From 26b472f70f8bd7e8dcd390a750a804f32e934e9a Mon Sep 17 00:00:00 2001
From: Steven Hiscocks
Date: Thu, 18 Jul 2013 21:31:51 +0100
Subject: [PATCH] ENH: Add ejabberd-auth filter and sample log lines

---
 config/filter.d/ejabberd-auth.conf | 36 +++++++++++++++++++++++++
 fail2ban/tests/files/logs/ejabberd-auth | 9 +++++++
 2 files changed, 45 insertions(+)
 create mode 100644 config/filter.d/ejabberd-auth.conf
 create mode 100644 fail2ban/tests/files/logs/ejabberd-auth

diff --git a/config/filter.d/ejabberd-auth.conf b/config/filter.d/ejabberd-auth.conf
new file mode 100644
index 00000000..0025fc42
--- /dev/null
+++ b/config/filter.d/ejabberd-auth.conf
@@ -0,0 +1,36 @@
+# Fail2Ban configuration file
+#
+# Author: Steven Hiscocks
+#
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Multiline regexs should use tag "" to separate lines.
+# This allows lines between the matching lines to continue to be
+# searched for other failures. This tag can be used multiple times.
+# Values: TEXT
+#
+failregex = ^=INFO REPORT==== ===\nI\(<0\.\d+\.0>:ejabberd_c2s:\d+\) : \([^)]+\) Failed authentication for .+ from IP \({{(?:\d+,){3}\d+},\d+}\)$
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
+
+[Init]
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 2
+
+# Option: journalmatch
+# Notes.: systemd journalctl style match filter for journal based backend
+# Values: TEXT
+#
+journalmatch =
diff --git a/fail2ban/tests/files/logs/ejabberd-auth b/fail2ban/tests/files/logs/ejabberd-auth
new file mode 100644
index 00000000..4d07ec9c
--- /dev/null
+++ b/fail2ban/tests/files/logs/ejabberd-auth
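Review bot: The `failregex =` line lets the authenticating identity through as an unbounded `.+`, so the only thing that keeps a user-chosen JID containing text such as ` from IP ` from steering the host capture is the `$`-anchored trailing `\({{(?:\d+,){3}\d+},\d+}\)` port tuple, and that dependency is not written down. I would add above the line: `# The trailing {{ip},port} tuple and the $ anchor pin the host capture to the peer address ejabberd itself logs; keep them, since the JID before "from IP" is user-supplied text.` The Notes block still recommends the multiline separator tag while the regex joins the report header and its body with a literal `\n`, which requires the two lines to be adjacent; a one-line comment next to `maxlines = 2` in `[Init]` stating that adjacency expectation would spare the next maintainer from relaxing it. The sample log in the second hunk shows exactly that adjacent header/body pair, so the comment would be consistent with the fixture.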
@@ -0,0 +1,9 @@
+# failJSON: { "match": false }
+=INFO REPORT==== 2013-07-14 17:53:40 ===
+# failJSON: { "match": false }
+I(<0.370.0>:ejabberd_listener:281) : (#Port<0.6910>) Accepted connection {{192,0,2,4},12716} -> {{198,51,100,2},5222}
+
+# failJSON: { "match": false }
+=INFO REPORT==== 2013-07-14 17:53:40 ===
+# failJSON: { "time": "2013-07-14T17:53:40", "match": true , "host": "192.0.2.4" }
+I(<0.1440.0>:ejabberd_c2s:813) : ({socket_state,tls,{tlssock,#Port<0.6910>,#Port<0.6912>},<0.1439.0>}) Failed authentication for user@example.com from IP 192.0.2.4 ({{192,0,2,4},12716})