Unable to get Fail2Ban SASL filter to work

[Chris1]

Hi everyone,

I'm getting the following attempts every few minutes, I'd to put a stop to it with Fail2Ban but so far I've been unsuccessful. I get no IP bans in the Fail2Ban panel in Plesk 12.

Dec 3 23:24:14 XXX postfix/smtpd[2535]: warning: ca215.calcit.fastwebserver.de[146.0.42.84]: SASL LOGIN authentication failed: authentication failure

/etc/fail2ban/filter.d/sasl.conf
# Fail2Ban filter for postfix authentication failures
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix/smtpd
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
ignoreregex =
# Author: Yaroslav Halchenko

/etc/fail2ban/jail.local
[sasl]
enabled = true
logpath = /var/log/maillog
filter = sasl
maxretry = 1
action = iptables[name=sasl, port=smtp, protocol=tcp]
port = smtp

I also have the following under [DEFAULT] in my jail.local file:
findtime = 600
bantime = 3600

A Fail2Ban regex test shows the following:


[root@XXX fail2ban]# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sasl.conf

Running tests
=============

Use failregex file : /etc/fail2ban/filter.d/sasl.conf
Use log file : /var/log/maillog


Results
=======

Failregex: 2329 total
|- #) [# of hits] regular expression
| 1) [2329] (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [74635] MONTH Day Hour:Minute:Second
`-

Lines: 74635 lines, 0 ignored, 2329 matched, 72306 missed
Missed line(s): too many to print. Use --print-all-missed to print all 72306 lines
*****************************************

Could someone please assist with letting me know where I'm going wrong?

Kind regards,
Chris

 

[IgorG]

There is should be already:

[root@ppu12-0 ~]# cat /etc/fail2ban/filter.d/postfix-sasl.conf
# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix/smtpd

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed [ A-Za-z0-9+/]*={0,2})?\s*$

# Author: Yaroslav Halchenko

Have you tried to use it instead of adding own filter?

 

[Chris1]

Hi IgorG,

Thank you for the reply.

I have but unfortunately I couldn't get anything to become banned, even if I set the maxretry to 1.

I have since changed the regex back to the one you have listed above.

I have an idea as to why it isn't working. I've noticed that my mail log time zone is set to +10 which equates to 16:29 however when I run the date function I get:

"Thu Dec 4 17:29:30 AEDT 2014" (which is +11)

I have it set to the correct time zone in Plesk. (Australia/Melbourne)

1.) How can I fix my log time zone?
2.) Would the timezone different affect Fail2Ban from working correctly?

Kind regards,
Chris

 

[Chris1]

Hi IgorG,

I managed to fix the timestamps on the logs and a result the fail2ban issue by simply restarting the server. It seems fail2ban will not work correctly if the timestamps in the log file aren't correct.

I've got another issue now though. Since restarting the server my Server Health stats are reading incorrectly.

Apache CPU Usage: 954.5%
Mail server CPU usage: 1431.6%
MySQL CPU usage: 954.5%
Total CPU usage: 14913080.3%
Network throughput: 9544368.4 packets/sec

Any idea on how to fix this?

Kind regards,
Chris

 

[Alexey.Plotnitsky]

Hi Chris1,

1) Fail2Ban listens for recent log entries. So if you have fixed your mail server's log file then it should work
2) Try to check - which process does consume CPU:
#top

3) Check fail2ban server's status:
#fail2ban-client status

 

[Chris1]

Thank you

It appears my problem has been resolved.