Fail2ban or ban 2 fail
Tue, 22 Dec 2020 20:52:45 +0000
One of the things that made yesterday's "why does google hate me" (I
suppose it is fair to say that the feeling is mutual) introspection so
frustrating was the sheer volume of crap that cascades through my
syslog systemd journal making it quite hard to see what's going
on. Most of it seems to be bots trying not-very-hard to look for open
SMTP relays, and a particularly tedious strain is the ones that try to
    Apr 04 12:46:20 vritual postfix/smtpd: warning: unknown[220.127.116.11]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
I really do literally mean UGFzc3dvcmQ6 there. A web search will confirm that I'm not the only one to see this, and it's not the string of random alphanumerics you might think it is at first glance:

    $ echo -n Password: | base64
    UGFzc3dvcmQ6
So I thought I might see about applying the banhammer, and as fail2ban is included in NixOS, let's set ourselves up a rule. This required a lot of futzing around in the "obvious in retrospect" space, so here is what I did that eventually worked.
    environment.etc."fail2ban/filter.d/postfix-login-failed.conf".text = ''
      [INCLUDES]
      before = common.conf

      # failregex, ignoreregex and journalmatch are read from the Definition
      # section; fail2ban only looks for "before"/"after" under INCLUDES.
      [Definition]
      _daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
      failregex = warning:.*\[<HOST>\]: SASL LOGIN authentication failed: UGFzc3dvcmQ6$
      ignoreregex =
      journalmatch = _SYSTEMD_UNIT=postfix.service
    '';

    services.fail2ban.jails.postfix-login-failed = ''
      filter = postfix-login-failed
      enabled = true
      action = iptables-multiport[name=SMTP, port="smtp,submission,submissions,imap,imaps"]
    '';
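Before deploying a filter it is worth checking that the failregex matches exactly the lines you mean it to and nothing else. The script below is an added example, not code from the post: it expands fail2ban's <HOST> placeholder into a capturing group the way fail2ban does internally (simplified here to IPv4 only; the real expansion also matches IPv6 and hostnames), runs the regex over a few constructed journal lines in the same shape as the one above, and decodes the base64 marker so you can see why it is safe to anchor on it. The sample lines, addresses and function names are all mine.

```python
import base64
import re

# Constructed sample journal lines in the shape of the post's example (not
# real log data). Only the first one carries the base64 "Password:" marker.
SAMPLE_LINES = [
    "Apr 04 12:46:20 vritual postfix/smtpd[1234]: warning: unknown[192.0.2.10]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Apr 04 12:46:21 vritual postfix/smtpd[1234]: warning: unknown[192.0.2.11]: "
    "SASL LOGIN authentication failed: generic failure",
    "Apr 04 12:46:22 vritual postfix/smtpd[1234]: connect from unknown[192.0.2.12]",
    # Trailing data after the marker must NOT match, because of the $ anchor.
    "Apr 04 12:46:23 vritual postfix/smtpd[1234]: warning: unknown[192.0.2.13]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6 extra",
]

# The failregex exactly as written in the filter file, with fail2ban's <HOST>
# placeholder still in place.
FAILREGEX = r"warning:.*\[<HOST>\]: SASL LOGIN authentication failed: UGFzc3dvcmQ6$"

# Assumption for this demo: <HOST> becomes an IPv4-only named group. fail2ban's
# own expansion is broader (IPv6, hostnames) but the mechanism is the same.
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_failregex(failregex: str) -> re.Pattern:
    """Substitute <HOST> with a capturing group and compile, as fail2ban does."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def offending_hosts(lines, failregex: str = FAILREGEX) -> list:
    """Return the hosts the filter would report, in order of appearance.

    fail2ban applies failregex with re.search, so the pattern does not need
    to be anchored at the start of the line; the $ at the end still applies.
    """
    pattern = compile_failregex(failregex)
    hosts = []
    for line in lines:
        match = pattern.search(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


def decode_marker(token: str) -> str:
    """Decode the base64 blob seen in the log line back to its plaintext."""
    return base64.b64decode(token).decode()


if __name__ == "__main__":
    print("marker decodes to:", repr(decode_marker("UGFzc3dvcmQ6")))
    print("hosts the filter would ban:", offending_hosts(SAMPLE_LINES))
```

For the real thing, fail2ban ships `fail2ban-regex`, which takes a log source (a file, or `systemd-journal` for the journald backend) and a filter name and reports which lines matched and which hosts were extracted; running it against the live journal before enabling the jail is the check that catches an over-broad regex before it bans a legitimate client.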
Things to look out for:

- /etc/fail2ban/filter.d is full of filter rules (essentially, regexes plus boilerplate) - none of them are applicable to this quite specific use case, but we can add our own file to that directory.
- the journalmatch entry is copied from
- you need enabled = true because otherwise it seems to default false.
Observationally, most of the hosts trying to log in to my server with the password Password: seem to be the same ones trying to send mail in six other ways, so this rule cuts out a lot of all kinds of postfix lognoise.