#1  
Old 17th June 2011, 10:45
Captain Captain is offline
Fail2ban configuration

Hello!

In auth.log I see this:
Code:
Jun 16 23:46:42 srv saslauthd[1419]: pam_unix(smtp:auth): check pass; user unknown
Jun 16 23:46:42 srv saslauthd[1419]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 16 23:46:44 srv saslauthd[1419]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jun 16 23:46:44 srv saslauthd[1419]: do_auth         : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jun 16 23:46:45 srv saslauthd[1415]: pam_unix(smtp:auth): check pass; user unknown
Jun 16 23:46:45 srv saslauthd[1415]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 16 23:46:47 srv saslauthd[1415]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jun 16 23:46:47 srv saslauthd[1415]: do_auth         : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jun 16 23:46:48 srv saslauthd[1419]: pam_unix(smtp:auth): check pass; user unknown
Jun 16 23:46:48 srv saslauthd[1419]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 16 23:46:50 srv saslauthd[1419]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jun 16 23:46:50 srv saslauthd[1419]: do_auth         : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jun 16 23:46:51 srv saslauthd[1416]: pam_unix(smtp:auth): check pass; user unknown
Jun 16 23:46:51 srv saslauthd[1416]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 16 23:46:54 srv saslauthd[1416]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jun 16 23:46:54 srv saslauthd[1416]: do_auth         : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jun 16 23:46:55 srv saslauthd[1417]: pam_unix(smtp:auth): check pass; user unknown
Jun 16 23:46:55 srv saslauthd[1417]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 16 23:46:57 srv saslauthd[1417]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jun 16 23:46:57 srv saslauthd[1417]: do_auth         : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jun 16 23:46:58 srv saslauthd[1416]: pam_unix(smtp:auth): check pass; user unknown
Jun 16 23:46:58 srv saslauthd[1416]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 16 23:47:00 srv saslauthd[1416]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jun 16 23:47:00 srv saslauthd[1416]: do_auth         : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jun 16 23:47:01 srv saslauthd[1418]: pam_unix(smtp:auth): check pass; user unknown
Jun 16 23:47:01 srv saslauthd[1418]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 16 23:47:04 srv saslauthd[1418]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jun 16 23:47:04 srv saslauthd[1418]: do_auth         : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jun 16 23:47:05 srv saslauthd[1416]: pam_unix(smtp:auth): check pass; user unknown
Jun 16 23:47:05 srv saslauthd[1416]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 16 23:47:07 srv saslauthd[1416]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure

In mail.log:
Code:
warning: unknown[202.109.143.50]: SASL  LOGIN authentification failed: authentification failture
last message repeated 15 times

jail.local:

Code:
#
# Mail servers
#

[postfix]

enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log


[couriersmtp]

enabled  = true
port     = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courierauth]

enabled  = true
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = courierlogin
logpath  = /var/log/mail.log


[sasl]

enabled  = true
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd
filter   = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
logpath  = /var/log/mail.log

sasl.conf:

Code:
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

But fail2ban did not block this IP.

How to solve this problem?
Please help!

Thanks.
  #2  
Old 18th June 2011, 11:56
falko falko is offline

Can you try this line instead?

Code:
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failure
  #3  
Old 28th June 2011, 19:48
Captain Captain is offline

Still have this log:
Code:
Jun 26 21:52:00 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:52:18 itex postfix/smtpd[30207]: last message repeated 2 times
Jun 26 21:52:18 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:52:22 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:52:26 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:52:31 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:52:36 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:52:43 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:52:48 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:52:57 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:53:01 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:53:06 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:53:12 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:53:17 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:53:20 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:53:28 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:53:32 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:53:37 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:53:41 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:53:48 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:53:55 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:53:59 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:54:03 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:54:08 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:54:12 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:54:16 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:54:25 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:54:29 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:54:33 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:54:38 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:54:42 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:54:47 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:54:52 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:54:59 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:55:03 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:55:08 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:55:19 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:55:24 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:55:28 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:55:32 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:55:37 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:55:41 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:55:45 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:55:50 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:55:54 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:56:02 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:56:10 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure

Your post did not help.
Reply With Quote
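
Added example (not part of the thread, and not fail2ban's own code): a Python check of the failregex lines from posts #1 and #2 against the mail.log line in post #3, using the `<HOST>` expansion quoted in the sasl.conf comment. The `relaxed` pattern, the CRAM-MD5 sample line and its 192.0.2.10 address are constructed for illustration.

```python
import re

# <HOST> alias as documented in the sasl.conf comment quoted in post #1.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
PREFIX = (r"(?i): warning: [-._\w]+\[<HOST>\]: "
          r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)")

FILTERS = {
    # failregex from sasl.conf in post #1
    "original": PREFIX + r" authentication failed(: [A-Za-z0-9+/]*={0,2})?$",
    # failregex suggested in post #2
    "suggested": PREFIX + r" authentication failure",
    # Constructed for this example (an assumption, not a shipped filter):
    # match up to "authentication failed" and ignore the reason text after it.
    "relaxed": PREFIX + r" authentication failed",
}

LOG_LINES = [
    # mail.log line from post #3
    "Jun 26 21:52:00 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: "
    "SASL LOGIN authentication failed: authentication failure",
    # Constructed line: the reason text is a single base64-style token, the
    # only form the optional group in the original failregex accepts.
    "Jun 26 21:52:05 itex postfix/smtpd[30207]: warning: unknown[192.0.2.10]: "
    "SASL CRAM-MD5 authentication failed: PDEyMzQ1Njc4OUBleGFtcGxlPg==",
    # auth.log line from post #1: rhost= is empty, so there is no address to ban
    "Jun 16 23:46:42 srv saslauthd[1419]: pam_unix(smtp:auth): authentication "
    "failure; logname= uid=0 euid=0 tty= ruser= rhost=",
]


def banned_host(failregex, line):
    """Return the host a failregex would extract from a line, or None."""
    match = re.compile(failregex.replace("<HOST>", HOST)).search(line)
    return match.group("host") if match else None


def report(lines=LOG_LINES):
    """Map each filter name to the host it extracts from every line."""
    return {name: [banned_host(rx, line) for line in lines]
            for name, rx in FILTERS.items()}


if __name__ == "__main__":
    for name, hosts in report().items():
        print(f"{name:10} {hosts}")
```

On a live system, the `fail2ban-regex` command that ships with fail2ban runs a filter file against a log file and reports which lines match.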