FreeBSD Iscsi with zfs

 

2. Configurare ZFS:

Create s ZFS pool and data set (zvol) to serve as iSCSI volume. For example to create o pool name mypool and zvol named myzvol:

sudo zpool create mypool /dev/ada0 
sudo zfs create -V 100G mypool/myzvol
After that we need to install istgt
pkg install istgt
In my case will use following config files:
auth.conf
#[AuthGroup1]
  Comment "Group for the Test Disk"
  Auth "iqn.1991-05.com.microsoft:vm111wdc.test.soft:testdisk"  "between12and16" 
[AuthGroup9999]
  Comment "Group for discovery"
  Auth "iqn.1991-05.com.microsoft:vm111wdc.test.soft"  "discovermenow"

#
[AuthGroup10000]
#  Comment "Group for unit controller"
#  Auth "ctluser" "test" "mutualuser" "mutualsecret"
istgt.conf

[Global]
  Comment "Global section"
  NodeBase "iqn.1991-05.com.microsoft:vm111wdc.test.soft"
#  DiscoveryAuthMethod CHAP
#  DiscoveryAuthGroup AuthGroup9999

  #The following values were not editied
  PidFile /var/run/istgt.pid
#  AuthFile /usr/local/etc/istgt/auth.conf
  MediaDirectory /var/istgt
  LogFacility "local7"

  Timeout 30
  NopInInterval 20

  MaxSessions 16
  MaxConnections 4
  MaxR2T 32
  MaxOutstandingR2T 16
  DefaultTime2Wait 2
  DefaultTime2Retain 60
  FirstBurstLength 262144
  MaxBurstLength 1048576
  MaxRecvDataSegmentLength 262144
  InitialR2T Yes
  ImmediateData Yes
  DataPDUInOrder Yes
  DataSequenceInOrder Yes
  ErrorRecoveryLevel 0

#Unit controller
[UnitControl]
  Comment "Internal Logical Unit Controller"
#  AuthMethod CHAP Mutual
#  AuthGroup AuthGroup10000
  Portal UC1 127.0.0.1:3261
  Netmask 127.0.0.1

#Portal of the Test Disk
[PortalGroup1]
  Comment "SINGLE PORT TEST"
  Portal DA1 10.100.200.109:3260

#Initiators for the Test Disk
[InitiatorGroup1]
  Comment "Initiator Group1"
  InitiatorName "iqn.1991-05.com.microsoft:vm111wdc.test.soft"
  Netmask 10.100.200.0/24

#Test Disk
[LogicalUnit1]
  Comment "Test Disk"
  TargetName testdisk
  TargetAlias "ISCSI Test Disk"
  Mapping PortalGroup1 InitiatorGroup1
#  AuthMethod CHAP
#  AuthGroup AuthGroup1

  ReadOnly No
  UnitType Disk
  UnitOnline Yes

  UseDigest Auto
#  UnitType Pass

LUN0 Storage /dev/zvol/storage/storage 26T


istgtcontrol.conf


[Global] 
 Comment "Sample Configuration" 
 Timeout 60 
 AuthMethod CHAP Mutual 
 Auth "ctluser" "test" "mutualuser" "mutualsecret" 
 Host localhost
  Port 3261 
 TargetName "iqn.1991-05.com.microsoft:vm111wdc.test.soft" 
 Lun 0 
 Flags "ro" 
 Size "auto"

file2ban qmail configuration

 

# Install fail2ban

# yum install fail2ban -y

# Create the filter definition files in filter.d

# cat >/etc/fail2ban/filter.d/qmail-smtp-authnotavail.conf << EOL
[Definition]
#Looks for failed auth outside TLS to SMTP
failregex = 503 auth not available \(\#5\.3\.3\) - <HOST>
ignoreregex =
EOL

# cat >/etc/fail2ban/filter.d/qmail-smtps-auth.conf<< EOL
[Definition]
#Looks for failed password logins to SMTP
failregex = vchkpw-smtps: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
EOL

# cat >/etc/fail2ban/filter.d/qmail-smtps-passfail.conf<< EOL
[Definition]
#Looks for failed password logins to SMTP
failregex = vchkpw-smtps: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
EOL

# cat >/etc/fail2ban/filter.d/qmail-smtps-usernotfound.conf<< EOL
[Definition]
failregex = vchkpw-smtps: vpopmail user not found .*:<HOST>
ignoreregex =
EOL

# cat >/etc/fail2ban/filter.d/qmail-submission-passfail.conf<< EOL
[Definition]
failregex = vchkpw-submission: password fail ([^)]*) [^@]*@[^:]*:<HOST>
ignoreregex =
EOL

# cat >/etc/fail2ban/filter.d/qmail-submission-usernotfound.conf<< EOL
[Definition]
failregex = vchkpw-submission: vpopmail user not found .*:<HOST>
ignoreregex =
EOL

# Add filter definitions to jail.conf

# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bak-`date`

# cat >>/etc/fail2ban/jail.conf << EOL

[qmail-submission-passfail]
enabled = true
filter  = qmail-submission-passfail
action  = iptables[name=QMAIL-SUBMISSION, port=587, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
backend = auto

[qmail-submission-usernotfound]
enabled = true
filter  = qmail-submission-usernotfound
action  = iptables[name=QMAIL-SUBMISSION, port=587, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
backend = auto

[qmail-smtps-passfail]
enabled  = true
filter   = qmail-smtps-passfail
action   = iptables[name=QMAIL-SMTPS, port=465, protocol=tcp]
logpath  = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
backend = auto

[qmail-smtps-usernotfound]
enabled = true
filter = qmail-smtps-usernotfound
action = iptables[name=QMAIL-SMTPS, port=465, protocol=tcp]
logpath = /var/log/maillog
maxretry = 3
bantime  = 86400
findtime = 3600
backend = auto

[qmail-smtp-authnotavail]
enabled = true
filter = qmail-smtp-authnotavail
action = iptables[name=QMAIL-SMTP, port=25, protocol=tcp]
logpath = /var/log/qmail/smtptx/current
maxretry = 3
bantime = 86400
findtime = 300
backend = auto

EOL

# Set up Authorization not available

   In order to log SMTP transactions do the following:
   1) # qmailctl stop
   2) Add 'SMTP_DEBUG="1"' to /etc/tcprules.d/tcp.smtp 
   3) Replace contents of '/var/qmail/supervise/smtp/log/run' script with below to log transactions to different file: 
      
      #!/bin/sh
      LOGSIZE=`cat /var/qmail/control/logsize`
      LOGCOUNT=`cat /var/qmail/control/logcount`
      exec /usr/bin/setuidgid qmaill \
        /usr/bin/multilog t s$LOGSIZE n$LOGCOUNT \
        '-*' '+@* server:[*' '+@* client:[*' /var/log/qmail/smtptx \
        '+*' '-@* server:[*' '-@* client:[*' /var/log/qmail/smtp 2>&1
   4) # qmailctl start && qmailctl cdb
   5) # tail -f /var/log/qmail/smtptx/current | tai64nlocal

# Start fail2ban

# systemctl start fail2ban


# Script to check blocking

# cat >./f2bstat << EOL
#!/bin/bash

for FILTER in qmail-submission-passfail \
              qmail-submission-usernotfound \
              qmail-smtps-passfail \
              qmail-smtps-usernotfound \
              qmail-smtp-authnotavail
do
   fail2ban-client status $FILTER
   echo ""
done

EOL

# Set permissions & run script (w/output sample)

# chmod 755 ./f2bstat && ./f2bstat

qmail-submission-passfail:

Status for the jail: qmail-submission-passfail
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     1
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

qmail-submission-usernotfound:

Status for the jail: qmail-submission-usernotfound
|- Filter
|  |- Currently failed: 7
|  |- Total failed:     7
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

qmail-smtps-passfail:

Status for the jail: qmail-smtps-passfail
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

qmail-smtps-usernotfound:

Status for the jail: qmail-smtps-usernotfound
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   5.34.207.174 212.70.149.72

qmail-smtp-authnotavail:

Status for the jail: qmail-smtp-authnotavail
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/qmail/smtptx/current
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

source