Hi everyone:
I have a Postfix server mounted on openSUSE 13.1.
My problem started when I found several login attempts into Postfix SASL. So I am
suffering a brute-force SASL login attack.
The most curious thing is that Postfix does not generate a line like this one found on the
internet:
"Oct 21 10:19:49 server1 postfix/smtpd[2715]: warning: unknown[116.12.154.18]: SASL LOGIN authentication failed: authentication failure"
But generates:
"lost connection after AUTH from unknown[170.178.174.188]"
And others where "AUTH" is replaced by EHLO and CONNECT.
This made me edit "postfix-sasl.conf" and add new rules:
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
            ^%(__prefix_line)slost connection after AUTH from .*\[<HOST>\]$
            ^%(__prefix_line)slost connection after EHLO from .*\[<HOST>\]$
            ^%(__prefix_line)slost connection after CONNECT from .*\[<HOST>\]$
            ^%(__prefix_line)slost connection after MAIL from .*\[<HOST>\]$
            ^%(__prefix_line)sIllegal address syntax from .*\[<HOST>\]$
            ^%(__prefix_line)swarning: Connection rate limit exceeded .*\[<HOST>\] for service smtp$
I found some strange things:
1) Banned IPs are still allowed to connect.
2) If I run iptables -L | grep "170\.178\.174\.188", nothing appears.
3) If I write: iptables -A INPUT -s 65.55.44.100 -j DROP
and then run iptables -L, the IP does not appear in the list.
4) Searching for an explanation in the logs I found some strange things:
In /var/log/fail2ban.log I see a lot of warnings:
#2015-09-17 18:35:18,554 fail2ban.filter [4711]: WARNING Unable to find a corresponding IP address for unknown: [Errno -2] Name or service not known
Picking one of them, I go to "/var/log/mail" and at that time all I find is:
#2015-09-17T18:35:16.195314-03:00 schweb postfix/smtpd[22042]: warning: hostname asociados.bancocredicoop.coop does not resolve to address 200.47.24.44: Name or service not known
This line is from a real bank and not an attacker.
Thanks in advance
Christian
--
In a world without borders.... Who needs Doors and Windows?
IN ENGLISH: In a world without frontiers, who needs Gates and Windows
http://www.schdev.com.ar
http://gnc2.schdev.com.ar
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
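Added example (not from the post, nor fail2ban's own code): a small Python harness that compiles the rules from the post against constructed log lines, roughly as fail2ban-regex would, and reports which <HOST> captures are IP addresses and which are tokens such as "unknown" that fail2ban would have to resolve by DNS. PREFIX and HOST are simplified assumptions standing in for fail2ban's %(__prefix_line)s and <HOST> definitions, and the log lines are constructed from the ones quoted above.

```python
import re
from ipaddress import ip_address
# Stand-in for %(__prefix_line)s (assumed, not the real common.conf value):
# syslog or ISO-8601 timestamp, then hostname, then the postfix/smtpd tag.
PREFIX = r"^(?:\w{3} +\d+ +\d\d:\d\d:\d\d|\S+) +\S+ +postfix/smtpd\[\d+\]: "
# fail2ban's classic <HOST> expansion (assumed); note it accepts hostnames too.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# The failregex rules from the post, with the mailer's line wrapping undone.
FAILREGEX = [
    r"warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
    r" authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$",
    r"lost connection after AUTH from .*\[<HOST>\]$",
    r"lost connection after EHLO from .*\[<HOST>\]$",
    r"lost connection after CONNECT from .*\[<HOST>\]$",
    r"lost connection after MAIL from .*\[<HOST>\]$",
    r"Illegal address syntax from .*\[<HOST>\]$",
    r"warning: Connection rate limit exceeded .*\[<HOST>\] for service smtp$",
]
COMPILED = [re.compile(PREFIX + r.replace("<HOST>", HOST)) for r in FAILREGEX]

def match_line(line):
    # Return (rule index, captured <HOST>) for the first matching rule, else None.
    for i, rx in enumerate(COMPILED):
        m = rx.search(line)
        if m:
            return i, m.group("host")
    return None

def triage(lines):
    """Split matches into bannable IPs and non-IP <HOST> captures (fail2ban
    tries to resolve the latter via DNS and logs a WARNING when that fails)."""
    out = {"ips": [], "not_ip": [], "unmatched": 0}
    for line in lines:
        hit = match_line(line)
        if hit is None:
            out["unmatched"] += 1
            continue
        try:
            ip_address(hit[1])
            out["ips"].append(hit[1])
        except ValueError:
            out["not_ip"].append(hit[1])
    return out

# Constructed sample log lines modelled on the ones quoted in the post.
ISO = "2015-09-17T18:35:16.195314-03:00 schweb postfix/smtpd[22042]: "
SAMPLE = [
    "Oct 21 10:19:49 server1 postfix/smtpd[2715]: warning: unknown[116.12.154.18]: "
    "SASL LOGIN authentication failed: authentication failure",
    ISO + "lost connection after AUTH from unknown[170.178.174.188]",
    ISO + "lost connection after AUTH from unknown[unknown]",  # no client address
    ISO + "warning: hostname asociados.bancocredicoop.coop does not resolve to "
    "address 200.47.24.44: Name or service not known",
]
```

Running triage(SAMPLE) shows the bank's "does not resolve" line matching none of the rules, while a bracketed non-IP token is captured as <HOST> and is exactly the kind of value fail2ban then tries, and fails, to resolve.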