Install the package:
yum install fail2ban
Edit the fail2ban configuration file
vi /etc/fail2ban/fail2ban.conf
Change the line logtarget = SYSLOG to:
logtarget = /var/log/fail2ban.log
Add the dovecot-pop3 filter configuration file
vi /etc/fail2ban/filter.d/dovecot-pop3imap.conf
[Definition]
failregex = (?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*
ignoreregex = (?: Disconnected: Logged out).*
Edit jail.conf and append the dovecot-pop3imap section at the end
vi /etc/fail2ban/jail.conf
[dovecot-pop3imap]
enabled  = true
filter   = dovecot-pop3imap
action   = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
           sendmail-whois[name=dovecot-pop3imap, dest=root, [email protected]]
logpath  = /var/log/maillog
ignoreip = 192.168.1.0
maxretry = 20
findtime = 1200
bantime  = 1200
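To see what the filter and jail settings above actually do before deploying them, the following added example (not part of the original post, and not fail2ban's own code) applies the failregex/ignoreregex from filter.d/dovecot-pop3imap.conf and the maxretry/findtime/ignoreip values from the jail section to constructed maillog lines. It is a simplified model of fail2ban's counting: timestamps are passed alongside each line instead of being parsed out of the syslog prefix, and the function names (match_failure, ignored, evaluate, dovecot_line, sample_log) and the sample log lines are all invented here. It also shows why the page's own iptables output can contain 192.168.1.30: a bare ignoreip entry of 192.168.1.0 whitelists only that single address, not the 192.168.1.0/24 network.

```python
import re
import ipaddress
from collections import defaultdict, deque

# Filter regexes copied from filter.d/dovecot-pop3imap.conf above.
FAILREGEX = re.compile(
    r"(?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*"
)
IGNOREREGEX = re.compile(r"(?: Disconnected: Logged out).*")

# Jail parameters from the [dovecot-pop3imap] section above.
IGNOREIP = ["192.168.1.0"]
MAXRETRY = 20
FINDTIME = 1200  # seconds


def match_failure(line):
    """Apply the filter the way fail2ban does: ignoreregex first, then failregex.
    Returns the captured host, or None when the line is not a failure."""
    if IGNOREREGEX.search(line):
        return None
    m = FAILREGEX.search(line)
    return m.group("host") if m else None


def ignored(host, ignoreip=IGNOREIP):
    """ignoreip entries may be single addresses or CIDR networks; a bare
    address such as 192.168.1.0 only whitelists that one host."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(e, strict=False) for e in ignoreip)


def evaluate(events, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay (seconds, line) pairs and return {host: seconds_when_banned}.
    A host is banned once it accumulates maxretry failures inside a
    findtime-wide window (simplified model of fail2ban's counting)."""
    recent = defaultdict(deque)
    banned = {}
    for ts, line in events:
        host = match_failure(line)
        if host is None or host in banned or ignored(host):
            continue
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = ts
    return banned


def dovecot_line(kind, host, user="bob"):
    """Constructed maillog lines in the shape of Dovecot login messages (sample data)."""
    if kind == "fail":
        return (f"bk-mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts): "
                f"user=<{user}>, method=PLAIN, rip={host}, lip=192.168.1.5")
    if kind == "abort":
        return f"bk-mail dovecot: imap-login: Aborted login (no auth attempts): rip={host}, lip=192.168.1.5"
    return (f"bk-mail dovecot: imap-login: Disconnected: Logged out: user=<{user}>, "
            f"method=PLAIN, rip={host}, lip=192.168.1.5")


def sample_log():
    """Constructed replay: a fast brute force, a slow one, and normal logouts."""
    events = []
    events += [(i * 30, dovecot_line("fail", "192.168.1.30")) for i in range(22)]   # 22 failures in 11 min
    events += [(i * 150, dovecot_line("abort", "10.0.0.9")) for i in range(25)]     # 25 failures over ~1 h
    events += [(i * 20, dovecot_line("logout", "172.16.0.7")) for i in range(30)]   # logouts, never counted
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    print(evaluate(sample_log()))  # {'192.168.1.30': 570}
```

Only the fast attacker is banned: 10.0.0.9 never has 20 failures inside any 1200-second window, and the "Logged out" lines are discarded by ignoreregex before failregex is consulted. Changing IGNOREIP to ["192.168.1.0/24"] makes ignored("192.168.1.30") true, which is what an administrator who meant to exempt the whole LAN would want.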
Configure BIND logging for Fail2Ban
vi /etc/named.conf
:
logging {
    :
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 30m;
        severity dynamic;
        print-time yes;
    };
    category security { security_file; };
    :
};
:
Start the Fail2Ban service
[root@bk-mail fail2ban]# service fail2ban start
启动fail2ban:                                             [确定]
[root@bk-mail fail2ban]# chkconfig fail2ban on
Check the Fail2Ban service status
[root@bk-mail fail2ban]# service fail2ban status
Fail2ban (pid 1635) is running...
Status
|- Number of jail:      2
`- Jail list:           dovecot-pop3imap, ssh-iptables
Use iptables --list or iptables -L -nv to view the banned IPs
[root@bk-mail fail2ban]# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-dovecot-pop3imap  tcp  --  anywhere             anywhere            multiport dports pop3,pop3s,imap,imaps
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-dovecot-pop3imap (1 references)
target     prot opt source               destination
DROP       all  --  192.168.1.30         anywhere
RETURN     all  --  anywhere             anywhere
View the ban and unban entries in the fail2ban log (a bare grep 'Ban' would also match the Unban lines, so anchor it with spaces)
# grep ' Ban ' /var/log/fail2ban.log
# grep 'Unban' /var/log/fail2ban.log
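grep shows individual lines; when reviewing an incident you usually want each Ban paired with its Unban, the currently banned hosts, and how long each ban was actually enforced (which should track the jail's bantime of 1200 seconds). The following added example, not from the original post or from fail2ban itself, does that over a constructed excerpt of /var/log/fail2ban.log. The log line shape is assumed to follow fail2ban 0.8's actions logger ("fail2ban.actions: WARNING [jail] Ban ip"); the function names parse_bans, currently_banned and ban_seconds are invented here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed shape of fail2ban 0.8 action log lines (see constructed sample below).
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions: \w+ "
    r"\[(?P<jail>[^\]]+)\] (?P<act>Ban|Unban) (?P<ip>\S+)$"
)

# Constructed /var/log/fail2ban.log excerpt (sample data, not from a real server).
SAMPLE_LOG = """\
2013-06-14 18:00:05,101 fail2ban.actions: WARNING [dovecot-pop3imap] Ban 192.168.1.30
2013-06-14 18:05:11,202 fail2ban.actions: WARNING [ssh-iptables] Ban 10.0.0.9
2013-06-14 18:20:05,303 fail2ban.actions: WARNING [dovecot-pop3imap] Unban 192.168.1.30
2013-06-14 18:41:00,404 fail2ban.filter: INFO [dovecot-pop3imap] Found 192.168.1.30
2013-06-14 18:41:00,405 fail2ban.actions: WARNING [dovecot-pop3imap] Ban 192.168.1.30
"""


def parse_bans(text):
    """Pair each Ban with its later Unban: {(jail, ip): [(ban_at, unban_at or None), ...]}."""
    episodes = defaultdict(list)
    for line in text.splitlines():
        m = BAN_RE.match(line)
        if not m:
            continue  # filter "Found" lines and anything else are not ban actions
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        key = (m.group("jail"), m.group("ip"))
        if m.group("act") == "Ban":
            episodes[key].append([ts, None])
        elif episodes[key] and episodes[key][-1][1] is None:
            episodes[key][-1][1] = ts  # close the most recent open episode
    return {k: [tuple(e) for e in v] for k, v in episodes.items()}


def currently_banned(episodes):
    """(jail, ip) pairs whose latest ban has no matching Unban yet."""
    return sorted(k for k, eps in episodes.items() if eps[-1][1] is None)


def ban_seconds(episodes):
    """Enforced ban time per (jail, ip) over closed episodes; should track bantime."""
    totals = {}
    for key, eps in episodes.items():
        closed = [(end - start).total_seconds() for start, end in eps if end is not None]
        if closed:
            totals[key] = int(sum(closed))
    return totals


if __name__ == "__main__":
    eps = parse_bans(SAMPLE_LOG)
    print(currently_banned(eps))  # [('dovecot-pop3imap', '192.168.1.30'), ('ssh-iptables', '10.0.0.9')]
    print(ban_seconds(eps))       # {('dovecot-pop3imap', '192.168.1.30'): 1200}
```

Run it against the real file with parse_bans(open("/var/log/fail2ban.log").read()). A host that keeps reappearing in currently_banned after every Unban is a candidate for a longer bantime or a permanent firewall rule.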
Watch fail2ban's running status
[root@bk-mail fail2ban]# watch -n 1 fail2ban-client status dovecot-pop3imap
Every 1.0s: fail2ban-client status dovecot-pop3imap    Fri Jun 14 18:19:20 2013

Status for the jail: dovecot-pop3imap
|- filter
|  |- File list:        /var/log/maillog
|  |- Currently failed: 1
|  `- Total failed:     137
`- action
   |- Currently banned: 1
   |  `- IP list:       192.168.1.30
   `- Total banned:     3
Show the status of a specific jail
# fail2ban-client status dovecot-check
References
- http://www.ichiayi.com/wiki/tech/dovecot_fail2ban
- http://hi.baidu.com/sleepycat2008/item/8ae5299f66aa62cfb72531cd