HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   Installation/Configuration (http://www.howtoforge.com/forums/forumdisplay.php?f=4)
-   -   Fail2ban configuration (http://www.howtoforge.com/forums/showthread.php?t=53104)

Captain 17th June 2011 10:45

Fail2ban configuration
 
Hello!

In auth.log I see this:
Code:

Jun 16 23:46:42 srv saslauthd[1419]: pam_unix(smtp:auth): check pass; user unknown
Jun 16 23:46:42 srv saslauthd[1419]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 16 23:46:44 srv saslauthd[1419]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jun 16 23:46:44 srv saslauthd[1419]: do_auth        : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jun 16 23:46:45 srv saslauthd[1415]: pam_unix(smtp:auth): check pass; user unknown
Jun 16 23:46:45 srv saslauthd[1415]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 16 23:46:47 srv saslauthd[1415]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jun 16 23:46:47 srv saslauthd[1415]: do_auth        : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jun 16 23:46:48 srv saslauthd[1419]: pam_unix(smtp:auth): check pass; user unknown
Jun 16 23:46:48 srv saslauthd[1419]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 16 23:46:50 srv saslauthd[1419]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jun 16 23:46:50 srv saslauthd[1419]: do_auth        : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jun 16 23:46:51 srv saslauthd[1416]: pam_unix(smtp:auth): check pass; user unknown
Jun 16 23:46:51 srv saslauthd[1416]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 16 23:46:54 srv saslauthd[1416]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jun 16 23:46:54 srv saslauthd[1416]: do_auth        : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jun 16 23:46:55 srv saslauthd[1417]: pam_unix(smtp:auth): check pass; user unknown
Jun 16 23:46:55 srv saslauthd[1417]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 16 23:46:57 srv saslauthd[1417]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jun 16 23:46:57 srv saslauthd[1417]: do_auth        : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jun 16 23:46:58 srv saslauthd[1416]: pam_unix(smtp:auth): check pass; user unknown
Jun 16 23:46:58 srv saslauthd[1416]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 16 23:47:00 srv saslauthd[1416]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jun 16 23:47:00 srv saslauthd[1416]: do_auth        : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jun 16 23:47:01 srv saslauthd[1418]: pam_unix(smtp:auth): check pass; user unknown
Jun 16 23:47:01 srv saslauthd[1418]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 16 23:47:04 srv saslauthd[1418]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jun 16 23:47:04 srv saslauthd[1418]: do_auth        : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jun 16 23:47:05 srv saslauthd[1416]: pam_unix(smtp:auth): check pass; user unknown
Jun 16 23:47:05 srv saslauthd[1416]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 16 23:47:07 srv saslauthd[1416]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure

In mail.log:
Code:

warning: unknown[202.109.143.50]: SASL  LOGIN authentification failed: authentification failture
last message repeated 15 times

jail.local

Code:

#
# Mail servers
#

[postfix]

enabled  = true
port    = smtp,ssmtp
filter  = postfix
logpath  = /var/log/mail.log


[couriersmtp]

enabled  = true
port    = smtp,ssmtp
filter  = couriersmtp
logpath  = /var/log/mail.log


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courierauth]

enabled  = true
port    = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter  = courierlogin
logpath  = /var/log/mail.log


[sasl]

enabled  = true
port    = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd
filter  = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
logpath  = /var/log/mail.log

sasl.conf

Code:

# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

But fail2ban did not block this IP.

How to solve this problem?
Please help!

Thanks.

falko 18th June 2011 11:56

Can you try this line instead?

Code:

failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failure

Captain 28th June 2011 19:48

Still have this log:
Code:

Jun 26 21:52:00 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:52:18 itex postfix/smtpd[30207]: last message repeated 2 times
Jun 26 21:52:18 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:52:22 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:52:26 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:52:31 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:52:36 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:52:43 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:52:48 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:52:57 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:53:01 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:53:06 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:53:12 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:53:17 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:53:20 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:53:28 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:53:32 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:53:37 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:53:41 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:53:48 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:53:55 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:53:59 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:54:03 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:54:08 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:54:12 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:54:16 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:54:25 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:54:29 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:54:33 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:54:38 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:54:42 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:54:47 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:54:52 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:54:59 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:55:03 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:55:08 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:55:19 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:55:24 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:55:28 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:55:32 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:55:37 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:55:41 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:55:45 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:55:50 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:55:54 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:56:02 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:56:10 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure

Your post did not help.
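To see which failregex actually fires on the lines posted in this thread, here is an added check I wrote as editor; it is neither fail2ban's code nor anything either poster provided. It expands `<HOST>` exactly as the header comment of the posted sasl.conf describes and runs three patterns over lines copied from the posts: the failregex from the posted sasl.conf, the one suggested in the reply, and a widened variant of my own (an assumption, not something from the thread) whose trailing character class also accepts the spaces and colon in "failed: authentication failure" instead of only a base64 blob. On the Jun 26 lines the first two patterns match nothing, which is consistent with the jail never banning; the widened one captures 183.44.196.143 on both lines.

```python
import re
from collections import Counter

# fail2ban expands the <HOST> tag to this group; the pattern is quoted from the
# header comment of the sasl.conf filter posted in the thread.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# failregex from the thread's sasl.conf (the filter that did not ban anything)
ORIGINAL = (r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
            r" authentication failed(: [A-Za-z0-9+/]*={0,2})?$")

# failregex suggested in the reply
SUGGESTED = (r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
             r" authentication failure")

# My widened variant (an assumption, not from the thread): the trailing class also
# accepts spaces and colons, so "failed: authentication failure" matches as well as
# the base64 blob the original character class was written for.
WIDENED = (r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
           r" authentication failed(: [ A-Za-z0-9+/:]*={0,2})?$")

# Sample lines copied from the thread: two mail.log entries, a syslog repeat marker,
# one auth.log saslauthd line, and the hand-typed mail.log excerpt from the first post.
SAMPLE_LINES = [
    "Jun 26 21:52:00 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: "
    "SASL LOGIN authentication failed: authentication failure",
    "Jun 26 21:52:18 itex postfix/smtpd[30207]: last message repeated 2 times",
    "Jun 26 21:52:18 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: "
    "SASL LOGIN authentication failed: authentication failure",
    "Jun 16 23:46:42 srv saslauthd[1419]: pam_unix(smtp:auth): authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost=",
    "warning: unknown[202.109.143.50]: SASL  LOGIN authentification failed: "
    "authentification failture",
]


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> and compile, as fail2ban does before scanning a log."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def match_hosts(failregex: str, lines) -> list:
    """Return the host captured from every line the failregex matches, in order."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.search, lines) if m]


def count_by_host(failregex: str, lines) -> dict:
    """Failures per host: this is the count fail2ban compares against maxretry."""
    return dict(Counter(match_hosts(failregex, lines)))


if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL), ("suggested", SUGGESTED), ("widened", WIDENED)):
        print(f"{name:9s} -> {count_by_host(rx, SAMPLE_LINES)}")
```

Two caveats the sample lines illustrate: the saslauthd entries in auth.log end in `rhost=` with nothing after it, so that file offers no address to ban, which is why the jail reads mail.log; and syslog's `last message repeated N times` marker carries no host either, so those collapsed attempts never count toward maxretry. fail2ban ships its own tool for this comparison against a real log file and filter, e.g. `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf`.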

