Linux自建邮局之通过Fail2ban调用iptables过滤试探postfix账号ip

摘要

邮件系统、FTP服务器等对外开放的服务,常会遇到成百上千次的账号试探和暴力破解。邮件服务器尤其如此:邮箱账号一旦被破解就会被拿去发垃圾邮件,导致公司邮件被 qq 等邮箱退信,我被领导批,也是气不过。。。。

Linux自建邮局之通过Fail2ban调用iptables过滤试探postfix账号ip。下面是 /var/log/maillog 里的一段记录:同一天内 31.204.150.143 和 93.174.91.105 两个来源每隔几秒就试一次登录。行尾的 UGFzc3dvcmQ6 是 base64 编码的 "Password:",即 SASL LOGIN 方式下服务端发出的口令提示,并不是泄露的密码;后面 fail2ban 的 findtime/maxretry 就要按这种频率来定。

Jun  5 01:35:23 mail postfix/smtpd[635]: warning: unknown[31.204.150.143]: SASL login authentication failed: UGFzc3dvcmQ6
Jun  5 01:35:34 mail postfix/smtpd[635]: warning: unknown[31.204.150.143]: SASL login authentication failed: UGFzc3dvcmQ6
Jun  5 01:35:43 mail postfix/smtpd[635]: warning: unknown[31.204.150.143]: SASL login authentication failed: UGFzc3dvcmQ6
Jun  5 01:35:49 mail postfix/smtpd[635]: warning: unknown[31.204.150.143]: SASL login authentication failed: UGFzc3dvcmQ6
Jun  5 01:35:58 mail postfix/smtpd[635]: warning: unknown[31.204.150.143]: SASL login authentication failed: UGFzc3dvcmQ6
Jun  5 01:36:05 mail postfix/smtpd[635]: warning: unknown[31.204.150.143]: SASL login authentication failed: UGFzc3dvcmQ6
Jun  5 01:36:13 mail postfix/smtpd[635]: warning: unknown[31.204.150.143]: SASL login authentication failed: UGFzc3dvcmQ6
Jun  5 01:36:19 mail postfix/smtpd[635]: warning: unknown[31.204.150.143]: SASL login authentication failed: UGFzc3dvcmQ6
Jun  5 01:36:29 mail postfix/smtpd[635]: warning: unknown[31.204.150.143]: SASL login authentication failed: UGFzc3dvcmQ6
Jun  5 01:36:36 mail postfix/smtpd[635]: warning: unknown[31.204.150.143]: SASL login authentication failed: UGFzc3dvcmQ6
Jun  5 01:36:49 mail postfix/smtpd[635]: warning: unknown[31.204.150.143]: SASL login authentication failed: UGFzc3dvcmQ6
Jun  5 01:52:37 mail postfix/smtpd[2269]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 01:52:38 mail postfix/smtpd[2272]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 01:52:40 mail postfix/smtpd[2269]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 01:52:45 mail postfix/smtpd[2272]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 01:52:47 mail postfix/smtpd[2269]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 01:52:56 mail postfix/smtpd[2272]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 04:13:53 mail postfix/smtpd[18815]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 04:13:53 mail postfix/smtpd[18720]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 04:13:56 mail postfix/smtpd[18720]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 04:13:56 mail postfix/smtpd[18815]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 04:13:59 mail postfix/smtpd[18720]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 04:13:59 mail postfix/smtpd[18815]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 04:45:45 mail postfix/smtpd[23962]: warning: unknown[31.204.150.143]: SASL login authentication failed: UGFzc3dvcmQ6
Jun  5 04:45:55 mail postfix/smtpd[23962]: warning: unknown[31.204.150.143]: SASL login authentication failed: UGFzc3dvcmQ6
Jun  5 04:46:01 mail postfix/smtpd[23962]: warning: unknown[31.204.150.143]: SASL login authentication failed: UGFzc3dvcmQ6
Jun  5 04:46:08 mail postfix/smtpd[23962]: warning: unknown[31.204.150.143]: SASL login authentication failed: UGFzc3dvcmQ6
Jun  5 04:46:15 mail postfix/smtpd[23962]: warning: unknown[31.204.150.143]: SASL login authentication failed: UGFzc3dvcmQ6
Jun  5 04:46:22 mail postfix/smtpd[23962]: warning: unknown[31.204.150.143]: SASL login authentication failed: UGFzc3dvcmQ6
Jun  5 04:46:28 mail postfix/smtpd[23962]: warning: unknown[31.204.150.143]: SASL login authentication failed: UGFzc3dvcmQ6
Jun  5 04:46:36 mail postfix/smtpd[23962]: warning: unknown[31.204.150.143]: SASL login authentication failed: UGFzc3dvcmQ6
Jun  5 04:46:43 mail postfix/smtpd[23962]: warning: unknown[31.204.150.143]: SASL login authentication failed: UGFzc3dvcmQ6
Jun  5 04:46:52 mail postfix/smtpd[23962]: warning: unknown[31.204.150.143]: SASL login authentication failed: UGFzc3dvcmQ6
Jun  5 06:34:48 mail postfix/smtpd[996]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 06:34:48 mail postfix/smtpd[998]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 06:34:51 mail postfix/smtpd[996]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 06:34:51 mail postfix/smtpd[998]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 06:34:54 mail postfix/smtpd[998]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 06:34:54 mail postfix/smtpd[996]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 08:55:49 mail postfix/smtpd[18258]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 08:55:55 mail postfix/smtpd[18256]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 06:34:51 mail postfix/smtpd[996]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 06:34:51 mail postfix/smtpd[998]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 06:34:54 mail postfix/smtpd[998]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 06:34:54 mail postfix/smtpd[996]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 08:55:49 mail postfix/smtpd[18258]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 08:55:55 mail postfix/smtpd[18256]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 08:55:56 mail postfix/smtpd[18258]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 08:56:06 mail postfix/smtpd[18256]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 08:56:07 mail postfix/smtpd[18258]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 08:56:17 mail postfix/smtpd[18256]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: Connection lost to authentication server
Jun  5 11:16:46 mail postfix/smtpd[7380]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 11:16:46 mail postfix/smtpd[7428]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 11:16:49 mail postfix/smtpd[7380]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 11:16:49 mail postfix/smtpd[7428]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 11:16:52 mail postfix/smtpd[7428]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 11:16:53 mail postfix/smtpd[7380]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 13:38:14 mail postfix/smtpd[26802]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 13:38:20 mail postfix/smtpd[26804]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 13:38:21 mail postfix/smtpd[26802]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 13:38:32 mail postfix/smtpd[26804]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 13:38:33 mail postfix/smtpd[26802]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 13:38:42 mail postfix/smtpd[26804]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: Connection lost to authentication server
Jun  5 15:59:26 mail postfix/smtpd[15707]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 15:59:26 mail postfix/smtpd[15708]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 15:59:30 mail postfix/smtpd[15708]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 15:59:30 mail postfix/smtpd[15707]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 15:59:34 mail postfix/smtpd[15708]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 15:59:44 mail postfix/smtpd[15707]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 18:20:30 mail postfix/smtpd[28916]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 18:20:30 mail postfix/smtpd[28914]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 18:20:33 mail postfix/smtpd[28916]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 18:20:33 mail postfix/smtpd[28914]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 18:20:37 mail postfix/smtpd[28916]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun  5 18:20:37 mail postfix/smtpd[28914]: warning: unknown[93.174.91.105]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

1、安装fail2ban

# Install fail2ban from source on a RHEL/CentOS-style host (SysV init + chkconfig).
# NOTE(review): this clones whatever the default branch points at right now and
# installs it system-wide as root - nothing is pinned to a tag or commit and no
# signature/checksum is checked. For a production MTA, check out a release tag
# (git checkout <tag>) or prefer the distribution package so updates are tracked.
# TODO confirm the installed version afterwards with `fail2ban-client --version`.
[root@mail tmp]# git clone https://github.com/fail2ban/fail2ban.git
[root@mail tmp]# cd fail2ban/
[root@mail fail2ban]# ls
bin        CONTRIBUTING.md  doc            fail2ban-testcases-all          FILTERS      MANIFEST     README.Solaris  setup.py  Vagrantfile
ChangeLog  COPYING          fail2ban       fail2ban-testcases-all-python3  kill-server  MANIFEST.in  RELEASE         THANKS
config     DEVELOP          fail2ban-2to3  files                           man          README.md    setup.cfg       TODO
# setup.py install places the Python package and the default configuration
# (the /etc/fail2ban tree listed in the next step).
[root@mail fail2ban]# ./setup.py install
# The source tree ships a Red Hat SysV init script; install it and enable it at boot.
[root@mail fail2ban]# cp -a files/redhat-initd /etc/init.d/fail2ban
[root@mail fail2ban]# chmod +x /etc/init.d/fail2ban
[root@mail fail2ban]# chkconfig fail2ban on
# Verify: runlevels 2-5 enabled, 0/1/6 disabled.
[root@mail fail2ban]# chkconfig --list fail2ban
fail2ban        0:关闭  1:关闭  2:启用  3:启用  4:启用  5:启用  6:关闭
[root@mail fail2ban]# 

2、主要配置文件及参数

# Layout of the installed configuration tree.
[root@mail fail2ban]# cd /etc/fail2ban/
[root@mail fail2ban]# ls -l
总用量 60
drwxr-xr-x 2 root root  4096 6月   5 22:05 action.d             # actions: how iptables, mail notification etc. are invoked on ban/unban
-rw-r--r-- 1 root root  2328 6月   5 22:02 fail2ban.conf        # settings for the fail2ban daemon itself (its own logging, etc.)
drwxr-xr-x 2 root root  4096 6月   5 22:05 fail2ban.d           
drwxr-xr-x 3 root root  4096 6月   5 22:05 filter.d             # filter definitions (the failregex patterns matched against log lines)
# jail.conf is the shipped default and gets overwritten on reinstall/upgrade:
# put site-specific jails in jail.local or a file under jail.d/, which are read after it.
-rw-r--r-- 1 root root 17826 6月   5 22:02 jail.conf
drwxr-xr-x 2 root root  4096 6月   5 22:05 jail.d               # jail definitions: which log to watch, which filter/action to use, thresholds
-rw-r--r-- 1 root root  1889 6月   5 22:02 paths-common.conf
-rw-r--r-- 1 root root   645 6月   5 22:02 paths-debian.conf
-rw-r--r-- 1 root root   689 6月   5 22:02 paths-fedora.conf
-rw-r--r-- 1 root root  1174 6月   5 22:02 paths-freebsd.conf
-rw-r--r-- 1 root root   290 6月   5 22:02 paths-osx.conf
[root@mail fail2ban]# 

3、配置fail2ban。下面配置了 3 个 jail:postfix、pop3、vsftpd,可按需增减。这些配置应写到 /etc/fail2ban/jail.local(或 jail.d/ 下的文件)里,不要直接改 jail.conf,以免升级时被覆盖。对 postfix、pop3 不熟的话,建议一个个加:先用 fail2ban-regex 拿 /var/log/maillog 验证过滤规则确实能匹配上面那种日志,再启用 jail 并用 fail2ban-client status <jail名> 确认生效,避免误封影响线上邮件收发!

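# fail2ban jails for the mail host. Put this in /etc/fail2ban/jail.local (or a
# file under jail.d/), not in jail.conf, so a reinstall does not overwrite it.
# Each jail watches one log with one filter and bans the source IP via iptables
# once maxretry failures are seen within findtime seconds, for bantime seconds.
# Comments must be on their own line: fail2ban's parser does not strip
# trailing "# ..." from values.
# Before enabling a jail, confirm its filter actually matches the log, e.g.:
#   fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-sasl.conf
# and afterwards check it is live with: fail2ban-client status postfix

[postfix]
enabled  = true
# The "SASL LOGIN authentication failed" lines in the maillog excerpt are what
# the postfix-sasl filter matches. The plain "postfix" filter matches SMTP
# reject lines (NOQUEUE: reject ...), not failed logins, so with it these
# brute-force sources would never be banned.
filter   = postfix-sasl
# Block every port a SASL login can be attempted on. Banning port 25 alone
# leaves submission (587) and smtps (465) open to the same attacker if they
# are enabled; an entry for a port that is not listening costs nothing.
action   = iptables-multiport[name=postfix, port="smtp,submission,smtps", protocol=tcp]
# NOTE(review): 192.168.1.0/16 is an address/mask mismatch - it effectively
# whitelists all of 192.168.0.0/16. Write the LAN prefix explicitly
# (e.g. 192.168.1.0/24) - confirm the intended range before tightening.
ignoreip = 127.0.0.1 192.168.1.0/16
logpath  = /var/log/maillog
# 5 failures within 60 s -> ban for 24 h. The excerpt shows several attempts
# per minute from each source, so this trips on the first burst.
bantime  = 86400
findtime = 60
maxretry = 5

[POP3]
enabled  = true
# courierlogin matches Courier pop3d/imapd "LOGIN FAILED" lines.
# NOTE(review): the post does not say which POP3 daemon is running; if it is
# Dovecot, use "filter = dovecot" instead. Verify with fail2ban-regex against
# /var/log/maillog before enabling.
filter   = courierlogin
# Ban pop3s (995) together with pop3 (110); add imap,imaps if IMAP is served too.
action   = iptables-multiport[name=pop3, port="pop3,pop3s", protocol=tcp]
# Same whitelist as the other jails so LAN clients cannot lock themselves out
# of mail retrieval (the original jail had no ignoreip at all).
ignoreip = 127.0.0.1 192.168.1.0/16
logpath  = /var/log/maillog
# Looser than postfix: 15 failures in 5 min -> 30 min ban.
bantime  = 1800
findtime = 300
maxretry = 15

[vsftpd]
enabled  = true
filter   = vsftpd
# FTP logins happen on the control channel only, so port 21 is sufficient.
action   = iptables[name=vsftpd, port=21, protocol=tcp]
ignoreip = 127.0.0.1 192.168.1.0/16
# NOTE(review): vsftpd only writes this file when vsftpd_log_file points at it
# (or dual_log_enable=YES); if it logs through syslog/PAM instead, point
# logpath at the syslog file that carries the failures - confirm on the host.
logpath  = /var/log/vsftpd.log
# findtime is not set here, so the [DEFAULT] value from jail.conf applies.
maxretry = 5
bantime  = 1800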
  • 本文由 发表于 2015年6月5日22:23:11
  • 除非特殊声明,本站文章均为原创,转载请务必保留本文链接