This thread helped me to install fail2ban from fail2ban-0.8.2-3.el5.rf.noarch.rpm and it is working well to block ssh brute force attacks.

Now I need it to block POP3 brute force attempts. The ClearOS default setup disables the user's account after 5 failed attempts rather than blocking the intruder's IP - very annoying if one has a common user name like paul or office or accounts etc. Snort also does not seem to do anything against these attacks.

From the above thread I have followed Tim's suggestion for modifications to

/etc/fail2ban/jail.conf


[sasl-iptables]

enabled  = true
filter   = sasl
action   = iptables-multiport[name=sasl, port="smtp,pop3", protocol=tcp]
           sendmail-whois[name=sasl, dest=xyz@xyz]
logpath  = /var/log/maillog


/etc/fail2ban/filter.d/sasl.conf


failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed


However, neither the above regex nor the default fail2ban one is able to trigger on the log entries for POP3 attempts. In my maillog the attempts show up as follows:


Mar 4 10:55:53 mail pop3[11365]: badlogin: [186.73.177.66] plaintext zb SASL(-13): authentication failure: checkpass failed
Mar 4 10:56:01 mail pop3[11388]: badlogin: [186.73.177.66] plaintext zb SASL(-13): authentication failure: checkpass failed
Mar 4 10:56:09 mail pop3[11394]: badlogin: [186.73.177.66] plaintext cecilia SASL(-13): authentication failure: checkpass failed
Mar 4 10:56:16 mail pop3[11398]: badlogin: [186.73.177.66] plaintext cecilia SASL(-13): authentication failure: checkpass failed
Mar 4 10:56:21 mail pop3[11399]: badlogin: [186.73.177.66] plaintext plcmspip SASL(-13): authentication failure: checkpass failed
Mar 5 03:22:09 mail pop3[25619]: badlogin: No-RDNS-Record [204.188.217.212] plaintext support SASL(-13): authentication failure: checkpass failed
Mar 5 03:22:13 mail pop3[25619]: badlogin: No-RDNS-Record [204.188.217.212] plaintext spam SASL(-13): authentication failure: checkpass failed
Mar 5 03:22:13 mail pop3[25620]: badlogin: No-RDNS-Record [204.188.217.212] plaintext support SASL(-13): authentication failure: checkpass failed
Mar 5 03:22:13 mail pop3[25621]: badlogin: No-RDNS-Record [204.188.217.212] plaintext help SASL(-13): authentication failure: checkpass failed
Mar 13 05:35:23 mail pop3[23690]: badlogin: [218.19.175.164] plaintext admin@co.tz SASL(-13): authentication failure: checkpass failed
Mar 13 05:35:29 mail pop3[23696]: badlogin: [218.19.175.164] plaintext admin@co.tz SASL(-13): authentication failure: checkpass failed
Mar 13 05:35:35 mail pop3[23697]: badlogin: [218.19.175.164] plaintext admin@co.tz SASL(-13): authentication failure: checkpass failed
Mar 13 05:35:45 mail pop3[23698]: badlogin: [218.19.175.164] plaintext admin@co.tz SASL(-13): authentication failure: checkpass failed
Mar 13 05:35:51 mail pop3[23735]: badlogin: [218.19.175.164] plaintext admin@co.tz SASL(-13): authentication failure: checkpass failed
Mar 13 05:35:57 mail pop3[23759]: badlogin: [218.19.175.164] plaintext support@co.tz SASL(-13): authentication failure: checkpass failed
Mar 13 05:36:03 mail pop3[23761]: badlogin: [218.19.175.164] plaintext webmaster@co.tz SASL(-13): authentication failure: checkpass failed
Mar 13 05:36:09 mail pop3[23770]: badlogin: [218.19.175.164] plaintext test@co.tz SASL(-13): authentication failure: checkpass failed


I have tried fiddling with the regex, changing 'warning:' to 'badlogin:' and various combinations with and without 'failure' and 'failed', but nothing works. Which mainly goes to show that I still have no clue about regexes even after reading through many tutorials!

Can anyone please suggest a regex that should work? Or am I barking up the wrong tree?

Thanks in advance
Paul
Tuesday, March 13 2012, 09:46 AM
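Added example, not part of the original post: a small Python harness that expands fail2ban's `<HOST>` tag the way the 0.8 series does, runs both the thread's sasl.conf regex and a suggested Cyrus pop3d `badlogin:` pattern over sample lines in the format quoted above, and counts failures per host against a maxretry threshold. The `POP3_REGEX` pattern and the sample log lines are assumptions constructed for this example, not a tested fail2ban filter.

```python
import re
from collections import Counter

# fail2ban 0.8.x substitutes this named group for the <HOST> tag before compiling.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The thread's sasl.conf failregex (written for Postfix/SASL "warning:" lines).
THREAD_REGEX = (r"(?i): warning: [-._\w]+\[<HOST>\]: SASL "
                r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed")

# Suggested pattern for Cyrus pop3d "badlogin:" lines (assumption: written for this
# example). "(?:\S+ )?" absorbs the optional No-RDNS-Record token before the bracket.
POP3_REGEX = (r"pop3\[\d+\]: badlogin: (?:\S+ )?\[<HOST>\] \S+ \S+ "
              r"SASL\(-\d+\): authentication failure")

def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))

def count_failures(lines, failregex):
    """Count matching lines per <HOST>, as a jail would before applying maxretry."""
    rx = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits

def hosts_to_ban(hits, maxretry=5):
    """Hosts at or above fail2ban's maxretry (findtime is ignored in this model)."""
    return sorted(h for h, n in hits.items() if n >= maxretry)

# Constructed sample in the format quoted in the post, plus one successful login
# line (also constructed) that must not be counted as a failure.
SAMPLE_LOG = [
    "Mar 4 10:55:53 mail pop3[11365]: badlogin: [186.73.177.66] plaintext zb SASL(-13): authentication failure: checkpass failed",
    "Mar 4 10:56:01 mail pop3[11388]: badlogin: [186.73.177.66] plaintext zb SASL(-13): authentication failure: checkpass failed",
    "Mar 4 10:56:09 mail pop3[11394]: badlogin: [186.73.177.66] plaintext cecilia SASL(-13): authentication failure: checkpass failed",
    "Mar 5 03:22:09 mail pop3[25619]: badlogin: No-RDNS-Record [204.188.217.212] plaintext support SASL(-13): authentication failure: checkpass failed",
    "Mar 5 03:22:13 mail pop3[25619]: badlogin: No-RDNS-Record [204.188.217.212] plaintext spam SASL(-13): authentication failure: checkpass failed",
    "Mar 5 03:30:00 mail pop3[25700]: login: [192.0.2.10] paul plaintext User logged in",
]

if __name__ == "__main__":
    print("thread regex:", dict(count_failures(SAMPLE_LOG, THREAD_REGEX)))
    print("pop3 regex:  ", dict(count_failures(SAMPLE_LOG, POP3_REGEX)))
    print("ban at 3:    ", hosts_to_ban(count_failures(SAMPLE_LOG, POP3_REGEX), 3))
```

The thread's regex matches none of the sample lines, which is the behaviour the post describes; a real filter should also be checked with `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sasl.conf` before enabling the jail.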