Fail2Ban Regex Problem

Need help with Fail2Ban not catching the "SASL LOGIN authentication failed" in this maillog. I am running CentOS 6.4.

Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: warning: unknown[185.222.209.14]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: disconnect from unknown[185.222.209.14]
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21237]: warning: unknown[80.211.189.134]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21237]: disconnect from unknown[80.211.189.134]



Here is the filter for postfix
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
# Note: all patterns must sit under one "failregex =" key as continuation
# lines; a second "failregex =" key replaces the first value instead of
# adding to it, so the 554 and 450 patterns would be silently dropped.
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
            reject: RCPT from (.*)\[<HOST>\]: 450 4\.7\.1 : Helo command reject$
            warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =



I know this doesn't work because I ran this test.
[root@ip-172-31-22-236 filter.d]# fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/postfix.conf
Use single line: /var/log/mail.log


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.



Thanks,
sharingsunshine asked.

noci (Software Engineer) commented:
I would have expected a short list containing each REGEX, with the amount of hits next to them.
The number of hits might be accurate, I mean there might be thousands of hits.
You could count specific REGEX rules by grepping for a constant value (the <HOST> match is too complex for egrep).
grep "SASL LOGIN authentication failed:" /var/log/maillog | wc -l    should be comparable to the amount reported by fail2ban-regex
(I am running version fail2ban 0.10.0)
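As an added example (not code from the thread or from fail2ban itself), here is the posted filter and the grep cross-check replayed in Python over a constructed maillog excerpt. It expands <HOST> exactly as the filter's comment header says, counts hits per pattern the way the answer above wishes fail2ban-regex would, and goes one step further: it parses the filter both as posted (two "failregex =" keys) and with the SASL line folded into the single failregex value, to show that the duplicate key makes the earlier patterns disappear. The [Definition] section header is assumed (the question shows only a fragment of postfix.conf); the log lines are constructed, except the two SASL failures copied from the question; and the patterns are searched against the whole line rather than after fail2ban's date stripping, which makes no difference to these unanchored patterns.

```python
"""Replay a fail2ban filter over sample maillog lines and count hits per pattern.

Added example, not fail2ban's own code.  <HOST> is expanded exactly as the
filter's comment header documents it.  The [Definition] section header is
assumed; the posting shows only a fragment of postfix.conf.
"""
import re
import configparser
from collections import Counter

# fail2ban's <HOST> alias, as quoted in the filter comment header.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The filter as posted: two "failregex =" keys.  A non-strict ConfigParser
# (which is what Python 2's ConfigParser on CentOS 6 does) lets the second
# key overwrite the first, so the 554 and 450 patterns are silently dropped.
POSTED_FILTER = r"""
[Definition]
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
            reject: RCPT from (.*)\[<HOST>\]: 450 4\.7\.1 : Helo command reject$
failregex = warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:
ignoreregex =
"""

# Same filter with the SASL pattern as a third continuation line of the one
# failregex value, so all three patterns survive.
FIXED_FILTER = r"""
[Definition]
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
            reject: RCPT from (.*)\[<HOST>\]: 450 4\.7\.1 : Helo command reject$
            warning: (.*)\[<HOST>\]: SASL LOGIN authentication failed:
ignoreregex =
"""

# Constructed maillog excerpt: the two SASL failures from the question, a
# disconnect line, a SASL failure with a resolved hostname, a 554 relay
# reject, and a malformed warning with no "host[ip]" part (constructed to
# show why a plain grep can over-count).
SAMPLE_LOG = """\
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: warning: unknown[185.222.209.14]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21234]: disconnect from unknown[185.222.209.14]
Feb 13 09:35:42 ip-172-31-22-236 postfix/smtpd[21237]: warning: unknown[80.211.189.134]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:43 ip-172-31-22-236 postfix/smtpd[21240]: warning: mail.example.net[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Feb 13 09:35:44 ip-172-31-22-236 postfix/smtpd[21241]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <spam@example.org>: Relay access denied
Feb 13 09:35:45 ip-172-31-22-236 postfix/smtpd[21242]: warning: SASL LOGIN authentication failed: authentication failure
"""


def load_failregex(conf_text):
    """Return [(raw_pattern, compiled)] for each line of the failregex value."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    patterns = []
    for raw in cp.get("Definition", "failregex").splitlines():
        raw = raw.strip()
        if raw:
            patterns.append((raw, re.compile(raw.replace("<HOST>", HOST_RE))))
    return patterns


def count_hits(patterns, lines):
    """Per-pattern hit counts, the hosts extracted, and lines no pattern matched."""
    hits = Counter()
    hosts = []
    missed = []
    for line in lines:
        for raw, rx in patterns:      # first matching pattern wins, like fail2ban
            m = rx.search(line)
            if m:
                hits[raw] += 1
                hosts.append(m.group("host"))
                break
        else:
            missed.append(line)
    return hits, hosts, missed


def grep_count(lines, needle):
    """What `grep "<needle>" /var/log/maillog | wc -l` would report."""
    return sum(1 for line in lines if needle in line)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for name, text in (("posted", POSTED_FILTER), ("fixed", FIXED_FILTER)):
        pats = load_failregex(text)
        hits, hosts, missed = count_hits(pats, lines)
        print(f"{name}: {len(pats)} pattern(s)")
        for raw, _ in pats:
            print(f"  {hits[raw]:>3}  {raw}")
        print(f"  hosts:  {hosts}")
        print(f"  missed: {len(missed)} line(s)")
    print("grep count:", grep_count(lines, "SASL LOGIN authentication failed:"))
```

The grep figure is an upper bound rather than an exact check: grep counts every line carrying the phrase, while the failregex also insists on the host[ip]: prefix and on extracting a host from it, so a small surplus on the grep side is expected and not a sign that the regex is broken.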
 
noci (Software Engineer) commented:
Does mail.log contain any records? Does the file exist?
This seems to hint that it doesn't:

Use single line: /var/log/mail.log



If there are missed (non-matched) lines I would expect something at the bottom of the report like (on one of my systems):

Lines: 72417 lines, 0 ignored, 533 matched, 71884 missed
[processed in 14.32 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 71884 lines

 
sharingsunshine (Author) commented:
I am not sure I follow your question. The first entry in this question is a portion of the maillog. Is that sufficient?
noci (Software Engineer) commented:
The output in your fail2ban-regex run seems to say that it could not use /var/log/mail.log and is using the literal string instead:

[root@ip-172-31-22-236 filter.d]# fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/postfix.conf
Use single line: /var/log/mail.log


Results
=======

sharingsunshine (Author) commented:
Well, you were close: it should be maillog instead of mail.log. Now when I run the test I get this output.

 {removed over a thousand IPs}

Date template hits:
168140 hit(s): MONTH Day Hour:Minute:Second

Success, the total number of match is 28878



Seems to me the regex is too general. Or am I mistaken?

sharingsunshine (Author) commented:
This is what came out, so it looks like it was correct after all.


[root@ip-172-31-22-236 ~]# grep "SASL LOGIN authentication failed:" /var/log/maillog | wc -l
29265

Thanks for your help.