ENH: add filter openwebmail. Closes gh-543.

ChangeLog

@@ -45,14 +45,14 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better
   - added ufw action. Thanks Guilhem Lettron. lp-#701522
   - exim-spam filter to match spamassassin log entry for option SAdevnull.
     Thanks Ivo Truxa. Closes gh-533
+  - Added filter.d/openwebmail filter thanks Ivo Truxa. Closes gh-543
 
 - New Features:
 
-  Daniel Black
+  - filter.d/solid-pop3d -- added thanks to Jacques Lav!gnotte on mailinglist.
-   * filter.d/solid-pop3d -- added thanks to Jacques Lav!gnotte on mailinglist.
+  - Add filter for apache-modsecurity
-   * Add filter for apache-modsecurity
+  - filter.d/nsd.conf -- also amended Unix date template to match nsd format
-  Bas van den Dikkenberg & Steven Hiscocks
+  - Added filter.d/openwebmail filter thanks Ivo Truxa. Closes gh-543
-   * filter.d/nsd.conf -- also amended Unix date template to match nsd format
 
 - Enhancements:
   - loglines now also report "[PID]" after the name portion

MANIFEST

@@ -63,6 +63,7 @@ testcases/files/logs/suhosin
 testcases/files/logs/mysqld-auth
 testcases/files/logs/named-refused
 testcases/files/logs/nginx-http-auth
+testcases/files/logs/openwebmail
 testcases/files/logs/pam-generic
 testcases/files/logs/postfix
 testcases/files/logs/proftpd
@@ -150,6 +151,7 @@ config/filter.d/exim.conf
 config/filter.d/gssftpd.conf
 config/filter.d/suhosin.conf
 config/filter.d/named-refused.conf
+config/filter.d/openwebmail.conf
 config/filter.d/postfix.conf
 config/filter.d/proftpd.conf
 config/filter.d/pure-ftpd.conf

config/filter.d/openwebmail.conf

@@ -0,0 +1,15 @@
+# Fail2Ban filter for Openwebmail
+# banning hosts with authentication errors in /var/log/openwebmail.log
+# OpenWebMail http://openwebmail.org
+#
+
+[Definition]
+
+failregex = ^ - \[\d+\] \(<HOST>\) .* login error .+$
+            ^ - \[\d+\] \(<HOST>\) .* doesn't exist$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# Author: Ivo Truxa (c) 2013 truXoft.com

config/jail.conf

@@ -285,6 +285,16 @@ action   = iptables-multiport[name=SOGo, port="http,https"]
 logpath  = /var/log/sogo/sogo.log
 
 
+[openwebmail]
+
+enabled  = false
+filter   = openwebmail
+logpath  = /var/log/openwebmail.log
+action   = ipfw
+           sendmail-whois[name=openwebmail, dest=you@example.com]
+maxretry = 5
+
+
 # Ban attackers that try to use PHP's URL-fopen() functionality
 # through GET/POST variables. - Experimental, with more than a year
 # of usage in production environments.

testcases/files/logs/openwebmail

@@ -0,0 +1,6 @@
+# failJSON: { "time": "2013-12-28T19:03:53", "match": true , "host": "178.123.108.196" }
+Sat Dec 28 19:03:53 2013 - [72926] (178.123.108.196) gsdfg - userinfo error - auth_unix.pl, ret -4, User gsdfg doesn't exist
+# failJSON: { "time": "2013-12-28T19:04:03", "match": true , "host": "178.123.108.196" }
+Sat Dec 28 19:04:03 2013 - [72926] (178.123.108.196) gsdfg - login error - no such user - loginname=gsdfg
+# failJSON: { "time": "2013-12-28T19:05:38", "match": true , "host": "178.123.108.196" }
+Sat Dec 28 19:05:38 2013 - [73540] (178.123.108.196) myname - login error - auth_unix.pl, ret -4, Password incorrect