From 58ae2a5a75abc8d9c7e4770332aaf5cfaa6e1c53 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Mon, 30 Jul 2007 02:31:35 +0000
Subject: [PATCH] * Added new time template matching named log entries

---
 debian/changelog | 1 +
 debian/patches/00_named_logtimeformat.dpatch | 23 ++++++++++++++++++++
 debian/patches/00_named_refused.dpatch | 9 ++++----
 debian/patches/00list | 1 +
 4 files changed, 30 insertions(+), 4 deletions(-)
 create mode 100755 debian/patches/00_named_logtimeformat.dpatch

diff --git a/debian/changelog b/debian/changelog
index cf4c0a54..ae178487 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,7 @@ fail2ban (0.8.0-4) unstable; urgency=low
 * Added iptables-allports.
 * Use /var/run to keep socket file (closes: #425746)
 * Added a filter for named to catch refused/denied queries
+ * Added new time template matching named log entries
 * jail.conf has specification of protocol (default to tcp) to be
 provided to banaction
 * Adjusted failregex for sshd filter:
diff --git a/debian/patches/00_named_logtimeformat.dpatch b/debian/patches/00_named_logtimeformat.dpatch
new file mode 100755
index 00000000..672f86e5
--- /dev/null
+++ b/debian/patches/00_named_logtimeformat.dpatch
@@ -0,0 +1,23 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 00_named_logtimeformat.dpatch by Yaroslav Halchenko
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad trunk~/server/datedetector.py trunk/server/datedetector.py
+--- trunk~/server/datedetector.py 2007-04-01 16:42:08.000000000 -0400
++++ trunk/server/datedetector.py 2007-07-29 22:28:52.000000000 -0400
+@@ -80,6 +80,12 @@
+ template.setRegex("\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
+ template.setPattern("%Y-%m-%d %H:%M:%S")
+ self.__templates.append(template)
++ # named 26-Jul-2007 15:20:52.252
++ template = DateStrptime()
++ template.setName("Day-Month-Year Hour:Minute:Second[.Millisecond]")
++ template.setRegex("\d{2}-\S{3}-\d{4} \d{2}:\d{2}:\d{2}")
++ template.setPattern("%d-%b-%Y %H:%M:%S")
++ self.__templates.append(template)
+ # TAI64N
+ template = DateTai64n()
+ template.setName("TAI64N")
diff --git a/debian/patches/00_named_refused.dpatch b/debian/patches/00_named_refused.dpatch
index 872371c6..99152fd8 100755
--- a/debian/patches/00_named_refused.dpatch
+++ b/debian/patches/00_named_refused.dpatch
@@ -7,8 +7,8 @@
 @DPATCH@
 diff -urNad trunk~/config/filter.d/named-refused.conf trunk/config/filter.d/named-refused.conf
 --- trunk~/config/filter.d/named-refused.conf 1969-12-31 19:00:00.000000000 -0500
-+++ trunk/config/filter.d/named-refused.conf 2007-07-24 16:02:15.000000000 -0400
-@@ -0,0 +1,33 @@
++++ trunk/config/filter.d/named-refused.conf 2007-07-29 22:31:22.000000000 -0400
+@@ -0,0 +1,34 @@
 +# Fail2Ban configuration file for named (bind9). Trying to generalize the
 +# structure which is general to capture general patterns in log
 +# lines to cover different configurations/distributions
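Review bot: The dpatch header still carries the template placeholder `## DP: No description.`, so the patch ships with no statement of what it changes or why; a one-line description such as `## DP: Add a DateStrptime template for named's native DD-Mon-YYYY HH:MM:SS[.mmm] log timestamps` would do. In the added template, `\S{3}` for the month accepts any three non-space characters, wider than what `%b` can parse, so `[A-Za-z]{3}` would keep the candidate regex aligned with the strptime pattern; whether an unparseable candidate is retried against the later templates or dropped depends on DateStrptime.getDate, which is outside this hunk. The template name promises `[.Millisecond]` but neither the regex nor the pattern consumes the fractional part, which presumably works only because the regex is unanchored and the `.252` remainder is left on the line — a short comment stating that intent next to the `setName` line would save the next reader the same question.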
@@ -32,7 +32,8 @@ diff -urNad trunk~/config/filter.d/named-refused.conf trunk/config/filter.d/name
 +__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
 +__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
 +# hostname daemon_id spaces
-+__line_prefix=\s\S+ %(__daemon_combs_re)s\s+
++# this can be optional (for instance if we match named native log files)
++__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
 +
 +# Option: failregex
 +# Notes.: regex to match the password failures messages in the logfile.
@@ -44,7 +45,7 @@ diff -urNad trunk~/config/filter.d/named-refused.conf trunk/config/filter.d/name
 +
 diff -urNad trunk~/config/filter.d/named-refused.examples trunk/config/filter.d/named-refused.examples
 --- trunk~/config/filter.d/named-refused.examples 1969-12-31 19:00:00.000000000 -0500
-+++ trunk/config/filter.d/named-refused.examples 2007-07-24 16:02:15.000000000 -0400
++++ trunk/config/filter.d/named-refused.examples 2007-07-29 22:30:29.000000000 -0400
 @@ -0,0 +1,13 @@
 +Jul 15 18:42:00 raid5 named[3888]: unexpected RCODE (SERVFAIL) resolving 'skira.de/NS/IN': 216.14.208.5#53
 +Jul 15 18:42:01 raid5 named[3888]: unexpected RCODE (SERVFAIL) resolving 'skira.de/NS/IN': 216.14.208.4#53
diff --git a/debian/patches/00list b/debian/patches/00list
index 27d00024..4db8fdb8 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -7,3 +7,4 @@
 00_ssh_strong_re
 00_pam_generic
 00_named_refused
+00_named_logtimeformat
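Review bot: Making `__line_prefix` fully optional removes the only part of the pattern that ties a syslog line to the named daemon, so on a shared syslog any program's message that otherwise satisfies failregex will now count as a named failure and can lead to banning the address it contains; failregex itself is outside this hunk, so whether it carries another daemon-specific anchor cannot be confirmed here. If the goal is only to accept named's own log files, which carry no hostname/daemon prefix, a narrower form keeps the syslog branch intact and names the native format explicitly instead of allowing an empty prefix, e.g. `__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+|<NATIVE_PREFIX_PLACEHOLDER>)` with the placeholder replaced by whatever category/severity prefix named writes before the message — the hunk does not show that format. The new comment could also record the trade-off, e.g. `# optional so that named's own log files (no syslog hostname/daemon prefix) match; note this also loosens matching for syslog input`.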