Ubuntu
Someone is scanning my postfix/dovecot
Someone is scanning my mail server.
What can I do to stop them?
I tried adding this, but it didn't help:
/etc/hosts.deny:
ALL: 80.82.77.18
I see this in the logs:
...
Aug 23 03:34:40 auth-worker(1664): Info: sql(torcac@example.net,80.82.77.18): unknown user (given password: torcac)
Aug 23 03:35:17 auth-worker(1664): Info: sql(roselia@example.net,80.82.77.18): unknown user (given password: roselia)
Aug 23 03:35:56 auth-worker(1664): Info: sql(japan@example.net,80.82.77.18): unknown user (given password: japan)
Aug 23 03:36:35 auth-worker(1664): Info: sql(berta@example.net,80.82.77.18): unknown user (given password: berta)
Aug 23 03:37:08 auth-worker(1664): Info: sql(blue,193.169.252.176): unknown user (given password: 123456)
Aug 23 03:37:12 auth-worker(1664): Info: sql(keely@example.net,80.82.77.18): unknown user (given password: keely)
Aug 23 03:37:49 auth-worker(1664): Info: sql(marcelia@example.net,80.82.77.18): unknown user (given password: marcelia)
Aug 23 03:38:26 auth-worker(1664): Info: sql(yate@example.net,80.82.77.18): unknown user (given password: yate)
Aug 23 03:39:02 auth-worker(1664): Info: sql(silvie@example.net,80.82.77.18): unknown user (given password: silvie)
Aug 23 03:39:41 auth-worker(1664): Info: sql(seven@example.net,80.82.77.18): unknown user (given password: seven)
ang@example.net,80.82.77.18): unknown user (given password: bang)
...
1. Install Fail2Ban:
apt-get install fail2ban
2. To limit memory usage, add to /etc/default/fail2ban:
ulimit -s 256
3. Create a local configuration file /etc/fail2ban/jail.local to override the settings in jail.conf:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Then edit it:
vi /etc/fail2ban/jail.local
[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
logpath = /var/log/mail.log
maxretry = 3

[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 3

[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.log
maxretry = 3
Edit:
Fail2ban (Debian Squeeze) does not ship with a configuration for Dovecot, so create /etc/fail2ban/filter.d/dovecot.conf:
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
Restart fail2ban:
# /etc/init.d/fail2ban restart
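As an added example (not code from the answer above or from fail2ban itself), this Python script applies the answer's dovecot failregex, with fail2ban's <host> capture written out as a Python named group, plus an assumed second pattern for the auth-worker "unknown user" lines from the question's log, and reports which hosts a jail with maxretry = 3 would ban within the default findtime of 600 seconds. The sample lines are constructed from the question's excerpt, with documentation addresses for the extra entries.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, modelled on the question's excerpt (extra lines use documentation IPs)
SAMPLE_LOG = """\
Aug 23 03:34:40 auth-worker(1664): Info: sql(torcac@example.net,80.82.77.18): unknown user (given password: torcac)
Aug 23 03:35:17 auth-worker(1664): Info: sql(roselia@example.net,80.82.77.18): unknown user (given password: roselia)
Aug 23 03:35:56 auth-worker(1664): Info: sql(japan@example.net,80.82.77.18): unknown user (given password: japan)
Aug 23 03:37:08 auth-worker(1664): Info: sql(blue,193.169.252.176): unknown user (given password: 123456)
Aug 23 03:37:12 imap-login: Info: Aborted login (auth failed, 1 attempts): user=<keely>, method=PLAIN, rip=80.82.77.18, lip=198.51.100.5
Aug 23 03:40:00 imap-login: Info: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=198.51.100.5
"""

FAILREGEX = [
    # The dovecot filter from the answer, with fail2ban's <host> tag written as a Python named group
    re.compile(r"(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed"
               r"|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"),
    # Assumption: extra pattern for the question's auth-worker lines, which the filter above does not match
    re.compile(r"auth-worker\(\d+\): Info: sql\([^,]*,(?P<host>[^)]+)\): unknown user"),
]

def parse_failures(log_text):
    """Return a (timestamp, host) pair for every line that matches one of the failregexes."""
    hits = []
    for line in log_text.splitlines():
        for pattern in FAILREGEX:
            match = pattern.search(line)
            if match:
                # syslog timestamps carry no year; the default year 1900 is fine for relative comparisons
                hits.append((datetime.strptime(line[:15], "%b %d %H:%M:%S"), match.group("host")))
                break
    return hits

def hosts_to_ban(log_text, maxretry=3, findtime=600):
    """Mimic a jail: ban a host at the moment it reaches maxretry failures within findtime seconds."""
    recent = defaultdict(list)  # host -> timestamps of failures still inside the window
    banned = {}                 # host -> time the ban would have been issued
    for ts, host in sorted(parse_failures(log_text)):
        if host in banned:
            continue
        recent[host] = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        recent[host].append(ts)
        if len(recent[host]) >= maxretry:
            banned[host] = ts
    return banned

if __name__ == "__main__":
    for host, when in hosts_to_ban(SAMPLE_LOG).items():
        print(f"{host} would be banned at {when:%H:%M:%S}")
```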