主題: 它！這個狗東西一直踹我

[Acoju]

這是這2天Mail log 的一小小段
ct 27 16:05:13 localhost postfix/smtpd[4469]: connect from ca207.calcit.fastwebserver.de[146.0.42.76]
Oct 27 16:05:19 localhost postfix/smtpd[4469]: warning: ca207.calcit.fastwebserver.de[146.0.42.76]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 27 16:05:19 localhost postfix/smtpd[4469]: lost connection after AUTH from ca207.calcit.fastwebserver.de[146.0.42.76]
Oct 27 16:05:19 localhost postfix/smtpd[4469]: disconnect from ca207.calcit.fastwebserver.de[146.0.42.76]
Oct 27 16:06:24 localhost postfix/smtpd[4469]: connect from ca207.calcit.fastwebserver.de[146.0.42.76]
Oct 27 16:06:29 localhost postfix/smtpd[4469]: warning: ca207.calcit.fastwebserver.de[146.0.42.76]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 27 16:06:29 localhost postfix/smtpd[4469]: lost connection after AUTH from ca207.calcit.fastwebserver.de[146.0.42.76]
Oct 27 16:06:29 localhost postfix/smtpd[4469]: disconnect from ca207.calcit.fastwebserver.de[146.0.42.76]
Oct 27 16:06:57 localhost postfix/smtpd[4469]: connect from ca207.calcit.fastwebserver.de[146.0.42.76]
Oct 27 16:07:20 localhost postfix/smtpd[4469]: warning: ca207.calcit.fastwebserver.de[146.0.42.76]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

我不曉得對方在做啥麼？？？，底下是secure的片段
Fail2ban也擋不了，是不是因爲不是連續的，一分鍾踹一下，有人說不用理這個訊息，是對還是不對

Oct 27 16:11:32 localhost auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=info@hinet.net rhost=146.0.42.76
Oct 27 16:13:08 localhost auth: pam_unix(dovecot:auth): check pass; user unknown
Oct 27 16:13:08 localhost auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=info@hinet.net rhost=146.0.42.76
Oct 27 16:15:07 localhost auth: pam_unix(dovecot:auth): check pass; user unknown
Oct 27 16:15:07 localhost auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=info@hinet.net rhost=146.0.42.76
Oct 27 16:17:53 localhost auth: pam_unix(dovecot:auth): check pass; user unknown

這也不是的的網址跟USER帳號，對方幹麻還要一直踹我的MailServer，
maillog有時還會接着蹦出下面訊息？這是在釣魚嗎？？
Oct 27 16:08:30 localhost postfix/qmgr[4604]: 2B92E2238E3: from=<sb@seo.uk.net>, size=621, nrcpt=1 (queue active)
Oct 27 16:08:30 localhost postfix/qmgr[4604]: 91D5D22395B: from=<sb@seo.uk.net>, size=623, nrcpt=1 (queue active)
Oct 27 16:08:30 localhost postfix/smtp[4606]: 2B92E2238E3: host smtp.europe.secureserver.net[188.121.52.56] refused to talk to me: 554 n1plibsmtp01-02.prod.ams1.secureserver.net bizsmtp RBL Reject -Please submit an unblock request <http://unblock.secureserver.net/?ip=59.126.238.72>  <http://x.co/rblbounce>
Oct 27 16:08:30 localhost postfix/smtp[4607]: 91D5D22395B: host smtp.europe.secureserver.net[188.121.52.56] refused to talk to me: 554 n1plibsmtp01-03.prod.ams1.secureserver.net bizsmtp RBL Reject -Please submit an unblock request <http://unblock.secureserver.net/?ip=59.126.238.72>  <http://x.co/rblbounce>
Oct 27 16:08:31 localhost postfix/smtp[4606]: 2B92E2238E3: to=<sb@seo.uk.net>, relay=mailstore1.europe.secureserver.net[188.121.52.56]:25, delay=56074, delays=56073/0.01/1.4/0, dsn=4.0.0, status=deferred (host mailstore1.europe.secureserver.net[188.121.52.56] refused to talk to me: 554 n1plibsmtp01-01.prod.ams1.secureserver.net bizsmtp RBL Reject -Please submit an unblock request <http://unblock.secureserver.net/?ip=59.126.238.72>  <http://x.co/rblbounce>)
Oct 27 16:08:31 localhost postfix/smtp[4607]: 91D5D22395B: to=<sb@seo.uk.net>, relay=mailstore1.europe.secureserver.net[188.121.52.56]:25, delay=55870, delays=55868/0.01/1.4/0, dsn=4.0.0, status=deferred (host mailstore1.europe.secureserver.net[188.121.52.56] refused to talk to me: 554 n1plibsmtp01-03.prod.ams1.secureserver.net bizsmtp RBL Reject -Please submit an unblock request <http://unblock.secureserver.net/?ip=59.126.238.72>  <http://x.co/rblbounce>)

[darkranger]

既然有固定的 IP 對象，就先把該 IP DROP 掉吧

至少也要讓對方知道，這邊網管可是有在做事的

[hikohan]

利用fail2ban根據時間內錯誤次數ban IP。

[Acoju]

SASL LOGIN authentication failed （已解）。原來是fail2ban要抓的maillog檔設錯了，所以擋沒到，不過設10小時過了之後。。。還在踹！！

在來就是Oct 27 16:08:30 localhost postfix/qmgr[4604]: 2B92E2238E3: from=<sb@seo.uk.net>, size=621, nrcpt=1 (queue active)
我在想是不是設定postfix就能直接擋掉，所以增加了
client_checks
# Restricts which clients this system accepts SMTP connections from.
#postmap /etc/postfix/client_checks
example.com               REJECT No spammers
.example.com              REJECT No spammers, from your subdomain
123.456.789.123           REJECT Your IP is spammer
123.456.789.0/24          REJECT Your IP range is spammer
146.0.42.76           REJECT Your IP is spammer
.fastwebserver.de           REJECT No spammers, from your subdomain
跟sender_checks
# Restricts sender addresses this system accepts in MAIL FROM commands.
#postmap /etc/postfix/sender_checks
example.com              REJECT env. from addr any@example.com rejected
.example.com             REJECT env. from addr any@sub.example.com rejected
user@example.com         REJECT We don't want your email
sb@seo.uk.net              REJECT
，也postmap。
Spam設定
smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/client_checks, check_sender_access hash:/etc/postfix/sender_checks, permit_mynetworks, permit_sasl_authenticated, permit_auth_destination, reject_unauth_destination, reject_unknown_helo_hostname

不過沒直接drop掉踹我的146.0.42.76，也沒直接drop掉sb@seo.uk.net，大概設錯了。。。

http://unblock.secureserver.net這個網站不知道有沒有問題？GOOGLE查查，有人說是Linux系的，不知道是啥的，有人說輸入IP沒Block，還說要解blacklist還要錢？這好有問題。。。我用撥接的固定IP架站只在臺灣用，又不是玩很大的企業，只是小工作室，有需要嗎？

[netman]

直接用 iptables DROP 掉就好

[Acoju]

drop果然很有效。
fedora redhat 現在內定使用Firewall
firewall-cmd --permanent --zone="public" --add-rich-rule='rule family="ipv4" source address="146.0.42.76" drop'
至於from=<sb@seo.uk.net>的問題，發覺它是來自系統內部本身
su -
密碼：
[root@localhost ~]# postqueue -p
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
2B92E2238E3      621 Mon Oct 27 00:33:57  sb@seo.uk.net
(host mailstore1.europe.secureserver.net[188.121.52.56] refused to talk to me: 554 n1plibsmtp01-03.prod.ams1.secureserver.net bizsmtp RBL Reject -Please submit an unblock request <http://unblock.secureserver.net/?ip=59.126.238.72>  <http://x.co/rblbounce>)
                                         sb@seo.uk.net

91D5D22395B      623 Mon Oct 27 00:37:21  sb@seo.uk.net
(host mailstore1.europe.secureserver.net[188.121.52.56] refused to talk to me: 554 n1plibsmtp01-01.prod.ams1.secureserver.net bizsmtp RBL Reject -Please submit an unblock request <http://unblock.secureserver.net/?ip=59.126.238.72>  <http://x.co/rblbounce>)
                                         sb@seo.uk.net

-- 2 Kbytes in 2 Requests.
[root@localhost ~]# postsuper -d ALL
postsuper: Deleted: 2 messages
[root@localhost ~]# postqueue -p
Mail queue is empty
有駭客這麼厲害！！那不就是特別超級的可以從外部把mail塞進server？
我想想後，這應該是在安裝WP的外掛時，裝進去測試的時候，跑進MAILSERVER的吧！
在想可能會有問題，果然可以驗證到。

[西歪街]

懶得解釋太多
Keyword:DHA
http://www.netadmin.com.tw/article_content.aspx?sn=1310300007&ns=1404300001&jump=1