Fail2ban and Postfix

Deex

Member
I have already read through several other threads on this site about this, but didn't find anything.

My problem is constant login attempts on the server; today alone:
Apr 6 12:34:54 z110 postfix/smtpd[19083]: warning: DSL212-235-31-158.bb.netvision.net.il[212.235.31.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 6 12:34:56 z110 postfix/smtpd[19083]: warning: DSL212-235-31-158.bb.netvision.net.il[212.235.31.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 6 12:34:58 z110 postfix/smtpd[19083]: warning: DSL212-235-31-158.bb.netvision.net.il[212.235.31.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 6 12:35:00 z110 postfix/smtpd[19083]: warning: DSL212-235-31-158.bb.netvision.net.il[212.235.31.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 6 12:35:01 z110 postfix/smtpd[19124]: warning: ::1: address not listed for hostname localhost
Apr 6 12:35:02 z110 postfix/smtpd[19083]: warning: DSL212-235-31-158.bb.netvision.net.il[212.235.31.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 6 12:35:04 z110 postfix/smtpd[19083]: warning: DSL212-235-31-158.bb.netvision.net.il[212.235.31.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 6 12:40:01 z110 postfix/smtpd[19768]: warning: ::1: address not listed for hostname localhost
Apr 6 12:45:01 z110 postfix/smtpd[20394]: warning: ::1: address not listed for hostname localhost
Apr 6 12:45:53 z110 postfix/smtpd[20394]: warning: unknown[195.89.38.162]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 6 12:45:55 z110 postfix/smtpd[20394]: warning: unknown[195.89.38.162]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 6 12:45:57 z110 postfix/smtpd[20394]: warning: unknown[195.89.38.162]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 6 12:50:02 z110 postfix/smtpd[21026]: warning: ::1: address not listed for hostname localhost
Apr 6 12:55:01 z110 postfix/smtpd[21647]: warning: ::1: address not listed for hostname localhost
Apr 6 13:00:02 z110 postfix/smtpd[22265]: warning: ::1: address not listed for hostname localhost
Apr 6 13:05:02 z110 postfix/smtpd[22910]: warning: ::1: address not listed for hostname localhost
Apr 6 13:07:47 z110 postfix/smtpd[23458]: warning: host100-131-static.91-94-b.business.telecomitalia.it[94.91.131.100]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 6 13:07:49 z110 postfix/smtpd[23458]: warning: host100-131-static.91-94-b.business.telecomitalia.it[94.91.131.100]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 6 13:07:51 z110 postfix/smtpd[23458]: warning: host100-131-static.91-94-b.business.telecomitalia.it[94.91.131.100]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 6 13:07:53 z110 postfix/smtpd[23458]: warning: host100-131-static.91-94-b.business.telecomitalia.it[94.91.131.100]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 6 13:07:55 z110 postfix/smtpd[23458]: warning: host100-131-static.91-94-b.business.telecomitalia.it[94.91.131.100]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 6 13:07:57 z110 postfix/smtpd[23458]: warning: host100-131-static.91-94-b.business.telecomitalia.it[94.91.131.100]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 6 13:07:59 z110 postfix/smtpd[23458]: warning: host100-131-static.91-94-b.business.telecomitalia.it[94.91.131.100]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 6 13:10:02 z110 postfix/smtpd[23547]: warning: ::1: address not listed for hostname localhost
Apr 6 13:15:01 z110 postfix/smtpd[24169]: warning: ::1: address not listed for hostname localhost
Apr 6 13:18:51 z110 postfix/smtpd[24741]: warning: unknown[151.12.152.26]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 6 13:18:53 z110 postfix/smtpd[24741]: warning: unknown[151.12.152.26]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 6 13:20:02 z110 postfix/smtpd[24741]: warning: ::1: address not listed for hostname localhost
Apr 6 13:25:01 z110 postfix/smtpd[25411]: warning: ::1: address not listed for hostname localhost
Apr 6 13:30:02 z110 postfix/smtpd[26034]: warning: ::1: address not listed for hostname localhost
Apr 6 13:35:01 z110 postfix/smtpd[26658]: warning: ::1: address not listed for hostname localhost
Apr 6 13:40:01 z110 postfix/smtpd[27284]: warning: ::1: address not listed for hostname localhost
Apr 6 13:41:46 z110 postfix/smtpd[27815]: warning: adsl-072-151-147-148.sip.mem.bellsouth.net[72.151.147.148]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 6 13:41:48 z110 postfix/smtpd[27815]: warning: adsl-072-151-147-148.sip.mem.bellsouth.net[72.151.147.148]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 6 13:41:50 z110 postfix/smtpd[27815]: warning: adsl-072-151-147-148.sip.mem.bellsouth.net[72.151.147.148]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 6 13:45:02 z110 postfix/smtpd[27906]: warning: ::1: address not listed for hostname localhost
Apr 6 13:50:01 z110 postfix/smtpd[28530]: warning: ::1: address not listed for hostname localhost
Apr 6 13:55:02 z110 postfix/smtpd[29154]: warning: ::1: address not listed for hostname localhost
Apr 6 14:00:01 z110 postfix/smtpd[29779]: warning: ::1: address not listed for hostname localhost
Apr 6 14:04:23 z110 postfix/smtpd[30354]: warning: mail.blackmarket.at[213.129.242.61]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 6 14:04:25 z110 postfix/smtpd[30354]: warning: mail.blackmarket.at[213.129.242.61]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 6 14:04:27 z110 postfix/smtpd[30354]: warning: mail.blackmarket.at[213.129.242.61]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Now I wanted to block them with Fail2Ban,
and for this I used sasl.conf in the following version:

# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 510 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# Default
#failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
# Debian Lenny
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

In short, with these settings it finds nothing.

My jail.local looks like this:
[sasl]

enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.log

Does anyone have an idea what the cause could be?
Best regards
 

Brainfood

Member
/etc/fail2ban/filter.d/sasl.conf

Code:
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

You do regex checks like this:


Code:
fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf

syslog / mail.log / mail.warn etc.
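To see why the `$`-anchored regex from the first post misses these lines, and to check a filter offline before touching the jail, here is an added Python check. It is not part of this thread and not fail2ban's own code: it expands the `<HOST>` tag the way the filter's header comment describes and runs the three failregex variants quoted in the thread over a few of the log lines posted above, two of the harmless `::1` warnings (which must not match), and one constructed `SASL PLAIN` line with a TEST-NET address. The trailing `UGFzc3dvcmQ6` in the real lines is base64 for `Password:`, the LOGIN challenge Postfix echoes into the warning, which is why a pattern ending in `failed$` never matches them while the unanchored Lenny line and the revision 728 line do. `maxretry = 3` is an assumption made for the example; `findtime` is not modelled.

```python
import re
from collections import Counter

# fail2ban replaces the <HOST> tag with this group (the alias quoted in the
# filter's own header comment; older releases used [\w\-.^_]+ instead of \S+).
# Substituting it by hand lets the thread's patterns run under plain `re`.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The three failregex variants that appear in the thread, verbatim.
FAILREGEX = {
    # "Default" line (commented out in the first post): anchored on "failed$".
    "default_anchored": (
        r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
        r" authentication failed$"
    ),
    # "Debian Lenny" line from the first post: same pattern without the anchor.
    "lenny_unanchored": (
        r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
        r" authentication failed"
    ),
    # $Revision: 728 $ from the second post: optional ": <base64>" tail, then $.
    "r728": (
        r"(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)"
        r" authentication failed(: [A-Za-z0-9+/]*={0,2})?$"
    ),
}

# Constructed sample: a handful of the lines posted in the thread, two "::1"
# warnings that must NOT match, and one made-up SASL PLAIN line (TEST-NET
# address 203.0.113.7) that has no base64 tail.
SAMPLE_LOG = "\n".join([
    "Apr 6 12:34:54 z110 postfix/smtpd[19083]: warning: DSL212-235-31-158.bb.netvision.net.il[212.235.31.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Apr 6 12:34:56 z110 postfix/smtpd[19083]: warning: DSL212-235-31-158.bb.netvision.net.il[212.235.31.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Apr 6 12:34:58 z110 postfix/smtpd[19083]: warning: DSL212-235-31-158.bb.netvision.net.il[212.235.31.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Apr 6 12:35:00 z110 postfix/smtpd[19083]: warning: DSL212-235-31-158.bb.netvision.net.il[212.235.31.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Apr 6 12:35:01 z110 postfix/smtpd[19124]: warning: ::1: address not listed for hostname localhost",
    "Apr 6 12:40:01 z110 postfix/smtpd[19768]: warning: ::1: address not listed for hostname localhost",
    "Apr 6 12:45:53 z110 postfix/smtpd[20394]: warning: unknown[195.89.38.162]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Apr 6 12:45:55 z110 postfix/smtpd[20394]: warning: unknown[195.89.38.162]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Apr 6 12:45:57 z110 postfix/smtpd[20394]: warning: unknown[195.89.38.162]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Apr 6 13:18:51 z110 postfix/smtpd[24741]: warning: unknown[151.12.152.26]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Apr 6 13:18:53 z110 postfix/smtpd[24741]: warning: unknown[151.12.152.26]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    # constructed line, not from the thread:
    "Apr 6 14:10:00 z110 postfix/smtpd[30400]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed",
])


def compile_failregex(pattern):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(pattern.replace("<HOST>", HOST_ALIAS))


def match_hosts(pattern, log_text):
    """Count matching lines per host, which is what fail2ban tallies per jail."""
    rx = compile_failregex(pattern)
    hits = Counter()
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def banned_hosts(hits, maxretry=3):
    """Hosts that reach maxretry (3 is assumed for this example)."""
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for name, pattern in FAILREGEX.items():
        hits = match_hosts(pattern, SAMPLE_LOG)
        print(f"{name:18s} matched {sum(hits.values()):2d} lines -> {dict(hits)}")
        print(f"{'':18s} would ban: {banned_hosts(hits)}")
```

Running it shows the anchored default matching only the constructed PLAIN line, while the Lenny and revision 728 patterns match every LOGIN failure and would ban the two hosts with three or more attempts. On a live box the equivalent check is the `fail2ban-regex` call quoted above; if that reports zero hits with the unanchored pattern, the regex itself is not the problem and the next things to compare are the `logpath` and the filter file the jail actually loads.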
 