
Can anyone help me with a special f2b filter to track down recurring login fails on a specific mailbox? I don't want to limit fails to the global Postfix jail. Therefore I need an extra filter.

I also think I need some more regex, as in my line with the mailbox there's no IP, right?

Here is the content:

Sep 14 22:00:28 host01 plesk_saslauthd[7633]: failed mail authentication attempt for user 'office@customer-domain.de' (password len=9)
Sep 14 22:00:28 host01 postfix/smtpd[6772]: warning: SASL authentication failure: Password verification failed
Sep 14 22:00:28 host01 postfix/smtpd[6772]: warning: unknown[190.124.18.242]: SASL PLAIN authentication failed: authentication failure

The jail shall trigger if office@customer-domain.de got a fail, but it probably needs the IP from line 3?!

I need this because the attacker only runs ONCE with a false password and then moves to another IP. I want to track this down only for one mailbox to have him banned after 1 fail. To change the global Postfix trigger to one fail only is too strong and bad for real users.

Here is the Postfix Jail:

[INCLUDES]
before = common.conf

[Definition]
# Daemon name expected in the syslog prefix: postfix/smtpd, postfix/smtps,
# postfix/submission/smtpd and the postfix-<instance>/ variants
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
# The banned address comes from the <HOST> placeholder, i.e. the
# "unknown[1.2.3.4]: SASL PLAIN authentication failed" line written by smtpd
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
# Do not count failures caused by the authentication backend being unreachable
ignoreregex = authentication failed: Connection lost to authentication server$

[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service
Alorsons
    The existing postfix jails should cover this already. Why do you need something special? – Michael Hampton Sep 14 '18 at 20:28
  • As the attacker reduced the login tries to ONCE and then switches IP. Therefore I want to only track down this try on a specific mailbox... – Alorsons Sep 15 '18 at 08:10
  • You're a bit stuck. The first line here is the only one that includes the mailbox. While fail2ban has had multiline matches for a number of years, there is no anchoring element (like a process id) that will match both the mailbox and the IP of the user/bot that failed the authentication attempt. You can't just depend on these 3 lines in order because another failure could be mingled in with these error messages. – danblack Sep 15 '18 at 10:02
  • @danblack I am not able to write regex. It's the default. But I want to trigger ONLY my sample above. I want a jail for one mailbox if possible... – Alorsons Sep 15 '18 at 10:06
  • The existing rule matches the third line in your sample. This line doesn't have a mailbox in that line so a regex rule can't be written to include it. Reliable multiline rules aren't possible because there is no reliable way to match the postfix/smtpd failure line to the first log line that mentions the mailbox. – danblack Sep 15 '18 at 10:26

1 Answer


The existing rule matches the third line in your sample. This line doesn't have a mailbox in that line so a regex rule can't be written to include it.

Reliable multiline rules aren't possible because there is no reliable way to match the postfix/smtpd failure line to the first log line that mentions the mailbox.

danblack
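To make the answer's point concrete, here is an added Python example (it is not from the question, the answer or fail2ban itself) that runs the question's failregex over the three quoted log lines and then over a constructed log in which a second client fails in the same second. It shows that only the smtpd line yields a bannable host, that the plesk_saslauthd line naming the mailbox shares no pid with it, and that a naive "same time window" correlation cannot tell the two clients apart. Assumptions: `%(__prefix_line)s` is expanded to a plain syslog prefix (timestamp, hostname, daemon, pid) rather than the full pattern from common.conf, `<HOST>` is simplified to a named group, and the mid-pattern `(?i)` is written as a scoped `(?i:...)` group so the regex compiles on current Python. The second client (info@other-domain.example, 203.0.113.7) is invented for the demonstration.

```python
import re
from datetime import datetime

# The three lines quoted in the question, verbatim.
QUESTION_LOG = """\
Sep 14 22:00:28 host01 plesk_saslauthd[7633]: failed mail authentication attempt for user 'office@customer-domain.de' (password len=9)
Sep 14 22:00:28 host01 postfix/smtpd[6772]: warning: SASL authentication failure: Password verification failed
Sep 14 22:00:28 host01 postfix/smtpd[6772]: warning: unknown[190.124.18.242]: SASL PLAIN authentication failed: authentication failure
"""

# Constructed log: the same three lines with a second, invented client
# (info@other-domain.example from 203.0.113.7, an RFC 5737 documentation
# address) failing in the same second, as the answer says can happen.
INTERLEAVED_LOG = """\
Sep 14 22:00:28 host01 plesk_saslauthd[7633]: failed mail authentication attempt for user 'office@customer-domain.de' (password len=9)
Sep 14 22:00:28 host01 postfix/smtpd[6772]: warning: SASL authentication failure: Password verification failed
Sep 14 22:00:28 host01 plesk_saslauthd[7633]: failed mail authentication attempt for user 'info@other-domain.example' (password len=12)
Sep 14 22:00:28 host01 postfix/smtpd[6772]: warning: unknown[190.124.18.242]: SASL PLAIN authentication failed: authentication failure
Sep 14 22:00:28 host01 postfix/smtpd[6801]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
"""

# Assumed expansion of %(__prefix_line)s for plain syslog: timestamp, hostname,
# the _daemon value from the question's filter, and the pid.
_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
_DAEMON = r"postfix(?:-\w+)?/(?:submission/|smtps/)?smtp[ds]"
PREFIX_LINE = _TS + r" (?P<hostname>\S+) (?P<daemon>" + _DAEMON + r")\[(?P<pid>\d+)\]: "

# The question's failregex; <HOST> simplified to a named group (fail2ban's own
# <HOST> pattern is broader) and (?i) written as a scoped group.
FAILREGEX = re.compile(
    r"^" + PREFIX_LINE
    + r"warning: [-._\w]+\[(?P<host>[\w.\-:]+)\]: SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
    r" authentication failed(?::[ A-Za-z0-9+/:]*={0,2})?\s*$"
)

# The only line that names the mailbox comes from plesk_saslauthd, not smtpd.
MAILBOX_REGEX = re.compile(
    r"^" + _TS
    + r" (?P<hostname>\S+) plesk_saslauthd\[(?P<pid>\d+)\]: "
    r"failed mail authentication attempt for user '(?P<user>[^']+)'"
)


def _parse_ts(ts):
    # Syslog timestamps carry no year; the 1900 default is fine for differences.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def postfix_failures(log):
    """Apply the filter's failregex line by line; each hit carries a bannable host."""
    hits = []
    for line in log.splitlines():
        m = FAILREGEX.match(line)
        if m:
            hits.append({"ts": _parse_ts(m["ts"]), "pid": int(m["pid"]), "host": m["host"]})
    return hits


def mailbox_failures(log):
    """Find the lines that name the mailbox; none of them carries a client IP."""
    hits = []
    for line in log.splitlines():
        m = MAILBOX_REGEX.match(line)
        if m:
            hits.append({"ts": _parse_ts(m["ts"]), "pid": int(m["pid"]), "user": m["user"]})
    return hits


def pids_ever_link(log):
    """True if a mailbox line shares a pid with an smtpd failure line. It never
    does: plesk_saslauthd and postfix/smtpd are different processes."""
    smtpd_pids = {h["pid"] for h in postfix_failures(log)}
    return any(m["pid"] in smtpd_pids for m in mailbox_failures(log))


def candidate_hosts(log, mailbox, window_seconds=2):
    """Naive correlation: every smtpd failure within the window of a failure for
    `mailbox` is treated as the offender. More than one host in the result means
    the rule cannot tell which client actually tried that mailbox."""
    hosts = set()
    for mb in mailbox_failures(log):
        if mb["user"] != mailbox:
            continue
        for pf in postfix_failures(log):
            if abs((pf["ts"] - mb["ts"]).total_seconds()) <= window_seconds:
                hosts.add(pf["host"])
    return hosts


if __name__ == "__main__":
    for name, log in (("question", QUESTION_LOG), ("interleaved", INTERLEAVED_LOG)):
        print(name, "smtpd failures:", [h["host"] for h in postfix_failures(log)])
        print(name, "mailbox lines:", [m["user"] for m in mailbox_failures(log)])
        print(name, "pid links mailbox to client:", pids_ever_link(log))
        print(name, "hosts a 2s window would ban for office@customer-domain.de:",
              candidate_hosts(log, "office@customer-domain.de"))
```

With only the three quoted lines the window rule happens to pick the right address, which is what makes it tempting; with the interleaved log it returns both clients, so a filter built on it would ban an unrelated user on the first wrong password, which is exactly the collateral damage the question wants to avoid.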