如何在Linux/unix上 ban spammer?

好多時review syslog 及 mail.log 都會見到好多spammer, spammer最common既observations就係做brute force attack. 當然正常情況下用strong password policy唔係咁容易比spammer誤入,但更好既方法就係做prevention control.

Dec 10 13:53:12 delta dovecot: auth-worker(9742): pam(sir@xxx.org,87.246.7.34): pam_authenticate() failed: Authentication failure (password mismatch?)
Dec 10 13:53:14 delta postfix/smtps/smtpd[8101]: warning: unknown[87.246.7.34]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 10 13:53:16 delta postfix/smtps/smtpd[8101]: lost connection after AUTH from unknown[87.246.7.34]
Dec 10 13:53:16 delta postfix/smtps/smtpd[8101]: disconnect from unknown[87.246.7.34] ehlo=1 auth=0/1 rset=1 commands=2/3
Dec 10 13:53:52 delta postfix/smtps/smtpd[8101]: warning: hostname net6-ip34.linkbg.com does not resolve to address 87.246.7.34
Dec 10 13:53:52 delta postfix/smtps/smtpd[8101]: connect from unknown[87.246.7.34]
Dec 10 13:53:56 delta postfix/smtps/smtpd[8101]: Anonymous TLS connection established from unknown[87.246.7.34]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 10 13:54:05 delta dovecot: auth-worker(9742): pam(sistemas@xxx.org,87.246.7.34): pam_authenticate() failed: Authentication failure (password mismatch?)
Dec 10 13:54:07 delta postfix/smtps/smtpd[8101]: warning: unknown[87.246.7.34]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 10 13:54:08 delta postfix/smtps/smtpd[8101]: lost connection after AUTH from unknown[87.246.7.34]
Dec 10 13:54:08 delta postfix/smtps/smtpd[8101]: disconnect from unknown[87.246.7.34] ehlo=1 auth=0/1 rset=1 commands=2/3
Dec 10 13:54:49 delta postfix/smtps/smtpd[8101]: warning: hostname net6-ip34.linkbg.com does not resolve to address 87.246.7.34
Dec 10 13:54:49 delta postfix/smtps/smtpd[8101]: connect from unknown[87.246.7.34]
Dec 10 13:54:56 delta postfix/smtps/smtpd[8101]: Anonymous TLS connection established from unknown[87.246.7.34]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 10 13:55:07 delta dovecot: auth-worker(9841): pam(six@xxx.org,87.246.7.34): pam_authenticate() failed: Authentication failure (password mismatch?)
Dec 10 13:55:09 delta postfix/smtps/smtpd[8101]: warning: unknown[87.246.7.34]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 10 13:55:11 delta postfix/smtps/smtpd[8101]: lost connection after AUTH from unknown[87.246.7.34]
Dec 10 13:55:11 delta postfix/smtps/smtpd[8101]: disconnect from unknown[87.246.7.34] ehlo=1 auth=0/1 rset=1 commands=2/3
Dec 10 13:55:47 delta postfix/smtps/smtpd[8101]: warning: hostname net6-ip34.linkbg.com does not resolve to address 87.246.7.34
Dec 10 13:55:47 delta postfix/smtps/smtpd[8101]: connect from unknown[87.246.7.34]
Dec 10 13:55:51 delta postfix/smtps/smtpd[8101]: Anonymous TLS connection established from unknown[87.246.7.34]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)


今次既教學係用 fail2ban 呢個utility去做filter及 ban IP address. 要用呢個utility 就先要install呢個package. command 如下

apt install fail2ban

完成install package後其實已經提供基上保障, 但out-of-box既configuration當然係做些少改善比較好啦. 其中一個例子就好似上面 postfix/smtp 不停 retry及brute force. out-of-box 既 configuration 暫時未有對應既jail rule/policy, 所以您就要跟住我做啦.

step 1 – 修改 /etc/fail2ban/, 在最後郭份加入

[postfix-auth]
enabled     = true
filter      = postfix-auth
action      = iptables-multiport[name=postfix,port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath     = /var/log/mail.log

step 1.1 – 增加敏感度 (optional)

maxretry     = 3

step 2 – 增加jail file /etc/fail2ban/filter.d/postfix-auth.conf

[Definition]
failregex = lost connection after AUTH from (.*)\[\]
ignoreregex =

step 3 – restart fail2ban

service fail2ban restart

睇成果既 command – tail/var/log/fail2ban.log

2019-12-10 14:18:57,014 fail2ban.actions        [9427]: NOTICE  [postfix-auth] Ban 87.246.7.34
2019-12-10 14:19:01,717 fail2ban.actions        [9427]: NOTICE  [sshd] Unban 106.12.21.193
2019-12-10 14:19:05,461 fail2ban.filter         [9427]: INFO    [sshd] Found 118.24.19.178
2019-12-10 14:19:05,495 fail2ban.filter         [9427]: INFO    [sshd] Found 118.24.19.178
2019-12-10 14:19:07,554 fail2ban.filter         [9427]: INFO    [sshd] Found 118.24.19.178
2019-12-10 14:19:30,989 fail2ban.actions        [9427]: NOTICE  [sshd] Unban 51.83.42.138
2019-12-10 14:19:34,048 fail2ban.filter         [9427]: INFO    [sshd] Found 180.168.76.222
2019-12-10 14:19:34,063 fail2ban.filter         [9427]: INFO    [sshd] Found 180.168.76.222
2019-12-10 14:19:36,101 fail2ban.filter         [9427]: INFO    [sshd] Found 180.168.76.222
2019-12-10 14:19:36,288 fail2ban.actions        [9427]: NOTICE  [sshd] Unban 49.88.112.60

Leave a Reply