fail2ban regex for smtp_auth - fail2ban

I am NO GOOD at regex, and as such I cannot seem to match the Plesk mail log string that indicates a brute-force SMTP attack.
My log looks like this:
May 19 03:24:58 gohhllc smtp_auth[22702]: SMTP connect from mail.globaltrbilisim.com [213.144.99.201]
May 19 03:24:58 gohhllc smtp_auth[22702]: No such user 'chuong@drophit.net' in mail authorization database
May 19 03:24:58 gohhllc smtp_auth[22702]: FAILED: chuong@drophit.net - password incorrect from mail.globaltrbilisim.com [213.144.99.201]
In some cases it also looks like this:
May 19 03:25:22 gohhllc smtp_auth[23056]: SMTP connect from 89-97-124-22.fweds-spc.it [89.97.124.22]
May 19 03:25:22 gohhllc smtp_auth[23056]: FAILED: element - password incorrect from 89-97-124-22.fweds-spc.it [89.97.124.22]
My regex attempts, to match both username and password failures, look like this:
failregex = No such user '.*' in mail authorization database
FAILED: .* - password incorrect from [<HOST>]
Along with 20+ other combos, to no avail; most of the time the result is an error like this:
Unable to compile regular expression 'FAILED:
Thanks

I worked through this and, using http://www.regexr.com/, I was able to write a fairly easy regex (I guess I'm getting better at it) to make this work.
The resulting statement for smtp-auth when using Plesk and Qmail (at least on my server) is:
failregex = FAILED: [-/\w]+ - password incorrect from <HOST>
As for "no such user" entries, I was unable to make this work, as there is no hostname in the log file for this entry and fail2ban requires the hostname :(

Related

Fail2Ban how to match any string

I have a very simple situation but I can't figure out how regex works...
I have an application generating a log only when a login problem occurs. So there is no line in the log except in the case of a wrong login or an attempt to reset a password too many times. So potentially I don't even need to search for a particular string in the log; any entry matches. Here is a log example:
2019-10-20 18:44:35 127.0.0.1 login.php : Authentication error - account not initialized : client XXXX, login YYYY
2019-10-20 21:31:17 127.0.0.1 login.php : Authentication error - password error : client XXXX, login XXXX
2019-10-20 21:29:39 127.0.0.1 login.php : Authentication error - client contains wrong chars : client XXXX, login YYYY
2019-10-21 06:25:25 127.0.0.1 login.php : Authentication error - account locked : client XXXX, login YYYY
2019-10-21 06:48:11 127.0.0.1 user.php : Authentication - Unlocking : client XXXX, login YYYYY
I have a problem with regular expressions because I can't understand how they work (for years). All I tried gives me errors when I start fail2ban: Unable to compile regular expression, No failure-id group in 'Authentication error', ... Damn, it looks so easy!
Finally...
[INCLUDES]
before = common.conf
[Definition]
failregex = <HOST> .* Authentication
Please note this works, but I found it without understanding anything. It would help if someone had a link where how fail2ban works is explained. I found many, but none of them have clear explanations.
The main trick is the fact that error.log files look different from the tutorials, and you need to rewrite failregex manually. Another trick is that <HOST> is a predefined regexp that tries to match an IP, but it could match something like a datetime instead.
In a case like
[Tue Nov 08 03:03:03.349852] bla-bla [client 1.2.3.4:5] bla-bla xxx bla-bla
where you're banning when xxx appears:
[Definition]
failregex = client <HOST>(.*)xxx
Sadly, a quick Google search on fail2ban and the tutorials indeed explain little. I also wanted to ban by simple string match.
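An added example serving both fail2ban posts above (it is not code from either poster or from fail2ban itself): this Python script expands <HOST> the way fail2ban does and runs each failregex against constructed copies of the quoted log lines, showing what each regex captures, why "[<HOST>]" fails to compile, and why a line without a host cannot be used. The timestamp-stripping regex, the bracket-anchored variant that captures the IP instead of the hostname, and the sample lines (with the scraped "#" in addresses restored to "@") are this example's own assumptions.

```python
import re

# fail2ban's own expansion of <HOST> (from its regex.py): a bare run of word characters,
# dots and dashes. Surrounding "[...]" brackets in the log line are not part of it.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Assumed stand-in for fail2ban's date detector, which cuts the timestamp out before matching.
DATE_RE = re.compile(r"^(?:[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d|\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ")

# Constructed copies of the log lines quoted in the two posts above.
SMTP_AUTH_LOG = [
    "May 19 03:24:58 gohhllc smtp_auth[22702]: SMTP connect from mail.globaltrbilisim.com [213.144.99.201]",
    "May 19 03:24:58 gohhllc smtp_auth[22702]: No such user 'chuong@drophit.net' in mail authorization database",
    "May 19 03:24:58 gohhllc smtp_auth[22702]: FAILED: chuong@drophit.net - password incorrect from mail.globaltrbilisim.com [213.144.99.201]",
    "May 19 03:25:22 gohhllc smtp_auth[23056]: FAILED: element - password incorrect from 89-97-124-22.fweds-spc.it [89.97.124.22]",
]
LOGIN_PHP_LOG = [
    "2019-10-20 21:31:17 127.0.0.1 login.php : Authentication error - password error : client XXXX, login XXXX",
    "2019-10-21 06:48:11 127.0.0.1 user.php : Authentication - Unlocking : client XXXX, login YYYYY",
]

def compile_failregex(failregex):
    """Expand <HOST> as fail2ban does and compile. With no <HOST> there is nothing to
    ban, which is why the 'No such user' line (no host in it) cannot be used."""
    if "<HOST>" not in failregex:
        raise ValueError("failregex has no <HOST> tag, so there is nothing to ban")
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))

def compile_error(failregex):
    """Return the re.error message for a failregex that does not compile, else None."""
    try:
        compile_failregex(failregex)
    except re.error as exc:
        return str(exc)
    return None

def matched_hosts(failregex, lines):
    """<host> captured from every line the failregex matches, timestamp removed first."""
    rx = compile_failregex(failregex)
    hits = (rx.search(DATE_RE.sub("", line, count=1)) for line in lines)
    return [m.group("host") for m in hits if m]

if __name__ == "__main__":
    # "[<HOST>]" becomes a character class after expansion: the first post's compile error.
    print(compile_error(r"FAILED: .* - password incorrect from [<HOST>]"))
    # Accepted answer: bans the hostname, and skips usernames that contain "@" or ".".
    print(matched_hosts(r"FAILED: [-/\w]+ - password incorrect from <HOST>", SMTP_AUTH_LOG))
    # Putting <HOST> inside the brackets bans the IP for both FAILED lines.
    print(matched_hosts(r"FAILED: \S+ - password incorrect from \S+ \[<HOST>\]", SMTP_AUTH_LOG))
    # Second post's regex: also matches the "Unlocking" line, not only "Authentication error".
    print(matched_hosts(r"<HOST> .* Authentication", LOGIN_PHP_LOG))
```

The same checks can be run against a real filter with fail2ban's own fail2ban-regex tool; this script only makes the <HOST> expansion visible.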

Not able to authenticate SMTP clients on Debian+Postfix+SASL with rimap

I'm having a strange problem. I followed a few guides from the net. My goal is to create a Postfix SMTP server that will use Cyrus SASL to authenticate users upon sending email against a different IMAP server.
To make it all simpler: I have to transfer/replace the current SMTP server with a new one, as the current one is on a public cloud and gets on blacklists pretty often.
What I managed so far is:
Working Postfix
Authentication working when using:
testsaslauthd -u user@domain.com -p password
I'm getting OK "Success", so I assume SASL itself works.
When I invoke saslfinger -s
I'm getting:
There is no smtpd.conf that defines what SASL should do for Postfix.
SMTP AUTH can't work!
but it seems that all is fine within the configuration files:
/etc/postfix/sasls/smtp.conf:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
/etc/postfix/main.cf:
smtpd_recipient_restrictions = reject_invalid_hostname,
permit permit_mynetworks,
permit_sasl_authenticated
disable_vrfy_command = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
/etc/default/saslauthd-postfix:
START=yes
MECHANISMS="rimap"
MECH_OPTIONS="domain.com -r"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
I'm running Postfix chrooted, so I had to create a symlink, but like I said, it all seems to work independently; it just needs to be linked somehow.
When I try to set up the account in Outlook, I get "wrong name or password".
The log on Debian says:
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: unknown[192.168.108.1]: SASL NTLM authentication failed: authentication failure
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: SASL authentication failure: unable to canonify user and get auxprops
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: unknown[192.168.108.1]: SASL DIGEST-MD5 authentication failed: authentication failure
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: unknown[192.168.108.1]: SASL LOGIN authentication failed: authentication failure
May 11 23:35:43 smtp-test postfix/smtpd[741]: lost connection after AUTH from unknown[192.168.108.1]
May 11 23:35:43 smtp-test postfix/smtpd[741]: disconnect from unknown[192.168.108.1]
The strange thing is that it tries NTLM (not mentioned anywhere) instead of RIMAP, and cannot make a canonical name for the user even after adding the -r switch that should combine the name and realm/domain name.
I guess that is related to the first warning from saslfinger, but I cannot find the cause.
All updated to newest available versions.
Any help?

LDAP cannot authenticate

I was following this guide to set up an LDAP server on CentOS 6.6: http://www.learnitguide.net/2016/01/configure-openldap-server-on-rhel7.html. I know the guide is for RHEL, but I think the vast majority of steps should be the same. I went through the tutorial and everything seems to work right except for SSHing into the server as an LDAP user. As root I am able to su to any LDAP user. getent passwd username returns appropriate results. But every time I try to ssh in as a user I get permission denied, and these messages show up in /var/log/secure:
Aug 8 22:13:14 servername sshd[5900]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhostname user=username
Aug 8 22:13:14 servername sshd[5900]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhostname user=username
Aug 8 22:13:14 servername sshd[5900]: pam_sss(sshd:auth): received for user username: 6 (Permission denied)
Aug 8 22:13:17 servername sshd[5900]: Failed password for username from rhostIPaddress port 34758 ssh2
I was hoping maybe someone may know of a step that the guide left out that would cause this behavior. Thanks.
Turns out the self signed certificate I was using needed to have the IP address as the common name as opposed to the FQDN, not sure why that is but it's working now.
Information that can help others.
In my case this message was a time difference problem between the FreeIPA server and the clients. The command systemctl status sssd -l presented the message (skew clock too great).
This message from the Kerberos authentication server appears if the time difference between the servers is too large (more than three or four minutes).
OS: Ubuntu Server

How configure roundcube to work with imaps?

I recently installed Postfix and Dovecot to set up a mail server on my own VPS (using this tutorial: Email with Postfix, Dovecot, Mysql).
The IMAPS server uses port 993 for authentication, and Postfix uses port 25 to send mail.
In this tutorial, users are stored in a database (so IMAPS uses MySQL to authenticate users).
I'm sure everything works fine with IMAPS and Postfix, because a few days ago I installed the KMail client (on my Linux) and received mail from my server. Sending mail also works fine: I sent a mail to Gmail and Google received it without a problem (in my "Gmail inbox", not the spam folder).
So to get to my emails from a webmail client, I installed Roundcube in the /var/www/mail directory.
I configured Roundcube many times, but each time it gives me this error:
IMAP Error: Login failed for [me@mydomain] from X.x.X.x . Empty startup greeting (localhost:993) in /var/www/mm/program/lib/Roundcube/rcube_imap.php on line 184 (POST /mm/?_task=login?_task=login&_action=login)
When I log in from Roundcube, the IMAP server says (in /var/log/mail.log):
May 20 07:05:16 my-server dovecot: imap-login: Disconnected (no auth attempts): rip=::1, lip=::1, TLS handshaking: Disconnected
Here is my Roundcube config file:
$config['db_dsnw'] = 'mysql://roundcubeuser:myPassword@localhost/roundcubemail';
// ----------------------------------
// IMAP
// ----------------------------------
$config['debug_level'] = 13;
$config['default_host'] = 'ssl://127.0.0.1';
$config['default_port'] = 993;
// ----------------------------------
// SMTP
// ----------------------------------
$config['smtp_server'] = 'ssl://localhost';
What's the problem? I really have no idea what is happening!
Thank you.
I've been using postfix + dovecot + roundcube for a few months now and it's working for me. In my configuration, postfix rejects plaintext sessions, so roundcube has to connect with SSL, and it's working.
This is from my main.inc.php. I don't remember editing anything here, it's just the initial config created during the installation.
Now that I'm looking at it, default_port doesn't make any sense, I think it's just ignored.
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// Supported replacement variables:
// %n - http hostname ($_SERVER['SERVER_NAME'])
// %d - domain (http hostname without the first part)
// %s - domain name after the '@' from e-mail address provided at login screen
// For example %n = mail.domain.tld, %d = domain.tld
// TCP port used for IMAP connections
$rcmail_config['default_port'] = 143;
$rcmail_config['default_host'] = array("ssl://localhost:993");
// TCP port used for IMAP connections
$rcmail_config['default_port'] = 143;
In case the other answer does not work, this is what worked for me. My config.inc.php now contains:
$config['default_host'] = 'ssl://localhost';
$config['default_port'] = 993;
NOTE: using tls://localhost did not work for me. I had to specify ssl:// as the URI scheme.
Via PhpMyAdmin, I also ran this SQL command (all my user accounts are on the same machine that runs RoundCube):
UPDATE `rc_users` SET `mail_host`='ssl://localhost'
I got the port number 993 from running sudo netstat -tulnp in order to determine the port on which Dovecot was listening.

How Can I Tell what Username RSH sends from SUA?

I am on a Windows Vista 64-bit Enterprise machine with Subsystem for Unix Applications installed and the applications downloaded. I am attempting to use RSH to connect to a FreeBSD server. The command I would like to execute is:
rsh host.suffix1.company.com command
The .rhosts file in my home directory on host.suffix1.company.com looks like this:
+ myusername
+ mydomain\myusername
+ mydomain/myusername
+ myusername@mydomain
+ +
mycomputer.suffix2 myusername
mycomputer.suffix2 +
mycomputer.suffix2.company.com myusername
mycomputer.suffix2.company.com +
I know + + is bad, but let's ignore that for now. When I run this:
rsh host.suffix1.company.com command
I get the following error:
rshd: Login incorrect.
However, when I run
rsh -l myusername host.suffix1.company.com command
this works flawlessly. What I'd like to know is:
What is SUA sending as the username when I don't specify it via -l?
How can I change what SUA is sending?
I'm assuming that here SUA is sending some form of mydomain\myusername, but I'm wondering what other entries I might need to make to the rhosts file to allow this and why the + + isn't allowing this?
I would guess that examining syslog (or another appropriate log?) on the FreeBSD box could give you the login name from the failed login. On my Linux machine I get lines like the following from the frequent SSH attacks:
May 19 19:57:40 anton sshd[29795]: Failed password for invalid user mercedes from 124.217.246.181 port 49198 ssh2
May 19 19:57:40 anton sshd[29796]: Received disconnect from 124.217.246.181: 11: Bye Bye
May 19 19:57:45 anton unix_chkpwd[29802]: password check failed for user (games)
May 19 19:57:45 anton sshd[29799]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ns1.1oasis.net user=games
May 19 19:57:48 anton sshd[29799]: Failed password for games from 124.217.246.181 port 49956 ssh2
This is from sshd, but I would be surprised if rshd is not able to log something similar (although it might be off by default and need to be enabled).
As for guesses on where the rsh client made by Microsoft gets the name from, I have a few ideas. A traditional Unix rsh would of course get the name from /etc/passwd, reading it indirectly with getpwent() (failing that, it might fall back to the environment variables LOGNAME or USER?). Is "myusername" present in c:\windows\system\etc\passwd (or whatever SUA maps as /etc/passwd)?