Hello list.

I have a question about fail2ban for bad logins on SASL. I use SASL, sendmail and cyrus-imapd. In jail.conf I use the following syntax:

    [sasl-iptables]

    enabled = true
    filter = sasl
    backend = polling
    action = iptables[name=sasl, port=smtp, protocol=tcp]
             sendmail-whois[name=sasl, dest=my at email]
    logpath = /var/log/maillog
    maxretry = 6

and the following filter:

    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$

in iptables:

    fail2ban-sasl  tcp  --  anywhere  anywhere  tcp dpt:smtp
    ...

    Chain fail2ban-sasl (2 references)
    target  prot opt source    destination
    RETURN  all  --  anywhere  anywhere

The problem is that it never bans bad logins.

I tried to change the action to port="imap,imaps,pop3,pop3s,smtp" but nothing changes.

Can somebody help me?

Thank you,
Nikos
centos-bounces at centos.org wrote on 09.08.2011 10:39:57:

> Nikos Gatsis - Qbit <ngatsis at qbit.gr>
> Sent by: centos-bounces at centos.org
> 09.08.2011 10:40
> To: centos at centos.org
> Subject: [CentOS] fail2ban help
>
> Hello list.
> I have a question about fail2ban for bad logins on SASL.
> I use SASL, sendmail and cyrus-imapd.
> [...]
> failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
> [...]
> The problem is that it never bans bad logins.
> [...]

Hello Nikos,
I have nearly the same regex as you:

    failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed.*

and it works with

    fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sasl.conf

Regards
Andreas Reschke
________________________________________________________________
Unix/Linux-Administration
Andreas.Reschke at behrgroup.com
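The fastest way to see why a regex matches on Andreas's server and not on Nikos's is to run each failregex over real lines, which is exactly what fail2ban-regex does (it also accepts a single quoted log line instead of a file as its first argument). The script below is an added example, not code from the thread or from fail2ban: it expands <HOST> the way fail2ban 0.8 does (that host pattern is taken from its filter.py and is an assumption here), runs the failregex values from this thread over a constructed maillog sample, and counts hits per host the way fail2ban-regex's summary does. Both the stock sasl.conf regex and Andreas's variant look for the `warning: host[ip]: SASL ... authentication failed` line that Postfix's smtpd writes; Cyrus imapd and pop3d log a failed login as `badlogin: host [ip] plaintext user SASL(-13): ...`, so on a sendmail plus cyrus-imapd box those two patterns see nothing at all. The Cyrus pattern used here is the `badlogin:` regex Nikos arrives at later in the thread, with the username class given a `+` quantifier (an assumption: as posted it matches exactly one character).

```python
import re
from collections import Counter

# What fail2ban 0.8 substitutes for the <HOST> tag in a failregex (assumed from its
# filter.py; the named group "host" is what ends up in the ban list).
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The three failregex values from the thread. The Cyrus one is generalised here:
# the username class carries a "+" quantifier, on the assumption that usernames
# in the log are longer than one character; the regex as posted had none.
FAILREGEX = {
    "stock-sasl": (
        r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
        r" authentication failed(: [A-Za-z0-9+/]*={0,2})?$"
    ),
    "andreas": (
        r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
        r" authentication failed.*"
    ),
    "cyrus-badlogin": (
        r": badlogin: [-._\w]+ \[<HOST>\] plaintext [-._@\w]+ SASL\(-13\):"
        r" authentication failure: checkpass failed"
    ),
}

# Constructed sample of /var/log/maillog (not real log data). The first four lines
# use the format Cyrus imapd/pop3d write; the last one is the Postfix smtpd
# format that the stock sasl.conf filter was written for.
MAILLOG = """\
Aug  9 10:12:01 mail imap[2231]: badlogin: dsl-23.example.net [198.51.100.23] plaintext nikos SASL(-13): authentication failure: checkpass failed
Aug  9 10:12:04 mail imap[2232]: badlogin: dsl-23.example.net [198.51.100.23] plaintext admin SASL(-13): authentication failure: checkpass failed
Aug  9 10:12:09 mail pop3[2240]: badlogin: dsl-23.example.net [198.51.100.23] plaintext root SASL(-13): authentication failure: checkpass failed
Aug  9 10:12:11 mail imap[2233]: login: dsl-23.example.net [198.51.100.23] nikos plaintext User logged in
Aug  9 10:13:30 relay postfix/smtpd[8812]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def match_hosts(failregex, log_text):
    """Count matched lines per host, like the summary fail2ban-regex prints."""
    rx = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return dict(hits)


def hosts_to_ban(failregex, log_text, maxretry=6):
    """Hosts that reach maxretry failures (findtime ignored: the sample lies inside it)."""
    return sorted(h for h, n in match_hosts(failregex, log_text).items() if n >= maxretry)


def report(log_text=MAILLOG, maxretry=6):
    """Run every failregex over the sample and return {name: (hits, banned)}."""
    out = {}
    for name, rx in FAILREGEX.items():
        out[name] = (match_hosts(rx, log_text), hosts_to_ban(rx, log_text, maxretry))
    return out


if __name__ == "__main__":
    for name, (hits, banned) in report().items():
        print(f"{name:16s} hits={hits} banned={banned}")
```

With the sample above the two Postfix-style patterns report one hit for the Postfix line and nothing for the Cyrus lines, while the `badlogin:` pattern reports three hits for 198.51.100.23; with maxretry = 6 that is still short of a ban, which is worth remembering when testing against a small log window.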
> Hello Nikos,
> I have nearly the same regex as you:
>
> failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed.*
>
> and it works with
> fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sasl.conf
>
> Regards
> Andreas Reschke

---------------------------------------------------------

I tried yours and get no matches on maillog.
Do you think that the following is correct?

    ... port="imap,imaps,pop3,pop3s,smtp" ...

Thank you
On 9/8/2011 7:00, centos-request at centos.org wrote:
> [...]
> Hello Nikos,
> I have nearly the same regex as you:
>
> failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed.*
> and it works with
> fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sasl.conf
>
> Regards

Hello list,

I changed the failregex and finally it shows results!

    failregex = : badlogin: [-._\w]+ \[<HOST>\] plaintext [A-Za-z0-9+/] SASL\(-13\): authentication failure: checkpass failed

fail2ban-regex finds hits. However, although a line is added in iptables and I receive an email that shows the banned IP address, bad logins still continue from the same IP.

iptables -L:

    Chain INPUT (policy ACCEPT)
    target         prot opt source    destination
    fail2ban-sasl  tcp  --  anywhere  anywhere     tcp dpt:smtp
    fail2ban-SSH   tcp  --  anywhere  anywhere     tcp dpt:ssh
    ...

    Chain fail2ban-sasl (1 references)
    target  prot opt source         destination
    DROP    all  --  [ip.ip.ip.ip]  anywhere
    RETURN  all  --  anywhere       anywhere

What is wrong now?

Thank you
Nikos
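The ban itself is working: the DROP line for [ip.ip.ip.ip] is in chain fail2ban-sasl, and the e-mail from sendmail-whois confirms the action fired. What the listing also shows is the scope of that ban. The only jump into fail2ban-sasl from INPUT is `tcp dpt:smtp`, because the stock `iptables` action inserts a single `-p tcp --dport <port>` rule. The `badlogin:` lines the new failregex matches are written by Cyrus imapd and pop3d, that is, for IMAP and POP3 logins on ports 143/993/110/995, and those connections never traverse fail2ban-sasl, so the same client keeps failing logins while "banned". The comma-separated port list asked about earlier in the thread is valid for the `iptables-multiport` action (which uses `-m multiport --dports`), not for `iptables`, so the jail wants `action = iptables-multiport[name=sasl, port="imap,imaps,pop3,pop3s,smtp", protocol=tcp]`; after restarting fail2ban, `iptables -L INPUT -n` should show the jump with a `multiport dports` match listing all five ports, and `fail2ban-client status sasl-iptables` lists the currently banned addresses. The following added example (not from the thread and not fail2ban code) models that rule walk in Python to make the difference visible, with a constructed address standing in for [ip.ip.ip.ip].

```python
from __future__ import annotations

from dataclasses import dataclass

# Hypothetical model of the relevant iptables chains: only the source address and the
# TCP destination port are matched, which is all that fail2ban's rules look at.
SERVICES = {"ssh": 22, "smtp": 25, "pop3": 110, "imap": 143, "imaps": 993, "pop3s": 995}

BANNED_IP = "198.51.100.23"   # constructed address standing in for [ip.ip.ip.ip]
OTHER_IP = "203.0.113.7"      # constructed address for an unrelated client


@dataclass(frozen=True)
class Rule:
    target: str                       # ACCEPT, DROP, RETURN, or a chain name to jump to
    src: str | None = None            # None means "anywhere"
    dports: frozenset = frozenset()   # empty means any destination port


def evaluate(chains, pkt_src, pkt_dport, chain="INPUT", policy="ACCEPT"):
    """Walk a chain the way netfilter does; return the verdict, or None on RETURN."""
    for rule in chains[chain]:
        if rule.src is not None and rule.src != pkt_src:
            continue
        if rule.dports and pkt_dport not in rule.dports:
            continue
        if rule.target == "RETURN":
            return None               # back to the calling chain, which carries on
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        verdict = evaluate(chains, pkt_src, pkt_dport, rule.target)
        if verdict is not None:
            return verdict
    return policy if chain == "INPUT" else None


def fail2ban_chains(jump_ports, banned=(BANNED_IP,)):
    """Build INPUT plus the fail2ban-sasl and fail2ban-SSH chains from the listing.

    jump_ports models the port list of the jail's action: the stock iptables action
    inserts one "-p tcp --dport <port>" jump, iptables-multiport inserts one
    "-m multiport --dports a,b,c" jump covering every listed port.
    """
    ports = frozenset(SERVICES[p] for p in jump_ports)
    return {
        "INPUT": [
            Rule("fail2ban-sasl", dports=ports),
            Rule("fail2ban-SSH", dports=frozenset({SERVICES["ssh"]})),
        ],
        "fail2ban-sasl": [Rule("DROP", src=ip) for ip in banned] + [Rule("RETURN")],
        "fail2ban-SSH": [Rule("RETURN")],
    }


def verdicts(jump_ports, src=BANNED_IP):
    """Verdict for one client on each mail port, keyed by service name."""
    chains = fail2ban_chains(jump_ports)
    return {svc: evaluate(chains, src, port) for svc, port in SERVICES.items() if svc != "ssh"}


if __name__ == "__main__":
    print("iptables, port=smtp            :", verdicts(["smtp"]))
    print("iptables-multiport, five ports :", verdicts(["smtp", "imap", "imaps", "pop3", "pop3s"]))
```

With the smtp-only jump the banned client is dropped on port 25 and accepted on 110/143/993/995, which is precisely the symptom in the thread; with the multiport jump it is dropped on all five while an unrelated client still reaches every port.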