Fail2ban is not working at all

Discussion in 'Installation/Configuration' started by Tuhin, Dec 5, 2019.

  1. Tuhin

    Tuhin New Member

    I have followed "Perfect server for ubuntu 18.04" tutorial to install Ispconfig

    Here is the error I got in syslog thousands of time!
    "postfix/smtpd[1558]: warning: unknown[]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"

    My jail.local file (I am not using pureftpd)
    enabled = true
    filter = dovecot
    action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
    logpath = /var/log/mail.log
    maxretry = 3
    enabled  = true
    port     = smtp
    filter   = postfix
    logpath  = /var/log/mail.log
    maxretry = 2

    Output of: fail2ban-client status
    fail2ban-client status
    |- Number of jail:      3
    `- Jail list:   dovecot, postfix, sshd
    Output of: $ fail2ban-client status postfix

    Status for the jail: postfix
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/mail.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    What I am missing here!?
    Last edited: Dec 5, 2019
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Seems your fail2ban is working just fine. If you want to ban those SASL LOGIN authentication failed use a jail that triggers on those.
    To see your fail2ban working:
    tail -f /var/log/fail2ban.log
    I believe it is the sasl jail that triggers on those entries you are interested in. So add this to your jail.local
    enabled = true
    What is that INDENT doing in your dovecot jail?
    Tuhin likes this.
  3. Tuhin

    Tuhin New Member

    Sorry that "INDENT" added during writing this post here in forum.

    I added that line in jail.local, restarted fail2ban, no luck
    And original tutorial for setting up perfect server ubuntu 18, doesn't have that [sasl] part

    Here is post
    @till Mentioned that
    "Mail users are authenticated by postfix trough dovecot, so failed smtp logins (sasl) should already be covered by the filters. Try if you get a ban when you login with wrong smtp password multiple times."
  4. Tuhin

    Tuhin New Member

    Thank you again Taleman!
    After adding this block in local.jail
    enabled  = true
    port     = smtp
    filter   = postfix-sasl
    logpath  = /var/log/mail.log
    maxretry = 5
    and adding /etc/fail2ban/filter.d/postfix-sasl.conf

    # Fail2Ban filter for postfix authentication failures
    before = common.conf
    _daemon = postfix/smtpd
    failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
    looks everything good now!

Share This Page