
19th March 2012, 00:16 | Senior Member | Join Date: Jan 2007 | Posts: 159 | Thanks: 11 | Thanked 4 Times in 4 Posts
Way to automatically block SASL LOGIN attacks?
Is there an automatic way to use the firewall, or some other way, to add IPs like this to iptables?
I'm using fail2ban.
Mar 19 00:11:33 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:33 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:33 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:33 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:35 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:35 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:35 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:35 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:37 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:37 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:37 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:38 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:39 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:39 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:39 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:40 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:41 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:41 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:41 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:42 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:43 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:43 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:43 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:44 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:45 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:46 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:46 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
Mar 19 00:11:46 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
Mar 19 00:11:47 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:48 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:48 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]

19th March 2012, 00:31 | Senior Member | Join Date: Jan 2007 | Posts: 159 | Thanks: 11 | Thanked 4 Times in 4 Posts
Did I get this right?
OK, that's why my name is permanoob.
I think I found the solution in the fail2ban jail.conf
Is this correct now?
[postfix]
enabled = true
port = smtp,ssmtp,smtpd
filter = postfix
logpath = /var/log/mail.log
maxretry = 5
[sasl]
enabled = true
port = smtp,ssmtp,smtpd,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.log
maxretry = 5
---------------------------
Must be wrong, because the log shows errors:
2012-03-19 01:12:44,599 fail2ban.jail : INFO Jail 'ssh' started
2012-03-19 01:12:46,013 fail2ban.jail : INFO Jail 'postfix' started
2012-03-19 01:12:46,015 fail2ban.actions.action: ERROR iptables -N fail2ban-postfix
iptables -A fail2ban-postfix -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,smtpd -j fail2ban-postfix returned 200
2012-03-19 01:12:47,439 fail2ban.jail : INFO Jail 'sasl' started
2012-03-19 01:12:47,444 fail2ban.actions.action: ERROR iptables -N fail2ban-sasl
iptables -A fail2ban-sasl -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,smtpd,imap2,imap3,imaps,pop3,pop3s -j fail2ban-sasl returned 200
Last edited by PermaNoob; 19th March 2012 at 01:17.
Reason: addition

19th March 2012, 09:50 | Senior Member | Join Date: Jan 2007 | Posts: 159 | Thanks: 11 | Thanked 4 Times in 4 Posts
Should I replace the following line in sasl.conf
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
with a line Falko posted in another thread
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failure
?
The error was because I had added smtpd to: port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
so now the restart looks ok:
2012-03-19 10:23:26,471 fail2ban.jail : INFO Jail 'ssh' started
2012-03-19 10:23:26,533 fail2ban.jail : INFO Jail 'postfix' started
2012-03-19 10:23:26,593 fail2ban.jail : INFO Jail 'sasl' started
2012-03-19 10:23:29,477 fail2ban.actions: WARNING [ssh] Ban 66.85.166.106
but this IP is still not blocked:
Mar 19 10:37:09 server3 postfix/smtpd[26203]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:37:09 server3 postfix/smtpd[26350]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:37:09 server3 postfix/smtpd[29163]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:37:10 server3 postfix/smtpd[26600]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Last edited by PermaNoob; 19th March 2012 at 10:38.

19th March 2012, 10:49 | Senior Member | Join Date: Jan 2007 | Posts: 159 | Thanks: 11 | Thanked 4 Times in 4 Posts
I replaced
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
with a line Falko posted in another thread
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failure
and restarted:
2012-03-19 10:39:58,879 fail2ban.jail : INFO Jail 'ssh' started
2012-03-19 10:39:58,943 fail2ban.jail : INFO Jail 'postfix' started
2012-03-19 10:39:59,002 fail2ban.jail : INFO Jail 'sasl' started
2012-03-19 10:41:59,885 fail2ban.actions: WARNING [ssh] Ban 66.85.166.106
but fail2ban is still not blocking:
Mar 19 10:47:31 server3 postfix/smtpd[29170]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:31 server3 postfix/smtpd[26350]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:32 server3 postfix/smtpd[29170]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:33 server3 postfix/smtpd[30156]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:34 server3 postfix/smtpd[26600]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:34 server3 postfix/smtpd[30156]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:36 server3 postfix/smtpd[26350]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:37 server3 postfix/smtpd[26350]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:39 server3 postfix/smtpd[26600]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:40 server3 postfix/smtpd[30154]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:40 server3 postfix/smtpd[26600]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:43 server3 postfix/smtpd[29165]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:44 server3 postfix/smtpd[29954]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:45 server3 postfix/smtpd[30154]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:46 server3 postfix/smtpd[30154]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:48 server3 postfix/smtpd[29165]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:49 server3 postfix/smtpd[29165]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:49 server3 postfix/smtpd[29954]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:50 server3 postfix/smtpd[29954]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]

19th March 2012, 11:22 | Senior Member | Join Date: Jan 2007 | Posts: 159 | Thanks: 11 | Thanked 4 Times in 4 Posts
I'm testing with
fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf
also tried switching to mail.info
fail2ban-regex /var/log/mail.info /etc/fail2ban/filter.d/sasl.conf
and
[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.info
maxretry = 5
Still no matches, though there are plenty in the log file.

19th March 2012, 11:42 | Junior Member | Join Date: Mar 2012 | Posts: 4 | Thanks: 0 | Thanked 0 Times in 0 Posts
I think I found the solution in the fail2ban jail.conf.

19th March 2012, 11:49 | Senior Member | Join Date: Jan 2007 | Posts: 159 | Thanks: 11 | Thanked 4 Times in 4 Posts
Quote:
Originally Posted by Lancelot28
 I think I found the solution in the fail2ban jail.conf.
I was wrong, it's still not working.

20th March 2012, 13:52 | Super Moderator | Join Date: Apr 2005 | Location: Lüneburg, Germany | Posts: 41,665 | Thanks: 1,896 | Thanked 2,595 Times in 2,446 Posts
Can you try
Code:
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
(without the $ sign at the end)?
The Following User Says Thank You to falko For This Useful Post:
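To see why the trailing $ matters, here is an added example (not from the thread and not fail2ban's own code) that applies the stock sasl.conf failregex and falko's version without the $ to lines modelled on the Postfix output quoted above, then counts failures per host against the jail's maxretry. The <HOST> expansion is a simplified stand-in for the one fail2ban performs, and the sample log is constructed.

```python
import re
from collections import Counter

# Constructed sample, modelled on the Postfix lines quoted in this thread.
SAMPLE_LOG = """\
Mar 19 00:11:33 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:33 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
Mar 19 00:11:35 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:37 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:39 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 00:11:41 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:37:09 server3 postfix/smtpd[26203]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:38:00 server3 postfix/smtpd[26203]: warning: mail.example.test[192.0.2.10]: SASL PLAIN authentication failed
"""

# Simplified stand-in for the <HOST> expansion fail2ban performs (assumption;
# enough for hostnames and dotted IPv4 addresses like the ones above).
HOST = r"(?P<host>[\w\-.^_]+)"

# The stock sasl.conf line, anchored with $ ...
ANCHORED = (r": warning: [-._\w]+\[<HOST>\]: "
            r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$")
# ... and falko's version with the $ removed.
UNANCHORED = ANCHORED[:-1]


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST))


def match_hosts(failregex, log_text):
    """Hosts captured by failregex, one per matching line, in log order.

    As in fail2ban, the pattern is searched within the line rather than
    anchored at its start, so a trailing $ only matters at the end of the
    line: "authentication failed: authentication failure" cannot satisfy it.
    """
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.search, log_text.splitlines()) if m]


def hosts_to_ban(failregex, log_text, maxretry=5):
    """Hosts whose failure count reaches the jail's maxretry."""
    counts = Counter(match_hosts(failregex, log_text))
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in (("anchored", ANCHORED), ("unanchored", UNANCHORED)):
        print(name, match_hosts(rx, SAMPLE_LOG), "ban:", hosts_to_ban(rx, SAMPLE_LOG))
```

With the $ in place only the one line that ends exactly in "authentication failed" matches, so the repeat offender never reaches maxretry; without it every SASL failure line is counted.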

21st March 2012, 06:31 | Senior Member | Join Date: Jan 2007 | Posts: 159 | Thanks: 11 | Thanked 4 Times in 4 Posts
Quote:
Originally Posted by falko
Can you try
Code:
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
(without the $ sign at the end)?
That worked--Thanks!
2012-03-21 06:25:24,390 fail2ban.jail : INFO Jail 'ssh' started
2012-03-21 06:25:24,462 fail2ban.jail : INFO Jail 'postfix' started
2012-03-21 06:25:24,530 fail2ban.jail : INFO Jail 'sasl' started
2012-03-21 06:34:41,566 fail2ban.actions: WARNING [sasl] Ban 14.208.80.207
Last edited by PermaNoob; 21st March 2012 at 06:37.