MRG: from master 2014-02-02

2014-02-02 13:21:16 +11:00 · 2014-02-02 13:21:16 +11:00 · 59b9045e88
parent 0f318c225e 1366ea382d
commit 59b9045e88
5 changed files with 39 additions and 12 deletions
--- a/5
+++ b/5
@ -83,10 +83,15 @@ ver. 0.8.13 (2014/XX/XXX) - maintaince-only-from-now-on
 - Fixes:
  - action firewallcmd-ipset had non-working actioncheck. Removed.
    redhat bug #1046816.
+  - filter pureftpd - added _daemon which got removed. Added

 - New Features:

 - Enhancements:
+  - filter pureftpd - added all translations of "Authentication failed for
+    user"
+  - filter dovecot - lip= was optional and extended TLS errors can occur.
+    Thanks Noel Butler.

 ver. 0.8.12 (2014/01/22) - things-can-only-get-better
 ----------
--- a/1
+++ b/1
@ -71,6 +71,7 @@ Michael Hanselmann
 Mika (mkl)
 Nick Munger
 onorua
+Noel Butler
 Patrick Börjesson
 Raphaël Marichez
 RealRancor
--- a/config/filter.d/dovecot.conf
+++ b/config/filter.d/dovecot.conf
@ -10,7 +10,7 @@ before = common.conf
 _daemon = (auth|dovecot(-auth)?|auth-worker)

 failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
-            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?(, session=<\S+>)?\s*$
+            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
            ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$

 ignoreregex = 
@ -22,6 +22,8 @@ journalmatch = _SYSTEMD_UNIT=dovecot.service
 # DEV Notes:
 # * the first regex is essentially a copy of pam-generic.conf
 # * Probably doesn't do dovecot sql/ldap backends properly
+# * Removed the 'no auth attempts' log lines from the matches because produces
+#    lots of false positives on misconfigured MTAs making regexp unuseable
 #
 # Author: Martin Waschbuesch
 #         Daniel Black (rewrote with begin and end anchors)
--- a/config/filter.d/pure-ftpd.conf
+++ b/config/filter.d/pure-ftpd.conf
@ -12,13 +12,19 @@ before = common.conf

 [Definition]

-# Error message specified in multiple languages
-__errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)
+_daemon = pure-ftpd

-failregex = ^%(__prefix_line)s\(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$
+# Error message specified in multiple languages
+__errmsg = (?:<3A>ϥΪ<CFA5>\[.*\]<5D><><EFBFBD>ҥ<EFBFBD><D2A5><EFBFBD>|ʹ<><CAB9><EFBFBD><EFBFBD>\[.*\]<5D><>֤ʧ<D6A4><CAA7>|\[.*\] kullan<61>c<EFBFBD>s<EFBFBD> i<>in giri<72> hatal<61>|<7C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> \[.*\]|Godkjennelse mislyktes for \[.*\]|Beh<65>righetskontroll misslyckas f<>r anv<6E>ndare \[.*\]|Autentifikacia uzivatela zlyhala \[.*\]|Autentificare esuata pentru utilizatorul \[.*\]|Autentica<63><61>o falhou para usu<73>rio \[.*\]|Autentyfikacja nie powiod<6F>a si<73> dla u<>ytkownika \[.*\]|Autorisatie faalde voor gebruiker \[.*\]|\[.*\] <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>|Autenticazione falita per l'utente \[.*\]|Azonos<6F>t<EFBFBD>s sikertelen \[.*\] felhaszn<7A>l<EFBFBD>nak|\[.*\] c'est un batard, il connait pas son code|Erreur d'authentification pour l'utilisateur \[.*\]|Autentificaci<63>n fallida para el usuario \[.*\]|Authentication failed for user \[.*\]|Authentifizierung fehlgeschlagen f<>r Benutzer \[.*\].|Godkendelse mislykkedes for \[.*\]|Autentifikace u<>ivatele selhala \[.*\])
+
+failregex = ^%(__prefix_line)s\(.+?@<HOST>\) \[WARNING\] %(__errmsg)s\s*$

 ignoreregex = 

 # Author: Cyril Jaquier
 # Modified: Yaroslav Halchenko for pure-ftpd
 # Documentation thanks to Blake on http://www.fail2ban.org/wiki/index.php?title=Fail2ban:Community_Portal
+#
+# Only logs to syslog though facility can be changed configuration file/command line
+#
+# fgrep -r MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src
--- a/fail2ban/tests/files/logs/dovecot
+++ b/fail2ban/tests/files/logs/dovecot
@ -19,19 +19,11 @@ Dec 12 11:19:11 dunnart dovecot: pop3-login: Aborted login (tried to use disallo
 Jun 13 16:30:54 platypus dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=<username.bob>, method=PLAIN, rip=49.176.98.87, lip=113.212.99.194, TLS
 # failJSON: { "time": "2005-06-14T00:48:21", "match": true , "host": "59.167.242.100" }
 Jun 14 00:48:21 platypus dovecot: imap-login: Disconnected (auth failed, 1 attempts): method=PLAIN, rip=59.167.242.100, lip=113.212.99.194, TLS: Disconnected
-# failJSON: { "time": "2005-06-13T20:48:11", "match": true , "host": "121.44.24.254" }
-Jun 13 20:48:11 platypus dovecot: pop3-login: Disconnected (no auth attempts): rip=121.44.24.254, lip=113.212.99.194, TLS: Disconnected
-# failJSON: { "time": "2005-06-13T21:48:06", "match": true , "host": "180.200.180.81" }
-Jun 13 21:48:06 platypus dovecot: pop3-login: Disconnected: Inactivity (no auth attempts): rip=180.200.180.81, lip=113.212.99.194, TLS
-# failJSON: { "time": "2005-06-13T20:20:21", "match": true , "host": "180.189.168.166" }
-Jun 13 20:20:21 platypus dovecot: imap-login: Disconnected (no auth attempts): rip=180.189.168.166, lip=113.212.99.194, TLS handshaking: Disconnected
 # failJSON: { "time": "2005-06-23T00:52:43", "match": true , "host": "193.95.245.163" }
 Jun 23 00:52:43 vhost1-ua dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=<info>, method=PLAIN, rip=193.95.245.163, lip=176.214.13.210

 # failJSON: { "time": "2005-07-02T13:49:31", "match": true , "host": "192.51.100.13" }
 Jul 02 13:49:31 hostname dovecot[442]: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=<test>, method=PLAIN, rip=192.51.100.13, lip=203.0.113.17, session=<YADINsQCDs5BH8Pg>
-# failJSON: { "time": "2005-07-02T13:49:32", "match": true , "host": "192.51.100.13" }
-Jul 02 13:49:32 hostname dovecot[442]: pop3-login: Disconnected (no auth attempts in 58 secs): user=<>, rip=192.51.100.13, lip=203.0.113.17, session=<LgDINsQCkttVIMPg>

 # failJSON: { "time": "2005-07-02T13:49:32", "match": true , "host": "200.76.17.206" }
 Jul 02 13:49:32 hostname dovecot[442]: dovecot: auth(default): pam(account@MYSERVERNAME.com,200.76.17.206): pam_authenticate() failed: User not known to the underlying authentication module: 2 Time(s)
@ -48,3 +40,24 @@ Jan 13 20:51:05 valhalla dovecot: pop3-login: Disconnected: Inactivity (auth fai
 # failJSON: { "time": "2005-01-14T15:54:30", "match": true , "host": "1.2.3.4" }
 Jan 14 15:54:30 valhalla dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<ivo>, method=PLAIN, rip=1.2.3.4, lip=1.1.2.2, TLS: Disconnected, session=<q454Xu/vMwBZApgg>

+
+# failJSON: { "time": "2005-01-29T09:33:58", "match": true , "host": "212.9.180.3" }
+Jan 29 09:33:58 pop3-login: Info: Aborted login (auth failed, 1 attempts in 2 secs): user=<grace>, method=PLAIN, rip=212.9.180.3
+
+# failJSON: { "time": "2005-01-29T09:34:17", "match": true , "host": "1.2.3.4" }
+Jan 29 09:34:17 pop3-login: Info: Aborted login (auth failed, 1 attempts in 62 secs): user=<carl.matx@sxxxxxxx.net>, method=PLAIN, rip=1.2.3.4, TLS
+
+# failJSON: { "time": "2005-01-29T09:38:03", "match": true , "host": "117.218.51.80" }
+Jan 29 09:38:03 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 178 secs): user=<suzanne>, method=PLAIN, rip=117.218.51.80
+
+# failJSON: { "time": "2005-01-29T09:38:46", "match": false , "host": "176.61.137.100" }
+Jan 29 09:38:46 pop3-login: Info: Disconnected (no auth attempts in 10 secs): user=<>, rip=176.61.137.100, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
+
+# failJSON: { "time": "2005-06-13T20:48:11", "match": false , "host": "121.44.24.254" }
+Jun 13 20:48:11 platypus dovecot: pop3-login: Disconnected (no auth attempts): rip=121.44.24.254, lip=113.212.99.194, TLS: Disconnected
+# failJSON: { "time": "2005-06-13T21:48:06", "match": false , "host": "180.200.180.81" }
+Jun 13 21:48:06 platypus dovecot: pop3-login: Disconnected: Inactivity (no auth attempts): rip=180.200.180.81, lip=113.212.99.194, TLS
+# failJSON: { "time": "2005-06-13T20:20:21", "match": false , "host": "180.189.168.166" }
+Jun 13 20:20:21 platypus dovecot: imap-login: Disconnected (no auth attempts): rip=180.189.168.166, lip=113.212.99.194, TLS handshaking: Disconnected
+# failJSON: { "time": "2005-07-02T13:49:32", "match": false , "host": "192.51.100.13" }
+Jul 02 13:49:32 hostname dovecot[442]: pop3-login: Disconnected (no auth attempts in 58 secs): user=<>, rip=192.51.100.13, lip=203.0.113.17, session=<LgDINsQCkttVIMPg>