I have Postfix + fail2ban configured to ban when it encounters SASL auth
errors. While most SASL errors do result in a ban, the following does not:
"SASL LOGIN authentication failed: Invalid authentication mechanism"
I dug into this a bit on the fail2ban GitHub site and found an issue
(https://github.com/fail2ban/fail2ban/issues/1297) from a few years back where
someone asked for fail2ban to be modified so a very similar error would be
ignored. From what I gather, the reasoning was that these errors are not
indicative of activity that would warrant a ban. However, this is not always
true as there are definitely situations where this error could be seen on
properly configured Postfix hosts and a bad actor is trying to get in.
After a bit more research, it seems that in v0.10, changes were made to the
filter.d/postfix.conf file where the above errors are ignored. This is the
specific code to which I refer:
mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
If I understand this correctly, the message "Invalid authentication mechanism"
is excluded from a match. Perhaps I have this wrong and if so, then please set
me straight. However, if I got this correct, then I was thinking I could add
the following to a filter.d/postfix.local file which would hopefully result in
a ban:
[Definition]
mdre-auth3 = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: Invalid authentication mechanism
Please let me know your thoughts on this and thanks in advance for taking the
time...
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
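The following is an added example, not code from the post or from fail2ban itself. It rebuilds the shape of the stock `mdre-auth` pattern quoted above and the proposed `mdre-auth3`, then runs both over constructed Postfix log lines so the effect of the negative lookahead is visible. Assumptions: `%(_port)s` expands to `(?::\d+)?` as in postfix.conf, `<HOST>` is replaced by a simplified host group (fail2ban's real substitution is broader), and the lines fed in are what remains after fail2ban's prefregex has consumed the `host postfix/smtpd[pid]: warning: ` prefix. The post's `((?i)LOGIN|...)` uses a mid-pattern global flag that Python 3.11 and later reject, so the example uses the scoped `(?i:...)` form, which matches the same text.

```python
import re

# Assumption: postfix.conf defines the port suffix as `_port = (?::\d+)?`.
_PORT = r"(?::\d+)?"
# Simplified stand-in for fail2ban's <HOST> substitution (the real one also
# accepts IPv4-mapped IPv6 forms); an assumption for this example only.
_HOST = r"(?P<host>[\w\-.:]+)"
# Scoped flag instead of the post's `((?i)LOGIN|...)`, which Python 3.11+
# rejects as a mid-pattern global flag; same set of mechanisms is matched.
_MECH = r"(?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
_PREFIX = r"^[^[]*\[" + _HOST + r"\]" + _PORT + r": SASL " + _MECH + r" authentication failed:"

# Stock pattern: the negative lookahead makes the two listed reasons NOT match.
STOCK_MDRE_AUTH = re.compile(
    _PREFIX + r"(?! Connection lost to authentication server| Invalid authentication mechanism)"
)
# The post's proposed mdre-auth3: matches only the reason the stock pattern excludes.
PROPOSED_MDRE_AUTH3 = re.compile(_PREFIX + r" Invalid authentication mechanism")

# Constructed sample lines, in the form this example assumes fail2ban hands to
# these patterns (after its prefregex has consumed "<host> postfix/smtpd[pid]: warning: ").
SAMPLE_LINES = [
    "unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "unknown[192.0.2.11]:54321: SASL PLAIN authentication failed: authentication failure",
    "unknown[192.0.2.12]: SASL LOGIN authentication failed: Invalid authentication mechanism",
    "mail.example.net[198.51.100.5]: SASL LOGIN authentication failed: Connection lost to authentication server",
    "unknown[192.0.2.13]: SASL CRAM-MD5 authentication failed: Invalid authentication mechanism",
]


def classify(line):
    """Return (host, matched_by_stock, matched_by_proposed) for one log line."""
    stock = STOCK_MDRE_AUTH.search(line)
    proposed = PROPOSED_MDRE_AUTH3.search(line)
    hit = stock or proposed
    host = hit.group("host") if hit else None
    return host, stock is not None, proposed is not None


def hosts_banned(lines, include_invalid_mechanism):
    """Hosts that would trip the filter. The flag simulates adding mdre-auth3
    next to the stock pattern (fail2ban treats each failregex line as an
    alternative, so a line matching either one counts as a failure)."""
    banned = []
    for line in lines:
        host, stock, proposed = classify(line)
        if stock or (include_invalid_mechanism and proposed):
            banned.append(host)
    return banned


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line), line)
    print("stock only:", hosts_banned(SAMPLE_LINES, False))
    print("with auth3:", hosts_banned(SAMPLE_LINES, True))
```

The "Connection lost to authentication server" line shows why the lookahead exists: that reason is a local saslauthd/dovecot-auth outage, not a client failure, and neither pattern matches it. The "Invalid authentication mechanism" lines are the ones whose classification the post is asking about; with only the stock pattern they are never counted, with the proposed pattern alongside it they are.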