• Plesk Uservoice will be deprecated by October. Moving forward, all product feature requests and improvement suggestions will be managed through our new platform Plesk Productboard.
    To continue sharing your ideas and feedback, please visit features.plesk.com

Fail2Ban - postfix-sasl filter issue

timber

Basic Pleskian
Hi!

I've been experiencing SASL authentication attacks and have been wondering why Fail2Ban didn't recognize and ban them:

Aug 16 16:18:29 hosting02 postfix/smtpd[9899]: warning: server.domain.com[AAA.BBB.CCC.DDD]: SASL login authentication failed: authentication failure

The "login" is in lowercase. This seems to have changed recently for some reason because when I google it, all I found are uppercase "LOGIN" log entries. Hence, the postfix-sasl filter regex:

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:) [ A-Za-z0-9+/]*={0,2})?\s*$

This simply did not match with my log entries in /var/log/maillog. The workaround was to match both entries. Lowercase and uppercase:

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:login|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:) [ A-Za-z0-9+/]*={0,2})?\s*$
^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:) [ A-Za-z0-9+/]*={0,2})?\s*$

Did anybody else experience this?

Cheers
 
Back
Top