Using fail2ban with iptables to block IPs probing Postfix accounts

Description:
Mail systems, FTP servers and the like routinely see hundreds or thousands of probing attacks and brute-force password attempts. Mail servers are hit especially hard: once a mailbox account is cracked it is used to send spam, and the company's mail then gets bounced by gmail, qq and others, which is really frustrating. For example:

Jul 28 17:05:01 mail10 postfix/smtpd[11722]: warning: unknown[101.69.192.41]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 28 17:06:07 mail10 postfix/smtpd[11722]: warning: unknown[218.108.46.51]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 28 17:08:48 mail10 postfix/smtpd[11722]: warning: unknown[58.42.247.14]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

These attempts can in fact be blocked by having fail2ban drive iptables.

1. Compiling and installing fail2ban

# wget http://cznic.dl.sourceforge.net/project/fail2ban/fail2ban-stable/fail2ban-0.8.11/fail2ban-0.8.11.tar.gz
# tar zxvf fail2ban-0.8.11.tar.gz
# cd fail2ban-0.8.11
# ./setup.py install
# cp files/redhat-initd /etc/init.d/fail2ban  //the fail2ban tarball ships start-up scripts for several distributions; for CentOS it is files/redhat-initd, so copy that file to /etc/init.d
# chmod 755 /etc/init.d/fail2ban
# chkconfig --add fail2ban
# chkconfig fail2ban on

Because fail2ban is written in Python, a Python environment is required to install it.

Main configuration files and parameters

# ll /etc/fail2ban/
drwxr-xr-x 2 root root 4096 06-28 16:53 action.d       //directory of action scripts: how iptables, mail sending, etc. are invoked
-rw-r--r-- 1 root root  859 01-17 12:24 fail2ban.conf  //settings for the program itself, such as logging
drwxr-xr-x 2 root root 4096 06-28 16:11 filter.d      //directory of filter rules
-rw-r--r-- 1 root root 6593 06-28 15:42 jail.conf    //monitoring and filtering parameters
-rw-r--r-- 1 root root 1375 2011-11-30 jail.local    //local settings: which logs to monitor and related parameters

2. Configure fail2ban. I configured four jails here: postfix, pop3, extmail and vsftp; adapt them as needed. If you are not yet familiar with postfix and pop3, add them one at a time: test postfix first, then pop3, so that live mail delivery is not affected!

# vi /etc/fail2ban/jail.conf
[postfix]
enabled  = true
filter   = postfix
action   = iptables[name=postfix, port=25, protocol=tcp]
ignoreip = 127.0.0.1 192.168.1.0/16
logpath  = /var/log/maillog
bantime  = 86400
findtime = 60
maxretry = 5

[POP3]
enabled = true
filter   = courierlogin
action   = iptables[name=pop3, port=110, protocol=tcp]
logpath = /var/log/maillog
bantime = 1800
findtime = 300
maxretry = 15

[vsftpd]
enabled  = true
filter   = vsftpd
action   = iptables[name=vsftpd, port=21, protocol=tcp]
ignoreip = 127.0.0.1 192.168.1.0/16
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

[extmail]
enabled = true
filter   = extmail
action   = iptables[name=extmail, port=80, protocol=tcp]
logpath = /var/log/maillog
bantime = 300
findtime = 300
maxretry = 6

ignoreip = 127.0.0.1 192.168.1.0/16 means localhost and the 192.168.0.0 range are ignored; separate multiple IP ranges with spaces!

3. Edit or create files under /etc/fail2ban/filter.d. The file name must match the "filter=" value set in jail.conf in the previous step.

# vim /etc/fail2ban/filter.d/postfix.conf
failregex = warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:
    reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
    reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
    reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
    reject: RCPT from (.*)\[<HOST>\]: 554 5.5.2
    reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2
ignoreregex =

# vim /etc/fail2ban/filter.d/courierlogin.conf  //the filter for the pop3 jail
failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$
ignoreregex =

# vim /etc/fail2ban/filter.d/vsftpd.conf
failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
            \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
ignoreregex =

# vim /etc/fail2ban/filter.d/extmail.conf
failregex = extmail.*: user=.*, client=<HOST>, module=login, status=badlogin
ignoreregex =

4. Test. You can first run a syntax check on the filters. You can see there are actually quite a few IPs probing; this guy really has nothing better to do, constantly switching IPs.

# fail2ban-client status postfix  
Status for the jail: postfix
|- filter
|  |- File list:        /var/log/maillog 
|  |- Currently failed: 121
|  `- Total failed:     1363
`- action
   |- Currently banned: 82
   |  `- IP list:       62.241.143.247 222.213.236.162 118.98.97.94 202.21.181.110 112.124.37.83 119.188.103.129 180.252.181.15 58.221.83.10 118.212.129.175 186.24.34.179 218.84.213.182 203.57.24.25 121.31.62.162 222.186.12.5 202.29.235.121 218.90.174.167 202.29.235.122 181.29.132.201 1.234.75.53 122.225.124.74 211.144.81.68 202.159.6.146 210.209.118.57 58.61.29.233 201.249.188.101 211.144.81.67 211.144.81.66 193.150.105.40 193.255.217.101 182.131.2.222 202.137.8.148 23.239.106.103 202.77.123.38 218.249.114.42 103.31.204.167 200.68.15.61 46.20.46.152 124.161.189.49 191.101.2.37 14.146.228.2 187.240.117.148 222.42.1.132 183.224.71.21 218.76.158.156 192.3.110.146 121.52.159.236 58.215.212.243 124.73.7.249 124.114.141.118 61.150.76.201 121.14.228.16 117.45.18.100 58.248.22.41 181.65.183.42 62.231.187.137 80.227.12.90 115.239.248.235 118.97.66.4 119.176.234.232 58.67.143.165 94.242.238.13 190.111.122.3 194.68.142.57 177.2.109.234 218.95.158.99 58.68.145.39 123.138.68.172 113.108.186.138 202.44.64.4 189.17.184.3 94.23.192.79 124.161.94.8 177.159.173.106 61.177.137.131 118.112.181.36 109.201.140.35 121.63.246.223 124.207.34.91 219.146.2.105 188.17.153.192 60.21.132.218 61.143.158.226 
   `- Total banned:     82
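As an added example that is not part of the original post, the Python below reproduces what fail2ban does with the postfix filter from step 3: it expands the <HOST> token, runs each failregex over a few constructed maillog lines in the format shown at the top of the page, and applies the jail's maxretry/findtime sliding window to decide which IPs would be banned. The HOST_RE expansion is a simplified assumption (IPv4 only) and the log lines are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Simplified stand-in for what fail2ban substitutes for <HOST> (assumption: IPv4 only here;
# the real expansion also accepts hostnames and IPv6).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex entries from the postfix.conf filter above
POSTFIX_FAILREGEX = [
    r"warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:",
    r"reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 554 5.5.2",
    r"reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in POSTFIX_FAILREGEX]


def failed_host(line):
    """Return the client IP if any failregex matches this maillog line, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def ban_candidates(lines, maxretry=5, findtime=60, year=2015):
    """IPs with at least maxretry matches inside a sliding findtime window (jail.conf semantics)."""
    recent = defaultdict(list)  # host -> timestamps of matches still inside the window
    banned = set()
    for line in lines:
        host = failed_host(line)
        if host is None:
            continue
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)  # syslog has no year
        recent[host] = [t for t in recent[host] if (ts - t).total_seconds() <= findtime] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned


def sasl_fail(ts, ip):  # constructed sample line in the format shown at the top of the page
    return f"{ts} mail10 postfix/smtpd[11722]: warning: unknown[{ip}]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"


SAMPLE_LOG = (  # constructed sample maillog
    [sasl_fail(f"Jul 28 17:05:{s:02d}", "101.69.192.41") for s in (1, 3, 5, 7, 9)]  # 5 failures in 8 s: banned
    + [sasl_fail("Jul 28 17:06:07", "218.108.46.51")]  # a single failure: not banned
    + [sasl_fail(f"Jul 28 17:{m:02d}:{m - 10:02d}", "58.42.247.14") for m in range(10, 15)]  # 61 s apart: never reaches maxretry within findtime
    + ["Jul 28 17:15:00 mail10 postfix/smtpd[11722]: connect from unknown[58.42.247.14]"]  # not a failure line
    + ["Jul 28 17:15:02 mail10 postfix/smtpd[11722]: NOQUEUE: reject: RCPT from unknown[1.2.3.4]: 554 5.7.1 <x@example.com>: Relay access denied"]
)
```

With the postfix jail's settings (maxretry = 5, findtime = 60) only 101.69.192.41 is banned; the slow attacker 58.42.247.14 would only be caught with a longer findtime.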

5. Start fail2ban

# /etc/init.d/fail2ban start

6. The banned IPs can then be viewed with the iptables command

# iptables -L -nv
Chain INPUT (policy DROP 660 packets, 68278 bytes)
 pkts bytes target     prot opt in     out     source               destination
 121M   27G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
1522K   91M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 80,443,25,465,110
 4929  290K ACCEPT     all  --  lo     *       ...

Appendix:
Appendix 1: After restarting iptables you must also restart fail2ban, otherwise fail2ban does not take effect: fail2ban's filter chains are added only after iptables has started.
