Lately I have been seeing more and more unauthorized access attempts (SMTP authentication) against a mail server built with postfix + sasl.
Looking at the logs is entertaining in its own way (^^
Aug 1 04:55:13 host01 saslauthd[4590]: do_auth: auth failure: [user=info] [service=smtp]
Aug 1 05:27:56 host01 saslauthd[4589]: do_auth: auth failure: [user=scanner] [service=smtp]
Aug 1 05:40:03 host01 saslauthd[4592]: do_auth: auth failure: [user=test] [service=smtp]
Aug 1 05:48:53 host01 saslauthd[4589]: do_auth: auth failure: [user=webmaster] [service=smtp]
Aug 1 06:25:02 host01 saslauthd[4592]: do_auth: auth failure: [user=info] [service=smtp]
Aug 1 07:30:23 host01 saslauthd[4588]: do_auth: auth failure: [user=james] [service=smtp]
Aug 1 08:14:20 host01 saslauthd[4589]: do_auth: auth failure: [user=john] [service=smtp]
Aug 1 08:58:33 host01 saslauthd[4592]: do_auth: auth failure: [user=robert] [service=smtp]
Aug 1 09:43:00 host01 saslauthd[4591]: do_auth: auth failure: [user=michael] [service=smtp]
Aug 1 10:27:55 host01 saslauthd[4590]: do_auth: auth failure: [user=william] [service=smtp]
Aug 1 11:13:06 host01 saslauthd[4592]: do_auth: auth failure: [user=david] [service=smtp]
Aug 1 11:58:40 host01 saslauthd[4592]: do_auth: auth failure: [user=richard] [service=smtp]
Aug 1 12:44:28 host01 saslauthd[4588]: do_auth: auth failure: [user=joseph] [service=smtp]
Aug 1 13:30:28 host01 saslauthd[4589]: do_auth: auth failure: [user=charles] [service=smtp]
They were so persistent that I took countermeasures with fail2ban.
Install the Fail2ban on CentOS 5
https://www.rootlinks.net/2013/08/14/install-the-fail2ban-on-centos-5/
- Append to /etc/fail2ban/jail.conf
- Edit /etc/fail2ban/filter.d/postfix-sasl.conf
- Restart fail2ban
[postfix-sasl]
enabled  = true
filter   = postfix-sasl
action   = iptables[name=postfix-sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=postfix-sasl, dest=admin, sender=fail2ban]
logpath  = /var/log/maillog
maxretry = 3
bantime  = 86400
I had planned to write the filter from scratch, but a template already existed.
However, using it as-is produced an error on startup, so I corrected it.
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
I added “ignoreregex =”.
# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix/smtpd

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

ignoreregex =

# Author: Yaroslav Halchenko
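As an added example (not code from the post), the following Python check applies the post's failregex to constructed maillog lines together with the jail's maxretry = 3, so you can see which lines count toward a ban; the saslauthd `do_auth: auth failure` lines at the top of the post do not match, because the filter keys on the `postfix/smtpd ... SASL ... authentication failed` warning that Postfix itself logs for a failed SASL attempt. It assumes a plain syslog prefix in place of fail2ban's `%(__prefix_line)s`, expands `<HOST>` the way fail2ban does, and uses constructed sample lines and IPs.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's %(__prefix_line)s (assumption: syslog
# "Mon DD HH:MM:SS host daemon[pid]: " layout, no kernel/vserver variants).
PREFIX_LINE = r"\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "
# fail2ban expands <HOST> to this named group before compiling failregex.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex from the post's /etc/fail2ban/filter.d/postfix-sasl.conf, with
# the two fail2ban substitutions applied.
FAILREGEX = re.compile(
    r"^" + PREFIX_LINE
    + r"warning: [-._\w]+\[" + HOST + r"\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(: [ A-Za-z0-9+/]*={0,2})?\s*$"
)

def match_host(line):
    """Return the client IP the failregex extracts from a line, or None."""
    m = FAILREGEX.search(line)
    return m.group("host") if m else None

def hosts_to_ban(lines, maxretry=3):
    """Count failregex hits per host and return hosts at or above maxretry
    (the jail's maxretry = 3 from the post; the findtime window is ignored)."""
    hits = Counter(h for h in map(match_host, lines) if h)
    return sorted(h for h, n in hits.items() if n >= maxretry)

# Constructed sample maillog lines (not taken from the post's server).
SAMPLE_LOG = """\
Aug  1 04:55:13 host01 saslauthd[4590]: do_auth: auth failure: [user=info] [service=smtp]
Aug  1 04:55:13 host01 postfix/smtpd[5120]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: authentication failure
Aug  1 04:55:20 host01 postfix/smtpd[5120]: warning: unknown[203.0.113.45]: SASL PLAIN authentication failed: authentication failure
Aug  1 04:55:27 host01 postfix/smtpd[5120]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Aug  1 05:10:01 host01 postfix/smtpd[5133]: warning: mail.example.net[198.51.100.7]: SASL CRAM-MD5 authentication failed: authentication failure
Aug  1 05:12:40 host01 postfix/smtpd[5133]: warning: unknown[198.51.100.7]: SASL DIGEST-MD5 authentication failed: authentication failure
""".splitlines()

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_host(line) or "(no match)", "<-", line[:60])
    print("ban:", hosts_to_ban(SAMPLE_LOG))  # ban: ['203.0.113.45']
```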
[root@host01 ~]# /etc/init.d/fail2ban restart
Perhaps to help me confirm it was working, it caught one right away and an email arrived.
sendmail-whois looks up the banned IP with whois and sends the result by email.
Hi,

The IP 80.82.65.237 has just been banned by Fail2Ban after
1 attempts against postfix-sasl.

Here is more information about 80.82.65.237:

[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
(snip)