From ef903db3c97d56948edfee1bcf7a02c89ee1a093 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Sun, 25 Aug 2013 22:44:30 +1000 Subject: [PATCH 1/4] ENH: filter.d/named-refused.conf - BIND 9.9.3 regex changes. Closes gh-333 --- ChangeLog | 1 + config/filter.d/named-refused.conf | 4 ++-- testcases/files/logs/named-refused | 4 ++++ 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8fe5f763..b40b1bc6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -53,6 +53,7 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий * filter.d/exim.conf -- regex hardening and extra failure examples in sample logs + * filter.d/named-refused.conf - BIND 9.9.3 regex changes Daniel Black & Sebastian Arcus * filter.d/asterisk -- more regexes Yaroslav Halchenko diff --git a/config/filter.d/named-refused.conf b/config/filter.d/named-refused.conf index e30afee7..00c721e3 100644 --- a/config/filter.d/named-refused.conf +++ b/config/filter.d/named-refused.conf @@ -25,8 +25,8 @@ __line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)? # Notes.: regex to match the password failures messages in the logfile. # Values: TEXT # -failregex = %(__line_prefix)sclient #\S+: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$ - %(__line_prefix)sclient #\S+: zone transfer '\S+/AXFR/\w+' denied\s*$ +failregex = %(__line_prefix)sclient #\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$ + %(__line_prefix)sclient #\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff --git a/testcases/files/logs/named-refused b/testcases/files/logs/named-refused index 04b0e34f..82765876 100644 --- a/testcases/files/logs/named-refused +++ b/testcases/files/logs/named-refused @@ -14,4 +14,8 @@ Jul 24 14:23:36 raid5 named[3935]: client 62.109.4.89#9334: view external: query 11-Aug-2013 03:36:11.372 error: client 1.2.3.4#52115: zone transfer 'domain.com/AXFR/IN' denied # failJSON: { "time": "2004-08-17T08:20:22", "match": true , "host": "223.252.23.219" } Aug 17 08:20:22 catinthehat named[2954]: client 223.252.23.219#56275: zone transfer 'openquery.eu/AXFR/IN' denied +# https://github.com/fail2ban/fail2ban/issues/333 +# BIND9 ver: BIND 9.9.3-rpz2+rl.13208.13-P2-RedHat-9.9.3-4.P2.el6 (Extended Support Version) +# failJSON: { "time": "2013-08-23T10:32:56", "match": true , "host": "82.207.95.42" } +23-Aug-2013 10:32:56.621 client 82.207.95.42#40278 (redginseng.com.ua): query (cache) 'redginseng.com.ua/A/IN' denied From a401d1164430c237b728582780c1160e63485737 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Wed, 28 Aug 2013 00:53:08 +1000 Subject: [PATCH 2/4] ENH: add regex for bad zone transfer request/ TST: add test for bind-9.9 zone transfer denied --- config/filter.d/named-refused.conf | 1 + testcases/files/logs/named-refused | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/config/filter.d/named-refused.conf b/config/filter.d/named-refused.conf index 00c721e3..21afb07d 100644 --- a/config/filter.d/named-refused.conf +++ b/config/filter.d/named-refused.conf @@ -27,6 +27,7 @@ __line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)? # failregex = %(__line_prefix)sclient #\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$ %(__line_prefix)sclient #\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$ + %(__line_prefix)sclient #\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff --git a/testcases/files/logs/named-refused b/testcases/files/logs/named-refused index 82765876..8a539ee9 100644 --- a/testcases/files/logs/named-refused +++ b/testcases/files/logs/named-refused @@ -19,3 +19,7 @@ Aug 17 08:20:22 catinthehat named[2954]: client 223.252.23.219#56275: zone trans # failJSON: { "time": "2013-08-23T10:32:56", "match": true , "host": "82.207.95.42" } 23-Aug-2013 10:32:56.621 client 82.207.95.42#40278 (redginseng.com.ua): query (cache) 'redginseng.com.ua/A/IN' denied +# failJSON: { "time": "2013-08-27T17:49:45", "match": true , "host": "59.167.242.100" } +27-Aug-2013 17:49:45.330 client 59.167.242.100#44281 (watt.kiev.ua): zone transfer 'watt.kiev.ua/AXFR/IN' denied +# failJSON: { "time": "2013-08-27T16:58:31", "match": true , "host": "176.9.92.38" } +Aug 27 16:58:31 vhost1-ua named[29206]: client 176.9.92.38#42592 (simmarket.com.ua): bad zone transfer request: 'simmarket.com.ua/IN': non-authoritative zone (NOTAUTH) From cbed57bffd4aedd9fa1aba0ac6098aaba22bff2c Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Wed, 28 Aug 2013 08:52:56 +1000 Subject: [PATCH 3/4] TST: fix year in named-bind test case --- testcases/files/logs/named-refused | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testcases/files/logs/named-refused b/testcases/files/logs/named-refused index 8a539ee9..7414a1b3 100644 --- a/testcases/files/logs/named-refused +++ b/testcases/files/logs/named-refused @@ -21,5 +21,5 @@ Aug 17 08:20:22 catinthehat named[2954]: client 223.252.23.219#56275: zone trans # failJSON: { "time": "2013-08-27T17:49:45", "match": true , "host": "59.167.242.100" } 27-Aug-2013 17:49:45.330 client 59.167.242.100#44281 (watt.kiev.ua): zone transfer 'watt.kiev.ua/AXFR/IN' denied -# failJSON: { "time": "2013-08-27T16:58:31", "match": true , "host": "176.9.92.38" } +# failJSON: { "time": "2004-08-27T16:58:31", "match": true , "host": "176.9.92.38" } Aug 27 16:58:31 vhost1-ua named[29206]: client 176.9.92.38#42592 (simmarket.com.ua): bad zone transfer request: 'simmarket.com.ua/IN': non-authoritative zone (NOTAUTH) From 15f2f3897259ed23c7fd1da1f94807c405fa9c18 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Wed, 28 Aug 2013 12:32:40 +1000 Subject: [PATCH 4/4] ENH: anchor regex at start --- config/filter.d/named-refused.conf | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/config/filter.d/named-refused.conf b/config/filter.d/named-refused.conf index 21afb07d..1b6f4d4d 100644 --- a/config/filter.d/named-refused.conf +++ b/config/filter.d/named-refused.conf @@ -21,16 +21,11 @@ __daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re) # this can be optional (for instance if we match named native log files) __line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)? -# Option: failregex -# Notes.: regex to match the password failures messages in the logfile. -# Values: TEXT -# -failregex = %(__line_prefix)sclient #\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$ - %(__line_prefix)sclient #\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$ - %(__line_prefix)sclient #\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$ -# Option: ignoreregex -# Notes.: regex to ignore. If this regex matches, the line is ignored. -# Values: TEXT +# note - (\.\d+)? is a really ugly catch of the microseconds not captured in +# in the date detector # -ignoreregex = +failregex = ^%(__line_prefix)s(\.\d+)?( error:)?\s*client #\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$ + ^%(__line_prefix)s(\.\d+)?( error:)?\s*client #\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$ + ^%(__line_prefix)s(\.\d+)?( error:)?\s*client #\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$ +