From fcf79b475f26884a584617f3fd5ff66afa6df371 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Fri, 19 Jul 2013 20:14:53 +1000 Subject: [PATCH 1/7] ENH: new filter perdition.conf --- ChangeLog | 2 ++ THANKS | 1 + config/filter.d/perdition.conf | 16 ++++++++++++++++ testcases/files/logs/perdition | 4 ++++ 4 files changed, 23 insertions(+) create mode 100644 config/filter.d/perdition.conf create mode 100644 testcases/files/logs/perdition diff --git a/ChangeLog b/ChangeLog index a6a6ab23..4139dfe1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -36,6 +36,8 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests Daniel Black * filter.d/exim-spam.conf -- a splitout of exim's spam regexes with additions for greater control over filtering spam. + Christophe Carles & Daniel Black + * filter.d/perdition.conf -- filter added - Enhancements: Daniel Black * filter.d/{asterisk,assp,dovecot,proftpd}.conf -- regex hardening diff --git a/THANKS b/THANKS index af790f67..b853c0dc 100644 --- a/THANKS +++ b/THANKS @@ -11,6 +11,7 @@ Axel Thimm Bill Heaton Carlos Alberto Lopez Perez Christian Rauch +Christophe Carles Christoph Haas Christos Psonis Daniel B. Cid diff --git a/config/filter.d/perdition.conf b/config/filter.d/perdition.conf new file mode 100644 index 00000000..e7cb0f7d --- /dev/null +++ b/config/filter.d/perdition.conf @@ -0,0 +1,16 @@ +# Fail2Ban configuration file +# +# Author: Christophe Carles and Daniel Black +# +# + +[INCLUDES] + +before = common.conf + +[Definition] + +_daemon=perdition.imaps + +failregex = ^%(__prefix_line)sAuth: :\d+->(\d{1,3}\.){3}\d{1,3}:\d+ client-secure=\S+ authorisation_id=NONE authentication_id="\S+" server="\S+" protocol=\S+ server-secure=\S+ status="failed: Re-Authentication Failure"$ + ^%(__prefix_line)sFatal Error reading authentication information from client :\d+->(\d{1,3}\.){3}\d{1,3}:\d+: Exiting child$ diff --git a/testcases/files/logs/perdition b/testcases/files/logs/perdition new file mode 100644 index 00000000..2304e372 --- /dev/null 
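Review bot: The second failregex, `Fatal Error reading authentication information from client …: Exiting child`, reads like a failure to receive credentials at all rather than a rejected password, so if perdition also logs it when a client drops the connection mid-handshake, transient disconnects will count toward a ban together with real authentication failures; a header comment stating why it is included (or that it only follows a failed auth) would let the next maintainer judge that. As rendered here neither regex shows a `<HOST>` tag in front of `:\d+->`, which may just be the page stripping an angle-bracket tag; if it is really absent the filter captures no host and can never ban. The server-side address is matched only as `(\d{1,3}\.){3}\d{1,3}`, so lines from an IPv6 listener would not match; if that is intended, say so in a comment.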
+++ b/testcases/files/logs/perdition @@ -0,0 +1,4 @@ +# failJSON: { "time": "2013-07-18T16:07:18", "match": true , "host": "192.168.8.100" } +Jul 18 16:07:18 ares perdition.imaps[3194]: Auth: 192.168.8.100:2274->193.48.191.9:993 client-secure=ssl authorisation_id=NONE authentication_id="carles" server="imap.biotoul.fr:993" protocol=IMAP4S server-secure=ssl status="failed: Re-Authentication Failure" +# failJSON: { "time": "2013-07-18T16:08:58", "match": true , "host": "192.168.8.100" } +Jul 18 16:08:58 ares perdition.imaps[3194]: Fatal Error reading authentication information from client 192.168.8.100:2274->193.48.191.9:993: Exiting child From eea5b071e61ba5cd5f4943100dc4bc0a278cf358 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Fri, 19 Jul 2013 20:27:15 +1000 Subject: [PATCH 2/7] ENH: jail for perdition --- config/jail.conf | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/config/jail.conf b/config/jail.conf index e3b92038..735f028c 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -419,3 +419,10 @@ enabled = false filter = exim-spam action = iptables-multiport[name=exim-spam,port="25,465,587"] logpath = /var/log/exim/mainlog + +[perdition] +enabled = false +filter = perdition +action = iptables-multiport[name=perdition="110,143,993,995"] +logpath = /var/log/maillog + From 6fdfd8d356838512bf8582b8bc2cff0cfb5fade9 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Sat, 20 Jul 2013 15:09:25 +1000 Subject: [PATCH 3/7] BF: fix port --- config/jail.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/jail.conf b/config/jail.conf index 735f028c..07f9cacc 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -423,6 +423,6 @@ logpath = /var/log/exim/mainlog [perdition] enabled = false filter = perdition -action = iptables-multiport[name=perdition="110,143,993,995"] +action = iptables-multiport[name=perdition,port="110,143,993,995"] logpath = /var/log/maillog From bdcde678d199a360f39e03fa27719fc0fa68fbc6 Mon Sep 17 00:00:00 2001 
From: Daniel Black Date: Sat, 20 Jul 2013 15:15:02 +1000 Subject: [PATCH 4/7] TST: fix year --- testcases/files/logs/perdition | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/testcases/files/logs/perdition b/testcases/files/logs/perdition index 2304e372..24848e6f 100644 --- a/testcases/files/logs/perdition +++ b/testcases/files/logs/perdition @@ -1,4 +1,4 @@ -# failJSON: { "time": "2013-07-18T16:07:18", "match": true , "host": "192.168.8.100" } +# failJSON: { "time": "2005-07-18T16:07:18", "match": true , "host": "192.168.8.100" } Jul 18 16:07:18 ares perdition.imaps[3194]: Auth: 192.168.8.100:2274->193.48.191.9:993 client-secure=ssl authorisation_id=NONE authentication_id="carles" server="imap.biotoul.fr:993" protocol=IMAP4S server-secure=ssl status="failed: Re-Authentication Failure" -# failJSON: { "time": "2013-07-18T16:08:58", "match": true , "host": "192.168.8.100" } +# failJSON: { "time": "2005-07-18T16:08:58", "match": true , "host": "192.168.8.100" } Jul 18 16:08:58 ares perdition.imaps[3194]: Fatal Error reading authentication information from client 192.168.8.100:2274->193.48.191.9:993: Exiting child From abc41460799fb10b710b2684c0408240ef90d1ec Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Wed, 24 Jul 2013 10:27:12 +1000 Subject: [PATCH 5/7] ENH: perdition proxies other types hence daemon can include (perdidtion.(imap|pop)s?|managesieve). Also support local authentication resulting in the log message: local authentication failure --- config/filter.d/perdition.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/filter.d/perdition.conf b/config/filter.d/perdition.conf index e7cb0f7d..41980cb1 100644 --- a/config/filter.d/perdition.conf +++ b/config/filter.d/perdition.conf 
@@ -10,7 +10,7 @@ before = common.conf [Definition] -_daemon=perdition.imaps +_daemon=perdition.\S+ -failregex = ^%(__prefix_line)sAuth: :\d+->(\d{1,3}\.){3}\d{1,3}:\d+ client-secure=\S+ authorisation_id=NONE authentication_id="\S+" server="\S+" protocol=\S+ server-secure=\S+ status="failed: Re-Authentication Failure"$ +failregex = ^%(__prefix_line)sAuth: :\d+->(\d{1,3}\.){3}\d{1,3}:\d+ client-secure=\S+ authorisation_id=NONE authentication_id="\S+" server="\S+" protocol=\S+ server-secure=\S+ status="failed: (local authentication failure|Re-Authentication Failure)"$ ^%(__prefix_line)sFatal Error reading authentication information from client :\d+->(\d{1,3}\.){3}\d{1,3}:\d+: Exiting child$ From 7d7ef081457f7c55137e18f3235b3c36c356ee3b Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Wed, 24 Jul 2013 10:44:52 +1000 Subject: [PATCH 6/7] ENH: authentication_id can be an imap4 quoted string, whatever that is, so using .+ as its id --- config/filter.d/perdition.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/perdition.conf b/config/filter.d/perdition.conf index 41980cb1..7fdca14b 100644 --- a/config/filter.d/perdition.conf +++ b/config/filter.d/perdition.conf @@ -12,5 +12,5 @@ before = common.conf _daemon=perdition.\S+ -failregex = ^%(__prefix_line)sAuth: :\d+->(\d{1,3}\.){3}\d{1,3}:\d+ client-secure=\S+ authorisation_id=NONE authentication_id="\S+" server="\S+" protocol=\S+ server-secure=\S+ status="failed: (local authentication failure|Re-Authentication Failure)"$ +failregex = ^%(__prefix_line)sAuth: :\d+->(\d{1,3}\.){3}\d{1,3}:\d+ client-secure=\S+ authorisation_id=NONE authentication_id=".+" server="\S+" protocol=\S+ server-secure=\S+ status="failed: (local authentication failure|Re-Authentication Failure)"$ ^%(__prefix_line)sFatal Error reading authentication information from client :\d+->(\d{1,3}\.){3}\d{1,3}:\d+: Exiting child$ From 8f532f9148a79a4caea77275660aa7fe18e3d14e Mon Sep 17 00:00:00 2001 
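Review bot: `_daemon=perdition.\S+` leaves the dot unescaped, so it matches any character, and `\S+` accepts every suffix rather than the `(imap|pop)s?|managesieve` set the subject describes; something like `_daemon = perdition\.(?:(?:imap|pop)s?|managesieve)` (or at least `perdition\.\S+`) keeps the intent visible in the file. If managesieve sessions now feed this filter, the jail added earlier in this series bans only ports `110,143,993,995`, so a ban triggered by a managesieve failure would not block the managesieve listener itself unless its port is added there. A comment above failregex listing the perdition messages covered by `(local authentication failure|Re-Authentication Failure)` would make future additions easier.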
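Review bot: `authentication_id=".+"` lets the client-supplied id consume the rest of the line, so the closing quote and the `server=`/`protocol=`/`server-secure=` fields no longer constrain the match; the `$`-anchored status still prevents a successful login from being reported as a failure, but a bounded pattern that admits an IMAP quoted string, `authentication_id="(?:[^"\\]|\\.)*"`, is safer and avoids backtracking across the whole tail. The reason for the change belongs in the file rather than only the commit message, e.g. `# authentication_id is an IMAP quoted string and may contain escaped quotes` above failregex.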
From: Daniel Black Date: Wed, 24 Jul 2013 11:29:58 +1000 Subject: [PATCH 7/7] NIT: space remove --- config/jail.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/jail.conf b/config/jail.conf index 07f9cacc..8d086da4 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -424,5 +424,5 @@ logpath = /var/log/exim/mainlog enabled = false filter = perdition action = iptables-multiport[name=perdition,port="110,143,993,995"] -logpath = /var/log/maillog +logpath = /var/log/maillog