I have got fail2ban up and running, but....

  • I got fail2ban running according to the settings in the wiki. And everything seems to be working after a few tweaks.


    But today I encountered a lot of entries in the "mail.warn" log file (see below; I replaced the IP with xxx). How do I effectively block this?


    Mar 26 20:06:59 host1 postfix/smtpd[5723]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:06:59 host1 postfix/smtpd[5723]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:06:59 host1 postfix/smtpd[5723]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:06:59 host1 postfix/smtpd[5723]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:07:00 host1 postfix/smtpd[5723]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:07:00 host1 postfix/smtpd[5723]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:07:00 host1 postfix/smtpd[5723]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:07:00 host1 postfix/smtpd[5723]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:07:01 host1 postfix/smtpd[5723]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:07:01 host1 postfix/smtpd[5723]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:07:01 host1 postfix/smtpd[5723]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:07:01 host1 postfix/smtpd[5724]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:07:01 host1 postfix/smtpd[5724]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:07:02 host1 postfix/smtpd[5724]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:07:02 host1 postfix/smtpd[5724]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:07:02 host1 postfix/smtpd[5724]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:07:02 host1 postfix/smtpd[5724]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:07:02 host1 postfix/smtpd[5724]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:07:03 host1 postfix/smtpd[5724]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:07:03 host1 postfix/smtpd[5724]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:07:03 host1 postfix/smtpd[5724]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:07:03 host1 postfix/smtpd[5724]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:07:03 host1 postfix/smtpd[5724]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:07:04 host1 postfix/smtpd[5724]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:07:04 host1 postfix/smtpd[5724]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:07:04 host1 postfix/smtpd[5724]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
    Mar 26 20:07:04 host1 postfix/smtpd[5724]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure


    It seems to take up a lot of resources (CPU and disk I/O utilization), so it would be nice to get this banned.


    Michael

    Concrete5 Denmark - CMS for everyone
    --------------------------
    Michael Jensen-Maar
    Concrete5 Danmark

    --------------------------

  • Hello;


    Show us your fail2ban configuration, especially the configuration file where you added your filters.


  • It is almost exactly as the wiki...


    http://wiki.i-mscp.net/doku.php?id=start:howto:fail2ban


    The only thing that I tweaked is the following entries:


    ignoreip = 127.0.0.1/8 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
    findtime = 1800
    bantime = 1800
    maxretry = 6


    The rest is the same!


  • Hi.


    I cannot see any postfix things in the howto. You may need a filter for postfix. I am on my phone right now so I cannot have a look at the applied filters but do a google search for fail2ban postfix. I can send you my config and filter tomorrow if needed.


    Regards

  • That is the point. When I look into the filters, I see them all. But I have to take a closer look to see if one is looking at mail.warn.


    Would appreciate to have a look at yours!


  • Hi MGAV, you need to add in jail.conf

    Code
    [sasl]
    enabled = true
    port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    filter = sasl
    maxretry = 2
    bantime = 36000


    and /etc/fail2ban/filter.d/sasl.conf must contain


    After that you need to restart the service


    /etc/init.d/fail2ban restart


    Done ^^


    Good luck


    Victor

  • Hi MGAV, to check this rule, run this on your server


    Code
    fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf


    and tell me what happened


    Victor
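To see what the [sasl] jail and its filter actually do against the log lines quoted earlier in this thread, and what the fail2ban-regex check above is counting, here is an added example (not fail2ban's own code and not the filter from the howto): a minimal Python re-implementation of the match-and-count step, with the findtime/maxretry window applied. The failregex, the 192.0.2.x addresses, the year and the sample log lines are my own constructions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed failregex written against the mail.warn lines quoted in this thread;
# <HOST> is fail2ban's placeholder token and is swapped for a capturing group below.
FAILREGEX = (r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5)"
             r" authentication failed")
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")  # syslog prefix

# Constructed sample in the shape of the thread's log (192.0.2.x are documentation addresses).
_FAIL = "host1 postfix/smtpd[5723]: warning: unknown[{ip}]: SASL LOGIN authentication failed: authentication failure"
SAMPLE_LOG = [
    "Mar 26 20:06:58 host1 postfix/smtpd[5723]: connect from unknown[192.0.2.10]",
    *("Mar 26 20:06:59 " + _FAIL.format(ip="192.0.2.10") for _ in range(4)),
    *("Mar 26 20:07:00 " + _FAIL.format(ip="192.0.2.10") for _ in range(3)),
    "Mar 26 20:07:30 " + _FAIL.format(ip="192.0.2.20"),
    "Mar 26 21:00:00 " + _FAIL.format(ip="192.0.2.20"),
]

def parse_failures(lines, year=2000):
    """Return (timestamp, host) for each line the failregex matches.
    Syslog lines carry no year, so one is supplied (placeholder default)."""
    hits = []
    for line in lines:
        m, t = PATTERN.search(line), TS_RE.match(line)
        if m and t:
            ts = datetime.strptime(f"{year} {t['ts']}", "%Y %b %d %H:%M:%S")
            hits.append((ts, m["host"]))
    return hits

def hosts_to_ban(lines, findtime=1800, maxretry=6):
    """Hosts with >= maxretry matches inside any findtime-second window,
    i.e. the findtime/maxretry rule from the jail settings quoted in the thread."""
    by_host = defaultdict(list)
    for ts, host in parse_failures(lines):
        by_host[host].append(ts)
    banned = set()
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(host)
                break
    return banned

if __name__ == "__main__":
    print(f"{len(parse_failures(SAMPLE_LOG))} of {len(SAMPLE_LOG)} lines matched")
    print("would ban:", sorted(hosts_to_ban(SAMPLE_LOG)))
```

Note that 192.0.2.20 is never banned with the thread's findtime of 1800 even at maxretry = 2, because its two failures are 52 minutes apart; fail2ban only counts matches that fall inside the window.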