If you set up an SMTP relay on your server, bots may try to brute-force their way in to turn your machine into a spam machine.

In my logs I can easily see that 118.167.128.72 is hard at work (while being clever enough not to blow through the max connection rate):
Feb 12 05:22:20 ubuntuserv postfix/smtpd[20950]: lost connection after RCPT from 118-167-128-72.dynamic.hinet.net[118.167.128.72]
Feb 12 05:22:20 ubuntuserv postfix/smtpd[20950]: disconnect from 118-167-128-72.dynamic.hinet.net[118.167.128.72]
Feb 12 05:25:40 ubuntuserv postfix/anvil[20952]: statistics: max connection rate 1/60s for (smtp:118.167.128.72) at Feb 12 05:22:19
Feb 12 05:25:40 ubuntuserv postfix/anvil[20952]: statistics: max connection count 1 for (smtp:118.167.128.72) at Feb 12 05:22:19
Feb 12 05:25:40 ubuntuserv postfix/anvil[20952]: statistics: max cache size 1 at Feb 12 05:22:19
Feb 12 05:31:20 ubuntuserv postfix/smtpd[22890]: connect from 118-167-128-72.dynamic.hinet.net[118.167.128.72]
Feb 12 05:31:21 ubuntuserv postfix/smtpd[22890]: NOQUEUE: reject: RCPT from 118-167-128-72.dynamic.hinet.net[118.167.128.72]: 554 5.7.1 <s2288@mail2000.com.tw>: Relay access denied; from=<itidgh483987@hotmail.com> to=<s2288@mail2000.com.tw> proto=SMTP helo=<79.132.57.102>
Feb 12 05:31:22 ubuntuserv postfix/smtpd[22890]: lost connection after RCPT from 118-167-128-72.dynamic.hinet.net[118.167.128.72]
Feb 12 05:31:22 ubuntuserv postfix/smtpd[22890]: disconnect from 118-167-128-72.dynamic.hinet.net[118.167.128.72]
Feb 12 05:34:42 ubuntuserv postfix/anvil[22892]: statistics: max connection rate 1/60s for (smtp:118.167.128.72) at Feb 12 05:31:20
Feb 12 05:34:42 ubuntuserv postfix/anvil[22892]: statistics: max connection count 1 for (smtp:118.167.128.72) at Feb 12 05:31:20
Feb 12 05:34:42 ubuntuserv postfix/anvil[22892]: statistics: max cache size 1 at Feb 12 05:31:20
Feb 12 05:40:38 ubuntuserv postfix/smtpd[24764]: connect from 118-167-128-72.dynamic.hinet.net[118.167.128.72]
Feb 12 05:40:39 ubuntuserv postfix/smtpd[24764]: NOQUEUE: reject: RCPT from 118-167-128-72.dynamic.hinet.net[118.167.128.72]: 554 5.7.1 <s2288@mail2000.com.tw>: Relay access denied; from=<itidgh483987@hotmail.com> to=<s2288@mail2000.com.tw> proto=SMTP helo=<79.132.57.102>
To protect against brute-force attacks, the classic Fail2Ban does the job; all that is missing is the right regular expression:
NOQUEUE\: reject\: RCPT from .*\[<HOST>\]: .*: Relay access denied;
which we add to /etc/fail2ban/filter.d/couriersmtp.conf, which then becomes:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 510 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = error,relay=<HOST>,.*550 User unknown
            NOQUEUE\: reject\: RCPT from .*\[<HOST>\]: .*: Relay access denied;

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
and don't forget to enable the filter in /etc/fail2ban/jail.conf by setting enabled to true in the couriersmtp section:
[couriersmtp]
enabled  = true
port     = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log
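As an added example (not from the post, nor Fail2Ban's own code), the Python below expands the <HOST> tag exactly as the filter's header comment describes, runs the new failregex over constructed Postfix lines modelled on the ones above, and counts denials per source host the way the jail does before maxretry is reached. The function names, the maxretry value and the 192.0.2.x / 203.0.113.x hosts are assumptions for the demo.

```python
import re
from collections import Counter

# failregex exactly as added to the filter on the page
FAILREGEX = r"NOQUEUE\: reject\: RCPT from .*\[<HOST>\]: .*: Relay access denied;"

# Fail2Ban expands the <HOST> tag to this pattern (quoted in the filter's own
# header comment) before compiling the failregex.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"


def compile_failregex(failregex=FAILREGEX):
    """Expand <HOST> the way Fail2Ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def relay_denials(lines, failregex=FAILREGEX):
    """Count 'Relay access denied' rejections per source host."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def hosts_to_ban(lines, maxretry=3, failregex=FAILREGEX):
    """Hosts that reached the jail's maxretry threshold (findtime ignored here)."""
    return sorted(h for h, n in relay_denials(lines, failregex).items() if n >= maxretry)


# Constructed sample lines modelled on the Postfix entries in the post
# (192.0.2.0/24 and 203.0.113.0/24 are documentation ranges, not real hosts).
SAMPLE_LOG = """\
Feb 12 05:31:20 ubuntuserv postfix/smtpd[22890]: connect from 118-167-128-72.dynamic.hinet.net[118.167.128.72]
Feb 12 05:31:21 ubuntuserv postfix/smtpd[22890]: NOQUEUE: reject: RCPT from 118-167-128-72.dynamic.hinet.net[118.167.128.72]: 554 5.7.1 <s2288@mail2000.com.tw>: Relay access denied; from=<itidgh483987@hotmail.com> to=<s2288@mail2000.com.tw> proto=SMTP helo=<79.132.57.102>
Feb 12 05:40:39 ubuntuserv postfix/smtpd[24764]: NOQUEUE: reject: RCPT from 118-167-128-72.dynamic.hinet.net[118.167.128.72]: 554 5.7.1 <s2288@mail2000.com.tw>: Relay access denied; from=<itidgh483987@hotmail.com> to=<s2288@mail2000.com.tw> proto=SMTP helo=<79.132.57.102>
Feb 12 05:45:02 ubuntuserv postfix/smtpd[24764]: NOQUEUE: reject: RCPT from 118-167-128-72.dynamic.hinet.net[118.167.128.72]: 554 5.7.1 <s2288@mail2000.com.tw>: Relay access denied; from=<itidgh483987@hotmail.com> to=<s2288@mail2000.com.tw> proto=SMTP helo=<79.132.57.102>
Feb 12 05:46:10 ubuntuserv postfix/smtpd[24790]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <someone@example.net>: Relay access denied; from=<x@example.org> to=<someone@example.net> proto=ESMTP helo=<mail>
Feb 12 05:47:33 ubuntuserv postfix/smtpd[24795]: NOQUEUE: reject: RCPT from mx.example.com[203.0.113.5]: 550 5.1.1 <nobody@ubuntuserv>: Recipient address rejected: User unknown in local recipient table; from=<a@example.com> to=<nobody@ubuntuserv> proto=ESMTP helo=<mx.example.com>
Feb 12 05:48:00 ubuntuserv postfix/smtpd[24795]: disconnect from mx.example.com[203.0.113.5]
"""

if __name__ == "__main__":
    print(relay_denials(SAMPLE_LOG.splitlines()))
    print(hosts_to_ban(SAMPLE_LOG.splitlines()))
```

Note that the "User unknown" rejection from 203.0.113.5 is not counted: the added regex only fires on "Relay access denied", so ordinary bounces for non-existent local users do not get a host banned.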