Merge pull request #1478 from gips0n/master

adding openldap slapd filter
2016-07-14 08:30:42 -04:00 · 2016-07-14 08:30:42 -04:00 · 28a0605f69
parent de5d911fd5 7433b353ee
commit 28a0605f69
4 changed files with 50 additions and 0 deletions
--- a/2
+++ b/2
@ -32,6 +32,8 @@ ver. 0.9.5 (2016/XX/XXX) - wanna-be-released
 - New Features:
   * New Actions:
     - action.d/firewallcmd-rich-rules and action.d/firewallcmd-rich-logging (gh-1367)
+   * New filters:
+     - slapd - ban hosts, that were failed to connect with invalid credentials: error code 49 (gh-1478)

 - Enhancements:
   * Extreme speedup of all sqlite database operations (gh-1436),
--- a/config/filter.d/slapd.conf
+++ b/config/filter.d/slapd.conf
@ -0,0 +1,25 @@
+# slapd (Stand-alone LDAP Daemon) openldap daemon filter
+#
+# Detecting invalid credentials: error code 49
+# http://www.openldap.org/doc/admin24/appendix-ldap-result-codes.html#invalidCredentials (49)
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = slapd
+
+failregex = ^(?P<__prefix>%(__prefix_line)s)conn=(?P<_conn_>\d+) fd=\d+ ACCEPT from IP=<HOST>:\d{1,5} \(IP=\S+\)\s*<SKIPLINES>(?P=__prefix)conn=(?P=_conn_) op=\d+ RESULT(?:\s(?!err)\S+=\S*)* err=49 text=[\w\s]*$
+
+ignoreregex =
+
+[Init]
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 20
+
+# Author: Andrii Melnyk
--- a/config/jail.conf
+++ b/config/jail.conf
@ -840,3 +840,8 @@ logencoding = utf-8
 # See "haproxy-http-auth" filter for a brief cautionary note when setting
 # maxretry and findtime.
 logpath  = /var/log/haproxy.log
+
+[slapd]
+port    = ldap,ldaps
+filter  = slapd
+logpath = /var/log/slapd.log
--- a/fail2ban/tests/files/logs/slapd
+++ b/fail2ban/tests/files/logs/slapd
@ -0,0 +1,18 @@
+# failJSON: { "match": false }
+Jul  8 01:47:19 ldap-server slapd[1183]: conn=1022 fd=21 ACCEPT from IP=8.8.8.8:45011 (IP=0.0.0.0:636)
+# failJSON: { "match": false }
+Jul  8 01:47:19 ldap-server slapd[1183]: conn=1022 fd=21 TLS established tls_ssf=256 ssf=256
+# failJSON: { "match": false }
+Jul  8 01:47:19 ldap-server slapd[1183]: conn=1022 op=0 EXT oid=1.3.6.1.4.1.6.1
+# failJSON: { "match": false }
+Jul  8 01:47:19 ldap-server slapd[1183]: conn=1022 op=0 STARTTLS
+# failJSON: { "match": false }
+Jul  8 01:47:19 ldap-server slapd[1183]: conn=1022 op=0 RESULT oid= err=1 text=TLS already started
+# failJSON: { "match": false }
+Jul  8 01:47:20 ldap-server slapd[1183]: conn=1022 op=1 BIND dn="uid=gipson,ou=people,dc=example,dc=com" method=128
+# failJSON: { "time": "2005-07-08T01:47:20", "match": true , "host": "8.8.8.8", "desc": "Multiline match for invalid credentials" }
+Jul  8 01:47:20 ldap-server slapd[1183]: conn=1022 op=1 RESULT tag=97 err=49 text=
+# failJSON: { "match": false }
+Jul  8 01:47:20 ldap-server slapd[1183]: conn=1022 op=2 UNBIND
+# failJSON: { "match": false }
+Jul  8 01:47:20 ldap-server slapd[1183]: conn=1022 fd=21 closed