fail2ban/config/filter.d/common.conf

# Generic configuration items (to be used as interpolations) in other
# filters  or actions configurations
#
# Author: Yaroslav Halchenko
#
# $Revision$
#

[INCLUDES]

# Load customizations if any available
after = common.local


[DEFAULT]

# Daemon definition is to be specialized (if needed) in .conf file
_daemon = \S*

#
# Shortcuts for easier comprehension of the failregex
#
# PID.
# EXAMPLES: [123]
__pid_re = (?:\[\d+\])

# Daemon name (with optional source_file:line or whatever)
# EXAMPLES: pam_rhosts_auth, [sshd], pop(pam_unix)
__daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?

# Combinations of daemon name and PID
# EXAMPLES: sshd[31607], pop(pam_unix)[4920]
__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)

# Some messages have a kernel prefix with a timestamp
# EXAMPLES: kernel: [769570.846956]
__kernel_prefix = kernel: \[\d+\.\d+\]

__hostname = \S+

#
# Common line prefixes (beginnings) which could be used in filters
#
#      [bsdverbose]? [hostname] [vserver tag] daemon_id spaces
# 
# bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or
# <auth.info> appearing before the host as per testcases/files/logs/bsd/*.
#
# This can be optional (for instance if we match named native log files)
__prefix_line = \s*(<[^.]+.[^.]+>)?\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*
- Added "full line failregex" patch. Thanks to Yaroslav Halchenko. It will be possible to create stronger failregex against log injection git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@621 a942ae1a-1317-0410-a47c-b1dcaea8d605 17 years ago			`# Generic configuration items (to be used as interpolations) in other`
			`# filters or actions configurations`
			`#`
			`# Author: Yaroslav Halchenko`
			`#`
- Changed <HOST> template to be more restrictive. Debian bug #514163. git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@728 a942ae1a-1317-0410-a47c-b1dcaea8d605 16 years ago			`# $Revision$`
- Added "full line failregex" patch. Thanks to Yaroslav Halchenko. It will be possible to create stronger failregex against log injection git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@621 a942ae1a-1317-0410-a47c-b1dcaea8d605 17 years ago			`#`

			`[INCLUDES]`

			`# Load customizations if any available`
- Fixed fail2ban-regex. It support "includes" in configuration files. - Modified "includes" to be more generic. We will probably support URL in the future. - Small refactoring. git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@656 a942ae1a-1317-0410-a47c-b1dcaea8d605 17 years ago			`after = common.local`
- Added "full line failregex" patch. Thanks to Yaroslav Halchenko. It will be possible to create stronger failregex against log injection git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@621 a942ae1a-1317-0410-a47c-b1dcaea8d605 17 years ago

			`[DEFAULT]`

			`# Daemon definition is to be specialized (if needed) in .conf file`
			`_daemon = \S*`

			`#`
			`# Shortcuts for easier comprehension of the failregex`
			`#`
			`# PID.`
			`# EXAMPLES: [123]`
			`__pid_re = (?:\[\d+\])`

			`# Daemon name (with optional source_file:line or whatever)`
			`# EXAMPLES: pam_rhosts_auth, [sshd], pop(pam_unix)`
			`__daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?`

			`# Combinations of daemon name and PID`
			`# EXAMPLES: sshd[31607], pop(pam_unix)[4920]`
			`__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s\|%(__daemon_re)s%(__pid_re)s?:)`

Recognise time-stamped kernel messages e.g. Sep 25 12:51:04 myhost kernel: [773580.832329] sshd[25557]: Invalid user pgsql from 91.203.223.206 This fixes the sshd filter on Fedora 15, and probably other filters on other newish distros too. 13 years ago			`# Some messages have a kernel prefix with a timestamp`
			`# EXAMPLES: kernel: [769570.846956]`
			`__kernel_prefix = kernel: \[\d+\.\d+\]`

			`__hostname = \S+`

- Added "full line failregex" patch. Thanks to Yaroslav Halchenko. It will be possible to create stronger failregex against log injection git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@621 a942ae1a-1317-0410-a47c-b1dcaea8d605 17 years ago			`#`
			`# Common line prefixes (beginnings) which could be used in filters`
			`#`
BF: change common.conf to handle formats of syslog -v and syslog -vv in BSD 12 years ago			`# [bsdverbose]? [hostname] [vserver tag] daemon_id spaces`
			`#`
			`# bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or`
			`# <auth.info> appearing before the host as per testcases/files/logs/bsd/*.`
			`#`
			`# This can be optional (for instance if we match named native log files)`
			`__prefix_line = \s(<[^.]+.[^.]+>)?\s(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*`