Hello list,
I have two problems to discuss here:
163.172.20.242: a banned IP that continued to make login requests to my postfix
server.
2.139.229.39: another IP that should have been banned by my
postfix-sasl-long jail (10 failures in 24 hours) but hasn't been.
This mail is divided into three parts:
First part is for the first IP.
Second part is for the second IP.
Last part is the full config for my postfix jails.
FIRST IP : 163.172.20.242
=========================
1) Proof that it has reached its maxretry in the specified findtime
-------------------------------------------------------------------
Here's the config:
['set', 'postfix-sasl', 'addlogpath', '/var/log/mail.warn']
['set', 'postfix-sasl', 'maxretry', 3]
['set', 'postfix-sasl', 'findtime', 600] <<<<<< 5 minutes
['set', 'postfix-sasl', 'bantime', 86400]
['set', 'postfix-sasl', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+
)?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+
)?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID
\\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL
(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [
A-Za-z0-9+/]*={0,2})?\\s*$']
Here are the logged failures:
root@messagerie[10.10.10.19] ~ # grep 163.172.20.242 /var/log/mail.warn.1
Sep 15 00:44:00 messagerie postfix/smtpd[14051]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:44:00 messagerie postfix/smtpd[14389]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:44:00 messagerie postfix/smtpd[14391]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:44:00 messagerie postfix/smtpd[14392]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:44:01 messagerie postfix/smtpd[14393]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:44:06 messagerie postfix/smtpd[14051]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:44:06 messagerie postfix/smtpd[14389]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:44:06 messagerie postfix/smtpd[14391]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:44:06 messagerie postfix/smtpd[14392]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:44:07 messagerie postfix/smtpd[14393]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:44:16 messagerie postfix/smtpd[14051]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:44:16 messagerie postfix/smtpd[14389]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:44:16 messagerie postfix/smtpd[14392]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:44:16 messagerie postfix/smtpd[14391]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:44:17 messagerie postfix/smtpd[14393]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:44:26 messagerie postfix/smtpd[14051]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: Connection lost to authentication server
Sep 15 00:44:26 messagerie postfix/smtpd[14389]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: Connection lost to authentication server
Sep 15 00:44:26 messagerie postfix/smtpd[14392]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: Connection lost to authentication server
Sep 15 00:44:26 messagerie postfix/smtpd[14391]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: Connection lost to authentication server
Sep 15 00:44:27 messagerie postfix/smtpd[14393]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: Connection lost to authentication server
root@messagerie[10.10.10.19] ~ #
That's 20 lines in only 27 seconds.
root@messagerie[10.10.10.19] ~ # grep 163.172.20.242 /var/log/mail.warn.1 | wc
-l
20
root@messagerie[10.10.10.19] ~ #
2) Proof that it has been banned after the maxretry
---------------------------------------------------
That IP was first banned at 00:44:01, after 5 attempts, although the jail is
configured to ban after 3 attempts in 5 minutes.
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # zgrep 163.172.20.242
/var/log/fail2ban.log*
/var/log/fail2ban.log:2017-09-15 00:44:01,429 fail2ban.actions[10631]: WARNING
[postfix-sasl] Ban 163.172.20.242
/var/log/fail2ban.log:2017-09-15 00:44:06,477 fail2ban.actions[10631]: INFO
[postfix-sasl] 163.172.20.242 already banned
/var/log/fail2ban.log:2017-09-15 00:44:16,489 fail2ban.actions[10631]: INFO
[postfix-sasl] 163.172.20.242 already banned
/var/log/fail2ban.log:2017-09-15 00:44:26,500 fail2ban.actions[10631]: INFO
[postfix-sasl] 163.172.20.242 already banned
/var/log/fail2ban.log:2017-09-16 00:44:02,005 fail2ban.actions[10631]: WARNING
[postfix-sasl] Unban 163.172.20.242
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #
3) Proof that it continued to try to login after it has been banned
-------------------------------------------------------------------
The IP was banned at 00:44:01:
/var/log/fail2ban.log:2017-09-15 00:44:01,429 fail2ban.actions[10631]: WARNING
[postfix-sasl] Ban 163.172.20.242
But it continued to try to log in after that, starting at 00:44:06:
Sep 15 00:44:06 messagerie postfix/smtpd[14051]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:44:06 messagerie postfix/smtpd[14389]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:44:06 messagerie postfix/smtpd[14391]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:44:06 messagerie postfix/smtpd[14392]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:44:07 messagerie postfix/smtpd[14393]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:44:16 messagerie postfix/smtpd[14051]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:44:16 messagerie postfix/smtpd[14389]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:44:16 messagerie postfix/smtpd[14392]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:44:16 messagerie postfix/smtpd[14391]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:44:17 messagerie postfix/smtpd[14393]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:44:26 messagerie postfix/smtpd[14051]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: Connection lost to authentication server
Sep 15 00:44:26 messagerie postfix/smtpd[14389]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: Connection lost to authentication server
Sep 15 00:44:26 messagerie postfix/smtpd[14392]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: Connection lost to authentication server
Sep 15 00:44:26 messagerie postfix/smtpd[14391]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: Connection lost to authentication server
Sep 15 00:44:27 messagerie postfix/smtpd[14393]: warning:
163-172-20-242.rev.poneytelecom.eu[163.172.20.242]: SASL LOGIN authentication
failed: Connection lost to authentication server
SECOND IP : 2.139.229.39
========================
1) Proof that it has reached its maxretry in the specified findtime
-------------------------------------------------------------------
Here's the config that should have banned it:
['set', 'postfix-sasl-long', 'addlogpath', '/var/log/mail.warn']
['set', 'postfix-sasl-long', 'maxretry', 10]
['set', 'postfix-sasl-long', 'findtime', 86400] <<<<<<< 1 day
['set', 'postfix-sasl-long', 'bantime', 432000]
['set', 'postfix-sasl-long', 'addfailregex',
'^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\]
)?(?:@vserver_\\S+
)?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID
\\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL
(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [
A-Za-z0-9+/]*={0,2})?\\s*$']
It had 19 attempts in the first 24 hours, far more than the 10 maxretry
configured (nearly a factor of two), and 11 in the following 24 hours, plus
3 others, for a total of 36 attempts:
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # grep 2.139.229.39
/var/log/mail.warn.1
Sep 14 11:56:11 messagerie postfix/smtpd[34392]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 14 12:23:30 messagerie postfix/smtpd[38425]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 14 14:53:44 messagerie postfix/smtpd[55061]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 14 15:24:51 messagerie postfix/smtpd[51822]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 14 16:09:21 messagerie postfix/smtpd[58682]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 14 17:23:55 messagerie postfix/smtpd[63313]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 14 17:30:39 messagerie postfix/smtpd[63313]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 14 18:51:09 messagerie postfix/smtpd[1634]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 14 19:04:43 messagerie postfix/smtpd[2202]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 14 20:46:44 messagerie postfix/smtpd[4874]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 14 21:27:24 messagerie postfix/smtpd[5654]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 14 21:40:56 messagerie postfix/smtpd[5654]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 14 22:04:41 messagerie postfix/smtpd[5654]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 00:27:32 messagerie postfix/smtpd[9260]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 02:22:29 messagerie postfix/smtpd[15942]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 04:05:28 messagerie postfix/smtpd[18713]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 08:51:57 messagerie postfix/smtpd[26630]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 09:28:31 messagerie postfix/smtpd[27272]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 10:25:28 messagerie postfix/smtpd[27943]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
--- less than 24 hours, 19 attempts ---
Sep 15 12:10:52 messagerie postfix/smtpd[31898]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 14:47:49 messagerie postfix/smtpd[36892]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 19:34:48 messagerie postfix/smtpd[45045]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 21:29:18 messagerie postfix/smtpd[47890]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 21:57:39 messagerie postfix/smtpd[48234]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 15 22:11:43 messagerie postfix/smtpd[48234]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 16 01:43:17 messagerie postfix/smtpd[56386]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 16 04:08:04 messagerie postfix/smtpd[59243]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 16 06:06:34 messagerie postfix/smtpd[61984]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 16 10:07:22 messagerie postfix/smtpd[3019]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 16 11:48:31 messagerie postfix/smtpd[5676]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
--- less than 24 hours, 11 attempts ---
Sep 16 15:57:47 messagerie postfix/smtpd[12907]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 16 16:49:52 messagerie postfix/smtpd[14043]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 16 17:56:26 messagerie postfix/smtpd[15798]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 16 23:18:18 messagerie postfix/smtpd[23541]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 17 00:55:30 messagerie postfix/smtpd[29593]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
Sep 17 04:03:45 messagerie postfix/smtpd[33811]: warning:
39.red-2-139-229.staticip.rima-tde.net[2.139.229.39]: SASL LOGIN authentication
failed: UGFzc3dvcmQ6
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # grep 2.139.229.39
/var/log/mail.warn.1 | wc -l
36
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #
2) Proof that it hasn't been banned
-----------------------------------
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # zgrep 2.139.229.39
/var/log/fail2ban.log*
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #
FULL CONFIGURATION
==================
Here's my configuration for the postfix jails: I have postfix, postfix-sasl and
postfix-sasl-long.
The postfix jail is for rejected mail.
The postfix-sasl jail is for login failures (3 in 5 minutes).
The postfix-sasl-long jail is for login failures in a longer period of time (10
in 24 hours).
root@messagerie[10.10.10.19] ~ # fail2ban-client -d | grep postfix
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
['add', 'postfix', 'auto']
['set', 'postfix', 'usedns', 'warn']
['set', 'postfix', 'addlogpath', '/var/log/mail.log']
['set', 'postfix', 'maxretry', 3]
['set', 'postfix', 'addignoreip', '127.0.0.1/8']
['set', 'postfix', 'addignoreip', '10.10.10.0/24']
['set', 'postfix', 'addignoreip', '172.16.0.0/16']
['set', 'postfix', 'addignoreip', '192.168.0.0/16']
['set', 'postfix', 'ignorecommand', '']
['set', 'postfix', 'findtime', 600]
['set', 'postfix', 'bantime', 86400]
['set', 'postfix', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+
)?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+
)?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID
\\d+ \\S+\\])?\\s*NOQUEUE: reject: RCPT from \\S+\\[<HOST>\\]: 554 5\\.7\\.1
.*$']
['set', 'postfix', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+
)?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+
)?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID
\\d+ \\S+\\])?\\s*NOQUEUE: reject: RCPT from \\S+\\[<HOST>\\]: 450 4\\.7\\.1 :
Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$']
['set', 'postfix', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+
)?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+
)?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID
\\d+ \\S+\\])?\\s*NOQUEUE: reject: VRFY from \\S+\\[<HOST>\\]: 550 5\\.1\\.1
.*$']
['set', 'postfix', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+
)?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+
)?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID
\\d+ \\S+\\])?\\s*improper command pipelining after \\S+ from
[^[]*\\[<HOST>\\]:?$']
['set', 'postfix', 'addaction', 'shorewall']
['set', 'postfix', 'actionban', 'shorewall', 'shorewall <blocktype> <ip>']
['set', 'postfix', 'actionstop', 'shorewall', '']
['set', 'postfix', 'actionstart', 'shorewall', '']
['set', 'postfix', 'actionunban', 'shorewall', 'shorewall allow <ip>']
['set', 'postfix', 'actioncheck', 'shorewall', '']
['set', 'postfix', 'setcinfo', 'shorewall', 'blocktype', 'reject']
['add', 'postfix-sasl', 'auto']
['set', 'postfix-sasl', 'usedns', 'warn']
['set', 'postfix-sasl', 'addlogpath', '/var/log/mail.warn']
['set', 'postfix-sasl', 'maxretry', 3]
['set', 'postfix-sasl', 'addignoreip', '127.0.0.1/8']
['set', 'postfix-sasl', 'addignoreip', '10.10.10.0/24']
['set', 'postfix-sasl', 'addignoreip', '172.16.0.0/16']
['set', 'postfix-sasl', 'addignoreip', '192.168.0.0/16']
['set', 'postfix-sasl', 'ignorecommand', '']
['set', 'postfix-sasl', 'findtime', 600]
['set', 'postfix-sasl', 'bantime', 86400]
['set', 'postfix-sasl', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+
)?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+
)?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID
\\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL
(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [
A-Za-z0-9+/]*={0,2})?\\s*$']
['set', 'postfix-sasl', 'addaction', 'shorewall']
['set', 'postfix-sasl', 'actionban', 'shorewall', 'shorewall <blocktype> <ip>']
['set', 'postfix-sasl', 'actionstop', 'shorewall', '']
['set', 'postfix-sasl', 'actionstart', 'shorewall', '']
['set', 'postfix-sasl', 'actionunban', 'shorewall', 'shorewall allow <ip>']
['set', 'postfix-sasl', 'actioncheck', 'shorewall', '']
['set', 'postfix-sasl', 'setcinfo', 'shorewall', 'blocktype', 'reject']
['add', 'postfix-sasl-long', 'auto']
['set', 'postfix-sasl-long', 'usedns', 'warn']
['set', 'postfix-sasl-long', 'addlogpath', '/var/log/mail.warn']
['set', 'postfix-sasl-long', 'maxretry', 10]
['set', 'postfix-sasl-long', 'addignoreip', '127.0.0.1/8']
['set', 'postfix-sasl-long', 'addignoreip', '10.10.10.0/24']
['set', 'postfix-sasl-long', 'addignoreip', '172.16.0.0/16']
['set', 'postfix-sasl-long', 'addignoreip', '192.168.0.0/16']
['set', 'postfix-sasl-long', 'ignorecommand', '']
['set', 'postfix-sasl-long', 'findtime', 86400]
['set', 'postfix-sasl-long', 'bantime', 432000]
['set', 'postfix-sasl-long', 'addfailregex',
'^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\]
)?(?:@vserver_\\S+
)?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID
\\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL
(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [
A-Za-z0-9+/]*={0,2})?\\s*$']
['set', 'postfix-sasl-long', 'addaction', 'shorewall']
['set', 'postfix-sasl-long', 'actionban', 'shorewall', 'shorewall <blocktype>
<ip>']
['set', 'postfix-sasl-long', 'actionstop', 'shorewall', '']
['set', 'postfix-sasl-long', 'actionstart', 'shorewall', '']
['set', 'postfix-sasl-long', 'actionunban', 'shorewall', 'shorewall allow <ip>']
['set', 'postfix-sasl-long', 'actioncheck', 'shorewall', '']
['set', 'postfix-sasl-long', 'setcinfo', 'shorewall', 'blocktype', 'reject']
['start', 'postfix']
['start', 'postfix-sasl']
['start', 'postfix-sasl-long']
In particular, we have the following configuration for the postfix-sasl jail
that should have banned the first IP 163.172.20.242:
['set', 'postfix-sasl', 'addlogpath', '/var/log/mail.warn']
['set', 'postfix-sasl', 'maxretry', 3]
['set', 'postfix-sasl', 'findtime', 600]
['set', 'postfix-sasl', 'bantime', 86400]
['set', 'postfix-sasl', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+
)?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+
)?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID
\\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL
(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [
A-Za-z0-9+/]*={0,2})?\\s*$']
And this config for postfix-sasl-long that should have banned the second IP
2.139.229.39:
['set', 'postfix-sasl-long', 'addlogpath', '/var/log/mail.warn']
['set', 'postfix-sasl-long', 'maxretry', 10]
['set', 'postfix-sasl-long', 'findtime', 86400]
['set', 'postfix-sasl-long', 'bantime', 432000]
['set', 'postfix-sasl-long', 'addfailregex',
'^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\]
)?(?:@vserver_\\S+
)?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix/smtpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID
\\d+ \\S+\\])?\\s*warning: [-._\\w]+\\[<HOST>\\]: SASL
(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [
A-Za-z0-9+/]*={0,2})?\\s*$']
Any hints appreciated.
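To check what the two quoted jails should have done with these log lines, here is an added example (not the poster's code and not fail2ban's own): it applies the post's failregex to constructed copies of the quoted log lines, with the syslog date cut off as fail2ban does before matching, and counts failures per IP with a model of fail2ban 0.9's FailManager (count starts at the first failure, restarts after findtime, ban when it reaches maxretry). The year 2017, the `<HOST>` expansion and that counting model are assumptions.

```python
import re
from datetime import datetime

# The post's failregex (fail2ban's common syslog prefix plus the postfix-sasl
# part), with <HOST> expanded roughly the way fail2ban 0.9 does it (assumed).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FAILREGEX = re.compile(
    r"^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?"
    r"(?:(?:\[\d+\])?:\s+[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?"
    r"|[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?"
    r"\s(?:\[ID \d+ \S+\])?\s*warning: [-._\w]+\[" + HOST + r"\]: SASL "
    r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(: [A-Za-z0-9+/]*={0,2})?\s*$")
# fail2ban cuts the matched date out of the line before applying the failregex.
DATE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (.*)$")
YEAR = 2017  # syslog lines carry no year; taken from the fail2ban.log entries
JAILS = {"postfix-sasl": (3, 600), "postfix-sasl-long": (10, 86400)}  # (maxretry, findtime)

def parse_line(line):
    """Return (time, ip) when the line matches the failregex, else None."""
    m = DATE.match(line)
    if not m:
        return None
    f = FAILREGEX.match(m.group(2))
    if not f:
        return None
    when = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return when, f.group("host")

def first_ban(lines, maxretry, findtime):
    """Model of fail2ban 0.9's FailManager (assumed): the per-IP count starts at
    the first failure, restarts when a failure arrives more than findtime
    seconds after that start, and a ban fires once the count reaches maxretry.
    Returns {ip: time of the failure that triggered the ban}."""
    window = {}  # ip -> (window start, failures counted so far)
    bans = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # no match for this regex, e.g. the "Connection lost" lines
        when, ip = parsed
        start, retries = window.get(ip, (when, 0))
        if (when - start).total_seconds() > findtime:
            start, retries = when, 0
        retries += 1
        window[ip] = (start, retries)
        if retries >= maxretry and ip not in bans:
            bans[ip] = when
    return bans

def run_jails(lines):
    """Apply every jail in JAILS to the same lines: {jail: {ip: ban time}}."""
    return {name: first_ban(lines, mr, ft) for name, (mr, ft) in JAILS.items()}

def mk(ts, ip, rdns, tail="UGFzc3dvcmQ6"):
    return (f"{ts} messagerie postfix/smtpd[14051]: warning: {rdns}[{ip}]: "
            f"SASL LOGIN authentication failed: {tail}")

# Constructed sample, rebuilt from the timestamps quoted in the post.
IP2, RDNS2 = "2.139.229.39", "39.red-2-139-229.staticip.rima-tde.net"
IP1, RDNS1 = "163.172.20.242", "163-172-20-242.rev.poneytelecom.eu"
SAMPLE = [mk("Sep 14 " + t, IP2, RDNS2) for t in (
    "11:56:11", "12:23:30", "14:53:44", "15:24:51", "16:09:21", "17:23:55",
    "17:30:39", "18:51:09", "19:04:43", "20:46:44", "21:27:24")]
SAMPLE += [mk("Sep 15 " + t, IP1, RDNS1) for t in
           ("00:44:00", "00:44:00", "00:44:00", "00:44:00", "00:44:01")]
SAMPLE.append(mk("Sep 15 00:44:26", IP1, RDNS1, "Connection lost to authentication server"))
```

Under this model postfix-sasl bans 163.172.20.242 at its third failure (00:44:00) and never reaches 3 for 2.139.229.39, while postfix-sasl-long reaches 10 for 2.139.229.39 at Sep 14 20:46:44; note also that the "Connection lost to authentication server" lines are not matched by the regex, so they never count.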
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users