Fail2ban postfix-sasl banning not working for a newly installed Virtualmin server

Background

It’s important to double check your server security at all times. We have found two instances where Fail2ban Postfix SASL banning on default installations of Virtualmin on Ubuntu servers does not work. It’s troubling because at first glance it appears to be working; only when you dig deeper do you discover that it’s not. The other worrying bit is that Postfix SASL attacks are probably the most common problem on an email server.

Finding the problem is hard because if you look at /var/log/fail2ban.log it appears banning is taking place. But if you look closely you will see the same IP addresses repeating. The other big clue is that in /var/log/mail.log you will see a flurry of activity the whole time.
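The "same IP addresses repeating" clue can be checked mechanically rather than by eye. The script below is an added example, not part of the original article: it reads fail2ban.log ban records (both "Ban" and the "Restore Ban" lines fail2ban writes when it reloads persisted bans at startup) and flags any IP that is banned again in the same jail before its previous ban could have expired. A ban that holds keeps the host out for the whole bantime, so a shorter gap means the firewall action is not actually blocking the traffic. The log lines embedded here are constructed for the demo (two of the IPs appear in the article's own log excerpts, 203.0.113.7 is a documentation address), and the default bantime of 86400 matches the jail.local shown below.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches fail2ban.log ban records. "Restore Ban" lines are written when
# fail2ban reloads its persisted bans at startup; they count as bans too.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\s+\[\d+\]: "
    r"NOTICE\s+\[(?P<jail>[^\]]+)\] (?:Restore )?Ban (?P<ip>\S+)$"
)

# Constructed sample: one IP is banned three times within about half an hour,
# which a working 24h ban should make impossible. The WARNING line is the
# "already banned" message fail2ban logs when a banned host keeps failing.
SAMPLE_LOG = """\
2020-07-13 20:50:04,664 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 212.70.149.35
2020-07-13 20:50:05,521 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.150.94
2020-07-13 21:02:17,102 fail2ban.actions [48288]: NOTICE [postfix-sasl] Ban 46.38.150.94
2020-07-13 21:15:40,318 fail2ban.actions [48288]: NOTICE [postfix-sasl] Ban 46.38.150.94
2020-07-13 21:20:01,005 fail2ban.actions [48288]: NOTICE [sshd] Ban 203.0.113.7
2020-07-13 21:30:33,790 fail2ban.actions [48288]: WARNING [postfix-sasl] 46.38.150.94 already banned
""".splitlines()


def parse_bans(lines):
    """Yield (jail, ip, datetime) for every ban record among the log lines."""
    for line in lines:
        m = BAN_RE.match(line.strip())
        if m:
            yield m["jail"], m["ip"], datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")


def find_rebans(lines, bantime=86400):
    """Return {(jail, ip): [gap_seconds, ...]} for hosts banned again before
    the previous ban (bantime seconds) could have expired. An empty dict means
    every ban held for its full duration, as far as the log can tell."""
    last_seen = {}
    rebans = defaultdict(list)
    for jail, ip, ts in parse_bans(lines):
        key = (jail, ip)
        if key in last_seen:
            gap = (ts - last_seen[key]).total_seconds()
            if gap < bantime:
                rebans[key].append(int(gap))
        last_seen[key] = ts
    return dict(rebans)


def find_rebans_in_file(path="/var/log/fail2ban.log", bantime=86400):
    """Same check over a real fail2ban.log (path is an assumption; adjust
    it and bantime to match your jail.local)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_rebans(fh, bantime)


if __name__ == "__main__":
    for (jail, ip), gaps in find_rebans(SAMPLE_LOG).items():
        print(f"[{jail}] {ip} re-banned {len(gaps)}x inside bantime; gaps: {gaps} s")
```

Run it against the sample to see the shape of the report, then point find_rebans_in_file at the live log. Any jail/IP pair it prints is a ban that did not hold, which is exactly the symptom this article is about; a jail that never appears in the output is either working or not banning at all, which fail2ban-client status postfix-sasl will tell apart.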

The commands that reveal whether the jails actually exist and what is taking place are:

fail2ban-client status

Once you identify the jail, you can then do

fail2ban-client status postfix-sasl

Fail2ban typically relies on two configuration files: jail.local and a filter file named after the jail, e.g. `/etc/fail2ban/filter.d/postfix-sasl.conf`

But be aware that the filter.d file could have a different name if a filter directive has been specified in jail.local.

Here is a typical jail.local

cat /etc/fail2ban/jail.local

...

[postfix-sasl]

enabled = true
port = smtp,465,submission,imap,imaps,pop3,pop3s
maxretry = 2
findtime = 60
bantime = 86400

On fresh Ubuntu 20.04 installations versus fresh Ubuntu 18.04 servers the problems are different. The second part of this article addresses an Ubuntu 18.04 issue where `imap3` instead of imap appears in the jail. For now, on Ubuntu 20.04 this is the solution we implement: a new jail section with the numeral 2 appended to its name:

cat /etc/fail2ban/jail.local

# New aggressive jail, and new pointer to filter
[postfix-sasl2]
enabled = true
port = smtp
filter = postfix-sasl2
logpath = /var/log/mail.log
maxretry = 2

This file of course references the new filter postfix-sasl2, which looks like this:

cat /etc/fail2ban/filter.d/postfix-sasl2.conf

# New filter because Postfix SASL filter does not work
#
# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix/(submission/)?smtp(d|s)
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$
ignoreregex = authentication failed: Connection lost to authentication server$

[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service
ignoreregex =

# Author: Yaroslav Halchenko

Remember to restart fail2ban.
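Before restarting, it is worth confirming what the filter above will and will not match. The real tool for that is fail2ban-regex (e.g. fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-sasl2.conf); the script below is an added example, not part of the article or of fail2ban, that reproduces the filter's logic in plain Python so the behaviour can be seen line by line. It takes the failregex, ignoreregex and _daemon values from the filter as written, with three labelled adjustments: <HOST> is expanded the way fail2ban expands it, the syslog prefix that fail2ban's %(__prefix_line)s covers is replaced by a simplified stand-in, and the mid-pattern (?i) is written in the scoped form (?i:...) because Python 3.11 and later reject a bare (?i) anywhere but the start of a pattern. The mail.log lines are constructed for the demo and include the "Connection lost to authentication server" case that the ignoreregex is there to suppress.

```python
import re

# _daemon from the filter, as a non-capturing group.
DAEMON = r"postfix/(?:submission/)?smtp(?:d|s)"
# fail2ban's expansion of the <HOST> placeholder (optional IPv4-mapped prefix).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Assumed stand-in for %(__prefix_line)s from common.conf: fail2ban strips the
# timestamp itself and its real prefix regex is more general than this one.
TIMESTAMP = re.compile(r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} ")
PREFIX = r"^(?:\S+ )?" + DAEMON + r"\[\d+\]: "

# failregex from the filter; (?i) rewritten as the scoped (?i:...) for Python 3.11+.
FAILREGEX = re.compile(
    PREFIX + r"warning: [-._\w]+\[" + HOST + r"\]: SASL "
    r"((?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)) authentication failed"
    r"(: [ A-Za-z0-9+/:]*={0,2})?\s*$"
)
# ignoreregex from the filter, applied to lines that already matched failregex.
IGNOREREGEX = re.compile(r"authentication failed: Connection lost to authentication server$")

# Constructed mail.log excerpt: two real failures, one failure that the
# ignoreregex suppresses, one connect line and one unrelated dovecot line.
SAMPLE_MAIL_LOG = """\
Jul 13 20:34:58 mail postfix/smtpd[42137]: warning: unknown[46.38.150.94]: SASL LOGIN authentication failed: generic failure
Jul 13 20:35:02 mail postfix/submission/smtpd[42140]: warning: unknown[46.38.150.94]: SASL PLAIN authentication failed: VXNlcm5hbWU6
Jul 13 20:35:09 mail postfix/smtpd[42137]: warning: unknown[212.70.149.35]: SASL LOGIN authentication failed: Connection lost to authentication server
Jul 13 20:35:15 mail postfix/smtpd[42137]: connect from unknown[46.38.150.94]
Jul 13 20:35:20 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<test>, rip=203.0.113.7
""".splitlines()


def classify(line):
    """Return ("match", host), ("ignored", host) or ("no-match", None),
    mirroring how fail2ban evaluates failregex and then ignoreregex."""
    body = TIMESTAMP.sub("", line.strip(), count=1)
    m = FAILREGEX.match(body)
    if not m:
        return ("no-match", None)
    if IGNOREREGEX.search(body):
        return ("ignored", m["host"])
    return ("match", m["host"])


def count_failures(lines):
    """Failures per host that would count towards maxretry."""
    counts = {}
    for line in lines:
        verdict, host = classify(line)
        if verdict == "match":
            counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_MAIL_LOG:
        verdict, host = classify(line)
        print(f"{verdict:8} {host or '-':16} {line[:70]}")
    print("failures per host:", count_failures(SAMPLE_MAIL_LOG))
```

With the jail's maxretry = 2, the sample's 46.38.150.94 would be banned after these two lines, while 212.70.149.35 accrues nothing because its only failure is the backend-lost case the ignoreregex deliberately skips. If a real mail.log line you expect to match comes back as no-match here, compare its daemon name and message text against _daemon and failregex before touching the jail; on the live server the authoritative check remains fail2ban-regex with the actual filter file.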

A reference to where this solution was found is at the end of this article.

Ubuntu 18.04

This section addresses a problem on Ubuntu 18.04 and is very specific to an incorrect imap3 port entry in the jail.

On a newly installed Virtualmin server, when you tail /var/log/mail.log, you might notice repeated attempts to break through your Postfix SASL authentication. This will confuse you because when you browse to the jails, you will see that postfix-sasl appears to be enabled in [auth] mode.

Symptoms

The Fail2ban UI doesn’t show when jails are broken. You have to stop and start the service to see the actual error: service fail2ban restart. At that point lots of messages might scroll up complaining about bans, such as the ones below.

2020-07-13 20:35:18,461 fail2ban.transmitter [42982]: ERROR Jail 'postfix-sasl' skipped, because of wrong configuration: Unable to read the filter 'postfix-sasl'

ERROR Failed to execute ban jail 'postfix-sasl' action 'firewallcmd-ipset' info 'ActionInfo({'ip': '46.38.150.94', 'family': 'inet4', 'ip-rev': '94.150.38.46.', 'ip-host': None, 'fid': '46.38.150.94', 'failures': 13, 'time': 1594664763.3610485, 'matches':
generic failure', 'ipfailures': 3243, 'ipjailfailures': 3243})': Error starting action Jail('postfix-sasl')/firewallcmd-ipset

Solution

The solution is to remove imap3 from the Fail2ban configuration for the postfix-sasl jail. This could be in various places, but look here first:

cat /etc/fail2ban/jail.local

The output should be similar to this:

[postfix-sasl]

enabled = true
port = smtp,465,submission,imap3,imaps,pop3,pop3s
maxretry = 2
findtime = 2
bantime = 86400
filter = postfix

Remove the 3 after imap so that the port entry reads imap.

On a subsequent start of Fail2ban, you should now see your bans taking effect:

2020-07-13 20:50:04,664 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 212.70.149.35
2020-07-13 20:50:05,300 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.145.247
2020-07-13 20:50:05,311 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.145.248
2020-07-13 20:50:05,320 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.145.250
2020-07-13 20:50:05,329 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.145.251
2020-07-13 20:50:05,339 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.145.252
2020-07-13 20:50:05,356 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.145.254
2020-07-13 20:50:05,366 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.145.5
2020-07-13 20:50:05,379 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.148.10
2020-07-13 20:50:05,393 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.148.2
2020-07-13 20:50:05,403 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.148.6
2020-07-13 20:50:05,415 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.150.142
2020-07-13 20:50:05,428 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.150.153
2020-07-13 20:50:05,440 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.150.188
2020-07-13 20:50:05,450 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.150.190
2020-07-13 20:50:05,464 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.150.191
2020-07-13 20:50:05,474 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.150.193
2020-07-13 20:50:05,487 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.150.203
2020-07-13 20:50:05,505 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.150.37
2020-07-13 20:50:05,521 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.150.94

References
