Installing fail2ban to filter vpopmail brute-force password attacks

2023-12-11, Monday


Installation is simply yum install -y fail2ban; this post mainly records some configuration details.

1. Main configuration file

# vi /etc/fail2ban/fail2ban.conf
logtarget = /var/log/fail2ban.log

2. Add the filter

# vi /etc/fail2ban/filter.d/vpopmail.conf
# Fail2Ban filter vpopmail authentication
#
[INCLUDES]
before = common.conf

[Definition]
_daemon = vpopmail
# ^%(__prefix_line)svchkpw-smtp: vpopmail user not found .*@:<HOST>
failregex = ^%(__prefix_line)svchkpw-smtp: vpopmail user not found .*@:<HOST>
            ^%(__prefix_line)svchkpw-(smtp|submission): password fail.*@.*:<HOST>
ignoreregex =

3. Register vpopmail

# vi /etc/fail2ban/jail.conf
[vpopmail]
enabled = true
filter  = vpopmail
action  = iptables-multiport[name=vpopmail,port="25,465,587"]
logpath = /var/log/maillog

4. Check the filter status

[root@localhost fail2ban]#  fail2ban-client status vpopmail
Status for the jail: vpopmail
|- filter
|  |- File list:        /var/log/maillog
|  |- Currently failed: 0
|  `- Total failed:     0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     0

Now you can copy a few log records into a.txt and test the filter against them.

[root@localhost fail2ban]# fail2ban-regex a.txt /etc/fail2ban/filter.d/vpopmail.conf

Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/vpopmail.conf
Use         log file : a.txt

Results
=======

Failregex: 3 total
|-  #) [# of hits] regular expression
|   1) [1] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?vpopmail(?:\(\S+\))?[\]\)]?:?|[\[\(]?vpopmail(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*vchkpw-smtp: vpopmail user not found .*@:<HOST>
|   2) [2] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?vpopmail(?:\(\S+\))?[\]\)]?:?|[\[\(]?vpopmail(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*vchkpw-(smtp|submission): password fail.*@.*:<HOST>
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [3] MONTH Day Hour:Minute:Second
`-

Lines: 3 lines, 0 ignored, 3 matched, 0 missed

All three lines are matched here (3 matched, 0 missed); you can change the rules or the log records yourself to debug.

# The 3 records used for testing here
Nov 15 07:26:08 localhost vpopmail[27693]: vchkpw-smtp: password fail (pass: 'Ab123321') [email protected]:112.123.54.250
Nov 15 14:36:26 localhost vpopmail[26443]: vchkpw-smtp: vpopmail user not found ligj@:111.181.33.91
Nov 15 07:18:10 localhost vpopmail[24302]: vchkpw-submission: password fail (pass: '12345a') [email protected]:46.183.221.123
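As an added example (not part of the original post and not fail2ban's own code), the following Python code mimics what fail2ban-regex does with the two failregex lines above, so the filter can be regression-tested together with lines it must not match. The timestamp stripping, the `PREFIX` stand-in for `__prefix_line`, the IPv4-only `HOST` expansion and the sample log lines are simplified assumptions constructed for illustration.

```python
import re
from collections import Counter

# Simplified stand-ins (assumptions) for fail2ban's timestamp removal,
# __prefix_line from common.conf, and the <HOST> tag (IPv4 only here).
DATE = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
PREFIX = r"\s*\S+ vpopmail\[\d+\]:\s*"
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two failregex lines from vpopmail.conf on this page.
FAILREGEX = [
    r"^%(__prefix_line)svchkpw-smtp: vpopmail user not found .*@:<HOST>",
    r"^%(__prefix_line)svchkpw-(smtp|submission): password fail.*@.*:<HOST>",
]

# Constructed sample lines in the page's log format (documentation IPs).
SAMPLE = [
    "Nov 15 07:26:08 localhost vpopmail[27693]: vchkpw-smtp: password fail (pass: 'x') alice@example.com:192.0.2.10",
    "Nov 15 07:26:09 localhost vpopmail[27694]: vchkpw-submission: password fail (pass: 'y') alice@example.com:192.0.2.10",
    "Nov 15 14:36:26 localhost vpopmail[26443]: vchkpw-smtp: vpopmail user not found bob@:198.51.100.7",
    "Nov 15 14:40:00 localhost vpopmail[26500]: vchkpw-smtp: (PLAIN) login success alice@example.com:203.0.113.5",
    "Nov 15 14:41:00 localhost vpopmail[26501]: vchkpw-pop3: password fail (pass: 'z') alice@example.com:192.0.2.10",
]

def compile_filter(patterns):
    """Expand the fail2ban placeholders and compile each pattern."""
    return [re.compile(p.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST))
            for p in patterns]

def scan(lines, patterns=FAILREGEX):
    """Return (hits per IP, hits per rule number, lines that matched no rule)."""
    rules = compile_filter(patterns)
    per_ip, per_rule, missed = Counter(), Counter(), []
    for line in lines:
        body = DATE.sub("", line)  # match against the line without its timestamp
        for number, rule in enumerate(rules, 1):
            match = rule.search(body)
            if match:
                per_ip[match.group("host")] += 1
                per_rule[number] += 1
                break
        else:
            missed.append(line)
    return per_ip, per_rule, missed

if __name__ == "__main__":
    per_ip, per_rule, missed = scan(SAMPLE)
    print("hits per IP:", dict(per_ip))
    print("hits per rule:", dict(per_rule))
    print("missed:", *missed, sep="\n  ")
```

The successful login is correctly left unmatched, and the `vchkpw-pop3` failure is also reported as missed because the second failregex only covers `smtp` and `submission`, in line with the jail's ports 25, 465 and 587.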
