Postfix: fail2ban and iptables bans do not stop connection and authentication attempts

I am running Ubuntu 16.04.6 LTS with Postfix 3.1.0 and fail2ban 0.9.3. My machine is constantly being hit by brute-force attacks that look like this in /var/log/mail.log:

postfix/submission/smtpd[2282]: connect from unknown[xxx.xxx.xxx.xxx]
postfix/submission/smtpd[2282]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
postfix/submission/smtpd[2282]: disconnect from unknown[xxx.xxx.xxx.xxx] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4

I tried setting /etc/fail2ban/jail.local to:

[postfix]
enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 3
bantime = 86400

[sasl]
enabled  = true
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = postfix-sasl
logpath  = /var/log/mail.log
maxretry = 3
bantime = 86400

Judging by /var/log/fail2ban.log, it seems to be working correctly:

fail2ban.filter   [2208]: INFO    [sasl] Found xxx.xxx.xxx.xxx
fail2ban.actions  [2208]: NOTICE  [sasl] xxx.xxx.xxx.xxx already banned

But smtpd keeps receiving SASL authentication attempts.

A few days ago I also tried iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP, but although the DROP rule is clearly there (iptables -L INPUT -v -n), the connections and authentication attempts continue:

 pkts bytes target     prot opt in     out     source               destination
  416 2974K f2b-sasl   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,143,220,993,110,995
 1763  170K f2b-wordpress-soft  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
 1763  170K f2b-wordpress-hard  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
  416 2974K f2b-postfix  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465
 1891  144K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
33899 8794K ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
33899 8794K ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  136  6931 ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  113  5875 ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  113  5875 ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  113  5875 ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       xxx.xxx.xxx.xxx      0.0.0.0/0

Answer 1

Try, in the port configuration, renaming ssmtp to smtps or 465 and adding the submission port or 587, then restart.

Also, for the jail action you need the smtps and submission ports,

something like this:

iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
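A check for the mismatch the answer points at, added here as an example (it is not code from the question or the answer): it parses failed SASL logins from mail.log lines, resolves a jail's port list to numbers the way fail2ban does via /etc/services, and reports attacked ports the jail's ban action would not cover. The Postfix service-to-port mapping and the Debian service-name fallbacks are assumptions; the log and jail text are constructed from what the question shows.

```python
import configparser
import re
import socket

# Constructed sample, modelled on the mail.log lines in the question
SAMPLE_LOG = """\
postfix/submission/smtpd[2282]: connect from unknown[203.0.113.7]
postfix/submission/smtpd[2282]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
postfix/submission/smtpd[2282]: disconnect from unknown[203.0.113.7] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
"""

# The [sasl] jail as posted in the question, and the same jail with the answer's ports
JAIL_BEFORE = "[sasl]\nenabled = true\nport = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s\nfilter = postfix-sasl\n"
JAIL_AFTER = "[sasl]\nenabled = true\nport = smtp,smtps,submission\nfilter = postfix-sasl\n"

# Postfix master.cf service name -> TCP port (assumes the standard master.cf layout)
POSTFIX_SERVICE_PORT = {"smtp": 25, "submission": 587, "smtps": 465}

# Fallback values (taken from Debian's /etc/services; assumption) used only when
# socket.getservbyname() cannot resolve a name on the host running this script
SERVICE_FALLBACK = {"smtp": 25, "ssmtp": 465, "smtps": 465, "submission": 587,
                    "imap2": 143, "imap3": 220, "imaps": 993, "pop3": 110, "pop3s": 995}

SASL_FAIL = re.compile(r"postfix/(?P<svc>[\w-]+)/smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: "
                       r"SASL \w+ authentication failed")

def resolve_port(token):
    """Turn one fail2ban port token (a number or a service name) into an int."""
    if token.isdigit():
        return int(token)
    try:
        return socket.getservbyname(token, "tcp")
    except OSError:
        return SERVICE_FALLBACK[token]

def jail_ports(jail_text, jail):
    """Set of TCP ports the jail's multiport action will actually block."""
    cfg = configparser.ConfigParser()
    cfg.read_string(jail_text)
    return {resolve_port(p.strip()) for p in cfg[jail]["port"].split(",")}

def attacked_ports(log_text):
    """Ports that received failed SASL logins, keyed by the Postfix service name."""
    ports = {}
    for line in log_text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            ports[m["svc"]] = POSTFIX_SERVICE_PORT[m["svc"]]
    return ports

def uncovered(log_text, jail_text, jail):
    """Attacked ports that a ban from this jail would leave open."""
    covered = jail_ports(jail_text, jail)
    return {svc: port for svc, port in attacked_ports(log_text).items() if port not in covered}
```

With the question's jail, uncovered() reports the submission port 587; with the answer's port list it reports nothing, which is why the ban showed in fail2ban.log yet the attempts kept arriving.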
