安裝套件:

yum install fail2ban

設定fail2bban設定檔

vi /etc/fail2ban/fail2ban.conf

修改這行logtarget = SYSLOG這行

logtarget = /var/log/fail2ban.log

新增dovecot-pop3的設定檔

vi /etc/fail2ban/filter.d/dovecot-pop3imap.conf
[Definition]
failregex =  (?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*
ignoreregex = (?: Disconnected: Logged out).*

修改jail.conf設定後面加入dovecot-pop3imap的內容

vi /etc/fail2ban/jail.conf
[dovecot-pop3imap]
enabled  = true
filter   = dovecot-pop3imap
action   = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
           sendmail-whois[name=dovecot-pop3imap, dest=root, [email protected]]
logpath  = /var/log/maillog
ignoreip = 192.168.1.0
maxretry = 20
findtime = 1200
bantime  = 1200

設定Fail2Ban 對bind的參數

vi /etc/named.conf

:
logging {
:
        channel security_file {
                file "/var/log/named/security.log" versions 3 size 30m;
                severity dynamic;
                print-time yes; };
        category security {security_file; };
:
:

啟動Fail2Ban服務

[root@bk-mail fail2ban]# service fail2ban start
启动fail2ban: [确定]
[root@bk-mail fail2ban]# chkconfig fail2ban on

查看Fail2Ban的啟動狀態

[root@bk-mail fail2ban]# service fail2ban status
Fail2ban (pid 1635) is running...
Status
|- Number of jail:	2
`- Jail list:		dovecot-pop3imap, ssh-iptables

使用iptables --list 或 iptables -L -nv查看被ban的ip

[root@bk-mail fail2ban]# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-dovecot-pop3imap  tcp  --  anywhere             anywhere            multiport dports pop3,pop3s,imap,imaps 
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-SSH (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-dovecot-pop3imap (1 references)
target     prot opt source               destination         
DROP       all  --  192.168.1.30         anywhere            
RETURN     all  --  anywhere             anywhere

查看fail2ban的鎖定及解鎖日誌

# cat fail2ban.log | grep 'Ban'

# cat fail2ban.log | grep 'Unban'

查看fail2ban運作狀態

[root@bk-mail fail2ban]# watch -n 1 fail2ban-client status dovecot-pop3imap

Every 1.0s: fail2ban-client status dovecot-pop3imap Fri Jun 14 18:19:20 2013

Status for the jail: dovecot-pop3imap
|- filter
| |- File list: /var/log/maillog
| |- Currently failed: 1
| `- Total failed: 137
`- action
|- Currently banned: 1
| `- IP list: 192.168.1.30
`- Total banned: 3

觀察特定 jail 的內容

# fail2ban-client status dovecot-check

參考資料

By tony

自由軟體愛好者~喜歡不斷的思考各種問題,有新的事物都會想去學習嘗試 做實驗並熱衷研究 沒有所謂頂天的技術 只有謙虛及不斷的學習 精進專業,本站主要以分享系統及網路相關知識、資源而建立。 Github http://stnet253.github.io

發佈留言

發佈留言必須填寫的電子郵件地址不會公開。 必填欄位標示為 *

這個網站採用 Akismet 服務減少垃圾留言。進一步了解 Akismet 如何處理網站訪客的留言資料