mirror of https://github.com/fail2ban/fail2ban
* enh/oracle_msg_server: ENH: make oracleims failregex better anchored (more explicit) Update oracleims.conf to be 'less greedy' Update THANKS Update jail.conf for oracleims filter. Create test for oracleims filter Create oracleims.conf in filter.d for new filterpull/740/head
commit
93d5c363ca
@ -0,0 +1,61 @@
|
||||
# Fail2Ban configuration file
|
||||
# for Oracle IMS with XML logging
|
||||
#
|
||||
# Author: Joel Snyder/jms@opus1.com/2014-June-01
|
||||
#
|
||||
#
|
||||
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
# Read common prefixes.
|
||||
# If any customizations available -- read them from
|
||||
# common.local
|
||||
before = common.conf
|
||||
|
||||
|
||||
[Definition]
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match the password failures messages
|
||||
# in the logfile. The host must be matched by a
|
||||
# group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is
|
||||
# only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
#
|
||||
# CONFIGURATION REQUIREMENTS FOR ORACLE IMS v6 and ABOVE:
|
||||
#
|
||||
# In OPTION.DAT you must have LOG_FORMAT=4 and
|
||||
# bit 5 of LOG_CONNECTION must be set.
|
||||
#
|
||||
# Many of these sub-fields are optional and can be turned on and off
|
||||
# by the system manager. We need the "tr" field
|
||||
# (transport information (present if bit 5 of LOG_CONNECTION is
|
||||
# set and transport information is available)).
|
||||
# "di" should be there by default if you have LOG_FORMAT=4.
|
||||
# Do not use "mi" as this is not included by default.
|
||||
#
|
||||
# Typical line IF YOU ARE USING TAGGING ! ! ! is:
|
||||
# <co ts="2014-06-02T09:45:50.29" pi="123f.3f8.4397"
|
||||
# sc="tcp_local" dr="+" ac="U"
|
||||
# tr="TCP|192.245.12.223|25|151.1.71.144|59762" ap="SMTP"
|
||||
# mi="Bad password"
|
||||
# us="01ko8hqnoif09qx0np@imap.opus1.com"
|
||||
# di="535 5.7.8 Bad username or password (Authentication failed)."/>
|
||||
# Format is generally documented in the PORT_ACCESS mapping
|
||||
# at http://docs.oracle.com/cd/E19563-01/819-4428/bgaur/index.html
|
||||
#
|
||||
# All that would be on one line.
|
||||
# Note that you MUST have LOG_FORMAT=4 for this to work!
|
||||
#
|
||||
|
||||
failregex = ^.*tr="[A-Z]+\|[0-9.]+\|\d+\|<HOST>\|\d+" ap="[^"]*" mi="Bad password" us="[^"]*" di="535 5.7.8 Bad username or password( \(Authentication failed\))?\."/>$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
@ -0,0 +1,19 @@
|
||||
# CONFIGURATION REQUIREMENTS FOR ORACLE IMS v6.3 and ABOVE:
|
||||
#
|
||||
# In OPTION.DAT you must have LOG_FORMAT=4 and
|
||||
# bit 5 of LOG_CONNECTION must be set.
|
||||
#
|
||||
# Many of these sub-fields are optional and can be turned on and off
|
||||
# by the system manager. We need the "tr" field
|
||||
# (transport information (present if bit 5 of LOG_CONNECTION is
|
||||
# set and transport information is available)).
|
||||
# "di" should be there by default if you have LOG_FORMAT=4.
|
||||
#
|
||||
# failJSON: { "time": "2014-06-02T22:02:13", "match": false , "host": "23.122.129.179" }
|
||||
<co ts="2014-06-02T22:02:13.94" pi="72a9.3b4.3774" sc="tcp_submit" dr="+" ac="U" tr="TCP|192.245.12.223|465|23.122.129.179|60766" ap="SMTP/TLS-128-RC4" mi="Authentication successful - switched to channel tcp_submit" us="jaugustine@example.org" di="235 2.7.0 LOGIN authentication successful."/>
|
||||
# failJSON: { "time": "2014-06-02T16:06:33", "match": true , "host": "89.96.245.78" }
|
||||
<co ts="2014-06-02T16:06:33.99" pi="72aa.17f0.25622" sc="tcp_local" dr="+" ac="U" tr="TCP|192.245.12.223|25|89.96.245.78|4299" ap="SMTP" mi="Bad password" us="nic@transcend.com" di="535 5.7.8 Bad username or password (Authentication failed)."/>
|
||||
# failJSON: { "time": "2014-06-02T10:08:07", "match": true , "host": "71.95.206.106" }
|
||||
<co ts="2014-06-02T10:08:07.56" pi="123f.8e2.9022" sc="tcp_local" dr="+" ac="U" tr="TCP|192.245.12.223|25|71.95.206.106|56591" ap="SMTP" mi="Bad password" us="romeo.julieta@opus1.com" di="535 5.7.8 Bad username or password (Authentication failed)."/>
|
||||
# failJSON: { "time": "2014-06-02T09:54:58", "match": true , "host": "151.1.71.144" }
|
||||
<co ts="2014-06-02T09:54:58.82" pi="123f.715.7116" sc="tcp_local" dr="+" ac="U" tr="TCP|192.245.12.223|25|151.1.71.144|58406" ap="SMTP" mi="Bad password" us="01ko8hqnoif09qx0np@imap.opus1.com" di="535 5.7.8 Bad username or password (Authentication failed)."/>
|
Loading…
Reference in new issue