Exim

fail2ban監獄沒有開火

  • March 9, 2014

在幾種不同的方法中使用了 fail2ban,現在已經嘗試讓它通過 smtp 阻止黑客嘗試通過伺服器發送垃圾郵件。

測試時正則表達式匹配正常:

   Failregex
|- Regular expressions:
|  [1] \[<HOST>\]: 535 Incorrect authentication data
|
`- Number of matches:
  [1] 147 match(es)

監獄載入正常:

2014-03-04 21:16:46,162 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2014-03-04 21:16:46,163 fail2ban.jail   : INFO   Creating new jail 'exim-auth'
2014-03-04 21:16:46,165 fail2ban.jail   : INFO   Jail 'exim-auth' uses Gamin
2014-03-04 21:16:46,187 fail2ban.filter : INFO   Added logfile = /var/log/exim/main.log
2014-03-04 21:16:46,188 fail2ban.filter : INFO   Set maxRetry = 3
2014-03-04 21:16:46,190 fail2ban.filter : INFO   Set findtime = 3600
2014-03-04 21:16:46,191 fail2ban.actions: INFO   Set banTime = 3600
2014-03-04 21:16:46,205 fail2ban.jail   : INFO   Creating new jail 'ssh-iptables'
2014-03-04 21:16:46,206 fail2ban.jail   : INFO   Jail 'ssh-iptables' uses Gamin
2014-03-04 21:16:46,207 fail2ban.filter : INFO   Added logfile = /var/log/secure
2014-03-04 21:16:46,208 fail2ban.filter : INFO   Set maxRetry = 5
2014-03-04 21:16:46,210 fail2ban.filter : INFO   Set findtime = 3600
2014-03-04 21:16:46,211 fail2ban.actions: INFO   Set banTime = 3600
2014-03-04 21:16:46,410 fail2ban.jail   : INFO   Jail 'exim-auth' started
2014-03-04 21:16:46,439 fail2ban.jail   : INFO   Jail 'ssh-iptables' started

並且 ssh 禁令仍然可以正常工作。即使錯誤通過日誌,也不會發生任何事情。所有時間同步,系統日誌,fail2ban 和 exim 都重新啟動。

進出口主日誌:

2014-03-04 21:16:24 no host name found for IP address 89.xxx.33.33
2014-03-04 21:16:24 auth_plain authenticator failed for ([10.xxx.80.53]) [89.xxx.33.33]: 535 Incorrect authentication data (set_id=jamie@****.co.uk)
2014-03-04 21:16:30 no host name found for IP address 89.xxx.33.33
2014-03-04 21:16:30 auth_plain authenticator failed for ([10.xxx.80.53]) [89.xxx.33.33]: 535 Incorrect authentication data (set_id=jamie@****.co.uk)
2014-03-04 21:16:38 no host name found for IP address 89.xxx.33.33
2014-03-04 21:16:38 auth_plain authenticator failed for ([10.xxx.80.53]) [89.xxx.33.33]: 535 Incorrect authentication data (set_id=jamie@****.co.uk)

(顯然現在已經編輯了 xxx 和 ****)。

jail.conf 部分的配置:

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/secure
maxretry = 5

[exim-auth]

enabled = true
filter = exim_auth
action = iptables[name=SMTP, port=25, protocol=tcp]
        mail[name=EximAuth, dest=jamie@****.co.uk]
logpath = /var/log/exim/main.log
maxretry = 3

文件解析正常,我成功收到一封電子郵件,說明監獄何時停止和啟動。

filter.d/exim_auth.conf:

# Fail2Ban configuration file
#
#
# $Revision$
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = \[<HOST>\]: 535 Incorrect authentication data

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

如果有人能弄清楚為什麼它沒有觸發,並且還有一個獎勵點,我可以執行兩個 iptables 操作來阻止埠 25 和 465,我真的很感激。

好的,我已經解決了我自己的問題。耐心,並且像​​往常一樣缺乏調試。

每個人都很完美。一個因素是被入侵的帳戶導致的異常大的日誌文件意味著fail2ban有一個1.2GB的文件要處理,這需要很長時間。

將 debug 設置為 4 顯示所有行都被跳過,快速驗證每個行的時間戳表明它們是舊的。

強制使用 logrotate,漂亮的新鮮文件並觸發一切正常。

引用自:https://serverfault.com/questions/579844