filter.d/postfix.conf: normalized several postfix-filters using parameter `mode` (as discussed in gh-1813);

introduced parameter `mode`: more (default, combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all) replacement for gh-1239, gh-1697, gh-1764; closes gh-1245, gh-1297.
2017-07-10 20:49:28 +02:00 · 2017-07-10 20:49:28 +02:00 · aa92b68d4a
parent 36d42d7f0b
commit aa92b68d4a
8 changed files with 150 additions and 93 deletions
--- a/config/filter.d/postfix-rbl.conf
+++ b/config/filter.d/postfix-rbl.conf
@ -1,19 +0,0 @@
-# Fail2Ban filter for Postfix's RBL based Blocked hosts
-#
-#
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# common.local
-before = common.conf
-
-[Definition]
-
-_daemon = postfix(-\w+)?/smtpd
-
-failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b
-
-ignoreregex =
-
-# Author: Lee Clemens
--- a/config/filter.d/postfix-sasl.conf
+++ b/config/filter.d/postfix-sasl.conf
@ -1,21 +0,0 @@
-# Fail2Ban filter for postfix authentication failures
-#
-
-[INCLUDES]
-
-before = common.conf
-
-[Definition]
-
-_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
-
-failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
-
-ignoreregex = authentication failed: Connection lost to authentication server$
-
-[Init]
-
-journalmatch = _SYSTEMD_UNIT=postfix.service
-
-
-# Author: Yaroslav Halchenko
--- a/config/filter.d/postfix.conf
+++ b/config/filter.d/postfix.conf
@ -13,15 +13,54 @@ before = common.conf
 _daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
 _port = (?::\d+)?

-prefregex = ^%(__prefix_line)s(?:NOQUEUE: reject:|improper command pipelining) <F-CONTENT>.+</F-CONTENT>$
+prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$

-failregex = ^RCPT from [^[]*\[<HOST>\]<_port>: 55[04] 5\.7\.1\s
-            ^RCPT from [^[]*\[<HOST>\]<_port>: 450 4\.7\.1 Client host rejected: cannot find your (reverse )?hostname\b
+mdpr-normal = (?:NOQUEUE: reject:|improper command pipelining after \S+)
+mdre-normal=^RCPT from [^[]*\[<HOST>\]<_port>: 55[04] 5\.7\.1\s
+            ^RCPT from [^[]*\[<HOST>\]<_port>: 45[04] 4\.7\.1 (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
            ^RCPT from [^[]*\[<HOST>\]<_port>: 450 4\.7\.1 (<[^>]*>)?: Helo command rejected: Host not found\b
            ^EHLO from [^[]*\[<HOST>\]<_port>: 504 5\.5\.2 (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
            ^VRFY from [^[]*\[<HOST>\]<_port>: 550 5\.1\.1\s
            ^RCPT from [^[]*\[<HOST>\]<_port>: 450 4\.1\.8 (<[^>]*>)?: Sender address rejected: Domain not found\b
-            ^after \S+ from [^[]*\[<HOST>\]:?
+            ^from [^[]*\[<HOST>\]:?
+
+mdpr-auth = warning:
+mdre-auth = ^[^[]*\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
+mdre-auth2= ^[^[]*\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
+# todo: check/remove "Invalid authentication mechanism" from ignore list, if gh-1243 will get finished (see gh-1297).
+
+# Mode "rbl" currently included in mode "normal", but if needed for jail "postfix-rbl" only:
+mdpr-rbl = %(mdpr-normal)s
+mdre-rbl  = ^RCPT from [^[]*\[<HOST>\]: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b
+
+# Mode "rbl" currently included in mode "normal" (within 1st rule)
+mdpr-more = %(mdpr-normal)s
+mdre-more = %(mdre-normal)s
+
+mdpr-ddos = lost connection after(?! DATA) [A-Z]+
+mdre-ddos = ^from [^[]*\[<HOST>\]:?
+
+mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
+mdre-extra = %(mdre-auth)s
+            %(mdre-normal)s
+
+mdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s)
+mdre-aggressive = %(mdre-auth2)s
+                  %(mdre-normal)s
+
+
+
+failregex = <mdre-<mode>>
+
+# Parameter "mode": more (default combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
+# Usage example (for jail.local):
+#   [postfix]
+#   mode = aggressive
+#   # or another jail (rewrite filter parameters of jail):
+#   [postfix-rbl]
+#   filter = postfix[mode=rbl]
+#
+mode = more

 ignoreregex = 

--- a/config/jail.conf
+++ b/config/jail.conf
@ -533,14 +533,17 @@ backend  = %(syslog_backend)s


 [postfix]
-
-port     = smtp,465,submission
-logpath  = %(postfix_log)s
-backend  = %(postfix_backend)s
+# To use another modes set filter parameter "mode" in jail.local:
+mode    = more
+filter  = postfix[mode=%(mode)s]
+port    = smtp,465,submission
+logpath = %(postfix_log)s
+backend = %(postfix_backend)s


 [postfix-rbl]

+filter   = postfix[mode=rbl]
 port     = smtp,465,submission
 logpath  = %(postfix_log)s
 backend  = %(postfix_backend)s
@ -624,8 +627,9 @@ logpath  = %(syslog_mail)s
 backend  = %(syslog_backend)s


-[postfix-sasl]
+[postfix-auth]

+filter   = postfix[mode=auth]
 port     = smtp,465,submission,imap3,imaps,pop3,pop3s
 # You might consider monitoring /var/log/mail.warn instead if you are
 # running postfix since it would provide the same log lines at the
--- a/fail2ban/server/filter.py
+++ b/fail2ban/server/filter.py
@ -668,16 +668,19 @@ class Filter(JailThread):
 				self.__lineBuffer + [tupleLine[:3]])[-self.__lineBufferSize:]
 		else:
 			orgBuffer = self.__lineBuffer = [tupleLine[:3]]
-		logSys.log(5, "Looking for failregex match of %r", self.__lineBuffer)
+		logSys.log(5, "Looking for match of %r", self.__lineBuffer)

 		# Pre-filter fail regex (if available):
 		preGroups = {}
 		if self.__prefRegex:
+			if logSys.getEffectiveLevel() <= logging.HEAVYDEBUG:
+				logSys.log(5, "  Looking for prefregex %r", self.__prefRegex.getRegex())
 			self.__prefRegex.search(self.__lineBuffer)
 			if not self.__prefRegex.hasMatched():
+				logSys.log(5, "  Prefregex not matched")
 				return failList
 			preGroups = self.__prefRegex.getGroups()
-			logSys.log(7, "Pre-filter matched %s", preGroups)
+			logSys.log(7, "  Pre-filter matched %s", preGroups)
 			repl = preGroups.get('content')
 			# Content replacement:
 			if repl:
@ -686,17 +689,19 @@ class Filter(JailThread):

 		# Iterates over all the regular expressions.
 		for failRegexIndex, failRegex in enumerate(self.__failRegex):
+			if logSys.getEffectiveLevel() <= logging.HEAVYDEBUG:
+				logSys.log(5, "  Looking for failregex %r", failRegex.getRegex())
 			failRegex.search(self.__lineBuffer, orgBuffer)
 			if not failRegex.hasMatched():
 				continue
 			# The failregex matched.
-			logSys.log(7, "Matched %s", failRegex)
+			logSys.log(7, "  Matched %s", failRegex)
 			# Checks if we must ignore this match.
 			if self.ignoreLine(failRegex.getMatchedTupleLines()) \
 					is not None:
 				# The ignoreregex matched. Remove ignored match.
 				self.__lineBuffer = failRegex.getUnmatchedTupleLines()
-				logSys.log(7, "Matched ignoreregex and was ignored")
+				logSys.log(7, "  Matched ignoreregex and was ignored")
 				if not self.checkAllRegex:
 					break
 				else:
--- a/fail2ban/tests/files/logs/postfix
+++ b/fail2ban/tests/files/logs/postfix
@ -1,3 +1,5 @@
+# filterOptions: [{}, {"mode": "normal"}, {"mode": "aggressive"}]
+
 # per https://github.com/fail2ban/fail2ban/issues/125
 # and https://github.com/fail2ban/fail2ban/issues/126
 # failJSON: { "time": "2005-02-21T09:21:54", "match": true , "host": "192.0.43.10" }
@ -45,5 +47,92 @@ Jun 12 08:58:35 xxx postfix/smtpd[2931]: NOQUEUE: reject: RCPT from unknown[1.2.
 # failJSON: { "time": "2005-06-12T08:58:35", "match": true , "host": "1.2.3.4" }
 Jun 12 08:58:35 xxx postfix/smtpd[13533]: improper command pipelining after AUTH from unknown[1.2.3.4]: QUIT

+# ---------------------------------------
+# Test-cases of postfix-postscreen:
+# ---------------------------------------
+
 # failJSON: { "time": "2005-05-05T15:51:11", "match": true , "host": "216.245.194.173", "desc": "postfix postscreen / gh-1764" }
 May  5 15:51:11 xxx postfix/postscreen[1148]: NOQUEUE: reject: RCPT from [216.245.194.173]:60591: 550 5.7.1 Service unavailable; client [216.245.194.173] blocked using rbl.example.com; from=<spammer@example.com>, to=<goodguy@example.com>, proto=ESMTP, helo=<badguy.example.com>
+
+# ---------------------------------------
+# Test-cases of postfix-rbl:
+# ---------------------------------------
+# filterOptions: [{}, {"mode": "rbl"}, {"mode": "aggressive"}]
+
+# failJSON: { "time": "2004-12-30T18:19:15", "match": true , "host": "93.184.216.34" }
+Dec 30 18:19:15 xxx postfix/smtpd[1574]: NOQUEUE: reject: RCPT from badguy.example.com[93.184.216.34]: 454 4.7.1 Service unavailable; Client host [93.184.216.34] blocked using rbl.example.com; http://www.example.com/query?ip=93.184.216.34; from=<spammer@example.com> to=<goodguy@example.com> proto=ESMTP helo=<badguy.example.com>
+
+# failJSON: { "time": "2004-12-30T18:19:15", "match": true , "host": "93.184.216.34" }
+Dec 30 18:19:15 xxx postfix-incoming/smtpd[1574]: NOQUEUE: reject: RCPT from badguy.example.com[93.184.216.34]: 454 4.7.1 Service unavailable; Client host [93.184.216.34] blocked using rbl.example.com; http://www.example.com/query?ip=93.184.216.34; from=<spammer@example.com> to=<goodguy@example.com> proto=ESMTP helo=<badguy.example.com>
+
+# failJSON: { "time": "2005-02-07T12:25:45", "match": true , "host": "87.236.233.182" }
+Feb  7 12:25:45 xxx12345 postfix/smtpd[13275]: NOQUEUE: reject: RCPT from unknown[87.236.233.182]: 554 5.7.1 Service unavailable; Client host [87.236.233.182] blocked using rbl.example.com; https://www.example.com/query/ip/87.236.233.182; from=<spammer@example.com> to=<goodguy@example.com> proto=SMTP helo=<WIN-5N8GBBS0R5I>
+
+# ---------------------------------------
+# Test-cases of postfix-sasl:
+# ---------------------------------------
+# filterOptions: [{"mode": "auth"}, {"mode": "aggressive"}]
+
+#1 Example from postfix from dbts #507990
+# failJSON: { "time": "2004-12-02T22:24:22", "match": true , "host": "114.44.142.233" }
+Dec  2 22:24:22 hel postfix/smtpd[7676]: warning: 114-44-142-233.dynamic.hinet.net[114.44.142.233]: SASL CRAM-MD5 authentication failed: PDc3OTEwNTkyNTEyMzA2NDIuMTIyODI1MzA2MUBoZWw+
+#2 Example from postfix from dbts #573314
+# failJSON: { "time": "2005-03-10T13:33:30", "match": true , "host": "1.1.1.1" }
+Mar 10 13:33:30 gandalf postfix/smtpd[3937]: warning: HOSTNAME[1.1.1.1]: SASL LOGIN authentication failed: authentication failure
+
+#3 Example from postfix post-debian changes to rename to add "submission" to syslog name
+# failJSON: { "time": "2004-09-06T00:44:56", "match": true , "host": "82.221.106.233" }
+Sep  6 00:44:56 trianon postfix/submission/smtpd[11538]: warning: unknown[82.221.106.233]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
+
+#4 Example from postfix post-debian changes to rename to add "submission" to syslog name + downcase
+# failJSON: { "time": "2004-09-06T00:44:57", "match": true , "host": "82.221.106.233" }
+Sep  6 00:44:57 trianon postfix/submission/smtpd[11538]: warning: unknown[82.221.106.233]: SASL login authentication failed: UGFzc3dvcmQ6
+
+#5 Example to add :
+# failJSON: { "time": "2005-01-29T08:11:45", "match": true , "host": "1.1.1.1" }
+Jan 29 08:11:45 mail postfix/smtpd[10752]: warning: unknown[1.1.1.1]: SASL LOGIN authentication failed: Password:
+
+# failJSON: { "time": "2005-01-29T08:11:45", "match": true , "host": "1.1.1.1" }
+Jan 29 08:11:45 mail postfix-incoming/smtpd[10752]: warning: unknown[1.1.1.1]: SASL LOGIN authentication failed: Password:
+
+# failJSON: { "time": "2005-04-12T02:24:11", "match": true , "host": "62.138.2.143" }
+Apr 12 02:24:11 xxx postfix/smtps/smtpd[42]: warning: astra4139.startdedicated.de[62.138.2.143]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
+
+# failJSON: { "time": "2005-08-03T15:30:49", "match": true , "host": "98.191.84.74" }
+Aug 3 15:30:49 ksusha postfix/smtpd[17041]: warning: mail.foldsandwalker.com[98.191.84.74]: SASL Plain authentication failed:
+
+# failJSON: { "time": "2004-11-04T09:11:01", "match": true , "host": "192.0.2.150", "desc": "without reason for fail, see gh-1245" }
+Nov  4 09:11:01 mail postfix/submission/smtpd[27133]: warning: unknown[192.0.2.150]: SASL PLAIN authentication failed:
+
+#6 Example to ignore because due to a failed attempt to connect to authentication service - no malicious activities whatsoever
+# failJSON: { "match": false }
+Feb  3 08:29:28 mail postfix/smtpd[21022]: warning: unknown[1.1.1.1]: SASL LOGIN authentication failed: Connection lost to authentication server
+
+# filterOptions: [{"mode": "auth"}]
+
+# failJSON: { "match": false, "desc": "not aggressive" }
+Jan 14 16:18:16 xxx postfix/smtpd[14933]: warning: host[192.0.2.5]: SASL CRAM-MD5 authentication failed: Invalid authentication mechanism
+
+# filterOptions: [{"mode": "aggressive"}]
+
+# failJSON: { "time": "2005-01-14T16:18:16", "match": true , "host": "192.0.2.5", "desc": "aggressive only" }
+Jan 14 16:18:16 xxx postfix/smtpd[14933]: warning: host[192.0.2.5]: SASL CRAM-MD5 authentication failed: Invalid authentication mechanism
+
+# ---------------------------------------
+# Test-cases of postfix DDOS mode:
+# ---------------------------------------
+
+# filterOptions: [{"mode": "ddos"}, {"mode": "aggressive"}]
+
+# failJSON: { "time": "2005-02-18T09:45:10", "match": true , "host": "192.0.2.10" }
+Feb 18 09:45:10 xxx postfix/smtpd[42]: lost connection after CONNECT from spammer.example.com[192.0.2.10]
+# failJSON: { "time": "2005-02-18T09:45:12", "match": true , "host": "192.0.2.42" }
+Feb 18 09:45:12 xxx postfix/smtpd[42]: lost connection after STARTTLS from spammer.example.com[192.0.2.42]
+# failJSON: { "time": "2005-02-18T09:48:04", "match": true , "host": "192.0.2.23" }
+Feb 18 09:48:04 xxx postfix/smtpd[23]: lost connection after AUTH from unknown[192.0.2.23]
+# failJSON: { "time": "2005-02-18T09:48:04", "match": true , "host": "192.0.2.23" }
+Feb 18 09:48:04 xxx postfix/smtpd[23]: lost connection after AUTH from unknown[192.0.2.23]
+
+# filterOptions: [{}, {"mode": "ddos"}, {"mode": "aggressive"}]
+# failJSON: { "match": false, "desc": "don't affect lawful data (sporadical connection aborts within DATA-phase, see gh-1813 for discussion)" }
+Feb 18 09:50:05 xxx postfix/smtpd[42]: lost connection after DATA from good-host.example.com[192.0.2.10]
--- a/fail2ban/tests/files/logs/postfix-rbl
+++ b/fail2ban/tests/files/logs/postfix-rbl
@ -1,8 +0,0 @@
-# failJSON: { "time": "2004-12-30T18:19:15", "match": true , "host": "93.184.216.34" }
-Dec 30 18:19:15 xxx postfix/smtpd[1574]: NOQUEUE: reject: RCPT from badguy.example.com[93.184.216.34]: 454 4.7.1 Service unavailable; Client host [93.184.216.34] blocked using rbl.example.com; http://www.example.com/query?ip=93.184.216.34; from=<spammer@example.com> to=<goodguy@example.com> proto=ESMTP helo=<badguy.example.com>
-
-# failJSON: { "time": "2004-12-30T18:19:15", "match": true , "host": "93.184.216.34" }
-Dec 30 18:19:15 xxx postfix-incoming/smtpd[1574]: NOQUEUE: reject: RCPT from badguy.example.com[93.184.216.34]: 454 4.7.1 Service unavailable; Client host [93.184.216.34] blocked using rbl.example.com; http://www.example.com/query?ip=93.184.216.34; from=<spammer@example.com> to=<goodguy@example.com> proto=ESMTP helo=<badguy.example.com>
-
-# failJSON: { "time": "2005-02-07T12:25:45", "match": true , "host": "87.236.233.182" }
-Feb  7 12:25:45 xxx12345 postfix/smtpd[13275]: NOQUEUE: reject: RCPT from unknown[87.236.233.182]: 554 5.7.1 Service unavailable; Client host [87.236.233.182] blocked using rbl.example.com; https://www.example.com/query/ip/87.236.233.182; from=<spammer@example.com> to=<goodguy@example.com> proto=SMTP helo=<WIN-5N8GBBS0R5I>
--- a/fail2ban/tests/files/logs/postfix-sasl
+++ b/fail2ban/tests/files/logs/postfix-sasl
@ -1,32 +0,0 @@
-#1 Example from postfix from dbts #507990
-# failJSON: { "time": "2004-12-02T22:24:22", "match": true , "host": "114.44.142.233" }
-Dec  2 22:24:22 hel postfix/smtpd[7676]: warning: 114-44-142-233.dynamic.hinet.net[114.44.142.233]: SASL CRAM-MD5 authentication failed: PDc3OTEwNTkyNTEyMzA2NDIuMTIyODI1MzA2MUBoZWw+
-#2 Example from postfix from dbts #573314
-# failJSON: { "time": "2005-03-10T13:33:30", "match": true , "host": "1.1.1.1" }
-Mar 10 13:33:30 gandalf postfix/smtpd[3937]: warning: HOSTNAME[1.1.1.1]: SASL LOGIN authentication failed: authentication failure
-
-#3 Example from postfix post-debian changes to rename to add "submission" to syslog name
-# failJSON: { "time": "2004-09-06T00:44:56", "match": true , "host": "82.221.106.233" }
-Sep  6 00:44:56 trianon postfix/submission/smtpd[11538]: warning: unknown[82.221.106.233]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
-
-#4 Example from postfix post-debian changes to rename to add "submission" to syslog name + downcase
-# failJSON: { "time": "2004-09-06T00:44:57", "match": true , "host": "82.221.106.233" }
-Sep  6 00:44:57 trianon postfix/submission/smtpd[11538]: warning: unknown[82.221.106.233]: SASL login authentication failed: UGFzc3dvcmQ6
-
-#5 Example to add :
-# failJSON: { "time": "2005-01-29T08:11:45", "match": true , "host": "1.1.1.1" }
-Jan 29 08:11:45 mail postfix/smtpd[10752]: warning: unknown[1.1.1.1]: SASL LOGIN authentication failed: Password:
-
-#6 Example to ignore because due to a failed attempt to connect to authentication service - no malicious activities whatsoever
-# failJSON: { "time": "2005-02-03T08:29:28", "match": false , "host": "1.1.1.1" }
-Feb  3 08:29:28 mail postfix/smtpd[21022]: warning: unknown[1.1.1.1]: SASL LOGIN authentication failed: Connection lost to authentication server
-
-# failJSON: { "time": "2005-01-29T08:11:45", "match": true , "host": "1.1.1.1" }
-Jan 29 08:11:45 mail postfix-incoming/smtpd[10752]: warning: unknown[1.1.1.1]: SASL LOGIN authentication failed: Password:
-
-# failJSON: { "time": "2005-04-12T02:24:11", "match": true , "host": "62.138.2.143" }
-Apr 12 02:24:11 xxx postfix/smtps/smtpd[42]: warning: astra4139.startdedicated.de[62.138.2.143]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
-
-# failJSON: { "time": "2005-08-03T15:30:49", "match": true , "host": "98.191.84.74" }
-Aug 3 15:30:49 ksusha postfix/smtpd[17041]: warning: mail.foldsandwalker.com[98.191.84.74]: SASL Plain authentication failed:
-