Merge pull request #4068 from billfor/xarf

fix `dig` to filter out warnings and prevent them from being injected as emails
2025-09-15 17:23:32 +02:00 · 2025-09-15 17:23:32 +02:00 · 6c47bf6461
parent 9534bdac37 4539e6719c
commit 6c47bf6461
2 changed files with 13 additions and 8 deletions
--- a/1
+++ b/1
@ -36,6 +36,7 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
  - postfix backend switched to `systemd` (gh-3527)
 * `action.d/firewallcmd-ipset.conf`:
  - rename `ipsettype` to `ipsetbackend` (gh-2620), parameter `ipsettype` will be used now to the real set type (gh-3760)
+* `action.d/xarf-login-attack.conf` - ignore errors or warnings in output of `dig` provided as comment (gh-4068)
 * `filter.d/apache-noscript.conf` - consider new log-format with "AH02811: stderr from /..." (gh-3900)
 * `filter.d/apache-overflows.conf` - consider AH10244: invalid URI path (gh-3778, gh-3900)
 * `filter.d/asterisk.conf` - fixed RE for "no matching endpoint" with retry info (like `after X tries in Y ms`) at end, 
--- a/config/action.d/xarf-login-attack.conf
+++ b/config/action.d/xarf-login-attack.conf
@ -44,7 +44,13 @@ actioncheck =
 actionban = oifs=${IFS};
            RESOLVER_ADDR="%(addr_resolver)s"
            if [ "<debug>" -gt 0 ]; then echo "try to resolve $RESOLVER_ADDR"; fi
-            ADDRESSES=$(dig +short -t txt -q $RESOLVER_ADDR | tr -d '"')
+            ADDRESSES=$(dig +short -t txt -q $RESOLVER_ADDR | grep -v ';;' | tr -d '"')
+            if [ "<debug>" -gt 0 ]; then echo "returned address $ADDRESSES"; fi
+            if [ -z "$ADDRESSES" ]; then
+               echo "address for $RESOLVER_ADDR cannot be found or timeout from dig";
+               if [ "<debug>" -gt 0 ]; then exit 1; fi
+               exit 0
+            fi
            IFS=,; ADDRESSES=$(echo $ADDRESSES)
            IFS=${oifs}
            IP=<ip>
@ -55,13 +61,11 @@ actionban = oifs=${IFS};
            TLP=<tlp>
            PORT=<port>
            DATE=`LC_ALL=C date --date=@<time> +"%%a, %%d %%h %%Y %%T %%z"`
-            if [ ! -z "$ADDRESSES" ]; then
-                oifs=${IFS}; IFS=,; ADDRESSES=$(echo $ADDRESSES)
-                IFS=${oifs}
-                (printf -- %%b "<header>\n<message>\n<report>\n\n";
-                 date '+Note: Local timezone is %%z (%%Z)';
-                 printf -- %%b "\n<ipmatches>\n\n<footer>") | <mailcmd> <mailargs> $ADDRESSES
-            fi
+            oifs=${IFS}; IFS=,; ADDRESSES=$(echo $ADDRESSES)
+            IFS=${oifs}
+            (printf -- %%b "<header>\n<message>\n<report>\n\n";
+             date '+Note: Local timezone is %%z (%%Z)';
+             printf -- %%b "\n<ipmatches>\n\n<footer>") | <mailcmd> <mailargs> $ADDRESSES

 actionunban =