Input Fail2ban was not detecting SASL

[tkalfaoglu]

I noticed thousands of brute force attacks that were not detected by fail2ban when I did a journalctl -f

Please ensure that

Dec 2 03:52:38 jedi postfix/smtpd[49188]: warning: unknown[193.56.28.139]: SASL LOGIN authentication failed: authentication failure

blurbs are trapped by your fail2ban.. Mine were not..
I just created a new filter and jail definitions..

 

[WebHostingAce]

I'm not sure about this.. Every IP has 5 attempts before being blocked by Fail2Ban. Are you sure you are not seen the first 4 attempts for each IP?

Fail2Ban just work fine in Plesk.

 

[tkalfaoglu]

I'm not sure about this.. Every IP has 5 attempts before being blocked by Fail2Ban. Are you sure you are not seen the first 4 attempts for each IP?
Fail2Ban just work fine in Plesk.

Only for SASL it was not working for me.. For other rules, sure it was working fine..

 

[ChrisCP]

Same happens to me. Which rule do you have applied?

 

[tkalfaoglu]

Here is my sasl.conf in jail.d

[sasl]

enabled = true
action = route[name="sasl"]
filter = sasl
logpath = /var/log/maillog
maxretry = 8​

and sasl.conf in filter.d:
PS: I am using a different action that routes the IP to unreachable.

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}?(?P<host>[\w\-.^_]+)
# Values: TEXT

failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) au
thentication failed [A-Za-z0-9+/ ]*)?$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =​