Author Topic: fail2ban and SASL  (Read 1874 times)

colifato

fail2ban and SASL
« on: July 23, 2014, 04:24:15 pm »
One question: I have a lot of SASL login failures, and my question is if fail2ban doesn't block these attempts.

Jul 23 19:01:10 server1 postfix/smtpd[3583]: disconnect from 70-91-145-229-jax-fl.hfc.comcastbusiness.net[70.91.145.229]
Jul 23 19:01:20 server1 postfix/smtpd[3580]: warning: hostname 93-152-59-168.nws.mops2.co.uk does not resolve to address 93.152.59.168
Jul 23 19:01:20 server1 postfix/smtpd[3580]: connect from unknown[93.152.59.168]
Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: SASL authentication failure: Password verification failed
Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: unknown[93.152.59.168]: SASL PLAIN authentication failed: authentication failure
Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: unknown[93.152.59.168]: SASL LOGIN authentication failed: authentication failure
Jul 23 19:01:22 server1 postfix/smtpd[3580]: disconnect from unknown[93.152.59.168]
Jul 23 19:01:24 server1 postfix/smtpd[3583]: connect from unknown[14.162.68.221]
Jul 23 19:01:25 server1 postfix/smtpd[3583]: warning: SASL authentication failure: Password verification failed
Jul 23 19:01:25 server1 postfix/smtpd[3583]: warning: unknown[14.162.68.221]: SASL PLAIN authentication failed: authentication failure
Jul 23 19:01:26 server1 postfix/smtpd[3583]: warning: unknown[14.162.68.221]: SASL LOGIN authentication failed: authentication failure
Jul 23 19:01:26 server1 postfix/smtpd[3583]: disconnect from unknown[14.162.68.221]
Jul 23 19:01:27 server1 postfix/smtpd[3583]: connect from unknown[14.162.68.221]
Jul 23 19:01:27 server1 postfix/smtpd[3563]: warning: hostname 93-152-59-168.nws.mops2.co.uk does not resolve to address 93.152.59.168
Jul 23 19:01:27 server1 postfix/smtpd[3563]: connect from unknown[93.152.59.168]
Jul 23 19:01:27 server1 postfix/smtpd[3583]: warning: SASL authentication failure: Password verification failed
Jul 23 19:01:27 server1 postfix/smtpd[3583]: warning: unknown[14.162.68.221]: SASL PLAIN authentication failed: authentication failure
Jul 23 19:01:28 server1 postfix/smtpd[3563]: warning: SASL authentication failure: Password verification failed
Jul 23 19:01:28 server1 postfix/smtpd[3563]: warning: unknown[93.152.59.168]: SASL PLAIN authentication failed: authentication failure
Jul 23 19:01:28 server1 postfix/smtpd[3583]: warning: unknown[14.162.68.221]: SASL LOGIN authentication failed: authentication failure
Jul 23 19:01:29 server1 postfix/smtpd[3563]: warning: unknown[93.152.59.168]: SASL LOGIN authentication failed: authentication failure
Jul 23 19:01:29 server1 postfix/smtpd[3583]: disconnect from unknown[14.162.68.221]
Jul 23 19:01:29 server1 postfix/smtpd[3563]: disconnect from unknown[93.152.59.168]
Jul 23 19:01:30 server1 postfix/smtpd[3580]: connect from ns1.auto-special.net[178.32.156.222]
Jul 23 19:01:30 server1 postfix/smtpd[3580]: 993DF300530: client=ns1.auto-special.net[178.32.156.222]
Jul 23 19:01:30 server1 postfix/cleanup[3638]: 993DF300530: message-id=<ace903b5d47a250b5350bdfd3054a3ba@envios.auto-special.net>
Jul 23 19:01:30 server1 postfix/qmgr[1953]: 993DF300530: from=<noreply@auto-special.net>, size=2197, nrcpt=1 (queue active)
Jul 23 19:01:30 server1 postfix/smtpd[3580]: disconnect from ns1.auto-special.net[178.32.156.222]



How to block?

earnolmartin

Re: fail2ban and SASL
« Reply #1 on: July 30, 2014, 10:15:13 pm »
Yeah, a lot of bots and hackers try to probe your server every way possible.

You can configure fail2ban to ban it. Just set up a fail2ban filter.
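
The filter suggested in the reply, as an added example that is not part of the thread or of fail2ban itself: Python that runs a candidate `failregex` over log lines copied from the question and applies a `maxretry`/`findtime` threshold. The regex, the threshold values and the function names are assumptions for illustration; fail2ban's `<HOST>` placeholder is expanded here to an IPv4-only group, so this approximates fail2ban's matching rather than reproducing it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Candidate failregex in fail2ban syntax (an assumption, not from the thread).
FAILREGEX = r"postfix/smtpd\[\d+\]: warning: \S+\[<HOST>\]: SASL (?:LOGIN|PLAIN) authentication failed"

# Log lines copied from the question above.
SAMPLE_LOG = """\
Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: SASL authentication failure: Password verification failed
Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: unknown[93.152.59.168]: SASL PLAIN authentication failed: authentication failure
Jul 23 19:01:21 server1 postfix/smtpd[3580]: warning: unknown[93.152.59.168]: SASL LOGIN authentication failed: authentication failure
Jul 23 19:01:25 server1 postfix/smtpd[3583]: warning: unknown[14.162.68.221]: SASL PLAIN authentication failed: authentication failure
Jul 23 19:01:26 server1 postfix/smtpd[3583]: warning: unknown[14.162.68.221]: SASL LOGIN authentication failed: authentication failure
Jul 23 19:01:27 server1 postfix/smtpd[3583]: warning: unknown[14.162.68.221]: SASL PLAIN authentication failed: authentication failure
Jul 23 19:01:28 server1 postfix/smtpd[3563]: warning: unknown[93.152.59.168]: SASL PLAIN authentication failed: authentication failure
Jul 23 19:01:28 server1 postfix/smtpd[3583]: warning: unknown[14.162.68.221]: SASL LOGIN authentication failed: authentication failure
Jul 23 19:01:29 server1 postfix/smtpd[3563]: warning: unknown[93.152.59.168]: SASL LOGIN authentication failed: authentication failure
Jul 23 19:01:30 server1 postfix/smtpd[3580]: connect from ns1.auto-special.net[178.32.156.222]
"""

def parse_failures(log_text, year=2014):
    """Return {ip: [datetime, ...]} for every line the failregex matches."""
    # Stand-in for fail2ban's <HOST> expansion, restricted to IPv4 here.
    host = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
    pattern = re.compile(FAILREGEX.replace("<HOST>", host))
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            # Syslog timestamps carry no year, so one is supplied.
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            failures[m.group("host")].append(ts)
    return dict(failures)

def hosts_to_ban(failures, maxretry=3, findtime=600):
    """IPs with at least maxretry failures inside a findtime-second window."""
    window = timedelta(seconds=findtime)
    banned = []
    for ip, stamps in sorted(failures.items()):
        stamps = sorted(stamps)
        # Slide over each run of maxretry consecutive failures.
        if any(stamps[i + maxretry - 1] - stamps[i] <= window
               for i in range(len(stamps) - maxretry + 1)):
            banned.append(ip)
    return banned

if __name__ == "__main__":
    print(hosts_to_ban(parse_failures(SAMPLE_LOG)))
```

The "SASL authentication failure: Password verification failed" line carries no client address, so only the per-client "authentication failed" lines can drive a ban. A real filter file should be checked against the live mail log with `fail2ban-regex` before the jail is enabled.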