查看邮件服务器上的日志,我注意到如下消息:
Nov 29 12:09:38 mta postfix/smtpd[8362]: connect from unknown[183.13.165.14]
Nov 29 12:09:39 mta postfix/smtpd[8362]: lost connection after AUTH from unknown[183.13.165.14]
Nov 29 12:09:39 mta postfix/smtpd[8362]: disconnect from unknown[183.13.165.14]
Nov 29 12:09:39 mta postfix/smtpd[8409]: connect from unknown[183.13.165.14]
Nov 29 12:09:40 mta postfix/smtpd[8409]: lost connection after AUTH from unknown[183.13.165.14]
Nov 29 12:09:40 mta postfix/smtpd[8409]: disconnect from unknown[183.13.165.14]
在这些情况下没有 SASL 故障。其他时间会记录 SASL 失败,但从未记录过lost connection after AUTH.
这里发生了什么,我应该做些什么?
这些不是 MX,并且已经smtpd_client_connection_rate_limit设置。
可能相关:
在宣布 AUTH 之前,系统需要 SMTPS 或 STARTTLS。
小智 21
我的日志文件被填满了,即使允许来自这些混蛋的连接也浪费了 CPU。我创建了一个fail2ban规则。
Jul 11 02:35:08 mail postfix/smtpd[16299]: lost connection after AUTH from unknown[196.12.178.73]
的内容 /etc/fail2ban/jail.conf
[postfix]
# Ban for 10 minutes if it fails 6 times within 10 minutes
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 6
bantime = 600
findtime = 600
的内容 /etc/fail2ban/filter.d/postfix.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision$
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
# Jul 11 02:35:08 mail postfix/smtpd[16299]: lost connection after AUTH from unknown[196.12.178.73]
failregex = lost connection after AUTH from unknown\[<HOST>\]
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
这是一个来自中国的僵尸网络,它连接到您的盒子,试图发送垃圾邮件。但是当被告知要对自己进行身份验证时,机器人太愚蠢了,不知道该怎么做。机器人只是停止发送邮件,然后断开连接以攻击下一个受害者。
绝对没有什么可担心的。
小智 5
就这样smtpd_recipient_restrictions设置:reject_unknown_client_hostname
smtpd_recipient_restrictions = reject_unknown_client_hostname
这将导致拒绝客户端以及主机名未知的流浪或愚蠢的僵尸机器人。设置后,您的日志将如下所示:
postfix/smtpd[11111]: NOQUEUE: reject: RCPT from unknown[183.13.165.14]: 450 4.7.1 Client host rejected: cannot find your hostname, [183.13.165.14]
| 归档时间: |
|
| 查看次数: |
26802 次 |
| 最近记录: |