Amir Caspi wrote:
> Hi all,
>
> I'm setting up a new CentOS 7 server with f2b 0.9.7 (from EPEL) and I'm
> having trouble with one of my sendmail rules. I set up a custom rule to
> ban servers that fail SMTP AUTH and then hang up... while I would normally
> want to ban these guys using the PAM failure, unfortunately the current
> cyrus-sasl implementation means that saslauthd doesn't log the remote
> host, or send the rhost info to PAM to log... so this is (right now) the
> only way to do it.
>
> Unfortunately, although my filter matches just fine using fail2ban-regex,
> the server is never triggering that filter.
>
> The filter is sendmail-noauth.conf, as follows:
> failregex = ^%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]( \(may be forged\))? did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA$
>
> It's enabled in jail.local as follows, with default maxretry = 3, findtime
> = 600, bantime = 600:
> [sendmail-noauth]
> enabled = true
> port = submission,465,smtp
> logpath = %(syslog_mail)s
> backend = %(syslog_backend)s
>
> This is on CentOS 7, so I'm loading paths_fedora.conf which has
> syslog_mail = /var/log/maillog and syslog_backend = systemd. Default
> action is mwl so I get the email notification.
>
> /var/log/maillog has hundreds of lines from the same offender:
> Mar 26 02:40:53 servername sm-mta[10953]: x2Q2eiHC010953: mta9.imxonlines.co.za [91.212.150.89] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>
> If I MANUALLY ban the IP using fail2ban-client, the resulting email is
> looking up the correct lines from the correct logfile.
>
> So, in short: fail2ban-regex matches just fine, and manual banning shows
> that the correct logfile is being read. But automated banning is not
> working.
>
> This same rule works just fine on my old CentOS 5 box using f2b 0.8.14.
>
> Can anyone help? I have no idea why it's not banning when fail2ban-regex
> works fine, as does manual banning.
>
On Debian I don't have a sendmail-noauth.conf filter but I do have a
sendmail-auth.conf filter.
I don't know if this is the same for CentOS, but it may be worth checking
that the filter name is correct.
Regards
Rob
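As an added example (not part of this thread and not fail2ban's own code), here is a small Python harness that replays syslog lines through the failregex from the question with fail2ban-style maxretry/findtime/bantime counting, roughly what fail2ban-regex plus the jail's counting would do on those lines. Everything below is assumed for illustration: the prefix pattern is a simplified stand-in for fail2ban's %(__prefix_line)s, the year is assumed because syslog timestamps carry none, and the log lines are constructed from the one line in the question plus a few invented neighbours.

```python
import re
from datetime import datetime

# Assumption: simplified stand-in for fail2ban's %(__prefix_line)s, covering
# "hostname daemon[pid]: " after the syslog timestamp has been stripped. The
# real definition lives in fail2ban's common.conf and is more permissive.
PREFIX_LINE = r"\s*(?:\S+ )?(?:[\w\-./]+\[\d+\]: )?"

# The failregex from the question, with <HOST> replaced by a named group the
# way fail2ban substitutes it before compiling.
FAILREGEX = re.compile(
    r"^" + PREFIX_LINE
    + r"\w{14}: (\S+ )?\[(?P<host>[^\]]+)\]( \(may be forged\))?"
    r" did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA$"
)

# Syslog timestamp, matched and removed before the failregex is applied,
# mirroring fail2ban's date handling. Year is an assumption (syslog has none).
SYSLOG_TS = re.compile(r"^(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (.*)$")
ASSUMED_YEAR = "2019"
EPOCH = datetime(int(ASSUMED_YEAR), 1, 1)

# Constructed sample log: line 1 is the one from the question; the rest are
# invented. 198.51.100.7 is a documentation address (RFC 5737).
SAMPLE_LOG = """\
Mar 26 02:40:53 servername sm-mta[10953]: x2Q2eiHC010953: mta9.imxonlines.co.za [91.212.150.89] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 26 02:41:10 servername sm-mta[10960]: x2Q2fA3k010960: from=<user@example.com>, size=1234, class=0, nrcpts=1, proto=ESMTP, relay=localhost
Mar 26 02:42:21 servername sm-mta[10971]: x2Q2gLaB010971: [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 26 02:43:02 servername sm-mta[10975]: x2Q2h2qc010975: mta9.imxonlines.co.za [91.212.150.89] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 26 02:45:30 servername sm-mta[10990]: x2Q2jUoP010990: mta9.imxonlines.co.za [91.212.150.89] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 26 02:46:00 servername sm-mta[10995]: x2Q2k0Xr010995: [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 26 02:56:01 servername sm-mta[11012]: x2Q2u1Hq011012: [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""
LOG_LINES = SAMPLE_LOG.splitlines()


def parse_line(line):
    """Return (seconds_since_epoch, host) if the line is a failure, else None."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    ts = datetime.strptime(ASSUMED_YEAR + " " + m.group(1), "%Y %b %d %H:%M:%S")
    f = FAILREGEX.match(m.group(2))
    if not f:
        return None
    return (ts - EPOCH).total_seconds(), f.group("host")


def simulate(lines, maxretry=3, findtime=600, bantime=600):
    """Replay lines with fail2ban-style counting; return [(seconds, host)] bans.

    A host is banned once it has maxretry failures inside a findtime window;
    while a ban is active its further failures are ignored, and the window
    restarts after the ban.
    """
    failures = {}      # host -> timestamps of failures still inside findtime
    banned_until = {}  # host -> time at which its current ban expires
    bans = []
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue  # timestamp or failregex did not match
        now, host = hit
        if banned_until.get(host, -1.0) > now:
            continue  # still banned; nothing to count
        recent = [t for t in failures.get(host, []) if now - t <= findtime]
        recent.append(now)
        failures[host] = recent
        if len(recent) >= maxretry:
            bans.append((now, host))
            banned_until[host] = now + bantime
            failures[host] = []
    return bans


if __name__ == "__main__":
    for when, host in simulate(LOG_LINES):
        print("ban %s at +%.0fs" % (host, when))
```

With the jail defaults from the question (maxretry 3, findtime 600, bantime 600) the replay bans 91.212.150.89 on its third failure and never bans 198.51.100.7, whose third failure arrives 601 seconds after its second and so falls outside the window. The harness only exercises the regex and the counting; it knows nothing about which file or journal the jail actually reads, so if it bans and the live jail does not, the gap lies in the jail configuration (filter name, logpath or backend) rather than in the failregex.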
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users