added new date format support for ASSP SMTP Proxy

pull/193/merge
Enrico Labedzki 2013-04-28 10:44:31 +02:00 committed by Yaroslav Halchenko
parent 7b87afef48
commit 24a8d07c20
9 changed files with 79 additions and 3 deletions


@ -4,10 +4,10 @@
|_| \__,_|_|_/___|_.__/\__,_|_||_| |_| \__,_|_|_/___|_.__/\__,_|_||_|
================================================================================ ================================================================================
Fail2Ban (version 0.8.9) 2013/04/XX Fail2Ban (version 0.8.9) 2013/04/28
================================================================================ ================================================================================
ver. 0.8.9 (2013/04/XXX) - wanna-be-stable ver. 0.8.9 (2013/04/28) - wanna-be-stable
---------- ----------
Although primarily a bugfix release, it incorporates many new Although primarily a bugfix release, it incorporates many new
@ -68,6 +68,8 @@ Borreli, blotus:
Soulard Morgan Soulard Morgan
* [f336d9f] Add filter for webmin. Closes gh-99. * [f336d9f] Add filter for webmin. Closes gh-99.
- Enhancements: - Enhancements:
Enrico Labedzki
* [???????] Added Datew format for ASSP SMTP Proxy.
Steven Hiscocks Steven Hiscocks
* [3d6791f] Ensure restart of Actions after a check fails occurs * [3d6791f] Ensure restart of Actions after a check fails occurs
consistently. Closes gh-172. consistently. Closes gh-172.

1
THANKS

@ -16,6 +16,7 @@ Daniel B. Cid
Daniel Black Daniel Black
David Nutter David Nutter
Eric Gerbier Eric Gerbier
Enrico Labedzki
Guillaume Delvit Guillaume Delvit
Hanno 'Rince' Wagner Hanno 'Rince' Wagner
Iain Lea Iain Lea

2
TODO

@ -13,6 +13,8 @@ Legend:
# partially done # partially done
* done * done
- more detailed explaination in DEVELOP for new developers (eg. howto build this HEX numbers in ChangeLog)
- Run tests though all filters/examples files - (see sshd example file) as unit - Run tests though all filters/examples files - (see sshd example file) as unit
test test

33
config/filter.d/assp.conf Normal file

@ -0,0 +1,33 @@
# Fail2Ban configuration file
# for Anti-Spam SMTP Proxy Server also known as ASSP
# Honmepage: http://www.magicvillage.de/~Fritz_Borgstedt/assp/0003D91C-8000001C/
# ProjektSite: http://sourceforge.net/projects/assp/?source=directory
#
# Author: Enrico Labedzki (enrico.labedzki@deiwos.de)
#
[Definition]
# Option: failregex
# Notes.: regex to match the SMTP failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# Examples: Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
# Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
# Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded
__assp_actions = (dropping|refusing)
failregex = <HOST> max sender authentication errors \(\d+\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: [a-zA-Z0-9]+;$
<HOST> SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$
Blocking <HOST> - too much AUTH errors \(\d+\);$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
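Review bot: The first failregex ends in `[a-zA-Z0-9]+;$`, but the value after "authentication failed:" in the sample lines (`UGFzc3dvcmQ6`) is base64-shaped, and base64 also uses `+`, `/` and `=` padding, so lines carrying such a token would silently not match; `[A-Za-z0-9+/=]+;$` covers the alphabet. In the same pattern the enhanced status code is written `\d{1}\.\d{1}.\d{1}` with the second dot unescaped — `\d\.\d\.\d` is what is meant. None of the three patterns is anchored to the start of the remaining line or to the fixed `[SSL-out] ` / `Blocking` prefix seen in the examples; if the failregex is searched rather than matched from the line start, a `<HOST>` pattern can be satisfied by text appearing later in a line, so anchoring with `^\[SSL-out\] ` and `^Blocking ` keeps each pattern bound to the ASSP message it targets. The sample in testcases/files/logs/assp only contains alphanumeric tokens, so the current character class is not exercised there.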


@ -89,6 +89,13 @@ action = iptables[name=sasl, port=smtp, protocol=tcp]
sendmail-whois[name=sasl, dest=you@example.com] sendmail-whois[name=sasl, dest=you@example.com]
logpath = /var/log/mail.log logpath = /var/log/mail.log
# ASSP SMTP Proxy Jail
[assp]
enabled = false
port = 25,465,587
filter = assp
logpath = /root/path/to/assp/logs/maillog.txt
# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser". # used to avoid banning the user "myuser".
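Review bot: `logpath = /root/path/to/assp/logs/maillog.txt` in the new [assp] jail is a placeholder rather than a location ASSP writes to by default, and nothing in the block says so; a reader who only flips `enabled = true` gets a jail watching a file that does not exist. The neighbouring jails carry real default paths (`/var/log/mail.log` just above), so either use the path ASSP documents or add `# logpath must point at ASSP's maillog.txt; adjust for your installation`. The jail otherwise inherits action and maxretry from [DEFAULT], which is consistent with the sibling entries.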


@ -29,7 +29,7 @@ __license__ = "GPL"
import time, logging import time, logging
from datetemplate import DateStrptime, DateTai64n, DateEpoch, DateISO8601 from datetemplate import DateStrptime, DateTai64n, DateEpoch, DateISO8601, DateASSPlike
from threading import Lock from threading import Lock
# Gets the instance of the logger. # Gets the instance of the logger.
@ -161,6 +161,11 @@ class DateDetector:
template.setRegex("^\d{2}\d{2}\d{2} +\d{1,2}:\d{2}:\d{2}") template.setRegex("^\d{2}\d{2}\d{2} +\d{1,2}:\d{2}:\d{2}")
template.setPattern("%y%m%d %H:%M:%S") template.setPattern("%y%m%d %H:%M:%S")
self._appendTemplate(template) self._appendTemplate(template)
# ASSP: Apr-27-13 02:33:06
template = DateASSPlike()
template.setName("ASSP like date format")
template.setRegex("^[a-zA-Z]{3}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
self._appendTemplate(template)
finally: finally:
self.__lock.release() self.__lock.release()
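Review bot: The template registered at the `template = DateASSPlike()` lines never parses the timestamp it matches: DateASSPlike.getDate in datetemplate.py (added by this commit) ignores `line` and returns `MyTime.gmtime()`, so every matching line is stamped with the time it was read rather than the time it was logged. The format `Apr-27-13 02:33:06` is a plain strptime format, so the existing DateStrptime template already does the job: `template = DateStrptime()` followed by `template.setPattern("%b-%d-%y %H:%M:%S")` after the setRegex call, which makes the new class unnecessary. Using read time means lines re-read after a restart or a log rotation appear current, so stale failures can trigger bans and the findtime window no longer means anything for this jail; it also affects the expected value of the new entry in datedetectortest.py. The enclosing method starts outside the hunk.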


@ -218,3 +218,15 @@ class DateISO8601(DateTemplate):
value = dateMatch.group() value = dateMatch.group()
date = list(iso8601.parse_date(value).timetuple()) date = list(iso8601.parse_date(value).timetuple())
return date return date
class DateASSPlike(DateTemplate):
def __init__(self):
DateTemplate.__init__(self)
def getDate(self, line):
# there is no need to parse the date.
# ASSP doesn't buffer the log output.
return MyTime.gmtime()
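Review bot: `getDate` in DateASSPlike returns `MyTime.gmtime()` directly, whereas the sibling implementation visible just above returns a list (`list(iso8601.parse_date(value).timetuple())`); if MyTime.gmtime() hands back a struct_time, any caller that index-assigns into the result the way the list-returning templates permit would fail on the tuple. If the class is kept, `return list(MyTime.gmtime())` matches the sibling contract, and the `__init__` that only forwards to `DateTemplate.__init__` can be dropped. The comment "ASSP doesn't buffer the log output" is the assumption the whole class rests on and should state its consequence, e.g. `# Returns the read time, not the logged time; lines read later than written (restart, rotation) are misdated.`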


@ -85,6 +85,7 @@ class DateDetectorTest(unittest.TestCase):
"2005-01-23T21:59:59-05:00Z", #ISO 8601 with TZ "2005-01-23T21:59:59-05:00Z", #ISO 8601 with TZ
"<01/23/05@21:59:59>", "<01/23/05@21:59:59>",
"050123 21:59:59", # MySQL "050123 21:59:59", # MySQL
"Apr-27-13 01:27:45", # ASSP like
): ):
log = sdate + "[sshd] error: PAM: Authentication failure" log = sdate + "[sshd] error: PAM: Authentication failure"
# exclude # exclude
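Review bot: The new sample `"Apr-27-13 01:27:45", # ASSP like` encodes a different instant from every other entry in the tuple (the visible neighbours all spell 2005-01-23 21:59:59 in some format), so if the loop compares each parsed result against one fixed expected date, as the uniform samples suggest, this entry can only pass because DateASSPlike returns the current time instead of the logged one. Once the template parses the timestamp, the entry should encode the same instant, `"Jan-23-05 21:59:59", # ASSP like`, so the assertion actually checks the parser. The test method continues outside the hunk, so the comparison itself is not visible here.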

13
testcases/files/logs/assp Normal file

@ -0,0 +1,13 @@
Apr-07-13 07:08:36 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
Apr-07-13 07:08:36 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
Apr-07-13 07:10:37 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
Apr-07-13 07:12:37 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
Apr-07-13 07:14:36 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
Apr-27-13 02:25:09 Blocking 217.194.197.97 - too much AUTH errors (8);
Apr-27-13 02:25:09 Blocking 217.194.197.97 - too much AUTH errors (9);
Apr-27-13 02:25:09 Blocking 217.194.197.97 - too much AUTH errors (10);
Apr-27-13 02:25:10 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6;
Apr-27-13 02:25:10 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6;
Apr-27-13 02:25:10 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6;
Apr-27-13 02:25:11 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6;