Debian Bug report logs - #507990
fail2ban: postfix SASL login failures are not detected


Package: fail2ban; Maintainer for fail2ban is Yaroslav Halchenko <debian@onerussian.com>; Source for fail2ban is src:fail2ban.

Reported by: Udo Rader <udo.rader@bestsolution.at>

Date: Sat, 6 Dec 2008 17:27:02 UTC

Severity: normal

Found in version fail2ban/0.8.3-2

Fixed in version fail2ban/0.8.3-6

Done: Yaroslav Halchenko <debian@onerussian.com>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>:
Bug#507990; Package fail2ban. (Sat, 06 Dec 2008 17:27:04 GMT)

Acknowledgement sent to Udo Rader <udo.rader@bestsolution.at>:
New Bug report received and forwarded. Copy sent to Yaroslav Halchenko <debian@onerussian.com>. (Sat, 06 Dec 2008 17:27:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Udo Rader <udo.rader@bestsolution.at>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: fail2ban: postfix SASL login failures are not detected
Date: Sat, 06 Dec 2008 18:23:43 +0100
Package: fail2ban
Version: 0.8.3-2
Severity: normal

When using postfix with dovecot as the SASL authenticator, it logs failed
login attempts like this:

----CUT----
Dec  2 22:24:22 hel postfix/smtpd[7676]: warning: 114-44-142-233.dynamic.hinet.net[114.44.142.233]: SASL CRAM-MD5 authentication failed: PDc3OTEwNTkyNTEyMzA2NDIuMTIyODI1MzA2MUBoZWw+
Dec  2 22:24:32 hel postfix/smtpd[7676]: warning: 114-44-142-233.dynamic.hinet.net[114.44.142.233]: SASL CRAM-MD5 authentication failed: PDkxNjk1MjY1MzY1NjIzMzAuMTIyODI1MzA3MUBoZWw+
----CUT----

The current pattern in /etc/fail2ban/filters.d/sasl.conf does not match
those lines. Adding the line below fixes it:

----CUT----
--- sasl.conf.orig	2008-12-06 18:16:21.000000000 +0100
+++ sasl.conf	2008-12-06 18:21:37.000000000 +0100
@@ -15,6 +15,7 @@
 # Values: TEXT
 #
 failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
+            : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w+
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
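Review bot: the added continuation line (`authentication failed: \w+`) drops the `$` anchor that the line above it keeps, and `\w+` cannot reach the end of the sample lines anyway, because the base64 trailer in both quoted log lines ends in `+` (`...MUBoZWw+`), which `\w` does not match; the new line therefore matches only because it is unanchored, and any later postfix message beginning with the same text would match too. Suggest replacing both lines with one anchored pattern whose suffix is optional and limited to the base64 alphabet, e.g. `authentication failed(?:: [A-Za-z0-9+/]+={0,2})?$`, so the host/mechanism prefix is not duplicated and a trailing field cannot slip past the filter. Note also that the hunk only touches sasl.conf; the mail.warn logpath change proposed in the report text would need a separate jail.conf edit.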
----CUT----

Furthermore, at least with postfix (don't know with exim etc.),
authentication failures have log priority warn and are thus logged
into /var/log/mail.warn. So using /var/log/mail.warn instead of
/var/log/mail.log would be a good idea as well, because mail.log
is significantly larger than mail.warn.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages fail2ban depends on:
ii  lsb-base                      3.2-18     Linux Standard Base 3.2 init scrip
ii  python                        2.5.2-3    An interactive high-level object-o
ii  python-central                0.6.8      register and build utility for Pyt

Versions of packages fail2ban recommends:
ii  iptables                1.3.8.0debian1-1 administration tools for packet fi
ii  whois                   4.7.24           the GNU whois client

-- no debconf information
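To show what the reporter's diff changes in practice, the following is an added Python example; it is not code from the bug report, from fail2ban or from Debian. It runs the original sasl.conf pattern, the reporter's extra line and a single merged pattern of my own over the two log lines quoted above plus two constructed lines, and base64-decodes the trailing token postfix logs after "failed:". The `<HOST>` expansion and the matching loop are simplified assumptions about how a fail2ban filter applies a failregex, not fail2ban's own code, and the merged pattern is mine, not the one upstream later shipped.

```python
import base64
import re

# Constructed sample log. The first two lines are the ones quoted in the bug
# report; the other two are made up here: one line the original pattern already
# matched, and one non-failure line that must never match.
SAMPLE_LOG = """\
Dec  2 22:24:22 hel postfix/smtpd[7676]: warning: 114-44-142-233.dynamic.hinet.net[114.44.142.233]: SASL CRAM-MD5 authentication failed: PDc3OTEwNTkyNTEyMzA2NDIuMTIyODI1MzA2MUBoZWw+
Dec  2 22:24:32 hel postfix/smtpd[7676]: warning: 114-44-142-233.dynamic.hinet.net[114.44.142.233]: SASL CRAM-MD5 authentication failed: PDkxNjk1MjY1MzY1NjIzMzAuMTIyODI1MzA3MUBoZWw+
Dec  2 22:25:01 hel postfix/smtpd[7680]: warning: mail.example.org[192.0.2.10]: SASL PLAIN authentication failed
Dec  2 22:25:05 hel postfix/smtpd[7680]: connect from mail.example.org[192.0.2.10]
"""

# Assumed expansion of fail2ban's <HOST> tag (simplified; the real 0.8.x template
# differs in detail but likewise yields a named group called "host").
HOST_TEMPLATE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The pattern shipped in sasl.conf at the time of the report (anchored with $).
ORIGINAL = (r": warning: [-._\w]+\[<HOST>\]: SASL "
            r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$")

# The extra line the reporter proposed (no end anchor, bare \w+ after the colon).
REPORTER_ADDITION = (r": warning: [-._\w]+\[<HOST>\]: SASL "
                     r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w+")

# My own single replacement pattern (assumption, not upstream's): the suffix is
# optional, restricted to the base64 alphabet, and the whole line stays anchored.
MERGED = (r": warning: [-._\w]+\[<HOST>\]: SASL "
          r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
          r"(?:: (?P<challenge>[A-Za-z0-9+/]+={0,2}))?$")


def compile_failregex(pattern):
    """Expand <HOST> the way a fail2ban filter does and compile the result."""
    return re.compile(pattern.replace("<HOST>", HOST_TEMPLATE))


def find_failures(log, patterns):
    """Simplified model of fail2ban's filter loop: each line is searched
    (unanchored at the start, since the syslog timestamp precedes the match)
    against every failregex in turn; the first hit yields the offending host.
    Returns the captured host for each matching line, in log order."""
    compiled = [compile_failregex(p) for p in patterns]
    hosts = []
    for line in log.splitlines():
        for rx in compiled:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


def decoded_challenges(log):
    """Decode the token postfix appends after 'failed:'. It is the base64 of the
    CRAM-MD5 challenge (a message-id style string issued by the server), which is
    why it can end in '+' or '=' and why a word-character-only match is fragile."""
    rx = compile_failregex(MERGED)
    out = []
    for line in log.splitlines():
        m = rx.search(line)
        if m and m.group("challenge"):
            out.append(base64.b64decode(m.group("challenge")).decode("ascii"))
    return out


if __name__ == "__main__":
    print("original pattern only :", find_failures(SAMPLE_LOG, [ORIGINAL]))
    print("with reporter's line  :", find_failures(SAMPLE_LOG, [ORIGINAL, REPORTER_ADDITION]))
    print("merged single pattern :", find_failures(SAMPLE_LOG, [MERGED]))
    print("decoded challenges    :", decoded_challenges(SAMPLE_LOG))
```

The original pattern sees only the PLAIN failure, because its `$` sits right after "failed" while the CRAM-MD5 lines carry a trailing token. The reporter's extra line catches them, but only because it has no end anchor: the tokens end in `+`, which `\w` does not match, so `failed: \w+$` would have failed on the report's own sample. Decoding the tokens shows they are the server's CRAM-MD5 challenges, i.e. base64 that may end in `+`, `/` or `=`; the merged pattern allows exactly that alphabet and keeps the anchor, which is what you want in a ban rule that fires on untrusted log content.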




Reply sent to Yaroslav Halchenko <debian@onerussian.com>:
You have taken responsibility. (Thu, 09 Jul 2009 06:24:05 GMT)

Notification sent to Udo Rader <udo.rader@bestsolution.at>:
Bug acknowledged by developer. (Thu, 09 Jul 2009 06:24:05 GMT)

Message #10 received at 507990-close@bugs.debian.org:

From: Yaroslav Halchenko <debian@onerussian.com>
To: 507990-close@bugs.debian.org
Subject: Bug#507990: fixed in fail2ban 0.8.3-6
Date: Thu, 09 Jul 2009 06:02:04 +0000
Source: fail2ban
Source-Version: 0.8.3-6

We believe that the bug you reported is fixed in the latest version of
fail2ban, which is due to be installed in the Debian FTP archive:

fail2ban_0.8.3-6.diff.gz
  to pool/main/f/fail2ban/fail2ban_0.8.3-6.diff.gz
fail2ban_0.8.3-6.dsc
  to pool/main/f/fail2ban/fail2ban_0.8.3-6.dsc
fail2ban_0.8.3-6_all.deb
  to pool/main/f/fail2ban/fail2ban_0.8.3-6_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 507990@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yaroslav Halchenko <debian@onerussian.com> (supplier of updated fail2ban package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 09 Jul 2009 01:08:40 -0400
Source: fail2ban
Binary: fail2ban
Architecture: source all
Version: 0.8.3-6
Distribution: unstable
Urgency: low
Maintainer: Yaroslav Halchenko <debian@onerussian.com>
Changed-By: Yaroslav Halchenko <debian@onerussian.com>
Description: 
 fail2ban   - bans IPs that cause multiple authentication errors
Closes: 500824 507986 507990 512193 513953 514163 519557 530078
Changes: 
 fail2ban (0.8.3-6) unstable; urgency=low
 .
   * Time to shake the ground with upload to unstable.
   * Merged upstream's development as of SVN revision 732:
      - Fixed maxretry/findtime rate. Many thanks to Christos Psonis.
        Tracker #2019714.
      - Made the named-refused regex a bit less restrictive in order to match
        logs with "view". Thanks to Stephen Gildea.
      - Use timetuple instead of utctimetuple for ISO 8601. Maybe not a 100%
        correct fix but seems to work. Tracker #2500276.
      - Changed <HOST> template to be more restrictive (closes: #514163).
      - Added cyrus-imap and sieve filters. Thanks to Jan Wagner.  (closes:
        #513953).
      - Pull a commit from Yaroslav git repo. BF: addressing added bang to ssh
        log (closes: #512193).
      - Added missing semi-colon in the bind9 example. Thanks to Yaroslav
        Halchenko.
      - Added NetBSD ipfilter (ipf command) action. Thanks to Ed Ravin. Tracker
        #2484115.
      - Improved SASL filter. Thanks to Loic Pefferkorn. Tracker #2310410.
        (closes: #507990)
      - Added CPanel date format. Thanks to David Collins. Tracker #1967610.
      - Added nagios script. Thanks to Sebastian Mueller.
      - Removed print.
      - Removed begin-line anchor for "standard" timestamp (closes: #500824)
      - Remove socket file on startup is fail2ban crashed. Thanks to Detlef
        Reichelt.
   * Added a comment into Debian-shipped jail.conf about sasl logpath -- it
     might preferable to monitor warn.log in case of postfix (To complete react
     to #507990) (git branch up/fixes). Also added sasl example log file (git
     branch up/log_examples).
   * Removing minor bashism in ipmasq example file (closes: #530078).
     Thanks Raphael Geissert (git branch up/ipmasq)
   * Allow for trailing spaces in proftpd logs (closes: #507986)
     (git branch up/fixes).
   * Removed duplicate entry for DataCha0s/2\.0 in badbots (closes: #519557)
     (git branch up/fixes).
   * Adjusted Git-vcs field to point to git:// .
   * Thanks lintian fixes:
     - Boosted policy to 3.8.2 (no changes are due).
     - Boosted debhelper compatibility to 5.
     - Misspell in README.Debian
     - Removing stale /var/run/fail2ban from dirs -- should be created by
       init script
Checksums-Sha1: 
 1e55684a17db058ab5c2698cec4592a431dd1014 1196 fail2ban_0.8.3-6.dsc
 d58a6dc0de62a139127755adfcb5c6c2058d848c 47660 fail2ban_0.8.3-6.diff.gz
 d2055e7e153b905a72d9e304d1879e6bd1924592 92332 fail2ban_0.8.3-6_all.deb
Checksums-Sha256: 
 6f7b0933473b9a2f7a889f4fd5ae8ad91c283fd1ed15b4753da86a2bff8c67b5 1196 fail2ban_0.8.3-6.dsc
 3237a4ac043470a519099dc2ed92f4d8571d75ae56fc10ce198747716a120ed0 47660 fail2ban_0.8.3-6.diff.gz
 745ffffd51ea92baf9549f0ab5cd1cb1a8a2b50ced5f2e891ce76db2cd97b6d8 92332 fail2ban_0.8.3-6_all.deb
Files: 
 cbdcc0c552dc9b7531fe8af98c4f11e2 1196 net optional fail2ban_0.8.3-6.dsc
 128fb35873a015e58084084a03740224 47660 net optional fail2ban_0.8.3-6.diff.gz
 786b3c4a7d3fb2313d6a7c4cde8b831a 92332 net optional fail2ban_0.8.3-6_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpVhlMACgkQjRFFY3XAJMgR+gCgxr0OhPstTCZhdLpaAYBk+c7t
bLsAnA4R4i4hx5pkYDK3cs90XC7pg6Kt
=OPgc
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Aug 2009 07:37:59 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 05:29:59 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.