#1 | 9th March 2012, 10:35 | Captain (Senior Member, joined Feb 2009)
SASL LOGIN authentication failed

Hello!

From time to time I see many of these entries in mail.log:
Code:
Mar  9 09:06:57 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:07:12 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:07:30 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:08:02 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:08:10 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:08:20 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:08:31 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:08:50 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:08:58 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:09:20 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:09:53 itex postfix/smtpd[5534]: last message repeated 2 times
Mar  9 09:09:53 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:10:02 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:10:14 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:10:35 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:10:48 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:11:05 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:11:13 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:11:23 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:11:32 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:11:44 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Here mail.domain.com is my server's domain and 1.2.3.4 is my server's IP.

chkrootkit and rkhunter are clean.

And fail2ban doesn't recognize it.
jail.conf
Code:
[sasl]

enabled  = true
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd
filter   = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
logpath  = /var/log/mail.log
sasl.conf

Code:
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
#failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
The fail2ban log has this:

Code:
2012-03-09 13:36:52,832 fail2ban.actions.action: ERROR  iptables -N fail2ban-sasl
iptables -A fail2ban-sasl -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200


Is this normal, or is something wrong with the server's security?
I have ISPConfig 2 final on Ubuntu 10.04.1 LTS.

Thank you!

Last edited by Captain; 9th March 2012 at 13:41.
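As an added example (not part of the thread), the active failregex from the posted sasl.conf run over a constructed sample of mail.log lines modelled on the ones above. It expands fail2ban 0.8's <HOST> alias quoted in the filter header, applies the regex to the whole line the way fail2ban 0.8 does, counts matches per host, and then applies a jail-style ignoreip list. The point it shows: the own-server lines do match the filter, so the only thing that keeps 1.2.3.4 out of the ban list is ignoreip, and fail2ban's shipped default is ignoreip = 127.0.0.1 only. A monitor that connects to the public address rather than to localhost needs that address added to ignoreip explicitly. The sample lines, maxretry = 3 and the ignoreip values are constructed for the example.

```python
import re
from collections import Counter

# fail2ban 0.8 replaces the <HOST> tag in a failregex with this alias
# (quoted in the header of the posted sasl.conf); we substitute it by hand.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The uncommented failregex from the posted sasl.conf, with <HOST> expanded.
FAILREGEX = re.compile(
    r"(?i): warning: [-._\w]+\[" + HOST_ALIAS + r"\]: SASL "
    r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
)

# Constructed sample of mail.log lines, modelled on the ones in the thread.
# The "hostname ... verification failed" and "connect from" lines are there
# to show that the filter ignores them.
SAMPLE_LOG = """\
Mar  9 09:06:57 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:07:12 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:07:30 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar 13 19:59:58 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:00:02 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:08 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:14 itex postfix/smtpd[15442]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:19 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL PLAIN authentication failed: authentication failure
Mar 13 20:00:21 itex postfix/smtpd[14253]: connect from mail.domain.com[1.2.3.4]
"""


def match_failures(lines):
    """Return a Counter of host -> number of lines the failregex matched."""
    hits = Counter()
    for line in lines:
        # fail2ban 0.8 searches the whole line; the regex is not anchored.
        m = FAILREGEX.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(lines, ignoreip=("127.0.0.1",), maxretry=3):
    """Hosts that reached maxretry and are not covered by the ignoreip list.

    The default ignoreip mirrors fail2ban's shipped jail.conf (127.0.0.1 only);
    the own-server address is NOT covered unless it is added explicitly.
    """
    hits = match_failures(lines)
    return sorted(h for h, n in hits.items() if n >= maxretry and h not in ignoreip)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(match_failures(lines))
    print("default ignoreip      :", hosts_to_ban(lines))
    print("own IP added to ignore:", hosts_to_ban(lines, ignoreip=("127.0.0.1", "1.2.3.4")))
```

With the default ignoreip the own-server address 1.2.3.4 is listed for banning alongside the real attacker; adding it to ignoreip leaves only 59.40.168.253. On a real host, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf` gives the same match count against the live log.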
#2 | 10th March 2012, 15:21 | falko (Super Moderator, Lüneburg, Germany, joined Apr 2005)

I guess this is the ISPConfig monitor that tries to find out if Postfix is still online. And because localhost is whitelisted in the fail2ban configuration, your host isn't blocked.
__________________
Falko
#3 | 12th March 2012, 10:12 | Captain (Senior Member)

Thank you Falko.

But what can I do about fail2ban?

I tried to solve the problem with fail2ban restarting
and added this line to iptables-multiport.conf:
Code:
sleep ${RANDOM:0:1}.${RANDOM: -1:1}
Now fail2ban restarts fine, but when fail2ban tries to unban I get this in the log:

Code:
2012-03-12 07:22:00,102 fail2ban.actions: WARNING [sasl] Unban 183.7.88.183
2012-03-12 07:22:00,110 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
2012-03-12 07:22:00,111 fail2ban.actions.action: ERROR  Invariant check failed. Trying to restore a sane environment
2012-03-12 07:22:03,239 fail2ban.actions.action: ERROR  sleep ${RANDOM:0:1}.${RANDOM: -1:1}
iptables -N fail2ban-sasl
iptables -A fail2ban-sasl -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200
2012-03-12 07:22:03,247 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
#4 | 13th March 2012, 17:49 | falko (Super Moderator)

How do you try to unban an IP? I suggest you try this method: http://www.howtoforge.com/forums/showthread.php?t=51366
#5 | 13th March 2012, 21:07 | Captain (Senior Member)

I don't try to unban manually. It is the fail2ban log file: an automatic unban.

And I can't understand this log:
Code:
2012-03-13 19:52:13,396 fail2ban.actions: WARNING [sasl] Ban 59.40.168.253
2012-03-13 19:52:13,407 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
2012-03-13 19:52:13,407 fail2ban.actions.action: ERROR  Invariant check failed. Trying to restore a sane environment
2012-03-13 19:52:20,137 fail2ban.actions.action: ERROR  sleep ${RANDOM:0:1}.${RANDOM: -1:1}
iptables -N fail2ban-sasl
iptables -A fail2ban-sasl -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200
2012-03-13 19:52:20,145 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
2012-03-13 19:52:20,146 fail2ban.actions.action: CRITICAL Unable to restore environment
2012-03-13 19:52:40,167 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:53:13,203 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:53:40,233 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:54:07,262 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:54:33,288 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:54:59,315 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:55:27,345 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:55:53,373 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:56:22,403 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:56:50,433 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:57:17,461 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:57:46,492 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:58:13,519 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:58:41,548 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:59:10,578 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 19:59:37,607 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 20:00:03,635 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 20:00:30,665 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 20:00:58,696 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 20:01:24,724 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 20:01:52,753 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 20:02:13,775 fail2ban.actions: WARNING [sasl] Unban 59.40.168.253
2012-03-13 20:02:13,798 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
2012-03-13 20:02:13,798 fail2ban.actions.action: ERROR  Invariant check failed. Trying to restore a sane environment
2012-03-13 20:02:23,736 fail2ban.actions.action: ERROR  sleep ${RANDOM:0:1}.${RANDOM: -1:1}
iptables -N fail2ban-sasl
iptables -A fail2ban-sasl -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200
2012-03-13 20:02:23,744 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
2012-03-13 20:02:23,744 fail2ban.actions.action: CRITICAL Unable to restore environment
2012-03-13 20:02:24,746 fail2ban.actions: WARNING [sasl] Ban 59.40.168.253
2012-03-13 20:02:24,756 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
2012-03-13 20:02:24,757 fail2ban.actions.action: ERROR  Invariant check failed. Trying to restore a sane environment
2012-03-13 20:02:27,885 fail2ban.actions.action: ERROR  sleep ${RANDOM:0:1}.${RANDOM: -1:1}
iptables -N fail2ban-sasl
iptables -A fail2ban-sasl -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200
2012-03-13 20:02:27,897 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
2012-03-13 20:02:27,897 fail2ban.actions.action: CRITICAL Unable to restore environment
2012-03-13 20:02:47,920 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
2012-03-13 20:12:25,530 fail2ban.actions: WARNING [sasl] Unban 59.40.168.253
2012-03-13 20:12:25,539 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
2012-03-13 20:12:25,539 fail2ban.actions.action: ERROR  Invariant check failed. Trying to restore a sane environment
2012-03-13 20:12:28,599 fail2ban.actions.action: ERROR  sleep ${RANDOM:0:1}.${RANDOM: -1:1}
iptables -N fail2ban-sasl
iptables -A fail2ban-sasl -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200
2012-03-13 20:12:28,606 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
It means that the IP is banned.
But in mail.warn I see this:

Code:
Mar 13 19:59:58 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:00:02 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:03 itex postfix/smtpd[14253]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:00:08 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:10 itex postfix/smtpd[15442]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:00:14 itex postfix/smtpd[15442]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:15 itex postfix/smtpd[14253]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:00:19 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:20 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:00:24 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:26 itex postfix/smtpd[15442]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:00:29 itex postfix/smtpd[15442]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:31 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:00:34 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:35 itex postfix/smtpd[14253]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:00:39 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:40 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:00:47 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:48 itex postfix/smtpd[15442]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:00:52 itex postfix/smtpd[15442]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:53 itex postfix/smtpd[14253]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:00:57 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:59 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:01:03 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:01:04 itex postfix/smtpd[15442]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:01:08 itex postfix/smtpd[15442]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:01:09 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:01:13 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:01:14 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:01:18 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:01:19 itex postfix/smtpd[14253]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:01:23 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:01:24 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:01:28 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:01:30 itex postfix/smtpd[15442]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:01:34 itex postfix/smtpd[15442]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:01:35 itex postfix/smtpd[14253]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:01:40 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:01:41 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
It means that this IP tries to connect and iptables does not block it!

How can I block this IP? I need this IP to be unable to connect.

Falko, can you help me solve this problem?

Big thanks.
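The fail2ban log in posts #3 and #5 explains why the bans do not bite, and the check below, added here as an example and not from the thread, turns that reading into something that can be run over the two logs. fail2ban 0.8 logs os.system()'s raw wait status in hex after "returned", so `grep -q fail2ban-sasl returned 100` is exit code 1 (no fail2ban-sasl jump in INPUT) and `iptables -I INPUT ... returned 200` is exit code 2, the status iptables uses for a command-line error (an unresolvable port name in --dports, for instance). The actionstart never installs the jump into INPUT, so every Ban is recorded but nothing is filtered, which is exactly what the mail.warn excerpt shows. The code decodes those statuses, pairs each Ban with its following Unban, and counts SASL failures from the banned IP logged in between; a non-zero count means the ban was not in effect. The fail2ban and mail.warn samples are constructed from the lines in the thread; the year is passed in because syslog timestamps carry none.

```python
import re
from datetime import datetime

# fail2ban 0.8 ban/unban events: "fail2ban.actions: WARNING [sasl] Ban 1.2.3.4"
F2B_EVENT = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions: WARNING "
    r"\[(?P<jail>\w+)\] (?P<verb>Ban|Unban) (?P<ip>\d+(?:\.\d+){3})$"
)
# A failed action command. The trailing number is os.system()'s wait status
# printed with %x; multi-line actions only carry the prefix on their first line.
F2B_RETURNED = re.compile(
    r"^(?:.*?(?:ERROR|CRITICAL)\s+)?(?P<cmd>.+?) returned (?P<status>[0-9a-fA-F]+)$"
)
# Postfix SASL failure in mail.log / mail.warn (syslog timestamp, no year).
MAIL_SASL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(?P<ip>\d+(?:\.\d+){3})\]: SASL \w+ authentication failed"
)

# Constructed samples, modelled on the excerpts in the thread.
F2B_SAMPLE = """\
2012-03-13 19:52:13,396 fail2ban.actions: WARNING [sasl] Ban 59.40.168.253
2012-03-13 19:52:13,407 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
2012-03-13 19:52:13,407 fail2ban.actions.action: ERROR  Invariant check failed. Trying to restore a sane environment
2012-03-13 19:52:20,137 fail2ban.actions.action: ERROR  sleep ${RANDOM:0:1}.${RANDOM: -1:1}
iptables -N fail2ban-sasl
iptables -A fail2ban-sasl -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200
2012-03-13 19:52:20,146 fail2ban.actions.action: CRITICAL Unable to restore environment
2012-03-13 20:02:13,775 fail2ban.actions: WARNING [sasl] Unban 59.40.168.253
"""
MAIL_SAMPLE = """\
Mar 13 19:59:58 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:00:02 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:08 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:14 itex postfix/smtpd[15442]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:19 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:03:00 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
"""


def decode_wait_status(hexstatus):
    """Turn fail2ban's hex wait status back into exit code and signal number.

    '100' -> exit 1 (grep -q: no fail2ban-sasl jump in INPUT)
    '200' -> exit 2 (iptables: command-line/parameter error)
    """
    status = int(hexstatus, 16)
    return {"exit_code": (status >> 8) & 0xFF, "signal": status & 0x7F}


def parse_fail2ban_log(lines):
    """Return (ban/unban events, [(command, exit_code)] for failed commands)."""
    events, failed = [], []
    for line in lines:
        m = F2B_EVENT.match(line)
        if m:
            events.append({"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                           "verb": m.group("verb"), "ip": m.group("ip")})
            continue
        m = F2B_RETURNED.match(line)
        if m:
            failed.append((m.group("cmd"), decode_wait_status(m.group("status"))["exit_code"]))
    return events, failed


def ineffective_bans(f2b_lines, mail_lines, year):
    """Count SASL failures per banned IP that Postfix logged between Ban and Unban.

    Anything above zero means the iptables rule was not blocking the host.
    """
    events, _ = parse_fail2ban_log(f2b_lines)
    failures = []
    for line in mail_lines:
        m = MAIL_SASL.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            failures.append((ts, m.group("ip")))
    leaked = {}
    for i, ev in enumerate(events):
        if ev["verb"] != "Ban":
            continue
        end = next((e["ts"] for e in events[i + 1:]
                    if e["ip"] == ev["ip"] and e["verb"] == "Unban"), datetime.max)
        n = sum(1 for ts, ip in failures if ip == ev["ip"] and ev["ts"] <= ts < end)
        if n:
            leaked[ev["ip"]] = leaked.get(ev["ip"], 0) + n
    return leaked


if __name__ == "__main__":
    events, failed = parse_fail2ban_log(F2B_SAMPLE.splitlines())
    for cmd, code in failed:
        print(f"exit {code}: {cmd}")
    print("failures logged while 'banned':",
          ineffective_bans(F2B_SAMPLE.splitlines(), MAIL_SAMPLE.splitlines(), 2012))
```

The useful follow-up on the server is to run the failing command exactly as logged, `iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl`, by hand as root and read its stderr; iptables resolves each name in --dports through /etc/services, and `getent services <name>` for each of them shows which one, if any, it cannot resolve. Until actionstart succeeds, `iptables -n -L INPUT` will keep showing no fail2ban-sasl entry and the invariant check will keep failing on every ban and unban; the random sleep added to the action only changes the timing, not the exit code.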