Server mail log - constantly being spammed by SMTP sessions

My server keeps getting bombarded by these SMTP sessions. I checked via SSH with:

tail -f /usr/local/psa/var/log/maillog

I keep getting these messages:

Apr 12 16:48:21 891326-db2 postfix/smtpd[46245]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: encryption needed to use mechanism
Apr 12 16:48:21 891326-db2 postfix/smtpd[47413]: connect from unknown[000.000.000.000]
Apr 12 16:48:21 891326-db2 postfix/smtpd[46245]: lost connection after AUTH from unknown[xxx.xxx.xxx.xxx]
Apr 12 16:48:21 891326-db2 postfix/smtpd[46245]: disconnect from unknown[xxx.xxx.xxx.xxx]
Apr 12 16:48:21 891326-db2 postfix/smtpd[47413]: warning: unknown[000.000.000.000]: SASL LOGIN authentication failed: encryption needed to use mechanism
Apr 12 16:48:21 891326-db2 postfix/smtpd[47413]: lost connection after AUTH from unknown[000.000.000.000]
Apr 12 16:48:21 891326-db2 postfix/smtpd[47413]: disconnect from unknown[000.000.000.000]
Apr 12 16:48:21 891326-db2 postfix/smtpd[46245]: connect from unknown[xxx.xxx.xxx.xxx]
Apr 12 16:48:21 891326-db2 postfix/smtpd[46245]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: encryption needed to use mechanism
Apr 12 16:48:21 891326-db2 postfix/smtpd[46245]: lost connection after AUTH from unknown[xxx.xxx.xxx.xxx]
Apr 12 16:48:21 891326-db2 postfix/smtpd[46245]: disconnect from unknown[xxx.xxx.xxx.xxx]
Apr 12 16:48:21 891326-db2 postfix/smtpd[47413]: connect from unknown[xxx.xxx.xxx.xxx]
Apr 12 16:48:21 891326-db2 postfix/smtpd[47413]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: encryption needed to use mechanism
Apr 12 16:48:21 891326-db2 postfix/smtpd[47413]: lost connection after AUTH from unknown[xxx.xxx.xxx.xxx]
Apr 12 16:48:21 891326-db2 postfix/smtpd[47413]: disconnect from unknown[xxx.xxx.xxx.xxx]

Apr 12 17:03:04 891326-db2 postfix/smtp[1148]: connect to example.com[93.184.216.34]:25: Connection timed out
Apr 12 17:03:04 891326-db2 postfix/smtp[1148]: connect to example.com[2606:2800:220:1:248:1893:25c8:1946]:25: Network is unreachable
Apr 12 17:03:04 891326-db2 postfix/smtp[1148]: 12E2620617BE: to=<[email protected]>, relay=none, delay=265075, delays=265045/0.02/30/0, dsn=4.4.1, status=deferred (connect to example.com[2606:2800:220:1:248:1893:25c8:1946]:25: Network is unreachable)
Apr 12 17:03:04 891326-db2 postfix/smtp[1154]: connect to example.com[93.184.216.34]:25: Connection timed out
Apr 12 17:03:04 891326-db2 postfix/smtp[1154]: connect to example.com[2606:2800:220:1:248:1893:25c8:1946]:25: Network is unreachable
Apr 12 17:03:04 891326-db2 postfix/smtp[1154]: 17C632062FAB: to=<[email protected]>, relay=none, delay=155962, delays=155932/0.04/30/0, dsn=4.4.1, status=deferred (connect to example.com[2606:2800:220:1:248:1893:25c8:1946]:25: Network is unreachable)
Apr 12 17:03:04 891326-db2 postfix/smtp[1153]: connect to example.com[93.184.216.34]:25: Connection timed out
Apr 12 17:03:04 891326-db2 postfix/smtp[1153]: connect to example.com[2606:2800:220:1:248:1893:25c8:1946]:25: Network is unreachable
Apr 12 17:03:04 891326-db2 postfix/smtp[1153]: 1FF3820617F9: to=<[email protected]>, relay=none, delay=264998, delays=264968/0.03/30/0, dsn=4.4.1, status=deferred (connect to example.com[2606:2800:220:1:248:1893:25c8:1946]:25: Network is unreachable)
Apr 12 17:03:04 891326-db2 postfix/smtp[1151]: connect to example.com[93.184.216.34]:25: Connection timed out
Apr 12 17:03:04 891326-db2 postfix/smtp[1151]: connect to example.com[2606:2800:220:1:248:1893:25c8:1946]:25: Network is unreachable
Apr 12 17:03:04 891326-db2 postfix/smtp[1151]: 18756206303B: to=<[email protected]>, relay=none, delay=155848, delays=155818/0.02/30/0, dsn=4.4.1, status=deferred (connect to example.com[2606:2800:220:1:248:1893:25c8:1946]:25: Network is unreachable)
Apr 12 17:03:04 891326-db2 postfix/error[1160]: 1400220630A7: to=<[email protected]>, relay=none, delay=155758, delays=155728/30/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to example.com[2606:2800:220:1:248:1893:25c8:1946]:25: Network is unreachable)

I have blocked the IPs, but after blocking them, new IPs keep showing up. Does anyone know how these sessions are being created? Or is there a solution? I'm a bit puzzled...

Answer 1

One solution is to use log-scanning software (sec.pl, fail2ban) that blocks an IP address (usually temporarily) after X events (possibly as low as 1 failed SMTP AUTH if the server is not used for that, higher if there may be users fumbling at the keyboard), which in turn helps reduce the log spam.

I use sec.pl to blacklist them, and other scripts take care of removing the blacklist entries after a while (the removal time increases if the remote IP is still a log spammer):

type=SingleWithThreshold
ptype=RegExp
pattern=postfix/smtpd\[\d+\]: lost connection after AUTH from [^\[]+\[([^\]]+)
desc=smtp AUTH spam from $1
action=shellcmd /root/bin/blacklistip $1
window=300
thresh=3

The blacklistip script mostly just calls iptables or ip6tables as needed to add the IP to a chain that is not allowed to connect.
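As an added illustration (not part of the answer above), the same SingleWithThreshold logic as the sec.pl rule in Python, run over constructed sample log lines: the regex is the one from the rule; the year (syslog omits it), the hostname and the IP addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Same pattern as the sec.pl rule above: capture the client IP
# from a "lost connection after AUTH" line.
AUTH_FAIL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: lost connection after AUTH from [^\[]+\[([^\]]+)"
)

# Constructed sample log lines (syslog format, no year):
# 10.0.0.5 fails three times within 300 s, 10.0.0.9 twice, far apart.
SAMPLE_LOG = """\
Apr 12 16:48:21 mx1 postfix/smtpd[46245]: connect from unknown[10.0.0.5]
Apr 12 16:48:21 mx1 postfix/smtpd[46245]: lost connection after AUTH from unknown[10.0.0.5]
Apr 12 16:49:02 mx1 postfix/smtpd[46250]: lost connection after AUTH from unknown[10.0.0.9]
Apr 12 16:50:10 mx1 postfix/smtpd[46251]: lost connection after AUTH from unknown[10.0.0.5]
Apr 12 16:52:30 mx1 postfix/smtpd[46252]: lost connection after AUTH from unknown[10.0.0.5]
Apr 12 17:10:00 mx1 postfix/smtpd[46260]: lost connection after AUTH from unknown[10.0.0.9]
"""


def parse_ts(line, year=2024):
    """Parse the leading syslog timestamp; the year is an assumption."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def offenders(log_text, window=300, thresh=3):
    """Return {ip: time_of_trigger} for every IP that reaches `thresh`
    failed AUTH attempts inside a sliding window of `window` seconds,
    mimicking sec.pl's SingleWithThreshold (window=300, thresh=3)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    hits = {}
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if not m:
            continue
        ip, ts = m.group(1), parse_ts(line)
        q = recent[ip]
        q.append(ts)
        # Drop events older than the window relative to the newest event.
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= thresh and ip not in hits:
            hits[ip] = ts   # this is where the shellcmd action would fire
    return hits
```

Only the IP that crosses the threshold inside the window is reported, which is the point of the window/thresh pair: a single mistyped password does not get anyone blocked.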
