mdre-auth2= ^[^[]*\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:
You may be able to keep the (?! Connection lost to authentication server) as it may be a must-not-match. My regex ability becomes a little ropey here.
If you change the filter, you should do it in postfix.local
Nick
On 22/05/2020 17:20, Horst Templer wrote:
Hi Nick,
many thanks for your quick reply.
It took some time to find out what you meant, but finally I managed to switch the copied filter.d/postfix.local to mode = aggressive.
I'm a very bad and inexperienced programmer, so understanding code takes a while.
After that the command:
fail2ban-regex /var/log/zimbra.log /etc/fail2ban/filter.d/postfix.local
gives me the following result.
Results
=======
Failregex: 1313 total
|- #) [# of hits] regular expression
| 1) [641] ^[^[]*\[<HOST>\](?::\d+)?: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
| 2) [4] ^RCPT from [^[]*\[<HOST>\](?::\d+)?: 55[04] 5\.7\.1\s
| 8) [668] ^from [^[]*\[<HOST>\](?::\d+)?:?
So I think the right regex is now active.
But when I reload the config, nothing happens after one hour.
There must be another failure at my config, I think.
Or maybe at my thinking and understanding.
Do you have an idea?
fail2ban-client -d now gives me the following output:
fail2ban-client -d
['set', 'syslogsocket', 'auto']
['set', 'loglevel', 'INFO']
['set', 'logtarget', '/var/log/fail2ban.log']
['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
['set', 'dbpurgeage', '1d']
['add', 'sshd', 'auto']
['set', 'sshd', 'maxlines', 1]
['set', 'sshd', 'prefregex', '^<F-MLFID>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?</F-MLFID>(?:(?:error|fatal): (?:PAM: )?)?<F-CONTENT>.+</F-CONTENT>$']
['multi-set', 'sshd', 'addfailregex', ['^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \\S+)?\\s*(?: \\[preauth\\])?\\s*$', '^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>\\s*(?: \\[preauth\\])?\\s*$', '^Failed \\S+ for invalid user <F-USER>(?P<cond_user>\\S+)|(?:(?! from ).)*?</F-USER> from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)', '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)', '^<F-USER>ROOT</F-USER> LOGIN REFUSED.* FROM <HOST>\\s*(?: \\[preauth\\])?\\s*$', '^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$', '^User <F-USER>.+</F-USER> from <HOST> not allowed because not listed in AllowUsers\\s*(?: \\[preauth\\])?\\s*$', '^User <F-USER>.+</F-USER> from <HOST> not allowed because listed in DenyUsers\\s*(?: \\[preauth\\])?\\s*$', '^User <F-USER>.+</F-USER> from <HOST> not allowed because not in any group\\s*(?: \\[preauth\\])?\\s*$', '^refused connect from \\S+ \\(<HOST>\\)\\s*(?: \\[preauth\\])?\\s*$', '^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?:\\s*3: .*: Auth fail(?: \\[preauth\\])?\\s*$', '^User <F-USER>.+</F-USER> from <HOST> not allowed because a group is listed in DenyGroups\\s*(?: \\[preauth\\])?\\s*$', "^User <F-USER>.+</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups\\s*(?: \\[preauth\\])?\\s*$", '^pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=<F-USER>\\S*</F-USER>\\s*rhost=<HOST>\\s.*(?: \\[preauth\\])?\\s*$', '^(error: )?maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?: \\[preauth\\])?\\s*$', '^User <F-USER>.+</F-USER> not allowed because account is locked(?: \\[preauth\\])?\\s*', '^<F-MLFFORGET>Disconnecting</F-MLFFORGET>: Too many authentication failures(?: for <F-USER>.+?</F-USER>)?(?: \\[preauth\\])?\\s*', '^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>: 11:', '^<F-NOFAIL>Connection <F-MLFFORGET>closed</F-MLFFORGET></F-NOFAIL> by <HOST>(?: \\[preauth\\])?\\s*$', '^<F-MLFFORGET><F-NOFAIL>Accepted publickey</F-NOFAIL></F-MLFFORGET> for \\S+ from <HOST>(?:\\s|$)', '^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>']]
['set', 'sshd', 'datepattern', '{^LN-BEG}']
['set', 'sshd', 'addjournalmatch', '_SYSTEMD_UNIT=sshd.service', '+', '_COMM=sshd']
['set', 'sshd', 'addlogpath', '/var/log/auth.log', 'head']
['set', 'sshd', 'logencoding', 'auto']
['set', 'sshd', 'maxretry', 5]
['set', 'sshd', 'findtime', '15m']
['set', 'sshd', 'bantime', '10m']
['set', 'sshd', 'usedns', 'warn']
['set', 'sshd', 'ignorecommand', '']
['set', 'sshd', 'addignoreip', '127.0.0.1/8']
['set', 'sshd', 'addignoreip', '::1']
['set', 'sshd', 'addignoreip', '<My VPN Network>']
['set', 'sshd', 'addignoreip', '<Another IP>']
['set', 'sshd', 'addaction', 'shorewall']
['multi-set', 'sshd', 'action', 'shorewall', [['actionstart', ''], ['actionstop', ''], ['actioncheck', ''], ['actionban', 'shorewall<family> logdrop <ip>'], ['actionunban', 'shorewall<family> allow <ip>'], ['name', 'sshd'], ['bantime', '10m'], ['port', 'ssh'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['actname', 'shorewall'], ['family', ''], ['blocktype', 'logdrop'], ['family?family=inet6', '6']]]
['add', 'postfix', 'auto']
['set', 'postfix', 'prefregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?postfix(-\\w+)?/\\w+(?:/smtp[ds])?(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?postfix(-\\w+)?/\\w+(?:/smtp[ds])?(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:warning:|(?:NOQUEUE: reject:|improper command pipelining after \\S+)|lost connection after(?! DATA) [A-Z]+) <F-CONTENT>.+</F-CONTENT>$']
['multi-set', 'postfix', 'addfailregex', ['^[^[]*\\[<HOST>\\](?::\\d+)?: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)', '^RCPT from [^[]*\\[<HOST>\\](?::\\d+)?: 55[04] 5\\.7\\.1\\s', '^RCPT from [^[]*\\[<HOST>\\](?::\\d+)?: 45[04] 4\\.7\\.1 (?:Service unavailable\\b|Client host rejected: cannot find your (reverse )?hostname\\b)', '^RCPT from [^[]*\\[<HOST>\\](?::\\d+)?: 450 4\\.7\\.1 (<[^>]*>)?: Helo command rejected: Host not found\\b', '^EHLO from [^[]*\\[<HOST>\\](?::\\d+)?: 504 5\\.5\\.2 (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\\b', '^VRFY from [^[]*\\[<HOST>\\](?::\\d+)?: 550 5\\.1\\.1\\s', '^RCPT from [^[]*\\[<HOST>\\](?::\\d+)?: 450 4\\.1\\.8 (<[^>]*>)?: Sender address rejected: Domain not found\\b', '^from [^[]*\\[<HOST>\\](?::\\d+)?:?']]
['set', 'postfix', 'datepattern', '{^LN-BEG}']
['set', 'postfix', 'addjournalmatch', '_SYSTEMD_UNIT=postfix.service']
['set', 'postfix', 'addlogpath', '/var/log/zimbra.log', 'head']
['set', 'postfix', 'logencoding', 'auto']
['set', 'postfix', 'maxretry', 3]
['set', 'postfix', 'findtime', '15m']
['set', 'postfix', 'bantime', '-1']
['set', 'postfix', 'usedns', 'warn']
['set', 'postfix', 'ignorecommand', '']
['set', 'postfix', 'addignoreip', '127.0.0.1/8']
['set', 'postfix', 'addignoreip', '::1']
['set', 'postfix', 'addignoreip', '<My VPN Network>']
['set', 'postfix', 'addignoreip', '<Another IP>']
['set', 'postfix', 'addaction', 'shorewall']
['multi-set', 'postfix', 'action', 'shorewall', [['actionstart', ''], ['actionstop', ''], ['actioncheck', ''], ['actionban', 'shorewall<family> logdrop <ip>'], ['actionunban', 'shorewall<family> allow <ip>'], ['actname', 'shorewall'], ['name', 'postfix'], ['family', ''], ['blocktype', 'logdrop'], ['family?family=inet6', '6']]]
['start', 'sshd']
['start', 'postfix']
Many thanks for your time and help.
Best regards
Horst
On 22.05.2020 at 09:27, Nick Howitt wrote:
Why not start with the mdre-auth2 filter in the postfix.conf jail. I think it is one character out from what you want. You could create filter.d/postfix.local to override the line. See further down the file for how to activate the different modes.
Nick
On 22/05/2020 07:04, Horst Templer via Fail2ban-users wrote:
Dear Madam and Sir,

A very friendly attacker is trying to brute-force my Zimbra mail server at the moment. I call him friendly because his attack is very slow. He takes his time, and the time from one try to the next is about 3 minutes. So I'm not in a hurry in this case. My problem is to find a working regex for the postfix of my installation. My goal is to block such slow requests.

Here is the information about my installation: I have a server running on Ubuntu 18.04. Inside this server resides a Zimbra installation inside of a docker container, also running a full Ubuntu 18.04. The setup is very complex, but running fine. The logs of this container are transmitted to the master host by syslog. The master host runs fail2ban to watch the zimbra logfile and control the firewall. The firewall is based on shorewall. The fail2ban installation is tested with SSH and is working fine.

For the following examples, logfiles and configuration files, I have to hide myself and the attacker, so I will change domains and IPs to the following data. My domain will be: example.com. The attacker will have the IP: 123.23.32.12 (this IP has nothing to do with the real attacker, belongs to a company in India, and has nothing to do with myself. For my case it is a randomly chosen IP, chosen only as an example!)

First, the fail2ban config I had changed to my needs. I copied jail.conf to jail.local and made the following changes:

Ignoreip = <The original IPs and some additions>
findtime = 15m
destemail = <My Email address>
#banaction = iptables-multiport
banaction = shorewall
#banaction_allports = iptables-allports
banaction_allports = shorewall

[sasl]
enabled = true
port = smtp,465,submission
filter = postfix-sasl
logpath = /var/log/zimbra.log
maxretry = 3

I copied the file action.d/shorewall.conf to action.d/shorewall.local:

#blocktype = reject
blocktype = logdrop

I created a new file filter.d/postfix-sasl.conf:

# Fail2Ban filter for postfix authentication failures
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix/smtpd
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

This regex is not working, I think. Here are the log entries that my zimbra creates:

May 22 05:31:36 mail postfix/smtps/smtpd[13994]: connect from unknown[123.23.32.12]
May 22 05:31:51 mail /postfix-script[13655]: the Postfix mail system is running: PID: 3677
May 22 05:32:02 mail postfix/smtps/smtpd[13994]: Anonymous TLS connection established from unknown[123.23.32.12]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 22 05:32:04 mail /postfix-script[14148]: the Postfix mail system is running: PID: 3677
May 22 05:32:54 mail /postfix-script[14573]: the Postfix mail system is running: PID: 3677
May 22 05:33:05 mail saslauthd[3484]: zmauth: authenticating against elected url 'https://mail.example.com:7073/service/admin/soap/' ...
May 22 05:33:05 mail saslauthd[3484]: zmpost: url='' returned buffer->data='', hti->error=''
May 22 05:33:05 mail saslauthd[3484]: auth_zimbra: spl...@example.com auth failed: authentication failed for [spl...@example.com]
May 22 05:33:05 mail saslauthd[3484]: do_auth : auth failure: [user=spl...@example.com] [service=smtp] [realm=example.com] [mech=zimbra] [reason=Unknown]
May 22 05:33:05 mail postfix/smtps/smtpd[13994]: warning: unknown[123.23.32.12]: SASL LOGIN authentication failed: authentication failure
May 22 05:33:19 mail postfix/smtps/smtpd[13994]: lost connection after AUTH from unknown[123.23.32.12]
May 22 05:33:19 mail postfix/smtps/smtpd[13994]: disconnect from unknown[123.23.32.12] ehlo=1 auth=0/1 rset=1 commands=2/3

I have checked that port 7073 is not accessible from outside. This request is made by the postfix daemon only to check the auth.

The relevant log entry to match is the following:

May 22 05:33:05 mail postfix/smtps/smtpd[13994]: warning: unknown[123.23.32.12]: SASL LOGIN authentication failed: authentication failure

This is the regex I built myself to catch this log line:

^(?P<SYSDATE>\w+\s+\d+\s\d+:\d+:\d+)\s+(?P<MYHOST>\w+)\s+(?P<PROCESS>((\w+/\w+/\w+)|(\w+/\w+)|(\w+))\[\d+\]\:)\s(?P<LEVEL>warning\:\s)\w+\[(?P<HOST>\d+\.\d+\.\d+\.\d+)\]\:\s(?P<MSG>(SASL|sasl)\s(LOGIN|login)\sauthentication\sfailed.*)

But since I'm not really good at regex, this log line matches on the website where I built it, but not on the fail2ban server.

This is the output of:

fail2ban-regex -v /var/log/zimbra.log /etc/fail2ban/filter.d/postfix.conf

Running tests
=============
Use failregex filter file : postfix, basedir: /etc/fail2ban
Use datepattern : Default Detectors
Use log file : /var/log/zimbra.log
Use encoding : UTF-8

Results
=======
Failregex: 1 total
|- #) [# of hits] regular expression
| 1) [1] ^RCPT from [^[]*\[<HOST>\](?::\d+)?: 55[04] 5\.7\.1\s
| 45.143.223.126 Thu May 21 20:24:11 2020
| 2) [0] ^RCPT from [^[]*\[<HOST>\](?::\d+)?: 45[04] 4\.7\.1 (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
| 3) [0] ^RCPT from [^[]*\[<HOST>\](?::\d+)?: 450 4\.7\.1 (<[^>]*>)?: Helo command rejected: Host not found\b
| 4) [0] ^EHLO from [^[]*\[<HOST>\](?::\d+)?: 504 5\.5\.2 (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
| 5) [0] ^VRFY from [^[]*\[<HOST>\](?::\d+)?: 550 5\.1\.1\s
| 6) [0] ^RCPT from [^[]*\[<HOST>\](?::\d+)?: 450 4\.1\.8 (<[^>]*>)?: Sender address rejected: Domain not found\b
| 7) [0] ^from [^[]*\[<HOST>\](?::\d+)?:?
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [7694] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
| [0] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
| [0] {^LN-BEG}(?:DAY )?MON Day ExYear %k:Minute:Second(?:\.Microseconds)?
| [0] {^LN-BEG}Day(?P<_sep>[-/])Month(?P=_sep)(?:ExYear|ExYear2) %k:Minute:Second
| [0] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
| [0] {^LN-BEG}Month/Day/ExYear:24hour:Minute:Second
| [0] {^LN-BEG}Month-Day-ExYear %k:Minute:Second(?:\.Microseconds)?
| [0] {^LN-BEG}Epoch
| [0] {^LN-BEG}ExYear2ExMonthExDay ?24hour:Minute:Second
| [0] {^LN-BEG}MON Day, ExYear 12hour:Minute:Second AMPM
| [0] {^LN-BEG}ExYearExMonthExDay(?:T| ?)Ex24hourExMinuteExSecond(?:[.,]Microseconds)?(?:\s*Zone offset)?
| [0] {^LN-BEG}(?:Zone name )?(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
| [0] {^LN-BEG}(?:Zone offset )?(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
| [0] {^LN-BEG}TAI64N
| [0] {^LN-BEG}24hour:Minute:Second
| [0] ^<Month/Day/ExYear2@24hour:Minute:Second>
| [0] ^MON-Day-ExYear2 %k:Minute:Second
`-
Lines: 7694 lines, 0 ignored, 1 matched, 7693 missed
[processed in 0.24 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 7693 lines

I hope I have included all relevant information in my post and that there is someone who can help me.

Best regards
Horst
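To see what the mdre-auth2 line from postfix.conf actually picks out of the log quoted above, and how the jail's maxretry/findtime window then treats an attacker who tries every 3 minutes, here is an added Python example. It is not code from this thread or from fail2ban itself: the prefregex is reduced to the `warning:` prefix of the postfix/smtpd line, `<HOST>` is expanded to an IPv4 group only, the sample log lines are constructed after the ones Horst quoted (123.23.32.12 is the placeholder from the thread; 10.8.0.5, 198.51.100.7 and the 10.8.0.0/24 network standing in for `<My VPN Network>` are additional placeholders), and the ban logic is a simplified re-implementation of fail2ban's sliding window rather than its real Failure/Ticket code.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Stand-in for fail2ban's postfix prefregex, reduced to what this thread needs:
# strip the syslog timestamp, host and "postfix[/sub]/smtpd[pid]: warning:"
# and hand the remainder over as the content the failregex is matched against.
PREFREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"postfix(?:-\w+)?/\w+(?:/smtp[ds])?\[\d+\]: warning: (?P<content>.+)$"
)

# The mdre-auth2 line. fail2ban expands <HOST> to a named group; here it is an
# IPv4 literal only (assumption for the example). The mid-pattern "((?i)LOGIN|...)"
# of the filter file is written as the scoped form "(?i:...)" because Python
# 3.11+ rejects a global flag that is not at the start of the pattern.
FAILREGEX = re.compile(
    r"^[^[]*\[(?P<host>\d{1,3}(?:\.\d{1,3}){3})\](?::\d+)?: SASL "
    r"(?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:"
    r"(?! Connection lost to authentication server)"
)


def parse_syslog_ts(ts: str, year: int) -> datetime:
    """Syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def failures(lines, year=2020):
    """Return [(timestamp, host)] for every line that passes both regexes."""
    hits = []
    for line in lines:
        pre = PREFREGEX.match(line)
        if not pre:
            continue
        fail = FAILREGEX.match(pre.group("content"))
        if fail:
            hits.append((parse_syslog_ts(pre.group("ts"), year), fail.group("host")))
    return hits


def bans(events, maxretry=3, findtime=timedelta(minutes=15), ignoreip=()):
    """Sliding window in the style of fail2ban: a host is banned at the first
    failure at which maxretry failures lie within findtime of that failure.
    Returns {host: ban_time}. Hosts inside any ignoreip network never count."""
    ignored = [ip_network(n, strict=False) for n in ignoreip]  # 127.0.0.1/8 has host bits set
    history = {}
    banned = {}
    for ts, host in sorted(events):
        if host in banned or any(ip_address(host) in n for n in ignored):
            continue
        window = [t for t in history.get(host, []) if ts - t <= findtime]
        window.append(ts)
        history[host] = window
        if len(window) >= maxretry:
            banned[host] = ts
    return banned


# Constructed sample, modelled on the lines quoted in the thread. The third
# attempt uses lowercase "login" to exercise the (?i:...) group, 10.8.0.5 sits in
# the ignored "VPN" network, and the last line is a backend outage, not a bad
# password, which the negative lookahead is there to skip.
SAMPLE_LOG = """\
May 22 05:31:36 mail postfix/smtps/smtpd[13994]: connect from unknown[123.23.32.12]
May 22 05:33:05 mail postfix/smtps/smtpd[13994]: warning: unknown[123.23.32.12]: SASL LOGIN authentication failed: authentication failure
May 22 05:33:19 mail postfix/smtps/smtpd[13994]: lost connection after AUTH from unknown[123.23.32.12]
May 22 05:36:10 mail postfix/smtps/smtpd[14020]: warning: unknown[123.23.32.12]: SASL LOGIN authentication failed: authentication failure
May 22 05:39:12 mail postfix/smtps/smtpd[14051]: warning: unknown[123.23.32.12]: SASL login authentication failed: authentication failure
May 22 05:40:00 mail postfix/smtpd[14060]: warning: unknown[10.8.0.5]: SASL PLAIN authentication failed: authentication failure
May 22 05:41:00 mail postfix/smtpd[14061]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: Connection lost to authentication server
"""


def demo():
    events = failures(SAMPLE_LOG.splitlines())
    # The thread's jail settings: maxretry 3, findtime 15m, VPN network ignored.
    with_thread_settings = bans(events, ignoreip=["127.0.0.1/8", "::1", "10.8.0.0/24"])
    # Same log with a findtime shorter than three attempts at a 3-minute cadence.
    with_short_findtime = bans(events, findtime=timedelta(minutes=5), ignoreip=["10.8.0.0/24"])
    return events, with_thread_settings, with_short_findtime


if __name__ == "__main__":
    events, banned, short = demo()
    for ts, host in events:
        print(f"{ts:%b %d %H:%M:%S}  SASL failure from {host}")
    print("banned with findtime 15m:", banned)
    print("banned with findtime 5m: ", short)
```

Run as a script it prints four matched failures (three from the slow attacker, one from the ignored VPN host) and a ban for 123.23.32.12 at the third attempt, 05:39:12, under the thread's maxretry 3 / findtime 15m. The same events with findtime 5m produce no ban at all, which is the property to check when tuning against an attacker who paces his attempts: findtime has to cover at least maxretry attempts at the observed interval, or the window never fills. The lookahead in mdre-auth2 drops the "Connection lost to authentication server" line, which reports a saslauthd/backend problem rather than a wrong password, so it is worth keeping in the override.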
_______________________________________________ Fail2ban-users mailing list Fail2ban-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fail2ban-users