SASL LOGIN authentication failed

Discussion in 'Installation/Configuration' started by Captain, Mar 9, 2012.

  1. Captain

    Captain Member

    Hello!

    From time to time I see many of these lines in mail.log:
    Code:
    Mar  9 09:06:57 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar  9 09:07:12 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar  9 09:07:30 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar  9 09:08:02 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar  9 09:08:10 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar  9 09:08:20 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar  9 09:08:31 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar  9 09:08:50 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar  9 09:08:58 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar  9 09:09:20 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar  9 09:09:53 itex postfix/smtpd[5534]: last message repeated 2 times
    Mar  9 09:09:53 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar  9 09:10:02 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar  9 09:10:14 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar  9 09:10:35 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar  9 09:10:48 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar  9 09:11:05 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar  9 09:11:13 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar  9 09:11:23 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar  9 09:11:32 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar  9 09:11:44 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    
    Where mail.domain.com is the domain of my server and 1.2.3.4 is the IP of my server.

    chkrootkit and rkhunter are clean.

    And fail2ban doesn't recognize it.
    jail.conf
    Code:
    [sasl]
    
    enabled  = true
    port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd
    filter   = sasl
    # You might consider monitoring /var/log/warn.log instead
    # if you are running postfix. See http://bugs.debian.org/507990
    logpath  = /var/log/mail.log
    
    
    sasl.conf

    Code:
    # Fail2Ban configuration file
    #
    # Author: Yaroslav Halchenko
    #
    # $Revision: 728 $
    #
    
    [Definition]
    
    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values: TEXT
    #
    #failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =
    
    
    In the fail2ban log I have this:

    Code:
    2012-03-09 13:36:52,832 fail2ban.actions.action: ERROR  iptables -N fail2ban-sasl
    iptables -A fail2ban-sasl -j RETURN
    iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200
    
    


    Is it normal, or is something wrong with the server's security?
    I have ISPConfig2 final, Ubuntu 10.04.1 LTS.

    Thank you!
     
    Last edited: Mar 9, 2012
  2. falko

    falko Super Moderator

    I guess this is the ISPConfig monitor that tries to find out if Postfix is still online. And because localhost is whitelisted in the fail2ban configuration, your host isn't blocked.
     
  3. Captain

    Captain Member

    Thank you Falko.

    But what can I do with fail2ban?

    I tried to solve the problem by restarting fail2ban
    and adding this line to iptables-multiport.conf:
    Code:
    sleep ${RANDOM:0:1}.${RANDOM: -1:1}
    
    Now the fail2ban restart is fine, but when fail2ban tries to unban I get this log:

    Code:
    2012-03-12 07:22:00,102 fail2ban.actions: WARNING [sasl] Unban 183.7.88.183
    2012-03-12 07:22:00,110 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
    2012-03-12 07:22:00,111 fail2ban.actions.action: ERROR  Invariant check failed. Trying to restore a sane environment
    2012-03-12 07:22:03,239 fail2ban.actions.action: ERROR  sleep ${RANDOM:0:1}.${RANDOM: -1:1}
    iptables -N fail2ban-sasl
    iptables -A fail2ban-sasl -j RETURN
    iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200
    2012-03-12 07:22:03,247 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
    
    
     
  4. falko

    falko Super Moderator

  5. Captain

    Captain Member

    I don't try to unban manually. It is the fail2ban log file, an automatic unban.

    And I can't understand this log:
    Code:
    2012-03-13 19:52:13,396 fail2ban.actions: WARNING [sasl] Ban 59.40.168.253
    2012-03-13 19:52:13,407 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
    2012-03-13 19:52:13,407 fail2ban.actions.action: ERROR  Invariant check failed. Trying to restore a sane environment
    2012-03-13 19:52:20,137 fail2ban.actions.action: ERROR  sleep ${RANDOM:0:1}.${RANDOM: -1:1}
    iptables -N fail2ban-sasl
    iptables -A fail2ban-sasl -j RETURN
    iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200
    2012-03-13 19:52:20,145 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
    2012-03-13 19:52:20,146 fail2ban.actions.action: CRITICAL Unable to restore environment
    2012-03-13 19:52:40,167 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:53:13,203 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:53:40,233 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:54:07,262 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:54:33,288 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:54:59,315 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:55:27,345 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:55:53,373 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:56:22,403 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:56:50,433 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:57:17,461 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:57:46,492 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:58:13,519 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:58:41,548 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:59:10,578 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:59:37,607 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 20:00:03,635 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 20:00:30,665 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 20:00:58,696 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 20:01:24,724 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 20:01:52,753 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 20:02:13,775 fail2ban.actions: WARNING [sasl] Unban 59.40.168.253
    2012-03-13 20:02:13,798 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
    2012-03-13 20:02:13,798 fail2ban.actions.action: ERROR  Invariant check failed. Trying to restore a sane environment
    2012-03-13 20:02:23,736 fail2ban.actions.action: ERROR  sleep ${RANDOM:0:1}.${RANDOM: -1:1}
    iptables -N fail2ban-sasl
    iptables -A fail2ban-sasl -j RETURN
    iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200
    2012-03-13 20:02:23,744 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
    2012-03-13 20:02:23,744 fail2ban.actions.action: CRITICAL Unable to restore environment
    2012-03-13 20:02:24,746 fail2ban.actions: WARNING [sasl] Ban 59.40.168.253
    2012-03-13 20:02:24,756 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
    2012-03-13 20:02:24,757 fail2ban.actions.action: ERROR  Invariant check failed. Trying to restore a sane environment
    2012-03-13 20:02:27,885 fail2ban.actions.action: ERROR  sleep ${RANDOM:0:1}.${RANDOM: -1:1}
    iptables -N fail2ban-sasl
    iptables -A fail2ban-sasl -j RETURN
    iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200
    2012-03-13 20:02:27,897 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
    2012-03-13 20:02:27,897 fail2ban.actions.action: CRITICAL Unable to restore environment
    2012-03-13 20:02:47,920 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 20:12:25,530 fail2ban.actions: WARNING [sasl] Unban 59.40.168.253
    2012-03-13 20:12:25,539 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
    2012-03-13 20:12:25,539 fail2ban.actions.action: ERROR  Invariant check failed. Trying to restore a sane environment
    2012-03-13 20:12:28,599 fail2ban.actions.action: ERROR  sleep ${RANDOM:0:1}.${RANDOM: -1:1}
    iptables -N fail2ban-sasl
    iptables -A fail2ban-sasl -j RETURN
    iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200
    2012-03-13 20:12:28,606 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
    
    It means that the IP is banned.
    But in mail.warn I see this:

    Code:
    Mar 13 19:59:58 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:00:02 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:00:03 itex postfix/smtpd[14253]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:00:08 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:00:10 itex postfix/smtpd[15442]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:00:14 itex postfix/smtpd[15442]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:00:15 itex postfix/smtpd[14253]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:00:19 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:00:20 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:00:24 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:00:26 itex postfix/smtpd[15442]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:00:29 itex postfix/smtpd[15442]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:00:31 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:00:34 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:00:35 itex postfix/smtpd[14253]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:00:39 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:00:40 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:00:47 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:00:48 itex postfix/smtpd[15442]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:00:52 itex postfix/smtpd[15442]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:00:53 itex postfix/smtpd[14253]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:00:57 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:00:59 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:01:03 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:01:04 itex postfix/smtpd[15442]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:01:08 itex postfix/smtpd[15442]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:01:09 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:01:13 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:01:14 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:01:18 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:01:19 itex postfix/smtpd[14253]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:01:23 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:01:24 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:01:28 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:01:30 itex postfix/smtpd[15442]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:01:34 itex postfix/smtpd[15442]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:01:35 itex postfix/smtpd[14253]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:01:40 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:01:41 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    
    
    It means that this IP tries to connect and iptables does not block it!

    How can I block this IP? I need this IP to not be able to connect.

    Falko can you help me to solve this problem?

    Big thanks.
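The sasl.conf failregex from the first post, run over a few of the log lines posted in this thread, as an added Python example (not code from fail2ban or from the posters). It assumes, following falko's reply, an ignoreip list that whitelists localhost and the server's own address 1.2.3.4 (constructed here), and it ignores findtime since each sample host's failures fall within a few minutes.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# failregex from the thread's sasl.conf with fail2ban's <HOST> tag expanded to
# the named group that file's comment documents.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
FAILREGEX = re.compile(
    r"(?i): warning: [-._\w]+\[" + HOST +
    r"\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
)

# Constructed sample: lines copied from the thread plus two that must NOT match
# (a reverse-DNS warning and syslog's "last message repeated" summary).
SAMPLE_LOG = """\
Mar  9 09:06:57 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:07:12 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:07:30 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Mar  9 09:09:53 itex postfix/smtpd[5534]: last message repeated 2 times
Mar 13 19:59:58 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
Mar 13 20:00:02 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:08 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
Mar 13 20:00:14 itex postfix/smtpd[15442]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
"""

def failures_per_host(log_text):
    """Count lines the jail's failregex matches, keyed by the <HOST> group."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts

def is_ignored(host, ignoreip):
    """fail2ban-style ignoreip check: plain IPs and CIDR ranges, no hostnames."""
    try:
        addr = ip_address(host)
    except ValueError:
        return False  # a hostname captured by <HOST> is never in this list
    return any(addr in ip_network(net, strict=False) for net in ignoreip)

def hosts_to_ban(log_text, ignoreip, maxretry=3):
    """Non-whitelisted hosts with at least maxretry matches (findtime ignored)."""
    return sorted(h for h, n in failures_per_host(log_text).items()
                  if n >= maxretry and not is_ignored(h, ignoreip))

# Assumption (constructed): localhost plus the server's own address 1.2.3.4
# from the first post are whitelisted, as falko's reply describes.
IGNOREIP = ["127.0.0.1/8", "1.2.3.4"]

if __name__ == "__main__":
    print(failures_per_host(SAMPLE_LOG))       # Counter({'1.2.3.4': 3, '59.40.168.253': 3})
    print(hosts_to_ban(SAMPLE_LOG, IGNOREIP))  # ['59.40.168.253']
```

The regex matches the server's own monitoring failures and the remote host alike; only the whitelist keeps the server's IP from being banned, while the remote address is a valid ban candidate, so the missing ban in the later posts is an iptables action problem, not a filter problem.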
     