#1
19th March 2012, 00:16
PermaNoob
Senior Member
 
Join Date: Jan 2007
Posts: 194
Thanks: 12
Thanked 5 Times in 5 Posts
Way to automatically block SASL LOGIN attacks?

Is there an automatic way to use the firewall or some other way to add IPs like this to iptables?

I'm using fail2ban.

Mar 19 00:11:33 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:33 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:33 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:33 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:35 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:35 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:35 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:35 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:37 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:37 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:37 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:38 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:39 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:39 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:39 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:40 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:41 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:41 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:41 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:42 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:43 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:43 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:43 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:44 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:45 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:46 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:46 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:46 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:47 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:48 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:48 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
#2
19th March 2012, 00:31
PermaNoob
Did I get this right?

OK, that's why my name is permanoob.

I think I found the solution in the fail2ban jail.conf

Is this correct now?

[postfix]

enabled = true
port = smtp,ssmtp,smtpd
filter = postfix
logpath = /var/log/mail.log
maxretry = 5

[sasl]

enabled = true
port = smtp,ssmtp,smtpd,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.log
maxretry = 5

---------------------------

It must be wrong, because the log shows errors:

2012-03-19 01:12:44,599 fail2ban.jail : INFO Jail 'ssh' started
2012-03-19 01:12:46,013 fail2ban.jail : INFO Jail 'postfix' started
2012-03-19 01:12:46,015 fail2ban.actions.action: ERROR iptables -N fail2ban-postfix
iptables -A fail2ban-postfix -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,smtpd -j fail2ban-postfix returned 200
2012-03-19 01:12:47,439 fail2ban.jail : INFO Jail 'sasl' started
2012-03-19 01:12:47,444 fail2ban.actions.action: ERROR iptables -N fail2ban-sasl
iptables -A fail2ban-sasl -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,smtpd,imap2,imap3,imaps,pop3,pop3s -j fail2ban-sasl returned 200

Last edited by PermaNoob; 19th March 2012 at 01:17. Reason: addition
#3
19th March 2012, 09:50
PermaNoob

Should I replace the following line in sasl.conf

failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$

with a line Falko posted in another thread

failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failure

?

The error was because I had added smtpd to: port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s

so now the restart looks OK:

2012-03-19 10:23:26,471 fail2ban.jail : INFO Jail 'ssh' started
2012-03-19 10:23:26,533 fail2ban.jail : INFO Jail 'postfix' started
2012-03-19 10:23:26,593 fail2ban.jail : INFO Jail 'sasl' started
2012-03-19 10:23:29,477 fail2ban.actions: WARNING [ssh] Ban 66.85.166.106

but this IP is still not blocked:

Mar 19 10:37:09 server3 postfix/smtpd[26203]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:37:09 server3 postfix/smtpd[26350]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:37:09 server3 postfix/smtpd[29163]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:37:10 server3 postfix/smtpd[26600]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure

Last edited by PermaNoob; 19th March 2012 at 10:38.
#4
19th March 2012, 10:49
PermaNoob

I replaced

failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$

with a line Falko posted in another thread

failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failure

and restarted:

2012-03-19 10:39:58,879 fail2ban.jail : INFO Jail 'ssh' started
2012-03-19 10:39:58,943 fail2ban.jail : INFO Jail 'postfix' started
2012-03-19 10:39:59,002 fail2ban.jail : INFO Jail 'sasl' started
2012-03-19 10:41:59,885 fail2ban.actions: WARNING [ssh] Ban 66.85.166.106

but fail2ban is still not blocking:

Mar 19 10:47:31 server3 postfix/smtpd[29170]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:31 server3 postfix/smtpd[26350]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:32 server3 postfix/smtpd[29170]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:33 server3 postfix/smtpd[30156]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:34 server3 postfix/smtpd[26600]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:34 server3 postfix/smtpd[30156]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:36 server3 postfix/smtpd[26350]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:37 server3 postfix/smtpd[26350]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:39 server3 postfix/smtpd[26600]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:40 server3 postfix/smtpd[30154]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:40 server3 postfix/smtpd[26600]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:43 server3 postfix/smtpd[29165]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:44 server3 postfix/smtpd[29954]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:45 server3 postfix/smtpd[30154]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:46 server3 postfix/smtpd[30154]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:48 server3 postfix/smtpd[29165]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:49 server3 postfix/smtpd[29165]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:49 server3 postfix/smtpd[29954]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:50 server3 postfix/smtpd[29954]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
#5
19th March 2012, 11:22
PermaNoob

I'm testing with

fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf

also tried switching to mail.info

fail2ban-regex /var/log/mail.info /etc/fail2ban/filter.d/sasl.conf

and

[sasl]

enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.info
maxretry = 5

Still no matches, though there are plenty in the log file.
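An added example, not from the thread and not fail2ban's own code: a small Python check that runs the two failregex lines quoted in posts #3 and #4 over constructed log lines in the same format as the mail.log excerpts, the way the fail2ban-regex test in post #5 does, and counts matching lines per host against maxretry = 5. The <HOST> substitution is an approximation of fail2ban's own, the sample addresses are made up, and the third, unanchored regex is a candidate written for this example rather than anything the thread proposes.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the thread's mail.log excerpts
# (addresses and host names are made up; they are not from the thread).
SAMPLE_LOG = """\
Mar 19 10:47:31 server3 postfix/smtpd[29170]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:31 server3 postfix/smtpd[26350]: connect from unknown[192.0.2.10]
Mar 19 10:47:33 server3 postfix/smtpd[30156]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:36 server3 postfix/smtpd[26350]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Mar 19 10:47:39 server3 postfix/smtpd[26600]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:45 server3 postfix/smtpd[30154]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:48 server3 postfix/smtpd[29165]: warning: mail.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
"""

# The two failregex lines quoted in the thread, verbatim.
REGEX_ORIGINAL = r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$"
REGEX_FALKO = r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failure"
# Candidate written for this example (assumption, not from the thread): the lines end in
# "authentication failed: authentication failure", so neither "failed$" nor
# "authentication failure" directly after the mechanism name can match; dropping the anchor does.
REGEX_CANDIDATE = r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"

# What fail2ban substitutes for <HOST> (approximation of the 0.8-era pattern; assumption).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_failregex(failregex):
    """Turn a filter failregex into a Python pattern the way fail2ban-regex does."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def match_hosts(failregex, log_text):
    """Hosts captured from every line the failregex matches, in log order."""
    pattern = compile_failregex(failregex)
    return [m.group("host") for m in map(pattern.search, log_text.splitlines()) if m]


def hosts_to_ban(failregex, log_text, maxretry=5):
    """Hosts whose matched lines reach the jail's maxretry (findtime is ignored here)."""
    counts = defaultdict(int)
    for host in match_hosts(failregex, log_text):
        counts[host] += 1
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in (("original", REGEX_ORIGINAL), ("Falko", REGEX_FALKO), ("candidate", REGEX_CANDIDATE)):
        print(f"{name:9s}: {len(match_hosts(rx, SAMPLE_LOG))} matching lines, ban {hosts_to_ban(rx, SAMPLE_LOG)}")
```

Running it shows zero matching lines for both quoted patterns and five for the candidate against the repeating host, which is what a fail2ban-regex run with "no matches" versus a ban at maxretry = 5 looks like on this log format.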
#6
19th March 2012, 11:42
Lancelot28
Junior Member
 
Join Date: Mar 2012
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts

I think I found the solution in the fail2ban jail.conf.
All times are GMT +2. The time now is 16:39.