New install, postfix / IMAP

I’ve installed crowdsec and netfilter-blocker. The server is a postfix server, also running IMAP.

The install did not detect postfix (!), so I did this in acquis.yaml. Is this correct?

#Generated acquisition file - wizard.sh (service: sshd) / files : /var/log/secure
filenames:
  - /var/log/secure
labels:
  type: syslog
---
#Generated acquisition file - wizard.sh (service: linux) / files : /var/log/messages
filenames:
  - /var/log/messages
labels:
  type: syslog
---

filenames:
  - /var/log/maillog
labels:
  type: syslog
---

I have this now after running for 10 minutes:

time="2020-10-24T14:43:41+10:00" level=info msg="Buckets Metrics:"
+--------+---------------+-----------+--------------+--------+---------+
| BUCKET | CURRENT COUNT | OVERFLOWS | INSTANCIATED | POURED | EXPIRED |
+--------+---------------+-----------+--------------+--------+---------+
+--------+---------------+-----------+--------------+--------+---------+
time="2020-10-24T14:43:41+10:00" level=info msg="Acquisition Metrics:"
+-------------------+------------+--------------+----------------+------------------------+
|      SOURCE       | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+-------------------+------------+--------------+----------------+------------------------+
| /var/log/maillog  |        326 | -            |            326 | -                      |
| /var/log/messages |          7 | -            |              7 | -                      |
| /var/log/secure   |          5 | -            |              5 | -                      |
+-------------------+------------+--------------+----------------+------------------------+
time="2020-10-24T14:43:41+10:00" level=info msg="Parser Metrics:"
+----------------------------------+------+--------+----------+
|             PARSERS              | HITS | PARSED | UNPARSED |
+----------------------------------+------+--------+----------+
| child-crowdsecurity/postfix-logs |   68 | -      |       68 |
| crowdsecurity/postfix-logs       |   34 | -      |       34 |
| crowdsecurity/syslog-logs        |  338 |    338 | -        |
+----------------------------------+------+--------+----------+

I assume this is now reading Postfix logs OK and works as intended?

I have temporarily disabled fail2ban to see how this goes. In fail2ban I have had the following rules active on this server: postfix, postfix-rbl, postfix-postscreen, postfix-sasl.

I’m not sure yet that crowdsec is going to cover all of those scenarios - what is included in the out of the box postfix collection? All of those jails trigger regularly in fail2ban.

Thanks for your feedback.

I guess what we have now is something near postfix+postfix-sasl. In fact, we are kind of stuck with the log I managed to get. If you care to provide the logs you want to be taken care of, we will improve the scenario.

By the way, postfix-rbl works by detecting when postfix rejects any mail because of the sender being in an RBL, and then fail2ban is blocking them. We could improve our bouncers or add a new one to directly ban RBL-blacklisted senders without further postfix configuration.

I hope I answered your questions. Feel free to raise any more issues, we’ll definitely look into it, as we want the postfix scenario to be well fitted.

OK, the current setup is as follows:
I use fail2ban’s default postfix filter (mode = more) with default 3 attempts, then IP block. Additionally I run postfix-sasl and postfix-rbl with maxretry of 1. My setup is well tuned with blacklists over a few years, and if a RBL is failed it’s an instant ban, same with a sasl auth failure on the submission port.
My postscreen filter is a custom one (also called with a maxretry of 1) I use to block a botnet which is a fairly constant source of attempts:

[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix/postscreen
failregex = ^%(__prefix_line)sPREGREET \d+ after \d+\.\d+ from \[<HOST>\]:\d+: EHLO ylmf-pc\\r\\n
ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service

I have also at times had other regex in there getting blocked at the postscreen stage, but the current setup seems to work OK.

I can send logs and a snapshot of fail2ban-regex printed hits - let me know where I can securely submit.

Oh, and a way to disable ipv6 configuration to prevent unnecessary fatal errors in the log would be good.

Hello @Swallowtail,

What do you mean about fatal errors and ipv6? Normally crowdsec (and the bouncers) should handle this pretty well!

ps: we’re going to provide you an email address and gpg pubkey soon so you can provide some logs to us

thanks,

Ok, to securely send us logs, you can use gpg encrypted mail or text via support@crowdsec.net with the gpg public fingerprint 0x8c332d31 (the key is stored on http://keys.gnupg.net/)

Or use the following public armored output:

-----BEGIN PGP PUBLIC KEY BLOCK-----
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=Edl+
-----END PGP PUBLIC KEY BLOCK-----

Re the errors: it’s not a huge issue, but the netfilter blocker tries to run ipv6 rules, even though my machine does not have the protocol active:

time="24-10-2020 14:17:56" level=fatal msg="iptables init failed: Error while insert set in iptables (/usr/sbin/ip6tables -I INPUT -m set --match-set crowdsec6-blacklists src -j DROP): exit status 1 --> Could not open socket to kernel: Address family not supported by protocol\n"
time="24-10-2020 14:18:34" level=error msg="error while removing set entry in iptables : exit status 1 --> Could not open socket to kernel: Address family not supported by protocol\n"

Ideally there should be a config to disable the attempt, or detection if IPv6 is active before attempting to insert the rules.

Hey @Swallowtail

Nice spot indeed, I opened an issue here: Add the possibility of disabling ipv6 ban by configurations · Issue #12 · crowdsecurity/cs-netfilter-blocker · GitHub

Great.

Logs are emailed with pgp.

Hello @Swallowtail

Thanks for the logs, we have created the missing scenarios and we should come back to you tomorrow so you/we can test it!

Hello there,

I just finished these postfix/postscreen scenarios.

You can test this scenario. For now, we are only testing it, so it’s kind of hidden in the hub. You can install it using cscli:

cscli update --branch postfix
cscli install collection crowdsecurity/postfix --branch postfix --force

collection with 2 L :slight_smile:
I will check that :wink:

Did you by any chance get some time to check on this? We would be very thrilled to have some feedback :slight_smile:

I just checked, the service crashed last week:

time="02-11-2020 05:00:48" level=error msg="API init failed, won't push/pull : api signin: HTTP request creation failed: Post https://tmsov6x2n9.execute-api.eu-west-1.amazonaws.com/v1/signin: dial tcp: lookup tmsov6x2n9.execute-api.eu-west-1.amazonaws.com on 192.168.1.145:53: read udp 192.168.1.235:54434->192.168.1.145:53: i/o timeout"
time="02-11-2020 05:00:48" level=fatal msg="failed to initialize outputs : failed to load api : api signin: HTTP request creation failed: Post https://tmsov6x2n9.execute-api.eu-west-1.amazonaws.com/v1/signin: dial tcp: lookup tmsov6x2n9.execute-api.eu-west-1.amazonaws.com on 192.168.1.145:53: read udp 192.168.1.235:54434->192.168.1.145:53: i/o timeout"

It looks like my DNS server was non-responsive - but the service crashing needs some work…

In terms of the bans, I have fail2ban set more aggressively than crowdsec is running, so I am not sure I am going to see much additional benefit. But I’ll keep running for a while and post some logs back here.

Hello @Swallowtail!

Thanks for the feedback!

Would you mind sharing what kind of changes you made, so that we can offer similar behaviour with crowdsec ?

Thanks!

Late reply, I know - sorry… and long post :open_mouth:

I’ve been running crowdsec in parallel to fail2ban and probably will leave them both running for now. I like crowdsec, although not totally sure yet that I am as across what it is doing as I am for fail2ban.

For Postfix I run the following in my fail2ban jail.local file:
[postfix]

enabled  = true
mode     = normal
port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s

[postfix-rbl]

enabled  = true
filter   = postfix[mode=rbl]
port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
maxretry = 1

[postfix-sasl]

enabled  = true
filter   = postfix[mode=auth]
port     = smtp,465,submission,imap,imaps,pop3,pop3s
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
maxretry = 1

[postscreen]

enabled  = true
port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
bantime  = 2592000
maxretry = 1

This means that a single externally-initiated rbl fail, sasl password fail, or postscreen fail results in a ban. The postfix filter and jail work very well; the postscreen filter catches the ‘ylmf-pc’ botnet, so it bans for a month.

The postscreen filter contains:

[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix/postscreen
failregex = ^%(__prefix_line)sPREGREET \d+ after \d+\.\d+ from \[<HOST>\]:\d+: EHLO ylmf-pc\\r\\n
            NOQUEUE: reject: RCPT from (.*)\[<HOST>\]:([0-9]{4,5}:)? 454 4.7.1.*Relay access denied
ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service

The postfix rbl lists I use are tested over years of use and work well for me, so I have an aggressive “one strike” ban policy on postfix-rbl. Sasl fails are the same - my users don’t normally come in that way, so zero tolerance for auth fails.

My fail2ban postfix filter is out of the box, no changes - just enabled in ‘normal’ mode, ‘rbl’ mode (1 strike) by the second call, and ‘auth’ mode (1 strike) by the third call.

And I can see fail2ban fails coming through and getting entered into firewall rules:

]# cat /var/log/fail2ban.log | grep "Ban "
2021-02-10 07:00:47,719 fail2ban.actions        [923]: NOTICE  [postfix-rbl] Ban 168.245.28.80
2021-02-10 08:43:30,799 fail2ban.actions        [923]: NOTICE  [postfix] Ban 91.134.231.66
2021-02-10 20:05:38,296 fail2ban.actions        [923]: NOTICE  [postfix-sasl] Ban 82.177.122.227
2021-02-11 01:33:10,259 fail2ban.actions        [923]: NOTICE  [postfix-sasl] Ban 45.167.11.3

Crowdsec appears to be catching stuff:

]# cscli hub list
INFO[0000] Loaded 13 collecs, 18 parsers, 21 scenarios, 3 post-overflow parsers
INFO[0000] unmanaged items : 55 local, 0 tainted
INFO[0000] PARSERS:
--------------------------------------------------------------------------------------------------------------
 NAME                            📦 STATUS    VERSION  LOCAL PATH
--------------------------------------------------------------------------------------------------------------
 crowdsecurity/sshd-logs         ✔️  enabled  0.1      /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml
 crowdsecurity/whitelists        ✔️  enabled  0.1      /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
 crowdsecurity/geoip-enrich      ✔️  enabled  0.2      /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml
 crowdsecurity/syslog-logs       ✔️  enabled  0.1      /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml
 crowdsecurity/iptables-logs     ✔️  enabled  0.1      /etc/crowdsec/parsers/s01-parse/iptables-logs.yaml
 crowdsecurity/postfix-logs      ✔️  enabled  0.2      /etc/crowdsec/parsers/s01-parse/postfix-logs.yaml
 crowdsecurity/postscreen-logs   ✔️  enabled  0.1      /etc/crowdsec/parsers/s01-parse/postscreen-logs.yaml
 crowdsecurity/dateparse-enrich  ✔️  enabled  0.1      /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml
--------------------------------------------------------------------------------------------------------------
INFO[0000] SCENARIOS:
-----------------------------------------------------------------------------------------------------------------------
 NAME                                     📦 STATUS    VERSION  LOCAL PATH
-----------------------------------------------------------------------------------------------------------------------
 crowdsecurity/iptables-scan-multi_ports  ✔️  enabled  0.1      /etc/crowdsec/scenarios/iptables-scan-multi_ports.yaml
 crowdsecurity/ssh-bf                     ✔️  enabled  0.1      /etc/crowdsec/scenarios/ssh-bf.yaml
 crowdsecurity/postfix-spam               ✔️  enabled  0.2      /etc/crowdsec/scenarios/postfix-spam.yaml
-----------------------------------------------------------------------------------------------------------------------
INFO[0000] COLLECTIONS:
---------------------------------------------------------------------------------------
 NAME                    📦 STATUS    VERSION  LOCAL PATH
---------------------------------------------------------------------------------------
 crowdsecurity/postfix   ✔️  enabled  0.2      /etc/crowdsec/collections/postfix.yaml
 crowdsecurity/sshd      ✔️  enabled  0.1      /etc/crowdsec/collections/sshd.yaml
 crowdsecurity/iptables  ✔️  enabled  0.1      /etc/crowdsec/collections/iptables.yaml
 crowdsecurity/linux     ✔️  enabled  0.2      /etc/crowdsec/collections/linux.yaml
---------------------------------------------------------------------------------------
INFO[0000] POSTOVERFLOWS:
--------------------------------------
 NAME  📦 STATUS  VERSION  LOCAL PATH
--------------------------------------
--------------------------------------

Metrics:

]# cscli metrics
INFO[0000] Buckets Metrics:
+------------------------------+---------------+-----------+--------------+--------+---------+
|            BUCKET            | CURRENT COUNT | OVERFLOWS | INSTANCIATED | POURED | EXPIRED |
+------------------------------+---------------+-----------+--------------+--------+---------+
| crowdsecurity/postfix-spam   | -             | -         |          499 |    504 |     499 |
| crowdsecurity/postscreen-rbl | -             |      5294 |         5294 | -      | -       |
+------------------------------+---------------+-----------+--------------+--------+---------+
INFO[0000] Acquisition Metrics:
+-------------------+------------+--------------+----------------+------------------------+
|      SOURCE       | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
+-------------------+------------+--------------+----------------+------------------------+
| /var/log/maillog  |     143706 |         5923 |         137783 |                    504 |
| /var/log/messages |       6969 | -            |           6969 | -                      |
| /var/log/secure   |        115 |           27 |             88 | -                      |
+-------------------+------------+--------------+----------------+------------------------+
INFO[0000] Parser Metrics:
+-------------------------------------+--------+--------+----------+
|               PARSERS               |  HITS  | PARSED | UNPARSED |
+-------------------------------------+--------+--------+----------+
| child-crowdsecurity/postfix-logs    |  43999 |    629 |    43370 |
| child-crowdsecurity/postscreen-logs |  30097 |   5294 |    24803 |
| child-crowdsecurity/sshd-logs       |    526 |     27 |      499 |
| crowdsecurity/dateparse-enrich      |   5950 |   5950 | -        |
| crowdsecurity/geoip-enrich          |   5950 |   5950 | -        |
| crowdsecurity/postfix-logs          |  14989 |    629 |    14360 |
| crowdsecurity/postscreen-logs       |  30097 |   5294 |    24803 |
| crowdsecurity/sshd-logs             |    111 |     27 |       84 |
| crowdsecurity/syslog-logs           | 150790 | 150790 | -        |
| crowdsecurity/whitelists            |   5950 |   5950 | -        |
+-------------------------------------+--------+--------+----------+

And bans:

]# cscli decisions list
+-------+----------+-------------------+------------------------------+--------+---------+--------------------------------+--------+-------------------+----------+
|  ID   |  SOURCE  |    SCOPE:VALUE    |            REASON            | ACTION | COUNTRY |               AS               | EVENTS |    EXPIRATION     | ALERT ID |
+-------+----------+-------------------+------------------------------+--------+---------+--------------------------------+--------+-------------------+----------+
| 60496 | crowdsec | Ip:103.149.12.29  | crowdsecurity/postscreen-rbl | ban    |         |                                |      1 | 1h15m36.21447193s |    11385 |
| 60488 | crowdsec | Ip:193.239.147.98 | crowdsecurity/postscreen-rbl | ban    |         |                                |      1 | 39m1.481871957s   |    11377 |
| 60485 | crowdsec | Ip:103.114.105.83 | crowdsecurity/postscreen-rbl | ban    |         |  VIETNAM POSTS AND             |      1 | 22m56.888637507s  |    11374 |
|       |          |                   |                              |        |         | TELECOMMUNICATIONS GROUP       |        |                   |          |
| 60483 | crowdsec | Ip:103.207.38.234 | crowdsecurity/postscreen-rbl | ban    | VN      |  VNPT Corp                     |      1 | 16m9.504475056s   |    11372 |
| 60481 | crowdsec | Ip:141.98.10.143  | crowdsecurity/postscreen-rbl | ban    |         |                                |      1 | 7m2.063749882s    |    11370 |
| 60480 | crowdsec | Ip:45.148.10.69   | crowdsecurity/postscreen-rbl | ban    |         |                                |      1 | 2m10.204645422s   |    11369 |
+-------+----------+-------------------+------------------------------+--------+---------+--------------------------------+--------+-------------------+----------+

But, those IPs don’t match what fail2ban is catching:

]# cat /var/log/fail2ban.log | grep "Ban "
2021-02-10 07:00:47,719 fail2ban.actions        [923]: NOTICE  [postfix-rbl] Ban 168.245.28.80
2021-02-10 08:43:30,799 fail2ban.actions        [923]: NOTICE  [postfix] Ban 91.134.231.66
2021-02-10 20:05:38,296 fail2ban.actions        [923]: NOTICE  [postfix-sasl] Ban 82.177.122.227
2021-02-11 01:33:10,259 fail2ban.actions        [923]: NOTICE  [postfix-sasl] Ban 45.167.11.3

It may well be that crowdsec is catching those also, and it’s passed them back out?

These are the events that triggered the above fail2ban bans:

Immediate ban under postfix-sasl filter:

Feb 11 01:33:10 emp07 postfix/submission/smtpd[31878]: warning: unknown[45.167.11.3]: SASL PLAIN authentication failed: authentication failure

Immediate ban under postfix-sasl filter:

Feb 10 20:05:38 emp07 postfix/submission/smtpd[19706]: warning: unknown[82.177.122.227]: SASL PLAIN authentication failed: authentication failure

Three strikes, then ban under normal postfix filter:

Feb 10 08:43:28 emp07 postfix/postscreen[25723]: CONNECT from [91.134.231.66]:52643 to [192.168.1.235]:25
Feb 10 08:43:28 emp07 postfix/dnsblog[25725]: addr 91.134.231.66 listed by domain hostkarma.junkemailfilter.com as 127.0.1.1
Feb 10 08:43:28 emp07 postfix/dnsblog[25725]: addr 91.134.231.66 listed by domain hostkarma.junkemailfilter.com as 127.0.0.4
Feb 10 08:43:28 emp07 postfix/postscreen[25723]: PASS OLD [91.134.231.66]:52643
Feb 10 08:43:28 emp07 postfix/smtpd[25735]: warning: hostname jan.leacloud.us does not resolve to address 91.134.231.66
Feb 10 08:43:28 emp07 postfix/smtpd[25735]: connect from unknown[91.134.231.66]
Feb 10 08:43:29 emp07 postfix/smtpd[25735]: Anonymous TLS connection established from unknown[91.134.231.66]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 10 08:43:30 emp07 postfix/smtpd[25735]: NOQUEUE: reject: RCPT from unknown[91.134.231.66]: 450 4.1.8 <bounce@fulfillteam.us>: Sender address rejected: Domain not found; from=<bounce@fulfillteam.us> to=<aaaa@aaaa.net> proto=ESMTP helo=<jan.leacloud.us>

Immediate ban under postfix-rbl filter

Feb 10 07:00:38 emp07 postfix/postscreen[21746]: CONNECT from [168.245.28.80]:7788 to [192.168.1.235]:25
Feb 10 07:00:38 emp07 postfix/dnsblog[21753]: addr 168.245.28.80 listed by domain zen.spamhaus.org as 127.0.0.2
Feb 10 07:00:38 emp07 postfix/dnsblog[21756]: addr 168.245.28.80 listed by domain hostkarma.junkemailfilter.com as 127.0.1.1
Feb 10 07:00:38 emp07 postfix/dnsblog[21756]: addr 168.245.28.80 listed by domain hostkarma.junkemailfilter.com as 127.0.0.1
Feb 10 07:00:39 emp07 postfix/dnsblog[21757]: addr 168.245.28.80 listed by domain wl.mailspike.net as 127.0.0.17
Feb 10 07:00:44 emp07 postfix/postscreen[21746]: PASS NEW [168.245.28.80]:7788
Feb 10 07:00:45 emp07 postfix/smtpd[21758]: connect from o15.sg.m.dripemail2.com[168.245.28.80]
Feb 10 07:00:46 emp07 postfix/smtpd[21758]: Anonymous TLS connection established from o15.sg.m.dripemail2.com[168.245.28.80]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 10 07:00:47 emp07 postfix/smtpd[21758]: NOQUEUE: reject: RCPT from o15.sg.m.dripemail2.com[168.245.28.80]: 554 5.7.1 Service unavailable; Client host [168.245.28.80] blocked using zen.spamhaus.org; https://www.spamhaus.org/sbl/query/SBL509183; from=<bounces+2693180-aea9-aaaa=aaaa.net@m.dripemail2.com> to=<aaaa@aaaa.net> proto=ESMTP helo=<o15.sg.m.dripemail2.com>
Feb 10 07:00:47 emp07 postfix/smtpd[21758]: disconnect from o15.sg.m.dripemail2.com[168.245.28.80]

OK, so here is another one… fail2ban just triggered a ban on this one:

Feb 11 21:02:42 emp07 postfix/submission/smtpd[30864]: warning: unknown[82.202.64.32]: SASL LOGIN authentication failed: authentication failure

With my above “1 strike” policy, this triggered an immediate ban on the SASL AUTH fail, going through the postfix-sasl filter of fail2ban.

Crowdsec has not banned this, and nothing in the crowdsec logs indicates it has been parsed.

So I guess my queries are - how do I control crowdsec with the granularity I do fail2ban? As I am not yet seeing how it does what I need :slight_smile:
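The fail2ban policy described in the two posts above (default postfix jail with 3 strikes, postfix-rbl, postfix-sasl and the custom postscreen filter at 1 strike) can be reproduced in a few lines to see which jail each Postfix log line actually feeds. The script below is an added example, not code from the thread, from fail2ban or from crowdsec: the regexes are simplified stand-ins written for this example (not fail2ban's own filter.d/postfix.conf patterns), findtime and bantime are ignored, and the log lines are constructed, modelled on the ones quoted above but using documentation (TEST-NET) addresses.

```python
import re
from collections import defaultdict

# Syslog prefix as written on the host in the thread, e.g. "Feb 11 01:33:10 emp07 ".
SYSLOG_PREFIX = r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ "
# Any smtpd instance, including the submission one ("postfix/submission/smtpd[31878]: ").
SMTPD = r"postfix/(?:\w+/)?smtpd\[\d+\]: "

# Simplified stand-ins for what each jail keys on. They are written for this
# example and are NOT fail2ban's own filter.d/postfix.conf patterns.
JAIL_PATTERNS = {
    # [postfix] mode=normal: any 4xx/5xx rejection at RCPT time
    "postfix": re.compile(
        SYSLOG_PREFIX + SMTPD
        + r"NOQUEUE: reject: RCPT from \S*\[(?P<host>[\d.]+)\]: [45]\d\d [45]\.\d+\.\d+ "
    ),
    # [postfix-rbl] mode=rbl: client host rejected because a DNS blocklist lists it
    "postfix-rbl": re.compile(
        SYSLOG_PREFIX + SMTPD
        + r"NOQUEUE: reject: RCPT from \S*\[(?P<host>[\d.]+)\]: 554 5\.7\.1 .*blocked using "
    ),
    # [postfix-sasl] mode=auth: SASL authentication failure on any smtpd
    "postfix-sasl": re.compile(
        SYSLOG_PREFIX + SMTPD
        + r"warning: \S*\[(?P<host>[\d.]+)\]: SASL [A-Z-]+ authentication failed"
    ),
    # [postscreen]: the custom ylmf-pc PREGREET signature from the filter above
    # (postscreen logs the literal characters \r\n, hence the doubled backslashes)
    "postscreen": re.compile(
        SYSLOG_PREFIX
        + r"postfix/postscreen\[\d+\]: PREGREET \d+ after \d+\.\d+ from \[(?P<host>[\d.]+)\]:\d+: EHLO ylmf-pc\\r\\n"
    ),
}

# maxretry per jail, as in the jail.local above. findtime and bantime are ignored:
# hits are simply counted over the whole input.
MAXRETRY = {"postfix": 3, "postfix-rbl": 1, "postfix-sasl": 1, "postscreen": 1}

# Constructed sample log (not real traffic): one SASL failure, three 450 rejections
# from the same client, one DNSBL rejection, one ylmf-pc PREGREET and one plain CONNECT.
SAMPLE_LOG = """\
Feb 11 01:33:10 emp07 postfix/submission/smtpd[31878]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Feb 10 08:43:30 emp07 postfix/smtpd[25735]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.1.8 <bounce@example.net>: Sender address rejected: Domain not found; from=<bounce@example.net> to=<user@example.org> proto=ESMTP helo=<mx.example.net>
Feb 10 08:44:02 emp07 postfix/smtpd[25740]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.1.8 <bounce@example.net>: Sender address rejected: Domain not found; from=<bounce@example.net> to=<user@example.org> proto=ESMTP helo=<mx.example.net>
Feb 10 08:45:19 emp07 postfix/smtpd[25744]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.1.8 <bounce@example.net>: Sender address rejected: Domain not found; from=<bounce@example.net> to=<user@example.org> proto=ESMTP helo=<mx.example.net>
Feb 10 07:00:47 emp07 postfix/smtpd[21758]: NOQUEUE: reject: RCPT from mail.example.com[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<a@example.com> to=<user@example.org> proto=ESMTP helo=<mail.example.com>
Feb 10 09:12:01 emp07 postfix/postscreen[25723]: PREGREET 11 after 0.15 from [203.0.113.99]:54321: EHLO ylmf-pc\\r\\n
Feb 10 09:12:02 emp07 postfix/postscreen[25723]: CONNECT from [203.0.113.100]:54322 to [192.168.1.235]:25
"""


def classify(line):
    """Return (jail, host) for every jail whose pattern matches the line.
    In this simplified model a 554 'blocked using' rejection matches both
    [postfix] and [postfix-rbl]; the one-strike jail is the one that bans."""
    hits = []
    for jail, pattern in JAIL_PATTERNS.items():
        m = pattern.match(line)
        if m:
            hits.append((jail, m.group("host")))
    return hits


def bans_for(lines):
    """Count hits per (jail, host) and return the pairs that reach maxretry."""
    counts = defaultdict(int)
    for line in lines:
        for jail, host in classify(line):
            counts[(jail, host)] += 1
    return sorted(key for key, n in counts.items() if n >= MAXRETRY[key[0]])


if __name__ == "__main__":
    for jail, host in bans_for(SAMPLE_LOG.splitlines()):
        print(f"[{jail}] Ban {host}")
```

Run as-is it prints one ban per jail: 198.51.100.7 only after its third 450 rejection, the DNSBL-listed and SASL-failing hosts after a single line, and the ylmf-pc PREGREET immediately. Feeding it a real maillog (`bans_for(open("/var/log/maillog"))`) is a quick way to see which lines a given policy keys on before comparing with what crowdsec reports.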

Hello!

no worries, thanks for the feedback :slight_smile:

Looking at the hub’s postfix scenarios, crowdsecurity/postscreen-rbl is a “one strike”, but crowdsecurity/postfix-spam is a “six strike” (if I follow your terminology).

Thus, as we can see in your metrics, while postscreen-rbl is triggered a lot, postfix-spam isn’t at all.

By default, crowdsec’s ban duration is 4 hours (and after those 4 hours, it won’t appear in cscli decisions list), so you might want to look at either logs (/var/log/crowdsec.log) or cscli alerts list :slight_smile:

So if you want crowdsec to be as strict as your existing policies, you can edit the existing scenarios (as pointed out by cscli scenarios list for example) or create your own ones.

We are looking to introduce an easy way for the user to “overload” some parameters of the scenario (in your case, the “strikes” count), I’ll keep you posted on this.

A side note: if you want to compare crowdsec’s behaviour, you can process “cold logs” with crowdsec, i.e. crowdsec -file /var/log/mail.log -type syslog (where type is the same as the one you have in your /etc/crowdsec/acquis.yaml for the given file).

I hope I answered your questions, please let me know :slight_smile:
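The reply above explains the difference between the two scenarios in terms of strikes (postscreen-rbl fires on one event, postfix-spam only after six) and notes that a decision disappears from the decisions list once its 4 h default duration has passed. The model below is an added example, not crowdsec's bucket code and not the hub's postfix scenarios: a simplified leaky bucket with a hypothetical "one strike" (capacity 0) and "six strike" (capacity 5) scenario, fed with constructed SASL-failure events for two documentation-range addresses, one single failure like the line quoted earlier in the thread and a burst of six. The scenario names, the leakspeed and the event timings are assumptions made for the example; crowdsec scenarios express the same idea with their own capacity and leakspeed settings.

```python
from datetime import datetime, timedelta

# Hypothetical scenario thresholds chosen to mirror the reply: a "one strike"
# bucket (capacity 0, overflows on the first event) and a "six strike" bucket
# (capacity 5, overflows on the sixth event still inside the leak window).
SCENARIOS = {
    "one-strike-sasl": {"capacity": 0, "leakspeed": timedelta(seconds=10)},
    "six-strike-sasl": {"capacity": 5, "leakspeed": timedelta(seconds=10)},
}
BAN_DURATION = timedelta(hours=4)  # the default decision duration mentioned in the reply


class LeakyBucket:
    """Simplified leaky bucket (not crowdsec's implementation): the bucket holds
    up to `capacity` events, one event drains every `leakspeed`, and the
    (capacity + 1)-th event still inside the bucket overflows it."""

    def __init__(self, capacity, leakspeed):
        self.capacity = capacity
        self.leakspeed = leakspeed
        self.level = 0.0
        self.last = None

    def pour(self, ts):
        """Pour one event at time `ts`; return True if the bucket overflows."""
        if self.last is not None:
            # drain what has leaked out since the previous event
            self.level = max(0.0, self.level - (ts - self.last) / self.leakspeed)
        self.last = ts
        self.level += 1
        if self.level > self.capacity:
            # an overflowed bucket is discarded; the next event starts a fresh one
            self.level, self.last = 0.0, None
            return True
        return False


def run_scenario(name, events):
    """Feed (timestamp, ip) events through one bucket per ip and return the
    decisions the scenario would emit, with ISO-8601 creation/expiry times."""
    cfg = SCENARIOS[name]
    buckets, decisions = {}, []
    for ts, ip in sorted(events):
        bucket = buckets.setdefault(ip, LeakyBucket(cfg["capacity"], cfg["leakspeed"]))
        if bucket.pour(ts):
            decisions.append({"ip": ip, "scenario": name,
                              "created": ts.isoformat(),
                              "expires": (ts + BAN_DURATION).isoformat()})
    return decisions


def active_decisions(decisions, now_iso):
    """Decisions still in force at `now_iso` (what a decisions list would show then)."""
    now = datetime.fromisoformat(now_iso)
    return [d for d in decisions
            if datetime.fromisoformat(d["created"]) <= now < datetime.fromisoformat(d["expires"])]


def sasl_events():
    """Constructed events (not real traffic): one SASL failure from 192.0.2.10,
    like the single line quoted in the thread, and six failures one second
    apart from 198.51.100.7."""
    base = datetime(2021, 2, 11, 21, 2, 42)
    events = [(base, "192.0.2.10")]
    events += [(base + timedelta(seconds=138 + i), "198.51.100.7") for i in range(6)]
    return events


if __name__ == "__main__":
    for name in SCENARIOS:
        for d in run_scenario(name, sasl_events()):
            print(f"{name}: ban {d['ip']} from {d['created']} until {d['expires']}")
```

The single failure overflows the capacity-0 bucket at once but never the capacity-5 one, which only fires on the sixth event of the burst; that is the gap between a one-strike fail2ban jail and a six-strike scenario. Querying `active_decisions` four hours after the burst returns nothing, which is why a ban issued overnight has to be looked up in the alerts list or crowdsec.log rather than in the current decisions.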

I get the following when trying to process “cold” logs (great idea btw).

[root@emp07 ~]# crowdsec -file /var/log/maillog -type syslog
INFO[0000] single file mode : log_media=stdout daemonize=true
INFO[13-02-2021 22:00:18] Crowdsec v1.0.5-564c4155a80fe0b051a8576d08267f24a0607bfb
INFO[13-02-2021 22:00:18] Loading prometheus collectors
WARN[13-02-2021 22:00:18] prometheus: listen tcp 127.0.0.1:6060: bind: address already in use
INFO[13-02-2021 22:00:18] Loading grok library /etc/crowdsec//patterns/
FATA[13-02-2021 22:00:18] listen tcp 127.0.0.1:8080: bind: address already in use

Yes, this is where I think fail2ban is still easier. I’ll be interested to see how you go with making crowdsec more tweakable like this.

E.g. my “one strike” ban on SASL auth fails - it’s quite simple to tweak in fail2ban (probably just because I’m used to it). I’ll have a look at the scenarios in the crowdsec files.
