Fail2ban postfix/sasl - I am having a lot of spammers trying

**Operating system:** Debian
**OS version:** 10 - Virtualmin 6.1.5

Well, I am trying to set up Fail2ban… better…
but always some IP passes smtpd without being banned (and keeps trying)…

Mar 18 08:16:22 m***** postfix/smtpd[29171]: warning: unknown[87.246.7.226]: SASL LOGIN authentication failed: authentication failure

My postfix.conf is:

```ini
# Fail2Ban filter for selected Postfix SMTP rejections
#
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
_port = (?::\d+)?

prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$

mdpr-normal = (?:NOQUEUE: reject:|improper command pipelining after \S+)
mdre-normal=^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.1 (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.1 (<[^>]*>)?: Helo command rejected: Host not found\b
            ^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.2 (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
            ^VRFY from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.8 (<[^>]*>)?: Sender address rejected: Domain not found\b
            ^from [^[]*\[<HOST>\]%(_port)s:?

mdpr-auth = warning:
mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
mdre-auth2= ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
# todo: check/remove "Invalid authentication mechanism" from ignore list, if gh-1243 will get finished (see gh-1297).

# Mode "rbl" currently included in mode "normal", but if needed for jail "postfix-rbl" only:
mdpr-rbl = %(mdpr-normal)s
mdre-rbl = ^RCPT from [^[]*\[<HOST>\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b

# Mode "rbl" currently included in mode "normal" (within 1st rule)
mdpr-more = %(mdpr-normal)s
mdre-more = %(mdre-normal)s

mdpr-ddos = lost connection after(?! DATA) [A-Z]+
mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?

mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
mdre-extra = %(mdre-auth)s
             %(mdre-normal)s

mdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s)
mdre-aggressive = %(mdre-auth2)s
                  %(mdre-normal)s

failregex = <mdre-<mode>>

# Parameter "mode": more (default combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
# Usage example (for jail.local):
#   [postfix]
#   mode = aggressive
#   # or another jail (rewrite filter parameters of jail):
#   [postfix-rbl]
#   filter = postfix[mode=rbl]
#
mode = more

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service

# Author: Cyril Jaquier
```
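To see what this filter actually does with a line like the one quoted at the top of the thread, here is an added example (not part of the original post and not fail2ban's own code) that runs the two-stage match fail2ban performs in mode "auth": first the prefregex (prefix line plus mdpr-auth, i.e. "warning:") isolates the message content, then mdre-auth is applied to that content to pull out the client address. The prefix expression is a simplified stand-in for `__prefix_line` from common.conf, `<HOST>` is replaced by a plain bracketed capture, and the inline `(?i)` is written in the scoped form `(?i:...)` that current Python versions require; those three simplifications are mine, everything else follows the regexes above. Sample lines other than the first are constructed.

```python
import re

# Simplified stand-in for fail2ban's __prefix_line (common.conf): syslog
# timestamp, hostname, then the postfix daemon name and pid. This is an
# approximation written for this example, not fail2ban's actual expression.
_DAEMON = r"postfix(?:-\w+)?/\w+(?:/smtp[ds])?"
PREFIX_LINE = r"^\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ " + _DAEMON + r"\[\d+\]: "
_PORT = r"(?::\d+)?"

# Stage 1: prefregex for mode "auth". mdpr-auth is "warning:"; whatever
# follows it is the content the failregex is run against (<F-CONTENT>).
PREFREGEX_AUTH = re.compile(PREFIX_LINE + r"warning: (?P<content>.+)$")

# Stage 2: mdre-auth. <HOST> becomes a plain bracketed capture, and the
# inline "(?i)" is rewritten as the scoped "(?i:...)" that Python 3.11+ accepts.
FAILREGEX_AUTH = re.compile(
    r"^[^[]*\[(?P<host>[^\]]+)\]" + _PORT +
    r": SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:"
    r"(?! Connection lost to authentication server| Invalid authentication mechanism)"
)


def match_auth_failure(line):
    """Return the client address if the line counts as a SASL auth failure, else None."""
    pre = PREFREGEX_AUTH.match(line)
    if not pre:
        return None
    m = FAILREGEX_AUTH.match(pre.group("content"))
    return m.group("host") if m else None


# Constructed sample log. The first line is the one quoted in the question; the
# others are made up to exercise the submission daemon name, the optional port
# suffix, the negative lookahead, and a non-auth rejection that mode "auth" ignores.
SAMPLE_LOG = [
    "Mar 18 08:16:22 mail postfix/smtpd[29171]: warning: unknown[87.246.7.226]: "
    "SASL LOGIN authentication failed: authentication failure",
    "Mar 18 08:16:30 mail postfix/submission/smtpd[29180]: warning: host.example[198.51.100.7]:41234: "
    "SASL PLAIN authentication failed: authentication failure",
    "Mar 18 08:16:35 mail postfix/smtpd[29171]: warning: unknown[192.0.2.10]: "
    "SASL LOGIN authentication failed: Connection lost to authentication server",
    "Mar 18 08:16:40 mail postfix/smtpd[29171]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: "
    "554 5.7.1 Service unavailable",
]


def hosts_found(lines):
    """Addresses the auth-mode filter would report as 'Found', in log order."""
    return [h for h in (match_auth_failure(line) for line in lines) if h]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_auth_failure(line) or "(ignored)", "<-", line[:72])
```

The third sample line is deliberately not counted: the negative lookahead in mdre-auth excludes "Connection lost to authentication server", because that message points at a broken local auth backend rather than at the client, and counting it would ban innocent users whenever the SASL service hiccups.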


When I run: fail2ban-client status postfix-sasl

```
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed: 7
|  |- Total failed:     6454
|  `- File list:        /var/log/mail.log
`- Actions
   |- Currently banned: 16
   |- Total banned:     54
   `- Banned IP list:   212.70.149.55 212.70.149.71 77.40.3.8 78.128.113.131 87.246.7.226 …
```

but some IPs keep trying, more than 3 and 10 and 1000 times…

My config at jail:

Are those commands (iptables-allports) blocking? Do I need something better like route/reject… At other-parameters, do I need to type something?

Yesterday I had 4GB of mail logs… :frowning:

Thanks in advance…
Hope to find a solution… I have only 4 mail accounts and I'm having problems… :frowning:

Could you expand upon this please? When you say IPs pass smtpd, are these IPs sending out email from your system or are the IPs attempting to brute-force login to your system?

The screenshot: Virtualmin (full / non-minimal install) configures fail2ban with sensible defaults. I have used these defaults on all my servers and they do the job just fine. However, I notice that you have deviated from Virtualmin default settings for fail2ban. Are you sure you know what you are doing when you deviate from default settings or are you experimenting and your experiments have broken / impeded performance of fail2ban on your system?

What is the exact problem that you wish to solve?

It seems that they are trying to connect…

When you say deviated… what are the defaults for maximum security?
Maybe I tried to experiment through internet blogs, copy-pasting some configurations for better security… but some IPs… keep trying and trying…

In Fail2ban settings > Edit Match Action… iptables-allports, I have this:
Command to ban an IP: <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
Is it being rejected from fail2ban, or must I use it in other parameters somehow (in the jail config)?

By the way, in Filter Action Jails I have all postfix options selected/enabled… with the same options in the jail config… is that right?

Do I need a better/clearer postfix.cf - is there something I can use?
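Whether that ban command is really taking effect can be read directly from the firewall. The iptables-allports action creates a chain named f2b-<name> when the jail starts, inserts a jump to it from INPUT, and then adds one -s <ip> -j <blocktype> rule per banned address, so a ban is only effective when all three pieces are present. The following added example (my own diagnostic, not part of this thread and not fail2ban's code) parses the output of iptables -S and checks those three conditions for one jail and one address; the two rule sets are constructed samples, one healthy and one where the chain exists but nothing in INPUT jumps to it, which is what you see after something else has flushed or rebuilt the INPUT chain.

```python
import re

# Constructed sample: what `iptables -S` shows when the iptables-allports
# action for jail "postfix-sasl" is fully in place and one address is banned.
HEALTHY = """
-P INPUT ACCEPT
-N f2b-postfix-sasl
-A INPUT -p tcp -j f2b-postfix-sasl
-A f2b-postfix-sasl -s 87.246.7.226/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -j RETURN
"""

# Constructed sample: the jail's chain and ban rule survive, but the jump from
# INPUT is gone, so traffic never reaches the REJECT rule and the "ban" is a no-op.
ORPHANED = """
-P INPUT ACCEPT
-N f2b-postfix-sasl
-A f2b-postfix-sasl -s 87.246.7.226/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -j RETURN
"""

_JUMP_RE = re.compile(r"^-A INPUT\b.*\s-j (\S+)$")


def check_f2b_chain(rules, jail, ip):
    """Evaluate the three conditions a fail2ban iptables-allports ban depends on.

    rules: text as printed by `iptables -S`
    jail:  jail name, e.g. "postfix-sasl" (chain is f2b-<jail>)
    ip:    address expected to be banned
    """
    chain = "f2b-" + jail
    lines = [l.strip() for l in rules.splitlines() if l.strip()]
    ban_re = re.compile(r"^-A %s -s %s(?:/32)? -j (?:REJECT|DROP)\b"
                        % (re.escape(chain), re.escape(ip)))

    chain_exists = any(l == "-N " + chain for l in lines)
    hooked = any(m and m.group(1) == chain for m in map(_JUMP_RE.match, lines))
    ip_blocked = any(ban_re.match(l) for l in lines)

    return {
        "chain_exists": chain_exists,
        "hooked_into_input": hooked,
        "ip_blocked": ip_blocked,
        # Only when all three hold does a new connection from ip get rejected.
        "ban_effective": chain_exists and hooked and ip_blocked,
    }


if __name__ == "__main__":
    for label, rules in (("healthy", HEALTHY), ("orphaned", ORPHANED)):
        print(label, check_f2b_chain(rules, "postfix-sasl", "87.246.7.226"))
```

On a real host you would feed it `subprocess.run(["iptables", "-S"], capture_output=True, text=True).stdout` instead of the embedded samples. Note the caveat the check cannot see: a ban only affects new connections, so a client that already holds an open SMTP session can keep failing AUTH on that session until Postfix drops it, even when all three conditions are green.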

On a production system, if you must experiment with tips and tricks that you read about in sundry blogs then you need to keep a log of changes that you make so that you can come back to the last working configuration, should you need to.

If you have not kept such a log and you are unable to undo the experimentation, then you will have to install Virtualmin on a temporary server and copy over the sensible defaults that the Virtualmin full install offers out of the box over to your production system.

Rather than carrying out improvements and enhancements to a system that is likely broken for fail2ban, I would simplify by going back to a working configuration, if I were you.

1. It was only postfix.cf that changed… and of course the settings of Filter Jail Actions (enabled) and selecting iptables-all to block all ports… but I am asking if the following command is blocking the IPs… (from copy-paste there was a problem with formatting in the previous post <>, so I gave an extra space to show you)…

< iptables> -I f2b-< name> 1 -s < ip> -j < blocktype>

2. Isn't there any postfix.cf to change only that…

3. PS: for example now - some IP ranges from spammers used to brute force… I am blocking them with shell commands

like…

route add -net 45.142.120.0/24 reject

Of course my system is working… getting emails and sending mails right, but all this movement to a simple server like mine is… bad… I think - so I must keep it safe somehow… I know I didn't take a backup of postfix.conf, or did that a year ago… I am asking for a working one… I didn't change a lot of things :frowning: only that…

Just found the backup of postfix.conf and it is the same!

So now what can I do?

I didn't upload the fail2ban log - here it is:

2021-03-18 11:11:01,032 fail2ban.filter [9260]: INFO [postfix-sasl] Found 212.70.149.55 - 2021-03-18 11:11:00
2021-03-18 11:10:27,011 fail2ban.filter [9260]: INFO [postfix-sasl] Found 87.246.7.226 - 2021-03-18 11:10:27
2021-03-18 11:10:26,820 fail2ban.filter [9260]: INFO [postfix-sasl] Found 212.70.149.55 - 2021-03-18 11:10:26
2021-03-18 11:09:50,950 fail2ban.actions [9260]: WARNING [postfix-sasl] 212.70.149.55 already banned
2021-03-18 11:09:50,875 fail2ban.filter [9260]: INFO [postfix-sasl] Found 212.70.149.55 - 2021-03-18 11:09:50
2021-03-18 11:09:41,742 fail2ban.actions [9260]: WARNING [postfix-sasl] 212.70.149.71 already banned
2021-03-18 11:09:41,219 fail2ban.filter [9260]: INFO [postfix-sasl] Found 212.70.149.71 - 2021-03-18 11:09:41
2021-03-18 11:09:39,740 fail2ban.actions [9260]: WARNING [postfix-sasl] 87.246.7.226 already banned
2021-03-18 11:09:39,197 fail2ban.filter [9260]: INFO [postfix-sasl] Found 87.246.7.226 - 2021-03-18 11:09:39
2021-03-18 11:09:15,347 fail2ban.filter [9260]: INFO [postfix-sasl] Found 212.70.149.55 - 2021-03-18 11:09:15
2021-03-18 11:08:52,614 fail2ban.filter [9260]: INFO [postfix-sasl] Found 87.246.7.226 - 2021-03-18 11:08:52
2021-03-18 11:08:42,770 fail2ban.filter [9260]: INFO [postfix-sasl] Found 91.243.45.40 - 2021-03-18 11:08:42
2021-03-18 11:08:40,223 fail2ban.filter [9260]: INFO [postfix-sasl] Found 212.70.149.55 - 2021-03-18 11:08:40
2021-03-18 11:08:38,275 fail2ban.actions [9260]: WARNING [postfix-sasl] 91.243.45.40 already banned
2021-03-18 11:08:38,024 fail2ban.filter [9260]: INFO [postfix-sasl] Found 91.243.45.40 - 2021-03-18 11:08:38
2021-03-18 11:08:04,839 fail2ban.actions [9260]: WARNING [postfix-sasl] 212.70.149.55 already banned
2021-03-18 11:08:04,566 fail2ban.filter [9260]: INFO [postfix-sasl] Found 87.246.7.226 - 2021-03-18 11:08:04
2021-03-18 11:08:04,498 fail2ban.filter [9260]: INFO [postfix-sasl] Found 212.70.149.55 - 2021-03-18 11:08:04
2021-03-18 11:07:55,234 fail2ban.filter [9260]: INFO [postfix-sasl] Found 212.70.149.71 - 2021-03-18 11:07:54
2021-03-18 11:07:49,326 fail2ban.filter [9260]: INFO [postfix-sasl] Found 193.169.255.72 - 2021-03-18 11:07:48
2021-03-18 11:07:29,902 fail2ban.filter [9260]: INFO [postfix-sasl] Found 212.70.149.55 - 2021-03-18 11:07:29
2021-03-18 11:07:22,469 fail2ban.filter [9260]: INFO [dovecot] Found 106.38.36.99 - 2021-03-18 11:07:22
2021-03-18 11:07:18,189 fail2ban.actions [9260]: WARNING [postfix-sasl] 87.246.7.226 already banned
2021-03-18 11:07:18,060 fail2ban.filter [9260]: INFO [postfix-sasl] Found 87.246.7.226 - 2021-03-18 11:07:18
2021-03-18 11:06:56,767 fail2ban.actions [9260]: WARNING [postfix-sasl] 193.169.255.72 already banned
2021-03-18 11:06:56,224 fail2ban.filter [9260]: INFO [postfix-sasl] Found 193.169.255.72 - 2021-03-18 11:06:56
2021-03-18 11:06:53,751 fail2ban.filter [9260]: INFO [postfix-sasl] Found 212.70.149.55 - 2021-03-18 11:06:53
2021-03-18 11:06:34,871 fail2ban.filter [9260]: INFO [postfix-sasl] Found 176.111.173.12 - 2021-03-18 11:06:34
2021-03-18 11:06:30,409 fail2ban.filter [9260]: INFO [postfix-sasl] Found 87.246.7.226 - 2021-03-18 11:06:30
2021-03-18 11:06:19,526 fail2ban.actions [9260]: WARNING [postfix-sasl] 212.70.149.55 already banned
2021-03-18 11:06:18,749 fail2ban.filter [9260]: INFO [postfix-sasl] Found 212.70.149.55 - 2021-03-18 11:06:18
2021-03-18 11:06:18,044 fail2ban.filter [9260]: INFO [postfix-sasl] Found 212.70.149.71 - 2021-03-18 11:06:18
2021-03-18 11:06:02,196 fail2ban.filter [9260]: INFO [postfix-sasl] Found 78.128.113.131 - 2021-03-18 11:06:02
2021-03-18 11:05:59,275 fail2ban.filter [9260]: INFO [postfix-sasl] Found 78.128.113.131 - 2021-03-18 11:05:59
2021-03-18 11:05:43,513 fail2ban.filter [9260]: INFO [postfix-sasl] Found 87.246.7.226 - 2021-03-18 11:05:43
2021-03-18 11:05:41,842 fail2ban.filter [9260]: INFO [postfix-sasl] Found 212.70.149.55 - 2021-03-18 11:05:41
2021-03-18 11:05:05,924 fail2ban.filter [9260]: INFO [postfix-sasl] Found 212.70.149.55 - 2021-03-18 11:05:05
2021-03-18 11:04:55,638 fail2ban.actions [9260]: WARNING [postfix-sasl] 87.246.7.226 already banned
2021-03-18 11:04:55,592 fail2ban.filter [9260]: INFO [postfix-sasl] Found 87.246.7.226 - 2021-03-18 11:04:55

As you can see, every second there are attacks… so the ban command is not doing anything to them… can I make a fix perhaps with route reject (is that more powerful?)
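The pattern worth reading out of that fail2ban.log is not the volume of "Found" lines but how long an address keeps being "Found" after fail2ban has already banned it. A "Found" a second or two after the ban can still be the same connection, but a stream of them for minutes afterwards means new connections are still arriving, i.e. the ban action is not reaching the firewall. The following added example (mine, not from the thread and not fail2ban code) parses the log format above, takes the earliest "Ban <ip>" or "<ip> already banned" message as the moment the ban was applied, and reports, per address, how many later "Found" events fall outside a short grace window and how long after the ban the last one arrived. The input is a chronologically shuffled subset of the lines quoted in this post; the 30-second grace window and the "Ban <ip>" handling are my additions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban.log line: "<date> <time>,<ms> fail2ban.<source> [<pid>]: <LEVEL> [<jail>] <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.(?P<src>\w+)\s+\[\d+\]: "
    r"(?P<level>\w+)\s+\[(?P<jail>[^\]]+)\] (?P<msg>.+)$"
)


def parse(line):
    """Return a dict with ts (datetime), jail and msg, or None for foreign lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def bans_not_holding(lines, jail, grace=timedelta(seconds=30)):
    """Map ip -> (found_after_ban, seconds_since_ban_of_last_found) for bans that
    keep producing 'Found' events more than `grace` after they were applied."""
    events = sorted((e for e in map(parse, lines) if e and e["jail"] == jail),
                    key=lambda e: e["ts"])

    # Pass 1: earliest evidence that a ban is in force for each address.
    banned_at = {}
    for e in events:
        msg = e["msg"]
        if msg.startswith("Ban "):
            ip = msg.split()[1]
        elif msg.endswith(" already banned"):
            ip = msg.split()[0]
        else:
            continue
        banned_at.setdefault(ip, e["ts"])

    # Pass 2: count 'Found' events that land after the ban plus the grace window.
    late = defaultdict(list)
    for e in events:
        if not e["msg"].startswith("Found "):
            continue
        ip = e["msg"].split()[1]
        if ip in banned_at and e["ts"] > banned_at[ip] + grace:
            late[ip].append(e["ts"])

    return {ip: (len(ts), int((ts[-1] - banned_at[ip]).total_seconds()))
            for ip, ts in late.items()}


# Subset of the log quoted in this post, in the newest-first order it was pasted.
SAMPLE_F2B_LOG = """
2021-03-18 11:11:01,032 fail2ban.filter [9260]: INFO [postfix-sasl] Found 212.70.149.55 - 2021-03-18 11:11:00
2021-03-18 11:09:50,950 fail2ban.actions [9260]: WARNING [postfix-sasl] 212.70.149.55 already banned
2021-03-18 11:09:50,875 fail2ban.filter [9260]: INFO [postfix-sasl] Found 212.70.149.55 - 2021-03-18 11:09:50
2021-03-18 11:08:38,275 fail2ban.actions [9260]: WARNING [postfix-sasl] 91.243.45.40 already banned
2021-03-18 11:08:38,024 fail2ban.filter [9260]: INFO [postfix-sasl] Found 91.243.45.40 - 2021-03-18 11:08:38
2021-03-18 11:07:18,189 fail2ban.actions [9260]: WARNING [postfix-sasl] 87.246.7.226 already banned
2021-03-18 11:07:18,060 fail2ban.filter [9260]: INFO [postfix-sasl] Found 87.246.7.226 - 2021-03-18 11:07:18
2021-03-18 11:06:30,409 fail2ban.filter [9260]: INFO [postfix-sasl] Found 87.246.7.226 - 2021-03-18 11:06:30
2021-03-18 11:06:19,526 fail2ban.actions [9260]: WARNING [postfix-sasl] 212.70.149.55 already banned
2021-03-18 11:06:18,749 fail2ban.filter [9260]: INFO [postfix-sasl] Found 212.70.149.55 - 2021-03-18 11:06:18
2021-03-18 11:05:41,842 fail2ban.filter [9260]: INFO [postfix-sasl] Found 212.70.149.55 - 2021-03-18 11:05:41
2021-03-18 11:04:55,638 fail2ban.actions [9260]: WARNING [postfix-sasl] 87.246.7.226 already banned
2021-03-18 11:04:55,592 fail2ban.filter [9260]: INFO [postfix-sasl] Found 87.246.7.226 - 2021-03-18 11:04:55
""".strip().splitlines()


if __name__ == "__main__":
    for ip, (n, secs) in bans_not_holding(SAMPLE_F2B_LOG, "postfix-sasl").items():
        print(f"{ip}: {n} new 'Found' events, last one {secs}s after the ban")
```

On this sample both 212.70.149.55 and 87.246.7.226 are still being matched two to five minutes after fail2ban considers them banned, while 91.243.45.40 drops out after its grace window. Addresses in the first group are the ones to check against the live firewall rules, since fail2ban itself has done its part and logged the ban.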

And it is the experimentation that you have done on a live system (without keeping a log of changes) that has caused this.

The following is a screenshot of what works for me on a high volume mail server:


Thanks for that calport, it reminded me to check my own config and update it.


Thank you for the fast response…

But when I changed… fail2ban to route…

at route I set these settings:
Command to ban an IP: ip route add unreachable < ip>
Command to un-ban an IP: ip route del unreachable < ip>

fail2ban now seems to work and bans with route… …

To help simplify your setup, I don’t think the postfix-rbl and postfix-sasl jails are needed anymore. Those filters were combined into postfix.conf with recent Fail2ban releases, so using only the [postfix] jail should be enough.

Is Fail2ban updated with Virtualmin updates… I have Virtualmin 6.1.5… what is the latest fail2ban version… must I do that manually?

Please start a new topic or search the forum to get a list of discussions related to fail2ban updates.

The topic that you originally started was about fail2ban configuration and troubleshooting because your server was getting hit with brute-force attacks.

Fail2ban updates are unrelated to this.
