diff --git a/THANKS b/THANKS
index 27165492..891dba32 100644
--- a/THANKS
+++ b/THANKS
@@ -49,6 +49,7 @@ John Thoe
 Jacques Lav!gnotte
 Ioan Indreias
 Jason H Martin
+Joel M Snyder
 Jonathan Kamens
 Jonathan Lanning
 Jonathan Underwood
diff --git a/config/filter.d/oracleims.conf b/config/filter.d/oracleims.conf
new file mode 100644
index 00000000..e951ff5d
--- /dev/null
+++ b/config/filter.d/oracleims.conf
@@ -0,0 +1,61 @@
+# Fail2Ban configuration file
+# for Oracle IMS with XML logging
+#
+# Author: Joel Snyder/jms@opus1.com/2014-June-01
+#
+#
+
+
+[INCLUDES]
+
+# Read common prefixes.
+# If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages
+# in the logfile. The host must be matched by a
+# group named "host". The tag "" can
+# be used for standard IP/hostname matching and is
+# only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+#
+# CONFIGURATION REQUIREMENTS FOR ORACLE IMS v6 and ABOVE:
+#
+# In OPTION.DAT you must have LOG_FORMAT=4 and
+# bit 5 of LOG_CONNECTION must be set.
+#
+# Many of these sub-fields are optional and can be turned on and off
+# by the system manager. We need the "tr" field
+# (transport information (present if bit 5 of LOG_CONNECTION is
+# set and transport information is available)).
+# "di" should be there by default if you have LOG_FORMAT=4.
+# Do not use "mi" as this is not included by default.
+#
+# Typical line IF YOU ARE USING TAGGING ! ! ! is:
+#
+# Format is generally documented in the PORT_ACCESS mapping
+# at http://docs.oracle.com/cd/E19563-01/819-4428/bgaur/index.html
+#
+# All that would be on one line.
+# Note that you MUST have LOG_FORMAT=4 for this to work!
+#
+
+failregex = ^.*tr="[A-Z]+\|[0-9.]+\|\d+\|\|\d+" ap="[^"]*" mi="Bad password" us="[^"]*" di="535 5.7.8 Bad username or password( \(Authentication failed\))?\."/>$
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff --git a/config/jail.conf b/config/jail.conf
index 7f7a7cbe..c42952d8 100644
--- a/config/jail.conf
+++ b/config/jail.conf
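Review bot: The header comment says `Do not use "mi" as this is not included by default`, yet the failregex a few lines below requires `mi="Bad password"` in every matching record, so on a stock LOG_FORMAT=4 setup the filter can never match; either the comment or the regex is wrong and they need reconciling, e.g. by replacing that comment line with `# The "mi" field must be enabled in LOG_CONNECTION: the failregex requires mi="Bad password".` if the field is really needed. Separately, this rendering seems to have dropped angle-bracketed tokens (the comment reads `The tag "" can` where fail2ban filters normally name the `<HOST>` tag), which would explain the empty fourth `tr` sub-field shown as `\|\|`; if the committed regex truly has no `<HOST>` group there, fail2ban has nothing to ban on and the fixture's `match: true` cases cannot pass, so worth confirming against the actual file. The `us="[^"]*"` field is client-supplied text, and the match only stays sound if the XML logger escapes `"` inside attribute values; a one-line comment stating that assumption above the regex would help the next maintainer.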
@@ -701,3 +701,11 @@ action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp
 enabled = false
 logpath = /var/log/messages ; nrpe.cfg may define a different log_facility
 maxretry = 1
+
+
+[oracleims]
+# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
+enabled = false
+logpath = /opt/sun/comms/messaging64/log/mail.log_current
+maxretry = 6
+banaction = iptables-allports
diff --git a/fail2ban/tests/files/logs/oracleims b/fail2ban/tests/files/logs/oracleims
new file mode 100644
index 00000000..aafb27af
--- /dev/null
+++ b/fail2ban/tests/files/logs/oracleims
@@ -0,0 +1,19 @@
+# CONFIGURATION REQUIREMENTS FOR ORACLE IMS v6.3 and ABOVE:
+#
+# In OPTION.DAT you must have LOG_FORMAT=4 and
+# bit 5 of LOG_CONNECTION must be set.
+#
+# Many of these sub-fields are optional and can be turned on and off
+# by the system manager. We need the "tr" field
+# (transport information (present if bit 5 of LOG_CONNECTION is
+# set and transport information is available)).
+# "di" should be there by default if you have LOG_FORMAT=4.
+#
+# failJSON: { "time": "2014-06-02T22:02:13", "match": false , "host": "23.122.129.179" }
+
+# failJSON: { "time": "2014-06-02T16:06:33", "match": true , "host": "89.96.245.78" }
+
+# failJSON: { "time": "2014-06-02T10:08:07", "match": true , "host": "71.95.206.106" }
+
+# failJSON: { "time": "2014-06-02T09:54:58", "match": true , "host": "151.1.71.144" }
+
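Review bot: `banaction = iptables-allports` in the new `[oracleims]` jail pins this one jail to a specific firewall backend and to an all-ports ban, silently overriding whatever `banaction` the administrator set globally (a site running a different backend would get no ban at all for this jail); the conventional way to say "ban this client from the mail service" is a `port =` list of the mail ports with the global `banaction` left in force, so I would drop the `banaction` line and add `port = smtp,submission,imaps,pop3s` (adjust to what IMS actually serves). `maxretry = 6` is an unexplained override; either a comment giving the reason or removing it in favour of the default would be clearer. The `logpath` is an install-specific path, so a comment such as `# adjust to the log directory of the local IMS installation` would save a silent "no such file" at start-up; the rest of the jail, including the `[nrpe]` context lines, is unchanged.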