Ubuntu

有人在掃描我的 postfix/dovecot

  • August 23, 2019

有人在掃描我的郵件伺服器。

我能做些什麼來阻止他們?

我嘗試添加它並沒有幫助:

/etc/hosts.deny
ALL: 80.82.77.18

我在日誌中看到了這個:

...
Aug 23 03:34:40 auth-worker(1664): Info: sql(torcac@example.net,80.82.77.18): unknown user (given password: torcac)
Aug 23 03:35:17 auth-worker(1664): Info: sql(roselia@example.net,80.82.77.18): unknown user (given password: roselia)
Aug 23 03:35:56 auth-worker(1664): Info: sql(japan@example.net,80.82.77.18): unknown user (given password: japan)
Aug 23 03:36:35 auth-worker(1664): Info: sql(berta@example.net,80.82.77.18): unknown user (given password: berta)
Aug 23 03:37:08 auth-worker(1664): Info: sql(blue,193.169.252.176): unknown user (given password: 123456)
Aug 23 03:37:12 auth-worker(1664): Info: sql(keely@example.net,80.82.77.18): unknown user (given password: keely)
Aug 23 03:37:49 auth-worker(1664): Info: sql(marcelia@example.net,80.82.77.18): unknown user (given password: marcelia)
Aug 23 03:38:26 auth-worker(1664): Info: sql(yate@example.net,80.82.77.18): unknown user (given password: yate)
Aug 23 03:39:02 auth-worker(1664): Info: sql(silvie@example.net,80.82.77.18): unknown user (given password: silvie)
Aug 23 03:39:41 auth-worker(1664): Info: sql(seven@example.net,80.82.77.18): unknown user (given password: seven)ang@example.net,80.82.77.18): unknown user (given password: bang)
...

來自importgeek.wordpress.com

  1. 安裝 Fail2Ban

:apt-get install fail2ban 2. 要限制記憶體使用,請添加到 /etc/default/fail2ban:

+ulimit -s 256 3. 創建一個本地配置文件 /etc/fail2ban/jail.local 以覆蓋 jail.conf 中的設置:

:cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

:vi /etc/fail2ban/jail.local

[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
logpath = /var/log/mail.log
maxretry  = 3

[postfix]
enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry  = 3

[sasl]
enabled   = true
port      = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter    = sasl
logpath   = /var/log/mail.log
maxretry  = 3

編輯

Fail2ban (Debian Squeeze) 未附帶 Dovecot 的配置,因此請創建 /etc/fail2ban/filter.d/dovecot.conf:

[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P\S*),.*
ignoreregex =

重啟fail2ban:

# /etc/init.d/fail2ban restart

引用自:https://serverfault.com/questions/980423

相關問答

Ubuntu

Postfix 電子郵件伺服器未收到來自外部電子郵件的電子郵件

  • September 1, 2021
檢視問答
Ubuntu

我應該,我應該如何防禦 DOS SMTP 攻擊

  • February 11, 2021
檢視問答
Postfix

Ubuntu 9.04、Postfix、Dovecot、Squirrelmail 和假期/離開消息

  • January 2, 2021
檢視問答
Ubuntu

無法接收帶有 Postfix/Dovecot 的電子郵件 telnet 返回 status0

  • November 25, 2020
檢視問答
Ubuntu

在沒有真正 Linux 使用者的情況下設置郵件帳戶

  • April 7, 2020
檢視問答
Ubuntu

Dovecot:auth_username_chars 不允許的使用者名字元:0x0a

  • January 7, 2020
檢視問答