I had journalctl open and noticed an offender repeatedly hitting me with auth fails in postfix. I have a standard postfix-sasl filter on by default that, to my knowledge, is working well.
It wasn't catching this one offender, so of course my curiosity kicked in as to why. So I compared a legit postfix ban with this particular entry and noticed only that LOGIN was not in upper case.
legit ban = Jul 03 11:47:30 domain.ca postfix/smtpd[9298]: warning: unknown[87.120.84.169]: SASL LOGIN authentication failed: authentication failure
no catch = Jul 03 11:50:15 domain.ca postfix/smtpd[9554]: warning: unknown[190.119.186.242]: SASL login authentication failed: authentication failure
So I went into my filter /etc/fail2ban/filter.d/postfix-sasl.conf
added this:
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:login|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
from this:
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
All I did was change the LOGIN to login and it caught this particular offender.
Since I suck at Python regex and didn't find an easy doc, how would I go about simply adding one line that will catch upper and lower case for these entry variables (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)?
PS
Since this is postfix generating the log, why would it be that it entered a LOGIN for one log, and login for another... different type or method of auth failed and the author wrote the entry of different caps for each maybe?
thank you
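As an added example (not part of the post above and not fail2ban's own code), here is a small Python check of the case-sensitivity problem described in the post: it runs the original failregex and a version with a scoped case-insensitive group, (?i:...), over the two quoted log lines plus one constructed "Plain" line, and shows which hosts each one would extract. The prefix pattern and the <HOST> expansion are simplified stand-ins for fail2ban's real %(__prefix_line)s and <HOST> (an assumption; the real common.conf definitions are more elaborate). The same regex can also be checked against a real log with fail2ban's own fail2ban-regex tool.

```python
import re

# Constructed sample log lines: the two lines quoted in the post plus one
# made-up mixed-case "Plain" line to show the fix generalises.
SAMPLE_LOG = [
    "Jul 03 11:47:30 domain.ca postfix/smtpd[9298]: warning: unknown[87.120.84.169]: "
    "SASL LOGIN authentication failed: authentication failure",
    "Jul 03 11:50:15 domain.ca postfix/smtpd[9554]: warning: unknown[190.119.186.242]: "
    "SASL login authentication failed: authentication failure",
    "Jul 03 11:52:01 domain.ca postfix/smtpd[9600]: warning: unknown[203.0.113.7]: "
    "SASL Plain authentication failed: authentication failure",
]

# Simplified stand-ins for fail2ban's %(__prefix_line)s and <HOST> expansion
# (assumption: fail2ban's real common.conf prefix is more elaborate).
PREFIX_LINE = r"\w{3} \d{2} \d{2}:\d{2}:\d{2} \S+ postfix/smtpd\[\d+\]: "
HOST = r"(?P<host>[\w\-.]+)"

# Original filter line from the post: mechanism names are case-sensitive,
# so "SASL login" never matches and that host is never banned.
ORIGINAL = (PREFIX_LINE + r"warning: [-._\w]+\[" + HOST +
            r"\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
            r"(: [ A-Za-z0-9+/]*={0,2})?\s*$")

# Fixed filter: a scoped inline flag (?i:...) makes only the mechanism
# alternation case-insensitive; the rest of the line is still matched
# exactly. One failregex line then covers LOGIN, login, Plain, etc.
# (Python 3.6+ supports scoped flags.)
FIXED = (PREFIX_LINE + r"warning: [-._\w]+\[" + HOST +
         r"\]: SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
         r"(: [ A-Za-z0-9+/]*={0,2})?\s*$")


def banned_hosts(failregex, lines):
    """Return the hosts a fail2ban-style failregex would extract from lines."""
    pattern = re.compile("^" + failregex)
    return [m.group("host") for m in (pattern.match(line) for line in lines) if m]


if __name__ == "__main__":
    print("original:", banned_hosts(ORIGINAL, SAMPLE_LOG))  # only the LOGIN line
    print("fixed:   ", banned_hosts(FIXED, SAMPLE_LOG))     # all three lines
```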