I have a server running postfix/dovecot that has somehow been attacked. I keep seeing large numbers of log entries like these (my domain replaced with example.com):
Jul 2 10:03:03 my-server postfix/pickup[14702]: 878D313894B: uid=33 from=<www-data>
Jul 2 10:03:03 my-server postfix/cleanup[14916]: 878D313894B: message-id=<[email protected]>
Jul 2 10:03:03 my-server postfix/qmgr[19570]: 878D313894B: from=<[email protected]>, size=40324, nrcpt=1 (queue active)
Jul 2 10:03:05 my-server postfix/smtp[14923]: 878D313894B: to=<[email protected]>, relay=hotmail-com.olc.protection.outlook.com[104.47.42.33]:25, delay=2.1, delays=0.03/0.03/1.1/0.93, dsn=2.6.0, status=sent (250 2.6.0 <[email protected]> [InternalId=11360188501262, Hostname=BY2NAM03HT083.eop-NAM03.prod.protection.outlook.com] 45866 bytes in 0.498, 89.854 KB/sec Queued mail for delivery)
Jul 2 10:03:05 my-server postfix/qmgr[19570]: 878D313894B: removed
Jul 2 10:03:03 my-server postfix/pickup[14702]: 97D4E138950: uid=33 from=<www-data>
Jul 2 10:03:03 my-server postfix/cleanup[14916]: 97D4E138950: message-id=<[email protected]>
Jul 2 10:03:03 my-server postfix/qmgr[19570]: 97D4E138950: from=<[email protected]>, size=40308, nrcpt=1 (queue active)
Jul 2 10:03:03 my-server postfix/smtp[14933]: 97D4E138950: to=<a@a>, relay=none, delay=0.14, delays=0.01/0.02/0.11/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=a type=AAAA: Host not found)
Jul 2 10:03:03 my-server postfix/bounce[14935]: 97D4E138950: sender non-delivery notification: B9416138951
Jul 2 10:03:03 my-server postfix/qmgr[19570]: 97D4E138950: removed
Jul 2 10:03:03 my-server postfix/cleanup[14916]: A6851138951: message-id=<[email protected]>
Jul 2 10:03:03 my-server postfix/qmgr[19570]: A6851138951: from=<>, size=42121, nrcpt=1 (queue active)
Jul 2 10:03:03 my-server postfix/bounce[14935]: 9C33113894C: sender non-delivery notification: A6851138951
Jul 2 10:03:03 my-server dovecot: lmtp([email protected]): mNzcKTfcOVtZOgAAruHjSQ: msgid=<[email protected]>: saved mail to INBOX
Jul 2 10:03:03 my-server postfix/lmtp[14936]: A6851138951: to=<[email protected]>, orig_to=<[email protected]>, relay=example.com[private/dovecot-lmtp], delay=0.03, delays=0/0.01/0.01/0.01, dsn=2.0.0, status=sent (250 2.0.0 <[email protected]> mNzcKTfcOVtZOgAAruHjSQ Saved)
Jul 2 10:03:03 my-server postfix/qmgr[19570]: A6851138951: removed
I have already tried configuring postfix with the following rules to prevent this kind of attack; it has reduced the scale of the attack, but the server still sees a lot of activity:
/etc/postfix/main.cf:
#################################################################
# ANTI SPAM: https://www.howtoforge.com/virtual_postfix_antispam
#################################################################
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
smtpd_sender_restrictions = reject_unknown_address
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_invalid_hostname,
    regexp:/etc/postfix/antispam/helo.regexp,
    permit
#smtpd_recipient_restrictions =
#    permit_sasl_authenticated,
#    permit_mynetworks,
#    reject_unauth_destination
smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/antispam/helo_client_exceptions
    # check_sender_access hash:/etc/postfix/antispam/sender_checks,
    reject_invalid_hostname,
    ### Can cause issues with Auth SMTP, so be wary!
    reject_non_fqdn_hostname,
    ##################################
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    # Add RBL exceptions here; when changing rbl_client_exceptions, this file must be regenerated using postmap <file> to generate a Berkeley DB
    check_client_access hash:/etc/postfix/antispam/rbl_client_exceptions,
    reject_rbl_client cbl.abuseat.org,
    # reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    # reject_rbl_client list.dsbl.org
    reject_rhsbl_sender dsn.rfc-ignorant.org,
    # check_policy_service inet:127.0.0.1:60000,
    permit
smtpd_relay_restrictions =
    permit_mynetworks,
    # permit_sasl_authenticated,
    defer_unauth_destination
I'm worried that the server is being used somehow to send spam to people, which will annoy them and damage my IP reputation.
I've spent a lot of time investigating and reading documentation on the internet, but I'm still confused about what is going on and how to stop it. I'd like to know how the attacker is using the server and how to stop the attack.
Not sure whether it's related, but today I received an email from my hosting provider saying they had suspended the server because they detected anomalous activity (twice today, and twice 15 days ago):
Attack detail : 173Kpps/38Mbps
dateTime srcIp:srcPort dstIp:dstPort protocol flags bytes reason
2018.07.02 16:35:04 CEST xx.xx.xx.xx:41403 78.46.61.106:80 UDP --- 29 ATTACK:UDP
I have closed all ports except TCP 22, 80, 443, 25, 587, 993, 995 and 465, so I hope outgoing UDP is now blocked. I'm not sure whether some malware installed on the server is triggering this activity, or how to detect it.
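The detail that matters in the log excerpt above is the `postfix/pickup` line: `uid=33 from=<www-data>` means the message was handed to Postfix locally, through the `sendmail` command, by the web server's own user, not by an SMTP client. The `smtpd_*` restrictions in `main.cf` only govern SMTP sessions, so they never see this traffic, which is why tightening them reduced the noise without stopping it. The following script is an added triage example (not the asker's code and not part of the original post) that groups Postfix log lines by queue id, records how each message entered the queue (local pickup with uid, or `smtpd` with a client), and summarises what the messages injected by a given uid were sent to and whether they were delivered or bounced. The sample log embedded in the script is constructed to mirror the excerpt above, with placeholder addresses.

```python
import re
import sys

# Constructed sample, modelled on the question's log excerpt; addresses are placeholders.
SAMPLE_LOG = """\
Jul  2 10:03:03 my-server postfix/pickup[14702]: 878D313894B: uid=33 from=<www-data>
Jul  2 10:03:03 my-server postfix/cleanup[14916]: 878D313894B: message-id=<abc@example.com>
Jul  2 10:03:03 my-server postfix/qmgr[19570]: 878D313894B: from=<user@example.com>, size=40324, nrcpt=1 (queue active)
Jul  2 10:03:05 my-server postfix/smtp[14923]: 878D313894B: to=<victim@hotmail.com>, relay=hotmail-com.olc.protection.outlook.com[104.47.42.33]:25, delay=2.1, delays=0.03/0.03/1.1/0.93, dsn=2.6.0, status=sent (250 2.6.0 ok)
Jul  2 10:03:05 my-server postfix/qmgr[19570]: 878D313894B: removed
Jul  2 10:03:03 my-server postfix/pickup[14702]: 97D4E138950: uid=33 from=<www-data>
Jul  2 10:03:03 my-server postfix/qmgr[19570]: 97D4E138950: from=<user@example.com>, size=40308, nrcpt=1 (queue active)
Jul  2 10:03:03 my-server postfix/smtp[14933]: 97D4E138950: to=<a@a>, relay=none, delay=0.14, delays=0.01/0.02/0.11/0, dsn=5.4.4, status=bounced (Host or domain name not found)
Jul  2 10:03:03 my-server postfix/qmgr[19570]: 97D4E138950: removed
Jul  2 10:04:10 my-server postfix/pickup[14702]: C0FFEE12345: uid=1000 from=<alice>
Jul  2 10:04:10 my-server postfix/qmgr[19570]: C0FFEE12345: from=<alice@example.com>, size=1200, nrcpt=1 (queue active)
Jul  2 10:04:11 my-server postfix/smtp[14940]: C0FFEE12345: to=<bob@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.5, delays=0.1/0.1/0.2/0.1, dsn=2.0.0, status=sent (250 ok)
Jul  2 10:05:00 my-server postfix/smtpd[15001]: D00D5678901: client=mail.example.org[198.51.100.7], sasl_method=PLAIN, sasl_username=carol
Jul  2 10:05:00 my-server postfix/qmgr[19570]: D00D5678901: from=<carol@example.com>, size=900, nrcpt=1 (queue active)
Jul  2 10:05:01 my-server postfix/smtp[14950]: D00D5678901: to=<dave@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.4, delays=0.1/0.1/0.1/0.1, dsn=2.0.0, status=sent (250 ok)
"""

# Generic syslog prefix + Postfix program name + queue id. Lines without a queue id
# (connect/disconnect, NOQUEUE rejects, dovecot) are deliberately skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+postfix/(?P<prog>[\w-]+)\[\d+\]:\s+"
    r"(?P<qid>[0-9A-F]+):\s+(?P<rest>.*)$"
)
PICKUP_RE = re.compile(r"uid=(?P<uid>\d+)\s+from=<(?P<from>[^>]*)>")      # local submission
SMTPD_RE = re.compile(r"client=(?P<client>[^,\s]+)")                       # network submission
SENDER_RE = re.compile(r"from=<(?P<from>[^>]*)>,\s+size=(?P<size>\d+)")     # qmgr envelope
DELIVERY_RE = re.compile(r"to=<(?P<to>[^>]*)>,.*?relay=(?P<relay>\S+),.*?status=(?P<status>\w+)")


def parse_postfix_log(text):
    """Group log lines by queue id and record how each message entered the queue."""
    messages = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        qid, prog, rest = m.group("qid"), m.group("prog"), m.group("rest")
        entry = messages.setdefault(qid, {
            "qid": qid, "origin": None, "uid": None, "local_user": None,
            "client": None, "sender": None, "size": None, "deliveries": [],
        })
        if prog == "pickup":                      # came from the maildrop queue (sendmail command)
            p = PICKUP_RE.search(rest)
            if p:
                entry.update(origin="local", uid=int(p.group("uid")), local_user=p.group("from"))
        elif prog == "smtpd":                     # came in over SMTP, where smtpd_* restrictions apply
            c = SMTPD_RE.search(rest)
            if c:
                entry.update(origin="smtp", client=c.group("client"))
        elif prog == "qmgr":
            s = SENDER_RE.search(rest)
            if s:
                entry.update(sender=s.group("from"), size=int(s.group("size")))
        elif prog in ("smtp", "lmtp", "local", "virtual", "error"):
            d = DELIVERY_RE.search(rest)
            if d:
                entry["deliveries"].append(
                    {"to": d.group("to"), "relay": d.group("relay"), "status": d.group("status")})
    return messages


def local_injections(messages, uid=33):
    """Messages that were submitted locally by the given uid (33 is www-data on Debian/Ubuntu)."""
    return [m for m in messages.values() if m["origin"] == "local" and m["uid"] == uid]


def summarize(messages, uid=33):
    """Counts and recipient/sender sets for the messages injected by `uid`."""
    picked = local_injections(messages, uid)
    statuses = [d["status"] for m in picked for d in m["deliveries"]]
    return {
        "messages": len(picked),
        "sent": statuses.count("sent"),
        "bounced": statuses.count("bounced"),
        "recipients": sorted({d["to"] for m in picked for d in m["deliveries"]}),
        "senders": sorted({m["sender"] for m in picked if m["sender"]}),
    }


if __name__ == "__main__":
    # Usage: python3 triage.py /var/log/mail.log [uid]; with no arguments the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    uid = int(sys.argv[2]) if len(sys.argv) > 2 else 33
    for key, value in summarize(parse_postfix_log(text), uid).items():
        print(f"{key}: {value}")
```

Run against `/var/log/mail.log` this separates the three submission paths that look alike once the message reaches `qmgr`: local pickup by the web server user, local pickup by an interactive user, and authenticated SMTP. A large count for uid 33 with recipients the site never mails points at the web application (or something running as `www-data`) rather than at the SMTP configuration, so the next place to look is what that user is executing and which scripts call `sendmail` or `mail()`.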