Configure Windows Firewall to block IPs listed on Spamhaus.org


Ever since my email server was hacked twice (the last time very badly), I have been monitoring my logs very aggressively and taking appropriate action whenever I spot an attack. I have installed MalwareBytes for the server, which has been very effective at blocking about 95% of the brute-force password attacks (and other types), and I have reported anyone who got through. Given that I have been very effective at blocking the attacks, the attackers have changed tactics. I now see a lot of computers/devices connecting to my server and executing a bunch of "unrecognized commands". The number of connections has grown to the point that it is affecting server performance. Many of these IPs are listed on Spamhaus.org and other DNS block sites, so my question is, can I configure the firewall to block any IP address listed on those sites? Apart from the obvious reason, the reason I want to do this is that once a user determines their machine is "infected", cleans it and gets it removed from the block list, they can access my software again as a potential customer. I don't know of any software that does this, and I thought I would post the question here because I'm sure someone must know of a solution. Any help would be greatly appreciated. Thanks.

Here is an example of what I see in my logs; I am running the latest version of MDaemon on Windows Server 2012 R2:

Here are the relevant POP3 log entries:

Mon 2023-05-01 11:31:54.682: Session 00775141; child 0001
Mon 2023-05-01 11:31:54.682: Accepting POP3 connection from 167.248.133.127:57754 to xxxxxxxxxxxxxxxx
Mon 2023-05-01 11:31:54.761: Socket connection closed by the other side (how rude!)
Mon 2023-05-01 11:31:54.761: *  Socket error 10053 - Connection abort.
Mon 2023-05-01 11:31:54.761: Connection closed
Mon 2023-05-01 11:31:54.762: POP3 session terminated, (Bytes in/out: 429/1692)
Mon 2023-05-01 11:31:54.762: ----------
Mon 2023-05-01 11:31:55.044: Session 00775142; child 0001
Mon 2023-05-01 11:31:55.044: Accepting POP3 connection from 167.248.133.127:36340 to xxxxxxxxxxxxxxxx
Mon 2023-05-01 11:31:55.075: Socket connection closed by the other side (how rude!)
Mon 2023-05-01 11:31:55.075: *  Socket error 10053 - Connection abort.
Mon 2023-05-01 11:31:55.075: Connection closed
Mon 2023-05-01 11:31:55.075: POP3 session terminated, (Bytes in/out: 429/1692)
Mon 2023-05-01 11:31:55.075: ----------
Mon 2023-05-01 11:31:55.357: Session 00775143; child 0001
Mon 2023-05-01 11:31:55.357: Accepting POP3 connection from 167.248.133.127:42256 to xxxxxxxxxxxxxxxx
Mon 2023-05-01 11:31:55.360: *  SSL negotiation failed, error code 0x80090331
Mon 2023-05-01 11:31:55.360: POP3 session complete (Bytes in/out: 350/0)
Mon 2023-05-01 11:31:55.360: ----------
Mon 2023-05-01 11:31:55.678: Session 00775144; child 0001
Mon 2023-05-01 11:31:55.678: Accepting POP3 connection from 167.248.133.127:47866 to xxxxxxxxxxxxxxxx
Mon 2023-05-01 11:31:55.711: Socket connection closed by the other side (how rude!)
Mon 2023-05-01 11:31:55.711: *  Socket error 10053 - Connection abort.
Mon 2023-05-01 11:31:55.711: Connection closed
Mon 2023-05-01 11:31:55.712: POP3 session terminated, (Bytes in/out: 336/1692)
Mon 2023-05-01 11:31:55.712: ----------
Mon 2023-05-01 11:31:55.997: Session 00775145; child 0001
Mon 2023-05-01 11:31:55.997: Accepting POP3 connection from 167.248.133.127:53762 to xxxxxxxxxxxxxxxx
Mon 2023-05-01 11:31:56.027: Socket connection closed by the other side (how rude!)
Mon 2023-05-01 11:31:56.028: *  Socket error 10053 - Connection abort.
Mon 2023-05-01 11:31:56.028: Connection closed
Mon 2023-05-01 11:31:56.028: POP3 session terminated, (Bytes in/out: 417/1692)
Mon 2023-05-01 11:31:56.028: ----------

The following are the SMTP log entries I get for IPs that are also blocked by this feature; the IP above has also done this:

Sat 2023-04-29 09:40:13.202: Session 00773261; child 0001
Sat 2023-04-29 09:40:13.202: Accepting SMTP connection from 162.142.125.223:53396 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:13.205: --> 220 smtp.myemailserver.com ESMTP MSA MDaemon 23.0.1; Sat, 29 Apr 2023 09:40:13 -0400
Sat 2023-04-29 09:40:13.205: <-- ¨
Sat 2023-04-29 09:40:13.205: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.205: <--
Sat 2023-04-29 09:40:13.205: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.205: <-- À$À­À¯À,ÀrÀsÌ©ÌÀÀÀÀ'À/ÀÀ(À0À`ÀaÀvÀw̨ÌÀ
Sat 2023-04-29 09:40:13.205: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.205: <--
Sat 2023-04-29 09:40:13.205: Too many errors encountered
Sat 2023-04-29 09:40:13.205: SMTP session terminated (Bytes in/out: 429/183)
Sat 2023-04-29 09:40:13.206: ----------
Sat 2023-04-29 09:40:13.514: Session 00773262; child 0001
Sat 2023-04-29 09:40:13.514: Accepting SMTP connection from 162.142.125.223:38992 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:13.516: --> 220 smtp.myemailserver.com ESMTP MSA MDaemon 23.0.1; Sat, 29 Apr 2023 09:40:13 -0400
Sat 2023-04-29 09:40:13.516: <-- ¨
Sat 2023-04-29 09:40:13.516: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.516: <-- <rá®RD²ã ¬Ë–?äžII!úXJ×…—÷c×mCà‚]¹ ÿºiƒ
Sat 2023-04-29 09:40:13.517: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.517: <-- ÀĮ̀ÀwÀvÀaÀ`À0À(ÀÀ/À'ÀÀÀÌÌ©ÀsÀrÀ,À¯À­À$À
Sat 2023-04-29 09:40:13.517: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.517: <-- À+À®À¬À#À À
Sat 2023-04-29 09:40:13.517: Too many errors encountered
Sat 2023-04-29 09:40:13.517: SMTP session terminated (Bytes in/out: 429/183)
Sat 2023-04-29 09:40:13.517: ----------
Sat 2023-04-29 09:40:13.823: Session 00773263; child 0001
Sat 2023-04-29 09:40:13.823: Accepting SMTP connection from 162.142.125.223:52074 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:13.824: --> 220 smtp.myemailserver.com ESMTP MSA MDaemon 23.0.1; Sat, 29 Apr 2023 09:40:13 -0400
Sat 2023-04-29 09:40:13.825: <-- Y
Sat 2023-04-29 09:40:13.825: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.825: <-- À+À®À¬À#À À
Sat 2023-04-29 09:40:13.825: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.825: <--
Sat 2023-04-29 09:40:13.825: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:14.374: <--
Sat 2023-04-29 09:40:14.374: Too many errors encountered
Sat 2023-04-29 09:40:14.374: SMTP session terminated (Bytes in/out: 350/183)
Sat 2023-04-29 09:40:14.374: ----------
Sat 2023-04-29 09:40:14.655: Session 00773264; child 0001
Sat 2023-04-29 09:40:14.655: Accepting SMTP connection from 162.142.125.223:59426 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:14.658: --> 220 smtp.myemailserver.com ESMTP MSA MDaemon 23.0.1; Sat, 29 Apr 2023 09:40:14 -0400
Sat 2023-04-29 09:40:14.659: <-- K
Sat 2023-04-29 09:40:14.659: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:14.659: <--
Sat 2023-04-29 09:40:14.659: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:14.659: <--
Sat 2023-04-29 09:40:14.659: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:15.208: <--
Sat 2023-04-29 09:40:15.208: Too many errors encountered
Sat 2023-04-29 09:40:15.208: SMTP session terminated (Bytes in/out: 336/183)
Sat 2023-04-29 09:40:15.208: ----------
Sat 2023-04-29 09:40:15.488: Session 00773266; child 0001
Sat 2023-04-29 09:40:15.488: Accepting SMTP connection from 162.142.125.223:38688 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:15.490: --> 220 smtp.myemailserver.com ESMTP MSA MDaemon 23.0.1; Sat, 29 Apr 2023 09:40:15 -0400
Sat 2023-04-29 09:40:15.491: <-- œ
Sat 2023-04-29 09:40:15.491: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:15.491: <-- vk¢_[ UU
Sat 2023-04-29 09:40:15.491: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:15.491: <-- À+À®ÌÀ¬ÀÀ#
Sat 2023-04-29 09:40:15.491: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:15.491: <-- À
Sat 2023-04-29 09:40:15.491: Too many errors encountered
Sat 2023-04-29 09:40:15.491: SMTP session terminated (Bytes in/out: 417/183)
Sat 2023-04-29 09:40:15.491: ----------
Sat 2023-04-29 09:40:56.122: Session 00773271; child 0001
Sat 2023-04-29 09:40:56.122: Accepting SMTP connection from 167.248.133.52:42486 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:56.196: * SSL error 10054 An existing connection was forcibly closed by the remote host.
Sat 2023-04-29 09:40:56.196: SMTP session terminated (Bytes in/out: 429/1692)
Sat 2023-04-29 09:40:56.196: ----------
Sat 2023-04-29 09:40:56.478: Session 00773272; child 0001
Sat 2023-04-29 09:40:56.478: Accepting SMTP connection from 167.248.133.52:53048 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:56.510: * SSL error 10054 An existing connection was forcibly closed by the remote host.
Sat 2023-04-29 09:40:56.510: SMTP session terminated (Bytes in/out: 429/1692)
Sat 2023-04-29 09:40:56.510: ----------
Sat 2023-04-29 09:40:56.793: Session 00773273; child 0001
Sat 2023-04-29 09:40:56.793: Accepting SMTP connection from 167.248.133.52:33830 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:56.796: * SSL error 0x80090331 The client and server cannot communicate, because they do not possess a common algorithm.
Sat 2023-04-29 09:40:56.796: SMTP session terminated (Bytes in/out: 350/0)
Sat 2023-04-29 09:40:56.796: ----------
Sat 2023-04-29 09:40:57.102: Session 00773274; child 0001
Sat 2023-04-29 09:40:57.102: Accepting SMTP connection from 167.248.133.52:43136 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:57.133: * SSL error 10054 An existing connection was forcibly closed by the remote host.
Sat 2023-04-29 09:40:57.133: SMTP session terminated (Bytes in/out: 336/1692)
Sat 2023-04-29 09:40:57.133: ----------
Sat 2023-04-29 09:40:57.414: Session 00773275; child 0001
Sat 2023-04-29 09:40:57.414: Accepting SMTP connection from 167.248.133.52:52120 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:57.450: * SSL error 10054 An existing connection was forcibly closed by the remote host.
Sat 2023-04-29 09:40:57.450: SMTP session terminated (Bytes in/out: 417/1692)
Sat 2023-04-29 09:40:57.450: ----------
Sat 2023-04-29 09:41:52.287: Session 00773280; child 0001
Sat 2023-04-29 09:41:52.287: Accepting SMTP connection from 167.248.133.187:39424 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:41:52.289: --> 220 smtp.myemailserver.com ESMTP MDaemon 23.0.1; Sat, 29 Apr 2023 09:41:52 -0400
Sat 2023-04-29 09:41:52.290: <-- ¨
Sat 2023-04-29 09:41:52.290: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.290: <-- À$À­À¯À,ÀrÀsÌ©ÌÀÀÀÀ'À/ÀÀ(À0À`ÀaÀvÀw̨ÌÀ
Sat 2023-04-29 09:41:52.290: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.290: <--
Sat 2023-04-29 09:41:52.290: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.290: <--
Sat 2023-04-29 09:41:52.290: Too many errors encountered
Sat 2023-04-29 09:41:52.290: SMTP session terminated (Bytes in/out: 429/179)
Sat 2023-04-29 09:41:52.290: ----------
Sat 2023-04-29 09:41:52.598: Session 00773281; child 0001
Sat 2023-04-29 09:41:52.598: Accepting SMTP connection from 167.248.133.187:49952 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:41:52.600: --> 220 smtp.myemailserver.com ESMTP MDaemon 23.0.1; Sat, 29 Apr 2023 09:41:52 -0400
Sat 2023-04-29 09:41:52.600: <-- ¨
Sat 2023-04-29 09:41:52.601: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.601: <--
Sat 2023-04-29 09:41:52.601: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.601: <-- ÀĮ̀ÀwÀvÀaÀ`À0À(ÀÀ/À'ÀÀÀÌÌ©ÀsÀrÀ,À¯À­À$À
Sat 2023-04-29 09:41:52.601: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.601: <-- À+À®À¬À#À À
Sat 2023-04-29 09:41:52.601: Too many errors encountered
Sat 2023-04-29 09:41:52.601: SMTP session terminated (Bytes in/out: 429/179)
Sat 2023-04-29 09:41:52.601: ----------
Sat 2023-04-29 09:41:52.911: Session 00773282; child 0001
Sat 2023-04-29 09:41:52.911: Accepting SMTP connection from 167.248.133.187:59158 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:41:52.913: --> 220 smtp.myemailserver.com ESMTP MDaemon 23.0.1; Sat, 29 Apr 2023 09:41:52 -0400
Sat 2023-04-29 09:41:52.913: <-- Y
Sat 2023-04-29 09:41:52.914: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.914: <-- À+À®À¬À#À À
Sat 2023-04-29 09:41:52.914: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.914: <--
Sat 2023-04-29 09:41:52.914: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.914: <--
Sat 2023-04-29 09:41:52.914: Too many errors encountered
Sat 2023-04-29 09:41:52.914: SMTP session terminated (Bytes in/out: 350/179)
Sat 2023-04-29 09:41:52.914: ----------
Sat 2023-04-29 09:41:53.220: Session 00773283; child 0001
Sat 2023-04-29 09:41:53.220: Accepting SMTP connection from 167.248.133.187:38580 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:41:53.223: --> 220 smtp.myemailserver.com ESMTP MDaemon 23.0.1; Sat, 29 Apr 2023 09:41:53 -0400
Sat 2023-04-29 09:41:53.223: <-- K
Sat 2023-04-29 09:41:53.223: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:53.223: <--
Sat 2023-04-29 09:41:53.223: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:53.223: <--
Sat 2023-04-29 09:41:53.223: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:53.775: <--
Sat 2023-04-29 09:41:53.775: Too many errors encountered
Sat 2023-04-29 09:41:53.775: SMTP session terminated (Bytes in/out: 336/179)
Sat 2023-04-29 09:41:53.776: ----------
Sat 2023-04-29 09:41:54.057: Session 00773284; child 0001
Sat 2023-04-29 09:41:54.057: Accepting SMTP connection from 167.248.133.187:37494 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:41:54.058: --> 220 smtp.myemailserver.com ESMTP MDaemon 23.0.1; Sat, 29 Apr 2023 09:41:54 -0400
Sat 2023-04-29 09:41:54.059: <-- œ
Sat 2023-04-29 09:41:54.059: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:54.059: <-- À+À®ÌÀ¬ÀÀ#
Sat 2023-04-29 09:41:54.059: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:54.059: <-- À
Sat 2023-04-29 09:41:54.059: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:54.059: <--
Sat 2023-04-29 09:41:54.059: Too many errors encountered
Sat 2023-04-29 09:41:54.059: SMTP session terminated (Bytes in/out: 417/179)
Sat 2023-04-29 09:41:54.059: ---------- 
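As an added example (not part of the original post), the PowerShell below tallies sessions per remote IP over MDaemon-style log lines like the ones above and flags sources that repeatedly trigger "Unrecognized command", "SSL error" or socket-abort entries, which is the pattern the post describes. The sample lines are constructed in the same format; the Get-ProbeSources function name and the session threshold are assumptions.

```powershell
# Added example, not from the original post: rank remote IPs in MDaemon
# SMTP/POP3 logs by how many sessions looked like protocol probing.
# The lines below are CONSTRUCTED samples in the log format shown above;
# in practice pipe Get-Content over the real MDaemon log files instead.
$SampleLog = @'
Sat 2023-04-29 09:40:13.202: Accepting SMTP connection from 198.51.100.7:53396 to mail
Sat 2023-04-29 09:40:13.205: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.205: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.205: Too many errors encountered
Sat 2023-04-29 09:40:13.205: SMTP session terminated (Bytes in/out: 429/183)
Sat 2023-04-29 09:40:56.122: Accepting SMTP connection from 198.51.100.7:42486 to mail
Sat 2023-04-29 09:40:56.196: * SSL error 10054 An existing connection was forcibly closed by the remote host.
Sat 2023-04-29 09:40:56.196: SMTP session terminated (Bytes in/out: 429/1692)
Sat 2023-04-29 09:45:01.000: Accepting POP3 connection from 203.0.113.9:25001 to mail
Sat 2023-04-29 09:45:02.000: POP3 session terminated, (Bytes in/out: 1200/300)
'@ -split "`r?`n"

function Get-ProbeSources {
    # Returns one object per IP that opened at least $MinSessions sessions
    # and produced at least one command error or TLS/socket abort.
    param([string[]]$Lines, [int]$MinSessions = 2)
    $stats   = @{}     # ip -> @{Sessions; Errors; Aborts}
    $current = $null   # IP of the session the current line belongs to
    foreach ($line in $Lines) {
        if ($line -match 'Accepting (SMTP|POP3) connection from (\d+\.\d+\.\d+\.\d+):\d+') {
            $current = $Matches[2]
            if (-not $stats.ContainsKey($current)) { $stats[$current] = @{Sessions=0; Errors=0; Aborts=0} }
            $stats[$current].Sessions++
        }
        elseif ($current -and $line -match 'Unrecognized command|Too many errors') { $stats[$current].Errors++ }
        elseif ($current -and $line -match 'SSL error|SSL negotiation failed|Socket error 10053') { $stats[$current].Aborts++ }
        elseif ($line -match 'session (terminated|complete)') { $current = $null }
    }
    foreach ($ip in $stats.Keys) {
        $s = $stats[$ip]
        if ($s.Sessions -ge $MinSessions -and ($s.Errors + $s.Aborts) -gt 0) {
            [pscustomobject]@{ IP = $ip; Sessions = $s.Sessions; CmdErrors = $s.Errors; TlsAborts = $s.Aborts }
        }
    }
}

# With the sample above only 198.51.100.7 is reported; 203.0.113.9 had one clean session.
Get-ProbeSources -Lines $SampleLog | Sort-Object Sessions -Descending | Format-Table -AutoSize
```

The output is a review list, not an automatic ban: a legitimate client with a broken TLS stack can also produce SSL errors, so check a flagged IP against the blocklists before adding a firewall rule.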

Answer 1

netsh advfirewall firewall add rule name="banned IP" dir=in interface=any action=block remoteip=167.248.133.127/32

The hackers have access to a block of IPs, and they will most likely start incrementing (+1) these IP addresses, so you will need to start blocking the /24 subnet.

At the moment there are people in countries like Russia, North Korea and China randomly attacking computers; the best thing for you might be to do a whois lookup on the IPs and, if they come from those countries, block them all. Whois will list the range of machines the company owns so that you can block all of them.

I use Linux because I find it gives a better mail-server experience, but I have over 1 million banned IP addresses.

The random characters you are seeing

ÀĮ̀ÀwÀvÀaÀ`À0À(ÀÀ/À'ÀÀÌÌ©ÀsÀrÀ,À¯ÀÀ$À

Are the hackers trying to exploit a vulnerability in your mail server? When they find one, you will be attacked again.

https://www.spamhaus.com/dataset/ip-blocklists/

This link lets you sign up for a free trial, but I have read that the price goes as low as $250 per year.

You may also want to look at the AbuseIPDB site, since I believe you can download a list from there.

Then write a batch script to iterate the list into Windows Firewall.

Security: I have not used MDaemon, but this YouTube video seems to describe how to secure your server. https://www.youtube.com/watch?v=m4Ky2cPvLfI
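One way to do the "iterate the list into Windows Firewall" step from the answer above, as an added example that is not the answerer's own script: a PowerShell import that parses a downloaded list in the Spamhaus DROP text format (one IPv4 address or CIDR per line, ';' starts a comment; a plain one-address-per-line export works too) and loads it with New-NetFirewallRule in chunks, replacing the previous import so that addresses dropped from the list are unblocked again. The file path, rule-name prefix and chunk size are assumptions.

```powershell
# Added example (not from the original answer): import a blocklist file into
# Windows Firewall as a handful of inbound block rules instead of one rule per IP.
# ASSUMPTIONS: the list was already downloaded to $ListPath in DROP text format
# ("192.0.2.0/24 ; SBL123456" per line); run elevated; NetSecurity module present
# (Windows Server 2012 and later).
$ListPath   = 'C:\blocklists\drop.txt'   # assumed local copy of the list
$RulePrefix = 'Blocklist-DROP'            # assumed naming scheme for the rules
$ChunkSize  = 500                          # addresses per rule; thousands of rules slow the firewall

# Parse: drop comments, keep only well-formed IPv4 addresses or IPv4 CIDRs.
$cidrs = @(Get-Content $ListPath | ForEach-Object {
    $entry = ($_ -split ';', 2)[0].Trim()
    if (-not $entry) { return }
    $ip, $prefix = $entry -split '/', 2
    $ipOk     = ($ip -match '^\d{1,3}(\.\d{1,3}){3}$') -and [System.Net.IPAddress]::TryParse($ip, [ref]$null)
    $prefixOk = (-not $prefix) -or (($prefix -match '^\d{1,2}$') -and ([int]$prefix -le 32))
    if ($ipOk -and $prefixOk) { $entry }
} | Sort-Object -Unique)

if ($cidrs.Count -eq 0) { throw "No valid entries parsed from $ListPath; leaving existing rules untouched" }

# Remove the previous import first so cleaned-up addresses that left the list are unblocked.
Get-NetFirewallRule -DisplayName "$RulePrefix-*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# One rule per chunk of addresses; -RemoteAddress accepts both plain IPs and CIDRs.
for ($i = 0; $i -lt $cidrs.Count; $i += $ChunkSize) {
    $end   = [Math]::Min($i + $ChunkSize, $cidrs.Count) - 1
    $name  = '{0}-{1:D4}' -f $RulePrefix, [int]($i / $ChunkSize)
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block -Profile Any `
        -RemoteAddress $cidrs[$i..$end] -Description "Imported $(Get-Date -Format s)" | Out-Null
}
Write-Host ("Blocked {0} networks in {1} rule(s)" -f $cidrs.Count, [Math]::Ceiling($cidrs.Count / $ChunkSize))
```

Schedule the script (for example with a scheduled task) at the refresh interval the list provider recommends, and keep the mail server's own IP and any trusted relays out of the list before importing, since a block rule on them would silence legitimate traffic.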
