我使用 fail2ban 运行 CentOS 5 服务器,目前我的 dovecot 服务遭到暴力攻击。
我知道fail2ban 正在工作,因为它阻止了对我的FTP 服务器和Postfix 的攻击。出于某种原因,我错过了 dovecot 的一些东西,因为 fail2ban 日志中没有任何内容,并且攻击继续有增无减。
我的日志如下。Dovecot 将所有内容记录到 - /var/log/dovecot-info.log
我看到两种类型的日志。第一个看起来像这样(注意:我的服务器 Ip 没问题 - 我已经用 xxx.xxx.xxx 屏蔽了更精细的细节):
Feb 22 21:48:21 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:48:23 auth: Info: passwd-file(felipe,177.19.151.139): unknown user
Feb 22 21:48:25 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felipe>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:48:29 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:48:31 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:48:40 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:48:42 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:48:50 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:48:52 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:49:00 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:49:02 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:49:11 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:49:13 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:49:21 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:49:23 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:49:32 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:49:34 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:49:42 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:49:44 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:49:52 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:49:54 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:50:03 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:50:05 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:50:13 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Run Code Online (Sandbox Code Playgroud)
第二个看起来像这样:
Feb 22 22:10:37 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<frankie>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:38 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<fox>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<frances>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<francis>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<forest>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<frank>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<forrest>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<frankie>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<fox>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 auth: Info: passwd-file(francis,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(frances,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(forest,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(frank,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(forrest,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(frankie,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(fox,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(francis,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(frances,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(forest,177.19.151.139): unknown user
Run Code Online (Sandbox Code Playgroud)
jail.conf 看起来像这样:
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
sendmail-whois[name=dovecot-pop3imap, dest=me@me.com, sender=me@me.com]
logpath = /var/log/dovecot-info.log
maxretry = 5
findtime = 1200
bantime = 1200
Run Code Online (Sandbox Code Playgroud)
filter.d/dovecot.conf 看起来像这样:
failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to $
^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Ti$
ignoreregex =
Run Code Online (Sandbox Code Playgroud)
fail2ban.conf 看起来像这样:
# Option: loglevel
# Notes.: Set the log level output.
# 1 = ERROR
# 2 = WARN
# 3 = INFO
# 4 = DEBUG
# Values: NUM Default: 3
#
loglevel = 3
# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
# Only one log target can be specified.
# Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log
#
#logtarget = SYSLOG
logtarget = /var/log/fail2ban.log
# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
# not remove this file when Fail2ban runs. It will not be possible to
# communicate with the server afterwards.
# Values: FILE Default: /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock
Run Code Online (Sandbox Code Playgroud)
我几乎可以肯定我的正则表达式在某种程度上是错误的,但我不知所措。在这一点上,任何人都可以提供任何帮助是最受欢迎的。
更多信息 - 我在更改后重新启动了服务,它没有区别,日期/时间是准确的。
官方fail2ban wiki有一些关于如何测试正则表达式的很好的说明。
更具体地说,您应该fail2ban-regex针对您的日志(样本)运行。
# fail2ban-regex /var/log/dovecot-info.log /etc/fail2ban/filter.d/dovecot.conf
Run Code Online (Sandbox Code Playgroud)
此外,您的配置似乎存在错误:
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
Run Code Online (Sandbox Code Playgroud)
因为过滤器的名称应与中的文件名称匹配 /etc/fai2ban/filters.d
我测试了您的日志样本,特别是:
Feb 22 21:48:21 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.111.111.111
Run Code Online (Sandbox Code Playgroud)
第一次尝试失败:
# fail2ban-regex sample.log /etc/fail2ban/filter.d/dovecot-pop3imap.conf
Running tests
=============
No section headers in /etc/fail2ban/filter.d/dovecot-pop3imap.conf
Run Code Online (Sandbox Code Playgroud)
在向[Definition]正则表达式指令添加标签后(为了简洁起见,您也可以省略它),输出是:
# fail2ban-regex sample.log /etc/fail2ban/filter.d/dovecot-pop3imap.conf --print-all-missed
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/dovecot-pop3imap.conf
Use log file : sample.log
Use encoding : UTF-8
Results
=======
Failregex: 1 total
|- #) [# of hits] regular expression
| 1) [1] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?|[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use disabled \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [1] MON Day 24hour:Minute:Second
`-
Lines: 1 lines, 0 ignored, 1 matched, 0 missed
Run Code Online (Sandbox Code Playgroud)
另请注意,您的正则表达式无法编译(我还没有尝试调试原因)。我使用了随fail2ban版本一起打包的正则表达式:
# rpm -qi fail2ban
Name : fail2ban
Version : 0.9
Release : 0.3.git1f1a561.fc20
Run Code Online (Sandbox Code Playgroud)
略有不同:
failregex = ^%(__prefix_line)s(pam_unix(\(\S+\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use disabled \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
Run Code Online (Sandbox Code Playgroud)
| 归档时间: |
|
| 查看次数: |
15275 次 |
| 最近记录: |