Hi, I've installed log-watch and I'm seeing over 8000 SASL authentication failures per day. What's the best way to harden the server? fail2ban or something like that? Are there any good Ubuntu hardening guides? Thanks,
You can do that with fail2ban. If you install an ISPConfig system using the auto-installer, then the fail2ban setup is done automatically at install time.
ok thanks for confirming. I'll take a look at the man page for fail2ban and see if I can harden it a little more. Regards,
Thanks for the link. I've managed to configure the jail for postfix but it does not seem to be blocking the 1000s of SASL attempts.

Code:
```text
postfix/smtpd[1762469]: warning: unknown[80.94.95.239]: SASL LOGIN authentication failed: (reason unavailable), [email protected]
```

My /etc/fail2ban/jail.local has:

Code:
```ini
[DEFAULT]
# here you can overwrite some defaults:

[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp,smtpd,submission,imap2,imap3,imaps,pop3,pop3s
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3

[sshd]
enabled = true
maxretry = 5
findtime = 10m
bantime = 1d
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
```

And my /etc/fail2ban/filter.d/postfix-sasl.conf has:

Code:
```ini
# Fail2Ban filter for postfix authentication failures

[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix/smtpd

# The <HOST> tag is the fail2ban placeholder for the offending IP/hostname
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
```
Did you write that postfix-sasl.conf yourself? My Debian 12 fail2ban does not have that file. The Fail2ban website has instructions on creating filters and how to check if they are working as intended. On my system I have

Code:
```ini
[postfix-sasl]
enabled = true
filter = postfix[mode=auth]
logpath = /var/log/mail.log
maxretry = 3
findtime = 10h
```

and it does ban offenders:

Code:
```text
2024-08-29 11:24:26,836 fail2ban.filter [1020]: INFO [postfix-sasl] Found 193.32.162.74 - 2024-08-29 11:24:26
2024-08-29 11:24:32,642 fail2ban.filter [1020]: INFO [postfix-sasl] Found 193.32.162.74 - 2024-08-29 11:24:32
2024-08-29 11:24:42,649 fail2ban.filter [1020]: INFO [postfix-sasl] Found 24.116.192.226 - 2024-08-29 11:24:42
2024-08-29 11:24:52,455 fail2ban.filter [1020]: INFO [postfix-sasl] Found 193.32.162.74 - 2024-08-29 11:24:52
2024-08-29 11:24:52,617 fail2ban.actions [1020]: NOTICE [postfix-sasl] Ban 193.32.162.74
2024-08-29 11:27:19,326 fail2ban.filter [1020]: INFO [postfix-sasl] Found 121.129.107.247 - 2024-08-29 11:27:19
2024-08-29 11:27:34,535 fail2ban.filter [1020]: INFO [postfix-sasl] Found 103.234.138.220 - 2024-08-29 11:27:34
2024-08-29 11:29:29,018 fail2ban.filter [1020]: INFO [postfix-sasl] Found 111.70.32.49 - 2024-08-29 11:29:28
2024-08-29 11:29:37,623 fail2ban.filter [1020]: INFO [postfix-sasl] Found 116.114.84.246 - 2024-08-29 11:29:37
2024-08-29 11:30:00,436 fail2ban.filter [1020]: INFO [postfix-sasl] Found 159.65.42.164 - 2024-08-29 11:30:00
2024-08-29 11:30:15,043 fail2ban.filter [1020]: INFO [postfix-sasl] Found 31.211.132.82 - 2024-08-29 11:30:14
2024-08-29 11:32:47,301 fail2ban.filter [1020]: INFO [postfix-sasl] Found 177.215.136.46 - 2024-08-29 11:32:47
2024-08-29 11:32:56,506 fail2ban.filter [1020]: INFO [postfix-sasl] Found 180.168.119.2 - 2024-08-29 11:32:56
2024-08-29 11:34:52,018 fail2ban.actions [1020]: NOTICE [postfix-sasl] Unban 193.32.162.74
```
Got it working with the following:

/etc/fail2ban/jail.local

Code:
```ini
[postfix-sasl]
filter = postfix[mode=auth]
enabled = true
port = smtp,465,submission,imap,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 3
```

/etc/fail2ban/filter.d/postfix-sasl.conf

Code:
```ini
# Fail2Ban configuration file

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
```
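As an added check (example code, not from this thread and not part of fail2ban), the script below runs the custom failregex from the filter file above, with fail2ban's `<HOST>` alias substituted, over a constructed sample of mail.log lines and applies the maxretry/findtime rule the same way fail2ban does. It assumes the year 2024 for the syslog timestamps and fail2ban's default findtime of 10 minutes; note that a line of the "(reason unavailable)" form quoted earlier in the thread does not match this expression, because the trailing `: \w` requires a word character right after "failed: ".

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban expands the <HOST> tag to this alias (quoted in the filter file above).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The thread's custom failregex from filter.d/postfix-sasl.conf, <HOST> expanded.
FAILREGEX = re.compile(
    r"(?i): warning: [-._\w]+\[" + HOST + r"\]: SASL "
    r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w"
)

# Constructed sample of /var/log/mail.log lines (documentation IP ranges, year assumed 2024).
SAMPLE_LOG = """\
Aug 29 11:24:26 mail postfix/smtpd[1020]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Aug 29 11:24:32 mail postfix/smtpd[1020]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Aug 29 11:24:40 mail postfix/smtpd[1020]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Aug 29 11:25:01 mail postfix/smtpd[1020]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: (reason unavailable), UGFzc3dvcmQ6
Aug 29 11:25:05 mail postfix/smtpd[1020]: connect from unknown[198.51.100.7]
Aug 29 11:26:00 mail postfix/smtpd[1020]: warning: unknown[203.0.113.5]: SASL CRAM-MD5 authentication failed: UGFzc3dvcmQ6
"""


def parse_ts(line, year=2024):
    """Parse the leading syslog timestamp ("Aug 29 11:24:26") of a mail.log line."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def matching_hosts(log, regex=FAILREGEX):
    """Return (timestamp, host) for every line the failregex matches."""
    hits = []
    for line in log.splitlines():
        m = regex.search(line)
        if m:
            hits.append((parse_ts(line), m.group("host")))
    return hits


def banned_hosts(log, maxretry=3, findtime=timedelta(minutes=10), regex=FAILREGEX):
    """Hosts that reach maxretry matches inside a sliding findtime window."""
    seen = defaultdict(list)
    banned = set()
    for ts, host in matching_hosts(log, regex):
        # keep only the failures still inside the window, then add this one
        seen[host] = [t for t in seen[host] if ts - t <= findtime] + [ts]
        if len(seen[host]) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    print("matched:", [h for _, h in matching_hosts(SAMPLE_LOG)])
    print("banned:", sorted(banned_hosts(SAMPLE_LOG)))
```

Swapping FAILREGEX for another candidate expression is a quick way to compare filters on real log lines before editing the jail.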
/etc/fail2ban/jail.local: most lines are identical to lines that are in jail.conf. It is not necessary to repeat a setting that is already in jail.conf; it may even be slightly bad if upstream changes a default setting. So, you could have written just:

Code:
```ini
[postfix-sasl]
enabled = true
maxretry = 3
```

My system does not have a postfix-sasl.conf file. I suspect it is not needed. Did you verify your system does not work unless you create that file? The failregex looks very similar to the default expression in filter.d/postfix.conf. Is there a special situation you experience on your system so the default regex is not enough or is not suitable?
If that is the case, you should send your improvement upstream so the next version of fail2ban may include it. https://fail2ban.readthedocs.io/en/latest/filters.html