When reviewing syslog and mail.log you usually see plenty of spammers, and the most common thing you observe them doing is a brute-force attack against authentication. Of course, with a strong password policy a spammer will not get in easily, but a better approach is a preventive control that stops the attempts themselves.
Dec 10 13:53:12 delta dovecot: auth-worker(9742): pam([email protected],87.246.7.34): pam_authenticate() failed: Authentication failure (password mismatch?)
Dec 10 13:53:14 delta postfix/smtps/smtpd[8101]: warning: unknown[87.246.7.34]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 10 13:53:16 delta postfix/smtps/smtpd[8101]: lost connection after AUTH from unknown[87.246.7.34]
Dec 10 13:53:16 delta postfix/smtps/smtpd[8101]: disconnect from unknown[87.246.7.34] ehlo=1 auth=0/1 rset=1 commands=2/3
Dec 10 13:53:52 delta postfix/smtps/smtpd[8101]: warning: hostname net6-ip34.linkbg.com does not resolve to address 87.246.7.34
Dec 10 13:53:52 delta postfix/smtps/smtpd[8101]: connect from unknown[87.246.7.34]
Dec 10 13:53:56 delta postfix/smtps/smtpd[8101]: Anonymous TLS connection established from unknown[87.246.7.34]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 10 13:54:05 delta dovecot: auth-worker(9742): pam([email protected],87.246.7.34): pam_authenticate() failed: Authentication failure (password mismatch?)
Dec 10 13:54:07 delta postfix/smtps/smtpd[8101]: warning: unknown[87.246.7.34]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 10 13:54:08 delta postfix/smtps/smtpd[8101]: lost connection after AUTH from unknown[87.246.7.34]
Dec 10 13:54:08 delta postfix/smtps/smtpd[8101]: disconnect from unknown[87.246.7.34] ehlo=1 auth=0/1 rset=1 commands=2/3
Dec 10 13:54:49 delta postfix/smtps/smtpd[8101]: warning: hostname net6-ip34.linkbg.com does not resolve to address 87.246.7.34
Dec 10 13:54:49 delta postfix/smtps/smtpd[8101]: connect from unknown[87.246.7.34]
Dec 10 13:54:56 delta postfix/smtps/smtpd[8101]: Anonymous TLS connection established from unknown[87.246.7.34]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 10 13:55:07 delta dovecot: auth-worker(9841): pam([email protected],87.246.7.34): pam_authenticate() failed: Authentication failure (password mismatch?)
Dec 10 13:55:09 delta postfix/smtps/smtpd[8101]: warning: unknown[87.246.7.34]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 10 13:55:11 delta postfix/smtps/smtpd[8101]: lost connection after AUTH from unknown[87.246.7.34]
Dec 10 13:55:11 delta postfix/smtps/smtpd[8101]: disconnect from unknown[87.246.7.34] ehlo=1 auth=0/1 rset=1 commands=2/3
Dec 10 13:55:47 delta postfix/smtps/smtpd[8101]: warning: hostname net6-ip34.linkbg.com does not resolve to address 87.246.7.34
Dec 10 13:55:47 delta postfix/smtps/smtpd[8101]: connect from unknown[87.246.7.34]
Dec 10 13:55:51 delta postfix/smtps/smtpd[8101]: Anonymous TLS connection established from unknown[87.246.7.34]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
This tutorial uses the fail2ban utility to filter the log and ban the offending IP addresses. To use it you first have to install the package. The command is as follows:
apt install fail2ban
Once the package is installed it already gives basic protection, but the out-of-the-box configuration is of course better with a few improvements. One example is the endless retry and brute force against postfix/smtps shown above: the out-of-the-box configuration currently has no matching jail rule/policy for it, so follow the steps below.
step 1 – edit /etc/fail2ban/ and add the following at the end:
[postfix-auth]
enabled = true
filter = postfix-auth
# 465 (smtps) is included as well, since the attempts in the log above arrive on postfix/smtps
action = iptables-multiport[name=postfix,port="http,https,smtp,submission,465,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath = /var/log/mail.log
step 1.1 – increase the sensitivity (optional), by adding to the same section:
maxretry = 3
step 2 – add the filter file /etc/fail2ban/filter.d/postfix-auth.conf:
[Definition]
# <HOST> is the fail2ban placeholder that captures the address to ban;
# it matches the "unknown[87.246.7.34]" part of the "lost connection after AUTH" lines above
failregex = lost connection after AUTH from (.*)\[<HOST>\]
ignoreregex =
step 3 – restart fail2ban:
service fail2ban restart
Command to check the result – tail /var/log/fail2ban.log
2019-12-10 14:18:57,014 fail2ban.actions [9427]: NOTICE [postfix-auth] Ban 87.246.7.34
2019-12-10 14:19:01,717 fail2ban.actions [9427]: NOTICE [sshd] Unban 106.12.21.193
2019-12-10 14:19:05,461 fail2ban.filter [9427]: INFO [sshd] Found 118.24.19.178
2019-12-10 14:19:05,495 fail2ban.filter [9427]: INFO [sshd] Found 118.24.19.178
2019-12-10 14:19:07,554 fail2ban.filter [9427]: INFO [sshd] Found 118.24.19.178
2019-12-10 14:19:30,989 fail2ban.actions [9427]: NOTICE [sshd] Unban 51.83.42.138
2019-12-10 14:19:34,048 fail2ban.filter [9427]: INFO [sshd] Found 180.168.76.222
2019-12-10 14:19:34,063 fail2ban.filter [9427]: INFO [sshd] Found 180.168.76.222
2019-12-10 14:19:36,101 fail2ban.filter [9427]: INFO [sshd] Found 180.168.76.222
2019-12-10 14:19:36,288 fail2ban.actions [9427]: NOTICE [sshd] Unban 49.88.112.60
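To show what the jail above actually does with the log, here is an added Python example (it is not code from the original post and not fail2ban's own implementation). It takes the same failregex from postfix-auth.conf, expands fail2ban's <HOST> placeholder into an IPv4 capture group, replays constructed mail.log lines modelled on the excerpt above, and counts failures per host inside a findtime window against maxretry = 3, which is the decision fail2ban makes before it runs the ban action. The sample lines, the hostname mail.example.net, the addresses 192.0.2.10 and 198.51.100.7, the 600-second findtime and all function names are assumptions made for this example; fail2ban's real <HOST> also matches hostnames and IPv6 addresses.

```python
import re
from datetime import datetime

# Constructed sample lines, modelled on the mail.log excerpt above: one spammer
# at 87.246.7.34 that fails AUTH three times, one legitimate client whose AUTH
# succeeds (auth=1/1), and one host with a single failure.
SAMPLE_LOG = """\
Dec 10 13:53:16 delta postfix/smtps/smtpd[8101]: lost connection after AUTH from unknown[87.246.7.34]
Dec 10 13:53:16 delta postfix/smtps/smtpd[8101]: disconnect from unknown[87.246.7.34] ehlo=1 auth=0/1 rset=1 commands=2/3
Dec 10 13:54:08 delta postfix/smtps/smtpd[8101]: lost connection after AUTH from unknown[87.246.7.34]
Dec 10 13:54:30 delta postfix/smtps/smtpd[8101]: disconnect from mail.example.net[192.0.2.10] ehlo=1 auth=1/1 mail=1 rcpt=1 data=1 quit=1 commands=6
Dec 10 13:55:11 delta postfix/smtps/smtpd[8101]: lost connection after AUTH from unknown[87.246.7.34]
Dec 10 14:10:00 delta postfix/smtps/smtpd[8101]: lost connection after AUTH from unknown[198.51.100.7]
"""

# The failregex from postfix-auth.conf above. fail2ban substitutes <HOST>
# with its own address pattern; here it is simplified to IPv4 only (assumption).
FAILREGEX = r"lost connection after AUTH from (.*)\[<HOST>\]"
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))

# Syslog prefix: "Dec 10 13:53:16 delta " followed by the message body.
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<msg>.*)$")


def parse_line(line, year=2019):
    """Split a syslog line into (timestamp, message); syslog lines carry no year,
    so one is supplied (2019 matches the fail2ban.log excerpt above)."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("msg")


def find_failures(log_text):
    """Yield (timestamp, host) for every line the failregex matches,
    which is what fail2ban logs as 'Found <ip>'."""
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        m = PATTERN.search(msg)
        if m:
            yield ts, m.group("host")


def hosts_to_ban(log_text, maxretry=3, findtime=600):
    """Return the hosts that reach maxretry failures within findtime seconds,
    i.e. the ones fail2ban would hand to the iptables-multiport action."""
    windows = {}
    banned = set()
    for ts, host in find_failures(log_text):
        window = windows.setdefault(host, [])
        window.append(ts)
        # Keep only failures that fall inside findtime of the newest one
        window[:] = [t for t in window if (ts - t).total_seconds() <= findtime]
        if len(window) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    for ts, host in find_failures(SAMPLE_LOG):
        print(f"Found {host} at {ts:%H:%M:%S}")
    for host in sorted(hosts_to_ban(SAMPLE_LOG)):
        print(f"Ban {host}")
```

On the server itself the equivalent check is fail2ban's own tool, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-auth.conf`, which reports how many lines the failregex matched; if it reports zero matches for a log like the one above, the filter (typically a missing or mistyped <HOST>) is the first thing to inspect. Note that the successful-AUTH disconnect line for 192.0.2.10 is never matched, so legitimate clients are not counted towards a ban.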