Using Fail2Ban to block brute-force attacks against SquirrelMail, POP3, SMTP and Postfix
Last time I covered using Fail2Ban to defend SSH and FTP against brute-force attacks. Fail2Ban is in fact very extensible: any service that writes failed logins to a log file can be protected, as long as you write a correct regular expression for those log lines. Below is how to block brute-force attempts against SquirrelMail, POP3, SMTP and Postfix. (I configured this under DirectAdmin (DA); adjust the logpath for your own setup.)
1. SquirrelMail protection
Edit /etc/fail2ban/jail.conf and add the following:
    [squirrelmail-iptables]
    enabled  = true
    filter   = squirrelmail
    action   = iptables[name=SquirrelMail, port=http, protocol=tcp]
    logpath  = /var/log/maillog
    bantime  = 3600
    findtime = 300
    maxretry = 6
In the /etc/fail2ban/filter.d directory, create a file named squirrelmail.conf with the following content:
    # Fail2Ban configuration file
    #
    # Author: Bill Landry (email_protected)
    #
    # $Revision: 510 $

    [Definition]

    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>\S+)
    # Values:  TEXT
    failregex = \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect

    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    ignoreregex =
Then edit /usr/share/fail2ban/server/datedetector.py and add the following between the Apache and Exim date templates (keep the same indentation as the surrounding template definitions):
        # SquirrelMail 09/13/2007 06:43:20
        template = DateStrptime()
        template.setName("Month/Day/Year Hour:Minute:Second")
        template.setRegex(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
        template.setPattern("%m/%d/%Y %H:%M:%S")
        self.__templates.append(template)
Restart with service fail2ban restart; if it prints OK, the service started normally. To test it, simply fail the SquirrelMail login a few times and check that the ban is applied.
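To check a filter before pointing Fail2Ban at a live log, it helps to run the failregex and the date template against a few known lines, the way fail2ban-regex does. The following is an added example, not code from the original post or from the Fail2Ban project: it expands the <HOST> tag the same way Fail2Ban does, parses the timestamp with the %m/%d/%Y %H:%M:%S pattern added to datedetector.py above, and then applies the findtime/maxretry rule that all four jails in this post rely on. The log lines are constructed for the example, and the function names (parse_line, hosts_to_ban) are my own.

```python
import re
from datetime import datetime

# Fail2Ban expands the <HOST> tag into this pattern before compiling a failregex.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The SquirrelMail failregex from filter.d/squirrelmail.conf, with <HOST> expanded.
SQUIRRELMAIL_FAILREGEX = re.compile(
    r"\[LOGIN_ERROR\].*from " + HOST_PATTERN + r": Unknown user or password incorrect"
)

# The date template added to datedetector.py: regex to locate it, strptime pattern to parse it.
DATE_REGEX = re.compile(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
DATE_FORMAT = "%m/%d/%Y %H:%M:%S"

# Constructed sample log (not real data); addresses are from documentation ranges.
SAMPLE_LOG = """\
09/13/2007 06:43:20 [LOGIN_ERROR] Login attempt from 192.0.2.10: Unknown user or password incorrect
09/13/2007 06:43:25 [LOGIN_ERROR] Login attempt from 192.0.2.10: Unknown user or password incorrect
09/13/2007 06:44:01 [LOGIN_ERROR] Login attempt from 198.51.100.7: Unknown user or password incorrect
09/13/2007 06:45:00 [LOGIN] user logged in from 192.0.2.10
"""


def parse_line(line):
    """Return (timestamp, host) when the line matches the failregex, else None."""
    m = SQUIRRELMAIL_FAILREGEX.search(line)
    if not m:
        return None
    d = DATE_REGEX.search(line)
    # A line without a recognisable date would be ignored by Fail2Ban as well.
    if not d:
        return None
    return datetime.strptime(d.group(0), DATE_FORMAT), m.group("host")


def hosts_to_ban(log_text, findtime=300, maxretry=6):
    """Apply the jail's findtime/maxretry rule: a host is banned once it has
    maxretry matched failures inside any window of findtime seconds."""
    attempts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        attempts.setdefault(host, []).append(ts)

    banned = []
    for host, times in attempts.items():
        times.sort()
        for i, start in enumerate(times):
            window = [t for t in times[i:] if (t - start).total_seconds() <= findtime]
            if len(window) >= maxretry:
                banned.append(host)
                break
    return sorted(banned)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(parse_line(line))
    # With the jail's defaults (maxretry = 6) nothing is banned yet;
    # lowering maxretry shows which host would be hit first.
    print("banned with maxretry=6:", hosts_to_ban(SAMPLE_LOG))
    print("banned with maxretry=2:", hosts_to_ban(SAMPLE_LOG, maxretry=2))
```

Running it shows the first three lines matched with their host captured and the successful-login line skipped, which is exactly what you want to confirm before enabling the jail: a failregex that is too broad bans legitimate users, one that is too narrow bans nobody.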
2. POP3 protection
Edit /etc/fail2ban/jail.conf (vi /etc/fail2ban/jail.conf) and add the following:
    [POP3]
    enabled  = true
    filter   = courierlogin
    action   = iptables[name=pop3, port=110, protocol=tcp]
    logpath  = /var/log/maillog
    bantime  = 3600
    findtime = 300
    maxretry = 10
Restart Fail2Ban: service fail2ban restart
3. SMTP protection
Edit /etc/fail2ban/jail.conf (vi /etc/fail2ban/jail.conf) and add the following:
    [SMTP]
    enabled  = true
    filter   = couriersmtp
    action   = iptables[name=smtp, port=25:366, protocol=tcp]
    logpath  = /var/log/maillog
    bantime  = 3600
    findtime = 300
    maxretry = 10
Restart Fail2Ban: service fail2ban restart
4. Protecting against "User unknown" probing and spam bounce (backscatter) attacks
Edit /etc/fail2ban/jail.conf and add the following:
    [POSTFIX]
    enabled  = true
    filter   = postfix
    action   = iptables[name=postfix, port=25, protocol=tcp]
    logpath  = /var/log/maillog
    bantime  = 43200
    findtime = 1200
    maxretry = 5
Restart Fail2Ban: service fail2ban restart
The core configuration in this post is adapted from:
網絡技術日誌:http://www.hkcode.com/linux-bsd-notes/796
Mine Blog:http://j3j5.com/post-114.html