Can you confirm the iptables chain is set up properly? (iptables -n -L INPUT)

On 01/29/2015 03:44 PM, Robert S wrote:
> I have the following config:
>
> # /etc/fail2ban/jail.local
> [sendmail-auth]
> enabled  = true
> filter   = sendmail-auth
> action   = iptables-multiport-ulog[name=sendmail-auth, port="smtp,smtps", protocol=tcp]
> logpath  = /var/log/mail.log
> maxretry = 6
>
> # /etc/fail2ban/action.d/iptables-multiport-ulog.conf
> [Definition]
> actionstart = iptables -N fail2ban-<name>
>               iptables -A fail2ban-<name> -j RETURN
>               iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
>               iptables -N fail2ban-<name>-ulog
>               iptables -I fail2ban-<name>-ulog -j ULOG --ulog-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " -m limit --limit 6/m --limit-burst 2
>               iptables -A fail2ban-<name>-ulog -j DROP
> actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
>              iptables -F fail2ban-<name>
>              iptables -F fail2ban-<name>-ulog
>              iptables -X fail2ban-<name>
>              iptables -X fail2ban-<name>-ulog
> actioncheck = iptables -n -L fail2ban-<name>-ulog >/dev/null
> actionban = iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-ulog
> actionunban = iptables -D fail2ban-<name> -s <ip> -j fail2ban-<name>-ulog
> [Init]
> name = default
> port = ssh
> protocol = tcp
> chain = INPUT
>
> # /etc/fail2ban/filter.d/sendmail-auth.conf
> [Definition]
> failregex = (sm-mta|sendmail)(?:\[\d+\])?: .*: (.*)\[<HOST>\].*: possible SMTP attack: command=AUTH, count=\d+$
>             \[<HOST>\] (|\(may be forged\) )did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>             AUTH failure \(LOGIN\): authentication failure \(-13\) SASL\(-13\): authentication failure: checkpass failed, .* \[<HOST>\]$
> ignoreregex =
>
> The regex is scoring hits:
> # fail2ban-regex  /var/log/mail.log /etc/fail2ban/filter.d/sendmail-auth.conf
> [..]
> Success, the total number of match is 374
>
> But I'm still getting dozens of failed logins coming through:
>
> # /var/log/mail.log
> Jan 29 23:57:38 myserver saslauthd[2156]: do_auth         : auth
> failure: [user=webmaster] [service=smtp] [realm=] [mech=pam]
> [reason=PAM auth error]
> Jan 29 23:57:38 myserver sm-mta[17759]: t0TCvXf3017759: AUTH failure
> (LOGIN): authentication failure (-13) SASL(-13): authentication
> failure: checkpass failed, relay=[46.17.100.149]
> Jan 29 23:57:42 myserver saslauthd[2154]: pam_unix(smtp:auth):
> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> Jan 29 23:57:44 myserver saslauthd[2154]: do_auth         : auth
> failure: [user=webmaster] [service=smtp] [realm=] [mech=pam]
> [reason=PAM auth error]
> Jan 29 23:57:44 myserver sm-mta[17760]: t0TCvdHQ017760: AUTH failure
> (LOGIN): authentication failure (-13) SASL(-13): authentication
> failure: checkpass failed, relay=[46.17.100.149]
> Jan 29 23:57:48 myserver saslauthd[2156]: pam_unix(smtp:auth):
> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> Jan 29 23:57:49 myserver saslauthd[2156]: do_auth         : auth
> failure: [user=oracle] [service=smtp] [realm=] [mech=pam] [reason=PAM
> auth error]
> Jan 29 23:57:49 myserver sm-mta[17761]: t0TCvjni017761: AUTH failure
> (LOGIN): authentication failure (-13) SASL(-13): authentication
> failure: checkpass failed, relay=[46.17.100.149]
> Jan 29 23:57:53 myserver saslauthd[2158]: pam_unix(smtp:auth):
> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
>
> My fail2ban log shows the following:
>
> 2015-01-29 23:58:34,479 fail2ban.actions: WARNING [sendmail-auth] Ban
> 46.17.100.149
> 2015-01-29 23:59:10,533 fail2ban.actions: WARNING [sendmail-auth]
> 46.17.100.149 already banned
> 2015-01-29 23:59:45,570 fail2ban.actions: WARNING [sendmail-auth]
> 46.17.100.149 already banned
> 2015-01-30 00:00:22,609 fail2ban.actions: WARNING [sendmail-auth]
> 46.17.100.149 already banned
> 2015-01-30 00:00:57,647 fail2ban.actions: WARNING [sendmail-auth]
> 46.17.100.149 already banned
> 2015-01-30 00:01:33,686 fail2ban.actions: WARNING [sendmail-auth]
> 46.17.100.149 already banned
> 2015-01-30 00:02:09,724 fail2ban.actions: WARNING [sendmail-auth]
> 46.17.100.149 already banned
> 2015-01-30 00:02:46,765 fail2ban.actions: WARNING [sendmail-auth]
> 46.17.100.149 already banned
> 2015-01-30 00:03:22,803 fail2ban.actions: WARNING [sendmail-auth]
> 46.17.100.149 already banned
> 2015-01-30 00:08:35,134 fail2ban.actions: WARNING [sendmail-auth]
> Unban 46.17.100.149
>
> My firewall log reports that connections are dropped:
>
> # /var/log/ulog/syslogemu.log
>
> Jan 29 23:59:05 myserver fail2ban-sendmail-auth:DROP  IN=eth0 OUT=
> MAC=00:14:0b:60:09:25:00:24:b2:6f:12:5a:08:00  SRC=46.17.100.149
> DST=192.168.0.33 LEN=64 TOS=00 PREC=0x00 TTL=43 ID=3018 DF PROTO=TCP
> SPT=42942 DPT=25 SEQ=2211492624 ACK=3251895256 WINDOW=244 ACK URGP=0
> Jan 29 23:59:14 myserver fail2ban-sendmail-auth:DROP  IN=eth0 OUT=
> MAC=00:14:0b:60:09:25:00:24:b2:6f:12:5a:08:00  SRC=46.17.100.149
> DST=192.168.0.33 LEN=64 TOS=08 PREC=0x00 TTL=48 ID=44648 CE DF
> PROTO=TCP SPT=43513 DPT=25 SEQ=1631474633 ACK=1094857551 WINDOW=244
> ACK URGP=0
> Jan 29 23:59:26 myserver fail2ban-sendmail-auth:DROP  IN=eth0 OUT=
> MAC=00:14:0b:60:09:25:00:24:b2:6f:12:5a:08:00  SRC=46.17.100.149
> DST=192.168.0.33 LEN=52 TOS=00 PREC=0x00 TTL=43 ID=41933 CE DF
> PROTO=TCP SPT=43920 DPT=25 SEQ=2510917542 ACK=2695694693 WINDOW=244
> ACK URGP=0
> Jan 29 23:59:35 myserver fail2ban-sendmail-auth:DROP  IN=eth0 OUT=
> MAC=00:14:0b:60:09:25:00:24:b2:6f:12:5a:08:00  SRC=46.17.100.149
> DST=192.168.0.33 LEN=64 TOS=00 PREC=0x00 TTL=43 ID=41937 CE DF
> PROTO=TCP SPT=43920 DPT=25 SEQ=2510917542 ACK=2695694693 WINDOW=244
> ACK URGP=0
> Jan 29 23:59:45 myserver fail2ban-sendmail-auth:DROP  IN=eth0 OUT=
> MAC=00:14:0b:60:09:25:00:24:b2:6f:12:5a:08:00  SRC=46.17.100.149
> DST=192.168.0.33 LEN=64 TOS=08 PREC=0x00 TTL=48 ID=32164 DF PROTO=TCP
> SPT=44562 DPT=25 SEQ=4229237476 ACK=1694387035 WINDOW=244 ACK URGP=0
> Jan 29 23:59:56 myserver fail2ban-sendmail-auth:DROP  IN=eth0 OUT=
> MAC=00:14:0b:60:09:25:00:24:b2:6f:12:5a:08:00  SRC=46.17.100.149
> DST=192.168.0.33 LEN=89 TOS=08 PREC=0x00 TTL=48 ID=30070 DF PROTO=TCP
> SPT=44955 DPT=25 SEQ=1887556476 ACK=3101625078 WINDOW=244 ACK PSH
> URGP=0
>
> I'm using Debian with fail2ban 0.8.6-3wheezy3
>
> Can somebody please explain?
>


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
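One way to carry out the chain check the reply asks for, as an added example that is not from the post or from fail2ban itself: it parses constructed `iptables -n -L --line-numbers` output (the `--line-numbers` flag is an assumption; the post's command omits it) and reports an ACCEPT rule evaluated before the jail's jump in INPUT, or a missing ban rule for the IP in the jail chain.

```python
import re

# Constructed sample of `iptables -n -L --line-numbers` output (not from the post):
# a stateful ACCEPT sits above the jail jump, so packets of an SMTP session the
# client opened before the ban are accepted before the fail2ban chain is consulted.
IPTABLES_SAMPLE = """\
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    fail2ban-sendmail-auth  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465

Chain fail2ban-sendmail-auth (1 references)
num  target     prot opt source               destination
1    fail2ban-sendmail-auth-ulog  all  --  46.17.100.149        0.0.0.0/0
2    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""


def parse_chains(text):
    """Map chain name -> list of rules, each rule a list of whitespace-split fields:
    [num, target, prot, opt, source, destination, ...match text]."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and re.match(r"\d+\s", line):
            chains[current].append(line.split())
    return chains


def check_jail(text, jail_chain, banned_ip):
    """Return a list of findings explaining why a ban may not bite; [] means the
    chain layout matches what actionstart/actionban are meant to produce."""
    findings = []
    chains = parse_chains(text)
    inp = chains.get("INPUT", [])
    jump = next((i for i, r in enumerate(inp) if r[1] == jail_chain), None)
    if jump is None:
        findings.append("INPUT has no jump to %s (actionstart rule missing or flushed)" % jail_chain)
    else:
        # Any ACCEPT evaluated before the jump (e.g. a firewall script that later
        # inserted rules at the top of INPUT) short-circuits the ban for those packets.
        for r in inp[:jump]:
            if r[1] == "ACCEPT":
                findings.append("INPUT rule %s ACCEPTs before the %s jump: %s"
                                % (r[0], jail_chain, " ".join(r[6:]) or "all traffic"))
    ban_rules = chains.get(jail_chain, [])
    if not any(r[1] == jail_chain + "-ulog" and r[4] == banned_ip for r in ban_rules):
        findings.append("no ban rule for %s in %s" % (banned_ip, jail_chain))
    return findings
```

Run it against the real `iptables -n -L --line-numbers` output; an empty list means the jump really is first in INPUT and the ban rule is present.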
