From b2e3affaa0d3d59f6c982ab4e4052f82349aa0cb Mon Sep 17 00:00:00 2001
From: Andrii Melnyk
Date: Fri, 8 Jul 2016 04:50:57 +0300
Subject: [PATCH 1/8] adding openldap slapd filter
---
 ChangeLog | 2 ++
 config/filter.d/slapd.conf | 17 +++++++++++++++++
 config/jail.conf | 5 +++++
 3 files changed, 24 insertions(+)
 create mode 100644 config/filter.d/slapd.conf
diff --git a/ChangeLog b/ChangeLog
index 3f985b20..ad64ab78 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -30,6 +30,8 @@ ver. 0.9.5 (2016/XX/XXX) - wanna-be-released
 - New Features:
   * New Actions:
     - action.d/firewallcmd-rich-rules and action.d/firewallcmd-rich-logging (gh-1367)
+  * New filters:
+    - slapd - ban hosts, that were failed to connect with invalid credentials: error code 49
 - Enhancements:
   * Extreme speedup of all sqlite database operations (gh-1436),
diff --git a/config/filter.d/slapd.conf b/config/filter.d/slapd.conf
new file mode 100644
index 00000000..9a4e14c5
--- /dev/null
+++ b/config/filter.d/slapd.conf
@@ -0,0 +1,17 @@
+# slapd (Stand-alone LDAP Daemon) openldap daemon filter
+#
+# Detecting invalid credentials: error code 49
+# http://www.openldap.org/doc/admin24/appendix-ldap-result-codes.html#invalidCredentials (49)
+
+[Definition]
+
+failregex = ^.* conn=(?P\d+) fd=\d+ ACCEPT from IP=\:\d+ .+$^.+ conn=(?P=pid) .* RESULT .* err=49 .*$
+
+ignoreregex =
+
+[Init]
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 20
+
+# Author: Andrii Melnyk
diff --git a/config/jail.conf b/config/jail.conf
index 941737ff..41d8d3b8 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -840,3 +840,8 @@ logencoding = utf-8
 # See "haproxy-http-auth" filter for a brief cautionary note when setting
 # maxretry and findtime.
 logpath = /var/log/haproxy.log
+
+[slapd]
+port = ldap,ldaps
+filter = slapd
+logpath = /var/log/slapd.log
From c9ab669851ae8aeb7a11efc385bed5c1d61389f1 Mon Sep 17 00:00:00 2001
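Review bot: `logpath = /var/log/slapd.log` in the new `[slapd]` jail presumes a dedicated log file, yet the fixture lines added later in this series (`Jul 8 01:47:19 ldap-server slapd[1183]: …`) are syslog-formatted, which suggests slapd was logging through syslog on the author's host; on installations where syslog does not route those messages to that path, the jail should fail to start for lack of a readable log. A comment above the jail would spare administrators the surprise, e.g. `# slapd usually logs through syslog; make sure its conn=/RESULT lines are written to the file below`. Whether the jail is enabled at all is decided by `[DEFAULT]`, which lies outside this hunk.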
From: Andrii Melnyk
Date: Fri, 8 Jul 2016 04:56:29 +0300
Subject: [PATCH 2/8] added sample log lines for slapd
---
 fail2ban/tests/files/logs/slapd | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 fail2ban/tests/files/logs/slapd
diff --git a/fail2ban/tests/files/logs/slapd b/fail2ban/tests/files/logs/slapd
new file mode 100644
index 00000000..19e78882
--- /dev/null
+++ b/fail2ban/tests/files/logs/slapd
@@ -0,0 +1,9 @@
+Jul 8 01:47:19 ldap-server slapd[1183]: conn=1022 fd=21 ACCEPT from IP=8.8.8.8:45011 (IP=0.0.0.0:636)
+Jul 8 01:47:19 ldap-server slapd[1183]: conn=1022 fd=21 TLS established tls_ssf=256 ssf=256
+Jul 8 01:47:19 ldap-server slapd[1183]: conn=1022 op=0 EXT oid=1.3.6.1.4.1.6.1
+Jul 8 01:47:19 ldap-server slapd[1183]: conn=1022 op=0 STARTTLS
+Jul 8 01:47:19 ldap-server slapd[1183]: conn=1022 op=0 RESULT oid= err=1 text=TLS already started
+Jul 8 01:47:20 ldap-server slapd[1183]: conn=1022 op=1 BIND dn="uid=gipson,ou=people,dc=example,dc=com" method=128
+Jul 8 01:47:20 ldap-server slapd[1183]: conn=1022 op=1 RESULT tag=97 err=49 text=
+Jul 8 01:47:20 ldap-server slapd[1183]: conn=1022 op=2 UNBIND
+Jul 8 01:47:20 ldap-server slapd[1183]: conn=1022 fd=21 closed
From c335663395d08267b6a4e562f3a3801ba5854d2e Mon Sep 17 00:00:00 2001
From: Andrii Melnyk
Date: Fri, 8 Jul 2016 05:12:25 +0300
Subject: [PATCH 3/8] add info to log file
---
 fail2ban/tests/files/logs/slapd | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/fail2ban/tests/files/logs/slapd b/fail2ban/tests/files/logs/slapd
index 19e78882..c4758dfb 100644
--- a/fail2ban/tests/files/logs/slapd
+++ b/fail2ban/tests/files/logs/slapd
@@ -1,9 +1,18 @@
+# failJSON: { "match": false }
 Jul 8 01:47:19 ldap-server slapd[1183]: conn=1022 fd=21 ACCEPT from IP=8.8.8.8:45011 (IP=0.0.0.0:636)
+# failJSON: { "match": false }
 Jul 8 01:47:19 ldap-server slapd[1183]: conn=1022 fd=21 TLS established tls_ssf=256 ssf=256
+# failJSON: { "match": false }
 Jul 8 01:47:19 ldap-server slapd[1183]: conn=1022 op=0 EXT oid=1.3.6.1.4.1.6.1
+# failJSON: { "match": false }
 Jul 8 01:47:19 ldap-server slapd[1183]: conn=1022 op=0 STARTTLS
+# failJSON: { "match": false }
 Jul 8 01:47:19 ldap-server slapd[1183]: conn=1022 op=0 RESULT oid= err=1 text=TLS already started
+# failJSON: { "match": false }
 Jul 8 01:47:20 ldap-server slapd[1183]: conn=1022 op=1 BIND dn="uid=gipson,ou=people,dc=example,dc=com" method=128
+# failJSON: { "time": "2016-07-08T01:47:20", "match": true , "host": "8.8.8.8", "desc": "Multiline match for invalid credentials" }
 Jul 8 01:47:20 ldap-server slapd[1183]: conn=1022 op=1 RESULT tag=97 err=49 text=
+# failJSON: { "match": false }
 Jul 8 01:47:20 ldap-server slapd[1183]: conn=1022 op=2 UNBIND
+# failJSON: { "match": false }
 Jul 8 01:47:20 ldap-server slapd[1183]: conn=1022 fd=21 closed
From dcb69b024221fb6a947cb18d6ec576490e165362 Mon Sep 17 00:00:00 2001
From: Andrii Melnyk
Date: Fri, 8 Jul 2016 05:29:51 +0300
Subject: [PATCH 4/8] * add `__prefix_line` to regex * fix time in log file
---
 config/filter.d/slapd.conf | 10 +++++++++-
 fail2ban/tests/files/logs/slapd | 2 +-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/config/filter.d/slapd.conf b/config/filter.d/slapd.conf
index 9a4e14c5..0af6a4ea 100644
--- a/config/filter.d/slapd.conf
+++ b/config/filter.d/slapd.conf
@@ -3,9 +3,17 @@
 # Detecting invalid credentials: error code 49
 # http://www.openldap.org/doc/admin24/appendix-ldap-result-codes.html#invalidCredentials (49)
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
 [Definition]
 
-failregex = ^.* conn=(?P\d+) fd=\d+ ACCEPT from IP=\:\d+ .+$^.+ conn=(?P=pid) .* RESULT .* err=49 .*$
+_daemon = slapd
+
+failregex = ^(?P<__prefix>%(__prefix_line)s).* conn=(?P\d+) fd=\d+ ACCEPT from IP=\:\d+ .+$(?P=__prefix).+ conn=(?P=pid) .* RESULT .* err=49 .*$
 
 ignoreregex =
 
diff --git a/fail2ban/tests/files/logs/slapd b/fail2ban/tests/files/logs/slapd
index c4758dfb..db7cda87 100644
--- a/fail2ban/tests/files/logs/slapd
+++ b/fail2ban/tests/files/logs/slapd
@@ -10,7 +10,7 @@ Jul 8 01:47:19 ldap-server slapd[1183]: conn=1022 op=0 STARTTLS
 Jul 8 01:47:19 ldap-server slapd[1183]: conn=1022 op=0 RESULT oid= err=1 text=TLS already started
 # failJSON: { "match": false }
 Jul 8 01:47:20 ldap-server slapd[1183]: conn=1022 op=1 BIND dn="uid=gipson,ou=people,dc=example,dc=com" method=128
-# failJSON: { "time": "2016-07-08T01:47:20", "match": true , "host": "8.8.8.8", "desc": "Multiline match for invalid credentials" }
+# failJSON: { "time": "2005-07-08T01:47:20", "match": true , "host": "8.8.8.8", "desc": "Multiline match for invalid credentials" }
 Jul 8 01:47:20 ldap-server slapd[1183]: conn=1022 op=1 RESULT tag=97 err=49 text=
 # failJSON: { "match": false }
 Jul 8 01:47:20 ldap-server slapd[1183]: conn=1022 op=2 UNBIND
From 48c094f6125665dc17b2c7a6e51a928ef6eb9b86 Mon Sep 17 00:00:00 2001
From: Andrii Melnyk
Date: Fri, 8 Jul 2016 13:45:10 +0300
Subject: [PATCH 5/8] improved failregex according to @sebres recomendations
---
 config/filter.d/slapd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/filter.d/slapd.conf b/config/filter.d/slapd.conf
index 0af6a4ea..23d9ee2d 100644
--- a/config/filter.d/slapd.conf
+++ b/config/filter.d/slapd.conf
@@ -13,7 +13,7 @@ before = common.conf
 
 _daemon = slapd
 
-failregex = ^(?P<__prefix>%(__prefix_line)s).* conn=(?P\d+) fd=\d+ ACCEPT from IP=\:\d+ .+$(?P=__prefix).+ conn=(?P=pid) .* RESULT .* err=49 .*$
+failregex = ^(?P<__prefix>%(__prefix_line)s)conn=(?P<_conn_>\d+) fd=\d+ ACCEPT from IP=[^\n]+(?P=__prefix)conn=(?P=_conn_) op=\d+ RESULT(?:\s(?!err)\S+=\S*)* err=49\s
 
 ignoreregex =
 
From 2c5a489bc77077775b9790d31a3ce5f89ca7f202 Mon Sep 17 00:00:00 2001
From: Andrii Melnyk
Date: Fri, 8 Jul 2016 13:55:58 +0300
Subject: [PATCH 6/8] add PR id to ChangeLog
---
 ChangeLog | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index ad64ab78..ccac9a9d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -31,7 +31,7 @@ ver. 0.9.5 (2016/XX/XXX) - wanna-be-released
   * New Actions:
     - action.d/firewallcmd-rich-rules and action.d/firewallcmd-rich-logging (gh-1367)
   * New filters:
-    - slapd - ban hosts, that were failed to connect with invalid credentials: error code 49
+    - slapd - ban hosts, that were failed to connect with invalid credentials: error code 49 (gh-1478)
 - Enhancements:
   * Extreme speedup of all sqlite database operations (gh-1436),
From 7c5828dd2ae21f059039bc6767406914beab2d5a Mon Sep 17 00:00:00 2001
From: Andrii Melnyk
Date: Wed, 13 Jul 2016 21:09:42 +0300
Subject: [PATCH 7/8] add trailing anchor to failregex
---
 config/filter.d/slapd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/filter.d/slapd.conf b/config/filter.d/slapd.conf
index 23d9ee2d..b80c288b 100644
--- a/config/filter.d/slapd.conf
+++ b/config/filter.d/slapd.conf
@@ -13,7 +13,7 @@ before = common.conf
 
 _daemon = slapd
 
-failregex = ^(?P<__prefix>%(__prefix_line)s)conn=(?P<_conn_>\d+) fd=\d+ ACCEPT from IP=[^\n]+(?P=__prefix)conn=(?P=_conn_) op=\d+ RESULT(?:\s(?!err)\S+=\S*)* err=49\s
+failregex = ^(?P<__prefix>%(__prefix_line)s)conn=(?P<_conn_>\d+) fd=\d+ ACCEPT from IP=[^\n]+(?P=__prefix)conn=(?P=_conn_) op=\d+ RESULT(?:\s(?!err)\S+=\S*)* err=49\s$
 
 ignoreregex =
 
From 7433b353ee591e0da2946d6c713d6c19e936fbca Mon Sep 17 00:00:00 2001
From: Andrii Melnyk
Date: Thu, 14 Jul 2016 10:19:21 +0300
Subject: [PATCH 8/8] another variant of regex
---
 config/filter.d/slapd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/filter.d/slapd.conf b/config/filter.d/slapd.conf
index b80c288b..22cf4304 100644
--- a/config/filter.d/slapd.conf
+++ b/config/filter.d/slapd.conf
@@ -13,7 +13,7 @@ before = common.conf
 
 _daemon = slapd
 
-failregex = ^(?P<__prefix>%(__prefix_line)s)conn=(?P<_conn_>\d+) fd=\d+ ACCEPT from IP=[^\n]+(?P=__prefix)conn=(?P=_conn_) op=\d+ RESULT(?:\s(?!err)\S+=\S*)* err=49\s$
+failregex = ^(?P<__prefix>%(__prefix_line)s)conn=(?P<_conn_>\d+) fd=\d+ ACCEPT from IP=:\d{1,5} \(IP=\S+\)\s*(?P=__prefix)conn=(?P=_conn_) op=\d+ RESULT(?:\s(?!err)\S+=\S*)* err=49 text=[\w\s]*$
 
 ignoreregex =
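Review bot: `err=49 text=[\w\s]*$` at the end of the new failregex only matches when the diagnostic after `text=` is empty or made of word characters and whitespace; the fixture only exercises an empty `text=`, so a slapd message that puts punctuation into that field would silently stop matching and the failed bind would not be counted. If the intent is simply to anchor on the result code, `err=49 text=.*$` (or the previous `err=49\s` form) is the more robust ending. Two points belong in the filter header, which is outside this hunk: the match relies on the `ACCEPT` line of the same `conn=` still being inside the `maxlines = 20` buffer set in `[Init]`, so later bind failures on a long-lived connection are not counted, and, as rendered here, `IP=:\d{1,5}` shows no host capture between `IP=` and the port, which looks like the `<HOST>` token was dropped in rendering rather than in the commit — worth confirming against the committed file.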