Fail2Ban: Dovecot and Postfix login spam/tries

Hello everybody, thanks for your help.
I have managed to set up my Virtualmin and it is working fine, but I found a lot of lines like this in my mail.log:

jun 5 03:26:53 server postfix/smtpd[2057]: warning: unknown[113.200.102.90]: SASL LOGIN authentication failed: authentication failure
Jun 5 03:26:56 server postfix/smtpd[2057]: warning: unknown[113.200.102.90]: SASL LOGIN authentication failed: authentication failure
Jun 5 03:26:59 server postfix/smtpd[2057]: warning: unknown[113.200.102.90]: SASL LOGIN authentication failed: authentication failure
Jun 5 03:27:02 server postfix/smtpd[2057]: warning: unknown[113.200.102.90]: SASL LOGIN authentication failed: authentication failure
Jun 5 03:27:05 server postfix/smtpd[2057]: warning: unknown[113.200.102.90]: SASL LOGIN authentication failed: authentication failure
Jun 5 03:27:08 server postfix/smtpd[2057]: warning: unknown[113.200.102.90]: SASL LOGIN authentication failed: authentication failure
Jun 5 03:27:12 server postfix/smtpd[2057]: warning: unknown[113.200.102.90]: SASL LOGIN authentication failed: authentication failure
Jun 5 03:27:15 server postfix/smtpd[2057]: warning: unknown[113.200.102.90]: SASL LOGIN authentication failed: authentication failure
Jun 5 03:27:21 server postfix/smtpd[2057]: warning: unknown[113.200.102.90]: SASL LOGIN authentication failed: authentication failure
Jun 5 03:27:28 server postfix/smtpd[2057]: warning: unknown[113.200.102.90]: SASL LOGIN authentication failed: authentication failure
Jun 5 03:27:36 server postfix/smtpd[2057]: warning: unknown[113.200.102.90]: SASL LOGIN authentication failed: authentication failure
Jun 5 03:27:42 server postfix/smtpd[2057]: warning: unknown[113.200.102.90]: SASL LOGIN authentication failed: authentication failure
Jun 5 03:27:50 server postfix/smtpd[2057]: warning: unknown[113.200.102.90]: SASL LOGIN authentication failed: authentication failure
Jun 5 03:27:57 server postfix/smtpd[2057]: warning: unknown[113.200.102.90]: SASL LOGIN authentication failed: authentication failure
Jun 5 03:28:04 server postfix/smtpd[2057]: warning: unknown[113.200.102.90]: SASL LOGIN authentication failed: authentication failure
Jun 5 03:28:11 server postfix/smtpd[2057]: warning: unknown[113.200.102.90]: SASL LOGIN authentication failed: authentication failure
Jun 5 03:28:18 server postfix/smtpd[2057]: warning: unknown[113.200.102.90]: SASL LOGIN authentication failed: authentication failure

and

Jun 5 07:09:29 server postfix/smtpd[11904]: disconnect from 200-100-93-140.dial-up.telesp.net.br[200.100.93.140] ehlo=1 auth=0/1 commands=1/2
Jun 5 07:09:30 server postfix/smtpd[11904]: connect from 200-100-93-140.dial-up.telesp.net.br[200.100.93.140]
Jun 5 07:09:33 server postfix/smtpd[11907]: lost connection after AUTH from 200-100-93-140.dial-up.telesp.net.br[200.100.93.140]
Jun 5 07:09:33 server postfix/smtpd[11907]: disconnect from 200-100-93-140.dial-up.telesp.net.br[200.100.93.140] ehlo=1 auth=0/1 commands=1/2
Jun 5 07:09:37 server postfix/smtpd[11906]: lost connection after AUTH from 200-100-93-140.dial-up.telesp.net.br[200.100.93.140]
Jun 5 07:09:37 server postfix/smtpd[11906]: disconnect from 200-100-93-140.dial-up.telesp.net.br[200.100.93.140] ehlo=1 auth=0/1 commands=1/2

I thought stuff like this would be banned, but in my case it is not happening.

Fail2Ban is installed and working fine for sshd etc. I see inside the logs that there are bans and so on, but no bans for the mail stuff. Inside Fail2Ban the log file path for postfix is set to %(postfix_log)s and inside dovecot %(dovecot_log)s (both default settings, I haven't changed anything for now). I couldn't check if it is right because I don't know where the vars are set, but maybe it's not set to the mail.log.

The dovecot and postfix jails are enabled.

Maybe I must change the log filters, or I must set the path to the mail.log. Is there someone with some hints or config setups for me that solve this? It would be awesome.

I wish you a nice day and thanks for reading.
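An added example (not from the original post and not Fail2Ban's own code) showing what a jail does with log lines like the ones above: a failregex extracts the client IP, then hits per host are counted in a sliding findtime window and a host is banned once it reaches maxretry. The two regexes, the year used to complete the syslog timestamps, and the maxretry/findtime values are assumptions written for this example, not the patterns or defaults shipped in fail2ban's filter.d; the sample log lines are copied from the post.

```python
import re
from collections import deque, defaultdict
from datetime import datetime

# Constructed sample: lines copied from the mail.log excerpt in the post above.
MAIL_LOG = """\
Jun 5 03:26:53 server postfix/smtpd[2057]: warning: unknown[113.200.102.90]: SASL LOGIN authentication failed: authentication failure
Jun 5 03:26:56 server postfix/smtpd[2057]: warning: unknown[113.200.102.90]: SASL LOGIN authentication failed: authentication failure
Jun 5 03:26:59 server postfix/smtpd[2057]: warning: unknown[113.200.102.90]: SASL LOGIN authentication failed: authentication failure
Jun 5 03:27:02 server postfix/smtpd[2057]: warning: unknown[113.200.102.90]: SASL LOGIN authentication failed: authentication failure
Jun 5 03:27:05 server postfix/smtpd[2057]: warning: unknown[113.200.102.90]: SASL LOGIN authentication failed: authentication failure
Jun 5 07:09:33 server postfix/smtpd[11907]: lost connection after AUTH from 200-100-93-140.dial-up.telesp.net.br[200.100.93.140]
Jun 5 07:09:37 server postfix/smtpd[11906]: lost connection after AUTH from 200-100-93-140.dial-up.telesp.net.br[200.100.93.140]
"""

# Hypothetical failregexes written for this example; they are NOT the
# patterns shipped in fail2ban's filter.d/postfix*.conf.
FAILREGEX = [
    re.compile(r"warning: \S+\[(?P<host>[\d.]+)\]: SASL \w+ authentication failed"),
    re.compile(r"lost connection after AUTH from \S+\[(?P<host>[\d.]+)\]"),
]
# Syslog timestamps carry no year, so one is supplied when parsing.
TIMESTAMP = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")


def parse_failures(log_text, year=2018):
    """Yield (timestamp, host) for every line matching one of the failregexes."""
    for line in log_text.splitlines():
        m = TIMESTAMP.match(line)
        if not m:
            continue
        for rx in FAILREGEX:
            hit = rx.search(line)
            if hit:
                ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
                yield ts, hit["host"]
                break


def hosts_to_ban(log_text, maxretry=5, findtime=600):
    """Sliding-window count per host, like a jail's maxretry/findtime (seconds).

    Returns the hosts that reached maxretry failures inside findtime, in the
    order they crossed the threshold."""
    window = defaultdict(deque)
    banned = []
    for ts, host in parse_failures(log_text):
        q = window[host]
        q.append(ts)
        # Drop failures older than findtime relative to the newest one.
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("would ban:", hosts_to_ban(MAIL_LOG))
```

With the sample, 113.200.102.90 reaches five SASL failures within twelve seconds and is banned, while the dial-up host only produced two "lost connection after AUTH" lines and stays below the threshold. The equivalent check for the real filters is fail2ban's own `fail2ban-regex`, run against the real log and the filter file, for example `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-sasl.conf`: it reports how many lines matched, and a match count of zero means the filter or the logpath is the problem, not whether the jail is enabled.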

Not sure if this was a case with CentOS 6 or the early days of 7… The point is, Fail2Ban had a problem reading some log files when using %(postfix_log)s and %(dovecot_log)s. So what I did was replace all lines** containing the path info with the actual full path to the log file, e.g. replaced %(postfix_log)s and %(dovecot_log)s with /var/log/maillog.

Now I'm not 100% sure this is the same as your problem, but the "symptoms" are similar, so it's worth a try to see if it works.

** Replaced all lines (named, ssh, ftp, mail…) in jail.local which didn't already have a full path to the log file, not only the ones about email. If you wonder what jail.local is, there is plenty of info on Google, but in short: during an update jail.conf gets overwritten, so all changes are best put in jail.local.

Thanks a lot for your help.
I will try it out immediately.

I'm working on an Ubuntu 16.04 system with the latest Virtualmin version, installed maybe a week ago. I post this only for information; I forgot to mention it earlier.

Big thanks again, it's working fine now. But I figured out a new strange and critical issue.
Fail2Ban log:

This guy:
2018-06-06 23:03:38,779 fail2ban.filter [1450]: INFO [proftpd] Found 218.60.67.70
2018-06-06 23:03:41,501 fail2ban.filter [1450]: INFO [proftpd] Found 218.60.67.70
2018-06-06 23:03:41,884 fail2ban.actions [1450]: NOTICE [proftpd] 218.60.67.70 already banned
And this guy:
2018-06-06 21:46:38,837 fail2ban.filter [1450]: INFO [proftpd] Found 218.60.67.67
2018-06-06 21:46:39,544 fail2ban.actions [1450]: NOTICE [proftpd] 218.60.67.67 already banned
2018-06-06 21:46:41,905 fail2ban.filter [1450]: INFO [proftpd] Found 218.60.67.67
2018-06-06 21:46:43,911 fail2ban.filter [1450]: INFO [proftpd] Found 218.60.67.67

And this is the log part from proftpd:
2018-06-06 21:47:10,194 server.a-domain.com proftpd[19621] 0.0.0.0 (218.60.67.67[218.60.67.67]): SSH2 session closed.
2018-06-06 21:47:10,959 server.a-domain.com proftpd[19622] 0.0.0.0 (218.60.67.67[218.60.67.67]): SSH2 session opened.
2018-06-06 21:47:10,972 server.a-domain.com proftpd[19622] 0.0.0.0 (218.60.67.67[218.60.67.67]): SSH2 session closed.
2018-06-06 21:47:11,786 server.a-domain.com proftpd[19623] 0.0.0.0 (218.60.67.67[218.60.67.67]): SSH2 session opened.
2018-06-06 21:47:11,804 server.a-domain.com proftpd[19623] 0.0.0.0 (218.60.67.67[218.60.67.67]): SSH2 session closed.
2018-06-06 21:47:12,562 server.a-domain.com proftpd[19624] 0.0.0.0 (218.60.67.67[218.60.67.67]): SSH2 session opened.
2018-06-06 21:47:14,003 server.a-domain.com proftpd[19624] 0.0.0.0 (218.60.67.67[218.60.67.67]): USER admin: no such user found from 218.60.67.67 [218.60.67.67] to ::ffff:server-ip:2222
2018-06-06 21:47:16,705 server.a-domain.com proftpd[19624] 0.0.0.0 (218.60.67.67[218.60.67.67]): USER admin: no such user found from 218.60.67.67 [218.60.67.67] to ::ffff:server-ip:2222
2018-06-06 21:47:18,702 server.a-domain.com proftpd[19624] 0.0.0.0 (218.60.67.67[218.60.67.67]): USER admin: no such user found from 218.60.67.67 [218.60.67.67] to ::ffff:server-ip:2222
2018-06-06 21:47:21,071 server.a-domain.com proftpd[19624] 0.0.0.0 (218.60.67.67[218.60.67.67]): USER admin: no such user found from 218.60.67.67 [218.60.67.67] to ::ffff:server-ip:2222
2018-06-06 21:47:23,628 server.a-domain.com proftpd[19624] 0.0.0.0 (218.60.67.67[218.60.67.67]): SSH2 session closed.
2018-06-06 23:03:12,086 server.a-domain.com proftpd[22714] 0.0.0.0 (218.60.67.70[218.60.67.70]): SSH2 session opened.
2018-06-06 23:03:15,763 server.a-domain.com proftpd[22714] 0.0.0.0 (218.60.67.70[218.60.67.70]): USER root (Login failed): Incorrect password
2018-06-06 23:03:18,485 server.a-domain.com proftpd[22714] 0.0.0.0 (218.60.67.70[218.60.67.70]): USER root (Login failed): Incorrect password
2018-06-06 23:03:20,995 server.a-domain.com proftpd[22714] 0.0.0.0 (218.60.67.70[218.60.67.70]): USER root (Login failed): Incorrect password
2018-06-06 23:03:22,909 server.a-domain.com proftpd[22714] 0.0.0.0 (218.60.67.70[218.60.67.70]): USER root (Login failed): Incorrect password
2018-06-06 23:03:25,749 server.a-domain.com proftpd[22714] 0.0.0.0 (218.60.67.70[218.60.67.70]): USER root (Login failed): Incorrect password
2018-06-06 23:03:28,404 server.a-domain.com proftpd[22714] 0.0.0.0 (218.60.67.70[218.60.67.70]): USER root (Login failed): Incorrect password
2018-06-06 23:03:28,404 server.a-domain.com proftpd[22714] 0.0.0.0 (218.60.67.70[218.60.67.70]): Maximum login attempts (6) exceeded, connection refused
2018-06-06 23:03:28,405 server.a-domain.com proftpd[22714] 0.0.0.0 (218.60.67.70[218.60.67.70]): SSH2 session closed.
2018-06-06 23:03:28,985 server.a-domain.com proftpd[22719] 0.0.0.0 (218.60.67.70[218.60.67.70]): SSH2 session opened.
2018-06-06 23:03:33,031 server.a-domain.com proftpd[22719] 0.0.0.0 (218.60.67.70[218.60.67.70]): USER root (Login failed): Incorrect password
2018-06-06 23:03:34,936 server.a-domain.com proftpd[22719] 0.0.0.0 (218.60.67.70[218.60.67.70]): USER root (Login failed): Incorrect password
2018-06-06 23:03:38,778 server.a-domain.com proftpd[22719] 0.0.0.0 (218.60.67.70[218.60.67.70]): USER root (Login failed): Incorrect password
2018-06-06 23:03:41,501 server.a-domain.com proftpd[22719] 0.0.0.0 (218.60.67.70[218.60.67.70]): USER root (Login failed): Incorrect password
2018-06-06 23:03:43,892 server.a-domain.com proftpd[22719] 0.0.0.0 (218.60.67.70[218.60.67.70]): USER root (Login failed): Incorrect password
2018-06-06 23:03:45,824 server.a-domain.com proftpd[22719] 0.0.0.0 (218.60.67.70[218.60.67.70]): USER root (Login failed): Incorrect password
2018-06-06 23:03:47,352 server.a-domain.com proftpd[22719] 0.0.0.0 (218.60.67.70[218.60.67.70]): Maximum login attempts (6) exceeded, connection refused

Inside the jail config in fail2ban, ssh is specified as the port. Is ssh2 the same?

As always, thanks for any hint.

Restart iptables and then fail2ban. If this doesn't help, disable (stop) fail2ban, restart iptables and check if there are some traces of fail2ban inside iptables. If there are some f2b leftovers, delete them, save and restart iptables. Once done, you can enable fail2ban and see if it works.

My suggestion would be to change the default ports to something bigger than 1024. The default ports will always get hammered by bots and brute force attacks. For email your only option is to ban the offending IP(s), but at least you can change the ports for SSH, FTP, Virtualmin/Webmin and Usermin. Just doing this will reduce attacks on the earlier mentioned services by more than 99% (no joking). I mean, the difference is from several hundred or thousand attacks per day to maybe a few in several months.

If you are the only one handling SSH and FTP, or your clients have enough knowledge, you could leave all ports as they are and enable port knocking (more info on Google).

Back to your problem:
2018-06-06 21:46:38,837 fail2ban.filter [1450]: INFO [proftpd] Found 218.60.67.67
2018-06-06 21:46:39,544 fail2ban.actions [1450]: NOTICE [proftpd] 218.60.67.67 already banned

This usually happens if you have a lot of attacks in a really short amount of time, like 10-20+ per second. As the server will take a split second to ban the IP, it could happen that the attacks are coming so fast that a few (1-3) could reach the server before iptables applies the new ban.

The other reason is when fail2ban doesn't properly apply the rules to iptables and then technically bans the IP, but iptables doesn't have any record of that IP. This problem usually goes away if you restart the server (you should avoid this if it isn't 100% necessary) or restart iptables and then fail2ban (in this exact order).
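An added example, not from the reply above and not fail2ban's own code, that turns the two causes just described into a check over the fail2ban log. It parses "Found", "Ban" and "already banned" lines, and for every "Found" logged after a host's ban notice records whether the hit came within a short grace window (the burst that raced the iptables insert) or well after it (the ban never reached iptables). The log lines are the ones quoted in the thread plus one constructed "Found" line at 23:05:00; the 5-second grace value is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the fail2ban.log lines quoted in the thread, plus one
# extra "Found" line (23:05:00) invented here to show the second failure mode.
F2B_LOG = """\
2018-06-06 21:46:38,837 fail2ban.filter [1450]: INFO [proftpd] Found 218.60.67.67
2018-06-06 21:46:39,544 fail2ban.actions [1450]: NOTICE [proftpd] 218.60.67.67 already banned
2018-06-06 21:46:41,905 fail2ban.filter [1450]: INFO [proftpd] Found 218.60.67.67
2018-06-06 21:46:43,911 fail2ban.filter [1450]: INFO [proftpd] Found 218.60.67.67
2018-06-06 23:03:38,779 fail2ban.filter [1450]: INFO [proftpd] Found 218.60.67.70
2018-06-06 23:03:41,501 fail2ban.filter [1450]: INFO [proftpd] Found 218.60.67.70
2018-06-06 23:03:41,884 fail2ban.actions [1450]: NOTICE [proftpd] 218.60.67.70 already banned
2018-06-06 23:05:00,000 fail2ban.filter [1450]: INFO [proftpd] Found 218.60.67.70
"""

# Tolerates the variable whitespace fail2ban pads its component/level fields with.
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) fail2ban\.\w+\s*\[\d+\]:\s*\w+\s*\[(?P<jail>[^\]]+)\] (?P<msg>.*)$"
)


def parse_events(log_text):
    """Yield (timestamp, jail, host, kind) with kind in {"found", "ban"}."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        msg = m["msg"]
        if msg.startswith("Found "):
            yield ts, m["jail"], msg[len("Found "):], "found"
        elif msg.startswith("Ban "):
            yield ts, m["jail"], msg[len("Ban "):], "ban"
        elif msg.endswith(" already banned"):
            yield ts, m["jail"], msg[:-len(" already banned")], "ban"


def classify_post_ban_hits(log_text, grace=5.0):
    """Classify every 'Found' that was logged after the host's ban notice.

    Within `grace` seconds of the ban: a burst that raced the iptables insert.
    Later than that: the ban is most likely not present in the firewall.
    Returns {(jail, host): {"race": n, "not_enforced": n}}."""
    ban_time = {}
    report = defaultdict(lambda: {"race": 0, "not_enforced": 0})
    for ts, jail, host, kind in parse_events(log_text):
        key = (jail, host)
        if kind == "ban":
            ban_time.setdefault(key, ts)  # keep the earliest ban notice
        elif key in ban_time:
            delay = (ts - ban_time[key]).total_seconds()
            report[key]["race" if delay <= grace else "not_enforced"] += 1
    return dict(report)


if __name__ == "__main__":
    for (jail, host), counts in classify_post_ban_hits(F2B_LOG).items():
        print(f"[{jail}] {host}: {counts}")
```

On the sample, 218.60.67.67 only shows hits two and four seconds after its ban notice, which fits the burst explanation, while the constructed hit for 218.60.67.70 comes 78 seconds later and is what the second cause looks like in the log. A host that lands in the not_enforced bucket is the case where you would stop fail2ban, list the firewall rules (for example `iptables -S`) and look for that IP in the f2b chains before restarting in the order given above.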

Thanks for the great suggestion, I will try it out and read about port knocking.
I wish you a great weekend.