Nicolas Kovacs
2021-Mar-29 19:31 UTC
[CentOS] Problem with mail server: stop flooding with fail2ban ?
Hi,

My main mail server is running CentOS 7 with Postfix and Dovecot.

Last week I was surprised to see that Postfix had some troubles on this machine, according to Icinga. I took a peek at the logs:

# journalctl -p err
Mar 28 04:37:02 sd-151768 postfix/smtpd[2786]: fatal: no SASL authentication mechanisms
Mar 28 04:37:02 sd-151768 postfix/smtpd[2788]: fatal: no SASL authentication mechanisms
Mar 28 04:37:02 sd-151768 postfix/smtpd[2790]: fatal: no SASL authentication mechanisms
Mar 28 04:37:02 sd-151768 postfix/smtpd[2792]: fatal: no SASL authentication mechanisms
Mar 28 04:37:02 sd-151768 postfix/smtpd[2794]: fatal: no SASL authentication mechanisms
...

And in /var/log/maillog I found a tsunami of these:

Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: warning: unknown[45.227.253.115]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: lost connection after AUTH from unknown[45.227.253.115]
Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: disconnect from unknown[45.227.253.115]

My first reaction was to manually ban the IP addresses / networks which caused the flood, using my firewall:

# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='45.227.253.0/24' reject"
# firewall-cmd --reload

I'm already using fail2ban in conjunction with firewalld to prevent brute force SSH attacks.

Q: can I use it in a similar configuration to stop Postfix from getting flooded and brought down to its knees?

Thanks & cheers from the sunny South of France,

Niki

--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12
Jamie Burchell
2021-Mar-31 08:19 UTC
[CentOS] Problem with mail server: stop flooding with fail2ban ?
I'm pretty sure I encountered this and needed to yum install cyrus-sasl-plain to resolve it.

> On 29 Mar 2021, at 20:31, Nicolas Kovacs <info at microlinux.fr> wrote:
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
David Hrbáč
2021-Mar-31 20:04 UTC
[CentOS] Problem with mail server: stop flooding with fail2ban ?
Hello Niki,

Just enable postfix-sasl in jail.conf:

[postfix-sasl]
filter = postfix[mode=auth]
port = smtp,465,submission,imap,imaps,pop3,pop3s
logpath = %(postfix_log)s
backend = %(postfix_backend)s
enabled = true
maxretry = 3
findtime = 172800
bantime = 3600

And enable recidive too:

[recidive]
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = 1mo
findtime = 1w
enabled = true

Add ignoreip = 127.0.0.1 and your jumpoints :)

Regards,
DH

On Mon 29. 3. 2021 at 21:31, Nicolas Kovacs <info at microlinux.fr> wrote:
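Added example (not part of the thread, and not fail2ban's own code): a small Python replay of what the postfix-sasl jail suggested above does with the maillog lines Niki posted. It uses an approximation of the `postfix[mode=auth]` failregex (assumption: the real filter is broader), counts failures per client address in a sliding `findtime` window, applies `maxretry` and `ignoreip`, and reports which addresses the jail would have banned. The sample log is constructed from the thread's lines (same address, with extra timestamps and a second client made up for the example), and the year is an assumption because syslog timestamps carry none. Running it against a real /var/log/maillog excerpt shows whether the thresholds in the jail would actually have caught the flood before Postfix fell over.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample maillog, modelled on the lines quoted in the thread.
# 45.227.253.115 is the address from the thread; 203.0.113.7 and
# 198.51.100.2 are documentation addresses added for the example.
SAMPLE_MAILLOG = """\
Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: warning: unknown[45.227.253.115]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: lost connection after AUTH from unknown[45.227.253.115]
Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: disconnect from unknown[45.227.253.115]
Mar 28 03:18:41 sd-151768 postfix/smtpd[29589]: warning: unknown[45.227.253.115]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 28 03:18:52 sd-151768 postfix/smtpd[29591]: warning: unknown[45.227.253.115]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 28 03:20:05 sd-151768 postfix/smtpd[29595]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Mar 28 03:21:00 sd-151768 postfix/smtpd[29600]: connect from mail.example.net[198.51.100.2]
"""

# Approximation of fail2ban's postfix[mode=auth] failregex (assumption:
# the shipped filter matches more variants; this covers the common
# LOGIN / PLAIN / CRAM-MD5 / DIGEST-MD5 failure lines from smtpd).
SASL_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: [-._\w]+\[(?P<host>[0-9a-fA-F.:]+)\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
)

LOG_YEAR = 2021  # syslog lines have no year; constructed assumption for the sample


def parse_failure(line):
    """Return (timestamp, client address) for a SASL auth failure line, else None."""
    m = SASL_FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")


def is_ignored(host, ignoreip):
    """True when host falls inside any address or CIDR listed in ignoreip."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def simulate_jail(lines, maxretry=3, findtime=172800, ignoreip=("127.0.0.1",)):
    """Replay log lines through a jail with the given maxretry/findtime.

    Returns a list of (host, ban_time) tuples in the order bans would fire.
    Only failures inside the trailing findtime window count, and a banned
    host's counter is reset, which mirrors how fail2ban tallies retries.
    """
    window = timedelta(seconds=findtime)
    failures = defaultdict(deque)
    bans = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, host = parsed
        if is_ignored(host, ignoreip):
            continue
        q = failures[host]
        q.append(ts)
        while q and ts - q[0] > window:  # expire failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans.append((host, ts))
            q.clear()
    return bans


if __name__ == "__main__":
    for host, when in simulate_jail(SAMPLE_MAILLOG.splitlines()):
        print(f"would ban {host} after failure at {when:%b %d %H:%M:%S}")
```

To check the real filter rather than this approximation, fail2ban ships `fail2ban-regex`; running it as `fail2ban-regex /var/log/maillog "postfix[mode=auth]"` prints how many lines match and which addresses were extracted, which is the quickest way to confirm the jail will see the "SASL LOGIN authentication failed" lines on this server before enabling it.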