Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10

2018-01-15 18:16:43 +01:00 · 2018-01-15 18:16:43 +01:00 · 2b7b0da943
parent 2bce0c5e3e 7e05976ead
commit 2b7b0da943
4 changed files with 8 additions and 4 deletions
--- a/1
+++ b/1
@ -473,6 +473,7 @@ releases.
    - fixed failregex of "AUTH command used when not advertised" to better handle the foreign
      input SMTP command (lower/mixed case auth command, prevent injection) (gh-1979)
 * filter.d/postfix-*.conf - added optional port regex (gh-1902)
+* filter.d/sendmail-auth.conf - extended daemon for Fedora 24/RHEL - the daemon name is "sendmail" (gh-1632)

 ### New Features

--- a/config/action.d/hostsdeny.conf
+++ b/config/action.d/hostsdeny.conf
@ -31,8 +31,7 @@ actioncheck =
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = IP=<ip> &&
-            printf %%b "<daemon_list>: $IP\n" >> <file>
+actionban = IP=<ip> && printf %%b "<daemon_list>: $IP\n" >> <file>

 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@ -40,7 +39,7 @@ actionban = IP=<ip> &&
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionunban = echo "/^<daemon_list>: <ip>$/<br>d<br>w<br>q" | ed <file>
+actionunban = IP=$(echo <ip> | sed 's/\./\\./g') && sed -i "/^<daemon_list>: $IP$/d" <file>

 [Init]

--- a/config/filter.d/sendmail-auth.conf
+++ b/config/filter.d/sendmail-auth.conf
@ -7,7 +7,7 @@ before = common.conf

 [Definition]

-_daemon = (?:sm-(mta|acceptingconnections))
+_daemon = (?:sendmail|sm-(?:mta|acceptingconnections))

 failregex = ^%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$

--- a/fail2ban/tests/files/logs/sendmail-auth
+++ b/fail2ban/tests/files/logs/sendmail-auth
@ -10,3 +10,7 @@ Feb 24 12:10:15 kismet sm-acceptingconnections[32053]: s1OHA28u032053: 211-75-6-

 # failJSON: { "time": "2005-02-24T13:00:17", "match": true , "host": "95.70.241.192" }
 Feb 24 13:00:17 kismet sm-acceptingconnections[1499]: s1OHxxSn001499: 192.241.70.95.dsl.static.turk.net [95.70.241.192] (may be forged): possible SMTP attack: command=AUTH, count=6
+
+# gh-1632, Fedora 24/RHEL - the daemon name is "sendmail":
+# failJSON: { "time": "2005-02-24T14:00:00", "match": true , "host": "192.0.2.1" }
+Feb 24 14:00:00 server sendmail[26592]: u0CB32qX026592: [192.0.2.1]: possible SMTP attack: command=AUTH, count=5