Merge pull request #590 from grooverdan/kerio

Kerio filter for #120 also fix fail2ban-regex for datepattern
11 years ago · 77aab8d97a
parent 703d337a39 97c7d391a4
commit 77aab8d97a
6 changed files with 56 additions and 0 deletions
--- a/2
+++ b/2
@ -56,6 +56,8 @@ configuration before relying on it.
     according to the XARF standard (v0.2). Close gh-105
   * Support PyPy
   * Add filter for apache-botsearch
+   * Add filter for kerio. Thanks Tony Lawrence for blog of regexs and
+     providing samples. Close gh-120
   * Filter for stunnel
   * Filter for Counter Strike 1.6. Thanks to onorua for logs.
     Close gh-347
--- a/2
+++ b/2
@ -122,6 +122,7 @@ fail2ban/tests/files/logs/freeswitch
 fail2ban/tests/files/logs/groupoffice
 fail2ban/tests/files/logs/gssftpd
 fail2ban/tests/files/logs/guacamole
+fail2ban/tests/files/logs/kerio
 fail2ban/tests/files/logs/lighttpd-auth
 fail2ban/tests/files/logs/mysqld-auth
 fail2ban/tests/files/logs/nsd
@ -182,6 +183,7 @@ config/filter.d/courier-smtp.conf
 config/filter.d/cyrus-imap.conf
 config/filter.d/exim.conf
 config/filter.d/gssftpd.conf
+config/filter.d/kerio.conf
 config/filter.d/suhosin.conf
 config/filter.d/named-refused.conf
 config/filter.d/openwebmail.conf
--- a/1
+++ b/1
@ -84,6 +84,7 @@ Steven Hiscocks
 TESTOVIK
 Tom Pike
 Tomas Pihl
+Tony Lawrence
 Tyler
 Vaclav Misek
 Vincent Deffontaines
--- a/config/filter.d/kerio.conf
+++ b/config/filter.d/kerio.conf
@ -0,0 +1,17 @@
+# Fail2ban filter for kerio
+
+[Definition]
+
+failregex = ^ SMTP Spam attack detected from <HOST>,
+            ^ IP address <HOST> found in DNS blacklist \S+, mail from \S+ to \S+$
+            ^ Relay attempt from IP address <HOST>
+            ^ Attempt to deliver to unknown recipient \S+, from \S+, IP address <HOST>$
+[Init]
+
+datepattern = ^[%%d/%%b/%%Y %%H:%%M:%%S]
+
+# DEV NOTES:
+# 
+# Author: A.P. Lawrence
+#
+# Based off: http://aplawrence.com/Kerio/fail2ban.html
--- a/config/jail.conf
+++ b/config/jail.conf
@ -614,6 +614,11 @@ port   = smtp,465,submission
 logpath = /var/log/exim/mainlog


+[kerio]
+port    = imap,smtp,imaps,465
+logpath = /opt/kerio/mailserver/store/logs/security.log
+
+
 #
 # Mail servers authenticators: might be used for smtp,ftp,imap servers, so
 # all relevant ports get banned
--- a/fail2ban/tests/files/logs/kerio
+++ b/fail2ban/tests/files/logs/kerio
@ -0,0 +1,29 @@
+# failJSON: { "time": "2011-06-17T17:00:45", "match": true, "host": "200.90.149.178" }
+[17/Jun/2011 17:00:45] Attempt to deliver to unknown recipient <advertise@aplawrence.com>, from <bekytnabvnvyx@aapug.org>, IP address 200.90.149.178
+
+# failJSON: { "time": "2014-01-18T06:41:25", "match": true, "host": "202.169.236.195" }
+[18/Jan/2014 06:41:25] SMTP Spam attack detected from 202.169.236.195, client closed connection before SMTP greeting
+
+# failJSON: { "time": "2014-01-18T06:42:12", "match": true, "host": "115.147.104.13" }
+[18/Jan/2014 06:42:12] SMTP Spam attack detected from 115.147.104.13, client sent data before SMTP greeting
+
+# failJSON: { "time": "2014-01-18T05:47:17", "match": true, "host": "112.140.49.130" }
+[18/Jan/2014 05:47:17] IP address 112.140.49.130 found in DNS blacklist UCEProtect1, mail from <infootransac@yahoo.com.hk> to <advertise@aplawrence.com>
+
+# failJSON: { "time": "2014-01-18T06:39:44", "match": true, "host": "91.232.105.66" }
+[18/Jan/2014 06:39:44] IP address 91.232.105.66 found in DNS blacklist BarracudaCentral, mail from <postmaster@ponetn.us> to <advertise@aplawrence.com>
+
+# failJSON: { "time": "2013-12-30T05:27:59", "match": true, "host": "64.31.59.75" }
+[30/Dec/2013 05:27:59] Relay attempt from IP address 64.31.59.75, mail from <smtp2001soho@yahoo.com> to <reply-abuse@bol.com.br> rejected
+
+# failJSON: { "time": "2013-12-30T19:24:28", "match": true, "host": "74.63.193.116" }
+[30/Dec/2013 19:24:28] Relay attempt from IP address 74.63.193.116, mail from <smtp2001soho@yahoo.com> to <reply-abuse@bol.com.br> rejected
+
+# failJSON: { "time": "2013-12-13T00:22:45", "match": true, "host": "23.108.148.156" }
+[13/Dec/2013 00:22:45] Attempt to deliver to unknown recipient <suzanne@aplawrence.com>, from <info@kaimingjx.com>, IP address 23.108.148.156
+
+# failJSON: { "time": "2013-12-13T01:11:04", "match": true, "host": "218.85.253.185" }
+[13/Dec/2013 01:11:04] Attempt to deliver to unknown recipient <marge@aplawrence.com>, from <yu@rrd.com>, IP address 218.85.253.185
+
+
+