ENH: filter.d/selinxu added. Closes #296

pull/374/merge^2
Daniel Black 11 years ago
parent c8e8478502
commit a1eaa5f755

@ -64,6 +64,8 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
* filter.d/perdition.conf -- filter added * filter.d/perdition.conf -- filter added
Mark McKinstry Mark McKinstry
* action.d/apf.conf - add action for Advanced Policy Firewall (apf) * action.d/apf.conf - add action for Advanced Policy Firewall (apf)
Steven Hiscocks and Daniel Black
* filter.d/selinux -- add SELinux date and filter
- Enhancements: - Enhancements:
François Boulogne and Frédéric François Boulogne and Frédéric

@ -0,0 +1,19 @@
# Fail2Ban configuration file for generic Selinux Errors authentication errors
#
# Author: Daniel Black
#
#
[Definition]
_type = USER_(LOGIN|ERR|AUTH)
_uid = 0
_auid = \d+
_subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023
_exe =/usr/sbin/sshd
_terminal = ssh
_msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr=<HOST> terminal=%(_terminal)s res=failed
failregex = ^type=%(_type)s msg=audit\(:\d+\): user pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$

@ -0,0 +1,23 @@
# failJSON: { "time": "2013-07-09T02:45:16", "match": true , "host": "173.242.116.187" }
type=USER_LOGIN msg=audit(1373330716.415:4063): user pid=11998 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=173.242.116.187 terminal=ssh res=failed'
# failJSON: { "time": "2013-07-09T02:45:17", "match": true , "host": "173.242.116.187" }
type=USER_LOGIN msg=audit(1373330717.441:4068): user pid=12000 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=173.242.116.187 terminal=ssh res=failed'
# failJSON: { "time": "2013-07-09T02:45:17", "match": true , "host": "173.242.116.187" }
type=USER_ERR msg=audit(1373330717.575:4070): user pid=12000 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident acct="?" exe="/usr/sbin/sshd" hostname=173.242.116.187 addr=173.242.116.187 terminal=ssh res=failed'
# failJSON: { "time": "2013-07-09T02:45:17", "match": true , "host": "173.242.116.187" }
type=USER_LOGIN msg=audit(1373330717.576:4073): user pid=12000 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=173.242.116.187 terminal=ssh res=failed'
# failJSON: { "time": "2013-06-30T01:02:08", "match": true , "host": "113.240.248.18" }
type=USER_LOGIN msg=audit(1372546928.726:52008): user pid=21569 uid=0 auid=0 ses=76 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="sshd" exe="/usr/sbin/sshd" hostname=? addr=113.240.248.18 terminal=ssh res=failed'
# failJSON: { "time": "2013-06-30T03:58:20", "match": true , "host": "113.240.248.18" }
type=USER_ERR msg=audit(1372557500.401:61747): user pid=23684 uid=0 auid=0 ses=76 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident acct="?" exe="/usr/sbin/sshd" hostname=113.240.248.18 addr=113.240.248.18 terminal=ssh res=failed'
# failJSON: { "time": "2013-06-30T03:58:20", "match": true , "host": "113.240.248.18" }
type=USER_LOGIN msg=audit(1372557500.402:61750): user pid=23684 uid=0 auid=0 ses=76 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=113.240.248.18 terminal=ssh res=failed'
# failJSON: { "time": "2013-07-06T18:48:00", "match": true , "host": "194.228.20.113" }
type=USER_AUTH msg=audit(1373129280.772:9): user pid=1277 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="root" exe="/usr/sbin/sshd" hostname=? addr=194.228.20.113 terminal=ssh res=failed'
Loading…
Cancel
Save