Fail2Ban Regex Problem

sharingsunshine
Need help with Fail2Ban not catching the "SASL LOGIN authentication failed" in this maillog.  I am running Centos 6.4

Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: warning: unknown[185.222.209.14]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: disconnect from unknown[185.222.209.14]
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21237]: warning: unknown[80.211.189.134]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21237]: disconnect from unknown[80.211.189.134]

Here is the filter for postfix
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
# All patterns belong to one failregex option. A second "failregex =" line
# replaces the first one instead of adding to it, so the extra patterns are
# given as indented continuation lines of the single option.
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
            reject: RCPT from (.*)\[<HOST>\]: 450 4\.7\.1 : Helo command reject$
            warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

I know this doesn't work because I ran this test.
[root@ip-172-31-22-236 filter.d]# fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/postfix.conf
Use single line: /var/log/mail.log


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.

Thanks,

noci, Software Engineer
Distinguished Expert 2018

Commented:
Does mail.log contain any records? Does the file exist?
This seems to hint that it doesn't:

Use single line: /var/log/mail.log

If there are missed (non-matched) lines I would expect something at the bottom of the report like (on one of my systems):

Lines: 72417 lines, 0 ignored, 533 matched, 71884 missed
[processed in 14.32 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 71884 lines

Author

Commented:
I am not sure I follow your question?  The first entry in this question is a portion of the maillog.  Is that sufficient?
noci, Software Engineer
Distinguished Expert 2018

Commented:
The output of your fail2ban-regex run seems to say it could not use /var/log/mail.log
and is using the literal string:

[root@ip-172-31-22-236 filter.d]# fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/postfix.conf
Use single line: /var/log/mail.log


Results
=======
Author

Commented:
Well, you both were close: it should be maillog instead of mail.log. Now when I run the test I get this output.

 {removed over a thousand ip's}

Date template hits:
168140 hit(s): MONTH Day Hour:Minute:Second

Success, the total number of match is 28878

Seems to me the regex is too general. Or am I mistaken?
Software Engineer
Distinguished Expert 2018
Commented:
I would have expected a short list containing each REGEX, with the amount of hits next to them.
The number of hits might be accurate, I mean there might be thousands of hits.
You could count specific REGEX rules by grepping for a constant value (the <HOST> match is too complex for egrep).
grep "SASL LOGIN authentication failed:" /var/log/maillog | wc -l    should be comparable to the amount reported by fail2ban-regex
(I am running fail2ban version 0.10.0)
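The per-regex hit list noci describes can be reproduced outside fail2ban. The following is an added example, not code from this thread and not fail2ban's own matcher: it expands the <HOST> tag to the alias documented in the filter header quoted in the question, applies the three failregex patterns (merged into one list, the way a single failregex option with continuation lines would hold them) to the four maillog lines from the question plus two constructed lines, and reports hits per regex, the host captured from each hit, and the lines no pattern matched. The reject line, the IPv6-mapped client address and the function names are assumptions made for the example.

```python
import re

# <HOST> alias, exactly as documented in the postfix filter header in the question.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The three patterns from the question's filter, as one failregex list.
FAILREGEX = [
    r"reject: RCPT from (.*)\[<HOST>\]: 554",
    r"reject: RCPT from (.*)\[<HOST>\]: 450 4\.7\.1 : Helo command reject$",
    r"warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:",
]

# Sample input: the four lines from the question, followed by two constructed
# lines (a 554 reject and an IPv6-mapped client address) that are NOT from the page.
SAMPLE_LOG = """\
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: warning: unknown[185.222.209.14]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: disconnect from unknown[185.222.209.14]
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21237]: warning: unknown[80.211.189.134]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21237]: disconnect from unknown[80.211.189.134]
Feb 13 09:40:01 ip-172-31-22-236 postfix/smtpd[21240]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <b@example.org>: Relay access denied; from=<a@example.com> to=<b@example.org> proto=ESMTP helo=<mail.example.com>
Feb 13 09:41:17 ip-172-31-22-236 postfix/smtpd[21241]: warning: unknown[::ffff:198.51.100.7]: SASL LOGIN authentication failed: authentication failure
"""


def compile_failregex(patterns):
    """Substitute the <HOST> alias into each pattern and compile it."""
    return [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in patterns]


def count_hits(log_text, patterns=FAILREGEX):
    """Apply the patterns to every log line.

    Returns (hits, hosts, missed): hits[i] is the number of lines matched by
    patterns[i]; hosts maps each captured host to its hit count; missed is the
    number of non-empty lines no pattern matched. Like fail2ban, a line is
    credited to the first pattern that matches it.
    """
    compiled = compile_failregex(patterns)
    hits = [0] * len(compiled)
    hosts = {}
    missed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        for i, rx in enumerate(compiled):
            m = rx.search(line)
            if m:
                hits[i] += 1
                host = m.group("host")
                hosts[host] = hosts.get(host, 0) + 1
                break
        else:
            missed += 1
    return hits, hosts, missed


def report(log_text, patterns=FAILREGEX):
    """Render a fail2ban-regex style summary with one line per pattern."""
    hits, hosts, missed = count_hits(log_text, patterns)
    lines = ["Failregex: %d total" % sum(hits)]
    for i, (pattern, n) in enumerate(zip(patterns, hits), start=1):
        lines.append("  %d) [%d] %s" % (i, n, pattern))
    lines.append("Hosts: " + ", ".join("%s (%d)" % kv for kv in sorted(hosts.items())))
    lines.append("Missed lines: %d" % missed)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Running the block prints the hit count beside each pattern, so a rule that never fires (the 450 Helo reject here) is visible at a glance; the two "disconnect from" lines are counted as missed, which is what you want, since they carry no failure.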

Author

Commented:
This is what came out, so it looks like it was correct after all:


[root@ip-172-31-22-236 ~]# grep "SASL LOGIN authentication failed:" /var/log/maillog | wc -l
29265

Thanks for your help.
