Hello everyone. I am seeing in my mail.log a LOT of messages with the following information and I am trying to figure out why fail2ban is not stopping them:

Oct 21 10:19:48 server1 postfix/smtpd[3939]: warning: unknown[116.12.154.18]: SASL LOGIN authentication failed: authentication failure
Oct 21 10:19:49 server1 postfix/smtpd[2715]: warning: unknown[116.12.154.18]: SASL LOGIN authentication failed: authentication failure
Oct 21 10:19:49 server1 postfix/smtpd[2525]: warning: unknown[116.12.154.18]: SASL LOGIN authentication failed: authentication failure
Oct 21 10:19:49 server1 postfix/smtpd[2414]: warning: unknown[116.12.154.18]: SASL LOGIN authentication failed: authentication failure

What do I have to do to get this to stop? I am looking in the /etc/fail2ban/jail.conf file and I see that my sasl entry is not enabled?

[sasl]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
logpath = /var/log/mail.log

Is there anything in particular I should do to get this enabled? I mean, I know I could probably set that to true and reboot, but I don't want to break anything!

sERGE
Update

This is what the entry in my sasl.conf file looks like . . .

failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?$
Not sure things are working right

Looks like I am getting hit hard now with a DoS attack! I need to make certain the jailing is working correctly. I am seeing all my sessions used up and my server is running very poorly. This is the error I am seeing:

Oct 22 02:37:17 server1 postfix/smtpd[9075]: warning: 88.247.7.123: hostname 88.247.7.123.static.ttnet.com.tr verification failed: No address associated with hostname
Oct 22 02:43:02 server1 postfix/smtpd[9169]: warning: 89.36.168.98: hostname dyn-168.98.sovata.digicomm.ro verification failed: No address associated with hostname
Oct 22 02:46:24 server1 postfix/smtpd[9214]: warning: 200.43.14.162: hostname smtp.indiosolosa.com.ar verification failed: No address associated with hostname
Oct 22 02:49:54 server1 postfix/smtpd[9256]: warning: 123.14.45.210: hostname hn.kd.ny.adsl verification failed: No address associated with hostname

I don't see their IPs being jailed. Please help!
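The two posts above raise one question: which of these mail.log lines does the sasl failregex actually match, and when does a matching host cross the maxretry/findtime threshold? The script below is an added example (not from the original thread and not fail2ban's own code) that mimics what `fail2ban-regex` would tell you. It expands the `<HOST>` tag the way fail2ban does (the expansion string is an assumption modelled on fail2ban 0.8), applies the failregex from the thread to constructed log lines modelled on the ones quoted above, and counts hits per host over a sliding findtime window. The hostname-verification warnings contain no `[address]` bracket and no "SASL ... authentication failed" text, so the sasl filter does not match them; they are reverse-DNS noise, not authentication failures, and the sasl jail is not expected to ban them.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban replaces the <HOST> tag with a named group before compiling a
# failregex.  Assumed expansion, modelled on fail2ban 0.8 (not copied from it).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The sasl failregex quoted in the thread.
SASL_FAILREGEX = (
    r"(?i): warning: [-._\w]+\[<HOST>\]: SASL "
    r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(: [ A-Za-z0-9+/]*={0,2})?$"
)

# Constructed sample, modelled on the mail.log excerpts in the thread.
SAMPLE_LOG = """\
Oct 21 10:19:48 server1 postfix/smtpd[3939]: warning: unknown[116.12.154.18]: SASL LOGIN authentication failed: authentication failure
Oct 21 10:19:49 server1 postfix/smtpd[2715]: warning: unknown[116.12.154.18]: SASL LOGIN authentication failed: authentication failure
Oct 21 10:19:49 server1 postfix/smtpd[2525]: warning: unknown[116.12.154.18]: SASL LOGIN authentication failed: authentication failure
Oct 21 10:19:49 server1 postfix/smtpd[2414]: warning: unknown[116.12.154.18]: SASL LOGIN authentication failed: authentication failure
Oct 22 02:37:17 server1 postfix/smtpd[9075]: warning: 88.247.7.123: hostname 88.247.7.123.static.ttnet.com.tr verification failed: No address associated with hostname
Oct 22 02:43:02 server1 postfix/smtpd[9169]: warning: 89.36.168.98: hostname dyn-168.98.sovata.digicomm.ro verification failed: No address associated with hostname
Oct 22 02:46:24 server1 postfix/smtpd[9214]: warning: 200.43.14.162: hostname smtp.indiosolosa.com.ar verification failed: No address associated with hostname
Oct 22 02:49:54 server1 postfix/smtpd[9256]: warning: 123.14.45.210: hostname hn.kd.ny.adsl verification failed: No address associated with hostname
"""

HOSTNAME_WARNINGS = [l for l in SAMPLE_LOG.splitlines() if "verification failed" in l]


def compile_failregex(pattern):
    """Expand <HOST> and compile, as fail2ban does for each failregex."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


def parse_timestamp(line, year=2013):
    """syslog lines carry no year; the caller supplies it (assumed 2013 here)."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def find_failures(lines, failregex):
    """Return (timestamp, host) for every line the failregex matches."""
    rx = compile_failregex(failregex)
    hits = []
    for line in lines:
        m = rx.search(line)
        if m:
            hits.append((parse_timestamp(line), m.group("host")))
    return hits


def hosts_to_ban(lines, failregex, maxretry=3, findtime=600):
    """Hosts with >= maxretry matches inside any findtime-second window,
    i.e. the hosts a jail with these settings would ban."""
    recent = defaultdict(list)
    banned = set()
    for ts, host in find_failures(lines, failregex):
        # keep only failures that fall inside the findtime window ending now
        recent[host] = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        recent[host].append(ts)
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    for ts, host in find_failures(SAMPLE_LOG.splitlines(), SASL_FAILREGEX):
        print(f"{ts}  sasl match from {host}")
    print("would ban:", hosts_to_ban(SAMPLE_LOG.splitlines(), SASL_FAILREGEX))
    print("hostname warnings matched by sasl filter:",
          len(find_failures(HOSTNAME_WARNINGS, SASL_FAILREGEX)))
```

Run it and the four SASL lines attribute to 116.12.154.18, which crosses maxretry=3 inside the window and would be banned once the sasl jail is enabled; the four hostname-verification warnings produce no match at all. On the real box, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf` gives the same answer against the live log.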
Check fail2ban.log and compare your fail2ban rules with the ones from the perfect server guide for the Linux distribution that you use here at howtoforge.
I'd recommend that you switch to OSSEC + APF (or another firewall) anyway. OSSEC does a great job and it's easy to write custom rules etc. There's a great book from Packt Publishing called "Instant OSSEC HIDS". For example, you can take a look at my ruleset: http://drops.frontender.ch/AlJ6/1RmuZ7Hy
thanks much guys

Thanks so much guys for the quick replies. I can't find where to look for the rules that fail2ban should have turned on by default. I am running Ubuntu 10.4, and I am a noob at looking at these things, so any help (or hand-holding) you can provide, I'd appreciate. Looks like I am seeing a whole lot of different issues. The one below is the newest of the possible attacks. It looks like someone is trying to get into my email using generic accounts. How do I stop that? Again, thanks in advance for any help you can give me.

sERGE

Oct 22 22:31:49 server1 postfix/smtpd[2920]: connect from 223-93-16-190.fibertel.com.ar[190.16.93.223]
Oct 22 22:31:50 server1 postfix/smtpd[2920]: NOQUEUE: reject: RCPT from 223-93-16-190.fibertel.com.ar[190.16.93.223]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in virtual mailbox table; fr
Ahh . . I love this . . .

I think I may have found something . . . Could this be my problem?

2013-10-22 22:57:18,796 fail2ban.actions.action: ERROR iptables -N fail2ban-apache-overflows
iptables -A fail2ban-apache-overflows -j RETURN
iptables -I INPUT -p tcp -m multiport --dports http,https -j fail2ban-apache-overflows returned 200
2013-10-22 22:57:18,829 fail2ban.jail : INFO Jail 'apache' started
2013-10-22 22:57:18,870 fail2ban.jail : INFO Jail 'pure-ftpd' started
2013-10-22 22:57:18,888 fail2ban.actions.action: ERROR iptables -N fail2ban-postfix
iptables -A fail2ban-postfix -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp -j fail2ban-postfix returned 200
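Those ERROR records are the actionstart commands of a jail (create the per-jail chain, add its RETURN rule, hook it into INPUT) exiting non-zero, which is exactly the kind of thing to scan fail2ban.log for when bans appear not to take effect: if the chain never got set up, the jail still reports matches and "bans" but no iptables rule ever blocks the host. The helper below is an added example, not part of the thread and not fail2ban's code; it parses a constructed fail2ban.log excerpt modelled on the one above (fail2ban writes the multi-line iptables command verbatim, so a record can span several lines) and reports which jails started cleanly and which chains failed their actionstart, with the return code.

```python
import re

# Constructed sample modelled on the fail2ban.log excerpt quoted in the thread.
SAMPLE_FAIL2BAN_LOG = """\
2013-10-22 22:57:18,796 fail2ban.actions.action: ERROR  iptables -N fail2ban-apache-overflows
iptables -A fail2ban-apache-overflows -j RETURN
iptables -I INPUT -p tcp -m multiport --dports http,https -j fail2ban-apache-overflows returned 200
2013-10-22 22:57:18,829 fail2ban.jail   : INFO   Jail 'apache' started
2013-10-22 22:57:18,870 fail2ban.jail   : INFO   Jail 'pure-ftpd' started
2013-10-22 22:57:18,888 fail2ban.actions.action: ERROR  iptables -N fail2ban-postfix
iptables -A fail2ban-postfix -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp -j fail2ban-postfix returned 200
"""

# One action ERROR record: from "ERROR" up to the trailing "returned <code>",
# possibly spanning several lines (hence DOTALL and the non-greedy body).
ACTION_ERROR = re.compile(r"fail2ban\.actions\.action: ERROR\s+(.*?)\s+returned (\d+)", re.DOTALL)
JAIL_STARTED = re.compile(r"Jail '([^']+)' started")
CHAIN_CREATE = re.compile(r"iptables -N (fail2ban-\S+)")


def failed_actions(log_text):
    """Map each fail2ban chain whose actionstart failed to (return code, command)."""
    failures = {}
    for m in ACTION_ERROR.finditer(log_text):
        command, code = m.group(1), int(m.group(2))
        chain = CHAIN_CREATE.search(command)
        # fall back to the first word of the command if no chain creation is present
        name = chain.group(1) if chain else command.split()[0]
        failures[name] = (code, command)
    return failures


def started_jails(log_text):
    """Jails that logged a successful start, in log order."""
    return JAIL_STARTED.findall(log_text)


def report(log_text):
    """Human-readable summary of what to check next on the box."""
    lines = []
    for chain, (code, _) in sorted(failed_actions(log_text).items()):
        lines.append(f"{chain}: actionstart returned {code}; "
                     f"verify with: iptables -L {chain} -n")
    for jail in started_jails(log_text):
        lines.append(f"jail '{jail}' started")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FAIL2BAN_LOG)))
```

For the excerpt in the thread this flags the fail2ban-apache-overflows and fail2ban-postfix chains; the sensible follow-up is `iptables -L fail2ban-postfix -n` to see whether the chain exists at all, and if not, the matching postfix and sasl bans cannot be in effect whatever fail2ban.log says about them.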