#author("2024-07-16T16:42:01+09:00","","")
#author("2024-07-18T09:27:21+09:00","","")
dnf install fail2ban
 systemctl enable fail2ban
   Created symlink /etc/systemd/system/multi-user.target.wants/fail2ban.service → 
 /usr/lib/systemd/system/fail2ban.service.
 systemctl start fail2ban
 systemctl status fail2ban
 systemctl restart fail2ban
 systemctl reload fail2ban

qmailのリンクを必ず確認すること
 ls -l /usr/*/sendmail

vi /etc/fail2ban/jail.local

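 # jail.local: site overrides for the fail2ban jails. Values in [DEFAULT] apply
 # to every jail below unless that jail sets its own.
 #
 # NOTE(review): loglevel and dbpurgeage are server settings that fail2ban
 # normally reads from fail2ban.conf / fail2ban.local rather than from the jail
 # files. Confirm they take effect from here with
 # "fail2ban-client get loglevel" and "fail2ban-client get dbpurgeage".
 [Definition]
 loglevel = INFO
 
 [DEFAULT]
 dbpurgeage = 3456000
 # Addresses listed here are never banned, whatever they do, so keep the list
 # as narrow as possible.
 ignoreip = 127.0.0.1/8 153.231.230.72/29 192.168.10.0/24
 # Default policy: 3 failures within 10 minutes -> banned for 1 day.
 bantime  = 1d
 findtime  = 10m
 maxretry = 3
 backend = auto
 
 # Bans are applied through firewalld (ipset-backed actions).
 banaction = firewallcmd-ipset
 banaction_allports = firewallcmd-allports
 
 blocktype = DROP
 
 # action_mwl: ban, then mail destemail a report with whois data and the
 # matching log lines.
 destemail = root@74.myeki.com
 sendername = Fail2Ban78
 mta = sendmail
 action = %(action_mwl)s
 
 [sshd]
 enabled = true
 port = ssh
 filter   = sshd
 logpath = %(sshd_log)s
 backend = auto
 
 # FTP login failures, matched on lines in /var/log/messages that end with
 # "terminal=ftp res=failed'".
 [vsftpd]
 enabled = true
 port = ftp,ftp-data,ftps,ftps-data
 failregex = .* addr=<HOST> terminal=ftp res=failed'\s*$
 logpath = /var/log/messages
 backend = auto
 
 # SMTP authentication failures logged by vchkpw (unknown user or bad password).
 [qmail]
 enabled = true
 port = smtp,smtps,submission
 failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>\s*$
             vchkpw-smtp: password fail .*:<HOST>\s*$
             vchkpw-smtps: vpopmail user not found .*:<HOST>\s*$
             vchkpw-smtps: password fail .*:<HOST>\s*$
 logpath = /var/log/maillog
 backend = auto
 # maxretry was given twice in this section (1, then 3). A repeated key is
 # ambiguous and may be rejected as a duplicate option when the file is parsed,
 # so only the later value is left active.
 # maxretry = 1
 maxretry = 3
 
 # POP3 logins for unknown users: banned for 1 week, counted over 1 day.
 # NOTE(review): "filter = qmail-pop" refers to a filter file under
 # /etc/fail2ban/filter.d that is not shown here -- confirm it exists.
 [qmail-pop]
 enabled = true
 filter = qmail-pop
 port = pop3,pop3s
 failregex = vchkpw-pop: vpopmail user not found .*:<HOST>\s*$
 logpath = /var/log/maillog
 backend = auto
 bantime  = 1w
 findtime = 1d
 # Was "maxentry"; fail2ban has no such option, the key is maxretry.
 maxretry = 3
 
 # Clients rejected by rblsmtpd are banned on the first hit; reports for this
 # jail go to a separate address.
 [qmail-rbl]
 enabled = true
 destemail = shimada-o@myeki.com
 port    = smtp,465,submission
 failregex = .* rblsmtpd: <HOST> .*\s*$
 logpath = /var/log/maillog
 maxretry = 1
 
 [dovecot]
 enabled = true
 filter = dovecot
 port    = imaps
 logpath = /var/log/secure
 bantime = 1w
 findtime = 15m
 # Was "maxentry"; fail2ban has no such option, so the intended threshold of 5
 # was presumably not applied and the [DEFAULT] maxretry was used instead.
 maxretry = 5
 backend = auto
 
 [roundcube-auth]
 enabled = true
 filter  = roundcube-auth
 port     = http,https
 logpath  = /var/log/roundcubemail/errors.log
 
 # Repeat offenders: hosts banned repeatedly by the other jails within 1 day.
 # bantime = -1 makes the ban permanent; it is only lifted by a manual
 # "fail2ban-client set recidive unbanip <IP>".
 [recidive]
 enabled = true
 filter   = recidive
 bantime  = -1
 findtime = 1d
 # Was "maxentry"; fail2ban has no such option, the key is maxretry.
 maxretry = 6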

・firewalld を使う場合の banaction はこちら
 banaction = firewallcmd-ipset
 banaction_allports = firewallcmd-allports

 dir /etc/fail2ban/filter.d
 vi /etc/fail2ban/jail.local

アクセス許可
 fail2ban-client set sshd unbanip 192.168.2.120

・指定IPアドレスをBAN
 # fail2ban-client set <ジェイル名> banip <IPアドレス>
  例:作成済みのジェイル(ここでは recidive)でIPアドレス「10.8.25.2」をBAN
   # fail2ban-client set recidive banip 10.8.25.2

・指定IPアドレスをBAN解除
 # fail2ban-client set <ジェイル名> unbanip <IPアドレス>
 # fail2ban-client set recidive unbanip 118.69.134.204

・状況確認
 fail2ban-client status
 fail2ban-client status sshd
 fail2ban-client status vsftpd
 fail2ban-client status qmail
 fail2ban-client status qmail-rbl
 fail2ban-client status dovecot
 fail2ban-client status recidive

・ログ見てるか確認
 fail2ban-client get sshd logpath
 fail2ban-client get vsftpd logpath
 fail2ban-client get qmail logpath
 fail2ban-client get qmail-rbl logpath
 fail2ban-client get dovecot logpath
 fail2ban-client get recidive logpath

・確認(firewalld / ipset)
 ipset --list
 ipset --list f2b-qmail
 ipset --list f2b-recidive

・確認(iptables)※ f2b-<ジェイル名> チェインは iptables 系の banaction を使う場合に作られる。firewallcmd-ipset の場合は上の ipset で確認する
 iptables -L f2b-qmail -v -n
 iptables -L f2b-recidive -v -n

・フィルターの動作確認
 fail2ban-regex /var/log/httpd/access_log "<HOST>"
 fail2ban-regex /var/log/maillog "%(prefix)s vchkpw-smtp: vpopmail user not found .*:<HOST>\s*$"
 fail2ban-regex /var/log/maillog "%(prefix)s vchkpw-smtp: password fail .*:<HOST>\s*$"
