Merge pull request #603 from truxoft/master

ENH: Nagios filter

ChangeLog

@@ -16,6 +16,7 @@ ver. 0.8.13 (2014/XX/XXX) - maintenance-only-from-now-on
   - filter pureftpd - added _daemon which got removed. Added
 
 - New Features:
+  - filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa)
 
 - Enhancements:
   - filter pureftpd - added all translations of "Authentication failed for

config/filter.d/nagios.conf

@@ -0,0 +1,17 @@
+# Fail2Ban filter for Nagios Remote Plugin Executor (nrpe2)
+# Detecting unauthorized access to the nrpe2 daemon 
+# typically logged in /var/log/messages syslog
+#
+
+[INCLUDES]
+# Read syslog common prefixes
+before = common.conf
+
+[Definition]
+_daemon     = nrpe
+failregex   = ^%(__prefix_line)sHost <HOST> is not allowed to talk to us!\s*$
+ignoreregex =
+
+# DEV Notes:
+# 
+# Author: Ivo Truxa - 2014/02/03

config/jail.conf

@@ -758,3 +758,14 @@ action   = iptables[name=SSH, port=ssh, protocol=tcp]
            blocklist_de[email="fail2ban@example.com", apikey="xxxxxx", service=%(filter)s]
 logpath  = /var/log/sshd.log
 maxretry = 20
+
+
+# consider low maxretry and a long bantime
+# nobody except your own Nagios server should ever probe nrpe
+[nagios]
+enabled  = false
+filter   = nagios
+action   = iptables[name=Nagios, port=5666, protocol=tcp]
+           sendmail-whois[name=Nagios, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
+logpath  = /var/log/messages     ; nrpe.cfg may define a different log_facility
+maxretry = 1

testcases/files/logs/nagios

@@ -0,0 +1,4 @@
+# Access of unauthorized host in /var/log/messages
+# failJSON: { "time": "2005-02-03T11:22:44", "match": true , "host": "50.97.225.132" }
+Feb  3 11:22:44 valhalla nrpe[63284]: Host 50.97.225.132 is not allowed to talk to us!
+