From 9e1fa4ff73a1566ae0c381930b6eaae9880b0f29 Mon Sep 17 00:00:00 2001 From: Amir Caspi Date: Fri, 29 Mar 2019 17:38:30 -0600 Subject: [PATCH 1/7] Update sendmail-reject Added loglines to show TLSMTA and MSA port IDs (RHEL/CentOS sendmail default for ports 465 and 587, respectively) --- fail2ban/tests/files/logs/sendmail-reject | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/fail2ban/tests/files/logs/sendmail-reject b/fail2ban/tests/files/logs/sendmail-reject index 44f8eb92..a76cbf4b 100644 --- a/fail2ban/tests/files/logs/sendmail-reject +++ b/fail2ban/tests/files/logs/sendmail-reject @@ -95,3 +95,8 @@ Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026255: from= Date: Fri, 29 Mar 2019 17:39:27 -0600 Subject: [PATCH 2/7] Update sendmail-reject.conf On some distros (e.g., CentOS 7), sendmail default config labels port 465 as TLSMTA and port 587 as MSA. Update failregex to reflect. Relevant loglines included in https://github.com/fail2ban/fail2ban/commit/9e1fa4ff73a1566ae0c381930b6eaae9880b0f29 --- config/filter.d/sendmail-reject.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/sendmail-reject.conf b/config/filter.d/sendmail-reject.conf index 985eac8b..dd58f3e7 100644 --- a/config/filter.d/sendmail-reject.conf +++ b/config/filter.d/sendmail-reject.conf @@ -32,7 +32,7 @@ cmnfailre = ^ruleset=check_rcpt, arg1=(?P<\S+@\S+>), relay=(\S+ )?\[(?:IP mdre-normal = -mdre-extra = ^(?:\S+ )?\[(?:IPv6:|)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to M(?:TA|SP)(?:-\w+)?$ +mdre-extra = ^(?:\S+ )?\[(?:IPv6:|)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to (?:TLS)?M(?:TA|SP|SA)(?:-\w+)?$ mdre-aggressive = %(mdre-extra)s From eed1de0ceb992315c6824ca79e512df861bab39b Mon Sep 17 00:00:00 2001 
From: Amir Caspi Date: Fri, 29 Mar 2019 17:47:52 -0600 Subject: [PATCH 3/7] Update ChangeLog Updated to reflect sendmail-reject changes https://github.com/fail2ban/fail2ban/commit/9e1fa4ff73a1566ae0c381930b6eaae9880b0f29 and https://github.com/fail2ban/fail2ban/commit/ffd5d0db78af01afcdf7a2c615dc26b8558ad8f1 --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index e20f6ccc..4389fa88 100644 --- a/ChangeLog +++ b/ChangeLog @@ -43,6 +43,9 @@ ver. 0.10.5-dev-1 (20??/??/??) - development edition * `filter.d/mysqld-auth.conf`: - MYSQL 8.0.13 compatibility (log-error-verbosity = 3), log-format contains few additional words enclosed in brackets after "[Note]" (gh-2314) +* `filter.d/sshd.conf`: + - `mode=extra` now captures port IDs of `TLSMTA` and `MSA` (defaults for ports 465 and 587 on some distros) + * `files/fail2ban.service.in`: fixed systemd-unit template - missing nftables dependency (gh-2313) * several `action.d/mail*`: fixed usage with multiple log files (ultimate fix for gh-976, gh-2341) From 7ac2f167f99597ecd90eef8d42bc4a068a592a90 Mon Sep 17 00:00:00 2001 From: Amir Caspi Date: Fri, 29 Mar 2019 17:49:22 -0600 Subject: [PATCH 4/7] Update ChangeLog Fixing typo I introduced in commit https://github.com/fail2ban/fail2ban/commit/eed1de0ceb992315c6824ca79e512df861bab39b --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 4389fa88..71b5f536 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -43,7 +43,7 @@ ver. 0.10.5-dev-1 (20??/??/??) - development edition * `filter.d/mysqld-auth.conf`: - MYSQL 8.0.13 compatibility (log-error-verbosity = 3), log-format contains few additional words enclosed in brackets after "[Note]" (gh-2314) -* `filter.d/sshd.conf`: +* `filter.d/sendmail-reject.conf`: - `mode=extra` now captures port IDs of `TLSMTA` and `MSA` (defaults for ports 465 and 587 on some distros) * `files/fail2ban.service.in`: fixed systemd-unit template - missing nftables dependency (gh-2313) From 76816285e886eee0a53ba5c64c50101fbd87a760 Mon Sep 17 00:00:00 2001 From: Amir Caspi Date: Fri, 29 Mar 2019 18:21:47 -0600 Subject: [PATCH 5/7] Update sendmail-reject Fixing timestamps to 2005 (oops) --- fail2ban/tests/files/logs/sendmail-reject | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fail2ban/tests/files/logs/sendmail-reject b/fail2ban/tests/files/logs/sendmail-reject index a76cbf4b..b6911c4d 100644 --- a/fail2ban/tests/files/logs/sendmail-reject +++ b/fail2ban/tests/files/logs/sendmail-reject 
@@ -96,7 +96,7 @@ Mar 6 16:55:28 s192-168-0-1 sm-mta[20949]: v26LtRA0020949: some-host-24.example # failJSON: { "time": "2005-03-07T15:04:37", "match": true , "host": "192.0.2.195", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSP-mode, (may be forged)" } Mar 7 15:04:37 s192-168-0-1 sm-mta[18624]: v27K4Vj8018624: some-host-24.example.org [192.0.2.195] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSP-v4 -# failJSON: { "time": "2019-03-29T22:33:47", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), TLSMTA-mode" } +# failJSON: { "time": "2005-03-29T22:33:47", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), TLSMTA-mode" } Mar 29 22:33:47 kismet sm-mta[23221]: x2TMXH7Y023221: internettl.org [104.152.52.29] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA -# failJSON: { "time": "2019-03-29T22:51:42", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSA-mode" } +# failJSON: { "time": "2005-03-29T22:51:42", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSA-mode" } Mar 29 22:51:42 kismet sm-mta[24202]: x2TMpAlI024202: internettl.org [104.152.52.29] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA From 6c7093c66dce9f695cde24149a78650868083617 Mon Sep 17 00:00:00 2001 From: "Sergey G. Brester" Date: Thu, 4 Apr 2019 02:28:50 +0200 Subject: [PATCH 6/7] minor amend, refolding branches (SP|SA -> S[PA]) --- config/filter.d/sendmail-reject.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/sendmail-reject.conf b/config/filter.d/sendmail-reject.conf index dd58f3e7..e6814a00 100644 --- a/config/filter.d/sendmail-reject.conf +++ b/config/filter.d/sendmail-reject.conf 
@@ -32,7 +32,7 @@ cmnfailre = ^ruleset=check_rcpt, arg1=(?P<\S+@\S+>), relay=(\S+ )?\[(?:IP mdre-normal = -mdre-extra = ^(?:\S+ )?\[(?:IPv6:|)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to (?:TLS)?M(?:TA|SP|SA)(?:-\w+)?$ +mdre-extra = ^(?:\S+ )?\[(?:IPv6:|)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to (?:TLS)?M(?:TA|S[PA])(?:-\w+)?$ mdre-aggressive = %(mdre-extra)s From ec9f698f5bba95b4e785c1b55f59aa6dda82eeed Mon Sep 17 00:00:00 2001 From: "Sergey G. Brester" Date: Thu, 4 Apr 2019 02:55:09 +0200 Subject: [PATCH 7/7] removed new-line --- ChangeLog | 1 - 1 file changed, 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 71b5f536..65ee4268 100644 --- a/ChangeLog +++ b/ChangeLog @@ -45,7 +45,6 @@ ver. 0.10.5-dev-1 (20??/??/??) - development edition enclosed in brackets after "[Note]" (gh-2314) * `filter.d/sendmail-reject.conf`: - `mode=extra` now captures port IDs of `TLSMTA` and `MSA` (defaults for ports 465 and 587 on some distros) - * `files/fail2ban.service.in`: fixed systemd-unit template - missing nftables dependency (gh-2313) * several `action.d/mail*`: fixed usage with multiple log files (ultimate fix for gh-976, gh-2341)
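Review bot: in 1/7 (sendmail-reject fixture, hunk `@@ -95,3 +95,8 @@`) the five added lines are not visible in this rendering (the context line is cut off right after `from=`, so the added fixture lines can only be reviewed through their later edits in 5/7). Those show the new failJSON `time` values written as 2019 while every other entry in this fixture uses 2005 (e.g. `2005-03-07T15:04:37`), and a real third-party host `internettl.org [104.152.52.29]` where the neighbouring lines use `some-host-24.example.org [192.0.2.195]`. Suggest setting the year correctly in this commit rather than in a follow-up, and replacing the hostname and address with documentation values (an example.org name and a 192.0.2.0/24 address, matching the rest of the file) so the test suite does not carry a real host and IP.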
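Review bot: in 2/7 (`mdre-extra` in sendmail-reject.conf) the new tail `(?:TLS)?M(?:TA|SP|SA)` makes the `TLS` prefix independent of the daemon branch, so it also accepts `TLSMSP` and `TLSMSA`, names that appear neither in the fixtures nor in the commit message; if `TLSMTA` is the only TLS-prefixed label the patch intends to cover, `(?:TLSMTA|M(?:TA|SP|SA))` keeps the expression as tight as the old one. Since `mdre-aggressive = %(mdre-extra)s`, the change applies to `mode=aggressive` as well as `mode=extra`, which the accompanying ChangeLog entry (3/7 mentions only `mode=extra`) could state.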
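Review bot: in 3/7 (ChangeLog hunk) the entry is filed under `filter.d/sshd.conf` although the change is to `filter.d/sendmail-reject.conf` (corrected in 4/7), and it introduces a stray blank line after the bullet (removed in 7/7); both fixes belong in this commit so the series does not carry two fixups for one ChangeLog line. The neighbouring entries cite an issue id (`gh-2314`, `gh-2313`); if this change has one, the new bullet should cite it the same way.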
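Review bot: 4/7 is a one-word fixup (`sshd.conf` to `sendmail-reject.conf`) of the entry added in 3/7 and should be squashed into it, so that a ChangeLog line attributing a sendmail change to the sshd filter never appears in the history.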
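Review bot: in 5/7 (sendmail-reject fixture, hunk `@@ -96,7 +96,7 @@`) the corrected `time` values (2005-03-29) are now consistent with the rest of the fixture and with the year-less syslog lines (`Mar 29 22:33:47 ...`) that follow them. The `desc` strings copy the misspelling "compiant" from the existing MSP-mode entry above; since these two lines are new, spelling it "compliant" here costs nothing. This fixup should also be squashed into 1/7 so the fixture is never committed with mismatched years.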
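Review bot: in 6/7 (`mdre-extra` refold) `(?:TA|SP|SA)` to `(?:TA|S[PA])` is a pure rewrite with an identical match set, and the existing fixture lines (`MSP-v4`, `TLSMTA`, `MSA`) already exercise all three branches plus the optional `-\w+` suffix, so no fixture change is needed. A one-character refold does not need its own commit; folding it into 2/7 keeps the filter history to one logical change.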
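Review bot: 7/7 only removes the blank line that 3/7 added between the sendmail-reject bullet and the `files/fail2ban.service.in` entry; like 4/7 it is a fixup of 3/7 and should be squashed into it before merge.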