Fail2Ban 不会阻止对 dovecot 的暴力攻击

Question

Fail2Ban 不会阻止对 dovecot 的暴力攻击

我使用 fail2ban 运行 CentOS 5 服务器，目前我的 dovecot 服务遭到暴力攻击。

我知道fail2ban 正在工作，因为它阻止了对我的FTP 服务器和Postfix 的攻击。出于某种原因，我错过了 dovecot 的一些东西，因为 fail2ban 日志中没有任何内容，并且攻击继续有增无减。

我的日志如下。Dovecot 将所有内容记录到 - /var/log/dovecot-info.log

我看到两种类型的日志。第一个看起来像这样（注意：我的服务器 Ip 没问题 - 我已经用 xxx.xxx.xxx 屏蔽了更精细的细节）：

Feb 22 21:48:21 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:48:23 auth: Info: passwd-file(felipe,177.19.151.139): unknown user
Feb 22 21:48:25 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felipe>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:48:29 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:48:31 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:48:40 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:48:42 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:48:50 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:48:52 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:49:00 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:49:02 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:49:11 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:49:13 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:49:21 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:49:23 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:49:32 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:49:34 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:49:42 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:49:44 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:49:52 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:49:54 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:50:03 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:50:05 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:50:13 auth: Info: passwd-file(felix,177.19.151.139): unknown user

Run Code Online (Sandbox Code Playgroud)

第二个看起来像这样：

Feb 22 22:10:37 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<frankie>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:38 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<fox>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<frances>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<francis>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<forest>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<frank>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<forrest>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<frankie>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<fox>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 auth: Info: passwd-file(francis,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(frances,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(forest,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(frank,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(forrest,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(frankie,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(fox,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(francis,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(frances,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(forest,177.19.151.139): unknown user

Run Code Online (Sandbox Code Playgroud)

jail.conf 看起来像这样：

[dovecot-pop3imap]
enabled  = true
filter   = dovecot-pop3imap
action   = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
           sendmail-whois[name=dovecot-pop3imap, dest=me@me.com, sender=me@me.com]
logpath  = /var/log/dovecot-info.log
maxretry = 5
findtime = 1200
bantime  = 1200

Run Code Online (Sandbox Code Playgroud)

filter.d/dovecot.conf 看起来像这样：

failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to $
            ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Ti$

ignoreregex =

Run Code Online (Sandbox Code Playgroud)

fail2ban.conf 看起来像这样：

# Option:  loglevel
# Notes.:  Set the log level output.
#          1 = ERROR
#          2 = WARN
#          3 = INFO
#          4 = DEBUG
# Values:  NUM  Default:  3
#
loglevel = 3

# Option:  logtarget
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#          Only one log target can be specified.
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
#
#logtarget = SYSLOG
logtarget = /var/log/fail2ban.log

# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
#         not remove this file when Fail2ban runs. It will not be possible to
#         communicate with the server afterwards.
# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock

Run Code Online (Sandbox Code Playgroud)

我几乎可以肯定我的正则表达式在某种程度上是错误的，但我不知所措。在这一点上，任何人都可以提供任何帮助是最受欢迎的。

更多信息 - 我在更改后重新启动了服务，它没有区别，日期/时间是准确的。

Answer 1

daw*_*wud 6

官方fail2ban wiki有一些关于如何测试正则表达式的很好的说明。

更具体地说，您应该fail2ban-regex针对您的日志（样本）运行。

# fail2ban-regex /var/log/dovecot-info.log /etc/fail2ban/filter.d/dovecot.conf

Run Code Online (Sandbox Code Playgroud)

此外，您的配置似乎存在错误：

[dovecot-pop3imap]
  enabled  = true
  filter   = dovecot-pop3imap

Run Code Online (Sandbox Code Playgroud)

因为过滤器的名称应与中的文件名称匹配 /etc/fai2ban/filters.d

我测试了您的日志样本，特别是：

Feb 22 21:48:21 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.111.111.111

Run Code Online (Sandbox Code Playgroud)

第一次尝试失败：

# fail2ban-regex sample.log /etc/fail2ban/filter.d/dovecot-pop3imap.conf

Running tests
=============

No section headers in /etc/fail2ban/filter.d/dovecot-pop3imap.conf

Run Code Online (Sandbox Code Playgroud)

在向[Definition]正则表达式指令添加标签后（为了简洁起见，您也可以省略它），输出是：

# fail2ban-regex sample.log /etc/fail2ban/filter.d/dovecot-pop3imap.conf --print-all-missed

Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/dovecot-pop3imap.conf
Use         log file : sample.log
Use         encoding : UTF-8


Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?|[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use disabled \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] MON Day 24hour:Minute:Second
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed

Run Code Online (Sandbox Code Playgroud)

另请注意，您的正则表达式无法编译（我还没有尝试调试原因）。我使用了随fail2ban版本一起打包的正则表达式：

# rpm -qi fail2ban
Name        : fail2ban
Version     : 0.9
Release     : 0.3.git1f1a561.fc20

Run Code Online (Sandbox Code Playgroud)

略有不同：

failregex = ^%(__prefix_line)s(pam_unix(\(\S+\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use disabled \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$

Run Code Online (Sandbox Code Playgroud)

冠军！我知道这很简单。我创建了 dovecot.conf，但像白痴一样使用 dovecot-pop3imap。我已经盯着这个问题好几个小时了，直到你的答复。现在我在我的fail2ban日志中看到了这一点 - 2014-02-22 23:21:39,002 failure2ban.actions: 警告 [dovecot-pop3imap] Ban 177.19.151.139 谢谢:) (2认同)

归档时间：	11 年，11 月前
查看次数：	15275 次
最近记录：	11 年，11 月前