This article is about fail2ban and preventing Sendmail brute force password attacks. Also known as fail2ban’s worthless sendmail-auth configuration.
fail2ban comes with a completely worthless sendmail-auth filter. It looks for a failure notification from Sendmail that most likely will never appear anymore. Previously a brute force attack would make one connection and issue multiple AUTH commands over it; that is what produced the notification. This is no longer the case. The brute force attack now makes one connection, issues a single AUTH command, then disconnects and re-connects for the next guess. Spread out one AUTH per connection like that, it never triggers Sendmail’s “possible SMTP attack: command=AUTH” log line, so the stock filter never fires.
So what we need is something, anything, that actually has some sort of real-world value, like actually working. That’d be helpful, right?
# cd /etc/fail2ban/filter.d/
# cp sendmail-auth.conf sendmail-auth.local
Now edit the .local file (fail2ban reads the .local copy in preference to the packaged .conf, so the change survives package upgrades) and replace the worthless regex
failregex = ^%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$
with this:
failregex = \[<HOST>\] .*to MTA
            \[<HOST>\] \(may be forged\)
            \[<HOST>\], reject.*\.\.\. Relaying denied
Save the file (the second and third failregex lines must stay indented, or fail2ban will not parse them as continuations of the same value), then reload fail2ban so it picks up the new filter:
# fail2ban-client reload
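To see what the replacement patterns actually catch before a jail starts banning on them, here is an added example (written for this article, not fail2ban’s own code) that expands `<HOST>` roughly the way fail2ban does and runs both the stock regex and the three replacement patterns over constructed sendmail log lines. The `HOST_GROUP` expansion and the plain syslog prefix standing in for `%(__prefix_line)s` are simplifications assumed for the example, and every log line below is constructed, not captured from a real server.

```python
import re
from collections import Counter

# fail2ban expands the <HOST> tag into a capturing group before compiling
# each failregex. This is a simplified stand-in for that expansion
# (assumption: an IPv4 address or hostname; fail2ban's own definition also
# covers IPv6 and other forms).
HOST_GROUP = r"(?P<host>[A-Za-z0-9.:_-]+)"

# The three patterns the article puts into sendmail-auth.local.
NEW_FAILREGEX = [
    r"\[<HOST>\] .*to MTA",
    r"\[<HOST>\] \(may be forged\)",
    r"\[<HOST>\], reject.*\.\.\. Relaying denied",
]

# The stock filter's pattern, with %(__prefix_line)s reduced to a plain
# syslog prefix for this example (assumption; the real macro is looser).
OLD_FAILREGEX = [
    r"^\w{3} +\d+ [\d:]+ \S+ sendmail\[\d+\]: \w{14}: (\S+ )?\[<HOST>\]"
    r"( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$",
]


def compile_filter(patterns):
    """Expand <HOST> the way fail2ban does and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in patterns]


def matched_host(rules, line):
    """Return the host captured by the first rule that matches, or None."""
    for rule in rules:
        m = rule.search(line)
        if m:
            return m.group("host")
    return None


def count_failures(rules, lines):
    """Tally matches per host, as fail2ban does before comparing to maxretry."""
    hits = Counter()
    for line in lines:
        host = matched_host(rules, line)
        if host:
            hits[host] += 1
    return hits


# Constructed sample lines in the shape of sendmail's syslog output.
# 192.0.2.10 plays the connect / AUTH / disconnect / reconnect attacker;
# the last line is an ordinary, legitimate delivery that must not count.
SAMPLE_LOG = [
    "Jan 10 12:00:01 mail sendmail[4101]: w0AC01aa004101: [192.0.2.10] "
    "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "Jan 10 12:00:03 mail sendmail[4102]: w0AC03bb004102: [192.0.2.10] "
    "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "Jan 10 12:00:05 mail sendmail[4103]: w0AC05cc004103: [192.0.2.10] "
    "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "Jan 10 12:00:09 mail sendmail[4104]: w0AC09dd004104: ruleset=check_rcpt, "
    "arg1=<victim@example.org>, relay=[198.51.100.7], "
    "reject=550 5.7.1 <victim@example.org>... Relaying denied",
    "Jan 10 12:00:12 mail sendmail[4105]: w0AC0Cee004105: from=<spam@example.net>, "
    "size=812, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, "
    "relay=bogus.example.net [203.0.113.5] (may be forged)",
    "Jan 10 12:00:15 mail sendmail[4106]: w0AC0Fff004106: from=<alice@example.com>, "
    "size=1201, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, "
    "relay=client.example.com [203.0.113.40]",
]

# The only kind of line the stock filter would ever match: Sendmail's
# per-connection summary, which the one-AUTH-per-connection attack never
# produces. (Constructed sample line.)
LEGACY_SUMMARY_LINE = (
    "Jan 10 12:00:20 mail sendmail[4107]: w0AC0Kgg004107: [192.0.2.10]: "
    "possible SMTP attack: command=AUTH, count=6"
)


def compare_filters(lines):
    """Return (old_hits, new_hits) for the same log lines."""
    return (
        count_failures(compile_filter(OLD_FAILREGEX), lines),
        count_failures(compile_filter(NEW_FAILREGEX), lines),
    )


if __name__ == "__main__":
    old_hits, new_hits = compare_filters(SAMPLE_LOG)
    print("stock filter:", dict(old_hits))  # -> {}
    print("new filter  :", dict(new_hits))
    # -> {'192.0.2.10': 3, '198.51.100.7': 1, '203.0.113.5': 1}
```

Against a real mail log the equivalent check is `fail2ban-regex <your mail log> /etc/fail2ban/filter.d/sendmail-auth.local`, which reports how many lines each pattern matched. One thing the sample makes visible: the first pattern counts every connection that closes without a mail transaction, so a monitoring probe from one of your own hosts would accumulate failures the same way the attacker does; list those hosts in the jail’s `ignoreip` so they are never banned.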