• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Resolved fail2ban postfix-sasl not working correctly

P

PeterKi

Regular Pleskian
I have enabled fail2ban and most of the jails are working properly.
I have also enabled the recidive jail.
Alas, I often see messages like this in /var/log/maillog:
Apr 24 05:30:10 h2731888 postfix/smtpd[32272]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 05:41:49 h2731888 postfix/smtpd[4137]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 05:53:27 h2731888 postfix/smtpd[8381]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 06:05:11 h2731888 postfix/smtpd[12617]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 06:16:53 h2731888 postfix/smtpd[16348]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 06:28:18 h2731888 postfix/smtpd[20651]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 06:39:43 h2731888 postfix/smtpd[25252]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 06:51:07 h2731888 postfix/smtpd[29408]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 07:02:31 h2731888 postfix/smtpd[732]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 07:14:00 h2731888 postfix/smtpd[5328]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 07:25:20 h2731888 postfix/smtpd[9274]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
The postfix.conf filter seems not to match the above lines.

I found another filter in /etc/fail2ban/filter.d/postfix-sasl.local which does not seem to work either.
It has a failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:)[ A-Za-z0-9+/:]*={0,2})?\s*$ which does not match the log lines above.
Also I cannot find where this filter is enabled at all.


So my question is:
How can I get fail2ban to block those brute force SASL LOGIN attempts?
 
Last edited:
I think that the regex is correct. It can be tested on regex101: build, test, and debug regex. You have to consider that "_prefix_line" and "<HOST>" are placeholders.

There are two Postfix jails, the regular Postfix jail and the Postfix SASL jail. Have you enabled both in Fail2Ban?
 
The postfix jail is enabled, the postfix sasl jail isn't.
There is a difference in that the postfix filter is named postfix.conf whereas the postfix-sasl filter is named postfix-sasl.local.
The jails in jail.d/plesk.conf reference the filters without extension and there is no postfix-sasl entry in jail.d/plesk.conf
Thus, I am puzzled what the correct plesk-way is to enable the postfix-sasl filter.
I am reluctant to configure things outside the plesk mechanism as they may break with upcoming updates.
 
Does anybody have the postfix-sasl filter activated?
I wonder that I seem to be the only one with the problem as I think that every Linux server with postfix will show the problem.
Every day I see IP addresses being blocked by fail2ban for other reasons, but dictionary attacks on postfix do not get blocked.
It is also strange to me that there is a postfix-sasl.local filter but the plesk GUI does not offer a way to activate it.
This looks like someone did build a solution but not implement it in the end.
 
I can see an activated Postfix-SASL jail in our Plesk installations.

I suggest to use the Plesk component upgrade and installation page to remove Fail2Ban from your server, then re-add it.
 
I did uninstalled as suggested and did a cleanup by 'rm -r /etc/fail2ban'.
After that I re-installed fail2ban and activated all the jails.
There is no plesk-sasl jail though and the plesk-sasl.local file which I did see before is not there anymore.
I have attached the fail2ban jails page screenshot and this is the list of my fail2ban tree:
fail2ban
fail2ban/paths-fedora.conf
fail2ban/paths-debian.conf
fail2ban/paths-common.conf
fail2ban/paths-arch.conf
fail2ban/fail2ban.conf
fail2ban/jail.local
fail2ban/filter.d
fail2ban/filter.d/plesk-wordpress.conf
fail2ban/filter.d/common.conf
fail2ban/filter.d/plesk-panel.conf
fail2ban/filter.d/apache-auth.conf
fail2ban/filter.d/apache-common.conf
fail2ban/filter.d/plesk-qmail.conf
fail2ban/filter.d/postfix.conf
fail2ban/filter.d/proftpd.conf
fail2ban/filter.d/plesk-courierlogin.conf
fail2ban/filter.d/plesk-horde.conf
fail2ban/filter.d/plesk-dovecot.conf
fail2ban/filter.d/ignorecommands
fail2ban/filter.d/ignorecommands/apache-fakegooglebot
fail2ban/filter.d/plesk-roundcube.conf
fail2ban/filter.d/sshd.conf
fail2ban/filter.d/plesk-modsecurity.conf
fail2ban/filter.d/recidive.conf
fail2ban/filter.d/apache-badbots.conf
fail2ban/jail.conf
fail2ban/paths-opensuse.conf
fail2ban/jail.d
fail2ban/jail.d/plesk.conf
fail2ban/paths-osx.conf
fail2ban/README
fail2ban/action.d
fail2ban/action.d/sendmail-common.conf
fail2ban/action.d/iptables.conf
fail2ban/action.d/iptables-allports.conf
fail2ban/action.d/iptables-multiport.conf
fail2ban/action.d/badips.py
fail2ban/action.d/sendmail.conf
fail2ban/action.d/iptables-common.conf
fail2ban/action.d/smtp.py
fail2ban/paths-freebsd.conf
 

Attachments

  • 2021-04-29 12_48_15-IP Address Banning - Plesk Obsidian 18.0.34.png
    2021-04-29 12_48_15-IP Address Banning - Plesk Obsidian 18.0.34.png
    23 KB · Views: 17
I found that the regular plesk postfix configuration in /etc/fail2ban/filter.d/postfix.conf already also filters on the SASL authentication failures.
The drawback is, that brute force attackers get only banned for 10 minutes after 5 failure attempts and that with the combined postfix filter the recidive filter never kicks in.
Thus, an attacker can do 5 attempts every other 10 Minutes which is slow but gives some rewards to perseverance.
I used plesk's "Tools & Settings >> IP address banning >> Jails >> Manage Filters >> Add"
and "Tools & Settings >> IP address banning >> Jails >> Add Jail"
to create a separate postfix-sasl filter.
With that, there are 2 filters on the SASL failures so that the recidive filter kicks in and bans such abusing servers for a whole week from all ports.
 
PeterKi said:
I found that the regular plesk postfix configuration in /etc/fail2ban/filter.d/postfix.conf already also filters on the SASL authentication failures.
The drawback is, that brute force attackers get only banned for 10 minutes after 5 failure attempts and that with the combined postfix filter the recidive filter never kicks in.
Thus, an attacker can do 5 attempts every other 10 Minutes which is slow but gives some rewards to perseverance.
I used plesk's "Tools & Settings >> IP address banning >> Jails >> Manage Filters >> Add"
and "Tools & Settings >> IP address banning >> Jails >> Add Jail"
to create a separate postfix-sasl filter.
With that, there are 2 filters on the SASL failures so that the recidive filter kicks in and bans such abusing servers for a whole week from all ports.
Click to expand...
can u share the input of this new filter? thanks
 
You must log in or register to reply here.

Similar threads

A
Question Warnings in mail log [SASL LOGIN authentication failed]
Replies
1
Views
392
Peter Debik
P
Papacico
Resolved Postfix not working anymore after upgrade to Plesk Obsidian v18.0.55_build1800230919.07 os_CentOS 7
Replies
5
Views
900
Papacico
Papacico
P
Input plesk fail2ban missing some important filter rules
Replies
2
Views
568
PeterKi
P
U
Resolved fail2ban plesk-postfix jail and filter configuration
Replies
2
Views
2K
ufreier
U
X
Issue SASL LOGIN authentication failed: authentication failure
Replies
4
Views
2K
Peter Debik
P
Back
Top