• Introducing WebPros Cloud - a fully managed infrastructure platform purpose-built to simplify the deployment of WebPros products !  WebPros Cloud enables you to easily deliver WebPros solutions — without the complexity of managing the infrastructure.
    Join the pilot program today!
  • Support for BIND DNS has been removed from Plesk for Windows due to security and maintenance risks.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS.

Input Fail2ban was not detecting SASL

tkalfaoglu

Silver Pleskian
I noticed thousands of brute force attacks that were not detected by fail2ban when I did a journalctl -f

Please ensure that

Dec 2 03:52:38 jedi postfix/smtpd[49188]: warning: unknown[193.56.28.139]: SASL LOGIN authentication failed: authentication failure

blurbs are trapped by your fail2ban.. Mine were not..
I just created a new filter and jail definitions..
 
I'm not sure about this.. Every IP has 5 attempts before being blocked by Fail2Ban. Are you sure you are not seen the first 4 attempts for each IP?

Fail2Ban just work fine in Plesk.
 
I'm not sure about this.. Every IP has 5 attempts before being blocked by Fail2Ban. Are you sure you are not seen the first 4 attempts for each IP?
Fail2Ban just work fine in Plesk.

Only for SASL it was not working for me.. For other rules, sure it was working fine..
 
Here is my sasl.conf in jail.d

[sasl]

enabled = true
action = route[name="sasl"]
filter = sasl
logpath = /var/log/maillog
maxretry = 8​

and sasl.conf in filter.d:
PS: I am using a different action that routes the IP to unreachable.


[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT

failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) au
thentication failed:) [A-Za-z0-9+/ ]*)?$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =​
 
Last edited:
Back
Top