LinuxQuestions.org
Old 02-13-2019, 10:04 AM   #1
bulletproof.rs
Member
 
Registered: Jun 2011
Posts: 47

Rep: Reputation: Disabled
Help figuring out fail2ban regex for postfix


Hey everyone.

I need help figuring out the regex that I should use for fail2ban to ban the IP addresses of attackers.
I don't know whether I should put this in Linux - Security or Linux - Server, so sorry.

I am using Debian 9.7.
Postfix package and fail2ban installed from repo.

I have aaaaaaa looot of logs like this

Code:
Feb 13 17:03:01 smarthost-net-2 postfix/postscreen[16496]: NOQUEUE: reject: RCPT from [188.255.159.9]:37058: 550 5.7.1 Service unavailable; client [188.255.159.9] blocked using dyna.spamrats.com; from=<mufds@throwawaymail.com>, to=<sophie0811@live.fr>, proto=ESMTP, helo=<throwawaymail.com>
Feb 13 17:03:01 smarthost-net-2 postfix/postscreen[16496]: PREGREET 24 after 0.19 from [217.169.214.225]:35116: EHLO throwawaymail.com\r\n
Feb 13 17:03:01 smarthost-net-2 postfix/postscreen[16496]: DNSBL rank 1 for [217.169.214.225]:35116
Feb 13 17:03:01 smarthost-net-2 postfix/postscreen[16496]: NOQUEUE: reject: RCPT from [217.169.214.225]:46135: 550 5.7.1 Service unavailable; client [217.169.214.225] blocked using zen.spamhaus.org; from=<lljrvlgiem@throwawaymail.com>, to=<babs1901@msn.com>, proto=ESMTP, helo=<throwawaymail.com>
Feb 13 17:03:01 smarthost-net-2 postfix/postscreen[16496]: NOQUEUE: reject: RCPT from [188.255.152.32]:35768: 550 5.7.1 Service unavailable; client [188.255.152.32] blocked using dyna.spamrats.com; from=<nzgjo@throwawaymail.com>, to=<mcdrmr84@yahoo.com>, proto=ESMTP, helo=<throwawaymail.com>
Feb 13 17:03:01 smarthost-net-2 postfix/postscreen[16496]: NOQUEUE: reject: RCPT from [188.255.159.9]:37058: 550 5.7.1 Service unavailable; client [188.255.159.9] blocked using dyna.spamrats.com; from=<mufds@throwawaymail.com>, to=<elbenito@live.fr>, proto=ESMTP, helo=<throwawaymail.com>
Feb 13 17:03:01 smarthost-net-2 postfix/postscreen[16496]: NOQUEUE: reject: RCPT from [217.169.214.225]:46135: 550 5.7.1 Service unavailable; client [217.169.214.225] blocked using zen.spamhaus.org; from=<lljrvlgiem@throwawaymail.com>, to=<jcyounkin@msn.com>, proto=ESMTP, helo=<throwawaymail.com>
I wanted to ban them using fail2ban. I have enabled postfix-rbl in jail.conf.
I have edited failregex to look more like this:

Code:
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 550 5\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 550 5\.7\.1 Service unavailable; client \[\S+\] blocked using .* from=<\S*>, to=<\S+>, proto=ESMTP, helo=<\S*>$
And whenever I try testing it with fail2ban-regex it's not working... And it's not even banning users.
Any help would be appreciated!

EDIT:
So, I have managed to get this working by modifying the regex: removing __prefix_line and replacing \S+ with (.*). Here is the failregex now:
Code:
NOQUEUE: reject: RCPT from (.*)\[<HOST>\]:(.*) 550 5.7.1 Service unavailable; client \[(.*)\] blocked using .* from=<.*>, to=<.*>, proto=ESMTP, helo=<.*>
I have also tried the same method with prefix_line but it definitely does not work. So there has to be something improperly formatted in prefix_line... But never mind.

Last edited by bulletproof.rs; 02-13-2019 at 11:24 AM. Reason: Found a solution
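As an added check (not from the post or from fail2ban itself) of why the first failregex never matched the postscreen lines and what a pattern that follows the actual line format looks like: the `<HOST>` expansion is fail2ban's classic one, while the `__prefix_line` stand-in is a simplified assumption (the real one in common.conf is more permissive and fail2ban strips the timestamp itself), and the log lines are constructed with documentation addresses. fail2ban-regex against the real filter remains the authoritative test.

```python
import re
from collections import Counter

# Constructed sample postscreen lines in the format shown in the post
# (RFC 5737 documentation addresses and example.* mailboxes stand in for real ones).
SAMPLE_LOG = [
    "Feb 13 17:03:01 smarthost-net-2 postfix/postscreen[16496]: NOQUEUE: reject: RCPT from [192.0.2.10]:37058: 550 5.7.1 Service unavailable; client [192.0.2.10] blocked using dyna.spamrats.com; from=<a@example.com>, to=<b@example.net>, proto=ESMTP, helo=<example.com>",
    "Feb 13 17:03:01 smarthost-net-2 postfix/postscreen[16496]: PREGREET 24 after 0.19 from [192.0.2.11]:35116: EHLO example.com\\r\\n",
    "Feb 13 17:03:01 smarthost-net-2 postfix/postscreen[16496]: DNSBL rank 1 for [192.0.2.11]:35116",
    "Feb 13 17:03:01 smarthost-net-2 postfix/postscreen[16496]: NOQUEUE: reject: RCPT from [192.0.2.11]:46135: 550 5.7.1 Service unavailable; client [192.0.2.11] blocked using zen.spamhaus.org; from=<c@example.com>, to=<d@example.org>, proto=ESMTP, helo=<example.com>",
    "Feb 13 17:03:01 smarthost-net-2 postfix/postscreen[16496]: NOQUEUE: reject: RCPT from [192.0.2.10]:37058: 550 5.7.1 Service unavailable; client [192.0.2.10] blocked using dyna.spamrats.com; from=<a@example.com>, to=<e@example.net>, proto=ESMTP, helo=<example.com>",
]

# fail2ban's classic expansion of the <HOST> tag (newer releases use a longer IPv6-aware one).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Assumed, simplified stand-in for __prefix_line: syslog timestamp, hostname, "daemon[pid]: ".
PREFIX_LINE = r"\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ \S+\[\d+\]: "

def build(failregex: str) -> re.Pattern:
    """Expand <HOST> and the __prefix_line placeholder the way a jail filter would."""
    return re.compile(failregex.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST_TAG))

# The pattern from the post: expects a hostname before "[<HOST>]", no port after it, "Client host",
# and space-separated fields, none of which postscreen writes.
ORIGINAL = build(r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 550 5\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$")

# Corrected to the real postscreen line: "[ip]:port", lowercase "client", comma-separated fields.
FIXED = build(r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \[<HOST>\]:\d+: 550 5\.7\.1 Service unavailable; client \[\S+\] blocked using \S+; from=<\S*>, to=<\S+>, proto=ESMTP, helo=<\S*>$")

def matched_hosts(pattern: re.Pattern, lines) -> Counter:
    """Count <host> captures per address, i.e. what fail2ban would count toward maxretry."""
    hits = Counter()
    for line in lines:
        m = pattern.match(line)
        if m:
            hits[m.group("host")] += 1
    return hits

def hosts_to_ban(pattern: re.Pattern, lines, maxretry: int = 2) -> list:
    """Addresses whose hit count reaches maxretry (findtime is ignored here)."""
    return sorted(h for h, n in matched_hosts(pattern, lines).items() if n >= maxretry)

if __name__ == "__main__":
    print("original:", dict(matched_hosts(ORIGINAL, SAMPLE_LOG)))
    print("fixed:   ", dict(matched_hosts(FIXED, SAMPLE_LOG)), "ban:", hosts_to_ban(FIXED, SAMPLE_LOG))
```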
 
Old 02-13-2019, 11:28 AM   #2
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.6
Posts: 2,889

Rep: Reputation: 1001
You want to block IPs that are already being blocked by spamhaus and spamrats?

EDIT: Glad you got it working. Please mark your thread [SOLVED]

Last edited by scasey; 02-13-2019 at 11:29 AM.
 
Old 02-13-2019, 01:05 PM   #3
bulletproof.rs
Member
 
Registered: Jun 2011
Posts: 47

Original Poster
Rep: Reputation: Disabled
Yeah, because there are way too many hits in the log file. It grows to over 50GB in a day if I just leave it at that.
Btw, I don't know if it's related or not, but I have an issue with the fail2ban rule now.

It will ban perfectly fine.
When it's time to expire, it will remove the rule from iptables but will not add it again.
Basically the log file of fail2ban looks like this:

Code:
2019-02-13 20:03:50,558 fail2ban.actions        [4924]: NOTICE  [postfix-rbl] 217.169.214.225 already banned
2019-02-13 20:03:50,574 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:50,625 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:50,666 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:50,752 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:50,770 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:50,836 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:50,861 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,132 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,173 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.151.62
2019-02-13 20:03:51,216 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,315 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,410 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,497 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,560 fail2ban.actions        [4924]: NOTICE  [postfix-rbl] 217.169.214.225 already banned
2019-02-13 20:03:51,581 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,604 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.151.62
2019-02-13 20:03:51,751 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.148.30
2019-02-13 20:03:51,860 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:51,961 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:52,514 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:52,561 fail2ban.actions        [4924]: NOTICE  [postfix-rbl] 217.169.214.225 already banned
2019-02-13 20:03:52,602 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:52,689 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:52,776 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:52,868 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:52,952 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:53,141 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:53,238 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:53,317 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:53,325 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:53,411 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:53,490 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:53,563 fail2ban.actions        [4924]: NOTICE  [postfix-rbl] 188.255.152.32 already banned
2019-02-13 20:03:53,577 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:53,585 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:53,671 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:53,707 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:53,765 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:53,773 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:53,854 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.201
2019-02-13 20:03:53,865 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
2019-02-13 20:03:53,908 fail2ban.filter         [4924]: INFO    [postfix-rbl] Found 188.255.159.5
If I restart fail2ban it will work just fine; it will ban the IP address again, but... when time passes, it will just remove it from iptables and do it all over again...

Should I open a new thread because of this?
 