Working around a Fail2ban malfunction
2018-01-05 18:52:23,986 fail2ban.action [761]: ERROR iptables -D fail2ban-postfix-sasl -s 91.200.12.174 -j REJECT --reject-with icmp-port-unreachable -- stdout: b''
At the end of the year I discovered that Fail2ban had stopped working. I searched Google afterwards and found not a single Japanese page about it.
I still don't know what the actual cause is, but I finally found something on an overseas site, tried it on Postfix-SASL only, and it worked.
Here is that workaround.


First, the error log.
2017-12-27 20:45:14,204 fail2ban.filter [22428]: INFO [postfix-sasl] Found 185.222.209.14
2017-12-27 22:36:45,858 fail2ban.filter [22428]: INFO [proftpd] Found 91.200.12.53
2017-12-27 23:14:15,220 fail2ban.filter [22428]: INFO [postfix-sasl] Found 185.222.209.14
2017-12-28 01:42:50,392 fail2ban.filter [22428]: INFO [proftpd] Found 164.132.91.13
2017-12-28 01:43:20,085 fail2ban.filter [22428]: INFO [postfix-sasl] Found 185.222.209.14
2017-12-28 01:43:21,036 fail2ban.actions [22428]: NOTICE [postfix-sasl] Ban 185.222.209.14
2017-12-28 01:43:21,635 fail2ban.action [22428]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-postfix-sasl[ \t]' -- stdout: b''
2017-12-28 01:43:21,636 fail2ban.action [22428]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-postfix-sasl[ \t]' -- stderr: b''
2017-12-28 01:43:21,637 fail2ban.action [22428]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-postfix-sasl[ \t]' -- returned 1
2017-12-28 01:43:21,637 fail2ban.CommandAction [22428]: ERROR Invariant check failed. Trying to restore a sane environment
2017-12-28 01:43:21,965 fail2ban.action [22428]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-postfix-sasl[ \t]' -- stdout: b''
2017-12-28 01:43:21,965 fail2ban.action [22428]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-postfix-sasl[ \t]' -- stderr: b''
2017-12-28 01:43:21,965 fail2ban.action [22428]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-postfix-sasl[ \t]' -- returned 1
2017-12-28 01:43:21,980 fail2ban.CommandAction [22428]: CRITICAL Unable to restore environment
2017-12-28 01:43:21,995 fail2ban.actions [22428]: ERROR Failed to execute ban jail 'postfix-sasl' action 'iptables-multiport' info 'CallingMap({'ipmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7f0e76160c80>, 'time': 1514393001.023401, 'matches': 'Dec 27 20:45:14 sir-2 postfix/smtpd[31675]: warning: unknown[185.222.209.14]: SASL LOGIN authentication failed: UGFzc3dvcmQ6\nDec 27 23:14:15 sir-2 postfix/smtpd[1090]: warning: unknown[185.222.209.14]: SASL LOGIN authentication failed: UGFzc3dvcmQ6\nDec 28 01:43:20 sir-2 postfix/smtpd[3132]: warning: unknown[185.222.209.14]: SASL LOGIN authentication failed: UGFzc3dvcmQ6', 'failures': 3, 'ip': '185.222.209.14', 'ipfailures': <function Actions.__checkBan.<locals>.<lambda> at 0x7f0e76160f28>, 'ipjailmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7f0e76160d90>, 'ipjailfailures': <function Actions.__checkBan.<locals>.<lambda> at 0x7f0e76160bf8>})': Error banning 185.222.209.14
2017-12-28 01:53:21,697 fail2ban.actions [22428]: NOTICE [postfix-sasl] Unban 185.222.209.14

It looks like banning the IP is failing.


So I changed [postfix-sasl] in /etc/fail2ban/jail.conf to the following.
[postfix-sasl]

port = smtp,465,submission,imap3,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = %(postfix_log)s
backend = %(postfix_backend)s
enabled = true
action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission,imap3,imaps,pop3,pop3s", protocol=tcp]

In short: delete `protocol=tcp`.
I restarted the service with this and decided to keep an eye on it.

Even with this, it still fails.
2018-01-05 18:41:31,160 fail2ban.action [761]: ERROR iptables -D INPUT -p tcp -m multiport --dports smtp,smtps,submission,imap3,imaps,pop3,pop3s -j fail2ban-postfix-sasl
iptables -F fail2ban-postfix-sasl
iptables -X fail2ban-postfix-sasl -- stdout: b''
2018-01-05 18:41:31,160 fail2ban.action [761]: ERROR iptables -D INPUT -p tcp -m multiport --dports smtp,smtps,submission,imap3,imaps,pop3,pop3s -j fail2ban-postfix-sasl
iptables -F fail2ban-postfix-sasl
iptables -X fail2ban-postfix-sasl -- stderr: b"iptables v1.6.0: invalid port/service `imap3' specified\nTry `iptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"
2018-01-05 18:41:31,161 fail2ban.action [761]: ERROR iptables -D INPUT -p tcp -m multiport --dports smtp,smtps,submission,imap3,imaps,pop3,pop3s -j fail2ban-postfix-sasl
iptables -F fail2ban-postfix-sasl
iptables -X fail2ban-postfix-sasl -- returned 1
2018-01-05 18:41:31,161 fail2ban.actions [761]: ERROR Failed to execute unban jail 'postfix-sasl' action 'iptables-multiport' info '{'failures': 3, 'matches': 'Jan 5 16:56:45 sir-2 postfix/smtpd[12722]: warning: unknown[91.200.12.215]: SASL LOGIN authentication failed: UGFzc3dvcmQ6Jan 5 17:48:32 sir-2 postfix/smtpd[13447]: warning: unknown[91.200.12.215]: SASL LOGIN authentication failed: VXNlcm5hbWU6Jan 5 18:40:43 sir-2 postfix/smtpd[14488]: warning: unknown[91.200.12.215]: SASL LOGIN authentication failed: UGFzc3dvcmQ6', 'ip': '91.200.12.215', 'time': 1515145243.3979373}': Error stopping action
2018-01-05 18:41:31,372 fail2ban.action [761]: ERROR iptables -D INPUT -p tcp -m multiport --dports smtp,smtps,submission,imap3,imaps,pop3,pop3s -j fail2ban-postfix-sasl
iptables -F fail2ban-postfix-sasl
iptables -X fail2ban-postfix-sasl -- stdout: b''
2018-01-05 18:41:31,373 fail2ban.action [761]: ERROR iptables -D INPUT -p tcp -m multiport --dports smtp,smtps,submission,imap3,imaps,pop3,pop3s -j fail2ban-postfix-sasl
iptables -F fail2ban-postfix-sasl
iptables -X fail2ban-postfix-sasl -- stderr: b"iptables v1.6.0: invalid port/service `imap3' specified\nTry `iptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"
2018-01-05 18:41:31,373 fail2ban.action [761]: ERROR iptables -D INPUT -p tcp -m multiport --dports smtp,smtps,submission,imap3,imaps,pop3,pop3s -j fail2ban-postfix-sasl
iptables -F fail2ban-postfix-sasl
iptables -X fail2ban-postfix-sasl -- returned 1
2018-01-05 18:41:31,373 fail2ban.actions [761]: ERROR Failed to stop jail 'postfix-sasl' action 'iptables-multiport': Error stopping action
2018-01-05 18:41:31,373 fail2ban.jail [761]: INFO Jail 'postfix-sasl' stopped
2018-01-05 18:41:32,528 fail2ban.action [761]: ERROR iptables -D INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j fail2ban-proftpd
iptables -F fail2ban-proftpd
iptables -X fail2ban-proftpd -- stdout: b''
2018-01-05 18:41:32,531 fail2ban.action [761]: ERROR iptables -D INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j fail2ban-proftpd
iptables -F fail2ban-proftpd
iptables -X fail2ban-proftpd -- stderr: b"iptables v1.6.0: Couldn't load target `fail2ban-proftpd':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"
2018-01-05 18:41:32,532 fail2ban.action [761]: ERROR iptables -D INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j fail2ban-proftpd
iptables -F fail2ban-proftpd
iptables -X fail2ban-proftpd -- returned 1
2018-01-05 18:41:32,532 fail2ban.actions [761]: ERROR Failed to stop jail 'proftpd' action 'iptables-multiport': Error stopping action
2018-01-05 18:41:32,532 fail2ban.jail [761]: INFO Jail 'proftpd' stopped

Apparently specifying the ports with multiport is not good.
So I changed [postfix-sasl] in /etc/fail2ban/jail.conf to the following.
[postfix-sasl]

port = smtp,465,submission,imap3,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = %(postfix_log)s
backend = %(postfix_backend)s
enabled = true
action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission,imap3,imaps,pop3,pop3s"]
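
Both action lines on this page, with and without `protocol=tcp`, keep `imap3` in the port list, and `imap3` is the token iptables rejected in the log above (`iptables v1.6.0: invalid port/service 'imap3' specified`). iptables turns service names into numbers through the host's /etc/services, and that message is how it reports a name it cannot resolve; one unresolvable name aborts the whole multiport rule. Dropping `protocol=tcp` does not touch that, and tcp is already the iptables-multiport action's default protocol, so the parameter was a no-op either way. The script below is an added example, not the post's own configuration and not anything shipped with fail2ban: it resolves a `port=` list the way iptables will, names the entries that would abort the rule, and emits an action line with numeric ports so the rule no longer depends on what the host's services file contains. `SERVICES_TABLE` is a constructed stand-in for /etc/services, and the value 220 used in place of `imap3` is the IANA assignment for that service; both are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the post): check a fail2ban iptables-multiport port list
# the way iptables will, before restarting the service.
#
# SERVICES_TABLE is a constructed excerpt standing in for /etc/services. It has no
# imap3 entry, which reproduces the "invalid port/service `imap3'" failure in the
# post's log. On a live host, point resolve_port at /etc/services instead.
SERVICES_TABLE='# name      port/proto  aliases
smtp        25/tcp      mail
smtps       465/tcp
submission  587/tcp
imap2       143/tcp     imap
imaps       993/tcp
pop3        110/tcp     pop-3
pop3s       995/tcp
ftp         21/tcp
ftp-data    20/tcp
ftps        990/tcp
ftps-data   989/tcp'

# resolve_port NAME: print the TCP port number for NAME. Numbers pass through
# untouched; names are looked up by primary name or alias. Returns 1 when the
# name is unknown, mirroring iptables' "invalid port/service" failure.
resolve_port() {
    name=$1
    case $name in
        *[!0-9]*|'') ;;                         # contains a non-digit: look it up
        *) printf '%s\n' "$name"; return 0 ;;   # already numeric
    esac
    # On a real host: awk -v n="$name" '...' /etc/services
    port=$(printf '%s\n' "$SERVICES_TABLE" | awk -v n="$name" '
        /^#/ || NF < 2 { next }
        {
            split($2, a, "/")
            if (a[2] != "tcp") next
            if ($1 == n) { print a[1]; exit }
            for (i = 3; i <= NF; i++) if ($i == n) { print a[1]; exit }
        }')
    [ -n "$port" ] || return 1
    printf '%s\n' "$port"
}

# check_multiport LIST: LIST is the comma-separated value given to port= in the
# action line. Prints the same list with every entry numeric, or names the entries
# iptables would reject on stderr and returns 1 (no partial list is printed).
check_multiport() {
    oldifs=$IFS; IFS=,; set -- $1; IFS=$oldifs
    good=; bad=
    for entry; do
        if num=$(resolve_port "$entry"); then
            good="${good:+$good,}$num"
        else
            bad="${bad:+$bad,}$entry"
        fi
    done
    if [ -n "$bad" ]; then
        printf 'invalid port/service: %s\n' "$bad" >&2
        return 1
    fi
    printf '%s\n' "$good"
}

# action_line NAME LIST: emit a jail.conf action= line with numeric ports, so the
# rule no longer depends on which names the host's /etc/services happens to know.
action_line() {
    ports=$(check_multiport "$2") || return 1
    printf 'action = iptables-multiport[name=%s, port="%s", protocol=tcp]\n' "$1" "$ports"
}

# Demonstration: the list from the post's action line fails on imap3 exactly as the
# fail2ban log did; the same list with imap3 written as its number (220, the IANA
# assignment; an assumption of this example) passes and yields a usable line.
check_multiport "smtp,smtps,submission,imap3,imaps,pop3,pop3s" \
    || echo "fix the port list before restarting fail2ban"
action_line postfix-sasl "smtp,smtps,submission,220,imaps,pop3,pop3s"
```

Run it against the `port=` value of every jail before a restart or `fail2ban-client reload`; a list that fails here makes the jail's iptables start action fail the same way, so no chain is created for it and every later ban and unban for that jail errors out.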


That seems to have had some effect, but it still isn't right.
2018-01-05 18:49:58,241 fail2ban.filter [761]: INFO [postfix-sasl] Found 91.200.12.210
2018-01-05 18:50:37,061 fail2ban.filter [761]: INFO [postfix-sasl] Found 91.200.12.217
2018-01-05 18:50:48,464 fail2ban.filter [761]: INFO [postfix-sasl] Found 91.200.12.220
2018-01-05 18:51:20,084 fail2ban.filter [761]: INFO [postfix-sasl] Found 91.200.12.204
2018-01-05 18:51:45,461 fail2ban.filter [761]: INFO [postfix-sasl] Found 91.200.12.219
2018-01-05 18:52:23,746 fail2ban.actions [761]: NOTICE [postfix-sasl] Unban 91.200.12.174
2018-01-05 18:52:23,986 fail2ban.action [761]: ERROR iptables -D fail2ban-postfix-sasl -s 91.200.12.174 -j REJECT --reject-with icmp-port-unreachable -- stdout: b''
2018-01-05 18:52:23,987 fail2ban.action [761]: ERROR iptables -D fail2ban-postfix-sasl -s 91.200.12.174 -j REJECT --reject-with icmp-port-unreachable -- stderr: b'iptables: No chain/target/match by that name.\n'
2018-01-05 18:52:23,987 fail2ban.action [761]: ERROR iptables -D fail2ban-postfix-sasl -s 91.200.12.174 -j REJECT --reject-with icmp-port-unreachable -- returned 1
2018-01-05 18:52:23,987 fail2ban.actions [761]: ERROR Failed to execute unban jail 'postfix-sasl' action 'iptables-multiport' info '{'failures': 3, 'matches': 'Jan 5 17:04:26 sir-2 postfix/smtpd[12817]: warning: unknown[91.200.12.174]: SASL LOGIN authentication failed: UGFzc3dvcmQ6Jan 5 17:49:52 sir-2 postfix/smtpd[13447]: warning: unknown[91.200.12.174]: SASL LOGIN authentication failed: UGFzc3dvcmQ6Jan 5 18:36:08 sir-2 postfix/smtpd[14208]: warning: unknown[91.200.12.174]: SASL LOGIN authentication failed: UGFzc3dvcmQ6', 'ip': '91.200.12.174', 'time': 1515145343.4443443}': Error unbanning 91.200.12.174
2018-01-05 18:52:24,989 fail2ban.actions [761]: NOTICE [postfix-sasl] Unban 91.200.12.207
2018-01-05 18:52:25,207 fail2ban.action [761]: ERROR iptables -D fail2ban-postfix-sasl -s 91.200.12.207 -j REJECT --reject-with icmp-port-unreachable -- stdout: b''
2018-01-05 18:52:25,207 fail2ban.action [761]: ERROR iptables -D fail2ban-postfix-sasl -s 91.200.12.207 -j REJECT --reject-with icmp-port-unreachable -- stderr: b'iptables: No chain/target/match by that name.\n'
2018-01-05 18:52:25,208 fail2ban.action [761]: ERROR iptables -D fail2ban-postfix-sasl -s 91.200.12.207 -j REJECT --reject-with icmp-port-unreachable -- returned 1
2018-01-05 18:52:25,208 fail2ban.actions [761]: ERROR Failed to execute unban jail 'postfix-sasl' action 'iptables-multiport' info '{'failures': 3, 'matches': 'Jan 5 17:05:43 sir-2 postfix/smtpd[12817]: warning: unknown[91.200.12.207]: SASL LOGIN authentication failed: UGFzc3dvcmQ6Jan 5 17:50:50 sir-2 postfix/smtpd[13447]: warning: unknown[91.200.12.207]: SASL LOGIN authentication failed: UGFzc3dvcmQ6Jan 5 18:36:27 sir-2 postfix/smtpd[14208]: warning: unknown[91.200.12.207]: SASL LOGIN authentication failed: UGFzc3dvcmQ6', 'ip': '91.200.12.207', 'time': 1515145344.2789757}': Error unbanning 91.200.12.207
2018-01-05 18:52:26,210 fail2ban.actions [761]: NOTICE [postfix-sasl] Unban 91.200.12.209
2018-01-05 18:52:26,424 fail2ban.action [761]: ERROR iptables -D fail2ban-postfix-sasl -s 91.200.12.209 -j REJECT --reject-with icmp-port-unreachable -- stdout: b''
2018-01-05 18:52:26,425 fail2ban.action [761]: ERROR iptables -D fail2ban-postfix-sasl -s 91.200.12.209 -j REJECT --reject-with icmp-port-unreachable -- stderr: b'iptables: No chain/target/match by that name.\n'
2018-01-05 18:52:26,425 fail2ban.action [761]: ERROR iptables -D fail2ban-postfix-sasl -s 91.200.12.209 -j REJECT --reject-with icmp-port-unreachable -- returned 1
2018-01-05 18:52:26,425 fail2ban.actions [761]: ERROR Failed to execute unban jail 'postfix-sasl' action 'iptables-multiport' info '{'failures': 3, 'matches': 'Jan 5 17:05:28 sir-2 postfix/smtpd[12817]: warning: unknown[91.200.12.209]: SASL LOGIN authentication failed: UGFzc3dvcmQ6Jan 5 17:50:55 sir-2 postfix/smtpd[13483]: warning: unknown[91.200.12.209]: SASL LOGIN authentication failed: UGFzc3dvcmQ6Jan 5 18:36:56 sir-2 postfix/smtpd[14208]: warning: unknown[91.200.12.209]: SASL LOGIN authentication failed: UGFzc3dvcmQ6', 'ip': '91.200.12.209', 'time': 1515145345.1067364}': Error unbanning 91.200.12.209
2018-01-05 18:52:26,425 fail2ban.actions [761]: NOTICE [postfix-sasl] Unban 91.200.12.215
2018-01-05 18:52:26,650 fail2ban.action [761]: ERROR iptables -D fail2ban-postfix-sasl -s 91.200.12.215 -j REJECT --reject-with icmp-port-unreachable -- stdout: b''
2018-01-05 18:52:26,651 fail2ban.action [761]: ERROR iptables -D fail2ban-postfix-sasl -s 91.200.12.215 -j REJECT --reject-with icmp-port-unreachable -- stderr: b'iptables: No chain/target/match by that name.\n'
2018-01-05 18:52:26,652 fail2ban.action [761]: ERROR iptables -D fail2ban-postfix-sasl -s 91.200.12.215 -j REJECT --reject-with icmp-port-unreachable -- returned 1
2018-01-05 18:52:26,652 fail2ban.actions [761]: ERROR Failed to execute unban jail 'postfix-sasl' action 'iptables-multiport' info '{'failures': 3, 'matches': 'Jan 5 16:56:45 sir-2 postfix/smtpd[12722]: warning: unknown[91.200.12.215]: SASL LOGIN authentication failed: UGFzc3dvcmQ6Jan 5 17:48:32 sir-2 postfix/smtpd[13447]: warning: unknown[91.200.12.215]: SASL LOGIN authentication failed: VXNlcm5hbWU6Jan 5 18:40:43 sir-2 postfix/smtpd[14488]: warning: unknown[91.200.12.215]: SASL LOGIN authentication failed: UGFzc3dvcmQ6', 'ip': '91.200.12.215', 'time': 1515145345.9329934}': Error unbanning 91.200.12.215

Still, since it is banning properly, I'll keep running it this way for the time being.
The errors come from `iptables -D`, the command that removes the IP in question from a particular chain, so I figure a permanent ban for IPs that are up to no good is fine.
So if anyone thinks "no, that's wrong!", corrections welcome.
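
One caveat a reader should take from the last log block before relying on a "permanent ban": every unban error there says `iptables: No chain/target/match by that name`. That is iptables reporting that the chain `fail2ban-postfix-sasl` itself does not exist, not that one rule in it is missing (a missing rule in an existing chain is reported as "Bad rule"). If the chain is absent, the ban rules fail2ban believes it inserted are not in the ruleset either; fail2ban keeps the IP on its own ban list regardless, which is why the Unban notice for 185.222.209.14 still fires ten minutes after its ban was reported as `Error banning`. The December log shows the same thing from the other side: the invariant check `iptables -w -n -L INPUT | grep -q 'f2b-postfix-sasl[ \t]'` returned 1, so INPUT had no jump to the jail's chain, and the restore attempt failed. The check a practitioner wants here is to reconcile fail2ban's log with the live ruleset. The script below is an added example, not code from the post or from fail2ban: `ban_outcomes` counts, per jail, how many Ban notices were reported as `Error banning` and how many unbans failed, and `chain_present` reads `iptables -S` output and confirms that the jail's chain both exists and is jumped to from INPUT. The sample log lines and rules are constructed (192.0.2.0/24 is documentation address space) in the formats quoted on this page; the chain name is a parameter because the December log uses `f2b-postfix-sasl` and the January one `fail2ban-postfix-sasl`.

```shell
#!/bin/sh
# Added example (not from the post): reconcile what fail2ban logged with what
# iptables actually has.
#   ban_outcomes  - per jail, count Ban notices, failed bans and failed unbans in
#                   fail2ban.log lines read from stdin
#   chain_present - read `iptables -S` output from stdin; succeed only if CHAIN is
#                   defined and INPUT jumps to it
# All sample data below is constructed; the line formats follow the post's logs.

SAMPLE_LOG=$(cat <<'EOF'
2018-01-05 18:52:23,746 fail2ban.actions [761]: NOTICE [postfix-sasl] Ban 192.0.2.10
2018-01-05 18:52:23,987 fail2ban.actions [761]: ERROR Failed to execute ban jail 'postfix-sasl' action 'iptables-multiport' info '...': Error banning 192.0.2.10
2018-01-05 18:55:10,120 fail2ban.actions [761]: NOTICE [proftpd] Ban 192.0.2.11
2018-01-05 19:02:24,989 fail2ban.actions [761]: NOTICE [postfix-sasl] Unban 192.0.2.12
2018-01-05 19:02:25,208 fail2ban.actions [761]: ERROR Failed to execute unban jail 'postfix-sasl' action 'iptables-multiport' info '...': Error unbanning 192.0.2.12
EOF
)

# What `iptables -w -S` looks like when the jail's start action succeeded ...
SAMPLE_RULES_OK=$(cat <<'EOF'
-P INPUT ACCEPT
-N f2b-postfix-sasl
-A INPUT -p tcp -m multiport --dports 25,465,587,993,110,995 -j f2b-postfix-sasl
-A f2b-postfix-sasl -s 192.0.2.10/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -j RETURN
EOF
)
# ... and when it failed, as in the post: no chain, no jump, nothing enforced.
SAMPLE_RULES_BROKEN='-P INPUT ACCEPT'

# ban_outcomes: output one line per jail,
#   "<jail> bans=<n> ban_errors=<n> unban_errors=<n>"
# A jail whose ban_errors equals its bans has never blocked anything.
ban_outcomes() {
    awk '
        /fail2ban\.actions.*NOTICE \[.*\] Ban / {
            jail = $0; sub(/.*NOTICE \[/, "", jail); sub(/\].*/, "", jail)
            bans[jail]++; seen[jail] = 1
        }
        /fail2ban\.actions.*ERROR Failed to execute ban jail / {
            jail = $0; sub(/.*ban jail ./, "", jail); sub(/[^A-Za-z0-9_.-].*/, "", jail)
            ban_err[jail]++; seen[jail] = 1
        }
        /fail2ban\.actions.*ERROR Failed to execute unban jail / {
            jail = $0; sub(/.*ban jail ./, "", jail); sub(/[^A-Za-z0-9_.-].*/, "", jail)
            unban_err[jail]++; seen[jail] = 1
        }
        END {
            for (j in seen)
                printf "%s bans=%d ban_errors=%d unban_errors=%d\n",
                       j, bans[j] + 0, ban_err[j] + 0, unban_err[j] + 0
        }' | sort
}

# chain_present CHAIN: exit 0 only if "-N CHAIN" exists and some INPUT rule ends
# in "-j CHAIN". Either one missing means bans in that chain cannot take effect.
chain_present() {
    awk -v c="$1" '
        $1 == "-N" && $2 == c { defined = 1 }
        $1 == "-A" && $2 == "INPUT" && $(NF-1) == "-j" && $NF == c { jumped = 1 }
        END { exit !(defined && jumped) }'
}

# Demonstration on the constructed samples. On a live host use:
#   ban_outcomes < /var/log/fail2ban.log
#   iptables -w -S | chain_present f2b-postfix-sasl
printf '%s\n' "$SAMPLE_LOG" | ban_outcomes
for rules in "$SAMPLE_RULES_OK" "$SAMPLE_RULES_BROKEN"; do
    if printf '%s\n' "$rules" | chain_present f2b-postfix-sasl; then
        echo "f2b-postfix-sasl: chain exists and INPUT jumps to it"
    else
        echo "f2b-postfix-sasl: chain missing, bans fail2ban records are not enforced"
    fi
done
```

Compare the result of `chain_present` with `fail2ban-client status postfix-sasl`: the client reports the IPs fail2ban has on its ban list, and when the chain is absent that list is the only place the ban exists.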

Posted by いぐぅ 06:00 | System::linux | comments (0) | trackback (0)
Trackback URL for this post: http://www.sir-2.net/dablg/tb.php/6218