From d22716ab63a6e38c3f2c5c40c15c9fd2e2d3c421 Mon Sep 17 00:00:00 2001
From: Steven Hiscocks
Date: Wed, 18 Dec 2013 22:31:54 +0000
Subject: [PATCH] ENH: Add nsd filter and amend DateEpoch to match date format
---
 ChangeLog | 2 ++
 THANKS | 1 +
 config/filter.d/nsd.conf | 26 ++++++++++++++++++++++++++
 server/datetemplate.py | 2 +-
 testcases/files/logs/nsd | 4 ++++
 5 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 config/filter.d/nsd.conf
 create mode 100644 testcases/files/logs/nsd
diff --git a/ChangeLog b/ChangeLog
index 77fd6a03..e9b3d638 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -40,6 +40,8 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better
 
 Daniel Black
 * filter.d/solid-pop3d -- added thanks to Jacques Lav!gnotte on mailinglist.
+ Bas van den Dikkenberg & Steven Hiscocks
+ * filter.d/nsd.conf -- also amended Unix date template to match nsd format
 
 - Enhancements:
 - loglines now also report "[PID]" after the name portion
diff --git a/THANKS b/THANKS
index 84f96b9a..b9b86043 100644
--- a/THANKS
+++ b/THANKS
@@ -16,6 +16,7 @@ Andrey G. Grozin
 Andy Fragen
 Arturo 'Buanzo' Busleiman
 Axel Thimm
+Bas van den Dikkenberg
 Beau Raines
 Bill Heaton
 Carlos Alberto Lopez Perez
diff --git a/config/filter.d/nsd.conf b/config/filter.d/nsd.conf
new file mode 100644
index 00000000..cd4ce35f
--- /dev/null
+++ b/config/filter.d/nsd.conf
@@ -0,0 +1,26 @@
+# Fail2Ban configuration file
+#
+# Author: Bas van den Dikkenberg
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = nsd
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+
+failregex = ^\[\]%(__prefix_line)sinfo: ratelimit block .* query TYPE255$
+ ^\[\]%(__prefix_line)sinfo: .* refused, no acl matches\.$
diff --git a/server/datetemplate.py b/server/datetemplate.py
index decaee1c..33c69703 100644
--- a/server/datetemplate.py
+++ b/server/datetemplate.py
@@ -78,7 +78,7 @@ class DateEpoch(DateTemplate):
 
 def __init__(self):
 DateTemplate.__init__(self)
- self.setRegex("(?:^|(?P(?<=audit\()))\d{10}(?:\.\d{3,6})?(?(selinux)(?=:\d+\)))")
+ self.setRegex("(?:^|(?P(?<=^\[))|(?P(?<=audit\()))\d{10}(?:\.\d{3,6})?(?(selinux)(?=:\d+\))(?(square)(?=\])))")
 
 def getDate(self, line):
 date = None
diff --git a/testcases/files/logs/nsd b/testcases/files/logs/nsd
new file mode 100644
index 00000000..a33a52a9
--- /dev/null
+++ b/testcases/files/logs/nsd
@@ -0,0 +1,4 @@
+# failJSON: { "time": "2013-12-17T14:58:14", "match": true , "host": "192.0.2.105" }
+[1387288694] nsd[7745]: info: ratelimit block example.com. type any target 192.0.2.0/24 query 192.0.2.105 TYPE255
+# failJSON: { "time": "2013-12-18T07:42:15", "match": true , "host": "192.0.2.115" }
+[1387348935] nsd[23600]: info: axfr for zone domain.nl. from client 192.0.2.115 refused, no acl matches.
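Review bot: The `# Notes.:` comment above the new failregex still describes "password failures messages", but neither pattern concerns authentication — the first matches nsd's response-rate-limit block for ANY (`TYPE255`) queries and the second a request refused by ACL, such as the AXFR in the accompanying test log; replace that sentence with `# Notes.: regex to match nsd ratelimit blocks and requests refused by ACL.`. The first pattern is also restricted to `TYPE255` queries, so ratelimit blocks for any other query type are never matched; if that is deliberate, a comment next to the pattern should say so. A `# NOTE:` would also help operators: the ratelimit line names the query's source address, and for a DNS query arriving over UDP that address is not verified by any handshake, so a ban derived from it can land on a spoofed third party rather than the real sender — a deployment caveat the regex itself cannot remove. The identifiers inside the `<...>` tags appear to have been stripped in this rendering of the hunk (`The tag "" can`, `(?P[\w\-.^_]+)`), so the patterns are read here as they would stand in the file, not as displayed.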
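Review bot: The new pattern on the `+` line is an ordinary string literal, and the change adds further backslash escapes to it (`\[`, `\]` beside the existing `\(`, `\d`, `\.`); they reach `re` intact only because none of them is a recognised string escape, so a raw literal `r"..."` would be the safer and conventional form for a regex of this length. A one-line comment above the call would also help the next reader, since the three anchors are not obvious from the pattern alone — something like `# epoch at line start, inside "[...]" (nsd) or inside "audit(...)" (SELinux); the trailing conditionals require the matching closer`. The named groups appear to have lost their names in this rendering (`(?P(?<=^\[))`), so they are read here as `square` and `selinux` from the conditionals that reference them. `__init__` is complete within the hunk; `getDate` continues past its last line.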
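Review bot: Both samples in the fixture are positive matches, so nothing here checks that the `.*` in the two failregex patterns does not over-match; add a routine nsd `info:` or `notice:` line (an ordinary startup or completed-transfer message) preceded by `# failJSON: { "time": "<ISO-TIMESTAMP>", "match": false }` so the filter test fails if a pattern becomes too loose. Both lines begin with `[<epoch>]` and therefore do exercise the new bracketed branch of `DateEpoch`, which is worth preserving if the messages are ever edited.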