----- Message from Nicolas Kovacs <i...@microlinux.fr> ---------
   Date: Tue, 30 Mar 2021 06:58:29 +0200
   From: Nicolas Kovacs <i...@microlinux.fr>
Subject: [Fail2ban-users] Use Fail2ban to protect Postfix/Dovecot on CentOS 7
     To: fail2ban-users@lists.sourceforge.net


Hi,

My main mail server is running CentOS 7 with Postfix and Dovecot.

Last week I was surprised to see that Postfix had some troubles on this
machine, according to Icinga. I took a peek at the logs:

# journalctl -p err
Mar 28 04:37:02 sd-151768 postfix/smtpd[2786]: fatal: no SASL authentication mechanisms
Mar 28 04:37:02 sd-151768 postfix/smtpd[2788]: fatal: no SASL authentication mechanisms
Mar 28 04:37:02 sd-151768 postfix/smtpd[2790]: fatal: no SASL authentication mechanisms
Mar 28 04:37:02 sd-151768 postfix/smtpd[2792]: fatal: no SASL authentication mechanisms
Mar 28 04:37:02 sd-151768 postfix/smtpd[2794]: fatal: no SASL authentication mechanisms
...

And in /var/log/maillog I found a tsunami of these:

Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: warning: unknown[45.227.253.115]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: lost connection after AUTH from unknown[45.227.253.115]
Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: disconnect from unknown[45.227.253.115]

My first reaction was to manually ban the IP addresses / networks which caused
the flood, using my firewall:

# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='45.227.253.0/24' reject"
# firewall-cmd --reload

I'm already using fail2ban in conjunction with firewalld to prevent brute force
SSH attacks.

Can I use it in a similar configuration to stop Postfix from getting flooded
and brought down to its knees?

Thanks & cheers from the sunny South of France,

Niki


----- End message from Nicolas Kovacs <i...@microlinux.fr> -----



A quick test on my server with the postfix filter enabled with your log entries shows all you need to do is enable the Postfix filter at an auth or extra level:

[root@emp87 ~]# fail2ban-regex test postfix[mode=extra] --print-all-matched

Running tests
=============

Use   failregex filter file : postfix, basedir: /etc/fail2ban
Use   filter options : {'mode': 'extra'}
Use      datepattern : {^LN-BEG} : Default Detectors
Use         log file : test
Use         encoding : UTF-8


Results
=======

Prefregex: 1 total
| ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?postfix(-\w+)?/\w+(?:/smtp[ds])?(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix(-\w+)?/\w+(?:/smtp[ds])?(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:warning:|(?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+)) (?P<content>.+)$
`-

Failregex: 1 total
|-  #) [# of hits] regular expression
| 1) [1] ^[^[]*\[<HOST>\](?::\d+)?: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [3] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 3 lines, 0 ignored, 1 matched, 2 missed
[processed in 0.00 sec]

|- Matched line(s):
| Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: warning: unknown[45.227.253.115]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
`-
|- Missed line(s):
| Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: lost connection after AUTH from unknown[45.227.253.115]
| Mar 28 03:18:33 sd-151768 postfix/smtpd[29589]: disconnect from unknown[45.227.253.115]
`-

--
Simon Wilson
M: 0400 12 11 16
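To turn that filter test into a running jail, here is an added example of a jail.local for the CentOS 7 setup described in the first message; it is not from the thread or from the fail2ban project. Assumed: fail2ban 0.10 or later (the postfix filter's mode parameter needs it), a firewalld-backed banaction, and /var/log/maillog as the log path.

```ini
# /etc/fail2ban/jail.local (assumed path; merge into the file you already have)
#
# Jails not listed here keep their values from jail.conf and jail.d/*.conf,
# so the sshd jail that already bans through firewalld is left untouched.

[DEFAULT]
# firewallcmd-rich-rules mirrors the manual rich rule used in the first post.
# If jail.d/00-firewalld.conf already sets a working firewallcmd-* banaction
# for the sshd jail, drop this line and keep that one instead.
banaction = firewallcmd-rich-rules

[postfix]
enabled  = true
# "extra" is the level fail2ban-regex was run with above; "auth" would
# restrict the jail to the SASL authentication failures only.
mode     = extra
port     = smtp,465,submission
logpath  = /var/log/maillog
# A host that fails SASL authentication 5 times within 10 minutes is banned
# for one hour. The "lost connection"/"disconnect" lines are not counted
# (fail2ban-regex reported them as missed); in the excerpt above each burst
# begins with a "SASL LOGIN authentication failed" line, which is counted.
maxretry = 5
findtime = 10m
bantime  = 1h
```

After `systemctl restart fail2ban`, `fail2ban-client status postfix` lists the currently banned addresses and confirms the jail picked up the log file.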



_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users