Merge branch PR #193 ASSP SMTP Proxy support (with some manual squashing)

Origin: https://github.com/lenrico/fail2ban

Squashing was done via rebase -i 1524b076d6
to eliminate the massive assp sample log file originally added

  fixed test date thx to steven
  tight control of the filter for ASSP
  as yaroslav wishes
  as daniel desires
  changed from DateASSPlike class to DateStrptime
  fixed little things
  added new date format support for ASSP SMTP Proxy
pull/193/merge
Yaroslav Halchenko 2013-05-03 00:57:49 -04:00
commit 89adcd7ff7
9 changed files with 67 additions and 1 deletions

@ -7,7 +7,7 @@
Fail2Ban (version 0.8.9) 2013/04/XX Fail2Ban (version 0.8.9) 2013/04/XX
================================================================================ ================================================================================
ver. 0.8.9 (2013/04/XXX) - wanna-be-stable ver. 0.8.9 (2013/04/XX) - wanna-be-stable
---------- ----------
Although primarily a bugfix release, it incorporates many new Although primarily a bugfix release, it incorporates many new
@ -72,6 +72,8 @@ Borreli, blotus:
Soulard Morgan Soulard Morgan
* [f336d9f] Add filter for webmin. Closes gh-99. * [f336d9f] Add filter for webmin. Closes gh-99.
- Enhancements: - Enhancements:
Enrico Labedzki
* [1524b07] Added Datew format for ASSP SMTP Proxy.
Steven Hiscocks Steven Hiscocks
* [3d6791f] Ensure restart of Actions after a check fails occurs * [3d6791f] Ensure restart of Actions after a check fails occurs
consistently. Closes gh-172. consistently. Closes gh-172.
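Review bot: typo in the new ChangeLog entry under Enrico Labedzki: `* [1524b07] Added Datew format for ASSP SMTP Proxy.` should read `Added date format for ASSP SMTP Proxy.`. The `2013/04/XXX` to `2013/04/XX` correction in the version header is fine.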

THANKS

@ -16,6 +16,7 @@ Daniel B. Cid
Daniel Black Daniel Black
David Nutter David Nutter
Eric Gerbier Eric Gerbier
Enrico Labedzki
Guillaume Delvit Guillaume Delvit
Hanno 'Rince' Wagner Hanno 'Rince' Wagner
Iain Lea Iain Lea
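Review bot: THANKS is kept in alphabetical order and `Enrico Labedzki` sorts before `Eric Gerbier` ("En" < "Er"), so the new line belongs between `David Nutter` and `Eric Gerbier`, not after `Eric Gerbier`.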

TODO

@ -13,6 +13,8 @@ Legend:
# partially done # partially done
* done * done
- more detailed explaination in DEVELOP for new developers (eg. howto build this HEX numbers in ChangeLog)
- Run tests though all filters/examples files - (see sshd example file) as unit - Run tests though all filters/examples files - (see sshd example file) as unit
test test
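Review bot: spelling in the new TODO item: `explaination` should be `explanation`, `howto` should be `how to`, and `this HEX numbers` should be `these hex numbers` (the abbreviated commit hashes that prefix ChangeLog entries).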

config/filter.d/assp.conf (new file)

@ -0,0 +1,33 @@
# Fail2Ban configuration file
# for Anti-Spam SMTP Proxy Server also known as ASSP
# Honmepage: http://www.magicvillage.de/~Fritz_Borgstedt/assp/0003D91C-8000001C/
# ProjektSite: http://sourceforge.net/projects/assp/?source=directory
#
# Author: Enrico Labedzki (enrico.labedzki@deiwos.de)
#
[Definition]
# Option: failregex
# Notes.: regex to match the SMTP failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# Examples: Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
# Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
# Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded
__assp_actions = (dropping|refusing)
failregex = <HOST> max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: [a-zA-Z0-9]+;$
<HOST> SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$
Blocking <HOST> - too much AUTH errors \(\d{,3}\);$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
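Review bot: the third example in the header comment does not match the first failregex: the example stops at `max sender authentication errors (5) exceeded`, while the regex requires the line to continue with `-- (dropping|refusing) connection - after reply: ... Error: authentication failed: ...;` up to end of line. Either extend the example to the full form that appears in testcases/files/logs/assp, or relax the regex so the shorter form is accepted too. In the same regex, `\d{3} \d{1}\.\d{1}.\d{1}` leaves the second dot of the enhanced status code unescaped; it should be `\d{3} \d\.\d\.\d`. The trailing `[a-zA-Z0-9]+` is also too narrow: the sample token `UGFzc3dvcmQ6` is base64 (it decodes to `Password:`, the SASL LOGIN prompt), and base64 also uses `+`, `/` and `=` padding, so lines with such a token silently stop matching; `[A-Za-z0-9+/=]+` or simply `\S+` is safer. `\d{,3}` is accepted by Python's `re` but `\d{1,3}` reads more clearly. Minor: `Honmepage` should be `Homepage` and `ProjektSite` should be `Project site`.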

@ -89,6 +89,13 @@ action = iptables[name=sasl, port=smtp, protocol=tcp]
sendmail-whois[name=sasl, dest=you@example.com] sendmail-whois[name=sasl, dest=you@example.com]
logpath = /var/log/mail.log logpath = /var/log/mail.log
# ASSP SMTP Proxy Jail
[assp]
enabled = false
filter = assp
action = iptables-multiport[name=assp,port="25,465,587"]
logpath = /root/path/to/assp/logs/maillog.txt
# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser". # used to avoid banning the user "myuser".
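Review bot: `logpath = /root/path/to/assp/logs/maillog.txt` is a placeholder, not a real default. Every other jail in this file points at an existing system log such as `/var/log/mail.log`, and once someone sets `enabled = true` fail2ban will fail to start the jail because the file does not exist. Add a comment stating that the path must be adjusted to the ASSP installation directory (or use ASSP's default log location if it has one). The port list `25,465,587` (SMTP, SMTPS, submission) matches what the filter covers and is fine.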

@ -155,6 +155,12 @@ class DateDetector:
template.setRegex("^\d{2}\d{2}\d{2} +\d{1,2}:\d{2}:\d{2}") template.setRegex("^\d{2}\d{2}\d{2} +\d{1,2}:\d{2}:\d{2}")
template.setPattern("%y%m%d %H:%M:%S") template.setPattern("%y%m%d %H:%M:%S")
self._appendTemplate(template) self._appendTemplate(template)
# ASSP: Apr-27-13 02:33:06
template = DateStrptime()
template.setName("Month-Day-Year Hour:Minute:Second")
template.setRegex("^[a-zA-Z]{3}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
template.setPattern("%b-%d-%y %H:%M:%S")
self._appendTemplate(template)
finally: finally:
self.__lock.release() self.__lock.release()
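Review bot: `template.setPattern("%b-%d-%y %H:%M:%S")` depends on `%b`, which `time.strptime` parses according to the current locale, while the regex `^[a-zA-Z]{3}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}` only accepts ASCII month abbreviations; under a non-English locale a line can match the regex and then fail to parse. The neighbouring `%b` templates in DateDetector have the same limitation, so this is consistent, but a one-line comment would help the next reader. As with the surrounding lines, the regex is a plain string rather than `r"..."`; `"\d"` works only because Python leaves unknown escapes untouched, so a raw string would be the safer idiom when this file is next touched.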

@ -218,3 +218,4 @@ class DateISO8601(DateTemplate):
value = dateMatch.group() value = dateMatch.group()
date = list(iso8601.parse_date(value).timetuple()) date = list(iso8601.parse_date(value).timetuple())
return date return date
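Review bot: the only change to the DateISO8601 file in this hunk is a trailing blank line (header `-218,3 +218,4` with no visible `+` content), presumably left over from removing the `DateASSPlike` class mentioned in the commit message; drop it so the commit does not touch a file it no longer changes.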

@ -85,6 +85,7 @@ class DateDetectorTest(unittest.TestCase):
"2005-01-23T21:59:59-05:00Z", #ISO 8601 with TZ "2005-01-23T21:59:59-05:00Z", #ISO 8601 with TZ
"<01/23/05@21:59:59>", "<01/23/05@21:59:59>",
"050123 21:59:59", # MySQL "050123 21:59:59", # MySQL
"Jan-23-05 21:59:59", # ASSP like
): ):
log = sdate + "[sshd] error: PAM: Authentication failure" log = sdate + "[sshd] error: PAM: Authentication failure"
# exclude # exclude

testcases/files/logs/assp (new file)

@ -0,0 +1,13 @@
Apr-07-13 07:08:36 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
Apr-07-13 07:08:36 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
Apr-07-13 07:10:37 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
Apr-07-13 07:12:37 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
Apr-07-13 07:14:36 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
Apr-27-13 02:25:09 Blocking 217.194.197.97 - too much AUTH errors (8);
Apr-27-13 02:25:09 Blocking 217.194.197.97 - too much AUTH errors (9);
Apr-27-13 02:25:09 Blocking 217.194.197.97 - too much AUTH errors (10);
Apr-27-13 02:25:10 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6;
Apr-27-13 02:25:10 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6;
Apr-27-13 02:25:10 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6;
Apr-27-13 02:25:11 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6;
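Review bot: every line in this sample file is expected to match a failregex; add at least one ordinary ASSP log line that must not match, so the sample-log test also guards against an over-broad pattern. The five repeated `SSL negotiation with client failed` entries from `68.171.223.68` at two-minute intervals read like a real probe and are fine, but the four identical `max sender authentication errors (5) exceeded` lines at 02:25:10-11 add nothing beyond the first; one is enough for the test to exercise that regex. Note that `UGFzc3dvcmQ6` is just the base64 of `Password:`, the SASL LOGIN prompt echoed by ASSP, not a credential.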