Score:0

FAIL2BAN filters. Is there any filter for this intrusion by internet search scanners?

vn flag
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: connection established
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: master_notify: status 0
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: name_mask: resource
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: name_mask: software
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: connect from scanner-05.ch1.censys-scanner.com[162.142.125.57]
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_list_match: scanner-05.ch1.censys-scanner.com: no match
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_list_match: 162.142.125.57: no match
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_hostname: smtpd_authorized_xforward_hosts: scanner-05.ch1.censys-scanner.com ~? 12>
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_hostaddr: smtpd_authorized_xforward_hosts: 162.142.125.57 ~? 127.0.0.0/8
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_hostname: smtpd_authorized_xforward_hosts: scanner-05.ch1.censys-scanner.com ~? [:>
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_hostaddr: smtpd_authorized_xforward_hosts: 162.142.125.57 ~? [::1]/128
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_list_match: scanner-05.ch1.censys-scanner.com: no match
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_list_match: 162.142.125.57: no match
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: smtp_stream_setup: maxtime=3600 enable_deadline=0
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_list_match: scanner-05.ch1.censys-scanner.com: no match
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: match_list_match: 162.142.125.57: no match
Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[670231]: auto_clnt_open: connected to private/anvil

This is all over my syslog.

I don't see any filters in fail2ban.

How do I write filters?

I wrote a regex to capture all of those IP addresses:

push (@matches,$&) while($search_contents =~ /$regex/gm);

Next, I need to find a way to create a filter in fail2ban.

Can you give me a full file, like postfix.conf? Here is postfix.conf:
# Fail2Ban filter for selected Postfix SMTP rejections
#
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
_port = (?::\d+)?

prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$

mdpr-normal = (?:NOQUEUE: reject:|improper command pipelining after \S+)
mdre-normal=^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.1 (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.1 (<[^>]*>)?: Helo command rejected: Host not found\b
            ^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.2 (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
            ^VRFY from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s
            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.8 (<[^>]*>)?: Sender address rejected: Domain not found\b
            ^from [^[]*\[<HOST>\]%(_port)s:?

mdpr-auth = warning:
mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
mdre-auth2= ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
# todo: check/remove "Invalid authentication mechanism" from ignore list, if gh-1243 will get finished (see gh-1297).

# Mode "rbl" currently included in mode "normal", but if needed for jail "postfix-rbl" only:
mdpr-rbl = %(mdpr-normal)s
mdre-rbl  = ^RCPT from [^[]*\[<HOST>\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b

# Mode "rbl" currently included in mode "normal" (within 1st rule)
mdpr-more = %(mdpr-normal)s
mdre-more = %(mdre-normal)s

mdpr-ddos = lost connection after(?! DATA) [A-Z]+
mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?

mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
mdre-extra = %(mdre-auth)s
            %(mdre-normal)s

mdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s)
mdre-aggressive = %(mdre-auth2)s
                  %(mdre-normal)s

# Attempt at a "scanner" mode (see the question). As written these cannot be used:
# a failregex needs a <HOST> or <ADDR> tag so fail2ban can extract the address
# to ban, and prefregex/failregex only pick these up when mode = scanner.
mdre-scanner=(?<=match: )(.*)(?=: no match)
mdpr-scanner=(?<=match: )(.*)(?=: no match)

failregex = <mdre-<mode>>

# Parameter "mode": more (default combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
# Usage example (for jail.local):
#   [postfix]
#   mode = aggressive
#   # or another jail (rewrite filter parameters of jail):
#   [postfix-rbl]
#   filter = postfix[mode=rbl]
#
mode = more

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service

# Author: Cyril Jaquier

Weird. I found the postfix-sasl filter on mediatemple, not on Amazon Lightsail Postfix.

That postfix-sasl filter works on SASL failures.

Now I need to use it to match this "no match" error. Who is trying to log in to my server, and how did they get my IP address? Does Plesk give it out, or MXLookup (which I used to check that email was working)?

Here is postfix-sasl.conf. Can someone explain each line, and how do I use it on the "no match" login errors?

# Fail2Ban filter for postfix authentication failures
#


[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$

ignoreregex = authentication failed: Connection lost to authentication server$

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service


# Author: Yaroslav Halchenko


I got this, but I don't see fail2ban banning any IP with nomatch. I ran:

fail2ban-regex -v /var/log/maillog /etc/fail2ban/filter.d/nomatch

Running tests
=============

Use   failregex filter file : nomatch, basedir: /etc/fail2ban
Use      datepattern : Default Detectors
Use         log file : /var/log/maillog
Use         encoding : UTF-8


Results
=======

Failregex: 100 total
|-  #) [# of hits] regular expression
|   1) [81] ^match_list_match: <ADDR>: <F-NOFAIL>no match</F-NOFAIL>
|      152.32.131.196  Fri Jan 21 06:52:15 2022
|      152.32.131.196  Fri Jan 21 06:52:15 2022
|      152.32.131.196  Fri Jan 21 06:52:15 2022
|      152.32.131.196  Fri Jan 21 06:52:15 2022
|      152.32.131.196  Fri Jan 21 06:52:16 2022
|      45.33.78.63  Fri Jan 21 07:01:15 2022
|      45.33.78.63  Fri Jan 21 07:01:15 2022
|      45.33.78.63  Fri Jan 21 07:01:17 2022
|      139.162.99.243  Fri Jan 21 08:19:03 2022
|      139.162.99.243  Fri Jan 21 08:19:03 2022
|      139.162.99.243  Fri Jan 21 08:19:03 2022
|      139.162.99.243  Fri Jan 21 08:19:03 2022
|      162.142.125.41  Fri Jan 21 08:48:58 2022
|      162.142.125.41  Fri Jan 21 08:48:58 2022
|      162.142.125.41  Fri Jan 21 08:48:58 2022
|      162.142.125.41  Fri Jan 21 08:48:58 2022
|      162.142.125.41  Fri Jan 21 08:48:58 2022
|      45.56.101.55  Fri Jan 21 10:13:22 2022
|      45.56.101.55  Fri Jan 21 10:13:22 2022
|      45.56.101.55  Fri Jan 21 10:13:22 2022
|      45.56.101.55  Fri Jan 21 10:13:22 2022
|      45.56.101.55  Fri Jan 21 10:13:22 2022
|      162.142.125.42  Fri Jan 21 10:31:18 2022
|      162.142.125.42  Fri Jan 21 10:31:18 2022
|      162.142.125.42  Fri Jan 21 10:31:19 2022
|      162.142.125.42  Fri Jan 21 10:31:19 2022
|      162.142.125.42  Fri Jan 21 10:31:19 2022
|      45.79.158.51  Fri Jan 21 11:02:09 2022
|      45.79.158.51  Fri Jan 21 11:02:09 2022
|      45.79.158.51  Fri Jan 21 11:02:11 2022
|      104.206.128.26  Fri Jan 21 12:07:17 2022
|      104.206.128.26  Fri Jan 21 12:07:17 2022
|      104.206.128.26  Fri Jan 21 12:07:17 2022
|      45.33.95.172  Fri Jan 21 12:15:12 2022
|      45.33.95.172  Fri Jan 21 12:15:12 2022
|      45.33.95.172  Fri Jan 21 12:15:12 2022
|      45.33.95.172  Fri Jan 21 12:15:12 2022
|      45.33.95.172  Fri Jan 21 12:15:12 2022
|      192.241.219.199  Fri Jan 21 13:24:46 2022
|      192.241.219.199  Fri Jan 21 13:24:46 2022
|      192.241.219.199  Fri Jan 21 13:24:46 2022
|      45.79.178.163  Fri Jan 21 14:13:30 2022
|      45.79.178.163  Fri Jan 21 14:13:30 2022
|      45.79.178.163  Fri Jan 21 14:13:30 2022
|      45.79.178.163  Fri Jan 21 14:13:30 2022
|      45.79.178.163  Fri Jan 21 14:13:30 2022
|      96.126.109.15  Fri Jan 21 16:13:44 2022
|      96.126.109.15  Fri Jan 21 16:13:44 2022
|      96.126.109.15  Fri Jan 21 16:13:44 2022
|      96.126.109.15  Fri Jan 21 16:13:44 2022
|      96.126.109.15  Fri Jan 21 16:13:44 2022
|      66.240.236.116  Fri Jan 21 17:29:42 2022
|      66.240.236.116  Fri Jan 21 17:29:42 2022
|      66.240.236.116  Fri Jan 21 17:29:42 2022
|      66.240.236.116  Fri Jan 21 17:29:43 2022
|      69.164.210.216  Fri Jan 21 18:13:10 2022
|      69.164.210.216  Fri Jan 21 18:13:10 2022
|      69.164.210.216  Fri Jan 21 18:13:10 2022
|      69.164.210.216  Fri Jan 21 18:13:10 2022
|      69.164.210.216  Fri Jan 21 18:13:10 2022
|      164.90.197.27  Fri Jan 21 19:06:22 2022
|      164.90.197.27  Fri Jan 21 19:06:22 2022
|      164.90.197.27  Fri Jan 21 19:06:22 2022
|      164.90.197.27  Fri Jan 21 19:06:52 2022
|      45.56.99.23  Fri Jan 21 20:14:25 2022
|      45.56.99.23  Fri Jan 21 20:14:25 2022
|      45.56.99.23  Fri Jan 21 20:14:25 2022
|      45.56.99.23  Fri Jan 21 20:14:25 2022
|      45.56.99.23  Fri Jan 21 20:14:25 2022
|      178.79.189.233  Fri Jan 21 20:22:36 2022
|      178.79.189.233  Fri Jan 21 20:22:36 2022
|      178.79.189.233  Fri Jan 21 20:22:36 2022
|      178.79.189.233  Fri Jan 21 20:22:38 2022
|      162.142.125.44  Fri Jan 21 20:29:10 2022
|      162.142.125.44  Fri Jan 21 20:29:10 2022
|      162.142.125.44  Fri Jan 21 20:29:10 2022
|      162.142.125.44  Fri Jan 21 20:29:10 2022
|      162.142.125.44  Fri Jan 21 20:29:10 2022
|      45.56.104.184  Fri Jan 21 21:00:33 2022
|      45.56.104.184  Fri Jan 21 21:00:33 2022
|      45.56.104.184  Fri Jan 21 21:00:35 2022
|   2) [19] ^auto_clnt_open: connected to private/anvil
|      152.32.131.196  Fri Jan 21 06:52:15 2022
|      45.33.78.63  Fri Jan 21 07:01:17 2022
|      139.162.99.243  Fri Jan 21 08:19:03 2022
|      162.142.125.41  Fri Jan 21 08:48:58 2022
|      45.56.101.55  Fri Jan 21 10:13:22 2022
|      162.142.125.42  Fri Jan 21 10:31:19 2022
|      45.79.158.51  Fri Jan 21 11:02:11 2022
|      104.206.128.26  Fri Jan 21 12:07:17 2022
|      45.33.95.172  Fri Jan 21 12:15:12 2022
|      192.241.219.199  Fri Jan 21 13:24:46 2022
|      45.79.178.163  Fri Jan 21 14:13:30 2022
|      96.126.109.15  Fri Jan 21 16:13:44 2022
|      66.240.236.116  Fri Jan 21 17:29:42 2022
|      69.164.210.216  Fri Jan 21 18:13:10 2022
|      164.90.197.27  Fri Jan 21 19:06:22 2022
|      45.56.99.23  Fri Jan 21 20:14:25 2022
|      178.79.189.233  Fri Jan 21 20:22:36 2022
|      162.142.125.44  Fri Jan 21 20:29:10 2022
|      45.56.104.184  Fri Jan 21 21:00:35 2022
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [3923] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
|  [0] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T|  ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
|  [0] {^LN-BEG}(?:DAY )?MON Day ExYear %k:Minute:Second(?:\.Microseconds)?
|  [0] {^LN-BEG}Day(?P<_sep>[-/])Month(?P=_sep)(?:ExYear|ExYear2) %k:Minute:Second
|  [0] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
|  [0] {^LN-BEG}Month/Day/ExYear:24hour:Minute:Second
|  [0] {^LN-BEG}Month-Day-ExYear %k:Minute:Second(?:\.Microseconds)?
|  [0] {^LN-BEG}Epoch
|  [0] {^LN-BEG}ExYear2ExMonthExDay  ?24hour:Minute:Second
|  [0] {^LN-BEG}MON Day, ExYear 12hour:Minute:Second AMPM
|  [0] {^LN-BEG}ExYearExMonthExDay(?:T|  ?)Ex24hourExMinuteExSecond(?:[.,]Microseconds)?(?:\s*Zone offset)?
|  [0] {^LN-BEG}(?:Zone name )?(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
|  [0] {^LN-BEG}(?:Zone offset )?(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
|  [0] {^LN-BEG}TAI64N
|  [0] {^LN-BEG}24hour:Minute:Second
|  [0] ^<Month/Day/ExYear2@24hour:Minute:Second>
|  [0] ^MON-Day-ExYear2 %k:Minute:Second
`-

Lines: 3923 lines, 0 ignored, 100 matched, 3823 missed
[processed in 0.25 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 3823 lines


Score:0
au flag

Who is trying to login to my server and also how did they get my ip address?

These entries in your logs seem to be from Censys, an Internet-wide scanning service. They explain in "Censys Internet Scanning Intro" what they do.

And this 2021 master's thesis from Carleton University goes into the details of what this and similar scanners do.

Also, whois 162.142.125.57 shows that the IP indeed belongs to Censys.

You could consider ignoring these connections, and adjusting your logging. Or you can opt out of Censys data collection.

Score:0
il flag

Normally, the filter postfix with mode aggressive is intended to find such scanners:

[postfix]
mode = aggressive

How to test it with fail2ban-regex:

fail2ban-regex /path/to/log_or_systemd-journal postfix[logtype=short,mode=aggressive]

But I don't see any message that would match, e.g. one with some error or where the connection gets rejected. Moreover, auto_clnt_open: connected to private/anvil tells us that it got connected (although to anvil, which is a rate-limiting daemon of Postfix, but anyway).
So are there some other messages at the end (from this session [670231])?
Or what exactly would you like to consider here as a failure?

If you mean it must react to "no match" messages, here is your filter:

[Definition]

failregex = ^\s*\S+ postfix/smtpd\[[^\]]+]: match_list_match: <ADDR>: no match

But the log seems to contain several "no match" entries per single "session", so it'd cause multiple failures per single attempt (exactly 3 in this case), so you probably have to increase maxretry.

If it should rather be tied to "connected to private/anvil", here you go (this should work with fail2ban >= 0.10):

[Definition]

prefregex = ^\s*\S+ postfix/smtpd\[<F-MLFID>[^\]]+</F-MLFID>\]: <F-CONTENT>(?:match_list_match|auto_clnt_open).+</F-CONTENT>$

failregex = ^match_list_match: <ADDR>: <F-NOFAIL>no match</F-NOFAIL>
            ^auto_clnt_open: connected to private/anvil
alex K avatar
vn flag
I added some more info. Can you make a full file, as in postfix-sasl, for this? Is this related to Postfix? How did they get my server IP? This is a new server. How did they get my info? Also, explain each line so it can help others and myself in making filters to control the DDoS attacks.
alex K avatar
vn flag
I have 100 IPs banned, but they're all from recidive. None from postfix aggressive or postfix-sasl. I want to ensure these filters are working before I go to production. Help, please.
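To put the maxretry remark from the answer above into numbers, here is an added Python illustration. It is not part of the question or of any answer, and it is not fail2ban's own code: it emulates the two filters given in that answer on a constructed sample log made of the Censys session 670231 from the question plus two connections from a made-up client at 192.0.2.10 (an RFC 5737 documentation address), both handled by the same smtpd process. The translation of fail2ban's <ADDR> tag and the use of the smtpd PID as the session id (the answer's <F-MLFID>) are simplifications assumed for this illustration only.

```python
"""Emulate what the two fail2ban filters from the answer do to the Postfix debug log.

Added illustration, not fail2ban code: fail2ban's real <ADDR> tag, date detection
and multi-line (F-MLFID) cache are richer than what is done here.
"""
import re
from collections import Counter

# Syslog timestamp that fail2ban strips before applying failregex.
SYSLOG_DATE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

# Approximation of fail2ban's <ADDR>: dotted IPv4, or something with a colon (IPv6).
ADDR = r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]*:[0-9a-fA-F:.]*)"

# Filter 1 from the answer: every "no match" line is a failure.
NOMATCH_RE = re.compile(
    r"^\s*\S+ postfix/smtpd\[(?P<pid>[^\]]+)\]: match_list_match: " + ADDR + r": no match"
)
# Filter 2 from the answer: "no match" only records the address for the session
# (<F-NOFAIL>); the anvil line is the single failure per connection.
ANVIL_RE = re.compile(
    r"^\s*\S+ postfix/smtpd\[(?P<pid>[^\]]+)\]: auto_clnt_open: connected to private/anvil$"
)


def strip_date(line: str) -> str:
    """Drop the syslog timestamp, as fail2ban does before matching."""
    return SYSLOG_DATE.sub("", line, count=1)


def failures_per_line(lines):
    """Filter 1: one failure per matching line (3 per connection in this log)."""
    hits = Counter()
    for line in lines:
        m = NOMATCH_RE.match(strip_date(line))
        if m:
            hits[m.group("addr")] += 1
    return dict(hits)


def failures_per_connection(lines):
    """Filter 2: remember the address per smtpd PID, count once when anvil is reached."""
    addr_by_pid = {}
    hits = Counter()
    for line in lines:
        content = strip_date(line)
        m = NOMATCH_RE.match(content)
        if m:
            addr_by_pid[m.group("pid")] = m.group("addr")  # F-NOFAIL: store, do not count
            continue
        m = ANVIL_RE.match(content)
        if m and m.group("pid") in addr_by_pid:
            # pop so a reused smtpd process needs a fresh "no match" before it counts again
            hits[addr_by_pid.pop(m.group("pid"))] += 1
    return dict(hits)


def would_ban(counts, maxretry):
    """Addresses a jail with this maxretry would ban (findtime ignored)."""
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


def _smtpd(pid, msg):
    return f"Jan 19 22:49:00 intelligent-mahavira postfix/smtpd[{pid}]: {msg}"


def _session(pid, host, ip):
    """One connection, shaped like session 670231 in the question."""
    return [
        _smtpd(pid, f"connect from {host}[{ip}]"),
        _smtpd(pid, f"match_list_match: {host}: no match"),
        _smtpd(pid, f"match_list_match: {ip}: no match"),
        _smtpd(pid, f"match_list_match: {host}: no match"),
        _smtpd(pid, f"match_list_match: {ip}: no match"),
        _smtpd(pid, "smtp_stream_setup: maxtime=3600 enable_deadline=0"),
        _smtpd(pid, f"match_list_match: {host}: no match"),
        _smtpd(pid, f"match_list_match: {ip}: no match"),
        _smtpd(pid, "auto_clnt_open: connected to private/anvil"),
    ]


# Constructed sample: the Censys session from the question, plus two connections
# from a made-up client (RFC 5737 test address) handled by the same smtpd process.
SAMPLE_LOG = (
    _session("670231", "scanner-05.ch1.censys-scanner.com", "162.142.125.57")
    + _session("670300", "unknown", "192.0.2.10")
    + _session("670300", "unknown", "192.0.2.10")
)

if __name__ == "__main__":
    print("per line      :", failures_per_line(SAMPLE_LOG))
    print("per connection:", failures_per_connection(SAMPLE_LOG))
    print("maxretry=3, per line      :", would_ban(failures_per_line(SAMPLE_LOG), 3))
    print("maxretry=3, per connection:", would_ban(failures_per_connection(SAMPLE_LOG), 3))
```

Run as a script it prints both tallies. With the first filter a single Censys connection already yields three failures, so maxretry = 3 bans after one visit; with the second filter each connection counts once, so maxretry keeps its usual meaning of connections rather than log lines.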
Score:0
jp flag

There is official documentation, Developing Filters. There are also many filters included in /etc/fail2ban/filter.d/.

alex K avatar
vn flag
None match this.
jp flag
fail2ban sources are available on GitHub, including all filters.
alex K avatar
vn flag
None has a simple sample filter mechanism that I can expand with regex.
alex K avatar
vn flag
As you see, 100 matched with nomatch.conf, but fail2ban does not show anything banned by nomatch or postfix-sasl. All the IPs it banned (236 of them) are from recidive.