• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Resolved fail2ban postfix-sasl not working correctly

PeterKi

Regular Pleskian
I have enabled fail2ban and most of the jails are working properly.
I have also enabled the recidive jail.
Alas, I often see messages like this in /var/log/maillog:
Apr 24 05:30:10 h2731888 postfix/smtpd[32272]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 05:41:49 h2731888 postfix/smtpd[4137]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 05:53:27 h2731888 postfix/smtpd[8381]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 06:05:11 h2731888 postfix/smtpd[12617]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 06:16:53 h2731888 postfix/smtpd[16348]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 06:28:18 h2731888 postfix/smtpd[20651]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 06:39:43 h2731888 postfix/smtpd[25252]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 06:51:07 h2731888 postfix/smtpd[29408]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 07:02:31 h2731888 postfix/smtpd[732]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 07:14:00 h2731888 postfix/smtpd[5328]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
Apr 24 07:25:20 h2731888 postfix/smtpd[9274]: warning: unknown[203.159.80.233]: SASL LOGIN authentication failed: authentication failure
The postfix.conf filter seems not to match the above lines.

I found another filter in /etc/fail2ban/filter.d/postfix-sasl.local which does not seem to work either.
It has a failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:)[ A-Za-z0-9+/:]*={0,2})?\s*$ which does not match the log lines above.
Also I cannot find where this filter is enabled at all.


So my question is:
How can I get fail2ban to block those brute force SASL LOGIN attempts?
 
Last edited:
I think that the regex is correct. It can be tested on regex101: build, test, and debug regex. You have to consider that "_prefix_line" and "<HOST>" are placeholders.

There are two Postfix jails, the regular Postfix jail and the Postfix SASL jail. Have you enabled both in Fail2Ban?
 
The postfix jail is enabled, the postfix sasl jail isn't.
There is a difference in that the postfix filter is named postfix.conf whereas the postfix-sasl filter is named postfix-sasl.local.
The jails in jail.d/plesk.conf reference the filters without extension and there is no postfix-sasl entry in jail.d/plesk.conf
Thus, I am puzzled what the correct plesk-way is to enable the postfix-sasl filter.
I am reluctant to configure things outside the plesk mechanism as they may break with upcoming updates.
 
Does anybody have the postfix-sasl filter activated?
I wonder that I seem to be the only one with the problem as I think that every Linux server with postfix will show the problem.
Every day I see IP addresses being blocked by fail2ban for other reasons, but dictionary attacks on postfix do not get blocked.
It is also strange to me that there is a postfix-sasl.local filter but the plesk GUI does not offer a way to activate it.
This looks like someone did build a solution but not implement it in the end.
 
I can see an activated Postfix-SASL jail in our Plesk installations.

I suggest to use the Plesk component upgrade and installation page to remove Fail2Ban from your server, then re-add it.
 
I did uninstalled as suggested and did a cleanup by 'rm -r /etc/fail2ban'.
After that I re-installed fail2ban and activated all the jails.
There is no plesk-sasl jail though and the plesk-sasl.local file which I did see before is not there anymore.
I have attached the fail2ban jails page screenshot and this is the list of my fail2ban tree:
fail2ban
fail2ban/paths-fedora.conf
fail2ban/paths-debian.conf
fail2ban/paths-common.conf
fail2ban/paths-arch.conf
fail2ban/fail2ban.conf
fail2ban/jail.local
fail2ban/filter.d
fail2ban/filter.d/plesk-wordpress.conf
fail2ban/filter.d/common.conf
fail2ban/filter.d/plesk-panel.conf
fail2ban/filter.d/apache-auth.conf
fail2ban/filter.d/apache-common.conf
fail2ban/filter.d/plesk-qmail.conf
fail2ban/filter.d/postfix.conf
fail2ban/filter.d/proftpd.conf
fail2ban/filter.d/plesk-courierlogin.conf
fail2ban/filter.d/plesk-horde.conf
fail2ban/filter.d/plesk-dovecot.conf
fail2ban/filter.d/ignorecommands
fail2ban/filter.d/ignorecommands/apache-fakegooglebot
fail2ban/filter.d/plesk-roundcube.conf
fail2ban/filter.d/sshd.conf
fail2ban/filter.d/plesk-modsecurity.conf
fail2ban/filter.d/recidive.conf
fail2ban/filter.d/apache-badbots.conf
fail2ban/jail.conf
fail2ban/paths-opensuse.conf
fail2ban/jail.d
fail2ban/jail.d/plesk.conf
fail2ban/paths-osx.conf
fail2ban/README
fail2ban/action.d
fail2ban/action.d/sendmail-common.conf
fail2ban/action.d/iptables.conf
fail2ban/action.d/iptables-allports.conf
fail2ban/action.d/iptables-multiport.conf
fail2ban/action.d/badips.py
fail2ban/action.d/sendmail.conf
fail2ban/action.d/iptables-common.conf
fail2ban/action.d/smtp.py
fail2ban/paths-freebsd.conf
 

Attachments

  • 2021-04-29 12_48_15-IP Address Banning - Plesk Obsidian 18.0.34.png
    2021-04-29 12_48_15-IP Address Banning - Plesk Obsidian 18.0.34.png
    23 KB · Views: 17
I found that the regular plesk postfix configuration in /etc/fail2ban/filter.d/postfix.conf already also filters on the SASL authentication failures.
The drawback is, that brute force attackers get only banned for 10 minutes after 5 failure attempts and that with the combined postfix filter the recidive filter never kicks in.
Thus, an attacker can do 5 attempts every other 10 Minutes which is slow but gives some rewards to perseverance.
I used plesk's "Tools & Settings >> IP address banning >> Jails >> Manage Filters >> Add"
and "Tools & Settings >> IP address banning >> Jails >> Add Jail"
to create a separate postfix-sasl filter.
With that, there are 2 filters on the SASL failures so that the recidive filter kicks in and bans such abusing servers for a whole week from all ports.
 
I found that the regular plesk postfix configuration in /etc/fail2ban/filter.d/postfix.conf already also filters on the SASL authentication failures.
The drawback is, that brute force attackers get only banned for 10 minutes after 5 failure attempts and that with the combined postfix filter the recidive filter never kicks in.
Thus, an attacker can do 5 attempts every other 10 Minutes which is slow but gives some rewards to perseverance.
I used plesk's "Tools & Settings >> IP address banning >> Jails >> Manage Filters >> Add"
and "Tools & Settings >> IP address banning >> Jails >> Add Jail"
to create a separate postfix-sasl filter.
With that, there are 2 filters on the SASL failures so that the recidive filter kicks in and bans such abusing servers for a whole week from all ports.
can u share the input of this new filter? thanks
 
Back
Top