Fail2ban does not ban postfix/smtps/smtpd
I have an Ubuntu 20.04 server that receives hundreds of SMTP AUTH requests per day from the same IP on my postfix server. I installed fail2ban, but ironically it fails to ban the IP.
My /etc/fail2ban/jail.local file is (the <snip> bits are personal and business IPs):
[postfix-flood-attack]
enabled = true
bantime = 1h
filter = postfix-flood-attack
action = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath = /var/log/mail.log
ignoreip = <snip> 127.0.0.1/8
maxretry = 3
[postfix]
enabled = true
maxretry = 3
bantime = 1h
filter = postfix[mode=aggressive]
logpath = /var/log/mail.log
ignoreip = <snip> 127.0.0.1/8
[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
logpath = /var/log/mail.log
maxretry = 3
ignoreip = <snip> 127.0.0.1/8
The jail in question is postfix-flood-attack, taken from the bottom of this tutorial. The /etc/fail2ban/filter.d/postfix-flood-attack.conf file is:
[Definition]
failregex = lost connection after AUTH from (.*)\[<HOST>\]
ignoreregex =
My log messages look like:
Aug 15 13:54:45 ikana postfix/smtps/smtpd[268729]: connect from unknown[193.35.48.18]
Aug 15 13:54:46 ikana postfix/smtps/smtpd[268729]: Anonymous TLS connection established from unknown[193.35.48.18]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 15 13:54:50 ikana postfix/smtps/smtpd[268729]: warning: unknown[193.35.48.18]: SASL PLAIN authentication failed:
Aug 15 13:54:50 ikana postfix/smtps/smtpd[268729]: lost connection after AUTH from unknown[193.35.48.18]
Aug 15 13:54:50 ikana postfix/smtps/smtpd[268729]: disconnect from unknown[193.35.48.18] ehlo=1 auth=0/1 commands=1/2
Aug 15 13:54:50 ikana postfix/smtps/smtpd[268729]: connect from unknown[193.35.48.18]
Aug 15 13:54:51 ikana postfix/smtps/smtpd[268729]: Anonymous TLS connection established from unknown[193.35.48.18]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 15 13:54:57 ikana postfix/smtps/smtpd[268729]: lost connection after AUTH from unknown[193.35.48.18]
Aug 15 13:54:57 ikana postfix/smtps/smtpd[268729]: disconnect from unknown[193.35.48.18] ehlo=1 auth=0/1 commands=1/2
Aug 15 13:54:57 ikana postfix/smtps/smtpd[268729]: connect from unknown[193.35.48.18]
Aug 15 13:54:58 ikana postfix/smtps/smtpd[268729]: Anonymous TLS connection established from unknown[193.35.48.18]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 15 13:55:04 ikana postfix/smtps/smtpd[268729]: lost connection after AUTH from unknown[193.35.48.18]
Aug 15 13:55:04 ikana postfix/smtps/smtpd[268729]: disconnect from unknown[193.35.48.18] ehlo=1 auth=0/1 commands=1/2
Aug 15 13:55:04 ikana postfix/smtps/smtpd[268734]: connect from unknown[193.35.48.18]
Aug 15 13:55:05 ikana postfix/smtps/smtpd[268734]: Anonymous TLS connection established from unknown[193.35.48.18]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 15 13:55:09 ikana postfix/smtps/smtpd[268734]: warning: unknown[193.35.48.18]: SASL PLAIN authentication failed:
Aug 15 13:55:09 ikana postfix/smtps/smtpd[268734]: lost connection after AUTH from unknown[193.35.48.18]
Aug 15 13:55:09 ikana postfix/smtps/smtpd[268734]: disconnect from unknown[193.35.48.18] ehlo=1 auth=0/1 commands=1/2
According to fail2ban-regex this should work, but the IP is not banned. The output of the command fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-flood-attack.conf is:
Running tests
=============
Use failregex filter file : postfix-flood-attack, basedir: /etc/fail2ban
Use log file : /var/log/mail.log
Use encoding : UTF-8
Results
=======
Failregex: 5356 total
|- #) [# of hits] regular expression
| 1) [5356] lost connection after AUTH from (.*)\[<HOST>\]
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [37949] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 37949 lines, 0 ignored, 5356 matched, 32593 missed
[processed in 1.43 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 32593 lines
So it finds 5,356 matches in the log and never bans anything. There are usually 8 attempts within the default 10-minute findtime. A snippet of fail2ban-regex with the -v option shows the following matches with timestamps:
...
193.35.48.18 Thu Aug 15 13:50:55 2019
193.35.48.18 Thu Aug 15 13:51:02 2019
193.35.48.18 Thu Aug 15 13:51:10 2019
193.35.48.18 Thu Aug 15 13:51:15 2019
193.35.48.18 Thu Aug 15 13:54:50 2019
193.35.48.18 Thu Aug 15 13:54:57 2019
193.35.48.18 Thu Aug 15 13:55:04 2019
193.35.48.18 Thu Aug 15 13:55:09 2019
193.35.48.18 Thu Aug 15 13:58:40 2019
193.35.48.18 Thu Aug 15 13:58:48 2019
193.35.48.18 Thu Aug 15 13:58:54 2019
193.35.48.18 Thu Aug 15 13:58:59 2019
...
Answer 1
The configuration looks fine, but there is an important detail to notice in the fail2ban-regex output: it determined the dates to be from 2019. It turns out this is a known issue with fail2ban, which they call the TZ issue. After configuring the server to use a specific timezone, you need to restart a bunch of services, or reboot the whole system, for it to take effect properly. Although I can't remember how long it had been, I think I had never rebooted my server since configuring the timezone.
After restarting the syslog service via systemctl restart syslog, fail2ban recognized the log lines with the correct timezone.
Fail2ban immediately identified the log messages within the configured findtime and banned the IP that had been plaguing my server for days. I guess Fail2ban asks syslog for the timezone information rather than using what was set on the machine since the fail2ban-server started.
I hope this helps someone else with a similar problem.
Answer 2
When you use a standard date format, the ambiguity that leads fail2ban to assume these dates are from 2019 does not arise. You can avoid the problem entirely by using ISO 8601; in 2020 you probably have no good reason to stick with the backwards-compatible log format.
Also, on Ubuntu you can probably skip date formatting/parsing altogether by instructing fail2ban to use the systemd journal directly, which provides a plain offset from the epoch with no timezone information (try backend = systemd in the [DEFAULT] block of your local jail configuration).
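An added example, written for this page and not code from fail2ban or from either answer, that replays the question's log lines through the filter's failregex with the jail's maxretry=3 and the default 10-minute findtime. It illustrates both the question (why 5,356 matches can produce zero bans) and Answer 2 (why an explicit RFC 3339 timestamp removes the ambiguity). Year-less syslog stamps are resolved the way fail2ban resolves them: take the current year, and roll back one year if that would place the line in the future. If the zone the parser assumes lags the zone the log was written in, fresh lines look like they are in the future, get stamped with last year, fall outside findtime, and are never counted; that is the "2019" in the fail2ban-regex output. The +02:00 log zone, the "now" of 13:55:10, and the RFC 3339 lines are constructed assumptions; the syslog lines are the ones quoted in the question.

```python
import re
from datetime import datetime, timedelta, timezone

# failregex from the question's filter, with <HOST> expanded to an IPv4 group
# (fail2ban's real <HOST> also accepts IPv6 addresses and hostnames).
FAILREGEX = re.compile(
    r"lost connection after AUTH from (.*)\[(?P<host>\d{1,3}(?:\.\d{1,3}){3})\]")

# Traditional syslog stamp ("Aug 15 13:54:50"): no year, no zone.
SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) ")
# RFC 3339 stamp as rsyslog's RSYSLOG_FileFormat writes it: year and offset are explicit.
ISO_TS = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d{6})?[+-]\d\d:\d\d) ")


def parse_timestamp(line, now, assumed_tz):
    """Return the line's timestamp as an aware datetime, or None if there is none.

    Year-less syslog stamps follow fail2ban's rule: assume the current year,
    but roll back a year if that would put the line in the future.
    """
    m = ISO_TS.match(line)
    if m:
        return datetime.fromisoformat(m["ts"])  # nothing to guess
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    naive = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    ts = naive.replace(year=now.year, tzinfo=assumed_tz)
    if ts > now:
        ts = ts.replace(year=now.year - 1)
    return ts


def first_ban(lines, now, assumed_tz, findtime=timedelta(minutes=10), maxretry=3):
    """Replay lines through a fail2ban-style window; return (ip, time) of the first ban, or None."""
    recent = {}
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue
        ts = parse_timestamp(line, now, assumed_tz)
        if ts is None or now - ts > findtime:
            continue  # stale failure: older than findtime, fail2ban does not count it
        ip = m["host"]
        window = [t for t in recent.get(ip, []) if ts - t <= findtime] + [ts]
        recent[ip] = window
        if len(window) >= maxretry:
            return ip, ts
    return None


# Lines quoted from the question (traditional syslog format).
SYSLOG_LINES = """\
Aug 15 13:54:45 ikana postfix/smtps/smtpd[268729]: connect from unknown[193.35.48.18]
Aug 15 13:54:50 ikana postfix/smtps/smtpd[268729]: warning: unknown[193.35.48.18]: SASL PLAIN authentication failed:
Aug 15 13:54:50 ikana postfix/smtps/smtpd[268729]: lost connection after AUTH from unknown[193.35.48.18]
Aug 15 13:54:57 ikana postfix/smtps/smtpd[268729]: lost connection after AUTH from unknown[193.35.48.18]
Aug 15 13:55:04 ikana postfix/smtps/smtpd[268729]: lost connection after AUTH from unknown[193.35.48.18]
Aug 15 13:55:09 ikana postfix/smtps/smtpd[268734]: lost connection after AUTH from unknown[193.35.48.18]
""".splitlines()

# Assumed: the server's clock and syslog run at UTC+02:00, and "now" is just after the last line.
LOG_TZ = timezone(timedelta(hours=2))
NOW = datetime(2020, 8, 15, 13, 55, 10, tzinfo=LOG_TZ)

# Constructed: the same three failures as RFC 3339 lines, as rsyslog would write them.
ISO_LINES = [
    "2020-08-15T13:54:50.000000+02:00 ikana postfix/smtps/smtpd[268729]: lost connection after AUTH from unknown[193.35.48.18]",
    "2020-08-15T13:54:57.000000+02:00 ikana postfix/smtps/smtpd[268729]: lost connection after AUTH from unknown[193.35.48.18]",
    "2020-08-15T13:55:04.000000+02:00 ikana postfix/smtps/smtpd[268729]: lost connection after AUTH from unknown[193.35.48.18]",
]

if __name__ == "__main__":
    print("syslog, parser in the log's zone:  ", first_ban(SYSLOG_LINES, NOW, LOG_TZ))
    print("syslog, parser two hours behind:   ", first_ban(SYSLOG_LINES, NOW, timezone.utc))
    print("RFC 3339, parser two hours behind: ", first_ban(ISO_LINES, NOW, timezone.utc))
```

With the parser in the right zone the third "lost connection after AUTH" line at 13:55:04 trips maxretry and the ban fires. With the parser's zone two hours behind, 13:54:50 local reads as 13:54:50Z, which is later than the parser's "now" of 11:55:10Z, so the line is rolled back to 2019 and discarded as stale; every line meets the failregex and none is counted. The RFC 3339 lines ban regardless of the parser's assumed zone, because the year and offset are in the line itself.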