今天看postfix 日志,发现日志中报大量的NOQUEUE: reject: RCPT from unknown[183.60.103.208]: 504 5.5.2 ,而且在不停的换IP,频率很高,一分钟能收到2000左右的连接,虽然postfix 已经拒绝了请求,但是这也很浪费服务器资源。决定扼杀在萌芽状态。于是想起了fail2ban。
首先安装,yum 安装,需要epel 源
yum install fail2ban -y
cd /etc/fail2ban
vi jail.conf
#[postfix-tcpwrapper]
[POSTFIX] enabled = ture port = smtp filter = postfix logpath = /var/log/zimbra.log ##日志 action =iptables[name=Postfix, port=25, protocol=tcp] ##调用iptables 拒绝ip ignoreip = 127.0.0.1 192.168.2.0/16 ##忽略的ip地址,或者是信任的ip地址 bantime = 86400 #####禁止其访问的时间(秒) findtime = 60 maxretry = 5 ###最大尝试次数vi filter.d/postfix.conf
failregex = warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:
reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1 reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1 reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1 reject: RCPT from (.*)\[<HOST>\]: 554 5.5.2reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2###过滤规则,上面4条默认有,我另外加了两条
然后启动服务:service fail2ban start
查看状态:
fail2ban-client status POSTFIX
Status for the jail: POSTFIX |- filter | |- File list: /var/log/zimbra.log | |- Currently failed: 0 | `- Total failed: 8 `- action |- Currently banned: 1 | `- IP list: 120.197.131.6 `- Total banned: 1已经有IP地址了
iptables -L
Chain fail2ban-Postfix (1 references)
target prot opt source destination DROP all -- 120.197.131.6 anywhere RETURN all -- anywhere anywhere世界终于安静多了