Custom Regex for Postfix SASL Auth attacks
Posted: 05 May 2021, 09:35
Hi guys,

I'm running Postfix on a generic CentOS 8 server and I'm trying to lock it down with CSF. I've done a fresh install, reviewed the conf, set TESTING = "0" and restarted the service.

The postfix maillog (/var/log/maillog) is showing a lot of SASL authentication failures like this:

May 5 09:21:38 myserver postfix/smtps/smtpd[98947]: connect from unknown[5.188.206.147]
May 5 09:21:39 myserver postfix/smtps/smtpd[98947]: Anonymous TLS connection established from unknown[5.188.206.147]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 5 09:21:44 myserver postfix/smtps/smtpd[98947]: warning: unknown[5.188.206.147]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 5 09:21:44 myserver postfix/smtps/smtpd[98947]: lost connection after AUTH from unknown[5.188.206.147]
May 5 09:21:44 myserver postfix/smtps/smtpd[98947]: disconnect from unknown[5.188.206.147] ehlo=1 auth=0/1 commands=1/2

I've created an entry for CUSTOM1_LOG in /etc/csf/csf.conf:

CUSTOM1_LOG = "/var/log/maillog"

and I've added the following snippet (borrowed and modified from other threads on here) to /usr/local/csf/bin/regex.custom.pm:

# Match only lines from the CUSTOM1_LOG file; =~ binds the regex to $line (a bare = would assign the result of matching $_ instead)
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtps\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
    # $1 is the client IP captured from "unknown[a.b.c.d]"; trigger on 1 hit, temporary block for 3600 seconds
    return ("Failed SASL login from",$1,"mysaslmatch","1","","3600","0");
}

After restarting the csf service I can see the SASL auth attacks in the maillog, but the regex doesn't appear to trigger.

I get the feeling I'm missing something obvious, any ideas?

Ked
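The quickest way to find out whether a rule like this is at fault is to run the same pattern over the log lines outside of lfd. The script below is an added example, not part of the post and not CSF code: it applies the post's regex (the Perl pattern is valid as a Python raw string unchanged) to the quoted maillog lines plus a few constructed ones, counts failures per source IP, and applies a trigger threshold the way CSF's fourth return field does. It also goes a step beyond the post with a widened pattern, `postfix/(?:\S+/)?smtpd`, that matches the other Postfix smtpd instances (for example `postfix/submission/smtpd` on port 587 and plain `postfix/smtpd` on port 25), which the post's `postfix/smtps/smtpd` pattern silently skips; the extra IPs and lines are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample log: the five lines quoted in the post, plus made-up lines
# (RFC 5737 documentation addresses) covering a repeat offender and a submission
# service failure that the post's smtps-only pattern does not match.
SAMPLE_LOG = """\
May 5 09:21:38 myserver postfix/smtps/smtpd[98947]: connect from unknown[5.188.206.147]
May 5 09:21:39 myserver postfix/smtps/smtpd[98947]: Anonymous TLS connection established from unknown[5.188.206.147]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 5 09:21:44 myserver postfix/smtps/smtpd[98947]: warning: unknown[5.188.206.147]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 5 09:21:44 myserver postfix/smtps/smtpd[98947]: lost connection after AUTH from unknown[5.188.206.147]
May 5 09:21:44 myserver postfix/smtps/smtpd[98947]: disconnect from unknown[5.188.206.147] ehlo=1 auth=0/1 commands=1/2
May  5 09:30:01 myserver postfix/smtps/smtpd[99102]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
May  5 09:30:07 myserver postfix/smtps/smtpd[99102]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May  5 09:31:15 myserver postfix/submission/smtpd[99140]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# The post's pattern, as written in regex.custom.pm (Python raw string, unescaped slashes).
# \s+ after the month also tolerates syslog's two-space padding for single-digit days.
SASL_FAIL_SMTPS = re.compile(
    r'^\S+\s+\d+\s+\S+ \S+ postfix/smtps/smtpd\[\d+\]: warning:'
    r'.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed'
)

# Widened variant (added here, not from the post): any smtpd instance, with or
# without a master.cf service name in the log tag.
SASL_FAIL_ANY_SMTPD = re.compile(
    r'^\S+\s+\d+\s+\S+ \S+ postfix/(?:\S+/)?smtpd\[\d+\]: warning:'
    r'.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed'
)


def failed_sasl_ips(log_text, pattern=SASL_FAIL_SMTPS):
    """Count SASL authentication failures per client IP, using the given pattern."""
    hits = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hits[m.group(1)] += 1   # group 1 is the IP inside "unknown[...]"
    return hits


def ips_to_block(log_text, trigger=1, pattern=SASL_FAIL_SMTPS):
    """IPs that reached the trigger count, mirroring CSF's fourth return field."""
    return sorted(ip for ip, n in failed_sasl_ips(log_text, pattern).items() if n >= trigger)


if __name__ == "__main__":
    print("post's pattern   :", dict(failed_sasl_ips(SAMPLE_LOG)))
    print("any smtpd pattern:", dict(failed_sasl_ips(SAMPLE_LOG, SASL_FAIL_ANY_SMTPD)))
    print("block at trigger=2:", ips_to_block(SAMPLE_LOG, trigger=2, pattern=SASL_FAIL_ANY_SMTPD))
```

Running it shows the post's pattern does match the quoted warning line and extracts the IP, so if lfd never fires, the pattern text itself is not the cause; note also that the rule only ever sees the `smtps` instance, so brute-force attempts against the submission service need the widened pattern (or a second rule) to be blocked.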