Merge branch PR #193 ASSP SMTP Proxy support (with some manual squashing)

Origin: https://github.com/lenrico/fail2ban

Squashing was done via rebase -i 1524b076d6
to eliminate massive assp sample log file originally added

  fixed test date thx to steven
  tight control of the filter for ASSP
  as yaroslav wishes
  as daniel desires
  changed from DateASSPlike class to DateStrptime
  fixed little things
  added new date format support for ASSP SMTP Proxy

ChangeLog

@@ -7,7 +7,7 @@
 Fail2Ban (version 0.8.9)                                              2013/04/XX
 ================================================================================
 
-ver. 0.8.9 (2013/04/XXX) - wanna-be-stable
+ver. 0.8.9 (2013/04/XX) - wanna-be-stable
 ----------
 
 Although primarily a bugfix release, it incorporates many new
@@ -72,6 +72,8 @@ Borreli, blotus:
   Soulard Morgan
    * [f336d9f] Add filter for webmin. Closes gh-99.
 - Enhancements:
+  Enrico Labedzki
+   * [1524b07] Added Datew format for ASSP SMTP Proxy.
   Steven Hiscocks
    * [3d6791f] Ensure restart of Actions after a check fails occurs
      consistently. Closes gh-172.

THANKS

@@ -16,6 +16,7 @@ Daniel B. Cid
 Daniel Black
 David Nutter
 Eric Gerbier
+Enrico Labedzki
 Guillaume Delvit
 Hanno 'Rince' Wagner
 Iain Lea

TODO

@@ -13,6 +13,8 @@ Legend:
 # partially done
 * done
 
+- more detailed explaination in DEVELOP for new developers (eg. howto build this HEX numbers in ChangeLog)
+
 - Run tests though all filters/examples files - (see sshd example file) as unit
   test
 

config/filter.d/assp.conf

@@ -0,0 +1,33 @@
+# Fail2Ban configuration file
+# for Anti-Spam SMTP Proxy Server also known as ASSP
+#    Honmepage:   http://www.magicvillage.de/~Fritz_Borgstedt/assp/0003D91C-8000001C/
+#    ProjektSite: http://sourceforge.net/projects/assp/?source=directory
+#
+# Author: Enrico Labedzki (enrico.labedzki@deiwos.de)
+#
+
+[Definition] 
+
+# Option:  failregex
+# Notes.:  regex to match the SMTP failure messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>\S+)
+# Values:  TEXT
+#
+# Examples: Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
+#           Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
+#           Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded 
+__assp_actions = (dropping|refusing)
+
+failregex = <HOST> max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: [a-zA-Z0-9]+;$
+			<HOST> SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$
+			Blocking <HOST> - too much AUTH errors \(\d{,3}\);$
+
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 
+

config/jail.conf

@@ -89,6 +89,13 @@ action   = iptables[name=sasl, port=smtp, protocol=tcp]
            sendmail-whois[name=sasl, dest=you@example.com]
 logpath  = /var/log/mail.log
 
+# ASSP SMTP Proxy Jail
+[assp]
+enabled  = false
+filter   = assp
+action = iptables-multiport[name=assp,port="25,465,587"]
+logpath  = /root/path/to/assp/logs/maillog.txt
+
 # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
 # used to avoid banning the user "myuser".
 

server/datedetector.py

@@ -155,6 +155,12 @@ class DateDetector:
 			template.setRegex("^\d{2}\d{2}\d{2} +\d{1,2}:\d{2}:\d{2}")
 			template.setPattern("%y%m%d %H:%M:%S")
 			self._appendTemplate(template)
+			# ASSP: Apr-27-13 02:33:06
+			template = DateStrptime()
+			template.setName("Month-Day-Year Hour:Minute:Second")
+			template.setRegex("^[a-zA-Z]{3}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
+			template.setPattern("%b-%d-%y %H:%M:%S")
+			self._appendTemplate(template)
 		finally:
 			self.__lock.release()
 	

server/datetemplate.py

@@ -218,3 +218,4 @@ class DateISO8601(DateTemplate):
 			value = dateMatch.group()
 			date = list(iso8601.parse_date(value).timetuple())
 		return date
+

testcases/datedetectortestcase.py

@@ -85,6 +85,7 @@ class DateDetectorTest(unittest.TestCase):
 			"2005-01-23T21:59:59-05:00Z", #ISO 8601 with TZ
 			"<01/23/05@21:59:59>",
 			"050123 21:59:59", # MySQL
+			"Jan-23-05 21:59:59", # ASSP like
 			):
 			log = sdate + "[sshd] error: PAM: Authentication failure"
 			# exclude

testcases/files/logs/assp

@@ -0,0 +1,13 @@
+Apr-07-13 07:08:36 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
+Apr-07-13 07:08:36 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
+Apr-07-13 07:10:37 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
+Apr-07-13 07:12:37 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
+Apr-07-13 07:14:36 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
+Apr-27-13 02:25:09 Blocking 217.194.197.97 - too much AUTH errors (8);
+Apr-27-13 02:25:09 Blocking 217.194.197.97 - too much AUTH errors (9);
+Apr-27-13 02:25:09 Blocking 217.194.197.97 - too much AUTH errors (10);
+Apr-27-13 02:25:10 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6;
+Apr-27-13 02:25:10 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6;
+Apr-27-13 02:25:10 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6;
+Apr-27-13 02:25:11 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6;
+