sharingsunshine asked on

Fail2Ban Regex Problem

I need help with Fail2Ban not catching the "SASL LOGIN authentication failed" lines in this maillog. I am running CentOS 6.4.

Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: warning: unknown[185.222.209.14]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: disconnect from unknown[185.222.209.14]
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21237]: warning: unknown[80.211.189.134]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21237]: disconnect from unknown[80.211.189.134]


Here is the filter for postfix
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
# All patterns belong under a single "failregex =" key, one per continuation
# line; a second "failregex =" key replaces the first instead of adding to it.
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
            reject: RCPT from (.*)\[<HOST>\]: 450 4\.7\.1 : Helo command reject$
            warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =


I know this doesn't work because I ran this test.
[root@ip-172-31-22-236 filter.d]# fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/postfix.conf
Use single line: /var/log/mail.log


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.


Thanks,

Last comment by sharingsunshine, 8/22/2022 (Mon)
noci

Does mail.log contain any records? Does the file exist?
This seems to hint that it doesn't:

Use single line: /var/log/mail.log


If there are missed (non-matched) lines I would expect something at the bottom of the report like this (from one of my systems):

Lines: 72417 lines, 0 ignored, 533 matched, 71884 missed
[processed in 14.32 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 71884 lines

ASKER
sharingsunshine

I am not sure I follow your question. The first entry in this question is a portion of the maillog. Is that sufficient?
noci

The output of your fail2ban-regex run seems to say it could not use this /var/log/mail.log
and is using the literal string.

[root@ip-172-31-22-236 filter.d]# fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/postfix.conf
Use single line: /var/log/mail.log


Results
=======
ASKER
sharingsunshine

Well, you both were close; it should be maillog instead of mail.log. Now when I run the test I get this output.

{removed over a thousand IPs}

Date template hits:
168140 hit(s): MONTH Day Hour:Minute:Second

Success, the total number of match is 28878


Seems to me the regex is too general. Or am I mistaken?
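The following is an added example, not code from this thread or from fail2ban itself. It re-implements in Python what fail2ban-regex does with the postfix.conf filter from the question: the <HOST> tag is expanded with the alias quoted in the filter's own comment block, and the three failregex patterns are run over the log lines from the question plus two constructed lines (a "connect from" line and an RCPT reject for the documentation address 203.0.113.7). It shows that the SASL pattern captures the client address and that the surrounding connect/disconnect lines are not matched, which answers the question of whether the regex is too general. One simplification is assumed: real fail2ban strips the timestamp before matching, while this code searches the whole line; for these patterns, none of which is anchored with ^, the result is the same.

```python
import re
from collections import Counter

# fail2ban's <HOST> alias, exactly as quoted in the comment block of postfix.conf.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The three patterns of the filter, as one failregex with continuation lines.
FAILREGEX = [
    r"reject: RCPT from (.*)\[<HOST>\]: 554",
    r"reject: RCPT from (.*)\[<HOST>\]: 450 4\.7\.1 : Helo command reject$",
    r"warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:",
]

# Sample input: the four lines from the question, plus two constructed lines
# (a "connect from" line and an RCPT reject using the 203.0.113.7 documentation address).
SAMPLE_LOG = [
    "Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: warning: unknown[185.222.209.14]: SASL LOGIN authentication failed: authentication failure",
    "Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: disconnect from unknown[185.222.209.14]",
    "Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21237]: warning: unknown[80.211.189.134]: SASL LOGIN authentication failed: authentication failure",
    "Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21237]: disconnect from unknown[80.211.189.134]",
    # constructed line:
    "Feb 13 09:36:01 ip-172-31-22-236 postfix/smtpd[21240]: connect from unknown[185.222.209.14]",
    # constructed line:
    "Feb 13 09:36:02 ip-172-31-22-236 postfix/smtpd[21240]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <test@example.com>: Relay access denied; from=<a@example.org> to=<test@example.com> proto=ESMTP helo=<example.org>",
]


def compile_failregex(patterns):
    """Expand the <HOST> tag the way fail2ban does and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in patterns]


def match_line(line, compiled):
    """Return the host captured by the first matching pattern, or None.

    fail2ban strips the timestamp before matching; searching the whole line
    gives the same answer here because none of the patterns is anchored with ^.
    """
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def count_failures(lines, patterns=FAILREGEX):
    """Tally matched lines per host and count missed lines, the way the
    'Lines: N lines, ... matched, ... missed' summary of fail2ban-regex does."""
    compiled = compile_failregex(patterns)
    hits = Counter()
    missed = 0
    for line in lines:
        host = match_line(line, compiled)
        if host is None:
            missed += 1
        else:
            hits[host] += 1
    return hits, missed


def summary(lines, patterns=FAILREGEX):
    """One-line summary in the style of the fail2ban-regex report."""
    hits, missed = count_failures(lines, patterns)
    matched = sum(hits.values())
    return f"Lines: {len(lines)} lines, 0 ignored, {matched} matched, {missed} missed"


if __name__ == "__main__":
    hits, missed = count_failures(SAMPLE_LOG)
    for host, n in hits.most_common():
        print(f"{host}: {n} failure(s)")
    print(summary(SAMPLE_LOG))
```

Run stand-alone, it reports one failure each for 185.222.209.14, 80.211.189.134 and 203.0.113.7 and a summary of 3 matched, 3 missed: the two disconnect lines and the constructed connect line are the misses, so the filter is not matching everything, only the reject and SASL-failure lines. To check a filter against a real log the same way, point fail2ban-regex at the actual file (here /var/log/maillog) and compare the matched count with a grep for the same string, as the thread ends up doing.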
ASKER CERTIFIED SOLUTION
noci

ASKER
sharingsunshine

This is what came out, so it looks like it was correct after all.


[root@ip-172-31-22-236 ~]# grep "SASL LOGIN authentication failed:" /var/log/maillog | wc -l
29265

Thanks for your help.