From 7f38b80d351cc51cd3273ad93cd1939a4b1abe1e Mon Sep 17 00:00:00 2001 From: sebres Date: Sat, 3 Apr 2021 20:16:47 +0200 Subject: [PATCH] precise regex (left anchor and fewer catch-all's); fixed tests (added failJSON and more tests for some corner-cases around new RE) --- config/filter.d/mssql-auth.conf | 2 +- fail2ban/tests/files/logs/mssql-auth | 14 +++++++++++--- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/config/filter.d/mssql-auth.conf b/config/filter.d/mssql-auth.conf index a1813c83..65bbd917 100644 --- a/config/filter.d/mssql-auth.conf +++ b/config/filter.d/mssql-auth.conf @@ -2,7 +2,7 @@ [Definition] -failregex = Logon\s+Login failed for user ('.*')(.*)\[CLIENT: \]$ +failregex = ^\s*Logon\s+Login failed for user '(?:[^']*|.*)'\. [^'\[]+\[CLIENT: \]$ # DEV Notes: diff --git a/fail2ban/tests/files/logs/mssql-auth b/fail2ban/tests/files/logs/mssql-auth index 5a97f53e..1c9b65ec 100644 --- a/fail2ban/tests/files/logs/mssql-auth +++ b/fail2ban/tests/files/logs/mssql-auth 
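Review bot: The reason segment `[^'\[]+` in the new `failregex` refuses any entry whose text between the quoted login name and `[CLIENT:` contains `'` or `[`. As far as I know SQL Server also logs failure reasons that quote an object name (a database that could not be opened, for instance), and those failed logins would then stop being counted, which is a detection gap if it is not intended. I would state the intent next to the pattern, e.g. `# the reason part is restricted to [^'\[]+ (no catch-all); entries whose reason contains ' or [ are not matched`, and pin the decision with a fixture line in the test log. The host tag inside `[CLIENT: \]` is not visible in this rendering, so the address capture itself cannot be checked here, and the DEV Notes comment block continues past the end of the hunk.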
@@ -1,3 +1,11 @@
-2020-02-24 16:05:21.00 Logon Login failed for user 'Backend'. Reason: Could not find a login matching the name provided. [CLIENT: 212.96.131.253]
-2020-02-24 16:30:25.88 Logon Login failed for user '===)jf02hüas9ä##22f'. Reason: Could not find a login matching the name provided. [CLIENT: 148.86.203.199]
-2020-02-24 16:31:12.20 Logon Login failed for user ''. Reason: An attempt to login using SQL authentication failed. Server is configured for Integrated authentication only. [CLIENT: 105.254.136.171]
\ No newline at end of file
+# failJSON: { "time": "2020-02-24T16:05:21", "match": true , "host": "192.0.2.1" }
+2020-02-24 16:05:21.00 Logon Login failed for user 'Backend'. Reason: Could not find a login matching the name provided. [CLIENT: 192.0.2.1]
+# failJSON: { "time": "2020-02-24T16:30:25", "match": true , "host": "192.0.2.2" }
+2020-02-24 16:30:25.88 Logon Login failed for user '===)jf02hüas9ä##22f'. Reason: Could not find a login matching the name provided. [CLIENT: 192.0.2.2]
+# failJSON: { "time": "2020-02-24T16:31:12", "match": true , "host": "192.0.2.3" }
+2020-02-24 16:31:12.20 Logon Login failed for user ''. Reason: An attempt to login using SQL authentication failed. Server is configured for Integrated authentication only. [CLIENT: 192.0.2.3]
+
+# failJSON: { "time": "2020-02-24T16:31:26", "match": true , "host": "192.0.2.4", "user":"O'Leary" }
+2020-02-24 16:31:26.01 Logon Login failed for user 'O'Leary'. Reason: Could not find a login matching the name provided. [CLIENT: 192.0.2.4]
+# failJSON: { "time": "2020-02-24T16:31:26", "match": false, "desc": "test injection in possibly unescaped foreign input" }
+2020-02-24 16:31:26.02 Wrong data received: Logon Login failed for user 'test'. Reason: Could not find a login matching the name provided. [CLIENT: 192.0.2.5]
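Review bot: The fixtures never exercise the `.*` fallback with hostile content: the only login name containing a quote is `O'Leary`, and the single negative case puts the foreign text before `Logon`, which tests the left anchor alone. A case is missing where the quoted login name itself carries a `'. ` sequence and a bracketed CLIENT field, asserting that the reported host is still the one in the last `[CLIENT: ...]` of the line. I would add it with an expectation such as `# failJSON: { "time": "2020-02-24T16:31:26", "match": true , "host": "192.0.2.6", "desc": "address embedded in login name must be ignored" }` (address constructed for the example), followed by the matching log line. The first three entries could also assert `"user"` the way the `O'Leary` case does.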