From 8f4142226291d12500a494eb88bb7a069101005d Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Tue, 17 Sep 2013 10:09:19 +1000
Subject: [PATCH 1/4] TST: domains need to exist for fail2ban-regex to work
---
 testcases/files/logs/pam-generic | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/testcases/files/logs/pam-generic b/testcases/files/logs/pam-generic
index dc7efeee..a7d1def8 100644
--- a/testcases/files/logs/pam-generic
+++ b/testcases/files/logs/pam-generic
@@ -9,6 +9,6 @@ May 15 18:02:12 localhost proftpd: (pam_unix) authentication failure; logname= u
 # failJSON: { "time": "2004-11-25T17:12:13", "match": true , "host": "192.168.10.3" }
 Nov 25 17:12:13 webmail pop(pam_unix)[4920]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.10.3 user=mailuser
 # failJSON: { "time": "2005-07-19T18:11:26", "match": true , "host": "www3.google.com" }
-Jul 19 18:11:26 srv2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www3.google.com
+Jul 19 18:11:26 srv2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www.google.com
 # failJSON: { "time": "2005-07-19T18:11:26", "match": true , "host": "www3.google.com" }
-Jul 19 18:11:26 srv2 vsftpd: pam_unix: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www3.google.com
+Jul 19 18:11:26 srv2 vsftpd: pam_unix: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www.google.com
From 7e756dfadaad7a8d93ce1105f999b4a1bfea07df Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Tue, 17 Sep 2013 10:48:09 +1000
Subject: [PATCH 2/4] TST: correct failJSON for www3.google.com -> www.google.com changes. Disable test case for pre-0.99.2.0 version of linux-pam failure messages
---
 testcases/files/logs/pam-generic | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/testcases/files/logs/pam-generic b/testcases/files/logs/pam-generic
index a7d1def8..c6312a9b 100644
--- a/testcases/files/logs/pam-generic
+++ b/testcases/files/logs/pam-generic
@@ -6,9 +6,12 @@ May 12 09:47:54 vaio sshd[16004]: (pam_unix) authentication failure; logname= ui
 May 12 09:48:03 vaio sshd[16021]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71-13-115-12.static.mdsn.wi.charter.com
 # failJSON: { "time": "2005-05-15T18:02:12", "match": true , "host": "66.232.129.62" }
 May 15 18:02:12 localhost proftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=66.232.129.62 user=mark
-# failJSON: { "time": "2004-11-25T17:12:13", "match": true , "host": "192.168.10.3" }
-Nov 25 17:12:13 webmail pop(pam_unix)[4920]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.10.3 user=mailuser
-# failJSON: { "time": "2005-07-19T18:11:26", "match": true , "host": "www3.google.com" }
+
+# linux-pam messages before commit f0f9c4479303b5a9c37667cf07f58426dc081676 (release 0.99.2.0 )
+# disable_failJSON: { "time": "2004-11-25T17:12:13", "match": true , "host": "192.168.10.3" }
+# Nov 25 17:12:13 webmail pop(pam_unix)[4920]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.10.3 user=mailuser
+
+# failJSON: { "time": "2005-07-19T18:11:26", "match": true , "host": "www.google.com" }
 Jul 19 18:11:26 srv2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www.google.com
-# failJSON: { "time": "2005-07-19T18:11:26", "match": true , "host": "www3.google.com" }
+# failJSON: { "time": "2005-07-19T18:11:26", "match": true , "host": "www.google.com" }
 Jul 19 18:11:26 srv2 vsftpd: pam_unix: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www.google.com
From 30bb1a77a3d0214cb941cd65df7c8c520d5f46d8 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Tue, 17 Sep 2013 10:50:46 +1000
Subject: [PATCH 3/4] ENH: added syslog prefix to pam-generic filter. Disable regex match for pre 2006 (< 0.99.2.0) versions on linux-pam
---
 ChangeLog | 2 ++
 config/filter.d/pam-generic.conf | 15 ++++++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 2001158b..c4d4afcc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -68,6 +68,8 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests and extra failure examples in sample logs * filter.d/apache-auth - added expressions for mod_authz, mod_auth and mod_auth_digest failures.
+ * filter.d/pam-generic - added syslog prefix. Disabled support for
+ linux-pam before version 0.99.2.0 (2005)
 Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий * filter.d/exim.conf -- regex hardening and extra failure examples in sample logs
diff --git a/config/filter.d/pam-generic.conf b/config/filter.d/pam-generic.conf
index eaeb122f..15aadf3e 100644
--- a/config/filter.d/pam-generic.conf
+++ b/config/filter.d/pam-generic.conf
@@ -3,6 +3,9 @@
 # Author: Yaroslav Halchenko
 #
 #
+[INCLUDES]
+
+before = common.conf
 [Definition]
@@ -11,17 +14,19 @@
 # To catch all failed logins
 _ttys_re=\S*
-#
-# Shortcuts for easier comprehension of the failregex
-__pid_re=(?:\[\d+\])
 __pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
-__pam_combs_re=(?:%(__pid_re)s?:\s+%(__pam_re)s|%(__pam_re)s%(__pid_re)s?:)
+_daemon = \S+
 # Option: failregex
 # Notes.: regex to match the password failures messages in the logfile.
 # Values: TEXT
 #
-failregex = \s\S+ \S+%(__pam_combs_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=(?:\s+user=.*)?\s*$
+failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=(?:\s+user=.*)?\s*$
+
+# for linux-pam before 0.99.2.0 (late 2005)
+# _daemon = \S*\(?pam_unix\)?
+# failregex = ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=(?:\s+user=.*)?\s*$
+
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
From ad5fb81f4b081088ceeeabcdbd9119eec062f32e Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Tue, 17 Sep 2013 21:18:24 +1000
Subject: [PATCH 4/4] TST: failJSON set match to false on longer supported pam version
---
 testcases/files/logs/pam-generic | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/testcases/files/logs/pam-generic b/testcases/files/logs/pam-generic
index c6312a9b..e562ac7f 100644
--- a/testcases/files/logs/pam-generic
+++ b/testcases/files/logs/pam-generic
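Review bot: The new `failregex` line still ends in `(?:\s+user=.*)?\s*$`, so everything after the `rhost=` field up to end of line is accepted unconditionally, even though `ruser=` and `user=` hold names supplied by the authenticating client; a bounded tail such as `(?:\s+user=\S*)?\s*$` keeps the match anchored to the logged fields, unless usernames containing whitespace must stay supported, in which case a comment stating that trade-off would help. As rendered here both the removed and the new pattern read `rhost=(?:`, with no capture between `rhost=` and the optional `user=` part; presumably the `<HOST>` tag was stripped when this page was rendered, but please confirm it is present in the committed file, since the filter extracts no address without it. The added `_daemon = \S+` replaces the removed shortcut comments with nothing explaining it; a line such as `# any syslog program name may log pam_unix failures; host/pid prefix comes from common.conf` would help the next reader (I take `__prefix_line` and `_daemon` to be defined and consumed in common.conf via the [INCLUDES] hunk, which is not visible here, so please verify).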
@@ -7,9 +7,9 @@ May 12 09:48:03 vaio sshd[16021]: (pam_unix) authentication failure; logname= ui
 # failJSON: { "time": "2005-05-15T18:02:12", "match": true , "host": "66.232.129.62" }
 May 15 18:02:12 localhost proftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=66.232.129.62 user=mark
-# linux-pam messages before commit f0f9c4479303b5a9c37667cf07f58426dc081676 (release 0.99.2.0 )
-# disable_failJSON: { "time": "2004-11-25T17:12:13", "match": true , "host": "192.168.10.3" }
-# Nov 25 17:12:13 webmail pop(pam_unix)[4920]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.10.3 user=mailuser
+# linux-pam messages before commit f0f9c4479303b5a9c37667cf07f58426dc081676 (release 0.99.2.0 ) - nolonger supported
+# failJSON: { "time": "2004-11-25T17:12:13", "match": false }
+Nov 25 17:12:13 webmail pop(pam_unix)[4920]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.10.3 user=mailuser
 # failJSON: { "time": "2005-07-19T18:11:26", "match": true , "host": "www.google.com" }
 Jul 19 18:11:26 srv2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www.google.com
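Review bot: The added comment on the `# linux-pam messages before commit …` line has a wording slip, `nolonger supported`, and now that the `Nov 25` sample is a `"match": false` negative case it should also say why the line is expected not to match, e.g. `# linux-pam messages before commit f0f9c4479303b5a9c37667cf07f58426dc081676 (release 0.99.2.0 ) - no longer supported by the filter; see the commented-out variant in config/filter.d/pam-generic.conf`. Dropping `"host"` from the failJSON is consistent with a non-match, so only the comment needs attention; the negative case is useful because it pins the accepted detection gap for pre-0.99.2.0 message formats in the test suite.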