[CentOS] fail2ban help
Nikos Gatsis - Qbit
ngatsis at qbit.gr
Wed Aug 10 12:13:31 UTC 2011
On 9/8/2011 7:00 PM, centos-request at centos.org wrote:
>> > Hello list.
>> > I have a question for fail2ban for bad logins on sasl.
>> > I use sasl, sendmail and cyrus-imapd.
>> > In jail.conf I use the following syntax:
>> >
>> > [sasl-iptables]
>> >
>> > enabled = true
>> > filter = sasl
>> > backend = polling
>> > action = iptables[name=sasl, port=smtp, protocol=tcp]
>> > sendmail-whois[name=sasl, dest=my at email]
>> > logpath = /var/log/maillog
>> > maxretry = 6
>> >
>> > and the following filter:
>> >
>> > failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL
>> > (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:
>> > [A-Za-z0-9+/]*={0,2})?$
>> >
>> > in iptables:
>> >
>> > fail2ban-sasl tcp -- anywhere anywhere tcp
>> > dpt:smtp
>> > ...
>> >
>> > Chain fail2ban-sasl (2 references)
>> > target prot opt source destination
>> > RETURN all -- anywhere anywhere
>> >
>> >
>> > The problem is that it never bans bad logins.
>> >
>> > I tried to change action as port="imap,imaps,pop3,pop3s,smtp" but
>> > nothing changes.
>> >
>> > Can somebody help me?
>> >
>> > Thank you,
>> > Nikos
>> >
>> >
>> >
>> > _______________________________________________
>> > CentOS mailing list
>> > CentOS at centos.org
>> > http://lists.centos.org/mailman/listinfo/centos
> Hello Nikos,
> I have nearly the same regex as you:
>
> failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed.*
> and it works with
> fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sasl.conf
>
>
> Regards
Hello list,
I changed failregex and finally it shows results!
failregex = : badlogin: [-._\w]+ \[<HOST>\] plaintext [A-Za-z0-9+/]
SASL\(-13\): authentication failure: checkpass failed
fail2ban-regex finds hits.
However, although a line was added in iptables and I receive an email that
shows the banned IP address, bad logins are still continuing from the same IP.
iptables -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-sasl tcp -- anywhere anywhere tcp
dpt:smtp
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
...
Chain fail2ban-sasl (1 references)
target prot opt source destination
DROP all -- [ip.ip.ip.ip] anywhere
RETURN all -- anywhere anywhere
What is wrong now?
Thank you
Nikos
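An added example (not from the thread or from fail2ban itself) that applies the two failregex patterns quoted in this thread to constructed maillog lines the way fail2ban does: the `<HOST>` tag is expanded to a named group, each matching line counts as one failure, and hosts that reach `maxretry = 6` are listed. The `HOST_TAG` expansion, the `+` quantifier on the cyrus username class, and all log lines are assumptions or constructed samples; `fail2ban-regex` against the real /var/log/maillog remains the authoritative check.

```python
import re
from collections import Counter

# fail2ban expands the <HOST> tag to a named group; this is the expansion
# used by the 0.8.x series (assumed here, not quoted in the thread).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two failregex patterns quoted in the thread: the cyrus-imapd badlogin
# line and the SASL warning line.  The thread's cyrus pattern is wrapped and
# shows no quantifier after the username class; the '+' is assumed here.
FAILREGEXES = [
    r": badlogin: [-._\w]+ \[<HOST>\] plaintext [A-Za-z0-9+/]+ "
    r"SASL\(-13\): authentication failure: checkpass failed",
    r": warning: [-._\w]+\[<HOST>\]: SASL "
    r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed.*",
]
COMPILED = [re.compile(rx.replace("<HOST>", HOST_TAG)) for rx in FAILREGEXES]

# Constructed sample maillog lines (not a real log): six cyrus failures from
# one address, two SASL warnings from another, and one successful login.
SAMPLE_MAILLOG = [
    f"Aug 10 12:0{i}:00 mail imap[2231]: badlogin: host1.example.net "
    "[192.0.2.10] plaintext admin SASL(-13): authentication failure: "
    "checkpass failed"
    for i in range(6)
] + [
    "Aug 10 12:10:00 mail sendmail[2240]: warning: unknown[198.51.100.7]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Aug 10 12:11:00 mail sendmail[2240]: warning: unknown[198.51.100.7]: "
    "SASL PLAIN authentication failed",
    "Aug 10 12:12:00 mail imap[2231]: login: host2.example.net "
    "[203.0.113.5] bob plaintext User logged in",
]


def find_failures(lines):
    """Count matching failure lines per <HOST>, like fail2ban-regex does."""
    hits = Counter()
    for line in lines:
        for rx in COMPILED:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # one failure per log line, even if several patterns match
    return hits


def hosts_to_ban(lines, maxretry=6):
    """Hosts whose failure count reached the jail's maxretry (6 in the thread)."""
    return sorted(h for h, n in find_failures(lines).items() if n >= maxretry)
```

With the sample above only 192.0.2.10 reaches the threshold; 198.51.100.7 has two hits and stays unbanned, which is the same accounting fail2ban applies before it ever touches iptables.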