added new date format support for ASSP SMTP Proxy

2013-04-28 10:44:31 +02:00 · 2013-04-28 10:44:31 +02:00 · 24a8d07c20
parent 7b87afef48
commit 24a8d07c20
9 changed files with 79 additions and 3 deletions
--- a/6
+++ b/6
@ -4,10 +4,10 @@
                       |_| \__,_|_|_/___|_.__/\__,_|_||_|

 ================================================================================
-Fail2Ban (version 0.8.9)                                              2013/04/XX
+Fail2Ban (version 0.8.9)                                              2013/04/28
 ================================================================================

-ver. 0.8.9 (2013/04/XXX) - wanna-be-stable
+ver. 0.8.9 (2013/04/28) - wanna-be-stable
 ----------

 Although primarily a bugfix release, it incorporates many new
@ -68,6 +68,8 @@ Borreli, blotus:
  Soulard Morgan
   * [f336d9f] Add filter for webmin. Closes gh-99.
 - Enhancements:
+  Enrico Labedzki
+   * [???????] Added Datew format for ASSP SMTP Proxy.
  Steven Hiscocks
   * [3d6791f] Ensure restart of Actions after a check fails occurs
     consistently. Closes gh-172.
--- a/1
+++ b/1
@ -16,6 +16,7 @@ Daniel B. Cid
 Daniel Black
 David Nutter
 Eric Gerbier
+Enrico Labedzki
 Guillaume Delvit
 Hanno 'Rince' Wagner
 Iain Lea
--- a/2
+++ b/2
@ -13,6 +13,8 @@ Legend:
 # partially done
 * done

+- more detailed explaination in DEVELOP for new developers (eg. howto build this HEX numbers in ChangeLog)
+
 - Run tests though all filters/examples files - (see sshd example file) as unit
  test

--- a/config/filter.d/assp.conf
+++ b/config/filter.d/assp.conf
@ -0,0 +1,33 @@
+# Fail2Ban configuration file
+# for Anti-Spam SMTP Proxy Server also known as ASSP
+#    Honmepage:   http://www.magicvillage.de/~Fritz_Borgstedt/assp/0003D91C-8000001C/
+#    ProjektSite: http://sourceforge.net/projects/assp/?source=directory
+#
+# Author: Enrico Labedzki (enrico.labedzki@deiwos.de)
+#
+
+[Definition] 
+
+# Option:  failregex
+# Notes.:  regex to match the SMTP failure messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>\S+)
+# Values:  TEXT
+#
+# Examples: Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
+#           Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
+#           Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded 
+__assp_actions = (dropping|refusing)
+
+failregex = <HOST> max sender authentication errors \(\d+\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: [a-zA-Z0-9]+;$
+			<HOST> SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$
+			Blocking <HOST> - too much AUTH errors \(\d+\);$
+
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 
+
--- a/config/jail.conf
+++ b/config/jail.conf
@ -89,6 +89,13 @@ action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=you@example.com]
 logpath  = /var/log/mail.log

+# ASSP SMTP Proxy Jail
+[assp]
+enabled  = false
+port     = 25,465,587
+filter   = assp
+logpath  = /root/path/to/assp/logs/maillog.txt
+
 # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
 # used to avoid banning the user "myuser".

--- a/server/datedetector.py
+++ b/server/datedetector.py
@ -29,7 +29,7 @@ __license__ = "GPL"

 import time, logging

-from datetemplate import DateStrptime, DateTai64n, DateEpoch, DateISO8601
+from datetemplate import DateStrptime, DateTai64n, DateEpoch, DateISO8601, DateASSPlike
 from threading import Lock

 # Gets the instance of the logger.
@ -161,6 +161,11 @@ class DateDetector:
 			template.setRegex("^\d{2}\d{2}\d{2} +\d{1,2}:\d{2}:\d{2}")
 			template.setPattern("%y%m%d %H:%M:%S")
 			self._appendTemplate(template)
+			# ASSP: Apr-27-13 02:33:06
+			template = DateASSPlike()
+			template.setName("ASSP like date format")
+			template.setRegex("^[a-zA-Z]{3}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
+			self._appendTemplate(template)
 		finally:
 			self.__lock.release()
 	
--- a/server/datetemplate.py
+++ b/server/datetemplate.py
@ -218,3 +218,15 @@ class DateISO8601(DateTemplate):
 			value = dateMatch.group()
 			date = list(iso8601.parse_date(value).timetuple())
 		return date
+
+
+class DateASSPlike(DateTemplate):
+
+	def __init__(self):
+		DateTemplate.__init__(self)
+
+	def getDate(self, line):
+		# there is no need to parse the date.
+		# ASSP doesn't buffer the log output.
+		return MyTime.gmtime()
+
--- a/testcases/datedetectortestcase.py
+++ b/testcases/datedetectortestcase.py
@ -85,6 +85,7 @@ class DateDetectorTest(unittest.TestCase):
 			"2005-01-23T21:59:59-05:00Z", #ISO 8601 with TZ
 			"<01/23/05@21:59:59>",
 			"050123 21:59:59", # MySQL
+			"Apr-27-13 01:27:45", # ASSP like
 			):
 			log = sdate + "[sshd] error: PAM: Authentication failure"
 			# exclude
--- a/testcases/files/logs/assp
+++ b/testcases/files/logs/assp
@ -0,0 +1,13 @@
+Apr-07-13 07:08:36 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
+Apr-07-13 07:08:36 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
+Apr-07-13 07:10:37 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
+Apr-07-13 07:12:37 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
+Apr-07-13 07:14:36 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
+Apr-27-13 02:25:09 Blocking 217.194.197.97 - too much AUTH errors (8);
+Apr-27-13 02:25:09 Blocking 217.194.197.97 - too much AUTH errors (9);
+Apr-27-13 02:25:09 Blocking 217.194.197.97 - too much AUTH errors (10);
+Apr-27-13 02:25:10 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6;
+Apr-27-13 02:25:10 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6;
+Apr-27-13 02:25:10 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6;
+Apr-27-13 02:25:11 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6;
+