Fail2Ban not working with Feb 9 11:57:51 NOQUEUE: reject: RCPT from unknown[185.143.223.170]


I have these lines in my mail.log file:

Feb  9 11:57:50 ctrl-01 postfix/smtpd[21155]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[185.143.223.97]>
Feb  9 11:57:50 ctrl-01 postfix/smtpd[21155]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[185.143.223.97]>
Feb  9 11:57:50 ctrl-01 postfix/smtpd[21155]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[185.143.223.97]>
Feb  9 11:57:51 ctrl-01 postfix/smtpd[21155]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[185.143.223.97]>
Feb  9 11:57:52 ctrl-01 postfix/smtpd[21155]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[185.143.223.97]>

I have this in my /etc/fail2ban/filter.d/postfix.conf:

failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 454 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1

But when I test the regex, it doesn't match anything:

$ fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf

Running tests
=============

Use   failregex filter file : postfix, basedir: /etc/fail2ban
Use      datepattern : Default Detectors
Use         log file : /var/log/mail.log
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [10000] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 10000 lines, 0 ignored, 0 matched, 10000 missed
[processed in 0.60 sec]

Any idea why this is happening?

Update: I'm on an Ubuntu 18.04.04 LTS server - stock fail2ban version 0.10.2-2

Update 2: I've made some progress. If I comment out this line, then it matches:

prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$

But I'd like to fix this properly rather than adding a hack.

Answer 1

When a prefregex is present, fail2ban first discards the log lines that do not match the prefregex, and then matches the failregex against the content of <F-CONTENT>. Since the postfix filter contains:

prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$
mdpr-normal = (?:NOQUEUE: reject:|improper command pipelining after \S+)

After the prefregex is applied, the content will be:

RCPT from unknown[185.143.223.170]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[185.143.223.97]>
RCPT from unknown[185.143.223.170]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[185.143.223.97]>
RCPT from unknown[185.143.223.170]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[185.143.223.97]>
RCPT from unknown[185.143.223.170]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[185.143.223.97]>
RCPT from unknown[185.143.223.170]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[185.143.223.97]>

and you need to remove the reject: part from the regex:

failregex = RCPT from (.*)\[<HOST>\]: 550 5.1.1
            RCPT from (.*)\[<HOST>\]: 450 4.7.1
            RCPT from (.*)\[<HOST>\]: 454 4.7.1
            RCPT from (.*)\[<HOST>\]: 554 5.7.1
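To see the two-stage matching the answer describes, here is an added Python illustration (not fail2ban's own code and not the answerer's): it uses hand-expanded, simplified stand-ins for %(__prefix_line)s, <mdpr-normal> and <HOST> (an assumption; the real templates are broader and the stand-in for <HOST> is IPv4 only), applies the prefregex to the question's log lines, and then runs the original and the corrected failregex against the extracted content.

```python
import re

# Two lines taken from the question's mail.log excerpt, plus one constructed
# line that the prefregex should discard (a plain connect, not a reject).
SAMPLE_LINES = [
    "Feb  9 11:57:50 ctrl-01 postfix/smtpd[21155]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[185.143.223.97]>",
    "Feb  9 11:57:51 ctrl-01 postfix/smtpd[21155]: NOQUEUE: reject: RCPT from unknown[185.143.223.170]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[185.143.223.97]>",
    "Feb  9 11:58:00 ctrl-01 postfix/smtpd[21160]: connect from unknown[185.143.223.170]",  # constructed
]

# Assumption: simplified stand-ins for fail2ban's %(__prefix_line)s and the
# <mdpr-normal> definition quoted in the answer.
PREFIX_LINE = r"\S+\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+postfix/smtpd\[\d+\]:\s+"
MDPR_NORMAL = r"(?:NOQUEUE: reject:|improper command pipelining after \S+)"
# <F-CONTENT>.+</F-CONTENT> becomes a named group holding what failregex sees.
PREFREGEX = re.compile(r"^" + PREFIX_LINE + MDPR_NORMAL + r" (?P<content>.+)$")
# Assumption: IPv4-only stand-in for fail2ban's <HOST> placeholder.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def expand(failregex_lines):
    """Substitute <HOST> the way fail2ban does before compiling a failregex."""
    return [re.compile(line.replace("<HOST>", HOST)) for line in failregex_lines]


ORIGINAL = expand([r"reject: RCPT from (.*)\[<HOST>\]: 454 4.7.1"])  # from the question
FIXED = expand([r"RCPT from (.*)\[<HOST>\]: 454 4.7.1"])             # from the answer


def match_like_fail2ban(lines, failregexes):
    """Two-stage matching: prefregex first, then failregex against the
    <F-CONTENT> group only. Returns the list of hosts matched."""
    hosts = []
    for line in lines:
        pre = PREFREGEX.match(line)
        if not pre:
            continue                    # discarded by the prefregex
        content = pre.group("content")  # "RCPT from unknown[...]: 454 4.7.1 ..."
        for rx in failregexes:
            m = rx.search(content)      # failregex never sees "reject: "
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


if __name__ == "__main__":
    print("original:", match_like_fail2ban(SAMPLE_LINES, ORIGINAL))  # []
    print("fixed:   ", match_like_fail2ban(SAMPLE_LINES, FIXED))
```

The original failregex finds nothing because the word "reject:" was consumed by the prefregex and is no longer in the content handed to it; the corrected regex matches both reject lines and ignores the connect line.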
