From d1fad22ac129260364c6dfc103497195a6c8984e Mon Sep 17 00:00:00 2001
From: sebres
Date: Mon, 2 Oct 2017 15:59:14 +0200
Subject: [PATCH 1/2] Avoid exact duplicates by addIgnoreIP (closes gh-1900)
---
 fail2ban/server/filter.py | 5 ++++-
 fail2ban/tests/servertestcase.py | 9 ++++-----
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/fail2ban/server/filter.py b/fail2ban/server/filter.py
index c4f29878..c309bbb2 100644
--- a/fail2ban/server/filter.py
+++ b/fail2ban/server/filter.py
@@ -458,7 +458,10 @@ class Filter(JailThread):
 return
 # Create IP address object
 ip = IPAddr(ipstr)
-
+ # Avoid exact duplicates
+ if ip in self.__ignoreIpList:
+ logSys.warn(" Ignore duplicate %r (%r), already in ignore list", ip, ipstr)
+ return
 # log and append to ignore list
 logSys.debug(" Add %r to ignore list (%r)", ip, ipstr)
 self.__ignoreIpList.append(ip)
diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py
index 0b888407..1d963d0c 100644
--- a/fail2ban/tests/servertestcase.py
+++ b/fail2ban/tests/servertestcase.py
@@ -441,17 +441,16 @@ class Transmitter(TransmitterBase):
 self.assertEqual(
 self.transm.proceed(["set", self.jailName, "addignoreip", value]),
 (0, [value]))
- # Will allow duplicate
- #NOTE: Should duplicates be allowed, or silent ignore like logpath?
+ # Duplicates ignored
 self.assertEqual(
 self.transm.proceed(["set", self.jailName, "addignoreip", value]),
- (0, [value, value]))
+ (0, [value]))
 self.assertEqual(
 self.transm.proceed(["get", self.jailName, "ignoreip"]),
- (0, [value, value]))
+ (0, [value]))
 self.assertEqual(
 self.transm.proceed(["set", self.jailName, "delignoreip", value]),
- (0, [value]))
+ (0, []))
 self.assertEqual(
 self.transm.proceed(["get", self.jailName, "ignoreself"]),
From ea36e1b3fc22f67b2faedb8cb57ae1b19d9f6e08 Mon Sep 17 00:00:00 2001
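Review bot: `logSys.warn(...)` on the added line is the deprecated alias of `Logger.warning` (deprecated since Python 3.3 and removed in 3.13), so the new duplicate check will raise AttributeError on current interpreters; use `logSys.warning(" Ignore duplicate %r (%r), already in ignore list", ip, ipstr)`, matching the stdlib name the `logSys.debug` line below already uses. The membership test `ip in self.__ignoreIpList` rejects only entries that compare equal under IPAddr's equality, however that is defined, so an existing entry whose range already covers `ip` is still appended; if that is intended, make the comment say so: `# Avoid exact duplicates (an existing range that already covers ip is not detected)`. addIgnoreIP's body begins before this hunk.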
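Review bot: `# Duplicates ignored` on the replaced comment line no longer records the decision the removed NOTE asked about — the server now drops a repeated `addignoreip` with a logged warning rather than an error — and the final `delignoreip` assertion returning `(0, [])` is the only hint that a single delete now clears the entry; a comment such as `# Duplicates are dropped server-side (warning logged, reply unchanged), so one delignoreip empties the list` would make the contract explicit. Only the same textual `value` is re-added, so the test does not show whether a differently spelled form of the same address counts as a duplicate; that depends on IPAddr equality, which is outside this hunk. The enclosing test method begins before and continues after this hunk.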
From: sebres
Date: Wed, 4 Oct 2017 09:49:35 +0200
Subject: [PATCH 2/2] filter.d/dovecot.conf: fixed failregex to recognize pam_authenticate failures with "Permission denied" (gh-1897)
---
 ChangeLog | 4 +++-
 config/filter.d/dovecot.conf | 2 +-
 fail2ban/tests/files/logs/dovecot | 3 +++
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 1c4620d3..fce432ed 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -27,7 +27,9 @@ releases.
 - Rewritten without end-anchor ($), because of potential vulnerability on very long URLs.
 * filter.d/apache-badbots.conf - extended to recognize Jorgee Vulnerability Scanner (gh-1882)
 * filter.d/asterisk.conf - fixed failregex AMI Asterisk authentification failed (see gh-1302)
-* filter.d/dovecot.conf - fixed failregex, see gh-1879 (partially cherry-picked from gh-1880)
+* filter.d/dovecot.conf:
+ - fixed failregex, see gh-1879 (partially cherry-picked from gh-1880)
+ - extended to match pam_authenticate failures with "Permission denied" (gh-1897)
 * filter.d/exim.conf - fixed failregex for case of flood attempts with `D=0s` (gh-1887)
 * filter.d/postfix-*.conf - added optional port regex (gh-1902)
diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf
index cf217bcb..9497c601 100644
--- a/config/filter.d/dovecot.conf
+++ b/config/filter.d/dovecot.conf
@@ -14,7 +14,7 @@ __prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam
 failregex = ^%(__prefregex)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(?:\s+user=\S*)?\s*$
 ^%(__prefregex)s(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=(?:[^>]*(?:, session=<\S+>)?)\s*$
- ^%(__prefregex)spam\(\S+,\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
+ ^%(__prefregex)spam\(\S+,(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$
 ^%(__prefregex)s[a-z\-]{3,15}\(\S*,(?:,\S*)?\): (?:unknown user|invalid credentials)\s*$
 ignoreregex = 
diff --git a/fail2ban/tests/files/logs/dovecot b/fail2ban/tests/files/logs/dovecot
index f564b76e..f15a0de4 100644
--- a/fail2ban/tests/files/logs/dovecot
+++ b/fail2ban/tests/files/logs/dovecot
@@ -43,6 +43,9 @@ Jan 29 05:13:50 mail dovecot: auth: passwd-file(username,1.2.3.4): unknown user
 # failJSON: { "time": "2005-01-29T13:54:06", "match": true , "host": "192.0.2.5" }
 Jan 29 13:54:06 auth-worker(22401): Info: sql(admin@example.de,192.0.2.5,): unknown user
+# failJSON: { "time": "2005-01-29T14:38:51", "match": true , "host": "192.0.2.6", "desc": "PAM Permission denied (gh-1897)" }
+Jan 29 14:38:51 example.com dovecot[24941]: auth-worker(30165): pam(user@example.com,192.0.2.6,): pam_authenticate() failed: Permission denied
+
 # failJSON: { "time": "2005-04-19T05:22:20", "match": true , "host": "80.255.3.104" }
 Apr 19 05:22:20 vm5 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=informix rhost=80.255.3.104
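Review bot: The added `|Permission denied` alternative on the new failregex line matches pam_authenticate()'s generic denial text, which in practice also appears when the PAM stack cannot complete at all (for instance the auth worker lacking the privilege a module needs) rather than only when a password is wrong, so under such a misconfiguration every legitimate login would count as a failure and trusted clients would be banned alongside attackers. The line is still anchored with `\s*$`, and the new optional `(?:,\S*)?` after the host mirrors the `[a-z\-]{3,15}` pattern below it, which is consistent. Since a failregex continuation line cannot carry a comment, the caveat belongs in the filter's header comments, e.g. `# "Permission denied" is PAM's generic denial and is also logged when the PAM stack itself fails; keep trusted hosts in ignoreip`.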
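Review bot: The only sample added for the new regex, `pam(user@example.com,192.0.2.6,)`, leaves the new optional `(?:,\S*)?` group matching just the bare comma, so the case it was presumably introduced for — a non-empty field after the host — has no regression sample; a second failJSON line carrying such a trailing field would pin it. There is also no negative sample of a "Permission denied" line that must not match, so the line anchoring is only tested indirectly.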