From b288ccd6b656f724328d5eeb06539e1c0c958f5a Mon Sep 17 00:00:00 2001
From: girst
Date: Sun, 6 Jan 2019 18:44:21 +0100
Subject: [PATCH 1/2] new filter: znc-adminlog

---
 ChangeLog | 1 +
 config/filter.d/znc-adminlog.conf | 18 ++++++++++++++++++
 config/jail.conf | 7 +++++++
 fail2ban/tests/files/logs/znc-adminlog | 7 +++++++
 4 files changed, 33 insertions(+)
 create mode 100644 config/filter.d/znc-adminlog.conf
 create mode 100644 fail2ban/tests/files/logs/znc-adminlog

diff --git a/ChangeLog b/ChangeLog
index 1ae33fff..de462a71 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -85,6 +85,7 @@ filter = flt[logtype=short]
 * `filter.d/common.conf`: differentiate `__prefix_line` for file/journal logtype's (speedup and fix parsing of systemd-journal);
 * `filter.d/traefik-auth.conf`: used to ban hosts, that were failed through traefik
+* `filter.d/znc-adminlog.conf`: new filter for ZNC (IRC bouncer); requires the adminlog module to be loaded
 
 ### Enhancements
 * introduced new options: `dbmaxmatches` (fail2ban.conf) and `maxmatches` (jail.conf) to contol
diff --git a/config/filter.d/znc-adminlog.conf b/config/filter.d/znc-adminlog.conf
new file mode 100644
index 00000000..e2bad87b
--- /dev/null
+++ b/config/filter.d/znc-adminlog.conf
@@ -0,0 +1,18 @@
+# Fail2Ban filter for ZNC (requires adminlog module)
+#
+# to use this module, enable the adminlog module from within ZNC and point
+# logpath to its logfile (e.g. /var/lib/znc/moddata/adminlog/znc.log).
+
+[Definition]
+
+failregex = ^\[\] \[[^]]+\] failed to login from $
+
+ignoreregex =
+
+# DEV Notes:
+# Log format is: [] [] from
+# [2018-10-27 01:40:17] [girst] connected to ZNC from 1.2.3.4
+# [2018-10-27 01:40:21] [girst] disconnected from ZNC from 1.2.3.4
+# [2018-10-27 01:40:55] [girst] failed to login from 1.2.3.4
+#
+# Author: Tobias Girstmair (//gir.st/)
diff --git a/config/jail.conf b/config/jail.conf
index aabab430..dcb9a7fc 100644
--- a/config/jail.conf
+++ b/config/jail.conf
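Review bot: The header comment of the new filter (its first four lines) documents only the file target, yet `failregex` is anchored with `^\[` on the timestamp and would not match the same events if adminlog is, as I recall its target setting allows, sending them to syslog with a syslog prefix in front. Suggest stating the limitation in the header: `# Only adminlog's file target is supported; lines sent to syslog carry a prefix this regex does not expect.` A second point for the DEV Notes: the username class `[^]]+` stops at the first `]` and the line is anchored at `$`, so a login name chosen by the remote peer cannot push a fake address into the captured field, which deserves a one-line comment such as `# username cannot contain ], so it cannot be used to forge the trailing address`. The tokens inside the regex are not visible on this page, so the address capture itself is not checked here.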
@@ -734,6 +734,13 @@ logpath = /var/log/freeswitch.log
 maxretry = 10
+# enable adminlog; it will log to a file inside znc's directory by default.
+[znc-adminlog]
+
+port = 6667
+logpath = /var/lib/znc/moddata/adminlog/znc.log
+
+
 # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
 # equivalent section:
 # log-warnings = 2
diff --git a/fail2ban/tests/files/logs/znc-adminlog b/fail2ban/tests/files/logs/znc-adminlog
new file mode 100644
index 00000000..c4d1098d
--- /dev/null
+++ b/fail2ban/tests/files/logs/znc-adminlog
@@ -0,0 +1,7 @@
+# failJSON: { "time": "2018-10-27T01:40:55", "match": true , "host": "1.2.3.4" }
+[2018-10-27 01:40:55] [girst] failed to login from 1.2.3.4
+
+# failJSON: { "match": false }
+[2018-10-27 01:40:17] [girst] connected to ZNC from 1.2.3.4
+# failJSON: { "match": false }
+[2018-10-27 01:40:21] [girst] disconnected from ZNC from 1.2.3.4

From a7dc3614c428fb8dc8038f8d837942218991fea6 Mon Sep 17 00:00:00 2001
From: girst
Date: Wed, 12 Jun 2019 15:49:59 +0200
Subject: [PATCH 2/2] znc-adminlog: use `` instead of ``

---
 config/filter.d/znc-adminlog.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/filter.d/znc-adminlog.conf b/config/filter.d/znc-adminlog.conf
index e2bad87b..9ba2b434 100644
--- a/config/filter.d/znc-adminlog.conf
+++ b/config/filter.d/znc-adminlog.conf
@@ -5,12 +5,12 @@
 
 [Definition]
 
-failregex = ^\[\] \[[^]]+\] failed to login from $
+failregex = ^\[\] \[[^]]+\] failed to login from $
 
 ignoreregex =
 
 # DEV Notes:
-# Log format is: [] [] from
+# Log format is: [] [] from
 # [2018-10-27 01:40:17] [girst] connected to ZNC from 1.2.3.4
 # [2018-10-27 01:40:21] [girst] disconnected from ZNC from 1.2.3.4
 # [2018-10-27 01:40:55] [girst] failed to login from 1.2.3.4
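Review bot: `port = 6667` in the new `[znc-adminlog]` jail only covers the plaintext IRC default, while ZNC accepts logins on whatever listener port(s) its own configuration defines (a TLS listener on another port is common), so on such an instance the ban would leave the port the failed logins actually arrived on open. The value should be documented as something the operator must align with the listener, e.g. `# port must match the listener port(s) configured in ZNC; 6667 is only the plaintext IRC default`, and the same applies to `logpath`, which hard-codes `/var/lib/znc/moddata/adminlog/znc.log` although the comment above the section says the file lives inside ZNC's own directory, i.e. it depends on the data directory of the account ZNC runs under. The two added blank lines after `logpath` also appear to separate this jail from the following MySQL comment by more whitespace than `maxretry = 10` above it gets, though the surrounding layout is only partly visible here.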
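Review bot: The new fixture `fail2ban/tests/files/logs/znc-adminlog` has a single positive sample and all three lines use the same address and username, so neither an IPv6 peer nor an unusual login name is exercised. If ZNC writes IPv6 peers in the same plain `from <address>` form (not verified here), a constructed second positive sample, `# failJSON: { "time": "2018-10-27T01:41:02", "match": true , "host": "2001:db8::1" }` over `[2018-10-27 01:41:02] [girst] failed to login from 2001:db8::1`, would confirm the address capture. A constructed negative sample whose bracketed username carries the failure text, `[2018-10-27 01:42:00] [failed to login from 5.6.7.8] connected to ZNC from 1.2.3.4` with `# failJSON: { "match": false }`, would pin down that the username field cannot plant an address the filter bans, should ZNC ever accept such a name.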