diary at Telent Netowrks

Fail2ban or ban 2 fail#

Tue, 22 Dec 2020 20:52:45 +0000

One of the things that made yesterday's "why does google hate me" (I suppose it is fair to say that the feeling is mutual) introspection so frustrating was the sheer volume of crap that cascades through my syslog systemd journal making it quite hard to see what's going on. Most of it seems to be bots trying not-very-hard to look for open SMTP relays, and a particularly tedious strain is the ones that try to authenticate as

Apr 04 12:46:20 vritual postfix/smtpd[5250]: warning:
 unknown[]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

I really do literally mean UGFzc3dvcmQ6 there. A web search will confirm that I'm not the only one to see this, and it's not the string of random alphanumerics you might think it is on first glance:

$ echo -n Password: | base64 

So I thought I might see about applying the banhammer, and as fail2ban is included in NixOS, let's set ourselves up a rule. This required a lot of futzing around in the "obvious in retrospect" space, so here is what I did that eventually worked.

  environment.etc."fail2ban/filter.d/postfix-login-failed.conf".text = ''

before = common.conf


_daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?

failregex = warning:.*\[<HOST>\]: SASL LOGIN authentication failed: UGFzc3dvcmQ6$ ignoreregex =


journalmatch = _SYSTEMD_UNIT=postfix.service


services.fail2ban.jails.postfix-login-failed = '' filter = postfix-login-failed enabled = true action = iptables-multiport[name=SMTP, port="smtp,submission,submissions,imap,imaps"] '';

Things to look out for:

Observationally, most of the hosts trying to login to my server with the password Password: seem to be the same ones trying to send mail in six other ways, so this rule cuts out a lot of all the kinds of postfix lognoise.