Many of 'failed mail authentication' in /var/log/maillog

Comments

8 comments

  • Larry Nedry

    Fail2Ban won't work for this issue as the log entry does not include the IP address of the attacker.

  • Konstantin Annikov

    Hello,

    Thank you for bringing our attention to the article.

    In fact, the mentioned log entry is followed by another one from postfix like that: 

    Feb 28 12:49:24 example postfix/smtpd[14640]: warning: unknown[203.0.113.2]: SASL LOGIN authentication failed: authentication failure

    So, fail2ban will work in this case.
    I have edited the article and added the log entry. 

  • Bob B

    Is there a similar article available for the same issue but with proftpd on Linux? My RMM monitoring keeps alerting on a large number of failed logins but Fail2Ban's banned list is very small.

  • Daria Gavrilova

    Hello @Bob B,

    The most probable cause of such behavior is that the Time interval for detection of subsequent attacks is not enough to stop these breach attempts, so the Fail2Ban banned list is very small.

    To solve this issue, please follow these steps:

    1. Log into Plesk;
    2. Go to Tools & Settings > IP Address Banning (Fail2Ban) > Time interval for detection of subsequent attacks and increase this value to the required time span according to the /var/log/messages log file.

    If it does not help, please create a request to Plesk Technical Support: How to submit a request to Plesk support?

  • Alexander Koch (Edited)

    Hi,

    I think there is a big issue with the sasl jail, because we have a lot of lines like this in maillog:

    Jul 31 13:12:40 mx02 postfix/smtpd[31704]: warning: unknown[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
    Jul 31 13:12:41 mx02 postfix/smtpd[31704]: disconnect from unknown[1.2.3.4]

    grep -ri 1.2.3.4 /var/log/maillog | grep warnin | grep -v hostname | wc -l
    669

    This means 669 lines like this: Jul 31 13:12:40 mx02 postfix/smtpd[31704]: warning: unknown[1.2.3.4]: SASL LOGIN authentication failed: authentication failure

    And fail2ban does nothing against this, so I checked the regex from filter.d/plesk-saslauthd.conf and there are only issues:

    fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-sasl.conf

    Running tests
    =============

    Use failregex filter file : postfix-sasl, basedir: /etc/fail2ban
    Use log file : /var/log/maillog
    Use encoding : UTF-8


    Results
    =======

    Failregex: 1865 total
    |- #) [# of hits] regular expression
    | 1) [1865] ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds](?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds](?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?warning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
    `-

    Ignoreregex: 0 total

    Date template hits:
    |- [# of hits] date format
    | [15600] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
    `-

    Lines: 15600 lines, 0 ignored, 1865 matched, 13735 missed
    [processed in 1.51 sec]

    Missed line(s): too many to print. Use --print-all-missed to print all 13735 lines

    So this means it has 1865 matches, but nothing gets blocked. In the Plesk WebUI the filter is activated, but in /etc/fail2ban/jail.d/plesk.conf everything is enabled = false and there is no section with postfix-sasl; only [plesk-xxx] sections exist.

    UPDATE:
    The fail2ban.log shows this:
    fail2ban.filter [1001]: INFO [plesk-postfix] Found 1.2.3.4
    fail2ban.filter [1001]: WARNING Unable to find a corresponding IP address for 1.2.3.4 [Errno -9] Address family for hostname not supported

  • Alisa Kasyanova

    @Alexander Koch

    >>> WARNING Unable to find a corresponding IP address for ...
    You may ignore these warnings, please refer to https://support.plesk.com/hc/en-us/articles/115000065429-Fail2Ban-warning-Address-family-for-hostname-not-supported

    >>> And fail2ban is do nothing against this
    Check the "Tools & Settings > IP Address Banning (Fail2Ban) > Time interval for detection of subsequent attacks" value. If it is quite big, it may not be enough to detect the attack. Check the maillog: how often do these messages appear? Decrease the value accordingly.

  • Alexander Koch (Edited)

    Hi Alisa,

    thanks for the response. The Time Interval was the default 600, so I decreased it to 30, but it didn't help.

    I have a lot of lines like this in the log:

    Aug 2 09:09:39 mx02 postfix/smtpd[14984]: warning: hostname ip-38-50.ZervDNS does not resolve to address 92.118.38.50
    Aug 2 09:09:39 mx02 postfix/smtpd[14984]: connect from unknown[92.118.38.50]
    Aug 2 09:09:39 mx02 plesk_saslauthd[17683]: listen=6, status=5, dbpath='/var/spool/postfix/plesk/passwd.db', keypath='/var/spool/postfix/plesk/passwd_db_key', chroot=0, unprivileged=1
    Aug 2 09:09:39 mx02 plesk_saslauthd[17683]: privileges set to (89:89) (effective 89:89)
    Aug 2 09:09:39 mx02 plesk_saslauthd[17683]: No such user 'stan@domain.com' in mail authorization database
    Aug 2 09:09:39 mx02 plesk_saslauthd[17683]: failed mail authentication attempt for user 'stan@domain.com' (password len=9)
    Aug 2 09:09:39 mx02 postfix/smtpd[14984]: warning: unknown[92.118.38.50]: SASL LOGIN authentication failed: authentication failure
    Aug 2 09:09:39 mx02 postfix/smtpd[14984]: disconnect from unknown[92.118.38.50]

    grep 92.118.38.50 /var/log/maillog | grep 'authentication failed' | wc -l
    444

    Today alone the IP 92.118.38.50 is shown 444 times, and fail2ban isn't working.

    Any ideas?

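Added example, not code from this thread, from Plesk or from fail2ban itself: a small Python replay of the postfix-sasl failregex and of fail2ban's "time interval for detection" (findtime) and maxretry counting over constructed maillog lines. It shows two things the thread circles around: the plesk_saslauthd "failed mail authentication attempt" line carries no client address and can never match on its own, while the following postfix/smtpd "SASL LOGIN authentication failed" line does; and a ban only happens when maxretry failures from one address fall inside one findtime window, so shrinking the window to 30 seconds with the default maxretry of 5 can mean fewer bans rather than more. The regex is a simplified form of the shipped filter (the long optional syslog/journal prefix alternatives are dropped) and the sample log, the IPs aside, is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified form of fail2ban's postfix-sasl failregex (assumption: the long
# optional syslog/journal prefix alternatives of the shipped filter are
# dropped; only the "warning: ...[<HOST>]: SASL ... authentication failed"
# tail is kept). <HOST> is expanded roughly the way fail2ban does it.
HOST = r"(?P<host>(?:::f{4,6}:)?[\w\-.^_]*\w)"
FAILREGEX = re.compile(
    r"warning: [-._\w]+\[" + HOST + r"\]: SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
    r" authentication failed(?::[ A-Za-z0-9+/:]*={0,2})?\s*$"
)
# syslog timestamp at the start of a maillog line, e.g. "Aug  2 09:09:39" (no year)
DATERE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample modelled on the lines quoted in this thread: five failures
# from 1.2.3.4 within about a minute, two from 92.118.38.50 an hour apart, and
# plesk_saslauthd lines that carry no client address at all.
SAMPLE_LOG = """\
Jul 31 13:12:40 mx02 postfix/smtpd[31704]: warning: unknown[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Jul 31 13:12:41 mx02 postfix/smtpd[31704]: disconnect from unknown[1.2.3.4]
Jul 31 13:12:52 mx02 plesk_saslauthd[17683]: No such user 'stan@domain.com' in mail authorization database
Jul 31 13:12:52 mx02 plesk_saslauthd[17683]: failed mail authentication attempt for user 'stan@domain.com' (password len=9)
Jul 31 13:12:52 mx02 postfix/smtpd[31704]: warning: unknown[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Jul 31 13:13:05 mx02 postfix/smtpd[31705]: warning: unknown[1.2.3.4]: SASL PLAIN authentication failed: authentication failure
Jul 31 13:13:20 mx02 postfix/smtpd[31705]: warning: unknown[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Jul 31 13:13:33 mx02 postfix/smtpd[31706]: warning: unknown[1.2.3.4]: SASL LOGIN authentication failed: authentication failure
Jul 31 13:40:00 mx02 postfix/smtpd[31710]: warning: unknown[92.118.38.50]: SASL LOGIN authentication failed: authentication failure
Jul 31 14:40:00 mx02 postfix/smtpd[31720]: warning: unknown[92.118.38.50]: SASL LOGIN authentication failed: authentication failure
""".splitlines()


def parse_line(line):
    """Return (timestamp, host) for a line the failregex matches, or None.

    The plesk_saslauthd 'failed mail authentication attempt' line has no
    address in it, so it returns None; only the postfix/smtpd warning that
    follows it carries the client IP fail2ban needs."""
    m = FAILREGEX.search(line)
    d = DATERE.match(line)
    if not m or not d:
        return None
    ts = datetime.strptime(" ".join(d.group(1).split()), "%b %d %H:%M:%S")
    return ts, m.group("host")


def scan(lines, findtime=600, maxretry=5, bantime=600):
    """Replay the log with fail2ban-style findtime/maxretry counting.

    Returns (matched, missed, bans); bans is a list of (host, timestamp)
    in the order the bans would have been issued."""
    window = defaultdict(deque)   # host -> timestamps of recent failures
    banned_until = {}
    matched = missed = 0
    bans = []
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            missed += 1
            continue
        matched += 1
        ts, host = hit
        if host in banned_until and ts < banned_until[host]:
            continue            # already banned; nothing more to count
        q = window[host]
        q.append(ts)
        # only failures inside the last findtime seconds count
        while q and ts - q[0] > timedelta(seconds=findtime):
            q.popleft()
        if len(q) >= maxretry:
            bans.append((host, ts))
            banned_until[host] = ts + timedelta(seconds=bantime)
            q.clear()
    return matched, missed, bans


if __name__ == "__main__":
    for ft in (600, 30):
        matched, missed, bans = scan(SAMPLE_LOG, findtime=ft)
        print(f"findtime={ft}: matched={matched} missed={missed} "
              f"banned={[h for h, _ in bans]}")
```

With the 600-second default, 1.2.3.4 is banned on its fifth failure; with findtime=30 the same five failures never overlap enough (at most three fall into any 30-second window) and no ban is issued, while 92.118.38.50, with one failure per hour, is never banned at either setting unless maxretry is lowered or findtime widened.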
  • Daria Gavrilova

    Hello @Alexander Koch,

    Thank you for the update.

    To investigate the issue deeper, please create a request to Plesk Technical Support: How to submit a request to Plesk support?
