Hi, I get a lot of "E-Mail warn-log SASL LOGIN authentication failed:" notifications. What is the best way to block them? Is there a way that if the same IP address gives this notification 5 times, it automatically blocks this IP address? Thanks Robin
If you have installed your server following the Perfect Server guide, Fail2Ban should be installed. Open /etc/fail2ban/jail.local, search for the jail postfix-sasl, and enable it. Restart fail2ban after that.
Hi, I checked this and it is "true":

Code:
[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 5

But the warning log always gives me:

Code:
static postfix/smtpd[2868]: warning: unknown[xx.xx.xx.36]: SASL LOGIN authentication failed:

In postfix-sasl it says "port = smtp". Do I also have to add the lines with "port = smtpd"?

Code:
[postfix-sasl]
enabled = true
port = smtpd
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 5

Thanks Robin
It is normal that you receive those logs, but the IP's should be banned after 5 tries now. Can you share the content of your jail.local within code tags, so it's readable? (Insert -> Code)
When I open the file /etc/fail2ban/jail.local, this is all I see:

Code:
[pureftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 5
The file /etc/fail2ban/filter.d/postfix-sasl.conf gives me:

Code:
# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$

ignoreregex = authentication failed: Connection lost to authentication server$

[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service

# Author: Yaroslav Halchenko
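To see what the filter above actually does with the warning from the mail log, here is an added stand-alone re-implementation of its matching and the jail's maxretry count, run over constructed mail.log lines. It is not fail2ban's own code: the _daemon, failregex and ignoreregex pieces are copied from the filter, while the __prefix_line and <HOST> expansions are simplified assumptions (fail2ban's real ones, from common.conf, also cover IPv6, hostnames and other syslog layouts).

```python
import re
from collections import Counter

# Copied from the filter's _daemon: matches smtpd as well as smtp, so the
# "postfix/smtpd[...]" lines in the thread are covered by this filter.
_DAEMON = r"postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]"
# Assumed stand-in for __prefix_line: "<syslog timestamp> <hostname> <daemon>[<pid>]: "
_PREFIX_LINE = r"\S+\s+\d+\s+[\d:]+\s+\S+\s+(?:" + _DAEMON + r")\[\d+\]:\s+"
# Assumed stand-in for fail2ban's <HOST> expansion: dotted IPv4 only.
_HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

FAILREGEX = re.compile(
    r"^" + _PREFIX_LINE + r"warning: [-._\w]+\[" + _HOST + r"\]: "
    # (?i:...) scopes the case-insensitive flag; the filter's mid-pattern (?i)
    # is rejected by Python 3.11+, so it is written in the scoped form here.
    r"SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(:[ A-Za-z0-9+/:]*={0,2})?\s*$"
)
IGNOREREGEX = re.compile(r"authentication failed: Connection lost to authentication server$")

def failures_per_host(lines):
    """Count lines matching failregex but not ignoreregex, per <HOST>."""
    counts = Counter()
    for line in lines:
        m = FAILREGEX.match(line)
        if m and not IGNOREREGEX.search(line):
            counts[m.group("host")] += 1
    return counts

def hosts_to_ban(lines, maxretry=5):
    """Hosts that reached the jail's maxretry (findtime/bantime are ignored here)."""
    return sorted(h for h, n in failures_per_host(lines).items() if n >= maxretry)

# Constructed sample log lines in the shape of the warning quoted in the thread.
SAMPLE_LOG = [
    "Mar  3 10:12:%02d static postfix/smtpd[2868]: warning: unknown[203.0.113.36]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6" % s for s in range(5)
] + [
    "Mar  3 10:13:01 static postfix/submission/smtpd[2901]: warning: "
    "mail.example.net[198.51.100.7]: SASL PLAIN authentication failed:",
    # ignoreregex case: an auth backend outage, not a password-guessing client
    "Mar  3 10:13:05 static postfix/smtpd[2868]: warning: unknown[198.51.100.7]: "
    "SASL LOGIN authentication failed: Connection lost to authentication server",
    "Mar  3 10:13:09 static postfix/smtpd[2868]: connect from unknown[203.0.113.36]",
]

if __name__ == "__main__":
    print(failures_per_host(SAMPLE_LOG))
    print("ban:", hosts_to_ban(SAMPLE_LOG))
```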
That's probably your problem, the default action set in jail.conf is not great:

Code:
[DEFAULT]
banaction = iptables-multiport
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action = %(action_)s

So if you specify a port= in a jail, that's the only port which is blocked. Sometimes that might make sense, e.g. a jail that matches spam email might only block port 25, but most of the time the jails are catching malicious traffic/hacking, and it doesn't make sense to allow the client IP to continue abusing other services/ports. There's a lot of config you can do with fail2ban, but at least start your jail.local with something like:

Code:
[DEFAULT]
# add any ip's you absolutely shouldn't block (other ispconfig servers and admin)
ignoreip = 127.0.0.1 xx.xx.xx.xx/32
destemail = [email protected]
sender = [email protected]
banaction = %(banaction_allports)s

Or you could see what else you find in /etc/fail2ban/action.d/, and/or write your own actions to be more efficient or take other actions. Also note the other action definitions in jail.conf, which e.g. combine a ban with emailing the admin, etc. - you might want to use those with specific jails.