From: chaouche y. <yac...@ya...> - 2017-09-17 10:13:04
Hello list,

I have two problems to discuss here

163.172.20.242 : a banned IP continued to make login requests to my postfix server
2.139.229.39 : another IP that should have been banned by my postfix-sasl-long jail (10 failures in 24 hours) but hasn't.

It is divided in three parts :

First part is for the first IP
Second part is for the second IP
Last part is the full config for my postfix jails.


FIRST IP : 163.172.20.242
=========================

1) Proof that it has reached its maxretry in the specified findtime
-------------------------------------------------------------------

Here's the config

['set', 'postfix-sasl', 'addlogpath', '/var/log/mail.warn']
['set', 'postfix-sasl', 'maxretry', 3]
['set', 'postfix-sasl', 'findtime', 600]    <<<<<< 5 minutes
['set', 'postfix-sasl', 'bantime', 86400]
['set', 'postfix-sasl', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\\s*$']

Here are the logged failures :

root@messagerie[10.10.10.19] ~ # grep 163.172.20.242 /var/log/mail.warn.1
Sep 15 00:44:00 messagerie postfix/smtpd[14051]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:00 messagerie postfix/smtpd[14389]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:00 messagerie postfix/smtpd[14391]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:00 messagerie postfix/smtpd[14392]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:01 messagerie postfix/smtpd[14393]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:06 messagerie postfix/smtpd[14051]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:06 messagerie postfix/smtpd[14389]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:06 messagerie postfix/smtpd[14391]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:06 messagerie postfix/smtpd[14392]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:07 messagerie postfix/smtpd[14393]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:16 messagerie postfix/smtpd[14051]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:16 messagerie postfix/smtpd[14389]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:16 messagerie postfix/smtpd[14392]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:16 messagerie postfix/smtpd[14391]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:17 messagerie postfix/smtpd[14393]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:26 messagerie postfix/smtpd[14051]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server
Sep 15 00:44:26 messagerie postfix/smtpd[14389]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server
Sep 15 00:44:26 messagerie postfix/smtpd[14392]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server
Sep 15 00:44:26 messagerie postfix/smtpd[14391]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server
Sep 15 00:44:27 messagerie postfix/smtpd[14393]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server
root@messagerie[10.10.10.19] ~ #

That's 20 lines in only 27 seconds.

root@messagerie[10.10.10.19] ~ # grep 163.172.20.242 /var/log/mail.warn.1 | wc -l
20
root@messagerie[10.10.10.19] ~ #

2) Proof that it has been banned after the maxretry
---------------------------------------------------

That IP has been first banned at 00:44:01, after 5 attempts, although it is configured to ban after 3 attempts in 5 minutes.

root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # zgrep 163.172.20.242 /var/log/fail2ban.log*
/var/log/fail2ban.log:2017-09-15 00:44:01,429 fail2ban.actions[10631]: WARNING [postfix-sasl] Ban 163.172.20.242
/var/log/fail2ban.log:2017-09-15 00:44:06,477 fail2ban.actions[10631]: INFO [postfix-sasl] 163.172.20.242 already banned
/var/log/fail2ban.log:2017-09-15 00:44:16,489 fail2ban.actions[10631]: INFO [postfix-sasl] 163.172.20.242 already banned
/var/log/fail2ban.log:2017-09-15 00:44:26,500 fail2ban.actions[10631]: INFO [postfix-sasl] 163.172.20.242 already banned
/var/log/fail2ban.log:2017-09-16 00:44:02,005 fail2ban.actions[10631]: WARNING [postfix-sasl] Unban 163.172.20.242
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #

3) Proof that it continued to try to login after it has been banned
-------------------------------------------------------------------

The IP has been banned at 00:44:01

/var/log/fail2ban.log:2017-09-15 00:44:01,429 fail2ban.actions[10631]: WARNING [postfix-sasl] Ban 163.172.20.242

But it continued to try to login after that, starting at 00:44:06

Sep 15 00:44:06 messagerie postfix/smtpd[14051]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:06 messagerie postfix/smtpd[14389]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:06 messagerie postfix/smtpd[14391]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:06 messagerie postfix/smtpd[14392]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:07 messagerie postfix/smtpd[14393]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:16 messagerie postfix/smtpd[14051]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:16 messagerie postfix/smtpd[14389]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:16 messagerie postfix/smtpd[14392]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:16 messagerie postfix/smtpd[14391]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:17 messagerie postfix/smtpd[14393]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:44:26 messagerie postfix/smtpd[14051]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server
Sep 15 00:44:26 messagerie postfix/smtpd[14389]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server
Sep 15 00:44:26 messagerie postfix/smtpd[14392]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server
Sep 15 00:44:26 messagerie postfix/smtpd[14391]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server
Sep 15 00:44:27 messagerie postfix/smtpd[14393]: warning: 163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication failed: Connection lost to authentication server


SECOND IP : 2.139.229.39
========================

1) Proof that it has reached its maxretry in the specified findtime
-------------------------------------------------------------------

Here's the config that should have banned it :

['set', 'postfix-sasl-long', 'addlogpath', '/var/log/mail.warn']
['set', 'postfix-sasl-long', 'maxretry', 10]
['set', 'postfix-sasl-long', 'findtime', 86400]    <<<<<<< 1 day
['set', 'postfix-sasl-long', 'bantime', 432000]
['set', 'postfix-sasl-long', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\\s*$']

It had 19 attempts in the first 24 hours, far more than the 10 maxretry configured (nearly by a factor of two), and 11 in the following 24 hours, plus 3 others, for a total of 36 attempts

root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # grep 2.139.229.39 /var/log/mail.warn.1
Sep 14 11:56:11 messagerie postfix/smtpd[34392]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 12:23:30 messagerie postfix/smtpd[38425]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 14:53:44 messagerie postfix/smtpd[55061]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 15:24:51 messagerie postfix/smtpd[51822]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 16:09:21 messagerie postfix/smtpd[58682]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 17:23:55 messagerie postfix/smtpd[63313]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 17:30:39 messagerie postfix/smtpd[63313]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 18:51:09 messagerie postfix/smtpd[1634]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 19:04:43 messagerie postfix/smtpd[2202]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 20:46:44 messagerie postfix/smtpd[4874]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 21:27:24 messagerie postfix/smtpd[5654]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 21:40:56 messagerie postfix/smtpd[5654]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 14 22:04:41 messagerie postfix/smtpd[5654]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 00:27:32 messagerie postfix/smtpd[9260]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 02:22:29 messagerie postfix/smtpd[15942]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 04:05:28 messagerie postfix/smtpd[18713]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 08:51:57 messagerie postfix/smtpd[26630]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 09:28:31 messagerie postfix/smtpd[27272]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 10:25:28 messagerie postfix/smtpd[27943]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
--- less than 24 hours , 19 attempts ----
Sep 15 12:10:52 messagerie postfix/smtpd[31898]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 14:47:49 messagerie postfix/smtpd[36892]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 19:34:48 messagerie postfix/smtpd[45045]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 21:29:18 messagerie postfix/smtpd[47890]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 21:57:39 messagerie postfix/smtpd[48234]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 15 22:11:43 messagerie postfix/smtpd[48234]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 01:43:17 messagerie postfix/smtpd[56386]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 04:08:04 messagerie postfix/smtpd[59243]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 06:06:34 messagerie postfix/smtpd[61984]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 10:07:22 messagerie postfix/smtpd[3019]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 11:48:31 messagerie postfix/smtpd[5676]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
--- less than 24 hours, 11 attempts ---
Sep 16 15:57:47 messagerie postfix/smtpd[12907]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 16:49:52 messagerie postfix/smtpd[14043]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 17:56:26 messagerie postfix/smtpd[15798]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 16 23:18:18 messagerie postfix/smtpd[23541]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 17 00:55:30 messagerie postfix/smtpd[29593]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 17 04:03:45 messagerie postfix/smtpd[33811]: warning: 39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # grep 2.139.229.39 /var/log/mail.warn.1 | wc -l
36
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #

2) Proof that it hasn't been banned
-----------------------------------

root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # zgrep 2.139.229.39 /var/log/fail2ban.log*
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #


FULL CONFIGURATION
==================

Here's my configuration for the postfix jails : I have postfix, postfix-sasl and postfix-sasl-long.

The postfix jail is for rejected mail
The postfix-sasl jail is for login failures (3 in 5 minutes)
The postfix-sasl-long jail is for login failures in a longer period of time (10 in 24 hours)

root@messagerie[10.10.10.19] ~ # fail2ban-client -d | grep postfix
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
['add', 'postfix', 'auto']
['set', 'postfix', 'usedns', 'warn']
['set', 'postfix', 'addlogpath', '/var/log/mail.log']
['set', 'postfix', 'maxretry', 3]
['set', 'postfix', 'addignoreip', '127.0.0.1/8']
['set', 'postfix', 'addignoreip', '10.10.10.0/24']
['set', 'postfix', 'addignoreip', '172.16.0.0/16']
['set', 'postfix', 'addignoreip', '192.168.0.0/16']
['set', 'postfix', 'ignorecommand', '']
['set', 'postfix', 'findtime', 600]
['set', 'postfix', 'bantime', 86400]
['set', 'postfix', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*NOQUEUE: reject: RCPT from \\S+\\[<HOST>\\]: 554 5\\.7\\.1 .*$']
['set', 'postfix', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*NOQUEUE: reject: RCPT from \\S+\\[<HOST>\\]: 450 4\\.7\\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$']
['set', 'postfix', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*NOQUEUE: reject: VRFY from \\S+\\[<HOST>\\]: 550 5\\.1\\.1 .*$']
['set', 'postfix', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*improper command pipelining after \\S+ from [^[]*\\[<HOST>\\]:?$']
['set', 'postfix', 'addaction', 'shorewall']
['set', 'postfix', 'actionban', 'shorewall', 'shorewall <blocktype> <ip>']
['set', 'postfix', 'actionstop', 'shorewall', '']
['set', 'postfix', 'actionstart', 'shorewall', '']
['set', 'postfix', 'actionunban', 'shorewall', 'shorewall allow <ip>']
['set', 'postfix', 'actioncheck', 'shorewall', '']
['set', 'postfix', 'setcinfo', 'shorewall', 'blocktype', 'reject']
['add', 'postfix-sasl', 'auto']
['set', 'postfix-sasl', 'usedns', 'warn']
['set', 'postfix-sasl', 'addlogpath', '/var/log/mail.warn']
['set', 'postfix-sasl', 'maxretry', 3]
['set', 'postfix-sasl', 'addignoreip', '127.0.0.1/8']
['set', 'postfix-sasl', 'addignoreip', '10.10.10.0/24']
['set', 'postfix-sasl', 'addignoreip', '172.16.0.0/16']
['set', 'postfix-sasl', 'addignoreip', '192.168.0.0/16']
['set', 'postfix-sasl', 'ignorecommand', '']
['set', 'postfix-sasl', 'findtime', 600]
['set', 'postfix-sasl', 'bantime', 86400]
['set', 'postfix-sasl', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\\s*$']
['set', 'postfix-sasl', 'addaction', 'shorewall']
['set', 'postfix-sasl', 'actionban', 'shorewall', 'shorewall <blocktype> <ip>']
['set', 'postfix-sasl', 'actionstop', 'shorewall', '']
['set', 'postfix-sasl', 'actionstart', 'shorewall', '']
['set', 'postfix-sasl', 'actionunban', 'shorewall', 'shorewall allow <ip>']
['set', 'postfix-sasl', 'actioncheck', 'shorewall', '']
['set', 'postfix-sasl', 'setcinfo', 'shorewall', 'blocktype', 'reject']
['add', 'postfix-sasl-long', 'auto']
['set', 'postfix-sasl-long', 'usedns', 'warn']
['set', 'postfix-sasl-long', 'addlogpath', '/var/log/mail.warn']
['set', 'postfix-sasl-long', 'maxretry', 10]
['set', 'postfix-sasl-long', 'addignoreip', '127.0.0.1/8']
['set', 'postfix-sasl-long', 'addignoreip', '10.10.10.0/24']
['set', 'postfix-sasl-long', 'addignoreip', '172.16.0.0/16']
['set', 'postfix-sasl-long', 'addignoreip', '192.168.0.0/16']
['set', 'postfix-sasl-long', 'ignorecommand', '']
['set', 'postfix-sasl-long', 'findtime', 86400]
['set', 'postfix-sasl-long', 'bantime', 432000]
['set', 'postfix-sasl-long', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\\s*$']
['set', 'postfix-sasl-long', 'addaction', 'shorewall']
['set', 'postfix-sasl-long', 'actionban', 'shorewall', 'shorewall <blocktype> <ip>']
['set', 'postfix-sasl-long', 'actionstop', 'shorewall', '']
['set', 'postfix-sasl-long', 'actionstart', 'shorewall', '']
['set', 'postfix-sasl-long', 'actionunban', 'shorewall', 'shorewall allow <ip>']
['set', 'postfix-sasl-long', 'actioncheck', 'shorewall', '']
['set', 'postfix-sasl-long', 'setcinfo', 'shorewall', 'blocktype', 'reject']
['start', 'postfix']
['start', 'postfix-sasl']
['start', 'postfix-sasl-long']

In particular, we have the following configuration for the postfix-sasl jail that should have banned the first IP 163.172.20.242

['set', 'postfix-sasl', 'addlogpath', '/var/log/mail.warn']
['set', 'postfix-sasl', 'maxretry', 3]
['set', 'postfix-sasl', 'findtime', 600]
['set', 'postfix-sasl', 'bantime', 86400]
['set', 'postfix-sasl', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\\s*$']

And this config for postfix-sasl-long that should have banned the second IP 2.139.229.39

['set', 'postfix-sasl-long', 'addlogpath', '/var/log/mail.warn']
['set', 'postfix-sasl-long', 'maxretry', 10]
['set', 'postfix-sasl-long', 'findtime', 86400]
['set', 'postfix-sasl-long', 'bantime', 432000]
['set', 'postfix-sasl-long', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\\s*$']

Any hints appreciated.
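Added example (editor's code, not the poster's and not fail2ban's own): it replays a jail's maxretry/findtime counting over constructed log lines that reuse the timestamps quoted above, applying the postfix-sasl failregex from the thread, so you can tell whether the filter side should have fired at all; if it should have and fail2ban.log shows no Ban, the fault is in the running jail or its action rather than in the regex or the window. It assumes a plain per-IP sliding window (a simplification of fail2ban's FailManager bookkeeping), expands <HOST> to an IPv4-only group, and takes the year as 2017 since syslog lines carry none.

```python
"""Replay a fail2ban jail's findtime/maxretry counting over postfix SASL log lines."""
import re
from datetime import datetime, timedelta

# The postfix-sasl failregex quoted in the thread. fail2ban's <HOST> tag is
# replaced by a named IPv4 group (assumption: the real tag also accepts
# hostnames and IPv6). fail2ban strips the syslog timestamp before matching,
# so this regex is applied to the rest of the line only.
FAILREGEX = re.compile(
    r"^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?"
    r"(?:(?:\[\d+\])?:\s+[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?"
    r"|[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?"
    r"\s(?:\[ID \d+ \S+\])?\s*warning: [-._\w]+"
    r"\[(?P<host>\d{1,3}(?:\.\d{1,3}){3})\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) "
    r"authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$"
)
# syslog "Mon DD HH:MM:SS" prefix; the year is absent from the line (2017 assumed below)
TIMESTAMP = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (.*)$")


def parse_failure(line, year=2017):
    """Return (datetime, ip) when the line is a SASL auth failure, else None."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    f = FAILREGEX.match(m.group(2))
    if not f:
        return None
    when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return when, f.group("host")


def replay_jail(lines, maxretry, findtime):
    """Per-IP sliding window of `findtime` seconds (a simplification of
    fail2ban's own FailManager bookkeeping). A ban is reported at the failure
    that brings the window to `maxretry`. Returns {ip: (total, ban_time)}."""
    window = {}   # ip -> failure times still inside the window
    result = {}   # ip -> (failures seen, time the first ban was due, or None)
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue            # not a failure line: the jail ignores it
        when, ip = parsed
        hits = [t for t in window.get(ip, []) if when - t <= timedelta(seconds=findtime)]
        hits.append(when)
        window[ip] = hits
        total, banned = result.get(ip, (0, None))
        if banned is None and len(hits) >= maxretry:
            banned = when
        result[ip] = (total + 1, banned)
    return result


# Constructed sample log: timestamps and hosts copied from the thread, rendered
# through one template line (the "Connection lost to authentication server"
# variant in the real log is matched by the same regex).
TEMPLATE = ("{ts} messagerie postfix/smtpd[{pid}]: warning: {rdns}[{ip}]: "
            "SASL LOGIN authentication failed: UGFzc3dvcmQ6")
BURST = ("163.172.20.242", "163-172-20-242.rev.poneytelecom.eu",
         ["Sep 15 00:44:00"] * 4 + ["Sep 15 00:44:01", "Sep 15 00:44:06", "Sep 15 00:44:16"])
SLOW = ("2.139.229.39", "39.red-2-139-229.staticip.rima-tde.net",
        ["Sep 14 11:56:11", "Sep 14 12:23:30", "Sep 14 14:53:44", "Sep 14 15:24:51",
         "Sep 14 16:09:21", "Sep 14 17:23:55", "Sep 14 17:30:39", "Sep 14 18:51:09",
         "Sep 14 19:04:43", "Sep 14 20:46:44", "Sep 14 21:27:24", "Sep 14 21:40:56"])


def sample_lines():
    lines = []
    for ip, rdns, stamps in (BURST, SLOW):
        for n, ts in enumerate(stamps):
            lines.append(TEMPLATE.format(ts=ts, pid=10000 + n, rdns=rdns, ip=ip))
    # an unrelated smtpd event the failregex must not count (constructed)
    lines.append("Sep 14 12:00:00 messagerie postfix/smtpd[10099]: connect from unknown[203.0.113.7]")
    return lines


if __name__ == "__main__":
    # the two jails from the thread: (name, maxretry, findtime)
    for jail, maxretry, findtime in (("postfix-sasl", 3, 600), ("postfix-sasl-long", 10, 86400)):
        for ip, (total, banned) in replay_jail(sample_lines(), maxretry, findtime).items():
            verdict = f"Ban was due at {banned}" if banned else "no ban due"
            print(f"[{jail}] {ip}: {total} failures, {verdict}")
```

fail2ban reads the log in polling batches and runs the ban action asynchronously, so lines logged in the same second as the failure that reaches maxretry (the five 00:44:00-00:44:01 lines above) are often already read before the ban takes effect; the replay reports the earliest point at which the ban was due, not when it landed in the firewall.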
From: Dominic R. <do...@ti...> - 2017-09-17 10:27:27
On 17 September 2017 at 11:12, chaouche yacine via Fail2ban-users <fai...@li...> wrote:

> Hello list,
>
> I have two problems to discuss here
> ...
>

Assuming your machine is using iptables you can check if a given ip is actually banned there (during the period of fail2ban's supposed ban) - this may help isolate where the problem is:

iptables -nL|grep -F ip.value.to.check

example from my server (I use syslog for f2b logging):

$ sudo grep -a "fail2ban" /var/log/syslog | tail -n1
2017-09-17 11:18:01 myserver fail2ban.actions[1594]: NOTICE [postfix] Ban 14.165.80.98

$ sudo iptables -nL | grep -F 14.165.80.98
REJECT     all  --  14.165.80.98         0.0.0.0/0            reject-with icmp-port-unreachable
From: chaouche y. <yac...@ya...> - 2017-09-17 10:34:56
Hello Dominic,

There was only 1 IP that was banned out of 4. The banned one has been unbanned after bantime (1 day) so I can't find it in iptables :

root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # iptables -nL | grep 201.236.111.84
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #

The other 3 weren't banned by fail2ban

NB : I am using shorewall, which uses iptables under the hood IIRC.
From: Bill S. <bsh...@op...> - 2017-09-18 21:25:22
You do realize if you run shorewall commands (restart|stop|clear|etc) it will wipe out the iptables entries that fail2ban adds? Shorewall reloads the entire iptables.

You should use an ipset instead.

Define the ipsets in /etc/shorewall/init:

ipset -exist create fail2ban-IPv4-port hash:ip,port timeout 3600
ipset -exist create fail2ban-IPv4-ip hash:ip timeout 86400

add this after the ?SECTION NEW in /etc/shorewall/rules

?COMMENT flagged by fail2ban
DROP    inet:+fail2ban-IPv4-port[src,dst]    fw
DROP    inet:+fail2ban-IPv4-ip[src]          fw

Create a /etc/fail2ban/action.d/iptables-ipset-proto4.local (a copy of iptables-ipset-proto4.conf) and blank out:

actioncheck =
actionstart =
actionstop =

(Don't need these because the ipsets are defined in shorewall init.)

Modify jails to use iptables-ipset-proto4.

Note in the boot order: Shorewall should start before fail2ban.

Bill

On 9/17/2017 6:34 AM, chaouche yacine via Fail2ban-users wrote:
> Hello Dominic,
>
> There was only 1 IP that was banned out of 4. The banned one has been unbanned after bantime (1 day) so I can't find it in
> iptables :
>
> root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # iptables -nL | grep 201.236.111.84
> root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #
>
> The other 3 weren't banned by fail2ban
>
> NB : I am using shorewall, which uses iptables under the hood IIRC.
From: Dominic R. <do...@ti...> - 2017-09-17 10:46:47
On 17 September 2017 at 11:34, chaouche yacine <yac...@ya...> wrote:

> Hello Dominic,
>
> There was only 1 IP that was banned out of 4. The banned one has been
> unbanned after bantime (1 day) so I can't find it in iptables :
>
> root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # iptables -nL | grep
> 201.236.111.84
> root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #
>
> The other 3 werent' banned by fail2ban
>
> NB : I am using shorewall, which uses iptables under the hood IIRC.
>

Too bad. It might be worth monitoring for the next time there is a fail2ban-postfix-sasl ban and having a look in iptables then.

I suspect that fail2ban is failing to implement the ban in iptables. Try:

$ fail2ban-client get postfix-sasl actions
iptables-multiport

Then you can find the actual ban action (your action may differ from the above, in which case substitute appropriately):

$ fail2ban-client get postfix-sasl action iptables-multiport actionban
<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

This tells you what fail2ban is doing to execute the ban.
From: chaouche y. <yac...@ya...> - 2017-09-17 14:58:01
Dominic,

Thank you so much for your troubleshooting tips. Apparently, I shouldn't have trusted the output of fail2ban -d :

root@messagerie[10.10.10.19] ~ # fail2ban-client -d | grep postfix-sasl-long
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
['add', 'postfix-sasl-long', 'auto']
['set', 'postfix-sasl-long', 'usedns', 'warn']
['set', 'postfix-sasl-long', 'addlogpath', '/var/log/mail.warn']
['set', 'postfix-sasl-long', 'maxretry', 10]
['set', 'postfix-sasl-long', 'addignoreip', '127.0.0.1/8']
['set', 'postfix-sasl-long', 'addignoreip', '10.10.10.0/24']
['set', 'postfix-sasl-long', 'addignoreip', '172.16.0.0/16']
['set', 'postfix-sasl-long', 'addignoreip', '192.168.0.0/16']
['set', 'postfix-sasl-long', 'ignorecommand', '']
['set', 'postfix-sasl-long', 'findtime', 86400]
['set', 'postfix-sasl-long', 'bantime', 432000]
['set', 'postfix-sasl-long', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\\s*$']
['set', 'postfix-sasl-long', 'addaction', 'shorewall']
['set', 'postfix-sasl-long', 'actionban', 'shorewall', 'shorewall <blocktype> <ip>']
['set', 'postfix-sasl-long', 'actionstop', 'shorewall', '']
['set', 'postfix-sasl-long', 'actionstart', 'shorewall', '']
['set', 'postfix-sasl-long', 'actionunban', 'shorewall', 'shorewall allow <ip>']
['set', 'postfix-sasl-long', 'actioncheck', 'shorewall', '']
['set', 'postfix-sasl-long', 'setcinfo', 'shorewall', 'blocktype', 'reject']
['start', 'postfix-sasl-long']
root@messagerie[10.10.10.19] ~ #

Here it seems that the jail postfix-sasl-long exists, but when I issue the command you have given

root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # fail2ban-client get postfix-sasl-long addaction
ERROR  NOK: ('postfix-sasl-long',)
Sorry but the jail 'postfix-sasl-long' does not exist
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #

The jail doesn't exist ! are there two configurations for fail2ban ? (one for the "client" and one for the "server" ?)

After restarting (the server I guess), the jail is found and the action too

root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # service fail2ban restart
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # fail2ban-client get postfix-sasl-long addaction
shorewall
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #

I'll leave it like this for a day and see what I get tomorrow.

Thanks again !