#1 | 12-03-2008, 10:52 AM | QmailToaster Developer | Registered: Dec 2005 | Location: Burlington, NC | Distribution: CentOS, Voyage, Debian, Fedora | Posts: 220
Need help with fail2ban regex
Running Debian Etch with Postfix and Courier.
I get these at least daily:
Code:
Dec 3 04:53:33 mail4 postfix/smtpd[17647]: warning: SASL authentication failure: no secret in database
Dec 3 04:53:33 mail4 postfix/smtpd[17647]: warning: 114-44-146-31.dynamic.hinet.net[114.44.146.31]: SASL CRAM-MD5 authentication failed: authentication failure
Dec 3 04:53:35 mail4 postfix/smtpd[17647]: warning: SASL authentication failure: no secret in database
Dec 3 04:53:35 mail4 postfix/smtpd[17647]: warning: 114-44-146-31.dynamic.hinet.net[114.44.146.31]: SASL CRAM-MD5 authentication failed: authentication failure
Dec 3 04:53:37 mail4 postfix/smtpd[17647]: warning: SASL authentication failure: no secret in database
Dec 3 04:53:37 mail4 postfix/smtpd[17647]: warning: 114-44-146-31.dynamic.hinet.net[114.44.146.31]: SASL CRAM-MD5 authentication failed: authentication failure
I have installed fail2ban, and have this for sasl in the filter.d directory:
Code:
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
            : warning: [-._\w]+\[<HOST>\]: SASL (?:CRAM|DIGEST)-MD5) authentication failed: authentication failure$
I'm guessing that I messed up my regex and am asking for help... Any help is appreciated!
#2 | 12-04-2008, 09:38 PM | Member | Registered: Jan 2008 | Location: w3c | Distribution: Slackware 12 Zenwalk 5.2 | Posts: 71
Last edited by internetSurfer; 12-05-2008 at 10:28 AM.
#3 | 12-05-2008, 08:01 AM | QmailToaster Developer (Original Poster) | Registered: Dec 2005 | Location: Burlington, NC | Distribution: CentOS, Voyage, Debian, Fedora | Posts: 220
My setup is correct (mysql and not postgres anyway).
These are "hack" attempts. They attempt to log in with different names and dictionary passwords. I'd like to get fail2ban to block these, since they happen daily.
#4 | 12-06-2008, 05:57 PM | Member | Registered: Jan 2008 | Location: w3c | Distribution: Slackware 12 Zenwalk 5.2 | Posts: 71
#5 | 12-07-2008, 06:28 AM | QmailToaster Developer (Original Poster) | Registered: Dec 2005 | Location: Burlington, NC | Distribution: CentOS, Voyage, Debian, Fedora | Posts: 220
Okay - thanks for that. This is for POP3, not SSH.
It does look to be distributed attacks since the IP changes all the time, but the method is always the same.
They try to access a POP account using common names like "admin@domain.com" or "apache@domain.com" and a dictionary password.
I'd like to stop them - I have fail2ban installed and it will do so, if I can only get my regex to match. That's what I need help with.
#6 | 12-07-2008, 06:52 AM | Moderator | Registered: May 2001 | Posts: 29,417
Can't you use something simple like "SASL.*authentication fail(ed|ure)$" ?
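An added example, not from anyone in this thread: a small tester that does what fail2ban does with a failregex (expands <HOST> into a named group, then searches each log line) and runs the pattern from post #1, the moderator's shorter pattern, and a corrected version over the two lines from the original log excerpt. The exact <HOST> expansion is assumed to be the fail2ban 0.8-era one; it shows why the original pattern anchored on `failed$` never fires, that the short pattern matches but captures no host to ban, and that an optional ": reason" tail fixes the original.

```python
import re

# Constructed sample, copied from the log excerpt in post #1: one noise line, one failed login.
SAMPLE_LOG = [
    "Dec 3 04:53:33 mail4 postfix/smtpd[17647]: warning: SASL authentication failure: no secret in database",
    "Dec 3 04:53:33 mail4 postfix/smtpd[17647]: warning: 114-44-146-31.dynamic.hinet.net[114.44.146.31]: SASL CRAM-MD5 authentication failed: authentication failure",
]

# What fail2ban 0.8 substitutes for <HOST> before compiling a failregex (assumed pattern).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# First pattern from post #1: anchored on "failed$", but the real line continues
# with ": authentication failure", so the anchor never matches.
ORIGINAL = r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$"

# The moderator's shorter pattern: it matches, but has no <HOST> group, so fail2ban
# cannot learn which address to ban.
SUGGESTED = r"SASL.*authentication fail(ed|ure)$"

# Same as ORIGINAL with an optional ": <reason>" tail; <HOST> stays the only named group.
FIXED = r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(?:: .*)?$"


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def matching_hosts(failregex, lines):
    """One entry per matched line: the captured host, or None if the regex has no host group."""
    pattern = compile_failregex(failregex)
    return [m.groupdict().get("host") for m in map(pattern.search, lines) if m]


if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL), ("suggested", SUGGESTED), ("fixed", FIXED)):
        print(f"{name:9s} -> {matching_hosts(rx, SAMPLE_LOG)}")
```

The noise line ("no secret in database") carries no client address, so none of the patterns should fire on it; only the line with `[host]` should produce a ban candidate.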
#7 | 12-07-2008, 09:35 AM | Member | Registered: Jan 2008 | Location: w3c | Distribution: Slackware 12 Zenwalk 5.2 | Posts: 71
Is your jail.conf configured for POP3:
Quote:
[courierpop3]
enabled = true
port = pop3
filter = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5
Reference source: http://www.howtoforge.com/fail2ban_debian_etch