Hello! From time to time I see many of these log lines in mail.log:

Code:
    Mar 9 09:06:57 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar 9 09:07:12 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar 9 09:07:30 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar 9 09:08:02 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar 9 09:08:10 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar 9 09:08:20 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar 9 09:08:31 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar 9 09:08:50 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar 9 09:08:58 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar 9 09:09:20 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar 9 09:09:53 itex postfix/smtpd[5534]: last message repeated 2 times
    Mar 9 09:09:53 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar 9 09:10:02 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar 9 09:10:14 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar 9 09:10:35 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar 9 09:10:48 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar 9 09:11:05 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar 9 09:11:13 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar 9 09:11:23 itex postfix/smtpd[5534]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar 9 09:11:32 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Mar 9 09:11:44 itex postfix/smtpd[5324]: warning: mail.domain.com[1.2.3.4]: SASL LOGIN authentication failed: authentication failure

Here mail.domain.com is the domain of my server and 1.2.3.4 is the IP of my server. chkrootkit and rkhunter are clean, and fail2ban doesn't recognize it.

jail.conf

Code:
    [sasl]
    enabled = true
    port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd
    filter = sasl
    # You might consider monitoring /var/log/warn.log instead
    # if you are running postfix. See http://bugs.debian.org/507990
    logpath = /var/log/mail.log

sasl.conf

Code:
    # Fail2Ban configuration file
    #
    # Author: Yaroslav Halchenko
    #
    # $Revision: 728 $
    #

    [Definition]

    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile. The
    # host must be matched by a group named "host". The tag "<HOST>" can
    # be used for standard IP/hostname matching and is only an alias for
    # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values: TEXT
    #
    #failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed

    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    #
    ignoreregex =

In the fail2ban log I have this:

Code:
    2012-03-09 13:36:52,832 fail2ban.actions.action: ERROR iptables -N fail2ban-sasl
    iptables -A fail2ban-sasl -j RETURN
    iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200

Is it normal, or is something wrong with the server security? I have ISPConfig2 final, Ubuntu 10.04.1 LTS. Thank you!
I guess this is the ISPConfig monitor that tries to find out if Postfix is still online. And because localhost is whitelisted in the fail2ban configuration, your host isn't blocked.
Thank you, Falko. But what can I do with fail2ban? I tried to solve the problem with fail2ban restarting and put this line into iptables-multiport.conf:

Code:
    sleep ${RANDOM:0:1}.${RANDOM: -1:1}

Now the fail2ban restart is fine, but when fail2ban tries to unban I have this log:

Code:
    2012-03-12 07:22:00,102 fail2ban.actions: WARNING [sasl] Unban 183.7.88.183
    2012-03-12 07:22:00,110 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
    2012-03-12 07:22:00,111 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
    2012-03-12 07:22:03,239 fail2ban.actions.action: ERROR sleep ${RANDOM:0:1}.${RANDOM: -1:1}
    iptables -N fail2ban-sasl
    iptables -A fail2ban-sasl -j RETURN
    iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200
    2012-03-12 07:22:03,247 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
How do you try to unban an IP? I suggest you try this method: http://www.howtoforge.com/forums/showthread.php?t=51366
I don't try to unban manually. It is the fail2ban log file: an automatic unban. And I can't understand this log:

Code:
    2012-03-13 19:52:13,396 fail2ban.actions: WARNING [sasl] Ban 59.40.168.253
    2012-03-13 19:52:13,407 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
    2012-03-13 19:52:13,407 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
    2012-03-13 19:52:20,137 fail2ban.actions.action: ERROR sleep ${RANDOM:0:1}.${RANDOM: -1:1}
    iptables -N fail2ban-sasl
    iptables -A fail2ban-sasl -j RETURN
    iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200
    2012-03-13 19:52:20,145 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
    2012-03-13 19:52:20,146 fail2ban.actions.action: CRITICAL Unable to restore environment
    2012-03-13 19:52:40,167 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:53:13,203 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:53:40,233 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:54:07,262 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:54:33,288 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:54:59,315 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:55:27,345 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:55:53,373 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:56:22,403 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:56:50,433 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:57:17,461 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:57:46,492 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:58:13,519 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:58:41,548 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:59:10,578 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 19:59:37,607 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 20:00:03,635 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 20:00:30,665 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 20:00:58,696 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 20:01:24,724 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 20:01:52,753 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 20:02:13,775 fail2ban.actions: WARNING [sasl] Unban 59.40.168.253
    2012-03-13 20:02:13,798 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
    2012-03-13 20:02:13,798 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
    2012-03-13 20:02:23,736 fail2ban.actions.action: ERROR sleep ${RANDOM:0:1}.${RANDOM: -1:1}
    iptables -N fail2ban-sasl
    iptables -A fail2ban-sasl -j RETURN
    iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200
    2012-03-13 20:02:23,744 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
    2012-03-13 20:02:23,744 fail2ban.actions.action: CRITICAL Unable to restore environment
    2012-03-13 20:02:24,746 fail2ban.actions: WARNING [sasl] Ban 59.40.168.253
    2012-03-13 20:02:24,756 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
    2012-03-13 20:02:24,757 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
    2012-03-13 20:02:27,885 fail2ban.actions.action: ERROR sleep ${RANDOM:0:1}.${RANDOM: -1:1}
    iptables -N fail2ban-sasl
    iptables -A fail2ban-sasl -j RETURN
    iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200
    2012-03-13 20:02:27,897 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
    2012-03-13 20:02:27,897 fail2ban.actions.action: CRITICAL Unable to restore environment
    2012-03-13 20:02:47,920 fail2ban.actions: WARNING [sasl] 59.40.168.253 already banned
    2012-03-13 20:12:25,530 fail2ban.actions: WARNING [sasl] Unban 59.40.168.253
    2012-03-13 20:12:25,539 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-sasl returned 100
    2012-03-13 20:12:25,539 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
    2012-03-13 20:12:28,599 fail2ban.actions.action: ERROR sleep ${RANDOM:0:1}.${RANDOM: -1:1}
    iptables -N fail2ban-sasl
    iptables -A fail2ban-sasl -j RETURN
    iptables -I INPUT -p tcp -m multiport --dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,smtpd -j fail2ban-sasl returned 200
    2012-03-13 20:12:28,606 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-sasl returned 100

It means that the IP is banned.
But in mail.warn I see this:

Code:
    Mar 13 19:59:58 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:00:02 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:00:03 itex postfix/smtpd[14253]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:00:08 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:00:10 itex postfix/smtpd[15442]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:00:14 itex postfix/smtpd[15442]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:00:15 itex postfix/smtpd[14253]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:00:19 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:00:20 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:00:24 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:00:26 itex postfix/smtpd[15442]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:00:29 itex postfix/smtpd[15442]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:00:31 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:00:34 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:00:35 itex postfix/smtpd[14253]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:00:39 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:00:40 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:00:47 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:00:48 itex postfix/smtpd[15442]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:00:52 itex postfix/smtpd[15442]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:00:53 itex postfix/smtpd[14253]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:00:57 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:00:59 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:01:03 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:01:04 itex postfix/smtpd[15442]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:01:08 itex postfix/smtpd[15442]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:01:09 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:01:13 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:01:14 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:01:18 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:01:19 itex postfix/smtpd[14253]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:01:23 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:01:24 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:01:28 itex postfix/smtpd[6965]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:01:30 itex postfix/smtpd[15442]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:01:34 itex postfix/smtpd[15442]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:01:35 itex postfix/smtpd[14253]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known
    Mar 13 20:01:40 itex postfix/smtpd[14253]: warning: unknown[59.40.168.253]: SASL LOGIN authentication failed: authentication failure
    Mar 13 20:01:41 itex postfix/smtpd[6965]: warning: 59.40.168.253: hostname 253.168.40.59.broad.sz.gd.dynamic.163data.com.cn verification failed: Name or service not known

It means that this IP tries to connect and iptables does not block it! How can I block this IP? I need this IP to be unable to connect. Falko, can you help me to solve this problem? Big thanks.