Blocking the connections that hammer the mail server


The mail server's authentication is being hit more than three times a second. Someone is poking at the POP3 port, trying to guess a valid user ID and password and break into the server. The excerpt from messages below is the SMTP side of the same server (saslauthd is handling SMTP AUTH, service=smtp): every two seconds a failed login for user=test, and partway through sendmail itself starts failing with "Too many open files in system", so the flood is also eating file descriptors, not just guessing passwords.

# cat messages
Mar 29 02:53:20 domain saslauthd[279988]: do_auth : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Mar 29 02:53:20 domain smtp(pam_unix)[279988]: check pass; user unknown
Mar 29 02:53:20 domain smtp(pam_unix)[279988]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Mar 29 02:53:22 domain saslauthd[279988]: do_auth : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Mar 29 02:53:22 domain smtp(pam_unix)[279988]: check pass; user unknown
Mar 29 02:53:22 domain smtp(pam_unix)[279988]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Mar 29 02:53:24 domain saslauthd[279988]: do_auth : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
...............
...............
...............
Mar 29 02:53:48 domain smtp(pam_unix)[279988]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Mar 29 02:53:50 domain saslauthd[279988]: do_auth : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Mar 29 02:53:50 domain smtp(pam_unix)[279988]: check pass; user unknown
Mar 29 02:53:50 domain smtp(pam_unix)[279988]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Mar 29 02:53:52 domain saslauthd[279988]: do_auth : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Mar 29 02:53:52 domain smtp(pam_unix)[279988]: check pass; user unknown
Mar 29 02:53:52 domain smtp(pam_unix)[279988]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Mar 29 02:53:53 domain sendmail[31809]: cannot create socket for saslauthd: Too many open files in system
Mar 29 02:53:53 domain sendmail[31823]: cannot create socket for saslauthd: Too many open files in system
Mar 29 02:53:55 domain saslauthd[279988]: do_auth : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Mar 29 02:53:55 domain smtp(pam_unix)[279988]: check pass; user unknown
Mar 29 02:53:55 domain smtp(pam_unix)[279988]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Mar 29 02:53:57 domain saslauthd[279988]: do_auth : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Mar 29 02:53:57 domain smtp(pam_unix)[279988]: check pass; user unknown
Mar 29 02:53:57 domain smtp(pam_unix)[279988]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=

Stopping the repeated attempts

Against an attacker who connects over and over, tighten the conditions under which a new connection is accepted.
For access restriction the tool is iptables.

Adding a limit to iptables

Add the following to /etc/sysconfig/iptables, using iptables(8) - Linux man page as the reference.
############### add these
-A INPUT -p tcp -m state --syn --state NEW --dport pop3 -m limit --limit 6/m --limit-burst 8 -j ACCEPT ← lets the first 8 new connections through, after that only one every 10 seconds (6 per minute)
-A INPUT -p tcp -m state --syn --state NEW --dport pop3 -j DROP ← whatever the limit did not let through is dropped

The pair only works in this order and ahead of any rule that accepts port 110 unconditionally: iptables stops at the first matching rule, so the DROP has to sit directly behind the rate-limited ACCEPT. Also note that limit keeps one bucket for the whole rule, not one per source address; while an attacker is draining it, new POP3 connections from legitimate users are dropped as well. Per-source limiting needs the recent or hashlimit match instead.

Reloading iptables

# service iptables restart
 Flushing firewall rules:                                 [ OK ]
 Setting chains to policy ACCEPT: mangle filter nat     [ OK ]
 Applying iptables firewall rules:                        [ OK ]

Checking the iptables configuration (the two POP3 rules are at the top of INPUT; the listing also shows the same ACCEPT/DROP pattern applied to smtp and submission with avg 4/min, burst 16)

# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3 flags:SYN,RST,ACK/SYN limit: avg 6/min burst 8
DROP tcp -- anywhere anywhere state NEW tcp dpt:pop3 flags:SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp limit: avg 4/min burst 16
DROP tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:submission limit: avg 4/min burst 16
DROP tcp -- anywhere anywhere state NEW tcp dpt:submission
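To see what `--limit 6/m --limit-burst 8` actually does to a stream of attempts like the one in the log, here is an added example written for this page (not the author's code and not part of iptables). It parses saslauthd failure lines, measures the interval between attempts, and replays the timestamps through a token bucket with the same semantics as the `limit` match. The log lines are constructed to mirror the excerpt above (one failure for user=test every two seconds); the function names and the 2016 year are assumptions of the example.

```python
"""Replay saslauthd failures through a model of the iptables `limit` match.

Added example for this page; not the author's code and not part of iptables.
"""
import re
from datetime import datetime

# Constructed sample log, modelled on the saslauthd lines quoted above
# (one failed SMTP AUTH for user=test every two seconds, 02:53:20-02:53:58).
# Not a real capture.
SAMPLE_LOG = "\n".join(
    "Mar 29 02:53:%02d domain saslauthd[279988]: do_auth : auth failure: "
    "[user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]"
    % sec
    for sec in range(20, 60, 2)
)

AUTH_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ saslauthd\[\d+\]: do_auth : "
    r"auth failure: \[user=(?P<user>[^\]]*)\] \[service=(?P<service>[^\]]*)\]"
)
EPOCH = datetime(1970, 1, 1)


def parse_failures(log_text, year=2016):
    """Return [(seconds, user, service), ...] for every saslauthd auth failure.

    syslog timestamps carry no year, so the caller supplies one (assumed 2016
    here); only the differences between timestamps matter for the analysis.
    """
    failures = []
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        failures.append(((ts - EPOCH).total_seconds(), m.group("user"), m.group("service")))
    return failures


def median_interval(times):
    """Median gap between consecutive attempts, in seconds (0 if fewer than two)."""
    gaps = sorted(b - a for a, b in zip(times, times[1:]))
    if not gaps:
        return 0.0
    mid = len(gaps) // 2
    return gaps[mid] if len(gaps) % 2 else (gaps[mid - 1] + gaps[mid]) / 2


def simulate_limit(times, rate_per_minute=6, burst=8):
    """Verdict of `-m limit --limit <rate>/m --limit-burst <burst>` per SYN.

    `limit` is a token bucket: it starts full with `burst` tokens, every packet
    that matches spends one, and tokens are refilled at the average rate even
    while the burst is being spent.  Credits are tracked in whole milliseconds
    so the result does not depend on float rounding.  True = the rate-limited
    ACCEPT matched; False = the packet fell through to the following DROP.
    """
    times = sorted(times)
    interval_ms = 60_000 // rate_per_minute      # one token per 10 000 ms at 6/m
    cap_ms = burst * interval_ms
    credit_ms = cap_ms
    last = times[0] if times else 0.0
    verdicts = []
    for t in times:
        credit_ms = min(cap_ms, credit_ms + int(round((t - last) * 1000)))
        last = t
        if credit_ms >= interval_ms:
            credit_ms -= interval_ms
            verdicts.append(True)
        else:
            verdicts.append(False)
    return verdicts


def summarize(log_text, rate_per_minute=6, burst=8):
    """Attempt count, typical interval and how many SYNs the rule pair lets through."""
    times = [t for t, _, _ in parse_failures(log_text)]
    verdicts = simulate_limit(times, rate_per_minute, burst)
    return {
        "attempts": len(times),
        "interval_s": median_interval(times),
        "accepted": verdicts.count(True),
        "dropped": verdicts.count(False),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    # A legitimate POP3 client connecting while the bucket is empty shares the
    # attacker's fate, because `limit` is not per source address.
    attacker = [t for t, _, _ in parse_failures(SAMPLE_LOG)]
    legit = attacker[0] + 23.0
    merged = sorted(attacker + [legit])
    print("legitimate client accepted:", simulate_limit(merged)[merged.index(legit)])
```

Against the two-second cadence in the log, 11 of the 20 attempts still reach the daemon: the first nine (the bucket refills one token every 10 seconds while the burst of 8 is being spent) and then one every 10 seconds. The rule slows a guesser down but does not stop a patient one, and the second scenario in the block shows a legitimate client arriving at 02:53:43 being dropped along with the attacker.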


24 Jun, 2016 | mokimoc