Mail Log - SASL Authentication failures

I’m running

  • Ubuntu 18.04
  • Virtualmin 6.09.gpl
  • Apache 2.4.29
  • Webmin 1.942
  • Postfix 3.3.0

In the mail log (/var/log/mail.log) I see lots of lines as below:

Jun 22 23:42:31 vps1 postfix/smtpd[16725]: disconnect from unknown[212.70.149.18] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jun 22 23:42:33 vps1 postfix/smtpd[13461]: connect from unknown[212.70.149.2]
Jun 22 23:42:40 vps1 postfix/smtpd[13461]: warning: unknown[212.70.149.2]: SASL LOGIN authentication failed: authentication failure
Jun 22 23:42:40 vps1 postfix/smtpd[13461]: disconnect from unknown[212.70.149.2] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4

I have Fail2Ban set up. The jail.local has

[postfix-sasl]
enabled = true
port = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath = /var/log/mail.log

The out-of-the-box filter is there too:

# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix/(submission/)?smtp(d|s)

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]={0,2})?\s*$

ignoreregex = authentication failed: Connection lost to authentication server$

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service

# Author: Yaroslav Halchenko

A status check on the jail shows

Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     48
|  `- File list:        /var/log/mail.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   212.70.149.18 212.70.149.2

The 2 IPs are listed there. It's the same 2 IPs over and over again in the log.

If the IPs were banned, I would not be expecting to see them in the mail.log. Or am I missing something?

Thanks in advance.

Dibs

If you aren’t using the default firewalld setup, you will probably need to change your config.

@noisemarine - thanks for the reply. I’m not a firewalld or ufw type person. Always been happy enough with plain old iptables.

I think I’ve got to the bottom of the problem. iptables 0.10.2 has a quirk in that it doesn’t auto-create the iptables rules\chains as you would expect. There’s either a workaround (which is a faff) or you just add the action line into the service section. Then it appears to work.

Still testing\tinkering…LOL

Cheers

Dibs

Fail2ban appears to be working correctly on your system @Dibs, else the status for the jail postfix-sasl would not show two IPs jailed.

The explanation for the IP showing up repeatedly in your logs could be a simple one: Fail2ban jails the IP for the limited time it has been configured to (600 seconds, if I recall correctly) and then releases the IP from the jail. Thereafter, when it shows up again in your logs, you wonder how the IP could access the port if it is banned.

You could configure Fail2ban to increase the duration of the ban (Time to ban IP for, in Virtualmin's Edit Jail screen), but let me caution you that the Fail2ban tool is not intended to keep your logs free of unwanted IPs. With its default settings Fail2ban will stop brute force attacks without drawing disproportionately upon system resources, but if you change defaults (e.g. increase jail time to tidy up logs) then Fail2ban might take a long time to start and use 100% CPU while it does. Be mindful of this if you change the defaults.

@calport

I thought that too at first. The timeouts were several hours, yet I was seeing the repeating blocks in the mail log every 30s. Then when looking at my outgoing VPS I realised the results of

iptables -v -x -n -L

were different, in that extra chains were present (prefaced with f2b) and this new VPS didn't have them.

My understanding is (and correct me if I am off base) that F2B does the log parsing, regexing etc. and (in my case) iptables does the actual banning.

Even though the postfix-sasl jail was showing those 2 IPs, iptables was not showing any banned IPs.

F2B 0.10.2 works weirdly, or possibly not at all the way you might expect:

calls it the “on demand behaviour”. I was experiencing exactly the same on F2B 0.10.2

Cheers

Dibs
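The check this thread converges on, as an added example (not the poster's or fail2ban's own code): reconcile the "Banned IP list" that fail2ban-client status reports with what iptables -S actually contains. fail2ban's iptables-multiport action creates a chain named f2b-<jail>, jumps to it from INPUT for the jail's ports, and adds one REJECT rule per banned source; if the chain is absent or never hooked into INPUT, the jail status is not evidence that anything is being blocked. The status text is the one quoted in the first post; the two iptables -S listings are constructed here, one healthy and one showing the "no f2b chains" condition described above.

```python
import re


def banned_from_status(status_text):
    """IPs on the 'Banned IP list:' line of `fail2ban-client status <jail>`."""
    for line in status_text.splitlines():
        if "Banned IP list:" in line:
            return line.split("Banned IP list:", 1)[1].split()
    return []


_RULE = re.compile(r"^-A (?P<chain>\S+)\s+(?P<rest>.*)$")


def chain_state(iptables_s_text, chain):
    """Read `iptables -S` output and return (chain exists, INPUT jumps to it,
    set of source addresses the chain REJECTs or DROPs)."""
    exists = False
    hooked = False
    blocked = set()
    for raw in iptables_s_text.splitlines():
        line = raw.strip()
        if line == f"-N {chain}":
            exists = True
            continue
        m = _RULE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        if m.group("chain") == "INPUT" and re.search(rf"-j {re.escape(chain)}(?:\s|$)", rest):
            hooked = True
        elif m.group("chain") == chain:
            src = re.search(r"-s (\S+)", rest)
            tgt = re.search(r"-j (?:REJECT|DROP)\b", rest)
            if src and tgt:
                blocked.add(src.group(1).split("/")[0])  # strip the /32 iptables prints
    return exists, hooked, blocked


def reconcile(status_text, iptables_s_text, jail):
    """Compare what the jail claims with what the packet filter enforces."""
    chain = f"f2b-{jail}"  # chain name used by fail2ban's iptables-multiport action
    reported = set(banned_from_status(status_text))
    exists, hooked, blocked = chain_state(iptables_s_text, chain)
    return {
        "chain": chain,
        "chain_exists": exists,
        "chain_hooked_into_INPUT": hooked,
        "reported_banned": reported,
        "blocked_by_iptables": blocked,
        "banned_but_not_blocked": reported - blocked,
    }


# Jail status as quoted in the first post.
STATUS_TEXT = """\
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     48
|  `- File list:        /var/log/mail.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   212.70.149.18 212.70.149.2
"""

# Constructed `iptables -S` output for a working setup: chain created, hooked
# from INPUT on the jail's ports, one REJECT per banned source.
IPTABLES_OK = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-postfix-sasl
-A INPUT -p tcp -m multiport --dports 25,465,587,220,993,110,995 -j f2b-postfix-sasl
-A f2b-postfix-sasl -s 212.70.149.18/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -s 212.70.149.2/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -j RETURN
"""

# Constructed output for the situation described in the thread: fail2ban shows
# two banned IPs, but no f2b chain exists at all.
IPTABLES_MISSING = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

if __name__ == "__main__":
    for label, text in (("ok", IPTABLES_OK), ("missing", IPTABLES_MISSING)):
        r = reconcile(STATUS_TEXT, text, "postfix-sasl")
        print(label, "chain exists:", r["chain_exists"], "hooked:", r["chain_hooked_into_INPUT"],
              "banned but not blocked:", sorted(r["banned_but_not_blocked"]))
```

On a live host replace the two constants with the output of `fail2ban-client status postfix-sasl` and `iptables -S` (run as root); a non-empty "banned_but_not_blocked" set, or chain_exists False, is the condition the poster hit, where the jail's counters look healthy but no packet is ever rejected.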
