Hi,

I'm running fail2ban 0.8.13-1 on Debian 8. I've been using it since at least 
Debian 7, maybe earlier.

I've got some clown trying to guess accounts via the submission port and they are 
persistent and quick enough that it's keeping valid users from accessing things.

Fail2ban appears to be reacting to the failed logins but it isn't keeping them 
out:

2016-07-13 15:26:51,856 fail2ban.actions[30444]: WARNING [sasl] Ban 195.154.85.101
2016-07-13 15:27:00,876 fail2ban.actions[30444]: INFO    [sasl] 195.154.85.101 already banned
2016-07-13 15:27:03,880 fail2ban.actions[30444]: INFO    [sasl] 195.154.85.101 already banned

It adds a rule to iptables, but it is never hit:

Chain fail2ban-sasl (1 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 REJECT     all  --  any    any     195-154-85-101.rev.poneytelecom.eu  anywhere             reject-with icmp-port-unreachable

I believe that is because they are connecting on the submission port, 587, and 
that isn't in the input chain rule:

  5402  384K fail2ban-sasl  tcp  --  any    any     anywhere             anywhere             multiport dports smtp,urd,imap2,imap3,imaps,pop3,pop3s

It should be, though; it's in jails.conf:

[sasl]

enabled  = false
port     = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter   = postfix-sasl
...


I tried adding ,587 to the end of the port list but still it doesn't say 
submission or 587.

I added a rule by hand and it stopped them dead:

# iptables -I INPUT 1 -p tcp -s 195.154.85.101 --dport 587 -j DROP

    16  1168 DROP       tcp  --  any    any     195-154-85-101.rev.poneytelecom.eu  anywhere             tcp dpt:submission


Why would the fail2ban-sasl rule fail to include the submission port? I've 
tried searching around for an answer, maybe I'm not describing it correctly.

Thank you for your thoughts,
-- 
Jacob Anawalt
Gecko Software, Inc.
[email protected]
435-752-8026
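One way to check for exactly this kind of drift between a jail's configured ports and the firewall rule fail2ban actually installed, as an added example that is not from the original post or from fail2ban itself: the script below parses the jail section's `port =` line and the `iptables -L INPUT -v` output, resolves service names to numbers, and reports configured ports the multiport rule does not cover. The service-name table is an assumption modelled on a stock /etc/services, and the sample inputs are constructed from the values quoted in the mail.

```python
import re
# Service names from the post with the numbers a stock /etc/services assigns
# (assumption; 465 is both "ssmtp" and "urd" there, hence "urd" in iptables -L).
SERVICES = {
    "smtp": 25, "ssmtp": 465, "urd": 465, "submission": 587, "imap2": 143,
    "imap3": 220, "imaps": 993, "pop3": 110, "pop3s": 995,
}

def to_port(token):
    """Resolve one port token (a number or a service name) to an integer."""
    token = token.strip()
    return int(token) if token.isdigit() else SERVICES[token]

def jail_ports(jail_conf, jail):
    """Ports listed on the 'port =' line of the named [jail] section."""
    section = None
    for line in jail_conf.splitlines():
        line = line.strip()
        head = re.match(r"\[(.+)\]$", line)
        if head:
            section = head.group(1)
            continue
        port = re.match(r"port\s*=\s*(.+)$", line)
        if port and section == jail:
            return {to_port(t) for t in port.group(1).split(",")}
    return set()

def firewall_ports(iptables_out, chain):
    """Ports on the INPUT multiport rule(s) that jump to the fail2ban chain."""
    ports = set()
    for line in iptables_out.splitlines():
        dports = re.search(r"multiport dports (\S+)", line)
        if chain in line.split() and dports:
            ports |= {to_port(t) for t in dports.group(1).split(",")}
    return ports

def unprotected_ports(jail_conf, jail, iptables_out, chain):
    """Configured ports the firewall rule does not send to the jail's chain."""
    return jail_ports(jail_conf, jail) - firewall_ports(iptables_out, chain)

# Constructed inputs copied from the values quoted in the mail.
JAIL_CONF = """[sasl]
enabled  = false
port     = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter   = postfix-sasl
"""
IPTABLES_INPUT = ("  5402  384K fail2ban-sasl  tcp  --  any    any     anywhere "
                  "anywhere             multiport dports smtp,urd,imap2,imap3,imaps,pop3,pop3s\n")

if __name__ == "__main__":
    print("ports in jail but not in firewall rule:",
          sorted(unprotected_ports(JAIL_CONF, "sasl", IPTABLES_INPUT, "fail2ban-sasl")))
```

Run against the real files (`jail.local` as well as `jail.conf`, since the latter overrides the former) and the live `iptables -L INPUT -v` output to see which ports a jail believes it protects but the firewall never filters.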
