From 504111b0b1e62eb882888b2e8acceaf547e6b9f5 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Mon, 16 Sep 2013 01:22:42 +1000 Subject: [PATCH 1/2] ENH: filter.d/recidive - anchor regex at start and support f2b SYSLOG target --- ChangeLog | 1 + config/filter.d/recidive.conf | 14 ++++++++++++-- testcases/files/logs/recidive | 4 ++++ 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 633bebbb..b68e7ddc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -66,6 +66,7 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests and extra failure examples in sample logs * filter.d/apache-auth - added expressions for mod_authz, mod_auth and mod_auth_digest failures. + * filter.d/recidive -- support f2b syslog target and anchor regex at start Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий * filter.d/exim.conf -- regex hardening and extra failure examples in sample logs diff --git a/config/filter.d/recidive.conf b/config/filter.d/recidive.conf index bbb48008..5d1ab0dd 100644 --- a/config/filter.d/recidive.conf +++ b/config/filter.d/recidive.conf @@ -15,8 +15,18 @@ # for most jails, and shorewall for this one). # + +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + [Definition] +_daemon = fail2ban.actions + + # The name of the jail that this filter is used for. In jail.conf, name the # jail using this filter 'recidive', or change this line! _jailname = recidive 
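Review bot: `_daemon = fail2ban.actions` is written as a plain string, but with `before = common.conf` pulled in it is presumably interpolated into the daemon part of `__prefix_line` as a regex, where the unescaped `.` matches any character; `_daemon = fail2ban\.actions` states the intent exactly. A one-line comment on the new option would also help, since nothing visible in this hunk references `_daemon` directly: `# Logger name fail2ban uses when logging to syslog; consumed by __prefix_line from common.conf`. The `[Definition]` section this hunk opens continues past the end of the hunk.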
@@ -28,11 +38,11 @@ _jailname = recidive # (?:::f{4,6}:)?(?P\S+) # Values: TEXT # -failregex = fail2ban.actions:\s+WARNING\s+\[(?:.*)\]\s+Ban\s+ +failregex = ^(%(__prefix_line)s|,\d{3} fail2ban.actions:\s+)WARNING\s+\[(?:.*)\]\s+Ban\s+ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # # Ignore our own bans, to keep our counts exact. -ignoreregex = fail2ban.actions:\s+WARNING\s+\[%(_jailname)s\]\s+Ban\s+ +ignoreregex = ^(%(__prefix_line)s|,\d{3} fail2ban.actions:\s+)WARNING\s+\[%(_jailname)s\]\s+Ban\s+ diff --git a/testcases/files/logs/recidive b/testcases/files/logs/recidive index cf6df933..6af85137 100644 --- a/testcases/files/logs/recidive +++ b/testcases/files/logs/recidive @@ -4,3 +4,7 @@ 2006-02-13 16:07:31,183 fail2ban.actions: WARNING [sendmail] Unban 1.2.3.4 # failJSON: { "match": false } 2006-02-13 15:52:30,388 fail2ban.actions: WARNING [recidive] Ban 1.2.3.4 +# syslog example +# failJSON: { "time": "2004-09-16T00:44:55", "match": true , "host": "10.0.0.7" } +Sep 16 00:44:55 spaceman fail2ban.actions: WARNING [jail] Ban 10.0.0.7 + From 673cc4d77ff17c573cfb1b9602d4d2fc48bbeefd Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Mon, 16 Sep 2013 18:43:56 +1000 Subject: [PATCH 2/2] ENH: anchor at end of recidive filter --- config/filter.d/recidive.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/filter.d/recidive.conf b/config/filter.d/recidive.conf index 5d1ab0dd..151bd18e 100644 --- a/config/filter.d/recidive.conf +++ b/config/filter.d/recidive.conf 
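Review bot: The second alternative `,\d{3} fail2ban.actions:\s+` encodes an assumption the hunk never states: it begins at the millisecond fraction of fail2ban's own log timestamp, which only lines up with the new `^` anchor if the date detector has already stripped `2006-02-13 15:52:30` from the line before `failregex` is applied. That stripping is inferred from the fixture lines rather than visible here, so a comment above `failregex` such as `# Two prefixes: syslog (via __prefix_line from common.conf), or fail2ban's own log file, where only the ',NNN' millisecond tail of the timestamp survives date removal` would spare the next reader from rediscovering it. The same comment applies to `ignoreregex`, which duplicates the alternative.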
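Review bot: The new fixture only exercises the syslog form of `failregex` (a `[jail]` ban that must match); the syslog alternative added to `ignoreregex` has no counterpart, so a regression that stops `[recidive]` bans from being ignored in syslog output would still pass the tests. Add a negative case directly after the syslog example, e.g. `# failJSON: { "match": false }` followed by `Sep 16 00:44:56 spaceman fail2ban.actions: WARNING [recidive] Ban 10.0.0.7`. The empty `+` line at the end of the hunk also looks unintentional.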
@@ -38,11 +38,11 @@ _jailname = recidive
 # (?:::f{4,6}:)?(?P\S+)
 # Values: TEXT
 #
-failregex = ^(%(__prefix_line)s|,\d{3} fail2ban.actions:\s+)WARNING\s+\[(?:.*)\]\s+Ban\s+
+failregex = ^(%(__prefix_line)s|,\d{3} fail2ban.actions:\s+)WARNING\s+\[(?:.*)\]\s+Ban\s+\s*$
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
 # Values: TEXT
 #
 # Ignore our own bans, to keep our counts exact.
-ignoreregex = ^(%(__prefix_line)s|,\d{3} fail2ban.actions:\s+)WARNING\s+\[%(_jailname)s\]\s+Ban\s+
+ignoreregex = ^(%(__prefix_line)s|,\d{3} fail2ban.actions:\s+)WARNING\s+\[%(_jailname)s\]\s+Ban\s+\s*$
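Review bot: The jail-name group `\[(?:.*)\]` in the new `failregex` is greedy and accepts `]` inside it, so on a line containing two `] Ban` sequences it can swallow the first host and match the later `Ban` token instead; `\[[^\]]+\]` pins it to a single bracketed name, mirrors what `ignoreregex` assumes with its literal `[%(_jailname)s]`, and avoids the backtracking. The literal `fail2ban.actions` in the second alternative also leaves the `.` unescaped even though the first patch introduced `_daemon` for this very string, so `fail2ban\.actions` would be more precise. Separately, the rendered line shows `Ban\s+\s*$` with nothing between `\s+` and `\s*`; presumably the `<HOST>` tag was lost in page rendering, as the `<host>` group name in the comment above was, because without it fail2ban would have no host group to ban — worth confirming against the committed file.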