Postfix + Fail2Ban Funktioniert bei mir oder nicht?

[dommi81]

Hallo,

nachdem ich gestern an einen Threat teilnahm in dem es um Postfix als Spamschleudern ging überprüfte ich mal meine logs ob bei mir alles im grünen Bereich ist. Dort fand ich dan folgende Einträge:

mail.log

Nov 13 14:26:55 webinterface pop3d: Disconnected, ip=[::ffff:46.16.247.162]
Nov 13 14:26:55 webinterface pop3d: Connection, ip=[::ffff:46.16.247.162]
Nov 13 14:26:55 webinterface pop3d: LOGIN FAILED, user=george, ip=[::ffff:46.16.247.162]
Nov 13 14:27:01 webinterface pop3d: Disconnected, ip=[::ffff:46.16.247.162]
Nov 13 14:27:04 webinterface pop3d: Connection, ip=[::ffff:46.16.247.162]
Nov 13 14:27:06 webinterface pop3d: LOGIN FAILED, user=testtest, ip=[::ffff:46.16.247.162]
Nov 13 14:27:11 webinterface pop3d: Disconnected, ip=[::ffff:46.16.247.162]
Nov 13 14:27:14 webinterface pop3d: Connection, ip=[::ffff:46.16.247.162]
Nov 13 14:27:14 webinterface pop3d: LOGIN FAILED, user=pamela, ip=[::ffff:46.16.247.162]
Nov 13 14:27:19 webinterface pop3d: Disconnected, ip=[::ffff:46.16.247.162]
Nov 13 14:27:22 webinterface pop3d: Connection, ip=[::ffff:46.16.247.162]
Nov 13 14:27:23 webinterface pop3d: LOGIN FAILED, user=tracy, ip=[::ffff:46.16.247.162]
Nov 13 14:27:28 webinterface pop3d: Disconnected, ip=[::ffff:46.16.247.162]
Nov 13 14:27:28 webinterface pop3d: Connection, ip=[::ffff:46.16.247.162]
Nov 13 14:27:28 webinterface pop3d: LOGIN FAILED, user=student, ip=[::ffff:46.16.247.162]
Nov 13 14:27:33 webinterface pop3d: Connection, ip=[::ffff:46.16.247.162]
Nov 13 14:27:33 webinterface pop3d: LOGIN FAILED, user=james, ip=[::ffff:46.16.247.162]
Nov 13 14:27:33 webinterface pop3d: Disconnected, ip=[::ffff:46.16.247.162]
Nov 13 14:27:38 webinterface pop3d: Disconnected, ip=[::ffff:46.16.247.162]
Nov 13 14:27:42 webinterface pop3d: Connection, ip=[::ffff:46.16.247.162]
Nov 13 14:27:42 webinterface pop3d: LOGIN FAILED, user=oracle, ip=[::ffff:46.16.247.162]
Nov 13 14:27:47 webinterface pop3d: Disconnected, ip=[::ffff:46.16.247.162]
Nov 13 14:27:47 webinterface pop3d: Connection, ip=[::ffff:46.16.247.162]
Nov 13 14:27:49 webinterface pop3d: LOGIN FAILED, user=test1, ip=[::ffff:46.16.247.162]
Nov 13 14:27:54 webinterface pop3d: Disconnected, ip=[::ffff:46.16.247.162]
Nov 13 14:27:57 webinterface pop3d: Connection, ip=[::ffff:46.16.247.162]
Nov 13 14:27:58 webinterface pop3d: LOGIN FAILED, user=ashley, ip=[::ffff:46.16.247.162]
Nov 13 14:28:03 webinterface pop3d: Disconnected, ip=[::ffff:46.16.247.162]
Nov 13 14:28:13 webinterface pop3d: Connection, ip=[::ffff:46.16.247.162]
Nov 13 14:28:13 webinterface pop3d: LOGIN FAILED, user=success, ip=[::ffff:46.16.247.162]
Nov 13 14:28:19 webinterface pop3d: Disconnected, ip=[::ffff:46.16.247.162]
Nov 13 14:28:22 webinterface pop3d: Connection, ip=[::ffff:46.16.247.162]
Nov 13 14:28:22 webinterface pop3d: LOGIN FAILED, user=mark, ip=[::ffff:46.16.247.162]
Nov 13 14:28:28 webinterface pop3d: Connection, ip=[::ffff:46.16.247.162]
Nov 13 14:28:28 webinterface pop3d: Disconnected, ip=[::ffff:46.16.247.162]
Nov 13 14:28:28 webinterface pop3d: LOGIN FAILED, user=ben, ip=[::ffff:46.16.247.162]
Nov 13 14:28:33 webinterface pop3d: Disconnected, ip=[::ffff:46.16.247.162]
Nov 13 14:28:36 webinterface pop3d: Connection, ip=[::ffff:46.16.247.162]
Nov 13 14:28:36 webinterface pop3d: LOGIN FAILED, user=postmaster, ip=[::ffff:46.16.247.162]
Nov 13 14:28:41 webinterface pop3d: Disconnected, ip=[::ffff:46.16.247.162]
Nov 13 14:28:44 webinterface pop3d: Connection, ip=[::ffff:46.16.247.162]
Nov 13 14:28:44 webinterface pop3d: LOGIN FAILED, user=admin, ip=[::ffff:46.16.247.162]
Nov 13 14:28:50 webinterface pop3d: Disconnected, ip=[::ffff:46.16.247.162]

Der Typ/Bot hat das auch schon stunden und tage vorher gemacht und es befinnden sich massig einträge in der Log.
Läuft da was schief, weil ich dachte die IP wird gleich geblockt über fail2ban nach wenigen versuchen.
Habe auch in der Fail2ban log keine Einträge was diese IP betrifft.
Und in der jail.conf steht bei postfix auch kein "retry" und kein "bantime" etc drinnen.
Das einzige was anmuten lässt das der Filter überhaupt funktioniert ist die eMail und Log beim starten/stoppen von fail2ban.

Hier mal meine jail.conf:

# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
#  for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision: 281 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = geheim@geheim.de

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define 
# action_* variables. Can be overriden globally or per 
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
 
# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section 
action = %(action_mwl)s

#
# JAILS
#

# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME] 
# enabled = true

#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]

enabled = true
port	= ssh
filter	= sshd
logpath  = /var/log/auth.log
maxretry = 2

# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]

enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter	= pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port     = anyport
logpath  = /var/log/auth.log
maxretry = 3

[xinetd-fail]

enabled   = false
filter    = xinetd-fail
port      = all
banaction = iptables-multiport-log
logpath   = /var/log/daemon.log
maxretry  = 2


[ssh-ddos]

enabled = true
port    = ssh
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 2

#
# HTTP servers
#

[apache]

enabled = true
port	= http,https
filter	= apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 3

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

enabled   = true
port	  = http,https
filter	  = apache-auth
logpath   = /var/log/apache*/*error.log
maxretry  = 2

[apache-noscript]

enabled = true
port    = http,https
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 2

[apache-overflows]

enabled = true
port    = http,https
filter  = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2

#
# FTP servers
#

[vsftpd]

enabled  = false
port	 = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6


[proftpd]

enabled  = true
port	 = ftp,ftp-data,ftps,ftps-data,221
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 3


[wuftpd]

enabled  = false
port	 = ftp,ftp-data,ftps,ftps-data
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 6


#
# Mail servers
#

[postfix]

enabled  = true
port	 = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log


[couriersmtp]

enabled  = false
port	 = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courierauth]

enabled  = false
port	 = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = courierlogin
logpath  = /var/log/mail.log


[sasl]

enabled  = false
port	 = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
logpath  = /var/log/mail.log


# DNS Servers


# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# }
#
# in your named.conf to provide proper logging

# Word of Caution:
# Given filter can lead to DoS attack against your DNS server
# since there is no way to assure that UDP packets come from the
# real source IP
[named-refused-udp]

enabled  = false
port     = domain,953
protocol = udp
filter   = named-refused
logpath  = /var/log/named/security.log

[named-refused-tcp]

enabled  = false
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/log/named/security.log

Ist das alles in Ordnung so?

MfG
Dominik

 

[Jammy]

Ist es nicht so das man die jail.conf in jail.local umbennen muss?

 

[danton]

Theoretisch sollte auch das Ändern in der jail.conf funktionieren, aber durch die jail.local sind die Änderungen nach einem Update noch vorhanden.
Fail2Ban kann aber nichts sperren, wenn dafür keine Jail aktiviert ist. Die fehlerhaften Logins kommen ja vom Pop3-Daemon und nicht von Postfix. Entsprechend muß auch eine passende Jail existieren und auch aktiviert sein. Ich bin mir jetzt nicht sicher, wie die Regex des courierauth ausschaut, ob die auf die entsprechenden Zeilen paßt.