ENH: add filter openwebmail. Closes gh-543.

11 years ago · 856407379b
5 changed files with 38 additions and 5 deletions
--- a/10
+++ b/10
@ -45,14 +45,14 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better
  - added ufw action. Thanks Guilhem Lettron. lp-#701522
  - exim-spam filter to match spamassassin log entry for option SAdevnull.
    Thanks Ivo Truxa. Closes gh-533
+  - Added filter.d/openwebmail filter thanks Ivo Truxa. Closes gh-543

 - New Features:

-  Daniel Black
-   * filter.d/solid-pop3d -- added thanks to Jacques Lav!gnotte on mailinglist.
-   * Add filter for apache-modsecurity
-  Bas van den Dikkenberg & Steven Hiscocks
-   * filter.d/nsd.conf -- also amended Unix date template to match nsd format
+  - filter.d/solid-pop3d -- added thanks to Jacques Lav!gnotte on mailinglist.
+  - Add filter for apache-modsecurity
+  - filter.d/nsd.conf -- also amended Unix date template to match nsd format
+  - Added filter.d/openwebmail filter thanks Ivo Truxa. Closes gh-543

 - Enhancements:
  - loglines now also report "[PID]" after the name portion
--- a/2
+++ b/2
@ -63,6 +63,7 @@ testcases/files/logs/suhosin
 testcases/files/logs/mysqld-auth
 testcases/files/logs/named-refused
 testcases/files/logs/nginx-http-auth
+testcases/files/logs/openwebmail
 testcases/files/logs/pam-generic
 testcases/files/logs/postfix
 testcases/files/logs/proftpd
@ -150,6 +151,7 @@ config/filter.d/exim.conf
 config/filter.d/gssftpd.conf
 config/filter.d/suhosin.conf
 config/filter.d/named-refused.conf
+config/filter.d/openwebmail.conf
 config/filter.d/postfix.conf
 config/filter.d/proftpd.conf
 config/filter.d/pure-ftpd.conf
--- a/config/filter.d/openwebmail.conf
+++ b/config/filter.d/openwebmail.conf
@ -0,0 +1,15 @@
+# Fail2Ban filter for Openwebmail
+# banning hosts with authentication errors in /var/log/openwebmail.log
+# OpenWebMail http://openwebmail.org
+#
+
+[Definition]
+
+failregex = ^ - \[\d+\] \(<HOST>\) .* login error .+$
+            ^ - \[\d+\] \(<HOST>\) .* doesn't exist$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# Author: Ivo Truxa (c) 2013 truXoft.com
--- a/config/jail.conf
+++ b/config/jail.conf
@ -285,6 +285,16 @@ action   = iptables-multiport[name=SOGo, port="http,https"]
 logpath  = /var/log/sogo/sogo.log


+[openwebmail]
+
+enabled  = false
+filter   = openwebmail
+logpath  = /var/log/openwebmail.log
+action   = ipfw
+           sendmail-whois[name=openwebmail, dest=you@example.com]
+maxretry = 5
+
+
 # Ban attackers that try to use PHP's URL-fopen() functionality
 # through GET/POST variables. - Experimental, with more than a year
 # of usage in production environments.
--- a/testcases/files/logs/openwebmail
+++ b/testcases/files/logs/openwebmail
@ -0,0 +1,6 @@
+# failJSON: { "time": "2013-12-28T19:03:53", "match": true , "host": "178.123.108.196" }
+Sat Dec 28 19:03:53 2013 - [72926] (178.123.108.196) gsdfg - userinfo error - auth_unix.pl, ret -4, User gsdfg doesn't exist
+# failJSON: { "time": "2013-12-28T19:04:03", "match": true , "host": "178.123.108.196" }
+Sat Dec 28 19:04:03 2013 - [72926] (178.123.108.196) gsdfg - login error - no such user - loginname=gsdfg
+# failJSON: { "time": "2013-12-28T19:05:38", "match": true , "host": "178.123.108.196" }
+Sat Dec 28 19:05:38 2013 - [73540] (178.123.108.196) myname - login error - auth_unix.pl, ret -4, Password incorrect