
9th March 2012, 09:35 | Captain, Senior Member | Join Date: Feb 2009 | Posts: 250 | Thanks: 71 | Thanked 5 Times in 4 Posts
SASL LOGIN authentication failed
Hello!
From time to time I see many of these lines in mail.log:
Code:
Mar 9 09:06:57 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar 9 09:07:12 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar 9 09:07:30 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar 9 09:08:02 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar 9 09:08:10 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar 9 09:08:20 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar 9 09:08:31 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar 9 09:08:50 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar 9 09:08:58 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar 9 09:09:20 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar 9 09:09:53 itex postfix/smtpd[5534]: last message repeated 2 times
Mar 9 09:09:53 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar 9 09:10:02 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar 9 09:10:14 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar 9 09:10:35 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar 9 09:10:48 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar 9 09:11:05 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar 9 09:11:13 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar 9 09:11:23 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar 9 09:11:32 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar 9 09:11:44 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Where mail.domain.com is the domain of my server and 1.2.3.4 is the IP of my server.
chkrootkit and rkhunter are clean.
And fail2ban doesn't recognize it.
jail.conf
Code:
[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd
filter = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
logpath = /var/log/mail.log
sasl.conf
Code:
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
#failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
In the fail2ban log I have this:
Code:
2012-03-09 13:36:52,832 fail2ban.actions.action: ERROR iptables -N fail2ban-sasl
iptables -A fail2ban-sasl -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200
Is it normal, or is something wrong with the server security?
I have ISPConfig2 final, Ubuntu 10.04.1 LTS.
Thank you!
Last edited by Captain; 9th March 2012 at 12:41.

10th March 2012, 14:21 | falko, Super Moderator | Join Date: Apr 2005 | Location: Lüneburg, Germany | Posts: 41,665 | Thanks: 1,896 | Thanked 2,593 Times in 2,444 Posts
I guess this is the ISPConfig monitor that tries to find out if Postfix is still online. And because localhost is whitelisted in the fail2ban configuration, your host isn't blocked.

12th March 2012, 09:12 | Captain, Senior Member | Join Date: Feb 2009 | Posts: 250 | Thanks: 71 | Thanked 5 Times in 4 Posts
Thank you Falko.
But what can I do with fail2ban?
I tried to solve the problem with fail2ban restarting
and put this line into iptables-multiport.conf
Code:
sleep ${RANDOM:0:1}.${RANDOM: -1:1}
Now the fail2ban restart is fine, but when fail2ban tries to unban I have this log:
Code:
2012-03-12 07:22:00,102 fail2ban.actions: WARNING [sasl] Unban 183.7.88.183
2012-03-12 07:22:00,110 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
2012-03-12 07:22:00,111 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2012-03-12 07:22:03,239 fail2ban.actions.action: ERROR sleep ${RANDOM:0:1}.${RANDOM: -1:1}
iptables -N fail2ban-sasl
iptables -A fail2ban-sasl -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200
2012-03-12 07:22:03,247 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-sasl returned 100

13th March 2012, 20:07 | Captain, Senior Member | Join Date: Feb 2009 | Posts: 250 | Thanks: 71 | Thanked 5 Times in 4 Posts
I don't try to unban manually. It is the fail2ban log file - automatic unban.
And I can't understand this log:
Code:
2012-03-13 19:52:13,396 fail2ban.actions: WARNING [sasl] Ban 59.40.168.253
2012-03-13 19:52:13,407 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
2012-03-13 19:52:13,407 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2012-03-13 19:52:20,137 fail2ban.actions.action: ERROR sleep ${RANDOM:0:1}.${RANDOM: -1:1}
iptables -N fail2ban-sasl
iptables -A fail2ban-sasl -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200
2012-03-13 19:52:20,145 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
2012-03-13 19:52:20,146 fail2ban.actions.action: CRITICAL Unable to restore environment
2012-03-13 19:52:40,167 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:53:13,203 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:53:40,233 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:54:07,262 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:54:33,288 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:54:59,315 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:55:27,345 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:55:53,373 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:56:22,403 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:56:50,433 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:57:17,461 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:57:46,492 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:58:13,519 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:58:41,548 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:59:10,578 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:59:37,607 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 20:00:03,635 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 20:00:30,665 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 20:00:58,696 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 20:01:24,724 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 20:01:52,753 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 20:02:13,775 fail2ban.actions: WARNING [sasl] Unban 59.40.168.253
2012-03-13 20:02:13,798 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
2012-03-13 20:02:13,798 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2012-03-13 20:02:23,736 fail2ban.actions.action: ERROR sleep ${RANDOM:0:1}.${RANDOM: -1:1}
iptables -N fail2ban-sasl
iptables -A fail2ban-sasl -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200
2012-03-13 20:02:23,744 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
2012-03-13 20:02:23,744 fail2ban.actions.action: CRITICAL Unable to restore environment
2012-03-13 20:02:24,746 fail2ban.actions: WARNING [sasl] Ban 59.40.168.253
2012-03-13 20:02:24,756 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
2012-03-13 20:02:24,757 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2012-03-13 20:02:27,885 fail2ban.actions.action: ERROR sleep ${RANDOM:0:1}.${RANDOM: -1:1}
iptables -N fail2ban-sasl
iptables -A fail2ban-sasl -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200
2012-03-13 20:02:27,897 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
2012-03-13 20:02:27,897 fail2ban.actions.action: CRITICAL Unable to restore environment
2012-03-13 20:02:47,920 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 20:12:25,530 fail2ban.actions: WARNING [sasl] Unban 59.40.168.253
2012-03-13 20:12:25,539 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
2012-03-13 20:12:25,539 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2012-03-13 20:12:28,599 fail2ban.actions.action: ERROR sleep ${RANDOM:0:1}.${RANDOM: -1:1}
iptables -N fail2ban-sasl
iptables -A fail2ban-sasl -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200
2012-03-13 20:12:28,606 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
It means that the IP is banned.
But in mail.warn I see this:
Code:
Mar 13 19:59:58 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:00:02 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:03 itex postfix/smtpd[14253]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:00:08 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:10 itex postfix/smtpd[15442]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:00:14 itex postfix/smtpd[15442]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:15 itex postfix/smtpd[14253]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:00:19 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:20 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:00:24 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:26 itex postfix/smtpd[15442]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:00:29 itex postfix/smtpd[15442]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:31 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:00:34 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:35 itex postfix/smtpd[14253]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:00:39 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:40 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:00:47 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:48 itex postfix/smtpd[15442]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:00:52 itex postfix/smtpd[15442]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:53 itex postfix/smtpd[14253]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:00:57 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:59 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:01:03 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:01:04 itex postfix/smtpd[15442]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:01:08 itex postfix/smtpd[15442]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:01:09 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:01:13 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:01:14 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:01:18 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:01:19 itex postfix/smtpd[14253]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:01:23 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:01:24 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:01:28 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:01:30 itex postfix/smtpd[15442]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:01:34 itex postfix/smtpd[15442]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:01:35 itex postfix/smtpd[14253]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:01:40 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:01:41 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
It means that this IP tries to connect and iptables does not block it!
How can I block this IP? I need this IP to be unable to connect.
Falko, can you help me to solve this problem?
Big thanks.
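The fail2ban.log excerpts in this post and the previous one show "Ban" being logged and the action commands failing straight afterwards; reading that by eye across many bans is error-prone, so here is an added Python example (not code from the thread or from fail2ban) that audits such a log: it folds the multi-line action error into one record, attributes errors to the Ban that precedes them, decodes the "returned 100" / "returned 200" codes, and reports which bans never reached iptables. Assumptions: fail2ban 0.8 logs the os.system() wait status in hex, so "100" is shell exit status 1 (grep -q found no fail2ban-sasl reference in INPUT) and "200" is exit status 2 from iptables; errors within 30 seconds of a Ban belong to it; and the Ban/Unban of 192.0.2.10 is a constructed clean event added for contrast. The first Ban and its error chain are modelled on the posted log.

```python
import re
from datetime import datetime, timedelta

TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
BAN_RE = re.compile(r"^(?P<ts>\S+ \S+) fail2ban\.actions: WARNING "
                    r"\[(?P<jail>[^\]]+)\] (?P<what>Ban|Unban) (?P<ip>\S+)$")
ERR_RE = re.compile(r"^(?P<ts>\S+ \S+) fail2ban\.actions\.action: "
                    r"(?P<level>ERROR|CRITICAL) (?P<msg>.*)$")
RET_RE = re.compile(r" returned ([0-9a-f]+)$")

# Constructed sample: the first Ban and its error chain follow the log posted in
# the thread; the Ban/Unban of 192.0.2.10 is a made-up clean event for contrast.
SAMPLE_FAIL2BAN_LOG = """\
2012-03-13 19:52:13,396 fail2ban.actions: WARNING [sasl] Ban 59.40.168.253
2012-03-13 19:52:13,407 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
2012-03-13 19:52:13,407 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2012-03-13 19:52:20,137 fail2ban.actions.action: ERROR sleep ${RANDOM:0:1}.${RANDOM: -1:1}
iptables -N fail2ban-sasl
iptables -A fail2ban-sasl -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200
2012-03-13 19:52:20,145 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
2012-03-13 19:52:20,146 fail2ban.actions.action: CRITICAL Unable to restore environment
2012-03-13 19:52:40,167 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 20:30:00,000 fail2ban.actions: WARNING [sasl] Ban 192.0.2.10
2012-03-13 20:40:00,000 fail2ban.actions: WARNING [sasl] Unban 192.0.2.10
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S,%f")


def decode_retcode(hexcode):
    """Assumption: fail2ban 0.8 logs the os.system() wait status in hex, so the
    shell exit status is the high byte: '100' -> 1 (grep -q: no match), '200' -> 2."""
    return int(hexcode, 16) >> 8


def iter_records(log_text):
    """Turn the log into (timestamp, kind, payload) records; a line without a
    timestamp is a continuation of the previous multi-line action error."""
    records = []
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if m:
            records.append((parse_ts(m["ts"]), m["what"].lower(),
                            {"jail": m["jail"], "ip": m["ip"]}))
            continue
        m = ERR_RE.match(line)
        if m:
            records.append((parse_ts(m["ts"]), "error",
                            {"level": m["level"], "msg": m["msg"]}))
            continue
        if records and records[-1][1] == "error" and not TS_RE.match(line):
            records[-1][2]["msg"] += "\n" + line   # fold continuation into the error
    return records


def audit_bans(log_text, grace=timedelta(seconds=30)):
    """One dict per Ban: enforced=False when the action commands around it failed;
    failures lists (command, exit status) for every 'returned ...' error."""
    results, current = [], None
    for ts, kind, payload in iter_records(log_text):
        if kind in ("ban", "unban"):
            current = None
            if kind == "ban":
                current = {"ts": ts, "jail": payload["jail"], "ip": payload["ip"],
                           "enforced": True, "failures": []}
                results.append(current)
            continue
        if current is None or ts - current["ts"] > grace:
            continue                      # error not attributable to a recent Ban
        m = RET_RE.search(payload["msg"])
        if m:
            last = payload["msg"].splitlines()[-1]
            current["failures"].append((RET_RE.sub("", last), decode_retcode(m.group(1))))
        if m or payload["level"] == "CRITICAL" or "Invariant check failed" in payload["msg"]:
            current["enforced"] = False
    return results


if __name__ == "__main__":
    for ban in audit_bans(SAMPLE_FAIL2BAN_LOG):
        state = "enforced" if ban["enforced"] else "NOT enforced"
        print(f"{ban['ts']} [{ban['jail']}] Ban {ban['ip']}: {state}")
        for cmd, code in ban["failures"]:
            print(f"    exit {code}: {cmd}")
```

A Ban reported as NOT enforced was logged by fail2ban but never produced an iptables rule, which is exactly what the mail.warn lines above show: 59.40.168.253 keeps connecting during its supposed ban. The pattern in the posted log, actioncheck failing (exit 1 from grep -q) immediately after fail2ban's own actionstart also failed (exit 2 from iptables), points at the fail2ban-sasl chain not being present in the filter table at all, so the first thing to verify on the host is `iptables -n -L` for that chain and whether another firewall script rewrites INPUT after fail2ban starts.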