sasl / fail2ban vs. postfix/smtpd warnings)

Discussion in 'Installation/Configuration' started by eko_taas, May 14, 2011.

  1. eko_taas

    eko_taas New Member

    I wonder whether fail2ban should also ban IPs trying to contact smtp?

    The Fail2Ban log has only SSH entries for this period:
    Code:
    ...
    2011-05-11 18:27:50,277 fail2ban.jail : INFO Jail 'sasl' started
    ....
    2011-05-11 18:41:39,843 fail2ban.actions: WARNING [ssh] Ban 210.114.220.186
    2011-05-11 19:11:40,750 fail2ban.actions: WARNING [ssh] Unban 210.114.220.186
    2011-05-12 00:46:19,139 fail2ban.actions: WARNING [ssh] Ban 112.137.163.72
    2011-05-12 01:16:20,125 fail2ban.actions: WARNING [ssh] Unban 112.137.163.72
    ...
    2011-05-12 07:04:56,836 fail2ban.actions: WARNING [ssh] Ban 122.227.135.143
    2011-05-12 07:34:57,763 fail2ban.actions: WARNING [ssh] Unban 122.227.135.143
    ....
    2011-05-12 12:16:09,844 fail2ban.actions: WARNING [ssh] Ban 112.78.1.6
    2011-05-12 12:46:10,760 fail2ban.actions: WARNING [ssh] Unban 112.78.1.6
    2011-05-12 12:57:46,498 fail2ban.actions: WARNING [ssh] Ban 122.225.101.154
    2011-05-12 13:27:47,462 fail2ban.actions: WARNING [ssh] Unban 122.225.101.154
    2011-05-12 14:21:34,999 fail2ban.actions: WARNING [ssh] Ban 46.45.147.25
    2011-05-12 14:51:35,997 fail2ban.actions: WARNING [ssh] Unban 46.45.147.25
    ...
    but the Mail-Warn log also has several smtpd trials (e.g. from IP 70.38.23.166) not listed above:
    Code:
    ...
    May 12 07:51:48 server1 postfix/smtpd[26044]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
    May 12 07:51:51 server1 postfix/smtpd[26071]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
    May 12 07:51:54 server1 postfix/smtpd[26073]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
    May 12 07:51:57 server1 postfix/smtpd[26074]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
    May 12 07:52:01 server1 postfix/smtpd[26075]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
    May 12 07:52:03 server1 postfix/smtpd[26083]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
    May 12 07:52:07 server1 postfix/smtpd[26084]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
    May 12 07:52:10 server1 postfix/smtpd[26110]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
    May 12 07:52:13 server1 postfix/smtpd[26115]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
    May 12 07:52:16 server1 postfix/smtpd[26116]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
    May 12 07:52:19 server1 postfix/smtpd[26117]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
    May 12 07:52:22 server1 postfix/smtpd[26118]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
    May 12 07:52:25 server1 postfix/smtpd[26119]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
    May 12 07:52:29 server1 postfix/smtpd[26120]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
    May 12 07:52:32 server1 postfix/smtpd[26122]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
    May 12 07:52:36 server1 postfix/smtpd[26123]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure
    ...
    Any reason why they are not listed/banned? Or should I add something to /etc/fail2ban/jail.local (Debian Squeeze / ISPConfig 3.0.3.3)? (now as http://www.howtoforge.com/forums/showthread.php?t=52047 )
    Code:
    [sasl]
    enabled  = true
    port     = smtp
    filter   = sasl
    logpath  = /var/log/mail.log
    maxretry = 2
    
    Thanks again for continued support...

    Also I have been wondering whether I should be worried about these warnings (also from the Mail-Warn log):
    Code:
    ...
    May 10 01:50:12 server1 postfix/smtpd[9063]: warning: 92.241.190.69: address not listed for hostname heihachi.net
    ...
    May 12 23:44:14 server1 postfix/smtpd[3545]: warning: 114.42.154.89: hostname 114-42-154-89.dynamic.hinet.net verification failed: Temporary failure in name resolution
    ...
     
  2. falko

    falko Super Moderator ISPConfig Developer

    Yes, you need to add a section for sasl.
     
  3. eko_taas

    eko_taas New Member

    but section of sasl already exists...

    Thanks for support :)
    What should I add :confused:, as I already have (as mentioned above, based on the "Perfect Server" HOWTO) a sasl section in my /etc/fail2ban/jail.local:

    Code:
    [sasl]
    enabled  = true
    port     = smtp
    filter   = sasl
    logpath  = /var/log/mail.log
    maxretry = 2
    Also fail2ban starts all jails (incl. sasl), e.g. at the last restart:
    Code:
    ...
    2011-05-15 01:38:53,125 fail2ban.jail   : INFO   Jail 'roundcube' started
    2011-05-15 01:38:53,227 fail2ban.jail   : INFO   Jail 'sasl' started
    ....
    
     
  4. falko

    falko Super Moderator ISPConfig Developer

    Please check if the regex in /etc/fail2ban/filter.d/sasl.conf is correct.
     
  5. eko_taas

    eko_taas New Member

    sasl conf

    For NewB, everything looks correct :D

    /etc/fail2ban/filter.d/sasl.conf and other files (collection)
    Code:
    failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
    failregex = pop3d: LOGIN FAILED.*ip=\[.*:<HOST>\]
    failregex = pop3d-ssl: LOGIN FAILED.*ip=\[.*:<HOST>\]
    failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
    failregex = imapd-ssl: LOGIN FAILED.*ip=\[.*:<HOST>\]
    
    /etc/fail2ban/filter.d/sasl.conf has:
    Code:
    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGE$
    ignoreregex =
    But /etc/fail2ban/filter.d/sasl.conf was not modified at all ( http://www.howtoforge.com/perfect-server-debian-squeeze-with-bind-and-courier-ispconfig-3-p5 see item 17. Fail2ban )

    How should the line look :confused:? Something like
    failregex = sasl: LOGIN FAILED.*ip=\[.*:<HOST>\]

    Better also to add/correct this in the instructions (if missing :eek:) for the rest of us :rolleyes:?
     
    Last edited by a moderator: May 17, 2011
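To do what falko suggests in post #4 (check that the sasl filter really matches these postfix lines), here is an added example, not from the thread and not fail2ban's own code, that mimics what the fail2ban-regex tool does: it substitutes <HOST> the way fail2ban 0.8 does, counts matches per host over lines shaped like the posted mail.warn excerpt, and compares the count with maxretry = 2 from jail.local. The tail of the sasl.conf regex after "DIGE" was cut off in post #5, so its completion here is an assumption.

```python
import re

# Pattern fail2ban 0.8 substitutes for the <HOST> placeholder in a failregex.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# failregex from the thread's sasl.conf; the part after "DIGE" was cut off in
# the post, so the tail is reconstructed here as an ASSUMPTION.
SASL_FAILREGEX = (r"(?i): warning: [-._\w]+\[<HOST>\]: SASL "
                  r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed")

# Line proposed in post #5; it follows the courier pop3d/imapd log format,
# not the postfix/smtpd format shown in the mail.warn excerpt.
PROPOSED_FAILREGEX = r"sasl: LOGIN FAILED.*ip=\[.*:<HOST>\]"


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def count_failures(failregex, lines):
    """Return {host: number of matching lines}, like fail2ban-regex's summary."""
    rx = compile_failregex(failregex)
    counts = {}
    for line in lines:
        m = rx.search(line)
        if m:
            counts[m.group("host")] = counts.get(m.group("host"), 0) + 1
    return counts


def hosts_to_ban(failregex, lines, maxretry=2):
    """Hosts whose failure count reached maxretry (jail.local uses maxretry = 2)."""
    return sorted(h for h, n in count_failures(failregex, lines).items() if n >= maxretry)


# Constructed sample in the same shape as the mail.warn excerpt posted above.
SAMPLE_LINES = [
    "May 12 07:51:48 server1 postfix/smtpd[26044]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure",
    "May 12 07:51:51 server1 postfix/smtpd[26071]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure",
    "May 12 07:51:54 server1 postfix/smtpd[26073]: warning: ip-70-38-23-166.static.privatedns.com[70.38.23.166]: SASL LOGIN authentication failed: authentication failure",
    # The two other warnings from post #1 are DNS noise and must not count as login failures.
    "May 10 01:50:12 server1 postfix/smtpd[9063]: warning: 92.241.190.69: address not listed for hostname heihachi.net",
    "May 12 23:44:14 server1 postfix/smtpd[3545]: warning: 114.42.154.89: hostname 114-42-154-89.dynamic.hinet.net verification failed: Temporary failure in name resolution",
]

if __name__ == "__main__":
    print(count_failures(SASL_FAILREGEX, SAMPLE_LINES))      # {'70.38.23.166': 3}
    print(hosts_to_ban(SASL_FAILREGEX, SAMPLE_LINES))        # ['70.38.23.166']
    print(count_failures(PROPOSED_FAILREGEX, SAMPLE_LINES))  # {}
```

If the stock regex matches here but the jail still does not ban, the problem is elsewhere (logpath, the jail's dateformat, or the log lines not reaching /var/log/mail.log), which is exactly what running fail2ban-regex against the live log file would show.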
