Blocking requests on postfix (fail2ban)
I keep seeing the same non-SMTP requests in my mail log, but I can't figure out what is missing so that these requests get blocked.
fail2ban is set up and I have configured a jail.local file. How can I block these 6 requests:
Feb 10 10:58:57 host postfix/submission/smtpd[5167]: warning: non-SMTP command from unknown[161.35.7.72]: GET /system_api.php HTTP/1.1
Feb 10 10:58:57 host postfix/submission/smtpd[5167]: warning: non-SMTP command from unknown[161.35.7.72]: GET /c/version.js HTTP/1.1
Feb 10 10:58:58 host postfix/submission/smtpd[5167]: warning: non-SMTP command from unknown[161.35.7.72]: GET /streaming/clients_live.php HTTP/1.1
Feb 10 10:58:58 host postfix/submission/smtpd[5167]: warning: non-SMTP command from unknown[161.35.7.72]: GET /stalker_portal/c/version.js HTTP/1.1
Feb 10 10:58:58 host postfix/submission/smtpd[5167]: warning: non-SMTP command from unknown[161.35.7.72]: GET /client_area/ HTTP/1.1
Feb 10 10:58:59 host postfix/submission/smtpd[5167]: warning: non-SMTP command from unknown[161.35.7.72]: GET /stalker_portal/c/ HTTP/1.1
The jail.local for the postfix configuration looks like this:
[postfix]
# To use another modes set filter parameter "mode" in jail.local:
enabled = true
mode = more
port = smtp,ssmtp,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
bantime = 1000
findtime = 10000
maxretry = 3
maxmatches = %(maxretry)s
bantime.increment = true
bantime.rndtime = 1000
bantime.factor = 1
bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
bantime.multipliers = 1 2 4 8 16 32 64
bantime.overalljails = true
It looks like the default postfix rules don't block/ban those non-SMTP requests. What am I missing here?
Why not try defining a failregex in your conf file, for example:
failregex = 161.35.7.72.*GET.*/system_api.php.*
For more output, check this
The missing piece was the <HOST> in the filter, so fail2ban knows which IP to ban.
The filter now looks like this:
[Definition]
failregex = ^.*\[<HOST>].*system\_api
            ^.*\[<HOST>].*c\/version\.js
            ^.*\[<HOST>].*streaming\/clients
            ^.*\[<HOST>].*client\_area
            ^.*\[<HOST>].*stalker\_portal
datepattern = ^[^\[]*\[({DATE})
              {^LN-BEG}
ignoreregex =
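An added example (not from the question or either answer) that emulates what fail2ban does with the two regexes proposed on this page: the first answer's pattern with the IP hard-coded contains no <HOST> group, so a match yields nothing to ban, while the accepted answer's filter captures the client IP and, run over the question's own six log lines, crosses maxretry = 3 inside findtime. The <HOST> expansion below is a simplified stand-in for fail2ban's real one, the year on the syslog timestamps is assumed (syslog lines carry none), and the extra "connect from" line is constructed to show that an unrelated client is not counted.

```python
import re
from datetime import datetime, timedelta

# Simplified stand-in for what fail2ban substitutes for <HOST> (assumption for
# this example; fail2ban's real expansion also covers IPv6 and DNS names).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The five failregex lines from the accepted answer, as Python raw strings.
FAILREGEX = [
    r"^.*\[<HOST>].*system\_api",
    r"^.*\[<HOST>].*c\/version\.js",
    r"^.*\[<HOST>].*streaming\/clients",
    r"^.*\[<HOST>].*client\_area",
    r"^.*\[<HOST>].*stalker\_portal",
]

# The regex proposed in the first answer: it hard-codes the IP and has no <HOST>.
NO_HOST_REGEX = r"161.35.7.72.*GET.*/system_api.php.*"

# Constructed sample: the six lines from the question plus one ordinary
# connect line from an unrelated client (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
Feb 10 10:58:57 host postfix/submission/smtpd[5167]: warning: non-SMTP command from unknown[161.35.7.72]: GET /system_api.php HTTP/1.1
Feb 10 10:58:57 host postfix/submission/smtpd[5167]: warning: non-SMTP command from unknown[161.35.7.72]: GET /c/version.js HTTP/1.1
Feb 10 10:58:58 host postfix/submission/smtpd[5167]: warning: non-SMTP command from unknown[161.35.7.72]: GET /streaming/clients_live.php HTTP/1.1
Feb 10 10:58:58 host postfix/submission/smtpd[5167]: warning: non-SMTP command from unknown[161.35.7.72]: GET /stalker_portal/c/version.js HTTP/1.1
Feb 10 10:58:58 host postfix/submission/smtpd[5167]: warning: non-SMTP command from unknown[161.35.7.72]: GET /client_area/ HTTP/1.1
Feb 10 10:58:59 host postfix/submission/smtpd[5167]: warning: non-SMTP command from unknown[161.35.7.72]: GET /stalker_portal/c/ HTTP/1.1
Feb 10 10:59:03 host postfix/submission/smtpd[5168]: connect from mail.example.net[192.0.2.10]
"""


def compile_failregex(pattern):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def extract_host(pattern, line):
    """Return the IP a pattern yields for a line, or None.

    A pattern without a <HOST> (named 'host') group can match the line but
    never tells fail2ban whom to ban, which is the point of the accepted answer.
    """
    m = compile_failregex(pattern).search(line)
    if m is None or "host" not in m.groupdict():
        return None
    return m.group("host")


def syslog_time(line, year=2023):
    """Parse the leading 'Mon DD HH:MM:SS' syslog stamp (the year is assumed)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def scan(log_text, patterns, maxretry=3, findtime=10000):
    """Emulate a fail2ban jail: count failures per host inside findtime and
    report which hosts reached maxretry. Returns (failures_by_host, banned)."""
    regexes = [compile_failregex(p) for p in patterns]
    failures = {}   # host -> timestamps of matching lines still inside findtime
    banned = []
    for line in log_text.splitlines():
        for rx in regexes:
            m = rx.search(line)
            if m is None:
                continue
            host = m.group("host")
            now = syslog_time(line)
            window = [t for t in failures.get(host, [])
                      if now - t <= timedelta(seconds=findtime)]
            window.append(now)
            failures[host] = window
            if len(window) >= maxretry and host not in banned:
                banned.append(host)
            break  # one failure per line, as fail2ban counts it
    return failures, banned


if __name__ == "__main__":
    first_line = SAMPLE_LOG.splitlines()[0]
    print("first answer's regex yields host:", extract_host(NO_HOST_REGEX, first_line))
    print("accepted answer's regex yields host:", extract_host(FAILREGEX[0], first_line))
    failures, banned = scan(SAMPLE_LOG, FAILREGEX)
    for host, times in failures.items():
        print(f"{host}: {len(times)} failures")
    print("banned:", banned)
```

On a real system the same check is done with `fail2ban-regex <logfile> <filter.conf>`, which prints per-pattern match counts and the IPs it extracted; fail2ban itself rejects a failregex that has no <HOST> (failure-id) group at all, which is why the hard-coded-IP variant cannot work as a filter.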