# Install fail2ban.
# NOTE(review): on RHEL-family systems the package normally comes from EPEL,
# not the base repositories — confirm that repository is enabled first.
dnf install fail2ban

# Start fail2ban automatically at boot.
systemctl enable fail2ban
# The next two lines are pasted output of the command above, not commands.
  Created symlink /etc/systemd/system/multi-user.target.wants/fail2ban.service → 
/usr/lib/systemd/system/fail2ban.service.
# Service control commands; presumably a reference list rather than a sequence.
# After editing jail.local, reload or restart so the change is applied, then
# check status for configuration errors.
systemctl start fail2ban
systemctl status fail2ban
systemctl restart fail2ban
systemctl reload fail2ban

sendmail コマンドが qmail のものへリンクされていることを必ず確認すること(下の ls で確認)

ls -l /usr/*/sendmail

vi /etc/fail2ban/jail.local

# NOTE(review): loglevel is a fail2ban server option that belongs in
# /etc/fail2ban/fail2ban.local; placed in jail.local it is presumably not
# applied to the server — confirm with `fail2ban-client get loglevel`.
[Definition]
loglevel = INFO

# Defaults inherited by every jail in this file unless the jail overrides them.
[DEFAULT]
# 3456000 s = 40 days of ban history kept in the database.
# NOTE(review): dbpurgeage is a server option normally set in
# /etc/fail2ban/fail2ban.local — confirm it takes effect from jail.local.
dbpurgeage = 3456000
# Addresses that are never banned: loopback, one public /29 and one private /24.
# Keep this list as small as possible; failed logins from these ranges are
# never blocked.
ignoreip = 127.0.0.1/8 153.231.230.72/29 192.168.10.0/24
# Ban for 1 day after 3 failures within 10 minutes.
bantime  = 1d
findtime  = 10m
maxretry = 3
backend = auto

# Ban through firewalld, using ipsets for per-port bans.
banaction = firewallcmd-ipset
banaction_allports = firewallcmd-allports

# NOTE(review): blocktype is normally an [Init] parameter of the action file;
# confirm that the rule created after a ban really uses DROP, otherwise set it
# in an action .local file.
blocktype = DROP

# Notification mail is sent to destemail through the local sendmail binary.
destemail = root@74.myeki.com
sendername = Fail2Ban78
mta = sendmail
# action_mwl = ban, then mail a whois report plus the matching log lines.
# Those log lines can contain account names, so treat the mailbox as sensitive.
action = %(action_mwl)s

# SSH jail using the sshd filter.
# %(sshd_log)s is not defined in this file; it is resolved from fail2ban's own
# path definitions. bantime/findtime/maxretry come from [DEFAULT].
[sshd]
enabled = true
port = ssh
filter   = sshd
logpath = %(sshd_log)s
backend = auto

# FTP jail matching audit-style records in /var/log/messages that end in
# "terminal=ftp res=failed'".
# NOTE(review): no filter is named here, so a default filter from the stock
# jail.conf may also apply — check the active patterns with
# `fail2ban-client get vsftpd failregex`.
# NOTE(review): the pattern starts with ".*" and is only anchored at the end;
# consider anchoring it on the expected log prefix so unrelated lines that end
# the same way cannot trigger a ban.
[vsftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
failregex = .* addr=<HOST> terminal=ftp res=failed'\s*$
logpath = /var/log/messages
backend = auto

# SMTP authentication jail for vchkpw (vpopmail) failures in the mail log.
# Every failregex line is anchored at the end of the line, so <HOST> is taken
# from the last field. The continuation lines must stay indented.
# NOTE(review): confirm the active patterns with
# `fail2ban-client get qmail failregex`.
[qmail]
enabled = true
port = smtp,smtps,submission
failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>\s*$
            vchkpw-smtp: password fail .*:<HOST>\s*$
            vchkpw-smtps: vpopmail user not found .*:<HOST>\s*$
            vchkpw-smtps: password fail .*:<HOST>\s*$
logpath = /var/log/maillog
backend = auto
# A single failure bans for the [DEFAULT] bantime (1d), so one mistyped
# password locks a legitimate user out. NOTE(review): confirm this is intended.
maxretry = 1

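# POP3 jail for vchkpw "user not found" failures in the mail log.
# Uses a longer window than [DEFAULT]: 3 failures within 1 day ban for 1 week.
# NOTE(review): filter = qmail-pop needs a matching filter file under
# /etc/fail2ban/filter.d — confirm it exists.
[qmail-pop]
enabled = true
filter = qmail-pop
port = pop3,pop3s
failregex = vchkpw-pop: vpopmail user not found .*:<HOST>\s*$
logpath = /var/log/maillog
backend = auto
bantime  = 1w
findtime = 1d
# Was "maxentry", which is not a fail2ban option and was silently ignored;
# the threshold key is maxretry.
maxretry = 3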

# Bans clients that appear in an rblsmtpd log line, after a single line
# (maxretry = 1). bantime and findtime come from [DEFAULT].
# Notifications for this jail go to a different destemail than [DEFAULT].
# No backend is set here, so the [DEFAULT] backend applies.
[qmail-rbl]
enabled = true
destemail = shimada-o@myeki.com
port    = smtp,465,submission
failregex = .* rblsmtpd: <HOST> .*\s*$
logpath = /var/log/maillog
maxretry = 1

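# IMAP jail using the dovecot filter on /var/log/secure:
# 5 failures within 15 minutes ban for 1 week.
# NOTE(review): only the imaps port is blocked; if dovecot also serves other
# ports on this host, a banned address can still reach them — confirm.
[dovecot]
enabled = true
filter = dovecot
port    = imaps
logpath = /var/log/secure
bantime = 1w
findtime = 15m
# Was "maxentry", which is not a fail2ban option, so the [DEFAULT] value of 3
# applied instead of the 5 written here; the threshold key is maxretry.
maxretry = 5
backend = auto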

# Webmail login-failure jail using the roundcube-auth filter.
# bantime/findtime/maxretry come from [DEFAULT].
# NOTE(review): confirm the installed Roundcube writes failed logins to this
# errors.log; if they go to another file this jail never triggers.
[roundcube-auth]
enabled = true
filter  = roundcube-auth
port     = http,https
logpath  = /var/log/roundcubemail/errors.log

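# Repeat-offender jail: 6 matches within 1 day lead to a permanent ban.
# bantime = -1 never expires, so removal is manual
# (`fail2ban-client set recidive unbanip <IP>`); make sure administrative
# addresses are covered by ignoreip before relying on it.
# NOTE(review): no logpath or banaction is set here — presumably inherited from
# the stock jail.conf; confirm with `fail2ban-client get recidive logpath`.
[recidive]
enabled = true
filter   = recidive
bantime  = -1
findtime = 1d
# Was "maxentry", which is not a fail2ban option, so the [DEFAULT] value of 3
# applied instead of the 6 written here; the threshold key is maxretry.
maxretry = 6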

・firewalld を使う場合の banaction はこちら

banaction = firewallcmd-ipset
banaction_allports = firewallcmd-allports
dir /etc/fail2ban/filter.d
vi /etc/fail2ban/jail.local

・BAN を解除してアクセスを許可

fail2ban-client set sshd unbanip 192.168.2.120

・指定IPアドレスをBAN

# fail2ban-client set <フィルター名(jail名)> banip <IPアドレス>

  例:SSH用に作成したフィルター規則でIPアドレス「10.8.25.2」をBAN(SSH用の場合は sshd を指定する。下のコマンドは recidive を指定している)

  # fail2ban-client set recidive banip 10.8.25.2

・指定IPアドレスをBAN解除

# fail2ban-client set <フィルター名(jail名)> unbanip <IPアドレス>
# fail2ban-client set recidive unbanip 118.69.134.204

・状況確認

fail2ban-client status
fail2ban-client status sshd
fail2ban-client status vsftpd
fail2ban-client status qmail
fail2ban-client status qmail-rbl
fail2ban-client status dovecot
fail2ban-client status recidive

・各 jail がログを監視しているか確認

fail2ban-client get sshd logpath
fail2ban-client get vsftpd logpath
fail2ban-client get qmail logpath
fail2ban-client get qmail-rbl logpath
fail2ban-client get dovecot logpath
fail2ban-client get recidive logpath

・確認(firewalld / ipset の場合)

ipset --list
ipset --list f2b-qmail
ipset --list f2b-recidive

・確認(iptables の場合)

iptables -L f2b-qmail -v -n
iptables -L f2b-recidive -v -n

・フィルターの動作確認

# Sanity check of host extraction: the pattern is just "<HOST>".
fail2ban-regex /var/log/httpd/access_log "<HOST>"
# NOTE(review): %(prefix)s is config-file interpolation syntax; passed on the
# command line it is presumably taken as literal regex text, and the [qmail]
# failregex lines in jail.local have no prefix at all — confirm that these two
# commands test the same patterns the jail actually uses.
fail2ban-regex /var/log/maillog "%(prefix)s vchkpw-smtp: vpopmail user not found .*:<HOST>\s*$"
fail2ban-regex /var/log/maillog "%(prefix)s vchkpw-smtp: password fail .*:<HOST>\s*$"
