github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #631 from grooverdan/sendmail 

ENH: add filter for sendmail-{auth,spam}. Closes gh-20
pull/633/head
Steven Hiscocks 2014-02-26 18:38:18 +00:00
parent 9be22a96a6 fe1725c603
commit 9b877928db
8 changed files with 107 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ChangeLog
View File

@ -17,6 +17,7 @@ ver. 0.8.13 (2014/XX/XXX) - maintenance-only-from-now-on
- New Features: - New Features:
- filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa) - filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa)
- filter sendmail-{auth,spam} (jserrachinha and cepheid666).
- Enhancements: - Enhancements:
- filter pureftpd - added all translations of "Authentication failed for - filter pureftpd - added all translations of "Authentication failed for

2
MANIFEST
View File

@ -172,6 +172,8 @@ config/filter.d/qmail.conf
config/filter.d/pam-generic.conf config/filter.d/pam-generic.conf
config/filter.d/php-url-fopen.conf config/filter.d/php-url-fopen.conf
config/filter.d/postfix-sasl.conf config/filter.d/postfix-sasl.conf
config/filter.d/sendmail-auth.conf
config/filter.d/sendmail-spam.conf
config/filter.d/sieve.conf config/filter.d/sieve.conf
config/filter.d/solid-pop3d.conf config/filter.d/solid-pop3d.conf
config/filter.d/squid.conf config/filter.d/squid.conf

2
THANKS
View File

@ -21,6 +21,7 @@ Bas van den Dikkenberg
Beau Raines Beau Raines
Bill Heaton Bill Heaton
Carlos Alberto Lopez Perez Carlos Alberto Lopez Perez
cepheid666
Christian Rauch Christian Rauch
Christophe Carles Christophe Carles
Christoph Haas Christoph Haas
@ -49,6 +50,7 @@ Jonathan Lanning
Jonathan Underwood Jonathan Underwood
Joël Bertrand Joël Bertrand
JP Espinosa JP Espinosa
jserrachinha
Justin Shore Justin Shore
Kévin Drapel Kévin Drapel
kjohnsonecl kjohnsonecl

18
config/filter.d/sendmail-auth.conf Normal file
View File

@ -0,0 +1,18 @@
# Fail2Ban filter for sendmail authentication failures
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = (?:sm-(mta|acceptingconnections))
failregex = ^%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$
ignoreregex =
# DEV Notes:
#
# Author: Daniel Black

33
config/filter.d/sendmail-spam.conf Normal file
View File

@ -0,0 +1,33 @@
# Fail2Ban filter for sendmail spam/relay type failures
#
# Some of the below failregex will only work properly, when the following
# options are set in the .mc file (see your Sendmail documentation on how
# to modify it and generate the corresponding .cf file):
#
# FEATURE(`delay_checks')
# FEATURE(`greet_pause', `500')
# FEATURE(`ratecontrol', `nodelay', `terminate')
# FEATURE(`conncontrol', `nodelay', `terminate')
#
# ratecontrol and conncontrol also need corresponding options ClientRate:
# and ClientConn: in the access file, see documentation for ratecontrol and
# conncontrol in the sendmail/cf/README file.
[INCLUDES]
before = common.conf
[Definition]
_daemon = (?:sm-(mta|acceptingconnections))
failregex = ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=(?P<email>(<\S+@\S+>)?), relay=(\S+ )?\[<HOST>\]( \(may be forged\))?, reject=550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.)$
^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=, relay=(\S+ )?\[<HOST>\]( \(may be forged\))?, reject=(553 5\.1\.8 \.\.\. Domain of sender address \S+ does not exist|550 5\.7\.1 \.\.\. Rejected: (\d+\.){3}\d+\ listed at \S+)$
^%(__prefix_line)sruleset=check_relay, arg1=(?P<dom>\S+), arg2=<HOST>, relay=(?P=dom) \[(\d+\.){3}\d+\]( \(may be forged\))?, reject=421 4\.3\.2 Connection rate limit exceeded\.$
ignoreregex =
# DEV Notes:
#
# Author: Daniel Black and Fabian Wenk

15
config/jail.conf
View File

@ -157,6 +157,21 @@ logpath = /var/log/daemon.log
maxretry = 6 maxretry = 6
[sendmail-auth]
enabled = false
filter = sendmail-auth
action = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]
logpath = /var/log/mail.log
[sendmail-spam]
enabled = false
filter = sendmail-spam
action = iptables[name=sendmail-spam, port=smtp, protocol=tcp]
logpath = /var/log/mail.log
# This jail forces the backend to "polling". # This jail forces the backend to "polling".
[sasl-iptables] [sasl-iptables]

12
testcases/files/logs/sendmail-auth Normal file
View File

@ -0,0 +1,12 @@
# failJSON: { "time": "2005-02-16T23:33:20", "match": true , "host": "190.5.230.178" }
Feb 16 23:33:20 smtp1 sm-mta[5133]: s1GNXHYB005133: [190.5.230.178]: possible SMTP attack: command=AUTH, count=5
# failJSON: { "time": "2005-02-16T23:40:36", "match": true , "host": "75.176.164.191" }
Feb 16 23:40:36 smtp1 sm-mta[5178]: s1GNeNqe005178: cpe-075-176-164-191.sc.res.rr.com [75.176.164.191]: possible SMTP attack: command=AUTH, count=5
# failJSON: { "time": "2005-02-24T12:10:15", "match": true , "host": "211.75.6.133" }
Feb 24 12:10:15 kismet sm-acceptingconnections[32053]: s1OHA28u032053: 211-75-6-133.HINET-IP.hinet.net [211.75.6.133]: possible SMTP attack: command=AUTH, count=6
# failJSON: { "time": "2005-02-24T13:00:17", "match": true , "host": "95.70.241.192" }
Feb 24 13:00:17 kismet sm-acceptingconnections[1499]: s1OHxxSn001499: 192.241.70.95.dsl.static.turk.net [95.70.241.192] (may be forged): possible SMTP attack: command=AUTH, count=6

24
testcases/files/logs/sendmail-spam Normal file
View File

@ -0,0 +1,24 @@
# failJSON: { "time": "2005-02-25T03:01:10", "match": true , "host": "128.68.136.133" }
Feb 25 03:01:10 kismet sm-acceptingconnections[27713]: s1P819mk027713: ruleset=check_rcpt, arg1=, relay=128-68-136-133.broadband.corbina.ru [128.68.136.133], reject=550 5.7.1 ... Relaying denied. Proper authentication required.
# failJSON: { "time": "2005-02-23T21:36:14", "match": true , "host": "80.253.155.119" }
Feb 23 21:36:14 petermurray sm-mta[22248]: s1NLaDQT022248: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
# failJSON: { "time": "2005-02-24T07:33:59", "match": true , "host": "118.161.66.57" }
Feb 24 07:33:59 petermurray sm-mta[21134]: s1O7XtZJ021134: ruleset=check_rcpt, arg1=<sanjinn232@yahoo.com.tw>, relay=118-161-66-57.dynamic.hinet.net [118.161.66.57], reject=550 5.7.1 <sanjinn232@yahoo.com.tw>... Relaying denied. Proper authentication required.
# failJSON: { "time": "2005-02-23T07:57:28", "match": true , "host": "2.180.185.27" }
Feb 23 07:57:28 petermurray sm-mta[6519]: s1N7vR47006519: ruleset=check_rcpt, arg1=, relay=[2.180.185.27], reject=553 5.1.8 ... Domain of sender address camila.pinto@andrewweitzman.com does not exist
# failJSON: { "time": "2005-02-23T14:13:08", "match": true , "host": "85.60.238.161" }
Feb 23 14:13:08 petermurray sm-mta[17126]: s1NED81M017126: ruleset=check_rcpt, arg1=, relay=161.pool85-60-238.dynamic.orange.es [85.60.238.161], reject=553 5.1.8 ... Domain of sender address anabelaalvesd@dsldevice.lan does not exist
# failJSON: { "time": "2005-02-24T05:07:40", "match": true , "host": "202.53.73.138" }
Feb 24 05:07:40 petermurray sm-mta[716]: s1O57c6H000716: ruleset=check_rcpt, arg1=, relay=202.53.73.138.nettlinx.com [202.53.73.138] (may be forged), reject=553 5.1.8 ... Domain of sender address root@srv.montserv.com does not exist
# failJSON: { "time": "2005-02-23T07:00:08", "match": true , "host": "151.232.63.226" }
Feb 23 07:00:08 petermurray sm-mta[3992]: s1N706jo003992: ruleset=check_rcpt, arg1=, relay=[151.232.63.226], reject=550 5.7.1 ... Rejected: 151.232.63.226 listed at sbl-xbl.spamhaus.org
# failJSON: { "time": "2005-02-24T01:46:44", "match": true , "host": "217.21.54.82" }
Feb 24 01:46:44 petermurray sm-mta[24422]: ruleset=check_relay, arg1=leased-line-54-82.telecom.by, arg2=217.21.54.82, relay=leased-line-54-82.telecom.by [217.21.54.82], reject=421 4.3.2 Connection rate limit exceeded.