Exim
fail2ban jail not firing

Have used fail2ban in a few different ways, and am now trying to get it to block hackers attempting to send spam through the server via smtp.

The regex matches fine when tested:
```
Failregex
|- Regular expressions:
|  [1] \[<HOST>\]: 535 Incorrect authentication data
|
`- Number of matches:
   [1] 147 match(es)
```
The jail loads fine:
```
2014-03-04 21:16:46,162 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2014-03-04 21:16:46,163 fail2ban.jail   : INFO   Creating new jail 'exim-auth'
2014-03-04 21:16:46,165 fail2ban.jail   : INFO   Jail 'exim-auth' uses Gamin
2014-03-04 21:16:46,187 fail2ban.filter : INFO   Added logfile = /var/log/exim/main.log
2014-03-04 21:16:46,188 fail2ban.filter : INFO   Set maxRetry = 3
2014-03-04 21:16:46,190 fail2ban.filter : INFO   Set findtime = 3600
2014-03-04 21:16:46,191 fail2ban.actions: INFO   Set banTime = 3600
2014-03-04 21:16:46,205 fail2ban.jail   : INFO   Creating new jail 'ssh-iptables'
2014-03-04 21:16:46,206 fail2ban.jail   : INFO   Jail 'ssh-iptables' uses Gamin
2014-03-04 21:16:46,207 fail2ban.filter : INFO   Added logfile = /var/log/secure
2014-03-04 21:16:46,208 fail2ban.filter : INFO   Set maxRetry = 5
2014-03-04 21:16:46,210 fail2ban.filter : INFO   Set findtime = 3600
2014-03-04 21:16:46,211 fail2ban.actions: INFO   Set banTime = 3600
2014-03-04 21:16:46,410 fail2ban.jail   : INFO   Jail 'exim-auth' started
2014-03-04 21:16:46,439 fail2ban.jail   : INFO   Jail 'ssh-iptables' started
```
and the ssh bans still work fine. Even when failures come through the log, nothing happens. Everything is time-synced; syslog, fail2ban and exim have all been restarted.

Exim main log:
```
2014-03-04 21:16:24 no host name found for IP address 89.xxx.33.33
2014-03-04 21:16:24 auth_plain authenticator failed for ([10.xxx.80.53]) [89.xxx.33.33]: 535 Incorrect authentication data (set_id=jamie@****.co.uk)
2014-03-04 21:16:30 no host name found for IP address 89.xxx.33.33
2014-03-04 21:16:30 auth_plain authenticator failed for ([10.xxx.80.53]) [89.xxx.33.33]: 535 Incorrect authentication data (set_id=jamie@****.co.uk)
2014-03-04 21:16:38 no host name found for IP address 89.xxx.33.33
2014-03-04 21:16:38 auth_plain authenticator failed for ([10.xxx.80.53]) [89.xxx.33.33]: 535 Incorrect authentication data (set_id=jamie@****.co.uk)
```
(xxx and **** obviously redacted.)

Configuration from the jail.conf section:
```
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/secure
maxretry = 5

[exim-auth]
enabled  = true
filter   = exim_auth
action   = iptables[name=SMTP, port=25, protocol=tcp]
           mail[name=EximAuth, dest=jamie@****.co.uk]
logpath  = /var/log/exim/main.log
maxretry = 3
```
The file parses fine, and I successfully get an email telling me when the jail stops and starts.

filter.d/exim_auth.conf:
```
# Fail2Ban configuration file
#
#
# $Revision$
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = \[<HOST>\]: 535 Incorrect authentication data

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
```
If anyone can work out why it isn't firing I'd really appreciate it, and bonus points if I can run two iptables actions to block both port 25 and port 465.
OK, I've solved my own problem. Patience, and the usual lack of debugging.

Everything was perfect. One factor was that the compromised account had produced an unusually large log file, meaning fail2ban had a 1.2GB file to work through, which took a long time.

Setting debug to 4 showed all the lines being skipped, and a quick check of each line's timestamp showed they were old.

Forced a logrotate, nice fresh file, and it fires fine.
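As an added illustration of the root cause found in the answer (not code from the original post or from fail2ban itself), here is a small Python model of the findtime window applied to the exim_auth failregex: lines whose timestamp is older than findtime are skipped and never count toward maxretry, which is exactly what a stale 1.2GB backlog looks like from the inside. The `<HOST>` expansion is the alias quoted in the filter file's own header; the sample log lines, addresses and the assumed "current time" are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Exim main.log lines start with "YYYY-MM-DD HH:MM:SS " then the message.
EXIM_TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")
# failregex from filter.d/exim_auth.conf, with <HOST> expanded to the alias
# documented in that file's header comment.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
FAILREGEX = re.compile(r"\[" + HOST + r"\]: 535 Incorrect authentication data")

def count_recent_failures(lines, now, findtime=3600):
    """Return ({host: failures}, skipped): only failregex hits stamped within
    `findtime` seconds of `now` count; older lines are skipped like fail2ban does."""
    counts, skipped = defaultdict(int), 0
    for line in lines:
        m = EXIM_TS.match(line)
        if not m:
            continue  # no parseable timestamp, nothing to do
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if now - ts > timedelta(seconds=findtime):
            skipped += 1  # too old to count toward maxretry
            continue
        hit = FAILREGEX.search(m.group("msg"))
        if hit:
            counts[hit.group("host")] += 1
    return dict(counts), skipped

def hosts_to_ban(counts, maxretry=3):
    """Hosts that reached maxretry inside the window (what the jail would ban)."""
    return sorted(h for h, n in counts.items() if n >= maxretry)

def exim_line(ts, host, user="user@example.invalid"):
    """Constructed line in the auth_plain failure format seen in main.log."""
    return (f"{ts} auth_plain authenticator failed for ([10.0.0.5]) "
            f"[{host}]: 535 Incorrect authentication data (set_id={user})")

# Constructed sample: a stale backlog from the day before, then fresh failures.
SAMPLE_LOG = [
    exim_line("2014-03-04 21:16:24", "203.0.113.7"),
    exim_line("2014-03-04 21:16:30", "203.0.113.7"),
    exim_line("2014-03-04 21:16:38", "203.0.113.7"),
    "2014-03-05 09:58:01 no host name found for IP address 198.51.100.9",
    exim_line("2014-03-05 09:58:01", "198.51.100.9"),
    exim_line("2014-03-05 09:58:07", "198.51.100.9"),
    exim_line("2014-03-05 09:58:12", "198.51.100.9"),
]
NOW = datetime(2014, 3, 5, 10, 0, 0)  # assumed "current time" for the demo
```

With the default one-hour findtime the three stale lines are skipped and only the fresh host reaches maxretry; widening findtime to cover the backlog makes both hosts bannable, which is why a rotated, fresh log made the jail fire immediately.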