[CentOS] fail2ban help

Nikos Gatsis - Qbit ngatsis at qbit.gr
Wed Aug 10 12:13:31 UTC 2011



On 9/8/2011 7:00 PM, centos-request at centos.org wrote:
>> > Hello list.
>> > I have a question for fail2ban for bad logins on sasl.
>> > I use sasl, sendmail and cyrus-imapd.
>> > In jail.conf I use the following syntax:
>> > 
>> > [sasl-iptables]
>> > 
>> > enabled  = true
>> > filter   = sasl
>> > backend  = polling
>> > action   = iptables[name=sasl, port=smtp, protocol=tcp]
>> >            sendmail-whois[name=sasl, dest=my at email]
>> > logpath  = /var/log/maillog
>> > maxretry = 6
>> > 
>> > and the following filter:
>> > 
>> > failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
>> > 
>> > in iptables:
>> > 
>> > fail2ban-sasl  tcp  --  anywhere             anywhere            tcp dpt:smtp
>> > ...
>> > 
>> > Chain fail2ban-sasl (2 references)
>> > target     prot opt source               destination
>> > RETURN     all  --  anywhere             anywhere
>> > 
>> > 
>> > The problem is that it never bans bad logins.
>> > 
>> > I tried to change the action to port="imap,imaps,pop3,pop3s,smtp" but
>> > nothing changes.
>> > 
>> > Can somebody help me?
>> > 
>> > Thank you,
>> > Nikos
>> > 
>> > 
>> > 
>> > _______________________________________________
>> > CentOS mailing list
>> > CentOS at centos.org
>> > http://lists.centos.org/mailman/listinfo/centos
> Hello Nikos,
> I have nearly the same regex as you:
>
> failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed.*
> and it works with
> fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sasl.conf
>  
>  
> Regards
Hello list
I changed the failregex and it finally shows results!

# one-or-more quantifier after the username class, so usernames longer than one character match
failregex = : badlogin: [-._\w]+ \[<HOST>\] plaintext [A-Za-z0-9+/]+ SASL\(-13\): authentication failure: checkpass failed

fail2ban-regex finds hits.
However, although a line is added in iptables and I receive an email that
shows the banned IP address, bad logins still continue from the same IP.

iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-sasl  tcp  --  anywhere             anywhere            tcp dpt:smtp
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh
...

Chain fail2ban-sasl (1 references)
target     prot opt source               destination
DROP       all  --  [ip.ip.ip.ip]  anywhere
RETURN     all  --  anywhere             anywhere


What is wrong now?

Thank you
Nikos
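Two things in the thread are worth checking before blaming the regex. First, the two failregex variants match different log formats: the `warning: host[ip]: SASL ... authentication failed` pattern is the shape Postfix's smtpd writes, while the `badlogin:` lines in the second post come from cyrus-imapd, which is why the first filter found nothing on a sendmail/cyrus box. Second, the `iptables -L` output shows the `fail2ban-sasl` chain hooked only for `tcp dpt:smtp`, yet cyrus `badlogin` events are IMAP/POP3 logins, so a DROP in that chain never touches the traffic that produced the log lines; the earlier attempt with `port="imap,imaps,pop3,pop3s,smtp"` evidently did not take, and a comma-separated port list needs the `iptables-multiport` action (`-m multiport --dports`) rather than `iptables` (`--dport`). The script below is an added example, not code from the thread or from fail2ban: it replays what `fail2ban-regex` does on a few constructed maillog lines (RFC 5737 addresses), expanding `<HOST>` the way the fail2ban 0.8 series does (the expansion is quoted from memory and is an assumption), and shows that the regex as posted, with a single-character class for the username, only matches one-character usernames, while the same regex with a `+` quantifier counts every failure and crosses the jail's `maxretry` threshold.

```python
import re
from collections import Counter

# fail2ban 0.8 expands the <HOST> tag to roughly this named group
# (assumption: recalled from the 0.8 filter code, not taken from the thread).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"


def compile_failregex(failregex: str) -> re.Pattern:
    """Turn a fail2ban failregex into a Python regex, as fail2ban-regex does."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


# Postfix-style pattern from the original sasl filter (second reply in the thread).
SASL_POSTFIX = (
    r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) "
    r"authentication failed.*"
)
# cyrus-imapd pattern as posted: a single-character class between "plaintext" and "SASL".
CYRUS_AS_POSTED = (
    r": badlogin: [-._\w]+ \[<HOST>\] plaintext [A-Za-z0-9+/] "
    r"SASL\(-13\): authentication failure: checkpass failed"
)
# Same pattern with a quantifier so usernames of any length match.
CYRUS_FIXED = (
    r": badlogin: [-._\w]+ \[<HOST>\] plaintext [A-Za-z0-9+/]+ "
    r"SASL\(-13\): authentication failure: checkpass failed"
)

# Constructed sample /var/log/maillog lines (not from the thread). The first four are
# cyrus-imapd badlogin lines, the fifth is a Postfix-format SASL warning, the last a
# successful login that must not count.
SAMPLE_LOG = """\
Aug 10 12:00:01 mx imap[2101]: badlogin: host.example.net [192.0.2.10] plaintext bob SASL(-13): authentication failure: checkpass failed
Aug 10 12:00:02 mx imap[2101]: badlogin: host.example.net [192.0.2.10] plaintext bob SASL(-13): authentication failure: checkpass failed
Aug 10 12:00:03 mx pop3[2102]: badlogin: host.example.net [192.0.2.10] plaintext alice SASL(-13): authentication failure: checkpass failed
Aug 10 12:00:04 mx imap[2101]: badlogin: other.example.org [198.51.100.7] plaintext a SASL(-13): authentication failure: checkpass failed
Aug 10 12:00:05 mx postfix/smtpd[2200]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Aug 10 12:00:06 mx imap[2101]: login: host.example.net [192.0.2.10] bob plaintext User logged in
"""


def hits(failregex: str, log: str = SAMPLE_LOG) -> list[str]:
    """Host captured from every line the failregex matches (what fail2ban-regex lists)."""
    rx = compile_failregex(failregex)
    return [m.group("host") for line in log.splitlines() if (m := rx.search(line))]


def hosts_to_ban(failregex: str, maxretry: int, log: str = SAMPLE_LOG) -> list[str]:
    """Hosts whose failure count reaches the jail's maxretry (ignoring findtime)."""
    counts = Counter(hits(failregex, log))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in [("postfix sasl", SASL_POSTFIX),
                     ("cyrus as posted", CYRUS_AS_POSTED),
                     ("cyrus fixed", CYRUS_FIXED)]:
        print(f"{name:16s} hits={hits(rx)}  ban(maxretry=3)={hosts_to_ban(rx, 3)}")
```

Running it shows the Postfix pattern matching only the Postfix-format line, the regex as posted matching only the one-character username, and the fixed regex attributing three failures to 192.0.2.10. Even with the counting right, the ban is effective only if the action covers the ports the failures came in on: `iptables-multiport[name=sasl, port="imap,imaps,pop3,pop3s,smtp", protocol=tcp]` is the 0.8 action that takes such a list.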