Fail2Ban automatic or something to do with SASL attack

Hi there…

Someone, or many, are trying to get into my server… so I want something to protect myself from SASL attacks, floods, SSH, Webmin/Usermin, brute force generally… is there something I can do…?

I have Virtualmin on Debian 9… any idea?

Thanks in advance…

Have you seen this?

I've seen it now! :slight_smile: but…

  • I already have SSL
  • I am looking to enable 2FA for Webmin… etc…
  • what about SASL attacks / brute force at Postfix - Fail2Ban - I've enabled it but it is not banning/blocking IPs - is there a tutorial for Virtualmin (or something I can do?)…

Thanks in advance…

Assuming Fail2Ban is enabled and has default configuration; in Webmin -> Networking -> Fail2Ban Intrusion Detector, click Filter Action Jails and see list of jails

Click Postfix-SASL to see the edit jail screen. Set Currently enabled? to yes. Set Filter to search log for: select Postfix-SASL from dropdown. For Actions to apply set Action to iptables-allports; name to postfix-sasl; port to 0:65535; protocol to TCP. Log file path should already be set to %(postfix_log)s. Leave the other settings to default for now. Hit Save.

Do a similar configuration for webmin-auth, postfix, dovecot and any other services you feel you need to protect against brute force attacks.

Restart Fail2ban. After a few minutes, check if offending IPs are being jailed:

sudo fail2ban-client status postfix-sasl

2 Likes
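How the counters printed by `fail2ban-client status` for a jail like the one configured above come about, as an added illustration that is not part of the thread and is not Fail2Ban's own code: a simplified Python model of a jail run over constructed log lines. The regex, `maxretry=3`, `findtime=600` and the sample log are assumptions chosen for the example, and ban expiry is not modelled.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for the postfix-sasl filter (assumption, not Fail2Ban's shipped regex).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed")

# Constructed log lines (documentation IP ranges), in chronological order.
SAMPLE_LOG = """\
Mar  3 09:40:00 mail postfix/smtpd[700]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:00:01 mail postfix/smtpd[811]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:00:09 mail postfix/smtpd[811]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed:
Mar  3 10:00:20 mail postfix/smtpd[811]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:00:30 mail postfix/smtpd[812]: connect from unknown[198.51.100.7]
Mar  3 10:01:00 mail postfix/smtpd[812]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:02:00 mail postfix/smtpd[813]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

def jail_status(log_text, maxretry=3, findtime=600, year=2020):
    """Model of one jail: returns the counters the status command reports."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)        # ip -> failure times still inside findtime
    total_failed, banned, now = 0, [], None
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue                   # lines the filter does not match are ignored
        # syslog timestamps carry no year, so one is supplied for parsing
        now = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        total_failed += 1              # "Total failed": every matched line
        q = recent[m["ip"]]
        q.append(now)
        while now - q[0] > window:     # failures older than findtime drop out
            q.popleft()
        if len(q) >= maxretry:         # maxretry failures within findtime: ban
            if m["ip"] not in banned:
                banned.append(m["ip"])
            q.clear()                  # in this model a ban resets that IP's counter
    # "Currently failed": matched failures still being tracked at the last log time
    current = sum(1 for q in recent.values() for t in q if now - t <= window)
    return {"currently_failed": current, "total_failed": total_failed, "banned": banned}

if __name__ == "__main__":
    print(jail_status(SAMPLE_LOG))
```

In this model a non-zero "failed" count means the filter matched failed logins from addresses that have not reached `maxretry` within `findtime`, so they are counted but not banned.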

what is ? :grinning: :upside_down_face:

Lol, that’s a typo. Correcting, thanks.

1 Like

For those using CSF on CentOS I can suggest this:

https://www.24k.com.sg/blog/csf-setting-to-catch-sasl-login-authentication-failed-on-centos

It solved the bruteforce flooding in my case

Seems to be working well with the Fail2Ban settings calport gave me! :slight_smile:

sudo fail2ban-client status postfix-sasl
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 3
|  `- File list: /var/log/mail.warn
`- Actions
   |- Currently banned: 42
   |- Total banned: 42
   `-

What does that "failed" mean…?

Is it failing maybe because that IP is already blocked by the route reject command (I've already blocked some IP ranges)???

Or is it failing for another reason???

This is what I see on my system:

Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed:	7
|  |- Total failed:	73
|  `- Journal matches:	_SYSTEMD_UNIT=postfix.service
`- Actions
   |- Currently banned:	23
   |- Total banned:	37
   `- Banned IP list:	46.38.145.251 46.38.145.250 46.38.145.253 46.38.145.252 185.143.73.84 185.143.73.157 185.143.73.171 185.143.73.152 185.143.73.175 185.143.73.134 185.143.73.48 185.143.73.41 185.143.73.62 46.38.145.247 185.143.73.103 185.143.73.93 185.143.73.148 185.143.73.250 185.143.73.142 212.70.149.19 185.143.73.33 185.143.73.58 185.143.73.162

…Why am I having fails… what does that mean?..
