I am getting hundreds of these in my mail server logs. I have fail2ban running, however it doesn't seem to be stopping them from repeating IP addresses.

May 11 20:30:37 server1 postfix/smtpd[468]: warning: unknown[103.231.139.142]: SASL LOGIN authentication failed: authentication failure
May 11 20:30:38 server1 postfix/smtpd[468]: disconnect from unknown[103.231.139.142] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 11 20:30:39 server1 postfix/smtpd[12859]: connect from unknown[103.231.139.55]
May 11 20:30:45 server1 postfix/smtpd[12859]: warning: unknown[103.231.139.55]: SASL LOGIN authentication failed: authentication failure
May 11 20:30:45 server1 postfix/smtpd[12859]: disconnect from unknown[103.231.139.55] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 11 20:31:33 server1 postfix/smtpd[468]: connect from unknown[103.231.139.142]
May 11 20:31:40 server1 postfix/smtpd[468]: warning: unknown[103.231.139.142]: SASL LOGIN authentication failed: authentication failure
May 11 20:31:40 server1 postfix/smtpd[468]: disconnect from unknown[103.231.139.142] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 11 20:31:42 server1 postfix/smtpd[12859]: connect from unknown[103.231.139.55]
May 11 20:31:46 server1 postfix/smtpd[12859]: warning: unknown[103.231.139.55]: SASL LOGIN authentication failed: authentication failure
May 11 20:31:47 server1 postfix/smtpd[12859]: disconnect from unknown[103.231.139.55] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 11 20:32:35 server1 postfix/smtpd[468]: connect from unknown[103.231.139.142]
May 11 20:32:42 server1 postfix/smtpd[468]: warning: unknown[103.231.139.142]: SASL LOGIN authentication failed: authentication failure
May 11 20:32:43 server1 postfix/smtpd[468]: disconnect from unknown[103.231.139.142] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 11 20:32:44 server1 postfix/smtpd[12859]: connect from unknown[103.231.139.55]
May 11 20:32:50 server1 postfix/smtpd[12859]: warning: unknown[103.231.139.55]: SASL LOGIN authentication failed: authentication failure
May 11 20:32:51 server1 postfix/smtpd[12859]: disconnect from unknown[103.231.139.55] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 11 20:33:38 server1 postfix/smtpd[468]: connect from unknown[103.231.139.142]
May 11 20:33:44 server1 postfix/smtpd[468]: warning: unknown[103.231.139.142]: SASL LOGIN authentication failed: authentication failure
May 11 20:33:45 server1 postfix/smtpd[468]: disconnect from unknown[103.231.139.142] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4

I have gone into fail2ban and set the authentication failure ban to 1 attempt (instead of the default 5 login attempts). Is there a better way that I can stop all this? Suggestions? At present I am just running a default fail2ban setup!

EDIT... also, what does the following mean?

fail2ban.actions [10179]: ERROR Failed to start jail 'postfix-sasl' action 'firewallcmd-ipset': Error starting action
What does that solution actually do? Does it just stop relogging the same over and over, or does it do something else? What I have found is that this script is using 2 or 3 or more IP addresses and constantly swapping from one to another (between 15 and 30 seconds apart roughly) so fail2ban doesn't ban it. I have done the following for now...

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='103.231.139.55' reject"
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='103.231.139.142' reject"

and I am going to set the number of retries to 1 and increase the time between retries (which will be a pain, but I don't know what else to do?). I have also found the tutorial on badips... would this be a suitable solution?
Read man 5 jail.conf and adjust findtime and maxretry. I do not believe that rotating a few IP numbers prevents fail2ban from setting bans.
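To make the findtime/maxretry relationship concrete, here is an added example (not from the thread and not fail2ban's own code) that replays the SASL failure lines from the first post through the same per-IP sliding-window rule fail2ban applies: an IP is banned once `maxretry` failures fall inside a window of `findtime` seconds. The regex is a simplified stand-in for the stock postfix-sasl filter, and the year is assumed to be 2019 because syslog lines carry none.

```python
"""Replay Postfix SASL failures through a fail2ban-style per-IP counter."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: the SASL failure lines from the thread's log excerpt
# (connect/disconnect lines are left out; the filter would not match them).
SAMPLE_LOG = """\
May 11 20:30:37 server1 postfix/smtpd[468]: warning: unknown[103.231.139.142]: SASL LOGIN authentication failed: authentication failure
May 11 20:30:45 server1 postfix/smtpd[12859]: warning: unknown[103.231.139.55]: SASL LOGIN authentication failed: authentication failure
May 11 20:31:40 server1 postfix/smtpd[468]: warning: unknown[103.231.139.142]: SASL LOGIN authentication failed: authentication failure
May 11 20:31:46 server1 postfix/smtpd[12859]: warning: unknown[103.231.139.55]: SASL LOGIN authentication failed: authentication failure
May 11 20:32:42 server1 postfix/smtpd[468]: warning: unknown[103.231.139.142]: SASL LOGIN authentication failed: authentication failure
May 11 20:32:50 server1 postfix/smtpd[12859]: warning: unknown[103.231.139.55]: SASL LOGIN authentication failed: authentication failure
May 11 20:33:44 server1 postfix/smtpd[468]: warning: unknown[103.231.139.142]: SASL LOGIN authentication failed: authentication failure
"""

# Simplified stand-in for the pattern the stock postfix-sasl filter matches.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed"
)


def parse_failures(text, year=2019):
    """Yield (timestamp, ip) for every SASL failure line.
    Syslog timestamps have no year, so one is assumed (2019 here)."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]


def simulate(text, maxretry=5, findtime=600, year=2019):
    """Apply fail2ban's rule per source IP: ban when `maxretry` failures
    fall inside a sliding window of `findtime` seconds (defaults match
    jail.conf). Returns {ip: (ban_time or None, failures_seen_after_ban)}."""
    recent = defaultdict(deque)
    result = {}
    for ts, ip in parse_failures(text, year):
        banned_at, after = result.get(ip, (None, 0))
        if banned_at is not None:
            # Failures that keep arriving from an IP fail2ban already banned
            # mean the ban action is not actually blocking traffic.
            result[ip] = (banned_at, after + 1)
            continue
        window = recent[ip]
        window.append(ts)
        # Drop failures that fell out of the findtime window.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        result[ip] = (ts, 0) if len(window) >= maxretry else (None, 0)
    return result


if __name__ == "__main__":
    for maxretry, findtime in ((5, 600), (3, 600), (1, 600), (2, 60)):
        print(f"maxretry={maxretry} findtime={findtime}s")
        for ip, (banned_at, after) in simulate(SAMPLE_LOG, maxretry, findtime).items():
            state = (f"banned at {banned_at:%H:%M:%S}, {after} later failure(s) still logged"
                     if banned_at else "not banned")
            print(f"  {ip}: {state}")
```

With the jail.conf defaults the seven-line excerpt is too short to trigger a ban, but each address fails about once a minute, so five failures land well inside the 600 s window; spreading the attempts across two or three addresses only delays each ban by the same factor. Shrinking findtime is what actually lets a slow rotation through (the 60 s case above bans nothing), so raising maxretry's window rather than lowering it is the direction to adjust. Separately, new failures from an address fail2ban reports as already banned indicate the ban action itself is not in effect, which is the symptom the firewallcmd-ipset error in the first post would produce.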
Is there any means of stopping the log entries below? This is going to fill my logs up with 10s of 1,000s of entries rather quickly. I need to find a method of just not allowing these bloody bots to get in to attempt to authenticate all the time. Is there a different way of setting up a mail server such that the standard is different... i.e. some kind of "tunnel" that users can also use in order to connect with their mail clients? (I realise that an incoming mail relay provider would be an option because that is non-standard ports.) Is it feasible to have incoming on a non-standard port between myself and my webhosting clients with sites and email on the server? (Would that work with my webhosting clients or would it cause too much trouble?) EDIT... oh hang on, then how do they get emails from other people sending on standard ports... doh!!!) Thoughts?

2019-05-13 23:12:46,263 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:12:46,795 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:12:49,807 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:12:50,800 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:12:53,640 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:12:53,804 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:12:57,146 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:12:57,809 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:13:01,073 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:13:01,814 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:13:07,322 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:13:07,821 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:13:14,520 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:13:14,830 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:13:21,990 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:13:22,839 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:13:29,666 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:13:29,848 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:13:36,982 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:13:37,857 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:13:44,275 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:13:44,866 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:13:52,101 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:13:52,875 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:13:59,900 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:14:00,885 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:14:07,155 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:14:07,894 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:14:14,720 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:14:14,902 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:18:47,461 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:18:48,221 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:18:50,932 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:18:51,225 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:18:54,472 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:18:55,230 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:18:58,648 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:18:59,235 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:19:01,940 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:19:02,238 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:19:05,856 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:19:06,243 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:19:09,658 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:19:10,248 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:19:12,482 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:19:13,252 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:19:15,717 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:19:16,256 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:19:19,041 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:19:19,260 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:19:25,621 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:19:26,268 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:19:33,843 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:19:34,278 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:19:41,653 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:19:42,288 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:19:49,166 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:19:49,296 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:19:56,707 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:19:57,306 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:20:04,361 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:20:05,315 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:20:11,999 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:20:12,324 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:20:19,471 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:20:20,334 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:20:27,264 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:20:27,342 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:20:35,026 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:20:35,351 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:25:12,980 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:25:13,582 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:25:16,518 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:25:16,586 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:25:19,399 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:25:19,590 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:25:22,994 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:25:23,595 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:25:26,565 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:25:26,599 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:25:29,927 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:25:30,603 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
2019-05-13 23:25:33,109 fail2ban.filter [18037]: INFO [postfix-sasl] Found 37.49.230.154
2019-05-13 23:25:33,607 fail2ban.actions [18037]: NOTICE [postfix-sasl] 37.49.230.154 already banned
Set up logrotate to prevent log files growing huge. My server now has less than 5 Mbytes of fail2ban logs:

ls -lh /var/log/fail2ban.log*
-rw-r----- 1 root adm 179K touko 13 16:55 /var/log/fail2ban.log
-rw-r----- 1 root adm 3,0M touko 13 06:26 /var/log/fail2ban.log.1
-rw-r----- 1 root adm 231K touko  5 06:26 /var/log/fail2ban.log.2.gz
-rw-r----- 1 root adm 396K huhti 29 06:26 /var/log/fail2ban.log.3.gz
-rw-r----- 1 root adm 424K huhti 21 06:28 /var/log/fail2ban.log.4.gz
I have some thoughts on this: what are the advantages in rotating log files in this way? Also, I notice that some of yours are archived. Why is this? Also, looking at my mxtoolbox email results, can I change the "Auth Plain Login" to instead only accept a key? If a key is feasible, does this help with this issue at all?

Connecting to <ipaddress>
220 server1.domain.com ESMTP Postfix (Debian/GNU) [875 ms]
EHLO keeper-us-east-1c.mxtoolbox.com
250-server1.domain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8 [836 ms]
MAIL FROM:<[email protected]>
250 2.1.0 Ok [849 ms]
RCPT TO:<[email protected]>
454 4.7.1 <[email protected]>: Relay access denied [836 ms]
LookupServer 4452ms
If log files are never deleted, the disk eventually fills up with log files and the Unix or Linux system stops working. Logrotate and similar helpers automate this maintenance, so the admin does not need to remember to clean away old log files. Compressed files use less disk space, and log files compress well: that 231K /var/log/fail2ban.log.2.gz is 2,2M when uncompressed.
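As an added example of the kind of logrotate stanza that produces a listing like the one above (this is not the poster's actual configuration; the path and the weekly/four-copies/delayed-compression choices are assumptions that match the dates and the one uncompressed .1 file in that listing), a file such as /etc/logrotate.d/fail2ban could contain:

```conf
# Assumed example stanza for fail2ban's own log; adjust path and cadence to taste.
/var/log/fail2ban.log {
    weekly              # rotate once a week (the listing shows ~7-day spacing)
    rotate 4            # keep four old copies, matching .1 through .4.gz
    compress            # gzip rotated copies to save space
    delaycompress       # leave the newest old copy (.1) uncompressed for easy reading
    missingok           # do not error if the log is absent
    notifempty          # skip rotation when there is nothing to rotate
    create 0640 root adm
    postrotate
        # Tell fail2ban to reopen its log file so it does not keep writing to the rotated one.
        fail2ban-client flushlogs >/dev/null 2>&1 || true
    endscript
}
```

The postrotate hook matters: without it fail2ban keeps its file handle on the renamed .1 file and the fresh fail2ban.log stays empty until the service restarts.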