I run a CentOS 5 server with fail2ban, and my Dovecot service is currently under attack.
I know fail2ban is working because it is blocking attacks on my FTP server and Postfix. For some reason I am missing something to do with Dovecot, because the fail2ban log has nothing in it and the attacks keep coming.
My log looks like the following. Dovecot logs everything to /var/log/dovecot-info.log.
I see two types of log entries. The first looks like this (note: my server IP is fine; I have masked the finer details with xxx.xxx.xxx):
```
Feb 22 21:48:21 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:48:23 auth: Info: passwd-file(felipe,177.19.151.139): unknown user
Feb 22 21:48:25 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felipe>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:48:29 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:48:31 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:48:40 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:48:42 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:48:50 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:48:52 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:49:00 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:49:02 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:49:11 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:49:13 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:49:21 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:49:23 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:49:32 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:49:34 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:49:42 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:49:44 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:49:52 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:49:54 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:50:03 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:50:05 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 21:50:13 auth: Info: passwd-file(felix,177.19.151.139): unknown user
```
The second looks like this:
```
Feb 22 22:10:37 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<frankie>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:38 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<fox>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<frances>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<francis>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<forest>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<frank>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<forrest>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<frankie>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<fox>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx
Feb 22 22:10:51 auth: Info: passwd-file(francis,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(frances,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(forest,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(frank,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(forrest,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(frankie,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(fox,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(francis,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(frances,177.19.151.139): unknown user
Feb 22 22:10:51 auth: Info: passwd-file(forest,177.19.151.139): unknown user
```
jail.conf looks like this:
```
[dovecot-pop3imap]
enabled  = true
filter   = dovecot-pop3imap
action   = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
           sendmail-whois[name=dovecot-pop3imap, [email protected], [email protected]]
logpath  = /var/log/dovecot-info.log
maxretry = 5
findtime = 1200
bantime  = 1200
```
filter.d/dovecot.conf looks like this:
```
failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to $
            ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Ti$
ignoreregex =
```
fail2ban.conf looks like this:
```
# Option: loglevel
# Notes.: Set the log level output.
#         1 = ERROR
#         2 = WARN
#         3 = INFO
#         4 = DEBUG
# Values: NUM  Default: 3
#
loglevel = 3

# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#         Only one log target can be specified.
# Values: STDOUT STDERR SYSLOG file  Default: /var/log/fail2ban.log
#
#logtarget = SYSLOG
logtarget = /var/log/fail2ban.log

# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
#         not remove this file when Fail2ban runs. It will not be possible to
#         communicate with the server afterwards.
# Values: FILE  Default: /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock
```
I am almost certain my regex is wrong, but I am at a loss. Any help anyone can offer is most welcome.
More information: I have restarted the service after the changes, which made no difference, and the date/time is accurate.
The official fail2ban wiki has some good instructions on how to test regular expressions.
More specifically, you should run fail2ban-regex against (a sample of) your log:
```
# fail2ban-regex /var/log/dovecot-info.log /etc/fail2ban/filter.d/dovecot.conf
```
Also, your configuration appears to have an error:
```
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
```
because the filter name should match the name of the file in /etc/fail2ban/filter.d.
I tested a sample of the log, specifically:
```
Feb 22 21:48:21 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.111.111.111
```
The first attempt failed:
```
# fail2ban-regex sample.log /etc/fail2ban/filter.d/dovecot-pop3imap.conf

Running tests
=============

No section headers in /etc/fail2ban/filter.d/dovecot-pop3imap.conf
```
After adding a [Definition] tag in front of the regex directives (which you probably omitted for brevity), the output was:
```
# fail2ban-regex sample.log /etc/fail2ban/filter.d/dovecot-pop3imap.conf --print-all-missed

Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/dovecot-pop3imap.conf
Use         log file : sample.log
Use         encoding : UTF-8


Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?|[\[\(]?\S*(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use disabled \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] MON Day 24hour:Minute:Second
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed
```
Also note that your regex does not compile (I have not tried to debug why). I used the regex packaged with fail2ban:
```
# rpm -qi fail2ban
Name        : fail2ban
Version     : 0.9
Release     : 0.3.git1f1a561.fc20
```
which is slightly different:
```
failregex = ^%(__prefix_line)s(pam_unix(\(\S+\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use disabled \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
```
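To see what the answer's fail2ban-regex run is doing under the hood, here is an added, stand-alone Python script (not fail2ban's own code and not part of either post) that applies the packaged (pop3|imap)-login pattern quoted above to the log entries from the question and then reproduces the jail's maxretry/findtime counting. It makes two simplifying assumptions, both marked in the code: `%(__prefix_line)s` is replaced by a minimal optional "program " prefix, since dovecot-info.log carries no syslog hostname, and `<HOST>` is replaced by a plain named group rather than fail2ban's more permissive expansion. The sample log is constructed from the entries in the question with the masked `lip` replaced by 173.111.111.111 as the answer did, plus two lines from a constructed second client (192.0.2.10) that stays under the limit. It also shows two things the posts only state: the masked `lip=173.xxx.xxx.xxx` line can never match the `lip=(\d{1,3}\.){3}\d{1,3}` tail, and the truncated second pattern from the question's filter fails to compile.

```python
"""Check a fail2ban-style Dovecot failregex against sample log lines and apply
the jail's maxretry/findtime logic. Added example; not fail2ban's own code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's %(__prefix_line)s (assumption): after the
# date is stripped, dovecot-info.log has at most a "program: " token before the
# text we care about, so an optional "\S+ " is enough here.
PREFIX_LINE = r"^\s*(?:\S+ )?"

# Simplified stand-in for fail2ban's <HOST> tag (assumption): IPv4/IPv6 only.
HOST = r"(?P<host>[0-9a-fA-F:.]+)"

# The (pop3|imap)-login pattern from the packaged dovecot filter quoted in the
# answer, with the two stand-ins above substituted.
LOGIN_FAILREGEX = re.compile(
    PREFIX_LINE
    + r"(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? "
    r"\(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?"
    r"|tried to use disabled \S+ auth)\):( user=<\S*>,)?( method=\S+,)? "
    r"rip=" + HOST + r", lip=(\d{1,3}\.){3}\d{1,3}"
    r"(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$"
)

# fail2ban matches and strips the timestamp before applying failregex; this
# mirrors the "MON Day 24hour:Minute:Second" template reported above.
DATE_RE = re.compile(r"^(?P<date>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def split_date(line):
    """Return (datetime, remainder) or (None, line) if no timestamp is found."""
    m = DATE_RE.match(line)
    if not m:
        return None, line
    # The log has no year; strptime defaults to 1900, which is fine for deltas.
    return datetime.strptime(m.group("date"), "%b %d %H:%M:%S"), line[m.end():]


def match_failure(line):
    """Return (datetime, host) if the line counts as a failure, else None."""
    when, rest = split_date(line)
    if when is None:
        return None
    m = LOGIN_FAILREGEX.match(rest)
    return (when, m.group("host")) if m else None


def find_bans(lines, maxretry=5, findtime=1200):
    """Sliding-window count per host, as the jail's maxretry/findtime do.
    Returns {host: "HH:MM:SS" of the failure that reached maxretry}."""
    window = defaultdict(list)
    bans = {}
    for line in lines:
        hit = match_failure(line)
        if hit is None:
            continue
        when, host = hit
        if host in bans:
            continue  # already banned; fail2ban stops counting here too
        cutoff = when - timedelta(seconds=findtime)
        window[host] = [t for t in window[host] if t >= cutoff] + [when]
        if len(window[host]) >= maxretry:
            bans[host] = when.strftime("%H:%M:%S")
    return bans


def compiles(pattern):
    """True if the regex compiles; the truncated pattern in the question does not."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


# Constructed sample: entries from the question with lip unmasked as in the
# answer, plus two lines from a constructed second client (192.0.2.10).
SAMPLE_LOG = """\
Feb 22 21:48:21 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.111.111.111
Feb 22 21:48:23 auth: Info: passwd-file(felipe,177.19.151.139): unknown user
Feb 22 21:48:25 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felipe>, method=PLAIN, rip=177.19.151.139, lip=173.111.111.111
Feb 22 21:48:29 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:48:31 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.111.111.111
Feb 22 21:48:33 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=192.0.2.10, lip=173.111.111.111
Feb 22 21:48:40 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:48:42 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.111.111.111
Feb 22 21:48:50 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:48:52 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.111.111.111
Feb 22 21:48:55 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=192.0.2.10, lip=173.111.111.111
Feb 22 21:49:00 auth: Info: passwd-file(felix,177.19.151.139): unknown user
Feb 22 21:49:02 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.111.111.111
""".splitlines()

# The masked form from the question: lip=173.xxx.xxx.xxx cannot satisfy
# (\d{1,3}\.){3}\d{1,3}, so fail2ban-regex would report it as missed.
MASKED_LINE = ("Feb 22 21:48:21 pop3-login: Info: Aborted login (auth failed, 1 attempts): "
               "user=<felix>, method=PLAIN, rip=177.19.151.139, lip=173.xxx.xxx.xxx")

# Truncated second pattern as shown in the question's filter, with the
# %(__prefix_line)s macro removed so re.compile can be tried on it directly.
QUESTION_PATTERN = (r"^(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? "
                    r"\(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to $")

if __name__ == "__main__":
    print("counted failures:", sum(match_failure(l) is not None for l in SAMPLE_LOG))
    print("bans:", find_bans(SAMPLE_LOG))
    print("masked line matches:", match_failure(MASKED_LINE) is not None)
    print("question regex compiles:", compiles(QUESTION_PATTERN))
```

Two points worth noticing when running it: only the `pop3-login: ... Aborted login` lines are counted, the `auth: ... passwd-file(...): unknown user` lines from the same client never match this filter, and the attacking client reaches `maxretry = 5` on its fifth failure within `findtime`, so with a working filter fail2ban would have banned it within about half a minute of the first attempt.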