How to configure Fail2ban to blacklist an attack with postfix/smtpd (I am a novice)

Hello

Since December 2023, I have a new Debian 12 server with Virtualmin/Webmin. Before December 2023 and since 2010, I had CentOS with cPanel/WHM. I have a problem with Fail2ban; it doesn’t ban any attacks on Postfix SASL.

Jun 15 20:38:38 ns postfix/smtpd[4151380]: connect from unknown[80.244.11.65]
Jun 15 20:38:38 ns postfix/smtpd[4151372]: connect from unknown[80.244.11.67]
Jun 15 20:38:38 ns postfix/smtpd[4151376]: connect from unknown[80.244.11.147]
Jun 15 20:38:38 ns postfix/smtpd[4151386]: disconnect from unknown[80.244.11.121] quit=1 commands=1
Jun 15 20:38:38 ns postfix/smtpd[4151386]: connect from unknown[80.244.11.120]
Jun 15 20:38:40 ns postfix/smtpd[4151379]: warning: unknown[80.244.11.66]: SASL LOGIN authentication failed: authentication failure, sasl_username=carolyn
Jun 15 20:38:40 ns postfix/smtpd[4151413]: warning: unknown[80.244.11.146]: SASL LOGIN authentication failed: authentication failure, sasl_username=oa
Jun 15 20:38:40 ns postfix/smtpd[4151387]: warning: unknown[80.244.11.121]: SASL LOGIN authentication failed: authentication failure, sasl_username=deka
Jun 15 20:38:40 ns postfix/smtpd[4151388]: warning: unknown[80.244.11.120]: SASL LOGIN authentication failed: authentication failure, sasl_username=new3
Jun 15 20:38:40 ns postfix/smtpd[4151384]: warning: unknown[80.244.11.148]: SASL LOGIN authentication failed: authentication failure, sasl_username=mscan
Jun 15 20:38:40 ns postfix/smtpd[4151388]: too many errors after AUTH from unknown[80.244.11.120]
Jun 15 20:38:40 ns postfix/smtpd[4151388]: disconnect from unknown[80.244.11.120] ehlo=1 auth=0/1 rset=1 commands=2/3
Jun 15 20:38:40 ns postfix/smtpd[4151387]: too many errors after AUTH from unknown[80.244.11.121]
Jun 15 20:38:40 ns postfix/smtpd[4151379]: too many errors after AUTH from unknown[80.244.11.66]
Jun 15 20:38:40 ns postfix/smtpd[4151384]: too many errors after AUTH from unknown[80.244.11.148]
Jun 15 20:38:40 ns postfix/smtpd[4151387]: disconnect from unknown[80.244.11.121] ehlo=1 auth=0/1 rset=1 commands=2/3
Jun 15 20:38:40 ns postfix/smtpd[4151379]: disconnect from unknown[80.244.11.66] ehlo=1 auth=0/1 rset=1 commands=2/3
Jun 15 20:38:40 ns postfix/smtpd[4151384]: disconnect from unknown[80.244.11.148] ehlo=1 auth=0/1 rset=1 commands=2/3
Jun 15 20:38:40 ns postfix/smtpd[4151388]: connect from unknown[80.244.11.146]
Jun 15 20:38:40 ns postfix/smtpd[4151379]: connect from unknown[80.244.11.148]
Jun 15 20:38:40 ns postfix/smtpd[4151387]: connect from unknown[80.244.11.65]
Jun 15 20:38:40 ns postfix/smtpd[4151384]: connect from unknown[80.244.11.147]
Jun 15 20:38:40 ns postfix/smtpd[4151413]: too many errors after AUTH from unknown[80.244.11.146]
Jun 15 20:38:40 ns postfix/smtpd[4151413]: disconnect from unknown[80.244.11.146] ehlo=1 auth=0/1 rset=1 commands=2/3
Jun 15 20:38:40 ns postfix/smtpd[4151413]: connect from unknown[80.244.11.69]
Jun 15 20:38:42 ns postfix/smtpd[4151398]: warning: unknown[80.244.11.120]: SASL LOGIN authentication failed: authentication failure, sasl_username=new3
Jun 15 20:38:42 ns postfix/smtpd[4151401]: warning: unknown[80.244.11.69]: SASL LOGIN authentication failed: authentication failure, sasl_username=mission
Jun 15 20:38:42 ns postfix/smtpd[4151397]: warning: unknown[80.244.11.140]: SASL LOGIN authentication failed: authentication failure, sasl_username=mssql
Jun 15 20:38:42 ns postfix/smtpd[4151399]: warning: unknown[80.244.11.120]: SASL LOGIN authentication failed: authentication failure, sasl_username=new3
Jun 15 20:38:42 ns postfix/smtpd[4151398]: too many errors after AUTH from unknown[80.244.11.120]
Jun 15 20:38:42 ns postfix/smtpd[4151399]: too many errors after AUTH from unknown[80.244.11.120]
Jun 15 20:38:42 ns postfix/smtpd[4151397]: too many errors after AUTH from unknown[80.244.11.140]
Jun 15 20:38:42 ns postfix/smtpd[4151398]: disconnect from unknown[80.244.11.120] ehlo=1 auth=0/1 rset=1 commands=2/3
Jun 15 20:38:42 ns postfix/smtpd[4151397]: disconnect from unknown[80.244.11.140] ehlo=1 auth=0/1 rset=1 commands=2/3
Jun 15 20:38:42 ns postfix/smtpd[4151399]: disconnect from unknown[80.244.11.120] ehlo=1 auth=0/1 rset=1 commands=2/3
Jun 15 20:38:42 ns postfix/smtpd[4151400]: warning: unknown[80.244.11.148]: SASL LOGIN authentication failed: authentication failure, sasl_username=mscan
Jun 15 20:38:42 ns postfix/smtpd[4151401]: too many errors after AUTH from unknown[80.244.11.69]
Jun 15 20:38:42 ns postfix/smtpd[4151401]: disconnect from unknown[80.244.11.69] ehlo=1 auth=0/1 rset=1 commands=2/3
Jun 15 20:38:42 ns postfix/smtpd[4151400]: too many errors after AUTH from unknown[80.244.11.148]
Jun 15 20:38:42 ns postfix/smtpd[4151400]: disconnect from unknown[80.244.11.148] ehlo=1 auth=0/1 rset=1 commands=2/3
Jun 15 20:38:42 ns postfix/smtpd[4151399]: connect from unknown[80.244.11.121]
Jun 15 20:38:42 ns postfix/smtpd[4151398]: connect from unknown[80.244.11.69]
Jun 15 20:38:42 ns postfix/smtpd[4151397]: connect from unknown[80.244.11.140]
Jun 15 20:38:42 ns postfix/smtpd[4151397]: improper command pipelining after CONNECT from unknown[80.244.11.140]: QUIT\r\n
Jun 15 20:38:42 ns postfix/smtpd[4151401]: connect from unknown[80.244.11.65]
Jun 15 20:38:42 ns postfix/smtpd[4151400]: connect from unknown[80.244.11.120]
Jun 15 20:38:42 ns postfix/smtpd[4151397]: disconnect from unknown[80.244.11.140] quit=1 commands=1
Jun 15 20:38:42 ns postfix/smtpd[4151397]: connect from unknown[80.244.11.120]

Is there a complete method that works in 2024?

I have spent 6 hours researching and testing various solutions provided by ChatGPT and Gemini, but nothing works; no IP addresses are automatically blacklisted.

It’s quite frustrating because the mail server lags a lot and takes a long time to send emails. I can’t manually filter the IPs because new ones keep coming back a few days later. For your information, firewalld is my firewall.

Thank you in advance.

Best regards.

Copy and paste this into /etc/fail2ban/jail.local

You can easily find it in Virtualmin/Webmin under Webmin tab:
Networking → Fail2Ban Intrusion Detector: Edit Config Files
Drop down to: /etc/fail2ban/jail.local

If it’s already there? replace with this code:

[postfix-sasl]
enabled = true
filter   = postfix[mode=auth]
port = smtp,submission,imap,imaps,pop3,pop3s
maxretry = 1
bantime = 12h
# incremental banning:
bantime.increment = true
# default factor (causes increment - 1h -> 1d 2d 4d 8d 16d 32d ...):
bantime.factor = 2
# max banning time = 5 week:
bantime.maxtime = 5w
action = %(action_)s

What this does is bans them on first try for 12 hours. If the same IP continues, fail2ban will start to increase their ban time.

It is also set not to send any email alert because you will end up with hundreds of them during an SASL Attack.

Don’t forget to Restart Fail2Ban…

I still have the same problem; there is neither a ban nor any counting. Here is what I have in /etc/fail2ban/jail.local

[dovecot]
enabled = true

[postfix]
enabled  = true

#[postfix-sasl]
#enabled = true
#backend = systemd
#journalmatch = _SYSTEMD_UNIT=postfix@-.service
#port     = smtp,465,submission,imap,imaps,pop3,pop3s

[postfix-sasl]
enabled = true
filter   = postfix[mode=auth]
port = smtp,submission,imap,imaps,pop3,pop3s
maxretry = 1
bantime = 12h
# incremental banning:
bantime.increment = true
# default factor (causes increment - 1h -> 1d 2d 4d 8d 16d 32d ...):
bantime.factor = 2
# max banning time = 5 week:
bantime.maxtime = 5w
action = %(action_)s


[proftpd]
enabled = true
backend = auto
logpath = /var/log/proftpd/proftpd.log

[sshd]
enabled = true

[webmin-auth]
enabled = true
journalmatch = _SYSTEMD_UNIT=webmin.service

I restart Fail2ban and Firewalld properly. Fail2ban seems to work for other default services, like ProFTP; it works fine there.

I do not receive any errors; everything is applied correctly, but Fail2ban does not ban. There must be something missing or overlooked somewhere.

Ok, I see what the problem is. We need to find out how to tell fail2ban to watch from journal for your postfix logs.
I just realized you are using Debian 12

add these to the code I gave you and stop and restart fail2ban

backend = systemd
journalmatch = _SYSTEMD_UNIT=postfix@-.service

No, it doesn’t work; however, with this, it works:

backend = auto
logpath = /var/log/mail.log

Can I leave it like this, or is there something to improve ?

Absolutely! I didn’t realize you had mail.log on your system, otherwise I would have suggested this first.

Thank you for the quick help.

Also I replaced the max-retry with:

maxretry = 5

This is the default setting. I expected that if you installed Virtualmin as described on the download page, this jail would be configured out of the box.

As you can see from their script, this is the default jail on Debian and Ubuntu. If its jail is backend = systemd it’s over riding your default setting for backend = auto that is set outside the jail.

No, it doesn’t! It works perfectly fine with the default settings we configure, which are:

[postfix-sasl]
enabled = true
backend = systemd
journalmatch = _SYSTEMD_UNIT=postfix@-.service

I’m not going to argue with you, as you can see backend = auto resolved the problem.

It has resolved many issues here on this forum in the past.

Hi

I just typed “tail -f /var/log/mail.log” and it doesn’t seem to block anything anymore, whereas before it seemed to be blocking.

Here are the results of the command:

Jul 17 22:09:00 ns postfix/smtpd[111922]: warning: unknown[194.169.175.33]: SASL LOGIN authentication failed: authentication failure, sasl_username=mb@……com
Jul 17 22:09:00 ns postfix/smtpd[111728]: warning: unknown[194.169.175.65]: SASL LOGIN authentication failed: authentication failure, sasl_username=js@……com
Jul 17 22:09:01 ns postfix/smtpd[111330]: warning: unknown[194.169.175.47]: SASL LOGIN authentication failed: authentication failure, sasl_username=regine@……com
Jul 17 22:09:01 ns postfix/smtpd[111330]: lost connection after AUTH from unknown[194.169.175.47]
Jul 17 22:09:01 ns postfix/smtpd[111330]: disconnect from unknown[194.169.175.47] ehlo=1 auth=0/1 rset=1 commands=2/3
Jul 17 22:09:01 ns postfix/smtpd[111779]: warning: unknown[194.169.175.47]: SASL LOGIN authentication failed: authentication failure, sasl_username=regine@……com
Jul 17 22:09:01 ns postfix/smtpd[111035]: warning: unknown[194.169.175.47]: SASL LOGIN authentication failed: authentication failure, sasl_username=regine@……com

I just checked, but it is sometimes banned, but not always:

prison-bans1391×775 62.6 KB

Do you know where the problem could come from?

According to the first messages at the top of the forum, I was trying to block this:

Jun 15 20:38:42 ns postfix/smtpd[4151399]: warning: unknown[80.244.11.120]: SASL LOGIN authentication failed: authentication failure, sasl_username=new3

and now it is this:

Jul 17 22:09:01 ns postfix/smtpd[111779]: warning: unknown[194.169.175.47]: SASL LOGIN authentication failed: authentication failure, sasl_username=regine@……com

There may be something that didn’t work, like updating virtualmin, or rebooting the machine.

Here is my /etc/fail2ban/jail.local for a month:

[postfix-sasl]
enabled = true
filter   = postfix[mode=auth]
port = smtp,submission,imap,imaps,pop3,pop3s
maxretry = 5
bantime = 12h
# incremental banning:
bantime.increment = true
# default factor (causes increment - 1h -> 1d 2d 4d 8d 16d 32d ...):
bantime.factor = 2
# max banning time = 5 week:
bantime.maxtime = 5w
action = %(action_)s
backend = auto
logpath = /var/log/mail.log

Those lines should be:

backend = systemd
journalmatch = _SYSTEMD_UNIT=postfix@-.service

I posted this a moment ago:

backend = systemd
journalmatch = _SYSTEMD_UNIT=postfix@-.service

this time, nothing new is banned (I just cleared the list of bans) and there is no effect, that’s why I put

backend = auto
logpath = /var/log/mail.log

Even putting the second, I see IPs well banned, but yet they continue to attack, I see them on /var/log/mail.log

Are you also using Debian 12 as the original poster?

Yes, Debian 12, installed from OVH. Maybe the problem is something to do with “action = %(action_)s” not doing any action. I use Firewalld.

I just remodified:

[postfix-sasl]
enabled = true
filter   = postfix[mode=auth]
port = smtp,465,submission,imap,imaps,pop3,pop3s
maxretry = 5
bantime = 12h
# incremental banning:
bantime.increment = true
# default factor (causes increment - 1h -> 1d 2d 4d 8d 16d 32d ...):
bantime.factor = 2
# max banning time = 5 week:
bantime.maxtime = 5w
action = %(action_)s
backend = auto
logpath = /var/log/mail.log

I put this:

port = smtp,465,submission,imap,imaps,pop3,pop3s

instead of

port = smtp,submission,imap,imaps,pop3,pop3s

The logs scroll much less at once, it seems to take into account the blockages. Here’s what it does now:

Jul 17 23:11:43 ns postfix/smtpd[153971]: disconnect from unknown[194.169.175.33] ehlo=1 rset=1 commands=2
Jul 17 23:11:43 ns postfix/smtpd[153738]: SSL_accept error from unknown[194.169.175.33]: Connection timed out
Jul 17 23:11:43 ns postfix/smtpd[153738]: lost connection after CONNECT from unknown[194.169.175.33]
Jul 17 23:11:43 ns postfix/smtpd[153738]: disconnect from unknown[194.169.175.33] commands=0/0
Jul 17 23:11:43 ns postfix/smtpd[155906]: timeout after CONNECT from unknown[194.169.175.65]
Jul 17 23:11:43 ns postfix/smtpd[155906]: disconnect from unknown[194.169.175.65] commands=0/0
Jul 17 23:11:43 ns postfix/smtpd[153730]: timeout after AUTH from unknown[194.169.175.33]
Jul 17 23:11:43 ns postfix/smtpd[153730]: disconnect from unknown[194.169.175.33] ehlo=1 auth=0/1 rset=1 commands=2/3
Jul 17 23:11:44 ns postfix/smtpd[153701]: timeout after CONNECT from unknown[194.169.175.65]
Jul 17 23:11:44 ns postfix/smtpd[153701]: disconnect from unknown[194.169.175.65] commands=0/0

after a few minutes it seems to block

Can it be good?

If your system has been configured to create a mail log, then, obviously you want fail2ban to watch the mail log. That’s becoming less common…most now default to mail services logging to the journal, but most can also easily be configured to do otherwise (but you have to make sure everything that works with logs knows about that difference).

When I installed it in December 2023, I probably used the minimal setup. I remember having to manually activate Postfix (or maybe I don’t remember exactly). Since I switched from Cpanel to Virtualmin, I didn’t select the options I wasn’t familiar with. Before, I didn’t know Postfix or Fail2ban. On Cpanel, I used Exim and CSF. I installed Virtualmin with Apache (and not Nginx, because I really needed .htaccess).

image1368×768 205 KB

root@ip-10-0-31-121:~# cat /etc/fail2ban/jail.local
[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot-pop3imap, port=“pop3,pop3s,imap,imaps”, protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix]
enabled = true
mode = auth
#journalmatch = SYSLOG_IDENTIFIER=postfix/smtpd
journalmatch = _SYSTEMD_UNIT=postfix@-.service
#port = smtp
port = smtp,465,submission,imap,imaps,pop3,pop3s
filter = postfix[mode=auth]
logpath = /var/log/mail.log
maxretry = 3
backend = systemd
bantime = 24h
findtime = 6h

the easter egg in the above screenshot is the $ date #command , 3 retry was the limit, that ip got banned just after 4th try…