Merge pull request #302 from grooverdan/perdition

ENH: new filter perdition.conf
2013-07-23 18:31:27 -07:00 · 2013-07-23 18:31:27 -07:00 · 2d52fc3d18
parent a012b54117 8f532f9148
commit 2d52fc3d18
5 changed files with 30 additions and 0 deletions
--- a/2
+++ b/2
@ -36,6 +36,8 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
  Daniel Black
   * filter.d/exim-spam.conf -- a splitout of exim's spam regexes
     with additions for greater control over filtering spam.
+  Christophe Carles & Daniel Black
+   * filter.d/perdition.conf -- filter added
 - Enhancements:
  Daniel Black
   * filter.d/{asterisk,assp,dovecot,proftpd}.conf -- regex hardening
--- a/1
+++ b/1
@ -11,6 +11,7 @@ Axel Thimm
 Bill Heaton
 Carlos Alberto Lopez Perez
 Christian Rauch
+Christophe Carles
 Christoph Haas
 Christos Psonis
 Daniel B. Cid
--- a/config/filter.d/perdition.conf
+++ b/config/filter.d/perdition.conf
@ -0,0 +1,16 @@
+# Fail2Ban configuration file
+#
+# Author: Christophe Carles and Daniel Black
+#
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon=perdition.\S+
+
+failregex = ^%(__prefix_line)sAuth: <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+ client-secure=\S+ authorisation_id=NONE authentication_id=".+" server="\S+" protocol=\S+ server-secure=\S+ status="failed: (local authentication failure|Re-Authentication Failure)"$
+            ^%(__prefix_line)sFatal Error reading authentication information from client <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+: Exiting child$
--- a/config/jail.conf
+++ b/config/jail.conf
@ -419,3 +419,10 @@ enabled = false
 filter = exim-spam
 action = iptables-multiport[name=exim-spam,port="25,465,587"]
 logpath = /var/log/exim/mainlog
+
+[perdition]
+enabled = false
+filter = perdition
+action = iptables-multiport[name=perdition,port="110,143,993,995"]
+logpath = /var/log/maillog
+
--- a/testcases/files/logs/perdition
+++ b/testcases/files/logs/perdition
@ -0,0 +1,4 @@
+# failJSON: { "time": "2005-07-18T16:07:18", "match": true , "host": "192.168.8.100" }
+Jul 18 16:07:18 ares perdition.imaps[3194]: Auth: 192.168.8.100:2274->193.48.191.9:993 client-secure=ssl authorisation_id=NONE authentication_id="carles" server="imap.biotoul.fr:993" protocol=IMAP4S server-secure=ssl status="failed: Re-Authentication Failure"
+# failJSON: { "time": "2005-07-18T16:08:58", "match": true , "host": "192.168.8.100" }
+Jul 18 16:08:58 ares perdition.imaps[3194]: Fatal Error reading authentication information from client 192.168.8.100:2274->193.48.191.9:993: Exiting child