I recently set up a mail server with postfix + dovecot, and it was being abused as a spam relay. After configuring postfix's black/white lists, postfix reports that it successfully REJECTs the spam, but countless IP addresses still connect and try to send mail. Even though the spam is rejected, the sheer number of unknown connections makes maillog grow larger and larger and slows postfix down, so something had to be done. It would be ideal if the firewall simply rejected these useless IP addresses outright. With that idea in mind, let's get to work.
All of these junk IP addresses can be seen in the log. Running tail -f /var/log/maillog shows entries like the following.
The log is quite regular, isn't it?
```text
Aug 20 12:11:40 www postfix/smtpd[18033]: NOQUEUE: reject: RCPT from 36-224-133-61.dynamic-ip.hinet.net[36.224.133.61]: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<115.28.81.191>
Aug 20 12:11:41 www postfix/smtpd[18033]: NOQUEUE: reject: RCPT from 36-224-133-61.dynamic-ip.hinet.net[36.224.133.61]: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<115.28.81.191>
Aug 20 12:11:41 www postfix/smtpd[18026]: NOQUEUE: reject: RCPT from 36-224-135-60.dynamic-ip.hinet.net[36.224.135.60]: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<115.28.81.191>
Aug 20 12:11:42 www postfix/smtpd[18023]: NOQUEUE: reject: RCPT from 114-45-29-112.dynamic.hinet.net[114.45.29.112]: 554 5.1.8 <[email protected]>: Sender address rejected: Domain not found; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<115.28.81.191>
Aug 20 12:11:43 www postfix/smtpd[18033]: NOQUEUE: reject: RCPT from 36-224-133-61.dynamic-ip.hinet.net[36.224.133.61]: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<115.28.81.191>
Aug 20 12:11:43 www postfix/smtpd[18026]: NOQUEUE: reject: RCPT from 36-224-135-60.dynamic-ip.hinet.net[36.224.135.60]: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<115.28.81.191>
Aug 20 12:11:44 www postfix/smtpd[18033]: NOQUEUE: reject: RCPT from 36-224-133-61.dynamic-ip.hinet.net[36.224.133.61]: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<115.28.81.191>
Aug 20 12:11:44 www postfix/smtpd[18023]: NOQUEUE: reject: RCPT from 114-45-29-112.dynamic.hinet.net[114.45.29.112]: 554 5.1.8 <[email protected]>: Sender address rejected: Domain not found; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<115.28.81.191>
Aug 20 12:11:45 www postfix/smtpd[18033]: NOQUEUE: reject: RCPT from 36-224-133-61.dynamic-ip.hinet.net[36.224.133.61]: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<115.28.81.191>
Aug 20 12:11:45 www postfix/smtpd[18026]: too many errors after RCPT from 36-224-135-60.dynamic-ip.hinet.net[36.224.135.60]
Aug 20 12:11:45 www postfix/smtpd[18026]: disconnect from 36-224-135-60.dynamic-ip.hinet.net[36.224.135.60]
Aug 20 12:11:46 www postfix/smtpd[18023]: too many errors after RCPT from 114-45-29-112.dynamic.hinet.net[114.45.29.112]
Aug 20 12:11:46 www postfix/smtpd[18023]: disconnect from 114-45-29-112.dynamic.hinet.net[114.45.29.112]
Aug 20 12:11:47 www postfix/smtpd[18033]: NOQUEUE: reject: RCPT from 36-224-133-61.dynamic-ip.hinet.net[36.224.133.61]: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<115.28.81.191>
Aug 20 12:11:49 www postfix/smtpd[18033]: too many errors after RCPT from 36-224-133-61.dynamic-ip.hinet.net[36.224.133.61]
Aug 20 12:11:49 www postfix/smtpd[18033]: disconnect from 36-224-133-61.dynamic-ip.hinet.net[36.224.133.61]
Aug 20 12:14:10 www postfix/smtpd[18097]: connect from 36-224-136-82.dynamic-ip.hinet.net[36.224.136.82]
Aug 20 12:14:11 www postfix/smtpd[18097]: NOQUEUE: reject: RCPT from 36-224-136-82.dynamic-ip.hinet.net[36.224.136.82]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<115.28.81.191>
Aug 20 12:14:11 www postfix/smtpd[18097]: NOQUEUE: reject: RCPT from 36-224-136-82.dynamic-ip.hinet.net[36.224.136.82]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<115.28.81.191>
```
Just extract the IP address that follows "too many errors after RCPT from" and dynamically add it to the firewall so it is rejected.
With the idea in place, I wrote a small program to analyze the log. Mine is in C, though perl or a shell script would probably be simpler.
Just use whichever language you know best.
The contents of the source file dyn.c are as follows:
```c
#include <ctype.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>

#define BUF_LEN 4096

/* Lines this program looks for; the client IP is the text between the last "[" and "]":
 *   too many errors after RCPT from 36-224-128-99.dynamic-ip.hinet.net[36.224.128.99]
 *   too many errors after RCPT from 118-169-22-28.dynamic.hinet.net[118.169.22.28]
 *   too many errors after AUTH from unknown[79.125.161.236]
 */

/* Only a dotted-decimal IPv4 address may be passed to system(); anything else is skipped. */
static int looks_like_ipv4(const char *s)
{
    int dots = 0;
    if (*s == '\0')
        return 0;
    for (; *s != '\0'; s++) {
        if (*s == '.')
            dots++;
        else if (!isdigit((unsigned char)*s))
            return 0;
    }
    return dots == 3;
}

int main(void)
{
    char buf[BUF_LEN] = {0};
    const char *sep = "too many errors after";

    /* Read log lines from stdin (fed by tail -f) until the pipe closes. */
    while (fgets(buf, sizeof(buf), stdin) != NULL) {
        char *p = strstr(buf, sep);
        if (p == NULL)
            continue;

        /* Scan the rest of the line for the last "[" and the last "]". */
        char *p1 = p + strlen(sep);
        char *ps = NULL;
        char *pe = NULL;
        while (*p1 != '\0' && *p1 != '\n') {
            if (*p1 == '[')
                ps = p1 + 1;
            if (*p1 == ']')
                pe = p1;
            p1++;
        }
        /* Need a well-formed [..] pair that fits in ipbuf. */
        if (ps == NULL || pe == NULL || pe <= ps || (size_t)(pe - ps) >= 64)
            continue;

        char ipbuf[64] = {0};
        memcpy(ipbuf, ps, (size_t)(pe - ps));
        if (!looks_like_ipv4(ipbuf))
            continue;

        /* Insert a DROP rule for the address and log what was run. */
        char ebuf[512] = {0};
        snprintf(ebuf, sizeof(ebuf), "iptables -I INPUT -s %s -j DROP", ipbuf);
        system(ebuf);
        printf("%s\n", ebuf);
        fflush(stdout); /* so the record of added rules shows up under nohup */
    }
    return 0;
}
```
My dyn executable lives in the /root directory, so I run the command:
nohup tail -f /var/log/maillog | /root/dyn &
and let it run on its own.
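The same log-to-firewall loop in shell, as the author suggests might be simpler. This is an added example, not the author's dyn.c: it extracts and deduplicates the client IPs from "too many errors after" lines with awk, only lets dotted-decimal addresses reach iptables, and checks for an existing rule before inserting one. It assumes IPv4-only logs, an iptables that supports `-C`, and defaults to dry-run mode (DRY_RUN=1) so it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not the page's dyn.c): extraction in awk plus a duplicate-rule
# check before calling iptables. Assumes IPv4 logs and iptables with -C support.

# Read maillog lines on stdin; print the client IPv4 address of each
# "too many errors after <STAGE> from <host>[<ip>]" line, once per address.
# awk keeps the dedup state in memory, so this also works behind tail -f.
extract_bad_ips() {
    awk '
        /too many errors after [A-Z-]+ from / {
            s = $0
            sub(/.*too many errors after [A-Z-]+ from [^[]*[[]/, "", s)  # drop up to "["
            sub(/].*/, "", s)                                            # drop from "]"
            # only dotted-decimal survives, so junk never reaches the iptables command
            if (s ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !seen[s]++) {
                print s
                fflush()
            }
        }'
}

# The rule the author adds, as a string (checkable without root).
drop_rule_for() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Read addresses on stdin. With DRY_RUN=1 (default) just print the commands;
# otherwise add the rule unless iptables -C reports it is already present.
block_ips() {
    while IFS= read -r ip; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            drop_rule_for "$ip"
        elif ! iptables -C INPUT -s "$ip" -j DROP 2>/dev/null; then
            iptables -I INPUT -s "$ip" -j DROP
        fi
    done
}

# Constructed sample in the shape of the page's maillog excerpt (not real traffic).
SAMPLE_LOG='Aug 20 12:11:45 www postfix/smtpd[18026]: too many errors after RCPT from 36-224-135-60.dynamic-ip.hinet.net[36.224.135.60]
Aug 20 12:11:45 www postfix/smtpd[18026]: disconnect from 36-224-135-60.dynamic-ip.hinet.net[36.224.135.60]
Aug 20 12:11:46 www postfix/smtpd[18023]: too many errors after RCPT from 114-45-29-112.dynamic.hinet.net[114.45.29.112]
Aug 20 12:11:49 www postfix/smtpd[18033]: too many errors after RCPT from 36-224-135-60.dynamic-ip.hinet.net[36.224.135.60]
Aug 20 12:12:01 www postfix/smtpd[18040]: too many errors after AUTH from unknown[79.125.161.236]'

# Live use (as root): DRY_RUN=0; tail -F /var/log/maillog | extract_bad_ips | block_ips
printf '%s\n' "$SAMPLE_LOG" | extract_bad_ips | block_ips
```

Run as shown it prints three iptables commands, one per unique address; the repeated 36.224.135.60 line is collapsed.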
After a while, looking at maillog again, there are basically no more unknown IP addresses connecting to try to send mail.