• Plesk Uservoice will be deprecated by October. Moving forward, all product feature requests and improvement suggestions will be managed through our new platform Plesk Productboard.
    To continue sharing your ideas and feedback, please visit features.plesk.com

Fail2Ban - postfix-sasl filter issue

T

timber

Basic Pleskian
Hi!

I've been experiencing SASL authentication attacks and have been wondering why Fail2Ban didn't recognize and ban them:

Aug 16 16:18:29 hosting02 postfix/smtpd[9899]: warning: server.domain.com[AAA.BBB.CCC.DDD]: SASL login authentication failed: authentication failure

The "login" is in lowercase. This seems to have changed recently for some reason because when I google it, all I found are uppercase "LOGIN" log entries. Hence, the postfix-sasl filter regex:

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:) [ A-Za-z0-9+/]*={0,2})?\s*$

This simply did not match with my log entries in /var/log/maillog. The workaround was to match both entries. Lowercase and uppercase:

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:login|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:) [ A-Za-z0-9+/]*={0,2})?\s*$
^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:) [ A-Za-z0-9+/]*={0,2})?\s*$

Did anybody else experience this?

Cheers
 
You must log in or register to reply here.

Similar threads

wakabayashi
Resolved Fail2Ban - Postfix not working for SASL (bug?)
Replies
4
Views
3K
mizar
mizar
P
Input plesk fail2ban missing some important filter rules
Replies
2
Views
2K
PeterKi
P
A
Question Warnings in mail log [SASL LOGIN authentication failed]
Replies
1
Views
2K
Peter Debik
P
U
Resolved fail2ban plesk-postfix jail and filter configuration
Replies
2
Views
4K
ufreier
U
P
Input Enhancement suggestions for Plesk's fail2ban filters
Replies
1
Views
2K
Maarten
M
Back
Top