Sendername fail2ban and postfix

Hello,

I'm running into a problem with Fail2ban and email notifications.
When a ban is triggered, fail2ban sends an email to my postfix, but the mail is dropped for the following reason:
Sender address rejected: Domain not found

This is expected given the restrictions I set up on my postfix:
smtpd_sender_restrictions =
    reject_non_fqdn_sender
    reject_unknown_sender_domain

According to my postfix logs, the "from" of the mail is not what I configured in fail2ban:

postfix log:
Jun 11 13:18:41 mail postfix/smtpd[1030]: NOQUEUE: reject: RCPT from unknown[192.168.3.1]: 450 4.1.8 <fail2ban@RadiusDnsDhcp>: Sender address rejected: Domain not found; from=<fail2ban@RadiusDnsDhcp> to=remy@mondomain.frr proto=ESMTP helo=

Whereas my jail.conf is configured as follows:

[DEFAULT]
ignoreip = 127.0.0.1/8
ignorecommand =
bantime = 360000
findtime = 600
maxretry = 3
backend = auto
usedns = warn
destemail = remy@mail.mondomain.fr
sendername = fail2ban@radius.mondomain.fr
sender = fail2ban@radius.mondomain.fr
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT
action_ = %(banaction)s[name=%(name)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(name)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(name)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
action_mwl = %(banaction)s[name=%(name)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(name)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
action = %(action_mw)s
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
[dropbear]
enabled = false
port = ssh
filter = dropbear
logpath = /var/log/auth.log
maxretry = 6
[pam-generic]
enabled = false
filter = pam-generic
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6
[xinetd-fail]
enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2
[ssh-ddos]
enabled = false
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6
[ssh-route]
enabled = false
filter = sshd
action = route
logpath = /var/log/sshd.log
maxretry = 6
[ssh-iptables-ipset4]
enabled = false
port = ssh
filter = sshd
banaction = iptables-ipset-proto4
logpath = /var/log/sshd.log
maxretry = 6
[ssh-iptables-ipset6]
enabled = false
port = ssh
filter = sshd
banaction = iptables-ipset-proto6
logpath = /var/log/sshd.log
maxretry = 6
[apache]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/error.log
maxretry = 6
[apache-multiport]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/error.log
maxretry = 6
[apache-noscript]
enabled = false
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/error.log
maxretry = 6
[apache-overflows]
enabled = false
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/error.log
maxretry = 2
[apache-modsecurity]
enabled = false
filter = apache-modsecurity
port = http,https
logpath = /var/log/apache*/error.log
maxretry = 2
[apache-nohome]
enabled = false
filter = apache-nohome
port = http,https
logpath = /var/log/apache*/error.log
maxretry = 2
[php-url-fopen]
enabled = false
port = http,https
filter = php-url-fopen
logpath = /var/www/*/logs/access_log
[lighttpd-fastcgi]
enabled = false
port = http,https
filter = lighttpd-fastcgi
logpath = /var/log/lighttpd/error.log
[lighttpd-auth]
enabled = false
port = http,https
filter = suhosin
logpath = /var/log/lighttpd/error.log
[nginx-http-auth]
enabled = false
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log
[roundcube-auth]
enabled = false
filter = roundcube-auth
port = http,https
logpath = /var/log/roundcube/userlogins
[sogo-auth]
enabled = false
filter = sogo-auth
port = http, https
logpath = /var/log/sogo/sogo.log
[vsftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
maxretry = 6
[proftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
[pure-ftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 6
[wuftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = wuftpd
logpath = /var/log/syslog
maxretry = 6
[postfix]
enabled = false
port = smtp,ssmtp,submission
filter = postfix
logpath = /var/log/mail.log
[couriersmtp]
enabled = false
port = smtp,ssmtp,submission
filter = couriersmtp
logpath = /var/log/mail.log
[courierauth]
enabled = false
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log
[sasl]
enabled = false
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter = postfix-sasl
logpath = /var/log/mail.log
[dovecot]
enabled = false
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log
[mysqld-auth]
enabled = false
filter = mysqld-auth
port = 3306
logpath = /var/log/mysqld.log
[named-refused-tcp]
enabled = false
port = domain,953
protocol = tcp
filter = named-refused
logpath = /var/log/named/security.log
[freeswitch]
enabled = false
filter = freeswitch
logpath = /var/log/freeswitch.log
maxretry = 10
action = iptables-multiport[name=freeswitch-tcp, port="5060,5061,5080,5081", protocol=tcp]
         iptables-multiport[name=freeswitch-udp, port="5060,5061,5080,5081", protocol=udp]
[ejabberd-auth]
enabled = false
filter = ejabberd-auth
port = xmpp-client
protocol = tcp
logpath = /var/log/ejabberd/ejabberd.log
[asterisk-tcp]
enabled = false
filter = asterisk
port = 5060,5061
protocol = tcp
logpath = /var/log/asterisk/messages
[asterisk-udp]
enabled = false
filter = asterisk
port = 5060,5061
protocol = udp
logpath = /var/log/asterisk/messages
[recidive]
enabled = false
filter = recidive
logpath = /var/log/fail2ban.log
action = iptables-allports[name=recidive]
         sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 5
[ssh-blocklist]
enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"]
         blocklist_de[email="%(sender)s", apikey="xxxxxx", service="%(filter)s"]
logpath = /var/log/sshd.log
maxretry = 20
[nagios]
enabled = false
filter = nagios
action = iptables[name=Nagios, port=5666, protocol=tcp]
         sendmail-whois[name=Nagios, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"]
logpath = /var/log/messages ; nrpe.cfg may define a different log_facility
maxretry = 1

Do you have any idea how to change this source domain in fail2ban?

Thanks in advance, feel free to ask if you need more info.
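To triage reject lines like the one quoted in the post, here is an added example (it is not from the thread, nor Postfix or fail2ban code). It parses a Postfix smtpd NOQUEUE reject line into its fields and then approximates the two sender restrictions from the poster's main.cf, `reject_non_fqdn_sender` (the domain part must be a fully qualified name) and `reject_unknown_sender_domain` (the domain must resolve), so that an operator can see from a log line which check a notification sender would trip. The DNS lookup is replaced by a constructed `fake_resolver` and its `KNOWN_DOMAINS` set, and the sample line is the quoted one re-joined, with a made-up recipient and HELO, all of which are assumptions for the demo.

```python
import re
from typing import Callable, List, Optional

# Constructed sample: the reject line quoted in the thread, re-joined onto one line,
# with the recipient and HELO replaced by made-up values.
SAMPLE_LOG = (
    "Jun 11 13:18:41 mail postfix/smtpd[1030]: NOQUEUE: reject: RCPT from unknown[192.168.3.1]: "
    "450 4.1.8 <fail2ban@RadiusDnsDhcp>: Sender address rejected: Domain not found; "
    "from=<fail2ban@RadiusDnsDhcp> to=<admin@example.net> proto=ESMTP helo=<RadiusDnsDhcp>"
)

REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: (?P<stage>\w+) from (?P<client>\S+): "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) <(?P<addr>[^>]*)>: (?P<reason>[^;]+); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
)


def parse_reject(line: str) -> Optional[dict]:
    """Pull the fields out of a Postfix smtpd NOQUEUE reject line; None if it is not one."""
    m = REJECT_RE.search(line)
    return m.groupdict() if m else None


def sender_rejections(addr: str, domain_resolves: Callable[[str], bool]) -> List[str]:
    """Approximate which of the two smtpd_sender_restrictions from the thread would fire on
    MAIL FROM:<addr>. domain_resolves stands in for the MX/A lookup that
    reject_unknown_sender_domain performs."""
    if addr == "":
        return []  # the null sender <> used by bounces is exempt from both checks
    local, sep, domain = addr.rpartition("@")
    hits = []
    if not sep or not local or "." not in domain:
        hits.append("reject_non_fqdn_sender")  # a bare host name such as RadiusDnsDhcp is not an FQDN
    if sep and not domain_resolves(domain):
        hits.append("reject_unknown_sender_domain")
    return hits


# Constructed stand-in for DNS: only the zones the poster's config refers to "exist".
KNOWN_DOMAINS = {"mondomain.fr", "mail.mondomain.fr", "radius.mondomain.fr"}


def fake_resolver(domain: str) -> bool:
    return domain.lower() in KNOWN_DOMAINS


def triage(line: str, domain_resolves: Callable[[str], bool] = fake_resolver) -> Optional[dict]:
    """Parse one log line and annotate it with the sender checks its MAIL FROM would trip."""
    fields = parse_reject(line)
    if fields is None:
        return None
    fields["would_trip"] = sender_rejections(fields["sender"], domain_resolves)
    return fields


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"client={result['client']} code={result['code']} {result['dsn']} sender=<{result['sender']}>")
    print("sender checks tripped:", ", ".join(result["would_trip"]))
    for candidate in ("fail2ban@RadiusDnsDhcp", "fail2ban@radius.mondomain.fr", "fail2ban@nxdomain.invalid", ""):
        print(f"<{candidate}> -> {sender_rejections(candidate, fake_resolver) or 'accepted by sender checks'}")
```

Run against the quoted line, the sender `fail2ban@RadiusDnsDhcp` trips both checks: the domain part is a bare host name, so it is neither fully qualified nor resolvable, and the 450 4.1.8 "Domain not found" in the log is the unknown-domain verdict. The same address with the intended `radius.mondomain.fr` domain passes both, which is the state the notification sender needs to be in before either restriction is relaxed.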

Hello,

Does the address fail2ban@RadiusDnsDhcp ring a bell?
How is your mail-whois.conf file configured?

Hello Joe,

Yes, that's the name of my machine.
Regarding mail-whois.conf:
cat mail-whois.conf | grep -v "#" | sed '/^$/d'
[Definition]
actionstart = printf %%b "Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
actionstop = printf %%b "Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
actioncheck =
actionban = printf %%b "Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here is more information about <ip>:\n
            `whois <ip> || echo missing whois program`\n
            Regards,\n
            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
actionunban =
[Init]
name = default
dest = root

and mail-whois-lines.conf:
cat mail-whois-lines.conf | grep -v "#" | sed '/^$/d'
[Definition]
actionstart = printf %%b "Hi,\n
              The jail <name> has been started successfully.\n
              Regards,\n
              Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
actionstop = printf %%b "Hi,\n
             The jail <name> has been stopped.\n
             Regards,\n
             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
actioncheck =
actionban = printf %%b "Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here is more information about <ip>:\n
            `whois <ip> || echo missing whois program`\n\n
            Lines containing IP:<ip> in <logpath>\n
            `grep '[^0-9]<ip>[^0-9]' <logpath>`\n\n
            Regards,\n
            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
actionunban =
[Init]
name = default
dest = root
logpath = /dev/null
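The action files above show the two substitution layers fail2ban applies: `%(var)s` expansion of jail.conf's `[DEFAULT]` keys, then `<tag>` replacement from the parameters passed in brackets, layered over the action file's `[Init]` defaults. The added example below (my code, not fail2ban's) reproduces that resolution with Python's `configparser`, which is what fail2ban reads its files with, for the `action_mw` mail line quoted in the first post. With `mta = sendmail` that line expands to `sendmail-whois`, and it forwards `sendername` but not `sender`. The action file used here is a cut-down stand-in modelled on the stock 0.8.x sendmail-whois.conf (an assumption, since the thread does not quote it): it hands `<sender>` to `sendmail -f` and `[Init]` defaults it to the bare `fail2ban`, which a submitting MTA completes with its own host name. The `action_mw_fixed` variant, a name of my own, is the same line with `sender="%(sender)s"` added, as the `ssh-blocklist` and `nagios` jails in the quoted config already do; the `[ssh]` section with `name = ssh` stands in for the jail name fail2ban supplies internally.

```python
import configparser
import re

# Constructed excerpt of the jail.conf quoted in the thread: only the [DEFAULT] keys the
# mail action needs, the original action_mw mail line, and action_mw_fixed (my naming)
# which also forwards sender=. fail2ban sets %(name)s itself; [ssh] stands in for that.
JAIL_CONF = """\
[DEFAULT]
destemail = remy@mail.mondomain.fr
sendername = fail2ban@radius.mondomain.fr
sender = fail2ban@radius.mondomain.fr
mta = sendmail
protocol = tcp
chain = INPUT
action_mw = %(mta)s-whois[name=%(name)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
action_mw_fixed = %(mta)s-whois[name=%(name)s, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"]

[ssh]
name = ssh
"""

# Assumed, cut-down action file modelled on the stock 0.8.x sendmail-whois.conf (not quoted
# in the thread): the envelope sender is whatever <sender> resolves to, and [Init] gives it
# the bare default "fail2ban".
SENDMAIL_WHOIS_CONF = """\
[Definition]
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>\\nFrom: <sendername> <<sender>>\\nTo: <dest>\\n\\nThe IP <ip> has just been banned by Fail2Ban.\\n" | /usr/sbin/sendmail -f <sender> <dest>

[Init]
name = default
dest = root
sender = fail2ban
"""

ACTION_RE = re.compile(r"^(?P<name>[^\[\s]+)(?:\[(?P<params>.*)\])?$")
PARAM_RE = re.compile(r'(\w+)=("[^"]*"|[^,]*)')
TAG_RE = re.compile(r"<([a-z_]+)>")


def load(text: str) -> configparser.ConfigParser:
    # fail2ban reads its .conf files with ConfigParser, so %(var)s is expanded here
    # the same way; %% is the escape for a literal %, hence "printf %%b" in the files.
    cfg = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cfg.read_string(text)
    return cfg


def parse_action(spec: str):
    """Split 'actionname[k=v, k="v"]' into the action file name and its parameters."""
    m = ACTION_RE.match(spec.strip())
    if not m:
        raise ValueError(f"not an action spec: {spec!r}")
    params = {k: v.strip().strip('"') for k, v in PARAM_RE.findall(m.group("params") or "")}
    return m.group("name"), params


def substitute_tags(text: str, tags: dict) -> str:
    # <tag> becomes the parameter value; tags only known at ban time, such as <ip>, stay as they are
    return TAG_RE.sub(lambda m: tags.get(m.group(1), m.group(0)), text)


def resolve_action(jail_conf: str, jail: str, option: str, action_conf: str):
    """Return (action name, effective tags, expanded actionban command) the way fail2ban
    would: jail.conf interpolation first, then bracket parameters layered over [Init]."""
    spec = load(jail_conf).get(jail, option)
    action_name, params = parse_action(spec)
    act = load(action_conf)
    tags = dict(act["Init"])  # file defaults, e.g. sender = fail2ban
    tags.update(params)       # overridden by whatever jail.conf passed in brackets
    return action_name, tags, substitute_tags(act.get("Definition", "actionban"), tags)


def envelope_sender(jail_conf: str, jail: str, option: str, action_conf: str) -> str:
    """The address handed to sendmail -f, i.e. what the receiving Postfix sees as MAIL FROM."""
    _, _, cmd = resolve_action(jail_conf, jail, option, action_conf)
    return re.search(r"/usr/sbin/sendmail -f (\S+) ", cmd).group(1)


if __name__ == "__main__":
    for option in ("action_mw", "action_mw_fixed"):
        name, tags, cmd = resolve_action(JAIL_CONF, "ssh", option, SENDMAIL_WHOIS_CONF)
        print(f"{option}: action={name} sender tag={tags['sender']!r}")
        print("  envelope sender ->", envelope_sender(JAIL_CONF, "ssh", option, SENDMAIL_WHOIS_CONF))
```

The point the two runs make is that `sendername` only reaches the `From:` header, while the envelope sender that Postfix's `smtpd_sender_restrictions` evaluate comes from `<sender>`; when jail.conf never forwards it, the action file default wins, and a domain-less local part is what a relaying MTA then turns into `fail2ban@<hostname>`.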