I have the following config:

# /etc/fail2ban/jail.local
[sendmail-auth]
enabled  = true
filter   = sendmail-auth
action   = iptables-multiport-ulog[name=sendmail-auth, port="smtp,smtps", protocol=tcp]
logpath  = /var/log/mail.log
maxretry = 6

# /etc/fail2ban/action.d/iptables-multiport-ulog.conf
[Definition]
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              iptables -N fail2ban-<name>-ulog
              iptables -I fail2ban-<name>-ulog -j ULOG --ulog-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " -m limit --limit 6/m --limit-burst 2
              iptables -A fail2ban-<name>-ulog -j DROP
actionstop  = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              iptables -F fail2ban-<name>
              iptables -F fail2ban-<name>-ulog
              iptables -X fail2ban-<name>
              iptables -X fail2ban-<name>-ulog
actioncheck = iptables -n -L fail2ban-<name>-ulog >/dev/null
actionban   = iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-ulog
actionunban = iptables -D fail2ban-<name> -s <ip> -j fail2ban-<name>-ulog
[Init]
name = default
port = ssh
protocol = tcp
chain = INPUT

# /etc/fail2ban/filter.d/sendmail-auth.conf
[Definition]
failregex = (sm-mta|sendmail)(?:\[\d+\])?: .*: (.*)\[<HOST>\].*: possible SMTP attack: command=AUTH, count=\d+$
            \[<HOST>\] (|\(may be forged\) )did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
            AUTH failure \(LOGIN\): authentication failure \(-13\) SASL\(-13\): authentication failure: checkpass failed, .* \[<HOST>\]$
ignoreregex =

The regex is scoring hits:

# fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sendmail-auth.conf
[..]
Success, the total number of match is 374

But I'm still getting dozens of failed logins coming through:

# /var/log/mail.log
Jan 29 23:57:38 myserver saslauthd[2156]: do_auth : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 29 23:57:38 myserver sm-mta[17759]: t0TCvXf3017759: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[46.17.100.149]
Jan 29 23:57:42 myserver saslauthd[2154]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jan 29 23:57:44 myserver saslauthd[2154]: do_auth : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 29 23:57:44 myserver sm-mta[17760]: t0TCvdHQ017760: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[46.17.100.149]
Jan 29 23:57:48 myserver saslauthd[2156]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jan 29 23:57:49 myserver saslauthd[2156]: do_auth : auth failure: [user=oracle] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 29 23:57:49 myserver sm-mta[17761]: t0TCvjni017761: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[46.17.100.149]
Jan 29 23:57:53 myserver saslauthd[2158]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=

My fail2ban log shows the following:

2015-01-29 23:58:34,479 fail2ban.actions: WARNING [sendmail-auth] Ban 46.17.100.149
2015-01-29 23:59:10,533 fail2ban.actions: WARNING [sendmail-auth] 46.17.100.149 already banned
2015-01-29 23:59:45,570 fail2ban.actions: WARNING [sendmail-auth] 46.17.100.149 already banned
2015-01-30 00:00:22,609 fail2ban.actions: WARNING [sendmail-auth] 46.17.100.149 already banned
2015-01-30 00:00:57,647 fail2ban.actions: WARNING [sendmail-auth] 46.17.100.149 already banned
2015-01-30 00:01:33,686 fail2ban.actions: WARNING [sendmail-auth] 46.17.100.149 already banned
2015-01-30 00:02:09,724 fail2ban.actions: WARNING [sendmail-auth] 46.17.100.149 already banned
2015-01-30 00:02:46,765 fail2ban.actions: WARNING [sendmail-auth] 46.17.100.149 already banned
2015-01-30 00:03:22,803 fail2ban.actions: WARNING [sendmail-auth] 46.17.100.149 already banned
2015-01-30 00:08:35,134 fail2ban.actions: WARNING [sendmail-auth] Unban 46.17.100.149

My firewall log reports that connections are dropped:

# /var/log/ulog/syslogemu.log
Jan 29 23:59:05 myserver fail2ban-sendmail-auth:DROP IN=eth0 OUT= MAC=00:14:0b:60:09:25:00:24:b2:6f:12:5a:08:00 SRC=46.17.100.149 DST=192.168.0.33 LEN=64 TOS=00 PREC=0x00 TTL=43 ID=3018 DF PROTO=TCP SPT=42942 DPT=25 SEQ=2211492624 ACK=3251895256 WINDOW=244 ACK URGP=0
Jan 29 23:59:14 myserver fail2ban-sendmail-auth:DROP IN=eth0 OUT= MAC=00:14:0b:60:09:25:00:24:b2:6f:12:5a:08:00 SRC=46.17.100.149 DST=192.168.0.33 LEN=64 TOS=08 PREC=0x00 TTL=48 ID=44648 CE DF PROTO=TCP SPT=43513 DPT=25 SEQ=1631474633 ACK=1094857551 WINDOW=244 ACK URGP=0
Jan 29 23:59:26 myserver fail2ban-sendmail-auth:DROP IN=eth0 OUT= MAC=00:14:0b:60:09:25:00:24:b2:6f:12:5a:08:00 SRC=46.17.100.149 DST=192.168.0.33 LEN=52 TOS=00 PREC=0x00 TTL=43 ID=41933 CE DF PROTO=TCP SPT=43920 DPT=25 SEQ=2510917542 ACK=2695694693 WINDOW=244 ACK URGP=0
Jan 29 23:59:35 myserver fail2ban-sendmail-auth:DROP IN=eth0 OUT= MAC=00:14:0b:60:09:25:00:24:b2:6f:12:5a:08:00 SRC=46.17.100.149 DST=192.168.0.33 LEN=64 TOS=00 PREC=0x00 TTL=43 ID=41937 CE DF PROTO=TCP SPT=43920 DPT=25 SEQ=2510917542 ACK=2695694693 WINDOW=244 ACK URGP=0
Jan 29 23:59:45 myserver fail2ban-sendmail-auth:DROP IN=eth0 OUT= MAC=00:14:0b:60:09:25:00:24:b2:6f:12:5a:08:00 SRC=46.17.100.149 DST=192.168.0.33 LEN=64 TOS=08 PREC=0x00 TTL=48 ID=32164 DF PROTO=TCP SPT=44562 DPT=25 SEQ=4229237476 ACK=1694387035 WINDOW=244 ACK URGP=0
Jan 29 23:59:56 myserver fail2ban-sendmail-auth:DROP IN=eth0 OUT= MAC=00:14:0b:60:09:25:00:24:b2:6f:12:5a:08:00 SRC=46.17.100.149 DST=192.168.0.33 LEN=89 TOS=08 PREC=0x00 TTL=48 ID=30070 DF PROTO=TCP SPT=44955 DPT=25 SEQ=1887556476 ACK=3101625078 WINDOW=244 ACK PSH URGP=0

I'm using Debian with fail2ban 0.8.6-3wheezy3.

Can somebody please explain?

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
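As an added example (not part of the post above and not fail2ban's own code), the following Python script is a small stand-in for fail2ban-regex: it expands the <HOST> placeholder the way fail2ban 0.8.x does (an assumption; the expansion string is quoted from memory), compiles the three failregex lines exactly as posted, and runs them over a handful of log lines. Two of the lines are taken from the posted mail.log; the others are constructed and labelled as such, including a "relay=name [ip]" variant (sendmail's format when the client has a reverse DNS record) and the "did not issue MAIL/EXPN/VRFY/ETRN" and "possible SMTP attack" messages. For each line it reports which pattern fires and the host it extracts, then counts failures per host against maxretry. Running it shows that the saslauthd lines never match because they carry no address, and that the third posted pattern, with its literal space before the bracket, matches the "relay=name [ip]" form but not the posted "relay=[ip]" form.

```python
import re
from collections import Counter

# <HOST> expansion as used by fail2ban 0.8.x (assumption, quoted from memory;
# it accepts dotted-quad addresses, which is all these samples contain)
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The three failregex lines from the posted sendmail-auth.conf, verbatim
FAILREGEX = [
    r"(sm-mta|sendmail)(?:\[\d+\])?: .*: (.*)\[<HOST>\].*: possible SMTP attack: command=AUTH, count=\d+$",
    r"\[<HOST>\] (|\(may be forged\) )did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    r"AUTH failure \(LOGIN\): authentication failure \(-13\) SASL\(-13\): authentication failure: checkpass failed, .* \[<HOST>\]$",
]

# Sample log lines: the first two are from the posted mail.log, the rest are constructed
SAMPLE_LOG = [
    "Jan 29 23:57:38 myserver saslauthd[2156]: do_auth : auth failure: [user=webmaster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]",
    "Jan 29 23:57:38 myserver sm-mta[17759]: t0TCvXf3017759: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[46.17.100.149]",
    # constructed: same failure, but the client has a PTR record, so sendmail writes "relay=name [ip]"
    "Jan 29 23:58:01 myserver sm-mta[17762]: t0TCw1ab017762: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=mail.example.test [198.51.100.7]",
    # constructed: what sendmail logs when a client connects but never gets to MAIL
    "Jan 30 00:01:10 myserver sm-mta[17790]: t0U0110a017790: [46.17.100.149] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    # constructed: sendmail's own rate-based complaint about repeated AUTH commands
    "Jan 30 00:02:00 myserver sm-mta[17791]: t0U0200bc017791: [46.17.100.149]: possible SMTP attack: command=AUTH, count=6",
]


def compile_failregex(patterns):
    """Substitute <HOST> and compile each failregex line, as fail2ban does."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def match_line(compiled, line):
    """Return (pattern_index, host) for the first failregex that matches, else None.
    fail2ban applies each regex with search(), so anchoring is up to the pattern."""
    for idx, rx in enumerate(compiled):
        m = rx.search(line)
        if m:
            return idx, m.group("host")
    return None


def scan(lines, patterns=FAILREGEX, maxretry=6):
    """Mini fail2ban-regex: per-line hits, per-host failure counts, and the hosts
    that would reach maxretry (the findtime window is ignored for simplicity)."""
    compiled = compile_failregex(patterns)
    hits = []
    per_host = Counter()
    for line in lines:
        hit = match_line(compiled, line)
        hits.append(hit)
        if hit:
            per_host[hit[1]] += 1
    to_ban = sorted(host for host, n in per_host.items() if n >= maxretry)
    return hits, per_host, to_ban


if __name__ == "__main__":
    hits, per_host, to_ban = scan(SAMPLE_LOG)
    for line, hit in zip(SAMPLE_LOG, hits):
        label = "no match" if hit is None else "failregex #%d host=%s" % (hit[0] + 1, hit[1])
        print("%-28s %s" % (label, line[:70]))
    print("failures per host:", dict(per_host))
    print("hosts at maxretry:", to_ban)
```

To try other lines, paste them into SAMPLE_LOG or pass your own list to scan(); a pattern that should fire but returns None is worth checking character by character against the log line, since a single literal space or bracket decides the match.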