有人正在扫描我的 postfix/dovecot

有人正在扫描我的 postfix/dovecot

有人正在扫描我的邮件服务器。

我该怎么做才能阻止他们?

我尝试添加这个,但没有帮助:

/etc/hosts.deny
ALL: 80.82.77.18

我在日志中看到这一点:

...
Aug 23 03:34:40 auth-worker(1664): Info: sql([email protected],80.82.77.18): unknown user (given password: torcac)
Aug 23 03:35:17 auth-worker(1664): Info: sql([email protected],80.82.77.18): unknown user (given password: roselia)
Aug 23 03:35:56 auth-worker(1664): Info: sql([email protected],80.82.77.18): unknown user (given password: japan)
Aug 23 03:36:35 auth-worker(1664): Info: sql([email protected],80.82.77.18): unknown user (given password: berta)
Aug 23 03:37:08 auth-worker(1664): Info: sql(blue,193.169.252.176): unknown user (given password: 123456)
Aug 23 03:37:12 auth-worker(1664): Info: sql([email protected],80.82.77.18): unknown user (given password: keely)
Aug 23 03:37:49 auth-worker(1664): Info: sql([email protected],80.82.77.18): unknown user (given password: marcelia)
Aug 23 03:38:26 auth-worker(1664): Info: sql([email protected],80.82.77.18): unknown user (given password: yate)
Aug 23 03:39:02 auth-worker(1664): Info: sql([email protected],80.82.77.18): unknown user (given password: silvie)
Aug 23 03:39:41 auth-worker(1664): Info: sql([email protected],80.82.77.18): unknown user (given password: seven)[email protected],80.82.77.18): unknown user (given password: bang)
...

答案1

importgeek.wordpress.com

  1. 安装 Fail2Ban

    apt-get install fail2ban

  2. 要限制内存使用量,请在 /etc/default/fail2ban 中添加:

    +ulimit -s 256

  3. 创建本地配置文件 /etc/fail2ban/jail.local 来覆盖 jail.conf 中的设置:

    cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

    vi /etc/fail2ban/jail.local

[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
logpath = /var/log/mail.log
maxretry  = 3

[postfix]
enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry  = 3

[sasl]
enabled   = true
port      = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter    = sasl
logpath   = /var/log/mail.log
maxretry  = 3

编辑

Fail2ban(Debian Squeeze)没有附带 Dovecot 的配置,因此请创建 /etc/fail2ban/filter.d/dovecot.conf:

[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P\S*),.*
ignoreregex =

重新启动fail2ban:

# /etc/init.d/fail2ban restart

相关内容