Fail2Ban
1 Preface
One problem, one article, one story.
Our production environment uses a Postfix mail server. I would like to receive a warning email once a user's mail reaches a certain count within one minute, and for now I do not use this option to ban the sender.
For the Postfix mail server environment you can refer to the following section,
2 Best Practices
2.1 Environment
Please refer to the following section to install Fail2Ban
2.2 Configure Fail2Ban
2.2.1 Create the filter rule
vim /etc/fail2ban/filter.d/postfix-client-connect.conf
Add the following configuration,
[Definition]
failregex = ^.* .* postfix/smtpd\[.*\]: .*: client=.*\[<HOST>\]
ignoreregex =
2.2.2 Define the jail configuration
vim /etc/fail2ban/jail.local
Add the following configuration,
[DEFAULT]
ignoreself = true
ignoreip = 127.0.0.1/8
bantime = 1h
findtime = 1m
maxretry = 5
destemail = will@cmdschool.org, jeff@cmdschool.org
sender = postman@cmdschool.org
sendername = Fail2ban
mta = sendmail
action = %(action_mwl)s

[postfix-client-connect]
enabled = true
filter = postfix-client-connect
logpath = /var/log/maillog
maxretry = 300
findtime = 60
bantime = 60
port = 25
action = %(action_mwl)s
After changing the configuration, you need to restart the service for it to take effect,
systemctl restart fail2ban.service
systemctl status fail2ban.service
2.2.3 Test the configuration
We recommend stress testing with the following method; you need to send more than 300 emails in a row,
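As an added example (not code from this page or from fail2ban itself), the following Python script replays constructed maillog lines through the page's failregex and a sliding findtime window, so you can see which client would cross maxretry = 300 within findtime = 60 before sending 300 real messages. The pattern substituted for <HOST>, the host name mx1, the queue id, and the client addresses are assumptions or constructed values; fail2ban's own <HOST> expansion and window bookkeeping are more elaborate than this simulation.

```python
"""Simulation of the postfix-client-connect jail over constructed log lines.
Added example; not fail2ban's code. It shows how the filter's failregex and
the jail's maxretry/findtime interact on a burst versus a slow trickle."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex from the page's filter.d/postfix-client-connect.conf
FAILREGEX = r"^.* .* postfix/smtpd\[.*\]: .*: client=.*\[<HOST>\]"
# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the real
# pattern is broader and also strips IPv4-mapped IPv6 prefixes).
HOST_PATTERN = r"(?P<host>[0-9A-Za-z:.\-]+)"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))

# Jail parameters from the page's [postfix-client-connect] section.
MAXRETRY = 300
FINDTIME = 60  # seconds


def parse_syslog_time(line):
    """Parse the leading 'Mon DD HH:MM:SS' syslog timestamp (no year)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def evaluate_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay log lines through the filter and a sliding findtime window.

    Returns (matches_per_host, banned_hosts): total failregex hits per
    client, and the set of clients that accumulated maxretry hits inside
    some findtime-second window, which is when fail2ban fires the action.
    """
    window = defaultdict(deque)
    matches = defaultdict(int)
    banned = set()
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue  # ignored by the filter, e.g. disconnect lines
        host = m.group("host")
        ts = parse_syslog_time(line)
        matches[host] += 1
        q = window[host]
        q.append(ts)
        # Drop hits older than findtime relative to the newest hit.
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return dict(matches), banned


def make_sample_log(host, count, span_seconds, start="Mar 10 12:00:00"):
    """Constructed maillog lines: `count` connects from `host` spread evenly
    over `span_seconds`, plus one unrelated disconnect line the filter skips."""
    base = datetime.strptime(start, "%b %d %H:%M:%S").replace(year=2024)
    lines = []
    for i in range(count):
        ts = base + timedelta(seconds=i * span_seconds // count)
        stamp = ts.strftime("%b %d %H:%M:%S")
        lines.append(f"{stamp} mx1 postfix/smtpd[1234]: 3AB12C45DE: "
                     f"client=unknown[{host}]")
    lines.append(f"{start} mx1 postfix/smtpd[1234]: disconnect from "
                 f"unknown[{host}] ehlo=1 quit=1 commands=2")
    return lines


if __name__ == "__main__":
    burst = make_sample_log("10.168.0.152", 300, 50)   # 300 hits in 50 s
    slow = make_sample_log("10.168.0.20", 300, 120)    # 300 hits in 120 s
    print("burst:", evaluate_jail(burst))   # banned
    print("slow: ", evaluate_jail(slow))    # not banned: no 60 s window holds 300
```

The two runs illustrate why findtime matters as much as maxretry: the same 300 connections trigger the action only when they fall inside one 60-second window. On a real host, `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-client-connect.conf` checks the filter against the actual log with fail2ban's own <HOST> handling.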
2.2.4 Check the service status
fail2ban-client status postfix-client-connect
You should see the following,
Status for the jail: postfix-client-connect
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     300
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   10.168.0.152
2.2.5 Check the firewall status
firewall-cmd --list-all
You should see the following,
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: cockpit dhcpv6-client smtp ssh
  ports: 10000/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="10.168.0.152" port port="25" protocol="tcp" reject type="icmp-port-unreachable"
If the firewall uses iptables, you can check with the following command,
iptables -L -n -v
You should see the following,
Chain INPUT (policy ACCEPT 24409 packets, 4111K bytes)
 pkts bytes target                      prot opt in     out     source               destination
  381  126K f2b-postfix-client-connect  6    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target                      prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target                      prot opt in     out     source               destination

Chain f2b-postfix-client-connect (1 references)
 pkts bytes target                      prot opt in     out     source               destination
    0     0 REJECT                      0    --  *      *       10.168.0.152         0.0.0.0/0            reject-with icmp-port-unreachable
  381  126K RETURN                      0    --  *      *       0.0.0.0/0            0.0.0.0/0
If you use iptables, you may also need to adjust the ban rule; otherwise the whole IP is blocked on every port rather than only on port 25,
vim /etc/fail2ban/action.d/iptables.conf
Modify the following configuration,
#actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
actionban = <iptables> -I f2b-<name> 1 -p tcp --dport <port> -s <ip> -j <blocktype>
#actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
actionunban = <iptables> -D f2b-<name> -p tcp --dport <port> -s <ip> -j <blocktype>
The rules above are changed to ban only the given port. After changing the configuration, you need to restart the service for it to take effect,
systemctl restart fail2ban.service