Following the previous post, Blocking attacks on sshd with blacklistd, this time we block attacks on Sendmail in the same way.
However, the OS-bundled Sendmail does not support blacklistd, so we get there by installing sendmail from ports.
Ansible Playbook
Add ports_sendmail.yaml to the tasks.
roles/freebsd/tasks/main.yml
- name: blacklistd
  import_tasks: blacklistd.yaml
- name: sshd
  import_tasks: sshd.yaml
- name: sendmail
  import_tasks: ports_sendmail.yaml
Add sendmail to the handlers.
roles/freebsd/handlers/main.yml
- name: Reload sshd service
  service:
    name: sshd
    state: reloaded
  listen:
    - reload_sshd
- name: Restart blacklistd service
  service:
    name: blacklistd
    state: restarted
  listen:
    - restart_blacklistd
- name: Restart sendmail service
  service:
    name: sendmail
    state: restarted
  listen:
    - restart_sendmail
Write the task that installs sendmail from ports.
The UseBlocklist option is not parsed by the OS-bundled macro files, so we pass it as a command-line option instead.
roles/freebsd/tasks/ports_sendmail.yaml
---
- name: Initialize portupgrade command
  set_fact:
    portupgrade_cmd: /usr/local/sbin/portupgrade
- name: Set ports sendmail installation status
  set_fact:
    ports_sendmail_installed: true
    ports_sendmail_name: sendmail
    ports_sendmail_category: mail
- name: Set variables
  set_fact:
    ports_name: "{{ ports_sendmail_name }}"
    ports_category: "{{ ports_sendmail_category }}"
  when:
    - ports_sendmail_installed
- name: Check if {{ ports_name }} installed
  command: pkg info "{{ ports_name }}"
  register: pkg_info
  when:
    - ports_sendmail_installed
  changed_when: false
  failed_when: false
- name: Add new option to portupgrade command
  set_fact:
    portupgrade_cmd: "/usr/local/sbin/portupgrade --new"
  when:
    - ports_sendmail_installed
    - "'pkg: No package(s) matching' in pkg_info.stderr"
- name: Ensure port options directory exists
  file:
    path: "/var/db/ports/{{ ports_category }}_{{ ports_name }}"
    state: directory
    mode: "0755"
  when:
    - ports_sendmail_installed
- name: Copy {{ ports_name }} options
  copy:
    dest: "/var/db/ports/{{ ports_category }}_{{ ports_name }}/options"
    mode: "0644"
    content: |
      # This file is auto-generated by 'make config'.
      _FILE_COMPLETE_OPTIONS_LIST=SHMEM SEM LA NIS IPV6 TLS DANE SASL SASLAUTHD LDAP BDB GDBM SOCKETMAP CYRUSLOOKUP BLOCKLISTD SMTPUTF8 PICKY_HELO_CHECK MILTER MTA_STS TLS_CERT_CHAIN DOCS
      OPTIONS_FILE_SET+=SHMEM
      OPTIONS_FILE_SET+=SEM
      OPTIONS_FILE_SET+=LA
      OPTIONS_FILE_SET+=NIS
      OPTIONS_FILE_SET+=IPV6
      OPTIONS_FILE_SET+=TLS
      OPTIONS_FILE_SET+=DANE
      OPTIONS_FILE_SET+=SASL
      OPTIONS_FILE_SET+=SASLAUTHD
      OPTIONS_FILE_SET+=LDAP
      OPTIONS_FILE_UNSET+=BDB
      OPTIONS_FILE_UNSET+=GDBM
      OPTIONS_FILE_SET+=SOCKETMAP
      OPTIONS_FILE_UNSET+=CYRUSLOOKUP
      OPTIONS_FILE_SET+=BLOCKLISTD
      OPTIONS_FILE_SET+=SMTPUTF8
      OPTIONS_FILE_SET+=PICKY_HELO_CHECK
      OPTIONS_FILE_SET+=MILTER
      OPTIONS_FILE_SET+=MTA_STS
      OPTIONS_FILE_UNSET+=TLS_CERT_CHAIN
      OPTIONS_FILE_SET+=DOCS
  when:
    - ports_sendmail_installed
- name: Install/Update {{ ports_name }}
  command: '{{ portupgrade_cmd }} {{ ports_name }}'
  register: daemon_port_install_result
  when:
    - ports_sendmail_installed
  changed_when:
    - "'Cleaning for' in daemon_port_install_result.stdout"
  notify:
    - restart_sendmail
- name: sysrc sendmail_program
  community.general.sysrc:
    name: sendmail_program
    value: "/usr/local/sbin/sendmail"
  when:
    - ports_sendmail_installed
  notify:
    - restart_sendmail
- name: sysrc sendmail_procname
  community.general.sysrc:
    name: sendmail_procname
    value: "/usr/local/sbin/sendmail"
  when:
    - ports_sendmail_installed
  notify:
    - restart_sendmail
- name: sysrc sendmail_flags
  community.general.sysrc:
    name: sendmail_flags
    value: "-L sm-mta -bd -q30m -O UseBlocklist"
  when:
    - ports_sendmail_installed
  notify:
    - restart_sendmail
Running the Ansible Playbook
ansible-playbook -i hosts freebsd.yaml
Result
The rules are created automatically by blacklistd.
# ipfw list | grep port25
02025 deny tcp from table(port25) to any 25
# ipfw list | grep port587
02587 deny tcp from table(port587) to any 587
When blacklistd detects abusive behavior, it automatically adds the IP address to its list.
# blacklistctl dump -a
address/ma:port id nfail last access
XX.144.212.98/32:25 OK 40/3 XXXX/XX/XX XX:XX:XX
XX.142.154.37/32:587 OK 6/3 XXXX/XX/XX XX:XX:XX
...
The listed IP addresses are automatically added by blacklistd to table(port25) and table(port587).
# ipfw table port25 list
XX.144.212.98/32 0
...
# ipfw table port587 list
XX.142.154.37/32 0
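As an added check that is not part of the original post: a small script that cross-checks the `blacklistctl dump -a` listing against the ipfw tables, reporting any address that has reached its failure threshold but is absent from the table(port25)/table(port587) it should have been added to. The dump and table texts below are constructed samples in the formats shown above, not real captures.

```python
import re

# Constructed sample of `blacklistctl dump -a` output in the format shown on the
# page; the addresses are made up. The third entry is still below its threshold.
DUMP = """\
address/ma:port id nfail last access
10.144.212.98/32:25 OK 40/3 2024/01/01 00:00:00
10.142.154.37/32:587 OK 6/3 2024/01/01 00:00:00
10.10.10.10/32:25 OK 1/3 2024/01/01 00:00:00
"""
# Constructed `ipfw table port25 list` / `ipfw table port587 list` output;
# port587 is left empty on purpose so the cross-check has something to report.
TABLES = {"port25": "10.144.212.98/32 0\n", "port587": ""}

# Columns: address/mask:port  id  nfail/threshold  last-access
DUMP_LINE = re.compile(
    r"^(?P<addr>\S+/\d+):(?P<port>\d+)\s+\S+\s+"
    r"(?P<nfail>\d+)/(?P<threshold>\d+)\s+.+$"
)

def parse_dump(text):
    """Parse blacklistctl dump output; the header and '...' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if m:
            entries.append({"addr": m["addr"], "port": int(m["port"]),
                            "nfail": int(m["nfail"]),
                            "threshold": int(m["threshold"])})
    return entries

def parse_table(text):
    """Parse `ipfw table NAME list` output ('<cidr> <value>' per line)."""
    return {line.split()[0] for line in text.splitlines() if "/" in line}

def find_missing(dump_text, tables):
    """Return (addr, port) for entries at or over their failure threshold that
    are absent from the ipfw table blacklistd should have put them in."""
    missing = []
    for e in parse_dump(dump_text):
        if e["nfail"] < e["threshold"]:
            continue  # below threshold: blacklistd has not blocked it yet
        if e["addr"] not in parse_table(tables.get(f"port{e['port']}", "")):
            missing.append((e["addr"], e["port"]))
    return missing

if __name__ == "__main__":
    for addr, port in find_missing(DUMP, TABLES):
        print(f"listed by blacklistd but missing from table(port{port}): {addr}")
```

On a real host, feed it the output of `blacklistctl dump -a` and `ipfw table portNN list` instead of the constructed samples; an empty result means blacklistd and ipfw agree.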