Spammers trying to authenticate via SASL?
Have you checked the mail flow on your EFA appliance lately?
You can do it like this:
sudo tailf /var/log/maillog
Noticed something odd like this:
Dec 20 14:43:52 mailscanner postfix/smtpd[18724]: warning: unknown[xxx.xxx.xxx.x]: SASL LOGIN authentication failed: authentication failure
Dec 20 14:43:52 mailscanner postfix/smtpd[18724]: warning: unknown[xxx.xxx.xxx.x]: SASL LOGIN authentication failed: authentication failure
Dec 20 14:43:52 mailscanner postfix/smtpd[18724]: warning: unknown[xxx.xxx.xxx.x]: SASL LOGIN authentication failed: authentication failure
Dec 20 14:43:53 mailscanner postfix/smtpd[18724]: warning: unknown[xxx.xxx.xxx.x]: SASL LOGIN authentication failed: authentication failure
It is most likely because you are under a brute-force attack: the same client is trying username/password combinations against SMTP AUTH (SASL) several times per second.
These problems are not always easy to deal with, but they can certainly be mitigated.
The fail2ban program is a big help here: it watches the logs and, for the most diverse services, blocks with iptables any IP that exceeds x failed logins within a given time window.
So let's configure fail2ban on our EFA appliance and put these spammers in the penalty box for a few hours.
Install fail2ban on the EFA appliance (on CentOS-based builds the package comes from the EPEL repository):
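Before installing anything it helps to know how bad the problem already is. The script below is an added example (not from the original post): it does by hand what the postfix-sasl jail will later do automatically, counting failed SASL logins per client IP and listing the hosts that have reached the jail's maxretry. The log lines are constructed for the example and use documentation addresses; the functions read the log on standard input so they can be pointed at the real maillog.

```shell
#!/bin/sh
# Added example, not part of the original post: count failed SASL logins per
# client address in a Postfix maillog and show who would trip the jail.
# The lines below are constructed for the example (documentation IP ranges);
# the format is what Postfix smtpd writes on a failed SASL authentication.
SASL_LOG=$(cat <<'EOF'
Dec 20 14:43:52 mailscanner postfix/smtpd[18724]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Dec 20 14:43:52 mailscanner postfix/smtpd[18724]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Dec 20 14:43:53 mailscanner postfix/smtpd[18724]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Dec 20 14:43:53 mailscanner postfix/smtpd[18724]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Dec 20 14:44:01 mailscanner postfix/smtpd[18730]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Dec 20 14:44:05 mailscanner postfix/smtpd[18731]: connect from mail.example.net[192.0.2.25]
Dec 20 14:44:06 mailscanner postfix/smtpd[18731]: 1A2B3C4D5E: client=mail.example.net[192.0.2.25]
EOF
)

# sasl_failures: read maillog lines on stdin, print "count ip" for every
# client with at least one failed SASL login, most active client first.
sasl_failures() {
    awk '
        /: SASL (LOGIN|PLAIN|CRAM-MD5) authentication failed/ {
            # the client address is the bracketed part right before ": SASL"
            if (match($0, /\[[0-9a-fA-F.:]+\]: SASL/)) {
                # strip the leading "[" (1 char) and trailing "]: SASL" (7 chars)
                ip = substr($0, RSTART + 1, RLENGTH - 8)
                hits[ip]++
            }
        }
        END { for (ip in hits) printf "%d %s\n", hits[ip], ip }
    ' | sort -rn
}

# sasl_offenders MAXRETRY: addresses at or above the jail threshold.
# This ignores findtime; it is a quick "who is hammering me right now" view.
sasl_offenders() {
    sasl_failures | awk -v max="$1" '$1 >= max { print $2 }'
}

echo "failed SASL logins per client:"
printf '%s\n' "$SASL_LOG" | sasl_failures
echo "would be banned with maxretry=3:"
printf '%s\n' "$SASL_LOG" | sasl_offenders 3
```

On the appliance, `sasl_offenders 3 < /var/log/maillog` lists the clients that are already over the threshold used later in jail.local; the real jail additionally only counts hits inside findtime, which this quick tally does not.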
sudo yum install fail2ban
Copy jail.conf to jail.local (fail2ban reads jail.local on top of jail.conf, so your changes survive package upgrades):
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit jail.local to suit your needs. The excerpt below is the configuration used on the appliance: only 127.0.0.1/8 is whitelisted (add your own management networks to ignoreip so you cannot lock yourself out), bans last 12 hours (bantime = 43200), the three postfix jails are enabled, and postfix-rbl and postfix-sasl ban after 3 hits. Note that the postfix jails use action_mwl, which mails destemail a whois report plus the matching log lines on every ban; with mta = mail that needs the mail and whois commands on the box, otherwise keep the plain action_ set in the DEFAULT section.
[INCLUDES]

#before = paths-distro.conf
before = paths-fedora.conf

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
# 43200 = 12h
bantime = 43200

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
#findtime = 600
# 86400 = 24h
findtime = 86400

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#              If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#              If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# systemd:   uses systemd python library to access the systemd journal.
#              Specifying "logpath" is not valid for this backend.
#              See "journalmatch" in the jails associated filter config
# auto:      will try to use the following backends, in order:
#              pyinotify, gamin, polling.
#
# Note: if systemd backend is chosen as the default but you enable a jail
#       for which logs are present only in its own log files, specify some other
#       backend for that jail (e.g. polling) and provide empty value for
#       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a DNS lookup will be performed.
# warn:  if a hostname is encountered, a DNS lookup will be performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
usedns = no

# "logencoding" specifies the encoding of the log files handled by the jail
#   This is used to decode the lines from the log file.
#   Typical examples:  "ascii", "utf-8"
#
#   auto:   will use the system locale setting
logencoding = auto

# "enabled" enables the jails.
#  By default all jails are disabled, and it should stay this way.
#  Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true:  jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = false

# "filter" defines the filter to use by the jail.
#  By default jails have names matching their filter name
#
filter = %(__name__)s

#
# ACTIONS
#

# Some options used for actions

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = administrator@mydomain.tld

# Sender email address used solely for some actions
sender = fail2ban

# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
#mta = sendmail
mta = mail

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535

# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
fail2ban_agent = Fail2Ban/%(fail2ban_version)s

#
# Action shortcuts. To be used to define action parameter

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
banaction_allports = iptables-allports

#disabled the action with _MWL as that sends out emails :-/
#action = %(action_mwl)s
action = %(action_)s

#
# Mail servers
#

[postfix]
enabled  = true
port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
action   = %(action_mwl)s

[postfix-rbl]
enabled  = true
port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
action   = %(action_mwl)s
maxretry = 3

[postfix-sasl]
enabled  = true
port     = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
maxretry = 3

# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
#    is not at DEBUG level -- which might then cause fail2ban to fall into
#    an infinite loop constantly feeding itself with non-informative lines
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
#    to maintain entries for failed logins for sufficient amount of time
[recidive]
#enabled = true
logpath  = /var/log/messages
banaction = %(banaction_allports)s
bantime  = 604800  ; 1 week
findtime = 259200  ; 3 days
maxretry = 3
action   = %(action_mwl)s
Edit /etc/fail2ban/filter.d/postfix-rbl.conf so that it looks like this. The stock filter only matches the 554 5.7.1 hard reject; the extra line also catches the 454 4.7.1 form of the same RBL reject, which would otherwise never count towards a ban:
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
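Before restarting fail2ban it is worth confirming that the edited failregex really matches what the appliance logs; fail2ban ships `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-rbl.conf` for exactly that and prints a matched/missed summary. The script below is an added example (not from the original post or from fail2ban) that re-implements the two failregex lines above in awk so the check can be run and understood without fail2ban installed: `<HOST>` becomes an address capture, the rest of the pattern is kept, and the hits are then counted per host against the postfix-rbl jail's maxretry = 3. The log lines are constructed for the example with documentation addresses; the `450 4.1.8` line and the plain connect line are there to show what must not match.

```shell
#!/bin/sh
# Added example, not part of the original post or of fail2ban: dry-run the
# postfix-rbl failregex (454 4.7.1 / 554 5.7.1 RBL rejects) against sample
# log lines. Lines are constructed for the example (documentation IP ranges).
RBL_LOG=$(cat <<'EOF'
Dec 20 15:01:10 mailscanner postfix/smtpd[19001]: NOQUEUE: reject: RCPT from unknown[203.0.113.44]: 554 5.7.1 Service unavailable; Client host [203.0.113.44] blocked using zen.spamhaus.org; from=<spam@example.org> to=<user@mydomain.tld> proto=ESMTP helo=<mx.example.org>
Dec 20 15:01:12 mailscanner postfix/smtpd[19001]: NOQUEUE: reject: RCPT from unknown[203.0.113.44]: 454 4.7.1 Service unavailable; Client host [203.0.113.44] blocked using zen.spamhaus.org; from=<spam@example.org> to=<user@mydomain.tld> proto=ESMTP helo=<mx.example.org>
Dec 20 15:01:14 mailscanner postfix/smtpd[19001]: NOQUEUE: reject: RCPT from unknown[203.0.113.44]: 554 5.7.1 Service unavailable; Client host [203.0.113.44] blocked using zen.spamhaus.org; from=<spam@example.org> to=<other@mydomain.tld> proto=ESMTP helo=<mx.example.org>
Dec 20 15:01:15 mailscanner postfix/smtpd[19002]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 450 4.1.8 <bad@example.invalid>: Sender address rejected: Domain not found; from=<bad@example.invalid> to=<user@mydomain.tld> proto=ESMTP helo=<x>
Dec 20 15:01:20 mailscanner postfix/smtpd[19003]: connect from mail.example.net[192.0.2.25]
EOF
)

# rbl_hosts: read maillog lines on stdin and print, one per matching line,
# the address that fail2ban would capture as <HOST> for the postfix-rbl
# filter. The pattern mirrors the failregex: only 454 4.7.1 and 554 5.7.1
# "blocked using" rejects count; other rejects and normal traffic are ignored.
rbl_hosts() {
    awk '
        /NOQUEUE: reject: RCPT from [^ ]+\[[0-9a-fA-F.:]+\]: (454 4\.7\.1|554 5\.7\.1) Service unavailable; Client host \[[^ ]+\] blocked using / {
            if (match($0, /RCPT from [^ ]+\[[0-9a-fA-F.:]+\]/)) {
                s = substr($0, RSTART, RLENGTH)   # "RCPT from name[addr]"
                sub(/.*\[/, "", s)                # drop everything up to "["
                sub(/\]$/, "", s)                 # drop the closing "]"
                print s
            }
        }'
}

# rbl_ban_candidates MAXRETRY: hosts whose RBL rejects reach the jail threshold
# (the jail also requires them to fall inside findtime, which is not modelled).
rbl_ban_candidates() {
    rbl_hosts | sort | uniq -c | awk -v max="$1" '$1 >= max { print $2 }'
}

echo "hosts captured by the postfix-rbl failregex:"
printf '%s\n' "$RBL_LOG" | rbl_hosts
echo "would be banned by postfix-rbl with maxretry=3:"
printf '%s\n' "$RBL_LOG" | rbl_ban_candidates 3
```

If `fail2ban-regex` reports zero matches on the real maillog while this script finds hits, the difference is almost always the `%(__prefix_line)s` part (hostname or syslog format), not the reject text itself.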
Restart fail2ban (and make sure the service is enabled at boot, or the bans will be gone after the next reboot):
sudo service fail2ban restart
Check the result in iptables; fail2ban creates a chain per jail and the banned addresses show up there as REJECT rules (you can also ask fail2ban directly with fail2ban-client status postfix-sasl):
iptables -nvL --line-numbers | more
Follow the Ban/Unban messages in messages (if nothing appears there, fail2ban is probably logging to /var/log/fail2ban.log instead; see logtarget in fail2ban.conf):
tail -f /var/log/messages | grep fail2ban
Check the mail flow and watch the attack being mitigated in maillog:
sudo tailf /var/log/maillog
You will certainly have more peace of mind.
The configuration shown above is an example file copied from the appliance's jail.local.