
나는 메일 서버를 가지고 있습니다 dovecot
. fail2ban
감옥이 활성화된 상태로 실행하고 있습니다 [dovecot]
. 현재 교도소 상황입니다.
# fail2ban-client status dovecot
Status for the jail: dovecot
|- Filter
| |- Currently failed: 5
| |- Total failed: 94
| `- File list: /var/log/mail.warn /var/log/auth.log
`- Actions
|- Currently banned: 23
|- Total banned: 23
`- Banned IP list: 102.165.49.129 114.220.45.96 115.98.44.72 117.20.117.40 117.81.173.196 117.81.173.227 121.227.161.24 121.239.88.158 180.107.116.92 180.107.125.85 185.137.111.14 185.137.111.145 185.137.111.44 185.137.111.77 185.234.216.120 221.225.183.210 221.225.183.214 221.225.26.196 45.13.36.22 45.227.253.107 49.73.157.152 5.178.153.116 111.94.169.183
블록 유형을 기본값 REJECT --reject-with icmp-port-unreachable
에서 DROP
.iptables -S
...
-A f2b-dovecot -s 45.13.36.22/32 -j DROP
-A f2b-dovecot -s 221.225.26.196/32 -j DROP
-A f2b-dovecot -s 221.225.183.214/32 -j DROP
-A f2b-dovecot -s 221.225.183.210/32 -j DROP
-A f2b-dovecot -s 185.234.216.120/32 -j DROP
-A f2b-dovecot -s 185.137.111.77/32 -j DROP
-A f2b-dovecot -s 185.137.111.44/32 -j DROP
-A f2b-dovecot -s 185.137.111.145/32 -j DROP
-A f2b-dovecot -s 185.137.111.14/32 -j DROP
-A f2b-dovecot -s 180.107.125.85/32 -j DROP
-A f2b-dovecot -s 180.107.116.92/32 -j DROP
-A f2b-dovecot -s 121.239.88.158/32 -j DROP
-A f2b-dovecot -s 121.227.161.24/32 -j DROP
-A f2b-dovecot -s 117.81.173.227/32 -j DROP
-A f2b-dovecot -s 117.81.173.196/32 -j DROP
-A f2b-dovecot -s 117.20.117.40/32 -j DROP
-A f2b-dovecot -s 115.98.44.72/32 -j DROP
-A f2b-dovecot -s 114.220.45.96/32 -j DROP
-A f2b-dovecot -s 102.165.49.129/32 -j DROP
...
그런데 계속해서 다음과 같은 메시지가 옵니다.
May 27 22:27:08 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot [email protected] rhost=185.137.111.77
금지된 IP 주소에서 IMAP 연결이 시도되고 있는 것 같습니다. 그러나 수동으로 실행하면
iptables -I f2b-dovecot <MY_IP> -j DROP
그리고 달리다
telnet MY_MAIL_SERVER 993
예상대로 패킷이 삭제되었습니다.
pam_unix(dovecot:auth) authentication failure
Q: 왜 메시지가 계속 수신되나요 auth.log
? IMAP 포트에 대한 연결이 차단되어 있습니까?