I'm trying to stop an attack and logs with SASL LOGIN authentication failed for my mail server. However, I've been trying for a day and am still not able to achieve it. The logs continue to generate the attack with the same IP.

Machine

Linux server 5.4.0-109-generic #123-Ubuntu SMP Fri Apr 8 09:10:54 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Mail Logs in /var/log/mail.log

Apr 28 20:45:23 server postfix/smtpd[112579]: connect from unknown[5.34.207.81]
Apr 28 20:45:24 server postfix/smtpd[112409]: warning: unknown[5.34.207.81]: SASL LOGIN authentication failed: authentication failure
Apr 28 20:45:25 server postfix/smtpd[112409]: disconnect from unknown[5.34.207.81] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Apr 28 20:45:30 server postfix/smtpd[112599]: connect from unknown[5.34.207.81]
Apr 28 20:45:31 server postfix/smtpd[112579]: warning: unknown[5.34.207.81]: SASL LOGIN authentication failed: authentication failure
Apr 28 20:45:32 server postfix/smtpd[112579]: disconnect from unknown[5.34.207.81] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Apr 28 20:45:36 server postfix/smtpd[112409]: connect from unknown[5.34.207.81]
Apr 28 20:45:38 server postfix/smtpd[112599]: warning: unknown[5.34.207.81]: SASL LOGIN authentication failed: authentication failure
Apr 28 20:45:38 server postfix/smtpd[112599]: disconnect from unknown[5.34.207.81] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4

Fail2Ban with IPtables

/etc/fail2ban/jail.local

[postfix-sasl]

enabled  = true
port     = smtp,ssmtp,465,submission,imap,imaps,pop3,pop3s

bantime = 10m
filter   = postfix-sasl
#action   = iptables-multiport[name=postfix, port="smtp,ssmtp,465,submission,imap,imaps,pop3,pop3s", protocol=tcp]
logpath  = /var/log/mail.log
maxretry = 15

I did sudo service fail2ban restart and the wired thing is that I didn't see any chain with f2b-postfix.

So did a grep from fail2ban logs and here's the output:

Fail2Ban Logs in /var/log/fail2ban.log

2022-04-27 16:27:10,133 fail2ban.actions        [567]: NOTICE  [postfix-sasl] Unban 5.34.207.81
2022-04-27 16:27:45,391 fail2ban.actions        [567]: NOTICE  [postfix-sasl] Ban 5.34.207.81
2022-04-27 16:32:17,801 fail2ban.actions        [567]: NOTICE  [postfix-sasl] Unban 212.70.149.72
2022-04-27 22:37:46,299 fail2ban.actions        [567]: NOTICE  [postfix-sasl] Unban 5.34.207.81

Fail2Ban with UFW

In my research, I understand that Fail2Ban can work with UFW so I did some research for it and here's my config:

/etc/fail2ban/jail.local

[postfix-sasl]

enabled  = true
journalmatch =
backend = polling
bantime = -1    // Permanent ban? Maybe 
filter   = postfix-sasl
logpath  = /var/log/mail.log
maxretry = 15
banaction = ufw
findtime = 120

Worth to mention that I've manually input sudo ufw insert 1 deny from 5.34.207.81 to any with sudo ufw reload but unfortunately I'm still able to see the attack from the same IP at mail logs in /var/log/mail.log

Status: active

To                         Action      From
--                         ------      ----
Anywhere                   DENY        212.70.149.72             
Anywhere                   DENY        5.34.207.81

Filter For Both in Fail2Ban

/etc/fail2ban/filter.d/postfix-sasl.conf

[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix/smtpd
failregex = ^(.*)\[<HOST>\]: SASL (?:LOGIN|PLAIN) authentication failed:(.*)$
ignoreregex =

Resources: Fail2ban with UFW

Appreciate it if someone can help me with this!

Worth noting that depending on the number of users you have you may want to lower the threshold, and based on the number of attacks maybe increase the ban time.

I don't use Postfix but instead use Exim.However, the challenges of blocking attackers are the same. Here you can see a status of my Fail2ban jail to give you an idea of the botnet sizes out there:

XXXX@XXXX:~# fail2ban-client status exim

Status for the jail: exim
|- Filter
| |- Currently failed: 0
| |- Total failed: 10380
| - File list: /var/log/exim4/mainlog - Actions
|- Currently banned: 1763
|- Total banned: 5644
`- Banned IP list: XXXXXXXXXXXX