fail2ban

EXIM, sendmail, postfix, Dovecot and others. Solving problems related to running e-mail

yarnik
private
Posts: 12
Registered: 2011-06-17 17:51:37

fail2ban

Post by yarnik » 2011-07-11 18:35:38

I set it up almost as written. I read that the port has a delay, but not to this extent.....
2011-07-11 12:48:12,124 fail2ban.actions: WARNING [exim-ipfw] Ban 114.36.5.210
2011-07-11 13:23:44,909 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:23:46,918 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:23:48,923 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:23:50,929 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:23:52,935 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:23:54,978 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:23:56,983 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:24:01,034 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:24:03,040 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:24:05,045 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:24:07,083 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:24:09,095 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:24:11,101 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:24:13,106 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:24:16,139 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:24:18,143 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:24:20,149 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:24:22,180 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:24:24,234 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:24:26,311 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:24:28,331 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:24:30,336 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:29:06,252 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:29:08,289 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:29:11,296 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:29:13,302 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:29:15,309 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:29:17,329 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:29:19,334 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:29:21,340 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:29:23,346 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:29:25,352 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:29:27,377 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
why does it let him reach the server at all?
in the firewall:
#!/bin/sh
ipfw="/sbin/ipfw -q add"
/sbin/ipfw -q -f flush
${ipfw} check-state

exim_ban_table="table(50)"
sshd_ban_table="table(55)"
dovecot_ban_table="table(60)"
${ipfw} 10 deny ip from ${exim_ban_table} to me
${ipfw} 20 deny ip from ${sshd_ban_table} to me
${ipfw} 30 deny ip from ${dovecot_ban_table} to me
in jail.conf
[dovecot-ipfw]
enabled = true
filter = dovecot
logpath = /var/log/maillog
action = bsd-ipfw[table=60]
findtime = 3600
maxretry = 5
bantime = 36000


yarnik
private
Posts: 12
Registered: 2011-06-17 17:51:37

Re: fail2ban

Post by yarnik » 2011-07-11 18:41:52

oops, I posted the wrong block for jail.conf
here is the right one:
[exim-ipfw]
enabled = true
filter = exim
logpath = /var/log/exim/mainlog
action = bsd-ipfw[table=50]
findtime = 600
maxretry = 5
bantime = 3000000

dmtr
senior warrant officer
Posts: 545
Registered: 2009-11-06 22:01:34
From: Rostov

Re: fail2ban

Post by dmtr » 2011-07-12 10:17:30

could you also show the contents of action.d/bsd-ipfw.conf and

Code:

# ipfw show
This game has no name. It will never be the same.

yarnik
private
Posts: 12
Registered: 2011-06-17 17:51:37

Re: fail2ban

Post by yarnik » 2011-07-12 11:21:43

%ipfw show
00010 3424 173484 deny ip from table(50) to me
00020 1231 88832 deny ip from table(55) to me
00030 2045 96037 deny ip from table(60) to me
00100 0 0 check-state
65535 52711026 40577024062 allow ip from any to an

dmtr
senior warrant officer
Posts: 545
Registered: 2009-11-06 22:01:34
From: Rostov

Re: fail2ban

Post by dmtr » 2011-07-12 11:40:24

why do you have to be persuaded?
show the file action.d/bsd-ipfw.conf and

Code:

ipfw table 50 list
confirm that the IP is in the firewall's blocking rules and that fail2ban is adding addresses there correctly.
This game has no name. It will never be the same.

yarnik
private
Posts: 12
Registered: 2011-06-17 17:51:37

Re: fail2ban

Post by yarnik » 2011-07-12 12:29:32

%ipfw table 50 list
strange, it's not there......
/var/log/fail2ban.log
2011-07-11 13:43:46,643 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:43:48,680 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 13:43:50,687 fail2ban.actions: WARNING [exim-ipfw] 114.42.31.21 already banned
2011-07-11 14:15:55,150 fail2ban.actions: WARNING [exim-ipfw] Ban 114.36.94.109
2011-07-11 14:52:53,773 fail2ban.actions: WARNING [dovecot-ipfw] Unban 60.174.152.50
2011-07-11 14:54:28,625 fail2ban.actions: WARNING [dovecot-ipfw] Unban 218.22.171.246
2011-07-11 17:15:56,778 fail2ban.actions: WARNING [ssh-ipfw] Ban 120.138.17.6
2011-07-11 17:15:56,798 fail2ban.actions: WARNING [ssh-ipfw] 120.138.17.6 already banned
2011-07-11 18:42:55,179 fail2ban.actions: WARNING [ssh-ipfw] Unban 190.41.123.164
2011-07-11 20:07:30,159 fail2ban.actions: WARNING [ssh-ipfw] Unban 201.44.155.3
2011-07-11 21:00:36,576 fail2ban.actions: WARNING [ssh-ipfw] Ban 77.43.59.194
2011-07-11 21:27:46,829 fail2ban.actions: WARNING [ssh-ipfw] Ban 80.48.242.131
2011-07-11 21:38:01,581 fail2ban.actions: WARNING [ssh-ipfw] Ban 89.149.223.21
2011-07-11 21:46:44,026 fail2ban.actions: WARNING [dovecot-ipfw] Unban 77.105.35.77
2011-07-12 00:00:01,075 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2011-07-12 00:00:01,075 fail2ban.filter : INFO Log rotation detected for /var/log/maillog
2011-07-12 00:01:23,270 fail2ban.filter : ERROR Unable to get stat on /var/log/exim/mainlog
2011-07-12 00:01:24,272 fail2ban.filter : INFO Log rotation detected for /var/log/exim/mainlog
2011-07-12 00:02:00,807 fail2ban.filter : INFO Log rotation detected for /var/log/exim/mainlog
2011-07-12 03:15:57,470 fail2ban.actions: WARNING [ssh-ipfw] Unban 120.138.17.6
2011-07-12 05:46:16,501 fail2ban.actions: WARNING [exim-ipfw] Ban 114.42.19.189
2011-07-12 06:40:03,392 fail2ban.actions: WARNING [exim-ipfw] Ban 114.36.13.167
2011-07-12 07:00:37,501 fail2ban.actions: WARNING [ssh-ipfw] Unban 77.43.59.194
2011-07-12 07:23:44,538 fail2ban.actions: WARNING [exim-ipfw] Ban 114.36.15.45
2011-07-12 07:24:22,646 fail2ban.actions: WARNING [exim-ipfw] Ban 114.36.90.231
2011-07-12 07:27:47,170 fail2ban.actions: WARNING [ssh-ipfw] Unban 80.48.242.131
2011-07-12 07:38:02,121 fail2ban.actions: WARNING [ssh-ipfw] Unban 89.149.223.21
2011-07-12 07:43:30,047 fail2ban.actions: WARNING [ssh-ipfw] Ban 219.232.236.17
2011-07-12 08:03:52,040 fail2ban.actions: WARNING [exim-ipfw] Ban 114.36.91.74
although this probably happened when I cleared the tables a couple of days before that, but did not reset the counters.
if that is so, then thanks for helping me figure it out.
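
Added example (not from the thread, and not fail2ban's own code): a Python check that rebuilds what a jail believes is banned from fail2ban.log and compares it with the output of `ipfw table 50 list`, the comparison dmtr asks for above. The function names and the sample log and table lines are constructed for illustration, and the addresses are documentation ranges.

```python
import re

# Matches fail2ban.actions lines in the format shown in the thread's log.
EVENT_RE = re.compile(
    r"^\S+ \S+ fail2ban\.actions\s*: WARNING \[(?P<jail>[^\]]+)\] "
    r"(?:(?P<verb>Ban|Unban) (?P<ip>\S+)|(?P<ip2>\S+) already banned)$"
)

def fail2ban_view(log_lines, jail):
    """Return {ip: already_banned_count} for IPs the jail thinks are banned."""
    banned = {}
    for line in log_lines:
        m = EVENT_RE.match(line.strip())
        if not m or m.group("jail") != jail:
            continue
        if m.group("verb") == "Ban":
            banned.setdefault(m.group("ip"), 0)
        elif m.group("verb") == "Unban":
            banned.pop(m.group("ip"), None)
        else:
            # "already banned": new failures logged from an IP fail2ban holds
            # as banned, so its packets are still reaching the service.
            ip = m.group("ip2")
            banned[ip] = banned.get(ip, 0) + 1
    return banned

def table_entries(table_output):
    """Parse `ipfw table N list` lines ("a.b.c.d/32 0") into a set of hosts."""
    ips = set()
    for line in table_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        addr, _, prefix = fields[0].partition("/")
        if prefix in ("", "32"):  # assumption: only host entries are compared
            ips.add(addr)
    return ips

def desync(log_lines, table_output, jail):
    """IPs the jail considers banned but that are absent from the ipfw table."""
    present = table_entries(table_output)
    return {ip: n for ip, n in fail2ban_view(log_lines, jail).items()
            if ip not in present}

# Constructed sample input, not data from the thread.
SAMPLE_LOG = """\
2011-07-11 12:48:12,124 fail2ban.actions: WARNING [exim-ipfw] Ban 192.0.2.10
2011-07-11 13:23:44,909 fail2ban.actions: WARNING [exim-ipfw] 198.51.100.21 already banned
2011-07-11 13:23:46,918 fail2ban.actions: WARNING [exim-ipfw] 198.51.100.21 already banned
2011-07-11 14:52:53,773 fail2ban.actions: WARNING [dovecot-ipfw] Unban 203.0.113.50
2011-07-11 17:15:56,778 fail2ban.actions: WARNING [ssh-ipfw] Ban 203.0.113.6
""".splitlines()
SAMPLE_TABLE = "192.0.2.10/32 0\n192.0.2.99/32 0\n"
```

An address returned by `desync` is one that fail2ban holds as banned while the table it is supposed to populate no longer contains it, which is the state the thread ends on after the tables were cleared by hand.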