Fail2ban postfix-sasl does not exist

Discussion in 'Installation/Configuration' started by webcimes, Feb 7, 2020.

  1. webcimes

    webcimes New Member

    Hi,
    I just started a new server (with Debian 10 and the latest ISPConfig), and after looking into my log I see that I have lots of wrong logins like:
    Code:
    postfix/smtpd[1094]: connect from unknown[92.118.38.57]
    postfix/smtpd[1094]: warning: unknown[92.118.38.57]: SASL LOGIN authentication failed
    So I looked into fail2ban and I see that postfix-sasl doesn't work.

    I have these lines in my jail.local (I have just added the [postfix] rules, but it also doesn't work without them):

    Code:
    [pureftpd]
    enabled = true
    port = ftp
    filter = pure-ftpd
    logpath = /var/log/syslog
    maxretry = 3
    
    [postfix]
    enabled  = true
    port     = smtp,submission,smtps,smtpd
    filter   = postfix
    logpath  = /var/log/mail.log
    maxretry = 5
    
    [postfix-sasl]
    enabled = true
    port = smtp
    filter = postfix-sasl
    logpath = /var/log/mail.log
    maxretry = 5
    If I do a "fail2ban-client status", I get :
    Code:
    - Number of jail:      3
    Jail list:   postfix, pureftpd, sshd

    If I do a "fail2ban-client status postfix-sasl", I get :
    Code:
    NOK: ('postfix-sasl',)
    Sorry but the jail 'postfix-sasl' does not exist
    If I do a "fail2ban-client status postfix", I get :
    Code:
    Status for the jail: postfix
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/mail.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    So I don't understand why fail2ban doesn't work for postfix (but it works for ssh); the hackers/bots are not banned. Can you help me with this?

    Thanks
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Does postfix-sasl appear in jails after
    Code:
    systemctl restart fail2ban
    If not, try just this in jail.local for postfix-sasl
    Code:
    [postfix-sasl]
    enabled = true
    
    Or this

    Code:
    [postfix-sasl]
    enabled = false
    port = smtp
    filter = postfix[mode=auth]
    logpath = /var/log/mail.log
    maxretry = 3
     
  3. webcimes

    webcimes New Member

    Thanks for your help,

    No, I have tried but it's the same

    It's working ! :) With just
    Code:
    enabled = true
    (and it banned many users, so it seems to be working). Maybe it's because of
    Code:
    filter = postfix-sasl
    ?

    Because when I go into the "filter.d" folder I don't see postfix-sasl:

    What do you think ?
     
  4. Zague

    Zague New Member

    I have that filter in my server /etc/fail2ban/filter.d/postfix-sasl.conf
    Code:
    # Fail2Ban filter for postfix authentication failures
    #
    
    [INCLUDES]
    
    before = common.conf
    
    [Definition]
    
    _daemon = postfix/(submission/)?smtp(d|s)
    
    failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$
    
    ignoreregex = authentication failed: Connection lost to authentication server$
    
    [Init]
    
    journalmatch = _SYSTEMD_UNIT=postfix.service
    
    
    # Author: Yaroslav Halchenko
    ignoreregex =
     
  5. webcimes

    webcimes New Member

    Great, thanks for the file. It was what I was thinking, but I don't understand why this file doesn't exist on my fresh install.
    So I created this file, pasted your content, and set the rule in jail.local like it was before, and everything seems to work like this: "fail2ban-client status" shows the "postfix-sasl" rule, and the rule works well (many users banned).
     
    Zague likes this.
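
The situation resolved above, a jail in jail.local naming a filter that has no file in filter.d, can be checked before restarting fail2ban. This is an added example, not part of the original posts or of fail2ban itself; `missing_filters`, `demo` and the sample layout are constructed for illustration, and only jail.local is read, so jails that take their filter from jail.conf are skipped.

```python
import configparser
import re
import tempfile
from pathlib import Path

# Constructed sample modelled on the jail.local quoted in the first post.
SAMPLE_JAIL_LOCAL = """\
[pureftpd]
enabled = true
filter = pure-ftpd
[postfix]
enabled = true
filter = postfix
[postfix-sasl]
enabled = true
filter = postfix-sasl
"""

def missing_filters(jail_file, filter_dir):
    """Return {jail: filter} for enabled jails whose filter file is absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(jail_file)
    missing = {}
    for jail in cp.sections():
        opts = cp[jail]
        if opts.get("enabled", "false").strip().lower() not in ("1", "on", "true", "yes"):
            continue
        raw = opts.get("filter")
        if raw is None or "%(" in raw:
            continue  # filter comes from jail.conf; this file alone cannot decide
        name = re.sub(r"\[.*\]$", "", raw.strip())  # postfix[mode=auth] -> postfix
        found = any((Path(filter_dir) / (name + ext)).is_file()
                    for ext in (".conf", ".local"))
        if not found:
            missing[jail] = name
    return missing

def demo(jail_text=SAMPLE_JAIL_LOCAL):
    # Throwaway layout (assumption): filter.d holds only pure-ftpd and postfix.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "filter.d").mkdir()
        for name in ("pure-ftpd", "postfix"):
            (root / "filter.d" / (name + ".conf")).write_text("[Definition]\n")
        (root / "jail.local").write_text(jail_text)
        return missing_filters(root / "jail.local", root / "filter.d")

if __name__ == "__main__":
    print(demo())
```

On a real host the call would be `missing_filters("/etc/fail2ban/jail.local", "/etc/fail2ban/filter.d")`; an empty result means every explicitly named filter has a file.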
  6. Zague

    Zague New Member

    I had my server under attack, so I have to set more aggressive rules in fail2ban. If you need more rules in the future, send me a message and I can share them with you.
    Regards.
     
    webcimes likes this.
  7. recin

    recin Member

    Why not share them here?
     
