Dear All,

I saw someone trying to attack my postfix server by trying to enter random password, how to automatic reject sender IP address after N times attempting?

any help appreciated..

thanks & regards
Winanjaya

fail2ban has a great postfix filter:

http://www.fail2ban.org/wiki/index.php/Main_Page

You can automatically ban an IP for as long as you like. Works great.

yes, I tried it but no luck :->( .. what I missed?
and I also have restarted fail2ban

in /etc/fail2ban/jail.conf .. I have the following:

[postfix-tcpwrapper]

enabled = true
filter = postfix
action = hostsdeny[file=/var/log/postfix_hosts.deny]
sendmail[name=Postfix, dest=it-department@lippoinsurance.com]
logpath = /var/log/postfix.log
bantime = 300

[sasl-iptables]

enabled = true
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
sendmail-whois[name=sasl, dest=it-department@lippoinsurance.com]
logpath = /var/log/mail.log

and in /etc/fail2ban/filter.d/postfix.conf

failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1

ignoreregex =

and in /etc/fail2ban/filter.d/sasl.conf

failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
ignoreregex =

I am using Postfix/Dovecot/ with Postgrey and Fail2ban on Ubuntu server 10

My authentication logs for Dovecot are in /var/log/auth.log

You might look thru your logs and see where the nuisance attempts are logged and match fail2ban-postfix to that location.

Also, you may want to create a jail.local rather than using jail.conf so it doesn't get overwritten by an update.

Keep me posted ( pun )

I seem to recall limiting login attempts for SASL with Postfix was a PITA. Nefarious users and brute forcers were able to just keep on hammering away at it. I did ask on the Postfix users list if there was a sensible way to limit attempts and got the usual "Where in the RFC's does it say there should be a limit" type abuse and useless answer from Wietse Venema and co (one of the reasons we use Exim is the author, Phil Hazel, and his users support list is just much better)


Take a look at these config directives/options. They may[stress MAY, not WILL] be helpful to you - but I can't promise. I seem to recall the fix we put in place was to kick a user after three errors in the SMTP session, and limit the number of connections someone could make with a simple IP Tables rule (something like but not tested word for word):
However, I'm not sure it caught SASL logins - it's a bit of a distant memory now.

Also look into these options
The manual may help: http://www.postfix.org/postconf.5.ht...ft_error_limit

in my /var/log/maillog goes below:

Feb 7 14:27:35 smtp postfix/smtpd[11421]: warning: unknown[112.215.45.219]: SASL LOGIN authentication failed: authentication failure
Feb 7 14:27:35 smtp postfix/smtpd[11421]: > unknown[112.215.45.219]: 535 5.7.0 Error: authentication failed: authentication failure
F

and in my jail.local

[spam]
enabled = true
filter = spam
#action = iptables[name=SPAM, port=smtp, protocol=tcp]
action = sendmail-whois[name=SPAM, dest=it-department@mydomain.com, sender=fail2ban@mydomain.com]
logpath = /var/log/maillog
bantime = 3600
ignoreip = 127.0.0.1
maxretry = 3

and my ../filter.d/spam is as follow:

failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
reject: RCPT from (.*)\[<HOST>\]: 535.5.7.0

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT


any idea?

thanks

Does your setup use pam ? if so, enable pam-generic. From my last authentication ban :

"The IP 117.41.181.131 has just been banned by Fail2Ban after
3 attempts against pam-generic."

yada yada then :

"Lines containing IP:117.41.181.131 in /var/log/auth.log

Jan 17 18:54:31 myhost dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost=117.41.181.131
Jan 17 18:54:36 myhost dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost=117.41.181.131
Jan 17 18:54:41 myhost dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost=117.41.181.131"

So, on my setup, it is pam that is doing the authentication.

Ciao !

does my jail.local and spam.conf correct?

Your configs look okay for spam, but aren't you trying to block unauthorized logins ? as opposed to spam ?

What authentication method are you using ? Pam , saslauthd ?

hi.. it works
but it does not send me notification email??


cat /var/log/fail2ban.log

2012-02-07 15:21:42,789 fail2ban.actions: WARNING [spam] Ban 202.148.17.2
2012-02-07 15:23:32,573 fail2ban.actions: WARNING [spam] 202.148.17.2 already banned
2012-02-07 15:24:21,571 fail2ban.actions: WARNING [spam] 202.148.17.2 already banned
2012-02-07 15:25:16,566 fail2ban.actions: WARNING [spam] Ban 180.254.63.203
2012-02-07 15:25:37,549 fail2ban.actions: WARNING [spam] Ban 110.137.165.194
2012-02-07 15:25:43,739 fail2ban.actions: WARNING [spam] 110.137.165.194 already banned
2012-02-07 15:25:46,740 fail2ban.actions: WARNING [spam] 110.137.165.194 already banned
2012-02-07 15:26:22,735 fail2ban.actions: WARNING [spam] 110.137.165.194 already banned
2012-02-07 15:26:24,735 fail2ban.actions: WARNING [spam] 110.137.165.194 already banned
2012-02-07 15:26:27,735 fail2ban.actions: WARNING [spam] 110.137.165.194 already banned
2012-02-07 15:26:31,735 fail2ban.actions: WARNING [spam] 110.137.165.194 already banned
2012-02-07 15:26:34,736 fail2ban.actions: WARNING [spam] 110.137.165.194 already banned
2012-02-07 15:26:36,736 fail2ban.actions: WARNING [spam] 110.137.165.194 already banned
2012-02-07 15:27:50,730 fail2ban.actions: WARNING [spam] Ban 180.251.173.143
2012-02-07 15:29:30,974 fail2ban.actions: WARNING [spam] 180.251.173.143 already banned
2012-02-07 15:30:24,969 fail2ban.actions: WARNING [spam] Unban 172.16.1.88
2012-02-07 15:30:24,969 fail2ban.actions: WARNING [spam] Unban 202.148.17.2
2012-02-07 15:30:24,970 fail2ban.actions: WARNING [spam] Unban 180.254.63.203
2012-02-07 15:30:24,970 fail2ban.actions: WARNING [spam] Unban 110.137.165.194
2012-02-07 15:30:24,970 fail2ban.actions: WARNING [spam] Unban 180.251.173.143

I have never received a notification email from fail2ban. Off hand, I am not even sure if it supports this option. It seems to me like you would get A LOT, and I do mean A LOT of noisy email this way. While at first it may be satisfying to see the results, it will get old fast. Instead I would recommend using a program like Logwatch which will give you a daily summary of your log files. There is even a Logwatch like program for Postfix which will scan your email logs and provide you with a summary of the traffic, including bounces, rejects, etc. The one I use is called Pflogsum.pl

1 members found this post helpful.

Can you share/post some snippets from you fail2ban configuration?

I am setting up a new Drupal server and thinking it would be a good idea.

Agreed, I decided not to use email notification since it would be an internal spammer for IT Department :->)

to. rhBegin,

herewith is mine:

I leave default for fail2ban.conf

I copy jail.conf to jail.local

vi /etc/jail.local

[sasl]
enabled = true
filter = sasl
action = iptables-sasl[name=sasl, port 8025, protocol=tcp]
logpath = /var/log/maillog
bantime=3600
ignoreip = 127.0.0.1 172.16.0.1/24
maxretry = 3