From 856407379bce4898a5c8f291fa43f1f3499638d7 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Tue, 31 Dec 2013 08:09:00 +1100
Subject: [PATCH] ENH: add filter openwebmail. Closes gh-543.
---
 ChangeLog | 10 +++++-----
 MANIFEST | 2 ++
 config/filter.d/openwebmail.conf | 15 +++++++++++++++
 config/jail.conf | 10 ++++++++++
 testcases/files/logs/openwebmail | 6 ++++++
 5 files changed, 38 insertions(+), 5 deletions(-)
 create mode 100644 config/filter.d/openwebmail.conf
 create mode 100644 testcases/files/logs/openwebmail
diff --git a/ChangeLog b/ChangeLog
index 70361a53..c092037a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -45,14 +45,14 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better - added ufw action. Thanks Guilhem Lettron. lp-#701522 - exim-spam filter to match spamassassin log entry for option SAdevnull. Thanks Ivo Truxa. Closes gh-533 + - Added filter.d/openwebmail filter thanks Ivo Truxa. Closes gh-543 - New Features: - Daniel Black - * filter.d/solid-pop3d -- added thanks to Jacques Lav!gnotte on mailinglist. - * Add filter for apache-modsecurity - Bas van den Dikkenberg & Steven Hiscocks - * filter.d/nsd.conf -- also amended Unix date template to match nsd format + - filter.d/solid-pop3d -- added thanks to Jacques Lav!gnotte on mailinglist. + - Add filter for apache-modsecurity + - filter.d/nsd.conf -- also amended Unix date template to match nsd format + - Added filter.d/openwebmail filter thanks Ivo Truxa. Closes gh-543 - Enhancements: - loglines now also report "[PID]" after the name portion
diff --git a/MANIFEST b/MANIFEST
index 83cab61e..a8195b54 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -63,6 +63,7 @@ testcases/files/logs/suhosin
 testcases/files/logs/mysqld-auth
 testcases/files/logs/named-refused
 testcases/files/logs/nginx-http-auth
+testcases/files/logs/openwebmail
 testcases/files/logs/pam-generic
 testcases/files/logs/postfix
 testcases/files/logs/proftpd
@@ -150,6 +151,7 @@ config/filter.d/exim.conf
 config/filter.d/gssftpd.conf
 config/filter.d/suhosin.conf
 config/filter.d/named-refused.conf
+config/filter.d/openwebmail.conf
 config/filter.d/postfix.conf
 config/filter.d/proftpd.conf
 config/filter.d/pure-ftpd.conf
diff --git a/config/filter.d/openwebmail.conf b/config/filter.d/openwebmail.conf
new file mode 100644
index 00000000..00cdc87e
--- /dev/null
+++ b/config/filter.d/openwebmail.conf
@@ -0,0 +1,15 @@
+# Fail2Ban filter for Openwebmail
+# banning hosts with authentication errors in /var/log/openwebmail.log
+# OpenWebMail http://openwebmail.org
+#
+
+[Definition]
+
+failregex = ^ - \[\d+\] \(\) .* login error .+$
+ ^ - \[\d+\] \(\) .* doesn't exist$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# Author: Ivo Truxa (c) 2013 truXoft.com
diff --git a/config/jail.conf b/config/jail.conf
index 8104f464..e9441416 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -285,6 +285,16 @@ action = iptables-multiport[name=SOGo, port="http,https"]
 logpath = /var/log/sogo/sogo.log
 
 
+[openwebmail]
+
+enabled = false
+filter = openwebmail
+logpath = /var/log/openwebmail.log
+action = ipfw
+ sendmail-whois[name=openwebmail, dest=you@example.com]
+maxretry = 5
+
+
 # Ban attackers that try to use PHP's URL-fopen() functionality
 # through GET/POST variables. - Experimental, with more than a year
 # of usage in production environments.
diff --git a/testcases/files/logs/openwebmail b/testcases/files/logs/openwebmail
new file mode 100644
index 00000000..8c2ded65
--- /dev/null
+++ b/testcases/files/logs/openwebmail
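Review bot: As rendered here both failregex lines in openwebmail.conf capture no address — each has an empty group `\(\)` where the client address sits in the sample lines (e.g. `(178.123.108.196)`), so fail2ban would have nothing to ban and the testcases' failJSON `"host"` expectations could not be met. This is very likely the `<HOST>` placeholder being eaten by rendering, but it is worth confirming the committed file reads `failregex = ^ - \[\d+\] \(<HOST>\) .* login error .+$` and `^ - \[\d+\] \(<HOST>\) .* doesn't exist$`. The DEV Notes block records only authorship; documenting the expected line shape, e.g. `# Log line format (after the leading date is stripped): " - [<pid>] (<client ip>) <user> - <message>"`, would tell the next maintainer what the `\[\d+\]` and `.*` parts stand for.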
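Review bot: The new `[openwebmail]` jail in jail.conf bans with `action = ipfw`, while the `[sogo]` jail directly above it (visible in the hunk's context) uses `iptables-multiport`; unless this entry is meant as a FreeBSD example, on a Linux host the ipfw action cannot be applied and the jail would likely error when enabled and started. For consistency with its neighbour I would use `action = iptables-multiport[name=openwebmail, port="http,https"]` and keep the `sendmail-whois[...]` line as the second action. The `logpath` does agree with the path named in the filter's header comment, which is good.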
@@ -0,0 +1,6 @@
+# failJSON: { "time": "2013-12-28T19:03:53", "match": true , "host": "178.123.108.196" }
+Sat Dec 28 19:03:53 2013 - [72926] (178.123.108.196) gsdfg - userinfo error - auth_unix.pl, ret -4, User gsdfg doesn't exist
+# failJSON: { "time": "2013-12-28T19:04:03", "match": true , "host": "178.123.108.196" }
+Sat Dec 28 19:04:03 2013 - [72926] (178.123.108.196) gsdfg - login error - no such user - loginname=gsdfg
+# failJSON: { "time": "2013-12-28T19:05:38", "match": true , "host": "178.123.108.196" }
+Sat Dec 28 19:05:38 2013 - [73540] (178.123.108.196) myname - login error - auth_unix.pl, ret -4, Password incorrect
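Review bot: The sample log for the new filter holds only positive samples (every failJSON entry is `"match": true`), so nothing guards against the `.*` in both failregex lines matching more than intended. A line in the same format for a normal, successful login, preceded by `# failJSON: { "match": false }`, would catch a pattern that starts banning ordinary traffic; I cannot infer that line's exact wording from this diff, so it would have to come from a real openwebmail.log. The three positive samples do cover both patterns and both "login error" variants, which is adequate for the matching side.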