
Issue: IP block for postfix in Fail2ban doesn't work

shopuser

Basic Pleskian
Hello,

I have installed fail2ban, with all jails and another one with a blacklist.
Spammers have been trying different usernames for mail addresses with different password lengths for 5 days!
The mail service for this domain is off in the Plesk configuration, and the IP from this server is blocked in the jails:
plesk-postfix
recidive
IP-Blacklist

but in the mail.log I see again:

plesk_saslauthd[33456]: failed mail authenticatication attempt for user '[email protected]' (password len=10)
postfix/smtpd[33456]: warning: unknown[000.000.000.00]: SASL LOGIN authentication failed: authentication failure
plesk_saslauthd[33456]: No such user '[email protected]' in mail authorization database
plesk_saslauthd[33456]: failed mail authenticatication attempt for user '[email protected]' (password len=8)
plesk_saslauthd[33456]: No such user '[email protected]' in mail authorization database
plesk_saslauthd[33456]: failed mail authenticatication attempt for user '[email protected]' (password len=4)
plesk_saslauthd[33456]: No such user '[email protected]' in mail authorization database

....

postfix/smtpd[33456]: message repeated 14 times: [ warning: unknown[000.000.000.00]: SASL LOGIN authentication failed: authentication failure]
postfix/smtpd[33456]: too many errors after AUTH from unknown[000.000.000.00]
 
Hi shopuser,
What OS are you using? If Ubuntu, try to use /var/log/mail.log instead of /var/log/maillog for the jail.
Anything other than Ubuntu, ignore me :)
Regards

Lloyd
 
@shopuser,

The "attacks" (of the brute force kind) are known; they have certainly been present on your system for more than 5 days.

The hack attempt is unsuccessful in 99,99999% of the cases, no worries there.

Nevertheless, it is true that the default Plesk postfix jail for Fail2Ban will not work: the scripts bypass this jail, in the sense that Fail2Ban does not take action (read: ban IPs).

More on this will follow later... the above is just some preliminary explanation.

Regards.....
 
unknown[000.000.000.00]

Have you changed the IP address in the log for the purpose of the post, or is this actually what is in your log?

If this is in your log, then it's normal that fail2ban doesn't block it. It needs to know what IP address to block.

regards
Jan
 
@Linulex

Any log entry of the kind

unknown[<HOST>]

with <HOST> the IP address, is covered and detected by Fail2Ban with the postfix jail (or the qmail equivalent of that).

The problem is that Fail2Ban does not take action (read: ban the IP), due to the nature and frequency of the "attack".

It is a horrendous problem, since any change in Fail2Ban settings does not really make a difference.

I am working on a quickfix to share later on this forum.

Regards.....
 
@ anyone who also experiences such issues:

Pls. POST your filter and your corresponding jail and log-file entry, so that investigations can be done and solutions can be provided. Without all three pieces of information, all further suggestions are just guesses!
 
@UFHH01, @everyone,

With respect to

Pls. POST your filter and your corresponding jail and log-file entry, so that investigations can be done and solutions can be provided. Without all three pieces of information, all further suggestions are just guesses!

note the following:

a) most of the attacks started around the 5th of June, implying that logs for 16 days (with tens of thousands of lines) should be provided: not practical

b) the "attacks" (of the brute force kind) are

- following a known pattern
- exhibiting multi-port attack mode (smtp, smtps, pop3, imap, pop3s, imaps)
- showing "intelligent" scripts (behaviour changes)

and so on.

c) the "attacks" (of the brute force kind) will exhaust resources (certainly on a VPS), if additional jails are entered to prevent these "attacks"

d) each Plesk instance is confronted by "attacks" from a unique set of approximately 100 to 500 bad IPs

and I can continue with a number of facts.


However, I do emphasize that any feedback is welcome; you can always send me a PM with the following log files:

- /var/log/mail.log
- /var/log/mail.log.1

Regards....
 
most of the attacks started around the 5th of June, implying that logs for 16 days (with tens of thousands of lines) should be provided: not practical

It is only necessary to post ONE single (complete) corresponding log-file entry. There is absolutely no need to provide log files from 16 days... or whatever other number of days.
It is pretty easy to modify an existing failregex (if needed, depending on your jail and filter AND corresponding log-file entries), so all further discussions are pretty useless and lead to nothing.
 
@UFHH01,

You don't like discussions, that is clear by now. Just do not create them!

And note that it is worthwhile to look further than only your own servers: every server is "attacked" in a different fashion, with not all Fail2Ban adjustments having the same effect.

Not only does the effectiveness of a Fail2Ban adjustment depend on the other jails/actions/filters activated; these factors also matter:

- VPS (or not; in the case of a VPS, one can or will encounter numiptent issues)
- error notifications can vary across Plesk instances (read: type of attacks can be different)
- the attack mode is changing every day.........depending on which action is taken against the "attacks"

Also note that you are saying exactly the same as me, so where should there be a discussion in your opinion?

Nevertheless, I do add some information that can be valuable for forum members to provide the relevant output.

So......????

Regards........
 
You don't like discussions, that is clear by now. Just do not create them!

Your "help" is confusing... and could be considered spam. If you insist on "discussing" solutions, work-arounds or hints on how to solve issues described by thread starters or posting users, consider using the private message function of this forum.


@ all persons who are just interested in solutions for their issues, just try to follow: https://talk.plesk.com/threads/ip-block-for-postfix-in-fail2ban-dosent-work.338374/#post-803656
 
@UFHH01,

Yes, I do ask other forum members to send me a PM, so they can share full information from logs.

Yes, I do work on a solution.

No, your solutions provided in other topic threads will NOT work (at best, they catch a small fraction of the "attacks").

No, the link you posted is not very clear, it points to the topic thread we are in now.

No, it is not nice what you are doing right now.

Regards.......
 
I don't have any problems with fail2ban, no matter how many entries, and believe me, xml-rpc has more entries than any mail server.
But I don't use postfix, I use qmail, so I can't post my postfix rule.
I know there are several points to check why fail2ban could fail:

- what is the fail2ban version? Plesk doesn't work well with 0.9.3, you need to use 0.9.2. I have posted a 0.9.2 rpm here: Plesk 12.0.18 Update #68 and Fail2ban 0.9.3 problem
- if you change a rule, always restart fail2ban
- if you restart the firewall, always restart fail2ban after that
- don't have many rules that all use all the httpd logs. Every rule reads the logs in, and it can get overloaded very fast.

And the 000.000.000.00: it won't block that because there is nothing to block, it is not a true IP address. The route to 0.0.0.0 is the route the system will use if it doesn't have a "more specific" route. So hence my question: does the log really say 000.000.000.00, or was that changed for the example?

regards
Jan
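To make the points in this thread checkable offline (the SASL failure lines quoted in the opening post, fail2ban's maxretry/findtime counting, and Jan's remark that 000.000.000.00 is nothing fail2ban can ban), here is an added Python example that is not from the thread, from Plesk or from fail2ban itself. The failregex, the timestamps, the host name "srv" and the 203.0.113.x/198.51.100.x addresses are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the opening post's excerpt: timestamps, the host
# name "srv" and the addresses 203.0.113.5 / 198.51.100.9 are placeholders.
SAMPLE_LOG = """\
Jun 21 10:00:01 srv postfix/smtpd[33456]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jun 21 10:00:03 srv postfix/smtpd[33456]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jun 21 10:00:05 srv postfix/smtpd[33456]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jun 21 10:00:07 srv postfix/smtpd[33456]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jun 21 10:00:09 srv postfix/smtpd[33456]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jun 21 10:00:20 srv postfix/smtpd[33456]: message repeated 14 times: [ warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure]
Jun 21 10:00:21 srv postfix/smtpd[33456]: warning: unknown[000.000.000.00]: SASL LOGIN authentication failed: authentication failure
Jun 21 10:00:30 srv postfix/smtpd[33457]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
"""

# Assumed failregex for this example (not Plesk's shipped filter). Anchored at the
# syslog prefix, it does not match the collapsed "message repeated 14 times" line,
# so those 14 failures are never counted: one reason a ban may not trigger.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(?P<host>[^\]]+)\]: SASL \w+ authentication failed"
)

def bannable_host(host):
    """A placeholder like 000.000.000.00 gives fail2ban nothing real to ban."""
    try:
        return not ipaddress.ip_address(host).is_unspecified
    except ValueError:
        return False

def would_ban(log_text, maxretry=5, findtime=600, year=2016):
    """Map host -> match count for hosts reaching maxretry within findtime seconds."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m and bannable_host(m["host"]):
            hits[m["host"]].append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    banned = {}
    for host, times in sorted(hits.items()):
        times.sort()
        for i, now in enumerate(times):  # sliding window like fail2ban's findtime
            seen = sum(1 for t in times[: i + 1] if (now - t).total_seconds() <= findtime)
            if seen >= maxretry:
                banned[host] = seen
                break
    return banned
```

Running `would_ban(SAMPLE_LOG)` returns `{'203.0.113.5': 5}`: the placeholder address and the host with a single failure are ignored, and raising maxretry above 5 or shrinking findtime below the burst's span yields no ban at all.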
 