Looking at the postfix log today, I found it full of NOQUEUE: reject: RCPT from unknown[183.60.103.208]: 504 5.5.2, with the source IP changing constantly and at a high rate: around 2000 connections a minute. Postfix was already rejecting the requests, but that still wastes server resources, so I decided to nip it in the bud and remembered fail2ban.
First install it with yum (the EPEL repository is needed):
yum install fail2ban -y
cd /etc/fail2ban
vi jail.conf
#[postfix-tcpwrapper]
[POSTFIX]
enabled = true
port = smtp
filter = postfix
# log file to watch
logpath = /var/log/zimbra.log
# call iptables to drop the offending IP
action = iptables[name=Postfix, port=25, protocol=tcp]
# addresses to ignore, i.e. trusted addresses
ignoreip = 127.0.0.1 192.168.2.0/16
# how long the ban lasts (seconds)
bantime = 86400
# window in which failures are counted (seconds)
findtime = 60
# maximum number of failures before a ban
maxretry = 5
vi filter.d/postfix.conf
failregex = warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:
            reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.5.2
            reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2
These are the filter rules: the first four lines are there by default, I added the last two.
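To see how these failregex lines and the jail's findtime/maxretry window interact before pointing fail2ban at the live log, here is an added Python replay of the filter and the ban logic (example code, not part of the original post or of fail2ban itself); the log lines, the IPs and the IPv4-only <HOST> substitution are constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# The page's failregex patterns; <HOST> is substituted the way fail2ban does it (IPv4 only here).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in (
    r"warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:",
    r"reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 554 5.5.2",
    r"reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2",
)]

# Constructed syslog-style lines in the shape Postfix writes to /var/log/zimbra.log.
def smtpd_line(ts, msg):
    return f"Mar 13 {ts} mail postfix/smtpd[2231]: {msg}"

# Sample log: a fast scanner, a slow scanner, and a LAN host covered by ignoreip.
SAMPLE_LOG = "\n".join(
    [smtpd_line(f"10:00:{s:02d}", "NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 504 5.5.2 <x>: Helo command rejected")
     for s in (1, 4, 9, 12, 15)]
    + [smtpd_line(f"10:{m:02d}:00", "NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 550 5.1.1 <x>: Recipient address rejected")
       for m in (1, 3, 5, 7, 9)]
    + [smtpd_line(f"10:09:{s:02d}", "warning: pc5[192.168.2.5]: SASL LOGIN authentication failed: authentication failure")
       for s in range(1, 7)])

def match_host(line):
    """Return the <HOST> captured by the first failregex that matches the line, else None."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return m.group("host")

def find_bans(log_text, findtime=60, maxretry=5, ignoreip=("127.0.0.1", "192.168.2.0/16")):
    """Replay the jail: ban a host once maxretry matches fall inside a findtime-second window."""
    # strict=False accepts the page's 192.168.2.0/16 and treats it as 192.168.0.0/16.
    ignored = [ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(deque)  # host -> timestamps of matches still inside the window
    banned = []
    for line in log_text.splitlines():
        host = match_host(line)
        if host is None or any(ip_address(host) in net for net in ignored):
            continue
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned
```

fail2ban ships fail2ban-regex, which runs the real filter against the real log (fail2ban-regex /var/log/zimbra.log filter.d/postfix.conf) and is the check to run after editing failregex.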
Then start the service: service fail2ban start
Check the status:
fail2ban-client status POSTFIX
Status for the jail: POSTFIX
|- filter
| |- File list: /var/log/zimbra.log
| |- Currently failed: 0
| `- Total failed: 8
`- action
|- Currently banned: 1
| `- IP list: 120.197.131.6
`- Total banned: 1
An IP address has already been banned:
iptables -L
Chain fail2ban-Postfix (1 references)
target prot opt source destination
DROP all -- 120.197.131.6 anywhere
RETURN all -- anywhere anywhere