Facebook
Twitter
cmak.fr
New Pleskian
Hi all
My maillog shows several failed mail authentication attempts.
Fail2ban is configured from Pesk Onyx webui
Defaults jails have simply lowered maxretry values and increased ban periods.
Regarding to the config files and the logs, i cant figure out why Fail2ban does not ban an attacker.
Here is the (kept original) filter file for postfix-sasl.
Maybe there's something missing in the filter definition ?
How to have a clean workaround for this ?
Many thanks for any help...
[root@host ~]# cat /etc/fail2ban/filter.d/postfix-sasl.conf
# Fail2Ban filter for postfix authentication failures
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
[ A-Za-z0-9+/:]*={0,2})?\s*$
ignoreregex = authentication failed: Connection lost to authentication server$
[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service
# Author: Yaroslav Halchenko
Extract of /var/maillog : repeated login attempts from same ip
# /var/log/maillog
Apr 22 04:39:57 f4d7bff postfix/smtpd[59419]: connect from unknown[37.49.227.49]
Apr 22 04:39:57 f4d7bff plesk_saslauthd[61171]: No such user '[email protected]' in mail authorization database
Apr 22 04:39:57 f4d7bff plesk_saslauthd[61171]: failed mail authentication attempt for user '[email protected]' (password len=12)
Apr 22 04:39:57 f4d7bff postfix/smtpd[59419]: warning: unknown[37.49.227.49] SASL LOGIN authentication failed: authentication failure
Apr 22 04:39:57 f4d7bff postfix/smtpd[59419]: lost connection after AUTH from unknown[37.49.227.49]
Apr 22 04:39:57 f4d7bff postfix/smtpd[59419]: disconnect from unknown[37.49.227.49]
---
Apr 22 04:39:58 f4d7bff postfix/smtpd[59419]: connect from unknown[37.49.227.49]
Apr 22 04:39:58 f4d7bff plesk_saslauthd[61171]: No such user '[email protected]' in mail authorization database
Apr 22 04:39:58 f4d7bff plesk_saslauthd[61171]: failed mail authentication attempt for user '[email protected]' (password len=11)
Apr 22 04:39:58 f4d7bff postfix/smtpd[59419]: warning: unknown[37.49.227.49] SASL LOGIN authentication failed: authentication failure
Apr 22 04:39:58 f4d7bff postfix/smtpd[59419]: lost connection after AUTH from unknown[37.49.227.49]
Apr 22 04:39:58 f4d7bff postfix/smtpd[59419]: disconnect from unknown[37.49.227.49]
---
Apr 22 04:39:58 f4d7bff postfix/smtpd[59419]: connect from unknown[37.49.227.49]
Apr 22 04:39:59 f4d7bff plesk_saslauthd[61171]: No such user '[email protected]' in mail authorization database
Apr 22 04:39:59 f4d7bff plesk_saslauthd[61171]: failed mail authentication attempt for user '[email protected]' (password len=6)
Apr 22 04:39:59 f4d7bff postfix/smtpd[59419]: warning: unknown[37.49.227.49] SASL LOGIN authentication failed: authentication failure
Apr 22 04:39:59 f4d7bff postfix/smtpd[59419]: lost connection after AUTH from unknown[37.49.227.49]
Apr 22 04:39:59 f4d7bff postfix/smtpd[59419]: disconnect from unknown[37.49.227.49]
Extract of /var/log/fail2ban : fail2ban does not catch the ip
# /var/log/fail2ban
2019-04-22 06:27:37,699 fail2ban.server [10027]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.6
2019-04-22 06:27:37,700 fail2ban.jail [10027]: INFO Creating new jail 'plesk-postfix'
2019-04-22 06:27:37,700 fail2ban.jail [10027]: INFO Jail 'plesk-postfix' uses pyinotify {}
2019-04-22 06:27:37,706 fail2ban.jail [10027]: INFO Initiated 'pyinotify' backend
2019-04-22 06:27:37,708 fail2ban.filter [10027]: INFO Added logfile = /var/log/maillog
2019-04-22 06:27:37,709 fail2ban.filter [10027]: INFO Set maxRetry = 2
2019-04-22 06:27:37,711 fail2ban.filter [10027]: INFO Set findtime = 1800
2019-04-22 06:27:37,711 fail2ban.actions [10027]: INFO Set banTime = 3600
2019-04-22 06:27:37,713 fail2ban.server [10027]: INFO Jail plesk-postfix is not a JournalFilter instance
2019-04-22 06:27:37,721 fail2ban.jail [10027]: INFO Jail 'plesk-postfix' started
My maillog shows several failed mail authentication attempts.
Fail2ban is configured from Pesk Onyx webui
Defaults jails have simply lowered maxretry values and increased ban periods.
Regarding to the config files and the logs, i cant figure out why Fail2ban does not ban an attacker.
Here is the (kept original) filter file for postfix-sasl.
Maybe there's something missing in the filter definition ?
How to have a clean workaround for this ?
Many thanks for any help...
[root@host ~]# cat /etc/fail2ban/filter.d/postfix-sasl.conf
# Fail2Ban filter for postfix authentication failures
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
[ A-Za-z0-9+/:]*={0,2})?\s*$ignoreregex = authentication failed: Connection lost to authentication server$
[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service
# Author: Yaroslav Halchenko
Extract of /var/maillog : repeated login attempts from same ip
# /var/log/maillog
Apr 22 04:39:57 f4d7bff postfix/smtpd[59419]: connect from unknown[37.49.227.49]
Apr 22 04:39:57 f4d7bff plesk_saslauthd[61171]: No such user '[email protected]' in mail authorization database
Apr 22 04:39:57 f4d7bff plesk_saslauthd[61171]: failed mail authentication attempt for user '[email protected]' (password len=12)
Apr 22 04:39:57 f4d7bff postfix/smtpd[59419]: warning: unknown[37.49.227.49] SASL LOGIN authentication failed: authentication failure
Apr 22 04:39:57 f4d7bff postfix/smtpd[59419]: lost connection after AUTH from unknown[37.49.227.49]
Apr 22 04:39:57 f4d7bff postfix/smtpd[59419]: disconnect from unknown[37.49.227.49]
---
Apr 22 04:39:58 f4d7bff postfix/smtpd[59419]: connect from unknown[37.49.227.49]
Apr 22 04:39:58 f4d7bff plesk_saslauthd[61171]: No such user '[email protected]' in mail authorization database
Apr 22 04:39:58 f4d7bff plesk_saslauthd[61171]: failed mail authentication attempt for user '[email protected]' (password len=11)
Apr 22 04:39:58 f4d7bff postfix/smtpd[59419]: warning: unknown[37.49.227.49] SASL LOGIN authentication failed: authentication failure
Apr 22 04:39:58 f4d7bff postfix/smtpd[59419]: lost connection after AUTH from unknown[37.49.227.49]
Apr 22 04:39:58 f4d7bff postfix/smtpd[59419]: disconnect from unknown[37.49.227.49]
---
Apr 22 04:39:58 f4d7bff postfix/smtpd[59419]: connect from unknown[37.49.227.49]
Apr 22 04:39:59 f4d7bff plesk_saslauthd[61171]: No such user '[email protected]' in mail authorization database
Apr 22 04:39:59 f4d7bff plesk_saslauthd[61171]: failed mail authentication attempt for user '[email protected]' (password len=6)
Apr 22 04:39:59 f4d7bff postfix/smtpd[59419]: warning: unknown[37.49.227.49] SASL LOGIN authentication failed: authentication failure
Apr 22 04:39:59 f4d7bff postfix/smtpd[59419]: lost connection after AUTH from unknown[37.49.227.49]
Apr 22 04:39:59 f4d7bff postfix/smtpd[59419]: disconnect from unknown[37.49.227.49]
Extract of /var/log/fail2ban : fail2ban does not catch the ip
# /var/log/fail2ban
2019-04-22 06:27:37,699 fail2ban.server [10027]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.6
2019-04-22 06:27:37,700 fail2ban.jail [10027]: INFO Creating new jail 'plesk-postfix'
2019-04-22 06:27:37,700 fail2ban.jail [10027]: INFO Jail 'plesk-postfix' uses pyinotify {}
2019-04-22 06:27:37,706 fail2ban.jail [10027]: INFO Initiated 'pyinotify' backend
2019-04-22 06:27:37,708 fail2ban.filter [10027]: INFO Added logfile = /var/log/maillog
2019-04-22 06:27:37,709 fail2ban.filter [10027]: INFO Set maxRetry = 2
2019-04-22 06:27:37,711 fail2ban.filter [10027]: INFO Set findtime = 1800
2019-04-22 06:27:37,711 fail2ban.actions [10027]: INFO Set banTime = 3600
2019-04-22 06:27:37,713 fail2ban.server [10027]: INFO Jail plesk-postfix is not a JournalFilter instance
2019-04-22 06:27:37,721 fail2ban.jail [10027]: INFO Jail 'plesk-postfix' started
