There are frequent attempts to brute force login to my mail server which show up in /var/log/maillog as shown below.
The filter in /etc/fail2ban/filter.d/postfix.conf does not detect those lines and thus does not ban the IPs in question.
I did check with the following command, and it indeed does not match any of the warnings shown below but lists them as missed:
fail2ban-regex -v --print-all-matched --print-all-missed /var/log/maillog /etc/fail2ban/filter.d/postfix.conf
Thus, I think the postfix.conf filter should either be adapted or there should be a separate filter and jail to ban those attacking servers.
As a workaround I did set up a postfix-sasl.local filter as shown, but I would expect a Plesk filter for these common attacks.
May 19 23:59:24 h1231588 plesk_saslauthd[32060]: No such user '[email protected]' in mail authorization database
May 19 23:59:24 h1231588 plesk_saslauthd[32060]: failed mail authentication attempt for user '[email protected]' (password len=6)
May 19 23:59:24 h1231588 postfix/smtpd[32028]: warning: unknown[103.147.184.193]: SASL LOGIN authentication failed: authentication failure
May 19 23:59:27 h1231588 plesk_saslauthd[32060]: No such user '[email protected]' in mail authorization database
May 19 23:59:27 h1231588 plesk_saslauthd[32060]: failed mail authentication attempt for user '[email protected]' (password len=10)
May 19 23:59:27 h1231588 postfix/smtpd[32028]: warning: unknown[103.147.184.193]: SASL LOGIN authentication failed: authentication failure
May 19 23:59:29 h1231588 plesk_saslauthd[32060]: No such user '[email protected]' in mail authorization database
May 19 23:59:29 h1231588 plesk_saslauthd[32060]: failed mail authentication attempt for user '[email protected]' (password len=7)
May 19 23:59:29 h1231588 postfix/smtpd[32028]: warning: unknown[103.147.184.193]: SASL LOGIN authentication failed: authentication failure
May 19 23:59:30 h1231588 plesk_saslauthd[32060]: No such user '[email protected]' in mail authorization database
May 19 23:59:30 h1231588 plesk_saslauthd[32060]: failed mail authentication attempt for user '[email protected]' (password len=5)
May 19 23:59:30 h1231588 postfix/smtpd[32028]: warning: unknown[103.147.184.193]: SASL LOGIN authentication failed: authentication failure
May 19 23:59:33 h1231588 plesk_saslauthd[32060]: No such user '[email protected]' in mail authorization database
May 19 23:59:33 h1231588 plesk_saslauthd[32060]: failed mail authentication attempt for user '[email protected]' (password len=6)
May 19 23:59:33 h1231588 postfix/smtpd[32028]: warning: unknown[103.147.184.193]: SASL LOGIN authentication failed: authentication failure
cat /etc/fail2ban/filter.d/postfix-sasl.local
# Fail2Ban filter for postfix authentication failures
[INCLUDES]
# include common.conf rules before other definitions
before = common.conf
[Definition]
# common.conf builds %(__prefix_line)s from the _daemon key (leading underscore);
# a plain "daemon" key is never read and the permissive default \S* would apply instead
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
# ref: regex101 (build, test, and debug regex)
# match the postfix/smtpd "SASL ... authentication failed" warning and capture the client IP as <HOST>
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed([\s\w+\/:]*={0,4})?\s*$
# a failure caused by the auth backend being unreachable is not a client error, so do not count it
ignoreregex = authentication failed: Connection lost to authentication server$
[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service
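To check which of the log lines above the posted failregex actually catches, the following is an added Python replay (not part of the original post, nor fail2ban's own code): it approximates fail2ban's %(__prefix_line)s and <HOST> expansion with constructed stand-ins, runs the posted failregex and ignoreregex over constructed sample lines, and reports each line as matched, ignored or missed the way fail2ban-regex does. It makes visible that the plesk_saslauthd lines carry no client IP and can only ever be missed, while the postfix/smtpd warning lines are the ones a jail can count and ban on.

```python
import re
from collections import Counter

# Constructed stand-in for fail2ban's %(__prefix_line)s: syslog date, host,
# then the filter's _daemon tag with pid (real common.conf is more permissive).
PREFIX_LINE = (r"\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ "
               r"postfix(?:-\w+)?/(?:submission/|smtps/)?smtp[ds]\[\d+\]: ")
# fail2ban expands <HOST> to an IP/hostname group; IPv4 is enough for this sample.
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# The posted failregex with <HOST> expanded. Python 3.11+ rejects a mid-pattern
# "(?i)", so the inline flag is written in its scoped form "(?i:...)".
FAILREGEX = re.compile(
    r"^" + PREFIX_LINE + r"warning: [-._\w]+\[" + HOST + r"\]: SASL "
    r"((?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)) authentication failed"
    r"([\s\w+\/:]*={0,4})?\s*$")
IGNOREREGEX = re.compile(
    r"authentication failed: Connection lost to authentication server$")


def classify(line):
    """Report a line the way fail2ban-regex does: matched, ignored or missed."""
    m = FAILREGEX.search(line)
    if not m:
        return ("missed", None)
    if IGNOREREGEX.search(line):          # ignoreregex wins over failregex
        return ("ignored", m.group("host"))
    return ("matched", m.group("host"))


def count_failures(lines):
    """Failures per host that a jail would count towards maxretry."""
    hits = Counter()
    for line in lines:
        status, host = classify(line)
        if status == "matched":
            hits[host] += 1
    return hits


# Constructed sample: the page's two line types, plus a submission-port failure
# and a backend-outage line, both using the documentation range 192.0.2.0/24.
SAMPLE_LOG = """\
May 19 23:59:24 h1231588 plesk_saslauthd[32060]: No such user 'user@example.com' in mail authorization database
May 19 23:59:24 h1231588 plesk_saslauthd[32060]: failed mail authentication attempt for user 'user@example.com' (password len=6)
May 19 23:59:24 h1231588 postfix/smtpd[32028]: warning: unknown[103.147.184.193]: SASL LOGIN authentication failed: authentication failure
May 19 23:59:27 h1231588 postfix/smtpd[32028]: warning: unknown[103.147.184.193]: SASL LOGIN authentication failed: authentication failure
May 20 00:01:02 h1231588 postfix/submission/smtpd[4100]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
May 20 00:01:05 h1231588 postfix/smtpd[4101]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: Connection lost to authentication server
""".splitlines()
```

Running count_failures(SAMPLE_LOG) counts two failures for 103.147.184.193 and one for 192.0.2.10; the "Connection lost to authentication server" line matches failregex but is discarded by ignoreregex, which is exactly the behaviour to verify with fail2ban-regex before enabling a jail.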