diff --git a/config/filter.d/courier-smtp.conf b/config/filter.d/courier-smtp.conf index 7df385bf..fc0afc26 100644 --- a/config/filter.d/courier-smtp.conf +++ b/config/filter.d/courier-smtp.conf @@ -13,7 +13,7 @@ before = common.conf _daemon = courieresmtpd failregex = ^%(__prefix_line)serror,relay=,.*: 550 User (<.*> )?unknown\.?$ - ^%(__prefix_line)serror,relay=,msg="535 Authentication failed\.",cmd:( AUTH \S+)?( [0-9a-zA-Z\+/=]+)?$ + ^%(__prefix_line)serror,relay=,msg="535 Authentication failed\.",cmd:( AUTH \S+)?( [0-9a-zA-Z\+/=]+)?(?: \S+)$ ignoreregex = diff --git a/config/jail.conf b/config/jail.conf index 36c4eecb..a65c7a46 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -94,6 +94,7 @@ backend = auto # but it will be logged as a warning. # no: if a hostname is encountered, will not be used for banning, # but it will be logged as info. +# raw: use raw value (no hostname), allow use it for no-host filters/actions (example user) usedns = warn # "logencoding" specifies the encoding of the log files handled by the jail diff --git a/fail2ban/client/fail2banregex.py b/fail2ban/client/fail2banregex.py index e2222792..aa55a0ff 100644 --- a/fail2ban/client/fail2banregex.py +++ b/fail2ban/client/fail2banregex.py @@ -125,6 +125,8 @@ Report bugs to https://github.com/fail2ban/fail2ban/issues help="set custom pattern used to match date/times"), Option("-e", "--encoding", help="File encoding. Default: system locale"), + Option("-r", "--raw", action='store_true', + help="Raw hosts, don't resolve dns"), Option("-L", "--maxlines", type=int, default=0, help="maxlines for multi-line regex"), Option("-m", "--journalmatch", @@ -238,6 +240,7 @@ class Fail2banRegex(object): self.encoding = opts.encoding else: self.encoding = locale.getpreferredencoding() + self.raw = True if opts.raw else False def decode_line(self, line): return FileContainer.decode_line('', self.encoding, line) 
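Review bot: The new trailing group `(?: \S+)$` is mandatory, so a 535 line that ends right after `cmd:` — a form the old `$`-anchored pattern accepted — no longer matches, and a line ending in the base64 blob alone still matches only because the engine backtracks the optional group before it. If the intent is to additionally accept a trailing user token rather than require something after `cmd:`, make the group optional: `cmd:( AUTH \S+)?( [0-9a-zA-Z\+/=]+)?(?: \S+)?$`. Either way a comment above the line naming the log forms it covers (with and without the `courieresmtpd[PID]` prefix, with a trailing user name) would help the next person touching it; the fixture line added in this diff is currently the only record of that. Keeping the `$` anchor matters here, since `\S+` will otherwise swallow an attacker-chosen user string of any shape.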
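Review bot: The wording of the added `raw` line is hard to parse and leaves out the consequence a user should know before enabling it: the value captured by `<HOST>` is used as-is, with no DNS lookup and, as far as the filter.py hunk in this diff shows, no validation that it is an address, so it is only appropriate for actions that do not treat the value as a host. Suggested text: `# raw: use the matched value as-is (no DNS lookup, no address check); for filters/actions that do not ban by host, e.g. ones matching a user name`. The rest of the `usedns` help block starts outside the hunk.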
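Review bot: `self.raw = True if opts.raw else False` is a long way to spell `self.raw = bool(opts.raw)`, which also covers the `None` optparse yields for a `store_true` option that has no `default` and was not given. A one-line comment on the attribute would help readers of the `processLine` call further down, e.g. `# --raw: hand the matched <HOST> token to the filter unresolved (returnRawHost)`. The `__init__` this assignment sits in starts outside the hunk.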
@@ -341,7 +344,7 @@ class Fail2banRegex(object): orgLineBuffer = self._filter._Filter__lineBuffer fullBuffer = len(orgLineBuffer) >= self._filter.getMaxLines() try: - line, ret = self._filter.processLine(line, date, checkAllRegex=True) + line, ret = self._filter.processLine(line, date, checkAllRegex=True, returnRawHost=self.raw) for match in ret: # Append True/False flag depending if line was matched by # more than one regex diff --git a/fail2ban/server/filter.py b/fail2ban/server/filter.py index 59d2e0d7..c1cd2d09 100644 --- a/fail2ban/server/filter.py +++ b/fail2ban/server/filter.py @@ -171,7 +171,7 @@ class Filter(JailThread): if isinstance(value, bool): value = {True: 'yes', False: 'no'}[value] value = value.lower() # must be a string by now - if not (value in ('yes', 'no', 'warn')): + if not (value in ('yes', 'warn', 'no', 'raw')): logSys.error("Incorrect value %r specified for usedns. " "Using safe 'no'" % (value,)) value = 'no' @@ -520,7 +520,7 @@ class Filter(JailThread): self.__lineBuffer = failRegex.getUnmatchedTupleLines() try: host = failRegex.getHost() - if returnRawHost: + if returnRawHost or self.__useDns == "raw": failList.append([failRegexIndex, IPAddr(host), date, failRegex.getMatchedLines()]) if not checkAllRegex: diff --git a/fail2ban/tests/fail2banregextestcase.py b/fail2ban/tests/fail2banregextestcase.py index 49d6a3a6..3321ffd8 100644 --- a/fail2ban/tests/fail2banregextestcase.py +++ b/fail2ban/tests/fail2banregextestcase.py 
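Review bot: `if not (value in ('yes', 'warn', 'no', 'raw')):` reads more naturally as `if value not in ('yes', 'warn', 'no', 'raw'):`, and since that tuple is now the single list of accepted `usedns` values it deserves a comment, e.g. `# accepted usedns values; 'raw' skips DNS entirely and passes the matched token through unchanged`. The setter this check lives in starts and ends outside the hunk.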
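Review bot: With `usedns = raw` the string captured by the filter's `<HOST>` group — log content an attacker controls, such as the user name in the courier-smtp line added by this diff — goes straight into `IPAddr(host)` and onto the fail list without any visible validation, and from there to the jail's actions. Any action that builds a command from that value (the usual firewall actions do) is then fed raw attacker-chosen text, so at minimum this branch should carry a comment saying so, and a conservative guard before the append would be safer, e.g. only append when `re.match(r'^[\w.:@-]+$', host)` holds and otherwise log a warning and skip the entry. I am assuming `IPAddr` keeps a non-address string rather than rejecting it; that class is not in the diff. The enclosing `try` and the `else` branch that performs the resolution are outside the hunk.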
@@ -132,6 +132,15 @@ class Fail2banRegexTest(LogCaptureTestCase): self.assertLogged('Dez 31 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 193.168.0.128') self.assertLogged('Dec 31 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 87.142.124.10') + def testDirectRE_1raw(self): + (opts, args, fail2banRegex) = _Fail2banRegex( + "--print-all-matched", "--raw", + Fail2banRegexTest.FILENAME_01, + Fail2banRegexTest.RE_00 + ) + self.assertTrue(fail2banRegex.start(opts, args)) + self.assertLogged('Lines: 19 lines, 0 ignored, 16 matched, 3 missed') + def testDirectRE_2(self): (opts, args, fail2banRegex) = _Fail2banRegex( "--print-all-matched", diff --git a/fail2ban/tests/files/logs/courier-smtp b/fail2ban/tests/files/logs/courier-smtp index 7beaf856..ab99d322 100644 --- a/fail2ban/tests/files/logs/courier-smtp +++ b/fail2ban/tests/files/logs/courier-smtp @@ -10,3 +10,5 @@ Jul 6 03:42:28 whistler courieresmtpd: error,relay=::ffff:1.2.3.4,from=<>,to=,to=<>: 550 User unknown. # failJSON: { "time": "2004-08-14T12:51:04", "match": true , "host": "1.2.3.4" } Aug 14 12:51:04 HOSTNAME courieresmtpd: error,relay=::ffff:1.2.3.4,from=,to=: 550 User unknown. +# failJSON: { "time": "2004-08-14T12:51:04", "match": true , "host": "1.2.3.4" } +Aug 14 12:51:04 mail.server courieresmtpd[26762]: error,relay=::ffff:1.2.3.4,msg="535 Authentication failed.",cmd: AUTH PLAIN AAAAABBBBCCCCWxlZA== admin
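Review bot: `testDirectRE_1raw` only checks the summary line `Lines: 19 lines, 0 ignored, 16 matched, 3 missed`, and a fixture whose hosts are plain IPs — which `FILENAME_01` appears to be, judging by the addresses asserted just above — produces that line identically without `--raw`, so the test does not show that the raw path was taken. A fixture or regex whose `<HOST>` capture is a non-address token (a user name, as in the courier-smtp sample added in this diff) together with an assertion on the logged raw value would actually pin the behaviour. The `testDirectRE_1` above and `testDirectRE_2` below start and end outside the hunk.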
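Review bot: The new fixture line covers only the form with a trailing user token, which is what the tightened regex was written for; the forms the old pattern matched — `cmd: AUTH LOGIN` followed by the base64 blob alone, or nothing after `cmd:` — are not exercised here, so a regression from the now-mandatory trailing group would go unnoticed unless such lines already exist in the part of the file above this hunk. Adding one of each with its own `failJSON` entry would pin both. This is also the first sample with a `courieresmtpd[26762]` PID suffix, unlike the `whistler`/`HOSTNAME` lines above it, which is worth a short note so the variation is not lost if the line is ever edited.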