Preventing brute-force attacks on Postfix SASL, Courier-IMAP and SSH

Note

This howto was written for Debian Etch.

Installation

apt-get install fail2ban

Adjust the configuration

/etc/fail2ban/jail.local

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]


[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 5

[postfix]

enabled  = false
port     = smtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 5


[courierpop3]

enabled  = true
port     = pop3
filter   = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath  = /var/log/mail.log
maxretry = 5


[courierimap]

enabled  = true
port     = imap2
filter   = courierlogin
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath  = /var/log/mail.log
maxretry = 5

[sasl]

enabled  = true
port     = smtp
filter   = sasl
failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
logpath  = /var/log/mail.log
maxretry = 5

Restart fail2ban

/etc/init.d/fail2ban restart

Check the result

iptables -L -n

Result:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-sasl  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
fail2ban-courierimap  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:143
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
fail2ban-courierpop3  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-courierimap (1 references)
target     prot opt source               destination
RETURN     0    --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-courierpop3 (1 references)
target     prot opt source               destination
RETURN     0    --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-sasl (1 references)
target     prot opt source               destination
RETURN     0    --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     0    --  0.0.0.0/0            0.0.0.0/0

Test

Simply log in 5 times with an existing user and a wrong password. Your IP address should then be blocked for 5 minutes.

Only the affected service should be blocked.

Iptables:

Chain fail2ban-courierimap (1 references)
target     prot opt source               destination
RETURN     0    --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-courierpop3 (1 references)
target     prot opt source               destination
DROP       0    --  62.158.111.222       0.0.0.0/0
RETURN     0    --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-sasl (1 references)
target     prot opt source               destination
RETURN     0    --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     0    --  0.0.0.0/0            0.0.0.0/0

Log entry:

Host was banned:

2007-07-11 21:41:49,063 fail2ban.actions: WARNING [courierpop3] Ban 62.158.111.222

Host was unbanned:

2007-07-11 21:51:49,324 fail2ban.actions: WARNING [courierpop3] Unban 62.158.111.222
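To see what the failregex lines from the jail.local above actually match before relying on them, here is an added example (not part of the original howto or of fail2ban itself) that runs those three patterns over a constructed mail.log excerpt and reports, per jail, which hosts reach maxretry within fail2ban's findtime window. The <HOST> expansion and the findtime default of 600 seconds are assumptions about fail2ban 0.8's behaviour; the sample log lines, host names and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex values copied from the jail.local above; fail2ban replaces the
# <HOST> tag with a named group, which HOST_TAG mirrors (::ffff: prefix allowed).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FAILREGEX = {
    "courierpop3": r"courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]",
    "courierimap": r"imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]",
    "sasl": r"warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
}
COMPILED = {j: re.compile(rx.replace("<HOST>", HOST_TAG)) for j, rx in FAILREGEX.items()}

# Constructed excerpt of /var/log/mail.log (syslog carries no year; 2007 assumed).
SAMPLE_LOG = """\
Jul 11 21:40:01 mail courierpop3login: LOGIN FAILED, user=bob, ip=[::ffff:62.158.111.222]
Jul 11 21:40:20 mail courierpop3login: LOGIN FAILED, user=bob, ip=[::ffff:62.158.111.222]
Jul 11 21:40:41 mail imapd: LOGIN FAILED, user=alice, ip=[::ffff:10.0.0.5]
Jul 11 21:41:02 mail courierpop3login: LOGIN FAILED, user=bob, ip=[::ffff:62.158.111.222]
Jul 11 21:41:15 mail postfix/smtpd[2231]: warning: unknown[192.0.2.7]: SASL PLAIN authentication failed
Jul 11 21:41:30 mail courierpop3login: LOGIN FAILED, user=bob, ip=[::ffff:62.158.111.222]
Jul 11 21:41:48 mail courierpop3login: LOGIN FAILED, user=bob, ip=[::ffff:62.158.111.222]
Jul 11 21:41:50 mail courierpop3login: LOGIN, user=bob, ip=[::ffff:62.158.111.222]
"""

def parse_failures(log, jail, year=2007):
    """Return [(timestamp, host)] for every line matching the jail's failregex."""
    hits = []
    for line in log.splitlines():
        m = COMPILED[jail].search(line)
        if m:
            ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
            hits.append((ts, m.group("host")))
    return hits

def hosts_to_ban(log, jail, maxretry=5, findtime=600):
    """Hosts with at least maxretry failures inside a findtime-second window:
    the ones fail2ban would hand to the iptables action of this jail only.
    findtime is not set in the jail.local above; 600 s is assumed as the default."""
    recent, banned = defaultdict(list), set()
    for ts, host in parse_failures(log, jail):
        recent[host].append(ts)
        # forget failures that fell out of the window relative to this one
        recent[host] = [t for t in recent[host] if ts - t <= timedelta(seconds=findtime)]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned
```

Running hosts_to_ban over each jail shows that only the courierpop3 jail bans 62.158.111.222, matching the separate per-jail chains in the iptables output above.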
