> > I see several SASL entries in there already, but none appear to match:
> >
> > mdpr-auth = warning:
> > mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
> > mdre-auth2= ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
> >
> > Is the proper procedure to create an mdre-auth3, then add it to the
> > mdre-aggressive line?
> >
> > mdre-aggressive = %(mdre-auth2)s
> >                    %(mdre-normal)s
>
> It is certainly intended that this line should trigger a ban iff postfix
> jail uses
>
> mode = extra
>
> or
>
> mode = aggressive
>
> But I think there may be a problem with the mdre-auth2 regex; I am
> experimenting with removing '^[^[]*' from the front of it (in my
> postfix.local).

I've changed my system to use "mode = aggressive", but also noticed
the following in the logs (that existed prior to making the change):

2021-07-17 14:47:16,390 fail2ban.actions        [3111209]: NOTICE [postfix] Ban 212.70.149.71
2021-07-17 14:47:16,394 fail2ban.actions        [3111209]: NOTICE [postfix-sasl] Ban 24.249.23.200
2021-07-17 14:47:16,409 fail2ban.utils          [3111209]: ERROR 7f7e649c36f0 -- exec: iptables -w -N f2b-postfix
iptables -w -A f2b-postfix -j RETURN
iptables -w -I INPUT -p tcp --dport smtp,465,submission -j f2b-postfix
2021-07-17 14:47:16,410 fail2ban.utils          [3111209]: ERROR 7f7e649c36f0 -- stderr: "iptables v1.8.5 (legacy): invalid port/service `smtp,465,submission' specified"
2021-07-17 14:47:16,411 fail2ban.utils          [3111209]: ERROR 7f7e649c36f0 -- stderr: "Try `iptables -h' or 'iptables --help' for more information."
2021-07-17 14:47:16,413 fail2ban.utils          [3111209]: ERROR 7f7e649c36f0 -- returned 2
2021-07-17 14:47:16,414 fail2ban.actions        [3111209]: ERROR Failed to execute ban jail 'postfix' action 'iptables' info 'ActionInfo({'ip': '212.70.149.71', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f7e64d7f280>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f7e64d7f940>})': Error starting action Jail('postfix')/iptables: 'Script error'

I'm trying to use iptables because I already have a number of rules,
and this is a more complicated system than a firewalld home system.

Thanks,
Alex


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
