16th July 2013, 17:43
dynamind
Join Date: Mar 2011
Location: Mödling bei Wien
Posts: 62
Thanks: 21
Thanked 9 Times in 6 Posts
fail2ban not working?

I've been monitoring the mail.log and curiously just in this moment
I found


fail2ban doesn't respond? I had to stop that with iptables drop.

cat /etc/fail2ban/filter.d/sasl.conf
# Fail2Ban configuration file
# Author: Yaroslav Halchenko
# $Revision: 728 $


# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =

cat /etc/fail2ban/jail.local
# Fail2Ban configuration file


banaction = route


enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3


enabled = true
port = smtp
filter = sasl
logpath = /var/log/mail.log
maxretry = 5


enabled = true
port = pop3
filter = courierpop3
logpath = /var/log/mail.log
maxretry = 5


enabled = true
port = pop3s
filter = courierpop3s
logpath = /var/log/mail.log
maxretry = 5


enabled = true
port = imap2
filter = courierimap
logpath = /var/log/mail.log
maxretry = 5


enabled = true
port = imaps
filter = courierimaps
logpath = /var/log/mail.log
maxretry = 5

service fail2ban status
[ ok ] Status of authentication failure monitor:[....] fail2ban is running.


Last edited by dynamind; 16th July 2013 at 18:16. Reason: added more info

14th September 2013, 02:28
alexa6moon
Junior Member
Join Date: Sep 2013
Location: Ukraine Dnipropetrovks
Posts: 3
Thanks: 0
Thanked 0 Times in 0 Posts

I also have some trouble when following the instructions to install ISPConfig 3 on Debian
18 Install fail2ban
/etc/init.d/fail2ban restart
[ ok ] Restarting authentication failure monitor: fail2ban.
I changed
nano /etc/fail2ban/jail.local
filter = pureftpd
filter = pure-ftpd
but it still appears
[ ok ] Restarting authentication failure monitor: fail2ban.

Please, I need help!

Last edited by alexa6moon; 14th September 2013 at 02:33.

14th September 2013, 23:16
MaddinXx
Senior Member
Join Date: Jul 2011
Location: Switzerland
Posts: 200
Thanks: 26
Thanked 65 Times in 48 Posts

Multiple problems here.

1. http://regexr.com?36beu -- the regex doesn't match
2. banaction = route -> is this wanted? Don't know what route does, but it's not IPTables (at least not the default)
3. The restart is fine... nothing wrong there..

You could try:

^.* warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$

15th September 2013, 13:00
scarleo
Junior Member
Join Date: Sep 2013
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts

I'd say go with CSF instead, it is much more powerful than Fail2ban and really easy to set up: http://configserver.com/cp/csf.html

It's almost out of the box, very little configuration needed.

16th September 2013, 21:10
concept21
Senior Member
Join Date: Dec 2011
Posts: 168
Thanks: 32
Thanked 28 Times in 21 Posts

fail2ban sasl filter works for my Ubuntu 10.04.

I have read from other posts here. The procedure is simple.

Edit the failregex line in /etc/fail2ban/filter.d/sasl.conf as:

failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed

Edit /etc/fail2ban/jail.local:

logpath = /var/log/mail.warn

This picture shows how fail2ban blocks hackers attacking from 3 different mail protocols.

Last edited by concept21; 17th September 2013 at 19:38. Reason: Add photo
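
Added example (not part of any post in this thread): a Python check of the three failregex variants quoted above against constructed Postfix-style log lines, counting failures per host against the sasl jail's maxretry = 5. The log lines, dictionary keys and function names are assumptions made for the illustration (the log excerpt from the first post is not on the page), and <HOST> is expanded with the alias given in the filter file's comment.

```python
import re
from collections import Counter

# <HOST> alias as given in the comment of the posted sasl.conf
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The three failregex variants quoted in the thread (key names are made up here)
FAILREGEX = {
    "posted": r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$",
    "anchored_prefix": r"^.* warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$",
    "relaxed": r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
}

# Constructed sample log (documentation IP ranges), not taken from the thread
STAMP = "Jul 16 17:40:0{} mail postfix/smtpd[4711]: "
SAMPLE_LOG = [STAMP.format(0) + "warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"]
SAMPLE_LOG += [
    STAMP.format(i) + "warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure"
    for i in range(1, 6)
]
SAMPLE_LOG.append(STAMP.format(6) + "connect from unknown[198.51.100.23]")


def compile_failregex(failregex):
    """Expand the <HOST> tag and compile (approximation of fail2ban's matcher)."""
    return re.compile(failregex.replace("<HOST>", HOST))


def failures_per_host(failregex, lines):
    """Count matching lines per captured host."""
    rx = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(failregex, lines, maxretry=5):
    """Hosts whose failure count reaches maxretry (findtime is ignored here)."""
    counts = failures_per_host(failregex, lines)
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in FAILREGEX.items():
        print(name, dict(failures_per_host(rx, SAMPLE_LOG)), hosts_to_ban(rx, SAMPLE_LOG))
```

On a live system, fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf runs the same comparison with fail2ban's own matcher.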

18th September 2013, 13:50
SamTzu
HowtoForge Supporter
Join Date: Apr 2007
Location: Helsinki
Posts: 438
Thanks: 34
Thanked 56 Times in 39 Posts

According to their home page CSF may require rewriting some regex rules on Debian. I don't like that at all.

Sami Mattila

Email: firstname.lastname@internet-content.org
Shop: http://shop.internet-content.net
Site: http://www.internet-content.net
Blog: http://www.internet-content.net/en/blog
FB: https://www.facebook.com/internetcontent
