On our infrastructure we widely use fail2ban for all kinds of applications, including Postfix on our central mail servers. The job of fail2ban in this case is to identify invalid or brute force SMTP login attempts and block these in the firewall.
A typical Postfix log entry for such a failed login attempt looks (more or less) like this:
May 28 22:57:19 localhost postfix/smtpd[512035]: warning: unknown[220.88.29.162]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=info
A pre-defined filter for such SMTP SASL failures ships with the fail2ban package:
root@postfix:~# cat /etc/fail2ban/filter.d/postfix-sasl.conf
# Fail2Ban filter for postfix authentication failures
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
ignoreregex = authentication failed: Connection lost to authentication server$
[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service
# Author: Yaroslav Halchenko
Unfortunately the filter doesn't seem to work as no invalid login attempts were detected:
root@postfix:~# fail2ban-client status postfix-sasl
Status for the jail: postfix-sasl
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/mail.log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
Fail2ban also ships with a regex tester which allows testing a filter against a log file. And this clearly shows that all the lines in /var/log/mail.log were parsed but none matched the failregex:
root@postfix:~# fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-sasl.conf
Running tests
=============
Use failregex filter file : postfix-sasl, basedir: /etc/fail2ban
Use datepattern : {^LN-BEG} : Default Detectors
Use log file : /var/log/mail.log
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [2349252] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 2349252 lines, 0 ignored, 0 matched, 2349252 missed
[processed in 165.50 sec]
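To see why the tester reports zero matches, here is an added Python example (not part of the original post, and not fail2ban's own code) that applies the failregex shown above to the log line quoted at the top of the post. It assumes simplified stand-ins for the two fail2ban macros, %(__prefix_line)s and <HOST>, whose real definitions live in common.conf and in fail2ban's filter code; the alternation's mid-pattern (?i) flag is written in the scoped form (?i:...) because Python 3.11 and later reject a global flag that is not at the start of the pattern. ADAPTED_FAILREGEX is an illustrative variant written for this example, not upstream's postfix[mode=auth] pattern.

```python
import re

# The failed-login line quoted in the post (its own sample IP and username).
LOG_LINE = ("May 28 22:57:19 localhost postfix/smtpd[512035]: warning: "
            "unknown[220.88.29.162]: SASL LOGIN authentication failed: "
            "UGFzc3dvcmQ6, sasl_username=info")

# failregex of the removed postfix-sasl.conf as printed in the post, with one
# change: the global (?i) flag in mid-pattern is an error on Python 3.11+, so
# the alternation uses the equivalent scoped form (?i:...).
OLD_FAILREGEX = (r"^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: "
                 r"SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
                 r"(:[ A-Za-z0-9+/:]*={0,2})?\s*$")

# Illustrative adaptation (assumption, not upstream's pattern): additionally
# accept the ", sasl_username=..." field that the post's log line carries.
ADAPTED_FAILREGEX = (r"^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: "
                     r"SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
                     r"(:[ A-Za-z0-9+/:]*={0,2})?(?:, sasl_username=\S*)?\s*$")

# Assumed stand-ins for the two fail2ban macros used in the patterns. The real
# __prefix_line in common.conf is far more elaborate; this one only covers the
# syslog "MON DD HH:MM:SS host prog[pid]: " prefix of the line above.
PREFIX_LINE = r"(?:\w{3} +\d+ [\d:]+ \S+ )?(?:\S+\[\d+\]: )?"
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def expand(failregex):
    """Substitute the macros the way fail2ban does before compiling a failregex."""
    pattern = failregex.replace("%(__prefix_line)s", PREFIX_LINE)
    pattern = pattern.replace("<HOST>", HOST)
    return re.compile(pattern)


def matched_host(failregex, line):
    """Return the <HOST> captured by failregex on line, or None when it misses."""
    m = expand(failregex).search(line)
    return m.group("host") if m else None


if __name__ == "__main__":
    for name, regex in (("postfix-sasl failregex", OLD_FAILREGEX),
                        ("adapted failregex", ADAPTED_FAILREGEX)):
        print(f"{name}: {matched_host(regex, LOG_LINE)}")
    # The old pattern matches as soon as the trailing field is gone:
    print("old regex without sasl_username field:",
          matched_host(OLD_FAILREGEX, LOG_LINE.split(",")[0]))
```

The old pattern insists on end-of-line right after the base64 token (`\s*$`), so the `, sasl_username=info` field in the post's log line makes every such line miss, which is exactly the "0 matched" the tester reports. Switching to the postfix filter with mode=auth, as the post does, is the supported route; the adapted pattern only shows what the old one lacks.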
Some research confirmed that the postfix-sasl filter indeed does not work any more, or stopped working at some point in the past years.
A look into the fail2ban changelog reveals why. Version 0.10.0 (the long-awaited 0.10 release) mentions the following change:
filter.d/postfix-sasl.conf: removed (replaced with postfix[mode=auth])
Our mail infrastructure has been running since 2018 and has undergone continuous Debian distribution upgrades. The now removed postfix-sasl filter most likely came from the Debian 9 (Stretch) release and had been in use ever since. In Debian 10 (Buster), fail2ban was packaged as version 0.10.2 and therefore already contained the updated postfix filter.
With this new information at hand, let's enable the postfix[mode=auth] filter and get rid of postfix-sasl once and for all. This can be done by defining a new jail for Postfix. Interestingly, the config differs a bit from the previous jail config, as no filter is defined (but mode is set):
root@postfix:~# cat /etc/fail2ban/jail.d/postfix-sasl.conf
[postfix]
enabled = true
mode = auth
logpath = /var/log/mail.log
maxretry = 3
bantime = 3600
findtime = 600
banaction = iptables-allports
The reason for this is that the newer postfix filter combines previously separated filters, such as postfix-sasl or postfix-rbl. The mode defines which "sub-filter" should be used.
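The three numeric settings in that jail, maxretry, findtime and bantime, decide when a matched failure turns into a ban. The following Python is an added illustration (not the post's and not fail2ban's code) of that counting with the post's values, as a simplified model: a sliding window of failure timestamps per host, a ban once the window holds maxretry entries, and expiry after bantime. The event list and its RFC 5737 test addresses are constructed for the example.

```python
from collections import defaultdict, deque

# Jail parameters from the post's jail.d/postfix-sasl.conf
MAXRETRY = 3      # failures needed within FINDTIME to trigger a ban
FINDTIME = 600    # seconds: sliding window over which failures are counted
BANTIME = 3600    # seconds: how long a ban lasts


class Jail:
    """Simplified model of fail2ban's counting (illustration, not fail2ban's code).

    Events are (timestamp_seconds, host) pairs in arrival order, such as a
    filter's failregex matches would produce. A host is banned when MAXRETRY
    failures fall inside a FINDTIME window; the ban lasts BANTIME seconds.
    """

    def __init__(self, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)   # host -> timestamps inside the window
        self.bans = {}                       # host -> ban expiry timestamp
        self.total_banned = 0

    def is_banned(self, host, now):
        expiry = self.bans.get(host)
        if expiry is None:
            return False
        if now >= expiry:          # ban has run out: lift it
            del self.bans[host]
            return False
        return True

    def failure(self, now, host):
        """Record one failed login; return True if this failure triggered a ban."""
        if self.is_banned(host, now):
            return False           # already blocked; nothing new happens
        window = self.failures[host]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()       # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.bans[host] = now + self.bantime
            self.total_banned += 1
            window.clear()
            return True
        return False


def replay(events, jail=None):
    """Feed (timestamp, host) events through a jail; return hosts banned, in order."""
    if jail is None:
        jail = Jail()
    return [host for t, host in events if jail.failure(t, host)]


# Constructed events: seconds since an arbitrary epoch, RFC 5737 test addresses.
EVENTS = [
    (0,    "203.0.113.5"),    # three failures within 90 s -> banned at t=90
    (0,    "198.51.100.7"),   # three failures spread over 20 min -> never banned
    (30,   "203.0.113.5"),
    (90,   "203.0.113.5"),
    (100,  "203.0.113.5"),    # arrives while banned: ignored
    (700,  "198.51.100.7"),
    (1400, "198.51.100.7"),
    (3700, "203.0.113.5"),    # ban expired at t=3690: counted afresh, no new ban
]

if __name__ == "__main__":
    jail = Jail()
    print("banned:", replay(EVENTS, jail))
    print("total banned:", jail.total_banned)
```

With the post's values a host that fails three times inside ten minutes is banned for an hour, while the same three failures spread over twenty minutes never add up, because the oldest one has already left the findtime window when the third arrives.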
After a fail2ban restart, it didn't take long before invalid logins were detected:
root@postfix:~# fail2ban-client status postfix
Status for the jail: postfix
|- Filter
| |- Currently failed: 484
| |- Total failed: 15637
| `- File list: /var/log/mail.log
`- Actions
|- Currently banned: 6
|- Total banned: 94
`- Banned IP list: 36.110.161.134 42.57.151.81 92.118.39.146 121.176.4.110 172.245.93.116 121.154.90.17
Of course we monitor the fail2ban jails by using the check_fail2ban Nagios plugin (available in the fail2ban project). The performance data are written into an InfluxDB time series database and our Grafana dashboard visualizes the data:
This graph clearly shows how the postfix jail (using the auth sub-filter) started banning IPs - compared to the postfix-sasl jail which didn't detect and ban anything before.