5 October 2017

Debian Fail2Ban installation and configuration notes

Installation
apt-get install fail2ban

Configuration file
/etc/fail2ban/fail2ban.conf

Check that the log target is set:
logtarget = /var/log/fail2ban.log

cp jail.conf jail.local    (run inside /etc/fail2ban)
Edit jail.local only; leave the original file untouched.
Settings in jail.local override those in jail.conf.

Notes
ignoreip = 127.0.0.1/8 192.168.1.0/24 (space-separated)
bantime = 600 (seconds)
maxretry = 10 (number of failures before a ban)

Adding dovecot

[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
logpath = /var/log/dovecot (check where the log file actually is)
maxretry = 10

/etc/fail2ban/filter.d/dovecot.conf
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =

/etc/fail2ban/filter.d/sasl.conf
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/ ]*={0,2})?$
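To see what the settings above add up to (the ignoreip and maxretry rules from the Notes section and the two failregex lines from dovecot.conf and sasl.conf), here is an added Python example; it is not from the original notes or from the fail2ban project. It expands the <HOST> placeholder the way fail2ban does, runs both failregex patterns over constructed log lines, counts failures per host, and returns the hosts each jail would ban. All log lines and IP addresses are made up; the findtime window that the real daemon also applies is deliberately left out.

```python
"""Replay of the jail decision fail2ban makes: match log lines with a failregex,
count failures per host, skip ignoreip ranges, ban at maxretry.
Added example; the log lines below are constructed, not real server output."""
import ipaddress
import re
from collections import Counter

# fail2ban expands the <HOST> placeholder found in filter files to this pattern.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex lines from the two filter files in the notes above
FAILREGEX = {
    "dovecot": r"(?: pop3-login|imap-login): .*(?:Authentication failure"
               r"|Aborted login \(auth failed|Aborted login \(tried to use disabled"
               r"|Disconnected \(auth failed).*rip=(?P<host>\S*),.*",
    "sasl": r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
            r" authentication failed(: [A-Za-z0-9+/ ]*={0,2})?$",
}

# jail.local values from the notes
IGNOREIP = ["127.0.0.1/8", "192.168.1.0/24"]
MAXRETRY = 10


def compile_failregex(pattern):
    """Expand <HOST> the way fail2ban does and compile the regex."""
    return re.compile(pattern.replace("<HOST>", HOST))


def failed_hosts(lines, regex):
    """Return the host captured from every line the failregex matches."""
    hosts = []
    for line in lines:
        m = regex.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def is_ignored(host, ignoreip):
    """True if host lies inside any ignoreip entry (non-IP hosts are never ignored)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def hosts_to_ban(lines, pattern, ignoreip=IGNOREIP, maxretry=MAXRETRY):
    """Hosts whose failure count reaches maxretry, excluding ignoreip ranges."""
    counts = Counter(failed_hosts(lines, compile_failregex(pattern)))
    return sorted(h for h, n in counts.items()
                  if n >= maxretry and not is_ignored(h, ignoreip))


# Constructed sample log lines (not real server output)
DOVECOT_FAIL = ("Oct  5 10:12:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): "
                "user=<bob>, method=PLAIN, rip={ip}, lip=192.0.2.10, TLS")
DOVECOT_OK = ("Oct  5 10:12:05 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, "
              "rip=203.0.113.9, lip=192.0.2.10, TLS")
SASL_FAIL = ("Oct  5 10:13:44 mail postfix/smtpd[2201]: warning: unknown[{ip}]: "
             "SASL LOGIN authentication failed: UGFzc3dvcmQ6")

DOVECOT_LOG = ([DOVECOT_FAIL.format(ip="203.0.113.7")] * 10      # reaches maxretry -> ban
               + [DOVECOT_FAIL.format(ip="192.168.1.50")] * 12   # in ignoreip -> never banned
               + [DOVECOT_OK])                                   # successful login, no match
MAIL_LOG = ([SASL_FAIL.format(ip="198.51.100.23")] * 3           # below maxretry -> not banned
            + [SASL_FAIL.format(ip="198.51.100.77")] * 10)       # reaches maxretry -> ban

if __name__ == "__main__":
    print("dovecot jail would ban:", hosts_to_ban(DOVECOT_LOG, FAILREGEX["dovecot"]))
    print("sasl jail would ban:", hosts_to_ban(MAIL_LOG, FAILREGEX["sasl"]))
```

The successful-login line is included on purpose: a failregex that also matched successful logins would ban legitimate users, which is exactly what running fail2ban-regex against a real log file (next section) is meant to catch before the jail is enabled.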
=========
Testing the rules
Example 1
fail2ban-regex /var/log/dovecot /etc/fail2ban/filter.d/dovecot.conf

Example 2
fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf

Example 3
fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf