From b64bf3fa7b8b70c39e9fdff554f29d306543f7f4 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Sat, 5 Oct 2013 19:18:44 +1000
Subject: [PATCH 1/3] ENH: filter.d/webmin anchor at start and use syslog

---
 ChangeLog | 1 +
 config/filter.d/webmin-auth.conf | 23 ++++++++++-------------
 testcases/files/logs/webmin-auth | 4 ++++
 3 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 46b12528..96fefa45 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -84,6 +84,7 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
 regular expressions with the -D parameter.
 * filter.d/sshd - regex enhancements to support openssh-6.3. Closes Debian bug #722970
+ * filter.d/webmin - anchored regex at start
 Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий
 * filter.d/exim.conf -- regex hardening and extra failure examples in sample logs
diff --git a/config/filter.d/webmin-auth.conf b/config/filter.d/webmin-auth.conf
index 67f6e73f..b98075b5 100644
--- a/config/filter.d/webmin-auth.conf
+++ b/config/filter.d/webmin-auth.conf
@@ -5,23 +5,20 @@
 #
 #
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = webmin
+
 [Definition]
 # patern : webmin[15673]: Non-existent login as toto from 86.0.6.217
 # webmin[29544]: Invalid login as root from 86.0.6.217
 #
-# Option: failregex
-# Notes.: regex to match the password failure messages in the logfile. The
-# host must be matched by a group named "host". The tag "" can
-# be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P[\w\-.^_]+)
-# Values: TEXT
-#
-failregex = webmin.* Non-existent login as .+ from \s*$ webmin.* Invalid login as .+ from \s*$
+failregex = ^%(__prefix_line)sNon-existent login as .+ from \s*$ ^%(__prefix_line)sInvalid login as .+ from \s*$
-# Option: ignoreregex
-# Notes.: regex to ignore. If this regex matches, the line is ignored.
-# Values: TEXT
-#
 ignoreregex = 
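Review bot: The config/filter.d/webmin-auth.conf hunk leaves the file with two `[Definition]` headers — the added block opens one for `_daemon = webmin`, and the pre-existing header is kept as context directly below it. Whether fail2ban's config reader merges or rejects a repeated section is not visible here, but a strict INI parser would refuse it and a reader cannot tell which section `_daemon` belongs to; dropping the added `[Definition]` line and its following blank `+` line so that `_daemon = webmin` sits under the existing header removes the ambiguity. Separately, the failregex lines as rendered read `from \s*$` with no host capture group; presumably the `<HOST>` tag was stripped on display, since the filter cannot bind a host without it, so this is worth confirming in the raw file. The hunk also drops the `Option:`/`Notes.:` comments for failregex and ignoreregex; a single line such as `# __prefix_line comes from common.conf (syslog timestamp/host/_daemon[pid])` would keep the file self-explaining now that the match depends on the include.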
diff --git a/testcases/files/logs/webmin-auth b/testcases/files/logs/webmin-auth
index 424c114d..1ad9f2a6 100644
--- a/testcases/files/logs/webmin-auth
+++ b/testcases/files/logs/webmin-auth
@@ -7,3 +7,7 @@ Dec 13 08:15:18 sb1 webmin[25875]: Invalid login as root from 89.2.49.230
 #2 User does not exists
 # failJSON: { "time": "2004-12-12T23:14:19", "match": true , "host": "188.40.105.142" }
 Dec 12 23:14:19 sb1 webmin[22134]: Non-existent login as robert from 188.40.105.142
+
+# failJSON: { "time": "2004-09-25T10:38:11", "match": true , "host": "14.200.251.155" }
+Sep 25 10:38:11 platypus webmin[27249]: Non-existent login as admin@goodeyedeer.com.au from 14.200.251.155
+

From 0beea03914972ea735a66c14c8f742a8ba1861a1 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Wed, 9 Oct 2013 11:05:50 +1100
Subject: [PATCH 2/3] ENH: jail.conf example for webmin

---
 config/jail.conf | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/config/jail.conf b/config/jail.conf
index 80b774e5..d637037c 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -439,3 +439,12 @@ enabled = false
 filter = sshd
 action = osx-afctl[bantime=600]
 logpath = /var/log/secure.log
+
+[webmin]
+enabled = false
+filter = webmin
+action = iptables-multiport[name=webmin,port="10000"]
+logpath = /var/log/auth.log
+
+
+

From 2a1d629d88608c1dd442618ea2ecc1f3633a2821 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Wed, 9 Oct 2013 11:08:44 +1100
Subject: [PATCH 3/3] BF: webmin -> webmin-auth

---
 config/jail.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/jail.conf b/config/jail.conf
index d637037c..4604d98e 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -440,9 +440,9 @@ filter = sshd
 action = osx-afctl[bantime=600]
 logpath = /var/log/secure.log
-[webmin]
+[webmin-auth]
 enabled = false
-filter = webmin
+filter = webmin-auth
 action = iptables-multiport[name=webmin,port="10000"]
 logpath = /var/log/auth.log
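Review bot: The new sample in testcases/files/logs/webmin-auth is another positive case only, so nothing in the file exercises the start-of-line anchoring that patch 1 introduces — a failregex that still matched `webmin` anywhere in the line would pass this test unchanged. A `# failJSON: { "match": false }` entry followed by a syslog-format webmin line that is not a login failure would pin the `^%(__prefix_line)s` behaviour. The added sample does usefully cover a username containing `@` and dots, which the `.+` group must accept; a short `# username with @ and dots` comment above it would state that intent. The trailing blank `+` line appended at the end of the file looks unintentional.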
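Review bot: `logpath = /var/log/auth.log` in the new jail in config/jail.conf assumes webmin's authentication messages go to the syslog auth facility and that the distribution writes that facility to auth.log; the syslog-format sample log in this series is consistent with the first part, but systems that route auth messages elsewhere (the neighbouring osx jail's `/var/log/secure.log` shows one such variation) will never feed this jail. A comment above the section such as `# webmin reports login failures via syslog (auth facility); point logpath at the file your syslog writes that facility to` would make the assumption explicit. The hunk also appends three empty lines at the end of jail.conf where a single separator blank is the file's convention.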