My daily Logwatch report contains a large number of SMTP authentication errors like the following:

--------------------- sasl auth daemon Begin ------------------------

**Unmatched Entries**
auth failure: [user=smr@clarky.net] [service=smtp] [realm=clarky.net] [mech=pam] [reason=PAM auth error]
auth failure: [user=megaplan@clarky.net] [service=smtp] [realm=clarky.net] [mech=pam] [reason=PAM auth error]
auth failure: [user=pdf@clarky.net] [service=smtp] [realm=clarky.net] [mech=pam] [reason=PAM auth error]
auth failure: [user=development@clarky.net] [service=smtp] [realm=clarky.net] [mech=pam] [reason=PAM auth error]

These are password-guessing attempts against the SMTP AUTH service, and they can add a large number of lines to the emailed report.
To cut this down by having CSF/LFD block the offending IPs, here are the steps on an Ubuntu system where Postfix logs to /var/log/mail.log.
1. Edit /etc/csf/csf.conf, find CUSTOM1_LOG and point it at the Postfix log file:
CUSTOM1_LOG = "/var/log/mail.log"
2. Add a regular expression to /usr/local/csf/bin/regex.custom.pm to catch the failed SASL logins in that log:
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
    return ("Failed SASL login from",$1,"mysaslmatch","3","25","3600");
}
The values returned are, in order: the description used in the alert, the client IP captured by the regex, a unique name for this rule, the number of matches that triggers a block (3), the port(s) to block (25) and the length of the temporary block in seconds (3600).
Note that the regex matches the Postfix smtpd "SASL ... authentication failed" warning in mail.log, not the saslauthd entries Logwatch shows above: the saslauthd lines carry no client address, whereas Postfix logs the same failed attempt together with the connecting IP, which is what LFD needs to block. The leading part of the pattern assumes the traditional syslog timestamp ("Mar  5 10:01:12 host postfix/smtpd[...]"); if your rsyslog writes ISO 8601 timestamps instead, adjust that part or the rule will never match.
3. Restart CSF and LFD so the new log file and rule are picked up:
# csf -r
# service lfd restart
(on systemd-based releases, systemctl restart lfd does the same as the service command)
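Before restarting LFD it is worth confirming that the pattern really matches the lines in your mail.log, since a regex that never matches silently blocks nothing. The script below is an added example, not part of the original post or of CSF/LFD itself: it translates the Perl regex above into sed extended-regex syntax, runs it over a few constructed Postfix log lines (documentation-range IPs, not real traffic), and lists the IPs that would reach the trigger count of 3. The function names sasl_failures and sasl_offenders, the SAMPLE_LOG file and the sample lines are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from CSF/LFD): check that the
# Postfix "SASL ... authentication failed" pattern matches, and list the IPs
# that would hit LFD's trigger count (3 in the regex.custom.pm rule above).

# sed -E translation of the Perl regex used in regex.custom.pm.  It expects the
# traditional syslog format: "Mon DD HH:MM:SS host postfix/smtpd[PID]: warning: ..."
SASL_RE='^[^ ]+ +[0-9]+ +[^ ]+ [^ ]+ postfix/smtpd\[[0-9]+]: warning:.*\[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)]: SASL [A-Z]* authentication failed'

# sasl_failures LOGFILE
#   Prints the offending client IP once per matching log line.
#   "|" is used as the sed delimiter because the pattern contains "/".
sasl_failures() {
    sed -nE "s|${SASL_RE}.*|\1|p" "$1"
}

# sasl_offenders LOGFILE [THRESHOLD]
#   Prints "count ip" for every IP with at least THRESHOLD failures (default 3),
#   i.e. the ones LFD would temp-block with the trigger level used in the rule.
sasl_offenders() {
    threshold="${2:-3}"
    sasl_failures "$1" | sort | uniq -c | sort -rn \
        | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# Constructed sample of /var/log/mail.log (assumption for illustration, not real
# traffic).  198.51.100.7 fails three times, 203.0.113.9 once, one line is a
# plain connect, and the CRAM-MD5 line shows a mechanism the pattern does not
# match because of its hyphen and digit.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  5 10:01:12 mx postfix/smtpd[1234]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  5 10:01:15 mx postfix/smtpd[1234]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Mar  5 10:01:19 mx postfix/smtpd[1234]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  5 10:02:40 mx postfix/smtpd[1250]: warning: host.example.net[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  5 10:03:01 mx postfix/smtpd[1250]: connect from host.example.net[203.0.113.9]
Mar 12 10:03:05 mx postfix/smtpd[1251]: warning: unknown[192.0.2.44]: SASL CRAM-MD5 authentication failed: bad protocol / cancel
EOF

# Usage: run against the sample; replace "$SAMPLE_LOG" with /var/log/mail.log
# on a live system.
echo "IPs that would be blocked (>= 3 failures):"
sasl_offenders "$SAMPLE_LOG"
```

Point sasl_failures at /var/log/mail.log to see exactly which lines LFD will act on, and sasl_offenders to see who is already past the threshold. The [A-Z]* part of the pattern only matches mechanism names made of capital letters, which is why the constructed CRAM-MD5 line is not counted; widening it to [A-Z0-9-]* in regex.custom.pm (a suggestion of mine, not from the post) would also catch CRAM-MD5 and DIGEST-MD5 failures.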
After that, be prepared for a lot of emails from LFD about IPs being blocked for the time set in the rule (3600 seconds, i.e. 1 hour, above). They eventually taper off, with the worst offenders ending up permanently blocked once they have been temp-blocked enough times for LF_PERMBLOCK in csf.conf to kick in 🙂 If the alert mail itself becomes the nuisance, LF_EMAIL_ALERT in csf.conf controls whether LFD sends an email for each block.