fail2ban postfix-sasl filter not working, use postfix auth mode instead

Written by - 0 comments

Published on - Listed in Monitoring Linux Security Mail


On our infrastructure we widely use fail2ban for all kinds of applications, including Postfix on our central mail servers. The job of fail2ban in this case is to identify invalid or brute force SMTP login attempts and block these in the firewall.

fail2ban

postfix-sasl filter: lines missed

A typical Postfix log entry for such a failed login attempt looks (more or less) like this:

May 28 22:57:19 localhost postfix/smtpd[512035]: warning: unknown[220.88.29.162]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=info

A pre-defined filter for such SMTP SASL shipped with the fail2ban package:

root@postfix:~# cat /etc/fail2ban/filter.d/postfix-sasl.conf
# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$

ignoreregex = authentication failed: Connection lost to authentication server$

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service


# Author: Yaroslav Halchenko

Unfortunately the filter doesn't seem to work as no invalid login attempts were detected:

root@postfix:~# fail2ban-client status postfix-sasl
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed:    0
|  |- Total failed:    0
|  `- File list:    /var/log/mail.log
`- Actions
   |- Currently banned:    0
   |- Total banned:    0
   `- Banned IP list:   

Fail2ban also ships with a regex tester which allows to test a filter against a log file. And this clearly shows that all the lines in /var/log/mail.log were parsed but none matched the failregex:

root@postfix:~# fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-sasl.conf

Running tests
=============

Use   failregex filter file : postfix-sasl, basedir: /etc/fail2ban
Use      datepattern : {^LN-BEG} : Default Detectors
Use         log file : /var/log/mail.log
Use         encoding : UTF-8


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [2349252] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 2349252 lines, 0 ignored, 0 matched, 2349252 missed
[processed in 165.50 sec]

postfix-sasl was replaced by postfix[auth]

A research confirmed that the postfix-sasl filter does indeed not work, or has stopped working in the past years:

A look into the fail2ban changelog reveals why. Version 0.10.0 (the long awaited 0.10th version) mentions the following change:

filter.d/postfix-sasl.conf: removed (replaced with postfix[mode=auth])

Our mail infrastructure has been running since 2018 and has undergone continuous Debian distribution upgrades. The now removed postfix-sasl filter most likely came from the Debian 9 (Stretch) release and had been in use ever since. In Debian 10 (Buster), fail2ban was packaged as version 0.10.2 and therefore already contained the updated postfix filter.

Enabling postfix[auth] filter

With this new information at hand, let's enable the postfix[auth] filter and get rid of postfix-sasl once and for all. This can be done by defining a new jail for Postfix. Interestingly the config differs a bit from the previous jail config, as no filter is defined (but mode is set):

root@postfix:~# cat /etc/fail2ban/jail.d/postfix-sasl.conf
[postfix]
enabled  = true
mode = auth
logpath = /var/log/mail.log
maxretry = 3
bantime  = 3600
findtime = 600
banaction = iptables-allports

The reason for this is that the newer postfix filter combines previously separated filters, such as postfix-sasl or postfix-rbl. The mode defines which "sub-filter" should be used.

After a fail2ban restart, it didn't take long and invalid logins were detected:

root@postfix:~# fail2ban-client status postfix
Status for the jail: postfix
|- Filter
|  |- Currently failed:    484
|  |- Total failed:    15637
|  `- File list:    /var/log/mail.log
`- Actions
   |- Currently banned:    6
   |- Total banned:    94
   `- Banned IP list:    36.110.161.134 42.57.151.81 92.118.39.146 121.176.4.110 172.245.93.116 121.154.90.17

fail2ban monitoring and visualization

Of course we monitor the fail2ban jails by using the check_fail2ban Nagios plugin (available in the fail2ban project). The performance data are written into an InfluxDB time series database and our Grafana dashboard visualizes the data:

This graph clearly shows how the postfix jail (using the auth sub-filter) started banning IPs - compared to the postfix-sasl jail which didn't detect and ban anything before.


Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.

RSS feed

Blog Tags:

  AWS   Android   Ansible   Apache   Apple   Atlassian   BSD   Backup   Bash   Bluecoat   CMS   Chef   Cloud   Coding   Consul   Containers   CouchDB   DB   DNS   Database   Databases   Docker   ELK   Elasticsearch   Filebeat   FreeBSD   Galera   Git   GlusterFS   Grafana   Graphics   HAProxy   HTML   Hacks   Hardware   Icinga   Influx   Internet   Java   KVM   Kibana   Kodi   Kubernetes   LVM   LXC   Linux   Logstash   Mac   Macintosh   Mail   MariaDB   Minio   MongoDB   Monitoring   Multimedia   MySQL   NFS   Nagios   Network   Nginx   OSSEC   OTRS   Office   OpenSearch   PGSQL   PHP   Perl   Personal   PostgreSQL   Postgres   PowerDNS   Proxmox   Proxy   Python   Rancher   Rant   Redis   Roundcube   SSL   Samba   Seafile   Security   Shell   SmartOS   Solaris   Surveillance   Systemd   TLS   Tomcat   Ubuntu   Unix   VMWare   VMware   Varnish   Virtualization   Windows   Wireless   Wordpress   Wyse   ZFS   Zoneminder