近期用 postfix + dovecot 搭建了一个邮件server, 被人当做垃圾邮件转发器,经过配置postfix 的黑白名单, postfix 提示成功的 REJECT 了垃圾邮件, 只是还是有无数的IP地址, 连接过来要进行发送邮件, 尽管垃圾邮件被拒绝了,可是未知连接太多,造成 maillog 日志越变越大, 拖慢 postfix 的执行速度, 总得想个办法解决。要是能把这些没用的IP地址直接用防火墙拒绝就好了。 思路有了,我们就着手处理吧。
这些垃圾IP地址所有是
- 本站主数据:台湾省 中华电信股份有限公司
- 參考数据一:台湾
tail -f /var/log/maillog 查看日志例如以下所看到的:
这日志还是非常有规律的, 是不是 ?
Aug 20 12:11:40 www postfix/smtpd[18033]: NOQUEUE: reject: RCPT from 36-224-133-61.dynamic-ip.hinet.net[36.224.133.61]: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<115.28.81.191> Aug 20 12:11:41 www postfix/smtpd[18033]: NOQUEUE: reject: RCPT from 36-224-133-61.dynamic-ip.hinet.net[36.224.133.61]: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<115.28.81.191> Aug 20 12:11:41 www postfix/smtpd[18026]: NOQUEUE: reject: RCPT from 36-224-135-60.dynamic-ip.hinet.net[36.224.135.60]: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<115.28.81.191> Aug 20 12:11:42 www postfix/smtpd[18023]: NOQUEUE: reject: RCPT from 114-45-29-112.dynamic.hinet.net[114.45.29.112]: 554 5.1.8 <[email protected]>: Sender address rejected: Domain not found; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<115.28.81.191> Aug 20 12:11:43 www postfix/smtpd[18033]: NOQUEUE: reject: RCPT from 36-224-133-61.dynamic-ip.hinet.net[36.224.133.61]: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<115.28.81.191> Aug 20 12:11:43 www postfix/smtpd[18026]: NOQUEUE: reject: RCPT from 36-224-135-60.dynamic-ip.hinet.net[36.224.135.60]: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<115.28.81.191> Aug 20 12:11:44 www postfix/smtpd[18033]: NOQUEUE: reject: RCPT from 36-224-133-61.dynamic-ip.hinet.net[36.224.133.61]: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<115.28.81.191> Aug 20 12:11:44 www postfix/smtpd[18023]: NOQUEUE: reject: RCPT from 114-45-29-112.dynamic.hinet.net[114.45.29.112]: 554 5.1.8 <[email protected]>: Sender address rejected: Domain not found; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<115.28.81.191> Aug 20 12:11:45 www postfix/smtpd[18033]: NOQUEUE: reject: RCPT from 36-224-133-61.dynamic-ip.hinet.net[36.224.133.61]: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<115.28.81.191> Aug 20 12:11:45 www postfix/smtpd[18026]: too many errors after RCPT from 36-224-135-60.dynamic-ip.hinet.net[36.224.135.60] Aug 20 12:11:45 www postfix/smtpd[18026]: disconnect from 36-224-135-60.dynamic-ip.hinet.net[36.224.135.60] Aug 20 12:11:46 www postfix/smtpd[18023]: too many errors after RCPT from 114-45-29-112.dynamic.hinet.net[114.45.29.112] Aug 20 12:11:46 www postfix/smtpd[18023]: disconnect from 114-45-29-112.dynamic.hinet.net[114.45.29.112] Aug 20 12:11:47 www postfix/smtpd[18033]: NOQUEUE: reject: RCPT from 36-224-133-61.dynamic-ip.hinet.net[36.224.133.61]: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<115.28.81.191> Aug 20 12:11:49 www postfix/smtpd[18033]: too many errors after RCPT from 36-224-133-61.dynamic-ip.hinet.net[36.224.133.61] Aug 20 12:11:49 www postfix/smtpd[18033]: disconnect from 36-224-133-61.dynamic-ip.hinet.net[36.224.133.61] Aug 20 12:14:10 www postfix/smtpd[18097]: connect from 36-224-136-82.dynamic-ip.hinet.net[36.224.136.82] Aug 20 12:14:11 www postfix/smtpd[18097]: NOQUEUE: reject: RCPT from 36-224-136-82.dynamic-ip.hinet.net[36.224.136.82]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<115.28.81.191> Aug 20 12:14:11 www postfix/smtpd[18097]: NOQUEUE: reject: RCPT from 36-224-136-82.dynamic-ip.hinet.net[36.224.136.82]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<115.28.81.191>
我们能够动态分析日志, 把
too many errors after RCPT from 后面的IP地址获取, 动态添?到防火墙进行拒绝即可。
思路有了, 我就写个小程序来分析日志吧,我写的是C的, 只是用perl 或者 shell 脚本可能更简单。
反正用自己最熟悉的语言即可。
dyn.c 源码文件的内容例如以下 :
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#define BUF_LEN 4096
#define DATA_LEN 4096*10
int main (int argc, char** argv)
{
//too many errors after RCPT from 36-224-128-99.dynamic-ip.hinet.net[36.224.128.99]
//too many errors after RCPT from 118-169-22-28.dynamic.hinet.net[118.169.22.28]
//too many errors after AUTH from unknown[79.125.161.236]
char buf[BUF_LEN] = {0};
const char* sep = "too many errors after";
while (1)
{
memset (buf, 0, sizeof(buf));
char* tp = fgets (buf, sizeof(buf)-1, stdin);
if (tp != NULL)
{
int buflen = strlen(tp);
char* p = strstr(buf, sep);
if (p != NULL)
{
char* p1 = p + strlen(sep) + 1;
char* ps = NULL;
char* pe = NULL;
while (*p1 != ‘\0‘ && *p1 != ‘\n‘)
{
if (*p1 == ‘[‘)
ps = p1+1;
if (*p1 == ‘]‘)
pe = p1;
p1++;
}
if (ps != NULL && pe != NULL)
{
char ipbuf[64]={0};
memcpy (ipbuf, ps, pe-ps);
char ebuf[512] = {0};
snprintf(ebuf, sizeof(ebuf)-1, "iptables -I INPUT -s %s -j DROP", ipbuf);
system (ebuf);
printf ("%s\n", ebuf);
}
}
}
}
return 0;
}
用 gcc -g -o dyn dyn.c , 编译后生成了可运行文件 dyn
我的dyn可运行文件在 /root 文件夹, 所以用 命令:
nohup tail -f /var/log/maillog | /root/dyn &
让它自己跑吧。
过一段时间后, 我们再看maillog日志, 已经基本没有 不认识的IP地址再连接过来打算发邮件了。
时间: 2024-08-09 10:44:02