linuxshelliptablesfail2ban

I can't seem to get Fail2ban to successfully ban IP addresses that are trying to authenticate against our email server


Recently, my manager installed fail2ban on our ubuntu 10.04 email server to ban ip addresses that failed to authenticate to our email server. As we monitor the system, we don't see the IPs that continually try to authenticate on our system banned by fail2ban. What are we doing wrong? Below are the conf files:

fail2ban.conf

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 629 $
#

[Definition]

# Option:  loglevel
# Notes.:  Set the log level output.
#          1 = ERROR
#          2 = WARN
#          3 = INFO
#          4 = DEBUG
# Values:  NUM  Default:  3
#
loglevel = 3

# Option:  logtarget
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#          Only one log target can be specified.
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
#
logtarget = /var/log/fail2ban.log

# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
#         not remove this file when Fail2ban runs. It will not be possible to
#         communicate with the server afterwards.
# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock

jail.conf Enabled postfix and sasl filters only

# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
#  for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision: 281 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host

# 12/17/19 added to line below: /8
ignoreip = 127.0.0.1/8
bantime  = -1
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now

# 12/17/19 changed from: polling  to: auto
backend = auto

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define 
# action_* variables. Can be overriden globally or per 
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section 
action = %(action_)s

#
# JAILS
#

# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME] 
# enabled = true

#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]

enabled = false
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 6

# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]

enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter  = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port     = anyport
logpath  = /var/log/auth.log
maxretry = 6

[xinetd-fail]

enabled   = false
filter    = xinetd-fail
port      = all
banaction = iptables-multiport-log
logpath   = /var/log/daemon.log
maxretry  = 2


[ssh-ddos]

enabled = false
port    = ssh
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6

#
# HTTP servers
#

[apache]

enabled = false
port    = http,https
filter  = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

enabled   = false
port      = http,https
filter    = apache-auth
logpath   = /var/log/apache*/*error.log
maxretry  = 6

[apache-noscript]

enabled = false
port    = http,https
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-overflows]

enabled = false
port    = http,https
filter  = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2

#
# FTP servers
#

[vsftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6


[proftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6


[wuftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 6


#
# Mail servers
#

[postfix]
# Enabled line below on 12/17/19 by Jesus
enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log


[couriersmtp]

enabled  = false
port     = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courierauth]

enabled  = false
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = courierlogin
logpath  = /var/log/mail.log


[sasl]
enabled  = true
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
logpath  = /var/log/mail.log


# DNS Servers


# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging

# Word of Caution:
# Given filter can lead to DoS attack against your DNS server
# since there is no way to assure that UDP packets come from the
# real source IP
[named-refused-udp]

enabled  = false
port     = domain,953
protocol = udp
filter   = named-refused
logpath  = /var/log/named/security.log

[named-refused-tcp]

enabled  = false
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/log/named/security.log

postfix.conf

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 728 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = reject: RCPT from (.*)\[<HOST>\]: 554

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 

sasl.conf

# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 

iptables show the following:

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-sasl  tcp  --  anywhere             anywhere            multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
fail2ban-postfix  tcp  --  anywhere             anywhere            multiport dports smtp,ssmtp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-postfix (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-sasl (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Partial log file entries(/var/log/mail.log)

Dec 29 06:39:16 mail postfix/smtpd[19460]: warning: 38-155-190-109.dsl.ovh.fr[109.190.155.38]: SASL LOGIN authentication failed: authentication failure
Dec 29 06:39:16 mail postfix/smtpd[19460]: lost connection after AUTH from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:16 mail postfix/smtpd[19460]: disconnect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:16 mail postfix/smtpd[19460]: connect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:17 mail postfix/smtpd[19460]: warning: 38-155-190-109.dsl.ovh.fr[109.190.155.38]: SASL LOGIN authentication failed: authentication failure
Dec 29 06:39:17 mail postfix/smtpd[19460]: lost connection after AUTH from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:17 mail postfix/smtpd[19460]: disconnect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:17 mail postfix/smtpd[19460]: connect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:18 mail postfix/smtpd[19460]: warning: 38-155-190-109.dsl.ovh.fr[109.190.155.38]: SASL LOGIN authentication failed: authentication failure
Dec 29 06:39:18 mail postfix/smtpd[19460]: lost connection after AUTH from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:18 mail postfix/smtpd[19460]: disconnect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:18 mail postfix/smtpd[19460]: connect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:18 mail postfix/smtpd[19460]: warning: 38-155-190-109.dsl.ovh.fr[109.190.155.38]: SASL LOGIN authentication failed: authentication failure
Dec 29 06:39:19 mail postfix/smtpd[19460]: lost connection after AUTH from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:19 mail postfix/smtpd[19460]: disconnect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:19 mail postfix/smtpd[19460]: connect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:19 mail postfix/smtpd[19460]: warning: 38-155-190-109.dsl.ovh.fr[109.190.155.38]: SASL LOGIN authentication failed: authentication failure
Dec 29 06:39:19 mail postfix/smtpd[19460]: lost connection after AUTH from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:19 mail postfix/smtpd[19460]: disconnect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:19 mail postfix/smtpd[19460]: connect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:20 mail postfix/smtpd[19460]: warning: 38-155-190-109.dsl.ovh.fr[109.190.155.38]: SASL LOGIN authentication failed: authentication failure
Dec 29 06:39:20 mail postfix/smtpd[19460]: lost connection after AUTH from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:20 mail postfix/smtpd[19460]: disconnect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:20 mail postfix/smtpd[19460]: connect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:21 mail postfix/smtpd[19460]: warning: 38-155-190-109.dsl.ovh.fr[109.190.155.38]: SASL LOGIN authentication failed: authentication failure
Dec 29 06:39:21 mail postfix/smtpd[19460]: lost connection after AUTH from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:21 mail postfix/smtpd[19460]: disconnect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:21 mail postfix/smtpd[19460]: connect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:22 mail postfix/smtpd[19460]: warning: 38-155-190-109.dsl.ovh.fr[109.190.155.38]: SASL LOGIN authentication failed: authentication failure
Dec 29 06:39:22 mail postfix/smtpd[19460]: lost connection after AUTH from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:22 mail postfix/smtpd[19460]: disconnect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:22 mail postfix/smtpd[19460]: connect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:22 mail postfix/smtpd[19460]: warning: 38-155-190-109.dsl.ovh.fr[109.190.155.38]: SASL LOGIN authentication failed: authentication failure
Dec 29 06:39:23 mail postfix/smtpd[19460]: lost connection after AUTH from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:23 mail postfix/smtpd[19460]: disconnect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:23 mail postfix/smtpd[19460]: connect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:23 mail postfix/smtpd[19460]: warning: 38-155-190-109.dsl.ovh.fr[109.190.155.38]: SASL LOGIN authentication failed: authentication failure
Dec 29 06:39:23 mail postfix/smtpd[19460]: lost connection after AUTH from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:23 mail postfix/smtpd[19460]: disconnect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:24 mail postfix/smtpd[19460]: connect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:24 mail postfix/smtpd[19460]: warning: 38-155-190-109.dsl.ovh.fr[109.190.155.38]: SASL LOGIN authentication failed: authentication failure
Dec 29 06:39:24 mail postfix/smtpd[19460]: lost connection after AUTH from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:24 mail postfix/smtpd[19460]: disconnect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:24 mail postfix/smtpd[19460]: connect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:25 mail postfix/smtpd[19460]: warning: 38-155-190-109.dsl.ovh.fr[109.190.155.38]: SASL LOGIN authentication failed: authentication failure
Dec 29 06:39:25 mail postfix/smtpd[19460]: lost connection after AUTH from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:25 mail postfix/smtpd[19460]: disconnect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:25 mail postfix/smtpd[19460]: connect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:26 mail postfix/smtpd[19460]: warning: 38-155-190-109.dsl.ovh.fr[109.190.155.38]: SASL LOGIN authentication failed: authentication failure
Dec 29 06:39:26 mail postfix/smtpd[19460]: lost connection after AUTH from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:26 mail postfix/smtpd[19460]: disconnect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:26 mail postfix/smtpd[19460]: connect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:26 mail postfix/smtpd[19460]: warning: 38-155-190-109.dsl.ovh.fr[109.190.155.38]: SASL LOGIN authentication failed: authentication failure
Dec 29 06:39:27 mail postfix/smtpd[19460]: lost connection after AUTH from 38-155-190-109.dsl.ovh.fr[109.190.155.38]
Dec 29 06:39:27 mail postfix/smtpd[19460]: disconnect from 38-155-190-109.dsl.ovh.fr[109.190.155.38]

Solution

  • Jail postfix does not monitoring SASL authentication issues (in v.0.9 at all, in v. >= 0.10 per default).
    There are another default jail postfix-sasl that would do the job.
    If you would upgrade to fail2ban >= 0.10, you can use common jail postfix with specifying mode parameter (to use single jail for any kind of postfix failures), for example:

    [postfix]
    mode = aggressive
    enabled = true
    

    For v.0.9 use jail postfix-sasl.
    If your fail2ban version is < 0.9 (but the filter has a common.conf include), you can try to extend the filter you have with this regex:

    _port = (?::\d+)?
    failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
    

    If doesn't have common-include (or does not work in your old fail2ban version), the regex could look like:

    failregex = ^\s+mail\s+postfix/\S+: warning: [-._\w]+\[<HOST>\](?::\d+)?: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
    

    You can also use fail2ban-regex to check the filter works for you:

    # >= 0.10:
    fail2ban-regex /var/log/mail.log 'postfix[mode=auth]'
    fail2ban-regex /var/log/mail.log 'postfix[mode=aggressive]'
    # <= 0.9:
    fail2ban-regex /var/log/mail.log '/etc/fail2ban/filter.d/postfix-sasl'
    # own regex:
    fail2ban-regex /var/log/mail.log '^\s+mail\s+postfix/\S+: warning: [-._\w]+\[<HOST>\](?::\d+)?: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed'