E-Mail warn-log SASL LOGIN authentication failed:

Discussion in 'Installation/Configuration' started by Robin.k, Sep 18, 2020.

  1. Robin.k

    Robin.k Member

    Hi, I get a lot of "E-Mail warn-log SASL LOGIN authentication failed:" notifications.
    What is the best way to block them?
    Is there a way that, if the same IP address gives this notification 5 times, it automatically blocks
    this IP address?

    Thanks
    Robin
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    If you have installed your server following the Perfect Server guide, Fail2Ban should be installed. Open /etc/fail2ban/jail.local, search for the jail postfix-sasl, and enable it. Restart fail2ban after that.
     
  3. Robin.k

    Robin.k Member

    Hi, I checked this and it is "true"

    [postfix-sasl]
    enabled = true
    port = smtp
    filter = postfix-sasl
    logpath = /var/log/mail.log
    maxretry = 5

    But the warning log gives me always:
    static postfix/smtpd[2868]: warning: unknown[xx.xx.xx.36]: SASL LOGIN authentication failed:

    In postfix-sasl is written "port = smtp"
    Do I have to add also the lines with "port = smtpd" ?

    [postfix-sasl]
    enabled = true
    port = smtpd
    filter = postfix-sasl
    logpath = /var/log/mail.log
    maxretry = 5

    Thanks
    Robin
     
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    It is normal that you receive those logs, but the IP's should be banned after 5 tries now. Can you share the content of your jail.local within code tags, so it's readable? (Insert -> Code)
     
  5. Robin.k

    Robin.k Member

    When I open the file /etc/fail2ban/jail.local, this is all I see

    Code:
    [pureftpd]
    enabled = true
    port = ftp
    filter = pure-ftpd
    logpath = /var/log/syslog
    maxretry = 3
    
    [postfix-sasl]
    enabled = true
    port = smtp
    filter = postfix-sasl
    logpath = /var/log/mail.log
    maxretry = 5
     
    Last edited: Sep 18, 2020
  6. Robin.k

    Robin.k Member

    The file /etc/fail2ban/filter.d/postfix-sasl.conf gives me
    Code:
    # Fail2Ban filter for postfix authentication failures
    #
    
    [INCLUDES]
    
    before = common.conf
    
    [Definition]
    
    _daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
    
    failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
    
    ignoreregex = authentication failed: Connection lost to authentication server$
    
    [Init]
    
    journalmatch = _SYSTEMD_UNIT=postfix.service
    
    
    # Author: Yaroslav Halchenko
    
     
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    That's probably your problem; the default action set in jail.conf is not great:
    Code:
    [DEFAULT]
    
    banaction = iptables-multiport
    action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
    action = %(action_)s
    
    So if you specify a port= in a jail, that's the only port which is blocked. Sometimes that might make sense, e.g. a jail that matches spam email might only block port 25, but most of the time the jails are catching malicious traffic/hacking, and it doesn't make sense to allow the client IP to continue abusing other services/ports. There's a lot of config you can do with fail2ban, but at least start your jail.local with something like:
    Code:
    [DEFAULT]
    
    # add any ip's you absolutely shouldn't block (other ispconfig servers and admin)
    ignoreip = 127.0.0.1 xx.xx.xx.xx/32
    destemail = [email protected]
    sender = [email protected]
    banaction = %(banaction_allports)s
    
    Or you could see what else you find in /etc/fail2ban/action.d/, and/or write your own actions to be more efficient or take other actions. Also note the other action definitions in jail.conf, which e.g. combine a ban with emailing the admin, etc. - you might want to use those with specific jails.
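    The posts above leave two things implicit: what the postfix-sasl filter in post #6 actually matches (including the log line quoted in post #3, which ends in a bare "failed:"), and how the jail's maxretry/findtime turns those matches into a ban before any banaction runs. The script below is an added example, not code from this thread or from the fail2ban project. It re-implements the thread's failregex and ignoreregex in Python over a constructed mail.log excerpt (the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges, not real clients) and applies the counting rule fail2ban uses: a host is banned once it has maxretry matching lines within findtime seconds. The __prefix_line stand-in is an assumption that covers the syslog timestamp, hostname and daemon tag; the real one lives in common.conf.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed stand-in for fail2ban's __prefix_line (common.conf): optional syslog
# timestamp, optional hostname, then the _daemon tag from the filter in post #6.
PREFIX = (r'^(?:\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} )?(?:\S+ )?'
          r'postfix(?:-\w+)?/(?:submission/|smtps/)?smtp[ds]\[\d+\]: ')

# The failregex from filter.d/postfix-sasl.conf; (?i:...) scopes the
# case-insensitivity so the pattern is valid in current Python versions.
FAILREGEX = re.compile(
    PREFIX
    + r'warning: [-._\w]+\[(?P<host>[^\]]+)\]: SASL '
    + r'((?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)) authentication failed'
    + r'(:[ A-Za-z0-9+/:]*={0,2})?\s*$'
)
IGNOREREGEX = re.compile(r'authentication failed: Connection lost to authentication server$')

# Constructed log excerpt in the shape of the line quoted in post #3.
SAMPLE_LOG = """\
Sep 18 10:00:01 static postfix/smtpd[2868]: warning: unknown[203.0.113.36]: SASL LOGIN authentication failed:
Sep 18 10:00:03 static postfix/smtpd[2868]: warning: unknown[203.0.113.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 18 10:00:05 static postfix/smtpd[2868]: warning: unknown[203.0.113.36]: SASL PLAIN authentication failed:
Sep 18 10:00:07 static postfix/smtpd[2868]: warning: unknown[203.0.113.36]: SASL LOGIN authentication failed: Connection lost to authentication server
Sep 18 10:00:09 static postfix/smtpd[2868]: warning: unknown[203.0.113.36]: SASL LOGIN authentication failed:
Sep 18 10:00:11 static postfix/smtpd[2868]: warning: unknown[203.0.113.36]: SASL LOGIN authentication failed:
Sep 18 10:01:00 static postfix/submission/smtpd[2900]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed:
Sep 18 10:01:30 static postfix/smtpd[2900]: connect from unknown[198.51.100.7]
Sep 18 10:02:00 static postfix/smtpd[2901]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed:
"""


def parse_timestamp(line):
    """Parse the 15-character syslog timestamp at the start of a line."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def matching_failures(lines):
    """Yield (timestamp, host) for every line the jail would count as a failure.

    ignoreregex is checked first, exactly as fail2ban does, so the
    'Connection lost to authentication server' line is dropped even though
    failregex would otherwise match it.
    """
    for line in lines:
        if IGNOREREGEX.search(line):
            continue
        m = FAILREGEX.match(line)
        if m:
            yield parse_timestamp(line), m.group('host')


def bans(lines, maxretry=5, findtime=600):
    """Return {host: ban_time} using fail2ban's counting rule (simplified).

    A host is banned at the moment its maxretry-th failure lands inside a
    sliding window of findtime seconds. Failures after a ban are ignored.
    """
    window = defaultdict(list)
    banned = {}
    for ts, host in matching_failures(lines):
        if host in banned:
            continue
        recent = [t for t in window[host] if ts - t <= timedelta(seconds=findtime)]
        recent.append(ts)
        window[host] = recent
        if len(recent) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ts, host in matching_failures(lines):
        print(f"{ts:%H:%M:%S} failure from {host}")
    for host, ts in bans(lines).items():
        print(f"ban {host} at {ts:%H:%M:%S} (maxretry=5, findtime=600)")
```

With the thread's jail settings (maxretry = 5) only 203.0.113.36 is banned, at its fifth counted failure; 198.51.100.7 has two failures and stays unbanned, and the "connect from" line never counts. Whether that ban then covers only port 25 or every port is decided by banaction, which is the point of post #7: the counting above is the same either way. Against a live server the equivalent check is fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-sasl.conf, which reports how many lines the filter matched.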
     
  8. Robin.k

    Robin.k Member

    Thanks for the info, I'll experiment with it.
     
