What's wrong with my fail2ban regex/setup?

#1 Thu, 03/23/2017 - 11:49
oneearth

Hi, I'm trying to ban 103.207.39.206 on my CentOS 7, Virtualmin GPL, fail2ban 0.9 system. Here's a recent entry from /var/log/maillog:

Mar 23 09:15:21 server postfix/smtpd[23284]: warning: unknown[103.207.39.206]: SASL LOGIN authentication failed: authentication failure
Mar 23 09:15:21 server postfix/smtpd[23284]: lost connection after AUTH from unknown[103.207.39.206]
Mar 23 09:15:21 server postfix/smtpd[23284]: disconnect from unknown[103.207.39.206]

iptables shows an entry for that ip:

[root@server ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
f2b-Postfix-sasl  tcp  --  anywhere             anywhere             tcp dpt:smtp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain f2b-Postfix-sasl (1 references)
target     prot opt source               destination        
REJECT     all  --  103.207.39.206       anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere           
[root@server ~]#

But I keep getting attempted logins from that IP.

[root@server ~]# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: postfix-sasl
[root@server ~]# fail2ban-client status postfix-sasl
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed: 4
|  |- Total failed: 209
|  `- Journal matches: _SYSTEMD_UNIT=postfix.service
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: 103.207.39.206

I think that I used the default Virtualmin filter, but I must have messed up somewhere:

# Fail2Ban filter for postfix authentication failures
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$

ignoreregex = authentication failed: Connection lost to authentication server$

[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service
# Author: Yaroslav Halchenko

Any help banning this login attempt would be appreciated.

Fri, 03/24/2017 - 04:27
unborn

Hi, mine is also the default but it's a bit different from yours; also, it works on mine.

# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix/smtpd

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

# Author: Yaroslav Halchenko

Also, you can test your fail2ban rules with a simple command: fail2ban-regex log-you-want-to-read rule-you-are-applying, e.g. fail2ban-regex /var/log/virtualmin/domain.com_access_log /etc/fail2ban/filter.d/apache-badbots.conf, and that will show you whether the filter is working correctly.

Configuring/troubleshooting Debian servers is always great fun

Fri, 03/24/2017 - 04:42
oneearth

Thanks unborn! I replaced the [Definition] in postfix-sasl.conf with yours above:

[root@server ~]# fail2ban-client status postfix-sasl
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed: 4
|  |- Total failed: 6
|  `- Journal matches: _SYSTEMD_UNIT=postfix.service
`- Actions
   |- Currently banned: 4
   |- Total banned: 4
   `- Banned IP list: 103.207.39.206 144.217.211.219 72.55.174.182 80.82.79.100

[root@server ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
f2b-Postfix-sasl  tcp  --  anywhere             anywhere             tcp dpt:smtp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain f2b-Postfix-sasl (1 references)
target     prot opt source               destination        
REJECT     all  --  no-reverse-dns-configured.com  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  72.55.174.182        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  ip219.ip-144-217-211.net  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  103.207.39.206       anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere           
[root@server ~]#

I only have the postfix-sasl jail filter active, so I'm not sure why there is a difference between iptables -L and fail2ban-client status postfix-sasl (for example, fail2ban-client status doesn't show IP 80.82.79.100; that IP must refer to "no-reverse-dns-configured.com").

Will update this post later after checking whether my /var/log/maillog is quieter now thanks to the correct regex.

Fri, 03/24/2017 - 09:09
oneearth

The postfix-sasl filter still doesn't seem to catch the villains. Testing with fail2ban-regex gives:

[root@server ~]# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-sasl.conf

Running tests

Use   failregex filter file : postfix-sasl, basedir: /etc/fail2ban
Use         log file : /var/log/maillog
Use         encoding : UTF-8

Results

Failregex: 29608 total
|-  #) [# of hits] regular expression
|   1) [29608] ^(?:[])?\s(?:<[^.]+.[^.]+>\s+)?(?:\S+\s+)?(?:kernel: [ *\d+.\d+]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:[\d+])?:\s+[[(]?postfix/smtpd(?:(\S+))?[])]?:?|[[(]?postfix/smtpd(?:(\S+))?[])]?:?(?:[\d+])?:?)\s+)?(?:[ID \d+ \S+]\s+)?warning: [-._\w]+[]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]={0,2})?\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [133105] (?:DAY )?MON Day 24hour:Minute:Second(?:.Microseconds)?(?: Year)?
`-

Lines: 133105 lines, 0 ignored, 29608 matched, 103497 missed [processed in 16.19 sec]

Missed line(s): too many to print. Use --print-all-missed to print all 103497 lines

In maillog, there are still entries of attempts:

Mar 24 13:54:15 server postfix/smtpd[7499]: warning: unknown[91.200.12.165]: SASL LOGIN authentication failed: authentication failure
Mar 24 13:54:15 server postfix/smtpd[7499]: lost connection after AUTH from unknown[91.200.12.165]
Mar 24 13:54:15 server postfix/smtpd[7499]: disconnect from unknown[91.200.12.165]
Mar 24 13:56:11 server postfix/smtpd[7609]: warning: hostname no-reverse-dns-configured.com does not resolve to address 80.82.78.188
Mar 24 13:56:11 server postfix/smtpd[7609]: connect from unknown[80.82.78.188]
Mar 24 13:56:13 server postfix/smtpd[7609]: warning: unknown[80.82.78.188]: SASL LOGIN authentication failed: authentication failure
Mar 24 13:56:14 server postfix/smtpd[7609]: disconnect from unknown[80.82.78.188]
Mar 24 13:56:48 server postfix/smtpd[7614]: warning: hostname dedic878.hidehost.net does not resolve to address 91.200.12.186: Name or service not known
Mar 24 13:56:48 server postfix/smtpd[7614]: connect from unknown[91.200.12.186]
Mar 24 13:56:51 server postfix/smtpd[7614]: warning: unknown[91.200.12.186]: SASL LOGIN authentication failed: authentication failure
Mar 24 13:56:51 server postfix/smtpd[7614]: lost connection after AUTH from unknown[91.200.12.186]
Mar 24 13:56:51 server postfix/smtpd[7614]: disconnect from unknown[91.200.12.186]
Mar 24 13:57:24 server postfix/smtpd[7614]: connect from unknown[211.244.4.151]
Mar 24 13:57:27 server postfix/smtpd[7614]: warning: unknown[211.244.4.151]: SASL LOGIN authentication failed: authentication failure
Mar 24 13:57:27 server postfix/smtpd[7614]: lost connection after AUTH from unknown[211.244.4.151]
Mar 24 13:57:27 server postfix/smtpd[7614]: disconnect from unknown[211.244.4.151]

Fri, 03/24/2017 - 10:12
unborn

Hi, regarding your output:

Now there is a different thing to think about: most of those hackers see fail2ban as a problem, and they attack your server slower than one attempt every 600 seconds. I would strongly suggest you use 1400 seconds or any higher number. Also, when testing your f2b, just let it work for 12 or more hours. If it's still not working properly, then your filter is reading the wrong log file or you have another issue. Give it time, man, and then check it in Webmin > Linux Firewall.

Edit: this works with any Debian, Ubuntu and CentOS, both my default filter and the testing line, so either you are doing something wrong or you are not using Linux. Also, you see 29608 matched, which means that once you apply the filter you should start to see the results within a few minutes/days. You won't/cannot ban old attempts; fail2ban will only ban new ones. If you see that many attempts, just apply the jail, restart your fail2ban and wait for about a day or so.

Configuring/troubleshooting Debian servers is always great fun
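As an added example, not code from the thread or from fail2ban itself, the script below runs the thread's postfix-sasl failregex over a constructed maillog and then replays the hits through a simplified fail2ban-style counter, so you can see why a probe that arrives slower than once per findtime never reaches maxretry under the default 600 seconds but does under 1400, the setting suggested above. Assumptions: the short stand-in for common.conf's %(__prefix_line)s, the year 2017 for the yearless syslog timestamps, the RFC 5737 sample addresses, and fail2ban 0.9's defaults of findtime 600 / maxretry 5 / bantime 600. One caveat worth knowing when you test a filter with a current Python: the filter's `((?i)LOGIN|...)` group is written here as the scoped `(?i:...)` form, because Python 3.11 and later reject a global inline flag in mid-pattern.

```python
"""Added example (not from the thread): run the postfix-sasl failregex over a
constructed maillog and replay the hits through a fail2ban-style
findtime/maxretry/bantime counter."""
import re
from datetime import datetime

# Assumed, simplified stand-in for fail2ban's %(__prefix_line)s from common.conf
# (the real expansion is the very long one fail2ban-regex prints): a syslog
# timestamp, the host name, then _daemon[pid]: as in the thread's filter.
_DAEMON = r"postfix(?:-\w+)?/(?:submission/|smtps/)?smtp[ds]"
_PREFIX_LINE = (r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
                + _DAEMON + r"\[\d+\]: ")
# fail2ban 0.9 substitutes <HOST> with roughly this group.
_HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The thread's failregex. Its ((?i)LOGIN|...) group is written as the scoped
# (?i:...) form: a global flag in mid-pattern is a re.error on Python 3.11+.
FAILREGEX = re.compile(
    _PREFIX_LINE
    + r"warning: [-._\w]+\[" + _HOST + r"\]: SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
    + r" authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$"
)
IGNOREREGEX = re.compile(
    r"authentication failed: Connection lost to authentication server$")

# Constructed sample log (RFC 5737 test addresses). 203.0.113.10 is a "slow"
# attacker probing every ~310 s; 198.51.100.7 fires five attempts in five seconds;
# 192.0.2.5 hits the ignoreregex and must not be counted.
SAMPLE_MAILLOG = """\
Mar 24 09:00:00 server postfix/smtpd[7499]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Mar 24 09:00:00 server postfix/smtpd[7499]: lost connection after AUTH from unknown[203.0.113.10]
Mar 24 09:05:10 server postfix/smtpd[7503]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Mar 24 09:10:20 server postfix/smtpd[7510]: warning: unknown[203.0.113.10]: SASL PLAIN authentication failed: authentication failure
Mar 24 09:12:00 server postfix/smtpd[7512]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar 24 09:12:01 server postfix/smtpd[7512]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar 24 09:12:02 server postfix/smtpd[7512]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar 24 09:12:03 server postfix/smtpd[7512]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar 24 09:12:04 server postfix/smtpd[7512]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar 24 09:13:00 server postfix/smtpd[7515]: warning: unknown[192.0.2.5]: SASL LOGIN authentication failed: Connection lost to authentication server
Mar 24 09:15:30 server postfix/smtpd[7520]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Mar 24 09:20:40 server postfix/submission/smtpd[7530]: warning: unknown[203.0.113.10]: SASL login authentication failed: authentication failure
"""
LINES = SAMPLE_MAILLOG.splitlines()


def match_line(line):
    """Return (host, timestamp) for a counted SASL failure, else None."""
    if IGNOREREGEX.search(line):
        return None
    m = FAILREGEX.search(line)
    return (m.group("host"), m.group("ts")) if m else None


def _seconds(ts, year=2017):
    """Syslog lines carry no year; fail2ban assumes the current one (2017 here)."""
    dt = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return (dt - datetime(1970, 1, 1)).total_seconds()


def simulate_bans(lines, findtime=600, maxretry=5, bantime=600):
    """Replay lines with fail2ban 0.9's defaults (findtime 600, maxretry 5,
    bantime 600): a host is banned once it has maxretry failures inside the
    last findtime seconds; while banned its lines are not counted again.
    Returns [(host, timestamp_of_ban), ...] in log order."""
    failures, banned_until, bans = {}, {}, []
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        host, ts = hit
        now = _seconds(ts)
        if banned_until.get(host, 0.0) > now:
            continue
        recent = [t for t in failures.get(host, []) if now - t <= findtime]
        recent.append(now)
        failures[host] = recent
        if len(recent) >= maxretry:
            bans.append((host, ts))
            banned_until[host] = now + bantime
            failures[host] = []
    return bans


if __name__ == "__main__":
    for ft in (600, 1400):
        print(f"findtime={ft}: banned {simulate_bans(LINES, findtime=ft)}")
```

The counter is a model of fail2ban's decision, not its code; the authoritative check for a live install is still fail2ban-regex against the real /var/log/maillog, as described above, followed by fail2ban-client status postfix-sasl after the jail has run for a while.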

Fri, 03/24/2017 - 11:01
unborn

Also, enable these in order to block those attempts:

  • ssh
  • postfix
  • sasl
  • dovecot
  • always restart your fail2ban to apply the configuration :)

Configuring/troubleshooting Debian servers is always great fun

Sun, 03/26/2017 - 13:32
oneearth

Changing the findtime and bantime (either manually edit /etc/fail2ban/jail.conf or go to Webmin > Networking > Fail2ban Intrusion Detector > Filter Action Jails > postfix-sasl > Max delay between matches / Time to ban IP for) seems to have done the trick and caught the ones that were getting through.

Thanks unborn! :-)

Sun, 03/26/2017 - 14:39 (Reply to #7)
unborn

@oneearth

Glad to hear that you have it all sorted ;)

Configuring/troubleshooting Debian servers is always great fun

Mon, 03/27/2017 - 15:54
Diabolico

Just one thing: you should save changes in jail.local and not jail.conf, because .conf will be replaced with the next f2b update. By default you will not have a jail.local file, so make one and then insert what you want to change, or just copy the entire content of jail.conf and then make the modifications. It's better to just copy and modify what you want/need, but both solutions will work.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.
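To make the jail.local advice concrete, here is an added example (not from the thread and not fail2ban's own code) that reproduces with Python's configparser how fail2ban layers jail.local over jail.conf: later files override earlier ones key by key, and a jail section inherits any key it does not set from [DEFAULT], so a jail.local only has to carry the lines that actually change. The two file bodies are constructed, cut down from a real jail.conf to the keys discussed in this thread; the read order is the one documented in jail.conf(5). fail2ban's %(...)s interpolation is left out of the model.

```python
"""Added example (not from the thread): how fail2ban layers jail.local over
jail.conf, reproduced with configparser. File bodies are constructed."""
import configparser

# Constructed stand-in for the packaged /etc/fail2ban/jail.conf. Leave it
# alone: the next fail2ban package update overwrites it.
JAIL_CONF = """
[DEFAULT]
bantime  = 600
findtime = 600
maxretry = 5

[postfix-sasl]
enabled = false
port    = smtp,465,submission,imap,imaps,pop3,pop3s
logpath = /var/log/maillog
"""

# Constructed /etc/fail2ban/jail.local carrying only the overrides from the
# thread: a longer findtime and bantime, and the jail switched on.
JAIL_LOCAL = """
[DEFAULT]
findtime = 1400
bantime  = 3600

[postfix-sasl]
enabled = true
"""

# fail2ban's read order (jail.conf(5)); each later file overrides the earlier
# ones key by key, which is why a .local needs only the keys that change.
READ_ORDER = ("jail.conf", "jail.d/*.conf", "jail.local", "jail.d/*.local")


def effective_config(*file_bodies):
    """Merge configuration texts in read order. Successive read_string calls on
    one ConfigParser overlay each other, and a jail section inherits any key it
    does not set from [DEFAULT], matching fail2ban's own semantics.
    Interpolation is disabled: fail2ban's %(__name__)s style is out of scope."""
    cp = configparser.ConfigParser(interpolation=None)
    for body in file_bodies:
        cp.read_string(body)
    return cp


def jail_settings(cp, jail):
    """The values fail2ban would actually apply for one jail."""
    keys = ("enabled", "findtime", "bantime", "maxretry", "logpath")
    return {k: cp.get(jail, k) for k in keys}


if __name__ == "__main__":
    print("jail.conf only :", jail_settings(effective_config(JAIL_CONF), "postfix-sasl"))
    print("with jail.local:", jail_settings(effective_config(JAIL_CONF, JAIL_LOCAL), "postfix-sasl"))
```

Running it shows the jail disabled with the 600-second defaults from jail.conf alone, and enabled with findtime 1400, bantime 3600 and the untouched maxretry 5 and logpath once jail.local is layered on top. Remember that fail2ban reads the files only at start-up, so restart or reload it after editing jail.local, as unborn noted above.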

Sat, 04/08/2017 - 03:50 (Reply to #9)
unborn

Great point Diabolico. I usually keep a git backup somewhere off the box, so if settings get replaced I can restore it all with one command, but you are right about this!

Configuring/troubleshooting Debian servers is always great fun

Wed, 03/29/2017 - 09:30
oneearth

Oh, that's very useful to know, @Diabolico. I have made a copy of jail.conf as jail.local and will modify jail.local in the future.

Thanks @Diabolico!
