
Unable to block SMTP AUTH failures with fail2ban


Robert S

Jan 27, 2015, 4:43:17 PM
I have been receiving dozens of these messages in my /var/log/auth.log:

Jan 27 19:06:03 myserver saslauthd[2155]: do_auth : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 27 19:06:07 myserver saslauthd[2158]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jan 27 19:06:09 myserver saslauthd[2158]: do_auth : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 27 19:06:13 myserver saslauthd[2157]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jan 27 19:06:15 myserver saslauthd[2157]: do_auth : auth failure: [user=test] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 27 19:06:19 myserver saslauthd[2154]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=admin
Jan 27 19:06:21 myserver saslauthd[2154]: do_auth : auth failure: [user=admin] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Jan 27 19:06:25 myserver saslauthd[2156]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=admin
Jan 27 19:06:27 myserver saslauthd[2156]: do_auth : auth failure: [user=admin] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

Corresponding messages in my syslog look like this:

Jan 28 06:26:45 myserver sm-mta[18977]: t0RJLeYI018977: [46.17.100.149] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 28 06:26:51 myserver sm-mta[18978]: t0RJLkcF018978: [46.17.100.149] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 28 06:26:57 myserver sm-mta[18979]: t0RJLqEu018979: [46.17.100.149] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 28 06:27:03 myserver sm-mta[18980]: t0RJLwBp018980: [46.17.100.149] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 28 06:27:09 myserver sm-mta[18981]: t0RJM4MU018981: [46.17.100.149] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 28 06:27:15 myserver sm-mta[18982]: t0RJMA8J018982: [46.17.100.149] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 28 06:27:21 myserver sm-mta[18983]: t0RJMGCp018983: [46.17.100.149] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 28 06:38:26 myserver sm-mta[18984]: t0RJMMKQ018984: [46.17.100.149] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

I am unable to create a fail2ban rule to block these because the auth.log messages do not contain an IP address.

Relevant configs:

#/etc/mail/sasl/Sendmail.conf.2
pwcheck_method: saslauthd
allowanonymouslogin: 0
allowplaintext: 1
mech_list: EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN

# /etc/mail/sendmail.mc
include(`/etc/mail/sasl/sasl.m4')dnl
define(`confAUTH_OPTIONS', `p,y')dnl

# sendmail -d0.4 -bv root
Version 8.14.4
Compiled with: DNSMAP LDAPMAP LDAP_REFERRALS LOG MAP_REGEX MATCHGECOS
MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX
NEWDB NIS NISPLUS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
TCPWRAPPERS USERDB USE_LDAP_INIT XDEBUG
Canonical name: myserver.mydomain.com
UUCP nodename: myserver.mydomain.com
a.k.a.: www.mydomain.com
a.k.a.: mail.mydomain.com
a.k.a.: mydomain.com
a.k.a.: myserver
a.k.a.: [192.168.0.33]
a.k.a.: [127.0.0.1]

============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = myserver
(canonical domain name) $j = mydomain.com
(subdomain name) $m = mydomain.com
(node name) $k = myserver.mydomain.com
========================================================

robert... deliverable: mailer local, user robert

debian 7.7

I realise that there have been a lot of similar posts, but I've never found a solution. I could block the 'did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA' lines for a large number of attempts, but I'd probably block legitimate traffic.

Is there a way that I can log the IP address in my auth.log? - This would allow me to write a fail2ban filter.

myserver and my domain are, of course, fictional.

Carl Byington

Jan 27, 2015, 6:30:54 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 27 Jan 2015 13:43:15 -0800, Robert S wrote:

> Is there a way that I can log the IP address in my auth.log? - This would
> allow me to write a fail2ban filter.

I see entries like:

Jan 27 11:49:20 host sendmail[10786]: t0RJnKws010786: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=38-106-32-91.infinitelyvirtual.com [38.106.32.91] (may be forged)

with

define(`confLOG_LEVEL', `20')

Those messages might appear at some lower log level also.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEARECAAYFAlTIH30ACgkQL6j7milTFsEcZgCdHkO2qEU+sMqG8dw1HVUicvIa
EWYAnA+IWNfD3j4eeYWUhTuwUuc7Y1EM
=e/BA
-----END PGP SIGNATURE-----

Robert S

Jan 27, 2015, 7:25:23 PM
Sadly that doesn't make any difference:

auth.log:

Jan 28 11:19:24 myserver saslauthd[2156]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=robert
Jan 28 11:19:26 debian saslauthd[2156]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Jan 28 11:19:26 myserver saslauthd[2156]: do_auth : auth failure: [user=robert] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

mail.log:

Jan 28 11:19:24 mydomain sm-mta[26014]: STARTTLS=server, relay=anotherdomain.com.au [59.167.254.44], version=TLSv1/SSLv3, verify=NOT, cipher=AES256-SHA, bits=256/256
Jan 28 11:19:26 mydomain sm-mta[26014]: t0S0JNRS026014: anotherdomain.com.au [59.167.254.44] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Robert S

Jan 27, 2015, 7:37:03 PM
Oops - there's a punctuation error. This works now (log level 10):

define(`confLOG_LEVEL',10)dnl

Many thanks for fixing an old problem :-)
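The thread ends with the sendmail "AUTH failure ... relay=name [ip]" line reaching mail.log once `confLOG_LEVEL` is 10 or higher, which is the line a fail2ban filter can act on. As an added example (not code from the thread or from fail2ban itself), the script below writes the match the way a fail2ban `failregex` is written, with the `<HOST>` placeholder, expands it into a Python pattern, and applies fail2ban's `maxretry`/`findtime` counting to a constructed mail.log sample. The sample lines, queue IDs, hostnames and addresses (documentation ranges 192.0.2.0/24 and 198.51.100.0/24) are constructed; the `<HOST>` expansion is a simplified stand-in for fail2ban's own, and the filter file name is hypothetical.

```python
"""Added example, not code from the thread: a fail2ban-style matcher for the
sendmail "AUTH failure ... relay=host [ip]" line that appears once
confLOG_LEVEL is 10 or higher.  The sample log lines below are constructed;
hostnames and addresses are documentation values, not real clients."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Written like a fail2ban failregex: <HOST> marks where the client address
# sits.  Debian logs sendmail as sm-mta, other builds as sendmail.  The reverse
# DNS name before the bracketed address is optional and "(may be forged)", so
# only the bracketed address is captured.
FAILREGEX = (r"(?:sendmail|sm-mta)\[\d+\]: \w+: AUTH failure \([A-Z0-9-]+\): "
             r".*relay=(?:\S+ )?\[<HOST>\]")

# Simplified stand-in for fail2ban's <HOST> expansion (IPv4 or IPv6 literal).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+)"


def expand_host(failregex: str) -> "re.Pattern[str]":
    """Turn a fail2ban-style failregex into a compiled Python pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_syslog_time(line: str, year: int = 2015) -> datetime:
    """Syslog timestamps carry no year; supply one (the thread is from 2015)."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def find_offenders(lines, failregex=FAILREGEX, maxretry=3, findtime=600):
    """Mimic fail2ban's counting: an address is banned once it has maxretry
    matching failures inside a sliding window of findtime seconds.
    Returns {address: timestamp of the failure that triggered the ban}."""
    pattern = expand_host(failregex)
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        m = pattern.search(line)
        if not m:
            continue  # saslauthd/pam_unix lines carry no address: nothing to ban on
        ip = m.group("host")
        if ip in banned:
            continue
        ts = parse_syslog_time(line)
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:   # drop failures older than findtime
            hits.popleft()
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned


def filter_conf(failregex=FAILREGEX) -> str:
    """Render the regex as the body of a fail2ban filter.d file (hypothetical name)."""
    return f"[Definition]\nfailregex = {failregex}\nignoreregex =\n"


# Constructed sample: one saslauthd line (no address), three AUTH failures
# from 192.0.2.10 inside one window, two from 198.51.100.7 far apart, and the
# unrelated "did not issue MAIL" line the thread warns against banning on.
SAMPLE_LOG = """\
Jan 28 11:19:24 myserver saslauthd[2156]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=robert
Jan 28 11:19:26 myserver sm-mta[26014]: t0S0JNRS026014: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=client.example.net [192.0.2.10] (may be forged)
Jan 28 11:19:40 myserver sm-mta[26015]: t0S0JeAB026015: AUTH failure (PLAIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=[192.0.2.10] (may be forged)
Jan 28 11:19:55 myserver sm-mta[26016]: t0S0JtCD026016: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=client.example.net [192.0.2.10] (may be forged)
Jan 28 11:20:02 myserver sm-mta[26017]: t0S0KBEF026017: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=mail.example.org [198.51.100.7] (may be forged)
Jan 28 11:35:10 myserver sm-mta[26018]: t0S0ZKGH026018: AUTH failure (LOGIN): authentication failure (-13) SASL(-13): authentication failure: checkpass failed, relay=mail.example.org [198.51.100.7] (may be forged)
Jan 28 11:35:12 myserver sm-mta[26018]: t0S0ZKGH026018: mail.example.org [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} (third failure at {when:%H:%M:%S})")
    print(filter_conf(), end="")
```

Two points the sample makes explicit: the saslauthd lines in auth.log never match, because PAM sees an empty `rhost=` and there is no address to ban, so the jail's `logpath` has to be the file sendmail writes to (mail.log in Robert's setup); and only the bracketed address is captured, never the reverse-DNS name, which sendmail itself marks "(may be forged)". The host that fails twice fifteen minutes apart stays unbanned, which is the `findtime` window doing the work that keeps legitimate users who mistype a password occasionally from being locked out. Real fail2ban strips the timestamp before applying `failregex`, so paste the pattern into a filter and check it with `fail2ban-regex` against the live log before enabling the jail.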