Merge branch 'enh/oracle_msg_server'

* enh/oracle_msg_server: ENH: make oracleims failregex better anchored (more explicit) Update oracleims.conf to be 'less greedy' Update THANKS Update jail.conf for oracleims filter. Create test for oracleims filter Create oracleims.conf in filter.d for new filter
11 years ago · 93d5c363ca
parent dd75d35420 994fe77e59
commit 93d5c363ca
4 changed files with 89 additions and 0 deletions
--- a/1
+++ b/1
@ -49,6 +49,7 @@ John Thoe
 Jacques Lav!gnotte
 Ioan Indreias
 Jason H Martin
 Joel M Snyder
 Jonathan Kamens
 Jonathan Lanning
 Jonathan Underwood
--- a/config/filter.d/oracleims.conf
+++ b/config/filter.d/oracleims.conf
@ -0,0 +1,61 @@
 # Fail2Ban configuration file
 # for Oracle IMS with XML logging
 #
 # Author: Joel Snyder/jms@opus1.com/2014-June-01
 #
 #
 [INCLUDES]
 # Read common prefixes.
 # If any customizations available -- read them from
 # common.local
 before = common.conf
 [Definition]
 # Option:  failregex
 # Notes.:  regex to match the password failures messages
 # in the logfile. The host must be matched by a
 # group named "host". The tag "<HOST>" can
 # be used for standard IP/hostname matching and is
 # only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
 #
 # CONFIGURATION REQUIREMENTS FOR ORACLE IMS v6 and ABOVE:
 #
 # In OPTION.DAT you must have LOG_FORMAT=4 and
 #  bit 5 of LOG_CONNECTION must be set. 
 #
 # Many of these sub-fields are optional and can be turned on and off
 # by the system manager.  We need the "tr" field
 #  (transport information (present if bit 5 of LOG_CONNECTION is
 # set and transport information is available)).
 # "di" should be there by default if you have LOG_FORMAT=4.
 # Do not use "mi" as this is not included by default.
 #
 # Typical line IF YOU ARE USING TAGGING ! ! ! is:
 # <co ts="2014-06-02T09:45:50.29" pi="123f.3f8.4397"
 # sc="tcp_local" dr="+" ac="U"
 # tr="TCP|192.245.12.223|25|151.1.71.144|59762" ap="SMTP"
 # mi="Bad password"
 # us="01ko8hqnoif09qx0np@imap.opus1.com"
 # di="535 5.7.8 Bad username or password (Authentication failed)."/>
 # Format is generally documented in the PORT_ACCESS mapping 
 # at http://docs.oracle.com/cd/E19563-01/819-4428/bgaur/index.html
 #
 # All that would be on one line.
 # Note that you MUST have LOG_FORMAT=4 for this to work!
 #
 failregex = ^.*tr="[A-Z]+\|[0-9.]+\|\d+\|<HOST>\|\d+" ap="[^"]*" mi="Bad password" us="[^"]*" di="535 5.7.8 Bad username or password( \(Authentication failed\))?\."/>$
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex =
--- a/config/jail.conf
+++ b/config/jail.conf
@ -701,3 +701,11 @@ action  = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp
 enabled  = false
 logpath  = /var/log/messages     ; nrpe.cfg may define a different log_facility
 maxretry = 1
 [oracleims]
 # see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
 enabled = false
 logpath = /opt/sun/comms/messaging64/log/mail.log_current
 maxretry = 6
 banaction = iptables-allports
--- a/fail2ban/tests/files/logs/oracleims
+++ b/fail2ban/tests/files/logs/oracleims
@ -0,0 +1,19 @@
 # CONFIGURATION REQUIREMENTS FOR ORACLE IMS v6.3 and ABOVE:
 #
 # In OPTION.DAT you must have LOG_FORMAT=4 and
 #  bit 5 of LOG_CONNECTION must be set. 
 #
 # Many of these sub-fields are optional and can be turned on and off
 # by the system manager.  We need the "tr" field
 #  (transport information (present if bit 5 of LOG_CONNECTION is
 # set and transport information is available)).
 # "di" should be there by default if you have LOG_FORMAT=4.
 #
 # failJSON: { "time": "2014-06-02T22:02:13", "match": false , "host": "23.122.129.179" }
 <co ts="2014-06-02T22:02:13.94" pi="72a9.3b4.3774" sc="tcp_submit" dr="+" ac="U" tr="TCP|192.245.12.223|465|23.122.129.179|60766" ap="SMTP/TLS-128-RC4" mi="Authentication successful - switched to channel tcp_submit" us="jaugustine@example.org" di="235 2.7.0 LOGIN authentication successful."/>
 # failJSON: { "time": "2014-06-02T16:06:33", "match": true , "host": "89.96.245.78" }
 <co ts="2014-06-02T16:06:33.99" pi="72aa.17f0.25622" sc="tcp_local" dr="+" ac="U" tr="TCP|192.245.12.223|25|89.96.245.78|4299" ap="SMTP" mi="Bad password" us="nic@transcend.com" di="535 5.7.8 Bad username or password (Authentication failed)."/>
 # failJSON: { "time": "2014-06-02T10:08:07", "match": true , "host": "71.95.206.106" }
 <co ts="2014-06-02T10:08:07.56" pi="123f.8e2.9022" sc="tcp_local" dr="+" ac="U" tr="TCP|192.245.12.223|25|71.95.206.106|56591" ap="SMTP" mi="Bad password" us="romeo.julieta@opus1.com" di="535 5.7.8 Bad username or password (Authentication failed)."/>
 # failJSON: { "time": "2014-06-02T09:54:58", "match": true , "host": "151.1.71.144" }
 <co ts="2014-06-02T09:54:58.82" pi="123f.715.7116" sc="tcp_local" dr="+" ac="U" tr="TCP|192.245.12.223|25|151.1.71.144|58406" ap="SMTP" mi="Bad password" us="01ko8hqnoif09qx0np@imap.opus1.com" di="535 5.7.8 Bad username or password (Authentication failed)."/>