Fixing the fail2ban regexes for exim
In the /var/log/exim4/mainlog log, suspicious entries of the following kind (unexpectedly) turned up:
2017-02-23 20:58:44 dovecot_login authenticator failed for (User) [91.200.12.125]: 535 Incorrect authentication data (set_id=miriam)
2017-02-23 21:04:12 dovecot_login authenticator failed for (ХХХ.ХХХ.ХХХ.ХХХ) [155.133.82.141]: 535 Incorrect authentication data (set_id=trade)
2017-02-23 21:05:32 dovecot_login authenticator failed for (User) [91.200.12.125]: 535 Incorrect authentication data (set_id=mission)
2017-02-23 21:10:54 dovecot_login authenticator failed for (ХХХ.ХХХ.ХХХ.ХХХ) [155.133.82.141]: 535 Incorrect authentication data (set_id=train)
2017-02-23 21:12:21 dovecot_login authenticator failed for (User) [91.200.12.125]: 535 Incorrect authentication data (set_id=mix)
2017-02-23 21:17:33 dovecot_login authenticator failed for (ХХХ.ХХХ.ХХХ.ХХХ) [155.133.82.141]: 535 Incorrect authentication data (set_id=trainer)
where ХХХ.ХХХ.ХХХ.ХХХ is the IP of my server.
Moreover, fail2ban does not ban these addresses, even though the rate exceeds the one set in /etc/fail2ban/jail.local.
In the end, after a long search, I was helped to find the cause of the problem:
the regexes in the file /etc/fail2ban/filter.d/jail.local do not match these lines.
[Definition]
failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
            ^%(pid)s (plain|login) authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
            ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
            ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
            ^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
After removing the expression '^%(pid)s ' from the regexes (on the advice of more experienced colleagues), everything started working. I added the converted expressions and left the old ones in place, just to be safe.
Here is what came out:
modified /etc/fail2ban/filter.d/exim.conf:
# Fail2Ban filter for exim
#
# This includes the rejection messages of exim. For spam and filter
# related bans use the exim-spam.conf
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# exim-common.local
before = exim-common.conf

[Definition]

failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
            ^%(pid)s (plain|login) authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
            ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
            ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
            ^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
            %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
            (plain|login) authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
            %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
            SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
            SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$

ignoreregex =

# DEV Notes:
# The %(host_info)s definition contains a <HOST> match
#
# SMTP protocol synchronization error \([^)]*\) <- This needs to be non-greedy
# to avoid capturing beyond ")" and a DoS injection vulnerability, as input= is
# user-injectable data.
#
# Author: Cyril Jaquier
# Daniel Black (rewrote with strong regexs)
Hope it helps someone.
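An added example, not part of the post above and not fail2ban's own code: the script below replays the "authenticator failed" rule over log lines modelled on the ones in the post, in the way fail2ban applies a failregex (strip the matched timestamp, then search the remainder). It compares the original anchored rule, the author's unanchored copy, and a third variant of my own that keeps the `^` anchor but accepts any authenticator name (such as `dovecot_login`) in front of "authenticator failed". The `pid` and `<HOST>` expansions are assumed to mirror fail2ban's `exim-common.conf` and its `<HOST>` substitution; check them against your installed version. The server address `203.0.113.10` stands in for the post's ХХХ.ХХХ.ХХХ.ХХХ, and the log lines are constructed for the example.

```python
import re

# Assumed expansions, mirroring fail2ban's exim-common.conf (verify locally).
PID = r"( \[\d+\])?"
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"   # what fail2ban substitutes for <HOST>

# Constructed sample of /var/log/exim4/mainlog, modelled on the post.
# 203.0.113.10 stands in for the author's server address.
SAMPLE_LOG = """\
2017-02-23 20:58:44 dovecot_login authenticator failed for (User) [91.200.12.125]: 535 Incorrect authentication data (set_id=miriam)
2017-02-23 21:04:12 dovecot_login authenticator failed for (203.0.113.10) [155.133.82.141]: 535 Incorrect authentication data (set_id=trade)
2017-02-23 21:05:32 login authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=mission)
2017-02-23 21:05:40 [12345] plain authenticator failed for (User) [198.51.100.8]: 535 Incorrect authentication data (set_id=bob)
2017-02-23 21:06:00 <= bob@example.org H=mail.example.org [198.51.100.9] P=esmtps X=TLS1.2 S=1234
"""

# exim's default timestamp; fail2ban cuts the matched date out and keeps the rest.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# The rule as shipped in the post's exim.conf ...
ORIGINAL = (r"^%(pid)s (plain|login) authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: "
            r"535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$")
# ... the author's change: drop the anchor and the pid prefix ...
UNANCHORED = ORIGINAL.replace("^%(pid)s ", "", 1)
# ... and my suggestion: keep the anchor, accept any authenticator name.
ANCHORED_ANY_AUTH = ORIGINAL.replace("(plain|login) ", r"(?:[\w\-]+ )?", 1)


def compile_failregex(template):
    """Expand %(pid)s and <HOST> as fail2ban does, then compile."""
    pattern = template % {"pid": PID}
    return re.compile(pattern.replace("<HOST>", HOST), re.MULTILINE)


def strip_date(line):
    """Remove the matched timestamp; the remainder (leading space included) is searched."""
    m = DATE_RE.match(line)
    return line[:m.start()] + line[m.end():] if m else line


def matched_hosts(template, log=SAMPLE_LOG):
    """Return the <host> captured by `template` for every log line it matches, in order."""
    regex = compile_failregex(template)
    hits = []
    for line in log.splitlines():
        m = regex.search(strip_date(line))
        if m:
            hits.append(m.group("host"))
    return hits


if __name__ == "__main__":
    for name, template in (("original", ORIGINAL),
                           ("unanchored (post)", UNANCHORED),
                           ("anchored, any authenticator", ANCHORED_ANY_AUTH)):
        print(f"{name:30s} -> {matched_hosts(template)}")
```

The original rule misses the `dovecot_login` lines because it requires `plain` or `login` immediately after the optional pid, while the unanchored copy matches them only because "login" happens to be a suffix of "dovecot_login", and it turns the rule into a substring search. The anchored variant catches the same lines while keeping the start-of-line anchor the DEV note relies on for the `input=` case. Whatever variant you settle on, verify it against the real log with `fail2ban-regex /var/log/exim4/mainlog /etc/fail2ban/filter.d/exim.conf` before restarting fail2ban.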