Thanks for the reply. I just tried this and it does not seem to catch them. Here's my config. Any ideas? (Sorry, I could not find the code tool to paste it correctly.)
Code:
/etc/fail2ban/filter.d/sasl.conf
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Code:
/etc/fail2ban/jai.conf:
[sasl]
enabled = true
port = smtp
filter = sasl
logpath = /var/log/mail.log
maxretry = 5
Code:
/var/log/mail.log:
May 5 21:04:30 sosaria postfix/smtpd[15785]: connect from unknown[185.234.216.178]
May 5 21:04:31 sosaria postfix/smtpd[16453]: lost connection after AUTH from unknown[185.143.74.49]
May 5 21:04:31 sosaria postfix/smtpd[16453]: disconnect from unknown[185.143.74.49] ehlo=1 auth=0/1 rset=1 commands=2/3
May 5 21:04:32 sosaria postfix/smtpd[15785]: warning: unknown[185.234.216.178]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 5 21:04:32 sosaria postfix/smtpd[15785]: lost connection after AUTH from unknown[185.234.216.178]
May 5 21:04:32 sosaria postfix/smtpd[15785]: disconnect from unknown[185.234.216.178] ehlo=1 auth=0/1 commands=1/2
May 5 21:04:36 sosaria postfix/smtpd[15786]: warning: unknown[45.142.195.6]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 5 21:04:36 sosaria postfix/smtpd[15786]: disconnect from unknown[45.142.195.6] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 5 21:04:36 sosaria postfix/smtpd[15783]: connect from unknown[45.142.195.7]
May 5 21:04:43 sosaria postfix/smtpd[15783]: warning: unknown[45.142.195.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 5 21:04:44 sosaria postfix/smtpd[15783]: disconnect from unknown[45.142.195.7] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 5 21:04:48 sosaria postfix/smtpd[16453]: connect from unknown[46.38.144.179]
May 5 21:04:51 sosaria postfix/smtpd[15786]: connect from unknown[46.38.144.32]
May 5 21:04:55 sosaria postfix/smtpd[16453]: warning: unknown[46.38.144.179]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 5 21:04:56 sosaria postfix/smtpd[16453]: disconnect from unknown[46.38.144.179] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 5 21:04:58 sosaria postfix/smtpd[15786]: warning: unknown[46.38.144.32]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 5 21:04:58 sosaria postfix/smtpd[16750]: connect from unknown[185.143.74.49]
May 5 21:04:59 sosaria postfix/smtpd[15786]: disconnect from unknown[46.38.144.32] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 5 21:05:01 sosaria postfix/smtpd[16453]: connect from unknown[185.143.74.73]
May 5 21:05:07 sosaria postfix/smtpd[16453]: warning: unknown[185.143.74.73]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 5 21:05:07 sosaria postfix/smtpd[16453]: disconnect from unknown[185.143.74.73] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 5 21:05:09 sosaria postfix/smtpd[15785]: connect from unknown[185.143.74.108]
May 5 21:05:15 sosaria postfix/smtpd[15785]: warning: unknown[185.143.74.108]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 5 21:05:15 sosaria postfix/smtpd[15785]: disconnect from unknown[185.143.74.108] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 5 21:05:19 sosaria postfix/smtpd[16750]: warning: unknown[185.143.74.49]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 5 21:05:27 sosaria postfix/smtpd[16453]: connect from unknown[45.142.195.7]
May 5 21:05:28 sosaria postfix/smtpd[15785]: connect from unknown[46.38.144.202]
May 5 21:05:34 sosaria postfix/smtpd[15785]: warning: unknown[46.38.144.202]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 5 21:05:34 sosaria postfix/smtpd[16453]: warning: unknown[45.142.195.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 5 21:05:34 sosaria postfix/smtpd[16453]: disconnect from unknown[45.142.195.7] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 5 21:05:34 sosaria postfix/smtpd[15785]: disconnect from unknown[46.38.144.202] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 5 21:05:34 sosaria postfix/smtpd[15786]: connect from unknown[45.142.195.6]
May 5 21:05:41 sosaria postfix/smtpd[15783]: connect from unknown[185.143.74.133]
May 5 21:05:48 sosaria postfix/smtpd[15783]: warning: unknown[185.143.74.133]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 5 21:05:48 sosaria postfix/smtpd[16750]: disconnect from unknown[185.143.74.49] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 5 21:05:48 sosaria postfix/smtpd[15783]: disconnect from unknown[185.143.74.133] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 5 21:05:51 sosaria postfix/smtpd[15785]: connect from unknown[185.143.74.93]
May 5 21:05:55 sosaria postfix/smtpd[15785]: warning: unknown[185.143.74.93]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 5 21:05:55 sosaria postfix/smtpd[15785]: disconnect from unknown[185.143.74.93] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Testing:
Code:
fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf
Running tests
=============
Use failregex filter file : sasl, basedir: /etc/fail2ban
Use log file : /var/log/mail.log
Use encoding : UTF-8
Results
=======
Failregex: 7268 total
|- #) [# of hits] regular expression
| 1) [7268] (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [23469] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 23469 lines, 0 ignored, 7268 matched, 16201 missed
[processed in 4.05 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 16201 lines
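To see what the posted filter actually does with the posted log, here is a small added Python script (not the poster's code and not fail2ban's own engine). It substitutes the `<HOST>` alias documented in the filter file into the failregex, runs it over a handful of lines taken from the mail.log excerpt above, counts failures per host, and compares those counts against the jail's maxretry. Matching is emulated with a plain `re.search` on the full line, which is a simplification of how fail2ban strips the date before matching; the per-/24 aggregation at the end goes beyond the post and is an added view for spotting attempts spread across many addresses in the same network.

```python
import ipaddress
import re
from collections import Counter

# failregex copied from the sasl.conf posted above.
FAILREGEX = (
    r"(?i): warning: [-._\w]+\[<HOST>\]: SASL "
    r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w"
)

# The filter file's own comment says <HOST> is an alias for this group.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Lines taken from the mail.log excerpt in the post (a subset, for brevity).
SAMPLE_LINES = [
    "May 5 21:04:30 sosaria postfix/smtpd[15785]: connect from unknown[185.234.216.178]",
    "May 5 21:04:31 sosaria postfix/smtpd[16453]: lost connection after AUTH from unknown[185.143.74.49]",
    "May 5 21:04:32 sosaria postfix/smtpd[15785]: warning: unknown[185.234.216.178]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "May 5 21:04:43 sosaria postfix/smtpd[15783]: warning: unknown[45.142.195.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "May 5 21:05:19 sosaria postfix/smtpd[16750]: warning: unknown[185.143.74.49]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "May 5 21:05:34 sosaria postfix/smtpd[16453]: warning: unknown[45.142.195.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "May 5 21:05:48 sosaria postfix/smtpd[15783]: warning: unknown[185.143.74.133]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
]


def compile_failregex(failregex: str = FAILREGEX) -> "re.Pattern[str]":
    """Expand the <HOST> tag the way the filter file describes and compile."""
    return re.compile(failregex.replace("<HOST>", HOST_ALIAS))


def failed_hosts(lines, failregex: str = FAILREGEX) -> Counter:
    """Count failregex hits per host; non-matching lines are ignored."""
    pattern = compile_failregex(failregex)
    counts: Counter = Counter()
    for line in lines:
        match = pattern.search(line)  # simplification: fail2ban strips the date first
        if match:
            counts[match.group("host")] += 1
    return counts


def hosts_over_threshold(counts: Counter, maxretry: int = 5) -> list:
    """Hosts whose failure count has reached the jail's maxretry (ignores findtime)."""
    return sorted(host for host, n in counts.items() if n >= maxretry)


def failures_by_network(counts: Counter, prefix_len: int = 24) -> Counter:
    """Added view: aggregate per-host failures into /prefix_len networks."""
    nets: Counter = Counter()
    for host, n in counts.items():
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # a hostname rather than a literal address; skip it
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        nets[str(net)] += n
    return nets


if __name__ == "__main__":
    counts = failed_hosts(SAMPLE_LINES)
    print("failures per host:", dict(counts))
    print("hosts at maxretry=5:", hosts_over_threshold(counts, 5))
    print("failures per /24:", dict(failures_by_network(counts)))
```

Run against the sample above, every `SASL LOGIN authentication failed` line matches, which agrees with the `fail2ban-regex` output in the post, but no single address reaches five failures: the highest is two for 45.142.195.7. That is the kind of check worth making before concluding the filter is broken; the per-host counts and the jail's maxretry and findtime decide whether a ban is ever issued.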