How to configure CSF to permanent block wrong SMTP AUTH?

Maybe someone knows how to configure CSF to automatically and permanently block an IP which tries a wrong SMTP AUTH?

maillog:
Oct 24 17:26:46 cibilbndi postfix/smtpd[17230]: connect from unknown[185.234.216.132]
Oct 24 17:26:46 cibilbndi postfix/smtpd[17230]: warning: unknown[185.234.216.132]: SASL LOGIN authentication failed: Invalid authentication mechanism
Oct 24 17:26:46 cibilbndi postfix/smtpd[17230]: lost connection after AUTH from unknown[185.234.216.132]
Oct 24 17:26:46 cibilbndi postfix/smtpd[17230]: disconnect from unknown[185.234.216.132] ehlo=1 auth=0/1 commands=1/2
Oct 24 17:30:06 cibilbndi postfix/anvil[17232]: statistics: max connection rate 1/60s for (smtp:185.234.216.132) at Oct 24 17:26:46
Oct 24 17:30:06 cibilbndi postfix/anvil[17232]: statistics: max connection count 1 for (smtp:185.234.216.132) at Oct 24 17:26:46
Oct 24 17:30:06 cibilbndi postfix/anvil[17232]: statistics: max cache size 1 at Oct 24 17:26:46
Oct 24 17:34:18 cibilbndi postfix/smtpd[17469]: connect from unknown[185.234.216.132]
Oct 24 17:34:18 cibilbndi postfix/smtpd[17469]: warning: unknown[185.234.216.132]: SASL LOGIN authentication failed: Invalid authentication mechanism
Oct 24 17:34:18 cibilbndi postfix/smtpd[17469]: lost connection after AUTH from unknown[185.234.216.132]
Oct 24 17:34:18 cibilbndi postfix/smtpd[17469]: disconnect from unknown[185.234.216.132] ehlo=1 auth=0/1 commands=1/2
Oct 24 17:37:38 cibilbndi postfix/anvil[17471]: statistics: max connection rate 1/60s for (smtp:185.234.216.132) at Oct 24 17:34:18
Oct 24 17:37:38 cibilbndi postfix/anvil[17471]: statistics: max connection count 1 for (smtp:185.234.216.132) at Oct 24 17:34:18
Oct 24 17:37:38 cibilbndi postfix/anvil[17471]: statistics: max cache size 1 at Oct 24 17:34:18
Oct 24 17:41:57 cibilbndi postfix/smtpd[17523]: connect from unknown[185.234.216.132]
Oct 24 17:41:57 cibilbndi postfix/smtpd[17523]: warning: unknown[185.234.216.132]: SASL LOGIN authentication failed: Invalid authentication mechanism
Oct 24 17:41:57 cibilbndi postfix/smtpd[17523]: lost connection after AUTH from unknown[185.234.216.132]
Oct 24 17:41:57 cibilbndi postfix/smtpd[17523]: disconnect from unknown[185.234.216.132] ehlo=1 auth=0/1 commands=1/2
Oct 24 17:45:18 cibilbndi postfix/anvil[17525]: statistics: max connection rate 1/60s for (smtp:185.234.216.132) at Oct 24 17:41:57
Oct 24 17:45:18 cibilbndi postfix/anvil[17525]: statistics: max connection count 1 for (smtp:185.234.216.132) at Oct 24 17:41:57
Oct 24 17:45:18 cibilbndi postfix/anvil[17525]: statistics: max cache size 1 at Oct 24 17:41:57
Oct 24 17:49:42 cibilbndi postfix/smtpd[17580]: connect from unknown[185.234.216.132]
Oct 24 17:49:42 cibilbndi postfix/smtpd[17580]: warning: unknown[185.234.216.132]: SASL LOGIN authentication failed: Invalid authentication mechanism
Oct 24 17:49:42 cibilbndi postfix/smtpd[17580]: lost connection after AUTH from unknown[185.234.216.132]
Oct 24 17:49:42 cibilbndi postfix/smtpd[17580]: disconnect from unknown[185.234.216.132] ehlo=1 auth=0/1 commands=1/2
Oct 24 17:53:02 cibilbndi postfix/anvil[17582]: statistics: max connection rate 1/60s for (smtp:185.234.216.132) at Oct 24 17:49:42
Oct 24 17:53:02 cibilbndi postfix/anvil[17582]: statistics: max connection count 1 for (smtp:185.234.216.132) at Oct 24 17:49:42
Oct 24 17:53:02 cibilbndi postfix/anvil[17582]: statistics: max cache size 1 at Oct 24 17:49:42
Oct 24 17:57:30 cibilbndi postfix/smtpd[17641]: connect from unknown[185.234.216.132]
Oct 24 17:57:30 cibilbndi postfix/smtpd[17641]: warning: unknown[185.234.216.132]: SASL LOGIN authentication failed: Invalid authentication mechanism
Oct 24 17:57:30 cibilbndi postfix/smtpd[17641]: lost connection after AUTH from unknown[185.234.216.132]
Oct 24 17:57:30 cibilbndi postfix/smtpd[17641]: disconnect from unknown[185.234.216.132] ehlo=1 auth=0/1 commands=1/2

This would require some custom regex rules; the best place to get help or inspiration would be CSF's forum:
https://forum.configserver.com/viewtopic.php?f=6&t=8718

Has anyone got this working? CSF's LFD works great at detecting FTP etc., but mail is not, since it's focused on Exim instead of Postfix.

OK, in order to block SASL PLAIN authentication failures we need to add a custom regex.

  1. in /etc/csf/csf.conf define
    CUSTOM1_LOG = "/var/log/maillog"

  2. Add this regex to /usr/local/csf/bin/regex.custom.pm

# match Postfix smtpd SASL authentication failures in CUSTOM1_LOG; $1 is the client IP
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]* authentication failed/)) {
return ("Failed SASL login from",$1,"mysaslmatch","5","list of ports to block this IP","14400");
}

  3. restart CSF
    csf -r

Very useful, thank you very much

The above is close, but it is missing the ports to block, and also the regex throws an error:
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]* authentication failed/)) {
return ("Failed SASL login from",$1,"mysaslmatch","5","25,465,587,993,995","14400");
}

sed -i 's|^CUSTOM1_LOG =.*|CUSTOM1_LOG = "/var/log/maillog"|g' /etc/csf/csf.conf

# the heredoc delimiter is quoted so the shell does not expand $lgfile, $config{...}, $line and $1
# before they reach the file; note that >> appends after the last line of the file, whereas the
# rule has to sit inside the custom-rules section of regex.custom.pm
cat >> /usr/local/csf/bin/regex.custom.pm <<'EOL'
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
return ("Failed SASL login from",$1,"mysaslmatch","5","25,465,587,993,995","14400");
}
EOL

I was getting errors due to the eq stuff. Has anyone actually gotten this to work and tested it? If so, please provide full working code so we can add it to the CSF installer.

Regarding the ports: of course, they should be listed as needed.
I missed the eq error, as I was focused only on checking whether the block works, and it blocked the IP.

On my test it works well and bans after the 5th failed login:
lfd - (mysaslmatch) Failed SASL login from xx.xx.xx.xx (xx/xxxxxx/-): 5 in the last 3600 secs

Now I'm playing with the regex, but it seems that my phone doesn't want to connect to SMTP anymore :(

Please try this regex; for me it is running OK.

# only matches the smtps-labelled service (postfix/smtps/smtpd); lines logged by the plain
# postfix/smtpd service, as in the maillog at the top of the thread, will not match this rule
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtps\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]* authentication failed/)) {
return ("Failed SASL login from",$1,"mysaslmatch","5","25,465,587,993,995","14400");
}

Thanks. It does not show an error so far, from what I can tell. I might have to put this on a more actively targeted server now to see how well it does, as the test server hasn't got enough activity yet.

Put it within this section too.

Automating it to insert into this section is going to be tricky due to all the special characters.

Note: I had the same problem, but CSF/LFD would not restart.
My fix, hoping it is correct, was that there is an additional parameter now required with CSF 14.16, so I added the "0" to disable the Cloudflare block (right at the end of the return).
Now CSF does restart on server reboot, and I am not seeing the hundreds of SASL attempts:

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]* authentication failed/)) {
return ("Failed SASL login from",$1,"mysaslmatch","5","25,465,587,993,995","14400","0");
}

Note: updated further.
You can test your regex at https://regex101.com/

Tests good for:
Aug 3 01:50:05 server postfix/smtpd[17966]: warning: user-27-96-111-119.knology.net[27.96.111.119]: SASL LOGIN authentication failed:
and
Aug 3 01:50:02 server postfix/smtpd[17753]: warning: unknown[190.42.219.68]: SASL login authentication failed: authentication failure

using a regex of:
^\S+\s+\d+\s+\S+ \S+ postfix/smtpd\[\d+\]: warning:\s+\S+\[(\d+\.\d+\.\d+\.\d+)\]: SASL \S+ authentication failed

# \S+ for the mechanism name covers both "SASL LOGIN" and "SASL login"; the trailing "0" is the Cloudflare block flag
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:\s+\S+\[(\d+\.\d+\.\d+\.\d+)\]: SASL \S+ authentication failed/)) {
return ("Failed SASL login from",$1,"mysaslmatch","5","25,465,587,993,995","14400","0");
}
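As an added offline check (example code, not from this thread and not CSF's own code), the harness below runs the final regex from the thread, plus the earlier [A-Z]* variant, over a constructed maillog and tallies hits per IP inside a 3600-second window the way the lfd message quoted above ("5 in the last 3600 secs") suggests. Python is used only because its re module reads this Perl pattern unchanged; the pattern can be pasted back into regex.custom.pm with the slashes escaped. It goes one step beyond the thread, as an assumption of mine rather than anything CSF ships: the program field also accepts a labelled smtpd service such as postfix/smtps/smtpd or postfix/submission/smtpd, so one rule covers port 25, 465 and 587 instead of needing the separate smtps-only rule posted earlier. The sample log lines, the second client 198.51.100.7, the host 192.0.2.10 and the windowing logic are all constructed for the example; the window is an approximation of lfd's LF_INTERVAL tally, not lfd's code.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Final rule from the thread as a raw string.  Assumed widening (not CSF's rule):
# postfix/(?:\S+/)?smtpd also matches labelled services like postfix/smtps/smtpd.
# When pasting into a Perl /.../ match, escape the slashes: postfix\/(?:\S+\/)?smtpd
SASL_FAIL = re.compile(
    r'^\S+\s+\d+\s+\S+ \S+ postfix/(?:\S+/)?smtpd\[\d+\]: warning:\s+\S+'
    r'\[(\d+\.\d+\.\d+\.\d+)\]: SASL \S+ authentication failed'
)

# Earlier thread variant with [A-Z]* for the mechanism; kept to show what it misses.
UPPER_ONLY = re.compile(
    r'^\S+\s+\d+\s+\S+ \S+ postfix/(?:\S+/)?smtpd\[\d+\]: warning:.*'
    r'\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]* authentication failed'
)

TRIGGER = 5                     # "5" in the CSF return tuple
PORTS = "25,465,587,993,995"    # ports to block, as used in the thread
BLOCK_SECS = 14400              # block time, as used in the thread
LF_INTERVAL = 3600              # the "3600 secs" window shown in the lfd message

# CONSTRUCTED sample log (not a capture): the five failures from the thread's
# maillog, lines that must NOT count (connect/disconnect, a non-SASL warning),
# and two failures on labelled services from a second client under the trigger.
SAMPLE_LOG = """\
Oct 24 17:26:46 cibilbndi postfix/smtpd[17230]: connect from unknown[185.234.216.132]
Oct 24 17:26:46 cibilbndi postfix/smtpd[17230]: warning: unknown[185.234.216.132]: SASL LOGIN authentication failed: Invalid authentication mechanism
Oct 24 17:26:46 cibilbndi postfix/smtpd[17230]: disconnect from unknown[185.234.216.132] ehlo=1 auth=0/1 commands=1/2
Oct 24 17:34:18 cibilbndi postfix/smtpd[17469]: warning: unknown[185.234.216.132]: SASL LOGIN authentication failed: Invalid authentication mechanism
Oct 24 17:41:57 cibilbndi postfix/smtpd[17523]: warning: unknown[185.234.216.132]: SASL LOGIN authentication failed: Invalid authentication mechanism
Oct 24 17:45:00 cibilbndi postfix/smtpd[17540]: warning: hostname mail.example.net does not resolve to address 192.0.2.10
Oct 24 17:49:42 cibilbndi postfix/smtpd[17580]: warning: unknown[185.234.216.132]: SASL LOGIN authentication failed: Invalid authentication mechanism
Oct 24 17:50:02 cibilbndi postfix/smtps/smtpd[17600]: warning: unknown[198.51.100.7]: SASL login authentication failed: authentication failure
Oct 24 17:52:15 cibilbndi postfix/submission/smtpd[17610]: warning: host.example.org[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Oct 24 17:57:30 cibilbndi postfix/smtpd[17641]: warning: unknown[185.234.216.132]: SASL LOGIN authentication failed: Invalid authentication mechanism
"""


def custom_line(line, pattern=SASL_FAIL):
    """Mirror of the lfd custom rule: the tuple lfd expects on a hit, else None."""
    m = pattern.match(line)
    if m is None:
        return None
    return ("Failed SASL login from", m.group(1), "mysaslmatch",
            str(TRIGGER), PORTS, str(BLOCK_SECS), "0")


def matches(lines, pattern=SASL_FAIL):
    """Client IP of every line the pattern catches, in log order."""
    return [hit[1] for hit in (custom_line(l, pattern) for l in lines) if hit]


def _syslog_time(line, year):
    # syslog lines carry no year; one is supplied so the window can be computed
    month, day, clock = line.split()[:3]
    return datetime.strptime(f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")


def scan(lines, interval=LF_INTERVAL, year=2019):
    """Replay the log through the rule with a sliding window (an approximation
    of lfd's LF_INTERVAL tally, not lfd's code): an IP is reported the first
    time it reaches TRIGGER hits inside `interval` seconds.  Returns
    {ip: message} shaped like the lfd log line quoted in the thread."""
    window = timedelta(seconds=interval)
    recent = defaultdict(list)
    blocked = {}
    for line in lines:
        hit = custom_line(line)
        if hit is None:
            continue
        ip, ts = hit[1], _syslog_time(line, year)
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if ip not in blocked and len(recent[ip]) >= int(hit[3]):
            blocked[ip] = (f"lfd - ({hit[2]}) {hit[0]} {ip}: "
                           f"{len(recent[ip])} in the last {interval} secs")
    return blocked


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(f"{len(matches(lines))} failures matched, "
          f"{len(matches(lines, UPPER_ONLY))} with the [A-Z]* variant")
    for msg in scan(lines).values():
        print(msg)
```

Running it reports 7 matched failures against 6 for the [A-Z]* variant (the lowercase "SASL login" line is the one it drops) and a single block message for 185.234.216.132 on its fifth hit; the second client never reaches the trigger. Two caveats worth keeping in mind when moving the pattern into regex.custom.pm: the capture group is IPv4-only, so clients Postfix logs as [IPv6:...] are silently ignored, and a stray quote or backslash in the Perl file is what stops lfd restarting, so on a host with CSF installed `perl -c /usr/local/csf/bin/regex.custom.pm` before `csf -r` is a cheaper check than regex101.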