py-fail2ban
CONTENTS
#contents
----
Lastmodified &lastmod;
----
With [[blacklistd(8)]], blocking unauthorized attacks against pop3 qpopper...
https://fnf.seesaa.net/article/476415931.html
https://fnf.seesaa.net/article/476435243.html
https://intaa.net/archives/37086
*Install py-fail2ban [#af7a7a86]
portinstall security/py-fail2ban
/usr/local/etc/rc.d/fail2ban start
2023-09-30 17:00:26,803 fail2ban.configreader [48582]:...
Server ready
fail2ban.conf
#allowipv6 = auto
allowipv6 = auto
[[FreeBSD+fail2ban(4):https://fnf.seesaa.net/article/4764...
/etc/rc.conf
fail2ban_enable="YES"
** Filter that reads the log [#wbe3c828]
Create this first. I named the file "dovecot-pop3imap.conf"...
/usr/local/etc/fail2ban/filter.d/dovecot-pop3imap.conf
[Definition]
failregex = refused connection from <HOST>, service qpop...
datepattern = {^LN-BEG}
The other one is a filter that reads /var/log/all.log.
/usr/local/etc/fail2ban/filter.d/qpopperauth.conf
The log lines it targets look like this:
Feb 16 10:21:00 hostname qpopper[25932]: foo@example.com...
[Definition]
failregex = .* at .* \(<HOST>\): -ERR \[AUTH\] Password ...
datepattern = {^LN-BEG}
To check that it works, run:
# fail2ban-regex /var/log/all.log /usr/local/etc/fail2b...
[[Tips for getting fail2ban to work properly. Keep regular expressions simple...
**Checking that the filter works [#ib35d2cb]
# fail2ban-regex /var/log/auth.log /usr/local/etc/fail2b...
Running tests
=============
Use failregex filter file : dovecot-pop3imap, basedir:...
Use log file : /var/log/auth.log
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [6618] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\...
`-
Lines: 6618 lines, 0 ignored, 0 matched, 6618 missed
[processed in 0.53 sec]
Missed line(s): too many to print. Use --print-all-miss...
**Configuring the block settings file jail.local [#meee1c9b]
/usr/local/etc/fail2ban/jail.local
[INCLUDES]
before = paths-freebsd.conf
[dovecot-pop3imap]
enabled = true
mode = more
filter = dovecot-pop3imap
logpath = /var/log/auth.log
maxretry = 2
findtime = 1200
bantime = 1200
backend = polling
banaction = bsd-ipfw[table=dovecot-pop3imap,protocol=tcp]
[qpopperauth]
enabled = true
mode = more
filter = qpopperauth
logpath = /var/log/all.log
maxretry = 2
findtime = 1200
bantime = 86400
backend = polling
banaction = bsd-ipfw[table=qpopperauth.conf,protocol=tcp]
Restart fail2ban
# /usr/local/etc/rc.d/fail2ban restart
**Verification [#aa177daa]
***Checking the block list [#t54237cd]
ipfw table all list
# ipfw table all list
--- table(port25), set(0) ---
37.139.129.4/32 0
45.66.230.99/32 0
79.110.62.188/32 0
80.76.51.40/32 0
85.31.45.34/32 0
95.214.27.23/32 0
147.78.103.88/32 0
147.78.103.182/32 0
185.216.71.126/32 0
193.42.33.87/32 0
--- table(port587), set(0) ---
94.156.102.204/32 0
150.230.59.115/32 0
150.230.63.186/32 0
163.172.88.229/32 0
194.180.49.106/32 0
194.180.49.245/32 0
--- table(dovecot-pop3imap), set(0) ---
150.230.63.186/32 0
***Fail2ban log [#bafa1eda]
tail -80 /var/log/fail2ban.log
***Log used for creating the block file [#b98fcad8]
tail -80 /var/log/auth.log
* SASL LOGIN authentication failed [#bcdd7a74]
Looking at the log, there are many SASL LOGIN authentication failed entries...
Jan 20 08:53:48 hoge postfix/smtpd[7395]: warning: unkno...
So I decided to try a configuration that suppresses these.
【Configuration file】~
/usr/local/etc/fail2ban/filter.d/postfix-auth.conf
# Fail2Ban filter for postfix SMTP-AUTH failures
[Definition]
failregex = warning: unknown\[<HOST>\]: SASL LOGIN authe...
datepattern = {^LN-BEG}
#Oct 26 10:21:21 hoge postfix/smtpd[4911]: warning: unkn...
#warning: unknown[<HOST>]: SASL LOGIN authentication fai...
#fail2ban-regex /var/log/maillog /usr/local/etc/fail2ban...
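The following is an added example, not code from this page and not fail2ban's own code. It models what fail2ban does with the filters shown above (filter.d/qpopperauth.conf with its datepattern, and the postfix-auth.conf filter in this section) and with the jail.local parameters maxretry / findtime / bantime: expand the <HOST> placeholder, match each log line, then count failures per host inside the findtime window and ban once maxretry is reached. The two failregex strings are my own full-length reconstructions of the page's truncated patterns (an assumption), the <HOST> expansion is simplified to IPv4 only, and every log line is a constructed sample.

```python
# Added example (not the page's or fail2ban's code): a small model of how
# fail2ban applies a failregex with the <HOST> placeholder and how a jail's
# maxretry / findtime / bantime settings turn matches into bans.
# The two failregex strings are my own full-length reconstructions of the
# truncated patterns on this page (assumption), and every log line below is
# a constructed sample, not real server output.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban substitutes <HOST> with a group matching an IP address or host name.
# Simplified here to IPv4 only (assumption) so the example stays readable.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

FAILREGEX = {
    # reconstruction of filter.d/qpopperauth.conf (assumption)
    "qpopperauth": r".* at .* \(<HOST>\): -ERR \[AUTH\] Password supplied for .* is incorrect",
    # reconstruction of filter.d/postfix-auth.conf (assumption)
    "postfix-auth": r"warning: unknown\[<HOST>\]: SASL LOGIN authentication failed",
}

COMPILED = {name: re.compile(pat.replace("<HOST>", HOST_RE)) for name, pat in FAILREGEX.items()}

# datepattern = {^LN-BEG}: the timestamp is expected at the start of the line.
SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)")


def parse_syslog_time(line, year=2024):
    """Parse a syslog-style 'Mon DD HH:MM:SS' prefix. Syslog omits the year,
    so a fixed year is assumed here (fail2ban infers it from the current date)."""
    m = SYSLOG_TS.match(line)
    if m is None:
        raise ValueError("no timestamp at line start: " + line)
    return datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")


def failed_host(filter_name, line):
    """Return the <HOST> captured by the filter's failregex, or None if the line is not a failure."""
    m = COMPILED[filter_name].search(line)
    return m.group("host") if m else None


def regex_report(lines, filter_name):
    """Counterpart of the 'matched / missed' summary that fail2ban-regex prints."""
    matched = sum(1 for line in lines if failed_host(filter_name, line) is not None)
    return matched, len(lines) - matched


def run_jail(lines, filter_name, maxretry, findtime, bantime):
    """Replay log lines through a jail. A host is banned once it has maxretry
    failures inside a findtime-second window; the ban lasts bantime seconds.
    Returns {host: (ban_start, ban_end)}."""
    recent = defaultdict(deque)   # host -> timestamps of failures still inside findtime
    banned = {}
    for line in lines:
        host = failed_host(filter_name, line)
        if host is None or host in banned:
            continue
        ts = parse_syslog_time(line)
        window = recent[host]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # failures older than findtime no longer count
        if len(window) >= maxretry:
            banned[host] = (ts, ts + timedelta(seconds=bantime))
    return banned


# Constructed sample lines in the shape of the page's qpopper example.
QPOPPER_LINES = [
    'Feb 16 10:21:00 hostname qpopper[25932]: foo@example.com at mail.example.com (203.0.113.10): -ERR [AUTH] Password supplied for "foo" is incorrect.',
    'Feb 16 10:22:10 hostname qpopper[25940]: foo@example.com at mail.example.com (203.0.113.10): -ERR [AUTH] Password supplied for "foo" is incorrect.',
    'Feb 16 10:30:00 hostname qpopper[25951]: bar@example.com at mail.example.com (203.0.113.20): -ERR [AUTH] Password supplied for "bar" is incorrect.',
    'Feb 16 10:31:00 hostname qpopper[25960]: POP login by user "bar" at (mail.example.com) 203.0.113.30',  # not a failure
    'Feb 16 11:00:00 hostname qpopper[25977]: bar@example.com at mail.example.com (203.0.113.20): -ERR [AUTH] Password supplied for "bar" is incorrect.',
]

# Constructed sample lines in the shape of the page's postfix SASL example.
POSTFIX_LINES = [
    "Jan 20 08:53:48 hoge postfix/smtpd[7395]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 20 08:54:02 hoge postfix/smtpd[7395]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 20 08:55:00 hoge postfix/smtpd[7402]: connect from unknown[198.51.100.9]",  # not a failure
]

if __name__ == "__main__":
    print("qpopperauth:", regex_report(QPOPPER_LINES, "qpopperauth"))
    # the page's [qpopperauth] jail: maxretry = 2, findtime = 1200, bantime = 86400
    for host, (start, end) in run_jail(QPOPPER_LINES, "qpopperauth", 2, 1200, 86400).items():
        print(f"  ban {host} from {start} until {end}")
    print("postfix-auth:", regex_report(POSTFIX_LINES, "postfix-auth"))
    for host, (start, end) in run_jail(POSTFIX_LINES, "postfix-auth", 2, 1200, 1200).items():
        print(f"  ban {host} from {start} until {end}")
```

Running it shows the two behaviours worth understanding before tuning jail.local: 203.0.113.10 is banned on its second failure 70 seconds later, while 203.0.113.20 is never banned because its two failures are 1800 seconds apart, outside the 1200-second findtime. The regex_report counts are the same "matched / missed" numbers fail2ban-regex prints, which is why a run showing 0 matched against a real log (as in the auth.log test above) means the failregex or the datepattern needs adjusting before the jail is enabled.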