CentOS5.8 smtp auth での不正アタック対策

一昨日あたりから、サーバーに smtp auth で不正アタックが続くようになりました。

messageログには、下記、ログが大量に出力されていました。

Nov 23 16:53:33 ns1 saslauthd[6761]: do_auth : auth failure: [user=vernon] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

一度に１～２つのホストからアタックしきて、ブロックされると、替わりのホストから執拗にアタックしてくるようです。
この不正アクセスのログには、IPが直接出力されないので、非常にたちが悪いです。
インターネットのあちこちの情報を参考に対策してみました。参考にさせて頂いたサイトの方には、この場をかりて、お礼申し上げます。

sendmail のログレベルを 9 → 10 に上げると、mail ログに詳しい内容が表示されるようです。
https://bugzilla.redhat.com/show_bug.cgi?id=683797

/etc/mail/sendmail.mc
dnl define(`confLOG_LEVEL', `9')dnl
↓
define(`confLOG_LEVEL', `10')dnl
http://www.blindead.jp/sick/2008/07/sendmailmc1.html

#cd /etc/mail
#vi sendmail.mc で内容を修正
(#make たぶん make は、自動なので必要ない。)
#service sendmail restart で、有効になります。

下が、変更後の mail ログ

Nov 23 16:25:49 ns1 sendmail[9800]: NOQUEUE: connect from ool-4b7fecc2.static.optonline.net [75.127.236.194]
Nov 23 16:25:57 ns1 sendmail[9800]: qAN7Pnm4009800: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed
Nov 23 16:25:59 ns1 sendmail[9800]: qAN7Pnm4009800: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed
Nov 23 16:26:02 ns1 sendmail[9800]: qAN7Pnm4009800: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed
Nov 23 16:26:04 ns1 sendmail[9800]: qAN7Pnm4009800: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed
Nov 23 16:26:06 ns1 sendmail[9800]: qAN7Pnm4009800: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed
Nov 23 16:26:07 ns1 sendmail[9800]: qAN7Pnm4009800: ool-4b7fecc2.static.optonline.net [75.127.236.194] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

最後の、ラインの

Nov 23 16:26:07 ns1 sendmail[9800]: qAN7Pnm4009800: ool-4b7fecc2.static.optonline.net [75.127.236.194] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

を fail2ban でチェックして、このログが一度でも表示されると、すぐさま ban させます。
注）LOG_LEVEL=9 でも、このログは、出力されますが、いきなりこの行だけが出てくると不正アクセスの所為だとは、判断できません。
ですが、気にしないのであれば、LOG_LEVEL=9 でも大丈夫です。

下記が、fail2banの今回のフィルターです。
/etc/fail2ban/filter.d/sendmail-auth.conf
# Fail2Ban configuration file # for sendmail SMTP attack # Source: http://www.the-art-of-web.com/system/fail2ban-sendmail/ # Contibutors: Gutza, the SASL regex # # $Revision: 0 $ # [Definition] # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>\S+) # Values: TEXT # failregex = \[<HOST>\] .*to MTA \[<HOST>\]: possible SMTP attack: command=AUTH # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =

下記が、 jail.local の抜粋です。
/etc/fail2ban/jail.local
[sendmail-auth] enabled = true filter = sendmail-auth action = iptables[name=sendmail-auth, port=smtp, protocol=tcp] # sendmail-whois[name=sendmail, dest=root , sender=fail2ban@server] logpath = /var/log/maillog maxretry = 0 # 20 hour bantime = 72000

上記しかけで、下記の不正ホストIPを収集しました。今回の主なアクセス元IPです。
多分、踏み台にされたPCなどではないでしょうか？

Nov 22 18:41:09 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 120.146.193.153
Nov 22 18:43:02 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 199.168.143.53
Nov 22 18:50:23 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 75.127.236.194
Nov 22 18:50:26 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 90.184.114.13
Nov 22 18:50:28 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 108.71.19.30
Nov 22 18:59:53 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 50.84.168.222
Nov 22 18:59:53 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 66.64.240.218
Nov 22 18:59:53 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 108.162.17.130
Nov 22 19:00:00 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 213.153.47.1
Nov 22 19:09:24 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 72.89.191.60
Nov 22 19:09:25 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 149.172.6.222
Nov 22 19:09:26 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 70.43.109.131
Nov 22 19:19:01 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 203.45.134.40
Nov 22 19:19:09 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 80.26.50.39
Nov 22 19:28:44 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 64.77.234.112
Nov 22 19:28:50 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 165.228.246.237
Nov 22 19:38:16 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 95.61.84.31
Nov 22 19:47:26 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 209.190.190.196
Nov 22 19:57:14 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 88.0.82.60
Nov 22 20:06:51 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 212.145.136.149
Nov 22 20:06:51 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 24.234.155.80
Nov 22 20:26:13 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 173.200.3.25
Nov 22 20:26:17 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 75.149.2.246
Nov 22 20:26:42 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 190.0.57.98
Nov 22 20:36:34 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 98.174.235.103
Nov 22 20:36:40 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 23.24.12.243
Nov 22 20:56:56 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 74.84.111.214
Nov 22 21:07:07 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 23.25.216.129
Nov 22 21:07:07 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 66.64.6.154
Nov 22 21:07:10 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 75.151.109.166
Nov 22 21:35:46 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 74.11.126.243
Nov 22 21:54:51 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 89.87.130.233
Nov 22 22:04:47 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 75.146.225.49
Nov 22 22:49:52 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 50.121.152.110
Nov 22 23:40:23 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 184.91.103.84
Nov 23 00:58:47 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 94.86.194.251
Nov 23 01:45:18 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 98.189.122.23
Nov 23 03:45:42 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 93.64.210.123
Nov 23 04:32:35 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 93.63.6.214
Nov 23 05:07:02 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 95.225.148.31
Nov 23 08:01:33 ns1 fail2ban.actions: WARNING [sendmail-auth] Ban 83.60.252.165

fail2ban で 20時間ブロックしていましたが、ブロックが終了すると、アタックが再開されるようなので、
上記IPを iptables に登録して、やっとなんとか静かになりました。
踏み台にされたPCだと、本来の使用者からのメールもブロックされるので、申し訳ないですが！

下記は、実際のiptables の抜粋です。

-A RH-Firewall-1-INPUT -p tcp -s 23.24.12.243 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 23.25.216.129 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 24.234.155.80 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 50.84.168.222 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 50.121.152.110 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 64.77.234.112 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 66.64.6.154 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 66.64.240.218 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 70.43.109.131 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 72.89.191.60 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 74.11.126.243 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 74.84.111.214 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 75.127.236.194 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 75.146.225.49 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 75.149.2.246 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 75.151.109.166 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 80.26.50.39 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 83.60.252.165 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 88.0.82.60 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 89.87.130.233 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 90.184.114.13 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 93.63.6.214 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 93.64.210.123 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 94.86.194.251 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 95.61.84.31 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 95.225.148.31 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 98.174.235.103 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 98.189.122.23 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 108.71.19.30 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 120.146.193.153 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 120.146.193.153 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 149.172.6.222 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 165.228.246.237 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 173.200.3.25 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 184.91.103.84 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 190.0.57.98 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 199.168.143.53 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 203.45.134.40 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 209.190.190.196 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 212.145.136.149 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -p tcp -s 213.153.47.1 --dport 25 -j DROP

同じような不正アクセスで困った方の参考になれば幸いです。

カテゴリ:

検索

このブログ記事について

カテゴリ

月別アーカイブ

ウェブページ

サイトナビ