fail2ban postfix-sasl.conf not working with default regex filter

Discussion in 'Installation/Configuration' started by kerrsmith, Sep 19, 2015.

  1. kerrsmith

    kerrsmith Member

    I have installed my server using The Perfect Server - Debian 8 Jessie (Apache2, BIND, Dovecot, ISPConfig 3) and have been testing out the fail2ban part.

    With the default filter in postfix-sasl.conf it was not catching all the attempted failed logins in mail.log. The default filter was:

    Code:
    failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$
    I spent a while testing this and could not get myself banned using Thunderbird and repeatedly trying incorrect passwords. I have set this jail to work on ports 25 and 465.

    I used fail2ban-regex to test the logs and found that if they look like the following they were being missed:

    Sep 18 20:04:57 ?????? postfix/smtps/smtpd[25905]: warning: ???.???.???.???.some.host.net[???.???.???.???]: SASL LOGIN authentication failed: UGFzd3dvgaQ7

    (the ?s stand in for IP numbers, plain text, etc.)

    I had a look and found a replacement filter and tweaked it a little so it caught all these lines, it now looks like the following:

    Code:
    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[A-Za-z0-9+/ ]*)?$
    Using fail2ban-regex with this filter it now catches all these attempted logins.

    This filter now works if I attempt to login with incorrect details and I get banned as expected.

    (I have put the above in the bug tracker just in case it is helpful)
     
    Last edited: Sep 19, 2015
    borekon, augustaugust and till like this.
  2. concept21

    concept21 Active Member HowtoForge Supporter

    There is a default section [sasl] in fail2ban designed for Postfix SASL already. Don't copy everything from the installation guide.
     
    Last edited: Sep 25, 2015
  3. kerrsmith

    kerrsmith Member

    Thanks for mentioning this, but the default filter is the one that did not work.
    I did create the custom [postfix-sasl] part in jail.local as per the how-to guide, but the filter was the default one and it did not work for the type of authentication errors I was getting; this was why I wrote this post.
     
    concept21 likes this.
  4. concept21

    concept21 Active Member HowtoForge Supporter

    Webmin has a new beautiful module "Fail2Ban Intrusion Detector". Anybody can try it. It is easier to work with.
     
  5. sjau

    sjau Local Meanie Moderator

    I encountered that problem also. The problem on Debian was that failed SASL logins didn't get logged to warn.log, which is where the sasl filter was set up to look. So I added a custom entry that also watches mail.log.

    Edit /etc/fail2ban/jail.local and append:
    Code:
    [postfix-sasl]
    enabled  = true
    port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    filter   = sasl
    # You might consider monitoring /var/log/warn.log instead
    # if you are running postfix. See http://bugs.debian.org/507990
    logpath  = /var/log/mail.log
    maxretry = 5
    
     
  6. augustaugust

    augustaugust New Member

    Thanks, this worked perfectly for me. (Ubuntu 14.04)
     
  7. maumar

    maumar Member

    This is simpler and does work:
    Code:
    cat filter.d/postfix-sasl.conf
    
    [INCLUDES]
    before = common.conf
    [Definition]
    _daemon = postfix/smtpd
    failregex = ^(.*)\[<HOST>\]: SASL LOGIN authentication failed: (.*)$
    ignoreregex =
    
    
     
    concept21 likes this.
  8. concept21

    concept21 Active Member HowtoForge Supporter


    Yes, fail2ban can start with this new filter. Thanks.
     
  9. Bookworm

    Bookworm Member

    The problem with this -
    failregex = ^(.*)\[<HOST>\]: SASL LOGIN authentication failed: (.*)$

    is that it won't catch the PLAIN failures.
    In that case, you could try
    Code:
     failregex = ^(.*)\[<HOST>\]: SASL (?:LOGIN|PLAIN) authentication failed:(.*)$ 
    I haven't seen a CRAM or DIGEST failure yet.

    (Editing to remove a space after the semicolon. PLAIN doesn't show the UGFzc3dvcmQ6, which means "Password".)

    (Re-editing because this board keeps replacing colon-open-parenthesis with a frowny face.)
     
    Last edited: Oct 24, 2020
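Editor's note: the regexes in this thread differ in two ways that matter, and neither is obvious from reading them: the stock filter pins the daemon name through __prefix_line (so a `postfix/smtps/smtpd` line never matches), and maumar's one-liner only knows LOGIN (so a PLAIN failure never matches). The script below is an added example, not code from any post in this thread or from the fail2ban project. It mimics what `fail2ban-regex` does, expanding `<HOST>` into a named group and searching each candidate failregex against a handful of constructed log lines (RFC 5737 documentation addresses, not real traffic). Two things in it are assumptions: the `<HOST>` expansion is a from-memory copy of the 0.9-era one, and `PREFIX_LINE` is a simplified stand-in for common.conf's `__prefix_line` with `_daemon = postfix/smtpd`, which is what the stock postfix-sasl.conf of that era set. The stock regex's mid-pattern `((?i)LOGIN|...)` is written in the equivalent scoped form `((?i:LOGIN|...))`, because Python 3.11 and later reject a global inline flag that is not at the start of the pattern.

```python
import re

# fail2ban substitutes <HOST> with a named group; this is close to the 0.9-era
# expansion (copied from memory, treat as an assumption).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Simplified stand-in for common.conf's __prefix_line with _daemon = postfix/smtpd
# (assumption: the stock postfix-sasl.conf of that era set exactly that daemon).
# Syslog timestamp, hostname, then literally "postfix/smtpd[pid]: " - which is
# what makes the stock regex blind to "postfix/smtps/smtpd[...]" lines.
PREFIX_LINE = r"^\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "

FILTERS = {
    # Stock filter from the first post; (?i:...) is the scoped equivalent of the
    # original mid-pattern (?i), which Python 3.11+ refuses to compile.
    "stock": PREFIX_LINE + r"warning: [-._\w]+\[<HOST>\]: SASL ((?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$",
    # kerrsmith's replacement: no daemon prefix at all, case-insensitive.
    "kerrsmith": r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[A-Za-z0-9+/ ]*)?$",
    # maumar's one-liner: LOGIN only, needs something after "failed: ".
    "maumar": r"^(.*)\[<HOST>\]: SASL LOGIN authentication failed: (.*)$",
    # Bookworm's: LOGIN or PLAIN, tolerates an empty reason after the colon.
    "bookworm": r"^(.*)\[<HOST>\]: SASL (?:LOGIN|PLAIN) authentication failed:(.*)$",
}

# Constructed sample lines (not real logs).
SAMPLE_LINES = {
    "smtpd_login": "Sep 18 20:04:57 mx1 postfix/smtpd[25905]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    # The shape of the line the first post found was being missed.
    "smtps_login": "Sep 18 20:04:58 mx1 postfix/smtps/smtpd[25907]: warning: host-203-0-113-7.example.net[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    # PLAIN failures carry no base64 tail; constructed with a trailing space after the colon.
    "smtpd_plain": "Sep 18 20:05:10 mx1 postfix/smtpd[25905]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: ",
    # A warning that is not an auth failure: no filter should match it.
    "no_rdns": "Sep 18 20:06:00 mx1 postfix/smtpd[25905]: warning: hostname mail.example.net does not resolve to address 203.0.113.9",
}


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST))


def match_host(failregex, line):
    """Return the captured <HOST> if the line matches, else None.

    fail2ban searches rather than anchors, so unanchored patterns like
    kerrsmith's still work.
    """
    m = compile_failregex(failregex).search(line)
    return m.group("host") if m else None


def run_matrix(filters=FILTERS, lines=SAMPLE_LINES):
    """For every filter and every sample line, which host (if any) would be counted as a failure."""
    return {name: {tag: match_host(rx, line) for tag, line in lines.items()}
            for name, rx in filters.items()}


if __name__ == "__main__":
    for name, results in run_matrix().items():
        print(name)
        for tag, host in results.items():
            print(f"  {tag:12} {'MATCH ' + host if host else 'miss'}")
```

Running it shows the stock pattern missing the `smtps/smtpd` line, maumar's pattern missing the PLAIN line, and kerrsmith's and Bookworm's catching all three failures while none of the four touch the unrelated rDNS warning. Because `PREFIX_LINE` is only an approximation of `__prefix_line`, treat this as a way to reason about the patterns, and still confirm against the real file with `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-sasl.conf` before trusting a jail with it.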
