FAIL2BAN filter - who can give me a filter to block this intrusion?

I am seeing endless intrusion attempts in the mail log of my mediatemple server. I need to block these IPs. Can someone help me with a filter file that matches these?

Jan 21 07:51:44 mydomain postfix/smtpd[23505]: SSL_accept error from unknown[185.7.214.188]: -1
Jan 21 07:51:44 mydomain postfix/smtpd[23505]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:647:
Jan 21 07:51:44 mydomain postfix/smtpd[23505]: lost connection after STARTTLS from unknown[185.7.214.188]
Jan 21 07:51:44 mydomain postfix/smtpd[23505]: disconnect from unknown[185.7.214.188]
Jan 21 07:51:44 mydomain postfix/smtpd[23505]: connect from unknown[185.7.214.188]
Jan 21 07:51:44 mydomain postfix/smtpd[23505]: SSL_accept error from unknown[185.7.214.188]: -1
Jan 21 07:51:44 mydomain postfix/smtpd[23505]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:647:
Jan 21 07:51:44 mydomain postfix/smtpd[23505]: lost connection after STARTTLS from unknown[185.7.214.188]
Jan 21 07:51:44 mydomain postfix/smtpd[23505]: disconnect from unknown[185.7.214.188]
Jan 21 07:52:46 mydomain spamd[19730]: spamd: connection from mydomain.com [127.0.0.1] at port 35360
Jan 21 07:52:46 mydomain spamd[19728]: prefork: child states: I
Jan 21 07:54:05 mydomain postfix/smtpd[23549]: warning: hostname zg-0104b-34.stretchoid.com does not resolve to address 192.241.208.40
Jan 21 07:54:05 mydomain postfix/smtpd[23549]: connect from unknown[192.241.208.40]
Jan 21 07:54:05 mydomain postfix/smtpd[23549]: disconnect from unknown[192.241.208.40]
Jan 21 07:57:25 mydomain postfix/anvil[23507]: statistics: max connection rate 2/60s for (submission:185.7.214.188) at Jan 21 07:51:44
Jan 21 07:57:25 mydomain postfix/anvil[23507]: statistics: max connection count 1 for (submission:185.7.214.188) at Jan 21 07:51:43
Jan 21 07:57:25 mydomain postfix/anvil[23507]: statistics: max cache size 1 at Jan 21 07:51:43
Jan 21 07:57:46 mydomain spamd[19730]: spamd: connection from mydomain.com [127.0.0.1] at port 53520
Jan 21 07:57:46 mydomain spamd[19728]: prefork: child states: I
Jan 21 08:01:40 mydomain postfix/smtpd[23649]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:40 mydomain postfix/smtpd[23649]: connect from unknown[185.181.102.18]
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: connect from unknown[185.181.102.18]
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: connect from unknown[185.181.102.18]
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: connect from unknown[185.181.102.18]
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: connect from unknown[185.181.102.18]
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: connect from unknown[185.181.102.18]
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: connect from unknown[185.181.102.18]
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: connect from unknown[185.181.102.18]
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: connect from unknown[185.181.102.18]
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: connect from unknown[185.181.102.18]
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: connect from unknown[185.181.102.18]
Jan 21 08:01:48 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:48 mydomain postfix/smtpd[23652]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:48 mydomain postfix/smtpd[23649]: lost connection after STARTTLS from unknown[185.181.102.18]
Jan 21 08:01:48 mydomain postfix/smtpd[23649]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:48 mydomain postfix/smtpd[23652]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:48 mydomain postfix/smtpd[23652]: connect from unknown[185.181.102.18]
Jan 21 08:01:48 mydomain postfix/smtpd[23652]: SSL_accept error from unknown[185.181.102.18]: -1
Jan 21 08:01:48 mydomain postfix/smtpd[23652]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:647:
Jan 21 08:01:48 mydomain postfix/smtpd[23652]: lost connection after STARTTLS from unknown[185.181.102.18]
Jan 21 08:01:48 mydomain postfix/smtpd[23652]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:48 mydomain postfix/smtpd[23649]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18
Jan 21 08:01:48 mydomain postfix/smtpd[23649]: connect from unknown[185.181.102.18]
Jan 21 08:01:49 mydomain postfix/smtpd[23649]: SSL_accept error from unknown[185.181.102.18]: -1
Jan 21 08:01:49 mydomain postfix/smtpd[23649]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:647:
Jan 21 08:01:49 mydomain postfix/smtpd[23649]: lost connection after STARTTLS from unknown[185.181.102.18]
Jan 21 08:01:49 mydomain postfix/smtpd[23649]: disconnect from unknown[185.181.102.18]
Jan 21 08:01:49 mydomain postfix/smtpd[23652]: warning: hostname turtle.census.shodan.io does not resolve to address 185.181.102.18

I have postfix-sasl - how do I modify it to cover these connection errors?

Answer 1

First, this is not a direct intrusion - it looks like the simplest kind of port scan... Apart from the flood on some (postfix) ports, and possibly some application disclosure (or rather, the scanner learning which ports your server listens on), you will not run into any problems.
You can of course ban them, but you have to know what you are doing (e.g. to avoid false positives for some of your legitimate users, for example if someone's slow connection produces the same messages)...

To ban this flood on the postfix side only, you can add this jail:

[postfix-scan]
filter =
failregex = ^\s*\S+ postfix/smtpd\[[^\]]+\]: lost connection after (?:STARTTLS|UNKNOWN) from [^\[]*\[<ADDR>\]
port = smtp,465,submission
... (logpath, backend, maxretry, findtime, etc) ...
enabled = true

(As already said, in theory you could ban some legitimate users, so maybe you should increase maxretry or decrease findtime for this jail.)

To ban port scans more fundamentally, you could add some netfilter rules, e.g. logging (and possibly dropping) connections that send SYN packets to many ports (with some burst), or even logging connections that send certain packets to some closed ports.
Then you could go further and ban those too, using something like this - https://github.com/fail2ban/fail2ban/issues/1945
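Added example, not code from the answer above or from fail2ban itself: it replays the answer's failregex over sample log lines the way fail2ban does (timestamp stripped first, regex applied to the remainder) and then applies a maxretry/findtime sliding window, so you can see offline which of the posted IPs the jail would ban and how the findtime caveat plays out. Assumptions: fail2ban's <ADDR> tag is replaced by a plain IPv4 capture group, the sample log is a constructed subset of the lines in the question plus a made-up slow client at 203.0.113.7, and the syslog year is fixed arbitrarily because the timestamps carry none.

```python
"""Replay the postfix-scan failregex over sample log lines and apply a
fail2ban-style maxretry/findtime window, so the jail can be tuned offline."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog prefix that fail2ban strips before it applies failregex.
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")

# The answer's failregex. fail2ban's <ADDR> tag is replaced here by an explicit
# IPv4 capture group (assumption: the real <ADDR> also matches IPv6 and hostnames;
# the dotted-quad form is all the posted log contains).
FAILREGEX = re.compile(
    r"^\s*\S+ postfix/smtpd\[[^\]]+\]: lost connection after (?:STARTTLS|UNKNOWN) "
    r"from [^\[]*\[(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\]")

ASSUMED_YEAR = 2019  # syslog timestamps carry no year; any fixed value works here

# Constructed sample: a subset of the posted lines plus a made-up slow client
# (203.0.113.7) that trips the same message five times over about two hours.
SAMPLE_LOG = """\
Jan 21 07:51:44 mydomain postfix/smtpd[23505]: SSL_accept error from unknown[185.7.214.188]: -1
Jan 21 07:51:44 mydomain postfix/smtpd[23505]: lost connection after STARTTLS from unknown[185.7.214.188]
Jan 21 07:51:44 mydomain postfix/smtpd[23505]: disconnect from unknown[185.7.214.188]
Jan 21 07:52:46 mydomain spamd[19730]: spamd: connection from mydomain.com [127.0.0.1] at port 35360
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:45 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:46 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:47 mydomain postfix/smtpd[23652]: lost connection after UNKNOWN from unknown[185.181.102.18]
Jan 21 08:01:48 mydomain postfix/smtpd[23649]: lost connection after STARTTLS from unknown[185.181.102.18]
Jan 21 08:01:49 mydomain postfix/smtpd[23649]: lost connection after STARTTLS from unknown[185.181.102.18]
Jan 21 09:10:00 mydomain postfix/smtpd[24001]: lost connection after STARTTLS from unknown[203.0.113.7]
Jan 21 09:40:00 mydomain postfix/smtpd[24002]: lost connection after STARTTLS from unknown[203.0.113.7]
Jan 21 10:15:00 mydomain postfix/smtpd[24003]: lost connection after STARTTLS from unknown[203.0.113.7]
Jan 21 10:45:00 mydomain postfix/smtpd[24004]: lost connection after STARTTLS from unknown[203.0.113.7]
Jan 21 11:20:00 mydomain postfix/smtpd[24005]: lost connection after STARTTLS from unknown[203.0.113.7]
"""


def parse_ts(text):
    """Turn 'Jan 21 08:01:45' into a datetime (year is assumed)."""
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)


def filter_matches(lines):
    """Apply the failregex as fail2ban would: strip the timestamp, then match
    the remainder. Returns (timestamp, ip) for every matching line."""
    out = []
    for line in lines:
        m = SYSLOG_LINE.match(line)
        if not m:
            continue
        f = FAILREGEX.match(m.group("rest"))
        if f:
            out.append((parse_ts(m.group("ts")), f.group("addr")))
    return out


def scan(lines, maxretry=5, findtime=600):
    """Sliding-window ban decision: an IP is banned the moment its maxretry-th
    match falls within the last findtime seconds. Returns {ip: ban_time}."""
    recent = defaultdict(deque)
    banned = {}
    for ts, ip in filter_matches(lines):
        if ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        # drop matches that have fallen out of the findtime window
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for findtime in (600, 86400):
        result = {ip: t.strftime("%H:%M:%S") for ip, t in scan(lines, 5, findtime).items()}
        print(f"findtime={findtime}s maxretry=5 -> {result}")
```

With maxretry=5 and findtime=600 only the Shodan scanner (185.181.102.18, six hits in four seconds) is banned; the single STARTTLS failure from 185.7.214.188 and the slow client's five failures spread over two hours never accumulate. Raise findtime to a day and the slow client is banned as well, which is exactly the false-positive trade-off the answer warns about. Against a real log the equivalent check is fail2ban's own tool, e.g. `fail2ban-regex /var/log/maillog '<the failregex>'`, which reports how many lines the expression matched.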
