Re: [Fail2ban-users] Need SMTP Ban help

2018-05-17 Thread Jody Whitesides
I’ve tested my MTU settings and they’re working perfectly fine, so it wouldn’t 
be on my end for an MTU thing.

I also did another lookup of the "offending" IPs and they’re all coming from 
CloudFlare, which is a bit baffling to me as I’m not using CloudFlare. Which 
begs the question, why is CloudFlare attempting to connect to my email server.

Jody

> On May 17, 2018, at 2:24 AM, Yves via Fail2ban-users wrote:
> 
>> I'd also check your IPv6 connectivity (including ICMPv6) to the client, 
>> these timeouts are more likely caused by MTU problems than malicious intent.
> I wouldn't know, but if you're right, this is indeed the _first_ thing to 
> check! :-)



--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users


Re: [Fail2ban-users] Need SMTP Ban help

2018-05-17 Thread Marat Khalili

17.05.2018 11:24, Yves via Fail2ban-users wrote:
* one for you: After Fail2ban has successfully matched the regex from 
line #1 to line #6, will it resume log parsing at line #6 (next byte) 
or #7 (next line), or will it resume log parsing at line #2? For this 
solution to work, it must be the latter. 


Frankly, I don't know, but it's easy to check experimentally for 
specific version of fail2ban. I never considered skipping lines a 
problem, unless someone can reliably bypass your filter completely.


--

With Best Regards,
Marat Khalili




Re: [Fail2ban-users] Need SMTP Ban help

2018-05-17 Thread Marat Khalili

16.05.2018 21:09, Jody Whitesides wrote:
Actually there would be a few other attempts in between line 2 and 6 
there. Thus, I’d like to create a filter that can figure out the hex 
thing before the 'mta event' as that is what ties the first part’s 
attempt to the fact that it’s failing. Then I’d like to ban that host, 
both the IPv4 and IPv6 ones that are doing whatever it is they’re 
attempting to do.


You can use multiline regular expressions for the hex part. Here's one 
example of how it is done (__machine, __pid1 and __pid2 all match among 
the lines): 
https://github.com/qm2k/burp_integration/blob/master/etc/fail2ban/filter.d/burp-auth.conf


I'd also check your IPv6 connectivity (including ICMPv6) to the client, 
these timeouts are more likely caused by MTU problems than malicious intent.


--

With Best Regards,
Marat Khalili




Re: [Fail2ban-users] Need SMTP Ban help

2018-05-17 Thread Yves via Fail2ban-users

Hi Jody,

On 16/05/2018 at 20:09, Jody Whitesides wrote:

[…] Here’s what it looks like:

14:27:39 myserver smtpd[8069]: 7ddc60038b38020a mta event=connecting 
address=smtp+tls://104.28.23.114:25 host=104.28.23.114
14:27:54 myserver smtpd[8069]: smtp-out: Enabling route [] <-> 
104.28.22.114 (104.28.22.114)
14:28:15 myserver smtpd[989]: smtp-out: Enabling route [] <-> 
IPv6:2400:cb00:2048:1::681c:1672 (2400:cb00:2048:1::681c:1672)
14:28:31 myserver smtpd[989]: edd53f4be38a36a0 mta event=error 
reason=Connection timeout
14:28:31 myserver smtpd[989]: smtp-out: Disabling route [] <-> 
IPv6:2400:cb00:2048:1::681c:1772 (2400:cb00:2048:1::681c:1772) for 15s
14:28:45 myserver smtpd[8069]: 7ddc60038b38020a mta event=error 
reason=Connection timeout


Actually there would be a few other attempts in between line 2 and 6 
there. Thus, I’d like to create a filter that can figure out the hex 
thing before the 'mta event' as that is what ties the first part’s 
attempt to the fact that it’s failing. Then I’d like to ban that host, 
both the IPv4 and IPv6 ones that are doing whatever it is they’re 
attempting to do.


Does this make sense?

This was my attempt:

^.*mta event=connecting address=.*\n.*smtp-out: Enabling route\s*$

But it didn’t work. […]


I do not see any reason why you wouldn’t be able to match any one of 
these lines, which are properly formatted, with Fail2ban.
However, as you rightly say yourself, the tricky part comes from the hex 
thing… To my knowledge, Fail2ban does not have a notion of “context” 
that would allow attaching line 6 to line 1, or line 4 to whatever 
corresponding line came before…


You *might* be interested in a tool that I wrote, that should be able to 
handle this situation: Pyruse.

https://yalis.fr/git/yves/pyruse

There is one condition for using Pyruse: your logs have to be in 
systemd-journald.


Starting from there, you can use the “DNAT-correcting actions” to 
achieve your goal with:


```json
{ "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^(.*) mta event=connecting address=.* host=(.*)$", "save": [ "hash", "hostIP" ] } },
{ "action": "action_dnatCapture", "args": { "saddr": "hostIP", "addr": "hash" } }
```

and:

```json
{ "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^(.*) mta event=error reason=Connection timeout$", "save": [ "hostIP" ] } },
{ "action": "action_dnatReplace", "args": { "addr": "hostIP", "saddrInto": "hostIP" } },
{ "action": "action_email", "args": { "message": "Mail attack from {hostIP}." } }
```

That’s the general idea; it can be optimized (see the documentation). 
And you can replace (or complement) the email at the end with a ban of 
your choice (nftables, or ipset).


I hope this helps…
Cheers,

Yves.
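Editor's note: the two approaches discussed in this thread, Marat's multiline regex with a backreference on the session id and Yves' point that Fail2ban keeps no "context" between lines, can be compared directly on the log Jody posted. The script below is an added example, not code from Jody, Marat, Yves, Pyruse or the fail2ban project. It assumes the session id is the 16-hex-digit token before `mta event=` in the posted lines and that the host to ban is the `host=` value of the `connecting` line; the last four log lines are constructed for the example (two sessions whose `connecting` lines interleave before either times out), and plain Python `re.MULTILINE` stands in for fail2ban's `maxlines`/`<SKIPLINES>` machinery.

```python
"""Tie the 'connecting' line to the later 'error' line that shares its session id.

Added example for this thread, not code from Jody, Marat, Yves or the fail2ban
project. Two approaches side by side:

  1. one multiline regex with a named backreference, as in the burp-auth.conf
     filter linked above (fail2ban additionally needs maxlines > 1 and the
     <SKIPLINES> tag for the gap; Python re.MULTILINE stands in for it here);
  2. a small stateful correlator keeping a session-id -> host dict, i.e. the
     "context" that fail2ban does not keep between lines.

Assumptions: the session id is the 16-hex-digit token before 'mta event=' in the
posted lines, and the host to ban is the host= value of the 'connecting' line.
"""
from __future__ import annotations

import re
from collections import defaultdict

# The six lines posted in the thread, followed by four lines CONSTRUCTED for this
# example: two sessions whose connecting lines interleave before either fails.
SAMPLE_LOG = """\
14:27:39 myserver smtpd[8069]: 7ddc60038b38020a mta event=connecting address=smtp+tls://104.28.23.114:25 host=104.28.23.114
14:27:54 myserver smtpd[8069]: smtp-out: Enabling route [] <-> 104.28.22.114 (104.28.22.114)
14:28:15 myserver smtpd[989]: smtp-out: Enabling route [] <-> IPv6:2400:cb00:2048:1::681c:1672 (2400:cb00:2048:1::681c:1672)
14:28:31 myserver smtpd[989]: edd53f4be38a36a0 mta event=error reason=Connection timeout
14:28:31 myserver smtpd[989]: smtp-out: Disabling route [] <-> IPv6:2400:cb00:2048:1::681c:1772 (2400:cb00:2048:1::681c:1772) for 15s
14:28:45 myserver smtpd[8069]: 7ddc60038b38020a mta event=error reason=Connection timeout
14:29:01 myserver smtpd[8069]: 3f9e1c4b7a2d8e60 mta event=connecting address=smtp+tls://[2400:cb00:2048:1::681c:1672]:25 host=2400:cb00:2048:1::681c:1672
14:29:02 myserver smtpd[8069]: 9b2d4f6e8a1c3e75 mta event=connecting address=smtp+tls://104.28.23.114:25 host=104.28.23.114
14:29:31 myserver smtpd[8069]: 3f9e1c4b7a2d8e60 mta event=error reason=Connection timeout
14:29:32 myserver smtpd[8069]: 9b2d4f6e8a1c3e75 mta event=error reason=Connection timeout
"""

PREFIX = r"\S+ \S+ smtpd\[\d+\]: "          # "14:27:39 myserver smtpd[8069]: "
SESSION_ID = r"[0-9a-f]{16}"                # assumed shape of the hex token

# Approach 1: one pattern spanning from the connecting line to the matching error
# line; (?P=hash) forces the same id, (?:\n.*)*? lazily skips unrelated lines.
PAIR_RE = re.compile(
    r"^" + PREFIX + r"(?P<hash>" + SESSION_ID + r") mta event=connecting "
    r"address=\S+ host=(?P<host>\S+)$"
    r"(?:\n.*)*?"
    r"\n" + PREFIX + r"(?P=hash) mta event=error reason=Connection timeout$",
    re.MULTILINE,
)

# Approach 2: per-line patterns fed to a stateful loop.
CONNECT_RE = re.compile(
    r"^" + PREFIX + r"(?P<hash>" + SESSION_ID + r") mta event=connecting "
    r"address=\S+ host=(?P<host>\S+)$")
ERROR_RE = re.compile(
    r"^" + PREFIX + r"(?P<hash>" + SESSION_ID + r") mta event=error reason=(?P<reason>.*)$")


def failures_by_regex(log: str) -> list[tuple[str, str]]:
    """(host, session id) for each connect/timeout pair the multiline regex finds.

    re.finditer resumes scanning after the end of each match, so a connecting
    line that lies inside an earlier match's span is never seen again. That is
    the 'resume at line 2 or at line 7?' question raised in the thread.
    """
    return [(m["host"], m["hash"]) for m in PAIR_RE.finditer(log)]


def failures_by_state(log: str) -> list[tuple[str, str]]:
    """(host, session id) for each session whose connect is later followed by a
    timeout with the same id, however the sessions interleave."""
    pending: dict[str, str] = {}            # session id -> host of the connecting line
    failures: list[tuple[str, str]] = []
    for line in log.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            pending[m["hash"]] = m["host"]
            continue
        m = ERROR_RE.match(line)
        if m and m["reason"] == "Connection timeout":
            host = pending.pop(m["hash"], None)
            if host is not None:            # error for an id we never saw connect: ignore
                failures.append((host, m["hash"]))
    return failures


def hosts_to_ban(failures: list[tuple[str, str]], maxretry: int = 2) -> list[str]:
    """Hosts with at least maxretry correlated failures (fail2ban's maxretry idea;
    findtime is omitted because the posted lines carry no date)."""
    counts: dict[str, int] = defaultdict(int)
    for host, _ in failures:
        counts[host] += 1
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, fn in (("regex", failures_by_regex), ("state", failures_by_state)):
        found = fn(SAMPLE_LOG)
        print(f"{name}: {len(found)} failures, ban {hosts_to_ban(found)}")
```

On this input the regex approach finds two pairs and the stateful one three: the second `connecting` line for 104.28.23.114 falls inside the span of the IPv6 session's match and is consumed with it, so with `maxretry = 2` only the stateful correlator would ban that host. In a real fail2ban filter the host group becomes `<HOST>`, the gap becomes `<SKIPLINES>` with `maxlines` raised, and the resume behaviour should be checked on a saved log with `fail2ban-regex` for the installed version before relying on it. One more thing the posted lines themselves show: they come from `smtp-out`, and `event=connecting address=...:25` is the local smtpd opening a connection to port 25 of the listed address, so a ban on that `host=` value blocks the local server's own outbound delivery to it rather than an inbound client.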


[Fail2ban-users] Need SMTP Ban help

2018-05-16 Thread Jody Whitesides
Hi there, I’m a bit of a noob at the whole fail2ban thing, and I’m wondering if 
you might know how to add something to it. In the past 24 hours, I’ve had a 
couple of IP addresses that are doing something strange. I’m not exactly sure 
if they’re attempting to break into the mail server, but I’d like to see about 
banning them.

I attempted to add more to the failregex, but I couldn’t get it to work.

It’s coming in on smtp, and it’s for smtp-out, under mta.

Here’s what it looks like:

14:27:39 myserver smtpd[8069]: 7ddc60038b38020a mta event=connecting 
address=smtp+tls://104.28.23.114:25  
host=104.28.23.114
14:27:54 myserver smtpd[8069]: smtp-out: Enabling route [] <-> 104.28.22.114 
(104.28.22.114)
14:28:15 myserver smtpd[989]: smtp-out: Enabling route [] <-> 
IPv6:2400:cb00:2048:1::681c:1672 (2400:cb00:2048:1::681c:1672)
14:28:31 myserver smtpd[989]: edd53f4be38a36a0 mta event=error 
reason=Connection timeout
14:28:31 myserver smtpd[989]: smtp-out: Disabling route [] <-> 
IPv6:2400:cb00:2048:1::681c:1772 (2400:cb00:2048:1::681c:1772) for 15s
14:28:45 myserver smtpd[8069]: 7ddc60038b38020a mta event=error 
reason=Connection timeout

Actually there would be a few other attempts in between line 2 and 6 there. 
Thus, I’d like to create a filter that can figure out the hex thing before the 
'mta event' as that is what ties the first part’s attempt to the fact that it’s 
failing. Then I’d like to ban that host, both the IPv4 and IPv6 ones that are 
doing whatever it is they’re attempting to do.

Does this make sense?

This was my attempt:

^.*mta event=connecting address=.*\n.*smtp-out: Enabling route\s*$

But it didn’t work. Any help you could point my way, or explain on how to write 
a useful filter for fail2ban would be appreciated.

Thank you for your time,

Jody
