Solved fail2ban and ipfw - again

olafz

Active Member

Hello,

Right now my fail2ban setup is halfway working. For SSH logins it works just fine with the ssh-ipfw action:

Code:
2021-05-19 11:09:56,802 fail2ban.filter         [39101]: INFO    [ssh-ipfw] Found 209.141.50.79 - 2021-05-19 11:09:56
2021-05-19 11:09:59,766 fail2ban.filter         [39101]: INFO    [ssh-ipfw] Found 209.141.50.79 - 2021-05-19 11:09:59
2021-05-19 11:10:00,044 fail2ban.actions        [39101]: NOTICE  [ssh-ipfw] Ban 209.141.50.79

But for the SASL logins, it does not. Same ssh-ipfw action:
Code:
2021-05-15 05:24:56,740 fail2ban.filter         [779]: INFO    [postfix-sasl] Found 103.147.184.193 - 2021-05-15 05:24:56
2021-05-15 05:58:17,901 fail2ban.filter         [779]: INFO    [postfix-sasl] Found 103.147.184.193 - 2021-05-15 05:58:17
2021-05-15 07:05:57,423 fail2ban.filter         [779]: INFO    [postfix-sasl] Found 103.147.184.193 - 2021-05-15 07:05:57
2021-05-15 19:40:02,547 fail2ban.filter         [779]: INFO    [postfix-sasl] Found 103.147.184.193 - 2021-05-15 19:40:02
2021-05-16 01:19:14,517 fail2ban.filter         [779]: INFO    [postfix-sasl] Found 103.147.184.193 - 2021-05-16 01:19:14
2021-05-16 15:29:02,159 fail2ban.filter         [779]: INFO    [postfix-sasl] Found 103.147.184.193 - 2021-05-16 15:29:01
2021-05-16 18:44:44,466 fail2ban.filter         [779]: INFO    [postfix-sasl] Found 103.147.184.193 - 2021-05-16 18:44:44
2021-05-16 23:52:31,294 fail2ban.filter         [779]: INFO    [postfix-sasl] Found 103.147.184.193 - 2021-05-16 23:52:31
2021-05-17 00:53:47,163 fail2ban.filter         [779]: INFO    [postfix-sasl] Found 103.147.184.193 - 2021-05-17 00:53:46
2021-05-17 01:54:07,191 fail2ban.filter         [779]: INFO    [postfix-sasl] Found 103.147.184.193 - 2021-05-17 01:54:06
2021-05-17 06:31:03,776 fail2ban.filter         [779]: INFO    [postfix-sasl] Found 103.147.184.193 - 2021-05-17 06:31:03
I have no idea why fail2ban is detecting, but not doing anything.
 

covacat

Well-Known Member

Do you have something like

Code:
[postfix-bsd-ipfw]

enabled  = true
filter   = bsd-postfix
action   = bsd-ipfw[port="25,587,465",table=2]
logpath  = /var/log/maillog
maxretry = 1
bantime = 1800
 
olafz (OP)

Active Member

My jail.d/postfix-sasl.local:
Code:
[postfix-sasl]
enabled  = true
mode     = auth
filter   = postfix-sasl
action   = myipfw[mode=aggressive]
           mail-whois[name=SASL]
maxretry = 2
port     = smtp
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
bantime  = 1w

For comparison, my jail.d/ssh-ipfw.local:
Code:
[ssh-ipfw]
enabled  = true
mode     = aggressive
filter   = sshd
#action  = myipfw[mode=aggressive, name=SSH, port=ssh, protocol=tcp]
action   = myipfw[mode=aggressive]
#          mail-whois[name=SSH]
logpath  = /var/log/auth.log
findtime = 4h
maxretry = 2
bantime  = 1w
 
olafz (OP)

Active Member

And my filter.d/postfix-sasl.local:
Code:
[INCLUDES]
before = common.conf

[Definition]

_daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
_port = (?::\d+)?

failregex = ^.*\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:
 

SirDice

Administrator, Staff member, Moderator

But for the SASL logins, it does not.
Look at the timestamps. It's a really "slow-and-low" bruteforce attack. So they stay under the "X failures within Y time" trigger that would block them.
 
olafz (OP)

Active Member

Somehow I have fixed it:
Code:
2021-05-20 01:51:28,595 fail2ban.filter         [39564]: INFO    [postfix-sasl] Found 193.142.59.214 - 2021-05-20 01:51:28
2021-05-20 01:51:43,119 fail2ban.filter         [39564]: INFO    [postfix-sasl] Found 193.142.59.214 - 2021-05-20 01:51:43
2021-05-20 01:51:43,171 fail2ban.actions        [39564]: NOTICE  [postfix-sasl] Ban 193.142.59.214
 

SirDice

Administrator, Staff member, Moderator

Again, look at the timestamps. These attacks came in within 15 seconds of each other. Now look again at the timestamps of the original message.

Code:
2021-05-15 05:24:56,740 fail2ban.filter         [779]: INFO    [postfix-sasl] Found 103.147.184.193 - 2021-05-15 05:24:56
# 34 minutes 
2021-05-15 05:58:17,901 fail2ban.filter         [779]: INFO    [postfix-sasl] Found 103.147.184.193 - 2021-05-15 05:58:17
# 1 hour, 7 minutes 
2021-05-15 07:05:57,423 fail2ban.filter         [779]: INFO    [postfix-sasl] Found 103.147.184.193 - 2021-05-15 07:05:57
# 12 hours, 35 minutes
2021-05-15 19:40:02,547 fail2ban.filter         [779]: INFO    [postfix-sasl] Found 103.147.184.193 - 2021-05-15 19:40:02
# 5 hours, 40 minutes
2021-05-16 01:19:14,517 fail2ban.filter         [779]: INFO    [postfix-sasl] Found 103.147.184.193 - 2021-05-16 01:19:14
# 14 hours, 10 minutes.
2021-05-16 15:29:02,159 fail2ban.filter         [779]: INFO    [postfix-sasl] Found 103.147.184.193 - 2021-05-16 15:29:01
# Etc.
 
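The two replies from SirDice above come down to fail2ban's trigger rule: a host is banned only once it has maxretry failures inside the trailing findtime window. The postfix-sasl jail posted earlier sets maxretry = 2 but no findtime, so fail2ban's default of 10m applies, and hits that arrive 34 minutes or hours apart never accumulate. The following Python script is an added example, not fail2ban's code and not from anyone in the thread: it runs the failregex from the posted filter.d/postfix-sasl.local over a handful of constructed maillog lines (the timestamps mirror the ones quoted in the thread; the hostnames, PIDs and the "connect from" noise line are made up), then replays the maxretry/findtime decision for two window sizes. The regex is adapted in two ways, both assumptions of this example: fail2ban's <HOST> tag is replaced by an explicit IP-address group, and the (?i) flag is scoped to the mechanism list so it compiles on current Python.

```python
import re
from datetime import datetime, timedelta

# failregex from the post, with <HOST> replaced by an explicit IPv4/IPv6 group
# (fail2ban's own <HOST> also accepts hostnames) and (?i) scoped to the
# mechanism list so the pattern compiles on Python >= 3.11.
FAILREGEX = re.compile(
    r"^.*\[(?P<host>[0-9a-fA-F.:]+)\]: SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) "
    r"authentication failed:"
)
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")

# Constructed sample maillog (not real log data). The first host replays the
# timestamps of the slow attacker from the thread, the second host the two hits
# 15 seconds apart that did get banned. The "connect from" line must not match.
SAMPLE_MAILLOG = """\
May 15 05:24:56 mx postfix/smtpd[779]: warning: unknown[103.147.184.193]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 15 05:58:17 mx postfix/smtpd[779]: warning: unknown[103.147.184.193]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 15 07:05:57 mx postfix/smtpd[779]: warning: unknown[103.147.184.193]: SASL PLAIN authentication failed: authentication failure
May 15 19:40:02 mx postfix/smtpd[779]: warning: unknown[103.147.184.193]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 16 01:19:14 mx postfix/smtpd[779]: warning: unknown[103.147.184.193]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 16 01:20:00 mx postfix/smtpd[779]: connect from mail.example.org[192.0.2.10]
May 20 01:51:28 mx postfix/smtpd[39564]: warning: unknown[193.142.59.214]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 20 01:51:43 mx postfix/smtpd[39564]: warning: unknown[193.142.59.214]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""


def parse_maillog(text, year=2021):
    """Return [(datetime, host)] for every line matching FAILREGEX.
    Syslog timestamps carry no year, so one is assumed (2021, as in the thread)."""
    events = []
    for line in text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue
        ts = SYSLOG_TS.match(line)
        when = datetime.strptime(f"{year} {ts.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((when, m.group("host")))
    return events


def bans(events, maxretry, findtime):
    """Replay fail2ban's trigger: ban a host as soon as it has maxretry
    failures whose timestamps all lie within the trailing findtime window.
    Older failures drop out of the window; a ban clears the host's counter.
    (Simplified model of fail2ban's failure manager, written for this example.)"""
    recent = {}   # host -> failures still inside the window
    banned = []
    for when, host in sorted(events):
        hits = [t for t in recent.get(host, []) if when - t <= findtime]
        hits.append(when)
        if len(hits) >= maxretry:
            banned.append((when, host))
            hits = []
        recent[host] = hits
    return banned


def ban_report(text, maxretry, findtime_seconds):
    """Convenience wrapper returning 'YYYY-MM-DDTHH:MM:SS host' strings."""
    window = timedelta(seconds=findtime_seconds)
    return [f"{when.isoformat()} {host}"
            for when, host in bans(parse_maillog(text), maxretry, window)]


if __name__ == "__main__":
    # The posted jail: maxretry = 2, findtime unset, so fail2ban's default 10m.
    print("findtime=10m:", ban_report(SAMPLE_MAILLOG, 2, 600))
    # Widen the window to a day and the slow attacker is caught as well.
    print("findtime=1d: ", ban_report(SAMPLE_MAILLOG, 2, 86400))
```

With the 10-minute default only the fast pair from 2021-05-20 trips the ban, exactly what the thread's logs show; with findtime = 1d the slow host is banned twice on 2021-05-15. Raising findtime in the postfix-sasl jail (for example findtime = 1d alongside maxretry = 2) is the knob that catches low-and-slow guessing, at the cost that a legitimate user who mistypes a password twice in a day gets banned for the full bantime, so pair a long findtime with a maxretry you can live with.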