You're right again. You should add the fail2ban regex to the wiki.
ROFLMAO
I'm no genius..... just try and see the logic. The timeout issue is really a bit of a 'red herring' here and really only serves to confuse things.
OK, until we can resolve qpsmtpd.... how can we stop some of this?
fail2ban gets a little confusing as the qpsmtpd.conf filter looks at both qpsmtpd and sqpsmtpd logs.
Couple of points - the first line in the fail2ban qpsmtpd.conf regex will not work (in my experience; see
https://bugs.contribs.org/show_bug.cgi?id=8955 which I have reopened). The second one will.
Here's the regex:
failregex = ^\s*\d+\s*logging::logterse plugin \(deny\): ` <HOST>\s*.*90\d.*msg denied before queued$
^\s*\d+\s*\(deny\) logging::logterse: ` <HOST>\s*.*90\d.*msg denied before queued$
Here's the sort of lines we are looking for (or similar) from both qpsmtpd and sqpsmtpd:
(deny) logging::logterse: ` 71.6.199.23 ubuntu1619923.aspadmin.com openssl.client.net tls 901 TLS Negotiation Failed msg denied before queued
(deny) logging::logterse: ` 191.53.200.26 191-53-200-26.dvl-wr.mastercabo.com.br tls 903 Cannot establish SSL session msg denied before queued
The first regex line used to match the old logs, so we need the second line.
There is also an issue with my old regex from
https://bugs.contribs.org/show_bug.cgi?id=8952
Here's the old regex:
^\s*\d+\s*count_unrecognized_commands plugin \(unrecognized_command\): Unrecognized command 'auth' '<HOST>'$
This will not work with the newer qpsmtpd as the log line has changed, and it also won't see things like this:
2018-10-25 16:29:29.485465500.s:49001:@400000005bd14c80027ed8ec 31545 Accepted connection 1/40 from 71.6.199.23 / ubuntu1619923.aspadmin.com
2018-10-25 16:29:29.485465500.s:49002:@400000005bd14c8002804434 31545 Connection from ubuntu1619923.aspadmin.com [71.6.199.23]
2018-10-25 16:29:29.485465500.s:49005:@400000005bd14c81116bc144 31545 (connect) earlytalker: pass, not spontaneous
2018-10-25 16:29:29.485465500.s:49006:@400000005bd14c811182df3c 31545 (connect) relay: skip, no match
2018-10-25 16:29:29.485465500.s:49007:@400000005bd14c81118a0f14 31545 (connect) ident::geoip: US
2018-10-25 16:29:29.485465500.s:49008:@400000005bd14c8111cb0014 31545 (connect) dnsbl: karma -1 (-1)
2018-10-25 16:29:29.485465500.s:49009:@400000005bd14c8111cb4e34 31545 (connect) dnsbl: fail, NAUGHTY, zen.spamhaus.org
2018-10-25 16:29:29.485465500.s:49010:@400000005bd14c8111ceebfc 31545 220 esmith.myserver.com ESMTP
2018-10-25 16:29:29.485465500.s:49011:@400000005bd14c811a2876ec 31545 dispatching EHLO openssl.client.net
2018-10-25 16:29:29.485465500.s:49012:@400000005bd14c811abfbd7c 31545 (ehlo) helo: pass
2018-10-25 16:29:29.485465500.s:49013:@400000005bd14c811acc409c 31545 250-myserver.com Hi ubuntu1619923.aspadmin.com [71.6.199.23]
2018-10-25 16:29:29.485465500.s:49014:@400000005bd14c811acd4a3c 31545 250-PIPELINING
2018-10-25 16:29:29.485465500.s:49015:@400000005bd14c811acd8ca4 31545 250-8BITMIME
2018-10-25 16:29:29.485465500.s:49016:@400000005bd14c811acdea64 31545 250-SIZE 20000000
2018-10-25 16:29:29.485465500.s:49017:@400000005bd14c811ace4ff4 31545 250 STARTTLS
2018-10-25 16:29:29.485465500.s:49018:@400000005bd14c812326bdbc 31545 dispatching STARTTLS
2018-10-25 16:29:29.485465500.s:49019:@400000005bd14c81232857e4 31545 220 Go ahead with TLS
2018-10-25 16:29:29.485465500.s:49022:@400000005bd14c812b88284c 31545 (deny) logging::logterse: ` 71.6.199.23 ubuntu1619923.aspadmin.com openssl.client.net tls 901 TLS Negotiation Failed msg denied before queued
2018-10-25 16:29:29.485465500.s:49023:@400000005bd14c812b8a08c4 31545 500 TLS Negotiation Failed
2018-10-25 16:29:29.485465500.s:49025:@400000005bd14c9e030d78a4 31545 dispatching ����1=H<��_,��b�+
2018-10-25 16:29:29.485465500.s:49026:@400000005bd14c9e035873f4 31545 (unrecognized_command) count_unrecognized_commands: '����1=h<��_,��b�+', (1)
2018-10-25 16:29:29.485465500.s:49027:@400000005bd14c9e03587bc4 31545 500 Unrecognized command
It seems to throw this in the fail2ban logs:
fail2ban.filter [26870]: WARNING Error decoding line from '/var/log/qpsmtpd/current' with 'UTF-8'. Consider setting logencoding=utf-8 (or another appropriate encoding) for this jail. Continuing to process line ignoring invalid characters: '@400000005bd1d6182eba1ad4 24134 dispatching \x05\x00\x80\x03\x00\x80\x01\x00\x80\x07\x00\xc0\x86\x8eD\xae%[\x9e\xae\x14K\x7fe\xfe\x06\x11\xc9\n'
I have made a note on the bug and will look at it again next week.
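As an added check that is not part of the original post or of fail2ban itself: a small Python script that applies the two failregex lines quoted above, plus the old unrecognized_command regex, to the sample log lines, emulating what fail2ban does (strip the recognised date, expand `<HOST>`) so you can see which lines would count as failures and which host gets extracted. The TAI64N stripping, the simplified `<HOST>` pattern and the constructed timestamp prefixes on the sample lines are assumptions, not fail2ban's exact internals.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption): an IPv4/IPv6
# literal or a hostname, captured as a named group.
HOST_RE = r"(?P<host>[0-9a-fA-F:.]+|[\w.-]+)"

# The two failregex lines from the qpsmtpd.conf filter quoted in the post.
FAILREGEX = [
    r"^\s*\d+\s*logging::logterse plugin \(deny\): ` <HOST>\s*.*90\d.*msg denied before queued$",
    r"^\s*\d+\s*\(deny\) logging::logterse: ` <HOST>\s*.*90\d.*msg denied before queued$",
]

# The old count_unrecognized_commands regex from bug 8952, quoted in the post.
OLD_UNRECOGNIZED_REGEX = (
    r"^\s*\d+\s*count_unrecognized_commands plugin \(unrecognized_command\): "
    r"Unrecognized command 'auth' '<HOST>'$"
)

# Constructed sample: the log lines from the post, with a TAI64N prefix added
# to the ones that were quoted without it. The binary junk is shortened.
SAMPLE_LOG = [
    "2018-10-25 16:29:29.485465500.s:49022:@400000005bd14c812b88284c 31545 (deny) logging::logterse: ` 71.6.199.23 ubuntu1619923.aspadmin.com openssl.client.net tls 901 TLS Negotiation Failed msg denied before queued",
    "@400000005bd14c812b88284c 31545 (deny) logging::logterse: ` 191.53.200.26 191-53-200-26.dvl-wr.mastercabo.com.br tls 903 Cannot establish SSL session msg denied before queued",
    "@400000005bd14c9e035873f4 31545 (unrecognized_command) count_unrecognized_commands: '\ufffd1=h<\ufffd', (1)",
]


def compile_failregex(pattern):
    """Turn a fail2ban failregex into a Python regex by expanding <HOST>."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def strip_timestamp(line):
    """Emulate fail2ban removing the matched date before applying failregex:
    drop everything up to and including the TAI64N '@' token (assumption)."""
    return re.sub(r"^.*?@[0-9a-f]{24}\s*", "", line, count=1)


def match_host(pattern, line):
    """Return the <HOST> a failregex captures from a line, or None on no match."""
    m = compile_failregex(pattern).search(strip_timestamp(line))
    return m.group("host") if m else None


def failing_hosts(patterns, lines):
    """Hosts fail2ban would record as failures for the given failregex set."""
    hits = []
    for line in lines:
        for pattern in patterns:
            host = match_host(pattern, line)
            if host:
                hits.append(host)
                break
    return hits
```

The first failregex matches none of these lines and the second matches both 90x deny lines; the old unrecognized_command regex matches nothing, and the new-format line carries no host at all, so no `<HOST>` regex can ban from it.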
But in my case I don't think it was an attack, only an unfortunate DOS from a single IP spammer.
And its throttle kept making new connections before old ones were closed, thus hitting 10/10.
Yes, can be a single spammy IP but it keeps banging away which creates the DoS. It should be stopped before that happens which is what Instances per IP should do.
Qpsmtpd / TLS plugin doesn't care about timeout.
Possibly it should, but that is another issue.....