postfix sasl custom regex not working

[rick111]

Hi

I've read through quite a few posts on this forum and no one else seems to have the issue I'm having. I can't even get csf to register the postfix sasl attacks.

Centos 6.3
/etc/csf/regex.custom.pm

Code: Select all

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Za-z]*? authentication failed/)) {
return ("Failed SASL login from",$1,"mysaslmatch","3","25","600");
}

POP3D_LOG and CUSTOM1_LOG both point to /var/log/maillog

I've tried a few variations of the rules from this forum but not seem to pick up the auth failures.

Example of auth failure

Code: Select all

Sep  5 14:02:38 li622-171 postfix/smtpd[5710]: connect from removed[5.135.157.207]
Sep  5 14:02:41 li622-171 postfix/smtpd[5710]: warning: removed[5.135.157.207]: SASL login authentication failed: authentication failure
Sep  5 14:02:52 li622-171 postfix/smtpd[5710]: NOQUEUE: reject: RCPT from removed[5.135.157.207]: 554 5.7.1 <removed>: Relay access denied; from=<removed> to=<tremoved> proto=ESMTP helo=<NanoOVH>

I've tried it many times, but the attempt is never blocked.

Thanks

[rick111]

So something strange happened over the weekend. With all my tests I couldn't ban SASL fails, but then I got this.

Code: Select all

Sep  8 19:41:17 li622-171 postfix/smtpd[16954]: warning: unknown[89.248.172.122]: SASL LOGIN authentication failed: authentication failure 
Sep  8 19:43:29 li622-171 postfix/smtpd[16954]: warning: unknown[89.248.172.122]: SASL LOGIN authentication failed: bad protocol / cancel 
Sep  8 19:43:53 li622-171 postfix/smtpd[16954]: warning: unknown[89.248.172.122]: SASL LOGIN authentication failed: authentication failure

Code: Select all

Sep  8 19:43:55 li622-171 lfd[17033]: (mysaslmatch) Failed SASL login from 89.248.172.122 (NL/Netherlands/-): 3 in the last 3600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]

So then I tried again myself

Code: Select all

Sep  9 14:29:17 li622-171 postfix/smtpd[2155]: warning: unknown[5.135.157.207]: SASL login authentication failed: authentication failure

No ban.......... very confusing.

[rick111]

I was editing /etc/cfs/regex.custom.pm instead of /usr/local/csf/bin/regex.custom.pm..................

fixed now

[rick111]

reference as I come back to this post to help configure the rule, you change the custom_log location in /etc/csf/csf.conf

and for debian the mail file is /var/log/mail.log

to restart csf
su
csf -r (however i think it's lfd you need to restart which i did via webmin)

[coolbit]

Not working, i have Centos 7.4.1708

Feb 7 12:43:39 web postfix/smtpd[13401]: lost connection after AUTH from unknown[49.71.245.68]
Feb 7 12:43:39 web postfix/smtpd[13401]: disconnect from unknown[49.71.245.68]
Feb 7 12:43:39 web postfix/smtpd[15593]: connect from unknown[49.71.245.68]
Feb 7 12:43:43 web postfix/smtpd[13647]: warning: hostname walkerj2351.example.com does not resolve to address 91.200.12.232: Name or service not known
Feb 7 12:43:43 web postfix/smtpd[13647]: connect from unknown[91.200.12.232]
Feb 7 12:43:43 web postfix/smtpd[15593]: warning: unknown[49.71.245.68]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 7 12:43:43 web postfix/smtpd[15593]: lost connection after AUTH from unknown[49.71.245.68]
Feb 7 12:43:43 web postfix/smtpd[15593]: disconnect from unknown[49.71.245.68]
Feb 7 12:43:44 web postfix/smtpd[13401]: connect from unknown[49.71.245.68]
Feb 7 12:43:45 web postfix/smtpd[13647]: warning: unknown[91.200.12.232]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 7 12:43:45 web postfix/smtpd[13647]: lost connection after AUTH from unknown[91.200.12.232]
Feb 7 12:43:45 web postfix/smtpd[13647]: disconnect from unknown[91.200.12.232]
Feb 7 12:43:51 web postfix/smtpd[13401]: warning: unknown[49.71.245.68]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 7 12:43:52 web postfix/smtpd[15593]: connect from unknown[49.71.245.68]
Feb 7 12:43:52 web postfix/smtpd[13401]: lost connection after AUTH from unknown[49.71.245.68]
Feb 7 12:43:52 web postfix/smtpd[13401]: disconnect from unknown[49.71.245.68]
Feb 7 12:43:59 web postfix/smtpd[13647]: connect from mailsrv6.interactivebrokers.com[206.106.137.86]
Feb 7 12:43:59 web postfix/smtpd[13647]: Anonymous TLS connection established from mailsrv6.interactivebrokers.com[206.106.137.86]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 7 12:44:04 web postfix/smtpd[15593]: warning: unknown[49.71.245.68]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 7 12:44:04 web postfix/smtpd[15593]: lost connection after AUTH from unknown[49.71.245.68]
Feb 7 12:44:04 web postfix/smtpd[15593]: disconnect from unknown[49.71.245.68]
Feb 7 12:44:07 web postfix/smtpd[13401]: connect from unknown[49.71.245.68]

On my /etc/csf/csf.conf
CUSTOM10_LOG = "/var/log/maillog"

On my /usr/local/csf/bin/regex.custom.pm
if (($lgfile eq $config{CUSTOM10_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Za-z]*? authentication failed/)) {
return ("Failed SASL login from",$1,"mysaslmatch","3","25","600");
}