Fail2Ban Regex Problem

Need help with Fail2Ban not catching the "SASL LOGIN authentication failed" in this maillog.  I am running Centos 6.4

Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: warning: unknown[185.222.209.14]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: disconnect from unknown[185.222.209.14]
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21237]: warning: unknown[80.211.189.134]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21237]: disconnect from unknown[80.211.189.134]

Open in new window


Here is the filter for postfix
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
            reject: RCPT from (.*)\[<HOST>\]: 450 4\.7\.1 : Helo command reject$
failregex = warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Open in new window


I know this doesn't work because i ran this test.
[root@ip-172-31-22-236 filter.d]# fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/postfix.conf
Use single line: /var/log/mail.log


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.

Open in new window


Thanks,
sharingsunshineAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

nociSoftware EngineerCommented:
Is mail.log containing any records?, does the file exist?
This seems to hint it doesn't

Use single line: /var/log/mail.log

Open in new window


If there are missed (non-matched) lines i would expect something at the bottom of the report like (on one of my systems):

Lines: 72417 lines, 0 ignored, 533 matched, 71884 missed
[processed in 14.32 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 71884 lines

Open in new window

0
sharingsunshineAuthor Commented:
I am not sure I follow your question?  The first entry in this question is a portion of the maillog.  Is that sufficient?
0
nociSoftware EngineerCommented:
The output in your fail2ban-regex output seems to tell it could not use this /var/log/mail.log.....
and is using the litteral string.

[root@ip-172-31-22-236 filter.d]# fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/postfix.conf
Use single line: /var/log/mail.log


Results
=======
0
Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

sharingsunshineAuthor Commented:
Well you both were close it should be maillog instead of mail.log.  Now when I run the test I get this output.

 {removed over a thousand ip's}

Date template hits:
168140 hit(s): MONTH Day Hour:Minute:Second

Success, the total number of match is 28878

Open in new window


Seems to me the regex is too general.  Or am I mistaking?
0
nociSoftware EngineerCommented:
I would have expected a short list containing each REGEX, with the amount of hits next to them.
The number of hits might be accurate, i mean there might be thousands of hits.
You could count specific REGEX rules by grepping for a constant value  (The <HOST> match is too complex for egrep).
grep "SASL LOGIN authentication failed:" /var/log/maillog | wc -l    should be comparable to the amount reported by fail2ban-regex
(I am running version fail2ban  0.10.0)
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
sharingsunshineAuthor Commented:
This is what came out so looks like it was correct after all


[root@ip-172-31-22-236 ~]# grep "SASL LOGIN authentication failed:" /var/log/maillog | wc -l
29265

Thanks for your help.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux Security

From novice to tech pro — start learning today.