Resolved fail2ban postfix-sasl not working correctly

[PeterKi]

I have enabled fail2ban and most of the jails are working properly.
I have also enabled the recidive jail.
Alas, I often see messages like this in /var/log/maillog:
Apr 24 05:30:10 h2731888 postfix/smtpd[32272]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 05:41:49 h2731888 postfix/smtpd[4137]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 05:53:27 h2731888 postfix/smtpd[8381]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 06:05:11 h2731888 postfix/smtpd[12617]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 06:16:53 h2731888 postfix/smtpd[16348]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 06:28:18 h2731888 postfix/smtpd[20651]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 06:39:43 h2731888 postfix/smtpd[25252]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 06:51:07 h2731888 postfix/smtpd[29408]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 07:02:31 h2731888 postfix/smtpd[732]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 07:14:00 h2731888 postfix/smtpd[5328]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 07:25:20 h2731888 postfix/smtpd[9274]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
The postfix.conf filter seems not to match the above lines.

I found another filter in /etc/fail2ban/filter.d/postfix-sasl.local which does not seem to work either.
It has a failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed[ A-Za-z0-9+/:]*={0,2})?\s*$ which does not match the log lines above.
Also I cannot find where this filter is enabled at all.


So my question is:
How can I get fail2ban to block those brute force SASL LOGIN attempts?

 

[Bitpalast]

I think that the regex is correct. It can be tested on regex101: build, test, and debug regex. You have to consider that "_prefix_line" and "<HOST>" are placeholders.

There are two Postfix jails, the regular Postfix jail and the Postfix SASL jail. Have you enabled both in Fail2Ban?

 

[PeterKi]

The postfix jail is enabled, the postfix sasl jail isn't.
There is a difference in that the postfix filter is named postfix.conf whereas the postfix-sasl filter is named postfix-sasl.local.
The jails in jail.d/plesk.conf reference the filters without extension and there is no postfix-sasl entry in jail.d/plesk.conf
Thus, I am puzzled what the correct plesk-way is to enable the postfix-sasl filter.
I am reluctant to configure things outside the plesk mechanism as they may break with upcoming updates.

 

[PeterKi]

Does anybody have the postfix-sasl filter activated?
I wonder that I seem to be the only one with the problem as I think that every Linux server with postfix will show the problem.
Every day I see IP addresses being blocked by fail2ban for other reasons, but dictionary attacks on postfix do not get blocked.
It is also strange to me that there is a postfix-sasl.local filter but the plesk GUI does not offer a way to activate it.
This looks like someone did build a solution but not implement it in the end.

 

[Bitpalast]

I can see an activated Postfix-SASL jail in our Plesk installations.

I suggest to use the Plesk component upgrade and installation page to remove Fail2Ban from your server, then re-add it.

 

[PeterKi]

I did uninstalled as suggested and did a cleanup by 'rm -r /etc/fail2ban'.
After that I re-installed fail2ban and activated all the jails.
There is no plesk-sasl jail though and the plesk-sasl.local file which I did see before is not there anymore.
I have attached the fail2ban jails page screenshot and this is the list of my fail2ban tree:
fail2ban
fail2ban/paths-fedora.conf
fail2ban/paths-debian.conf
fail2ban/paths-common.conf
fail2ban/paths-arch.conf
fail2ban/fail2ban.conf
fail2ban/jail.local
fail2ban/filter.d
fail2ban/filter.d/plesk-wordpress.conf
fail2ban/filter.d/common.conf
fail2ban/filter.d/plesk-panel.conf
fail2ban/filter.d/apache-auth.conf
fail2ban/filter.d/apache-common.conf
fail2ban/filter.d/plesk-qmail.conf
fail2ban/filter.d/postfix.conf
fail2ban/filter.d/proftpd.conf
fail2ban/filter.d/plesk-courierlogin.conf
fail2ban/filter.d/plesk-horde.conf
fail2ban/filter.d/plesk-dovecot.conf
fail2ban/filter.d/ignorecommands
fail2ban/filter.d/ignorecommands/apache-fakegooglebot
fail2ban/filter.d/plesk-roundcube.conf
fail2ban/filter.d/sshd.conf
fail2ban/filter.d/plesk-modsecurity.conf
fail2ban/filter.d/recidive.conf
fail2ban/filter.d/apache-badbots.conf
fail2ban/jail.conf
fail2ban/paths-opensuse.conf
fail2ban/jail.d
fail2ban/jail.d/plesk.conf
fail2ban/paths-osx.conf
fail2ban/README
fail2ban/action.d
fail2ban/action.d/sendmail-common.conf
fail2ban/action.d/iptables.conf
fail2ban/action.d/iptables-allports.conf
fail2ban/action.d/iptables-multiport.conf
fail2ban/action.d/badips.py
fail2ban/action.d/sendmail.conf
fail2ban/action.d/iptables-common.conf
fail2ban/action.d/smtp.py
fail2ban/paths-freebsd.conf

 

[PeterKi]

I found that the regular plesk postfix configuration in /etc/fail2ban/filter.d/postfix.conf already also filters on the SASL authentication failures.
The drawback is, that brute force attackers get only banned for 10 minutes after 5 failure attempts and that with the combined postfix filter the recidive filter never kicks in.
Thus, an attacker can do 5 attempts every other 10 Minutes which is slow but gives some rewards to perseverance.
I used plesk's "Tools & Settings >> IP address banning >> Jails >> Manage Filters >> Add"
and "Tools & Settings >> IP address banning >> Jails >> Add Jail"
to create a separate postfix-sasl filter.
With that, there are 2 filters on the SASL failures so that the recidive filter kicks in and bans such abusing servers for a whole week from all ports.

 

[Alaa Mansour]

I found that the regular plesk postfix configuration in /etc/fail2ban/filter.d/postfix.conf already also filters on the SASL authentication failures.
The drawback is, that brute force attackers get only banned for 10 minutes after 5 failure attempts and that with the combined postfix filter the recidive filter never kicks in.
Thus, an attacker can do 5 attempts every other 10 Minutes which is slow but gives some rewards to perseverance.
I used plesk's "Tools & Settings >> IP address banning >> Jails >> Manage Filters >> Add"
and "Tools & Settings >> IP address banning >> Jails >> Add Jail"
to create a separate postfix-sasl filter.
With that, there are 2 filters on the SASL failures so that the recidive filter kicks in and bans such abusing servers for a whole week from all ports.

can u share the input of this new filter? thanks