Can I use fail2ban behind router for mail server?
I run Docker on a NAS in my home network behind a FritzBox router. Mail and web servers are dockerized; the external ports 22, 80 and 443 are forwarded to the corresponding ports on the NAS, with Traefik as reverse proxy.
While Traefik works fine thanks to the X-Forwarded headers and the HTTP 1.1 Host header, I am unable to set up fail2ban to block excessive login attempts from malicious clients. Thanks to NAT on the router, the mail container always seems to see the router's IP as the source.
The server log looks like this:
dovecot: auth: passwd-file(luv5@xn--...,172.19.0.1): unknown user (SHA1 of given password: 63f39e)
postfix/smtpd[1118]: warning: unknown[172.19.0.1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
postfix/smtpd[1118]: disconnect from unknown[172.19.0.1] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
postfix/smtpd[1028]: warning: unknown[172.19.0.1]: SASL LOGIN authentication failed: Connection lost to authentication server
postfix/smtpd[1028]: disconnect from unknown[172.19.0.1] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
postfix/smtpd[1066]: warning: unknown[172.19.0.1]: SASL LOGIN authentication failed: Connection lost to authentication server
postfix/smtpd[1066]: disconnect from unknown[172.19.0.1] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
dovecot: auth: passwd-file(mathew@xn--...,172.19.0.1): unknown user (SHA1 of given password: 011c94)
postfix/smtpd[2295]: warning: unknown[172.19.0.1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
postfix/smtpd[2295]: disconnect from unknown[172.19.0.1] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
postfix/postscreen[1020]: CONNECT from [172.19.0.1]:36922 to [172.19.0.11]:25
postfix/postscreen[1020]: PASS OLD [172.19.0.1]:36922
postfix/smtpd[1118]: connect from unknown[172.19.0.1]
postfix/postscreen[1020]: CONNECT from [172.19.0.1]:36948 to [172.19.0.11]:25
dovecot: auth: passwd-file(psycho@xn--...,172.19.0.1): unknown user (SHA1 of given password: 7c4a8d)
postfix/postscreen[1020]: CONNECT from [172.19.0.1]:36950 to [172.19.0.11]:25
postfix/smtpd[1118]: warning: unknown[172.19.0.1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
postfix/smtpd[1118]: disconnect from unknown[172.19.0.1] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
postfix/postscreen[1020]: CONNECT from [172.19.0.1]:36958 to [172.19.0.11]:25
postfix/postscreen[1020]: PASS OLD [172.19.0.1]:36948
postfix/smtpd[2295]: connect from unknown[172.19.0.1]
postfix/postscreen[1020]: PASS OLD [172.19.0.1]:36950
postfix/smtpd[1066]: connect from unknown[172.19.0.1]
Is there any way to have fail2ban block SMTP behind NAT based on IP address (other than using the "exposed host" feature)?
If you are able at all to capture the original IP (or something else identifying the intruder) from the log/journal in the filter, you can:
- write your own failregex or filter capturing the forwarded IP, the session or the user name (which you can use as the ID identifying the intruder), and then...
- either try to implement the solution described in our wiki - How to ban something other as host (IP address), like user or mail, etc.
- or write some action like https://github.com/fail2ban/fail2ban/blob/0.10/config/action.d/nginx-block-map.conf (banning the intruder resp. rejecting its connection on the web-server or mail-server side)
- or write your own action notifying your proxy service to ban the original IP on the other side (I don't know that traefik has something like that, but there is still an open RFE about it - https://github.com/containous/traefik/issues/4026 ).
See also the similar issue -
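As an added example (not code from the original post, nor from fail2ban itself), the Python below reproduces the answer's first bullet outside fail2ban: a failregex-style pattern captures the login name from the dovecot line as the ban identifier, the way a fail2ban 0.10+ filter does with an `<F-ID>...</F-ID>` group, and a findtime/maxretry counter decides what gets banned. Run over a constructed log excerpt with the same line shapes as the one posted, it shows why the stock IP-based approach fails in this setup: every line carries the NAT address, so an IP jail bans that one address and locks out every client, whereas keying on the user name bans only the account under attack. The timestamps, the hostname `nas`, the domain `example.test` and the year assumed by `parse_time` are all made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, not the log from the post: same line shapes, with a
# syslog-style timestamp prefix added so a findtime window can be applied.
# Every line shows the NAT gateway as the source, exactly like the question.
SAMPLE_LOG = """\
Mar 10 10:00:01 nas dovecot: auth: passwd-file(luv5@example.test,172.19.0.1): unknown user (SHA1 of given password: 63f39e)
Mar 10 10:00:02 nas postfix/smtpd[1118]: warning: unknown[172.19.0.1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 10:00:20 nas dovecot: auth: passwd-file(luv5@example.test,172.19.0.1): unknown user (SHA1 of given password: 011c94)
Mar 10 10:00:45 nas dovecot: auth: passwd-file(mathew@example.test,172.19.0.1): unknown user (SHA1 of given password: 011c94)
Mar 10 10:01:10 nas dovecot: auth: passwd-file(luv5@example.test,172.19.0.1): unknown user (SHA1 of given password: 7c4a8d)
Mar 10 10:30:00 nas dovecot: auth: passwd-file(mathew@example.test,172.19.0.1): unknown user (SHA1 of given password: 7c4a8d)
"""

TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
HOST = r"(?P<host>[0-9a-fA-F.:]+)"

# Equivalents of fail2ban failregexes. "host" plays the role of <HOST>; "fid"
# is the part a fail2ban 0.10+ filter would wrap in <F-ID>...</F-ID>.
DOVECOT_RE = re.compile(
    TS + r"dovecot: auth: [\w-]+\((?P<fid>[^,]+)," + HOST + r"\): unknown user"
)
# Postfix's SASL failure line names no user, so only the (useless) NAT address
# can be extracted from it.
POSTFIX_RE = re.compile(
    TS + r"postfix/smtpd\[\d+\]: warning: [^\s\[]+\[" + HOST
    + r"\]: SASL \w+ authentication failed"
)


def parse_time(ts, year=2024):
    """Syslog timestamps carry no year; assume one so lines can be ordered."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_failures(log_text, key="fid"):
    """Return (timestamp, ban_key) for every failed login in log_text.

    key="host" behaves like a stock IP-based jail. key="fid" uses the captured
    identifier instead and skips lines that carry none, since falling back to
    the NAT address would count other clients' failures against it.
    """
    events = []
    for line in log_text.splitlines():
        for rx in (DOVECOT_RE, POSTFIX_RE):
            m = rx.match(line)
            if not m:
                continue
            ident = m.group("host") if key == "host" else m.groupdict().get("fid")
            if ident:
                events.append((parse_time(m.group("ts")), ident))
            break
    return events


def bans(events, maxretry=3, findtime=600):
    """fail2ban-style sliding window: a key is banned once it accumulates
    maxretry failures within findtime seconds. Returns the banned keys."""
    window = defaultdict(deque)
    banned = set()
    for ts, ident in sorted(events):
        q = window[ident]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ident)
    return sorted(banned)


if __name__ == "__main__":
    # IP jail: the single shared NAT address gets banned, i.e. every client.
    print("banned by host:", bans(find_failures(SAMPLE_LOG, key="host")))
    # Identifier jail: only the account being brute-forced gets banned.
    print("banned by id:  ", bans(find_failures(SAMPLE_LOG, key="fid")))
```

Two caveats before building a real jail on this. First, banning by login name does not drop the attacker's connections by itself; the action still has to reject that user at the mail server (the role the nginx-block-map action plays for a web server), and because the key is the victim's account name, an attacker can deliberately fail logins to lock a legitimate user out, so keep the bantime short and alert on it. Second, the Postfix SASL lines give no identifier at all, and in the posted log the source 172.19.0.1 is the kind of address a Docker bridge network's gateway uses, so whichever NAT layer rewrote it, the client address is already gone by the time the container logs it; recovering it means getting the real address forwarded (for example via a proxy-protocol-aware front end), not a cleverer regex.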