Exim

Exim server and a blacklist for too many login attempts

  • January 8, 2016

This is today's exim reject log:

2016-01-07 13:48:44 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=info@mydomain.com)
2016-01-07 15:32:09 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=info@mydomain.com)
2016-01-07 15:41:35 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=info@mydomain.com)
2016-01-07 15:49:01 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=info@mydomain.com)
2016-01-07 15:56:50 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=info@mydomain.com)
2016-01-07 16:04:58 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=info@mydomain.com)
2016-01-07 16:12:28 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=info@mydomain.com)
2016-01-07 16:20:19 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=info@mydomain.com)
2016-01-07 16:28:08 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=info@mydomain.com)
2016-01-07 16:35:50 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=info@mydomain.com)
2016-01-07 16:43:28 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=info@mydomain.com)
2016-01-07 16:51:18 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=info@mydomain.com)
2016-01-07 16:58:51 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=info@mydomain.com)
2016-01-07 17:06:25 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=info@mydomain.com)
2016-01-07 17:13:58 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=info@mydomain.com)
2016-01-07 17:21:29 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=test@mydomain.com)
2016-01-07 17:28:52 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=test@mydomain.com)
2016-01-07 17:36:18 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=test@mydomain.com)
2016-01-07 17:43:43 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=test@mydomain.com)
2016-01-07 17:51:46 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=test@mydomain.com)
2016-01-07 17:59:08 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=test@mydomain.com)
2016-01-07 18:06:44 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=test@mydomain.com)
2016-01-07 18:14:10 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=test@mydomain.com)
2016-01-07 18:21:39 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=test@mydomain.com)
2016-01-07 18:29:02 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=test@mydomain.com)
2016-01-07 18:36:36 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=test@mydomain.com)
2016-01-07 18:44:00 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=test@mydomain.com)
2016-01-07 18:51:21 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=test@mydomain.com)
2016-01-07 18:58:40 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=test@mydomain.com)
2016-01-07 19:05:59 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=vito@mydomain.com)
2016-01-07 19:13:18 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=vito@mydomain.com)
2016-01-07 19:20:42 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=vito@mydomain.com)
2016-01-07 19:28:03 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=vito@mydomain.com)
2016-01-07 19:35:48 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=vito@mydomain.com)
2016-01-07 19:43:11 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=vito@mydomain.com)
2016-01-07 19:50:35 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=vito@mydomain.com)
2016-01-07 19:57:59 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=vito@mydomain.com)
2016-01-07 20:05:25 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=vito@mydomain.com)
2016-01-07 20:12:51 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=vito@mydomain.com)
2016-01-07 20:20:17 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=vito@mydomain.com)
2016-01-07 20:27:41 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=vito@mydomain.com)
2016-01-07 20:35:06 login authenticator failed for (USER) [212.224.87.119]: 535 Incorrect authentication data (set_id=vito@mydomain.com)

I don't want to wait and do nothing. Is it possible to create a blacklist for exim that gets populated with IP addresses that make more than 10 login attempts within 1 hour?

Note that I want to create a blacklist for SMTP login attempts, not a blacklist for email senders.

This looks like a poor hacking attempt. I have seen several of these.

I suggest using fail2ban to block IPs after multiple failures. You should verify the pattern, since the default pattern does not always match. It handles multiple files and multiple services.

Exim does have the ability to rate limit. There are two versions; the newer one is intended for use in ACLs. This will only slow down someone trying to crack your passwords, but it may encourage them to try a different server. If you set the rate too low, it may cause problems for legitimate users.

You can also restrict authentication to the submission port. A line like this in the main section should require TLS encryption and the submission port before authentication is offered.

# Advertise AUTH only when the session is TLS-encrypted and arrived on the submission port
auth_advertise_hosts = ${if and {{!eq {$tls_cipher}{}} \
                                 {eq {$interface_port}{587}}} \
                                 {*}{}}
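As an added example (not part of the question or the answer above), here is a Python sliding-window counter for the rule the question asks for and that fail2ban implements with its maxretry and findtime jail options: flag a client IP once it has N failed SMTP AUTH attempts inside a time window. The regex is an illustrative one written for the log format shown in the question, not the filter shipped with fail2ban, and the sample log is constructed from the attacker timestamps in the question plus two invented entries for a documentation address. Run over those timestamps it shows a check worth doing before picking a threshold: at roughly one attempt every 7 to 8 minutes the attacker never reaches 10 failures within any one-hour window, so the rule as proposed would not fire at all; widening the window to two hours or lowering the count to 8 does catch it.

```python
"""Sliding-window detection of repeated Exim AUTH failures per client IP.

Added example, not code from the serverfault thread. It mirrors the
"maxretry failures within findtime" rule fail2ban applies to a log file.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches Exim's "<auth> authenticator failed for (<helo>) [<ip>]: 535 ..."
# line. The HELO name in parentheses is optional because Exim omits it for
# some clients. Illustrative pattern, not the regex from fail2ban's exim filter.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<auth>\S+) authenticator failed for (?:\S+ )?\[(?P<ip>[0-9A-Fa-f.:]+)\]"
    r"(?::\d+)?: 535 Incorrect authentication data"
    r"(?: \(set_id=(?P<set_id>[^)]*)\))?"
)


def parse_failure(line):
    """Return (timestamp, ip, set_id) for an AUTH-failure line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("ip"), m.group("set_id")


def find_offenders(lines, maxretry=10, findtime_seconds=3600):
    """Return {ip: time the threshold was first crossed} for every IP with at
    least maxretry failures inside any window of findtime_seconds."""
    findtime = timedelta(seconds=findtime_seconds)
    events = [e for e in map(parse_failure, lines) if e is not None]
    events.sort(key=lambda e: e[0])            # log order is not guaranteed
    recent = defaultdict(deque)                # ip -> timestamps still in window
    flagged = {}
    for ts, ip, _ in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > findtime:            # expire attempts older than window
            q.popleft()
        if len(q) >= maxretry and ip not in flagged:
            flagged[ip] = ts
    return flagged


# Constructed sample log: the attacking IP and timestamps come from the
# question; 192.0.2.10 (a documentation address) and the queue-run line are
# invented to show a legitimate user's typo and an unrelated log entry.
_TEMPLATE = ("2016-01-07 {t} login authenticator failed for (USER) [{ip}]: "
             "535 Incorrect authentication data (set_id={user})")
ATTACKER_IP = "212.224.87.119"
_ATTACKER_TIMES = ["15:32:09", "15:41:35", "15:49:01", "15:56:50", "16:04:58",
                   "16:12:28", "16:20:19", "16:28:08", "16:35:50", "16:43:28",
                   "16:51:18", "16:58:51", "17:06:25", "17:13:58"]
SAMPLE_LOG = (
    [_TEMPLATE.format(t=t, ip=ATTACKER_IP, user="info@mydomain.com")
     for t in _ATTACKER_TIMES]
    + [_TEMPLATE.format(t="16:00:00", ip="192.0.2.10", user="alice@mydomain.com"),
       _TEMPLATE.format(t="16:01:30", ip="192.0.2.10", user="alice@mydomain.com"),
       "2016-01-07 16:02:11 Start queue run: pid=12345"]
)

if __name__ == "__main__":
    print("10 failures in 1h:", find_offenders(SAMPLE_LOG))
    print("10 failures in 2h:", find_offenders(SAMPLE_LOG, findtime_seconds=7200))
    print(" 8 failures in 1h:", find_offenders(SAMPLE_LOG, maxretry=8))
```

The first call returns an empty dict: every one-hour window over the question's timestamps holds at most 8 attempts. The two-hour window flags the IP at 16:43:28 (its 10th attempt) and the lower count flags it at 16:28:08, while the two failures from 192.0.2.10 never come close, which is the trade-off the answer describes between catching slow guessing and not locking out a user who mistyped a password.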

Quoted from: https://serverfault.com/questions/747477