From b31a018e7ca6983bb0babf83c054e9cf36085cb3 Mon Sep 17 00:00:00 2001
From: Cool Fire <coolfire@insomnia247.nl>
Date: Fri, 8 Feb 2019 16:54:11 +0100
Subject: [PATCH 1/5] Add override for dovecot failed logins on debian

---
 config/paths-debian.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/config/paths-debian.conf b/config/paths-debian.conf
index 50ff948b..ae45e72e 100644
--- a/config/paths-debian.conf
+++ b/config/paths-debian.conf
@@ -31,6 +31,8 @@ apache_error_log = /var/log/apache2/*error.log
 apache_access_log = /var/log/apache2/*access.log
 
 
+dovecot_log = /var/log/mail.log
+
 # was in debian squeezy but not in wheezy
 # /etc/proftpd/proftpd.conf (SystemLog)
 proftpd_log = /var/log/proftpd/proftpd.log

From 27526e431b31add8181b6dcd88ab5022021eccea Mon Sep 17 00:00:00 2001
From: Cool Fire <coolfire@insomnia247.nl>
Date: Wed, 13 Feb 2019 10:10:24 +0100
Subject: [PATCH 2/5] Changes static logfile string to variable

Since we don't want to re-declare a log file name we already
have a varialbe for, use the existing variable to set dovecot_log.
---
 config/paths-debian.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/paths-debian.conf b/config/paths-debian.conf
index ae45e72e..0904668b 100644
--- a/config/paths-debian.conf
+++ b/config/paths-debian.conf
@@ -31,7 +31,7 @@ apache_error_log = /var/log/apache2/*error.log
 apache_access_log = /var/log/apache2/*access.log
 
 
-dovecot_log = /var/log/mail.log
+dovecot_log = %(syslog_mail)s
 
 # was in debian squeezy but not in wheezy
 # /etc/proftpd/proftpd.conf (SystemLog)

From ec2b5dc483060032499b50d67772ebcee9c8d732 Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Fri, 15 Mar 2019 22:28:08 +0100
Subject: [PATCH 3/5] fixed log-level in error case (logging error instead of
 Level 39)

---
 fail2ban/server/utils.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fail2ban/server/utils.py b/fail2ban/server/utils.py
index d88c29b8..2bde3f4d 100644
--- a/fail2ban/server/utils.py
+++ b/fail2ban/server/utils.py
@@ -244,8 +244,8 @@ class Utils():
 				return False if not output else (False, stdout, stderr, retcode)
 
 		std_level = logging.DEBUG if retcode in success_codes else logging.ERROR
-		if std_level > logSys.getEffectiveLevel():
-			if logCmd: logCmd(std_level-1); logCmd = None
+		if std_level >= logSys.getEffectiveLevel():
+			if logCmd: logCmd(std_level-1 if std_level == logging.DEBUG else logging.ERROR); logCmd = None
 		# if we need output (to return or to log it): 
 		if output or std_level >= logSys.getEffectiveLevel():
 

From e8401a7e65c699e4a3ecbd42951d5bada90871ca Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Sat, 16 Mar 2019 00:05:06 +0100
Subject: [PATCH 4/5] action.d/xarf-login-attack.conf: fixes gh-2372,
 correction for split of addresses, interpolation is shell-independent now,
 etc; extended with option `boundary`, additionally dynamic boundary part is
 used (is not so predictable as it was previously);

---
 config/action.d/xarf-login-attack.conf | 28 ++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/config/action.d/xarf-login-attack.conf b/config/action.d/xarf-login-attack.conf
index 2b135c43..f348b2c4 100644
--- a/config/action.d/xarf-login-attack.conf
+++ b/config/action.d/xarf-login-attack.conf
@@ -41,7 +41,12 @@ actionstop =
 
 actioncheck =
 
-actionban = oifs=${IFS}; IFS=.;SEP_IP=( <ip> ); set -- ${SEP_IP}; ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs}
+actionban = oifs=${IFS};
+            RESOLVER_ADDR="%(addr_resolver)s"
+            if [ "<debug>" -gt 0 ]; then echo "try to resolve $RESOLVER_ADDR"; fi
+            ADDRESSES=$(dig +short -t txt -q $RESOLVER_ADDR | tr -d '"')
+            IFS=,; ADDRESSES=$(echo $ADDRESSES)
+            IFS=${oifs}
             IP=<ip>
             FROM=<sender>
             SERVICE=<service>
@@ -51,26 +56,37 @@ actionban = oifs=${IFS}; IFS=.;SEP_IP=( <ip> ); set -- ${SEP_IP}; ADDRESSES=$(di
             PORT=<port>
             DATE=`LC_ALL=C date --date=@<time> +"%%a, %%d %%h %%Y %%T %%z"`
             if [ ! -z "$ADDRESSES" ]; then
+                oifs=${IFS}; IFS=,; ADDRESSES=$(echo $ADDRESSES)
+                IFS=${oifs}
                 (printf -- %%b "<header>\n<message>\n<report>\n\n";
                  date '+Note: Local timezone is %%z (%%Z)';
-                 printf -- %%b "\n<ipmatches>\n\n<footer>") | <mailcmd> <mailargs> ${ADDRESSES//,/\" \"}
+                 printf -- %%b "\n<ipmatches>\n\n<footer>") | <mailcmd> <mailargs> $ADDRESSES
             fi
 
 actionunban =
 
-[Init]
+# Server as resolver used in dig command
+#
+addr_resolver = <ip-rev>abuse-contacts.abusix.org
+
+# Option: boundary
+# Notes:  This can be overwritten to be safe for possible predictions
+boundary = bfbb0f920793ac03cb8634bde14d8a1e
+
+_boundary = Abuse<time>-<boundary>
+
 # Option: header
 # Notes:  This is really a fixed value
-header  = Subject: abuse report about $IP - $DATE\nAuto-Submitted: auto-generated\nX-XARF: PLAIN\nContent-Transfer-Encoding: 7bit\nContent-Type: multipart/mixed; charset=utf8;\n  boundary=Abuse-bfbb0f920793ac03cb8634bde14d8a1e;\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8;\n
+header  = Subject: abuse report about $IP - $DATE\nAuto-Submitted: auto-generated\nX-XARF: PLAIN\nContent-Transfer-Encoding: 7bit\nContent-Type: multipart/mixed; charset=utf8;\n  boundary=%(_boundary)s;\n\n--%(_boundary)s\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8;\n
 
 # Option: footer
 # Notes:  This is really a fixed value and needs to match the report and header
 #         mime delimiters
-footer = \n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e--
+footer = \n\n--%(_boundary)s--
 
 # Option: report
 # Notes:  Intended to be fixed
-report =  --Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8; name=\"report.txt\";\n\n---\nReported-From: $FROM\nCategory: abuse\nReport-ID: $REPORTID\nReport-Type: login-attack\nService: $SERVICE\nVersion: 0.2\nUser-Agent: Fail2ban v0.9\nDate: $DATE\nSource-Type: ip-address\nSource: $IP\nPort: $PORT\nSchema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment: text/plain\nOccurances: $FAILURES\nTLP: $TLP\n\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf8; name=\"logfile.log\";
+report =  --%(_boundary)s\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8; name=\"report.txt\";\n\n---\nReported-From: $FROM\nCategory: abuse\nReport-ID: $REPORTID\nReport-Type: login-attack\nService: $SERVICE\nVersion: 0.2\nUser-Agent: Fail2ban v0.9\nDate: $DATE\nSource-Type: ip-address\nSource: $IP\nPort: $PORT\nSchema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment: text/plain\nOccurances: $FAILURES\nTLP: $TLP\n\n\n--%(_boundary)s\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf8; name=\"logfile.log\";
 
 # Option: Message
 # Notes:  This can be modified by the users

From a7ccbd46dc34d7744248ec38ab35df38ffaacc47 Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Sat, 16 Mar 2019 00:06:09 +0100
Subject: [PATCH 5/5] test cases extended to cover xarf-login-attack action

---
 fail2ban/tests/servertestcase.py | 44 +++++++++++++++++++++++++++++---
 1 file changed, 40 insertions(+), 4 deletions(-)

diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py
index a8722238..aba5dd7f 100644
--- a/fail2ban/tests/servertestcase.py
+++ b/fail2ban/tests/servertestcase.py
@@ -1866,12 +1866,19 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 
 	def _executeMailCmd(self, realCmd, timeout=60):
 		# replace pipe to mail with pipe to cat:
-		realCmd = re.sub(r'\)\s*\|\s*mail\b([^\n]*)',
-			r') | cat; printf "\\n... | "; echo mail \1', realCmd)
+		cmd = realCmd
+		if isinstance(realCmd, list):
+			cmd = realCmd[0]
+		cmd = re.sub(r'\)\s*\|\s*mail\b([^\n]*)',
+			r') | cat; printf "\\n... | "; echo mail \1', cmd)
 		# replace abuse retrieving (possible no-network), just replace first occurrence of 'dig...':
-		realCmd = re.sub(r'\bADDRESSES=\$\(dig\s[^\n]+',
+		cmd = re.sub(r'\bADDRESSES=\$\(dig\s[^\n]+',
 			lambda m: 'ADDRESSES="abuse-1@abuse-test-server, abuse-2@abuse-test-server"',
-				realCmd, 1)
+				cmd, 1)
+		if isinstance(realCmd, list):
+			realCmd[0] = cmd
+		else:
+			realCmd = cmd
 		# execute action:
 		return _actions.CommandAction.executeCmd(realCmd, timeout=timeout)
 
@@ -1926,6 +1933,31 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 					'mail -s Hostname: test-host, family: inet6 - Abuse from 2001:db8::1 abuse-1@abuse-test-server abuse-2@abuse-test-server',
 				),
 			}),
+			# xarf-login-attack --
+			('j-xarf-abuse', 
+				'xarf-login-attack['
+				  'name=%(__name__)s, mailcmd="mail", mailargs="",' +
+				  # test reverse ip:
+				  'debug=1' +
+				  ']',
+			{
+				'ip4-ban': (
+					# test reverse ip:
+					'try to resolve 10.124.142.87.abuse-contacts.abusix.org',
+					'We have detected abuse from the IP address 87.142.124.10',
+					'Dec 31 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 87.142.124.10',
+					'Dec 31 11:55:01 [sshd] error: PAM: Authentication failure for test from 87.142.124.10',
+					# both abuse mails should be separated with space:
+					'mail abuse-1@abuse-test-server abuse-2@abuse-test-server',
+				),
+				'ip6-ban': (
+					# test reverse ip:
+					'try to resolve 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.abuse-contacts.abusix.org',
+					'We have detected abuse from the IP address 2001:db8::1',
+					# both abuse mails should be separated with space:
+					'mail abuse-1@abuse-test-server abuse-2@abuse-test-server',
+				),
+			}),
 		)
 		server = TestServer()
 		transm = server._Server__transm
@@ -1963,6 +1995,10 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 					self.pruneLog('# === %s ===' % test)
 					ticket = BanTicket(ip)
 					ticket.setAttempt(100)
+					ticket.setMatches([
+						'Dec 31 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 87.142.124.10',
+						'Dec 31 11:55:01 [sshd] error: PAM: Authentication failure for test from 87.142.124.10'
+					])
 					ticket = _actions.Actions.ActionInfo(ticket, dmyjail)
 					action.ban(ticket)
 					self.assertLogged(*tests[test], all=True)