FAIL2BAN filter. Is there a filter for this kind of intrusion by internet search scanners?

Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: connection established
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: master_notify: status 0
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: name_mask: resource
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: name_mask: software
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: connect from scanner-05.ch1.censys-scanner.com[162.142.125.57]
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_list_match: scanner-05.ch1.censys-scanner.com: no match
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_list_match: 162.142.125.57: no match
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_hostname: smtpd_authorized_xforward_hosts: scanner-05.ch1.censys-scanner.com ~? 12>
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_hostaddr: smtpd_authorized_xforward_hosts: 162.142.125.57 ~? 127.0.0.0/8
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_hostname: smtpd_authorized_xforward_hosts: scanner-05.ch1.censys-scanner.com ~? [:>
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_hostaddr: smtpd_authorized_xforward_hosts: 162.142.125.57 ~? [::1]/128
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_list_match: scanner-05.ch1.censys-scanner.com: no match
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_list_match: 162.142.125.57: no match
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: smtp_stream_setup: maxtime=3600 enable_deadline=0
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_list_match: scanner-05.ch1.censys-scanner.com: no match
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_list_match: 162.142.125.57: no match
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: auto_clnt_open: connected to private/anvil

This is all from my system log.

I don't see any filter for it in fail2ban.

How do I write a filter?

I wrote a regex to capture all the IP addresses:

    push(@matches, $&) while ($search_contents =~ /$regex/gm);

Next I need to find a way to create a filter in fail2ban.

Can you give me a full file, like postfix.conf? Here is postfix.conf --->
# Fail2Ban filter for selected Postfix SMTP rejections
#
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
_port = (?::\d+)?

prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$

mdpr-normal = (?:NOQUEUE: reject:|improper command pipelining after \S+)
mdre-normal=^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.1 (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.1 (<[^>]*>)?: Helo command rejected: Host not found\b
            ^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.2 (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
            ^VRFY from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.8 (<[^>]*>)?: Sender address rejected: Domain not found\b
            ^from [^[]*\[<HOST>\]%(_port)s:?

mdpr-auth = warning:
mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
mdre-auth2= ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
# todo: check/remove "Invalid authentication mechanism" from ignore list, if gh-1243 will get finished (see gh-1297).

# Mode "rbl" currently included in mode "normal", but if needed for jail "postfix-rbl" only:
mdpr-rbl = %(mdpr-normal)s
mdre-rbl  = ^RCPT from [^[]*\[<HOST>\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b

# Mode "rbl" currently included in mode "normal" (within 1st rule)
mdpr-more = %(mdpr-normal)s
mdre-more = %(mdre-normal)s

mdpr-ddos = lost connection after(?! DATA) [A-Z]+
mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?

mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
mdre-extra = %(mdre-auth)s
            %(mdre-normal)s

mdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s)
mdre-aggressive = %(mdre-auth2)s
                  %(mdre-normal)s

mdre-scanner=(?<=match: )(.*)(?=: no match)
mdpr-scanner=(?<=match: )(.*)(?=: no match)

failregex = <mdre-<mode>>

# Parameter "mode": more (default combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
# Usage example (for jail.local):
#   [postfix]
#   mode = aggressive
#   # or another jail (rewrite filter parameters of jail):
#   [postfix-rbl]
#   filter = postfix[mode=rbl]
#
mode = more

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service

# Author: Cyril Jaquier

Strange. I found that the postfix_sasl filter that was present on mediatemple is not in the amazon lightsail postfix.

postfix_sasl still works fine when SASL fails.

Now I need to use it to match this "no match" error. Who is trying to log into my server, and how did they get my IP address? Does plesk give that out? Or mxlookup (which I once used to check whether email was working)?

Here is postfix-sasl.conf; can someone explain each line? How do I use it to handle the "no match" login errors?

# Fail2Ban filter for postfix authentication failures
#


[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$

ignoreregex = authentication failed: Connection lost to authentication server$

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service


# Author: Yaroslav Halchenko

I got this, but I don't see fail2ban using any of the "no match" IPs: fail2ban-regex -v /var/log/maillog /etc/fail2ban/filter.d/nomatch

Running tests
=============

Use   failregex filter file : nomatch, basedir: /etc/fail2ban
Use      datepattern : Default Detectors
Use         log file : /var/log/maillog
Use         encoding : UTF-8


Results
=======

Failregex: 100 total
|-  #) [# of hits] regular expression
|   1) [81] ^match_list_match: <ADDR>: <F-NOFAIL>no match</F-NOFAIL>
|      152.32.131.196  Fri Jan 21 06:52:15 2022
|      152.32.131.196  Fri Jan 21 06:52:15 2022
|      152.32.131.196  Fri Jan 21 06:52:15 2022
|      152.32.131.196  Fri Jan 21 06:52:15 2022
|      152.32.131.196  Fri Jan 21 06:52:16 2022
|      45.33.78.63  Fri Jan 21 07:01:15 2022
|      45.33.78.63  Fri Jan 21 07:01:15 2022
|      45.33.78.63  Fri Jan 21 07:01:17 2022
|      139.162.99.243  Fri Jan 21 08:19:03 2022
|      139.162.99.243  Fri Jan 21 08:19:03 2022
|      139.162.99.243  Fri Jan 21 08:19:03 2022
|      139.162.99.243  Fri Jan 21 08:19:03 2022
|      162.142.125.41  Fri Jan 21 08:48:58 2022
|      162.142.125.41  Fri Jan 21 08:48:58 2022
|      162.142.125.41  Fri Jan 21 08:48:58 2022
|      162.142.125.41  Fri Jan 21 08:48:58 2022
|      162.142.125.41  Fri Jan 21 08:48:58 2022
|      45.56.101.55  Fri Jan 21 10:13:22 2022
|      45.56.101.55  Fri Jan 21 10:13:22 2022
|      45.56.101.55  Fri Jan 21 10:13:22 2022
|      45.56.101.55  Fri Jan 21 10:13:22 2022
|      45.56.101.55  Fri Jan 21 10:13:22 2022
|      162.142.125.42  Fri Jan 21 10:31:18 2022
|      162.142.125.42  Fri Jan 21 10:31:18 2022
|      162.142.125.42  Fri Jan 21 10:31:19 2022
|      162.142.125.42  Fri Jan 21 10:31:19 2022
|      162.142.125.42  Fri Jan 21 10:31:19 2022
|      45.79.158.51  Fri Jan 21 11:02:09 2022
|      45.79.158.51  Fri Jan 21 11:02:09 2022
|      45.79.158.51  Fri Jan 21 11:02:11 2022
|      104.206.128.26  Fri Jan 21 12:07:17 2022
|      104.206.128.26  Fri Jan 21 12:07:17 2022
|      104.206.128.26  Fri Jan 21 12:07:17 2022
|      45.33.95.172  Fri Jan 21 12:15:12 2022
|      45.33.95.172  Fri Jan 21 12:15:12 2022
|      45.33.95.172  Fri Jan 21 12:15:12 2022
|      45.33.95.172  Fri Jan 21 12:15:12 2022
|      45.33.95.172  Fri Jan 21 12:15:12 2022
|      192.241.219.199  Fri Jan 21 13:24:46 2022
|      192.241.219.199  Fri Jan 21 13:24:46 2022
|      192.241.219.199  Fri Jan 21 13:24:46 2022
|      45.79.178.163  Fri Jan 21 14:13:30 2022
|      45.79.178.163  Fri Jan 21 14:13:30 2022
|      45.79.178.163  Fri Jan 21 14:13:30 2022
|      45.79.178.163  Fri Jan 21 14:13:30 2022
|      45.79.178.163  Fri Jan 21 14:13:30 2022
|      96.126.109.15  Fri Jan 21 16:13:44 2022
|      96.126.109.15  Fri Jan 21 16:13:44 2022
|      96.126.109.15  Fri Jan 21 16:13:44 2022
|      96.126.109.15  Fri Jan 21 16:13:44 2022
|      96.126.109.15  Fri Jan 21 16:13:44 2022
|      66.240.236.116  Fri Jan 21 17:29:42 2022
|      66.240.236.116  Fri Jan 21 17:29:42 2022
|      66.240.236.116  Fri Jan 21 17:29:42 2022
|      66.240.236.116  Fri Jan 21 17:29:43 2022
|      69.164.210.216  Fri Jan 21 18:13:10 2022
|      69.164.210.216  Fri Jan 21 18:13:10 2022
|      69.164.210.216  Fri Jan 21 18:13:10 2022
|      69.164.210.216  Fri Jan 21 18:13:10 2022
|      69.164.210.216  Fri Jan 21 18:13:10 2022
|      164.90.197.27  Fri Jan 21 19:06:22 2022
|      164.90.197.27  Fri Jan 21 19:06:22 2022
|      164.90.197.27  Fri Jan 21 19:06:22 2022
|      164.90.197.27  Fri Jan 21 19:06:52 2022
|      45.56.99.23  Fri Jan 21 20:14:25 2022
|      45.56.99.23  Fri Jan 21 20:14:25 2022
|      45.56.99.23  Fri Jan 21 20:14:25 2022
|      45.56.99.23  Fri Jan 21 20:14:25 2022
|      45.56.99.23  Fri Jan 21 20:14:25 2022
|      178.79.189.233  Fri Jan 21 20:22:36 2022
|      178.79.189.233  Fri Jan 21 20:22:36 2022
|      178.79.189.233  Fri Jan 21 20:22:36 2022
|      178.79.189.233  Fri Jan 21 20:22:38 2022
|      162.142.125.44  Fri Jan 21 20:29:10 2022
|      162.142.125.44  Fri Jan 21 20:29:10 2022
|      162.142.125.44  Fri Jan 21 20:29:10 2022
|      162.142.125.44  Fri Jan 21 20:29:10 2022
|      162.142.125.44  Fri Jan 21 20:29:10 2022
|      45.56.104.184  Fri Jan 21 21:00:33 2022
|      45.56.104.184  Fri Jan 21 21:00:33 2022
|      45.56.104.184  Fri Jan 21 21:00:35 2022
|   2) [19] ^auto_clnt_open: connected to private/anvil
|      152.32.131.196  Fri Jan 21 06:52:15 2022
|      45.33.78.63  Fri Jan 21 07:01:17 2022
|      139.162.99.243  Fri Jan 21 08:19:03 2022
|      162.142.125.41  Fri Jan 21 08:48:58 2022
|      45.56.101.55  Fri Jan 21 10:13:22 2022
|      162.142.125.42  Fri Jan 21 10:31:19 2022
|      45.79.158.51  Fri Jan 21 11:02:11 2022
|      104.206.128.26  Fri Jan 21 12:07:17 2022
|      45.33.95.172  Fri Jan 21 12:15:12 2022
|      192.241.219.199  Fri Jan 21 13:24:46 2022
|      45.79.178.163  Fri Jan 21 14:13:30 2022
|      96.126.109.15  Fri Jan 21 16:13:44 2022
|      66.240.236.116  Fri Jan 21 17:29:42 2022
|      69.164.210.216  Fri Jan 21 18:13:10 2022
|      164.90.197.27  Fri Jan 21 19:06:22 2022
|      45.56.99.23  Fri Jan 21 20:14:25 2022
|      178.79.189.233  Fri Jan 21 20:22:36 2022
|      162.142.125.44  Fri Jan 21 20:29:10 2022
|      45.56.104.184  Fri Jan 21 21:00:35 2022
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [3923] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
|  [0] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
|  [0] {^LN-BEG}(?:DAY )?MON Day ExYear %k:Minute:Second(?:\.Microseconds)?
|  [0] {^LN-BEG}Day(?P<_sep>[-/])Month(?P=_sep)(?:ExYear|ExYear2) %k:Minute:Second
|  [0] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
|  [0] {^LN-BEG}Month/Day/ExYear:24hour:Minute:Second
|  [0] {^LN-BEG}Month-Day-ExYear %k:Minute:Second(?:\.Microseconds)?
|  [0] {^LN-BEG}Epoch
|  [0] {^LN-BEG}ExYear2ExMonthExDay  ?24hour:Minute:Second
|  [0] {^LN-BEG}MON Day, ExYear 12hour:Minute:Second AMPM
|  [0] {^LN-BEG}ExYearExMonthExDay(?:T|  ?)Ex24hourExMinuteExSecond(?:[.,]Microseconds)?(?:\s*Zone offset)?
|  [0] {^LN-BEG}(?:Zone name )?(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
|  [0] {^LN-BEG}(?:Zone offset )?(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
|  [0] {^LN-BEG}TAI64N
|  [0] {^LN-BEG}24hour:Minute:Second
|  [0] ^<Month/Day/ExYear2@24hour:Minute:Second>
|  [0] ^MON-Day-ExYear2 %k:Minute:Second
`-

Lines: 3923 lines, 0 ignored, 100 matched, 3823 missed
[processed in 0.25 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 3823 lines


Answer 1

Usually the postfix filter with mode aggressive is used to catch such scanners:

[postfix]
mode = aggressive

How to test it with fail2ban-regex:

fail2ban-regex /path/to/log_or_systemd-journal postfix[logtype=short,mode=aggressive]

But I don't see any message matching some error or a rejected connection. Moreover, auto_clnt_open: connected to private/anvil tells us that it is connected (although to anvil, which is Postfix's rate-limiting daemon, but anyway).
So are there any other messages afterwards (from this session [670231])?
Or what exactly do you want to consider as a failure?

If you mean it must react to the no match messages, then here is your filter:

[Definition]

failregex = ^\s*\S+ postfix/smtpd\[[^\]]+]: match_list_match: <ADDR>: no match

Only the log seems to contain multiple no match entries for a single "session", so every attempt would cause multiple failures (exactly 3 in this case), so you may need to increase maxretry.

If it must be connected to private/anvil, you could do it like this (this should work with fail2ban >= 0.10):

[Definition]

prefregex = ^\s*\S+ postfix/smtpd\[<F-MLFID>[^\]]+</F-MLFID>\]: <F-CONTENT>(?:match_list_match|auto_clnt_open).+</F-CONTENT>$

failregex = ^match_list_match: <ADDR>: <F-NOFAIL>no match</F-NOFAIL>
            ^auto_clnt_open: connected to private/anvil
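
The following is an added example, not code from the original post or from fail2ban itself. It emulates, in plain Python, how fail2ban would apply the two filters above to the verbose smtpd debug lines from the question: the single failregex counts one failure per "no match" line with an IP address (three per session here, which is why maxretry matters), while the prefregex/<F-MLFID>/<F-NOFAIL> form records the address from the "no match" line for that session id and charges one failure to it when the host-less auto_clnt_open line arrives. The sample log is constructed; the second session (mx.example.net, 203.0.113.10) is a hypothetical ordinary sender, included to show that these lines are debug chatter logged for every connection, so both filters would also accumulate failures for legitimate peers. The <ADDR> stand-in covers IPv4 only (fail2ban's real tag also handles IPv6).

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original post), in the shape of the
# verbose postfix/smtpd debug output shown in the question. Session 670240
# is a hypothetical legitimate MX peer, not a scanner.
SAMPLE_LOG = """\
Jan 19 22:49:00 mail postfix/smtpd[670231]: connect from scanner-05.ch1.censys-scanner.com[162.142.125.57]
Jan 19 22:49:00 mail postfix/smtpd[670231]: match_list_match: scanner-05.ch1.censys-scanner.com: no match
Jan 19 22:49:00 mail postfix/smtpd[670231]: match_list_match: 162.142.125.57: no match
Jan 19 22:49:00 mail postfix/smtpd[670231]: match_list_match: 162.142.125.57: no match
Jan 19 22:49:00 mail postfix/smtpd[670231]: match_list_match: 162.142.125.57: no match
Jan 19 22:49:00 mail postfix/smtpd[670231]: auto_clnt_open: connected to private/anvil
Jan 19 22:50:10 mail postfix/smtpd[670240]: connect from mx.example.net[203.0.113.10]
Jan 19 22:50:10 mail postfix/smtpd[670240]: match_list_match: 203.0.113.10: no match
Jan 19 22:50:10 mail postfix/smtpd[670240]: auto_clnt_open: connected to private/anvil
"""

# fail2ban strips the timestamp before prefregex/failregex are applied;
# this emulates that for the default syslog "MON Day HH:MM:SS " prefix.
DATE_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d ")

# Stand-in for fail2ban's <ADDR> tag (IPv4 only; the real tag also matches IPv6).
ADDR = r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})"


def strip_date(line):
    return DATE_RE.sub("", line, count=1)


# --- Filter 1: the single failregex from the answer -----------------------
SIMPLE_FAILREGEX = re.compile(
    r"^\s*\S+ postfix/smtpd\[[^\]]+]: match_list_match: " + ADDR + r": no match"
)


def failures_simple(log_text):
    """One failure per matching line, charged to the address in the line."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = SIMPLE_FAILREGEX.match(strip_date(line))
        if m:
            counts[m.group("addr")] += 1
    return dict(counts)


# --- Filter 2: prefregex with <F-MLFID> and <F-NOFAIL> (fail2ban >= 0.10) --
PREFREGEX = re.compile(
    r"^\s*\S+ postfix/smtpd\[(?P<mlfid>[^\]]+)\]: "
    r"(?P<content>(?:match_list_match|auto_clnt_open).+)$"
)
# <F-NOFAIL>: a hit that only records the host for this session id.
NOFAIL_RE = re.compile(r"^match_list_match: " + ADDR + r": no match")
# The real failure; it carries no host, so the host cached per MLFID is used.
FAIL_RE = re.compile(r"^auto_clnt_open: connected to private/anvil")


def failures_mlfid(log_text):
    """Emulate multi-line matching: remember the address per session id,
    then count one failure for that address when the host-less line arrives."""
    host_for_session = {}
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = PREFREGEX.match(strip_date(line))
        if not m:
            continue
        mlfid, content = m.group("mlfid"), m.group("content")
        nf = NOFAIL_RE.match(content)
        if nf:
            host_for_session[mlfid] = nf.group("addr")
            continue
        if FAIL_RE.match(content) and mlfid in host_for_session:
            counts[host_for_session[mlfid]] += 1
    return dict(counts)


def banned(counts, maxretry):
    """Addresses that reached maxretry failures (findtime is ignored here)."""
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("simple filter:", failures_simple(SAMPLE_LOG))
    print("mlfid  filter:", failures_mlfid(SAMPLE_LOG))
    print("banned, simple filter, maxretry=3:", banned(failures_simple(SAMPLE_LOG), 3))
    print("banned, mlfid filter,  maxretry=1:", banned(failures_mlfid(SAMPLE_LOG), 1))
```

With maxretry=3 the simple filter bans the scanner after a single session (three "no match" lines), and the legitimate peer is one session away from the same fate; with the MLFID filter and maxretry=1 both addresses are banned immediately. Whatever threshold is chosen, these debug lines carry no signal of a failed login or a rejection, so a jail built on them bans by connection count alone.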

Answer 2

There is official documentation on developing filters. There are also many filters included in /etc/fail2ban/filter.d/

Answer 3

Who is trying to log into my server and how did they get my IP address?

These entries in your log appear to come from Censys, an internet-wide scanning service. They describe what they do in "An Introduction to Censys Internet Scanning".

A 2021 master's thesis by researchers at Carleton University details what this scanner and similar ones do.

And whois 162.142.125.57 shows that the IP does indeed belong to Censys.

You could consider ignoring these connections and adjusting your logging. Or you can opt out of Censys data collection.
