
Using fail2ban to block malicious IPs hitting postfix

Date: 2014-08-31 02:28  Source: linux.it.net.cn  Author: it

Looking at the postfix log today I found it full of NOQUEUE: reject: RCPT from unknown[183.60.103.208]: 504 5.5.2, with the source IP changing constantly and at a high rate: around 2000 connections a minute. Postfix was already rejecting these requests, but handling them still wastes server resources, so I decided to nip it in the bud and remembered fail2ban.

    First, install it with yum (the package is in the EPEL repository):

    yum install fail2ban -y
    cd /etc/fail2ban

    Then add a jail for postfix to jail.conf. Comments are kept on their own lines, because a trailing "#" comment on a value line is not reliably stripped and can end up as part of the value:

    vi jail.conf
    #[postfix-tcpwrapper]
    [POSTFIX]
    enabled  = true
    port     = smtp
    filter   = postfix
    # log file to watch (postfix writes to zimbra.log on this Zimbra host)
    logpath  = /var/log/zimbra.log
    # call the iptables action to drop the offending IP on port 25
    action   = iptables[name=Postfix, port=25, protocol=tcp]
    # addresses that are never banned (trusted hosts). Note that a /16 mask
    # covers all of 192.168.0.0/16, not just 192.168.2.x; use /24 if that is what is meant
    ignoreip = 127.0.0.1 192.168.2.0/16
    # how long a ban lasts (seconds)
    bantime  = 86400
    # window (seconds) within which maxretry failures trigger a ban
    findtime = 60
    # maximum number of failures allowed inside findtime
    maxretry = 5

    Next, the filter rules. These go under the [Definition] section of filter.d/postfix.conf as the failregex entry; continuation lines must be indented, (.*) must use an ASCII dot, and the dots in the status codes are escaped so that, for example, 5\.5\.2 matches only that literal code:

    vi filter.d/postfix.conf
    failregex = warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:
                reject: RCPT from (.*)\[<HOST>\]: 550 5\.1\.1
                reject: RCPT from (.*)\[<HOST>\]: 450 4\.7\.1
                reject: RCPT from (.*)\[<HOST>\]: 554 5\.7\.1
                reject: RCPT from (.*)\[<HOST>\]: 554 5\.5\.2
                reject: RCPT from (.*)\[<HOST>\]: 504 5\.5\.2

    The first four lines are there by default; I added the last two (554 5.5.2 and 504 5.5.2) to cover the rejects seen in the log.

    Then start the service:

    service fail2ban start
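Before pointing the jail at a live log it is worth confirming that the filter matches the lines you care about and that the findtime/maxretry/ignoreip settings produce the bans you expect. The following is an added Python example, not code from the original article and not part of fail2ban: it replays constructed zimbra.log-style lines through the same failregex list and the jail's counting logic and reports which IPs would be banned. The `<HOST>` stand-in is a simplified IPv4-only group (fail2ban's own also matches hostnames), the syslog year is assumed to be 2014 since syslog lines carry none, and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Jail parameters, copied from the [POSTFIX] jail above.
FINDTIME = 60   # seconds in which maxretry failures must occur
MAXRETRY = 5    # failures inside findtime that trigger a ban
# ignoreip as written in the jail; strict=False shows what a /16 mask really covers (192.168.0.0/16)
IGNOREIP = [ip_network("127.0.0.1"), ip_network("192.168.2.0/16", strict=False)]

# The failregex lines from filter.d/postfix.conf. fail2ban substitutes its own
# <HOST> group (which also matches hostnames); this stand-in is IPv4-only.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [
    r"warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:",
    r"reject: RCPT from (.*)\[<HOST>\]: 550 5\.1\.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 450 4\.7\.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 554 5\.7\.1",
    r"reject: RCPT from (.*)\[<HOST>\]: 554 5\.5\.2",
    r"reject: RCPT from (.*)\[<HOST>\]: 504 5\.5\.2",
]
PATTERNS = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# syslog prefix "Aug 31 02:10:01 host prog[pid]: ..."; syslog carries no year, 2014 is assumed
SYSLOG_TS = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) ")
YEAR = 2014


def parse_failure(line):
    """Return (epoch seconds, ip) if the line matches one of the failregex entries, else None."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S").timestamp()
    for pat in PATTERNS:
        hit = pat.search(line)
        if hit:
            return ts, hit.group("host")
    return None


def is_ignored(ip):
    """True if the address falls inside an ignoreip entry."""
    addr = ip_address(ip)
    return any(addr in net for net in IGNOREIP)


def simulate_bans(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Replay log lines through the jail's counting logic; return IPs that would be banned, in order."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the findtime window
    banned = []
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, ip = hit
        if ip in banned or is_ignored(ip):
            continue
        q = recent[ip]
        q.append(ts)
        while q and q[0] < ts - findtime:   # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.append(ip)
    return banned


# Constructed sample lines in the format postfix/smtpd writes to zimbra.log.
def _reject(t, name, ip):
    return (f"Aug 31 {t} mail postfix/smtpd[2345]: NOQUEUE: reject: RCPT from {name}[{ip}]: "
            f"504 5.5.2 <mx>: Helo command rejected: need fully-qualified hostname; "
            f"from=<a@b.example> to=<user@example.org> proto=ESMTP helo=<mx>")


def _sasl(t, name, ip):
    return f"Aug 31 {t} mail postfix/smtpd[2346]: warning: {name}[{ip}]: SASL LOGIN authentication failed: authentication failure"


SAMPLE_LOG = (
    # 5 rejects in 32 s: banned
    [_reject(t, "unknown", "183.60.103.208") for t in ("02:10:01", "02:10:05", "02:10:12", "02:10:20", "02:10:33")]
    # 3 SASL failures now and 2 more 14 minutes later: never 5 inside 60 s
    + [_sasl(t, "unknown", "120.197.131.6") for t in ("02:11:00", "02:11:10", "02:11:20")]
    # trusted addresses: matched by the filter but never banned
    + [_reject(t, "localhost", "127.0.0.1") for t in ("02:12:00", "02:12:01", "02:12:02", "02:12:03", "02:12:04")]
    + [_reject(t, "pc15.lan", "192.168.2.15") for t in ("02:13:00", "02:13:01", "02:13:02", "02:13:03", "02:13:04")]
    # an ordinary line that matches no failregex
    + ["Aug 31 02:14:00 mail postfix/smtpd[2347]: connect from unknown[120.197.131.6]"]
    + [_sasl(t, "unknown", "120.197.131.6") for t in ("02:25:00", "02:25:05")]
    # 6 rejects in 30 s: banned once at the 5th, the 6th is not counted again
    + [_reject(t, "unknown", "10.0.0.9") for t in ("02:30:00", "02:30:05", "02:30:10", "02:30:15", "02:30:20", "02:30:30")]
)

if __name__ == "__main__":
    print("would ban:", simulate_bans(SAMPLE_LOG))   # ['183.60.103.208', '10.0.0.9']
```

On the server itself the equivalent check is `fail2ban-regex /var/log/zimbra.log /etc/fail2ban/filter.d/postfix.conf`, which runs the real filter, with fail2ban's own `<HOST>` definition, over the actual log and reports how many lines matched and which hosts were extracted. Running it before restarting the jail catches a regex that matches nothing (or, worse, matches your own relays) without locking anyone out.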

    Check the jail status:

    fail2ban-client status POSTFIX
    Status for the jail: POSTFIX
    |- filter
    |  |- File list:        /var/log/zimbra.log
    |  |- Currently failed: 0
    |  `- Total failed:     8
    `- action
       |- Currently banned: 1
       |  `- IP list:       120.197.131.6
       `- Total banned:     1

    An IP address has already been banned. The corresponding DROP rule shows up in the fail2ban-Postfix chain:

    iptables -L
    Chain fail2ban-Postfix (1 references)
    target     prot opt source               destination
    DROP       all  --  120.197.131.6        anywhere
    RETURN     all  --  anywhere             anywhere

(Editor: IT)