From 47dd8fb8972d9916e4a4d9672e26776cfa3e3c01 Mon Sep 17 00:00:00 2001 From: Lars Kneschke Date: Mon, 13 Jan 2014 06:04:59 +0100 Subject: [PATCH 1/3] ENH: filter for Tine 2.0 --- ChangeLog | 1 + config/filter.d/tine20.conf | 13 +++++++++++++ config/jail.conf | 11 +++++++++++ testcases/files/logs/tine20 | 2 ++ 4 files changed, 27 insertions(+) create mode 100644 config/filter.d/tine20.conf create mode 100644 testcases/files/logs/tine20 diff --git a/ChangeLog b/ChangeLog index 2ca227ff..de804b5f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -54,6 +54,7 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better ...: Auth fail". Thanks Marcel Dopita. Closes gh-289 - Added filter.d/ejabberd-auth - Improved ACL-handling for Asterisk + - Added filter.d/tine20 - New Features: diff --git a/config/filter.d/tine20.conf b/config/filter.d/tine20.conf new file mode 100644 index 00000000..a878d890 --- /dev/null +++ b/config/filter.d/tine20.conf @@ -0,0 +1,13 @@ +# Fail2Ban filter for Tine 2.0 authentication +# +# Enable logging with: +# $config['info_log']='/var/log/tine20/tine20.log'; +# + +[Definition] + +failregex = Login with username .* from failed + +ignoreregex = + +# Author: mkl from Tine20.org forum diff --git a/config/jail.conf b/config/jail.conf index 5dcce02c..827e2287 100644 --- a/config/jail.conf +++ b/config/jail.conf 
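Review bot: As rendered here the pattern reads `Login with username .* from failed`, with nothing between `from` and `failed`; fail2ban only learns which address to ban from a `<HOST>` tag at that position, so if the tag is genuinely absent (rather than lost when this page was rendered) the filter cannot ban anything — the tightened regex in patch 3/3 shows the same gap. The header comment tells admins which file to log to but not the log level the filter depends on: the sample entry is logged at `WARN (4)`, so a Tine logger set to a quieter priority produces no matchable lines and the jail silently does nothing. Suggest adding a header line such as `# Login failures are logged at WARN (4); the Tine 2.0 logger priority must include WARN or this filter never matches.`.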
@@ -442,6 +442,17 @@ logpath = /var/log/horde/horde.log action = iptables-multiport[name=horde, port="http,https"] maxretry = 5 +[tine20] + +enabled = false +filter = tine20 +logpath = /var/log/tine20/tine20.log +action = iptables-multiport[name=tine20, port="http,https"] +# Tine 2.0 logs are in UTC instead of my servers local time (= CET = UTC+1). Need to increase findtime by one hour (3600 + 600 = 4200). +# ( see: https://www.tine20.org/forum/viewtopic.php?f=12&t=976#p4746 ) +# findtime: The counter is set to zero if no match is found within "findtime" seconds. +findtime = 4200 +maxretry = 5 # Ban attackers that try to use PHP's URL-fopen() functionality # through GET/POST variables. - Experimental, with more than a year diff --git a/testcases/files/logs/tine20 b/testcases/files/logs/tine20 new file mode 100644 index 00000000..87d5c8ae --- /dev/null +++ b/testcases/files/logs/tine20 @@ -0,0 +1,2 @@ +# failJSON: { "time": "2014-01-13T05:02:22", "match": true, "host": "127.0.0.1" } +78017 00cff -- none -- - 2014-01-13T05:02:22+00:00 WARN (4): Tinebase_Controller::login::106 Login with username sdfsadf from 127.0.0.1 failed (-1)! From 36d38043ba3cfe0e67f35c741809bc306e39cc1b Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Wed, 22 Jan 2014 18:12:48 +1100 Subject: [PATCH 2/3] DOC: thanks Lars for the filter base and log samples --- THANKS | 1 + 1 file changed, 1 insertion(+) diff --git a/THANKS b/THANKS index d983cf85..72bbdbda 100644 --- a/THANKS +++ b/THANKS @@ -53,6 +53,7 @@ Justin Shore Kévin Drapel kjohnsonecl kojiro +Lars Kneschke Lee Clemens Manuel Arostegui Ramirez Marcel Dopita From c8ae064b791edc0a83ddf9bd5e90f9ac174ed56e Mon Sep 17 00:00:00 2001 
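Review bot: `findtime = 4200` bakes the author's own zone offset (CET, per the added comment) into the shipped default, which is wrong for any server in another zone. The sample log lines carry an explicit `+00:00` suffix; if fail2ban's date parser honours it the timestamps are already correct and the extra hour only widens the window for no reason, and if it does not, the right correction is server-specific and belongs in jail.local rather than here. Suggest dropping the three comment lines and `findtime` so the jail inherits the global default, and if a note is kept, make it `# Tine 2.0 timestamps carry a UTC offset (+00:00); no findtime adjustment is needed when the date parser honours it.`. The added sentence `# findtime: The counter is set to zero if no match is found within "findtime" seconds.` restates the generic findtime documentation and can go too.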
From: Daniel Black
Date: Wed, 22 Jan 2014 22:16:03 +1100
Subject: [PATCH 3/3] ENH: tighten regex and change failJSON to support timezone. Closes gh-583

---
 THANKS | 1 +
 config/filter.d/tine20.conf | 12 ++++++++++--
 fail2ban/tests/files/logs/tine20 | 7 +++++++
 testcases/files/logs/tine20 | 2 --
 4 files changed, 18 insertions(+), 4 deletions(-)
 create mode 100644 fail2ban/tests/files/logs/tine20
 delete mode 100644 testcases/files/logs/tine20

diff --git a/THANKS b/THANKS
index 72bbdbda..cef5d506 100644
--- a/THANKS
+++ b/THANKS
@@ -67,6 +67,7 @@ mEDI
 Merijn Schering
 Michael C. Haller
 Michael Hanselmann
+Mika (mkl)
 Nick Munger
 onorua
 Patrick Börjesson
diff --git a/config/filter.d/tine20.conf b/config/filter.d/tine20.conf
index a878d890..0fa6eccd 100644
--- a/config/filter.d/tine20.conf
+++ b/config/filter.d/tine20.conf
@@ -6,8 +6,16 @@
 
 [Definition]
 
-failregex = Login with username .* from failed
+failregex = ^[\da-f]{5,} [\da-f]{5,} (-- none --|.*?)( \d+(\.\d+)?(h|m|s|ms)){0,2} - WARN \(\d+\): Tinebase_Controller::login::\d+ Login with username .*? from failed \(-[13]\)!$
 
 ignoreregex = 
 
-# Author: mkl from Tine20.org forum
+# Author: Mika (mkl) from Tine20.org forum: https://www.tine20.org/forum/viewtopic.php?f=2&t=15688&p=54766
+# Editor: Daniel Black
+# Advisor: Lars Kneschke
+#
+# Usernames can contain spaces.
+#
+# Authentication: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Controller.php#l105
+# Logger: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Log/Formatter.php
+# formatMicrotimeDiff: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Helper.php#l276
diff --git a/fail2ban/tests/files/logs/tine20 b/fail2ban/tests/files/logs/tine20
new file mode 100644
index 00000000..dbb9f424
--- /dev/null
+++ b/fail2ban/tests/files/logs/tine20
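Review bot: The tail `\(-[13]\)!$` counts only two failure codes, so a login that Tine logs with any other code is never counted; the values look like Zend_Auth_Result codes (where -2 is an ambiguous identity and -4 uncategorised), and if Tine passes those through — confirm against the linked Controller.php — `\(-\d+\)!$` plus a comment listing the codes gives better detection coverage. In `(-- none --|.*?)` the literal alternative is redundant because `.*?` already matches it, and the optional timing group `( \d+(\.\d+)?(h|m|s|ms)){0,2}` is not exercised by any sample line. Keep the trailing `$` anchor: because usernames may contain spaces, it is what forces `<HOST>` to bind to the address the application appended rather than to text inside the username. A comment such as `# Anchored at $ so a username containing spaces cannot shift <HOST>.` would stop a later edit from dropping it.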
@@ -0,0 +1,7 @@
+# Wrong username (-1) error
+# failJSON: { "time": "2014-01-13T06:02:22", "match": true, "host": "127.0.0.1" }
+78017 00cff -- none -- - 2014-01-13T05:02:22+00:00 WARN (4): Tinebase_Controller::login::106 Login with username sdfsadf from 127.0.0.1 failed (-1)!
+
+# Wrong password (-3) error
+# failJSON: { "time": "2014-01-21T05:38:14", "match": true, "host": "127.0.0.1" }
+8e035 ffff3 -- none -- - 2014-01-21T04:38:14+00:00 WARN (4): Tinebase_Controller::login::106 Login with username testuser from 127.0.0.1 failed (-3)!
diff --git a/testcases/files/logs/tine20 b/testcases/files/logs/tine20
deleted file mode 100644
index 87d5c8ae..00000000
--- a/testcases/files/logs/tine20
+++ /dev/null
@@ -1,2 +0,0 @@
-# failJSON: { "time": "2014-01-13T05:02:22", "match": true, "host": "127.0.0.1" }
-78017 00cff -- none -- - 2014-01-13T05:02:22+00:00 WARN (4): Tinebase_Controller::login::106 Login with username sdfsadf from 127.0.0.1 failed (-1)!
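Review bot: Both samples are positive matches of the plain `-- none --` form, so the regex's optional timing group and its `$` anchor are untested; add one entry of the same format with the timing fields present and one `"match": false` entry (a successful-login or unrelated `WARN` line in the same format) so a future loosening of the pattern is caught by the suite. The failJSON `time` values are one hour ahead of the `+00:00` stamps in the lines (06:02:22 for 05:02:22+00:00), i.e. they are written in a UTC+1 local zone; as far as I recall the test harness pins `TZ` to Europe/Zurich, which makes this correct but not obvious. A leading comment such as `# failJSON times are harness-local time (UTC+1 in January), not the +00:00 stamp in the line.` would save the next contributor the confusion.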