I have installed my server using The Perfect Server - Debian 8 Jessie (Apache2, BIND, Dovecot, ISPConfig 3) and have been testing out the fail2ban part. With the default filter in postfix-sasl.conf it was not catching all the attempted failed logins in mail.log. The default filter was:

Code:
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$

I spent a while testing this and could not get myself banned using Thunderbird and repeatedly trying incorrect passwords. I have set this jail to work on ports 25 and 465. I used fail2ban-regex to test the logs and found that lines like the following were being missed:

Sep 18 20:04:57 ?????? postfix/smtps/smtpd[25905]: warning: ???.???.???.???.some.host.net[???.???.???.???]: SASL LOGIN authentication failed: UGFzd3dvgaQ7

(?s are IP numbers and plain text etc...)

I had a look and found a replacement filter and tweaked it a little so it caught all these lines; it now looks like the following:

Code:
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[A-Za-z0-9+/ ]*)?$

Using fail2ban-regex with this filter it now catches all these attempted logins. This filter now works if I attempt to log in with incorrect details and I get banned as expected. (I have put the above in the bug tracker just in case it is helpful.)
There is a default section [sasl] in fail2ban designed for Postfix sasl already. Don't copy everything from installation guide.
Thanks for mentioning this, but the default filter is the one that did not work. I did create the custom [postfix-sasl] part in jail.local as per the how-to guide, but the filter was the default one and it did not work for the type of authentication errors I was getting, which is why I wrote this post.
Webmin has a new beautiful module "Fail2Ban Intrusion Detector". Anybody can try it. It is easier to work with.
I encountered that problem also. The problem on Debian was that failed SASL logins didn't get logged to warn.log as the sasl filter was set up. So I did alter a custom entry that also watches mail.log. Edit /etc/fail2ban/jail.local and append:

Code:
[postfix-sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
logpath = /var/log/mail.log
maxretry = 5
This is simpler and does work:

Code:
cat filter.d/postfix-sasl.conf
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix/smtpd
failregex = ^(.*)\[<HOST>\]: SASL LOGIN authentication failed: (.*)$
ignoreregex =
The problem with this:

failregex = ^(.*)\[<HOST>\]: SASL LOGIN authentication failed: (.*)$

is that it won't catch the PLAIN failures. In that case, you could try:

Code:
failregex = ^(.*)\[<HOST>\]: SASL (?:LOGIN|PLAIN) authentication failed:(.*)$

I haven't seen a CRAM or DIGEST failure yet. (Editing to remove a space after the semicolon. PLAIN doesn't show the UGFzc3dvcmQ6 which means Password.) (Re-editing because this board keeps replacing colon open parentheses with a frowny face.)
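To see why the filters in this thread behave differently, here is an added Python harness (not from any poster or from fail2ban itself) that runs the default failregex from the first post, its replacement, and the two minimal filters from the last posts over a few constructed mail.log lines. It assumes a simplified stand-in for fail2ban's %(__prefix_line)s expansion with _daemon = postfix/smtpd, and an IPv4-only stand-in for <HOST>.

```python
import re

# Constructed sample lines in the shape described in the thread (not real log data).
# The PLAIN line ends in a bare "failed:", as the last post observes.
SAMPLE_LOG = [
    "Sep 18 20:04:57 mail postfix/smtps/smtpd[25905]: warning: host-10.example.net[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Sep 18 20:05:01 mail postfix/smtpd[25910]: warning: unknown[192.0.2.11]: SASL PLAIN authentication failed:",
    "Sep 18 20:05:05 mail postfix/smtpd[25912]: warning: unknown[192.0.2.12]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Sep 18 20:05:09 mail postfix/smtpd[25913]: connect from unknown[192.0.2.13]",
]

# Simplified stand-in for what fail2ban substitutes for <HOST> (IPv4 only here).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Assumed stand-in for %(__prefix_line)s with _daemon = postfix/smtpd:
# timestamp, hostname, then a fixed daemon name and pid. Because the daemon
# name is fixed, "postfix/smtps/smtpd" lines never reach the rest of the regex.
PREFIX = r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "

FILTERS = {
    # Default filter from the first post. Python's re rejects a mid-pattern (?i),
    # so the case-insensitive group is written in the equivalent scoped form (?i:...).
    "default": PREFIX + r"warning: [-._\w]+\[" + HOST
    + r"\]: SASL ((?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$",
    # Replacement from the first post: no daemon prefix, and "failed:" with nothing after it is accepted.
    "replacement": r"(?i): warning: [-._\w]+\[" + HOST
    + r"\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[A-Za-z0-9+/ ]*)?$",
    # Minimal LOGIN-only filter from a later post.
    "login_only": r"^(.*)\[" + HOST + r"\]: SASL LOGIN authentication failed: (.*)$",
    # Same filter widened to LOGIN|PLAIN with the space after the colon removed, as the last post suggests.
    "login_plain": r"^(.*)\[" + HOST + r"\]: SASL (?:LOGIN|PLAIN) authentication failed:(.*)$",
}


def banned_hosts(failregex, lines):
    """Return the <HOST> captures a failregex would hand to fail2ban, in log order."""
    rx = re.compile(failregex)
    # fail2ban applies failregex with search(), not match(), so unanchored patterns work.
    return [m.group("host") for m in (rx.search(line) for line in lines) if m]


def compare_filters(lines=SAMPLE_LOG):
    """Run every filter over the sample and report which hosts each one catches."""
    return {name: banned_hosts(rx, lines) for name, rx in FILTERS.items()}


if __name__ == "__main__":
    for name, hosts in compare_filters().items():
        print(f"{name:12s} -> {hosts}")
```

On this sample the default filter catches only the plain postfix/smtpd LOGIN line, the LOGIN-only filter misses the PLAIN line, and the replacement and LOGIN|PLAIN filters catch all three failures while ignoring the ordinary connect line.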