On 9/8/2011 7:00 μμ, centos-request@centos.org wrote:
Hello list. I have a question for fail2ban for bad logins on sasl. I use sasl, sendmail and cyrus-imapd. In jail.conf I use the following syntax:
[sasl-iptables]
enabled = true filter = sasl backend = polling action = iptables[name=sasl, port=smtp, protocol=tcp] sendmail-whois[name=sasl, dest=my@email] logpath = /var/log/maillog maxretry = 6
and the following filter:
failregex = (?i): warning: [-._\w]+[<HOST>]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
in iptables:
fail2ban-sasl tcp -- anywhere anywhere tcp dpt:smtp ...
Chain fail2ban-sasl (2 references) target prot opt source destination RETURN all -- anywhere anywhere
The problem is that never ban bad logins.
I tried to change action as port="imap,imaps,pop3,pop3s,smtp" but nothing change.
Can somebody help me?
Thank you, Nikos
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Hello Nikos, I have nearly the same regex as you:
failregex = : warning: [-._\w]+[<HOST>]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed.* and it works with fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sasl.conf
Gru?
Hello list I change failregex and finally show results!
failregex = : badlogin: [-._\w]+ [<HOST>] plaintext [A-Za-z0-9+/] SASL(-13): authentication failure: checkpass failed
fail2ban-regex find hits. However, although a line added in iptables and I recieve an email that show the ban ip address, badlogins still continuing from the same IP.
iptables -L:
Chain INPUT (policy ACCEPT) target prot opt source destination fail2ban-sasl tcp -- anywhere anywhere tcp dpt:smtp fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh ...
Chain fail2ban-sasl (1 references) target prot opt source destination DROP all -- [ip.ip.ip.ip] anywhere RETURN all -- anywhere anywhere
What is wrong now?
Thank you Nikos
-
Nikos Gatsis - Qbit