Server log: continuously being spammed with SMTP sessions

1

My server is continuously being bombarded with these SMTP sessions. I checked via SSH:

tail -f /usr/local/psa/var/log/maillog

and I keep getting these continuously:

Apr 12 16:48:21 891326-db2 postfix/smtpd[46245]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: encryption needed to use mechanism
Apr 12 16:48:21 891326-db2 postfix/smtpd[47413]: connect from unknown[000.000.000.000]
Apr 12 16:48:21 891326-db2 postfix/smtpd[46245]: lost connection after AUTH from unknown[xxx.xxx.xxx.xxx]
Apr 12 16:48:21 891326-db2 postfix/smtpd[46245]: disconnect from unknown[xxx.xxx.xxx.xxx]
Apr 12 16:48:21 891326-db2 postfix/smtpd[47413]: warning: unknown[000.000.000.000]: SASL LOGIN authentication failed: encryption needed to use mechanism
Apr 12 16:48:21 891326-db2 postfix/smtpd[47413]: lost connection after AUTH from unknown[000.000.000.000]
Apr 12 16:48:21 891326-db2 postfix/smtpd[47413]: disconnect from unknown[000.000.000.000]
Apr 12 16:48:21 891326-db2 postfix/smtpd[46245]: connect from unknown[xxx.xxx.xxx.xxx]
Apr 12 16:48:21 891326-db2 postfix/smtpd[46245]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: encryption needed to use mechanism
Apr 12 16:48:21 891326-db2 postfix/smtpd[46245]: lost connection after AUTH from unknown[xxx.xxx.xxx.xxx]
Apr 12 16:48:21 891326-db2 postfix/smtpd[46245]: disconnect from unknown[xxx.xxx.xxx.xxx]
Apr 12 16:48:21 891326-db2 postfix/smtpd[47413]: connect from unknown[xxx.xxx.xxx.xxx]
Apr 12 16:48:21 891326-db2 postfix/smtpd[47413]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: encryption needed to use mechanism
Apr 12 16:48:21 891326-db2 postfix/smtpd[47413]: lost connection after AUTH from unknown[xxx.xxx.xxx.xxx]
Apr 12 16:48:21 891326-db2 postfix/smtpd[47413]: disconnect from unknown[xxx.xxx.xxx.xxx]

Apr 12 17:03:04 891326-db2 postfix/smtp[1148]: connect to example.com[93.184.216.34]:25: Connection timed out
Apr 12 17:03:04 891326-db2 postfix/smtp[1148]: connect to example.com[2606:2800:220:1:248:1893:25c8:1946]:25: Network is unreachable
Apr 12 17:03:04 891326-db2 postfix/smtp[1148]: 12E2620617BE: to=<[email protected]>, relay=none, delay=265075, delays=265045/0.02/30/0, dsn=4.4.1, status=deferred (connect to example.com[2606:2800:220:1:248:1893:25c8:1946]:25: Network is unreachable)
Apr 12 17:03:04 891326-db2 postfix/smtp[1154]: connect to example.com[93.184.216.34]:25: Connection timed out
Apr 12 17:03:04 891326-db2 postfix/smtp[1154]: connect to example.com[2606:2800:220:1:248:1893:25c8:1946]:25: Network is unreachable
Apr 12 17:03:04 891326-db2 postfix/smtp[1154]: 17C632062FAB: to=<[email protected]>, relay=none, delay=155962, delays=155932/0.04/30/0, dsn=4.4.1, status=deferred (connect to example.com[2606:2800:220:1:248:1893:25c8:1946]:25: Network is unreachable)
Apr 12 17:03:04 891326-db2 postfix/smtp[1153]: connect to example.com[93.184.216.34]:25: Connection timed out
Apr 12 17:03:04 891326-db2 postfix/smtp[1153]: connect to example.com[2606:2800:220:1:248:1893:25c8:1946]:25: Network is unreachable
Apr 12 17:03:04 891326-db2 postfix/smtp[1153]: 1FF3820617F9: to=<[email protected]>, relay=none, delay=264998, delays=264968/0.03/30/0, dsn=4.4.1, status=deferred (connect to example.com[2606:2800:220:1:248:1893:25c8:1946]:25: Network is unreachable)
Apr 12 17:03:04 891326-db2 postfix/smtp[1151]: connect to example.com[93.184.216.34]:25: Connection timed out
Apr 12 17:03:04 891326-db2 postfix/smtp[1151]: connect to example.com[2606:2800:220:1:248:1893:25c8:1946]:25: Network is unreachable
Apr 12 17:03:04 891326-db2 postfix/smtp[1151]: 18756206303B: to=<[email protected]>, relay=none, delay=155848, delays=155818/0.02/30/0, dsn=4.4.1, status=deferred (connect to example.com[2606:2800:220:1:248:1893:25c8:1946]:25: Network is unreachable)
Apr 12 17:03:04 891326-db2 postfix/error[1160]: 1400220630A7: to=<[email protected]>, relay=none, delay=155758, delays=155728/30/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to example.com[2606:2800:220:1:248:1893:25c8:1946]:25: Network is unreachable)

I have already blocked the IPs, but new IPs keep appearing after I block them. Any idea how these sessions are being created, or solutions for this? Running a bit out of ideas...

by Kakenx 12.04.2018 / 11:07

1 answer

1

One solution is to use log-checking software (sec.pl, fail2ban) that blocks IP addresses (temporarily, usually) after X many events (possibly as low as 1 if the server is not used for SMTP AUTH, higher if there are users fumbling at their keyboards), which in turn will help reduce the log spam.

For sec.pl I list them, and other scripts handle removing the entries from the blacklist after some time (with a longer time until removal if the remote IP persists in being a log spammer):

type=SingleWithThreshold
ptype=RegExp
pattern=postfix/smtpd\[\d+\]: lost connection after AUTH from [^\[]+\[([^\]]+)
desc=smtp AUTH spam from $1
action=shellcmd /root/bin/blacklistip $1
window=300
thresh=3

The blacklistip script just calls iptables or ip6tables as appropriate and adds the IP to a chain that is not allowed to connect.

by 12.04.2018 / 16:03
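As an added illustration of what the sec.pl rule above does (not code from the answer or from sec.pl itself), the following Python reproduces its SingleWithThreshold logic over a constructed sample of Postfix log lines: the same regex, a 300-second sliding window and a threshold of 3, plus the iptables/ip6tables rule a blacklistip-style script might add. The chain name SMTPBLOCK, the year 2018 and the sample IPs are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Same pattern as the sec.pl rule in the answer, prefixed with the syslog
# timestamp so hits can be counted per client IP and per time window.
AUTH_ABORT = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"postfix/smtpd\[\d+\]: lost connection after AUTH from [^\[]+\[(?P<ip>[^\]]+)\]")
WINDOW = 300  # seconds, as window=300 in the sec.pl rule
THRESH = 3    # hits inside the window, as thresh=3
YEAR = 2018   # syslog timestamps carry no year; assumed for the constructed sample

def offenders(lines, window=WINDOW, thresh=THRESH):
    """Map each IP that reached `thresh` aborted AUTHs within `window` seconds
    to the timestamp of the hit that crossed the threshold (sliding window)."""
    hits, flagged = defaultdict(deque), {}
    for line in lines:
        m = AUTH_ABORT.search(line)
        if not m:
            continue  # warning/connect/disconnect lines are not counted
        ip = m["ip"]
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = hits[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()  # drop hits that fell out of the window
        if len(q) >= thresh and ip not in flagged:
            flagged[ip] = ts
    return flagged

def block_command(ip, chain="SMTPBLOCK"):
    """Rule a blacklistip-style script could add; the chain name is an assumption."""
    tool = "ip6tables" if ":" in ip else "iptables"
    return f"{tool} -I {chain} -s {ip} -j DROP"

# Constructed sample: 198.51.100.7 aborts AUTH three times within one second,
# 203.0.113.9 once, and 2001:db8::5 three times but spread over ten minutes.
SAMPLE = """\
Apr 12 16:48:21 891326-db2 postfix/smtpd[46245]: lost connection after AUTH from unknown[198.51.100.7]
Apr 12 16:48:21 891326-db2 postfix/smtpd[47413]: lost connection after AUTH from unknown[203.0.113.9]
Apr 12 16:48:21 891326-db2 postfix/smtpd[46245]: lost connection after AUTH from unknown[198.51.100.7]
Apr 12 16:48:21 891326-db2 postfix/smtpd[46245]: lost connection after AUTH from unknown[198.51.100.7]
Apr 12 16:50:00 891326-db2 postfix/smtpd[46250]: lost connection after AUTH from unknown[2001:db8::5]
Apr 12 16:55:30 891326-db2 postfix/smtpd[46251]: lost connection after AUTH from unknown[2001:db8::5]
Apr 12 17:00:10 891326-db2 postfix/smtpd[46252]: lost connection after AUTH from unknown[2001:db8::5]
""".splitlines()

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE).items():
        print(f"{when:%b %d %H:%M:%S} {ip}: {block_command(ip)}")
```

Only 198.51.100.7 is flagged with the defaults; 2001:db8::5 never has three hits inside one 300-second window, which is why the window size matters as much as the threshold.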