ADJ網路實驗室
打印

[介紹] 使用Fail2Ban 來防止 postfix AUTH DoS attacks

使用Fail2Ban 來防止 postfix AUTH DoS attacks

最近每天系統報表都會顯示以下多個訊息
引用:
Apr 21 15:23:44 mail postfix/smtpd[13516]: lost connection after AUTH from unknown[112.122.101.14]
Apr 21 15:23:44 mail postfix/smtpd[13516]: disconnect from unknown[112.122.101.14]
Apr 21 15:23:44 mail postfix/smtpd[13516]: connect from unknown[112.122.101.14]
Apr 21 15:23:44 mail postfix/smtpd[13516]: lost connection after AUTH from unknown[112.122.101.14]
Apr 21 15:23:44 mail postfix/smtpd[13516]: disconnect from unknown[112.122.101.14]
Apr 21 15:23:44 mail postfix/smtpd[13516]: connect from unknown[112.122.101.14]
Apr 21 15:23:45 mail postfix/smtpd[13516]: lost connection after AUTH from unknown[112.122.101.14]
Apr 21 15:23:45 mail postfix/smtpd[13516]: disconnect from unknown[112.122.101.14]
似乎是被鎖定 Sasl 攻擊了,由於之前已經有安裝 fail2ban,可以打開相關的 sasl 防護功能


(1) add following section to the end of your /etc/fail2ban/jail.local
引用:
[postfix-auth]
enabled     = true
filter      = postfix.auth
action      = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
#           sendmail[name=Postfix, dest=you@mail.com]
logpath     = /var/log/mail.log
(2) create new file /etc/fail2ban/filter.d/postfix.auth.conf
引用:
[Definition]
failregex = lost connection after AUTH from (.*)\[<HOST>\]
ignoreregex =
(3) Restart fail2ban. Attacker will be blocked after five attempts.





TOP

逢甲夜市住宿台中逢甲住宿推薦 台中逢甲住宿逢甲民宿逢甲便宜住宿一中街住宿逢甲商旅台中住宿taichung hostel台中背包客棧一中街住宿
ARTERY.cn