Ubuntu
Postfix: can't stop the "SASL LOGIN authentication failed" attack in the mail log
I'm trying to block an attack that my mail server records as
SASL LOGIN authentication failed
However, I've been trying for a whole day and still can't get it working. The log keeps producing attack entries from the same IP.
Machine:
Linux server 5.4.0-109-generic #123-Ubuntu SMP Fri Apr 8 09:10:54 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Mail log
/var/log/mail.log

    Apr 28 20:45:23 server postfix/smtpd[112579]: connect from unknown[5.34.207.81]
    Apr 28 20:45:24 server postfix/smtpd[112409]: warning: unknown[5.34.207.81]: SASL LOGIN authentication failed: authentication failure
    Apr 28 20:45:25 server postfix/smtpd[112409]: disconnect from unknown[5.34.207.81] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Apr 28 20:45:30 server postfix/smtpd[112599]: connect from unknown[5.34.207.81]
    Apr 28 20:45:31 server postfix/smtpd[112579]: warning: unknown[5.34.207.81]: SASL LOGIN authentication failed: authentication failure
    Apr 28 20:45:32 server postfix/smtpd[112579]: disconnect from unknown[5.34.207.81] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
    Apr 28 20:45:36 server postfix/smtpd[112409]: connect from unknown[5.34.207.81]
    Apr 28 20:45:38 server postfix/smtpd[112599]: warning: unknown[5.34.207.81]: SASL LOGIN authentication failed: authentication failure
    Apr 28 20:45:38 server postfix/smtpd[112599]: disconnect from unknown[5.34.207.81] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Fail2Ban with iptables
/etc/fail2ban/jail.local

    [postfix-sasl]
    enabled = true
    port = smtp,ssmtp,465,submission,imap,imaps,pop3,pop3s
    bantime = 10m
    filter = postfix-sasl
    #action = iptables-multiport[name=postfix, port="smtp,ssmtp,465,submission,imap,imaps,pop3,pop3s", protocol=tcp]
    logpath = /var/log/mail.log
    maxretry = 15
I ran
sudo service fail2ban restart
and the odd thing is that I don't see anything named f2b-postfix. A grep of the fail2ban log shows the same; this is the output:
Fail2Ban log
/var/log/fail2ban.log
    2022-04-27 16:27:10,133 fail2ban.actions [567]: NOTICE [postfix-sasl] Unban 5.34.207.81
    2022-04-27 16:27:45,391 fail2ban.actions [567]: NOTICE [postfix-sasl] Ban 5.34.207.81
    2022-04-27 16:32:17,801 fail2ban.actions [567]: NOTICE [postfix-sasl] Unban 212.70.149.72
    2022-04-27 22:37:46,299 fail2ban.actions [567]: NOTICE [postfix-sasl] Unban 5.34.207.81
Fail2Ban with UFW
In my research I learned that Fail2Ban can be used together with UFW, so I looked into it a bit; this is my configuration:
/etc/fail2ban/jail.local

    [postfix-sasl]
    enabled = true
    journalmatch =
    backend = polling
    bantime = -1  # Permanent ban? Maybe
    filter = postfix-sasl
    logpath = /var/log/mail.log
    maxretry = 15
    banaction = ufw
    findtime = 120
It's worth mentioning that I have manually run
sudo ufw insert 1 deny from 5.34.207.81 to any
followed by sudo ufw reload,
but unfortunately I can still see attacks from the same IP in /var/log/mail.log 😢

    Status: active
    To                         Action      From
    --                         ------      ----
    Anywhere                   DENY        212.70.149.72
    Anywhere                   DENY        5.34.207.81
The filter used in both Fail2Ban setups
/etc/fail2ban/filter.d/postfix-sasl.conf

    [INCLUDES]
    before = common.conf

    [Definition]
    _daemon = postfix/smtpd
    failregex = ^(.*)\[<HOST>\]: SASL (?:LOGIN|PLAIN) authentication failed:(.*)$
    ignoreregex =
If anyone can help, I'd be very grateful! 🙏🏻🙏🏻🙏🏻
Update
Finally, my Fail2Ban works as expected, and I will mark this as the answer! The fix was to set action to iptables-multiport so that multiple ports get banned! However, I don't use UFW to limit the attackers, because I realized that UFW, due to firewalld.
Solution
Add this line to your /etc/fail2ban/jail.local:
action = iptables-multiport[name=postfix, port="smtp,ssmtp,465,submission,imap,imaps,pop3,pop3s"]
It should look like this:

    [postfix-sasl]
    enabled = true
    filter = postfix-sasl
    action = iptables-multiport[name=postfix, port="smtp,ssmtp,465,submission,imap,imaps,pop3,pop3s"]
    logpath = /var/log/mail.log
    maxretry = 15
    bantime = 12h
Previously I had set maxretry to 3 for testing purposes. You may want to change it to a higher value; otherwise your users may quickly get into trouble.
Check Fail2Ban status
It's worth checking your jail:
sudo fail2ban-client status postfix-sasl
Output:

    Status for the jail: postfix-sasl
    |- Filter
    |  |- Currently failed: 2
    |  |- Total failed:     49
    |  `- File list:        /var/log/mail.log
    `- Actions
       |- Currently banned: 1
       |- Total banned:     3
       `- Banned IP list:   5.34.207.81
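Added example, not part of the question or the answer above: a small Python replay of what the postfix-sasl jail does with the failregex and the sample log lines from this thread. It applies the filter's failregex to constructed log lines (copied from the question, with a second IP added), counts matches per host inside a sliding findtime window exactly as maxretry/findtime/ignoreip interact, and then renders the iptables commands the iptables-multiport action would issue, which is why the chain to look for is named f2b-postfix when name=postfix. The host pattern substituted for <HOST>, the extra log lines, and the rendered iptables command shapes are assumptions of this example and are approximations of fail2ban's own behaviour, not copies of its code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex exactly as in the thread's /etc/fail2ban/filter.d/postfix-sasl.conf
FAILREGEX = r"^(.*)\[<HOST>\]: SASL (?:LOGIN|PLAIN) authentication failed:(.*)$"

# fail2ban expands <HOST> to its own host/IP pattern; this simplified
# IPv4/hostname form is an assumption of this example, not fail2ban's code.
HOST_RE = r"(?P<host>[\w\-.]+)"
FAIL_PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))
SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) ")

# Constructed sample log: the 5.34.207.81 lines come from the question,
# the 212.70.149.72 lines are made up to show the findtime window.
SAMPLE_LOG = """\
Apr 28 20:45:23 server postfix/smtpd[112579]: connect from unknown[5.34.207.81]
Apr 28 20:45:24 server postfix/smtpd[112409]: warning: unknown[5.34.207.81]: SASL LOGIN authentication failed: authentication failure
Apr 28 20:45:25 server postfix/smtpd[112409]: disconnect from unknown[5.34.207.81] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Apr 28 20:45:31 server postfix/smtpd[112579]: warning: unknown[5.34.207.81]: SASL LOGIN authentication failed: authentication failure
Apr 28 20:45:38 server postfix/smtpd[112599]: warning: unknown[5.34.207.81]: SASL LOGIN authentication failed: authentication failure
Apr 28 21:00:00 server postfix/smtpd[112601]: warning: unknown[212.70.149.72]: SASL PLAIN authentication failed: authentication failure
Apr 28 21:05:00 server postfix/smtpd[112602]: warning: unknown[212.70.149.72]: SASL LOGIN authentication failed: authentication failure
Apr 28 21:06:00 server postfix/smtpd[112603]: warning: unknown[212.70.149.72]: SASL LOGIN authentication failed: authentication failure
""".splitlines()


def parse_failure(line, year=2022):
    """Return (timestamp, host) when the failregex matches the line, else None.
    connect/disconnect lines do not match, so they never count as failures."""
    ts_m = SYSLOG_TS.match(line)
    fail_m = FAIL_PATTERN.match(line)
    if not ts_m or not fail_m:
        return None
    ts = datetime.strptime(
        f"{year} {ts_m['mon']} {ts_m['day']} {ts_m['time']}", "%Y %b %d %H:%M:%S")
    return ts, fail_m["host"]


def simulate_jail(lines, maxretry, findtime, ignoreip=()):
    """Replay the jail's counting: a host is banned once it has maxretry
    matches inside a sliding window of findtime seconds, unless it is in
    ignoreip. Returns {host: timestamp at which the ban would fire}."""
    window = defaultdict(deque)
    banned = {}
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, host = hit
        if host in ignoreip or host in banned:
            continue
        w = window[host]
        w.append(ts)
        while ts - w[0] > timedelta(seconds=findtime):   # drop expired matches
            w.popleft()
        if len(w) >= maxretry:
            banned[host] = ts
    return banned


def iptables_multiport_commands(name, ports, banned_ips, protocol="tcp", chain="INPUT"):
    """Render the iptables commands in the shape the iptables-multiport action
    uses: one f2b-<name> chain hooked into INPUT for the listed ports, plus a
    REJECT rule per banned IP. Approximation for illustration, assumed here
    rather than copied from fail2ban's action.d/iptables-multiport.conf."""
    f2b_chain = f"f2b-{name}"
    cmds = [
        f"iptables -w -N {f2b_chain}",
        f"iptables -w -A {f2b_chain} -j RETURN",
        f"iptables -w -I {chain} -p {protocol} -m multiport --dports {ports} -j {f2b_chain}",
    ]
    for ip in banned_ips:
        cmds.append(f"iptables -w -I {f2b_chain} 1 -s {ip} "
                    "-j REJECT --reject-with icmp-port-unreachable")
    return cmds


if __name__ == "__main__":
    for retry in (3, 15):
        print(f"maxretry={retry} findtime=120:",
              simulate_jail(SAMPLE_LOG, maxretry=retry, findtime=120))
    banned = simulate_jail(SAMPLE_LOG, maxretry=3, findtime=120)
    for cmd in iptables_multiport_commands("postfix", "smtp,465,submission", banned):
        print(cmd)
```

With maxretry=3 the three failures from 5.34.207.81 within 14 seconds trigger a ban at 20:45:38, while 212.70.149.72 never reaches three matches inside a 120 second window; with the thread's maxretry=15 nothing is banned at all, which is one reason a jail can look idle while the mail log still fills up. On a live box the equivalent check is `sudo iptables -L f2b-postfix -n` after the jail has started: if that chain does not exist, the action never ran and no counting in the filter will help.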