Way to automatically block SASL LOGIN attacks?
Is there an automatic way to use the firewall or some other way to add IPs like this to iptables?
I'm using fail2ban.
Code:
Mar 19 00:11:33 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:33 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:33 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:33 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:35 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:35 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:35 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:35 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:37 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:37 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:37 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:38 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:39 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:39 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:39 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:40 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:41 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:41 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:41 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:42 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:43 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:43 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:43 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:44 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:45 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:46 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:46 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:46 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:47 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:48 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:48 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Did I get this right?
OK, that's why my name is permanoob.
I think I found the solution in the fail2ban jail.conf. Is this correct now?
Code:
[postfix]
enabled = true
port = smtp,ssmtp,smtpd
filter = postfix
logpath = /var/log/mail.log
maxretry = 5

[sasl]
enabled = true
port = smtp,ssmtp,smtpd,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.log
maxretry = 5
---------------------------
Must be wrong because log shows errors:
Code:
2012-03-19 01:12:44,599 fail2ban.jail : INFO Jail 'ssh' started
2012-03-19 01:12:46,013 fail2ban.jail : INFO Jail 'postfix' started
2012-03-19 01:12:46,015 fail2ban.actions.action: ERROR iptables -N fail2ban-postfix
iptables -A fail2ban-postfix -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,smtpd -j fail2ban-postfix returned 200
2012-03-19 01:12:47,439 fail2ban.jail : INFO Jail 'sasl' started
2012-03-19 01:12:47,444 fail2ban.actions.action: ERROR iptables -N fail2ban-sasl
iptables -A fail2ban-sasl -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,smtpd,imap2,imap3,imaps,pop3,pop3s -j fail2ban-sasl returned 200
Should I replace the following line in sasl.conf
Code:
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
with a line Falko posted in another thread
Code:
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failure
?

The error was because I had added smtpd to:
Code:
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
so now the restart looks ok:
Code:
2012-03-19 10:23:26,471 fail2ban.jail : INFO Jail 'ssh' started
2012-03-19 10:23:26,533 fail2ban.jail : INFO Jail 'postfix' started
2012-03-19 10:23:26,593 fail2ban.jail : INFO Jail 'sasl' started
2012-03-19 10:23:29,477 fail2ban.actions: WARNING [ssh] Ban 66.85.166.106
but this IP is still not blocked:
Code:
Mar 19 10:37:09 server3 postfix/smtpd[26203]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:37:09 server3 postfix/smtpd[26350]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:37:09 server3 postfix/smtpd[29163]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:37:10 server3 postfix/smtpd[26600]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
I replaced
Code:
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
with a line Falko posted in another thread
Code:
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failure
and restarted:
Code:
2012-03-19 10:39:58,879 fail2ban.jail : INFO Jail 'ssh' started
2012-03-19 10:39:58,943 fail2ban.jail : INFO Jail 'postfix' started
2012-03-19 10:39:59,002 fail2ban.jail : INFO Jail 'sasl' started
2012-03-19 10:41:59,885 fail2ban.actions: WARNING [ssh] Ban 66.85.166.106
but fail2ban is still not blocking:
Code:
Mar 19 10:47:31 server3 postfix/smtpd[29170]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:31 server3 postfix/smtpd[26350]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:32 server3 postfix/smtpd[29170]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:33 server3 postfix/smtpd[30156]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:34 server3 postfix/smtpd[26600]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:34 server3 postfix/smtpd[30156]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:36 server3 postfix/smtpd[26350]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:37 server3 postfix/smtpd[26350]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:39 server3 postfix/smtpd[26600]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:40 server3 postfix/smtpd[30154]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:40 server3 postfix/smtpd[26600]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:43 server3 postfix/smtpd[29165]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:44 server3 postfix/smtpd[29954]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:45 server3 postfix/smtpd[30154]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:46 server3 postfix/smtpd[30154]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:48 server3 postfix/smtpd[29165]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:49 server3 postfix/smtpd[29165]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:49 server3 postfix/smtpd[29954]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:50 server3 postfix/smtpd[29954]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
I'm testing with
Code:
fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf
also tried switching to mail.info
Code:
fail2ban-regex /var/log/mail.info /etc/fail2ban/filter.d/sasl.conf
and
Code:
[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.info
maxretry = 5
still no matches though there are plenty in the log file
Quote:
I think I found the solution in the fail2ban jail.conf.
Can you try
Code:
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
Quote:
Code:
2012-03-21 06:25:24,390 fail2ban.jail : INFO Jail 'ssh' started
2012-03-21 06:25:24,462 fail2ban.jail : INFO Jail 'postfix' started
2012-03-21 06:25:24,530 fail2ban.jail : INFO Jail 'sasl' started
2012-03-21 06:34:41,566 fail2ban.actions: WARNING [sasl] Ban 14.208.80.207
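As an added example (not code from this thread or from fail2ban itself), the script below applies both failregex variants discussed above to constructed Postfix lines in the same format as the ones posted, and counts failures per host against maxretry = 5 the way the [sasl] jail would. The `<HOST>` substitution is a simplified stand-in for fail2ban's own host pattern (an assumption); it shows why the `$`-anchored regex never matches a line that continues with ": authentication failure" and why dropping the `$` makes the ban fire.

```python
import re
from collections import Counter

# fail2ban replaces <HOST> in a failregex with its own host pattern; this
# simplified stand-in (an assumption, not fail2ban's exact pattern) captures
# the address between the square brackets after the client hostname.
HOST = r"(?P<host>[\w\-.^_]*\w)"

# Stock sasl.conf regex from the thread (anchored with $) and the suggested fix.
ANCHORED = (r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
            r" authentication failed$")
UNANCHORED = ANCHORED.rstrip("$")

# Constructed sample lines in the same format as the Postfix log in the thread.
SAMPLE_LOG = """\
Mar 19 00:11:33 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:33 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:33 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:35 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:37 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:39 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:41 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:37:09 server3 postfix/smtpd[26203]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:37:10 server3 postfix/smtpd[26600]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL PLAIN authentication failed: authentication failure
"""

def compile_failregex(failregex):
    """Expand <HOST> and compile, the way fail2ban prepares a filter regex."""
    return re.compile(failregex.replace("<HOST>", HOST))

def failed_hosts(log_text, failregex):
    """Count matching failure lines per host (what fail2ban-regex would report)."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)  # a trailing $ must sit at the END of the line
        if match:
            hits[match.group("host")] += 1
    return hits

def hosts_to_ban(log_text, failregex, maxretry=5):
    """Hosts that reached maxretry failures, i.e. what the jail would ban."""
    counts = failed_hosts(log_text, failregex)
    return sorted(host for host, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    for name, regex in (("anchored", ANCHORED), ("unanchored", UNANCHORED)):
        print(name, dict(failed_hosts(SAMPLE_LOG, regex)), hosts_to_ban(SAMPLE_LOG, regex))
```

The anchored variant reports no matches at all, which is the "still no matches though there are plenty in the log file" result from fail2ban-regex above; the unanchored one counts five failures for 183.7.92.44 and bans it.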