Possible SMTP attack and blacklisting on Postfix

Time: 2017-03-22 14:26:56

Tags: email ubuntu smtp plesk postfix

I have Plesk 12.5.30 on my server and it keeps getting blacklisted by the Symantec Mail Security reputation service. The IP is new (I bought the server on 17.02.2017).

Also, my IP has been blacklisted on BACKSCATTERER.

Looking at the Postfix log I have many entries like

    Mar 22 14:51:43 server postfix/smtpd[14204]: connect from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
    Mar 22 14:51:45 server postfix/smtpd[14204]: lost connection after EHLO from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
    Mar 22 14:51:45 server postfix/smtpd[14204]: disconnect from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
    Mar 22 14:51:50 server postfix/smtpd[14204]: connect from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
    Mar 22 14:51:51 server postfix/smtpd[14204]: lost connection after EHLO from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
    Mar 22 14:51:51 server postfix/smtpd[14204]: disconnect from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
    Mar 22 14:52:19 server postfix/smtpd[14204]: connect from mail.dedeckeraccountants.be[91.183.46.186]
    Mar 22 14:52:19 server postfix/smtpd[14204]: disconnect from mail.dedeckeraccountants.be[91.183.46.186]

I have

  1. Changed the SMTP port to a non-standard one (9456)
  2. Installed the firewall and fail2ban on Plesk and set them up as in the image
  3. Set the Plesk mail settings as in the image
  4. Installed SpamAssassin
  5. I also noticed that some days ago I had these lines in the log

    Mar 19 06:47:00 server postfix/smtp[13517]: CCC1C510023D: to=<229e7dc3183452c7d3290d1ba28f073e@www.lablue.de>, relay=none, delay=235637, delays=235636/0.05/0.09/0, dsn=4.4.1, status=deferred (connect to www.lablue.de[217.22.195.26]:25: Connection refused)
    Mar 19 06:47:00 server postfix/smtp[13503]: 7EDD55100138: to=<Weber226@brockel.kirche-rotenburg.de>, relay=kirche-rotenburg-verden.de[136.243.213.122]:25, delay=239980, delays=239979/0.01/0.35/0.1, dsn=4.0.0, status=deferred (host kirche-rotenburg-verden.de[136.243.213.122] said: 451 Temporary local problem - please try later (in reply to RCPT TO command))
    Mar 19 06:47:00 server postfix/smtp[13504]: 97B055100233: to=<office@angerlehner.at>, relay=none, delay=222922, delays=222922/0.01/0.64/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=angerlehner.at type=MX: Host not found, try again)
    Mar 19 06:47:00 server postfix/smtp[13509]: 1E15F510019B: host mx1.leventboru.com.tr[89.19.1.69] said: 450 4.7.1 Recipient address rejected: Requested action not taken: mailbox unavailable or not local (in reply to RCPT TO command)
    

I noticed in the Plesk settings that there was a very long mail queue (I have already deleted all the mails in the queue).

Any suggestions to stop this attack??

Thanks in advance

EDIT: I want to share my plesk-postfix settings

    [plesk-postfix]
    enabled = true
    filter = postfix-sasl
    action = iptables-multiport[name="plesk-postfix", port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
    logpath = /var/log/maillog
    maxretry = 2
    

Can I improve anything here?

1 answer:

Answer 0: (score: 0)

You could consider using a Fail2Ban filter with the following regex expression:

    failregex = ^%(__prefix_line)slost connection after (AUTH|UNKNOWN|EHLO) from [^\[]*\[<HOST>\]\s*$

If you need further Fail2Ban regex expressions, pls. consider adding the corresponding log file entries, because some general standard entries might not fit your needs and/or the qmail / postfix / imap-courier / dovecot version installed on your server. ;-)

EDIT: To be more precise, I am now adding the complete suggestion, incl. the regex @MattiaDiGiuseppe has already used in his comment - its format is just fine.

    [Definition]

    _daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]

    failregex = ^%(__prefix_line)swarning: (.*?)does not resolve to address <HOST>: Name or service not known$
            ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .* Relay access denied.*$
            ^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: lost connection$
            ^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: -1$
            ^%(__prefix_line)slost connection after (AUTH|UNKNOWN|EHLO) from [^\[]*\[<HOST>\]\s*$

    ignoreregex = authentication failed: Connection lost to authentication server$

Pls. consider reviewing all the standard filters (for Fail2Ban 0.10 and older) at:

=> https://github.com/fail2ban/fail2ban/tree/0.10/config/filter.d

If you want to see the standards for older versions, just click the "Branch: 0.10" dropdown button, pls.
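As an added check that is not part of the question or the answer: the Python below expands three of the answer's failregex lines the way fail2ban does (`<HOST>` and `%(__prefix_line)s`), runs them over the question's own smtpd lines plus two constructed ones, and reports which hosts would reach the `maxretry = 2` of the asker's plesk-postfix jail. The `PREFIX_LINE`/`TIMESTAMP` handling is a simplified stand-in for fail2ban's real prefix and date logic, and the host `unknown[203.0.113.7]` is constructed.

```python
import re
from collections import Counter

# Constructed sample: the "lost connection"/"disconnect" lines quoted in the
# question plus two constructed lines (an AUTH abort and a SASL failure).
SAMPLE_LOG = """\
Mar 22 14:51:45 server postfix/smtpd[14204]: lost connection after EHLO from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
Mar 22 14:51:51 server postfix/smtpd[14204]: lost connection after EHLO from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
Mar 22 14:52:05 server postfix/smtpd[14204]: lost connection after AUTH from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
Mar 22 14:52:19 server postfix/smtpd[14204]: disconnect from mail.dedeckeraccountants.be[91.183.46.186]
Mar 22 14:52:40 server postfix/smtpd[14210]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# Assumption: simplified stand-in for fail2ban's __prefix_line. The syslog
# timestamp is stripped first, then "host daemon[pid]: " must match (_daemon as in the answer).
DAEMON = r"postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]"
PREFIX_LINE = r"\S+\s+" + DAEMON + r"(?:\[\d+\])?:\s+"
TIMESTAMP = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+")
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"  # fail2ban's <HOST> expansion

FAILREGEX = [
    r"^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$",
    r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .* Relay access denied.*$",
    r"^%(__prefix_line)slost connection after (AUTH|UNKNOWN|EHLO) from [^\[]*\[<HOST>\]\s*$",
]

def compile_failregex(pattern):
    """Expand the fail2ban placeholders into a plain Python regex."""
    pattern = pattern.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
    # Python 3.11+ rejects a global (?i) mid-pattern; the scoped form behaves the same here.
    return re.compile(pattern.replace("((?i)", "(?i:"))

COMPILED = [compile_failregex(p) for p in FAILREGEX]

def matched_hosts(log_text):
    """Count, per <HOST>, the log lines that any failregex matches."""
    hits = Counter()
    for line in log_text.splitlines():
        line = TIMESTAMP.sub("", line)
        for rx in COMPILED:
            m = rx.match(line)
            if m:
                hits[m.group("host")] += 1
                break
    return hits

def would_ban(log_text, maxretry=2):
    """Hosts reaching maxretry (2 in the question's plesk-postfix jail), sorted."""
    return sorted(h for h, n in matched_hosts(log_text).items() if n >= maxretry)
```

With the sample above only 76.72.128.128 reaches two hits; the plain "disconnect from" line never matches, which is the intended behaviour of the filter.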