diff --git a/ChangeLog b/ChangeLog index 948cfcd6..c4a76979 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17,6 +17,7 @@ ver. 0.8.13 (2014/XX/XXX) - maintenance-only-from-now-on - New Features: - filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa) + - filter sendmail-{auth,spam} (jserrachinha and cepheid666). - Enhancements: - filter pureftpd - added all translations of "Authentication failed for diff --git a/MANIFEST b/MANIFEST index 9f2e5932..5d569e69 100644 --- a/MANIFEST +++ b/MANIFEST @@ -172,6 +172,8 @@ config/filter.d/qmail.conf config/filter.d/pam-generic.conf config/filter.d/php-url-fopen.conf config/filter.d/postfix-sasl.conf +config/filter.d/sendmail-auth.conf +config/filter.d/sendmail-spam.conf config/filter.d/sieve.conf config/filter.d/solid-pop3d.conf config/filter.d/squid.conf diff --git a/THANKS b/THANKS index c3ff109c..f7b77725 100644 --- a/THANKS +++ b/THANKS @@ -21,6 +21,7 @@ Bas van den Dikkenberg Beau Raines Bill Heaton Carlos Alberto Lopez Perez +cepheid666 Christian Rauch Christophe Carles Christoph Haas @@ -49,6 +50,7 @@ Jonathan Lanning Jonathan Underwood Joël Bertrand JP Espinosa +jserrachinha Justin Shore Kévin Drapel kjohnsonecl diff --git a/config/filter.d/sendmail-auth.conf b/config/filter.d/sendmail-auth.conf new file mode 100644 index 00000000..138fbb85 --- /dev/null +++ b/config/filter.d/sendmail-auth.conf @@ -0,0 +1,18 @@ +# Fail2Ban filter for sendmail authentication failures +# + +[INCLUDES] + +before = common.conf + +[Definition] + +_daemon = (?:sm-(mta|acceptingconnections)) + +failregex = ^%(__prefix_line)s\w{14}: (\S+ )?\[\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$ + +ignoreregex = + +# DEV Notes: +# +# Author: Daniel Black diff --git a/config/filter.d/sendmail-spam.conf b/config/filter.d/sendmail-spam.conf new file mode 100644 index 00000000..1f316f78 --- /dev/null +++ b/config/filter.d/sendmail-spam.conf @@ -0,0 +1,33 @@ +# Fail2Ban filter for sendmail spam/relay type failures +# +# Some of the below failregex will only work properly, when the following +# options are set in the .mc file (see your Sendmail documentation on how +# to modify it and generate the corresponding .cf file): +# +# FEATURE(`delay_checks') +# FEATURE(`greet_pause', `500') +# FEATURE(`ratecontrol', `nodelay', `terminate') +# FEATURE(`conncontrol', `nodelay', `terminate') +# +# ratecontrol and conncontrol also need corresponding options ClientRate: +# and ClientConn: in the access file, see documentation for ratecontrol and +# conncontrol in the sendmail/cf/README file. + +[INCLUDES] + +before = common.conf + +[Definition] + +_daemon = (?:sm-(mta|acceptingconnections)) + +failregex = ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=(?P(<\S+@\S+>)?), relay=(\S+ )?\[\]( \(may be forged\))?, reject=550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.)$ + ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=, relay=(\S+ )?\[\]( \(may be forged\))?, reject=(553 5\.1\.8 \.\.\. Domain of sender address \S+ does not exist|550 5\.7\.1 \.\.\. Rejected: (\d+\.){3}\d+\ listed at \S+)$ + ^%(__prefix_line)sruleset=check_relay, arg1=(?P\S+), arg2=, relay=(?P=dom) \[(\d+\.){3}\d+\]( \(may be forged\))?, reject=421 4\.3\.2 Connection rate limit exceeded\.$ + + +ignoreregex = + +# DEV Notes: +# +# Author: Daniel Black and Fabian Wenk diff --git a/testcases/files/logs/sendmail-auth b/testcases/files/logs/sendmail-auth new file mode 100644 index 00000000..7cc18c70 --- /dev/null +++ b/testcases/files/logs/sendmail-auth @@ -0,0 +1,12 @@ + +# failJSON: { "time": "2005-02-16T23:33:20", "match": true , "host": "190.5.230.178" } +Feb 16 23:33:20 smtp1 sm-mta[5133]: s1GNXHYB005133: [190.5.230.178]: possible SMTP attack: command=AUTH, count=5 + +# failJSON: { "time": "2005-02-16T23:40:36", "match": true , "host": "75.176.164.191" } +Feb 16 23:40:36 smtp1 sm-mta[5178]: s1GNeNqe005178: cpe-075-176-164-191.sc.res.rr.com [75.176.164.191]: possible SMTP attack: command=AUTH, count=5 + +# failJSON: { "time": "2005-02-24T12:10:15", "match": true , "host": "211.75.6.133" } +Feb 24 12:10:15 kismet sm-acceptingconnections[32053]: s1OHA28u032053: 211-75-6-133.HINET-IP.hinet.net [211.75.6.133]: possible SMTP attack: command=AUTH, count=6 + +# failJSON: { "time": "2005-02-24T13:00:17", "match": true , "host": "95.70.241.192" } +Feb 24 13:00:17 kismet sm-acceptingconnections[1499]: s1OHxxSn001499: 192.241.70.95.dsl.static.turk.net [95.70.241.192] (may be forged): possible SMTP attack: command=AUTH, count=6 diff --git a/testcases/files/logs/sendmail-spam b/testcases/files/logs/sendmail-spam new file mode 100644 index 00000000..14413482 --- /dev/null +++ b/testcases/files/logs/sendmail-spam @@ -0,0 +1,24 @@ +# failJSON: { "time": "2005-02-25T03:01:10", "match": true , "host": "128.68.136.133" } +Feb 25 03:01:10 kismet sm-acceptingconnections[27713]: s1P819mk027713: ruleset=check_rcpt, arg1=, relay=128-68-136-133.broadband.corbina.ru [128.68.136.133], reject=550 5.7.1 ... Relaying denied. Proper authentication required. + +# failJSON: { "time": "2005-02-23T21:36:14", "match": true , "host": "80.253.155.119" } +Feb 23 21:36:14 petermurray sm-mta[22248]: s1NLaDQT022248: ruleset=check_rcpt, arg1=, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 ... Relaying denied. IP name possibly forged [80.253.155.119] + +# failJSON: { "time": "2005-02-24T07:33:59", "match": true , "host": "118.161.66.57" } +Feb 24 07:33:59 petermurray sm-mta[21134]: s1O7XtZJ021134: ruleset=check_rcpt, arg1=, relay=118-161-66-57.dynamic.hinet.net [118.161.66.57], reject=550 5.7.1 ... Relaying denied. Proper authentication required. + +# failJSON: { "time": "2005-02-23T07:57:28", "match": true , "host": "2.180.185.27" } +Feb 23 07:57:28 petermurray sm-mta[6519]: s1N7vR47006519: ruleset=check_rcpt, arg1=, relay=[2.180.185.27], reject=553 5.1.8 ... Domain of sender address camila.pinto@andrewweitzman.com does not exist + +# failJSON: { "time": "2005-02-23T14:13:08", "match": true , "host": "85.60.238.161" } +Feb 23 14:13:08 petermurray sm-mta[17126]: s1NED81M017126: ruleset=check_rcpt, arg1=, relay=161.pool85-60-238.dynamic.orange.es [85.60.238.161], reject=553 5.1.8 ... Domain of sender address anabelaalvesd@dsldevice.lan does not exist + +# failJSON: { "time": "2005-02-24T05:07:40", "match": true , "host": "202.53.73.138" } +Feb 24 05:07:40 petermurray sm-mta[716]: s1O57c6H000716: ruleset=check_rcpt, arg1=, relay=202.53.73.138.nettlinx.com [202.53.73.138] (may be forged), reject=553 5.1.8 ... Domain of sender address root@srv.montserv.com does not exist + +# failJSON: { "time": "2005-02-23T07:00:08", "match": true , "host": "151.232.63.226" } +Feb 23 07:00:08 petermurray sm-mta[3992]: s1N706jo003992: ruleset=check_rcpt, arg1=, relay=[151.232.63.226], reject=550 5.7.1 ... Rejected: 151.232.63.226 listed at sbl-xbl.spamhaus.org + +# failJSON: { "time": "2005-02-24T01:46:44", "match": true , "host": "217.21.54.82" } +Feb 24 01:46:44 petermurray sm-mta[24422]: ruleset=check_relay, arg1=leased-line-54-82.telecom.by, arg2=217.21.54.82, relay=leased-line-54-82.telecom.by [217.21.54.82], reject=421 4.3.2 Connection rate limit exceeded. +