Merge pull request #576 from kwirk/ejabberd-filter

ENH: ejabberd filter

ChangeLog

@@ -52,6 +52,7 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better
     Closes gh-566
   - Added to sshd filter expression for "Received disconnect from <HOST>: 3:
     ...: Auth fail". Thanks Marcel Dopita. Closes gh-289
+  - Added filter.d/ejabberd-auth
 
 - New Features:
 

config/filter.d/ejabberd-auth.conf

@@ -0,0 +1,19 @@
+# Fail2Ban configuration file
+#
+# Author: Steven Hiscocks
+#
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+#          Multiline regexs should use tag "<SKIPLINES>" to separate lines.
+#          This allows lines between the matching lines to continue to be
+#          searched for other failures. This tag can be used multiple times.
+# Values:  TEXT
+#
+failregex = ^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:wait_for_feature_request:\d+ \([^\)]+\) Failed authentication for \S+ from IP <HOST>$

testcases/files/logs/ejabberd-auth

@@ -0,0 +1,2 @@
+# failJSON: { "time": "2014-01-07T18:09:08", "match": true , "host": "1.2.3.4" }
+2014-01-07 18:09:08.512 [info] <0.22741.1>@ejabberd_c2s:wait_for_feature_request:662 ({socket_state,p1_tls,{tlssock,#Port<0.24718>,#Port<0.24720>},<0.22740.1>}) Failed authentication for test@example.com from IP 1.2.3.4