Dear Madam and Sir,

A very friendly attacker is trying to brute-force my Zimbra mail server at the moment. I call him friendly because his attack is very slow. He takes his time, and the time from one try to the next is about 3 minutes, so I'm not in a hurry in this case. My problem is to find a working regex for the postfix of my installation. My goal is to block such slow requests.

Here is the information about my installation: I have a server running on Ubuntu 18.04. Inside this server resides a Zimbra installation in a docker container, also running a full Ubuntu 18.04. The setup is very complex, but running fine. The logs of this container are transmitted to the master host by syslog. The master host runs fail2ban to watch the zimbra logfile and control the firewall. The firewall is based on shorewall. The fail2ban installation is tested with SSH and is working fine.

For the following examples, logfiles and configuration files, I have to hide myself and the attacker, so I will change domains and IPs to the following data. My domain will be: example.com. The attacker will have the IP: 123.23.32.12 (This IP has nothing to do with the real attacker and belongs to a company in India, and has nothing to do with myself. For my case it is a randomly chosen IP and only chosen as an example!)

At first the fail2ban config I changed to my needs. I copied jail.conf to jail.local and made the following changes:

Ignoreip = <The original IPs and some additions>
findtime = 15m
destemail = <My Email address>
#banaction = iptables-multiport
banaction = shorewall
#banaction_allports = iptables-allports
banaction_allports = shorewall

[sasl]
enabled = true
port = smtp,465,submission
filter = postfix-sasl
logpath = /var/log/zimbra.log
maxretry = 3

I copied the file action.d/shorewall.conf to action.d/shorewall.local:

#blocktype = reject
blocktype = logdrop

I created a new file filter.d/postfix-sasl.conf:

# Fail2Ban filter for postfix authentication failures
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix/smtpd
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

This regex is not working, I think. Here are the log entries that my zimbra creates:

May 22 05:31:36 mail postfix/smtps/smtpd[13994]: connect from unknown[123.23.32.12]
May 22 05:31:51 mail /postfix-script[13655]: the Postfix mail system is running: PID: 3677
May 22 05:32:02 mail postfix/smtps/smtpd[13994]: Anonymous TLS connection established from unknown[123.23.32.12]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 22 05:32:04 mail /postfix-script[14148]: the Postfix mail system is running: PID: 3677
May 22 05:32:54 mail /postfix-script[14573]: the Postfix mail system is running: PID: 3677
May 22 05:33:05 mail saslauthd[3484]: zmauth: authenticating against elected url 'https://mail.example.com:7073/service/admin/soap/' ...
May 22 05:33:05 mail saslauthd[3484]: zmpost: url='https://mail.example.com:7073/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"/></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code><soap:Reason><soap:Text>authentication failed for [spl...@example.com]</soap:Text></soap:Reason><soap:Detail><Error xmlns="urn:zimbra"><Code>account.AUTH_FAILED</Code><Trace>qtp1143371233-2136:1590125585452:6833dafe1464eb76</Trace></Error></soap:Detail></soap:Fault></soap:Body></soap:Envelope>', hti->error=''
May 22 05:33:05 mail saslauthd[3484]: auth_zimbra: spl...@example.com auth failed: authentication failed for [spl...@example.com]
May 22 05:33:05 mail saslauthd[3484]: do_auth : auth failure: [user=spl...@example.com] [service=smtp] [realm=example.com] [mech=zimbra] [reason=Unknown]
May 22 05:33:05 mail postfix/smtps/smtpd[13994]: warning: unknown[123.23.32.12]: SASL LOGIN authentication failed: authentication failure
May 22 05:33:19 mail postfix/smtps/smtpd[13994]: lost connection after AUTH from unknown[123.23.32.12]
May 22 05:33:19 mail postfix/smtps/smtpd[13994]: disconnect from unknown[123.23.32.12] ehlo=1 auth=0/1 rset=1 commands=2/3

I have checked that port 7073 is not accessible from outside. This request is made by the postfix daemon only to check the auth.

The relevant log entry to match is the following:

May 22 05:33:05 mail postfix/smtps/smtpd[13994]: warning: unknown[123.23.32.12]: SASL LOGIN authentication failed: authentication failure

This is the regex I built by myself to catch this logline:

^(?P<SYSDATE>\w+\s+\d+\s\d+:\d+:\d+)\s+(?P<MYHOST>\w+)\s+(?P<PROCESS>((\w+/\w+/\w+)|(\w+/\w+)|(\w+))\[\d+\]\:)\s(?P<LEVEL>warning\:\s)\w+\[(?P<HOST>\d+\.\d+\.\d+\.\d+)\]\:\s(?P<MSG>(SASL|sasl)\s(LOGIN|login)\sauthentication\sfailed.*)

But since I'm not really good at regex, this logline matches at the website where I built it, but not at the fail2ban server. This is the output of:

fail2ban-regex -v /var/log/zimbra.log /etc/fail2ban/filter.d/postfix.conf

Running tests
=============

Use   failregex filter file : postfix, basedir: /etc/fail2ban
Use      datepattern : Default Detectors
Use         log file : /var/log/zimbra.log
Use         encoding : UTF-8

Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^RCPT from [^[]*\[<HOST>\](?::\d+)?: 55[04] 5\.7\.1\s
|      45.143.223.126  Thu May 21 20:24:11 2020
|   2) [0] ^RCPT from [^[]*\[<HOST>\](?::\d+)?: 45[04] 4\.7\.1 (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
|   3) [0] ^RCPT from [^[]*\[<HOST>\](?::\d+)?: 450 4\.7\.1 (<[^>]*>)?: Helo command rejected: Host not found\b
|   4) [0] ^EHLO from [^[]*\[<HOST>\](?::\d+)?: 504 5\.5\.2 (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
|   5) [0] ^VRFY from [^[]*\[<HOST>\](?::\d+)?: 550 5\.1\.1\s
|   6) [0] ^RCPT from [^[]*\[<HOST>\](?::\d+)?: 450 4\.1\.8 (<[^>]*>)?: Sender address rejected: Domain not found\b
|   7) [0] ^from [^[]*\[<HOST>\](?::\d+)?:?
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [7694] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
|  [0] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
|  [0] {^LN-BEG}(?:DAY )?MON Day ExYear %k:Minute:Second(?:\.Microseconds)?
|  [0] {^LN-BEG}Day(?P<_sep>[-/])Month(?P=_sep)(?:ExYear|ExYear2) %k:Minute:Second
|  [0] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
|  [0] {^LN-BEG}Month/Day/ExYear:24hour:Minute:Second
|  [0] {^LN-BEG}Month-Day-ExYear %k:Minute:Second(?:\.Microseconds)?
|  [0] {^LN-BEG}Epoch
|  [0] {^LN-BEG}ExYear2ExMonthExDay ?24hour:Minute:Second
|  [0] {^LN-BEG}MON Day, ExYear 12hour:Minute:Second AMPM
|  [0] {^LN-BEG}ExYearExMonthExDay(?:T| ?)Ex24hourExMinuteExSecond(?:[.,]Microseconds)?(?:\s*Zone offset)?
|  [0] {^LN-BEG}(?:Zone name )?(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
|  [0] {^LN-BEG}(?:Zone offset )?(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
|  [0] {^LN-BEG}TAI64N
|  [0] {^LN-BEG}24hour:Minute:Second
|  [0] ^<Month/Day/ExYear2@24hour:Minute:Second>
|  [0] ^MON-Day-ExYear2 %k:Minute:Second
`-

Lines: 7694 lines, 0 ignored, 1 matched, 7693 missed
[processed in 0.24 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 7693 lines

I hope I have included all relevant information in my post and that there is someone who can help me.

Best regards
Hosrt
_______________________________________________ Fail2ban-users mailing list Fail2ban-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fail2ban-users
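The posted filter sets `_daemon = postfix/smtpd`, but the quoted log lines name the process `postfix/smtps/smtpd`, so the prefix part of the failregex never matches. The following is an added example, not code from the post or from fail2ban: it runs the post's failregex body over the quoted log lines with a hand-rolled syslog prefix in place of fail2ban's `%(__prefix_line)s`, compares the two `_daemon` patterns, and then applies the jail's `maxretry`/`findtime` rule to the matches. The IPv4-only stand-in for `<HOST>`, the two extra failure lines three minutes apart and the year 2020 are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of the zimbra.log lines quoted in the post, plus two later
# SASL failures from the same client about three minutes apart (constructed).
SAMPLE_LOG = """\
May 22 05:31:36 mail postfix/smtps/smtpd[13994]: connect from unknown[123.23.32.12]
May 22 05:33:05 mail saslauthd[3484]: do_auth : auth failure: [user=spl...@example.com] [service=smtp] [realm=example.com] [mech=zimbra] [reason=Unknown]
May 22 05:33:05 mail postfix/smtps/smtpd[13994]: warning: unknown[123.23.32.12]: SASL LOGIN authentication failed: authentication failure
May 22 05:33:19 mail postfix/smtps/smtpd[13994]: disconnect from unknown[123.23.32.12] ehlo=1 auth=0/1 rset=1 commands=2/3
May 22 05:36:10 mail postfix/smtps/smtpd[14201]: warning: unknown[123.23.32.12]: SASL LOGIN authentication failed: authentication failure
May 22 05:39:12 mail postfix/smtps/smtpd[14377]: warning: unknown[123.23.32.12]: SASL PLAIN authentication failed: authentication failure
""".splitlines()

# Stand-in for fail2ban's <HOST> tag, limited to IPv4 literals (assumption, not fail2ban's own expansion).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The post's failregex body, i.e. everything after %(__prefix_line)s.
FAIL = (r"warning: [-._\w]+\[" + HOST +
        r"\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed")

def compile_failregex(daemon):
    """Hand-rolled syslog prefix (timestamp, host, daemon[pid]:) followed by the failregex body.
    `daemon` plays the role of the filter's _daemon setting."""
    prefix = r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+(?:" + daemon + r")\[\d+\]:\s+"
    return re.compile(prefix + FAIL)

def failed_logins(lines, daemon, year=2020):
    """(timestamp, host) for every line the filter would count; the year is assumed, syslog omits it."""
    rx = compile_failregex(daemon)
    hits = []
    for line in lines:
        m = rx.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            hits.append((ts, m.group("host")))
    return hits

def would_ban(hits, host, maxretry=3, findtime=timedelta(minutes=15)):
    """True once `maxretry` failures from `host` fall inside one `findtime` window (the jail's rule)."""
    times = sorted(t for t, h in hits if h == host)
    return any(times[i] - times[i - maxretry + 1] <= findtime
               for i in range(maxretry - 1, len(times)))

if __name__ == "__main__":
    print(len(failed_logins(SAMPLE_LOG, r"postfix/smtpd")))        # the post's _daemon: 0 hits
    hits = failed_logins(SAMPLE_LOG, r"postfix(?:/\w+)?/smtpd")   # allows the smtps/ component: 3 hits
    print(len(hits), would_ban(hits, "123.23.32.12"))
```

With the jail's findtime of 15m and maxretry of 3, a client failing once every three minutes is banned on its third failure as soon as the prefix matches.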