Merge branch '0.10' into 0.11

2018-08-03 12:06:13 +02:00 · 2018-08-03 12:06:13 +02:00 · 606761b3c7
parent eb1156b099 6ad9bb56a0
commit 606761b3c7
3 changed files with 46 additions and 6 deletions
--- a/8
+++ b/8
@ -64,6 +64,14 @@ ver. 0.10.4-dev-1 (20??/??/??) - development edition
 * `filter.d/dovecot.conf`: 
  - failregex enhancement to catch sql password mismatch errors (gh-2153);
  - disconnected with "proxy dest auth failed" (gh-2184);
 * `filter.d/freeswitch.conf`:
  - provide compatibility for log-format from gh-2193:
    * extended with new default date-pattern `^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)?` to cover
      `YYYY-mm-dd HH:MM::SS.ms` as well as `mm-dd HH:MM::SS.ms` (so year is optional);
    * more optional arguments in log-line (so accept [WARN] as well as [WARNING] and optional [SOFIA] hereafter);
  - extended with mode parameter, allows to avoid matching of messages like `auth challenge (REGISTER)`
    (see gh-2163) (currently `extra` as default to be backwards-compatible), see comments in filter
    how to set it to mode `normal`.
 * `action.d/hostsdeny.conf`: fix parameter in config (dynamic parameters stating with '_' are protected 
  and don't allowed in command-actions), see gh-2114;
 * decoding stability fix by wrong encoded characters like utf-8 surrogate pairs, etc (gh-2171):
--- a/config/filter.d/freeswitch.conf
+++ b/config/filter.d/freeswitch.conf
@ -18,17 +18,39 @@ before = common.conf
 _daemon = freeswitch
-# Prefix contains common prefix line (server, daemon, etc.) and 2 datetimes if used systemd backend
+# Parameter "mode": normal, ddos or extra (default, combines all)
-_pref_line = ^%(__prefix_line)s(?:\d+-\d+-\d+ \d+:\d+:\d+\.\d+)?
+# Usage example (for jail.local):
 #   [freeswitch]
 #   mode = normal
 #   # or with rewrite filter parameters of jail:
 #   [freeswitch-ddos]
 #   filter = freeswitch[mode=ddos]
 #
 mode = extra
-failregex = %(_pref_line)s \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$
+# Prefix contains common prefix line (server, daemon, etc.) and 2 datetimes if used systemd backend
-            %(_pref_line)s \[WARNING\] sofia_reg\.c:\d+ Can't find user \[[^@]+@[^\]]+\] from <HOST>$
+_pref_line = ^%(__prefix_line)s(?:(?:\d+-)?\d+-\d+ \d+:\d+:\d+\.\d+)?
 prefregex = ^%(_pref_line)s \[WARN(?:ING)?\](?: \[SOFIA\])? \[?sofia_reg\.c:\d+\]? <F-CONTENT>.+</F-CONTENT>$
 cmnfailre = ^Can't find user \[[^@]+@[^\]]+\] from <HOST>$
 mdre-normal = %(cmnfailre)s
              ^SIP auth failure \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$
 mdre-ddos   = ^SIP auth (?:failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$
 mdre-extra  = %(cmnfailre)s
              <mdre-ddos>
 failregex = <mdre-<mode>>
 ignoreregex =
-datepattern = {^LN-BEG}
+datepattern = ^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)?
              {^LN-BEG}
-# Author: Rupa SChomaker, soapee01, Daniel Black
+# Author: Rupa SChomaker, soapee01, Daniel Black, Sergey Brester aka sebres
 # https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban
 # Thanks to Jim on mailing list of samples and guidance
 #
--- a/fail2ban/tests/files/logs/freeswitch
+++ b/fail2ban/tests/files/logs/freeswitch
@ -1,5 +1,10 @@
 # filterOptions: [{}, {"mode": "ddos"}]
 # failJSON: { "time": "2013-12-31T17:39:54", "match": true, "host": "81.94.202.251" }
 2013-12-31 17:39:54.767815 [WARNING] sofia_reg.c:1533 SIP auth challenge (INVITE) on sofia profile 'internal' for [011448708752617@192.168.2.51] from ip 81.94.202.251
 # filterOptions: [{}, {"mode": "normal"}]
 # failJSON: { "time": "2013-12-31T17:39:54", "match": true, "host": "5.11.47.236" }
 2013-12-31 17:39:54.767815 [WARNING] sofia_reg.c:1478 SIP auth failure (INVITE) on sofia profile 'internal' for [000972543480510@192.168.2.51] from ip 5.11.47.236
 # failJSON: { "time": "2013-12-31T17:39:54", "match": false }
@ -14,3 +19,8 @@
 2016-09-25T18:57:58.150982 www.srv.tld freeswitch[122921]: 2016-09-25 18:57:58.150982 [WARNING] sofia_reg.c:2889 Can't find user [201@::1] from 192.0.2.1
 # failJSON: { "time": "2016-09-25T18:57:58", "match": true, "host": "192.0.2.2", "desc": "Systemd dual time with prefix - 2nd expr" }
 2016-09-25T18:57:58.150982 www.srv.tld freeswitch[122921]: 2016-09-25 18:57:58.150982 [WARNING] sofia_reg.c:1720 SIP auth failure (INVITE) on sofia profile 'sipinterface_1' for [9810972597751739@::1] from ip 192.0.2.2
 # failJSON: { "time": "2005-08-03T07:56:53", "match": true, "host": "192.0.2.3", "desc": "optional year in datepattern and bit different format (gh-2193)" }
 08-03 07:56:53.026292 [WARN] [SOFIA] [sofia_reg.c:4130] Can't find user [101@148.251.134.154] from 192.0.2.3
 # failJSON: { "time": "2005-08-03T08:10:21", "match": true, "host": "192.0.2.4", "desc": "optional year in datepattern and bit different format (gh-2193)" }
 08-03 08:10:21.026299 [WARN] [SOFIA] [sofia_reg.c:2248] SIP auth failure (INVITE) on sofia profile 'external' for [41801148436701961@148.251.134.154] from ip 192.0.2.4