fail2ban jail not firing

I've used fail2ban in a few different ways, and now I'm trying to stop hackers sending spam through the server via SMTP.

When testing, the regular expression matches correctly:

    Failregex
    |- Regular expressions:
    |  [1] \[<HOST>\]: 535 Incorrect authentication data
    |
    `- Number of matches:
       [1] 147 match(es)

The jail loads fine:

    2014-03-04 21:16:46,162 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
    2014-03-04 21:16:46,163 fail2ban.jail   : INFO   Creating new jail 'exim-auth'
    2014-03-04 21:16:46,165 fail2ban.jail   : INFO   Jail 'exim-auth' uses Gamin
    2014-03-04 21:16:46,187 fail2ban.filter : INFO   Added logfile = /var/log/exim/main.log
    2014-03-04 21:16:46,188 fail2ban.filter : INFO   Set maxRetry = 3
    2014-03-04 21:16:46,190 fail2ban.filter : INFO   Set findtime = 3600
    2014-03-04 21:16:46,191 fail2ban.actions: INFO   Set banTime = 3600
    2014-03-04 21:16:46,205 fail2ban.jail   : INFO   Creating new jail 'ssh-iptables'
    2014-03-04 21:16:46,206 fail2ban.jail   : INFO   Jail 'ssh-iptables' uses Gamin
    2014-03-04 21:16:46,207 fail2ban.filter : INFO   Added logfile = /var/log/secure
    2014-03-04 21:16:46,208 fail2ban.filter : INFO   Set maxRetry = 5
    2014-03-04 21:16:46,210 fail2ban.filter : INFO   Set findtime = 3600
    2014-03-04 21:16:46,211 fail2ban.actions: INFO   Set banTime = 3600
    2014-03-04 21:16:46,410 fail2ban.jail   : INFO   Jail 'exim-auth' started
    2014-03-04 21:16:46,439 fail2ban.jail   : INFO   Jail 'ssh-iptables' started

And the ssh ban still works fine. Even when the failures come through the log, nothing happens. All clocks are in sync, and syslog, fail2ban and exim have all been restarted.

Exim mainlog:

    2014-03-04 21:16:24 no host name found for IP address 89.xxx.33.33
    2014-03-04 21:16:24 auth_plain authenticator failed for ([10.xxx.80.53]) [89.xxx.33.33]: 535 Incorrect authentication data (set_id=jamie@****.co.uk)
    2014-03-04 21:16:30 no host name found for IP address 89.xxx.33.33
    2014-03-04 21:16:30 auth_plain authenticator failed for ([10.xxx.80.53]) [89.xxx.33.33]: 535 Incorrect authentication data (set_id=jamie@****.co.uk)
    2014-03-04 21:16:38 no host name found for IP address 89.xxx.33.33
    2014-03-04 21:16:38 auth_plain authenticator failed for ([10.xxx.80.53]) [89.xxx.33.33]: 535 Incorrect authentication data (set_id=jamie@****.co.uk)

(Obviously the xxx and **** have been redacted.)

The relevant section of jail.conf:

    [ssh-iptables]
    enabled  = true
    filter   = sshd
    action   = iptables[name=SSH, port=ssh, protocol=tcp]
    logpath  = /var/log/secure
    maxretry = 5

    [exim-auth]
    enabled  = true
    filter   = exim_auth
    action   = iptables[name=SMTP, port=25, protocol=tcp]
               mail[name=EximAuth, dest=jamie@****.co.uk]
    logpath  = /var/log/exim/main.log
    maxretry = 3

The file parses successfully, and I get an email telling me when the jail stops and starts.

filter.d/exim_auth.conf:

    # Fail2Ban configuration file
    #
    #
    # $Revision$
    #

    [Definition]

    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values:  TEXT
    #
    failregex = \[<HOST>\]: 535 Incorrect authentication data

    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =

If anyone can work out why it isn't triggering I'd be grateful, and also how to run two iptables actions so that both port 25 and port 465 are blocked.

OK, I've solved my own problem. Patience and, as usual, a lack of debugging.

Everything was perfect. The cause was that a compromised account had produced an exceptionally large log file, which meant fail2ban had a 1.2GB file to work through, and that takes a very long time.

Setting the debug level to 4 showed every line being skipped; a quick check of the timestamps showed that each of them was old.

Forcing a logrotate gave it a nice fresh file to use, and everything triggered fine.
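The answer above comes down to the findtime window: a line that matches failregex still counts for nothing if its timestamp is older than findtime seconds before "now", so a backlog of old failures never reaches maxretry. The following added example (written for this page, not fail2ban's own code) applies the page's failregex, with the `<HOST>` alias expanded to the named group quoted in the filter, to a few constructed exim main.log lines and models a jail's findtime/maxretry decision. Run against the time the lines were written it bans the repeat offender; run a day later, as when a huge old log is being replayed, every matching line is skipped. The addresses and `set_id` values are placeholders, and `evaluate_jail` is a simplified model, not fail2ban's real ban logic.

```python
import re
from datetime import datetime, timedelta

# failregex from the page's exim_auth.conf, with fail2ban's <HOST> tag expanded
# to the alias the filter header quotes: (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
FAILREGEX = re.compile(
    r"\[(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)\]: 535 Incorrect authentication data"
)

# Exim main.log lines begin with "YYYY-MM-DD HH:MM:SS ".
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample lines modelled on the page's log excerpt (placeholder addresses).
SAMPLE_LOG = """\
2014-03-04 21:16:24 no host name found for IP address 89.0.33.33
2014-03-04 21:16:24 auth_plain authenticator failed for ([10.0.80.53]) [89.0.33.33]: 535 Incorrect authentication data (set_id=user@example.invalid)
2014-03-04 21:16:30 no host name found for IP address 89.0.33.33
2014-03-04 21:16:30 auth_plain authenticator failed for ([10.0.80.53]) [89.0.33.33]: 535 Incorrect authentication data (set_id=user@example.invalid)
2014-03-04 21:16:38 auth_plain authenticator failed for ([10.0.80.53]) [89.0.33.33]: 535 Incorrect authentication data (set_id=user@example.invalid)
2014-03-04 21:16:40 auth_plain authenticator failed for ([10.0.80.53]) [203.0.113.7]: 535 Incorrect authentication data (set_id=other@example.invalid)
"""


def parse_failures(log_text):
    """Return a list of (timestamp, host) for every line the failregex matches."""
    found = []
    for line in log_text.splitlines():
        ts = TIMESTAMP_RE.match(line)
        m = FAILREGEX.search(line)
        if ts and m:
            found.append((datetime.strptime(ts.group(1), TS_FORMAT), m.group("host")))
    return found


def evaluate_jail(log_text, now, findtime=3600, maxretry=3):
    """Simplified model of a jail's decision (assumption: not fail2ban's own logic).

    `now` is a "YYYY-MM-DD HH:MM:SS" string. Returns (banned, skipped): hosts
    with at least maxretry failures inside the findtime window ending at `now`,
    and the number of matching lines ignored because they fell before the window.
    """
    window_start = datetime.strptime(now, TS_FORMAT) - timedelta(seconds=findtime)
    failures = {}
    skipped = 0
    for ts, host in parse_failures(log_text):
        if ts < window_start:
            # This is the case from the answer: the line matches, but it is
            # older than findtime, so it never counts towards maxretry.
            skipped += 1
            continue
        failures[host] = failures.get(host, 0) + 1
    banned = sorted(h for h, n in failures.items() if n >= maxretry)
    return banned, skipped


if __name__ == "__main__":
    # Evaluated moments after the lines were logged: the repeat offender is banned.
    print(evaluate_jail(SAMPLE_LOG, "2014-03-04 21:17:00"))
    # Evaluated a day later, as when an old 1.2GB log is replayed: all lines skipped.
    print(evaluate_jail(SAMPLE_LOG, "2014-03-05 21:17:00"))
```

The same check is what `fail2ban-regex` does not do: it reports 147 matches against the file regardless of age, which is why the regex test passed while the jail stayed quiet.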