diff --git a/ChangeLog b/ChangeLog index 3f9a5415..775d7044 100644 --- a/ChangeLog +++ b/ChangeLog @@ -87,6 +87,7 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests regular expressions with the -D parameter. * filter.d/sshd - regex enhancements to support openssh-6.3. Closes Debian bug #722970 + * filter.d/webmin - anchored regex at start Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий * filter.d/exim.conf -- regex hardening and extra failure examples in sample logs diff --git a/config/filter.d/webmin-auth.conf b/config/filter.d/webmin-auth.conf index 67f6e73f..b98075b5 100644 --- a/config/filter.d/webmin-auth.conf +++ b/config/filter.d/webmin-auth.conf @@ -5,23 +5,20 @@ # # +[INCLUDES] + +before = common.conf + +[Definition] + +_daemon = webmin + [Definition] # patern : webmin[15673]: Non-existent login as toto from 86.0.6.217 # webmin[29544]: Invalid login as root from 86.0.6.217 # -# Option: failregex -# Notes.: regex to match the password failure messages in the logfile. The -# host must be matched by a group named "host". The tag "" can -# be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P[\w\-.^_]+) -# Values: TEXT -# -failregex = webmin.* Non-existent login as .+ from \s*$ - webmin.* Invalid login as .+ from \s*$ +failregex = ^%(__prefix_line)sNon-existent login as .+ from \s*$ + ^%(__prefix_line)sInvalid login as .+ from \s*$ -# Option: ignoreregex -# Notes.: regex to ignore. If this regex matches, the line is ignored. -# Values: TEXT -# ignoreregex = diff --git a/config/jail.conf b/config/jail.conf index 1562903b..177db4c4 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -439,3 +439,12 @@ enabled = false filter = sshd action = osx-afctl[bantime=600] logpath = /var/log/secure.log + +[webmin-auth] +enabled = false +filter = webmin-auth +action = iptables-multiport[name=webmin,port="10000"] +logpath = /var/log/auth.log + + + 
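Review bot: The new side of webmin-auth.conf ends up with two `[Definition]` headers: the added one that sets `_daemon = webmin`, followed by the original header kept as a context line, so `_daemon` sits in one section and the regexes in a repeat of the same section. Whether the config parser merges that silently or rejects it as a duplicate section depends on which parser fail2ban runs under, and either way it misleads the next reader; the retained second `[Definition]` line should be dropped so the section reads `[Definition]`, `_daemon = webmin`, then the pattern comment and `failregex`. The `<HOST>` tags appear stripped in this rendering of the hunk, so I am reading the anchored regexes as `... from <HOST>\s*$`; if they are genuinely absent the filter has no host group to ban. The file's header comment precedes the hunk.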
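Review bot: The new `[webmin-auth]` jail bans only `port="10000"`, Webmin's default listening port; an installation whose miniserv.conf moves Webmin to another port would still match the filter but the ban would leave the real port open. A one-line comment above the jail, `# adjust port= if miniserv.conf uses a non-default port`, would save an operator that surprise. `logpath = /var/log/auth.log` likewise assumes Webmin logs through syslog's auth facility, which varies by distribution. The jail is `enabled = false`, so neither point affects a stock install.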
diff --git a/testcases/files/logs/webmin-auth b/testcases/files/logs/webmin-auth
index 424c114d..1ad9f2a6 100644
--- a/testcases/files/logs/webmin-auth
+++ b/testcases/files/logs/webmin-auth
@@ -7,3 +7,7 @@ Dec 13 08:15:18 sb1 webmin[25875]: Invalid login as root from 89.2.49.230
 #2 User does not exists
 # failJSON: { "time": "2004-12-12T23:14:19", "match": true , "host": "188.40.105.142" }
 Dec 12 23:14:19 sb1 webmin[22134]: Non-existent login as robert from 188.40.105.142
+
+# failJSON: { "time": "2004-09-25T10:38:11", "match": true , "host": "14.200.251.155" }
+Sep 25 10:38:11 platypus webmin[27249]: Non-existent login as admin@goodeyedeer.com.au from 14.200.251.155
+