I have followed the "Perfect server for ubuntu 18.04" tutorial to install ISPConfig.

Here is the error I got in syslog thousands of times!

"postfix/smtpd[1558]: warning: unknown[92.118.38.55]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"

My jail.local file (I am not using pureftpd)

Code:
[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 3

[postfix]
enabled = true
port = smtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 2

Output of: fail2ban-client status

Code:
fail2ban-client status
Status
|- Number of jail: 3
`- Jail list: dovecot, postfix, sshd

Output of: $ fail2ban-client status postfix

Code:
Status for the jail: postfix
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /var/log/mail.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:

What am I missing here!?

Seems your fail2ban is working just fine. If you want to ban those "SASL LOGIN authentication failed" entries, use a jail that triggers on those.

To see your fail2ban working:

Code:
tail -f /var/log/fail2ban.log

I believe it is the sasl jail that triggers on those entries you are interested in. So add this to your jail.local:

Code:
[sasl]
enabled = true

What is that INDENT doing in your dovecot jail?

Sorry, that "INDENT" was added while writing this post here in the forum.

I added that line in jail.local and restarted fail2ban, no luck.

And the original tutorial for setting up the perfect server on Ubuntu 18 doesn't have that [sasl] part.

Here is the post: https://www.howtoforge.com/communit...onsiderations-ubuntu-18-perfect-server.80717/

@till mentioned that "Mail users are authenticated by postfix through dovecot, so failed smtp logins (sasl) should already be covered by the filters. Try if you get a ban when you login with wrong smtp password multiple times."

Thank you again Taleman!

After adding this block in local.jail

Code:
[sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 5

and adding /etc/fail2ban/filter.d/postfix-sasl.conf

Code:
# Fail2Ban filter for postfix authentication failures
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix/smtpd
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

everything looks good now!
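
The following is an added example, not part of any post in this thread: it runs the postfix-sasl failregex quoted above against log lines shaped like the one in the first post and applies the [sasl] jail's maxretry = 5. The PREFIX and HOST patterns are simplified assumptions standing in for fail2ban's own `__prefix_line` and `<HOST>` expansions, and the sample log (including the 192.0.2.10 address) is constructed.

```python
import re
from collections import Counter

# failregex exactly as posted in postfix-sasl.conf above.
FAILREGEX = (r"^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL "
             r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
             r"(: [ A-Za-z0-9+/]*={0,2})?\s*$")

# Assumption: simplified stand-ins for fail2ban's placeholders. The real
# __prefix_line (common.conf) and <HOST> patterns accept more variants.
PREFIX = r"(?:\S+ )?postfix/smtpd\[\d+\]: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_filter(failregex):
    """Expand the two fail2ban placeholders into a plain Python regex."""
    return re.compile(failregex.replace("%(__prefix_line)s", PREFIX)
                               .replace("<HOST>", HOST))


def strip_timestamp(line):
    """fail2ban strips the date before matching; mimic that for syslog dates."""
    return re.sub(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ", "", line)


def hosts_to_ban(lines, maxretry=5):
    """Return the hosts with at least maxretry matching failures."""
    rx = compile_filter(FAILREGEX)
    hits = Counter()
    for line in lines:
        m = rx.search(strip_timestamp(line))
        if m:
            hits[m.group("host")] += 1
    return sorted(h for h, n in hits.items() if n >= maxretry)


# Constructed sample log: five failures from the address in the first post,
# plus an ordinary connect line and a single failure from a second host.
FAIL = ("Jan  5 10:00:0%d mail postfix/smtpd[1558]: warning: "
        "unknown[92.118.38.55]: SASL LOGIN authentication failed: UGFzc3dvcmQ6")
SAMPLE = [FAIL % i for i in range(5)] + [
    "Jan  5 10:00:08 mail postfix/smtpd[1600]: connect from unknown[192.0.2.10]",
    "Jan  5 10:00:09 mail postfix/smtpd[1600]: warning: unknown[192.0.2.10]: "
    "SASL PLAIN authentication failed: UGFzc3dvcmQ6",
]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE))
```

On a live server, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-sasl.conf` performs the same check with fail2ban's real expansions. The trailing `UGFzc3dvcmQ6` in the log line is base64 for `Password:`, the server's LOGIN prompt, not a submitted credential.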