Hello,
A small problem with fail2ban. I have an IP that has been generating a Postfix log error almost every minute for days:
fail2ban > grep 212.70.149.71 /var/log/mail.warn
Apr 4 00:00:48 ks307144 postfix/smtps/smtpd[13880]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 4 00:02:28 ks307144 postfix/smtps/smtpd[13880]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 4 00:04:08 ks307144 postfix/smtps/smtpd[13880]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
...
Apr 8 10:10:16 ks307144 postfix/smtps/smtpd[10643]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 8 10:11:55 ks307144 postfix/smtps/smtpd[10643]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 8 10:13:35 ks307144 postfix/smtps/smtpd[10643]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 8 10:15:09 ks307144 postfix/smtps/smtpd[10643]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 8 10:16:50 ks307144 postfix/smtps/smtpd[10643]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 8 10:23:16 ks307144 postfix/smtps/smtpd[10643]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 8 10:24:56 ks307144 postfix/smtps/smtpd[10643]: warning: unknown[212.70.149.71]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Fail2ban declares it banned, but I don't see it, neither in recidive nor in iptables:
fail2ban > date
jeudi 8 avril 2021, 10:25:38 (UTC+0200)
fail2ban > fail2ban-client status postfix-sasl
Status for the jail: postfix-sasl
|- Filter
| |- Currently failed: 0
| |- Total failed: 34018
| `- File list: /var/log/mail.warn
`- Actions
|- Currently banned: 1
|- Total banned: 30
`- Banned IP list: 212.70.149.71
fail2ban > fail2ban-client status recidive|grep 212.70.149.71
fail2ban > iptables -S |grep 212.70.149.71
fail2ban >
The jail.conf configuration:
[DEFAULT]
maxretry = 3
bantime = 3600
findtime = 600
...
[postfix-sasl]
enabled = true
port = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath = /var/log/mail.warn
backend = %(postfix_backend)s
...
[recidive]
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = 14d
findtime = 1d
...
fail2ban > cat filter.d/postfix-sasl.conf
# Fail2Ban filter for postfix authentication failures
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
ignoreregex = authentication failed: Connection lost to authentication server$
[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service
# Author: Yaroslav Halchenko
and fail2ban.log:
...
2021-04-08 10:20:03,027 fail2ban.actions [27312]: WARNING [postfix-sasl] 212.70.149.71 already banned
2021-04-08 10:21:40,574 fail2ban.filter [27312]: INFO [postfix-sasl] Found 212.70.149.71 - 2021-04-08 10:21:40
2021-04-08 10:23:16,705 fail2ban.filter [27312]: INFO [postfix-sasl] Found 212.70.149.71 - 2021-04-08 10:23:16
2021-04-08 10:24:56,041 fail2ban.filter [27312]: INFO [postfix-sasl] Found 212.70.149.71 - 2021-04-08 10:24:56
2021-04-08 10:24:56,614 fail2ban.actions [27312]: WARNING [postfix-sasl] 212.70.149.71 already banned
2021-04-08 10:26:32,374 fail2ban.filter [27312]: INFO [postfix-sasl] Found 212.70.149.71 - 2021-04-08 10:26:32
2021-04-08 10:28:10,508 fail2ban.filter [27312]: INFO [postfix-sasl] Found 212.70.149.71 - 2021-04-08 10:28:10
2021-04-08 10:29:49,845 fail2ban.filter [27312]: INFO [postfix-sasl] Found 212.70.149.71 - 2021-04-08 10:29:49
If someone can point me in the right direction, thanks