阻止对 exim2 的暴力攻击

Question

这是一个编写不佳的分布式机器人。据我所知，这些主机正在尝试通过未加密的连接进行身份验证。如果您需要安全连接进行身份验证，它们甚至会失败。但是，您似乎允许在未加密的连接上进行身份验证。

默认情况下fail2ban会错过此条件，但在 10 分钟内尝试 3 次后会被阻止。您可以创建一个jail.local文件来调整被禁止所需的失败次数fail2ban或增加禁止时间。 fail2ban-client还允许您在服务器运行时调整配置。您可能需要创建一个exim.local文件来filter.d匹配正在生成的行。我已经包含了我的内容exim.local。您可以使用它fail2ban-regex来测试正则表达式（您需要替换正则表达式中的 python 包含）。

[Definition]

host_info = H=([\w.-]+ )?(\(\S+\) )?\[<HOST>\](:\d+)? ?(I=\[\S+\]:\d+ )?(U=\S+ )?(P=e?smtp )?

failregex = ^%(pid)s %(host_info)s [^:]+: Sender host address is listed in zen.spamhaus.org
        ^%(pid)s %(host_info)s sender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
        ^%(pid)s (plain|login) authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
        ^%(pid)s %(host_info)s F=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
        ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
        ^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
        \[<HOST>\]: 535 Incorrect authentication data
        ^%(pid)s %(host_info)s Warning: smtp used a hostname$
        ^%(pid)s no MAIL in SMTP connection from (\([^)]+\) )?\[<HOST>\] D=\d+(m\d+)?s( C=.*)?$
        ^%(pid)s SMTP protocol synchronization error \(input sent without waiting for greeting\): rejected connection from %(host_info)s

ignoreregex =

Answer 1

这是一个编写不佳的分布式机器人。据我所知，这些主机正在尝试通过未加密的连接进行身份验证。如果您需要安全连接进行身份验证，它们甚至会失败。但是，您似乎允许在未加密的连接上进行身份验证。

默认情况下fail2ban会错过此条件，但在 10 分钟内尝试 3 次后会被阻止。您可以创建一个jail.local文件来调整被禁止所需的失败次数fail2ban或增加禁止时间。 fail2ban-client还允许您在服务器运行时调整配置。您可能需要创建一个exim.local文件来filter.d匹配正在生成的行。我已经包含了我的内容exim.local。您可以使用它fail2ban-regex来测试正则表达式（您需要替换正则表达式中的 python 包含）。

[Definition]

host_info = H=([\w.-]+ )?(\(\S+\) )?\[<HOST>\](:\d+)? ?(I=\[\S+\]:\d+ )?(U=\S+ )?(P=e?smtp )?

failregex = ^%(pid)s %(host_info)s [^:]+: Sender host address is listed in zen.spamhaus.org
        ^%(pid)s %(host_info)s sender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
        ^%(pid)s (plain|login) authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
        ^%(pid)s %(host_info)s F=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
        ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
        ^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
        \[<HOST>\]: 535 Incorrect authentication data
        ^%(pid)s %(host_info)s Warning: smtp used a hostname$
        ^%(pid)s no MAIL in SMTP connection from (\([^)]+\) )?\[<HOST>\] D=\d+(m\d+)?s( C=.*)?$
        ^%(pid)s SMTP protocol synchronization error \(input sent without waiting for greeting\): rejected connection from %(host_info)s

ignoreregex =

阻止对 exim2 的暴力攻击

答案1

相关内容