I am running Ubuntu 16.04.6 LTS with Postfix 3.1.0 and fail2ban 0.9.3. At the moment my machine is constantly being hit by brute-force attacks like this in /var/log/mail.log:
postfix/submission/smtpd[2282]: connect from unknown[xxx.xxx.xxx.xxx]
postfix/submission/smtpd[2282]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
postfix/submission/smtpd[2282]: disconnect from unknown[xxx.xxx.xxx.xxx] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
I tried setting /etc/fail2ban/jail.local to:
[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 3
bantime = 86400
[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
bantime = 86400
According to /var/log/fail2ban.log it seems to be working:
fail2ban.filter [2208]: INFO [sasl] Found xxx.xxx.xxx.xxx
fail2ban.actions [2208]: NOTICE [sasl] xxx.xxx.xxx.xxx already banned
But smtpd keeps receiving SASL authentication attempts.
A few days ago I also tried
iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
but although the DROP clearly shows up in the output of iptables -L INPUT -v -n, the connections and authentication attempts continue:
pkts bytes target prot opt in out source destination
416 2974K f2b-sasl tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,143,220,993,110,995
1763 170K f2b-wordpress-soft tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
1763 170K f2b-wordpress-hard tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
416 2974K f2b-postfix tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465
1891 144K f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
33899 8794K ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
33899 8794K ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
136 6931 ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
113 5875 ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
113 5875 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
113 5875 ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * xxx.xxx.xxx.xxx 0.0.0.0/0
Answer 1
Try this: in the port configuration, rename ssmtp to smtps or 465, add the submission port or 587, and restart.
Also, for the jail action you need the smtps and submission ports, something like this:
iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
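As an added diagnostic that is not part of the question or the answer above: the listing in the question shows the f2b-sasl chain matching only ports 25,465,143,220,993,110,995 while the failed logins arrive via postfix/submission/smtpd, and the hand-added DROP sits below the ufw chains with a packet count of 0. The shell functions below parse a constructed iptables -L INPUT -v -n listing modelled on that output (203.0.113.5 is a placeholder address) and report which f2b chains cover a given port and whether a DROP rule is placed where ufw has already accepted the traffic.

```shell
#!/bin/sh
# Constructed sample, modelled on the listing in the question; 203.0.113.5
# is a documentation-range placeholder, not a real attacker address.
IPTABLES_SAMPLE='pkts bytes target prot opt in out source destination
416 2974K f2b-sasl tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,143,220,993,110,995
416 2974K f2b-postfix tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465
1891 144K f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
33899 8794K ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
33899 8794K ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
113 5875 ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 203.0.113.5 0.0.0.0/0'

# Print the names of the f2b-* chains whose "multiport dports" list
# includes port $1, one per line. Empty output means no fail2ban jail
# can block traffic to that port, however well its filter matches.
f2b_chains_for_port() {
    printf '%s\n' "$IPTABLES_SAMPLE" | awk -v p="$1" '
        $3 ~ /^f2b-/ && /multiport dports/ {
            n = split($NF, ports, ",")
            for (i = 1; i <= n; i++) if (ports[i] == p) print $3
        }'
}

# Return 0 if a DROP rule for source $1 is listed below a ufw-* jump.
# A rule appended with "iptables -A INPUT ... -j DROP" lands there and
# only sees packets the ufw chains did not already accept, which is why
# its counter can stay at 0 while connections keep arriving.
drop_rule_shadowed() {
    printf '%s\n' "$IPTABLES_SAMPLE" | awk -v ip="$1" '
        $3 ~ /^ufw-/ && !ufw { ufw = NR }
        $3 == "DROP" && $8 == ip { drop = NR }
        END { exit !(drop && ufw && drop > ufw) }'
}

# Stand-alone run: the submission port seen in mail.log is not covered.
echo "chains covering 587: $(f2b_chains_for_port 587 | tr '\n' ' ')"
echo "chains covering 465: $(f2b_chains_for_port 465 | tr '\n' ' ')"
if drop_rule_shadowed 203.0.113.5; then
    echo "DROP for 203.0.113.5 is shadowed by the ufw chains"
fi
```

To check a live host, replace IPTABLES_SAMPLE with the output of iptables -L INPUT -v -n; for a rule that must win over ufw, insert it at the top of INPUT with -I rather than appending with -A.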