Last time I covered using Fail2Ban to defend SSH and FTP against brute-force attacks. Fail2Ban is actually very extensible: as long as a log file records login failures and you write the right regular expression for it, Fail2Ban can act on it. Below are jails that block brute-force attempts against SquirrelMail, POP3, SMTP and Postfix. (I set this up under DirectAdmin (DA); on other setups adjust the logpath locations to match your system.)

1. SquirrelMail protection

Edit the file /etc/fail2ban/jail.conf and add the following:

[squirrelmail-iptables]

enabled = true
filter = squirrelmail
action = iptables[name=SquirrelMail, port=http, protocol=tcp]
logpath = /var/log/maillog
bantime = 3600
findtime = 300
maxretry = 6


In the /etc/fail2ban/filter.d directory, create a file named squirrelmail.conf with the following content:

# Fail2Ban configuration file
#
# Author: Bill Landry
#
# $Revision: 510 $
[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT

failregex = \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT

ignoreregex =

Then edit the file /usr/share/fail2ban/server/datedetector.py and add the following date template between the Apache and Exim entries, so that Fail2Ban can parse SquirrelMail's timestamp format:

# SquirrelMail 09/13/2007 06:43:20
template = DateStrptime()
template.setName("Month/Day/Year Hour:Minute:Second")
template.setRegex(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
template.setPattern("%m/%d/%Y %H:%M:%S")
self.__templates.append(template)

Restart with: service fail2ban restart. If it reports OK, the service is running. To test, simply fail the SquirrelMail login a few times and check whether the ban takes effect.
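To check the filter and jail settings offline before restarting the service, here is an added Python example (not from the original post and not fail2ban's own code) that expands `<HOST>` exactly as the filter comment describes, parses the date with the template above, and applies the jail's findtime/maxretry rule to constructed sample lines; the sample log line format is an assumption modelled on what the failregex expects.

```python
import re
from datetime import datetime, timedelta

# <HOST> is an alias for this group, exactly as the filter comment above says.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"
# failregex from squirrelmail.conf with <HOST> expanded the way fail2ban does.
FAILREGEX = re.compile(r"\[LOGIN_ERROR\].*from " + HOST_RE
                       + r": Unknown user or password incorrect")
# Date template added to datedetector.py above (Month/Day/Year Hour:Minute:Second).
DATE_RE = re.compile(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
DATE_FMT = "%m/%d/%Y %H:%M:%S"

def parse_failures(lines):
    # Yield (timestamp, host) for each line failregex matches; other lines are ignored.
    for line in lines:
        m, d = FAILREGEX.search(line), DATE_RE.search(line)
        if m and d:
            yield datetime.strptime(d.group(0), DATE_FMT), m.group("host")

def matched_hosts(lines):
    return [host for _, host in parse_failures(lines)]

def hosts_to_ban(lines, findtime, maxretry):
    # Jail rule: ban a host once it reaches maxretry failures within findtime seconds.
    recent, banned = {}, set()
    for ts, host in sorted(parse_failures(lines)):
        window = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned

def constructed_line(ts, host, failed=True):
    # Constructed sample line in the SquirrelMail format the filter expects (not real log data).
    stamp = ts.strftime(DATE_FMT)
    if failed:
        return f"{stamp} [LOGIN_ERROR] Login failed from {host}: Unknown user or password incorrect"
    return f"{stamp} [LOGIN] User logged in from {host}"

def demo():
    # findtime=300 / maxretry=6 as in the [squirrelmail-iptables] jail above.
    t0 = datetime(2007, 9, 13, 6, 43, 20)
    lines = [constructed_line(t0 + timedelta(seconds=10 * i), "203.0.113.5") for i in range(6)]
    lines += [constructed_line(t0 + timedelta(seconds=600 * i), "198.51.100.7") for i in range(6)]
    lines += [constructed_line(t0, "::ffff:203.0.113.9"), constructed_line(t0, "203.0.113.9", False)]
    return hosts_to_ban(lines, findtime=300, maxretry=6)
```

demo() returns {'203.0.113.5'}: six failures in 50 seconds trip the jail, six failures spaced 600 seconds apart never fill the window, and the IPv6-mapped address is reduced to its IPv4 form by the `<HOST>` alias. On the server itself, `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/squirrelmail.conf` runs the real filter against the real log.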

2. POP3 protection

Open /etc/fail2ban/jail.conf with vi and add the following:

[POP3]

enabled = true
filter = courierlogin
action = iptables[name=pop3, port=110, protocol=tcp]
logpath = /var/log/maillog
bantime = 3600
findtime = 300
maxretry = 10

Restart Fail2Ban: service fail2ban restart

3. SMTP protection

Open /etc/fail2ban/jail.conf with vi and add the following:

[SMTP]

enabled = true
filter = couriersmtp
action = iptables[name=smtp, port=25:366, protocol=tcp]
logpath = /var/log/maillog
bantime = 3600
findtime = 300
maxretry = 10

Restart Fail2Ban: service fail2ban restart

4. Protection against "User unknown" probing and spam bounce attacks

Add the following to /etc/fail2ban/jail.conf:

[POSTFIX]

enabled = true
filter = postfix
action = iptables[name=postfix, port=25, protocol=tcp]
logpath = /var/log/maillog
bantime = 43200
findtime = 1200
maxretry = 5

Restart Fail2Ban: service fail2ban restart

The core configuration in this article is adapted from:
網絡技術日誌: http://www.hkcode.com/linux-bsd-notes/796
Mine Blog: http://j3j5.com/post-114.html

Tags: DirectAdmin, Linux system security
