HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   Installation/Configuration (http://www.howtoforge.com/forums/forumdisplay.php?f=27)
-   -   sasl / fail2ban vs. postfix/smtpd warnings (http://www.howtoforge.com/forums/showthread.php?t=52667)

eko_taas 14th May 2011 10:27

sasl / fail2ban vs. postfix/smtpd warnings
 
I wonder, should fail2ban also ban IPs trying to contact smtp?

The Fail2Ban log has only SSH entries in this period:
Code:

...
2011-05-11 18:27:50,277 fail2ban.jail : INFO Jail 'sasl' started
....
2011-05-11 18:41:39,843 fail2ban.actions: WARNING [ssh] Ban 210.114.220.186
2011-05-11 19:11:40,750 fail2ban.actions: WARNING [ssh] Unban 210.114.220.186
2011-05-12 00:46:19,139 fail2ban.actions: WARNING [ssh] Ban 112.137.163.72
2011-05-12 01:16:20,125 fail2ban.actions: WARNING [ssh] Unban 112.137.163.72
...
2011-05-12 07:04:56,836 fail2ban.actions: WARNING [ssh] Ban 122.227.135.143
2011-05-12 07:34:57,763 fail2ban.actions: WARNING [ssh] Unban 122.227.135.143
....
2011-05-12 12:16:09,844 fail2ban.actions: WARNING [ssh] Ban 112.78.1.6
2011-05-12 12:46:10,760 fail2ban.actions: WARNING [ssh] Unban 112.78.1.6
2011-05-12 12:57:46,498 fail2ban.actions: WARNING [ssh] Ban 122.225.101.154
2011-05-12 13:27:47,462 fail2ban.actions: WARNING [ssh] Unban 122.225.101.154
2011-05-12 14:21:34,999 fail2ban.actions: WARNING [ssh] Ban 46.45.147.25
2011-05-12 14:51:35,997 fail2ban.actions: WARNING [ssh] Unban 46.45.147.25
...

but the mail.warn log also has several smtpd attempts (e.g. from IP 70.38.23.166) not listed above:
Code:

...
May 12 07:51:48 server1 postfix/smtpd[26044]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:51:51 server1 postfix/smtpd[26071]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:51:54 server1 postfix/smtpd[26073]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:51:57 server1 postfix/smtpd[26074]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:01 server1 postfix/smtpd[26075]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:03 server1 postfix/smtpd[26083]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:07 server1 postfix/smtpd[26084]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:10 server1 postfix/smtpd[26110]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:13 server1 postfix/smtpd[26115]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:16 server1 postfix/smtpd[26116]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:19 server1 postfix/smtpd[26117]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:22 server1 postfix/smtpd[26118]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:25 server1 postfix/smtpd[26119]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:29 server1 postfix/smtpd[26120]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:32 server1 postfix/smtpd[26122]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:36 server1 postfix/smtpd[26123]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
...

Any reason why they are not listed/banned? Or should I add something to /etc/fail2ban/jail.local (Debian Squeeze / ISPConfig 3.0.3.3)? It currently looks like this (as in http://www.howtoforge.com/forums/showthread.php?t=52047):
Code:

[sasl]
enabled  = true
port    = smtp
filter  = sasl
logpath  = /var/log/mail.log
maxretry = 2

Thanks again for the continued support...

Also, I have been wondering whether I should be worried about these warnings (also from the mail.warn log):
Code:

...
May 10 01:50:12 server1 postfix/smtpd[9063]: warning: 92.241.190.69: address not listed for hostname heihachi.net
...
May 12 23:44:14 server1 postfix/smtpd[3545]: warning: 114.42.154.89: hostname 114-42-154-89.dynamic.hinet.net verification failed: Temporary failure in name resolution
...


falko 15th May 2011 22:05

Quote:

Originally Posted by eko_taas (Post 256885)
Or should I add something to /etc/fail2ban/jail.local

Yes, you need to add a section for sasl.

eko_taas 16th May 2011 06:29

but the sasl section already exists...
 
Thanks for support :)
Quote:

Yes, you need to add a section for sasl.
What should I add :confused:, as I already have (as mentioned above, based on the "Perfect Server" HOWTO) a sasl section in my /etc/fail2ban/jail.local:

Code:

[sasl]
enabled  = true
port    = smtp
filter  = sasl
logpath  = /var/log/mail.log
maxretry = 2

Also, fail2ban starts all services (incl. sasl), e.g. at the last restart:
Code:

...
2011-05-15 01:38:53,125 fail2ban.jail  : INFO  Jail 'roundcube' started
2011-05-15 01:38:53,227 fail2ban.jail  : INFO  Jail 'sasl' started
....


falko 17th May 2011 13:58

Please check if the regex in /etc/fail2ban/filter.d/sasl.conf is correct.

eko_taas 17th May 2011 16:04

sasl conf
 
Quote:

Please check if the regex in /etc/fail2ban/filter.d/sasl.conf is correct.
For a newbie, everything looks correct :D

Other /etc/fail2ban/filter.d/ files (collection of their failregex lines):
Code:

failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
failregex = pop3d: LOGIN FAILED.*ip=\[.*:<HOST>\]
failregex = pop3d-ssl: LOGIN FAILED.*ip=\[.*:<HOST>\]
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
failregex = imapd-ssl: LOGIN FAILED.*ip=\[.*:<HOST>\]

/etc/fail2ban/filter.d/sasl.conf has:
Code:

failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGE$
ignoreregex =

But /etc/fail2ban/filter.d/sasl.conf was not modified at all (see item 17, Fail2ban, in http://www.howtoforge.com/perfect-server-debian-squeeze-with-bind-and-courier-ispconfig-3-p5).

How should the line look :confused:? Something like
Code:

failregex = sasl: LOGIN FAILED.*ip=\[.*:<HOST>\]

Would it be better to also add/correct this in the instructions (if missing :eek:) for the rest of us :rolleyes:?
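falko's advice in this thread is to check the regex in /etc/fail2ban/filter.d/sasl.conf, and the last post shows that file cut off at `DIGE$` (an 80-column display truncation), so the tail of the pattern, which is exactly where a mismatch would hide, is not visible. The following is an added example, not code from the thread or from the fail2ban project. It applies a failregex to constructed Postfix log lines in the format of the mail.warn excerpt above the way fail2ban 0.8 does (`<HOST>` substituted, syslog timestamp stripped, search semantics) and then applies the jail's `maxretry = 2`. Both regexes are assumptions: the visible prefix completed with an assumed mechanism list, once with a relaxed tail and once with a hypothetical strict tail that only tolerates an optional base64 blob before end of line, to show how such a tail silently fails to match `authentication failed: authentication failure`. The IPv4-only `<HOST>` stand-in, the sample lines and the 192.0.2.10 / 198.51.100.7 addresses are also constructed.

```python
"""Emulate fail2ban's filter + failmanager on Postfix SASL log lines.

Added example; not from the original thread or from the fail2ban project.
The regexes are assumptions: the thread shows sasl.conf cut off at 'DIGE$',
so the real tail of the pattern on that system is unknown.
"""
import re
from collections import Counter

# fail2ban 0.8 replaces <HOST> with its own host pattern; this IPv4-only
# stand-in is a simplification for the example.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Visible prefix from the post, completed with an assumed mechanism list and a
# relaxed tail that accepts whatever Postfix writes after "failed".
RELAXED_TAIL = (r"(?i): warning: [-._\w]+\[<HOST>\]: SASL "
                r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed")

# Same prefix with a hypothetical strict tail: only an optional base64 blob
# may follow "failed" before end of line.
STRICT_TAIL = RELAXED_TAIL + r"(: [A-Za-z0-9+/]*={0,2})?\s*$"

# Constructed sample in the format of the thread's mail.warn excerpt.
SAMPLE_LOG = """\
May 12 07:51:48 server1 postfix/smtpd[26044]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:51:51 server1 postfix/smtpd[26071]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:51:54 server1 postfix/smtpd[26073]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 08:03:10 server1 postfix/smtpd[26200]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
May 10 01:50:12 server1 postfix/smtpd[9063]: warning: 92.241.190.69: address not listed for hostname heihachi.net
May 12 23:44:14 server1 postfix/smtpd[3545]: warning: 114.42.154.89: hostname 114-42-154-89.dynamic.hinet.net verification failed: Temporary failure in name resolution
May 12 09:00:00 server1 postfix/smtpd[26300]: connect from unknown[198.51.100.7]
"""

# "May 12 07:51:48 server1 " -- fail2ban strips the date before matching.
SYSLOG_PREFIX = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ ")


def compile_failregex(failregex):
    """Turn a filter.d-style failregex into a Python pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def failures_per_host(log_text, failregex):
    """Count matching lines per host, like the filter feeding the failmanager.

    Returns a Counter mapping host -> number of matching lines.
    """
    rx = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        body = SYSLOG_PREFIX.sub("", line, count=1)
        m = rx.search(body)        # search, not match: ': warning:' is mid-line
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(hits, maxretry):
    """fail2ban bans a host once it reaches maxretry failures inside findtime.

    The findtime window is ignored here: the sample spans seconds, far below
    the usual 600 s default.
    """
    return sorted(h for h, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in (("relaxed tail", RELAXED_TAIL), ("strict tail", STRICT_TAIL)):
        hits = failures_per_host(SAMPLE_LOG, rx)
        print(f"{name}: {dict(hits)} -> ban {hosts_to_ban(hits, maxretry=2)}")
```

With the relaxed tail 70.38.23.166 reaches three failures and would be banned at `maxretry = 2`; with the strict tail those lines do not match at all, only the base64-style line from 192.0.2.10 does, and nothing is banned. On the real server the equivalent check is `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf`, which prints how many lines the filter matched. Also confirm that the SASL warnings appear in /var/log/mail.log itself, since that is the jail's `logpath` (the excerpt in the thread is from mail.warn), and keep in mind that `maxretry` only counts failures inside the jail's `findtime` window. The "address not listed for hostname" and "hostname verification failed" warnings are reverse-DNS mismatches, not authentication failures, so the sasl filter is right not to count them.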

