Merge pull request #438 from grooverdan/solid-pop3d

ENH: filter for Solid-pop3d
pull/444/head
Yaroslav Halchenko 2013-11-17 17:34:46 -08:00
commit 491165c929
5 changed files with 69 additions and 0 deletions


@ -17,6 +17,9 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better
- New Features: - New Features:
Daniel Black
* filter.d/solid-pop3d -- added thanks to Jacques Lav!gnotte on mailinglist.
- Enhancements: - Enhancements:

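--- a/THANKS
+++ b/THANKS
@@ -33,6 +33,7 @@ Georgiy Mernov
 Guillaume Delvit
 Hanno 'Rince' Wagner
 Iain Lea
+Jacques Lav!gnotte
 Jonathan Kamens
 Jonathan Lanning
 Jonathan Underwood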


@ -0,0 +1,32 @@
# Fail2Ban filter for unsuccesful solid-pop3 authentication attempts
#
# Doesn't currently provide PAM support as PAM log messages don't include rhost as
# remote IP.
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = solid-pop3d
failregex = ^%(__prefix_line)sauthentication failed: (no such user|can't map user name): .*? - <HOST>$
^%(__prefix_line)s(APOP )?authentication failed for (mapped )?user .*? - <HOST>$
^%(__prefix_line)sroot login not allowed - <HOST>$
^%(__prefix_line)scan't find APOP secret for user .*? - <HOST>$
ignoreregex =
# DEV Notes:
#
# solid-pop3d needs to be compiled with --enable-logextend to support
# IP addresses in log messages.
#
# solid-pop3d-0.15/src/main.c contains all authentication errors
# except for PAM authentication messages ( src/authenticate.c )
#
# A pam authentication failure message (note no IP for rhost).
# Nov 17 23:17:50 emf1pt2-2-35-70 solid-pop3d[17176]: pam_unix(solid-pop3d:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=jacques
#
# Authors: Daniel Black
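Review bot: The header comment on the first line of the new filter misspells "unsuccessful" (`unsuccesful`); suggest `# Fail2Ban filter for unsuccessful solid-pop3d authentication attempts`. The alternation and optional groups in the first two failregex lines are capturing (`(no such user|can't map user name)`, `(APOP )?`, `(mapped )?`) although only the `<HOST>` group is consumed, so `(?:...)` would make that intent explicit. The trailing `$` on every failregex line is load-bearing: the user name field is client-supplied and the lazy `.*?` only yields the daemon-appended address as `<HOST>` because the pattern is anchored to end of line, so it deserves a DEV note such as `# Keep the $ anchors: the user field is client-supplied; .*? only resolves <HOST> correctly when anchored to end of line.`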


@ -518,6 +518,14 @@ action = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,subm
logpath = /var/log/secure logpath = /var/log/secure
[solid-pop3d]
enabled = false
filter = solid-pop3d
action = iptables-multiport[name=solid-pop3, port="pop3,pop3s", protocol=tcp]
logpath = /var/log/mail.log
[selinux-ssh] [selinux-ssh]
enabled = false enabled = false
filter = selinux-ssh filter = selinux-ssh
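Review bot: The chain name in the new jail's action, `name=solid-pop3`, does not match the jail and filter name `solid-pop3d`, while the neighbouring context line keys its chain on its own name (`name=dovecot-auth`); `action = iptables-multiport[name=solid-pop3d, port="pop3,pop3s", protocol=tcp]` would keep the iptables chain traceable to the jail. The filter file states that solid-pop3d must be built with --enable-logextend for log lines to carry the client address, so a one-line comment above the jail, e.g. `# requires solid-pop3d built with --enable-logextend (see filter.d/solid-pop3d)`, would stop an operator from enabling a jail that can never ban. The `[solid-pop3d]` block appears complete within the hunk; the preceding jail starts outside it, and the rendered page seems to have dropped the hunk's blank lines.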


@ -0,0 +1,25 @@
# failJSON: { "time": "2004-11-15T00:34:53", "match": true , "host": "123.33.44.45" }
Nov 15 00:34:53 rmc1pt2-2-35-70 solid-pop3d[3822]: authentication failed: no such user: adrian - 123.33.44.45
# All below are manufactured from looking at log
# failJSON: { "time": "2004-11-15T00:34:53", "match": true , "host": "123.33.44.45" }
Nov 15 00:34:53 rmc1pt2-2-35-70 solid-pop3d[3822]: authentication failed: can't map user name: adrian - 123.33.44.45
# failJSON: { "time": "2004-11-15T00:34:53", "match": true , "host": "123.33.44.45" }
Nov 15 00:34:53 rmc1pt2-2-35-70 solid-pop3d[3822]: authentication failed for user adrain - 123.33.44.45
# failJSON: { "time": "2004-11-15T00:34:53", "match": true , "host": "123.33.44.45" }
Nov 15 00:34:53 rmc1pt2-2-35-70 solid-pop3d[3822]: authentication failed for mapped user adrain - 123.33.44.45
# failJSON: { "time": "2004-11-15T00:34:53", "match": true , "host": "123.33.44.45" }
Nov 15 00:34:53 rmc1pt2-2-35-70 solid-pop3d[3822]: root login not allowed - 123.33.44.45
# failJSON: { "time": "2004-11-15T00:34:53", "match": true , "host": "123.33.44.45" }
Nov 15 00:34:53 rmc1pt2-2-35-70 solid-pop3d[3822]: can't find APOP secret for user adrian - 123.33.44.45
# failJSON: { "time": "2004-11-15T00:34:53", "match": true , "host": "123.33.44.45" }
Nov 15 00:34:53 rmc1pt2-2-35-70 solid-pop3d[3822]: APOP authentication failed for user adrian - 123.33.44.45
# Real log messages again:
# failJSON: { "time": "2004-11-17T23:10:03", "match": true , "host": "190.16.165.230" }
Nov 17 23:10:03 emf1pt2-2-35-70 solid-pop3d[16993]: authentication failed for user jacques - 190.16.165.230
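Review bot: There is no negative sample for the PAM failure line that the filter's DEV notes single out as carrying no remote address, so nothing in this test log pins that the filter ignores it; the line quoted in the filter could be appended as `# failJSON: { "match": false }` followed by `Nov 17 23:17:50 emf1pt2-2-35-70 solid-pop3d[17176]: pam_unix(solid-pop3d:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=jacques`. The manufactured `authentication failed for user` and `for mapped user` samples spell the user as `adrain` while the rest use `adrian`; harmless to the `.*?` field but presumably a typo. The `can't map user name` and `APOP authentication failed` variants are manufactured rather than captured, as the comment says; noting that they were transcribed from the daemon's message strings in main.c (which the filter references) would make their provenance explicit for whoever next touches the regexes.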