阻止對 exim2 的暴力攻擊

Question

這是一個寫得不好看的分散式機器人。據我所知，這些主機正在嘗試透過未加密的連線進行身份驗證。如果您需要安全連線來進行身份驗證，它們甚至會失敗。但是，您似乎允許對未加密的連線進行身份驗證。

預設fail2ban會錯過此條件，但會在 10 分鐘內嘗試 3 次後阻止。您可以建立一個jail.local檔案來調整被禁止所需的失敗次數fail2ban或增加禁止時間。 fail2ban-client還允許您在伺服器運行時調整配置。您可能需要建立一個exim.local文件來filter.d匹配正在產生的行。我已將我的內容包含在內exim.local。您可以用來fail2ban-regex測試正規表示式（您需要替換正規表示式中的 python 包含）。

[Definition]

host_info = H=([\w.-]+ )?(\(\S+\) )?\[<HOST>\](:\d+)? ?(I=\[\S+\]:\d+ )?(U=\S+ )?(P=e?smtp )?

failregex = ^%(pid)s %(host_info)s [^:]+: Sender host address is listed in zen.spamhaus.org
        ^%(pid)s %(host_info)s sender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
        ^%(pid)s (plain|login) authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
        ^%(pid)s %(host_info)s F=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
        ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
        ^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
        \[<HOST>\]: 535 Incorrect authentication data
        ^%(pid)s %(host_info)s Warning: smtp used a hostname$
        ^%(pid)s no MAIL in SMTP connection from (\([^)]+\) )?\[<HOST>\] D=\d+(m\d+)?s( C=.*)?$
        ^%(pid)s SMTP protocol synchronization error \(input sent without waiting for greeting\): rejected connection from %(host_info)s

ignoreregex =

Answer 1

這是一個寫得不好看的分散式機器人。據我所知，這些主機正在嘗試透過未加密的連線進行身份驗證。如果您需要安全連線來進行身份驗證，它們甚至會失敗。但是，您似乎允許對未加密的連線進行身份驗證。

預設fail2ban會錯過此條件，但會在 10 分鐘內嘗試 3 次後阻止。您可以建立一個jail.local檔案來調整被禁止所需的失敗次數fail2ban或增加禁止時間。 fail2ban-client還允許您在伺服器運行時調整配置。您可能需要建立一個exim.local文件來filter.d匹配正在產生的行。我已將我的內容包含在內exim.local。您可以用來fail2ban-regex測試正規表示式（您需要替換正規表示式中的 python 包含）。

[Definition]

host_info = H=([\w.-]+ )?(\(\S+\) )?\[<HOST>\](:\d+)? ?(I=\[\S+\]:\d+ )?(U=\S+ )?(P=e?smtp )?

failregex = ^%(pid)s %(host_info)s [^:]+: Sender host address is listed in zen.spamhaus.org
        ^%(pid)s %(host_info)s sender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
        ^%(pid)s (plain|login) authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
        ^%(pid)s %(host_info)s F=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
        ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
        ^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
        \[<HOST>\]: 535 Incorrect authentication data
        ^%(pid)s %(host_info)s Warning: smtp used a hostname$
        ^%(pid)s no MAIL in SMTP connection from (\([^)]+\) )?\[<HOST>\] D=\d+(m\d+)?s( C=.*)?$
        ^%(pid)s SMTP protocol synchronization error \(input sent without waiting for greeting\): rejected connection from %(host_info)s

ignoreregex =

阻止對 exim2 的暴力攻擊

答案1

相關內容