Gentoo Forums
[solved] fail2ban for postfix-sasl
Reply to topic    Gentoo Forums Forum Index Networking & Security
Elleni
Veteran
Joined: 23 May 2006
Posts: 1073

PostPosted: Tue Nov 26, 2019 10:52 pm    Post subject: [solved] fail2ban for postfix-sasl Reply with quote

I activated said jail by creating postfix-sasl.conf in jail.d with the following entry:
Code:
[postfix-sasl]
enabled  = true
but the preconfigured jail seems not to catch anything.
fail2ban-client status postfix-sasl
Code:
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed:   0
|  |- Total failed:   0
|  `- File list:   /var/log/mail.log
`- Actions
   |- Currently banned:   0
   |- Total banned:   0
   `- Banned IP list:

I am missing postfix-sasl in the filter.d folder anyway, but I thought, ok, maybe one is supposed to go with the postfix one nowadays.

But testing gives:
fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf
Code:
Running tests
=============

Use   failregex filter file : postfix, basedir: /etc/fail2ban
Use      datepattern : Default Detectors
Use         log file : /var/log/mail.log
Use         encoding : UTF-8


Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^RCPT from [^[]*\[<HOST>\](?::\d+)?: 55[04] 5\.7\.1\s
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [2805] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 2805 lines, 0 ignored, 1 matched, 2804 missed
[processed in 0.26 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 2804 lines


So what am I missing?

cat /var/log/mail.log | grep "SASL LOGIN authentication failed" gives plenty of lines like the following:
Code:
Nov 26 03:54:04 hostname postfix/smtpd[25848]: warning: unknown[193.56.28.213]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Last edited by Elleni on Wed Nov 27, 2019 10:42 pm; edited 1 time in total
freke
Guru
Joined: 23 Jan 2003
Posts: 588
Location: Somewhere in Denmark

PostPosted: Wed Nov 27, 2019 2:39 pm    Post subject: Reply with quote

I'm using 4 jails for my mailserver:
postfix-auth, postfix, dovecot and sasl.

Can't remember if I edited any of the filters really - but I don't think so.

I currently have:
~1000 banned via dovecot-filter
7 via postfix
7 via postfix-auth
16 via sasl

I'm doing harsh banning on my dovecot filter; it's a personal server, so if anyone tries to log in with a failed password it's a ban after the 1st attempt.

my jail.local
Code:
[DEFAULT]
ignoreip = 10.0.0.0/23 2001:470:28:4a6:f5db:7b20:83a1:e2a9 2001:470:28:4a6:20d:b9ff:fe4a:e000
backend  = pyinotify

[postfix-auth]
enabled  = true
bantime  = 1d
filter   = postfix.auth
action   = iptables-allports[name=postfix, protocol=tcp]
logpath  = /var/log/messages
maxretry = 2
findtime = 2h

[postfix]
enabled  = true
bantime  = 1d
filter   = postfix
action   = iptables-allports[name=postfix, protocol=tcp]
logpath  = /var/log/messages
maxretry = 2
findtime = 2h

[dovecot]
enabled  = true
bantime  = 7d
filter   = dovecot
action   = iptables-multiport[name=dovecot, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath  = /var/log/messages
maxretry = 1
findtime = 1h

[sasl]
enabled  = true
bantime  = 1d
filter   = sasl
action   = iptables-allports[name=sasl, protocol=tcp]
logpath  = /var/log/messages
maxretry = 2
findtime = 2h

Code:
mail /etc/fail2ban # fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/dovecot.conf

Running tests
=============

Use   failregex filter file : dovecot, basedir: /etc/fail2ban
Use      datepattern : Default Detectors
Use         log file : /var/log/messages
Use         encoding : UTF-8


Results
=======

Failregex: 566 total
|-  #) [# of hits] regular expression
|   2) [566] ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [27884] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 27884 lines, 0 ignored, 566 matched, 27318 missed
[processed in 23.99 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 27318 lines
I get 566 matches on my current log (rotated 3 days ago).
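As an added worked example (not code from this thread, and not fail2ban's own code), the following small Python script re-creates what fail2ban-regex does in the first post and what the maxretry/findtime settings in the jail.local above decide: it runs two filters over a handful of constructed syslog lines (modelled on the SASL line quoted above, with made-up IPs), shows that a postfix-style "RCPT from ... 554 5.7.1" regex cannot see SASL failures while a postfix-sasl-style regex does, and then applies a per-host sliding window the way maxretry/findtime do. The two regexes are simplified versions written for this example, not copies of fail2ban's filter.d files; the syslog prefix handling and the `<HOST>` expansion are likewise assumptions made here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (syslog format without year). Hosts, PIDs and the
# 203.0.113.7 client are invented for this example.
SAMPLE_LOG = """\
Nov 26 03:54:04 hostname postfix/smtpd[25848]: warning: unknown[193.56.28.213]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 26 03:54:09 hostname postfix/smtpd[25848]: warning: unknown[193.56.28.213]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 26 03:55:12 hostname postfix/smtpd[25850]: connect from unknown[178.128.148.84]
Nov 26 03:55:13 hostname postfix/smtpd[25850]: warning: unknown[178.128.148.84]: SASL PLAIN authentication failed: authentication failure
Nov 26 07:10:00 hostname postfix/smtpd[25901]: warning: unknown[178.128.148.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 26 08:00:00 hostname postfix/smtpd[25950]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <spam@example.invalid>: Relay access denied; from=<a@b.invalid> to=<c@d.invalid> proto=ESMTP helo=<x>
"""

# Syslog timestamp in front of every line; the remainder is what the filter sees.
DATE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")

# Assumed stand-ins for fail2ban's __prefix_line and <HOST> placeholder.
PREFIX = r"^\S+ postfix/smtpd\[\d+\]: "
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Simplified filters modelled on the postfix-sasl and postfix jails.
FILTERS = {
    "postfix-sasl": re.compile(
        PREFIX
        + r"warning: [-._\w]+\[" + HOST + r"\]: SASL "
        + r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
        + r"(?:: [ A-Za-z0-9+/:]*={0,2})?\s*$"
    ),
    "postfix": re.compile(
        PREFIX
        + r"NOQUEUE: reject: RCPT from [^[]*\[" + HOST + r"\](?::\d+)?: 55[04] 5\.7\.1\s"
    ),
}


def scan(log_text, filter_name, maxretry, findtime_s, year=2019):
    """Apply one filter to the log.

    Returns (matched, bans): matched is the number of lines the failregex hit
    ("Total failed"), bans maps host -> timestamp of the failure that tripped
    the ban. A host is banned once it has >= maxretry failures within
    findtime_s seconds, like fail2ban's maxretry/findtime.
    """
    regex = FILTERS[filter_name]
    recent = defaultdict(list)  # host -> failure timestamps inside the window
    bans = {}
    matched = 0
    for line in log_text.splitlines():
        m = DATE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        hit = regex.match(m.group("rest"))
        if not hit:
            continue
        matched += 1
        host = hit.group("host")
        if host in bans:
            continue  # already banned; later failures do not change the result
        window = [t for t in recent[host] if (ts - t).total_seconds() <= findtime_s]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            bans[host] = ts
    return matched, bans


if __name__ == "__main__":
    # Same maxretry/findtime as the postfix and sasl jails in the jail.local above.
    for name in FILTERS:
        matched, bans = scan(SAMPLE_LOG, name, maxretry=2, findtime_s=2 * 3600)
        print(f"{name}: {matched} matched, banned: {sorted(bans)}")
```

With maxretry=2 and findtime=2h the postfix-sasl filter matches four lines and bans only 193.56.28.213: 178.128.148.84 also fails twice, but more than two hours apart, so the first failure has aged out of the window by the time the second arrives (raise findtime to 4h and it gets banned too). The postfix filter matches only the single RCPT line, which is the same shape of result as the "1 matched, 2804 missed" run in the first post.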
Elleni
Veteran
Joined: 23 May 2006
Posts: 1073

PostPosted: Wed Nov 27, 2019 10:41 pm    Post subject: Reply with quote

I thought it might have to do with my syslog-ng, which I had briefly tried to configure to get separate mails. So I deleted syslog-ng.conf, reverted back and retried with the default syslog-ng.conf, and guess what, postfix-sasl started to do its job :)

Code:
fail2ban-client status postfix-sasl
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed:   0
|  |- Total failed:   0
|  `- File list:   /var/log/messages
`- Actions
   |- Currently banned:   2
   |- Total banned:   2
   `- Banned IP list:   178.128.148.84 193.56.28.213


So I will wait and see if more IPs get trapped in this jail, and slowly I'll experiment with more jails.

Thanks for sharing your configuration as example.
All times are GMT