
Add log line for failed authentication attempts #1187

Merged (1 commit), Oct 1, 2020

Conversation

@Jimver (Contributor) commented Aug 25, 2020

This PR fixes #1182. In short, programs such as fail2ban rely on logs with events and IP addresses. This extra log entry makes it much easier to implement a regex for fail2ban.

I'm now working on a proper fail2ban jail configuration; I can commit that too if desired.

@willpower232 (Collaborator)

Even if you just put the fail2ban configuration in here, that will be useful to someone.

@Igcorreia

Small tutorial: first, install fail2ban. Then edit the Fail2Ban jail.local to:

[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true

[postal-smtp]
enabled = true
logpath = /opt/postal/log/smtp_server.log
bantime = 86400
findtime = 86400
maxretry = 3

Now we need to create the postal-smtp filter in /etc/fail2ban/filter.d, named postal-smtp.conf:

# ------------------------
# Custom Postal filter
# Author: Ignacio Correia (@igcorreia) & David Serodio
# PostalHQ
# Version 1.0.0
# ------------------------
# WARN: AUTH failure for ::ffff:(\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)
# ------------------------

[Definition]
failregex = WARN: AUTH failure for ::ffff:<HOST>

ignoreregex = 

To have a persistent ban, create a file called recidive.conf in /etc/fail2ban/jail.d:

# !!! WARNINGS !!! 
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
#    is not at DEBUG level -- which might then cause fail2ban to fall into
#    an infinite loop constantly feeding itself with non-informative lines
# 2. If you increase bantime, you must increase value of dbpurgeage
#    to maintain entries for failed logins for sufficient amount of time.
#    The default is defined in fail2ban.conf and you can override it in fail2ban.local
[recidive]
enabled  = true    ; the stock jail.conf snippet ships with false, which never starts the jail
filter   = recidive
logpath  = /var/log/fail2ban.log
action   = iptables-allports[name=recidive]
           sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 5
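Before relying on the filter above, it is worth checking what the posted failregex actually counts. The following is an added example, not code from the thread, from Postal or from fail2ban: it stands in for fail2ban-regex by expanding <HOST> with a simplified pattern (an assumption; fail2ban's own expansion is more permissive), runs the posted failregex over constructed log lines, and compares it with a generalised variant in which the ::ffff: prefix is optional, so that plain IPv4 and IPv6 clients are counted as well. The thread does not show a sample of the WARN line Postal emits, so the constructed lines assume the literal text the posted filter expects. DEBUG lines of the kind shown later in the thread are included to confirm they are not counted.

```python
import re
from collections import Counter

# Constructed sample log (not from the thread). The WARN lines assume the
# literal text the posted filter expects; the DEBUG line mirrors the kind of
# line Postal already logged and must NOT be counted as a failure.
SAMPLE_LOG = """\
[smtp.1:2224] [2020-09-20T12:35:16.674] DEBUG -- : [QNLLAC] => 535 Invalid credential
[smtp.1:2224] [2020-09-20T12:35:16.675] WARN: AUTH failure for ::ffff:203.0.113.7
[smtp.1:2224] [2020-09-20T12:35:18.268] WARN: AUTH failure for ::ffff:203.0.113.7
[smtp.1:2224] [2020-09-20T12:35:19.001] WARN: AUTH failure for ::ffff:203.0.113.7
[smtp.1:2224] [2020-09-20T12:35:20.500] WARN: AUTH failure for 198.51.100.9
[smtp.1:2224] [2020-09-20T12:35:21.000] WARN: AUTH failure for 2001:db8::1
"""

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the real
# expansion accepts more forms). Captures a dotted IPv4 or a colon-hex IPv6.
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+)"

# The filter exactly as posted in the thread: only IPv4-mapped addresses match.
POSTED_FAILREGEX = r"WARN: AUTH failure for ::ffff:<HOST>"
# Generalisation (not in the thread): the mapped prefix becomes optional, so
# clients that connect over plain IPv4 or IPv6 are counted too.
GENERAL_FAILREGEX = r"WARN: AUTH failure for (?:::ffff:)?<HOST>"


def compile_failregex(failregex):
    """Substitute the <HOST> tag the way fail2ban does, then compile."""
    return re.compile(failregex.replace("<HOST>", HOST))


def count_failures(failregex, log_text):
    """Return a Counter of failed-auth events per extracted host."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)  # fail2ban matches anywhere after the date
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(failures, maxretry):
    """Hosts whose count reaches the jail's maxretry (findtime ignored here)."""
    return sorted(h for h, n in failures.items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in (("posted", POSTED_FAILREGEX), ("general", GENERAL_FAILREGEX)):
        hits = count_failures(rx, SAMPLE_LOG)
        print(name, dict(hits), "ban:", hosts_to_ban(hits, maxretry=3))
```

With the posted filter only 203.0.113.7 is seen (three failures, enough for the jail's maxretry = 3); the generalised filter also sees the plain IPv4 and the IPv6 client. Against a real log the authoritative check is still fail2ban-regex /opt/postal/log/smtp_server.log /etc/fail2ban/filter.d/postal-smtp.conf, which is the first thing to run when "Total failed" in fail2ban-client status stays at 0.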

@sergioloera

(quoting the tutorial from @Igcorreia above)

I followed this and it applied with no problem, but I was tailing the log and wasn't seeing any IPs being banned:
:/etc/fail2ban/filter.d# fail2ban-client status postal-smtp
Status for the jail: postal-smtp
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /opt/postal/log/smtp_server.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
:/etc/fail2ban/filter.d#

[smtp.1:2224] [2020-09-20T12:35:12.825] DEBUG -- : [TOUFKG] Connection opened from ::ffff:212.70.149.20
[smtp.1:2224] [2020-09-20T12:35:12.825] DEBUG -- : [TOUFKG] Client identified as ::ffff:212.70.149.20
[smtp.1:2224] [2020-09-20T12:35:13.798] DEBUG -- : [TOUFKG] <= EHLO User
[smtp.1:2224] [2020-09-20T12:35:13.802] DEBUG -- : [TOUFKG] => 250-My capabilities are
[smtp.1:2224] [2020-09-20T12:35:13.802] DEBUG -- : [TOUFKG] => 250-STARTTLS
[smtp.1:2224] [2020-09-20T12:35:13.802] DEBUG -- : [TOUFKG] => 250 AUTH CRAM-MD5 PLAIN LOGIN
[smtp.1:2224] [2020-09-20T12:35:13.992] DEBUG -- : [QNLLAC] <= AUTH LOGIN
[smtp.1:2224] [2020-09-20T12:35:13.992] DEBUG -- : [QNLLAC] => 334 VXNlcm5hbWU6
[smtp.1:2224] [2020-09-20T12:35:14.939] DEBUG -- : [TOUFKG] <= RSET
[smtp.1:2224] [2020-09-20T12:35:14.940] DEBUG -- : [TOUFKG] => 250 OK
[smtp.1:2224] [2020-09-20T12:35:15.335] DEBUG -- : [QNLLAC] <= cHJvZHVjdHNAbXktaXQuc3VwcG9ydA==
[smtp.1:2224] [2020-09-20T12:35:15.335] DEBUG -- : [QNLLAC] => 334 UGFzc3dvcmQ6
[smtp.1:2224] [2020-09-20T12:35:16.051] DEBUG -- : [TOUFKG] <= AUTH LOGIN
[smtp.1:2224] [2020-09-20T12:35:16.051] DEBUG -- : [TOUFKG] => 334 VXNlcm5hbWU6
[smtp.1:2224] [2020-09-20T12:35:16.671] DEBUG -- : [QNLLAC] <= cHJvZHVjdHM=
[smtp.1:2224] [2020-09-20T12:35:16.674] DEBUG -- : [QNLLAC] => 535 Invalid credential
[smtp.1:2224] [2020-09-20T12:35:17.153] DEBUG -- : [TOUFKG] <= bWFpbDE4QG15LWl0LnN1cHBvcnQ=
[smtp.1:2224] [2020-09-20T12:35:17.153] DEBUG -- : [TOUFKG] => 334 UGFzc3dvcmQ6
[smtp.1:2224] [2020-09-20T12:35:17.976] DEBUG -- : [QNLLAC] <= QUIT
[smtp.1:2224] [2020-09-20T12:35:17.976] DEBUG -- : [QNLLAC] => 221 Closing Connection
[smtp.1:2224] [2020-09-20T12:35:17.976] DEBUG -- : [QNLLAC] Connection closed
[smtp.1:2224] [2020-09-20T12:35:18.108] DEBUG -- : [N5VMAT] Connection opened from ::ffff:212.70.149.20
[smtp.1:2224] [2020-09-20T12:35:18.108] DEBUG -- : [N5VMAT] Client identified as ::ffff:212.70.149.20
[smtp.1:2224] [2020-09-20T12:35:18.266] DEBUG -- : [TOUFKG] <= MTIzNDU=
[smtp.1:2224] [2020-09-20T12:35:18.268] DEBUG -- : [TOUFKG] => 535 Invalid credential
[smtp.1:2224] [2020-09-20T12:35:18.522] DEBUG -- : [Q3T4II] Connection opened from ::ffff:212.70.149.52
[smtp.1:2224] [2020-09-20T12:35:18.522] DEBUG -- : [Q3T4II] Client identified as ::ffff:212.70.149.52
[smtp.1:2224] [2020-09-20T12:35:19.046] DEBUG -- : [N5VMAT] <= EHLO User
[smtp.1:2224] [2020-09-20T12:35:19.052] DEBUG -- : [N5VMAT] => 250-My capabilities are
[smtp.1:2224] [2020-09-20T12:35:19.052] DEBUG -- : [N5VMAT] => 250-STARTTLS
[smtp.1:2224] [2020-09-20T12:35:19.053] DEBUG -- : [N5VMAT] => 250 AUTH CRAM-MD5 PLAIN LOGIN
[smtp.1:2224] [2020-09-20T12:35:19.322] DEBUG -- : [TOUFKG] <= QUIT
[smtp.1:2224] [2020-09-20T12:35:19.322] DEBUG -- : [TOUFKG] => 221 Closing Connection
[smtp.1:2224] [2020-09-20T12:35:19.322] DEBUG -- : [TOUFKG] Connection closed
root@vps258001:/etc/fail2ban/filter.d#
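fail2ban evaluates failregex one line at a time, and the log excerpt above contains no "WARN: AUTH failure" line at all: the 535 reply and the client address sit on different lines, tied together only by the session id in square brackets. That is exactly the gap this PR's single log line closes. As an added example (not from the thread or from Postal), the parser below shows what it takes to attribute those 535 replies to an address without the new line: it joins each "=> 535" reply to the "Connection opened from" line of the same session. The sample lines are constructed in the same layout as the excerpt (addresses replaced with documentation ranges; the line and session-id layout are assumptions based on that excerpt), and one session deliberately has no open line, the case where attribution is impossible.

```python
import re
from collections import Counter

# Constructed sample in the smtp_server.log layout shown above, with client
# addresses replaced by documentation ranges. There is deliberately no
# "WARN: AUTH failure" line, and session ZZZZZZ has no "Connection opened"
# line (it opened before the start of this excerpt).
SAMPLE_LOG = """\
[smtp.1:2224] [2020-09-20T12:35:12.825] DEBUG -- : [TOUFKG] Connection opened from ::ffff:203.0.113.7
[smtp.1:2224] [2020-09-20T12:35:13.990] DEBUG -- : [QNLLAC] Connection opened from ::ffff:203.0.113.7
[smtp.1:2224] [2020-09-20T12:35:13.992] DEBUG -- : [QNLLAC] <= AUTH LOGIN
[smtp.1:2224] [2020-09-20T12:35:16.674] DEBUG -- : [QNLLAC] => 535 Invalid credential
[smtp.1:2224] [2020-09-20T12:35:18.108] DEBUG -- : [N5VMAT] Connection opened from ::ffff:198.51.100.9
[smtp.1:2224] [2020-09-20T12:35:18.268] DEBUG -- : [TOUFKG] => 535 Invalid credential
[smtp.1:2224] [2020-09-20T12:35:19.500] DEBUG -- : [N5VMAT] => 250 OK
[smtp.1:2224] [2020-09-20T12:35:20.000] DEBUG -- : [TOUFKG] => 535 Invalid credential
[smtp.1:2224] [2020-09-20T12:35:21.000] DEBUG -- : [ZZZZZZ] => 535 Invalid credential
"""

# One Postal log line: process tag, timestamp, level, session id, message
# (layout assumed from the excerpt above).
LINE_RE = re.compile(
    r"^\[[^\]]+\] \[[^\]]+\] (?P<level>\w+) -- : \[(?P<sid>[A-Z0-9]+)\] (?P<msg>.*)$"
)
# "Connection opened from" carries the address; drop the IPv4-mapped prefix.
OPEN_RE = re.compile(r"^Connection opened from (?:::ffff:)?(?P<ip>\S+)$")
# A 535 reply is the server rejecting the presented credentials.
FAIL_RE = re.compile(r"^=> 535\b")


def failures_by_ip(log_text):
    """Count 535 replies per client address by joining on the session id.

    Returns (Counter of ip -> failures, number of 535 replies whose session
    has no open line inside the text, so no address can be assigned).
    """
    session_ip = {}
    failures = Counter()
    unattributed = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sid, msg = m.group("sid"), m.group("msg")
        opened = OPEN_RE.match(msg)
        if opened:
            session_ip[sid] = opened.group("ip")
        elif FAIL_RE.match(msg):
            ip = session_ip.get(sid)
            if ip is None:
                unattributed += 1
            else:
                failures[ip] += 1
    return failures, unattributed


def over_threshold(failures, maxretry):
    """Addresses whose count reaches maxretry (the jail above uses 3)."""
    return sorted(ip for ip, n in failures.items() if n >= maxretry)


if __name__ == "__main__":
    counts, missing = failures_by_ip(SAMPLE_LOG)
    print(dict(counts), "unattributed:", missing, "ban:", over_threshold(counts, 3))
```

The two sessions from 203.0.113.7 add up to three rejections, which would meet the jail's maxretry, while the 535 from session ZZZZZZ cannot be attributed at all because its open line is outside the text. A stateful join like this is what a line-oriented failregex cannot do, which is why a single line carrying both the event and the address is the right thing to log.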

@willpower232 (Collaborator)

@sergioloera the configuration is to ban after 5 failed attempts in one day so someone will need to reach that amount of failed attempts before you see any banning

@catphish catphish merged commit 70d9ba6 into postalserver:master Oct 1, 2020
@isnuryusuf

It works for me, thanks.

fail2ban-client status postal-smtp
Status for the jail: postal-smtp
|- Filter
|  |- Currently failed:	7
|  |- Total failed:	403
|  `- File list:	/opt/postal/log/smtp_server.log
`- Actions
   |- Currently banned:	4
   |- Total banned:	4
   `- Banned IP list:	212.70.149.20 212.70.149.83 212.70.149.52 212.70.149.4
Chain f2b-postal-smtp (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    40 REJECT     all  --  *      *       212.70.149.4         0.0.0.0/0            reject-with icmp-port-unreachable
   12   762 REJECT     all  --  *      *       212.70.149.52        0.0.0.0/0            reject-with icmp-port-unreachable
   18  1052 REJECT     all  --  *      *       212.70.149.83        0.0.0.0/0            reject-with icmp-port-unreachable
   12   706 REJECT     all  --  *      *       212.70.149.20        0.0.0.0/0            reject-with icmp-port-unreachable
 2105  244K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0    

@phtmgt commented Jul 18, 2022

Any idea how to use this with the new containerized setup of v2.0?

@maticomba

(quoting @phtmgt) Any idea how to use this with the new containerized setup of v2.0?

Hi, I made a small tutorial on how to achieve this with Ubuntu Server 22.04.1 and Postal v2.11.2.

https://github.com/maticomba/postal-smtp-fail2ban

Successfully merging this pull request may close these issues.

Bruteforce prevention