Re: [Fail2ban-users] Need SMTP Ban help
I’ve tested my MTU settings and they’re working perfectly fine, so it wouldn’t be on my end for an MTU thing. I also did another lookup of the "offending" IPs and they’re all coming from CloudFlare, which is a bit baffling to me as I’m not using CloudFlare. Which begs the question: why is CloudFlare attempting to connect to my email server?

Jody

> On May 17, 2018, at 2:24 AM, Yves via Fail2ban-users wrote:
>
>> I'd also check your IPv6 connectivity (including ICMPv6) to the client,
>> these timeouts are more likely caused by MTU problems than malicious intent.
>
> I wouldn't know, but if you're right, this is indeed the _first_ thing to
> check! :-)

-- 
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
Re: [Fail2ban-users] Need SMTP Ban help
17.05.2018 11:24, Yves via Fail2ban-users writes:
> * one for you: After Fail2ban has successfully matched the regex from line #1 to line #6, will it resume log parsing at line #6 (next byte) or #7 (next line), or will it resume log parsing at line #2? For this solution to work, it must be the latter.

Frankly, I don't know, but it's easy to check experimentally for a specific version of fail2ban. I never considered skipping lines a problem, unless someone can reliably bypass your filter completely.

-- 
With Best Regards,
Marat Khalili
Re: [Fail2ban-users] Need SMTP Ban help
16.05.2018 21:09, Jody Whitesides wrote:
> Actually there would be a few other attempts in between line 2 and 6 there. Thus, I’d like to create a filter that can figure out the hex thing before the 'mta event' as that is what ties the first part’s attempt to the fact that it's failing. Then I’d like to ban that host, both the IPv4 and IPv6 ones that are doing whatever it is they’re attempting to do.

You can use multiline regular expressions for the hex part. Here's one example of how it is done (__machine, __pid1 and __pid2 all match among the lines):
https://github.com/qm2k/burp_integration/blob/master/etc/fail2ban/filter.d/burp-auth.conf

I'd also check your IPv6 connectivity (including ICMPv6) to the client; these timeouts are more likely caused by MTU problems than malicious intent.

-- 
With Best Regards,
Marat Khalili
Re: [Fail2ban-users] Need SMTP Ban help
Hi Jody,

On 16/05/2018 at 20:09, Jody Whitesides wrote:
> […]
> Here’s what it looks like:
>
> 14:27:39 myserver smtpd[8069]: 7ddc60038b38020a mta event=connecting address=smtp+tls://104.28.23.114:25 host=104.28.23.114
> 14:27:54 myserver smtpd[8069]: smtp-out: Enabling route [] <-> 104.28.22.114 (104.28.22.114)
> 14:28:15 myserver smtpd[989]: smtp-out: Enabling route [] <-> IPv6:2400:cb00:2048:1::681c:1672 (2400:cb00:2048:1::681c:1672)
> 14:28:31 myserver smtpd[989]: edd53f4be38a36a0 mta event=error reason=Connection timeout
> 14:28:31 myserver smtpd[989]: smtp-out: Disabling route [] <-> IPv6:2400:cb00:2048:1::681c:1772 (2400:cb00:2048:1::681c:1772) for 15s
> 14:28:45 myserver smtpd[8069]: 7ddc60038b38020a mta event=error reason=Connection timeout
>
> Actually there would be a few other attempts in between line 2 and 6 there. Thus, I’d like to create a filter that can figure out the hex thing before the 'mta event' as that is what ties the first part’s attempt to the fact that it's failing. Then I’d like to ban that host, both the IPv4 and IPv6 ones that are doing whatever it is they’re attempting to do. Does this make sense?
>
> This was my attempt:
>
> ^.*mta event=connecting address=.*\n.*smtp-out: Enabling route\s*$
>
> But it didn’t work.
> […]

I do not see any reason why you wouldn’t be able to match any one of these lines, which are properly formatted, with Fail2ban. However, as you rightly say yourself, the tricky part comes from the hex thing… To my knowledge, Fail2ban does not have a notion of “context” that would allow attaching line 6 to line 1, or line 4 to whatever corresponding line came before…

You *might* be interested in a tool that I wrote that should be able to handle this situation: Pyruse. https://yalis.fr/git/yves/pyruse

There is one condition for using Pyruse: your logs have to be in systemd-journald.
Starting from there, you can use the “DNAT-correcting actions” to achieve your goal with:

```json
{ "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^(.*) mta event=connecting address=.* host=(.*)$", "save": [ "hash", "hostIP" ] } },
{ "action": "action_dnatCapture", "args": { "saddr": "hostIP", "addr": "hash" } }
```

and:

```json
{ "filter": "filter_pcre", "args": { "field": "MESSAGE", "re": "^(.*) mta event=error reason=Connection timeout$", "save": [ "hostIP" ] } },
{ "action": "action_dnatReplace", "args": { "addr": "hostIP", "saddrInto": "hostIP" } },
{ "action": "action_email", "args": { "message": "Mail attack from {hostIP}." } }
```

That’s the general idea; it can be optimized (see the documentation). And you can replace (or complement) the email at the end with a ban of your choice (nftables, or ipset).

I hope this helps…

Cheers,
Yves.
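As an added example (not Yves's Pyruse configuration and not code from anyone in this thread), the following Python correlator implements the cross-line "context" that the thread says Fail2ban's per-line failregex lacks: it keys each `mta event=connecting` line by its 16-hex-digit session id, resolves a later `mta event=error reason=Connection timeout` for the same id back to the host, and counts timeouts per host the way a jail's maxretry would. The sample lines are constructed to resemble the ones quoted above; the connecting line for session edd53f4be38a36a0 (the thread shows only its timeout), the regexes and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the smtpd lines quoted in the thread. The
# connecting line for session edd53f4be38a36a0 is assumed (the thread only
# shows its timeout); sessions interleave across two smtpd processes.
SAMPLE_LOG = """\
14:27:39 myserver smtpd[8069]: 7ddc60038b38020a mta event=connecting address=smtp+tls://104.28.23.114:25 host=104.28.23.114
14:27:54 myserver smtpd[8069]: smtp-out: Enabling route [] <-> 104.28.22.114 (104.28.22.114)
14:28:02 myserver smtpd[989]: edd53f4be38a36a0 mta event=connecting address=smtp+tls://[2400:cb00:2048:1::681c:1672]:25 host=2400:cb00:2048:1::681c:1672
14:28:15 myserver smtpd[989]: smtp-out: Enabling route [] <-> IPv6:2400:cb00:2048:1::681c:1672 (2400:cb00:2048:1::681c:1672)
14:28:31 myserver smtpd[989]: edd53f4be38a36a0 mta event=error reason=Connection timeout
14:28:45 myserver smtpd[8069]: 7ddc60038b38020a mta event=error reason=Connection timeout
"""

# Common prefix: timestamp, host, smtpd[pid]:, then the 16-hex-digit session id.
PREFIX = r"^\S+ \S+ smtpd\[\d+\]: (?P<sid>[0-9a-f]{16}) mta event="
CONNECT_RE = re.compile(PREFIX + r"connecting address=\S+ host=(?P<host>\S+)$")
TIMEOUT_RE = re.compile(PREFIX + r"error reason=Connection timeout$")


def correlate_timeouts(log_text):
    """Return [(session_id, host), ...] for every timeout whose session id
    was seen in an earlier 'connecting' line. The session table is the
    cross-line state a single-line failregex cannot keep."""
    sessions = {}   # session id -> host of the pending connection
    timeouts = []
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            sessions[m["sid"]] = m["host"]
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            host = sessions.pop(m["sid"], None)  # drop the entry once resolved
            if host is None:
                continue  # orphan timeout (e.g. connecting line rotated away)
            timeouts.append((m["sid"], host))
    return timeouts


def hosts_to_ban(log_text, maxretry=1):
    """Hosts whose correlated timeout count reached maxretry, sorted."""
    counts = Counter(host for _, host in correlate_timeouts(log_text))
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for sid, host in correlate_timeouts(SAMPLE_LOG):
        print(f"{sid} timed out -> {host}")
    print("ban candidates:", hosts_to_ban(SAMPLE_LOG))
```

A timeout whose session id was never seen (for instance because the connecting line was rotated away) is dropped rather than turned into a ban. Note that `smtp-out`/`mta event` lines are OpenSMTPD's outbound delivery log, so the host resolved here is a destination the server itself tried to reach on port 25, not a client connecting in.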
[Fail2ban-users] Need SMTP Ban help
Hi there,

I’m a bit of a noob at the whole fail2ban thing, and I’m wondering if you might know how to add something to it. In the past 24 hours, I’ve had a couple of IP addresses that are doing something strange. I’m not exactly sure if they’re attempting to break into the mail server, but I’d like to see about banning them. I attempted to add more to the failregex, but I couldn’t get it to work. It's coming in on smtp, and it's for smtp-out, under mta. Here’s what it looks like:

14:27:39 myserver smtpd[8069]: 7ddc60038b38020a mta event=connecting address=smtp+tls://104.28.23.114:25 host=104.28.23.114
14:27:54 myserver smtpd[8069]: smtp-out: Enabling route [] <-> 104.28.22.114 (104.28.22.114)
14:28:15 myserver smtpd[989]: smtp-out: Enabling route [] <-> IPv6:2400:cb00:2048:1::681c:1672 (2400:cb00:2048:1::681c:1672)
14:28:31 myserver smtpd[989]: edd53f4be38a36a0 mta event=error reason=Connection timeout
14:28:31 myserver smtpd[989]: smtp-out: Disabling route [] <-> IPv6:2400:cb00:2048:1::681c:1772 (2400:cb00:2048:1::681c:1772) for 15s
14:28:45 myserver smtpd[8069]: 7ddc60038b38020a mta event=error reason=Connection timeout

Actually there would be a few other attempts in between line 2 and 6 there. Thus, I’d like to create a filter that can figure out the hex thing before the 'mta event' as that is what ties the first part’s attempt to the fact that it's failing. Then I’d like to ban that host, both the IPv4 and IPv6 ones that are doing whatever it is they’re attempting to do. Does this make sense?

This was my attempt:

^.*mta event=connecting address=.*\n.*smtp-out: Enabling route\s*$

But it didn’t work.

Any help you could point my way, or explain on how to write a useful filter for fail2ban, would be appreciated.

Thank you for your time,
Jody