
Postfix SASL login attacks

  1. Enable the sasl-iptables jail; its filter postfix-sasl corresponds to /etc/fail2ban/filter.d/postfix-sasl.conf.
    [root@mail ~]# vim /etc/fail2ban/jail.local 
    [root@mail ~]# tail -7 /etc/fail2ban/jail.local
    [sasl-iptables]
    enabled  = true
    filter   = postfix-sasl
    backend  = polling
    action   = iptables[name=sasl, port=smtp, protocol=tcp]
    #          sendmail-whois[name=sasl, dest=you@example.com]
    logpath  = /var/log/maillog
    
  2. Test filtering maillog with postfix-sasl.conf.
    [root@mail ~]# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-sasl.conf
    
  3. Start the fail2ban service and enable it at boot.
    [root@mail ~]# /etc/init.d/fail2ban start
    Starting fail2ban:                                         [  OK  ]
    [root@mail ~]# chkconfig fail2ban on
    
  4. Check the iptables firewall; there should be an f2b-sasl section at the end.
    [root@mail ~]#  iptables -L -nv
    Chain INPUT (policy DROP 193 packets, 19542 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        4   240 f2b-sasl   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 
    ............
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 1531 packets, 298K bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain f2b-sasl (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        4   240 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
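
Step 2 runs the filter's regular expression over maillog. The following added example (not from the original page or the fail2ban project) reproduces that matching and the resulting ban decision in Python on constructed log lines. The regex is a simplified approximation of the shipped postfix-sasl filter, and the maxretry=3 and findtime=600 values and the year 2020 are assumptions, since the jail above sets neither option.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified approximation of the postfix-sasl failregex (assumption); the
# shipped /etc/fail2ban/filter.d/postfix-sasl.conf remains authoritative.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: [-._\w]+\[(?P<host>[0-9A-Fa-f:.]+)\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
    re.IGNORECASE,
)

# Constructed maillog sample (documentation addresses, not real traffic).
SAMPLE_MAILLOG = """\
May 19 10:01:02 mail postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 19 10:01:09 mail postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 19 10:01:15 mail postfix/smtpd[2104]: connect from client.example.net[198.51.100.20]
May 19 10:01:20 mail postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed:
May 19 10:02:00 mail postfix/smtpd[2110]: warning: host.example.org[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 19 10:30:00 mail postfix/smtpd[2190]: warning: host.example.org[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 19 10:59:00 mail postfix/smtpd[2250]: warning: host.example.org[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

def parse_failures(log_text, year=2020):
    """Yield (timestamp, host) for every line the failregex matches."""
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if m:
            # syslog timestamps carry no year; one is assumed for parsing
            stamp = f"{year} " + " ".join(m.group("ts").split())
            yield datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m.group("host")

def hosts_to_ban(log_text, maxretry=3, findtime=600):
    """Hosts with at least maxretry failures inside findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # host -> failure times still in window
    banned = []
    for ts, host in parse_failures(log_text):
        times = recent[host]
        times.append(ts)
        while ts - times[0] > window:
            times.popleft()       # drop failures older than findtime
        if len(times) >= maxretry and host not in banned:
            banned.append(host)
    return banned
```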
    



De-Yu Wang 2020-05-19