Merge "Mac OS Screen Sharing filter" PR 1232

* pr/1232/head:
  removed system.log
  Removed old svn revision comment
  removed false matches
  Removed includes comment for screensharing jail
  Now using a literal logpath for screensharing jail
  Fixed blatant typo in regex
  clarified comments on sample log format
  Fixed name (again?)
  Made screensharing jail off by default
  Changed regex prequel
  added entry for new screensharingd filter
  name change & new sample data
  Added json metadata
  Sample log for test case
  Replaced .* with literal
  Update jail.conf
  Added new path variable for system.log
  Added in settings for screensharingd filter
  Created file

Conflicts:
	ChangeLog - moved to New Features
	config/jail.conf  - kept at the end

ChangeLog

@@ -48,6 +48,7 @@ ver. 0.9.4 (2015/XX/XXX) - wanna-be-released
      - murmur - bans TCP and UDP from the bad host on the default murmur port.
    * sshd filter got new failregex to match "maximum authentication
      attempts exceeded" (introduced in openssh 6.8)
+   * Added filter for Mac OS screen sharing (VNC) daemon
 
 - Enhancements:
    * Do not rotate empty log files

config/filter.d/screensharingd.conf

@@ -0,0 +1,31 @@
+# Fail2Ban configuration file
+#
+# Author: Simon Brown
+#
+# Filter for Mac OS X Screen Sharing service
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = screensharingd
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = ^%(__prefix_line)sAuthentication: FAILED :: User Name: .+ :: Viewer Address: <HOST> :: Type: DH$
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =

config/jail.conf

@@ -830,3 +830,12 @@ filter   = murmur
 action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
            %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
 logpath  = /var/log/mumble-server/mumble-server.log
+
+
+[screensharing]
+# For Mac OS Screen Sharing Service (VNC)
+enabled  = false
+filter   = screensharingd
+logpath  = /var/log/system.log
+logencoding=utf-8
+maxretry = 4

fail2ban/tests/files/logs/screensharingd

@@ -0,0 +1,12 @@
+# NOTE: dates here include years -- this is not the typical configuration for the system.log
+# file on Mac OS. However, without it the test routines will use 2004 as the year and matches will not pass.
+#
+# failJSON: { "match": false }
+Oct 27 2015 09:24:46 test1.beezwax.net screensharingd[1170]: Authentication: SUCCEEDED :: User Name: simon :: Viewer Address: 192.168.5.247 :: Type: DH
+#
+# failJSON: { "time": "2015-10-27T12:35:40", "match": true , "host": "192.168.5.247" }
+Oct 27 2015 12:35:40 test1.beezwax.net screensharingd[1170]: Authentication: FAILED :: User Name: sdfsdfs () mro :: Viewer Address: 192.168.5.247 :: Type: DH
+# failJSON: { "time": "2015-10-27T12:35:50", "match": true , "host": "192.168.5.247" }
+Oct 27 2015 12:35:50 test1.beezwax.net screensharingd[1170]: Authentication: FAILED :: User Name: brown_s :: :: Viewer Address: 192.168.5.247 :: Type: DH
+# failJSON: { "time": "2015-10-27T12:26:01", "match": true , "host": "192.168.5.247" }
+Oct 27 2015 12:26:01 test1.beezwax.net screensharingd[1170]: Authentication: FAILED :: User Name: brown @! s:: :: Viewer Address: 192.168.5.247 :: Type: DH