Postfix SASL support for sshguard
sshguard is a great tool for securing internet-facing servers. I've been using it for some some to protect from ssh brute-force attacks and IMAP server attacks.
However, the current version does not include attack signatures for Postfix, and my servers are seeing hundreds of brute-force connection attempts. These show up in logs like:
Oct 19 19:56:07 longbeach postfix/smtpd: warning: unknown[18.104.22.168]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 Oct 19 19:56:21 longbeach postfix/smtpd: warning: unknown[22.214.171.124]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Anyway, I decided to check out the code and look at adding support for these lines. It was fairly simple, the only real complication was that the yacc-based parser did not accept the two-part process name ("postfix/smtpd"). A quick rule tweak took care of that.
Now sshguard picks up the SASL authentication failures nicely:
Oct 19 21:08:53 longbeach sshguard: Blocking 126.96.36.199:4 for >0secs: 40 danger in 4 attacks over 33 seconds (all: 120d in 3 abuses over 1931s).
You can get the current version patch here.
Apply the patch by running this command after unpacking the sshguard source:
patch -p0 < sshguard-postfix-sasl.patch
Update Sep 14 2014
David Winterburn kindly sent an update - the rule was not working on his OSX installation of Postfix, which did not append any text after the 'authentication failed' string. The patch is updated with his fix.
Update Jan 9 2014
The original patch had a flaw in that it did not detect lines that had a resolved hostname (instaed of being reported as 'unknown'). I've updated the patch at the link above.