Hi, I have just set up a new server (with Debian 10 and the latest ISPConfig), and after looking into my log I see that I have a lot of failed logins like:

Code:
postfix/smtpd[1094]: connect from unknown[92.118.38.57]
postfix/smtpd[1094]: warning: unknown[92.118.38.57]: SASL LOGIN authentication failed

So I looked into fail2ban and I see that postfix-sasl doesn't work. I have these lines in my jail.local (I have just added the [postfix] rules, but it also doesn't work without them):

Code:
[pureftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3

[postfix]
enabled = true
port = smtp,submission,smtps,smtpd
filter = postfix
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 5

If I do "fail2ban-client status", I get:

Code:
- Number of jail: 3
Jail list: postfix, pureftpd, sshd

If I do "fail2ban-client status postfix-sasl", I get:

Code:
NOK: ('postfix-sasl',)
Sorry but the jail 'postfix-sasl' does not exist

If I do "fail2ban-client status postfix", I get:

Code:
Status for the jail: postfix
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /var/log/mail.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:

So I don't understand why fail2ban doesn't work for postfix (but it works for ssh); the hackers/bots are not banned. Can you help me with this? Thanks
Does postfix-sasl appear in the jails after

Code:
systemctl restart fail2ban

If not, try just this in jail.local for postfix-sasl:

Code:
[postfix-sasl]
enabled = true

Or this:

Code:
[postfix-sasl]
enabled = true
port = smtp
filter = postfix[mode=auth]
logpath = /var/log/mail.log
maxretry = 3
Thanks for your help. No, I have tried, but it's the same. It's working! With just

Code:
enabled = true

(and it banned many users, so it seems to be working). Maybe it's because of

Code:
filter = postfix-sasl

? Because when I go into the "filter.d" folder I don't see postfix-sasl. What do you think?
I have that filter on my server, /etc/fail2ban/filter.d/postfix-sasl.conf:

Code:
# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix/(submission/)?smtp(d|s)

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$

ignoreregex = authentication failed: Connection lost to authentication server$

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service

# Author: Yaroslav Halchenko
ignoreregex =
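The filter in the post above can be dry-run against log lines without touching a live fail2ban. The script below is an added example written for this thread; it is neither fail2ban's code nor anything posted by the participants. It copies the failregex and ignoreregex from the posted postfix-sasl.conf, runs them over a few constructed mail.log lines in the shape of the ones from the first post, and tallies failures per host the way the jail's "Total failed" counter would before comparing with maxretry. Assumptions that are not in the thread: %(__prefix_line)s from common.conf is replaced by a simplified syslog prefix (timestamp, hostname, daemon[pid]); the <HOST> tag is limited to IPv4; the inline (?i) flag is written in the scoped form (?i:...) that current Python accepts; and the jail's findtime window is ignored. The sample lines are constructed, not captured traffic.

```python
"""Dry-run the posted postfix-sasl filter regexes over constructed mail.log lines.

Added example, not fail2ban code: the regexes are copied from the
postfix-sasl.conf shown in the thread; only the parts fail2ban pulls in
from common.conf are replaced by simplified assumptions (see comments).
"""
import re

# Assumption: simplified stand-in for fail2ban's %(__prefix_line)s from
# common.conf, covering "Mon DD HH:MM:SS host daemon[pid]: ".  The real
# expression also handles ISO dates, journald and kernel prefixes.
_DAEMON = r"postfix/(?:submission/)?smtp(?:d|s)"
_PREFIX_LINE = (
    r"(?:[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s)?"  # syslog timestamp
    r"(?:\S+\s)?"                                          # hostname
    r"(?:" + _DAEMON + r")\[\d+\]:\s"                      # postfix/smtpd[1094]:
)

# Assumption: fail2ban's <HOST> tag also matches IPv6 and hostnames; IPv4 only here.
_HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex from the posted filter.  The original writes the case-insensitive
# flag as ((?i)LOGIN|...); Python 3.11+ rejects a global flag in the middle
# of a pattern, so it is written in the equivalent scoped form (?i:...).
FAILREGEX = re.compile(
    r"^" + _PREFIX_LINE
    + r"warning: [-._\w]+\[" + _HOST + r"\]: SASL "
    + r"(?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    + r"(: [ A-Za-z0-9+/:]*={0,2})?\s*$"
)

# ignoreregex from the posted filter: a failure caused by the SASL backend
# going away is not the client's fault and must not count toward a ban.
IGNOREREGEX = re.compile(
    r"authentication failed: Connection lost to authentication server$"
)


def match_line(line):
    """Return the offending host if fail2ban would count this line, else None."""
    m = FAILREGEX.match(line)
    if m is None or IGNOREREGEX.search(line):
        return None
    return m.group("host")


def count_failures(lines):
    """Failures per host, as the jail's 'Total failed' counter would tally them."""
    counts = {}
    for line in lines:
        host = match_line(line)
        if host is not None:
            counts[host] = counts.get(host, 0) + 1
    return counts


def hosts_to_ban(lines, maxretry=5):
    """Hosts that reached maxretry (fail2ban's findtime window is ignored here)."""
    return sorted(h for h, n in count_failures(lines).items() if n >= maxretry)


# Constructed sample lines shaped like the ones in the first post (not real
# traffic; 92.118.38.57 is the address the post quotes, the other two are
# documentation addresses).
SAMPLE_LOG = [
    "Jan 10 12:00:01 mail postfix/smtpd[1094]: connect from unknown[92.118.38.57]",
    "Jan 10 12:00:02 mail postfix/smtpd[1094]: warning: unknown[92.118.38.57]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 10 12:00:03 mail postfix/smtpd[1094]: warning: unknown[92.118.38.57]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 10 12:00:04 mail postfix/smtpd[1094]: warning: unknown[92.118.38.57]: SASL PLAIN authentication failed: authentication failure",
    "Jan 10 12:00:05 mail postfix/smtpd[1094]: warning: unknown[92.118.38.57]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 10 12:00:06 mail postfix/smtpd[1094]: warning: unknown[92.118.38.57]: SASL CRAM-MD5 authentication failed",
    "Jan 10 12:00:07 mail postfix/submission/smtpd[2201]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure",
    "Jan 10 12:00:08 mail postfix/smtpd[1094]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: Connection lost to authentication server",
    "Jan 10 12:00:09 mail postfix/smtpd[1094]: disconnect from unknown[92.118.38.57] ehlo=1 auth=0/5 quit=1 commands=2/7",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(f"{match_line(line) or '-':>14}  {line}")
    print(count_failures(SAMPLE_LOG))
    print("would ban:", hosts_to_ban(SAMPLE_LOG, maxretry=5))
```

Run as is, it counts five failures for 92.118.38.57 and one for 198.51.100.7, skips the "Connection lost to authentication server" line because the ignoreregex catches it, and with maxretry = 5 reports only 92.118.38.57. On the real box the same check against the actual log is fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-sasl.conf, which prints how many lines matched and how many were ignored; if that file is missing, as it was on the fresh install in this thread, the jail that references it is not created, which is consistent with fail2ban-client answering that the jail does not exist.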
Great, thanks for the file; it was what I was thinking, but I don't understand why this file doesn't exist on my fresh install. So I have created this file, pasted your content, and set the rule in jail.local like it was before, and everything seems to work like this: "fail2ban-client status" shows the "postfix-sasl" rule, and the rule works well (many users banned).
I had my server under attack, so I had to set more aggressive rules in fail2ban. If you need more rules in the future, send me a message and I can share them with you. Regards.