diff --git a/config/filter.d/postfix-rbl.conf b/config/filter.d/postfix-rbl.conf deleted file mode 100644 index 0a9078f0..00000000 --- a/config/filter.d/postfix-rbl.conf +++ /dev/null @@ -1,19 +0,0 @@ -# Fail2Ban filter for Postfix's RBL based Blocked hosts -# -# - -[INCLUDES] - -# Read common prefixes. If any customizations available -- read them from -# common.local -before = common.conf - -[Definition] - -_daemon = postfix(-\w+)?/smtpd - -failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b - -ignoreregex = - -# Author: Lee Clemens diff --git a/config/filter.d/postfix-sasl.conf b/config/filter.d/postfix-sasl.conf deleted file mode 100644 index 1a24ca94..00000000 --- a/config/filter.d/postfix-sasl.conf +++ /dev/null @@ -1,21 +0,0 @@ -# Fail2Ban filter for postfix authentication failures -# - -[INCLUDES] - -before = common.conf - -[Definition] - -_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds] - -failregex = ^%(__prefix_line)swarning: [-._\w]+\[\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$ - -ignoreregex = authentication failed: Connection lost to authentication server$ - -[Init] - -journalmatch = _SYSTEMD_UNIT=postfix.service - - -# Author: Yaroslav Halchenko diff --git a/config/filter.d/postfix.conf b/config/filter.d/postfix.conf index e6a3e5c2..b86b3d4d 100644 --- a/config/filter.d/postfix.conf +++ b/config/filter.d/postfix.conf @@ -13,15 +13,54 @@ before = common.conf _daemon = postfix(-\w+)?/\w+(?:/smtp[ds])? _port = (?::\d+)? -prefregex = ^%(__prefix_line)s(?:NOQUEUE: reject:|improper command pipelining) .+$ +prefregex = ^%(__prefix_line)s> .+$ -failregex = ^RCPT from [^[]*\[\]<_port>: 55[04] 5\.7\.1\s - ^RCPT from [^[]*\[\]<_port>: 450 4\.7\.1 Client host rejected: cannot find your (reverse )?hostname\b +mdpr-normal = (?:NOQUEUE: reject:|improper command pipelining after \S+) +mdre-normal=^RCPT from [^[]*\[\]<_port>: 55[04] 5\.7\.1\s + ^RCPT from [^[]*\[\]<_port>: 45[04] 4\.7\.1 (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b) ^RCPT from [^[]*\[\]<_port>: 450 4\.7\.1 (<[^>]*>)?: Helo command rejected: Host not found\b ^EHLO from [^[]*\[\]<_port>: 504 5\.5\.2 (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b ^VRFY from [^[]*\[\]<_port>: 550 5\.1\.1\s ^RCPT from [^[]*\[\]<_port>: 450 4\.1\.8 (<[^>]*>)?: Sender address rejected: Domain not found\b - ^after \S+ from [^[]*\[\]:? + ^from [^[]*\[\]:? + +mdpr-auth = warning: +mdre-auth = ^[^[]*\[\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism) +mdre-auth2= ^[^[]*\[\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server) +# todo: check/remove "Invalid authentication mechanism" from ignore list, if gh-1243 will get finished (see gh-1297). + +# Mode "rbl" currently included in mode "normal", but if needed for jail "postfix-rbl" only: +mdpr-rbl = %(mdpr-normal)s +mdre-rbl = ^RCPT from [^[]*\[\]: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b + +# Mode "rbl" currently included in mode "normal" (within 1st rule) +mdpr-more = %(mdpr-normal)s +mdre-more = %(mdre-normal)s + +mdpr-ddos = lost connection after(?! DATA) [A-Z]+ +mdre-ddos = ^from [^[]*\[\]:? + +mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s) +mdre-extra = %(mdre-auth)s + %(mdre-normal)s + +mdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s) +mdre-aggressive = %(mdre-auth2)s + %(mdre-normal)s + + + +failregex = > + +# Parameter "mode": more (default combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all) +# Usage example (for jail.local): +# [postfix] +# mode = aggressive +# # or another jail (rewrite filter parameters of jail): +# [postfix-rbl] +# filter = postfix[mode=rbl] +# +mode = more ignoreregex = diff --git a/config/jail.conf b/config/jail.conf index 21bc898e..71a8332f 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -533,14 +533,17 @@ backend = %(syslog_backend)s [postfix] - -port = smtp,465,submission -logpath = %(postfix_log)s -backend = %(postfix_backend)s +# To use another modes set filter parameter "mode" in jail.local: +mode = more +filter = postfix[mode=%(mode)s] +port = smtp,465,submission +logpath = %(postfix_log)s +backend = %(postfix_backend)s [postfix-rbl] +filter = postfix[mode=rbl] port = smtp,465,submission logpath = %(postfix_log)s backend = %(postfix_backend)s @@ -624,8 +627,9 @@ logpath = %(syslog_mail)s backend = %(syslog_backend)s -[postfix-sasl] +[postfix-auth] +filter = postfix[mode=auth] port = smtp,465,submission,imap3,imaps,pop3,pop3s # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the diff --git a/fail2ban/server/filter.py b/fail2ban/server/filter.py index a8f99998..e0a9340e 100644 --- a/fail2ban/server/filter.py +++ b/fail2ban/server/filter.py @@ -668,16 +668,19 @@ class Filter(JailThread): self.__lineBuffer + [tupleLine[:3]])[-self.__lineBufferSize:] else: orgBuffer = self.__lineBuffer = [tupleLine[:3]] - logSys.log(5, "Looking for failregex match of %r", self.__lineBuffer) + logSys.log(5, "Looking for match of %r", self.__lineBuffer) # Pre-filter fail regex (if available): preGroups = {} if self.__prefRegex: + if logSys.getEffectiveLevel() <= logging.HEAVYDEBUG: + logSys.log(5, " Looking for prefregex %r", self.__prefRegex.getRegex()) self.__prefRegex.search(self.__lineBuffer) if not self.__prefRegex.hasMatched(): + logSys.log(5, " Prefregex not matched") return failList preGroups = self.__prefRegex.getGroups() - logSys.log(7, "Pre-filter matched %s", preGroups) + logSys.log(7, " Pre-filter matched %s", preGroups) repl = preGroups.get('content') # Content replacement: if repl: @@ -686,17 +689,19 @@ class Filter(JailThread): # Iterates over all the regular expressions. for failRegexIndex, failRegex in enumerate(self.__failRegex): + if logSys.getEffectiveLevel() <= logging.HEAVYDEBUG: + logSys.log(5, " Looking for failregex %r", failRegex.getRegex()) failRegex.search(self.__lineBuffer, orgBuffer) if not failRegex.hasMatched(): continue # The failregex matched. - logSys.log(7, "Matched %s", failRegex) + logSys.log(7, " Matched %s", failRegex) # Checks if we must ignore this match. if self.ignoreLine(failRegex.getMatchedTupleLines()) \ is not None: # The ignoreregex matched. Remove ignored match. self.__lineBuffer = failRegex.getUnmatchedTupleLines() - logSys.log(7, "Matched ignoreregex and was ignored") + logSys.log(7, " Matched ignoreregex and was ignored") if not self.checkAllRegex: break else: diff --git a/fail2ban/tests/files/logs/postfix b/fail2ban/tests/files/logs/postfix index 7f24cdd0..54b8be99 100644 --- a/fail2ban/tests/files/logs/postfix +++ b/fail2ban/tests/files/logs/postfix @@ -1,3 +1,5 @@ +# filterOptions: [{}, {"mode": "normal"}, {"mode": "aggressive"}] + # per https://github.com/fail2ban/fail2ban/issues/125 # and https://github.com/fail2ban/fail2ban/issues/126 # failJSON: { "time": "2005-02-21T09:21:54", "match": true , "host": "192.0.43.10" } @@ -45,5 +47,92 @@ Jun 12 08:58:35 xxx postfix/smtpd[2931]: NOQUEUE: reject: RCPT from unknown[1.2. # failJSON: { "time": "2005-06-12T08:58:35", "match": true , "host": "1.2.3.4" } Jun 12 08:58:35 xxx postfix/smtpd[13533]: improper command pipelining after AUTH from unknown[1.2.3.4]: QUIT +# --------------------------------------- +# Test-cases of postfix-postscreen: +# --------------------------------------- + # failJSON: { "time": "2005-05-05T15:51:11", "match": true , "host": "216.245.194.173", "desc": "postfix postscreen / gh-1764" } May 5 15:51:11 xxx postfix/postscreen[1148]: NOQUEUE: reject: RCPT from [216.245.194.173]:60591: 550 5.7.1 Service unavailable; client [216.245.194.173] blocked using rbl.example.com; from=, to=, proto=ESMTP, helo= + +# --------------------------------------- +# Test-cases of postfix-rbl: +# --------------------------------------- +# filterOptions: [{}, {"mode": "rbl"}, {"mode": "aggressive"}] + +# failJSON: { "time": "2004-12-30T18:19:15", "match": true , "host": "93.184.216.34" } +Dec 30 18:19:15 xxx postfix/smtpd[1574]: NOQUEUE: reject: RCPT from badguy.example.com[93.184.216.34]: 454 4.7.1 Service unavailable; Client host [93.184.216.34] blocked using rbl.example.com; http://www.example.com/query?ip=93.184.216.34; from= to= proto=ESMTP helo= + +# failJSON: { "time": "2004-12-30T18:19:15", "match": true , "host": "93.184.216.34" } +Dec 30 18:19:15 xxx postfix-incoming/smtpd[1574]: NOQUEUE: reject: RCPT from badguy.example.com[93.184.216.34]: 454 4.7.1 Service unavailable; Client host [93.184.216.34] blocked using rbl.example.com; http://www.example.com/query?ip=93.184.216.34; from= to= proto=ESMTP helo= + +# failJSON: { "time": "2005-02-07T12:25:45", "match": true , "host": "87.236.233.182" } +Feb 7 12:25:45 xxx12345 postfix/smtpd[13275]: NOQUEUE: reject: RCPT from unknown[87.236.233.182]: 554 5.7.1 Service unavailable; Client host [87.236.233.182] blocked using rbl.example.com; https://www.example.com/query/ip/87.236.233.182; from= to= proto=SMTP helo= + +# --------------------------------------- +# Test-cases of postfix-sasl: +# --------------------------------------- +# filterOptions: [{"mode": "auth"}, {"mode": "aggressive"}] + +#1 Example from postfix from dbts #507990 +# failJSON: { "time": "2004-12-02T22:24:22", "match": true , "host": "114.44.142.233" } +Dec 2 22:24:22 hel postfix/smtpd[7676]: warning: 114-44-142-233.dynamic.hinet.net[114.44.142.233]: SASL CRAM-MD5 authentication failed: PDc3OTEwNTkyNTEyMzA2NDIuMTIyODI1MzA2MUBoZWw+ +#2 Example from postfix from dbts #573314 +# failJSON: { "time": "2005-03-10T13:33:30", "match": true , "host": "1.1.1.1" } +Mar 10 13:33:30 gandalf postfix/smtpd[3937]: warning: HOSTNAME[1.1.1.1]: SASL LOGIN authentication failed: authentication failure + +#3 Example from postfix post-debian changes to rename to add "submission" to syslog name +# failJSON: { "time": "2004-09-06T00:44:56", "match": true , "host": "82.221.106.233" } +Sep 6 00:44:56 trianon postfix/submission/smtpd[11538]: warning: unknown[82.221.106.233]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 + +#4 Example from postfix post-debian changes to rename to add "submission" to syslog name + downcase +# failJSON: { "time": "2004-09-06T00:44:57", "match": true , "host": "82.221.106.233" } +Sep 6 00:44:57 trianon postfix/submission/smtpd[11538]: warning: unknown[82.221.106.233]: SASL login authentication failed: UGFzc3dvcmQ6 + +#5 Example to add : +# failJSON: { "time": "2005-01-29T08:11:45", "match": true , "host": "1.1.1.1" } +Jan 29 08:11:45 mail postfix/smtpd[10752]: warning: unknown[1.1.1.1]: SASL LOGIN authentication failed: Password: + +# failJSON: { "time": "2005-01-29T08:11:45", "match": true , "host": "1.1.1.1" } +Jan 29 08:11:45 mail postfix-incoming/smtpd[10752]: warning: unknown[1.1.1.1]: SASL LOGIN authentication failed: Password: + +# failJSON: { "time": "2005-04-12T02:24:11", "match": true , "host": "62.138.2.143" } +Apr 12 02:24:11 xxx postfix/smtps/smtpd[42]: warning: astra4139.startdedicated.de[62.138.2.143]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 + +# failJSON: { "time": "2005-08-03T15:30:49", "match": true , "host": "98.191.84.74" } +Aug 3 15:30:49 ksusha postfix/smtpd[17041]: warning: mail.foldsandwalker.com[98.191.84.74]: SASL Plain authentication failed: + +# failJSON: { "time": "2004-11-04T09:11:01", "match": true , "host": "192.0.2.150", "desc": "without reason for fail, see gh-1245" } +Nov 4 09:11:01 mail postfix/submission/smtpd[27133]: warning: unknown[192.0.2.150]: SASL PLAIN authentication failed: + +#6 Example to ignore because due to a failed attempt to connect to authentication service - no malicious activities whatsoever +# failJSON: { "match": false } +Feb 3 08:29:28 mail postfix/smtpd[21022]: warning: unknown[1.1.1.1]: SASL LOGIN authentication failed: Connection lost to authentication server + +# filterOptions: [{"mode": "auth"}] + +# failJSON: { "match": false, "desc": "not aggressive" } +Jan 14 16:18:16 xxx postfix/smtpd[14933]: warning: host[192.0.2.5]: SASL CRAM-MD5 authentication failed: Invalid authentication mechanism + +# filterOptions: [{"mode": "aggressive"}] + +# failJSON: { "time": "2005-01-14T16:18:16", "match": true , "host": "192.0.2.5", "desc": "aggressive only" } +Jan 14 16:18:16 xxx postfix/smtpd[14933]: warning: host[192.0.2.5]: SASL CRAM-MD5 authentication failed: Invalid authentication mechanism + +# --------------------------------------- +# Test-cases of postfix DDOS mode: +# --------------------------------------- + +# filterOptions: [{"mode": "ddos"}, {"mode": "aggressive"}] + +# failJSON: { "time": "2005-02-18T09:45:10", "match": true , "host": "192.0.2.10" } +Feb 18 09:45:10 xxx postfix/smtpd[42]: lost connection after CONNECT from spammer.example.com[192.0.2.10] +# failJSON: { "time": "2005-02-18T09:45:12", "match": true , "host": "192.0.2.42" } +Feb 18 09:45:12 xxx postfix/smtpd[42]: lost connection after STARTTLS from spammer.example.com[192.0.2.42] +# failJSON: { "time": "2005-02-18T09:48:04", "match": true , "host": "192.0.2.23" } +Feb 18 09:48:04 xxx postfix/smtpd[23]: lost connection after AUTH from unknown[192.0.2.23] +# failJSON: { "time": "2005-02-18T09:48:04", "match": true , "host": "192.0.2.23" } +Feb 18 09:48:04 xxx postfix/smtpd[23]: lost connection after AUTH from unknown[192.0.2.23] + +# filterOptions: [{}, {"mode": "ddos"}, {"mode": "aggressive"}] +# failJSON: { "match": false, "desc": "don't affect lawful data (sporadical connection aborts within DATA-phase, see gh-1813 for discussion)" } +Feb 18 09:50:05 xxx postfix/smtpd[42]: lost connection after DATA from good-host.example.com[192.0.2.10] diff --git a/fail2ban/tests/files/logs/postfix-rbl b/fail2ban/tests/files/logs/postfix-rbl deleted file mode 100644 index 6aeac03b..00000000 --- a/fail2ban/tests/files/logs/postfix-rbl +++ /dev/null @@ -1,8 +0,0 @@ -# failJSON: { "time": "2004-12-30T18:19:15", "match": true , "host": "93.184.216.34" } -Dec 30 18:19:15 xxx postfix/smtpd[1574]: NOQUEUE: reject: RCPT from badguy.example.com[93.184.216.34]: 454 4.7.1 Service unavailable; Client host [93.184.216.34] blocked using rbl.example.com; http://www.example.com/query?ip=93.184.216.34; from= to= proto=ESMTP helo= - -# failJSON: { "time": "2004-12-30T18:19:15", "match": true , "host": "93.184.216.34" } -Dec 30 18:19:15 xxx postfix-incoming/smtpd[1574]: NOQUEUE: reject: RCPT from badguy.example.com[93.184.216.34]: 454 4.7.1 Service unavailable; Client host [93.184.216.34] blocked using rbl.example.com; http://www.example.com/query?ip=93.184.216.34; from= to= proto=ESMTP helo= - -# failJSON: { "time": "2005-02-07T12:25:45", "match": true , "host": "87.236.233.182" } -Feb 7 12:25:45 xxx12345 postfix/smtpd[13275]: NOQUEUE: reject: RCPT from unknown[87.236.233.182]: 554 5.7.1 Service unavailable; Client host [87.236.233.182] blocked using rbl.example.com; https://www.example.com/query/ip/87.236.233.182; from= to= proto=SMTP helo= diff --git a/fail2ban/tests/files/logs/postfix-sasl b/fail2ban/tests/files/logs/postfix-sasl deleted file mode 100644 index cdcb5121..00000000 --- a/fail2ban/tests/files/logs/postfix-sasl +++ /dev/null @@ -1,32 +0,0 @@ -#1 Example from postfix from dbts #507990 -# failJSON: { "time": "2004-12-02T22:24:22", "match": true , "host": "114.44.142.233" } -Dec 2 22:24:22 hel postfix/smtpd[7676]: warning: 114-44-142-233.dynamic.hinet.net[114.44.142.233]: SASL CRAM-MD5 authentication failed: PDc3OTEwNTkyNTEyMzA2NDIuMTIyODI1MzA2MUBoZWw+ -#2 Example from postfix from dbts #573314 -# failJSON: { "time": "2005-03-10T13:33:30", "match": true , "host": "1.1.1.1" } -Mar 10 13:33:30 gandalf postfix/smtpd[3937]: warning: HOSTNAME[1.1.1.1]: SASL LOGIN authentication failed: authentication failure - -#3 Example from postfix post-debian changes to rename to add "submission" to syslog name -# failJSON: { "time": "2004-09-06T00:44:56", "match": true , "host": "82.221.106.233" } -Sep 6 00:44:56 trianon postfix/submission/smtpd[11538]: warning: unknown[82.221.106.233]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 - -#4 Example from postfix post-debian changes to rename to add "submission" to syslog name + downcase -# failJSON: { "time": "2004-09-06T00:44:57", "match": true , "host": "82.221.106.233" } -Sep 6 00:44:57 trianon postfix/submission/smtpd[11538]: warning: unknown[82.221.106.233]: SASL login authentication failed: UGFzc3dvcmQ6 - -#5 Example to add : -# failJSON: { "time": "2005-01-29T08:11:45", "match": true , "host": "1.1.1.1" } -Jan 29 08:11:45 mail postfix/smtpd[10752]: warning: unknown[1.1.1.1]: SASL LOGIN authentication failed: Password: - -#6 Example to ignore because due to a failed attempt to connect to authentication service - no malicious activities whatsoever -# failJSON: { "time": "2005-02-03T08:29:28", "match": false , "host": "1.1.1.1" } -Feb 3 08:29:28 mail postfix/smtpd[21022]: warning: unknown[1.1.1.1]: SASL LOGIN authentication failed: Connection lost to authentication server - -# failJSON: { "time": "2005-01-29T08:11:45", "match": true , "host": "1.1.1.1" } -Jan 29 08:11:45 mail postfix-incoming/smtpd[10752]: warning: unknown[1.1.1.1]: SASL LOGIN authentication failed: Password: - -# failJSON: { "time": "2005-04-12T02:24:11", "match": true , "host": "62.138.2.143" } -Apr 12 02:24:11 xxx postfix/smtps/smtpd[42]: warning: astra4139.startdedicated.de[62.138.2.143]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 - -# failJSON: { "time": "2005-08-03T15:30:49", "match": true , "host": "98.191.84.74" } -Aug 3 15:30:49 ksusha postfix/smtpd[17041]: warning: mail.foldsandwalker.com[98.191.84.74]: SASL Plain authentication failed: -