Maybe someone knows how to configure CSF to automatically and permanently block IPs that try a wrong SMTP AUTH?
maillog:
Oct 24 17:26:46 cibilbndi postfix/smtpd[17230]: connect from unknown[185.234.216.132]
Oct 24 17:26:46 cibilbndi postfix/smtpd[17230]: warning: unknown[185.234.216.132]: SASL LOGIN authentication failed: Invalid authentication mechanism
Oct 24 17:26:46 cibilbndi postfix/smtpd[17230]: lost connection after AUTH from unknown[185.234.216.132]
Oct 24 17:26:46 cibilbndi postfix/smtpd[17230]: disconnect from unknown[185.234.216.132] ehlo=1 auth=0/1 commands=1/2
Oct 24 17:30:06 cibilbndi postfix/anvil[17232]: statistics: max connection rate 1/60s for (smtp:185.234.216.132) at Oct 24 17:26:46
Oct 24 17:30:06 cibilbndi postfix/anvil[17232]: statistics: max connection count 1 for (smtp:185.234.216.132) at Oct 24 17:26:46
Oct 24 17:30:06 cibilbndi postfix/anvil[17232]: statistics: max cache size 1 at Oct 24 17:26:46
Oct 24 17:34:18 cibilbndi postfix/smtpd[17469]: connect from unknown[185.234.216.132]
Oct 24 17:34:18 cibilbndi postfix/smtpd[17469]: warning: unknown[185.234.216.132]: SASL LOGIN authentication failed: Invalid authentication mechanism
Oct 24 17:34:18 cibilbndi postfix/smtpd[17469]: lost connection after AUTH from unknown[185.234.216.132]
Oct 24 17:34:18 cibilbndi postfix/smtpd[17469]: disconnect from unknown[185.234.216.132] ehlo=1 auth=0/1 commands=1/2
Oct 24 17:37:38 cibilbndi postfix/anvil[17471]: statistics: max connection rate 1/60s for (smtp:185.234.216.132) at Oct 24 17:34:18
Oct 24 17:37:38 cibilbndi postfix/anvil[17471]: statistics: max connection count 1 for (smtp:185.234.216.132) at Oct 24 17:34:18
Oct 24 17:37:38 cibilbndi postfix/anvil[17471]: statistics: max cache size 1 at Oct 24 17:34:18
Oct 24 17:41:57 cibilbndi postfix/smtpd[17523]: connect from unknown[185.234.216.132]
Oct 24 17:41:57 cibilbndi postfix/smtpd[17523]: warning: unknown[185.234.216.132]: SASL LOGIN authentication failed: Invalid authentication mechanism
Oct 24 17:41:57 cibilbndi postfix/smtpd[17523]: lost connection after AUTH from unknown[185.234.216.132]
Oct 24 17:41:57 cibilbndi postfix/smtpd[17523]: disconnect from unknown[185.234.216.132] ehlo=1 auth=0/1 commands=1/2
Oct 24 17:45:18 cibilbndi postfix/anvil[17525]: statistics: max connection rate 1/60s for (smtp:185.234.216.132) at Oct 24 17:41:57
Oct 24 17:45:18 cibilbndi postfix/anvil[17525]: statistics: max connection count 1 for (smtp:185.234.216.132) at Oct 24 17:41:57
Oct 24 17:45:18 cibilbndi postfix/anvil[17525]: statistics: max cache size 1 at Oct 24 17:41:57
Oct 24 17:49:42 cibilbndi postfix/smtpd[17580]: connect from unknown[185.234.216.132]
Oct 24 17:49:42 cibilbndi postfix/smtpd[17580]: warning: unknown[185.234.216.132]: SASL LOGIN authentication failed: Invalid authentication mechanism
Oct 24 17:49:42 cibilbndi postfix/smtpd[17580]: lost connection after AUTH from unknown[185.234.216.132]
Oct 24 17:49:42 cibilbndi postfix/smtpd[17580]: disconnect from unknown[185.234.216.132] ehlo=1 auth=0/1 commands=1/2
Oct 24 17:53:02 cibilbndi postfix/anvil[17582]: statistics: max connection rate 1/60s for (smtp:185.234.216.132) at Oct 24 17:49:42
Oct 24 17:53:02 cibilbndi postfix/anvil[17582]: statistics: max connection count 1 for (smtp:185.234.216.132) at Oct 24 17:49:42
Oct 24 17:53:02 cibilbndi postfix/anvil[17582]: statistics: max cache size 1 at Oct 24 17:49:42
Oct 24 17:57:30 cibilbndi postfix/smtpd[17641]: connect from unknown[185.234.216.132]
Oct 24 17:57:30 cibilbndi postfix/smtpd[17641]: warning: unknown[185.234.216.132]: SASL LOGIN authentication failed: Invalid authentication mechanism
Oct 24 17:57:30 cibilbndi postfix/smtpd[17641]: lost connection after AUTH from unknown[185.234.216.132]
Oct 24 17:57:30 cibilbndi postfix/smtpd[17641]: disconnect from unknown[185.234.216.132] ehlo=1 auth=0/1 commands=1/2
The above is close, but it is missing the ports to block, and also the regex throws an error.
# Match a Postfix smtpd SASL failure in CUSTOM1_LOG; $1 captures the client IP.
# "SASL \S+" covers LOGIN, login and PLAIN mechanisms.
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL \S+ authentication failed/)) {
    # message, IP, rule id, trigger count, ports to block, temp-block seconds
    return ("Failed SASL login from",$1,"mysaslmatch","5","25,465,587,993,995","14400");
}
sed -i 's|^CUSTOM1_LOG =.*|CUSTOM1_LOG = "/var/log/maillog"|g' /etc/csf/csf.conf
I was getting errors due to the eq stuff. Has anyone actually gotten this to work and tested it? If so, please provide full working code so we can add it to the CSF installer.
Thanks. It does not show an error so far, from what I can tell. I might have to put this on a more actively targeted server now to see how well it does, as the test server hasn't got enough activity yet.
Note, I had the same problem, but CSF/LFD would not restart.
My fix, hoping it is correct, was that there is an additional parameter now required with CSF 14.16, so I added the "0" to disable the Cloudflare block (right at the end of the return).
Now CSF does restart on server reboot, and I am not seeing the hundreds of SASL attempts:
# Match a Postfix smtpd SASL failure in CUSTOM1_LOG; $1 captures the client IP.
# "SASL \S+" covers LOGIN, login and PLAIN mechanisms.
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL \S+ authentication failed/)) {
    # message, IP, rule id, trigger count, ports to block, temp-block seconds, Cloudflare block (0 = off)
    return ("Failed SASL login from",$1,"mysaslmatch","5","25,465,587,993,995","14400","0");
}
Tested good for:
Aug 3 01:50:05 server postfix/smtpd[17966]: warning: user-27-96-111-119.knology.net[27.96.111.119]: SASL LOGIN authentication failed:
and
Aug 3 01:50:02 server postfix/smtpd[17753]: warning: unknown[190.42.219.68]: SASL login authentication failed: authentication failure
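To check the rule's pattern and trigger level offline before it goes into regex.custom.pm, here is an added Python harness (not from the thread and not CSF's own code): it applies the same regex to constructed log lines modelled on the ones posted above, tallies failures per IP and reports which IPs reached the trigger count of 5. The per-IP tally only simulates how lfd counts hits for one rule id; the ports and trigger value are the ones from the return() line.

```python
import re
from collections import Counter

# Python form of the regex.custom.pm pattern discussed in the thread;
# "SASL \S+" accepts both "SASL LOGIN" and "SASL login".
SASL_FAIL = re.compile(
    r"^\S+\s+\d+\s+\S+ \S+ postfix/smtpd\[\d+\]: warning:.*"
    r"\[(\d+\.\d+\.\d+\.\d+)\]: SASL \S+ authentication failed"
)
TRIGGER = 5                    # trigger level from the thread's return() line
PORTS = "25,465,587,993,995"   # ports from the thread's return() line

# Constructed sample log, modelled on the lines posted in the thread.
SAMPLE_LOG = """\
Oct 24 17:26:46 cibilbndi postfix/smtpd[17230]: connect from unknown[185.234.216.132]
Oct 24 17:26:46 cibilbndi postfix/smtpd[17230]: warning: unknown[185.234.216.132]: SASL LOGIN authentication failed: Invalid authentication mechanism
Oct 24 17:30:06 cibilbndi postfix/anvil[17232]: statistics: max connection rate 1/60s for (smtp:185.234.216.132) at Oct 24 17:26:46
Oct 24 17:34:18 cibilbndi postfix/smtpd[17469]: warning: unknown[185.234.216.132]: SASL LOGIN authentication failed: Invalid authentication mechanism
Oct 24 17:41:57 cibilbndi postfix/smtpd[17523]: warning: unknown[185.234.216.132]: SASL LOGIN authentication failed: Invalid authentication mechanism
Oct 24 17:49:42 cibilbndi postfix/smtpd[17580]: warning: unknown[185.234.216.132]: SASL LOGIN authentication failed: Invalid authentication mechanism
Oct 24 17:57:30 cibilbndi postfix/smtpd[17641]: warning: unknown[185.234.216.132]: SASL LOGIN authentication failed: Invalid authentication mechanism
Aug 3 01:50:02 server postfix/smtpd[17753]: warning: unknown[190.42.219.68]: SASL login authentication failed: authentication failure
Aug 3 01:50:05 server postfix/smtpd[17966]: warning: user-27-96-111-119.knology.net[27.96.111.119]: SASL LOGIN authentication failed:
"""

def match_line(line):
    """Return the client IP if the line is a SASL auth failure, else None."""
    m = SASL_FAIL.search(line)
    return m.group(1) if m else None

def count_failures(log_text):
    """Tally failures per IP, the way lfd counts hits for one rule id."""
    hits = Counter()
    for line in log_text.splitlines():
        ip = match_line(line)
        if ip:
            hits[ip] += 1
    return hits

def ips_to_block(hits, trigger=TRIGGER):
    """IPs at or above the trigger level, i.e. those lfd would block."""
    return sorted(ip for ip, n in hits.items() if n >= trigger)

if __name__ == "__main__":
    hits = count_failures(SAMPLE_LOG)
    print(dict(hits))
    print("block on ports", PORTS, "->", ips_to_block(hits))
```

Lines from anvil and plain "connect from" lines do not match, so only real SASL failures count toward the trigger.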