Way to automatically block SASL LOGIN attacks?

Discussion in 'Server Operation' started by PermaNoob, Mar 19, 2012.

  1. PermaNoob

    PermaNoob New Member

    Is there an automatic way to use the firewall or some other way to add IPs like this to iptables?

    I'm using fail2ban.

    Mar 19 00:11:33 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
    Mar 19 00:11:33 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
    Mar 19 00:11:33 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
    Mar 19 00:11:33 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
    Mar 19 00:11:35 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
    Mar 19 00:11:35 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
    Mar 19 00:11:35 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
    Mar 19 00:11:35 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
    Mar 19 00:11:37 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
    Mar 19 00:11:37 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
    Mar 19 00:11:37 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
    Mar 19 00:11:38 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
    Mar 19 00:11:39 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
    Mar 19 00:11:39 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
    Mar 19 00:11:39 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
    Mar 19 00:11:40 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
    Mar 19 00:11:41 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
    Mar 19 00:11:41 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
    Mar 19 00:11:41 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
    Mar 19 00:11:42 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
    Mar 19 00:11:43 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
    Mar 19 00:11:43 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
    Mar 19 00:11:43 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
    Mar 19 00:11:44 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
    Mar 19 00:11:45 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
    Mar 19 00:11:46 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
    Mar 19 00:11:46 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
    Mar 19 00:11:46 server3 postfix/smtpd[1002]: connect from unknown[183.7.92.44]
    Mar 19 00:11:47 server3 postfix/smtpd[1002]: warning: unknown[183.7.92.44]: SASL LOGIN authentication failed: authentication failure
    Mar 19 00:11:48 server3 postfix/smtpd[1002]: lost connection after AUTH from unknown[183.7.92.44]
    Mar 19 00:11:48 server3 postfix/smtpd[1002]: disconnect from unknown[183.7.92.44]
     
  2. PermaNoob

    PermaNoob New Member

    Did I get this right?

    OK, that's why my name is permanoob.

    I think I found the solution in the fail2ban jail.conf

    Is this correct now?:

    [postfix]

    enabled = true
    port = smtp,ssmtp,smtpd
    filter = postfix
    logpath = /var/log/mail.log
    maxretry = 5

    [sasl]

    enabled = true
    port = smtp,ssmtp,smtpd,imap2,imap3,imaps,pop3,pop3s
    filter = sasl
    logpath = /var/log/mail.log
    maxretry = 5

    ---------------------------

    Must be wrong because log shows errors:

    2012-03-19 01:12:44,599 fail2ban.jail : INFO Jail 'ssh' started
    2012-03-19 01:12:46,013 fail2ban.jail : INFO Jail 'postfix' started
    2012-03-19 01:12:46,015 fail2ban.actions.action: ERROR iptables -N fail2ban-postfix
    iptables -A fail2ban-postfix -j RETURN
    iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,smtpd -j fail2ban-postfix returned 200
    2012-03-19 01:12:47,439 fail2ban.jail : INFO Jail 'sasl' started
    2012-03-19 01:12:47,444 fail2ban.actions.action: ERROR iptables -N fail2ban-sasl
    iptables -A fail2ban-sasl -j RETURN
    iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,smtpd,imap2,imap3,imaps,pop3,pop3s -j fail2ban-sasl returned 200
     
    Last edited: Mar 19, 2012
  3. PermaNoob

    PermaNoob New Member

    Should I replace the following line in sasl.conf

    failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$

    with a line Falko posted in another thread

    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failure

    ?

    The error was because I had added smtpd to: port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s

    so now the restart looks ok:

    2012-03-19 10:23:26,471 fail2ban.jail : INFO Jail 'ssh' started
    2012-03-19 10:23:26,533 fail2ban.jail : INFO Jail 'postfix' started
    2012-03-19 10:23:26,593 fail2ban.jail : INFO Jail 'sasl' started
    2012-03-19 10:23:29,477 fail2ban.actions: WARNING [ssh] Ban 66.85.166.106

    but this ip is still not blocked:

    Mar 19 10:37:09 server3 postfix/smtpd[26203]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
    Mar 19 10:37:09 server3 postfix/smtpd[26350]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
    Mar 19 10:37:09 server3 postfix/smtpd[29163]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
    Mar 19 10:37:10 server3 postfix/smtpd[26600]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
     
    Last edited: Mar 19, 2012
  4. PermaNoob

    PermaNoob New Member

    I replaced

    failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$

    with a line Falko posted in another thread

    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failure

    and restarted:

    2012-03-19 10:39:58,879 fail2ban.jail : INFO Jail 'ssh' started
    2012-03-19 10:39:58,943 fail2ban.jail : INFO Jail 'postfix' started
    2012-03-19 10:39:59,002 fail2ban.jail : INFO Jail 'sasl' started
    2012-03-19 10:41:59,885 fail2ban.actions: WARNING [ssh] Ban 66.85.166.106

    but fail2ban is still not blocking:

    Mar 19 10:47:31 server3 postfix/smtpd[29170]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
    Mar 19 10:47:31 server3 postfix/smtpd[26350]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
    Mar 19 10:47:32 server3 postfix/smtpd[29170]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
    Mar 19 10:47:33 server3 postfix/smtpd[30156]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
    Mar 19 10:47:34 server3 postfix/smtpd[26600]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
    Mar 19 10:47:34 server3 postfix/smtpd[30156]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
    Mar 19 10:47:36 server3 postfix/smtpd[26350]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
    Mar 19 10:47:37 server3 postfix/smtpd[26350]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
    Mar 19 10:47:39 server3 postfix/smtpd[26600]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
    Mar 19 10:47:40 server3 postfix/smtpd[30154]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
    Mar 19 10:47:40 server3 postfix/smtpd[26600]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
    Mar 19 10:47:43 server3 postfix/smtpd[29165]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
    Mar 19 10:47:44 server3 postfix/smtpd[29954]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
    Mar 19 10:47:45 server3 postfix/smtpd[30154]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
    Mar 19 10:47:46 server3 postfix/smtpd[30154]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
    Mar 19 10:47:48 server3 postfix/smtpd[29165]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
    Mar 19 10:47:49 server3 postfix/smtpd[29165]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
    Mar 19 10:47:49 server3 postfix/smtpd[29954]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
    Mar 19 10:47:50 server3 postfix/smtpd[29954]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
     
  5. PermaNoob

    PermaNoob New Member

    I'm testing with

    fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf

    also tried switching to mail.info

    fail2ban-regex /var/log/mail.info /etc/fail2ban/filter.d/sasl.conf

    and

    [sasl]

    enabled = true
    port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    filter = sasl
    logpath = /var/log/mail.info
    maxretry = 5

    still no matches though there are plenty in the log file
     
  6. Lancelot28

    Lancelot28 New Member

    I think I found the solution in the fail2ban jail.conf.
     
  7. PermaNoob

    PermaNoob New Member

    I was wrong, it's still not working.
     
  8. falko

    falko Super Moderator

    Can you try
    Code:
    failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
    (without the $ sign at the end)?
     
  9. PermaNoob

    PermaNoob New Member

    That worked--Thanks!

    2012-03-21 06:25:24,390 fail2ban.jail : INFO Jail 'ssh' started
    2012-03-21 06:25:24,462 fail2ban.jail : INFO Jail 'postfix' started
    2012-03-21 06:25:24,530 fail2ban.jail : INFO Jail 'sasl' started
    2012-03-21 06:34:41,566 fail2ban.actions: WARNING [sasl] Ban 14.208.80.207
     
    Last edited: Mar 21, 2012
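    To see why falko's fix works, here is an added example (not code from the thread or from fail2ban itself) that emulates the failregex matching and the maxretry counter over constructed Postfix log lines modelled on the ones posted above. The `<HOST>` expansion is an assumption approximating what fail2ban substitutes; the IP 192.0.2.10 is a constructed documentation address.

```python
import re
from collections import Counter

# Assumption: approximation of the pattern fail2ban substitutes for <HOST>.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The regex PermaNoob started with (anchored with $) and falko's fix (no $).
FAILREGEX_ANCHORED = r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$"
FAILREGEX_FIXED = r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"

# Constructed sample log, modelled on the thread's excerpts: 5 failures from
# 98.17.204.201, 2 from 192.0.2.10, plus connect/disconnect noise.
SAMPLE_LOG = """\
Mar 19 10:47:31 server3 postfix/smtpd[29170]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:31 server3 postfix/smtpd[26350]: connect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:33 server3 postfix/smtpd[30156]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:34 server3 postfix/smtpd[30156]: disconnect from h201.204.17.98.static.ip.windstream.net[98.17.204.201]
Mar 19 10:47:36 server3 postfix/smtpd[26350]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:39 server3 postfix/smtpd[26600]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Mar 19 10:47:41 server3 postfix/smtpd[26600]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:44 server3 postfix/smtpd[30154]: connect from unknown[192.0.2.10]
Mar 19 10:47:45 server3 postfix/smtpd[30154]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Mar 19 10:47:48 server3 postfix/smtpd[29165]: warning: h201.204.17.98.static.ip.windstream.net[98.17.204.201]: SASL LOGIN authentication failed: authentication failure
"""


def compile_failregex(failregex):
    """Expand <HOST> the way a fail2ban filter does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def failed_hosts(log_text, failregex):
    """Hosts extracted from every line the failregex matches (unanchored search)."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.search, log_text.splitlines()) if m]


def hosts_to_ban(log_text, failregex, maxretry=5):
    """Hosts reaching maxretry matches; findtime is ignored in this emulation."""
    counts = Counter(failed_hosts(log_text, failregex))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    # The $ anchor matches nothing because every line continues with ": authentication failure".
    print("anchored matches:", len(failed_hosts(SAMPLE_LOG, FAILREGEX_ANCHORED)))
    print("fixed matches:   ", len(failed_hosts(SAMPLE_LOG, FAILREGEX_FIXED)))
    print("would ban:       ", hosts_to_ban(SAMPLE_LOG, FAILREGEX_FIXED))
```

    Real fail2ban also parses each line's timestamp and only counts matches inside findtime, so `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf`, as used earlier in the thread, remains the authoritative check.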
