Fail2Ban not banning ip in messages that contain /postfix/submission/smtpd

Discussion in 'ISPConfig 3 Priority Support' started by frperalta1, Jan 13, 2022.

  1. frperalta1

    frperalta1 New Member

    I have the following in jail.local:
    Code:
    [postfix-sasl]
    enabled = true
    #port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    port = smtp,465,587,submission
    filter = postfix-sasl
    logpath = /var/log/mail.log
    maxretry = 5
    findtime = 2d
    bantime = 2d
    #action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
    action = iptables-multiport[name=postfix-sasl, port="smtp,465,587,submission", protocol=tcp]
    In postfix-sasl.conf:
    Code:
    [INCLUDES]
    before = common.conf
    [Definition]
    _daemon = postfix/(submission/)?smtp(d|s)
    failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$
    ignoreregex = authentication failed: Connection lost to authentication server$
    [Init]
    journalmatch = _SYSTEMD_UNIT=postfix.service
    # Author: Yaroslav Halchenko
    ignoreregex =
    I believe my filter is working because when I type in:
    Code:
    fail2ban-regex -v /var/log/mail.log /etc/fail2ban/filter.d/postfix-sasl.conf
    It produces a list of "SASL LOGIN authentication failed" log messages that contain both postfix/smtpd and postfix/submission/smtpd.

    But only the log messages that contain postfix/smtpd are banned, NOT the ones that contain postfix/submission/smtpd.

    I am missing something here and I have searched but can't seem to find an answer.
     
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    What does a log line look like that is not matching?
     
  3. frperalta1

    frperalta1 New Member

    Like this:
    Code:
    Jan 13 17:05:15 ip-10-0-1-15 postfix/submission/smtpd[11112]: warning: unknown[212.192.241.55]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
     
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    What happens on those lines? Does fail2ban.log say they are banned, but in fact they are not? Or no mention of it in the log at all?
     
  5. frperalta1

    frperalta1 New Member

    There is no mention of banning the problem IP, but it does find them. Here are some logs:
    Code:
    2022-01-13 12:59:30,450 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.246.81 - 2022-01-13 12:59:30
    2022-01-13 13:02:13,257 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.246.73 - 2022-01-13 13:02:13
    2022-01-13 13:18:18,837 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.246.120 - 2022-01-13 13:18:18
    2022-01-13 13:21:03,217 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.246.226 - 2022-01-13 13:21:03
    2022-01-13 13:22:55,226 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.246.145 - 2022-01-13 13:22:55
    2022-01-13 13:29:49,643 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.246.237 - 2022-01-13 13:29:49
    2022-01-13 14:36:29,311 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.246.11 - 2022-01-13 14:36:29
    2022-01-13 14:41:55,154 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.246.167 - 2022-01-13 14:41:55
    2022-01-13 14:42:54,085 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.241.186 - 2022-01-13 14:42:54
    2022-01-13 14:44:16,274 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.246.9 - 2022-01-13 14:44:16
    2022-01-13 15:00:43,180 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 2.56.57.153 - 2022-01-13 15:00:43
    2022-01-13 15:01:44,229 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 2.56.57.170 - 2022-01-13 15:01:44
    2022-01-13 15:39:24,409 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.246.28 - 2022-01-13 15:39:24
    2022-01-13 15:39:49,129 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.246.133 - 2022-01-13 15:39:49
    2022-01-13 15:43:03,695 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.246.82 - 2022-01-13 15:43:03
    2022-01-13 15:45:30,231 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.246.17 - 2022-01-13 15:45:30
    2022-01-13 16:03:02,438 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.246.64 - 2022-01-13 16:03:02
    2022-01-13 16:07:21,392 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.246.191 - 2022-01-13 16:07:21
    2022-01-13 16:38:04,590 fail2ban.actions        [28418]: NOTICE  [postfix-sasl] Unban 5.34.206.30
    2022-01-13 16:49:21,263 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 2.56.57.142 - 2022-01-13 16:49:21
    2022-01-13 16:51:46,500 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.246.120 - 2022-01-13 16:51:46
    2022-01-13 16:58:07,368 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.241.186 - 2022-01-13 16:58:07
    2022-01-13 17:05:15,045 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.241.55 - 2022-01-13 17:05:15
    2022-01-13 17:13:39,561 fail2ban.actions        [28418]: NOTICE  [postfix-sasl] Unban 5.34.206.46
    2022-01-13 17:17:55,495 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.246.36 - 2022-01-13 17:17:55
    2022-01-13 17:20:26,151 fail2ban.actions        [28418]: NOTICE  [postfix-sasl] Unban 5.34.206.71
    2022-01-13 17:20:58,218 fail2ban.actions        [28418]: NOTICE  [postfix-sasl] Unban 5.34.206.93
    2022-01-13 17:23:28,440 fail2ban.actions        [28418]: NOTICE  [postfix-sasl] Unban 5.34.206.137
    2022-01-13 17:35:18,177 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.246.145 - 2022-01-13 17:35:18
    2022-01-13 17:35:21,436 fail2ban.actions        [28418]: NOTICE  [postfix-sasl] Unban 5.34.206.83
    2022-01-13 17:54:21,660 fail2ban.filter         [28418]: INFO    [postfix] Found 91.212.12.133 - 2022-01-13 17:54:21
    2022-01-13 18:01:43,446 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.246.73 - 2022-01-13 18:01:43
    2022-01-13 18:06:03,397 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.246.81 - 2022-01-13 18:06:03
    2022-01-13 18:29:15,165 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.246.9 - 2022-01-13 18:29:15
    2022-01-13 18:30:19,292 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.246.237 - 2022-01-13 18:30:19
    2022-01-13 18:38:30,513 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 212.192.246.226 - 2022-01-13 18:38:30
    2022-01-13 18:43:49,083 fail2ban.filter         [28418]: INFO    [postfix-sasl] Found 2.56.57.153 - 2022-01-13 18:43:49
    2022-01-13 18:49:57,655 fail2ban.actions        [28418]: NOTICE  [postfix-sasl] Unban 5.34.206.141
    
    And it in fact counts them as they come in:
    Code:
    fail2ban-client status postfix-sasl
    Status for the jail: postfix-sasl
    |- Filter
    |  |- Currently failed: 21
    |  |- Total failed:     30
    |  `- File list:        /var/log/mail.log
    `- Actions
       |- Currently banned: 6
       |- Total banned:     13
       `- Banned IP list:   5.34.206.104 5.34.206.162 5.34.206.167 5.34.206.27 5.34.206.37 5.34.206.85
    root@ip-10-0-1-15:/etc/fail2ban/filter.d#
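    A way to check the point Jesse is asking about, written as an added example rather than code from the thread or from fail2ban itself: the posted filter's _daemon and failregex are run over constructed mail.log lines (the first copied from the line posted above, the 203.0.113.9 ones made up), and the matches are then counted the way the jail does, since a jail only bans an address once it has maxretry matches inside findtime, not on the first "Found" line. %(__prefix_line)s and <HOST> are expanded by hand, and the (?i) flag is written in scoped form so Python's re accepts it mid-pattern.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

MAXRETRY = 5                 # as in the posted jail.local
FINDTIME = 2 * 24 * 3600     # findtime = 2d, in seconds

# _daemon and failregex from the posted postfix-sasl.conf; the optional
# (submission/)? group is what lets postfix/submission/smtpd lines match.
# %(__prefix_line)s (from common.conf) and <HOST> are expanded by hand here.
_DAEMON = r"postfix/(submission/)?smtp(d|s)"
PREFIX = (r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ "
          + _DAEMON + r"\[\d+\]: ")
FAILREGEX = re.compile(
    PREFIX + r"warning: [-._\w]+\[(?P<host>[0-9.]+)\]: "
    r"SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(: [ A-Za-z0-9+/:]*={0,2})?\s*$")

# Constructed sample: first line is the one posted in the thread; the
# 203.0.113.9 lines are made up to show one client reaching maxretry.
SAMPLE_LOG = [
    "Jan 13 17:05:15 ip-10-0-1-15 postfix/submission/smtpd[11112]: warning: "
    "unknown[212.192.241.55]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 13 17:06:02 ip-10-0-1-15 postfix/smtpd[11120]: warning: "
    "unknown[212.192.246.120]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
] + [
    f"Jan 13 17:1{i}:00 ip-10-0-1-15 postfix/submission/smtpd[1113{i}]: warning: "
    f"unknown[203.0.113.9]: SASL PLAIN authentication failed"
    for i in range(5)
]

def find_failures(lines):
    """Return [(timestamp, ip)] for every line the failregex matches."""
    matches = (FAILREGEX.search(line) for line in lines)
    return [(datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("host"))
            for m in matches if m]

def would_ban(hits, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay the jail rule: ban an IP once it has maxretry hits inside findtime."""
    window, banned = defaultdict(deque), set()
    for ts, ip in sorted(hits):
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:   # drop hits outside window
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ip)
    return banned
```

Running would_ban over the "Found" addresses from fail2ban.log the same way shows which of them have actually accumulated maxretry hits within findtime.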
    
     
  6. frperalta1

    frperalta1 New Member

    I cannot explain what happened, but I restarted fail2ban last night and this morning it is finding and banning as expected!
    Case closed.
     