
Unable to get Fail2Ban SASL filter to work

Chris1

Regular Pleskian
Hi everyone,

I'm getting the following attempts every few minutes. I'd like to put a stop to it with Fail2Ban, but so far I've been unsuccessful: I get no IP bans in the Fail2Ban panel in Plesk 12.

Dec 3 23:24:14 XXX postfix/smtpd[2535]: warning: ca215.calcit.fastwebserver.de[146.0.42.84]: SASL LOGIN authentication failed: authentication failure

/etc/fail2ban/filter.d/sasl.conf
# Fail2Ban filter for postfix authentication failures
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix/smtpd
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
ignoreregex =
# Author: Yaroslav Halchenko

/etc/fail2ban/jail.local
[sasl]
enabled = true
logpath = /var/log/maillog
filter = sasl
maxretry = 1
action = iptables[name=sasl, port=smtp, protocol=tcp]
port = smtp

I also have the following under [DEFAULT] in my jail.local file:
findtime = 600
bantime = 3600

A Fail2Ban regex test shows the following:


[root@XXX fail2ban]# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sasl.conf

Running tests
=============

Use failregex file : /etc/fail2ban/filter.d/sasl.conf
Use log file : /var/log/maillog


Results
=======

Failregex: 2329 total
|- #) [# of hits] regular expression
| 1) [2329] (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [74635] MONTH Day Hour:Minute:Second
`-

Lines: 74635 lines, 0 ignored, 2329 matched, 72306 missed
Missed line(s): too many to print. Use --print-all-missed to print all 72306 lines
*****************************************

Could someone please assist with letting me know where I'm going wrong?

Kind regards,
Chris


 
There should already be one:

[root@ppu12-0 ~]# cat /etc/fail2ban/filter.d/postfix-sasl.conf
# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix/smtpd

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

# Author: Yaroslav Halchenko

Have you tried using it instead of adding your own filter?
 
Hi IgorG,

Thank you for the reply.

I have, but unfortunately I couldn't get anything to be banned, even if I set maxretry to 1.

I have since changed the regex back to the one you have listed above.

I have an idea as to why it isn't working. I've noticed that my mail log time zone is set to +10, which equates to 16:29; however, when I run date I get:

"Thu Dec 4 17:29:30 AEDT 2014" (which is +11)

I have it set to the correct time zone in Plesk. (Australia/Melbourne)

1.) How can I fix my log time zone?
2.) Would the time zone difference stop Fail2Ban from working correctly?

Kind regards,
Chris
 
Hi IgorG,

I managed to fix the timestamps in the logs, and as a result the fail2ban issue, by simply restarting the server. It seems fail2ban will not work correctly if the timestamps in the log file aren't correct.

I've got another issue now though. Since restarting the server my Server Health stats are reading incorrectly.

Apache CPU Usage: 954.5%
Mail server CPU usage: 1431.6%
MySQL CPU usage: 954.5%
Total CPU usage: 14913080.3%
Network throughput: 9544368.4 packets/sec

Any idea on how to fix this?

Kind regards,
Chris
 
Hi Chris1,

1) Fail2Ban listens for recent log entries. So if you have fixed your mail server's log file, then it should work.
2) Try to check which process is consuming CPU:
#top

3) Check the fail2ban server's status:
#fail2ban-client status
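
Added example (not fail2ban's own code, and not posted by anyone in the thread): a small Python re-implementation of the two things in play above, the stock postfix-sasl failregex from IgorG's reply and the findtime window that IgorG's "recent log entries" refers to. Assumptions: common.conf's __prefix_line is hand-expanded and only covers plain "Mon DD HH:MM:SS host" syslog lines, <HOST> is narrowed to an IPv4 literal, and the log lines and the "now" clock are constructed from the stamps quoted in the thread (Chris's date output of 17:29:30 AEDT, i.e. +11, and postfix stamps written under +10). It reproduces one mechanism by which thousands of fail2ban-regex hits can still yield zero bans: fail2ban reads a zone-less syslog stamp in the system zone, so a line stamped an hour in the past is older than findtime = 600 and is discarded before it can ever count towards maxretry.

```python
"""Replay of fail2ban's postfix-sasl matching plus its findtime window.

Added example, not fail2ban's own code: a simplified stand-in for what the
fail2ban-regex run and the sasl jail in the thread do, so the effect of a
wrong log time zone can be reproduced offline.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: the syslog prefix is hand-expanded from common.conf's
# __prefix_line and only covers "Mon DD HH:MM:SS host" lines.  The rest is
# the stock postfix-sasl.conf failregex with <HOST> narrowed to IPv4.
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: [-._\w]+\[(?P<host>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(?:: [ A-Za-z0-9+/]*={0,2})?\s*$"
)


def match_host(line):
    """Return the offending IP for a matching line, else None.
    One non-None result here is one hit in fail2ban-regex's Results."""
    m = FAILREGEX.match(line)
    return m.group("host") if m else None


def syslog_epoch(stamp, now):
    """Turn a year-less, zone-less syslog stamp into epoch seconds.

    Like fail2ban, the stamp is taken to be in the *system* zone (now.tzinfo)
    and the year is borrowed from the current clock (so a Dec 31 line read on
    Jan 1 would be mis-dated; ignored here for brevity).
    """
    stamp = re.sub(r"\s+", " ", stamp)          # "Dec  4" -> "Dec 4"
    dt = datetime.strptime(f"{now.year} {stamp}", "%Y %b %d %H:%M:%S")
    return dt.replace(tzinfo=now.tzinfo).timestamp()


def scan(lines, now, findtime=600, maxretry=1):
    """Simplified jail: count failures per host that fall inside the
    findtime window ending at 'now'; return (counts, banned_hosts)."""
    counts = defaultdict(int)
    cutoff = now.timestamp() - findtime
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue
        if syslog_epoch(m.group("ts"), now) < cutoff:
            # fail2ban silently drops entries older than findtime; a log
            # stamped an hour "in the past" looks exactly like this
            continue
        counts[m.group("host")] += 1
    banned = {h for h, n in counts.items() if n >= maxretry}
    return dict(counts), banned


# Constructed sample input (not a real log).  Chris's `date` printed
# "Thu Dec 4 17:29:30 AEDT 2014", i.e. UTC+11, so the jail's clock is:
NOW = datetime(2014, 12, 4, 17, 29, 30, tzinfo=timezone(timedelta(hours=11)))

TEMPLATE = ("{stamp} XXX postfix/smtpd[2535]: warning: "
            "ca215.calcit.fastwebserver.de[146.0.42.84]: SASL LOGIN "
            "authentication failed: authentication failure")
NOISE = "Dec  4 17:29:05 XXX postfix/smtpd[2535]: connect from unknown[10.0.0.9]"

# Before the reboot: the mail log was still stamped with the stale +10 offset,
# so a failure that happened 20 s ago carries the stamp 16:29:10.
SKEWED_LOG = [NOISE,
              TEMPLATE.format(stamp="Dec  4 16:29:10"),
              TEMPLATE.format(stamp="Dec  4 16:29:12")]
# After the reboot: stamps agree with the system clock.
FIXED_LOG = [NOISE,
             TEMPLATE.format(stamp="Dec  4 17:29:10"),
             TEMPLATE.format(stamp="Dec  4 17:29:12")]

if __name__ == "__main__":
    print("skewed:", scan(SKEWED_LOG, NOW))   # ({}, set())
    print("fixed: ", scan(FIXED_LOG, NOW))    # ({'146.0.42.84': 2}, {'146.0.42.84'})
```

The practical check this suggests, before touching any filter: the newest stamp in /var/log/maillog and the output of date should agree to within seconds. If they differ by a whole hour, fix the clock or zone (or restart the daemons so they pick up the new zone) before tuning findtime or maxretry. Note also that fail2ban-regex only tests matching; it does not apply findtime, so it will happily report thousands of hits on a log whose lines the running jail is throwing away as too old.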
 