Way to automatically block SASL LOGIN attacks?

Discussion in 'Server Operation' started by PermaNoob, Mar 19, 2012.

  1. PermaNoob

    PermaNoob Member

    Is there an automatic way to use the firewall or some other way to add ip's like this to iptables?

    I'm using fail2ban.

    Mar 19 00:11:33 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
    Mar 19 00:11:33 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
    Mar 19 00:11:33 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
    Mar 19 00:11:33 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
    Mar 19 00:11:35 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
    Mar 19 00:11:35 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
    Mar 19 00:11:35 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
    Mar 19 00:11:35 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
    Mar 19 00:11:37 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
    Mar 19 00:11:37 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
    Mar 19 00:11:37 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
    Mar 19 00:11:38 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
    Mar 19 00:11:39 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
    Mar 19 00:11:39 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
    Mar 19 00:11:39 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
    Mar 19 00:11:40 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
    Mar 19 00:11:41 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
    Mar 19 00:11:41 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
    Mar 19 00:11:41 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
    Mar 19 00:11:42 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
    Mar 19 00:11:43 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
    Mar 19 00:11:43 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
    Mar 19 00:11:43 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
    Mar 19 00:11:44 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
    Mar 19 00:11:45 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
    Mar 19 00:11:46 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
    Mar 19 00:11:46 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
    Mar 19 00:11:46 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
    Mar 19 00:11:47 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
    Mar 19 00:11:48 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
    Mar 19 00:11:48 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
     
  2. PermaNoob

    PermaNoob Member

    Did I get this right?

    OK, that's why my name is permanoob.

    I think I found the solution in the fail2ban jail.conf

    Is this correct now?:

    [postfix]

    enabled = true
    port = smtp,ssmtp,smtpd
    filter = postfix
    logpath = /var/log/mail.log
    maxretry = 5

    [sasl]

    enabled = true
    port = smtp,ssmtp,smtpd,imap2,imap3,imaps,pop3,pop3s
    filter = sasl
    logpath = /var/log/mail.log
    maxretry = 5

    ---------------------------

    Must be wrong because log shows errors:

    2012-03-19 01:12:44,599 fail2ban.jail : INFO Jail 'ssh' started
    2012-03-19 01:12:46,013 fail2ban.jail : INFO Jail 'postfix' started
    2012-03-19 01:12:46,015 fail2ban.actions.action: ERROR iptables -N fail2ban-postfix
    iptables -A fail2ban-postfix -j RETURN
    iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,smtpd -j fail2ban-postfix returned 200
    2012-03-19 01:12:47,439 fail2ban.jail : INFO Jail 'sasl' started
    2012-03-19 01:12:47,444 fail2ban.actions.action: ERROR iptables -N fail2ban-sasl
    iptables -A fail2ban-sasl -j RETURN
    iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,smtpd,imap2,imap3,imaps,pop3,pop3s -j fail2ban-sasl returned 200
     
    Last edited: Mar 19, 2012
  3. PermaNoob

    PermaNoob Member

    Should I replace the following line in sasl.conf

    failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$

    with a line Falko posted in another thread

    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failure

    ?

    The error was because I had added smtpd to: port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s

    so now the restart looks ok:

    2012-03-19 10:23:26,471 fail2ban.jail : INFO Jail 'ssh' started
    2012-03-19 10:23:26,533 fail2ban.jail : INFO Jail 'postfix' started
    2012-03-19 10:23:26,593 fail2ban.jail : INFO Jail 'sasl' started
    2012-03-19 10:23:29,477 fail2ban.actions: WARNING [ssh] Ban 66.85.166.106

    but this ip is still not blocked:

    Mar 19 10:37:09 server3 postfix/smtpd[26203]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
    Mar 19 10:37:09 server3 postfix/smtpd[26350]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
    Mar 19 10:37:09 server3 postfix/smtpd[29163]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
    Mar 19 10:37:10 server3 postfix/smtpd[26600]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
     
    Last edited: Mar 19, 2012
  4. PermaNoob

    PermaNoob Member

    I replaced

    failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$

    with a line Falko posted in another thread

    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failure

    and restarted:

    2012-03-19 10:39:58,879 fail2ban.jail : INFO Jail 'ssh' started
    2012-03-19 10:39:58,943 fail2ban.jail : INFO Jail 'postfix' started
    2012-03-19 10:39:59,002 fail2ban.jail : INFO Jail 'sasl' started
    2012-03-19 10:41:59,885 fail2ban.actions: WARNING [ssh] Ban 66.85.166.106

    but fail2ban is still not blocking:

    Mar 19 10:47:31 server3 postfix/smtpd[29170]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
    Mar 19 10:47:31 server3 postfix/smtpd[26350]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
    Mar 19 10:47:32 server3 postfix/smtpd[29170]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
    Mar 19 10:47:33 server3 postfix/smtpd[30156]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
    Mar 19 10:47:34 server3 postfix/smtpd[26600]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
    Mar 19 10:47:34 server3 postfix/smtpd[30156]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
    Mar 19 10:47:36 server3 postfix/smtpd[26350]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
    Mar 19 10:47:37 server3 postfix/smtpd[26350]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
    Mar 19 10:47:39 server3 postfix/smtpd[26600]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
    Mar 19 10:47:40 server3 postfix/smtpd[30154]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
    Mar 19 10:47:40 server3 postfix/smtpd[26600]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
    Mar 19 10:47:43 server3 postfix/smtpd[29165]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
    Mar 19 10:47:44 server3 postfix/smtpd[29954]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
    Mar 19 10:47:45 server3 postfix/smtpd[30154]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
    Mar 19 10:47:46 server3 postfix/smtpd[30154]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
    Mar 19 10:47:48 server3 postfix/smtpd[29165]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
    Mar 19 10:47:49 server3 postfix/smtpd[29165]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
    Mar 19 10:47:49 server3 postfix/smtpd[29954]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
    Mar 19 10:47:50 server3 postfix/smtpd[29954]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
     
  5. PermaNoob

    PermaNoob Member

    I'm testing with

    fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf

    also tried switching to mail.info

    fail2ban-regex /var/log/mail.info /etc/fail2ban/filter.d/sasl.conf

    and

    [sasl]

    enabled = true
    port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    filter = sasl
    logpath = /var/log/mail.info
    maxretry = 5

    still no matches though there are plenty in the log file
     
  6. Lancelot28

    Lancelot28 New Member

    [​IMG]I think I found the solution in the fail2ban jail.conf.
     
  7. PermaNoob

    PermaNoob Member

    I was wrong, it's still not working.
     
  8. falko

    falko Super Moderator ISPConfig Developer

    Can you try
    Code:
    failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
    (without the $ sign at the end)?
     
  9. PermaNoob

    PermaNoob Member

    That worked--Thanks!

    2012-03-21 06:25:24,390 fail2ban.jail : INFO Jail 'ssh' started
    2012-03-21 06:25:24,462 fail2ban.jail : INFO Jail 'postfix' started
    2012-03-21 06:25:24,530 fail2ban.jail : INFO Jail 'sasl' started
    2012-03-21 06:34:41,566 fail2ban.actions: WARNING [sasl] Ban 14.208.80.207
     
    Last edited: Mar 21, 2012
  10. ifoyil34

    ifoyil34 New Member

    Hi I can't success to SASL Login authentical failed someone is help me to please ..
     

    Attached Files:

    • 123.JPG
      123.JPG
      File size:
      195 KB
      Views:
      9
  11. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    shouldn't it be
    Code:
    [postfix-sasl]
    enabled = true
    port = smtp
    filter = postfix-sasl
    logpath = /var/log/mail.log
    maxretry = 3
    bantime = 900
    
    well maybe it's different for your os, however my sasl file looks as

    Code:
    # Fail2Ban filter for postfix authentication failures
    #
    [INCLUDES]
    before = common.conf
    [Definition]
    _daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
    failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
    ignoreregex = authentication failed: Connection lost to authentication server$
    [Init]
    journalmatch = _SYSTEMD_UNIT=postfix.service
    # Author: Yaroslav Halchenko
    
    and works fine, however check the logpath wether that file is actually listing the auth attempts.

    What's the reason for your smtp_connect_addr ip issue showing up in your provided log anyway?
     
  12. ifoyil34

    ifoyil34 New Member

    First so thanks for your message I was happy ,
    I couldn't save your settings I am using webmin tool on debian; I put screen shots to attachment
     

    Attached Files:

    • 345.JPG
      345.JPG
      File size:
      55.9 KB
      Views:
      11
  13. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    uhm I'm not familiar with webmin but shouldn't fail2ban filters be placed in
    /etc/fail2ban/filter.d/
    anyway?
    edit: and the config for whichjails to use be in /etc/fail2ban/jail.local
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    One thing that might be worth to mention: fail2ban does not support IPv6 yet as far as I know. so it is probably 'blind' for connection attempts on IPv6.
     
    ztk.me likes this.
  15. ifoyil34

    ifoyil34 New Member

    also I'am getting this message "cannot assing requested adress" after bind showing my local ip

    postfix/smtp[4667]: warning: smtp_connect_addr: bind *.*.*.* : Cannot assign requested address

    postfix/smtpd[3208]: warning: hostname ip-adsl-190.171.221.245.cotas.com.bo does not resolve to address 190.171.221.245: Name or service not known
    mira postfix/smtpd[3208]: connect from unknown[190.171.221.245]
    mira postfix/smtpd[3208]: warning: unknown[190.171.221.245]: SASL LOGIN authentication failed: authentication failure
    mira postfix/smtpd[3208]: disconnect from unknown[190.171.221.245]
     
  16. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    do you have an entry like
    Code:
    smtp_bind_address=*.*.*.*
    
    in your main.cf or master.cf? is it the correct IP?
     
  17. ifoyil34

    ifoyil34 New Member

    I displayed in master.cf like as below, but I couldn't display in main.cnf
    smtp-150710383317139 unix - - - - - smtp -o smtp_bind_address=*.*.*.* (ISPlocal ip) True
    smtp-15072951369435 unix - - n - - smtp -o smtp_bind_address=192.168.1.34 (True)
     
    Last edited: Oct 11, 2017
  18. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    well that can't be true, you are either trying to bind to an IP which is not on your local net or tried to bind to the same ip/port twice ( which actually would display a different warning however ).
     
    Last edited: Oct 12, 2017
  19. ifoyil34

    ifoyil34 New Member

    I changed to bind IP adress I can display well on mail.log, Postfix is sending e-mail but I'm still getting "SASL LOGIN authentication failed: authentication failure" Messages I bored it I couldn't find to reason

    mira postfix/qmgr[9791]: 068A31A2AB3: from=<[email protected]>, size=668, nrcpt=1 (queue active)
    Oct 12 18:49:51 mira postfix/qmgr[9791]: E99571A2B40: from=<>, size=4329, nrcpt=1 (queue active)
    Oct 12 18:49:51 mira postfix/smtp[11931]: connect to gmail-smtp-in.l.google.com[64.233.184.26]:25: No route to host
    Oct 12 18:49:52 mira postfix/error[11932]: BE8F01A2ACA: to=<[email protected]>, relay=none, delay=118184, delays=118183/0.04/0/0.86, dsn=4.3.0, status=deferred (mail transport unavailable)
    Oct 12 18:49:52 mira postfix/error[11934]: 068A31A2AB3: to=<[email protected]>, relay=none, delay=165803, delays=165803/0.05/0/0.85, dsn=4.3.0, status=deferred (mail transport unavailable)
    Oct 12 18:49:52 mira postfix/error[11930]: 416CC1A2AAF: to=<[email protected]>, relay=none, delay=170605, delays=170604/0.03/0/0.89, dsn=4.3.0, status=deferred (mail transport unavailable)
    Oct 12 18:49:52 mira postfix/smtp[11936]: connect to gmail-smtp-in.l.google.com[64.233.184.26]:25: No route to host
    Oct 12 18:49:53 mira postfix/smtpd[10812]: connect from unknown[190.232.174.54]
    Oct 12 18:49:55 mira postfix/smtpd[10812]: warning: unknown[190.232.174.54]: SASL LOGIN authentication failed: authentication failure
    Oct 12 18:49:55 mira postfix/smtpd[10812]: disconnect from unknown[190.232.174.54]
    Oct 12 18:49:58 mira postfix/smtp[11938]: connect to gmail-smtp-in.l.google.com[64.233.184.26]:25: No route to host
    Oct 12 18:49:59 mira postfix/smtp[11938]: connect to alt1.gmail-smtp-in.l.google.com[64.233.162.27]:25: No route to host
    Oct 12 18:50:06 mira postfix/smtp[11938]: connect to alt2.gmail-smtp-in.l.google.com[74.125.68.27]:25: No route to host
    Oct 12 18:50:07 mira postfix/smtp[11940]: connect to gmail-smtp-in.l.google.com[64.233.184.26]:25: No route to host
    Oct 12 18:50:21 mira postfix/smtp[11931]: connect to alt1.gmail-smtp-in.l.google.com[64.233.162.27]:25: Connection timed out
    Oct 12 18:50:21 mira postfix/smtp[11939]: connect to gmail-smtp-in.l.google.com[64.233.184.26]:25: Connection timed out
    Oct 12 18:50:22 mira postfix/smtp[11936]: connect to alt1.gmail-smtp-in.l.google.com[64.233.162.27]:25: Connection timed out
    Oct 12 18:50:24 mira postfix/smtpd[9956]: connect from host3-211-static.241-95-b.business.telecomitalia.it[95.241.211.3]
    Oct 12 18:50:24 mira postfix/smtp[11939]: connect to alt1.gmail-smtp-in.l.google.com[64.233.162.27]:25: No route to host
    Oct 12 18:50:25 mira postfix/smtpd[9956]: warning: host3-211-static.241-95-b.business.telecomitalia.it[95.241.211.3]: SASL LOGIN authentication failed: authentication failure
    Oct 12 18:50:25 mira postfix/smtpd[9956]: disconnect from host3-211-static.241-95-b.business.telecomitalia.it[95.241.211.3]
    Oct 12 18:50:25 mira postfix/smtp[11936]: connect to alt2.gmail-smtp-in.l.google.com[74.125.68.27]:25: No route to host
    Oct 12 18:50:25 mira postfix/smtp[11939]: connect to alt2.gmail-smtp-in.l.google.com[74.125.68.27]:25: No route to host
    Oct 12 18:50:33 mira postfix/smtp[11939]: connect to alt3.gmail-smtp-in.l.google.com[74.125.204.27]:25: No route to host
    Oct 12 18:50:36 mira postfix/smtp[11938]: connect to alt3.gmail-smtp-in.l.google.com[74.125.204.27]:25: Connection timed out
    Oct 12 18:50:37 mira postfix/smtp[11940]: connect to alt1.gmail-smtp-in.l.google.com[64.233.162.27]:25: Connection timed out
    Oct 12 18:50:37 mira postfix/smtpd[10812]: connect from unknown[191.96.249.63]
    Oct 12 18:50:37 mira postfix/smtpd[10812]: warning: unknown[191.96.249.63]: SASL LOGIN authentication failed: authentication failure
     
  20. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    first of all, you are aware of
    ?
    What did you do with your poor server? ;)
    Have you checked your fail2ban logfile if it actually tries to ban them or even load the desired jail-config?
    Also take special note to the following configuration vars:
    Code:
    logpath = /var/log/mail.log
    maxretry = 3
    bantime = 900
    
    
    this would ban an IP for 900 seconds after three matching log entries were found which have been matched in a given timerange which also is an option to configure if you like.
     

Share This Page