Support for IBM Domino SMTP task (#1603)

filter.d/domino-smtp.conf
2017-01-20 08:44:20 +01:00 · 2017-01-20 08:44:20 +01:00 · a4d8426401
parent 40f294e6bf
commit a4d8426401
3 changed files with 60 additions and 0 deletions
--- a/config/filter.d/domino-smtp.conf
+++ b/config/filter.d/domino-smtp.conf
@ -0,0 +1,47 @@
+# Fail2Ban configuration file for IBM Domino SMTP Server TASK to detect failed login attempts
+#
+# Author: Christian Brandlehner
+#
+# $Revision: 003 $
+#
+# Configuration:
+# Set the following Domino Server parameters in notes.ini:
+#       console_log_enabled=1
+#       log_sessions=2
+# You also have to use a date and time format supported by fail2ban. Recommended notes.ini configuration is:
+#       DateOrder=DMY
+#       DateSeparator=-
+#       ClockType=24_Hour
+#       TimeSeparator=:
+#
+# Depending on your locale you might have to tweak the date and time format so fail2ban can read the log
+
+#[INCLUDES]
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+#before = common.conf
+
+[Definition]
+# Option:  failregex
+# Notes.:  regex to match the password failure messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>\S+)
+# Values:  TEXT
+#
+# Sample log entries (used different time formats and an extra sample with process info in front of date)
+# 01-23-2009 19:54:51   SMTP Server: Authentication failed for user postmaster ; connecting host 1.2.3.4
+# [28325:00010-3735542592] 22-06-2014 09:56:12   smtp: postmaster [1.2.3.4] authentication failure using internet password
+# 08-09-2014 06:14:27   smtp: postmaster [1.2.3.4] authentication failure using internet password
+# 08-09-2014 06:14:27   SMTP Server: Authentication failed for user postmaster ; connecting host 1.2.3.4
+
+__prefix = (?:\[[^\]]+\])?\s+
+failregex = ^%(__prefix)sSMTP Server: Authentication failed for user .*? \; connecting host <HOST>$
+            ^%(__prefix)ssmtp: (?:[^\[]+ )*\[<HOST>\] authentication failure using internet password\s*$
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+
+ignoreregex =
+
--- a/config/jail.conf
+++ b/config/jail.conf
@ -853,3 +853,8 @@ logpath  = /var/log/haproxy.log
 port    = ldap,ldaps
 filter  = slapd
 logpath = /var/log/slapd.log
+
+[domino-smtp]
+port    = smtp,ssmtp
+filter  = domino-smtp
+logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log
--- a/fail2ban/tests/files/logs/domino-smtp
+++ b/fail2ban/tests/files/logs/domino-smtp
@ -0,0 +1,8 @@
+# failJSON: { "time": "2005-07-03T23:07:20", "match": true , "host": "1.2.3.4" }
+03-07-2005 23:07:20   SMTP Server: Authentication failed for user postmaster ; connecting host 1.2.3.4
+# failJSON: { "time": "2014-06-22T09:56:12", "match": true , "host": "1.2.3.4" }
+[28325:00010-3735542592] 22-06-2014 09:56:12   smtp: postmaster [1.2.3.4] authentication failure using internet password
+# failJSON: { "time": "2014-09-08T06:14:27", "match": true , "host": "1.2.3.4" }
+08-09-2014 06:14:27   smtp: postmaster [1.2.3.4] authentication failure using internet password
+# failJSON: { "time": "2016-11-07T22:21:20", "match": true , "host": "1.2.3.4" }
+2016-11-07 22:21:20   smtp: postmaster [1.2.3.4] authentication failure using internet password