17th June 2011, 11:45
Captain
Fail2ban configuration

Hello!

In auth.log I see this:
Code:
Jun 16 23:46:42 srv saslauthd[1419]: pam_unix(smtp:auth): check pass; user unknown
Jun 16 23:46:42 srv saslauthd[1419]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 16 23:46:44 srv saslauthd[1419]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jun 16 23:46:44 srv saslauthd[1419]: do_auth         : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jun 16 23:46:45 srv saslauthd[1415]: pam_unix(smtp:auth): check pass; user unknown
Jun 16 23:46:45 srv saslauthd[1415]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 16 23:46:47 srv saslauthd[1415]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jun 16 23:46:47 srv saslauthd[1415]: do_auth         : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jun 16 23:46:48 srv saslauthd[1419]: pam_unix(smtp:auth): check pass; user unknown
Jun 16 23:46:48 srv saslauthd[1419]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 16 23:46:50 srv saslauthd[1419]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jun 16 23:46:50 srv saslauthd[1419]: do_auth         : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jun 16 23:46:51 srv saslauthd[1416]: pam_unix(smtp:auth): check pass; user unknown
Jun 16 23:46:51 srv saslauthd[1416]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 16 23:46:54 srv saslauthd[1416]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jun 16 23:46:54 srv saslauthd[1416]: do_auth         : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jun 16 23:46:55 srv saslauthd[1417]: pam_unix(smtp:auth): check pass; user unknown
Jun 16 23:46:55 srv saslauthd[1417]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 16 23:46:57 srv saslauthd[1417]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jun 16 23:46:57 srv saslauthd[1417]: do_auth         : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jun 16 23:46:58 srv saslauthd[1416]: pam_unix(smtp:auth): check pass; user unknown
Jun 16 23:46:58 srv saslauthd[1416]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 16 23:47:00 srv saslauthd[1416]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jun 16 23:47:00 srv saslauthd[1416]: do_auth         : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jun 16 23:47:01 srv saslauthd[1418]: pam_unix(smtp:auth): check pass; user unknown
Jun 16 23:47:01 srv saslauthd[1418]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 16 23:47:04 srv saslauthd[1418]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jun 16 23:47:04 srv saslauthd[1418]: do_auth         : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jun 16 23:47:05 srv saslauthd[1416]: pam_unix(smtp:auth): check pass; user unknown
Jun 16 23:47:05 srv saslauthd[1416]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 16 23:47:07 srv saslauthd[1416]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
In mail.log:
Code:
warning: unknown[202.109.143.50]: SASL  LOGIN authentification failed: authentification failture
last message repeated 15 times
jail.local:

Code:
#
# Mail servers
#

[postfix]

enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log


[couriersmtp]

enabled  = true
port     = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courierauth]

enabled  = true
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = courierlogin
logpath  = /var/log/mail.log


[sasl]

enabled  = true
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd
filter   = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
logpath  = /var/log/mail.log
sasl.conf:

Code:
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
But fail2ban did not block this IP.

How to solve this problem?
Please help!

Thanks.
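An added example, not from the post or from fail2ban itself, that does by hand what the fail2ban-regex tool does: it expands <HOST> exactly as the sasl.conf comment describes, then runs the quoted failregex over constructed mail.log lines, including the line quoted above. RELAXED_FAILREGEX is a hypothetical adjustment of mine for comparison, not the shipped filter.

```python
import re

# <HOST> alias, as documented in the sasl.conf comments quoted in the post.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex from the poster's sasl.conf, copied verbatim.
POSTED_FAILREGEX = (
    r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
    r" authentication failed(: [A-Za-z0-9+/]*={0,2})?$"
)

# Hypothetical relaxed variant (my adjustment, not the shipped filter): lets a
# free-text reason such as ": authentication failure" follow "failed".
RELAXED_FAILREGEX = (
    r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
    r" authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$"
)


def compile_failregex(failregex):
    """Expand <HOST> the way the filter comment describes, then compile."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def match_host(failregex, line):
    """Host captured from one log line, or None if the line does not count as a
    failure (so fail2ban would never ban from it)."""
    m = compile_failregex(failregex).search(line)
    return m.group("host") if m else None


def count_failures(failregex, lines):
    """Failures per host, which is what a jail compares against maxretry."""
    counts = {}
    for line in lines:
        host = match_host(failregex, line)
        if host:
            counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed sample lines, with the syslog prefix a real mail.log carries.
PREFIX = "Jun 16 23:46:42 srv postfix/smtpd[2001]: warning: unknown[202.109.143.50]: "
POSTED_LINE = PREFIX + "SASL  LOGIN authentification failed: authentification failture"  # as quoted in the post
STANDARD_LINE = PREFIX + "SASL LOGIN authentication failed: authentication failure"  # usual Postfix wording
BARE_LINE = PREFIX + "SASL LOGIN authentication failed"  # no reason suffix at all
BASE64_LINE = PREFIX + "SASL PLAIN authentication failed: dXNlcg=="  # base64 trailer the filter allows
SAMPLE_LINES = [POSTED_LINE, STANDARD_LINE, BARE_LINE, BASE64_LINE]

if __name__ == "__main__":
    for name, rx in (("posted", POSTED_FAILREGEX), ("relaxed", RELAXED_FAILREGEX)):
        print(name, count_failures(rx, SAMPLE_LINES))
```

The posted regex matches only the bare and base64-trailer lines, because the trailing `$` rejects any other text after "failed"; the line quoted in the post matches neither regex, since its spelling and double space differ from what the filter expects.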