View Single Post
  #1  
Old 9th March 2012, 10:35
Captain Captain is offline
Senior Member
 
Join Date: Feb 2009
Posts: 287
Thanks: 82
Thanked 7 Times in 6 Posts
Exclamation SASL LOGIN authentication failed

Hello!

At time to time I see in mail.log many of this logs:
Code:
Mar  9 09:06:57 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:07:12 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:07:30 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:08:02 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:08:10 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:08:20 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:08:31 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:08:50 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:08:58 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:09:20 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:09:53 itex postfix/smtpd[5534]: last message repeated 2 times
Mar  9 09:09:53 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:10:02 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:10:14 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:10:35 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:10:48 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:11:05 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:11:13 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:11:23 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:11:32 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:11:44 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Where mail.domain.com is domain of my server and 1.2.3.4 is IP of my server.

chkrootkit and rkhunter is clean.

And fail2ban dont recognized it.
jail.conf
Code:
[sasl]

enabled  = true
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd
filter   = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
logpath  = /var/log/mail.log
sasl.conf

Code:
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
#failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
In fail2ban log have this:

Code:
2012-03-09 13:36:52,832 fail2ban.actions.action: ERROR  iptables -N fail2ban-sasl
iptables -A fail2ban-sasl -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200


It is normal or something wrong with server security?
I have ISPConfig2 final, Ubuntu 10.04.1 LTS

Thnk you!

Last edited by Captain; 9th March 2012 at 13:41.
Reply With Quote
Sponsored Links