LinuxQuestions.org


jakev383 12-03-2008 10:52 AM

Need help with fail2ban regex
 
Running Debian Etch with Postfix and Courier.
I get these at least daily:
Code:

Dec  3 04:53:33 mail4 postfix/smtpd[17647]: warning: SASL authentication failure: no secret in database
Dec  3 04:53:33 mail4 postfix/smtpd[17647]: warning: 114-44-146-31.dynamic.hinet.net[114.44.146.31]: SASL CRAM-MD5 authentication failed: authentication failure
Dec  3 04:53:35 mail4 postfix/smtpd[17647]: warning: SASL authentication failure: no secret in database
Dec  3 04:53:35 mail4 postfix/smtpd[17647]: warning: 114-44-146-31.dynamic.hinet.net[114.44.146.31]: SASL CRAM-MD5 authentication failed: authentication failure
Dec  3 04:53:37 mail4 postfix/smtpd[17647]: warning: SASL authentication failure: no secret in database
Dec  3 04:53:37 mail4 postfix/smtpd[17647]: warning: 114-44-146-31.dynamic.hinet.net[114.44.146.31]: SASL CRAM-MD5 authentication failed: authentication failure

I have installed fail2ban, and have this for sasl in the filter.d directory:
Code:

failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
            : warning: [-._\w]+\[<HOST>\]: SASL (?:CRAM|DIGEST)-MD5) authentication failed: authentication failure$

I'm guessing that I messed up my regex and am asking for help.... Any help is appreciated!

internetSurfer 12-04-2008 09:38 PM

Extra Info:

Solution for Postfix with Postgres:
SASL error: authentication failed: authentication failure

jakev383 12-05-2008 08:01 AM

My setup is correct (mysql and not postgres anyway).
These are "hack" attempts. They attempt to log in with different names and dictionary passwords. I'd like to get fail2ban to block these, since they happen daily.

internetSurfer 12-06-2008 05:57 PM

Distributed SSH attacks bypass blacklists
http://www.heise-online.co.uk/securi...--/news/112174


jakev383 12-07-2008 06:28 AM

Okay - thanks for that. This is for POP3, not SSH.
It does look to be distributed attacks since the IP changes all the time, but the method is always the same.
They try to access a POP account using common names like "admin@domain.com" or "apache@domain.com" and a dictionary password.
I'd like to stop them - I have fail2ban installed and it will do so, if I can only get my regex to match. That's what I need help with.

unSpawn 12-07-2008 06:52 AM

Can't you use something simple like "SASL.*authentication fail(ed|ure)$"?
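
A quick way to test a failregex against the log lines posted above, as an added example that is not from this thread or from fail2ban itself. The `<HOST>` expansion is an approximation of what fail2ban substitutes for that tag (the exact pattern varies by version), and the two alternative patterns are assumed corrections: the original post's regex anchors on `failed$`, so it can never match a line that continues with `: authentication failure`, and fail2ban also needs a `<HOST>` group in every failregex, so the simpler pattern gets the same host prefix.

```python
import re

# Constructed sample: the two line shapes from the original post.
SAMPLE_LOG = """\
Dec  3 04:53:33 mail4 postfix/smtpd[17647]: warning: SASL authentication failure: no secret in database
Dec  3 04:53:33 mail4 postfix/smtpd[17647]: warning: 114-44-146-31.dynamic.hinet.net[114.44.146.31]: SASL CRAM-MD5 authentication failed: authentication failure
Dec  3 04:53:35 mail4 postfix/smtpd[17647]: warning: SASL authentication failure: no secret in database
Dec  3 04:53:35 mail4 postfix/smtpd[17647]: warning: 114-44-146-31.dynamic.hinet.net[114.44.146.31]: SASL CRAM-MD5 authentication failed: authentication failure
"""

# Assumed approximation of what fail2ban substitutes for the <HOST> tag.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# First pattern from the original post: "failed$" rejects every line that
# goes on with ": authentication failure", so nothing is ever banned.
ORIGINAL_REGEX = (r": warning: [-._\w]+\[<HOST>\]: SASL "
                  r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$")

# Assumed fix: same mechanisms, but tolerate the trailing reason text.
FIXED_REGEX = (r": warning: [-._\w]+\[<HOST>\]: SASL "
               r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
               r"(?:: authentication failure)?$")

# Assumed variant of the shorter suggestion, with the <HOST> group fail2ban requires.
SIMPLE_REGEX = r": warning: [-._\w]+\[<HOST>\]: SASL.*authentication fail(?:ed|ure)$"


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> the way fail2ban does, then compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def match_hosts(failregex: str, log: str) -> list:
    """Return the host captured from every log line the failregex matches."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in log.splitlines():
        m = pattern.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL_REGEX), ("fixed", FIXED_REGEX), ("simple", SIMPLE_REGEX)):
        print(f"{name:8s} -> {match_hosts(rx, SAMPLE_LOG)}")
```

The "no secret in database" lines carry no client address, so no failregex can ban on them; only the lines with the `host[ip]` pair count toward maxretry.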

internetSurfer 12-07-2008 09:35 AM

Is your jail.conf configured for POP3:

Quote:

[courierpop3]

enabled = true
port = pop3
filter = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5
Reference source: http://www.howtoforge.com/fail2ban_debian_etch
