14th May 2011, 10:27
eko_taas
sasl / fail2ban vs. postfix/smtpd warnings

I wonder whether fail2ban should also ban IPs trying to contact SMTP?

The Fail2Ban log has only SSH entries for this period:
Code:
...
2011-05-11 18:27:50,277 fail2ban.jail : INFO Jail 'sasl' started
....
2011-05-11 18:41:39,843 fail2ban.actions: WARNING [ssh] Ban 210.114.220.186
2011-05-11 19:11:40,750 fail2ban.actions: WARNING [ssh] Unban 210.114.220.186
2011-05-12 00:46:19,139 fail2ban.actions: WARNING [ssh] Ban 112.137.163.72
2011-05-12 01:16:20,125 fail2ban.actions: WARNING [ssh] Unban 112.137.163.72
...
2011-05-12 07:04:56,836 fail2ban.actions: WARNING [ssh] Ban 122.227.135.143
2011-05-12 07:34:57,763 fail2ban.actions: WARNING [ssh] Unban 122.227.135.143
....
2011-05-12 12:16:09,844 fail2ban.actions: WARNING [ssh] Ban 112.78.1.6
2011-05-12 12:46:10,760 fail2ban.actions: WARNING [ssh] Unban 112.78.1.6
2011-05-12 12:57:46,498 fail2ban.actions: WARNING [ssh] Ban 122.225.101.154
2011-05-12 13:27:47,462 fail2ban.actions: WARNING [ssh] Unban 122.225.101.154
2011-05-12 14:21:34,999 fail2ban.actions: WARNING [ssh] Ban 46.45.147.25
2011-05-12 14:51:35,997 fail2ban.actions: WARNING [ssh] Unban 46.45.147.25
...
but the Mail-Warn log also has several smtpd attempts (e.g. from IP 70.38.23.166) not listed above:
Code:
...
May 12 07:51:48 server1 postfix/smtpd[26044]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:51:51 server1 postfix/smtpd[26071]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:51:54 server1 postfix/smtpd[26073]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:51:57 server1 postfix/smtpd[26074]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:01 server1 postfix/smtpd[26075]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:03 server1 postfix/smtpd[26083]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:07 server1 postfix/smtpd[26084]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:10 server1 postfix/smtpd[26110]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:13 server1 postfix/smtpd[26115]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:16 server1 postfix/smtpd[26116]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:19 server1 postfix/smtpd[26117]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:22 server1 postfix/smtpd[26118]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:25 server1 postfix/smtpd[26119]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:29 server1 postfix/smtpd[26120]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:32 server1 postfix/smtpd[26122]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:36 server1 postfix/smtpd[26123]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
...
Any reason why they are not listed/banned? Or should I add something to /etc/fail2ban/jail.local (Debian Squeeze / ISPConfig 3.0.3.3)? It is now as in http://www.howtoforge.com/forums/showthread.php?t=52047:
Code:
[sasl]
enabled  = true
port     = smtp
filter   = sasl
logpath  = /var/log/mail.log
maxretry = 2
Thanks again for cont. support...

Also, I have been wondering whether I should be worried about these warnings (also from the Mail-Warn log):
Code:
...
May 10 01:50:12 server1 postfix/smtpd[9063]: warning: 92.241.190.69: address not listed for hostname heihachi.net
...
May 12 23:44:14 server1 postfix/smtpd[3545]: warning: 114.42.154.89: hostname 114-42-154-89.dynamic.hinet.net verification failed: Temporary failure in name resolution
...
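Added example, not part of the original post and not fail2ban's own code: one way to check offline whether a filter pattern matches the smtpd lines quoted above and which hosts would reach `maxretry = 2`. Both patterns, the IPv4-only `HOST` group and the function names are assumptions made for illustration; they are not the sasl filter installed on the poster's server.

```python
import re
from collections import Counter

# Log lines copied from the Mail-Warn excerpts quoted in the post.
SAMPLE_LOG = """\
May 12 07:51:48 server1 postfix/smtpd[26044]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:51:51 server1 postfix/smtpd[26071]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:51:54 server1 postfix/smtpd[26073]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 10 01:50:12 server1 postfix/smtpd[9063]: warning: 92.241.190.69: address not listed for hostname heihachi.net
"""

# fail2ban expands <HOST> into a capture group before compiling a failregex.
# This stand-in handles IPv4 only (assumption for the example).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical pattern that expects the line to END at "authentication failed".
STRICT = (r": warning: [-._\w]+\[<HOST>\]: SASL "
          r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$")

# Hypothetical pattern that also accepts a trailing ": <reason>" suffix.
TOLERANT = (r": warning: [-._\w]+\[<HOST>\]: SASL "
            r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(?:: .*)?$")


def failures_per_host(failregex, log_text):
    """Count lines matched by failregex, keyed by the captured client IP."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    hits = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def hosts_to_ban(failregex, log_text, maxretry):
    """Hosts whose match count reaches maxretry. The findtime window is
    ignored here; the sample lines are only seconds apart."""
    counts = failures_per_host(failregex, log_text)
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, regex in (("strict", STRICT), ("tolerant", TOLERANT)):
        print(name, dict(failures_per_host(regex, SAMPLE_LOG)),
              hosts_to_ban(regex, SAMPLE_LOG, maxretry=2))
```

On the server itself, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf` runs the installed filter against the real log and reports how many lines it matches.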