github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #545 from grooverdan/openwebmail 

ENH: add filter openwebmail. Closes gh-543.
pull/550/head
Steven Hiscocks 2013-12-30 15:15:05 -08:00
parent 934058cc06 e8710b679d
commit 71869dd6e1
5 changed files with 38 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
ChangeLog
View File

@ -45,14 +45,14 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better
- added ufw action. Thanks Guilhem Lettron. lp-#701522
- exim-spam filter to match spamassassin log entry for option SAdevnull.
Thanks Ivo Truxa. Closes gh-533
- Added filter.d/openwebmail filter thanks Ivo Truxa. Closes gh-543
- New Features:
Daniel Black
* filter.d/solid-pop3d -- added thanks to Jacques Lav!gnotte on mailinglist.
* Add filter for apache-modsecurity
Bas van den Dikkenberg & Steven Hiscocks
* filter.d/nsd.conf -- also amended Unix date template to match nsd format
- filter.d/solid-pop3d -- added thanks to Jacques Lav!gnotte on mailinglist.
- Add filter for apache-modsecurity
- filter.d/nsd.conf -- also amended Unix date template to match nsd format
- Added filter.d/openwebmail filter thanks Ivo Truxa. Closes gh-543
- Enhancements:
- loglines now also report "[PID]" after the name portion

2
MANIFEST
View File

@ -63,6 +63,7 @@ testcases/files/logs/suhosin
testcases/files/logs/mysqld-auth
testcases/files/logs/named-refused
testcases/files/logs/nginx-http-auth
testcases/files/logs/openwebmail
testcases/files/logs/pam-generic
testcases/files/logs/postfix
testcases/files/logs/proftpd
@ -150,6 +151,7 @@ config/filter.d/exim.conf
config/filter.d/gssftpd.conf
config/filter.d/suhosin.conf
config/filter.d/named-refused.conf
config/filter.d/openwebmail.conf
config/filter.d/postfix.conf
config/filter.d/proftpd.conf
config/filter.d/pure-ftpd.conf

15
config/filter.d/openwebmail.conf Normal file
View File

@ -0,0 +1,15 @@
# Fail2Ban filter for Openwebmail
# banning hosts with authentication errors in /var/log/openwebmail.log
# OpenWebMail http://openwebmail.org
#
[Definition]
failregex = ^ - \[\d+\] \(<HOST>\) (?P<USER>\S+) - login error - (no such user - loginname=(?P=USER)|auth_unix.pl, ret -4, Password incorrect)$
^ - \[\d+\] \(<HOST>\) (?P<USER>\S+) - userinfo error - auth_unix.pl, ret -4, User (?P=USER) doesn't exist$
ignoreregex =
# DEV Notes:
#
# Author: Ivo Truxa (c) 2013 truXoft.com

10
config/jail.conf
View File

@ -285,6 +285,16 @@ action = iptables-multiport[name=SOGo, port="http,https"]
logpath = /var/log/sogo/sogo.log
[openwebmail]
enabled = false
filter = openwebmail
logpath = /var/log/openwebmail.log
action = ipfw
sendmail-whois[name=openwebmail, dest=you@example.com]
maxretry = 5
# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.

6
testcases/files/logs/openwebmail Normal file
View File

@ -0,0 +1,6 @@
# failJSON: { "time": "2013-12-28T19:03:53", "match": true , "host": "178.123.108.196" }
Sat Dec 28 19:03:53 2013 - [72926] (178.123.108.196) gsdfg - userinfo error - auth_unix.pl, ret -4, User gsdfg doesn't exist
# failJSON: { "time": "2013-12-28T19:04:03", "match": true , "host": "178.123.108.196" }
Sat Dec 28 19:04:03 2013 - [72926] (178.123.108.196) gsdfg - login error - no such user - loginname=gsdfg
# failJSON: { "time": "2013-12-28T19:05:38", "match": true , "host": "178.123.108.196" }
Sat Dec 28 19:05:38 2013 - [73540] (178.123.108.196) myname - login error - auth_unix.pl, ret -4, Password incorrect