Eric's Hexo Space

[Notes] Quickly finding the accounts and IPs that send mail from outside via SASL authentication in the maillog

This article was published 1491 days ago; its content may be out of date. If in doubt, contact the author.

Once you have found them, check whether each of these people actually needs this, that is, whether they really do send mail from outside the network.

grep sasl maillog-20131027 | grep -v '192\.168\.'
Oct 26 01:24:17 SH-DNS-FC14 postfix/smtpd[25649]: C2A1A88E5E: client=23-24-225-177-static.hfc.comcastbusiness.net[23.24.225.177], sasl_method=LOGIN, sasl_username=cindy
Oct 26 01:24:18 SH-DNS-FC14 postfix/smtpd[25645]: 931E388E5F: client=23-24-225-177-static.hfc.comcastbusiness.net[23.24.225.177], sasl_method=LOGIN, sasl_username=cindy
Oct 26 01:24:20 SH-DNS-FC14 postfix/smtpd[25645]: 9B15488E60: client=23-24-225-177-static.hfc.comcastbusiness.net[23.24.225.177], sasl_method=LOGIN, sasl_username=cindy
Oct 26 01:24:31 SH-DNS-FC14 postfix/smtpd[25645]: A957B88E69: client=23-24-225-177-static.hfc.comcastbusiness.net[23.24.225.177], sasl_method=LOGIN, sasl_username=cindy
Oct 26 01:24:32 SH-DNS-FC14 postfix/smtpd[25648]: D7D2788E6A: client=23-24-225-177-static.hfc.comcastbusiness.net[23.24.225.177], sasl_method=LOGIN, sasl_username=cindy
Oct 26 01:24:32 SH-DNS-FC14 postfix/smtpd[25649]: D9C1488E6B: client=23-24-225-177-static.hfc.comcastbusiness.net[23.24.225.177], sasl_method=LOGIN, sasl_username=cindy
Oct 26 01:24:32 SH-DNS-FC14 postfix/smtpd[25647]: DAFD188E6C: client=23-24-225-177-static.hfc.comcastbusiness.net[23.24.225.177], sasl_method=LOGIN, sasl_username=cindy
Oct 26 01:24:32 SH-DNS-FC14 postfix/smtpd[25650]: DC24988E6D: client=23-24-225-177-static.hfc.comcastbusiness.net[23.24.225.177], sasl_method=LOGIN, sasl_username=cindy
Oct 26 01:24:36 SH-DNS-FC14 postfix/smtpd[25645]: AA62088E6F: client=23-24-225-177-static.hfc.comcastbusiness.net[23.24.225.177], sasl_method=LOGIN, sasl_username=cindy
Oct 26 01:24:37 SH-DNS-FC14 postfix/smtpd[25648]: DA31F88E73: client=23-24-225-177-static.hfc.comcastbusiness.net[23.24.225.177], sasl_method=LOGIN, sasl_username=cindy
Oct 26 01:24:37 SH-DNS-FC14 postfix/smtpd[25647]: DA38088E74: client=23-24-225-177-static.hfc.comcastbusiness.net[23.24.225.177], sasl_method=LOGIN, sasl_username=cindy
Oct 26 01:24:37 SH-DNS-FC14 postfix/smtpd[25649]: DA5E988E75: client=23-24-225-177-static.hfc.comcastbusiness.net[23.24.225.177], sasl_method=LOGIN, sasl_username=cindy
Oct 26 01:24:37 SH-DNS-FC14 postfix/smtpd[25650]: E1C2888E76: client=23-24-225-177-static.hfc.comcastbusiness.net[23.24.225.177], sasl_method=LOGIN, sasl_username=cindy
Oct 26 01:24:38 SH-DNS-FC14 postfix/smtpd[25645]: E524388E77: client=23-24-225-177-static.hfc.comcastbusiness.net[23.24.225.177], sasl_method=LOGIN, sasl_username=cindy
Oct 26 01:24:40 SH-DNS-FC14 postfix/smtpd[25645]: ECC7B88E7A: client=23-24-225-177-static.hfc.comcastbusiness.net[23.24.225.177], sasl_method=LOGIN, sasl_username=cindy

A pattern like this, a large volume of mail submitted within a short time, means the user's account password has definitely been guessed. First change the password or disable the account, then block these IPs, and then have the user switch to a stronger password.
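The post's one-liner narrows the log to SASL lines from outside the 192.168 range and leaves the counting to the eye. The script below is an added example, not the post's own command, that does the same job more generally: it excludes all three RFC 1918 ranges rather than only 192.168, pulls the client IP and sasl_username out of each accepted-submission line, counts per (user, IP) pair and flags the pairs at or above a threshold. The log lines embedded in it are constructed and use documentation address ranges; the function names and the default threshold of 10 are my own choices.

```shell
#!/bin/sh
# Summarise external SASL-authenticated submissions in a Postfix maillog.
# Added example, not the post's own one-liner. Assumes the smtpd log format
# shown in the post:
#   ... postfix/smtpd[PID]: QUEUEID: client=HOST[IP], sasl_method=..., sasl_username=USER
# Unlike the post's "grep -v 192.168", all three RFC 1918 ranges are excluded.

# Print "user ip count" for each (user, ip) pair that authenticated from a
# non-private address, most active pair first.
sasl_external_summary() {
    grep 'sasl_username=' "$1" \
    | grep -v -E 'client=[^[]*\[(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' \
    | sed -n 's/.*client=[^[]*\[\([^]]*\)\].*sasl_username=\([^ ,]*\).*/\2 \1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $2, $3, $1 }'
}

# Keep only pairs with at least THRESHOLD accepted submissions (default 10,
# an assumed value); the post's example shows 15 in about 25 seconds.
sasl_external_flag() {
    threshold="${2:-10}"
    sasl_external_summary "$1" | awk -v t="$threshold" '$3 >= t'
}

# Constructed sample log (documentation address ranges, not real traffic):
# a burst from one external address, internal traffic that must be ignored,
# a quiet external user, and a failed-login warning that carries no username.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Oct 26 01:24:17 mx postfix/smtpd[25649]: C2A1A88E5E: client=example-host.invalid[203.0.113.5], sasl_method=LOGIN, sasl_username=cindy
Oct 26 01:24:18 mx postfix/smtpd[25645]: 931E388E5F: client=example-host.invalid[203.0.113.5], sasl_method=LOGIN, sasl_username=cindy
Oct 26 01:24:20 mx postfix/smtpd[25645]: 9B15488E60: client=example-host.invalid[203.0.113.5], sasl_method=LOGIN, sasl_username=cindy
Oct 26 01:24:31 mx postfix/smtpd[25645]: A957B88E69: client=example-host.invalid[203.0.113.5], sasl_method=LOGIN, sasl_username=cindy
Oct 26 09:02:11 mx postfix/smtpd[25700]: 11AAA88F01: client=pc12.lan[192.168.1.23], sasl_method=PLAIN, sasl_username=bob
Oct 26 09:02:12 mx postfix/smtpd[25700]: 11AAB88F02: client=pc12.lan[192.168.1.23], sasl_method=PLAIN, sasl_username=bob
Oct 26 10:15:00 mx postfix/smtpd[25710]: 22BBB88F10: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=alice
Oct 26 11:00:00 mx postfix/smtpd[25711]: 33CCC88F20: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=alice
Oct 26 11:30:00 mx postfix/smtpd[25712]: 44DDD88F30: client=srv.lan[10.0.0.4], sasl_method=PLAIN, sasl_username=alice
Oct 26 12:00:01 mx postfix/smtpd[25713]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
EOF
    echo "$f"
}

# Stand-alone run: summarise the sample and flag pairs at three or more messages.
log=$(make_sample_log)
sasl_external_summary "$log"
echo "--- flagged (>= 3) ---"
sasl_external_flag "$log" 3
rm -f "$log"
```

Against a real server, run `sasl_external_flag /var/log/maillog 10` and tune the threshold to what is normal for your users. Lines that only record a failed attempt ("SASL LOGIN authentication failed") carry no sasl_username= and are deliberately left out: they point to a password-guessing source rather than an already-compromised account, and are worth counting separately by client address.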

If you have been hit this way for a while, you will have a great many IPs to block. See the following article for blocking all of them with iptables:

[Tutorial] Automatically block an IP blacklist via iptables

The script is not hard; a quick look shows how to adapt it. I changed it to use my own blacklist (which must be over a hundred entries by now)....
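The linked tutorial's script is not reproduced here. The following is an added example of my own, not the tutorial's code, showing one way to turn a hand-maintained blacklist file into iptables rules: it strips comments and whitespace, drops duplicates, rejects malformed entries, and prints each rule guarded by an iptables -C check so that re-running it does not stack duplicate rules. It only prints the commands; run the output as root to apply them. The blacklist embedded in it is constructed from documentation address ranges, and the function names are my own.

```shell
#!/bin/sh
# Generate idempotent iptables DROP rules from a blacklist file.
# Added example, not the script from the linked tutorial. Assumes one IPv4
# address or CIDR per line; blank lines and '#' comments are ignored.

# Validate a dotted quad with an optional /prefix; returns 0 if acceptable.
valid_ipv4_cidr() {
    case "$1" in
        */*) ip="${1%/*}"; prefix="${1#*/}" ;;
        *)   ip="$1"; prefix=32 ;;
    esac
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs="$IFS"; IFS=.
    for octet in $ip; do
        [ "$octet" -le 255 ] || { IFS="$old_ifs"; return 1; }
    done
    IFS="$old_ifs"
    [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ]
}

# Print one rule line per unique valid entry; rejected entries go to stderr.
# -C checks whether the rule already exists, so repeated runs add nothing.
blocklist_rules() {
    sed 's/#.*//; s/[[:space:]]//g' "$1" | grep -v '^$' | sort -u \
    | while read -r entry; do
        if valid_ipv4_cidr "$entry"; then
            echo "iptables -C INPUT -s $entry -j DROP 2>/dev/null || iptables -I INPUT -s $entry -j DROP"
        else
            echo "skipping invalid entry: $entry" >&2
        fi
    done
}

# Constructed sample blacklist (documentation ranges), not a real blocklist.
make_sample_blacklist() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed blacklist for the example
203.0.113.5
198.51.100.0/24
203.0.113.5        # duplicate, collapsed by sort -u
999.1.1.1          # invalid octet, skipped
not-an-ip
EOF
    echo "$f"
}

# Stand-alone run: print the rules for the sample file.
bl=$(make_sample_blacklist)
blocklist_rules "$bl"
rm -f "$bl"
```

With `blocklist_rules blacklist.txt | sh` the rules are applied in place; keep the printing step so the list can be reviewed before it touches the firewall. Once the list reaches hundreds of addresses, one iptables rule per address becomes slow to evaluate, and an ipset-based match (one rule referencing a hash set) is the usual next step.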