fail2ban regex that uses less CPU?

Using fail2ban, I want to ban these senders who send spam to a spamtrap address:

Oct 27 09:04:22 si68 postfix/smtpd[3240]: NOQUEUE: reject: RCPT from unknown[117.197.114.222]: 550 5.7.1 <[email protected]>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: odwsgs.com, MTA hostname: unknown[117.197.114.222] (helo/hostname mismatch); from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<odwsgs.com>
Oct 27 09:08:51 si68 postfix/smtpd[32646]: NOQUEUE: reject: RCPT from unknown[182.177.131.71]: 550 5.7.1 <[email protected]>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: rigplj.com, MTA hostname: unknown[182.177.131.71] (helo/hostname mismatch); from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<rigplj.com>
Oct 27 12:42:09 si68 postfix/smtpd[22119]: NOQUEUE: reject: RCPT from unknown[70.39.119.76]: 550 5.7.1 <[email protected]>: Recipient address rejected: temporarily blocked because of previous errors - retrying too fast. penalty: 30 seconds x 0 retries.; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<CT623.local>
Oct 27 14:03:12 si68 postfix/smtpd[30183]: NOQUEUE: reject: RCPT from unknown[91.79.137.194]: 550 5.7.1 <[email protected]>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; please relay via your ISP (mchi.org); Please use DynDNS; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<ppp91-79-137-194.pppoe.mtu-net.ru>
Oct 27 22:00:28 si68 postfix/smtpd[18310]: NOQUEUE: reject: RCPT from unknown[96.31.94.71]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<ipr-management-mail.com>
Oct 28 00:40:00 si68 postfix/smtpd[18319]: NOQUEUE: reject: RCPT from unknown[63.141.229.165]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<mx1.nnamedia.com>
Oct 28 04:05:14 si68 postfix/smtpd[9519]: NOQUEUE: reject: RCPT from unknown[70.39.119.76]: 550 5.7.1 <[email protected]>: Recipient address rejected: Your MTA is listed in too many DNSBLs; check http://www.robtex.com/rbl/70.39.119.76.html; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<CT623.local>

I'm not very good at regular expressions, but I came up with this:

[Definition]
failregex = reject: RCPT from (.*)\[<HOST>\]: (.*)spamtrap

But when I test the above regex against the (46MB) mail log, like this:

fail2ban-regex /var/log/maillog 'failregex = reject: RCPT from (.*)\[<HOST>\]: (.*)spamtrap'

the CPU goes crazy processing it. I think the regex could be written more efficiently. Any suggestions?

Update: the IPs in the log file above were rejected only for the particular transactions shown. I want to block them entirely. This is only a very small log excerpt. The same spammer IPs send not only to the spamtrap address but also to real, valid recipients, and that mail gets through.

In other words, I want to ban them the moment they try the spamtrap address, thereby stopping further mail from the same IP from reaching real people.

Answer 1

Found a way that uses less CPU, using Michael Orlitzky's suggestion:

failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5\.1\.1 <spamtrap@example\.com>

Reference: http://old.nabble.com/Re%3A-fail2ban-for-spamtraps-p28964882.html
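An added example, not code from the question or the answer: it substitutes <HOST> with a simplified IPv4-only pattern (an assumption; fail2ban's real <HOST> also matches hostnames and IPv6) and runs both failregex variants over constructed postfix log lines, showing that the tightened regex only catches 550 5.1.1 rejections to the spamtrap address.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The original pattern from the question: two unanchored (.*) groups make the
# engine scan and backtrack across the rest of every line before giving up.
SLOW = r"reject: RCPT from (.*)\[<HOST>\]: (.*)spamtrap"

# The pattern from answer 1: literal status code and literal recipient let the
# engine fail at the first mismatching character after the host.
FAST = r"reject: RCPT from (.*)\[<HOST>\]: 550 5\.1\.1 <spamtrap@example\.com>"


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST))


def banned_hosts(failregex, lines):
    """Return the distinct hosts (in order of first hit) whose lines match."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = rx.search(line)
        if m and m.group("host") not in hosts:
            hosts.append(m.group("host"))
    return hosts


# Constructed sample lines in postfix/smtpd format (not from the original post).
SAMPLE_LOG = [
    # 5.1.1 "User unknown" reject to the spamtrap: matches SLOW and FAST.
    "Oct 27 22:00:28 si68 postfix/smtpd[18310]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: "
    "550 5.1.1 <spamtrap@example.com>: Recipient address rejected: User unknown; "
    "from=<x@example.net> to=<spamtrap@example.com> proto=ESMTP helo=<mail.example.net>",
    # 5.7.1 policy reject to the spamtrap: matches SLOW only (FAST requires 5.1.1).
    "Oct 27 22:05:11 si68 postfix/smtpd[18311]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: "
    "550 5.7.1 <spamtrap@example.com>: Recipient address rejected: Mail appeared to be SPAM or forged; "
    "from=<bob@example.org> to=<spamtrap@example.com> proto=ESMTP helo=<odwsgs.example>",
    # 5.1.1 reject to a real (mistyped) user: matches neither.
    "Oct 28 00:40:00 si68 postfix/smtpd[18319]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: "
    "550 5.1.1 <alice@example.com>: Recipient address rejected: User unknown; "
    "from=<c@example.org> to=<alice@example.com> proto=SMTP helo=<mx1.example.org>",
    # Accepted connection, no reject at all: matches neither.
    "Oct 28 04:05:14 si68 postfix/smtpd[9519]: 1A2B3C4D5E: client=mail.example.com[192.0.2.20]",
]

if __name__ == "__main__":
    print("SLOW bans:", banned_hosts(SLOW, SAMPLE_LOG))
    print("FAST bans:", banned_hosts(FAST, SAMPLE_LOG))
```

Run fail2ban-regex with the same sample lines to confirm the behaviour before deploying either pattern to a production jail.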

Answer 2

I can't see what you're trying to achieve. The lowest CPU usage you can get is to remove fail2ban and ignore the entries in the mail log. All of these mails were rejected. So why care?

You burn CPU on the reject (policyd-weight) and then again on fail2ban banning a connection that is already closed. Just ignore the past.

If you really do need this, you should redirect the logs. Use a syslog-ng filter to create a log file containing only the spamtrap hits. Then run fail2ban on that small log file.
