
Sam Gann
I think I'm having a problem with the SMTP part of Attack Detector. Checking the mail logs shows a bunch of IPs trying to hack the email server.
Checking the fail2ban logs shows the IPs that are trying to hack the email server; it tries to ban those IPs but then shows an error.

26]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 01:35:41,042 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 01:45:09,110 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 01:54:34,104 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 02:04:00,022 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 02:13:25,322 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 02:22:54,790 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 02:32:23,477 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 02:41:51,906 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 02:46:32,904 fail2ban.filter [2126]: INFO [postfix-sasl] Found 80.82.77.83
2016-12-20 02:51:16,842 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 03:00:45,832 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 03:10:09,802 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 03:19:40,984 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 03:29:05,128 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 03:38:36,840 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 03:48:04,210 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 03:57:39,687 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 04:07:08,204 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 04:16:39,563 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 04:18:55,533 fail2ban.filter [2126]: INFO [postfix-sasl] Found 80.82.77.83
2016-12-20 04:26:04,696 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 04:35:33,684 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 04:45:02,503 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 04:51:03,811 fail2ban.actions [2126]: NOTICE [postfix-sasl] Unban 108.35.48.154
2016-12-20 04:51:03,919 fail2ban.action [2126]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-postfix-sasl[ \t]' -- stdout: ''
2016-12-20 04:51:03,919 fail2ban.action [2126]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-postfix-sasl[ \t]' -- stderr: ''
2016-12-20 04:51:03,919 fail2ban.action [2126]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-postfix-sasl[ \t]' -- returned 1
2016-12-20 04:51:03,920 fail2ban.CommandAction [2126]: ERROR Invariant check failed. Trying to restore a sane environment
2016-12-20 04:51:04,025 fail2ban.action [2126]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -j f2b-postfix-sasl
iptables -w -F f2b-postfix-sasl
iptables -w -X f2b-postfix-sasl -- stdout: ''
2016-12-20 04:51:04,025 fail2ban.action [2126]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -j f2b-postfix-sasl
iptables -w -F f2b-postfix-sasl
iptables -w -X f2b-postfix-sasl -- stderr: "iptables v1.4.21: Couldn't load target `f2b-postfix-sasl':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"
2016-12-20 04:51:04,025 fail2ban.action [2126]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -j f2b-postfix-sasl
iptables -w -F f2b-postfix-sasl
iptables -w -X f2b-postfix-sasl -- returned 1
2016-12-20 04:51:04,025 fail2ban.actions [2126]: ERROR Failed to execute unban jail 'postfix-sasl' action 'iptables-multiport' info '{'matches': u'2016-12-19T04:50:53.412132 gateway.ganncom.com postfix/smtpd[20494]: warning: static-108-35-48-154.nwrknj.fios.verizon.net[108.35.48.154]: SASL LOGIN authentication failed: authentication failure2016-12-19T04:50:55.986579 gateway.ganncom.com postfix/smtpd[20495]: warning: static-108-35-48-154.nwrknj.fios.verizon.net[108.35.48.154]: SASL LOGIN authentication failed: authentication failure2016-12-19T04:50:58.081102 gateway.ganncom.com postfix/smtpd[20455]: warning: static-108-35-48-154.nwrknj.fios.verizon.net[108.35.48.154]: SASL LOGIN authentication failed: authentication failure2016-12-19T04:51:00.752822 gateway.ganncom.com postfix/smtpd[20497]: warning: static-108-35-48-154.nwrknj.fios.verizon.net[108.35.48.154]: SASL LOGIN authentication failed: authentication failure2016-12-19T04:51:02.755586 gateway.ganncom.com postfix/smtpd[20495]: warning: static-108-35-48-154.nwrknj.fios.verizon.net[108.35.48.154]: SASL LOGIN authentication failed: authentication failure', 'ip': '108.35.48.154', 'time': 1482144662.919717, 'failures': 5}': Error stopping action
2016-12-20 04:54:34,937 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 05:04:00,241 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 05:13:32,935 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 05:22:58,196 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 05:32:31,216 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 05:41:58,733 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 05:51:32,822 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 06:01:03,908 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 06:10:42,010 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 06:20:12,182 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 06:29:50,196 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 06:39:22,071 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 06:49:00,114 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 06:58:33,745 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 07:08:14,682 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 07:17:46,535 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 07:27:23,117 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 07:36:57,382 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 07:46:34,066 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125


Here's what the Attack Detector page inside the ClearOS portal has blocked.

Log

IP Address       Rule           Date/Time
108.35.48.154    postfix-sasl   2016-12-19 - 04:51:02

From what I'm seeing the 91.200 IPs should have been banned but they're not.
Anyone else having the same problem? Or how to fix this?
Thanks
Merry Christmas.
Saturday, December 24 2016, 07:30 PM

Accepted Answer

Saturday, December 24 2016, 08:44 PM
Firstly, there is a bug in app-attack-detector which remains unacknowledged, so it is possible that your firewall had restarted at some point and wiped your jails. Anyway, fail2ban (f2b), the underlying package, was restarted at 2016-12-24 12:14:42,429. This normally generates a bunch of errors which can be ignored as it stops. It is worse if the firewall has wiped the f2b chains, but it does not matter. All the chains are reset as f2b restarts, so by 2016-12-24 12:14:49,939 all your jails should have been in place again. Looking at your logs, all your jails are set to trigger after five failures in a 10 minute (600s) period, and in your case your logs fall under this threshold. You can change it globally or per filter if you want; it is up to you.

To change globally you need to create a /etc/fail2ban/jail.local file and add your new default maxretry and/or findtime, perhaps under a section called [DEFAULT]. Look at the jail.conf to get an idea. To change it per-jail, again in the jail.local, add a section header [postfix-sasl] and put your new maxretry and/or findtime there. Reload f2b afterwards.
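To see why the postfix-sasl jail banned 108.35.48.154 but never got to 91.200.12.125, here is an added example (not fail2ban's own code and not part of the original thread) that replays the log lines posted above through a small re-implementation of fail2ban's maxretry/findtime counter. The counting rule it uses (the per-IP counter restarts when a failure arrives more than findtime seconds after the failure that started the count, and the ban fires when the counter reaches maxretry) is my reading of fail2ban 0.9's FailManager and is an assumption to check against your own version. Parsing the postfix/smtpd warning lines as well as the fail2ban "Found" lines goes slightly beyond what the thread shows being read.

```python
"""Replay fail2ban's maxretry/findtime counting over the log lines from this thread.

Added example, not fail2ban's own code. The counting rule is my reading of
fail2ban's FailManager for the 0.9 series (the box above runs v0.9.5): each
IP keeps a retry counter and a last_reset time; a failure arriving more than
findtime seconds after last_reset restarts the count at that failure; the ban
fires as soon as the counter reaches maxretry. Verify against your version.
"""
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# 'Found' lines copied from the fail2ban.log posted in the first message.
FAIL2BAN_LOG = """\
2016-12-20 01:35:41,042 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 01:45:09,110 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 01:54:34,104 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 02:04:00,022 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 02:13:25,322 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 02:22:54,790 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 02:32:23,477 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 02:41:51,906 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 02:46:32,904 fail2ban.filter [2126]: INFO [postfix-sasl] Found 80.82.77.83
2016-12-20 02:51:16,842 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
"""

# The five postfix/smtpd warnings for 108.35.48.154 quoted in the unban error
# message above, split one per line. These are what the postfix-sasl filter
# matches, so the replay accepts them as failures too.
POSTFIX_LOG = """\
2016-12-19T04:50:53.412132 gateway.ganncom.com postfix/smtpd[20494]: warning: static-108-35-48-154.nwrknj.fios.verizon.net[108.35.48.154]: SASL LOGIN authentication failed: authentication failure
2016-12-19T04:50:55.986579 gateway.ganncom.com postfix/smtpd[20495]: warning: static-108-35-48-154.nwrknj.fios.verizon.net[108.35.48.154]: SASL LOGIN authentication failed: authentication failure
2016-12-19T04:50:58.081102 gateway.ganncom.com postfix/smtpd[20455]: warning: static-108-35-48-154.nwrknj.fios.verizon.net[108.35.48.154]: SASL LOGIN authentication failed: authentication failure
2016-12-19T04:51:00.752822 gateway.ganncom.com postfix/smtpd[20497]: warning: static-108-35-48-154.nwrknj.fios.verizon.net[108.35.48.154]: SASL LOGIN authentication failed: authentication failure
2016-12-19T04:51:02.755586 gateway.ganncom.com postfix/smtpd[20495]: warning: static-108-35-48-154.nwrknj.fios.verizon.net[108.35.48.154]: SASL LOGIN authentication failed: authentication failure
"""

FOUND_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+fail2ban\.filter\s+\[\d+\]:\s+INFO\s+"
    r"\[(?P<jail>[^\]]+)\]\s+Found\s+(?P<ip>\S+)$"
)
SASL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\.\d+\s+\S+\s+postfix/smtpd\[\d+\]:\s+warning:\s+"
    r"\S+\[(?P<ip>[0-9a-fA-F.:]+)\]:\s+SASL\s+\S+\s+authentication failed"
)


def parse_failures(lines: Iterable[str]) -> Dict[str, List[datetime]]:
    """Group failure timestamps by source IP, accepting either log format."""
    failures: Dict[str, List[datetime]] = {}
    for line in lines:
        line = line.strip()
        m = FOUND_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        else:
            m = SASL_RE.match(line)
            if not m:
                continue  # not a failure line in either format
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        failures.setdefault(m["ip"], []).append(ts)
    return failures


def replay(times: List[datetime], maxretry: int, findtime: int) -> Tuple[int, Optional[datetime]]:
    """Run the counter over one IP's failures.

    Returns (peak, ban_time): the highest counter value reached and the
    timestamp of the failure that trips the ban, or None if it never does.
    """
    retry, peak, last_reset = 0, 0, None
    for t in sorted(times):
        if last_reset is None or (t - last_reset).total_seconds() > findtime:
            last_reset, retry = t, 0  # gap exceeded findtime: start counting again
        retry += 1
        peak = max(peak, retry)
        if retry >= maxretry:
            return peak, t
    return peak, None


def ban_report(lines: Iterable[str], maxretry: int = 5, findtime: int = 600) -> Dict[str, Optional[str]]:
    """Map each IP to the time it would be banned ('YYYY-MM-DD HH:MM:SS'), or None."""
    report: Dict[str, Optional[str]] = {}
    for ip, times in parse_failures(lines).items():
        _, ban_time = replay(times, maxretry, findtime)
        report[ip] = ban_time.strftime("%Y-%m-%d %H:%M:%S") if ban_time else None
    return report


if __name__ == "__main__":
    lines = FAIL2BAN_LOG.splitlines() + POSTFIX_LOG.splitlines()
    # Defaults from the jail start-up lines above, then two candidate changes.
    for maxretry, findtime in [(5, 600), (3, 600), (5, 3600)]:
        print(f"maxretry={maxretry} findtime={findtime}: {ban_report(lines, maxretry, findtime)}")
```

With the defaults logged at jail start-up (maxretry = 5, findtime = 600), 91.200.12.125 never gets past two counted failures because its probes arrive roughly 9.5 minutes apart, so on these intervals lowering maxretry to 3 in a [postfix-sasl] section of jail.local still would not catch it, while raising findtime (3600 in the replay) bans it on its fifth probe; 108.35.48.154 is banned on its fifth failure at 04:51:02, which is exactly the entry in the Attack Detector log above.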
Responses (2)
  • Sam Gann
    Saturday, December 24 2016, 09:14 PM
    I will check into the jail.local file and try setting the default maxretry to 3 and see what happens.

    Thanks for the reply.

    Merry Christmas.
  • Sam Gann
    Saturday, December 24 2016, 07:54 PM
    Here are some more logs from fail2ban.

    Same IPs (91.200) still not banned.

    2016-12-24 09:46:03,906 fail2ban.filter [2388]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-24 09:55:29,093 fail2ban.filter [2388]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-24 10:04:55,831 fail2ban.filter [2388]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-24 10:14:18,209 fail2ban.filter [2388]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-24 10:23:45,221 fail2ban.filter [2388]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-24 10:30:35,719 fail2ban.filter [2388]: INFO [postfix-sasl] Found 80.82.77.83
    2016-12-24 10:33:10,111 fail2ban.filter [2388]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-24 10:35:23,331 fail2ban.filter [2388]: INFO [postfix-sasl] Found 195.22.126.189
    2016-12-24 10:42:38,876 fail2ban.filter [2388]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-24 10:52:04,747 fail2ban.filter [2388]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-24 11:01:32,891 fail2ban.filter [2388]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-24 11:10:57,444 fail2ban.filter [2388]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-24 11:20:23,320 fail2ban.filter [2388]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-24 11:24:28,181 fail2ban.filter [2388]: INFO [postfix-sasl] Found 80.82.77.83
    2016-12-24 11:29:45,723 fail2ban.filter [2388]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-24 11:39:13,256 fail2ban.filter [2388]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-24 11:48:37,463 fail2ban.filter [2388]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-24 12:14:42,429 fail2ban.server [2388]: INFO Stopping all jails
    2016-12-24 12:14:42,542 fail2ban.action [2388]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -j f2b-postfix-sasl
    iptables -w -F f2b-postfix-sasl
    iptables -w -X f2b-postfix-sasl -- stdout: ''
    2016-12-24 12:14:42,542 fail2ban.action [2388]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -j f2b-postfix-sasl
    iptables -w -F f2b-postfix-sasl
    iptables -w -X f2b-postfix-sasl -- stderr: "iptables v1.4.21: Couldn't load target `f2b-postfix-sasl':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"
    2016-12-24 12:14:42,543 fail2ban.action [2388]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -j f2b-postfix-sasl
    iptables -w -F f2b-postfix-sasl
    iptables -w -X f2b-postfix-sasl -- returned 1
    2016-12-24 12:14:42,543 fail2ban.actions [2388]: ERROR Failed to stop jail 'postfix-sasl' action 'iptables-multiport': Error stopping action
    2016-12-24 12:14:43,368 fail2ban.jail [2388]: INFO Jail 'postfix-sasl' stopped
    2016-12-24 12:14:43,541 fail2ban.action [2388]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
    iptables -w -F f2b-sshd
    iptables -w -X f2b-sshd -- stdout: ''
    2016-12-24 12:14:43,541 fail2ban.action [2388]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
    iptables -w -F f2b-sshd
    iptables -w -X f2b-sshd -- stderr: "iptables v1.4.21: Couldn't load target `f2b-sshd':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"
    2016-12-24 12:14:43,542 fail2ban.action [2388]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
    iptables -w -F f2b-sshd
    iptables -w -X f2b-sshd -- returned 1
    2016-12-24 12:14:43,542 fail2ban.actions [2388]: ERROR Failed to stop jail 'sshd' action 'iptables-multiport': Error stopping action
    2016-12-24 12:14:44,369 fail2ban.jail [2388]: INFO Jail 'sshd' stopped
    2016-12-24 12:14:44,539 fail2ban.action [2388]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd-ddos
    iptables -w -F f2b-sshd-ddos
    iptables -w -X f2b-sshd-ddos -- stdout: ''
    2016-12-24 12:14:44,540 fail2ban.action [2388]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd-ddos
    iptables -w -F f2b-sshd-ddos
    iptables -w -X f2b-sshd-ddos -- stderr: "iptables v1.4.21: Couldn't load target `f2b-sshd-ddos':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"
    2016-12-24 12:14:44,540 fail2ban.action [2388]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd-ddos
    iptables -w -F f2b-sshd-ddos
    iptables -w -X f2b-sshd-ddos -- returned 1
    2016-12-24 12:14:44,540 fail2ban.actions [2388]: ERROR Failed to stop jail 'sshd-ddos' action 'iptables-multiport': Error stopping action
    2016-12-24 12:14:45,371 fail2ban.jail [2388]: INFO Jail 'sshd-ddos' stopped
    2016-12-24 12:14:45,376 fail2ban.server [2388]: INFO Exiting Fail2ban
    2016-12-24 12:14:49,750 fail2ban.server [6221]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.5
    2016-12-24 12:14:49,751 fail2ban.database [6221]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
    2016-12-24 12:14:49,753 fail2ban.jail [6221]: INFO Creating new jail 'sshd'
    2016-12-24 12:14:49,769 fail2ban.jail [6221]: INFO Jail 'sshd' uses systemd
    2016-12-24 12:14:49,790 fail2ban.jail [6221]: INFO Initiated 'systemd' backend
    2016-12-24 12:14:49,792 fail2ban.filter [6221]: INFO Set maxRetry = 5
    2016-12-24 12:14:49,793 fail2ban.actions [6221]: INFO Set banTime = 86400
    2016-12-24 12:14:49,793 fail2ban.filter [6221]: INFO Set findtime = 600
    2016-12-24 12:14:49,794 fail2ban.filter [6221]: INFO Set maxlines = 10
    2016-12-24 12:14:49,874 fail2ban.filtersystemd [6221]: INFO Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
    2016-12-24 12:14:49,885 fail2ban.jail [6221]: INFO Creating new jail 'sshd-ddos'
    2016-12-24 12:14:49,885 fail2ban.jail [6221]: INFO Jail 'sshd-ddos' uses systemd
    2016-12-24 12:14:49,886 fail2ban.jail [6221]: INFO Initiated 'systemd' backend
    2016-12-24 12:14:49,887 fail2ban.filter [6221]: INFO Set maxRetry = 5
    2016-12-24 12:14:49,888 fail2ban.actions [6221]: INFO Set banTime = 86400
    2016-12-24 12:14:49,888 fail2ban.filter [6221]: INFO Set findtime = 600
    2016-12-24 12:14:49,891 fail2ban.filtersystemd [6221]: INFO Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
    2016-12-24 12:14:49,902 fail2ban.jail [6221]: INFO Creating new jail 'postfix-sasl'
    2016-12-24 12:14:49,902 fail2ban.jail [6221]: INFO Jail 'postfix-sasl' uses systemd
    2016-12-24 12:14:49,903 fail2ban.jail [6221]: INFO Initiated 'systemd' backend
    2016-12-24 12:14:49,904 fail2ban.filter [6221]: INFO Set maxRetry = 5
    2016-12-24 12:14:49,905 fail2ban.actions [6221]: INFO Set banTime = 86400
    2016-12-24 12:14:49,906 fail2ban.filter [6221]: INFO Set findtime = 600
    2016-12-24 12:14:49,911 fail2ban.filtersystemd [6221]: INFO Added journal match for: '_SYSTEMD_UNIT=postfix.service'
    2016-12-24 12:14:49,924 fail2ban.jail [6221]: INFO Jail 'sshd' started
    2016-12-24 12:14:49,928 fail2ban.jail [6221]: INFO Jail 'sshd-ddos' started
    2016-12-24 12:14:49,939 fail2ban.jail [6221]: INFO Jail 'postfix-sasl' started
    2016-12-24 12:18:09,078 fail2ban.filter [6221]: INFO [postfix-sasl] Found 80.82.77.83