Fail2ban SASL strange behavior

Discussion in 'Installation/Configuration' started by tomnhanni, Dec 2, 2013.

  1. tomnhanni

    tomnhanni New Member

    Hello,

    I noticed a lot of SASL LOGIN authentication failed: UGFzc3dvcmQ6 in my mail.log and was wondering why fail2ban does not seem to block the IP.

    System: Debian wheezy installed using perfect-server-debian-wheezy-apache2-bind-dovecot-ispconfig-3

    Here are some entries from mail.warn
    Code:
    Dec  1 19:15:54 myserver postfix/smtpd[563]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec  1 19:38:35 myserver postfix/smtpd[1119]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec  1 20:01:32 myserver postfix/smtpd[1673]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec  1 20:24:25 myserver postfix/smtpd[2695]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec  1 20:47:10 myserver postfix/smtpd[3250]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec  1 21:10:11 myserver postfix/smtpd[3885]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec  1 21:33:13 myserver postfix/smtpd[4378]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec  1 21:56:02 myserver postfix/smtpd[4861]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec  1 22:18:05 myserver postfix/smtpd[5532]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    
    There was a lot of this, all from the same IP.
    So I looked at my fail2ban log and there is no ban for this IP. :confused:

    my /etc/fail2ban/jail.local

    Code:
    [sasl]
    enabled  = true
    port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    filter   = sasl
    logpath  = /var/log/mail.warn
    maxretry = 3
    
    Look at my sasl.conf
    Code:
    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
    
    So to test I run

    Code:
    fail2ban-regex /var/log/mail.warn /etc/fail2ban/filter.d/sasl.conf
    
    and get some 300 matches, and the questionable IP is also matched!
    So I fire up telnet and test this:

    Code:
    telnet myserver 25
    ehlo test
    AUTH LOGIN
    somepassword
    
    and get
    Code:
    535 5.7.8 Error: authentication failed: VXNlcm5hbWU6
    in mail.warn
    Code:
    Dec  2 10:40:20 myserver postfix/smtpd[27724]: warning: myipadress[XX.XX.X.XXX]: SASL LOGIN authentication failed: VXNlcm5hbWU6
    I do this 3 times and get banned by fail2ban. My IP is in the fail2ban log. So I know it works!

    But this one IP is still trying as I'm typing this and not getting banned. So I'm really confused and need some help.
    The only thing I can think of is that there's a time-between-attempts issue. The logs show it attempts every 23 minutes or so. Is it possible that fail2ban only blocks attempts that are closer together?
    One other thought I had was: do I need to add "smtpd" as a port to my jail.local?
    Right now I have
    Code:
    port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s

    Any other ideas? Thanks
     
  2. tomnhanni

    tomnhanni New Member

    So I think I might be able to answer my own question. I guess it helps to RTFM :rolleyes:

    findtime = 600

    Code:
    (from Manual)
    
    Jail Options
    
    Every jail can be customized by tuning following options:
    Name        Default             Description
    filter                          Name of the filter to be used by the jail to detect matches. Each single match by a filter increments the counter within the jail.
    logpath     /var/log/messages   Path to the log file which is provided to the filter.
    maxretry    3                   Number of matches (i.e. value of the counter) which triggers ban action on the IP.
    findtime    600 sec             The counter is set to zero if no match is found within "findtime" seconds.
    bantime     600 sec             Duration (in seconds) for IP to be banned for. Negative number for "permanent" ban.
    I think I should set findtime to something like 1800.
    Anybody think this might adversely affect anything else?
     
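The findtime interaction worked through in this thread, as an added Python example that is not part of the thread or of fail2ban's own code: it runs the sasl.conf failregex from the first post over sample log lines (five copied from the mail.warn excerpt above, one unrelated postfix line, and three constructed quick failures from the documentation-range address 192.0.2.10 standing in for the poster's telnet test) and simulates the retry counter two ways: the rule as the manual excerpt states it (counter reset when the gap since the previous match exceeds findtime) and a strict sliding window over the last findtime seconds. The named group substituted for fail2ban's <HOST> tag, the year added to the syslog timestamps and the test address are assumptions.

```python
import re
from datetime import datetime, timedelta

# failregex copied from the thread's sasl.conf. fail2ban replaces the <HOST> tag with its own
# host-matching group; the named group below is a simplified stand-in (assumption).
FAILREGEX = (r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) "
             r"authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$")
HOST_GROUP = r"(?P<host>[\w.:-]+)"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))

# Constructed sample log: five lines from the thread's mail.warn excerpt, one unrelated postfix
# line that must not match, and three quick failures from a documentation-range test address.
SAMPLE_LOG = """\
Dec  1 19:15:54 myserver postfix/smtpd[563]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec  1 19:20:00 myserver postfix/smtpd[600]: connect from unknown[198.51.100.7]
Dec  1 19:38:35 myserver postfix/smtpd[1119]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec  1 20:01:32 myserver postfix/smtpd[1673]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec  1 20:24:25 myserver postfix/smtpd[2695]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec  1 20:47:10 myserver postfix/smtpd[3250]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec  2 10:40:20 myserver postfix/smtpd[27724]: warning: testhost[192.0.2.10]: SASL LOGIN authentication failed: VXNlcm5hbWU6
Dec  2 10:40:31 myserver postfix/smtpd[27724]: warning: testhost[192.0.2.10]: SASL LOGIN authentication failed: VXNlcm5hbWU6
Dec  2 10:40:45 myserver postfix/smtpd[27724]: warning: testhost[192.0.2.10]: SASL LOGIN authentication failed: VXNlcm5hbWU6
"""


def parse_failures(log_text, year=2013):
    """Return [(timestamp, host)] for every line the failregex matches, in log order."""
    failures = []
    for line in log_text.splitlines():
        match = PATTERN.search(line)
        if not match:
            continue
        # syslog timestamps carry no year; 2013 is assumed from the thread's date.
        stamp = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        failures.append((stamp, match.group("host")))
    return failures


def first_ban(failures, host, findtime, maxretry=3, mode="gap"):
    """Return the timestamp at which `host` reaches maxretry matches, or None.

    mode="gap":    the rule as the manual excerpt quoted above states it: the counter is
                   zeroed when no new match arrives within findtime seconds of the last one.
    mode="window": a strict sliding window that only counts matches from the last
                   findtime seconds (assumption: how later fail2ban releases count).
    """
    window = timedelta(seconds=findtime)
    count, last_seen, recent = 0, None, []
    for stamp, h in failures:
        if h != host:
            continue
        if mode == "gap":
            count = count + 1 if last_seen is not None and stamp - last_seen <= window else 1
            last_seen = stamp
        else:
            recent = [t for t in recent if stamp - t <= window] + [stamp]
            count = len(recent)
        if count >= maxretry:
            return stamp
    return None


def summarize(failures, host):
    """Ban time (or None) under each counting rule for findtime 600, 1800 and 2800 seconds."""
    return {(mode, ft): first_ban(failures, host, ft, mode=mode)
            for mode in ("gap", "window") for ft in (600, 1800, 2800)}


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print(f"{len(fails)} lines matched the failregex")
    for host in ("50.202.171.113", "192.0.2.10"):
        for (mode, ft), when in summarize(fails, host).items():
            verdict = "ban at " + str(when) if when else "never banned"
            print(f"{host:16} {mode:7} findtime={ft:5} -> {verdict}")
```

The two counting rules disagree for this attacker: the quick three-try test is banned under both at findtime 600, but at roughly 23-minute spacing a gap-based counter bans on the third attempt once findtime reaches 1800, while a sliding window needs findtime to cover two gaps (about 2740 seconds here) before three matches ever coincide. Since fail2ban-regex only reports filter matches and says nothing about the counter, checking which rule the installed fail2ban version applies is what decides whether 1800 is enough.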
  3. Croydon

    Croydon ISPConfig Developer

    1800 should be no problem - at least if no client uses some invalid login data accidentally ;)
     