Fail2ban configuration

Discussion in 'Installation/Configuration' started by Captain, Jun 17, 2011.

  1. Captain

    Captain Member

    Hello!

    In auth.log I see this:
    Code:
    Jun 16 23:46:42 srv saslauthd[1419]: pam_unix(smtp:auth): check pass; user unknown
    Jun 16 23:46:42 srv saslauthd[1419]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Jun 16 23:46:44 srv saslauthd[1419]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
    Jun 16 23:46:44 srv saslauthd[1419]: do_auth         : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
    Jun 16 23:46:45 srv saslauthd[1415]: pam_unix(smtp:auth): check pass; user unknown
    Jun 16 23:46:45 srv saslauthd[1415]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Jun 16 23:46:47 srv saslauthd[1415]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
    Jun 16 23:46:47 srv saslauthd[1415]: do_auth         : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
    Jun 16 23:46:48 srv saslauthd[1419]: pam_unix(smtp:auth): check pass; user unknown
    Jun 16 23:46:48 srv saslauthd[1419]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Jun 16 23:46:50 srv saslauthd[1419]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
    Jun 16 23:46:50 srv saslauthd[1419]: do_auth         : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
    Jun 16 23:46:51 srv saslauthd[1416]: pam_unix(smtp:auth): check pass; user unknown
    Jun 16 23:46:51 srv saslauthd[1416]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Jun 16 23:46:54 srv saslauthd[1416]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
    Jun 16 23:46:54 srv saslauthd[1416]: do_auth         : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
    Jun 16 23:46:55 srv saslauthd[1417]: pam_unix(smtp:auth): check pass; user unknown
    Jun 16 23:46:55 srv saslauthd[1417]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Jun 16 23:46:57 srv saslauthd[1417]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
    Jun 16 23:46:57 srv saslauthd[1417]: do_auth         : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
    Jun 16 23:46:58 srv saslauthd[1416]: pam_unix(smtp:auth): check pass; user unknown
    Jun 16 23:46:58 srv saslauthd[1416]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Jun 16 23:47:00 srv saslauthd[1416]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
    Jun 16 23:47:00 srv saslauthd[1416]: do_auth         : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
    Jun 16 23:47:01 srv saslauthd[1418]: pam_unix(smtp:auth): check pass; user unknown
    Jun 16 23:47:01 srv saslauthd[1418]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Jun 16 23:47:04 srv saslauthd[1418]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
    Jun 16 23:47:04 srv saslauthd[1418]: do_auth         : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
    Jun 16 23:47:05 srv saslauthd[1416]: pam_unix(smtp:auth): check pass; user unknown
    Jun 16 23:47:05 srv saslauthd[1416]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Jun 16 23:47:07 srv saslauthd[1416]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
    
    In mail.log:
    Code:
    warning: unknown[202.109.143.50]: SASL  LOGIN authentification failed: authentification failture
    last message repeated 15 times
    
    jail.local

    Code:
    #
    # Mail servers
    #
    
    [postfix]
    
    enabled  = true
    port     = smtp,ssmtp
    filter   = postfix
    logpath  = /var/log/mail.log
    
    
    [couriersmtp]
    
    enabled  = true
    port     = smtp,ssmtp
    filter   = couriersmtp
    logpath  = /var/log/mail.log
    
    
    #
    # Mail servers authenticators: might be used for smtp,ftp,imap servers, so
    # all relevant ports get banned
    #
    
    [courierauth]
    
    enabled  = true
    port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    filter   = courierlogin
    logpath  = /var/log/mail.log
    
    
    [sasl]
    
    enabled  = true
    port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd
    filter   = sasl
    # You might consider monitoring /var/log/warn.log instead
    # if you are running postfix. See http://bugs.debian.org/507990
    logpath  = /var/log/mail.log
    
    
    sasl.conf

    Code:
    # Fail2Ban configuration file
    #
    # Author: Yaroslav Halchenko
    #
    # $Revision: 728 $
    #
    
    [Definition]
    
    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values: TEXT
    #
    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
    
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =
    
    
    But fail2ban did not block this IP.

    How to solve this problem?
    Please help!

    Thanks.
     
  2. falko

    falko Super Moderator Howtoforge Staff

    Can you try this line instead?

    Code:
    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failure
     
  3. Captain

    Captain Member

    Still have this log:
    Code:
    Jun 26 21:52:00 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:52:18 itex postfix/smtpd[30207]: last message repeated 2 times
    Jun 26 21:52:18 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:52:22 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:52:26 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:52:31 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:52:36 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:52:43 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:52:48 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:52:57 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:53:01 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:53:06 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:53:12 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:53:17 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:53:20 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:53:28 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:53:32 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:53:37 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:53:41 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:53:48 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:53:55 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:53:59 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:54:03 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:54:08 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:54:12 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:54:16 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:54:25 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:54:29 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:54:33 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:54:38 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:54:42 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:54:47 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:54:52 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:54:59 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:55:03 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:55:08 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:55:19 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:55:24 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:55:28 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:55:32 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:55:37 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:55:41 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:55:45 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:55:50 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:55:54 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:56:02 itex postfix/smtpd[30207]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    Jun 26 21:56:10 itex postfix/smtpd[32287]: warning: unknown[183.44.196.143]: SASL LOGIN authentication failed: authentication failure
    
    Your post did not help.
     
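The following is an added example, not code from the thread or from fail2ban itself. It reproduces what fail2ban does with a failregex (expanding the `<HOST>` tag to the group quoted in the sasl.conf comment above, matching each log line, counting hits per host) and runs three candidate patterns over constructed log lines modelled on the ones posted: the stock sasl.conf pattern from the first post, falko's suggestion, and a third pattern written for this example. The stock pattern ends in `(: [A-Za-z0-9+/]*={0,2})?$`, which only tolerates a base64 blob after "authentication failed", so the `: authentication failure` reason that this postfix appends makes the line fall off the end anchor; falko's pattern expects "authentication failure" directly after the mechanism name, which never occurs in these lines. The third pattern, an assumption of this example rather than a fail2ban-shipped filter, widens the trailing group to accept that reason text. The IP addresses, the `maxretry` of 3 and the helper names are all invented for the example; the saslauthd lines in auth.log carry an empty `rhost=`, which is why mail.log, not auth.log, is the log to match on.

```python
import re
from collections import Counter

# fail2ban replaces the <HOST> tag with this group (the expansion quoted in the
# sasl.conf comment on the page).
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Candidate failregex values. "original" is the stock sasl.conf pattern posted
# in the thread, "falko" is the suggested replacement, "corrected" is written
# for this example (assumption, not a pattern shipped by fail2ban): it lets the
# trailing group absorb ": authentication failure" as well as a base64 blob.
FAILREGEXES = {
    "original": r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$",
    "falko": r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failure",
    "corrected": r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$",
}

# Constructed sample log, modelled on the thread's mail.log lines (addresses are
# documentation ranges, not the ones in the thread). One client hammers LOGIN
# and PLAIN and fails five times; another fails once with the older base64-style
# message and then logs in successfully.
SAMPLE_LOG = """\
Jun 26 21:52:00 itex postfix/smtpd[30207]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:52:18 itex postfix/smtpd[30207]: last message repeated 2 times
Jun 26 21:52:18 itex postfix/smtpd[32287]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:52:22 itex postfix/smtpd[30207]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Jun 26 21:52:26 itex postfix/smtpd[32287]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:52:31 itex postfix/smtpd[30207]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jun 26 21:52:40 itex postfix/smtpd[30207]: warning: mail.example.net[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 26 21:53:00 itex postfix/smtpd[30207]: 5A1B2C3D4E: client=mail.example.net[198.51.100.9], sasl_method=LOGIN, sasl_username=webmaster
"""


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def count_failures(log_text, failregex):
    """Return {host: number_of_matching_lines} for one failregex.

    A line that does not match contributes nothing. That includes syslog's
    'last message repeated N times' lines: the suppressed repeats are never
    seen by fail2ban, so the real attempt count is higher than what is banned on.
    """
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
    return dict(hits)


def hosts_to_ban(log_text, failregex, maxretry=3):
    """Hosts whose match count reaches maxretry (3 here, an assumed jail setting).

    findtime is deliberately ignored: every sample line falls inside one window.
    """
    counts = count_failures(log_text, failregex)
    return sorted(host for host, n in counts.items() if n >= maxretry)


def compare_patterns(log_text=SAMPLE_LOG, maxretry=3):
    """Run every candidate pattern over the log and return {name: banned_hosts}."""
    return {name: hosts_to_ban(log_text, rx, maxretry) for name, rx in FAILREGEXES.items()}


if __name__ == "__main__":
    for name, rx in FAILREGEXES.items():
        print(f"{name:10s} matches={count_failures(SAMPLE_LOG, rx)} "
              f"ban={hosts_to_ban(SAMPLE_LOG, rx)}")
```

Running it shows "original" matching only the base64-style line, "falko" matching nothing, and "corrected" counting five failures for the brute-forcing client and banning it. The same check against a real log and filter file is what `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf` does, and it is the first thing to run whenever a jail is enabled but never bans; after editing the filter, restart fail2ban so the new pattern is loaded.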