I have a number of relay attempts like these in my mail.log
(they add up to 281 connection attempts in under 3 minutes):
May 16 04:58:30 MyServer postfix/smtpd[18950]: connect from unknown[xx.yy.zzz.www]
May 16 04:58:30 MyServer postfix/smtpd[18951]: warning: xx.yy.zzz.www: hostname xx-yy-zzz-www.network.domain verification failed: No address associated with hostname
May 16 04:58:30 MyServer postfix/smtpd[18951]: connect from unknown[xx.yy.zzz.www]
May 16 04:58:31 MyServer postfix/smtpd[18947]: warning: unknown[xx.yy.zzz.www]: SASL LOGIN authentication failed: authentication failure
May 16 04:58:31 MyServer postfix/smtpd[18952]: warning: xx.yy.zzz.www: hostname xx-yy-zzz-www.network.domain verification failed: No address associated with hostname
May 16 04:58:31 MyServer postfix/smtpd[18952]: connect from unknown[xx.yy.zzz.www]
May 16 04:58:31 MyServer postfix/smtpd[18947]: disconnect from unknown[xx.yy.zzz.www]
May 16 04:58:32 MyServer postfix/smtpd[18922]: warning: unknown[xx.yy.zzz.www]: SASL LOGIN authentication failed: authentication failure
May 16 04:58:32 MyServer postfix/smtpd[18947]: warning: xx.yy.zzz.www: hostname xx-yy-zzz-www.network.domain verification failed: No address associated with hostname
May 16 04:58:32 MyServer postfix/smtpd[18947]: connect from unknown[xx.yy.zzz.www]
May 16 04:58:33 MyServer postfix/smtpd[18953]: warning: xx.yy.zzz.www: hostname xx-yy-zzz-www.network.domain verification failed: No address associated with hostname
May 16 04:58:33 MyServer postfix/smtpd[18953]: connect from unknown[xx.yy.zzz.www]
May 16 04:58:33 MyServer postfix/smtpd[18922]: disconnect from unknown[xx.yy.zzz.www]
May 16 04:58:33 MyServer postfix/smtpd[18948]: warning: unknown[xx.yy.zzz.www]: SASL LOGIN authentication failed: authentication failure
May 16 04:58:33 MyServer postfix/smtpd[18949]: warning: unknown[xx.yy.zzz.www]: SASL LOGIN authentication failed: authentication failure
May 16 04:58:33 MyServer postfix/smtpd[18922]: warning: xx.yy.zzz.www: hostname xx-yy-zzz-www.network.domain verification failed: No address associated with hostname
May 16 04:58:33 MyServer postfix/smtpd[18922]: connect from unknown[xx.yy.zzz.www]
May 16 04:58:34 MyServer postfix/smtpd[18948]: disconnect from unknown[xx.yy.zzz.www]
May 16 04:58:34 MyServer postfix/smtpd[18949]: disconnect from unknown[xx.yy.zzz.www]
May 16 04:58:34 MyServer postfix/smtpd[18948]: warning: xx.yy.zzz.www: hostname xx-yy-zzz-www.network.domain verification failed: No address associated with hostname
May 16 04:58:34 MyServer postfix/smtpd[18948]: connect from unknown[xx.yy.zzz.www]
May 16 04:58:34 MyServer postfix/smtpd[18949]: warning: xx.yy.zzz.www: hostname xx-yy-zzz-www.network.domain verification failed: No address associated with hostname
May 16 04:58:34 MyServer postfix/smtpd[18949]: connect from unknown[xx.yy.zzz.www]
May 16 04:58:35 MyServer postfix/smtpd[18950]: warning: unknown[xx.yy.zzz.www]: SASL LOGIN authentication failed: authentication failure
May 16 04:58:35 MyServer postfix/smtpd[18951]: warning: unknown[xx.yy.zzz.www]: SASL LOGIN authentication failed: authentication failure
May 16 04:58:35 MyServer postfix/smtpd[18950]: disconnect from unknown[xx.yy.zzz.www]
I assume the sasl filter (which is enabled) should take care of this, but the IP is never banned. It looks like nothing matches the failregex expression in the sasl.conf filter:
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# Host must be matched by a group named "Host". The tag "<Host>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<Host>[\w\-.^_]+)
# Values: TEXT
#
failregex = (?i): warning: [-._\w]+\[<Host>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Any clue as to what is failing here? Any way to fix the problem?
Edit: A simpler question that could be a starting point for solving this: do these SASL login warnings in mail.log
match the failregex expression? I don't really know how to test that, and I don't know enough about regex syntax to work it out myself.
Thanks in advance.
The last part of the regular expression does not match "authentication failure".
The failing part of the regular expression appears to match a base64 string:
(: [A-Za-z0-9+/]*={0,2})?
Since "authentication failure" must definitely be blocked, I suggest replacing that part of the regular expression with:
(: ([A-Za-z0-9+/]*={0,2}|authentication failure))?
This is an addition to the old rule and would also match ": authentication failure".
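To check the answer's claim directly, here is an added example (not part of the original question or answer, and not fail2ban's own code). It expands the <Host> alias exactly as the filter header documents it, then runs both the original failregex and the answer's variant over a few constructed log lines modelled on the ones in the question; the IPs 192.0.2.10 and 198.51.100.7 and the hostname host.example are placeholders. The maxretry threshold in hosts_to_ban is a simplification of fail2ban's behaviour (it ignores findtime) and is an assumption of this example, not something the page states.

```python
import re
from collections import Counter

# The <Host> alias, as documented in the header of the sasl.conf filter above.
HOST = r"(?:::f{4,6}:)?(?P<Host>[\w\-.^_]+)"

# failregex as shipped in the question's sasl.conf: the optional trailing group
# only accepts a base64 blob, so ": authentication failure" (which contains a
# space) cannot satisfy it and the anchored "$" never matches.
OLD_FAILREGEX = (
    r"(?i): warning: [-._\w]+\[<Host>\]: SASL "
    r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(: [A-Za-z0-9+/]*={0,2})?$"
)

# The answer's variant: the trailing group also accepts "authentication failure".
NEW_FAILREGEX = (
    r"(?i): warning: [-._\w]+\[<Host>\]: SASL "
    r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(: ([A-Za-z0-9+/]*={0,2}|authentication failure))?$"
)

# Constructed sample lines modelled on the question's mail.log (placeholder IPs).
# The last SASL line carries a base64 trailer ("Password:"), the form the old
# regex was written for.
SAMPLE_LOG = [
    "May 16 04:58:30 MyServer postfix/smtpd[18950]: connect from unknown[192.0.2.10]",
    "May 16 04:58:30 MyServer postfix/smtpd[18951]: warning: 192.0.2.10: hostname host.example verification failed: No address associated with hostname",
    "May 16 04:58:31 MyServer postfix/smtpd[18947]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure",
    "May 16 04:58:33 MyServer postfix/smtpd[18948]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure",
    "May 16 04:58:40 MyServer postfix/smtpd[18960]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "May 16 04:58:41 MyServer postfix/smtpd[18947]: disconnect from unknown[192.0.2.10]",
]


def compile_failregex(failregex):
    """Substitute the <Host> alias and compile, the way the filter header describes."""
    return re.compile(failregex.replace("<Host>", HOST))


def match_hosts(failregex, lines):
    """Return the <Host> group of every line the failregex matches, in log order.

    re.search is used because the pattern starts at ": warning:" and does not
    try to consume the syslog timestamp/prefix.
    """
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = rx.search(line)
        if m:
            hosts.append(m.group("Host"))
    return hosts


def hosts_to_ban(failregex, lines, maxretry):
    """Hosts with at least `maxretry` matching failures (assumed simplification:
    no findtime window, unlike real fail2ban)."""
    counts = Counter(match_hosts(failregex, lines))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in (("old", OLD_FAILREGEX), ("new", NEW_FAILREGEX)):
        print(name, "matches:", match_hosts(rx, SAMPLE_LOG))
        print(name, "would ban (maxretry=2):", hosts_to_ban(rx, SAMPLE_LOG, 2))
```

With the original regex only the base64-trailer line from 198.51.100.7 matches, so the host that hammered the server with "authentication failure" never reaches maxretry; with the answer's regex all three SASL failures match. To run the same comparison against the live log and the installed filter, fail2ban ships a tester: fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf prints how many lines each failregex matched.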