使用fail2ban阻挡对电邮系统的DDOS攻击

By | 2019-11-19

前段时间电邮服务器一直受到DDOS攻击,导致防火墙的连接都爆满了,没办法只能手工在防火墙对攻击的IP地址进行封禁,但海量的攻击源根本无法及时阻挡,只能别想办法了。

网络架构更改为:

VPS –> 防火墙 –> Mail Gateway –> Mail Server

构想是通过公网上的VPS架设SMTP服务作为第一接入点,攻击就攻击VPS吧,fail2ban自动封锁一些攻击的IP地址,起码防火墙不会因连接数爆满而导致其他服务也受到影响,然后防火墙规则只允许VPS的IP地址入25 port , 这样的更改等于在电邮系统前再加一个电邮网关了。

编辑/etc/fail2ban/jail.conf

[postfix-ddos]
enabled  = true
filter   = postfix-ddos
action   = iptables-allports[name=MAIL, protocol=all]
logpath  = /var/log/mail.log
maxretry = 2
findtime = 86400
bantime  = 604800

在/etc/fail2ban/filter.d目录中创建 postfix-ddos.conf

# Fail2Ban filter for Postfix DDOS attacks
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix/(submission/)?smtp(d|s)

failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 504 5\.5\.2 .*$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
            ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$
            ^%(__prefix_line)slost connection after \S+ from [^[]*\[<HOST>\]:?$
            ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$
            ^%(__prefix_line)sstatistics: max connection rate \S+ for \(smtp:<HOST>\):?$

ignoreregex = lost connection after .* from unknown\[unknown\]$
              authentication failed: Connection lost to authentication server$
              statistics: max connection rate .* for \(smtp:unknown\).*$

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service


# Author: kn007

最后重启一下fail2ban即可,使用 fail2ban-client status 查看是否已经启动postfix-ddos过滤器。

结语:过程中还有很多细节,例如VPS到本地电邮网关的传输加密等,这里就不详细描述了。

發佈回覆