Hello, I noticed a lot of "SASL LOGIN authentication failed: UGFzc3dvcmQ6" in my mail.log and was wondering why fail2ban does not seem to block the IP.

System: Debian wheezy installed using perfect-server-debian-wheezy-apache2-bind-dovecot-ispconfig-3

Here are some entries from mail.warn:

Code:
    Dec 1 19:15:54 myserver postfix/smtpd[563]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 1 19:38:35 myserver postfix/smtpd[1119]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 1 20:01:32 myserver postfix/smtpd[1673]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 1 20:24:25 myserver postfix/smtpd[2695]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 1 20:47:10 myserver postfix/smtpd[3250]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 1 21:10:11 myserver postfix/smtpd[3885]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 1 21:33:13 myserver postfix/smtpd[4378]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 1 21:56:02 myserver postfix/smtpd[4861]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Dec 1 22:18:05 myserver postfix/smtpd[5532]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

There was a lot of this, all from the same IP. So I looked at my fail2ban log and there is no ban for this IP.
My /etc/fail2ban/jail.local:

Code:
    [sasl]
    enabled  = true
    port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    filter   = sasl
    logpath  = /var/log/mail.warn
    maxretry = 3

Look at my sasl.conf:

Code:
    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

So to test I run:

Code:
    fail2ban-regex /var/log/mail.warn /etc/fail2ban/filter.d/sasl.conf

and get some 300 matches, and the questionable IP is also matched! So I fire up telnet and test this:

Code:
    telnet myserver 25
    ehlo test
    AUTH LOGIN somepassword

and get

Code:
    535 5.7.8 Error: authentication failed: VXNlcm5hbWU6

In mail.warn:

Code:
    Dec 2 10:40:20 myserver postfix/smtpd[27724]: warning: myipaddress[XX.XX.X.XXX]: SASL LOGIN authentication failed: VXNlcm5hbWU6

I do this 3 times and get banned by fail2ban. My IP is in the fail2ban log. So I know it works! But this one IP is still trying as I'm typing this and not getting banned. So I'm really confused and need some help.

The only thing I can think of is that there's a time-between-attempts issue. The logs show it attempts every 23 minutes or so. Is it possible that fail2ban only blocks attempts that are closer together?

One other thought I had was: do I need to add "smtpd" as a port to my jail.local? Right now I have

Code:
    port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s

Any other ideas? Thanks
So I think I might be able to answer my own question. I guess it helps to RTFM: findtime = 600

Code:
    (from Manual) Jail Options
    Every jail can be customized by tuning the following options:

    Name      Default            Description
    filter                       Name of the filter to be used by the jail to detect matches. Each single match by a filter increments the counter within the jail
    logpath   /var/log/messages  Path to the log file which is provided to the filter
    maxretry  3                  Number of matches (i.e. value of the counter) which triggers ban action on the IP.
    findtime  600 sec            The counter is set to zero if no match is found within "findtime" seconds.
    bantime   600 sec            Duration (in seconds) for IP to be banned for. Negative number for "permanent" ban.

I think I should set findtime to something like 1800. Anybody think this might adversely affect anything else?
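As an added example that is not part of the thread: the Python script below applies the sasl.conf failregex quoted above to constructed log lines (modelled on the ones in the first two posts; the tester's address is replaced by 192.0.2.10 and the syslog year, which the log omits, is assumed to be 2012) and replays fail2ban's per-IP failure counter for several findtime values. The counter model follows fail2ban 0.8 (the release in wheezy), where the retry count is zeroed when a failure arrives more than findtime seconds after the failure that opened the current window; later releases changed that bookkeeping, so check failmanager.py of the installed version before relying on the exact numbers. The script also decodes the base64 tail of the log line, which is the last LOGIN challenge the server sent, not anything the client typed.

```python
import base64
import re
from datetime import datetime, timedelta

# failregex exactly as posted in the thread (fail2ban filter.d/sasl.conf).
FAILREGEX_RAW = (r"(?i): warning: [-._\w]+\[<HOST>\]: SASL "
                 r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
                 r"(: [ A-Za-z0-9+/]*={0,2})?\s*$")
# fail2ban substitutes its own host pattern for <HOST>; this is the 0.8 form.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
FAILREGEX = re.compile(FAILREGEX_RAW.replace("<HOST>", HOST_PATTERN))

SYSLOG_TS = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) ")

# Constructed sample log: the slow attacker from the thread (one try every
# ~23 minutes) and three quick test attempts from 192.0.2.10 (assumed address).
SAMPLE_LOG = """\
Dec  1 19:15:54 myserver postfix/smtpd[563]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec  1 19:38:35 myserver postfix/smtpd[1119]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec  1 20:01:32 myserver postfix/smtpd[1673]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec  1 20:24:25 myserver postfix/smtpd[2695]: warning: 50-202-171-113-static.hfc.comcastbusiness.net[50.202.171.113]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec  2 10:40:20 myserver postfix/smtpd[27724]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: VXNlcm5hbWU6
Dec  2 10:40:31 myserver postfix/smtpd[27724]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: VXNlcm5hbWU6
Dec  2 10:40:45 myserver postfix/smtpd[27724]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: VXNlcm5hbWU6
"""


def parse_time(line, year):
    """Syslog lines carry no year, so the caller supplies one (assumed 2012 here)."""
    m = SYSLOG_TS.match(line)
    return datetime.strptime(f"{year} {m.group(1)} {m.group(2)} {m.group(3)}",
                             "%Y %b %d %H:%M:%S")


def decode_challenge(token):
    """The base64 tail Postfix logs is the last SASL challenge it sent."""
    return base64.b64decode(token).decode("ascii")


def count_matches(log_text):
    """What fail2ban-regex reports: lines the failregex matches at all."""
    return sum(1 for line in log_text.splitlines() if FAILREGEX.search(line))


def simulate(log_text, findtime, maxretry, year=2012):
    """Replay the per-IP failure counter; return {ip: time of first ban}.

    Model (fail2ban 0.8 FailManager): a window opens at an IP's first failure;
    a failure more than findtime seconds after the window opened resets the
    counter to zero and opens a new window; reaching maxretry bans the IP.
    """
    window = timedelta(seconds=findtime)
    state = {}   # ip -> (retry count, time the current window opened)
    bans = {}
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue
        ip = m.group("host")
        now = parse_time(line, year)
        retry, opened = state.get(ip, (0, now))
        if now - opened > window:      # "counter is set to zero" (manual)
            retry, opened = 0, now
        retry += 1
        state[ip] = (retry, opened)
        if retry >= maxretry and ip not in bans:
            bans[ip] = now
    return bans


def minimum_findtime(gap_seconds, maxretry):
    """Smallest findtime under this model for evenly spaced attempts to reach maxretry."""
    return (maxretry - 1) * gap_seconds


if __name__ == "__main__":
    for token in ("UGFzc3dvcmQ6", "VXNlcm5hbWU6"):
        print(token, "->", repr(decode_challenge(token)))
    print("failregex matches:", count_matches(SAMPLE_LOG))
    for findtime in (600, 1800, 3600):
        print(f"findtime={findtime}:", simulate(SAMPLE_LOG, findtime, maxretry=3))
    print("minimum findtime for 3 tries 1361 s apart:", minimum_findtime(1361, 3))
```

With findtime=600 the three quick test attempts are banned at the third one, while the attacker at 23-minute spacing never gets past a count of 1, which is the behaviour described in the thread. Raising findtime to 1800 still does not ban it under this model: the second attempt (1361 s in) counts, but the third lands 2738 s after the window opened and resets the counter. The window has to cover (maxretry - 1) spacings with some margin, so 3600 bans at the third attempt. The only side effect of a longer findtime is that the jail gets stricter for everyone, including a legitimate user who mistypes a password three times within an hour; with bantime at 600 that costs them ten minutes.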