HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Thread: Way to automatically block SASL LOGIN attacks? (http://www.howtoforge.com/forums/showthread.php?t=56599)

PermaNoob 19th March 2012 00:16

Way to automatically block SASL LOGIN attacks?
 
Is there an automatic way to use the firewall or some other way to add IPs like this to iptables?

I'm using fail2ban.

Mar 19 00:11:33 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:33 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:33 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:33 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:35 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:35 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:35 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:35 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:37 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:37 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:37 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:38 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:39 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:39 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:39 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:40 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:41 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:41 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:41 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:42 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:43 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:43 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:43 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:44 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:45 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:46 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:46 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:46 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:47 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:48 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:48 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]

PermaNoob 19th March 2012 00:31

Did I get this right?
 
OK, that's why my name is permanoob.

I think I found the solution in the fail2ban jail.conf

Is this correct now?

[postfix]

enabled = true
port = smtp,ssmtp,smtpd
filter = postfix
logpath = /var/log/mail.log
maxretry = 5

[sasl]

enabled = true
port = smtp,ssmtp,smtpd,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.log
maxretry = 5

---------------------------

Must be wrong because log shows errors:

2012-03-19 01:12:44,599 fail2ban.jail : INFO Jail 'ssh' started
2012-03-19 01:12:46,013 fail2ban.jail : INFO Jail 'postfix' started
2012-03-19 01:12:46,015 fail2ban.actions.action: ERROR iptables -N fail2ban-postfix
iptables -A fail2ban-postfix -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,smtpd -j fail2ban-postfix returned 200
2012-03-19 01:12:47,439 fail2ban.jail : INFO Jail 'sasl' started
2012-03-19 01:12:47,444 fail2ban.actions.action: ERROR iptables -N fail2ban-sasl
iptables -A fail2ban-sasl -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,smtpd,imap2,imap3,imaps,pop3,pop3s -j fail2ban-sasl returned 200

PermaNoob 19th March 2012 09:50

Should I replace the following line in sasl.conf

failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$

with a line Falko posted in another thread

failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failure

?

The error was because I had added smtpd to: port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s

so now the restart looks ok:

2012-03-19 10:23:26,471 fail2ban.jail : INFO Jail 'ssh' started
2012-03-19 10:23:26,533 fail2ban.jail : INFO Jail 'postfix' started
2012-03-19 10:23:26,593 fail2ban.jail : INFO Jail 'sasl' started
2012-03-19 10:23:29,477 fail2ban.actions: WARNING [ssh] Ban 66.85.166.106

but this ip is still not blocked:

Mar 19 10:37:09 server3 postfix/smtpd[26203]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:37:09 server3 postfix/smtpd[26350]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:37:09 server3 postfix/smtpd[29163]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:37:10 server3 postfix/smtpd[26600]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure

PermaNoob 19th March 2012 10:49

I replaced

failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$

with a line Falko posted in another thread

failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failure

and restarted:

2012-03-19 10:39:58,879 fail2ban.jail : INFO Jail 'ssh' started
2012-03-19 10:39:58,943 fail2ban.jail : INFO Jail 'postfix' started
2012-03-19 10:39:59,002 fail2ban.jail : INFO Jail 'sasl' started
2012-03-19 10:41:59,885 fail2ban.actions: WARNING [ssh] Ban 66.85.166.106

but fail2ban is still not blocking:

Mar 19 10:47:31 server3 postfix/smtpd[29170]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:31 server3 postfix/smtpd[26350]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:32 server3 postfix/smtpd[29170]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:33 server3 postfix/smtpd[30156]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:34 server3 postfix/smtpd[26600]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:34 server3 postfix/smtpd[30156]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:36 server3 postfix/smtpd[26350]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:37 server3 postfix/smtpd[26350]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:39 server3 postfix/smtpd[26600]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:40 server3 postfix/smtpd[30154]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:40 server3 postfix/smtpd[26600]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:43 server3 postfix/smtpd[29165]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:44 server3 postfix/smtpd[29954]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:45 server3 postfix/smtpd[30154]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:46 server3 postfix/smtpd[30154]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:48 server3 postfix/smtpd[29165]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:49 server3 postfix/smtpd[29165]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:49 server3 postfix/smtpd[29954]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:50 server3 postfix/smtpd[29954]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]

PermaNoob 19th March 2012 11:22

I'm testing with

fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf

also tried switching to mail.info

fail2ban-regex /var/log/mail.info /etc/fail2ban/filter.d/sasl.conf

and

[sasl]

enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.info
maxretry = 5

Still no matches, though there are plenty in the log file.

Lancelot28 19th March 2012 11:42

I think I found the solution in the fail2ban jail.conf.

PermaNoob 19th March 2012 11:49

Quote:

Originally Posted by Lancelot28 (Post 275778)
I think I found the solution in the fail2ban jail.conf.

I was wrong, it's still not working.

falko 20th March 2012 13:52

Can you try
Code:

failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
(without the $ sign at the end)?

PermaNoob 21st March 2012 06:31

Quote:

Originally Posted by falko (Post 275849)
Can you try
Code:

failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
(without the $ sign at the end)?

That worked--Thanks!

2012-03-21 06:25:24,390 fail2ban.jail : INFO Jail 'ssh' started
2012-03-21 06:25:24,462 fail2ban.jail : INFO Jail 'postfix' started
2012-03-21 06:25:24,530 fail2ban.jail : INFO Jail 'sasl' started
2012-03-21 06:34:41,566 fail2ban.actions: WARNING [sasl] Ban 14.208.80.207
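What fail2ban-regex was reporting, reproduced as an added example that is not part of the thread: the three failregex variants quoted in the posts are run over log lines constructed from the thread's own excerpts, in Python because fail2ban is Python and uses the same re semantics. The <HOST> expansion follows fail2ban 0.8's definition and the hosts_to_ban helper is hypothetical; both are assumptions, not fail2ban's own code.

```python
import re
from collections import Counter

# Constructed sample log, built from the client strings, PIDs and timestamps
# quoted in the thread: six failures from 183.7.92.44, four from 98.17.204.201.
def fail_line(ts, pid, client):
    return (f"Mar 19 {ts} server3 postfix/smtpd[{pid}]: warning: {client}: "
            "SASL LOGIN authentication failed: authentication failure")

WINDSTREAM = "h201.204.17.98.static.ip.windstream.net[98.17.204.201]"
MAIL_LOG = [fail_line(f"00:11:{s}", 1002, "unknown[183.7.92.44]") for s in (33, 35, 37, 39, 41, 43)]
MAIL_LOG += [fail_line("10:37:09", pid, WINDSTREAM) for pid in (26203, 26350, 29163)]
MAIL_LOG += [fail_line("10:37:10", 26600, WINDSTREAM),
             "Mar 19 00:11:33 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]",
             "Mar 19 00:11:33 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]"]

# The three failregex variants quoted in the thread, verbatim.
FAILREGEX = {
    "anchored": r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$",
    "failure":  r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failure",
    "fixed":    r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
}

# fail2ban replaces the <HOST> tag with a named group before compiling; this
# expansion follows the 0.8-series definition (assumption: matches your version).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

def compile_failregex(pattern):
    return re.compile(pattern.replace("<HOST>", HOST_RE))

def match_hosts(pattern, lines):
    """Host captured from every line the failregex hits. fail2ban uses
    search(), so the pattern may start anywhere in the line; the trailing
    '$' in "anchored" fails because ': authentication failure' follows
    'failed', and "failure" never sees 'authentication failure' directly
    after 'SASL LOGIN' in these Postfix lines."""
    rx = compile_failregex(pattern)
    return [m.group("host") for m in map(rx.search, lines) if m]

def hosts_to_ban(pattern, lines, maxretry=5):
    """Hosts whose failure count reaches maxretry (jail.conf: maxretry = 5).
    findtime is ignored: all sample lines fall inside one window."""
    counts = Counter(match_hosts(pattern, lines))
    return sorted(h for h, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    for name, pat in FAILREGEX.items():
        hits = match_hosts(pat, MAIL_LOG)
        print(f"{name:9s} matches={len(hits):2d} banned={hosts_to_ban(pat, MAIL_LOG)}")
```

Only the unanchored pattern matches anything, and with maxretry = 5 only 183.7.92.44 crosses the threshold; the windstream host, with four failures, would need a lower maxretry or more attempts before fail2ban acts.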

