#1
14th May 2011, 10:27
eko_taas

sasl / fail2ban vs. postfix/smtpd warnings

I wonder whether fail2ban should also ban IPs trying to contact SMTP?

The Fail2Ban log has only SSH entries for this period:
Code:
...
2011-05-11 18:27:50,277 fail2ban.jail : INFO Jail 'sasl' started
....
2011-05-11 18:41:39,843 fail2ban.actions: WARNING [ssh] Ban 210.114.220.186
2011-05-11 19:11:40,750 fail2ban.actions: WARNING [ssh] Unban 210.114.220.186
2011-05-12 00:46:19,139 fail2ban.actions: WARNING [ssh] Ban 112.137.163.72
2011-05-12 01:16:20,125 fail2ban.actions: WARNING [ssh] Unban 112.137.163.72
...
2011-05-12 07:04:56,836 fail2ban.actions: WARNING [ssh] Ban 122.227.135.143
2011-05-12 07:34:57,763 fail2ban.actions: WARNING [ssh] Unban 122.227.135.143
....
2011-05-12 12:16:09,844 fail2ban.actions: WARNING [ssh] Ban 112.78.1.6
2011-05-12 12:46:10,760 fail2ban.actions: WARNING [ssh] Unban 112.78.1.6
2011-05-12 12:57:46,498 fail2ban.actions: WARNING [ssh] Ban 122.225.101.154
2011-05-12 13:27:47,462 fail2ban.actions: WARNING [ssh] Unban 122.225.101.154
2011-05-12 14:21:34,999 fail2ban.actions: WARNING [ssh] Ban 46.45.147.25
2011-05-12 14:51:35,997 fail2ban.actions: WARNING [ssh] Unban 46.45.147.25
...
But the Mail-Warn log also has several smtpd attempts (e.g. from IP 70.38.23.166) not listed above:
Code:
...
May 12 07:51:48 server1 postfix/smtpd[26044]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:51:51 server1 postfix/smtpd[26071]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:51:54 server1 postfix/smtpd[26073]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:51:57 server1 postfix/smtpd[26074]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:01 server1 postfix/smtpd[26075]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:03 server1 postfix/smtpd[26083]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:07 server1 postfix/smtpd[26084]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:10 server1 postfix/smtpd[26110]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:13 server1 postfix/smtpd[26115]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:16 server1 postfix/smtpd[26116]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:19 server1 postfix/smtpd[26117]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:22 server1 postfix/smtpd[26118]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:25 server1 postfix/smtpd[26119]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:29 server1 postfix/smtpd[26120]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:32 server1 postfix/smtpd[26122]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
May 12 07:52:36 server1 postfix/smtpd[26123]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
...
Any reason why they are not listed/banned? Or should I add something to /etc/fail2ban/jail.local (Debian Squeeze / ISPConfig 3.0.3.3)? It currently has (as in http://www.howtoforge.com/forums/showthread.php?t=52047 ):
Code:
[sasl]
enabled  = true
port     = smtp
filter   = sasl
logpath  = /var/log/mail.log
maxretry = 2
Thanks again for the continued support...

Also, I have been wondering whether I should be worried about these warnings (also from the Mail-Warn log):
Code:
...
May 10 01:50:12 server1 postfix/smtpd[9063]: warning: 92.241.190.69: address not listed for hostname heihachi.net
...
May 12 23:44:14 server1 postfix/smtpd[3545]: warning: 114.42.154.89: hostname 114-42-154-89.dynamic.hinet.net verification failed: Temporary failure in name resolution
...

#2
15th May 2011, 22:05
falko

Quote (originally posted by eko_taas):
Or should I add something to /etc/fail2ban/jail.local

Yes, you need to add a section for sasl.

#3
16th May 2011, 06:29
eko_taas

but section of sasl already exists...

Thanks for the support.
Quote:
Yes, you need to add a section for sasl.

What should I add? I already have (as mentioned above, based on the "perfect server" HOWTO) a sasl section in my /etc/fail2ban/jail.local:

Code:
[sasl]
enabled  = true
port     = smtp
filter   = sasl
logpath  = /var/log/mail.log
maxretry = 2
Also fail2ban starts all services (incl. sasl) - e.g. last restart:
Code:
...
2011-05-15 01:38:53,125 fail2ban.jail   : INFO   Jail 'roundcube' started
2011-05-15 01:38:53,227 fail2ban.jail   : INFO   Jail 'sasl' started
....

#4
17th May 2011, 13:58
falko

Please check if the regex in /etc/fail2ban/filter.d/sasl.conf is correct.

#5
17th May 2011, 16:04
eko_taas

sasl conf

Quote:
Please check if the regex in /etc/fail2ban/filter.d/sasl.conf is correct.

To a newbie, everything looks correct.

/etc/fail2ban/filter.d/sasl.conf and other files (collection):
Code:
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
failregex = pop3d: LOGIN FAILED.*ip=\[.*:<HOST>\]
failregex = pop3d-ssl: LOGIN FAILED.*ip=\[.*:<HOST>\]
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
failregex = imapd-ssl: LOGIN FAILED.*ip=\[.*:<HOST>\]
/etc/fail2ban/filter.d/sasl.conf has:
Code:
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGE$
ignoreregex =
But /etc/fail2ban/filter.d/sasl.conf was not modified at all (see item 17, Fail2ban, in http://www.howtoforge.com/perfect-server-debian-squeeze-with-bind-and-courier-ispconfig-3-p5 ).

What should the line look like? Something like
failregex = sasl: LOGIN FAILED.*ip=\[.*:<HOST>\]
Would it also be better to add/correct this in the instructions (if missing) for the rest of us?

Last edited by till; 17th May 2011 at 17:00.
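
Added example (not part of the thread and not fail2ban's own code): an offline check of whether a failregex matches the postfix lines quoted in post #1 and whether the hits reach maxretry = 2, which is the situation where a jail starts but never bans. The `<HOST>` stand-in is a simplified IPv4-only assumption, `CANDIDATE` is a hypothetical pattern written for this example and not the contents of sasl.conf, and fail2ban's findtime window is ignored.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Log lines copied from the Mail-Warn excerpts in post #1.
LOG = [
    "May 12 07:51:48 server1 postfix/smtpd[26044]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure",
    "May 12 07:51:51 server1 postfix/smtpd[26071]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure",
    "May 12 07:51:54 server1 postfix/smtpd[26073]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure",
    "May 10 01:50:12 server1 postfix/smtpd[9063]: warning: 92.241.190.69: address not listed for hostname heihachi.net",
]

# Pattern proposed in post #5, modelled on the courier filters.
PROPOSED = r"sasl: LOGIN FAILED.*ip=\[.*:<HOST>\]"
# Hypothetical candidate for this example; NOT the shipped sasl.conf regex.
CANDIDATE = r"(?i): warning: [-._\w]+\[<HOST>\]: SASL [-\w]+ authentication failed"


def compile_failregex(failregex):
    """Expand the <HOST> tag the way a filter would before compiling."""
    return re.compile(failregex.replace("<HOST>", HOST))


def failures_per_host(failregex, lines):
    """Count matching lines per captured host address."""
    rx = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def would_ban(failregex, lines, maxretry=2):
    """Hosts whose failure count reaches maxretry (findtime ignored)."""
    counts = failures_per_host(failregex, lines)
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in (("proposed", PROPOSED), ("candidate", CANDIDATE)):
        print(name, dict(failures_per_host(rx, LOG)), would_ban(rx, LOG))
```

On the server itself, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf` runs the same kind of check against the real filter file and log.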
All times are GMT +2.

