From c88967df2d2907b5a3d1440678b8c4860d221442 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Thu, 13 Feb 2025 21:30:04 +0100
Subject: [PATCH 1/3] `filter.d/exim.conf` - introduces mode `more` (several rules moved from mode `normal` to `more`), because: - they have basically nothing with authentication; - they can cause false positives (e. g. someone sends several mails from google mailing server to wrong recipients and if they would cause "rejected RCPT - Unknown user", the google host gets banned; - to avoid occasional ban of legitimate servers one'd need create large white-list for `ignoreip` or construct complex `ignorecommands` to exclude all legitimate servers of big players (like google, microsoft, GMX, etc);
---
config/filter.d/exim.conf | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/config/filter.d/exim.conf b/config/filter.d/exim.conf
index bc36ebf0..de7f6901 100644
--- a/config/filter.d/exim.conf
+++ b/config/filter.d/exim.conf
@@ -15,17 +15,19 @@
 before = exim-common.conf
 prefregex = ^%(__prefix_line)s.+$
-failregex = ^%(host_info)s sender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
- ^\s?\w+ authenticator failed for%(host_info)s: 535 Incorrect authentication data(?: \(set_id=.*\)|: \d+ Time\(s\))?\s*$
- ^%(host_info)s rejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$
+failregex = ^\s?\w+ authenticator failed for%(host_info)s: 535 Incorrect authentication data(?: \(set_id=.*\)|: \d+ Time\(s\))?\s*$
+ >
+
+mdre-more = ^%(host_info)s sender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
+ ^%(host_info)s rejected RCPT (?:[^@]+@\S+:)?
 ^\s?SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+")%(host_info)s (?:next )?input=".*"\s*$
 ^\s?SMTP call from%(host_info)s dropped: too many (?:(?:nonmail|unrecognized) commands|syntax or protocol errors)
 ^\s?SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?"%(host_info)s [A-Z]+ (?:command used when not advertised|authentication mechanism not supported)\s*$
 ^\s?no MAIL in SMTP connection from%(host_info)s
 ^\s?(?:[\w\-]+ )?SMTP connection from%(host_info)s closed by DROP in ACL\s*$
- >
-mdre-aggressive = ^\s?no host name found for IP address $
+mdre-aggressive = %(mdre-more)s
+ ^\s?no host name found for IP address $
 ^\s?no IP address found for host \S+ \(during SMTP connection from%(host_info)s\)$
 ^%(host_info)s dropped by '[^']+' ACL:
From 6d4b487eb9b5d1d488e9da523e056653546f8e29 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Thu, 13 Feb 2025 21:42:52 +0100
Subject: [PATCH 2/3] adjust exim-log in the test factory
---
fail2ban/tests/files/logs/exim | 71 +++++++++++++++++-----------------
1 file changed, 35 insertions(+), 36 deletions(-)
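Review bot: If the header comment of `filter.d/exim.conf` (lines 1–14, outside this hunk) documents the values of the `mode` parameter, it is not updated for the new mode: the diffstat's 7 insertions and 5 deletions are all accounted for inside this hunk, so nothing above line 15 changed. A reader of the file will therefore not learn that `normal` is now reduced to the `535 Incorrect authentication data` rule, that `more` has to be set to regain the sender-verify, `rejected RCPT` and SMTP-protocol rules, or that `aggressive` now includes them through `%(mdre-more)s`. Suggested header line: `# mode: normal (default, authentication failures only), more (adds sender-verify, rejected RCPT and SMTP protocol rules; may hit legitimate MTAs), aggressive (more plus host-resolution and ACL-drop failures)`. The added `rejected RCPT (?:[^@]+@\S+:)?` rule appears truncated in this rendering (the rejection-reason alternation of the removed rule is not visible after it), so I could not verify that it still restricts the matched reasons as the old rule did.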
diff --git a/fail2ban/tests/files/logs/exim b/fail2ban/tests/files/logs/exim
index 3bb6c444..eed5e4c7 100644
--- a/fail2ban/tests/files/logs/exim
+++ b/fail2ban/tests/files/logs/exim
@@ -6,6 +6,41 @@
 2013-06-12 03:57:58 login authenticator failed for (ylmf-pc) [120.196.140.45]: 535 Incorrect authentication data: 1 Time(s)
 # failJSON: { "time": "2013-06-12T13:18:11", "match": true , "host": "101.66.165.86" }
 2013-06-12 13:18:11 login authenticator failed for (USER-KVI9FGS9KP) [101.66.165.86]: 535 Incorrect authentication data
+
+# 'https://github.com/fail2ban/fail2ban/pull/251#issuecomment-23001227'
+# failJSON: { "time": "2013-08-20T07:48:02", "match": true , "host": "85.25.92.177" }
+2013-08-20 07:48:02 login authenticator failed for static-ip-85-25-92-177.inaddr.ip-pool.com (USER) [85.25.92.177]: 535 Incorrect authentication data: 1 Time(s)
+# failJSON: { "time": "2013-08-20T23:30:05", "match": true , "host": "91.218.72.71" }
+2013-08-20 23:30:05 plain authenticator failed for ([192.168.2.102]) [91.218.72.71]: 535 Incorrect authentication data: 1 Time(s)
+# failJSON: { "time": "2013-09-02T09:19:07", "match": true , "host": "118.233.20.68" }
+2013-09-02 09:19:07 login authenticator failed for (gkzwsoju) [118.233.20.68]: 535 Incorrect authentication data
+# failJSON: { "time": "2014-01-12T02:07:48", "match": true , "host": "85.214.85.40" }
+2014-01-12 02:07:48 dovecot_login authenticator failed for h1832461.stratoserver.net (User) [85.214.85.40]: 535 Incorrect authentication data (set_id=scanner)
+# failJSON: { "time": "2019-10-22T03:39:17", "match": true , "host": "192.0.2.37", "desc": "pid-prefix in form of 'hostname exim[...]:', gh-2553" }
+2019-10-22 03:39:17 mx1.fqdn.local exim[29786]: dovecot_login authenticator failed for (User) [192.0.2.37]: 535 Incorrect authentication data (set_id=test@domain.com)
+# failJSON: { "time": "2014-12-02T03:00:23", "match": true , "host": "193.254.202.35" }
+2014-12-02 03:00:23 auth_plain authenticator failed for (rom182) [193.254.202.35]:41556 I=[10.0.0.1]:25: 535 Incorrect authentication data (set_id=webmaster)
+# failJSON: { "time": "2017-04-23T22:45:59", "match": true , "host": "192.0.2.2", "desc": "optional part (...)" }
+2017-04-23 22:45:59 fixed_login authenticator failed for bad.host.example.com [192.0.2.2]:54412 I=[172.89.0.6]:587: 535 Incorrect authentication data (set_id=user@example.com)
+# failJSON: { "time": "2024-03-21T19:26:06", "match": true , "host": "194.169.175.1" }
+2024-03-21 19:26:06 dovecot_login authenticator failed for (User) [194.169.175.1]:21298 I=[22.33.44.55]:465 Ci=30416: 535 Incorrect authentication data (set_id=uaf589@example.com)
+
+## no matches with `mode = normal`:
+
+# failJSON: { "match": false , "desc": "aggressive mode only" }
+2017-12-03 08:32:00 no host name found for IP address 192.0.2.8
+# failJSON: { "match": false , "desc": "aggressive mode only" }
+2017-12-03 08:51:35 no IP address found for host test.example.com (during SMTP connection from [192.0.2.9])
+# failJSON: { "match": false , "desc": "aggressive mode only" }
+2022-04-03 21:53:53 no IP address found for host hos-t.example.tld (during SMTP connection from [63.85.123.6]:49390 I=[31.130.202.17]:25)
+
+# filterOptions: {"logtype": "journal"}
+
+# failJSON: { "match": true , "host": "192.0.2.27", "desc": "systemd-journal entry with additional timestamp, gh-3060" }
+mail.example.com exim[3751842]: 2021-07-17 23:20:49 plain_server authenticator failed for ([192.0.2.17]) [192.0.2.27]: 535 Incorrect authentication data
+
+# filterOptions: [{"mode": "more"}, {"mode": "aggressive"}]
+
 # failJSON: { "time": "2013-06-10T10:10:59", "match": true , "host": "193.169.56.211" }
 2013-06-10 10:10:59 H=ufficioestampa.it (srv.ufficioestampa.it) [193.169.56.211] sender verify fail for : Unrouteable address
 # http://forum.lissyara.su/viewtopic.php?f=20&t=29857
@@ -35,24 +70,6 @@
 # failJSON: { "time": "2013-06-15T16:36:49", "match": true , "host": "111.67.203.116" }
 2013-06-15 16:36:49 H=altmx.marsukov.com [111.67.203.116] F= rejected RCPT : Unknown user
-# 'https://github.com/fail2ban/fail2ban/pull/251#issuecomment-23001227'
-# failJSON: { "time": "2013-08-20T07:48:02", "match": true , "host": "85.25.92.177" }
-2013-08-20 07:48:02 login authenticator failed for static-ip-85-25-92-177.inaddr.ip-pool.com (USER) [85.25.92.177]: 535 Incorrect authentication data: 1 Time(s)
-# failJSON: { "time": "2013-08-20T23:30:05", "match": true , "host": "91.218.72.71" }
-2013-08-20 23:30:05 plain authenticator failed for ([192.168.2.102]) [91.218.72.71]: 535 Incorrect authentication data: 1 Time(s)
-
-# failJSON: { "time": "2013-09-02T09:19:07", "match": true , "host": "118.233.20.68" }
-2013-09-02 09:19:07 login authenticator failed for (gkzwsoju) [118.233.20.68]: 535 Incorrect authentication data
-
-# failJSON: { "time": "2014-01-12T02:07:48", "match": true , "host": "85.214.85.40" }
-2014-01-12 02:07:48 dovecot_login authenticator failed for h1832461.stratoserver.net (User) [85.214.85.40]: 535 Incorrect authentication data (set_id=scanner)
-
-# failJSON: { "time": "2019-10-22T03:39:17", "match": true , "host": "192.0.2.37", "desc": "pid-prefix in form of 'hostname exim[...]:', gh-2553" }
-2019-10-22 03:39:17 mx1.fqdn.local exim[29786]: dovecot_login authenticator failed for (User) [192.0.2.37]: 535 Incorrect authentication data (set_id=test@domain.com)
-
-# failJSON: { "time": "2014-12-02T03:00:23", "match": true , "host": "193.254.202.35" }
-2014-12-02 03:00:23 auth_plain authenticator failed for (rom182) [193.254.202.35]:41556 I=[10.0.0.1]:25: 535 Incorrect authentication data (set_id=webmaster)
-
 # failJSON: { "time": "2016-03-18T00:34:06", "match": true , "host": "45.32.34.167" }
 2016-03-18 00:34:06 [7513] SMTP protocol error in "AUTH LOGIN" H=(ylmf-pc) [45.32.34.167]:60723 I=[172.89.0.6]:587 AUTH command used when not advertised
 # failJSON: { "time": "2016-03-19T18:40:44", "match": true , "host": "92.45.204.170" }
@@ -86,8 +103,6 @@
 # failJSON: { "time": "2016-03-27T16:48:48", "match": true , "host": "192.0.2.1" }
 2016-03-27 16:48:48 [21478] 1akDqs-0005aQ-9b SMTP connection from host.example.com (SERVER) [192.0.2.1]:47714 I=[172.89.0.6]:25 closed by DROP in ACL
-# failJSON: { "time": "2017-04-23T22:45:59", "match": true , "host": "192.0.2.2", "desc": "optional part (...)" }
-2017-04-23 22:45:59 fixed_login authenticator failed for bad.host.example.com [192.0.2.2]:54412 I=[172.89.0.6]:587: 535 Incorrect authentication data (set_id=user@example.com)
 # failJSON: { "time": "2017-05-01T07:42:42", "match": true , "host": "192.0.2.3", "desc": "rejected RCPT - Unrouteable address" }
 2017-05-01 07:42:42 H=some.rev.dns.if.found (the.connector.reports.this.name) [192.0.2.3] F= rejected RCPT : Unrouteable address
@@ -98,20 +113,9 @@
 # failJSON: { "time": "2017-11-28T14:14:32", "match": true , "host": "192.0.2.6", "desc": "quoted injecting on AUTH command" }
 2017-11-28 14:14:32 SMTP protocol error in "aUtH lOgIn" H=(test) [8.8.8.8]" H=(roxzgj) [192.0.2.6] AUTH command used when not advertised
-# failJSON: { "time": "2024-03-21T19:26:06", "match": true , "host": "194.169.175.1" }
-2024-03-21 19:26:06 dovecot_login authenticator failed for (User) [194.169.175.1]:21298 I=[22.33.44.55]:465 Ci=30416: 535 Incorrect authentication data (set_id=uaf589@example.com)
 # failJSON: { "time": "2024-03-21T09:18:51", "match": true , "host": "9.12.1.21" }
 2024-03-21 09:18:51 H=m05.horp.tld [9.12.1.21]:43030 I=[194.169.175.2]:25 Ci=7326 CV=no SNI=mail.leone.tld F= rejected RCPT : relay not permitted
-## no matches with `mode = normal`:
-
-# failJSON: { "match": false , "desc": "aggressive mode only" }
-2017-12-03 08:32:00 no host name found for IP address 192.0.2.8
-# failJSON: { "match": false , "desc": "aggressive mode only" }
-2017-12-03 08:51:35 no IP address found for host test.example.com (during SMTP connection from [192.0.2.9])
-# failJSON: { "match": false , "desc": "aggressive mode only" }
-2022-04-03 21:53:53 no IP address found for host hos-t.example.tld (during SMTP connection from [63.85.123.6]:49390 I=[31.130.202.17]:25)
-
 # filterOptions: [{"mode": "aggressive"}]
 # failJSON: { "time": "2017-12-03T08:32:00", "match": true , "host": "192.0.2.8", "desc": "no host found for IP" }
@@ -122,8 +126,3 @@
 2022-04-03 21:53:53 no IP address found for host hos-t.example.tld (during SMTP connection from [63.85.123.6]:49390 I=[31.130.202.17]:25)
 # failJSON: { "time": "2022-04-03T21:53:54", "match": true , "host": "192.0.2.101", "desc": "dropped by ACL" }
 2022-04-03 21:53:54 H=[192.0.2.101]:62839 dropped by 'connect' ACL: Country is banned
-
-# filterOptions: {"logtype": "journal"}
-
-# failJSON: { "match": true , "host": "192.0.2.27", "desc": "systemd-journal entry with additional timestamp, gh-3060" }
-mail.example.com exim[3751842]: 2021-07-17 23:20:49 plain_server authenticator failed for ([192.0.2.17]) [192.0.2.27]: 535 Incorrect authentication data
From 6538d43a8e638150dd6ea0b7641bcf583cb31f62 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Wed, 2 Apr 2025 14:57:03 +0200
Subject: [PATCH 3/3] Update ChangeLog
---
ChangeLog | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index f087fbf2..7a232c5d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -23,7 +23,10 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
 * `action.d/firewallcmd-ipset.conf`:
 - rename `ipsettype` to `ipsetbackend` (gh-2620), parameter `ipsettype` will be used now to the real set type (gh-3760)
 * `filter.d/apache-overflows.conf` - consider AH10244: invalid URI path (gh-3778)
-* `filter.d/exim.conf` - mode `aggressive` extended to catch dropped by ACL failures, e.g. "ACL: Country is banned"
+* `filter.d/exim.conf`:
+ - several rules of mode `normal` moved to new mode `more`, because of too risky handling (gh-3940), so to use it as before
+ set `mode = more` for exim jail, thereby mode `aggressive` is not affected, because it fully includes mode `more` now);
+ - mode `aggressive` extended to catch dropped by ACL failures, e.g. "ACL: Country is banned"
 * `filter.d/freeswitch.conf` - bypass some new info in prefix before [WARNING] (changed default `_pref_line`), FreeSWITCH log line prefix has changed in newer versions (gh-3143)
 * `filter.d/postfix.conf` - consider CONNECT and other rejected commands as a valid `_pref` (gh-3800)