Merge pull request #300 from kwirk/ejabberd-auth

ENH: Add ejabberd-auth filter and sample log lines

config/filter.d/ejabberd-auth.conf

@@ -0,0 +1,36 @@
+# Fail2Ban configuration file
+#
+# Author: Steven Hiscocks
+#
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+#          Multiline regexs should use tag "<SKIPLINES>" to separate lines.
+#          This allows lines between the matching lines to continue to be
+#          searched for other failures. This tag can be used multiple times.
+# Values:  TEXT
+#
+failregex = ^=INFO REPORT====  ===\nI\(<0\.\d+\.0>:ejabberd_c2s:\d+\) : \([^)]+\) Failed authentication for .+ from IP <HOST> \({{(?:\d+,){3}\d+},\d+}\)$
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 
+
+[Init]
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 2
+
+# Option:  journalmatch
+# Notes.:  systemd journalctl style match filter for journal based backend
+# Values:  TEXT
+#
+journalmatch = 

fail2ban/tests/files/logs/ejabberd-auth

@@ -0,0 +1,9 @@
+# failJSON: { "match": false }
+=INFO REPORT==== 2013-07-14 17:53:40 ===
+# failJSON: { "match": false }
+I(<0.370.0>:ejabberd_listener:281) : (#Port<0.6910>) Accepted connection {{192,0,2,4},12716} -> {{198,51,100,2},5222}
+
+# failJSON: { "match": false }
+=INFO REPORT==== 2013-07-14 17:53:40 ===
+# failJSON: { "time": "2013-07-14T17:53:40", "match": true , "host": "192.0.2.4" }
+I(<0.1440.0>:ejabberd_c2s:813) : ({socket_state,tls,{tlssock,#Port<0.6910>,#Port<0.6912>},<0.1439.0>}) Failed authentication for user@example.com from IP 192.0.2.4 ({{192,0,2,4},12716})