LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 07-15-2009, 09:21 AM   #1
Xnake
LQ Newbie
 
Registered: Jul 2005
Location: Spain
Distribution: OpenSuSE 11.1
Posts: 14

Rep: Reputation: 0
fail2ban and qmail


Hi!

I have fail2ban working properly to block FTP attacks and I want to block "SMTP attacks". I mean I want to block IPs sending mails to non-existent addresses in our mail server. In /var/log/qmail/smtpd/current they are logged as:

@400000004a5dced82e4669a4 Reject::RCPT::Failed_Rcptto: P:ESMTP S:187.4.68.30:**** H:**** F:fake-email@fakedomain T:non-existant-email@mydomain


I've configured /etc/fail2ban/filter.d/qmail.conf as follows:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 510 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
#failregex = (?:[\d,.]+[\d,.] rblsmtpd: |421 badiprbl: ip )<HOST>
failregex = Reject::RCPT::Failed_Rcptto: P:ESMTP S:<HOST>

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =




Also configured /etc/fail2ban/jail.conf to enable qmail:

[qmail-iptables]

enabled = true
filter = qmail
action = iptables[name=QMAIL, port=smtp, protocol=tcp]
         sendmail-whois[name=QMAIL, dest=myqmail@mydomain]
# multilog writes to "current" (the file fail2ban-regex is run against below)
logpath = /var/log/qmail/smtpd/current
maxretry = 3
bantime = 600




iptables rules are created:

# iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 fail2ban-VSFTPD tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
2 fail2ban-QMAIL tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain fail2ban-QMAIL (1 references)
num target prot opt source destination
1 RETURN 0 -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-VSFTPD (1 references)
num target prot opt source destination
1 RETURN 0 -- 0.0.0.0/0 0.0.0.0/0





Regular expression seems to be correct:

# fail2ban-regex /var/log/qmail/smtpd/current /etc/fail2ban/filter.d/qmail.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/qmail.conf
Use log file : /var/log/qmail/smtpd/current


Results
=======

Failregex
|- Regular expressions:
| [1] Reject::RCPT::Failed_Rcptto: P:ESMTP S:<HOST>
|
`- Number of matches:
[1] 65 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
...
202.157.70.55 (Wed Jul 15 13:57:40 2009)
...

Date template hits:
0 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
5964 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601

Success, the total number of match is 65

However, look at the above section 'Running tests' which could contain important
information.





But fail2ban doesn't block any IP for qmail.

Can anyone tell me what I am doing wrong?

Thanks in advance.

Last edited by Xnake; 07-16-2009 at 06:10 AM.
 
Old 07-15-2009, 01:03 PM   #2
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 88
You're doing nothing wrong, fail2ban and other 'protection' screens must accept all mail to obey SMTP specs, and then reject, i.e., not queue mail, that meets or does not meet certain conditions. Is there a reason you do not wish to see these?
 
Old 07-16-2009, 03:35 AM   #3
Xnake
LQ Newbie
 
Registered: Jul 2005
Location: Spain
Distribution: OpenSuSE 11.1
Posts: 14

Original Poster
Rep: Reputation: 0
I believed that fail2ban would block any SMTP connection attempt after the attacking IP was spotted in the qmail log and no SMTP dialog would happen afterwards.

We block any email with no valid recipient and/or sender and we don't send any reply, but I want attacking servers not to connect to our mail server so an SMTP connection can't occur.
 
Old 07-16-2009, 12:07 PM   #4
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 88
The point is, if it's an SMTP server, other servers can always connect. What you want is that your server is not relaying messages from users that are not yours, i.e., you want to configure your server so it's not an open relay! Take a look at this for some good info: http://en.wikipedia.org/wiki/Open_mail_relay, and search for securing your mail server.

Frankly, at this stage, if I don't see some activity from people trying to spam through my machine in the logs, I would be worried. It is to be expected. You must be vigilant with your logs!
 
Old 07-22-2009, 04:01 AM   #5
Xnake
LQ Newbie
 
Registered: Jul 2005
Location: Spain
Distribution: OpenSuSE 11.1
Posts: 14

Original Poster
Rep: Reputation: 0
Thank you, irishbitte.

We had already configured our servers not to be an open relay, but I wanted those spammers not to even connect to our SMTP servers so we don't have to reject the mail.

I would like to release those "bad" connections immediately so "legal" senders can connect to our SMTP servers.
 
Old 07-22-2009, 03:44 PM   #6
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 88
Ok, can you post some more info, perhaps a snippet from the logs, an example of a 'bad' connection perhaps? I would like to take a look and compare against my own and some other logs I have on hand.
 
Old 07-23-2009, 03:03 AM   #7
fasuto
LQ Newbie
 
Registered: Jul 2009
Posts: 2

Rep: Reputation: 0
The same happens to me with a different filter in qmail.
The test runs fine and catches a lot of IP addresses, but once fail2ban is running it doesn't ban anything. All I can see in the fail2ban logs is "Log rotation detected for /var/log/qmail/qmail-smtpd/current"
 
Old 07-23-2009, 04:00 AM   #8
fasuto
LQ Newbie
 
Registered: Jul 2009
Posts: 2

Rep: Reputation: 0
Xnake:
As a test try this:
Change the logpath to /var/log/test.log

Make a tail -f /var/log/qmail/smtpd/current | tai64nlocal >> /var/log/test.log

Reload fail2ban and watch the logs

In my case fail2ban begins to ban IPs, so I think it is something related to the date format in qmail logs that works differently in fail2ban-regex.
 
Old 08-19-2009, 05:42 AM   #9
Xnake
LQ Newbie
 
Registered: Jul 2005
Location: Spain
Distribution: OpenSuSE 11.1
Posts: 14

Original Poster
Rep: Reputation: 0
irishbitte, in /var/log/qmail/smtpd/current they are logged as:

@400000004a5dced82e4669a4 Reject::RCPT::Failed_Rcptto: P:ESMTP S:187.4.68.30:**** H:**** F:fake-email@fakedomain T:non-existant-email@mydomain

fasuto, thanks for the reply. I think you're right; probably fail2ban doesn't ban qmail "attacks" because it doesn't understand the qmail logs' timestamp.

I'll try to report this issue to fail2ban team so they can fix it. I'll try to find out if there's some way to use "normal" timestamps in qmail logs as well.
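A worked check of the two moving parts in this thread, added here as an example and not code from the thread, from fail2ban or from qmail. It decodes the TAI64N stamp that fasuto's tai64nlocal step converts (the fail2ban-regex run in post #1 already shows that template matching: "5964 hit(s): TAI64N"), expands the <HOST> tag exactly as the filter header comment describes, and replays constructed log lines through a maxretry/findtime count the way fail2ban decides a ban. Assumptions of mine: the sample lines and helo names, the ":51234" port suffix on the S: field (the thread masks it as ****), the fixed 10 s TAI-to-UTC offset, and the names FAILREGEX_STRICT and would_ban.

```python
import re
import socket
from collections import defaultdict
from datetime import datetime, timezone

# fail2ban replaces the <HOST> tag with this alias (quoted in the filter's own
# header comment) before compiling failregex.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The failregex exactly as posted in the thread.
FAILREGEX_POSTED = r"Reject::RCPT::Failed_Rcptto: P:ESMTP S:<HOST>"
# Hypothetical tightened variant: a custom "host" group that stops at the end of
# the dotted quad, so an optional ":port" suffix is never captured as part of
# the host. (Assumption: the S: field may be ip:port; the thread masks the port.)
FAILREGEX_STRICT = (r"Reject::RCPT::Failed_Rcptto: P:ESMTP "
                    r"S:(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s")

TAI64_BASE = 1 << 62   # TAI64 labels count seconds from 2^62 = 1970-01-01 TAI
TAI_MINUS_UTC = 10     # what tai64nlocal subtracts without a leap-second table
                       # (a current table would subtract 34 s for mid-2009)


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_ALIAS))


def parse_tai64n(stamp):
    """Decode a multilog '@' + 24-hex-digit TAI64N stamp into an aware UTC datetime."""
    if not (stamp.startswith("@") and len(stamp) == 25):
        raise ValueError("not a TAI64N stamp: %r" % stamp)
    seconds = int(stamp[1:17], 16) - TAI64_BASE - TAI_MINUS_UTC
    nanos = int(stamp[17:25], 16)
    return datetime.fromtimestamp(seconds, tz=timezone.utc).replace(
        microsecond=nanos // 1000)


def is_valid_ipv4(text):
    """Strict dotted-quad check; inet_aton alone accepts short forms like '187.4'."""
    try:
        socket.inet_aton(text)
    except OSError:
        return False
    return text.count(".") == 3


def find_failure(line, regex):
    """Return (utc_datetime, host) if the line matches, else None.
    The TAI64N stamp is the first whitespace-separated token of a multilog line."""
    stamp, _, rest = line.partition(" ")
    match = regex.search(rest)
    if match is None:
        return None
    return parse_tai64n(stamp), match.group("host")


def would_ban(lines, regex, maxretry=3, findtime=600):
    """Replay log lines through fail2ban's ban rule: a source is banned once it
    has maxretry matches inside a sliding findtime window. Captured hosts that
    are not bare IPv4 addresses are returned separately: fail2ban cannot build
    an iptables rule from them, so they never produce a ban."""
    recent = defaultdict(list)
    banned = set()
    not_an_ip = []
    for line in lines:
        found = find_failure(line, regex)
        if found is None:
            continue
        when, host = found
        if not is_valid_ipv4(host):
            not_an_ip.append(host)
            continue
        ts = when.timestamp()
        recent[host] = [t for t in recent[host] if ts - t <= findtime] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned, not_an_ip


# Constructed sample log, not taken from the thread: the first stamp and the
# first IP are the ones quoted in the thread, stepped 5 s per line; the helo
# name and the ":51234" port on the second source are assumptions.
REJECT = ("Reject::RCPT::Failed_Rcptto: P:ESMTP S:%s H:mail.example.net "
          "F:fake-email@fakedomain T:non-existant-email@mydomain")
SAMPLE_LOG = [
    "@400000004a5dced82e4669a4 " + REJECT % "187.4.68.30",
    "@400000004a5dcedd00000000 " + REJECT % "187.4.68.30",
    "@400000004a5dcee200000000 tcpserver: status: 1/40",
    "@400000004a5dcee700000000 " + REJECT % "187.4.68.30",
    "@400000004a5dceec00000000 " + REJECT % "202.157.70.55:51234",
    "@400000004a5dcef100000000 " + REJECT % "202.157.70.55:51234",
    "@400000004a5dcef600000000 " + REJECT % "202.157.70.55:51234",
]

if __name__ == "__main__":
    print("first stamp decodes to", parse_tai64n(SAMPLE_LOG[0].split()[0]))
    for name, pattern in (("posted", FAILREGEX_POSTED), ("strict", FAILREGEX_STRICT)):
        banned, not_an_ip = would_ban(SAMPLE_LOG, compile_failregex(pattern))
        print(name, "bans", sorted(banned), "unusable hosts", not_an_ip)
```

Run as a script it shows the posted regex banning 187.4.68.30 after the third reject within findtime, while every 202.157.70.55 line is matched but yields the host "202.157.70.55:51234", which is not an address fail2ban can ban; the strict pattern bans both. That is the symptom the thread describes, matches in fail2ban-regex but no bans, so besides the timestamp, checking what the host group actually captures (and whether fail2ban.log warns about a host it cannot turn into an IP address) is a cheap diagnostic. The timestamp decode is only as accurate as the TAI-UTC offset: tai64nlocal without /etc/leapsecs.dat subtracts 10 s, a maintained table subtracts 34 s for 2009.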