Facebook
TwitterHi!
I've been experiencing SASL authentication attacks and have been wondering why Fail2Ban didn't recognize and ban them:
Aug 16 16:18:29 hosting02 postfix/smtpd[9899]: warning: server.domain.com[AAA.BBB.CCC.DDD]: SASL login authentication failed: authentication failure
The "login" is in lowercase. This seems to have changed recently for some reason because when I google it, all I found are uppercase "LOGIN" log entries. Hence, the postfix-sasl filter regex:
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
[ A-Za-z0-9+/]*={0,2})?\s*$
This simply did not match with my log entries in /var/log/maillog. The workaround was to match both entries. Lowercase and uppercase:
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:login|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed [ A-Za-z0-9+/]*={0,2})?\s*$
^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed [ A-Za-z0-9+/]*={0,2})?\s*$
Did anybody else experience this?
Cheers
I've been experiencing SASL authentication attacks and have been wondering why Fail2Ban didn't recognize and ban them:
Aug 16 16:18:29 hosting02 postfix/smtpd[9899]: warning: server.domain.com[AAA.BBB.CCC.DDD]: SASL login authentication failed: authentication failure
The "login" is in lowercase. This seems to have changed recently for some reason because when I google it, all I found are uppercase "LOGIN" log entries. Hence, the postfix-sasl filter regex:
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
[ A-Za-z0-9+/]*={0,2})?\s*$This simply did not match with my log entries in /var/log/maillog. The workaround was to match both entries. Lowercase and uppercase:
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:login|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
[ A-Za-z0-9+/]*={0,2})?\s*$^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
[ A-Za-z0-9+/]*={0,2})?\s*$Did anybody else experience this?
Cheers
