Hi. Thanks. Unfortunately these attacks only occur sporadically and the IP addresses get unbanned after 5 minutes, so it's unlikely that I'd be able to do this while an address is blocked. I've managed to test this from a mobile device through port 465, and the error doesn't occur when I attempt to log on with an incorrect password. I'm therefore unable to reproduce the problem. Can anyone suggest how I might debug this?

On Fri, Jan 30, 2015 at 12:25 PM, Lee Clemens <j...@leeclemens.net> wrote:
> That's curious about the nat redirection.
>
> Can you run `iptables -n -L fail2ban-sendmail-auth` when an IP is blocked
> but still getting through?
>
> On 01/29/2015 08:10 PM, Robert S wrote:
>> Hi.
>>
>> Here are my input rules:
>>
>> Chain INPUT (policy ACCEPT)
>> target                   prot opt source           destination
>> fail2ban-sshd-rootlogin  tcp  --  0.0.0.0/0        0.0.0.0/0        multiport dports 22
>> fail2ban-recidive        tcp  --  0.0.0.0/0        0.0.0.0/0
>> fail2ban-RoundCube       tcp  --  0.0.0.0/0        0.0.0.0/0        multiport dports 80,443
>> fail2ban-sendmail-auth   tcp  --  0.0.0.0/0        0.0.0.0/0        multiport dports 25,465
>> fail2ban-sshd-ddos       tcp  --  0.0.0.0/0        0.0.0.0/0        multiport dports 22
>> fail2ban-sshd            tcp  --  0.0.0.0/0        0.0.0.0/0        multiport dports 22
>> ACCEPT                   icmp --  0.0.0.0/0        0.0.0.0/0        state ESTABLISHED
>> ACCEPT                   tcp  --  0.0.0.0/0        0.0.0.0/0        state ESTABLISHED
>> ACCEPT                   udp  --  0.0.0.0/0        0.0.0.0/0        state ESTABLISHED
>> ACCEPT                   all  --  0.0.0.0/0        0.0.0.0/0
>> ACCEPT                   tcp  --  0.0.0.0/0        0.0.0.0/0        tcp dpt:25flags: 0x17/0x02
>> ACCEPT                   tcp  --  0.0.0.0/0        0.0.0.0/0        tcp dpt:80flags: 0x17/0x02
>> ACCEPT                   tcp  --  0.0.0.0/0        0.0.0.0/0        tcp dpt:993flags: 0x17/0x02
>> ACCEPT                   tcp  --  0.0.0.0/0        0.0.0.0/0        tcp dpt:995flags: 0x17/0x02
>> ACCEPT                   tcp  --  0.0.0.0/0        0.0.0.0/0        tcp dpt:443flags: 0x17/0x02
>> ACCEPT                   tcp  --  0.0.0.0/0        0.0.0.0/0        tcp dpt:5800flags: 0x17/0x02
>> ACCEPT                   tcp  --  0.0.0.0/0        0.0.0.0/0        tcp dpt:5900flags: 0x17/0x02
>> ACCEPT                   tcp  --  0.0.0.0/0        0.0.0.0/0        tcp dpt:22
>> ACCEPT                   udp  --  0.0.0.0/0        0.0.0.0/0        udp dpt:6277
>> ACCEPT                   tcp  --  0.0.0.0/0        255.255.255.255  tcp spt:68 dpt:67
>> ACCEPT                   udp  --  0.0.0.0/0        255.255.255.255  udp spt:68 dpt:67
>> ULOG                     all  --  0.0.0.0/0        0.0.0.0/0        limit: avg 3/sec burst 5 ULOG copy_range 0 nlgroup 1 queue_threshold 1
>> DROP                     all  --  0.0.0.0/0        0.0.0.0/0
>>
>> I am also redirecting port 465 using this rule - I wonder if this
>> could be the problem:
>>
>> # iptables -n -L -t nat
>> Chain PREROUTING (policy ACCEPT)
>> target     prot opt source       destination
>> REDIRECT   tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:465 redir ports 25
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source       destination
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source       destination
>> Chain POSTROUTING (policy ACCEPT)
>> target     prot opt source       destination
>>
>> On Fri, Jan 30, 2015 at 11:34 AM, Lee Clemens <j...@leeclemens.net> wrote:
>>> Can you confirm the iptables chain is set up properly? (iptables -n -L INPUT)
>>>
>>> On 01/29/2015 03:44 PM, Robert S wrote:
>>>> I have the following config:
>>>>
>>>> # /etc/fail2ban/jail.local
>>>> [sendmail-auth]
>>>> enabled = true
>>>> filter = sendmail-auth
>>>> action = iptables-multiport-ulog[name=sendmail-auth, port="smtp,smtps", protocol=tcp]
>>>> logpath = /var/log/mail.log
>>>> maxretry = 6
>>>>
>>>> # /etc/fail2ban/action.d/iptables-multiport-ulog.conf
>>>> [Definition]
>>>> actionstart = iptables -N fail2ban-<name>
>>>>               iptables -A fail2ban-<name> -j RETURN
>>>>               iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
>>>>               iptables -N fail2ban-<name>-ulog
>>>>               iptables -I fail2ban-<name>-ulog -j ULOG --ulog-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " -m limit --limit 6/m --limit-burst 2
>>>>               iptables -A fail2ban-<name>-ulog -j DROP
>>>> actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
>>>>              iptables -F fail2ban-<name>
>>>>              iptables -F fail2ban-<name>-ulog
>>>>              iptables -X fail2ban-<name>
>>>>              iptables -X fail2ban-<name>-ulog
>>>> actioncheck = iptables -n -L fail2ban-<name>-ulog >/dev/null
>>>> actionban = iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-ulog
>>>> actionunban = iptables -D fail2ban-<name> -s <ip> -j fail2ban-<name>-ulog
>>>> [Init]
>>>> name = default
>>>> port = ssh
>>>> protocol = tcp
>>>> chain = INPUT
>>>>
>>>> # /etc/fail2ban/filter.d/sendmail-auth.conf
>>>> [Definition]
>>>> failregex = (sm-mta|sendmail)(?:\[\d+\])?: .*: (.*)\[<HOST>\].*: possible SMTP attack: command=AUTH, count=\d+$
>>>>             \[<HOST>\] (|\(may be forged\) )did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>>>>             AUTH failure \(LOGIN\): authentication failure \(-13\) SASL\(-13\): authentication failure: checkpass failed, .* \[<HOST>\]$
>>>> ignoreregex =
>>>>
>>>> The regex is scoring hits:
>>>> # fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sendmail-auth.conf
>>>> [..]
>>>> Success, the total number of match is 374
>>>>
>>>> But I'm still getting dozens of failed logins coming through:
>>>>
>>>> # /var/log/mail.log
>>>> Jan 29 23:57:38 myserver saslauthd[2156]: do_auth : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
>>>> Jan 29 23:57:38 myserver sm-mta[17759]: t0TCvXf3017759: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[46.17.100.149]
>>>> Jan 29 23:57:42 myserver saslauthd[2154]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
>>>> Jan 29 23:57:44 myserver saslauthd[2154]: do_auth : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
>>>> Jan 29 23:57:44 myserver sm-mta[17760]: t0TCvdHQ017760: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[46.17.100.149]
>>>> Jan 29 23:57:48 myserver saslauthd[2156]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
>>>> Jan 29 23:57:49 myserver saslauthd[2156]: do_auth : auth failure: [user=oracle] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
>>>> Jan 29 23:57:49 myserver sm-mta[17761]: t0TCvjni017761: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[46.17.100.149]
>>>> Jan 29 23:57:53 myserver saslauthd[2158]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
>>>>
>>>> My fail2ban log shows the following:
>>>>
>>>> 2015-01-29 23:58:34,479 fail2ban.actions: WARNING [sendmail-auth] Ban 46.17.100.149
>>>> 2015-01-29 23:59:10,533 fail2ban.actions: WARNING [sendmail-auth] 46.17.100.149 already banned
>>>> 2015-01-29 23:59:45,570 fail2ban.actions: WARNING [sendmail-auth] 46.17.100.149 already banned
>>>> 2015-01-30 00:00:22,609 fail2ban.actions: WARNING [sendmail-auth] 46.17.100.149 already banned
>>>> 2015-01-30 00:00:57,647 fail2ban.actions: WARNING [sendmail-auth] 46.17.100.149 already banned
>>>> 2015-01-30 00:01:33,686 fail2ban.actions: WARNING [sendmail-auth] 46.17.100.149 already banned
>>>> 2015-01-30 00:02:09,724 fail2ban.actions: WARNING [sendmail-auth] 46.17.100.149 already banned
>>>> 2015-01-30 00:02:46,765 fail2ban.actions: WARNING [sendmail-auth] 46.17.100.149 already banned
>>>> 2015-01-30 00:03:22,803 fail2ban.actions: WARNING [sendmail-auth] 46.17.100.149 already banned
>>>> 2015-01-30 00:08:35,134 fail2ban.actions: WARNING [sendmail-auth] Unban 46.17.100.149
>>>>
>>>> My firewall log reports that connections are dropped:
>>>>
>>>> # /var/log/ulog/syslogemu.log
>>>> Jan 29 23:59:05 myserver fail2ban-sendmail-auth:DROP IN=eth0 OUT= MAC=00:14:0b:60:09:25:00:24:b2:6f:12:5a:08:00 SRC=46.17.100.149 DST=192.168.0.33 LEN=64 TOS=00 PREC=0x00 TTL=43 ID=3018 DF PROTO=TCP SPT=42942 DPT=25 SEQ=2211492624 ACK=3251895256 WINDOW=244 ACK URGP=0
>>>> Jan 29 23:59:14 myserver fail2ban-sendmail-auth:DROP IN=eth0 OUT= MAC=00:14:0b:60:09:25:00:24:b2:6f:12:5a:08:00 SRC=46.17.100.149 DST=192.168.0.33 LEN=64 TOS=08 PREC=0x00 TTL=48 ID=44648 CE DF PROTO=TCP SPT=43513 DPT=25 SEQ=1631474633 ACK=1094857551 WINDOW=244 ACK URGP=0
>>>> Jan 29 23:59:26 myserver fail2ban-sendmail-auth:DROP IN=eth0 OUT= MAC=00:14:0b:60:09:25:00:24:b2:6f:12:5a:08:00 SRC=46.17.100.149 DST=192.168.0.33 LEN=52 TOS=00 PREC=0x00 TTL=43 ID=41933 CE DF PROTO=TCP SPT=43920 DPT=25 SEQ=2510917542 ACK=2695694693 WINDOW=244 ACK URGP=0
>>>> Jan 29 23:59:35 myserver fail2ban-sendmail-auth:DROP IN=eth0 OUT= MAC=00:14:0b:60:09:25:00:24:b2:6f:12:5a:08:00 SRC=46.17.100.149 DST=192.168.0.33 LEN=64 TOS=00 PREC=0x00 TTL=43 ID=41937 CE DF PROTO=TCP SPT=43920 DPT=25 SEQ=2510917542 ACK=2695694693 WINDOW=244 ACK URGP=0
>>>> Jan 29 23:59:45 myserver fail2ban-sendmail-auth:DROP IN=eth0 OUT= MAC=00:14:0b:60:09:25:00:24:b2:6f:12:5a:08:00 SRC=46.17.100.149 DST=192.168.0.33 LEN=64 TOS=08 PREC=0x00 TTL=48 ID=32164 DF PROTO=TCP SPT=44562 DPT=25 SEQ=4229237476 ACK=1694387035 WINDOW=244 ACK URGP=0
>>>> Jan 29 23:59:56 myserver fail2ban-sendmail-auth:DROP IN=eth0 OUT= MAC=00:14:0b:60:09:25:00:24:b2:6f:12:5a:08:00 SRC=46.17.100.149 DST=192.168.0.33 LEN=89 TOS=08 PREC=0x00 TTL=48 ID=30070 DF PROTO=TCP SPT=44955 DPT=25 SEQ=1887556476 ACK=3101625078 WINDOW=244 ACK PSH URGP=0
>>>>
>>>> I'm using Debian with fail2ban 0.8.6-3wheezy3
>>>>
>>>> Can somebody please explain?
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
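As an added example (not code from the thread or from fail2ban itself), a small Python harness that does what fail2ban-regex does per line: it expands <HOST> the way fail2ban 0.8 does, tries each of the quoted failregex entries (re-joined where the mail client wrapped them) against a log line, and applies the jail's maxretry rule over a findtime window. The sample lines are constructed: two copied from the quoted mail.log plus one "possible SMTP attack" line in sendmail's format; the syslog year and the findtime of 600 s (fail2ban's default, not set in the quoted jail) are assumptions.

```python
import re
from datetime import datetime

# fail2ban 0.8's expansion of the <HOST> tag: optional IPv4-mapped prefix, then a named "host" group.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The three failregex entries from the quoted sendmail-auth.conf, joined where the mail was wrapped.
FAILREGEX = [
    r"(sm-mta|sendmail)(?:\[\d+\])?: .*: (.*)\[<HOST>\].*: possible SMTP attack: command=AUTH, count=\d+$",
    r"\[<HOST>\] (|\(may be forged\) )did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    r"AUTH failure \(LOGIN\): authentication failure \(-13\) SASL\(-13\): authentication failure: checkpass failed, .* \[<HOST>\]$",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]

# Constructed sample: two lines copied from the quoted mail.log plus one "possible SMTP attack"
# line in sendmail's format (not in the original mail), all from the same client address.
SAMPLE_LOG = """\
Jan 29 23:57:38 myserver saslauthd[2156]: do_auth : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 29 23:57:38 myserver sm-mta[17759]: t0TCvXf3017759: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[46.17.100.149]
Jan 29 23:58:30 myserver sm-mta[17762]: t0TCw0ab017762: [46.17.100.149]: possible SMTP attack: command=AUTH, count=5
"""

def match_line(line):
    """Return (regex_index, host) for the first failregex that matches the line, else None."""
    for idx, rx in enumerate(COMPILED):
        m = rx.search(line)
        if m:
            return idx, m.group("host")
    return None

def syslog_ts(line, year=2015):
    """Parse the leading 'Mon DD HH:MM:SS' stamp; syslog omits the year, so it is assumed."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def ban_candidates(log_text, maxretry=6, findtime=600):
    """Hosts whose matched failures reach maxretry within a findtime-second window (the ban rule)."""
    seen, banned = {}, set()
    for line in log_text.splitlines():
        hit = match_line(line)
        if not hit:
            continue
        ts = syslog_ts(line)
        # Keep only this host's hits that are still inside the window, then add the new one.
        hits = [t for t in seen.get(hit[1], []) if (ts - t).total_seconds() <= findtime] + [ts]
        seen[hit[1]] = hits
        if len(hits) >= maxretry:
            banned.add(hit[1])
    return banned
```

On the quoted lines the harness reports that only the "possible SMTP attack" line matches: the third pattern as quoted requires a space before "[" while the sm-mta line reads "relay=[", so the unwrapped config is worth comparing against this.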