From 9b7c35810ab1dc8f3e5afb29c1e742bc0b3e5527 Mon Sep 17 00:00:00 2001
From: JoelSnyder
Date: Mon, 2 Jun 2014 22:55:59 -0700
Subject: [PATCH 1/6] Create oracleims.conf in filter.d for new filter

Created oracleims.conf to catch messages from Sun/Oracle Communications Messaging Server v6.3 and above (including v7)
---
 config/filter.d/oracleims.conf | 59 ++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 config/filter.d/oracleims.conf

diff --git a/config/filter.d/oracleims.conf b/config/filter.d/oracleims.conf
new file mode 100644
index 00000000..e80d0b96
--- /dev/null
+++ b/config/filter.d/oracleims.conf
@@ -0,0 +1,59 @@
+# Fail2Ban configuration file
+# for Oracle IMS with XML logging
+#
+# Author: Joel Snyder/jms@opus1.com/2014-June-01
+#
+#
+
+
+[INCLUDES]
+
+# Read common prefixes.
+# If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages
+# in the logfile. The host must be matched by a
+# group named "host". The tag "" can
+# be used for standard IP/hostname matching and is
+# only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+#
+# CONFIGURATION REQUIREMENTS FOR ORACLE IMS v6 and ABOVE:
+#
+# In OPTION.DAT you must have LOG_FORMAT=4 and
+# bit 5 of LOG_CONNECTION must be set.
+#
+# Many of these sub-fields are optional and can be turned on and off
+# by the system manager. We need the "tr" field
+# (transport information (present if bit 5 of LOG_CONNECTION is
+# set and transport information is available)).
+# "di" should be there by default if you have LOG_FORMAT=4.
+# Do not use "mi" as this is not included by default.
+#
+# Typical line IF YOU ARE USING TAGGING ! ! ! is:
+
+
+# All that would be on one line.
+# Note that you MUST have LOG_FORMAT=4 for this to work!
+#
+
+failregex = ^.*tr=".*\|.*\|\d+\|\|\d+" .+ Bad username or password.*"/>$
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
From 54317d7c3b1c35de63f909cf16bf2de531030533 Mon Sep 17 00:00:00 2001
From: JoelSnyder
Date: Mon, 2 Jun 2014 22:58:39 -0700
Subject: [PATCH 2/6] Create test for oracleims filter

This test file shows configuration information for the application, three log lines that DO match the pattern, and one log line that does NOT match the pattern (the first one).
---
 fail2ban/tests/files/logs/oracleims | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 fail2ban/tests/files/logs/oracleims
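Review bot: The `failregex` on the last added code line is unanchored on both sides of the transport field: the leading `^.*tr=".*\|.*\|` can backtrack to any later `tr="` in the line, and `.+ Bad username or password.*` spans every intervening attribute, including the client-supplied `us="…"` username. If the server does not escape quotes inside XML attribute values (not shown here), a login attempt whose username embeds a fake `tr="…"` segment could steer which address the host group captures, turning a failed login into a ban of an arbitrary IP. Bind each attribute with a quote-excluding class instead of free `.*`/`.+` spans, e.g. ` ap="[^"]*" mi="[^"]*" us="[^"]*" di="535 5.7.8 Bad username or password[^"]*"/>$`, so the match cannot cross attribute boundaries. A comment above the regex explaining that the quoted attributes are the real anchors would also help the next maintainer.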
diff --git a/fail2ban/tests/files/logs/oracleims b/fail2ban/tests/files/logs/oracleims
new file mode 100644
index 00000000..aafb27af
--- /dev/null
+++ b/fail2ban/tests/files/logs/oracleims
@@ -0,0 +1,19 @@
+# CONFIGURATION REQUIREMENTS FOR ORACLE IMS v6.3 and ABOVE:
+#
+# In OPTION.DAT you must have LOG_FORMAT=4 and
+# bit 5 of LOG_CONNECTION must be set.
+#
+# Many of these sub-fields are optional and can be turned on and off
+# by the system manager. We need the "tr" field
+# (transport information (present if bit 5 of LOG_CONNECTION is
+# set and transport information is available)).
+# "di" should be there by default if you have LOG_FORMAT=4.
+#
+# failJSON: { "time": "2014-06-02T22:02:13", "match": false , "host": "23.122.129.179" }
+
+# failJSON: { "time": "2014-06-02T16:06:33", "match": true , "host": "89.96.245.78" }
+
+# failJSON: { "time": "2014-06-02T10:08:07", "match": true , "host": "71.95.206.106" }
+
+# failJSON: { "time": "2014-06-02T09:54:58", "match": true , "host": "151.1.71.144" }
+
From 70ed93d8cc389f3a6ae01bcb8f6bbbf9c31c409f Mon Sep 17 00:00:00 2001
From: JoelSnyder
Date: Mon, 9 Jun 2014 18:37:31 -0700
Subject: [PATCH 3/6] Update jail.conf for oracleims filter.

This is the jail.conf update. Hopefully this will go into pull request #734.
---
 config/jail.conf | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/config/jail.conf b/config/jail.conf
index 7f7a7cbe..c42952d8 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -701,3 +701,11 @@ action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp
 enabled = false
 logpath = /var/log/messages ; nrpe.cfg may define a different log_facility
 maxretry = 1
+
+
+[oracleims]
+# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
+enabled = false
+logpath = /opt/sun/comms/messaging64/log/mail.log_current
+maxretry = 6
+banaction = iptables-allports
From c325e88634f9b0c933d279f32e61e1935e6260d2 Mon Sep 17 00:00:00 2001
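Review bot: The new `[oracleims]` jail hardcodes `banaction = iptables-allports`, and because a jail-level key takes precedence over `[DEFAULT]` this appears to override whatever `banaction` the administrator configured in jail.local, so hosts using another firewall backend would silently keep invoking iptables for this one jail. The neighbouring jails leave the backend to the default (`action = %(banaction)s[…]` in the hunk header) and only declare ports; doing the same here means dropping the `banaction` line and adding a port list for the mail services IMS exposes, e.g. `port = smtp,465,submission,imap,imaps,pop3,pop3s`, with the list confirmed against the deployment. `logpath` is a vendor install path that varies per site; a comment such as `# adjust to the IMS install's log directory` next to it would save the next reader a guess.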
From: JoelSnyder
Date: Mon, 9 Jun 2014 18:38:22 -0700
Subject: [PATCH 4/6] Update THANKS

Per Steven.
---
 THANKS | 1 +
 1 file changed, 1 insertion(+)

diff --git a/THANKS b/THANKS
index 27165492..891dba32 100644
--- a/THANKS
+++ b/THANKS
@@ -49,6 +49,7 @@ John Thoe
 Jacques Lav!gnotte
 Ioan Indreias
 Jason H Martin
+Joel M Snyder
 Jonathan Kamens
 Jonathan Lanning
 Jonathan Underwood
From 5165d2f6ea19a7781902b1ca7c32ca2f6f0238d1 Mon Sep 17 00:00:00 2001
From: JoelSnyder
Date: Mon, 9 Jun 2014 18:44:27 -0700
Subject: [PATCH 5/6] Update oracleims.conf to be 'less greedy'

This assumes that the protocol is always a string, which it always is, and that the other four fields in the "tr" are always numeric (which they always are). See port_access documentation at http://docs.oracle.com/cd/E19563-01/819-4428/bgaur/index.html
---
 config/filter.d/oracleims.conf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/config/filter.d/oracleims.conf b/config/filter.d/oracleims.conf
index e80d0b96..083702ce 100644
--- a/config/filter.d/oracleims.conf
+++ b/config/filter.d/oracleims.conf
@@ -45,12 +45,14 @@ before = common.conf
 # mi="Bad password"
 # us="01ko8hqnoif09qx0np@imap.opus1.com"
 # di="535 5.7.8 Bad username or password (Authentication failed)."/>
+# Format is generally documented in the PORT_ACCESS mapping
+# at http://docs.oracle.com/cd/E19563-01/819-4428/bgaur/index.html
 #
 # All that would be on one line.
 # Note that you MUST have LOG_FORMAT=4 for this to work!
 #
 
-failregex = ^.*tr=".*\|.*\|\d+\|\|\d+" .+ Bad username or password.*"/>$
+failregex = ^.*tr="[A-Z]+\|[0-9.]+\|\d+\|\|\d+" .+ Bad username or password.*"/>$
 
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
From 994fe77e599c36eef8530429aedfbe6c73fd81b3 Mon Sep 17 00:00:00 2001
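Review bot: `[0-9.]+` for the server-address field of `tr=` in the new `failregex` only matches dotted IPv4, so a failed login logged on an IPv6 listener (an address containing `:`) never matches and is never banned; the commit message's claim that the remaining fields are "always numeric" does not hold for IPv6 literals. Widen it to `[0-9a-fA-F.:]+`, or to `[^|"]+` if the field can also carry a hostname, and keep the `\|` separators as the real anchors. Likewise `[A-Z]+` rejects a lowercase protocol tag should the server ever emit one; both assumptions are worth confirming against the PORT_ACCESS documentation linked in the added comment and recording in a comment above the regex.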
From: Yaroslav Halchenko
Date: Tue, 10 Jun 2014 03:52:16 -0400
Subject: [PATCH 6/6] ENH: make oracleims failregex better anchored (more explicit)

---
 config/filter.d/oracleims.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/filter.d/oracleims.conf b/config/filter.d/oracleims.conf
index 083702ce..e951ff5d 100644
--- a/config/filter.d/oracleims.conf
+++ b/config/filter.d/oracleims.conf
@@ -52,7 +52,7 @@ before = common.conf
 # Note that you MUST have LOG_FORMAT=4 for this to work!
 #
 
-failregex = ^.*tr="[A-Z]+\|[0-9.]+\|\d+\|\|\d+" .+ Bad username or password.*"/>$
+failregex = ^.*tr="[A-Z]+\|[0-9.]+\|\d+\|\|\d+" ap="[^"]*" mi="Bad password" us="[^"]*" di="535 5.7.8 Bad username or password( \(Authentication failed\))?\."/>$
 
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
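Review bot: The new `failregex` makes `mi="Bad password"` mandatory, but the file's own header comment above this hunk states `Do not use "mi" as this is not included by default`; on a server logging with the default field set the filter would then match nothing and ban nobody, with no warning. Either make the attribute optional, ` (?:mi="Bad password" )?us="[^"]*"`, or change that comment to say that `mi` must be enabled alongside `tr` (the example line in the comment already shows it), and make sure the fixture in fail2ban/tests/files/logs/oracleims covers whichever choice is made. The leading `^.*` is still a free span, so the match can start at any later `tr="` in the line; anchoring on the fixed text that precedes the transport attribute would make the regex deterministic.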