    Sam Gann started a new discussion, Attack Detector post-sasl

    Attack Detector post-sasl

    I think I'm having a problem with the SMTP part of Attack Detector. Checking the mail logs shows a bunch of IPs trying to hack the email server.
    Checking the fail2ban logs shows the IPs that are trying to hack the email server, and it tries to ban those IPs but then shows an error.

    26]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 01:35:41,042 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 01:45:09,110 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 01:54:34,104 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 02:04:00,022 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 02:13:25,322 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 02:22:54,790 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 02:32:23,477 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 02:41:51,906 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 02:46:32,904 fail2ban.filter [2126]: INFO [postfix-sasl] Found 80.82.77.83
    2016-12-20 02:51:16,842 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 03:00:45,832 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 03:10:09,802 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 03:19:40,984 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 03:29:05,128 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 03:38:36,840 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 03:48:04,210 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 03:57:39,687 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 04:07:08,204 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 04:16:39,563 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 04:18:55,533 fail2ban.filter [2126]: INFO [postfix-sasl] Found 80.82.77.83
    2016-12-20 04:26:04,696 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 04:35:33,684 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 04:45:02,503 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 04:51:03,811 fail2ban.actions [2126]: NOTICE [postfix-sasl] Unban 108.35.48.154
    2016-12-20 04:51:03,919 fail2ban.action [2126]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-postfix-sasl[ \t]' -- stdout: ''
    2016-12-20 04:51:03,919 fail2ban.action [2126]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-postfix-sasl[ \t]' -- stderr: ''
    2016-12-20 04:51:03,919 fail2ban.action [2126]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-postfix-sasl[ \t]' -- returned 1
    2016-12-20 04:51:03,920 fail2ban.CommandAction [2126]: ERROR Invariant check failed. Trying to restore a sane environment
    2016-12-20 04:51:04,025 fail2ban.action [2126]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -j f2b-postfix-sasl
    iptables -w -F f2b-postfix-sasl
    iptables -w -X f2b-postfix-sasl -- stdout: ''
    2016-12-20 04:51:04,025 fail2ban.action [2126]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -j f2b-postfix-sasl
    iptables -w -F f2b-postfix-sasl
    iptables -w -X f2b-postfix-sasl -- stderr: "iptables v1.4.21: Couldn't load target `f2b-postfix-sasl':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"
    2016-12-20 04:51:04,025 fail2ban.action [2126]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports smtp,465,submission,imap3,imaps,pop3,pop3s -j f2b-postfix-sasl
    iptables -w -F f2b-postfix-sasl
    iptables -w -X f2b-postfix-sasl -- returned 1
    2016-12-20 04:51:04,025 fail2ban.actions [2126]: ERROR Failed to execute unban jail 'postfix-sasl' action 'iptables-multiport' info '{'matches': u'2016-12-19T04:50:53.412132 gateway.ganncom.com postfix/smtpd[20494]: warning: static-108-35-48-154.nwrknj.fios.verizon.net[108.35.48.154]: SASL LOGIN authentication failed: authentication failure2016-12-19T04:50:55.986579 gateway.ganncom.com postfix/smtpd[20495]: warning: static-108-35-48-154.nwrknj.fios.verizon.net[108.35.48.154]: SASL LOGIN authentication failed: authentication failure2016-12-19T04:50:58.081102 gateway.ganncom.com postfix/smtpd[20455]: warning: static-108-35-48-154.nwrknj.fios.verizon.net[108.35.48.154]: SASL LOGIN authentication failed: authentication failure2016-12-19T04:51:00.752822 gateway.ganncom.com postfix/smtpd[20497]: warning: static-108-35-48-154.nwrknj.fios.verizon.net[108.35.48.154]: SASL LOGIN authentication failed: authentication failure2016-12-19T04:51:02.755586 gateway.ganncom.com postfix/smtpd[20495]: warning: static-108-35-48-154.nwrknj.fios.verizon.net[108.35.48.154]: SASL LOGIN authentication failed: authentication failure', 'ip': '108.35.48.154', 'time': 1482144662.919717, 'failures': 5}': Error stopping action
    2016-12-20 04:54:34,937 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 05:04:00,241 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 05:13:32,935 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 05:22:58,196 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 05:32:31,216 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 05:41:58,733 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 05:51:32,822 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 06:01:03,908 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 06:10:42,010 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 06:20:12,182 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 06:29:50,196 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 06:39:22,071 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 06:49:00,114 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 06:58:33,745 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 07:08:14,682 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 07:17:46,535 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 07:27:23,117 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 07:36:57,382 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
    2016-12-20 07:46:34,066 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125


    Here's what the Attack Detector webpage inside the ClearOS portal has blocked.

    Log

    IP Address Rule Date/Time
    108.35.48.154 postfix-sasl 2016-12-19 - 04:51:02

    From what I'm seeing the 91.200 IPs should have been banned, but they're not.
    Anyone else having the same problem? Or how to fix this?
    Thanks
    Merry Christmas.
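One way to triage this from the fail2ban log alone, as an added example (not ClearOS or fail2ban code): for each IP it measures the peak number of "Found" hits inside one findtime window and whether a Ban was ever logged, and it counts the "Invariant check failed" errors that show the f2b-postfix-sasl chain was missing from INPUT at unban time. The findtime of 600 s and maxretry of 5 are assumed (fail2ban's upstream defaults); substitute the jail's real values, and the sample log is a constructed excerpt modelled on the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed excerpt modelled on the fail2ban log in the post (not the full log).
SAMPLE_LOG = """\
2016-12-20 01:35:41,042 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 01:45:09,110 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 01:54:34,104 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 02:04:00,022 fail2ban.filter [2126]: INFO [postfix-sasl] Found 91.200.12.125
2016-12-20 02:46:32,904 fail2ban.filter [2126]: INFO [postfix-sasl] Found 80.82.77.83
2016-12-20 04:51:03,811 fail2ban.actions [2126]: NOTICE [postfix-sasl] Unban 108.35.48.154
2016-12-20 04:51:03,920 fail2ban.CommandAction [2126]: ERROR Invariant check failed. Trying to restore a sane environment
"""

# "<timestamp>,<ms> fail2ban.<component> [<pid>]: <LEVEL> [<jail>] <message>"; jail is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.\S+ \[\d+\]: "
    r"(?P<level>\w+) (?:\[(?P<jail>[^\]]+)\] )?(?P<msg>.*)$")

def parse(log):
    """Yield (timestamp, level, jail, message) for each recognised line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["level"], m["jail"], m["msg"])

def max_hits_in_window(times, findtime):
    """Largest number of hits (sorted timestamps) inside any findtime-long window."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > findtime:
            start += 1
        best = max(best, end - start + 1)
    return best

def triage(log, findtime=timedelta(seconds=600), maxretry=5):
    """Per IP: peak hits per findtime window, whether that reaches maxretry, and
    whether a Ban was logged; plus the number of 'Invariant check failed' errors."""
    found, banned, invariant_errors = defaultdict(list), set(), 0
    for ts, level, jail, msg in parse(log):
        if msg.startswith("Found "):
            found[msg.split()[1]].append(ts)
        elif msg.startswith("Ban "):          # "Unban ..." deliberately not matched
            banned.add(msg.split()[1])
        elif "Invariant check failed" in msg:
            invariant_errors += 1
    report = {}
    for ip, times in found.items():
        peak = max_hits_in_window(sorted(times), findtime)
        report[ip] = {"peak": peak, "reached_maxretry": peak >= maxretry,
                      "ban_logged": ip in banned}
    return report, invariant_errors
```

On the timestamps in the post, an IP that is only "Found" roughly every nine and a half minutes peaks at two hits per 600 s window, so the jail's findtime and maxretry are the first values to compare against the rate of the hits.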