From 666fd5eceb769dd121194a4c2ff8054379a751d7 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Sun, 2 Mar 2014 16:11:53 +1100
Subject: [PATCH 1/2] ENH: purge excessive jail variations
---
 config/common-paths.conf | 1 +
 config/fedora-paths.conf | 1 +
 config/jail.conf | 185 +++------------------------------------
 3 files changed, 14 insertions(+), 173 deletions(-)
diff --git a/config/common-paths.conf b/config/common-paths.conf
index 6a6c71ad..64eec744 100644
--- a/config/common-paths.conf
+++ b/config/common-paths.conf
@@ -54,3 +54,4 @@ dovecot_log = %(syslog_mail_warn)s
 # Seems to be set at compile time only to LOG_LOCAL0 (src/const.h) at Notice level
 solidpop3d_log = %(syslog_local0)s
+mysql_log = %(syslog_daemon)s
diff --git a/config/fedora-paths.conf b/config/fedora-paths.conf
index cad2c106..5a6032d5 100644
--- a/config/fedora-paths.conf
+++ b/config/fedora-paths.conf
@@ -32,3 +32,4 @@ apache_access_log = /var/log/httpd/*access_log
 # proftpd_log = /var/log/proftpd/auth.log
 # Tested and it worked out in /var/log/messages so assuming syslog_ftp for now.
+mysql_log = /var/lib/mysql/mysqld.log
diff --git a/config/jail.conf b/config/jail.conf
index fb064a0e..c1c68b8b 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -222,102 +222,6 @@ logpath = %(auditd_log)s
 maxretry = 5
-# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
-# used to avoid banning the user "myuser".
-[ssh-tcpwrapper]
-
-filter = sshd
-action = hostsdeny[daemon_list=sshd]
- sendmail-whois[name=SSH, dest=you@example.com]
-ignoreregex = for myuser from
-logpath = %(sshd_log)s
-
-
-# Here we use blackhole routes for not requiring any additional kernel support
-# to store large volumes of banned IPs
-
-[sshd-route]
-
-filter = sshd
-action = route
-logpath = %(sshd_log)s
-
-
-# Here we use a combination of Netfilter/Iptables and IPsets
-# for storing large volumes of banned IPs
-#
-# IPset comes in two versions. See ipset -V for which one to use
-# requires the ipset package and kernel support.
-[sshd-iptables-ipset4]
-
-filter = sshd
-action = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
-logpath = %(sshd_log)s
-
-
-[sshd-iptables-ipset6]
-
-filter = sshd
-action = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
-logpath = %(sshd_log)s
-
-
-[sshd-apf]
-
-filter = sshd
-action = apf[name=SSH]
-logpath = %(sshd_log)s
-maxretry = 5
-
-
-# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
-# option is overridden in this jail. Moreover, the action "mail-whois" defines
-# the variable "name" which contains a comma using "". The characters '' are
-# valid too.
-[sshd-ipfw]
-
-filter = sshd
-action = ipfw[localhost=192.168.0.1]
- sendmail-whois[name="SSH,IPFW", dest=you@example.com]
-logpath = %(sshd_log)s
-
-
-# bsd-ipfw is ipfw used by BSD. It uses ipfw tables.
-# table number must be unique.
-#
-# This will create a deny rule for that table ONLY if a rule
-# for the table doesn't ready exist.
-#
-[sshd-bsd-ipfw]
-
-filter = sshd
-action = bsd-ipfw[port=ssh,table=1]
-logpath = %(sshd_log)s
-
-
-[sshd-pf]
-# PF is a BSD based firewall
-filter = sshd
-action = pf
-logpath = %(sshd_log)s
-maxretry= 5
-
-
-# ipfw for osx (less capabilities that BSD)
-[osx-sshd-ipfw]
-
-filter = sshd
-action = osx-ipfw
-logpath = %(sshd_log)s
-
-
-[osx-sshd-afctl]
-
-filter = sshd
-action = osx-afctl[bantime=600]
-logpath = %(sshd_log)s
-maxretry = 5
-
 #
 # HTTP servers
 #
@@ -518,26 +422,6 @@ port = ftp,ftp-data,ftps,ftps-data
 logpath = %(vsftpd_log)s
-# Do not ban anybody. Just report information about the remote host.
-# A notification is sent at most every 600 seconds (bantime).
-[vsftpd-notification]
-
-filter = vsftpd
-action = sendmail-whois[name=VSFTPD, dest=you@example.com]
-logpath = %(vsftpd_log)s
-maxretry = 5
-bantime = 1800
-
-
-# Same as above but with banning the IP address.
-[vsftpd-iptables]
-
-filter = vsftpd
-port = ftp,ftp-data,ftps,ftps-data
-logpath = %(syslog_ftp)s
-maxretry = 5
-bantime = 1800
-
 #
 # Mail servers
 #
@@ -580,33 +464,10 @@ port = smtp,465,submission
 logpath = /service/qmail/log/main/current
-# The hosts.deny path can be defined with the "file" argument if it is
-# not in /etc.
-[postfix-tcpwrapper]
-
-filter = postfix
-action = hostsdeny[file=/not/a/standard/path/hosts.deny]
- sendmail[name=Postfix, dest=you@example.com]
-logpath = %(postfix_log)s
-bantime = 300
-
-
-[sendmail-spam]
-
-logpath = %(syslog_mail_warn)s
-
-
 # dovecot defaults to logging to the mail syslog facility
 # but can be set by syslog_facility in the dovecot configuration.
 [dovecot]
-port = pop3,pop3s,imap,imaps,submission,465,sieve
-logpath = %(syslog_mail_warn)s
-
-
-[dovecot-auth]
-
-filter = dovecot
 port = pop3,pop3s,imap,imaps,submission,465,sieve
 logpath = %(dovecot_log)s
@@ -628,12 +489,15 @@ logpath = %(solidpop3d_log)s
 port = smtp,465,submission
 logpath = /var/log/exim/mainlog
+
 [exim-spam]
+
 port = smtp,465,submission
 logpath = /var/log/exim/mainlog
 [kerio]
+
 port = imap,smtp,imaps,465
 logpath = /opt/kerio/mailserver/store/logs/security.log
@@ -746,46 +610,21 @@ logpath = /var/log/freeswitch.log
 maxretry = 10
-# Historical support (before https://github.com/fail2ban/fail2ban/issues/37 was fixed )
-# use [asterisk] for new jails
-[asterisk-tcp]
-
-filter = asterisk
-port = 5060,5061
-logpath = /var/log/asterisk/messages
-maxretry = 10
-
-
-# Historical support (before https://github.com/fail2ban/fail2ban/issues/37 was fixed )
-# use [asterisk] for new jails
-[asterisk-udp]
-
-filter = asterisk
-port = 5060,5061
-protocol = udp
-logpath = /var/log/asterisk/messages
-maxretry = 10
-
-
 # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
 # equivalent section:
-# log-error=/var/log/mysqld.log
 # log-warning = 2
+#
+# for syslog (daemon facility)
+# [mysqld_safe]
+# syslog
+#
+# for own logfile
+# [mysqld]
+# log-error=/var/log/mysqld.log
 [mysqld-auth]
 port = 3306
-logpath = /var/log/mysqld.log
-maxretry = 5
-
-
-# This requires my.cnf to contain (check the mysql version supports this)
-# [mysqld_safe]
-# syslog
-[mysqld-syslog]
-
-port = 3306
-filter = mysqld-auth
-logpath = %(syslog_daemon)s
+logpath = %(mysql_log)s
 maxretry = 5
From 50d938e0bf12ef981ceb7860c99f5c30ba304d4d Mon Sep 17 00:00:00 2001
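Review bot: The rewritten `[mysqld-auth]` comment tells users to enable an own logfile with `log-error=/var/log/mysqld.log`, but nothing in this series points `mysql_log` at that path: `common-paths.conf` defaults it to `%(syslog_daemon)s` and `fedora-paths.conf` sets `/var/lib/mysql/mysqld.log`, so a user who follows the comment literally gets a jail watching a log MySQL no longer writes to and failed logins are never counted. The `syslog` alternative has the same dependency in reverse: it only lines up with the jail if the distribution paths file has not overridden `mysql_log`. Either make the example path match the `fedora-paths.conf` value or add a line after the `log-error` hint such as `# and set mysql_log in jail.local (or your paths-*.conf) to the same path`, so the comment and the variable cannot drift apart. The whitespace-only changes to `[exim-spam]` and `[kerio]` in the previous hunk are fine.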
From: Daniel Black
Date: Sun, 2 Mar 2014 16:28:23 +1100
Subject: [PATCH 2/2] MRG: merge filter sendmail-spam into sendmail-reject
---
 config/filter.d/sendmail-reject.conf | 20 +++++++++++++--
 config/filter.d/sendmail-spam.conf | 30 -----------------------
 fail2ban/tests/files/logs/sendmail-reject | 19 ++++++++++++++
 fail2ban/tests/files/logs/sendmail-spam | 19 --------------
 4 files changed, 37 insertions(+), 51 deletions(-)
 delete mode 100644 config/filter.d/sendmail-spam.conf
 delete mode 100644 fail2ban/tests/files/logs/sendmail-spam
diff --git a/config/filter.d/sendmail-reject.conf b/config/filter.d/sendmail-reject.conf
index 3a897316..93b8343c 100644
--- a/config/filter.d/sendmail-reject.conf
+++ b/config/filter.d/sendmail-reject.conf
@@ -19,16 +19,32 @@ before = common.conf
 [Definition]
-_daemon = (?:sm-(mta|acceptingconnections))
+_daemon = (?:(sm-(mta|acceptingconnections)|sendmail))
 failregex = ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=(?P<\S+@\S+>), relay=(\S+ )?\[\]( \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\])|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$
 ^%(__prefix_line)sruleset=check_relay, arg1=(?P\S+), arg2=, relay=((?P=dom) )?\[(\d+\.){3}\d+\]( \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
 ^%(__prefix_line)s\w{14}: rejecting commands from (\S+ )?\[\] due to pre-greeting traffic after \d+ seconds$
 ^%(__prefix_line)s\w{14}: (\S+ )?\[\]: ((?i)expn|vrfy) \S+ \[rejected\]$
+ ^(?P<__prefix>%(__prefix_line)s\w+: )<[^@]+@[^>]+>\.\.\. No such user here(?P=__prefix)from=<[^@]+@[^>]+>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[\]$
 ignoreregex =
-# DEV Notes:
+
+[Init]
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 10
+
+# DEV NOTES:
+#
+# Regarding the last multiline regex:
+#
+# There can be a nunber of non-related lines between the first and second part
+# of this regex maxlines of 10 is quite generious. Only one of the
+# "No such user" lines needs to be matched before the line with the HOST.
+#
+# Note the capture __prefix, includes both the __prefix_lines (which includes
+# the sendmail PID), but also the \w+ which the the sendmail assigned mail ID.
 #
 # Author: Daniel Black and Fabian Wenk
diff --git a/config/filter.d/sendmail-spam.conf b/config/filter.d/sendmail-spam.conf
deleted file mode 100644
index c1477700..00000000
--- a/config/filter.d/sendmail-spam.conf
+++ /dev/null
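Review bot: The new `_daemon` value wraps the whole alternation in an extra capturing group that nothing back-references, `(?:(sm-(mta|acceptingconnections)|sendmail))`; `_daemon = (?:sm-(?:mta|acceptingconnections)|sendmail)` accepts the same daemon names without adding unnamed groups to a filter that already relies on named captures (`__prefix`, `email`). The added DEV NOTES comment also carries three typos worth fixing while the text is new: `nunber` → `number`, `generious` → `generous`, `the the` → `the`. Its opening line, "Regarding the last multiline regex:", will silently become wrong once another failregex entry is appended after it; referring to the entry by its `No such user here` text would stay accurate. Since `maxlines = 10` now applies to every regex in the merged file rather than only to the former sendmail-spam filter, a one-line comment saying that the buffering is only needed for the `No such user here` entry would help the next person tuning it.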
@@ -1,30 +0,0 @@
-# Fail2ban filter for sendmail spam
-#
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# common.local
-before = common.conf
-
-[Definition]
-
-_daemon = sendmail
-
-failregex = ^(?P<__prefix>%(__prefix_line)s\w+: )<[^@]+@[^>]+>\.\.\. No such user here(?P=__prefix)from=<[^@]+@[^>]+>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[\]$
-
-[Init]
-
-# "maxlines" is number of log lines to buffer for multi-line regex searches
-maxlines = 10
-
-# DEV NOTES:
-#
-# There can be a nunber of non-related lines between the first and second part
-# of this regex maxlines of 10 is quite generious. Only one of the
-# "No such user" lines needs to be matched before the line with the HOST.
-#
-# Note the capture __prefix, includes both the __prefix_lines (which includes
-# the sendmail PID), but also the \w+ which the the sendmail assigned mail ID.
-#
-# Author: Daniel Black
diff --git a/fail2ban/tests/files/logs/sendmail-reject b/fail2ban/tests/files/logs/sendmail-reject
index b7d37e5a..b326cf43 100644
--- a/fail2ban/tests/files/logs/sendmail-reject
+++ b/fail2ban/tests/files/logs/sendmail-reject
@@ -65,3 +65,22 @@ Feb 13 01:16:50 batman sm-mta[25815]: s1D0GoSs025815: [217.193.142.180]: vrfy in
 # failJSON: { "time": "2005-02-22T14:02:44", "match": true , "host": "24.73.201.194" }
 Feb 22 14:02:44 batman sm-mta[4030]: s1MD2hsd004030: rrcs-24-73-201-194.se.biz.rr.com [24.73.201.194]: VRFY root [rejected]
+
+# failJSON: { "match": false }
+Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
+# failJSON: { "match": false }
+Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
+# failJSON: { "match": false }
+Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
+# failJSON: { "match": false }
+Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
+# failJSON: { "match": false }
+Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
+# failJSON: { "time": "2004-11-03T11:35:30", "match": true , "host": "95.32.23.163" }
+Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: from=, size=0, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=163.23.32.95.dsl-dynamic.vsi.ru [95.32.23.163]
+
+# failJSON: { "match": false }
+Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
+# Different mail ID shouldn't match
+# failJSON: { "match": false }
+Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026255: from=, size=0, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=163.23.32.95.dsl-dynamic.vsi.ru [95.32.23.163]
diff --git a/fail2ban/tests/files/logs/sendmail-spam b/fail2ban/tests/files/logs/sendmail-spam
deleted file mode 100644
index c2669207..00000000
--- a/fail2ban/tests/files/logs/sendmail-spam
+++ /dev/null
@@ -1,19 +0,0 @@
-
-# failJSON: { "match": false }
-Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
-# failJSON: { "match": false }
-Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
-# failJSON: { "match": false }
-Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
-# failJSON: { "match": false }
-Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
-# failJSON: { "match": false }
-Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
-# failJSON: { "time": "2004-11-03T11:35:30", "match": true , "host": "95.32.23.163" }
-Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: from=, size=0, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=163.23.32.95.dsl-dynamic.vsi.ru [95.32.23.163]
-
-# failJSON: { "match": false }
-Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
-# Different mail ID shouldn't match
-# failJSON: { "match": false }
-Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026255: from=, size=0, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=163.23.32.95.dsl-dynamic.vsi.ru [95.32.23.163]