LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 12-03-2008, 10:52 AM   #1
jakev383
QmailToaster Developer
 
Registered: Dec 2005
Location: Burlington, NC
Distribution: CentOS, Voyage, Debian, Fedora
Posts: 220

Rep: Reputation: 31
Need help with fail2ban regex


Running Debian Etch with Postfix and Courier.
I get these at least daily:
Code:
Dec  3 04:53:33 mail4 postfix/smtpd[17647]: warning: SASL authentication failure: no secret in database
Dec  3 04:53:33 mail4 postfix/smtpd[17647]: warning: 114-44-146-31.dynamic.hinet.net[114.44.146.31]: SASL CRAM-MD5 authentication failed: authentication failure
Dec  3 04:53:35 mail4 postfix/smtpd[17647]: warning: SASL authentication failure: no secret in database
Dec  3 04:53:35 mail4 postfix/smtpd[17647]: warning: 114-44-146-31.dynamic.hinet.net[114.44.146.31]: SASL CRAM-MD5 authentication failed: authentication failure
Dec  3 04:53:37 mail4 postfix/smtpd[17647]: warning: SASL authentication failure: no secret in database
Dec  3 04:53:37 mail4 postfix/smtpd[17647]: warning: 114-44-146-31.dynamic.hinet.net[114.44.146.31]: SASL CRAM-MD5 authentication failed: authentication failure
I have installed fail2ban, and have this for sasl in the filter.d directory:
Code:
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
            : warning: [-._\w]+\[<HOST>\]: SASL (?:CRAM|DIGEST)-MD5) authentication failed: authentication failure$
I'm guessing that I messed up my regex and am asking for help.... Any help is appreciated!
 
Old 12-04-2008, 09:38 PM   #2
internetSurfer
Member
 
Registered: Jan 2008
Location: w3c
Distribution: Slackware 12 Zenwalk 5.2
Posts: 71

Rep: Reputation: 16
Extra Info:

Solution for Postfix with Postgres:
SASL error: authentication failed: authentication failure
_

Last edited by internetSurfer; 12-05-2008 at 10:28 AM.
 
Old 12-05-2008, 08:01 AM   #3
jakev383
QmailToaster Developer
 
Registered: Dec 2005
Location: Burlington, NC
Distribution: CentOS, Voyage, Debian, Fedora
Posts: 220

Original Poster
Rep: Reputation: 31
My setup is correct (mysql and not postgres anyway).
These are "hack" attempts. They attempt to log in with different names and dictionary passwords. I'd like to get fail2ban to block these, since they happen daily.
 
Old 12-06-2008, 05:57 PM   #4
internetSurfer
Member
 
Registered: Jan 2008
Location: w3c
Distribution: Slackware 12 Zenwalk 5.2
Posts: 71

Rep: Reputation: 16
Distributed SSH attacks bypass blacklists
http://www.heise-online.co.uk/securi...--/news/112174

_
 
Old 12-07-2008, 06:28 AM   #5
jakev383
QmailToaster Developer
 
Registered: Dec 2005
Location: Burlington, NC
Distribution: CentOS, Voyage, Debian, Fedora
Posts: 220

Original Poster
Rep: Reputation: 31
Okay - thanks for that. This is for POP3, not SSH.
It does look to be distributed attacks since the IP changes all the time, but the method is always the same.
They try to access a POP account using common names like "admin@domain.com" or "apache@domain.com" and a dictionary password.
I'd like to stop them - I have fail2ban installed and it will do so, if I can only get my regex to match. That's what I need help with.
 
Old 12-07-2008, 06:52 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599
Can't you use something simple like "SASL.*authentication fail(ed|ure)$" ?
 
Old 12-07-2008, 09:35 AM   #7
internetSurfer
Member
 
Registered: Jan 2008
Location: w3c
Distribution: Slackware 12 Zenwalk 5.2
Posts: 71

Rep: Reputation: 16
Is your jail.conf configured for POP3:

Quote:
[courierpop3]

enabled = true
port = pop3
filter = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5
Reference source: http://www.howtoforge.com/fail2ban_debian_etch

_
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Fail2ban and Firestarter baldur2630 Linux - Software 2 09-29-2008 05:46 AM
regex with sed to process file, need help on regex dwynter Linux - Newbie 5 08-31-2007 05:10 AM
Fail2Ban Question nomb Debian 0 05-21-2007 07:28 AM
fail2ban not blocking vsftp samnjugu Linux - Security 1 04-11-2007 02:35 AM
fail2ban and proftpd 1.3 reeseslover531 Linux - Security 4 02-14-2007 07:10 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:38 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration