From daf57547c66d076f31ba640de08e092fa8ca8162 Mon Sep 17 00:00:00 2001 From: Marcel Waldvogel Date: Sat, 29 Jul 2017 19:58:06 +0200 Subject: [PATCH 1/2] Parse ejabberd 17.06 output E.g.: 2017-07-29 08:24:04.773 [info] <0.6668.0>@ejabberd_c2s:handle_auth_failure:433 (http_bind|ejabberd_bosh) Failed c2s PLAIN authentication for test@example.ch from ::FFFF:192.0.2.3: Invalid username or password --- config/filter.d/ejabberd-auth.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/ejabberd-auth.conf b/config/filter.d/ejabberd-auth.conf index de27c1cd..052eea48 100644 --- a/config/filter.d/ejabberd-auth.conf +++ b/config/filter.d/ejabberd-auth.conf @@ -17,7 +17,7 @@ # Values: TEXT # failregex = ^=INFO REPORT==== ===\nI\(<0\.\d+\.0>:ejabberd_c2s:\d+\) : \([^)]+\) Failed authentication for \S+ from (?:IP )?(?: \({{(?:\d+,){3}\d+},\d+}\))?$ - ^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:\w+:\d+ \([^\)]+\) Failed authentication for \S+ from (?:IP )?$ + ^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:\w+:\d+ \([^\)]+\) Failed (?:c2s \w+ )?authentication for \S+ from (?:IP )?(?:::FFFF:)?(: .*)?$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. From ebd1e2c969a7568939626e3372e394a74e5a06ae Mon Sep 17 00:00:00 2001 From: Marcel Waldvogel Date: Sat, 29 Jul 2017 20:05:25 +0200 Subject: [PATCH 2/2] Add testcase --- fail2ban/tests/files/logs/ejabberd-auth | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fail2ban/tests/files/logs/ejabberd-auth b/fail2ban/tests/files/logs/ejabberd-auth index cc04883f..9f03e6a4 100644 --- a/fail2ban/tests/files/logs/ejabberd-auth +++ b/fail2ban/tests/files/logs/ejabberd-auth 
@@ -13,4 +13,8 @@ I(<0.1440.0>:ejabberd_c2s:813) : ({socket_state,tls,{tlssock,#Port<0.6910>,#Port # new format: # failJSON: { "time": "2015-03-19T13:57:35", "match": true , "host": "192.0.2.6" } -2015-03-19 13:57:35.805 [info] <0.585.0>@ejabberd_c2s:wait_for_sasl_response:965 ({socket_state,p1_tls,{tlssock,#Port<0.6434>,#Port<0.6436>},<0.584.0>}) Failed authentication for robin@example.com from 192.0.2.6 \ No newline at end of file +2015-03-19 13:57:35.805 [info] <0.585.0>@ejabberd_c2s:wait_for_sasl_response:965 ({socket_state,p1_tls,{tlssock,#Port<0.6434>,#Port<0.6436>},<0.584.0>}) Failed authentication for robin@example.com from 192.0.2.6 + +# 17.06 "new" format: +# failJSON: { "time": "2017-07-29T08:24:04", "match": true , "host": "192.0.2.3" } +2017-07-29 08:24:04.773 [info] <0.6668.0>@ejabberd_c2s:handle_auth_failure:433 (http_bind|ejabberd_bosh) Failed c2s PLAIN authentication for test@example.ch from ::FFFF:192.0.2.3: Invalid username or password
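Review bot: In the added failregex line of config/filter.d/ejabberd-auth.conf (patch 1/2), `(?:c2s \w+ )?` accepts only word characters for the token after "c2s". The commit message's example shows PLAIN in that position, which is a SASL mechanism name; other mechanism names such as DIGEST-MD5 or SCRAM-SHA-1 contain a hyphen, so a failure logged with one of them would not match and would not be counted. Consider `(?:c2s \S+ )?`. Two smaller points on the same line: the trailing `(: .*)?` is written as a capturing group while every other optional group in the line is non-capturing, so `(?:: .*)?` would be consistent; and `(?:::FFFF:)?` matches only the upper-case spelling of the prefix, so either confirm that ejabberd always logs it that way or make that part case-insensitive.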
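Review bot: The single 17.06 line added to fail2ban/tests/files/logs/ejabberd-auth (patch 2/2) has all three new optional parts present at once: the "c2s PLAIN" token, the ::FFFF: prefix and the ": Invalid username or password" suffix. The only other "new format" case in this hunk has none of them, so no test shows that each part is optional on its own. Please add at least one more 17.06-style line with its own failJSON entry, for example the same message from a bare 192.0.2.x address without the ::FFFF: prefix, so that a later change to one of the optional groups is caught by the test file.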