Custom Regex for Postfix SASL Auth attacks

Posted: 05 May 2021, 09:35
by Ked
Hi guys,

I'm running Postfix on a generic CentOS 8 server and I'm trying to lock it down with CSF. I've done a fresh install, reviewed the conf, set TESTING = "0" and restarted the service.

The postfix maillog (/var/log/maillog) is showing a lot of SASL authentication failures like this:

May  5 09:21:38 myserver postfix/smtps/smtpd[98947]: connect from unknown[5.188.206.147]
May  5 09:21:39 myserver postfix/smtps/smtpd[98947]: Anonymous TLS connection established from unknown[5.188.206.147]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May  5 09:21:44 myserver postfix/smtps/smtpd[98947]: warning: unknown[5.188.206.147]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May  5 09:21:44 myserver postfix/smtps/smtpd[98947]: lost connection after AUTH from unknown[5.188.206.147]
May  5 09:21:44 myserver postfix/smtps/smtpd[98947]: disconnect from unknown[5.188.206.147] ehlo=1 auth=0/1 commands=1/2

I've created an entry for CUSTOM1_LOG in /etc/csf/csf.conf:

CUSTOM1_LOG = "/var/log/maillog"

and I've added the following snippet (borrowed and modified from other threads on here) to /usr/local/csf/bin/regex.custom.pm:

# Match postfix smtpd SASL failures in the CUSTOM1_LOG file and hand the client IP back to lfd
# (the match operator is =~ ; "=/" would assign a match against $_ to $line and never trigger)
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtps\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
    return ("Failed SASL login from",$1,"mysaslmatch","1","","3600","0");
}

After restarting the csf service I can see the SASL auth attacks in the maillog, but the regex doesn't appear to trigger.

I get the feeling I'm missing something obvious, any ideas?

Ked

Re: Custom Regex for Postfix SASL Auth attacks

Posted: 19 May 2021, 07:02
by Sergio
Hi.
Try this one:

# Same structure, with the server name and the "unknown" client host written out literally
# (match operator corrected to =~)
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+\S+ myserver postfix\/smtps\/smtpd\[\d+\]\: warning\: unknown\[(\S+)\]\: SASL LOGIN authentication failed\: \S+/)) {
    return ("Failed SASL login from",$1,"SecmasSASL","1","","3600","0");
}

Sergio
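The following is an added example, not code from either post or from CSF itself: a stand-alone Perl harness that runs a SASL-failure regex over constructed maillog lines so the pattern can be checked before it goes into regex.custom.pm. It generalizes the two patterns above (no hardcoded server name or client hostname, any postfix smtpd instance, any SASL mechanism); the sample hostnames, mechanisms and the 192.0.2.10 address are made up for the test.

```perl
#!/usr/bin/perl
# Added example: test a CSF custom-log regex against sample maillog lines.
# Not part of the thread or of CSF; lfd (not csf) loads regex.custom.pm,
# so a changed pattern needs an lfd restart to take effect.
use strict;
use warnings;

# "warning: <host>[<ip>]: SASL <MECH> authentication failed" from any postfix
# smtpd (smtps, submission, smtp). Note the match operator is =~ ; writing
# "$line =/.../" assigns a match against $_ to $line and never triggers.
my $sasl_re = qr/^\S+\s+\d+\s+\S+ \S+ postfix\/\S*smtpd\[\d+\]: warning: \S+\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z0-9-]+ authentication failed/;

# Returns the list regex.custom.pm hands back to lfd, or an empty list on no match.
sub check_line {
    my ($line) = @_;
    if ($line =~ $sasl_re) {
        return ("Failed SASL login from", $1, "mysaslmatch", "1", "", "3600", "0");
    }
    return ();
}

# Constructed sample lines: the first is the thread's own log line, the
# second uses a made-up host, address and the PLAIN mechanism, the third
# is a non-auth line that must not match.
my @samples = (
    'May  5 09:21:44 myserver postfix/smtps/smtpd[98947]: warning: unknown[5.188.206.147]: SASL LOGIN authentication failed: UGFzc3dvcmQ6',
    'May 15 10:02:01 mx1 postfix/submission/smtpd[1234]: warning: host.example.net[192.0.2.10]: SASL PLAIN authentication failed: authentication failure',
    'May  5 09:21:44 myserver postfix/smtps/smtpd[98947]: lost connection after AUTH from unknown[5.188.206.147]',
);

for my $line (@samples) {
    my @r = check_line($line);
    if (@r) { print "MATCH  ip=$r[1]  ($r[0])\n"; }
    else    { print "no match: $line\n"; }
}
```

Run it with `perl` on the box before copying the `if (... =~ ...)` form into regex.custom.pm; the first two lines should report a match with the extracted IP and the third should not.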