I'm very new to Linux and I need help with fail2ban settings. I'm trying to apply some rules to fail2ban to use postfix and postfix-rbl, but each time I try I get an error in fail2ban.log, which is below. As I do not know how to debug fail2ban I'm stuck. I was thinking that maybe there is a bug in fail2ban, but I have searched the net and not found any mention of this kind of problem.

Code: /etc/fail2ban/jail.local

[postfix]
# To use another modes set filter parameter "mode" in jail.local:
enabled = true
filter = postfix
mode = normal
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s

[postfix-rbl]
enabled = true
filter = postfix[mode=rbl]
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 1

Here is the error that I do not understand.

Code: /var/log/fail2ban.log with error

2019-04-29 14:02:57,109 fail2ban.jail [4616]: INFO Creating new jail 'apache-shellshock'
2019-04-29 14:02:57,113 fail2ban.jail [4616]: INFO Jail 'apache-shellshock' uses poller {}
2019-04-29 14:02:57,114 fail2ban.jail [4616]: INFO Initiated 'polling' backend
2019-04-29 14:02:57,143 fail2ban.filter [4616]: INFO Added logfile: '/var/log/apache2/error.log' (pos = 23825, hash = 42c5b88d48c42e4d257fb18229bb22ec)
2019-04-29 14:02:57,145 fail2ban.filter [4616]: INFO maxRetry: 1
2019-04-29 14:02:57,146 fail2ban.filter [4616]: INFO encoding: UTF-8
2019-04-29 14:02:57,147 fail2ban.filter [4616]: INFO findtime: 3600
2019-04-29 14:02:57,148 fail2ban.actions [4616]: INFO banTime: 3600
2019-04-29 14:02:57,151 fail2ban.jail [4616]: INFO Creating new jail 'php-url-fopen'
2019-04-29 14:02:57,155 fail2ban.jail [4616]: INFO Jail 'php-url-fopen' uses poller {}
2019-04-29 14:02:57,157 fail2ban.jail [4616]: INFO Initiated 'polling' backend
2019-04-29 14:02:57,177 fail2ban.filter [4616]: INFO Added logfile: '/var/log/apache2/other_vhosts_access.log' (pos = 0, hash = d41d8cd98f00b204e9800998ecf8427e)
2019-04-29 14:02:57,179 fail2ban.filter [4616]: INFO Added logfile: '/var/log/apache2/access.log' (pos = 18846, hash = 8026f2bdcbabd3847ff1cbecfba80f55)
2019-04-29 14:02:57,180 fail2ban.filter [4616]: INFO maxRetry: 3
2019-04-29 14:02:57,181 fail2ban.filter [4616]: INFO encoding: UTF-8
2019-04-29 14:02:57,182 fail2ban.filter [4616]: INFO findtime: 3600
2019-04-29 14:02:57,184 fail2ban.actions [4616]: INFO banTime: 3600
2019-04-29 14:02:57,187 fail2ban.jail [4616]: INFO Creating new jail 'postfix'
2019-04-29 14:02:57,191 fail2ban.jail [4616]: INFO Jail 'postfix' uses poller {}
2019-04-29 14:02:57,192 fail2ban.jail [4616]: INFO Initiated 'polling' backend
2019-04-29 14:02:57,220 fail2ban.filter [4616]: ERROR Unable to compile regular expression 'warning: (.*)[]: SASL LOGIN authentication failed:'
2019-04-29 14:02:57,221 fail2ban.transmitter [4616]: WARNING Command ['server-stream', [['set', 'syslogsocket', 'auto'], ['set', 'loglevel', 'INFO'], ['set', 'logtarget', '/var/log/fail2ban.log'], ['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3'], ['set', 'dbpurgeage', '1d'], ['add', 'sshd', 'auto'], ['set', 'sshd', 'maxlines', 1], ['set', 'sshd', 'prefregex', '^<F-MLFID>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?</F-MLFID>(?:(?:error|fatal): (?:PAM: )?)?<F-CONTENT>.+</F-CONTENT>$'], ['set', 'sshd', 'addjournalmatch', '_SYSTEMD_UNIT=sshd.service', '+', '_COMM=sshd'], ['multi-set', 'sshd', 'addfailregex', ['^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \\S+)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^Failed publickey for invalid user <F-USER>(?P<cond_user>\\S+)|(?:(?! from ).)*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)', '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)', '^<F-USER>ROOT</F-USER> LOGIN REFUSED FROM <HOST>', '^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>.+</F-USER> from <HOST> not allowed because not listed in AllowUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User
2019-04-29 14:02:57,232 fail2ban [4616]: ERROR NOK: ("Unable to compile regular expression 'warning: (.*)[]: SASL LOGIN authentication failed:'",)

Code: /var/log/fail2ban.log without postfix and postfix-rbl

2019-04-29 14:17:28,227 fail2ban.jail [6209]: INFO Jail 'apache-shellshock' uses poller {}
2019-04-29 14:17:28,229 fail2ban.jail [6209]: INFO Initiated 'polling' backend
2019-04-29 14:17:28,257 fail2ban.filter [6209]: INFO Added logfile: '/var/log/apache2/error.log' (pos = 0, hash = 42c5b88d48c42e4d257fb18229bb22ec)
2019-04-29 14:17:28,258 fail2ban.filter [6209]: INFO maxRetry: 1
2019-04-29 14:17:28,259 fail2ban.filter [6209]: INFO encoding: UTF-8
2019-04-29 14:17:28,260 fail2ban.filter [6209]: INFO findtime: 3600
2019-04-29 14:17:28,261 fail2ban.actions [6209]: INFO banTime: 3600
2019-04-29 14:17:28,264 fail2ban.jail [6209]: INFO Creating new jail 'php-url-fopen'
2019-04-29 14:17:28,268 fail2ban.jail [6209]: INFO Jail 'php-url-fopen' uses poller {}
2019-04-29 14:17:28,269 fail2ban.jail [6209]: INFO Initiated 'polling' backend
2019-04-29 14:17:28,290 fail2ban.filter [6209]: INFO Added logfile: '/var/log/apache2/other_vhosts_access.log' (pos = 0, hash = d41d8cd98f00b204e9800998ecf8427e)
2019-04-29 14:17:28,292 fail2ban.filter [6209]: INFO Added logfile: '/var/log/apache2/access.log' (pos = 0, hash = 8026f2bdcbabd3847ff1cbecfba80f55)
2019-04-29 14:17:28,293 fail2ban.filter [6209]: INFO maxRetry: 3
2019-04-29 14:17:28,294 fail2ban.filter [6209]: INFO encoding: UTF-8
2019-04-29 14:17:28,296 fail2ban.filter [6209]: INFO findtime: 3600
2019-04-29 14:17:28,297 fail2ban.actions [6209]: INFO banTime: 3600
2019-04-29 14:17:28,299 fail2ban.jail [6209]: INFO Creating new jail 'dovecot'
2019-04-29 14:17:28,303 fail2ban.jail [6209]: INFO Jail 'dovecot' uses poller {}
2019-04-29 14:17:28,305 fail2ban.jail [6209]: INFO Initiated 'polling' backend
2019-04-29 14:17:28,403 fail2ban.datedetector [6209]: INFO date pattern `''`: `{^LN-BEG}TAI64N`
2019-04-29 14:17:28,407 fail2ban.filter [6209]: INFO Added logfile: '/var/log/mail.log' (pos = 28260, hash = 8c79e1807138e6c3f0718d2714acb238)
2019-04-29 14:17:28,408 fail2ban.filter [6209]: INFO maxRetry: 3
2019-04-29 14:17:28,409 fail2ban.filter [6209]: INFO encoding: UTF-8
2019-04-29 14:17:28,410 fail2ban.filter [6209]: INFO findtime: 3600
2019-04-29 14:17:28,411 fail2ban.actions [6209]: INFO banTime: 3600
2019-04-29 14:17:28,414 fail2ban.jail [6209]: INFO Creating new jail 'sieve'
2019-04-29 14:17:28,418 fail2ban.jail [6209]: INFO Jail 'sieve' uses poller {}
2019-04-29 14:17:28,420 fail2ban.jail [6209]: INFO Initiated 'polling' backend
2019-04-29 14:17:28,453 fail2ban.filter [6209]: INFO Added logfile: '/var/log/mail.log' (pos = 28260, hash = 8c79e1807138e6c3f0718d2714acb238)
2019-04-29 14:17:28,454 fail2ban.filter [6209]: INFO maxRetry: 3
2019-04-29 14:17:28,456 fail2ban.filter [6209]: INFO encoding: UTF-8
2019-04-29 14:17:28,457 fail2ban.filter [6209]: INFO findtime: 3600
2019-04-29 14:17:28,458 fail2ban.actions [6209]: INFO banTime: 3600
2019-04-29 14:17:28,500 fail2ban.jail [6209]: INFO Jail 'sshd' started
2019-04-29 14:17:28,508 fail2ban.jail [6209]: INFO Jail 'apache-auth' started
2019-04-29 14:17:28,563 fail2ban.jail [6209]: INFO Jail 'apache-badbots' started
2019-04-29 14:17:28,585 fail2ban.jail [6209]: INFO Jail 'apache-noscript' started
2019-04-29 14:17:28,693 fail2ban.jail [6209]: INFO Jail 'apache-overflows' started
2019-04-29 14:17:28,705 fail2ban.jail [6209]: INFO Jail 'apache-nohome' started
2019-04-29 14:17:28,743 fail2ban.jail [6209]: INFO Jail 'apache-fakegooglebot' started
2019-04-29 14:17:28,840 fail2ban.jail [6209]: INFO Jail 'apache-modsecurity' started
2019-04-29 14:17:28,900 fail2ban.jail [6209]: INFO Jail 'apache-shellshock' started
2019-04-29 14:17:29,041 fail2ban.jail [6209]: INFO Jail 'php-url-fopen' started
2019-04-29 14:17:29,153 fail2ban.jail [6209]: INFO Jail 'dovecot' started
2019-04-29 14:17:29,265 fail2ban.jail [6209]: INFO Jail 'sieve' started
Taleman, thanks for pointing me in the right direction. The fault was in postfix.conf; see the code. I just removed the line near the end: failregex = warning: (.*)[]: SASL LOGIN authentication failed

Code: /etc/fail2ban/filter.d/postfix.conf (as it was before the line was removed)

# Fail2Ban filter for selected Postfix SMTP rejections
#
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
_port = (?::\d+)?

prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$

mdpr-normal = (?:NOQUEUE: reject:|improper command pipelining after \S+)
mdre-normal=^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.1 (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.1 (<[^>]*>)?: Helo command rejected: Host not found\b
            ^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.2 (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
            ^VRFY from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.8 (<[^>]*>)?: Sender address rejected: Domain not found\b
            ^from [^[]*\[<HOST>\]%(_port)s:?

mdpr-auth = warning:
mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
mdre-auth2= ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
# todo: check/remove "Invalid authentication mechanism" from ignore list, if gh-1243 will get finished (see gh-1297).

# Mode "rbl" currently included in mode "normal", but if needed for jail "postfix-rbl" only:
mdpr-rbl = %(mdpr-normal)s
mdre-rbl = ^RCPT from [^[]*\[<HOST>\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b

# Mode "rbl" currently included in mode "normal" (within 1st rule)
mdpr-more = %(mdpr-normal)s
mdre-more = %(mdre-normal)s

mdpr-ddos = lost connection after(?! DATA) [A-Z]+
mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?

mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
mdre-extra = %(mdre-auth)s
             %(mdre-normal)s

mdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s)
mdre-aggressive = %(mdre-auth2)s
                  %(mdre-normal)s

failregex = <mdre-<mode>>

# Parameter "mode": more (default combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
# Usage example (for jail.local):
#   [postfix]
#   mode = aggressive
#
#   or another jail (rewrite filter parameters of jail):
#   [postfix-rbl]
#   filter = postfix[mode=rbl]
#   mode = more

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service

# The line removed to fix the jail: "[]" opens a character set that is never closed,
# so Python's re (and therefore fail2ban) refuses to compile it.
failregex = warning: (.*)[]: SASL LOGIN authentication failed:

# Author: Cyril Jaquier
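As an added example (not from this thread and not fail2ban's own code), the script below reproduces the "Unable to compile regular expression" failure from the removed line, then runs the mdre-auth and mdre-rbl patterns from postfix.conf over a few constructed Postfix log lines to show what filter = postfix[mode=auth] and filter = postfix[mode=rbl] would each match and which hosts would reach maxretry. It is an assumption that fail2ban's <HOST>, %(_port)s and %(__prefix_line)s expansions can be replaced by the simplified stand-ins used here; the real expansions are wider (IPv6, DNS names, journal prefixes), and the inline flag in the filter is rewritten as the scoped (?i:...) form so the script also runs on Python 3.11 and later.

```python
"""Reproduce the broken postfix.conf failregex and test the working modes offline."""
import re
from collections import Counter

# The line the poster removed from postfix.conf. In Python's re, "[]" begins a
# character set that is never closed, so re.compile() raises re.error.
BROKEN_FAILREGEX = r"warning: (.*)[]: SASL LOGIN authentication failed:"

# Assumption: simplified stand-in for fail2ban's <HOST> expansion (IPv4 / hostname token).
HOST = r"(?P<host>[\w\-.:]+)"
# %(_port)s from postfix.conf.
PORT = r"(?::\d+)?"
# Assumption: simplified %(__prefix_line)s from common.conf: syslog timestamp, host,
# then "postfix/<program>[pid]: ". What follows is the content fail2ban matches on.
PREFIX = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix(?:-\w+)?/\w+(?:/smtp[ds])?\[\d+\]: (?P<content>.+)$"
)

# mdpr-<mode> / mdre-<mode> pairs from postfix.conf with <HOST> and %(_port)s substituted.
# "((?i)LOGIN|...)" is written as the scoped "(?i:LOGIN|...)": Python >= 3.11 rejects a
# global inline flag that is not at the start of the pattern.
MODES = {
    "auth": (
        r"warning:",
        [r"^[^[]*\[" + HOST + r"\]" + PORT
         + r": SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:"
         + r"(?! Connection lost to authentication server| Invalid authentication mechanism)"],
    ),
    "rbl": (
        r"(?:NOQUEUE: reject:|improper command pipelining after \S+)",
        [r"^RCPT from [^[]*\[" + HOST + r"\]" + PORT
         + r": [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b"],
    ),
}

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    "Apr 29 14:02:57 mail postfix/smtpd[12345]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Apr 29 14:03:01 mail postfix/smtpd[12345]: warning: unknown[203.0.113.45]: SASL PLAIN authentication failed: authentication failure",
    "Apr 29 14:03:05 mail postfix/smtpd[12346]: warning: host.example.net[198.51.100.7]: SASL LOGIN authentication failed: Connection lost to authentication server",
    "Apr 29 14:03:09 mail postfix/smtpd[12346]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 554 5.7.1 Service unavailable; Client host [192.0.2.9] blocked using zen.spamhaus.org; from=<a@example.com> to=<b@example.org> proto=ESMTP helo=<x>",
    "Apr 29 14:03:12 mail postfix/smtpd[12347]: disconnect from mail.example.org[192.0.2.1] ehlo=1 quit=1 commands=2",
]


def compile_error(pattern):
    """Return the re.error message for a pattern, or None if it compiles cleanly."""
    try:
        re.compile(pattern)
        return None
    except re.error as exc:
        return str(exc)


def build_filter(mode):
    """Build the prefregex / failregex pair fail2ban derives for filter=postfix[mode=<mode>]."""
    mdpr, mdres = MODES[mode]
    prefregex = re.compile(r"^" + mdpr + r" (?P<content>.+)$")
    return prefregex, [re.compile(r) for r in mdres]


def match_hosts(lines, mode):
    """Return the <host> captured from every log line the given mode's failregex matches."""
    prefregex, failregexes = build_filter(mode)
    hosts = []
    for line in lines:
        m = PREFIX.match(line)
        if not m:
            continue
        p = prefregex.match(m.group("content"))
        if not p:
            continue
        for fr in failregexes:
            f = fr.match(p.group("content"))
            if f:
                hosts.append(f.group("host"))
                break
    return hosts


def hosts_to_ban(lines, mode, maxretry):
    """Hosts whose failure count reaches maxretry (findtime ignored: all samples fall inside it)."""
    counts = Counter(match_hosts(lines, mode))
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("broken line:", compile_error(BROKEN_FAILREGEX))
    for mode in MODES:
        print(mode, "matches:", match_hosts(SAMPLE_LOG, mode))
    print("auth, maxretry=3:", hosts_to_ban(SAMPLE_LOG, "auth", 3))
    print("rbl, maxretry=1:", hosts_to_ban(SAMPLE_LOG, "rbl", 1))
```

Run with python3 and the first line printed is Python's own "unterminated character set" error, which is exactly what fail2ban wrapped into its "Unable to compile regular expression" message; the "Connection lost to authentication server" line is deliberately skipped by the negative lookahead so a broken SASL backend does not get clients banned. On a live host the equivalent check is fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf, which reports the same compile error while the bad line is present and otherwise shows how many lines each failregex matched, and fail2ban-client -t tests the whole configuration without starting the server.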