Fail2ban not banning postfix attacks

security
fail2ban
v7

(Reggie Ho) #1

NethServer Version: 7.3
Module: fail2ban v0.9.6

…On checking my maillog file this morning, I found an IP making continuous attempts or attacks on Postfix; somehow fail2ban is not BANNING the IP. It seems the attacker is using my credentials to log in (root@xxx.xxx.xxx.xxx or admin@xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is the server IP; the attacker didn’t successfully log in …) but he kept attempting… I had to block it using the firewall.

I think after the recent update of fail2ban it started to fail… it used to work before…

I’d appreciate it if Stéphane could take a look at the issue. Thanks again.

See the maillog file below…

Sep 5 08:42:37 mail postfix/smtpd[6215]: warning: hostname dsl-189-140-70-239.prod-infinitum.com.mx does not resolve to address 189.140.70.239: Name or service not known
Sep 5 08:42:37 mail postfix/smtpd[6215]: connect from unknown[189.140.70.239]
Sep 5 08:42:37 mail postfix/smtpd[6215]: warning: Illegal address syntax from unknown[189.140.70.239] in MAIL command: root@xxx.xxx.xxx.xxx
Sep 5 08:42:37 mail postfix/smtpd[6215]: lost connection after MAIL from unknown[189.140.70.239]
Sep 5 08:42:37 mail postfix/smtpd[6215]: disconnect from unknown[189.140.70.239]
Sep 5 08:42:42 mail postfix/smtpd[6215]: warning: hostname dsl-189-140-70-239.prod-infinitum.com.mx does not resolve to address 189.140.70.239: Name or service not known
Sep 5 08:42:42 mail postfix/smtpd[6215]: connect from unknown[189.140.70.239]
Sep 5 08:42:42 mail postfix/smtpd[6215]: warning: Illegal address syntax from unknown[189.140.70.239] in MAIL command: root@xxx.xxx.xxx.xxx
Sep 5 08:42:42 mail postfix/smtpd[6215]: lost connection after MAIL from unknown[189.140.70.239]
Sep 5 08:42:42 mail postfix/smtpd[6215]: disconnect from unknown[189.140.70.239]
Sep 5 08:42:46 mail postfix/smtpd[6223]: warning: hostname 213-159-251-144.dynamic.vega-ua.net does not resolve to address 213.159.251.144: Name or service not known
Sep 5 08:42:46 mail postfix/smtpd[6223]: connect from unknown[213.159.251.144]
Sep 5 08:42:47 mail postfix/smtpd[6223]: disconnect from unknown[213.159.251.144]
Sep 5 08:42:47 mail postfix/smtpd[6215]: warning: hostname dsl-189-140-70-239.prod-infinitum.com.mx does not resolve to address 189.140.70.239: Name or service not known
Sep 5 08:42:47 mail postfix/smtpd[6215]: connect from unknown[189.140.70.239]
Sep 5 08:42:47 mail postfix/smtpd[6215]: warning: Illegal address syntax from unknown[189.140.70.239] in MAIL command: root@xxx.xxx.xxx.xxx
Sep 5 08:42:47 mail postfix/smtpd[6215]: lost connection after MAIL from unknown[189.140.70.239]
Sep 5 08:42:47 mail postfix/smtpd[6215]: disconnect from unknown[189.140.70.239]
Sep 5 08:42:53 mail postfix/smtpd[6215]: warning: hostname dsl-189-140-70-239.prod-infinitum.com.mx does not resolve to address 189.140.70.239: Name or service not known
Sep 5 08:42:53 mail postfix/smtpd[6215]: connect from unknown[189.140.70.239]
Sep 5 08:42:53 mail postfix/smtpd[6215]: warning: Illegal address syntax from unknown[189.140.70.239] in MAIL command: root@xxx.xxx.xxx.xxx
Sep 5 08:42:53 mail postfix/smtpd[6215]: lost connection after MAIL from unknown[189.140.70.239]
Sep 5 08:42:53 mail postfix/smtpd[6215]: disconnect from unknown[189.140.70.239]


(Stéphane de Labrusse) #2

Look at your filters in

cat /etc/fail2ban/filter.d/postfix*

This pattern is not looked for. It needs custom jail/filter files:

Sep 5 08:42:53 mail postfix/smtpd[6215]: warning: Illegal address syntax from unknown[189.140.70.239] in MAIL command: root@xxx.xxx.xxx.xxx
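To see why the stock filters miss this line and what a custom failregex for it would catch, here is an added example (not code from the thread or from the fail2ban project): it emulates fail2ban's matching steps (date stripping, `<HOST>` expansion, per-host counting against maxretry) in plain Python over a constructed sample modelled on the log excerpt above. The stock-style pattern is an illustrative NOQUEUE-reject regex of the shape found in filter.d/postfix.conf, not a verbatim copy, and the filter file name and maxretry value are assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the maillog excerpt in the thread (same IPs).
SAMPLE_LOG = """\
Sep 5 08:42:37 mail postfix/smtpd[6215]: connect from unknown[189.140.70.239]
Sep 5 08:42:37 mail postfix/smtpd[6215]: warning: Illegal address syntax from unknown[189.140.70.239] in MAIL command: root@xxx.xxx.xxx.xxx
Sep 5 08:42:42 mail postfix/smtpd[6215]: warning: Illegal address syntax from unknown[189.140.70.239] in MAIL command: root@xxx.xxx.xxx.xxx
Sep 5 08:42:46 mail postfix/smtpd[6223]: connect from unknown[213.159.251.144]
Sep 5 08:42:47 mail postfix/smtpd[6215]: warning: Illegal address syntax from unknown[189.140.70.239] in MAIL command: admin@xxx.xxx.xxx.xxx
Sep 5 08:42:53 mail postfix/smtpd[6215]: warning: Illegal address syntax from unknown[189.140.70.239] in MAIL command: root@xxx.xxx.xxx.xxx
"""

# Syslog date plus hostname: fail2ban strips the date via its datepattern and
# common.conf's __prefix_line absorbs the hostname, so we drop both here.
SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ ")

# fail2ban expands <HOST> itself; this mirrors the capture shape it uses.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Illustrative pattern of the kind the stock postfix filter carries (NOQUEUE
# rejects). It never sees a "warning: Illegal address syntax" line.
STOCK_STYLE_REGEX = r"^postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$"

# Custom failregex for the line in the thread; it would live in a new filter
# (hypothetical name: filter.d/postfix-illegal-address.conf) with its own jail.
CUSTOM_REGEX = r"^postfix/smtpd\[\d+\]: warning: Illegal address syntax from \S+\[<HOST>\] in MAIL command: \S+$"


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST))


def matching_hosts(log_text: str, failregex: str) -> Counter:
    """Count failregex hits per source host, one hit per matching log line."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        body = SYSLOG_PREFIX.sub("", line)  # what fail2ban matches after the date
        m = pattern.search(body)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(log_text: str, failregex: str, maxretry: int = 3) -> list:
    """Hosts reaching maxretry hits (all lines assumed to fall in one findtime)."""
    return sorted(h for h, n in matching_hosts(log_text, failregex).items() if n >= maxretry)


if __name__ == "__main__":
    print("stock-style filter:", hosts_to_ban(SAMPLE_LOG, STOCK_STYLE_REGEX))  # []
    print("custom filter:", hosts_to_ban(SAMPLE_LOG, CUSTOM_REGEX))  # ['189.140.70.239']
```

On a real system the same check is done with `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/<filter>.conf`, which reports how many lines each failregex matched.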


(Reggie Ho) #3

Ok… I see, I’ll try that… Thanks again…