AskOverflow.Dev


spacebiker's questions

spacebiker
Asked: 2021-03-05 03:49:40 +0800 CST

Server IP spoofing and attacks

  • 0

I have a server that has been reported as an attacker since January, and today I finally found some information about these attacks, but none of the logs on my server show anything like it. As a result, the IP has been banned on many blacklists and is causing big problems for my postfix users.

From the attack logs it appears these all come through a browser on Windows NT, but my server is Debian 9. Here are some examples; 62.X.X.X is my IP (sensitive information removed):

62.X.X.X - - [01/Mar/2021:14:25:28 +0000] 80 "GET /wp-login.php HTTP/1.1" 403 794 "-" "Mozilla/5.0(Windows NT 6.3; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"

xmlrpc attack

WP-xmlrpc exploit

Mar 1 06:52:53 h2880623 wordpress(www.zzzzz.zz)[6547]: XML-RPC authentication attempt for unknown user [login] from 62.X.X.X

uvcm 62.X.X.X [27/Feb/2021:19:47:01 "-" "POST /wp-login.php 200 1946
62.X.X.X [28/Feb/2021:12:01:03 "-" "GET /wp-login.php 200 5753
62.X.X.X [28/Feb/2021:12:01:05 "-" "POST /wp-login.php 200 5872

62.X.X.X - - [27/Feb/2021:19:09:53 +0100] "POST /wp-login.php HTTP/1.1" 200 2661 "-" "Mozilla/5.0(Windows NT 6.3; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"
62.X.X.X - - [27/Feb/2021:19:09:54 +0100] "POST /wp-login.php HTTP/1.1" 200 2637 "-" "Mozilla/5.0(Windows NT 6.3; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"
62.X.X.X - - [27/Feb/2021:19:10:00 +0100] "POST /wp-login.php HTTP/1.1" 200 2636 "-" "Mozilla/5.0(Windows NT 6.3; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"

etc.. etc..

Can someone spoof my IP to carry out these attacks? Is there anything I can do to mitigate it?

Edit: I read the post How do I deal with a compromised server? a long time ago and followed it carefully, but even after following those recommendations my server has been compromised, or there is something else going on that is beyond me.

debian postfix brute-force-attacks spoofing
  • 1 answer
  • 252 views
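Added example, not part of the original question or its answer. The reported requests are completed HTTP sessions (POST /wp-login.php answered with 200), which means a TCP handshake finished with 62.X.X.X as the source; that cannot be done with a spoofed address from elsewhere, so the traffic really left that IP, either from this host or from something that shares or NATs it. Since it is outbound, Apache's access log will never show it; the socket table will. The script below reads /proc/net/tcp (Linux only; addresses are in the hex form a little-endian kernel writes) and lists connections the host itself opened to remote web ports, with the owning uid and socket inode. The sample table is constructed; uid 33 is www-data on Debian.

```python
"""List connections this host itself opened to remote HTTP(S) ports.

Added example (not from the original post). Reads /proc/net/tcp text, so it
works on the live host or on a copy saved from a suspect machine.
"""
import os
import socket
import struct

HTTP_PORTS = {80, 443, 8080, 8443}       # ports a web brute-forcer talks to
ESTABLISHED, SYN_SENT = 0x01, 0x02       # /proc/net/tcp state codes


def decode_addr(hexaddr):
    """'0302013E:A8CA' -> ('62.1.2.3', 43210); IPv4 is hex in little-endian byte order."""
    host, port = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(host, 16)))
    return ip, int(port, 16)


def outbound_http_connections(proc_net_tcp_lines):
    """Connections with a high local port and a remote HTTP port, i.e. opened by us."""
    found = []
    for line in proc_net_tcp_lines[1:]:            # skip the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local_ip, local_port = decode_addr(fields[1])
        remote_ip, remote_port = decode_addr(fields[2])
        state = int(fields[3], 16)
        # Heuristic: an inbound client hits *our* service port with a high
        # remote port; a connection we opened is the other way round.
        if (state in (ESTABLISHED, SYN_SENT) and remote_port in HTTP_PORTS
                and local_port >= 1024):
            found.append({
                "local": f"{local_ip}:{local_port}",
                "remote": f"{remote_ip}:{remote_port}",
                "uid": int(fields[7]),
                "inode": int(fields[9]),
            })
    return found


def pid_for_inode(inode):
    """Map a socket inode to its PID via /proc/<pid>/fd (root needed for other users' processes)."""
    if not os.path.isdir("/proc"):
        return None
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                if os.readlink(f"/proc/{pid}/fd/{fd}") == target:
                    return int(pid)
        except OSError:                  # process exited or permission denied
            continue
    return None


# Constructed sample: a LISTEN socket on :80, an inbound client on our :80,
# and one outbound connection from uid 33 to a remote web server on :80.
SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0302013E:0050 0A000001:C3A4 01 00000000:00000000 00:00000000 00000000    33        0 22222 1 0000000000000000 20 4 30 10 -1
   2: 0302013E:A8CA 22D8B85D:0050 01 00000000:00000000 00:00000000 00000000    33        0 33333 1 0000000000000000 20 4 30 10 -1
""".splitlines()

if __name__ == "__main__":
    lines = SAMPLE
    try:
        with open("/proc/net/tcp") as f:          # live host, if available
            lines = f.read().splitlines()
    except OSError:
        pass
    for conn in outbound_http_connections(lines):
        print(conn, "pid:", pid_for_inode(conn["inode"]))
```

On a live host `ss -tnp` shows the same connections with process names; run the script (and the same logic over /proc/net/tcp6) repeatedly, because a brute-forcer only holds each connection for seconds. If nothing ever shows up, the address is probably shared or NATed in front of the server, and the hosting provider is the next place to ask.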
spacebiker
Asked: 2019-03-27 10:50:15 +0800 CST

Dovecot sieve forwards a copy to an unauthorized email address

  • 0

Recently dovecot started resending a copy of every email received by some accounts to an unauthorized email address: [email protected]. Apparently the message is generated locally (127.0.0.1), but I cannot find out where or how it is generated.

Mar 26 19:37:44 sd-4XXXX postfix/cleanup[21014]: 64BA6E182985: message-id=<[email protected]>
Mar 26 19:37:44 sd-4XXXX postfix/qmgr[26225]: 64BA6E182985: from=<[email protected]>, size=15412, nrcpt=1 (queue active)
Mar 26 19:37:46 sd-4XXXX postfix/smtpd[21022]: connect from localhost[127.0.0.1]
Mar 26 19:37:46 sd-4XXXX postfix/smtpd[21022]: E1743E1839D6: client=localhost[127.0.0.1]
Mar 26 19:37:46 sd-4XXXX postfix/cleanup[21014]: E1743E1839D6: message-id=<[email protected]>
Mar 26 19:37:46 sd-4XXXX postfix/smtpd[21022]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Mar 26 19:37:46 sd-4XXXX postfix/qmgr[26225]: E1743E1839D6: from=<[email protected]>, size=16476, nrcpt=1 (queue active)
Mar 26 19:37:46 sd-4XXXX amavis[32748]: (32748-11) Passed CLEAN {RelayedInternal}, ORIGINATING LOCAL [8X.8X.6X.3X]:55254 [8X.8X.6X.3X] <[email protected]> -> <[email protected]>, Queue-ID: 64BA6E182985, Message-ID: <[email protected]>, mail_id: Buvs90Q9JFpr, Hits: -2.898, size: 15412, queued_as: E1743E1839D6, dkim_new=default:mydomain.com, 2353 ms
Mar 26 19:37:46 sd-4XXXX postfix/smtp[21015]: 64BA6E182985: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=2.6, delays=0.23/0.01/0/2.4, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10027): 250 2.0.0 Ok: queued as E1743E1839D6)
Mar 26 19:37:46 sd-4XXXX postfix/qmgr[26225]: 64BA6E182985: removed
Mar 26 19:37:47 sd-4XXXX postfix/pickup[831]: 0CA2BE1851F7: uid=5000 from=<[email protected]>
Mar 26 19:37:47 sd-4XXXX dovecot: lda([email protected]): sieve: msgid=<[email protected]>: forwarded to <[email protected]>
Mar 26 19:37:47 sd-4XXXX postfix/cleanup[21014]: 0CA2BE1851F7: message-id=<[email protected]>
Mar 26 19:37:47 sd-4XXXX postfix/qmgr[26225]: 0CA2BE1851F7: from=<[email protected]>, size=16711, nrcpt=1 (queue active)
Mar 26 19:37:47 sd-4XXXX dovecot: lda([email protected]): sieve: msgid=<[email protected]>: stored mail into mailbox 'INBOX'
Mar 26 19:37:47 sd-4XXXX postfix/pipe[21023]: E1743E1839D6: to=<[email protected]>, relay=dovecot, delay=0.27, delays=0.04/0.02/0/0.22, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 26 19:37:47 sd-4XXXX postfix/qmgr[26225]: E1743E1839D6: removed
Mar 26 19:37:49 sd-4XXXX postfix/smtpd[21033]: connect from localhost[127.0.0.1]
Mar 26 19:37:49 sd-4XXXX postfix/smtpd[21033]: 0113FE182985: client=localhost[127.0.0.1]
Mar 26 19:37:49 sd-4XXXX postfix/cleanup[21014]: 0113FE182985: message-id=<[email protected]>
Mar 26 19:37:49 sd-4XXXX postfix/smtpd[21033]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Mar 26 19:37:49 sd-4XXXX postfix/qmgr[26225]: 0113FE182985: from=<[email protected]>, size=17040, nrcpt=1 (queue active)
Mar 26 19:37:49 sd-4XXXX amavis[32627]: (32627-11) Passed CLEAN {RelayedOutbound}, LOCAL [127.0.0.1] [8X.8X.6X.3X] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: 4g8Irz6LJmCW, Hits: -3.098, size: 16711, queued_as: 0113FE182985, dkim_sd=default:mydomain.com, 1985 ms
Mar 26 19:37:49 sd-4XXXX postfix/smtp[21015]: 0CA2BE1851F7: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.1, delays=0.12/0/0/2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0113FE182985)
Mar 26 19:37:49 sd-4XXXX postfix/qmgr[26225]: 0CA2BE1851F7: removed

Edit 1: I have ISPConfig 3 installed on the server, and these email accounts had the unauthorized address ([email protected]) in the cc field. I have removed those entries, but the problem persists.

Edit 2: After some research I found that dovecot sieve was configured to redirect these emails to the address in question. I checked the file in /var/vmail/destindomain.com/info/.sieve and could find the line redirect "[email protected]", apparently created from ispconfig, but not removed when I modified the entry through the ispconfig interface.

debian
  • 1 answer
  • 292 views
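Added example, not from the original post or ISPConfig. Pigeonhole's `redirect` action is what produced the `sieve: ... forwarded to` line in the log above, and ISPConfig writes one `.sieve` script per mailbox under /var/vmail, so a forward the panel no longer displays can survive in the file. The script walks a vmail tree, finds every `redirect` whose target domain is not one you host, and reports it. The sample script is constructed.

```python
"""Audit Dovecot/Pigeonhole Sieve scripts for redirects to domains you do not host.

Added example, not from the original post or ISPConfig. It finds the kind of
leftover `redirect "..."` line the post found by hand in
/var/vmail/<domain>/<user>/.sieve.
"""
import os
import re
import sys

# redirect "a@b";   redirect :copy "a@b";   redirect :copy :days 7 "a@b";
# Anchored at line start so commented-out '# redirect ...' lines are skipped.
REDIRECT_RE = re.compile(r'^\s*redirect\b[^"\n]*"([^"]+)"\s*;', re.MULTILINE)


def external_redirects(script_text, local_domains):
    """Redirect targets in a Sieve script whose domain is not in local_domains."""
    local = {d.lower() for d in local_domains}
    hits = []
    for addr in REDIRECT_RE.findall(script_text):
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in local:
            hits.append(addr)
    return hits


def audit_vmail_tree(root, local_domains):
    """Walk root (e.g. /var/vmail) and map each .sieve path to its external redirect targets."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".sieve"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as f:
                    text = f.read()
            except OSError:
                continue
            hits = external_redirects(text, local_domains)
            if hits:
                report[path] = hits
    return report


# Constructed sample in the shape ISPConfig generates: the mailbox owner's
# own rule plus a leftover forward to an outside address.
SAMPLE_SIEVE = '''require ["fileinto", "copy"];
# forward generated from the ISPConfig mailbox settings
redirect :copy "someone@example.net";
if header :contains "subject" "invoice" {
    fileinto "INBOX.Invoices";
}
redirect "colleague@example.com";
'''

if __name__ == "__main__":
    # Usage: python3 sieve_audit.py /var/vmail hosted1.example hosted2.example
    if len(sys.argv) < 3:
        sys.exit("usage: sieve_audit.py <vmail-root> <hosted-domain>...")
    for path, targets in audit_vmail_tree(sys.argv[1], sys.argv[2:]).items():
        print(f"{path}: redirects to {', '.join(targets)}")
```

After removing a line by hand, Pigeonhole recompiles the cached `.svbin` next to the script when the source is newer, so no restart is needed; rerun the audit afterwards, since the post's symptom was a forward that came back after the panel edit.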
spacebiker
Asked: 2017-07-10 13:18:52 +0800 CST

Pure-ftpd-mysql will not start after updating MariaDB to 10.2

  • 1

I updated MariaDB from 10.0 to 10.2 and now pure-ftpd-mysql will not restart:

service pure-ftpd-mysql restart

Output:

Job for pure-ftpd-mysql.service failed. See 'systemctl status pure-ftpd-mysql.service' and 'journalctl -xn' for details.

systemctl:

systemctl status pure-ftpd-mysql.service -l

Output:

● pure-ftpd-mysql.service - (null)
 Loaded: loaded (/etc/init.d/pure-ftpd-mysql)
 Active: failed (Result: exit-code) since Sun 2017-07-09 23:12:23 CEST; 53s ago
Process: 3887 ExecStart=/etc/init.d/pure-ftpd-mysql start (code=exited, status=127)

  Jul 09 23:12:23 s***.h****.net pure-ftpd-mysql[3887]: Starting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -E -j -D -A -H -J ALL:!aNULL:!SSLv3 -O clf:/var/log/pure-ftpd/transfer.log -b -8 UTF-8 -Y 1 -u 1000 -B
  Jul 09 23:12:23 s***.h****.net pure-ftpd-mysql[3887]: /usr/sbin/pure-ftpd-mysql-virtualchroot: /usr/lib/x86_64-linux-gnu/libmysqlclient.so.18: no version information available (required by /usr/sbin/pure-ftpd-mysql-virtualchroot)
  Jul 09 23:12:23 s***.h****.net pure-ftpd-mysql[3887]: /usr/sbin/pure-ftpd-mysql-virtualchroot: relocation error: /usr/sbin/pure-ftpd-mysql-virtualchroot: symbol my_make_scrambled_password, version libmysqlclient_18 not defined in file libmysqlclient.so.18 with link time reference
  Jul 09 23:12:23 s***.h****.net systemd[1]: pure-ftpd-mysql.service: control process exited, code=exited status=127
  Jul 09 23:12:23 s***.h****.net systemd[1]: Failed to start (null).
  Jul 09 23:12:23 s***.h****.net systemd[1]: Unit pure-ftpd-mysql.service entered failed state.

journalctl:

-- Unit pure-ftpd-mysql.service has begun starting up.
Jul 09 23:15:22 s***.h****.net pure-ftpd-mysql[4170]: Starting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -
Jul 09 23:15:22 s***.h****.net pure-ftpd-mysql[4170]: /usr/sbin/pure-ftpd-mysql-virtualchroot: /usr/lib/x86_64-linux-gnu/libmysqlclient.so.18: no version information avai
Jul 09 23:15:22 s***.h****.net pure-ftpd-mysql[4170]: /usr/sbin/pure-ftpd-mysql-virtualchroot: relocation error: /usr/sbin/pure-ftpd-mysql-virtualchroot: symbol my_make_s
Jul 09 23:15:22 s***.h****.net systemd[1]: pure-ftpd-mysql.service: control process exited, code=exited status=127
Jul 09 23:15:22 s***.h****.net systemd[1]: Failed to start (null).
-- Subject: Unit pure-ftpd-mysql.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit pure-ftpd-mysql.service has failed.
-- 
-- The result is failed.
Jul 09 23:15:22 s***.h****.net systemd[1]: Unit pure-ftpd-mysql.service entered failed state.

mariadb -v

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 17831
Server version: 10.2.6-MariaDB-10.2.6+maria~jessie-log mariadb.org binary distribution

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Reading history-file /root/.mysql_history

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mariadb
  • 4 answers
  • 4912 views
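Added example, not from the original post or its answers. The journal line is the dynamic linker reporting that the binary was linked against a libmysqlclient.so.18 which exported `my_make_scrambled_password` under symbol version `libmysqlclient_18`, and that the `.so.18` now installed keeps the soname but no longer exports that symbol, so the exec fails with status 127. The script parses that message and then asks the loader directly whether a library exports a symbol, which is the check to repeat after reinstalling the client library or rebuilding the package against the new headers.

```python
"""Diagnose a 'relocation error: symbol X, version Y not defined' failure.

Added example, not from the original post. Parses the loader message and
checks, through the dynamic linker itself, whether a library exports a symbol.
"""
import ctypes
import re

RELOC_RE = re.compile(
    r"(?P<binary>\S+): relocation error: (?P<object>\S+): "
    r"symbol (?P<symbol>\w+), version (?P<version>\S+) not defined in file "
    r"(?P<library>\S+) with link time reference"
)


def parse_relocation_error(line):
    """Extract binary, symbol, symbol version and library from a loader error line, or None."""
    m = RELOC_RE.search(line)
    return m.groupdict() if m else None


def has_symbol(library, symbol):
    """True if `library` (a soname or path; None = the running process) exports `symbol`."""
    try:
        lib = ctypes.CDLL(library)
    except OSError:                 # library not installed or not loadable
        return False
    try:
        getattr(lib, symbol)        # dlsym() under the hood
        return True
    except AttributeError:
        return False


# The exact line from the journal in the post.
JOURNAL_LINE = (
    "Jul 09 23:12:23 s***.h****.net pure-ftpd-mysql[3887]: "
    "/usr/sbin/pure-ftpd-mysql-virtualchroot: relocation error: "
    "/usr/sbin/pure-ftpd-mysql-virtualchroot: symbol my_make_scrambled_password, "
    "version libmysqlclient_18 not defined in file libmysqlclient.so.18 "
    "with link time reference"
)

if __name__ == "__main__":
    info = parse_relocation_error(JOURNAL_LINE)
    print(info)
    present = has_symbol(info["library"], info["symbol"])
    print(f'{info["library"]} exports {info["symbol"]}: {present}')
```

`objdump -T /usr/lib/x86_64-linux-gnu/libmysqlclient.so.18 | grep my_make_scrambled_password` gives the same answer from the file alone; the ctypes check has the advantage of following the same search path the failing binary uses, so a stale copy in another directory is caught too.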
spacebiker
Asked: 2017-03-29 09:11:16 +0800 CST

Gmail and other private servers mark legitimate emails as spam

  • 5

The mail server configuration is driving me crazy. Emails sent from my own private server are again being blocked by Gmail and other private servers.

I checked the Gmail headers and SPF, DKIM and DMARC pass. Attached are the headers of a blocked email sent to Gmail and blocked (sent to the spam folder):

Delivered-To: t***@gmail.com
Received: by 10.129.84.197 with SMTP id i188csp307475ywb;
    Tue, 28 Mar 2017 08:09:36 -0700 (PDT)
X-Received: by 10.223.179.15 with SMTP id j15mr28236175wrd.62.1490713776657;
    Tue, 28 Mar 2017 08:09:36 -0700 (PDT)
Return-Path: <x****@e****a.com>
Received: from sd-****.h****t.net (sd-****.h****t.net. [62.***.***.202])
    by mx.google.com with ESMTPS id d9si3721691wmf.26.2017.03.28.08.09.36
    for <t***@gmail.com>
    (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
    Tue, 28 Mar 2017 08:09:36 -0700 (PDT)
Received-SPF: pass (google.com: domain of x****@e****a.com designates 62.***.***.202 as permitted sender) client-ip=62.***.***.202;
Authentication-Results: mx.google.com;
   dkim=pass header.i=@e****a.com;
   spf=pass (google.com: domain of x****@e****a.com designates 62.***.***.202 as permitted sender) smtp.mailfrom=x****@e****a.com;
   dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=e****a.com
Received: from localhost (localhost [127.0.0.1]) by sd-****.h****t.net (Postfix) with ESMTP id 23010E1804BD for <t***@gmail.com>; Tue, 28 Mar 2017 17:09:06 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=e****a.com; h= user-agent:message-id:references:in-reply-to:organization :subject:subject:from:from:date:date:content-type:content-type :mime-version; s=default; t=1490713742; x=1492528143; bh=3ja/eI3 QdMpadvw414LY9BFcUewLWEwqdI4hsKcMJJM=; b=j6otfwG+Z3810Oy1UDib4qM NJ580B6v06J9DVKRoP8orJnGtd3UpP5l2ingbwaR5c9q4X/XJ9NAFVe9d4TW76Nv sNAMimkRVYX78SS47gRVlCRmHDwab1FwgdsAP6yJRBpBhT76X/nydqbqfkkQampr FDWehLeYjk0w5XgZUilA=
X-Virus-Scanned: Debian amavisd-new at sd-****.h****t.net
Received: from sd-****.h****t.net ([127.0.0.1]) by localhost (sd-****.h****t.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id cZ7SDTl25__u for <t***@gmail.com>; Tue, 28 Mar 2017 17:09:02 +0200 (CEST)
Received: from webmail.e***.com (localhost [IPv6:::1]) by sd-****.h****t.net (Postfix) with ESMTP id B5787E180487 for <t***@gmail.com>; Tue, 28 Mar 2017 17:09:02 +0200 (CEST)
MIME-Version: 1.0
Content-Type: multipart/alternative;     boundary="=_63e0609e24a7c5c6e72a2b53077f53c2"
Date: Tue, 28 Mar 2017 17:09:02 +0200
From: X*** **** - E*** K*** <x****@e****a.com>
To: t***@gmail.com
Subject: Fwd: Re: --- Subject of the message ---
Organization: E*** K****
In-Reply-To: <9f2d7aa8380dcf31e2a7af4795a1463d@e****a.com>
References: <CAMhvi0=PAuUOpg4eNmYn+gckaRhP6wFMMyO-frJeY5=gPC-qVg@mail.gmail.com> <9f2d7aa8380dcf31e2a7af4795a1463d@e****a.com>
Message-ID: <794731b396abba6212312e17219e6d7f@e****a.com>
X-Sender: x****@e****a.com
User-Agent: Roundcube Webmail/1.1.5

--=_63e0609e24a7c5c6e72a2b53077f53c2
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

--- Here the content of the message ---

--=_63e0609e24a7c5c6e72a2b53077f53c2--

Edit: results from senderbase:

Details
IP Address          62.***.***.202
Fwd/Rev DNS Match   Yes

Email Reputation    Neutral
Web Reputation      Neutral

                    Last Day   Last Month
Email Volume        0.0        1.9
Volume Change       -100% ↓

Hostname            sd-****.h****t.net
Domain              poneytelecom.eu
Network Owner       Free SAS
Blacklists
bl.spamcop.net      Not Listed
cbl.abuseat.org     Not Listed
pbl.spamhaus.org    Not Listed
sbl.spamhaus.org    Not Listed
postfix
  • 3 answers
  • 2869 views
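Added example, not from the original post or its answers. The `Authentication-Results` header above already says spf=pass, dkim=pass and dmarc=pass, so the spam verdict is not an authentication failure; what a receiver weighs next is the connecting IP, its reputation and whether its reverse DNS is forward-confirmed. The script extracts those facts from a raw message and checks forward-confirmed rDNS through injectable lookup functions, so it can be tested offline and run against real DNS by passing the `system_ptr`/`system_a` helpers. The sample message is a constructed, unmasked stand-in for the headers above using documentation addresses (192.0.2.10, example.com).

```python
"""Extract what a receiving MTA sees and check forward-confirmed reverse DNS.

Added example, not from the original post. The Authentication-Results header
in the post already reports spf/dkim/dmarc=pass, so what is left to verify
is the connecting IP and whether its PTR and A records agree.
"""
import email
import re
import socket

# IPv4 literal in the "from host (name [ip])" clause of a Received: header.
IP_IN_RECEIVED = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_authentication_results(msg):
    """Map spf/dkim/dmarc to their verdicts from Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header):
            results.setdefault(method, verdict)   # first (outermost) result wins
    return results


def connecting_ip(msg, receiving_host):
    """IP in the Received: line stamped by receiving_host's MX, the one reputation is judged on."""
    for header in msg.get_all("Received", []):
        flat = " ".join(header.split())
        if f"by {receiving_host}" in flat:
            m = IP_IN_RECEIVED.search(flat)
            if m:
                return m.group(1)
    return None


def fcrdns_ok(ip, ptr_lookup, a_lookup):
    """Forward-confirmed rDNS: PTR(ip) gives a name whose A records include ip."""
    try:
        name = ptr_lookup(ip)
        return name, ip in a_lookup(name)
    except OSError:                       # NXDOMAIN, timeout, etc.
        return None, False


def system_ptr(ip):
    """Real PTR lookup via the system resolver."""
    return socket.gethostbyaddr(ip)[0]


def system_a(name):
    """Real A lookup via the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})


# Constructed stand-in for the masked headers in the post (documentation
# addresses); body and DKIM-Signature omitted.
SAMPLE = """Delivered-To: recipient@gmail.example
Received: by 10.129.84.197 with SMTP id i188csp307475ywb;
    Tue, 28 Mar 2017 08:09:36 -0700 (PDT)
Return-Path: <sender@example.com>
Received: from mail.example.com (mail.example.com. [192.0.2.10])
    by mx.google.com with ESMTPS id d9si3721691wmf.26
    for <recipient@gmail.example>
    (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
    Tue, 28 Mar 2017 08:09:36 -0700 (PDT)
Received-SPF: pass (google.com: domain of sender@example.com designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
Authentication-Results: mx.google.com;
   dkim=pass header.i=@example.com;
   spf=pass (google.com: domain of sender@example.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=sender@example.com;
   dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
From: Sender <sender@example.com>
To: recipient@gmail.example
Subject: test

body
"""


def sample_message():
    """Parse the constructed sample into an email.message.Message."""
    return email.message_from_string(SAMPLE)


if __name__ == "__main__":
    msg = sample_message()
    print("auth:", parse_authentication_results(msg))
    ip = connecting_ip(msg, "mx.google.com")
    print("connecting ip:", ip)
    if ip:
        print("fcrdns (live DNS):", fcrdns_ok(ip, system_ptr, system_a))
```

Feed it the real saved message with `email.message_from_file` and the receiver's MX name to get the live answer. The senderbase output in the post already reports the forward/reverse match as Yes and both reputations as Neutral, so for this sender the remaining levers are the netblock's reputation, which the owner cannot change, and sending history.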
spacebiker
Asked: 2017-03-28 11:31:56 +0800 CST

Stop a script hosted on the server from sending email using another domain's address on the same server

  • 1

Let me explain the situation a bit..

There are two websites hosted on the same server, example1.com and example2.com. Suppose Example2 gets hacked and the attacker writes a PHP function to send emails using the PHP mail function or sendmail, and he is sending emails using an @example1.com domain address. The SPF and DKIM records will identify the outgoing mail from the example2.com script as legitimate, because the SPF record points to the correct server address, right?

So.. is it possible to stop a website hosted on your own private server from sending email (via PHP mail or sendmail) using other hosted domain names?

email
  • 1 answer
  • 135 views
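Added example, not from the original post or its answer, and not an ISPConfig feature. The reasoning in the question is right: SPF and DKIM vouch for the server, not for the script, so a hacked example2.com can send as @example1.com and pass both. The control therefore has to sit at the submission point on the host. Assumed setup: each site's PHP runs as its own system user (a php-fpm pool), and that pool's php.ini sets `sendmail_path = /usr/local/bin/site-sendmail example2.com` (hypothetical path), so every mail() call passes through this wrapper, which rejects From:/Sender: headers outside the site's domain and pins the envelope sender before handing the message to the real sendmail.

```python
#!/usr/bin/env python3
"""Per-site sendmail wrapper: refuse From:/Sender: outside the site's domain,
pin the envelope sender, then hand the message to the real sendmail.

Added example, not from the original post. Assumes Postfix's sendmail(1) at
/usr/sbin/sendmail and one PHP user per site.
"""
import email
import email.utils
import os
import subprocess
import sys

REAL_SENDMAIL = "/usr/sbin/sendmail"     # assumed path of Postfix's sendmail(1)


def sender_domain(header_value):
    """Domain part of the address in a From:/Sender: header value, or None."""
    _name, addr = email.utils.parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def check_message(raw, allowed_domains):
    """Return (ok, reason): ok only if every From:/Sender: address is under an allowed domain."""
    msg = email.message_from_string(raw)
    allowed = {d.lower() for d in allowed_domains}
    if not msg.get_all("From"):
        return False, "missing From: header"
    for hdr in ("From", "Sender"):
        for value in msg.get_all(hdr, []):
            if sender_domain(value) not in allowed:
                return False, f"{hdr}: {value!r} is not under {sorted(allowed)}"
    return True, "ok"


def main(argv):
    """Usage: site-sendmail <site-domain>; the message arrives on stdin as PHP's mail() sends it."""
    if len(argv) < 2:
        sys.stderr.write("usage: site-sendmail <site-domain>\n")
        return 2
    site_domain = argv[1]
    raw_bytes = sys.stdin.buffer.read()
    ok, reason = check_message(raw_bytes.decode("utf-8", "replace"), [site_domain])
    if not ok:
        # The calling uid identifies the site whose code tried to send.
        sys.stderr.write(f"site-sendmail: uid {os.getuid()} rejected: {reason}\n")
        return 1
    # Pin MAIL FROM to the site. Anything PHP appended from mail()'s fifth
    # argument (e.g. -f) is deliberately not passed through.
    cmd = [REAL_SENDMAIL, "-t", "-i", "-f", f"www-data@{site_domain}"]   # assumed bounce address
    return subprocess.run(cmd, input=raw_bytes, check=False).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The wrapper only governs what goes through the sendmail path; a script can still open a socket to port 25 on the host or to an outside relay. Pair it with Postfix's `authorized_submit_users` to limit which local users may call sendmail(1) at all, and an iptables `-m owner --uid-owner` rule that blocks outbound 25/465/587 for the web users, so the wrapper is the only way out.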
spacebiker
Asked: 2013-03-08 17:31:31 +0800 CST

SSL on multiple domains results in the same content [duplicate]

  • 1
This question already has answers here:
Multiple SSL domains on the same IP address and the same port? (5 answers)
Closed 9 years ago.

I have set up a Debian LAMP server on which I host multiple websites. As far as I know I can only use SSL on one of them, and if I want SSL on two or more sites I have to add another IP - so far so good.

The problem is that whenever I enter https://siteone.com or https://sitetwo.com it always shows the content from https://siteone.com. I would rather it showed an error message or something, but definitely not the content of my main site (which is where I want SSL to work).

Note: my Debian web server uses ispconfig as its control panel.

ssl
  • 4 answers
  • 2228 views
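Added example, not from the original post or the linked answers. Apache answers a request on an address:port with the first `<VirtualHost>` defined for it unless a `ServerName` or `ServerAlias` matches the name the client sent, and a TLS client that sends no SNI gets that first vhost's certificate and content, which is exactly why sitetwo.com shows siteone.com. The fix is a catch-all vhost declared before the real ones that serves nothing. The script parses httpd config text and reports which vhost Apache would pick for a given name; the two configs are constructed, with certificate directives omitted.

```python
"""Which Apache vhost answers for a name on an address:port?

Added example, not from the original post. Emulates Apache's selection rule:
first ServerName/ServerAlias match on the address, else the first vhost
defined for that address (also what a no-SNI TLS client gets).
"""
import fnmatch
import re
import sys

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(config_text):
    """Return vhosts in definition order as {addrs: [...], names: [...]}, names lower-cased."""
    vhosts = []
    for addrs, body in VHOST_RE.findall(config_text):
        names = re.findall(r"^\s*ServerName\s+(\S+)", body, re.M)
        for line in re.findall(r"^\s*ServerAlias\s+(.+?)\s*$", body, re.M):
            names.extend(line.split())          # aliases may use * and ? wildcards
        vhosts.append({"addrs": addrs.split(), "names": [n.lower() for n in names]})
    return vhosts


def default_vhost(vhosts, addr):
    """The vhost Apache falls back to for addr: the first one defined for it."""
    for vh in vhosts:
        if addr in vh["addrs"]:
            return vh
    return None


def which_vhost(vhosts, addr, host):
    """Vhost chosen for the Host/SNI name: first name match on addr, else the default."""
    host = host.lower()
    for vh in vhosts:
        if addr in vh["addrs"] and any(fnmatch.fnmatchcase(host, pat) for pat in vh["names"]):
            return vh
    return default_vhost(vhosts, addr)


# Constructed: the layout that shows siteone for every name, and the fixed
# layout with a catch-all in front that only returns 404 (SSLCertificate*
# directives omitted; the catch-all still needs some certificate).
ORIGINAL = """
<VirtualHost *:443>
    ServerName siteone.com
    ServerAlias www.siteone.com
    DocumentRoot /var/www/siteone
</VirtualHost>
<VirtualHost *:443>
    ServerName sitetwo.com
    DocumentRoot /var/www/sitetwo
</VirtualHost>
"""
FIXED = """
<VirtualHost *:443>
    ServerName default.invalid
    SSLEngine on
    Redirect 404 /
</VirtualHost>
""" + ORIGINAL

if __name__ == "__main__":
    # Usage: python3 vhost_check.py /etc/apache2/sites-enabled/*.conf
    text = "".join(open(p).read() for p in sys.argv[1:]) if len(sys.argv) > 1 else ORIGINAL
    vhosts = parse_vhosts(text)
    for name in ("siteone.com", "sitetwo.com", "unknown.example"):
        chosen = which_vhost(vhosts, "*:443", name)
        print(name, "->", chosen["names"] if chosen else None)
```

With the ORIGINAL layout every unmatched name (and every client without SNI) lands on siteone.com; with FIXED it lands on the catch-all. `apachectl -S` prints Apache's own view of the same ordering, including which vhost it treats as the default for each address.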
