hi, i'm trying to ban 103.207.39.206 on my centos 7, virtualmin gpl, fail2ban 0.9 system. here's a recent entry from /var/log/maillog:
Mar 23 09:15:21 server postfix/smtpd[23284]: warning: unknown[103.207.39.206]: SASL LOGIN authentication failed: authentication failure
Mar 23 09:15:21 server postfix/smtpd[23284]: lost connection after AUTH from unknown[103.207.39.206]
Mar 23 09:15:21 server postfix/smtpd[23284]: disconnect from unknown[103.207.39.206]
iptables shows an entry for that ip:
[root@server ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-Postfix-sasl tcp -- anywhere anywhere tcp dpt:smtp
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-Postfix-sasl (1 references)
target prot opt source destination
REJECT all -- 103.207.39.206 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
[root@server ~]#
but i keep on getting attempted logins from that ip.
[root@server ~]# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: postfix-sasl
[root@server ~]# fail2ban-client status postfix-sasl
Status for the jail: postfix-sasl
|- Filter
| |- Currently failed: 4
| |- Total failed: 209
| `- Journal matches: _SYSTEMD_UNIT=postfix.service
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 103.207.39.206
i think that i used the default virtualmin filter but i must have messed up somewhere:
# Fail2Ban filter for postfix authentication failures
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
ignoreregex = authentication failed: Connection lost to authentication server$
[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service
# Author: Yaroslav Halchenko
any help would be appreciated to ban this login attempt.
hi, mine is also default but it's a bit different from yours, and it works on mine.
# Fail2Ban filter for postfix authentication failures
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix/smtpd
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
# Author: Yaroslav Halchenko
also you can test your fail2ban rules with a simple command:
fail2ban-regex log-you-want-to-read rule-you-are-applying
eg: fail2ban-regex /var/log/virtualmin/domain.com_access_log /etc/fail2ban/filter.d/apache-badbots.conf
and that would show you if the filter is working correctly.
Configuring/troubleshooting Debian servers is always great fun
thanks unborn! i replaced the [Definition] in postfix-sasl.conf with yours above -->
[root@server ~]# fail2ban-client status postfix-sasl
Status for the jail: postfix-sasl
|- Filter
| |- Currently failed: 4
| |- Total failed: 6
| `- Journal matches: _SYSTEMD_UNIT=postfix.service
`- Actions
|- Currently banned: 4
|- Total banned: 4
`- Banned IP list: 103.207.39.206 144.217.211.219 72.55.174.182 80.82.79.100
[root@server ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-Postfix-sasl tcp -- anywhere anywhere tcp dpt:smtp
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-Postfix-sasl (1 references)
target prot opt source destination
REJECT all -- no-reverse-dns-configured.com anywhere reject-with icmp-port-unreachable
REJECT all -- 72.55.174.182 anywhere reject-with icmp-port-unreachable
REJECT all -- ip219.ip-144-217-211.net anywhere reject-with icmp-port-unreachable
REJECT all -- 103.207.39.206 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
[root@server ~]#
i only have the postfix-sasl jail filter active, so i'm not sure why there is a difference between iptables -L and fail2ban-client status postfix-sasl (for example, fail2ban-client status doesn't show ip 80.82.79.100. that ip must refer to "no-reverse-dns-configured.com")
will update this post later after checking if my /var/log/maillog is subsequently quieter now thanks to correct regex.
the postfix-sasl filter still doesn't seem to catch the villains. testing with fail2ban-regex gives:
[root@server ~]# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-sasl.conf
Running tests
Use failregex filter file : postfix-sasl, basedir: /etc/fail2ban
Use log file : /var/log/maillog
Use encoding : UTF-8
Results
Failregex: 29608 total
|- #) [# of hits] regular expression
| 1) [29608] ^(?:[])?\s(?:<[^.]+.[^.]+>\s+)?(?:\S+\s+)?(?:kernel: [ *\d+.\d+]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:[\d+])?:\s+[[(]?postfix/smtpd(?:(\S+))?[])]?:?|[[(]?postfix/smtpd(?:(\S+))?[])]?:?(?:[\d+])?:?)\s+)?(?:[ID \d+ \S+]\s+)?warning: [-._\w]+[]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]={0,2})?\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [133105] (?:DAY )?MON Day 24hour:Minute:Second(?:.Microseconds)?(?: Year)?
`-
Lines: 133105 lines, 0 ignored, 29608 matched, 103497 missed [processed in 16.19 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 103497 lines
in maillog, still have entries of attempts:
133073 Mar 24 13:54:15 server postfix/smtpd[7499]: warning: unknown[91.200.12.165]: SASL LOGIN authentication failed: authentication failure
133074 Mar 24 13:54:15 server postfix/smtpd[7499]: lost connection after AUTH from unknown[91.200.12.165]
133075 Mar 24 13:54:15 server postfix/smtpd[7499]: disconnect from unknown[91.200.12.165]
133076 Mar 24 13:56:11 server postfix/smtpd[7609]: warning: hostname no-reverse-dns-configured.com does not resolve to address 80.82.78.188
133077 Mar 24 13:56:11 server postfix/smtpd[7609]: connect from unknown[80.82.78.188]
133078 Mar 24 13:56:13 server postfix/smtpd[7609]: warning: unknown[80.82.78.188]: SASL LOGIN authentication failed: authentication failure
133079 Mar 24 13:56:14 server postfix/smtpd[7609]: disconnect from unknown[80.82.78.188]
133080 Mar 24 13:56:48 server postfix/smtpd[7614]: warning: hostname dedic878.hidehost.net does not resolve to address 91.200.12.186: Name or service not known
133081 Mar 24 13:56:48 server postfix/smtpd[7614]: connect from unknown[91.200.12.186]
133082 Mar 24 13:56:51 server postfix/smtpd[7614]: warning: unknown[91.200.12.186]: SASL LOGIN authentication failed: authentication failure
133083 Mar 24 13:56:51 server postfix/smtpd[7614]: lost connection after AUTH from unknown[91.200.12.186]
133084 Mar 24 13:56:51 server postfix/smtpd[7614]: disconnect from unknown[91.200.12.186]
133085 Mar 24 13:57:24 server postfix/smtpd[7614]: connect from unknown[211.244.4.151]
133086 Mar 24 13:57:27 server postfix/smtpd[7614]: warning: unknown[211.244.4.151]: SASL LOGIN authentication failed: authentication failure
133087 Mar 24 13:57:27 server postfix/smtpd[7614]: lost connection after AUTH from unknown[211.244.4.151]
133088 Mar 24 13:57:27 server postfix/smtpd[7614]: disconnect from unknown[211.244.4.151]
hi, towards your output..
now there is a different thing to think about.. most of those hackers see fail2ban as a problem and they attack your server slower than every 600 seconds.. I would greatly suggest you use 1400 seconds or any higher number. Also when testing your f2b, just let it work for 12 or more hours. If it is still not working properly, then your filter is reading the wrong log file or you have another issue.. give it time man and then check it out in webmin - linux firewall.
Edit: this works with any debian, ubuntu and centos - my default filter and also the testing line.. so either you are doing something wrong or you are not using linux. also you see 29608 matched, which means once you apply the filter you should start to see the results within a few minutes/days. You won't / cannot ban old attempts - fail2ban will only ban new ones.. if you see that many attempts just apply the jail and restart your fail2ban and wait for about a day or so.
also enable those in order to block those attempts
changing the findtime and bantime (either manually edit /etc/fail2ban/jail.conf or > Webmin > Networking > Fail2ban Intrusion Detector > Filter Action Jails > postfix-sasl > Max delay between matches / Time to ban IP for) seems to have done the trick and caught the ones that were getting through.
thanks unborn! :-)
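The two things the thread turns on are whether the posted failregex actually matches a maillog line (what fail2ban-regex reports as matched/missed) and how findtime and maxretry decide when a matching host gets banned. The script below is an added example written for this page, not code from the thread or from fail2ban itself. It takes unborn's failregex from above, with two assumptions: %(__prefix_line)s is replaced by a plain syslog prefix (fail2ban builds a much more permissive one from common.conf), and <HOST> is replaced by a named group that accepts an IP literal only (fail2ban's own <HOST> substitution also accepts hostnames). The log lines are constructed, modelled on the entries quoted in the thread, and maxretry=3 is a constructed value chosen for the demonstration. Running it shows why a host that fails once every 700 seconds is never banned with findtime=600 but is banned once findtime is raised to 1400.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Stand-in for %(__prefix_line)s from common.conf (assumption: a plain syslog
# prefix "Mon DD HH:MM:SS host postfix/smtpd[pid]: "). fail2ban's real prefix
# is far more permissive, but this is enough for the maillog lines in the thread.
PREFIX_LINE = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "

# The failregex posted by unborn, with <HOST> replaced by a named group that
# accepts an IPv4/IPv6 literal (assumption: fail2ban's own <HOST> substitution
# is broader and also accepts hostnames).
FAILREGEX = re.compile(
    PREFIX_LINE
    + r"warning: [-._\w]+\[(?P<host>[0-9a-fA-F.:]+)\]: SASL "
    + r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    + r"(: [ A-Za-z0-9+/]*={0,2})?\s*$"
)

# Constructed maillog excerpt modelled on the thread's entries: one host
# fails three times within a minute, another fails once every 700 seconds.
SAMPLE_LOG = """\
Mar 24 09:00:00 server postfix/smtpd[7499]: warning: unknown[91.200.12.165]: SASL LOGIN authentication failed: authentication failure
Mar 24 09:00:05 server postfix/smtpd[7499]: lost connection after AUTH from unknown[91.200.12.165]
Mar 24 09:05:00 server postfix/smtpd[7501]: warning: unknown[103.207.39.206]: SASL LOGIN authentication failed: authentication failure
Mar 24 09:05:30 server postfix/smtpd[7501]: warning: unknown[103.207.39.206]: SASL PLAIN authentication failed: authentication failure
Mar 24 09:06:00 server postfix/smtpd[7501]: warning: unknown[103.207.39.206]: SASL LOGIN authentication failed: authentication failure
Mar 24 09:11:40 server postfix/smtpd[7502]: warning: unknown[91.200.12.165]: SASL LOGIN authentication failed: authentication failure
Mar 24 09:15:00 server postfix/smtpd[7503]: warning: hostname no-reverse-dns-configured.com does not resolve to address 80.82.78.188
Mar 24 09:23:20 server postfix/smtpd[7504]: warning: unknown[91.200.12.165]: SASL LOGIN authentication failed: authentication failure
""".splitlines()


def count_matches(lines):
    """Mimic the 'matched / missed' summary line of fail2ban-regex."""
    matched = sum(1 for line in lines if FAILREGEX.match(line))
    return matched, len(lines) - matched


def simulate_bans(lines, findtime, maxretry):
    """Return {host: time_of_ban} for hosts that reach maxretry matches
    within any findtime-second window, the way a fail2ban jail counts them."""
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    banned = {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue
        host = m.group("host")
        # syslog lines carry no year; strptime defaults it, which is fine for deltas
        when = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        window = recent[host]
        window.append(when)
        # drop failures older than findtime seconds relative to this one
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned[host] = when
    return banned


if __name__ == "__main__":
    print("matched/missed:", count_matches(SAMPLE_LOG))
    for findtime in (600, 1400):
        hosts = sorted(simulate_bans(SAMPLE_LOG, findtime=findtime, maxretry=3))
        print(f"findtime={findtime}s maxretry=3 -> banned: {hosts}")
```

The "lost connection" and "does not resolve" lines are counted as missed, which is expected: only the "SASL ... authentication failed" warning is a failure event, so a large missed count from fail2ban-regex on a full maillog is normal and not by itself a sign that the filter is wrong.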
@oneearth
glad to hear that you have it all sorted ;)
Just one thing, you should save changes in jail.local and not jail.conf, because .conf will be replaced with the next f2b update. By default you will not have a jail.local file, so make one and then insert what you want to change, or just copy the entire content from jail.conf and then make the modifications. It's better to just copy and modify what you want/need, but both solutions will work.
- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.
Great point Diabolico, I usually do a git backup somewhere out, so if settings get replaced I could restore it all with one command, but you are right about this!
oh, that's very useful to know @Diabolico. I have made a copy of jail.conf as jail.local and will modify jail.local in the future.
thanks @Diabolico!