From fe1475be952c8d76527bbe4b0c1249b0e6b10bf4 Mon Sep 17 00:00:00 2001 From: theDogOfPavlov Date: Mon, 21 Mar 2016 05:59:59 +0000 Subject: [PATCH 1/3] Additional exim regexes to cover common attacks... --- config/filter.d/exim.conf | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/config/filter.d/exim.conf b/config/filter.d/exim.conf index 11fd03d1..1af15430 100644 --- a/config/filter.d/exim.conf +++ b/config/filter.d/exim.conf @@ -14,10 +14,13 @@ before = exim-common.conf [Definition] failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$ - ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[\](:\d+)?( I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$ - ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$ - ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$ - ^%(pid)s SMTP call from \S+ \[\](:\d+)? (I=\[\S+\](:\d+)? )?dropped: too many nonmail commands \(last was "\S+"\)\s*$ + ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[\](:\d+)?( I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$ + ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$ + ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$ + ^%(pid)s SMTP call from \S+ \[\](:\d+)? (I=\[\S+\](:\d+)? )?dropped: too many nonmail commands \(last was "\S+"\)\s*$ + ^%(pid)s SMTP protocol error in "AUTH LOGIN(| \S*)" H=\(\S*\) \[\]\:\d+ I=\[\S*\]\:\d+ AUTH command used when not advertised\s*$ + ^%(pid)s no MAIL in SMTP connection from (|\S* )\[\]\:\d+ I=\[\S*\]\:\d+ D=\d+s(| C=\S*)\s*$ + ^%(pid)s \S+ SMTP connection from (|\S* )(|\(\S*\))\[\]\:\d+ I=\[\S*\]\:\d+ closed by DROP in ACL\s*$ ignoreregex = @@ -30,3 +33,4 @@ ignoreregex = # # Author: Cyril Jaquier # Daniel Black (rewrote with strong regexs) +# Martin O'Neal (added additional regexs to detect authentication failures, protocol errors, and drops) From 28e246b5d78f59753dcc6eacb94ef021d051e4c9 Mon Sep 17 00:00:00 2001 From: theDogOfPavlov Date: Wed, 23 Mar 2016 11:52:09 +0000 Subject: [PATCH 2/3] added note to cover additional exim filters --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 7681e425..48829ef0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,7 @@ ver. 0.9.5 (2015/XX/XXX) - wanna-be-released - Enhancements: * journald journalmatch for pure-ftpd (gh-1362) + * added additional regex filters for exim ver. 0.9.4 (2016/03/08) - for-you-ladies From 33ef2311e7b6d31d940bec14358109841e1bed89 Mon Sep 17 00:00:00 2001 From: theDogOfPavlov Date: Wed, 23 Mar 2016 11:58:03 +0000 Subject: [PATCH 3/3] added tests to cover exim regex additions --- fail2ban/tests/files/logs/exim | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/fail2ban/tests/files/logs/exim b/fail2ban/tests/files/logs/exim index c015eb29..36185604 100644 --- a/fail2ban/tests/files/logs/exim +++ b/fail2ban/tests/files/logs/exim @@ -43,3 +43,16 @@ # failJSON: { "time": "2014-12-02T03:00:23", "match": true , "host": "193.254.202.35" } 2014-12-02 03:00:23 auth_plain authenticator failed for (rom182) [193.254.202.35]:41556 I=[10.0.0.1]:25: 535 Incorrect authentication data (set_id=webmaster) + +# failJSON: { "time": "2016-03-18T00:34:06", "match": true , "host": "45.32.34.167" } +2016-03-18 00:34:06 [7513] SMTP protocol error in "AUTH LOGIN" H=(ylmf-pc) [45.32.34.167]:60723 I=[172.89.0.6]:587 AUTH command used when not advertised +# failJSON: { "time": "2016-03-19T18:40:44", "match": true , "host": "92.45.204.170" } +2016-03-19 18:40:44 [26221] SMTP protocol error in "AUTH LOGIN aW5mb0BtYW5iYXQub3Jn" H=([127.0.0.1]) [92.45.204.170]:14243 I=[172.89.0.6]:587 AUTH command used when not advertised +# failJSON: { "time": "2016-03-21T06:38:05", "match": true , "host": "49.212.207.15" } +2016-03-21 06:38:05 [5718] no MAIL in SMTP connection from www3005.sakura.ne.jp [49.212.207.15]:28890 I=[172.89.0.6]:25 D=21s C=EHLO,STARTTLS +# failJSON: { "time": "2016-03-21T06:57:36", "match": true , "host": "122.165.71.116" } +2016-03-21 06:57:36 [5908] no MAIL in SMTP connection from [122.165.71.116]:2056 I=[172.89.0.6]:25 D=10s +# failJSON: { "time": "2016-03-21T04:07:49", "match": true , "host": "174.137.147.204" } +2016-03-21 04:07:49 [25874] 1ahr79-0006jK-G9 SMTP connection from (voyeur.webair.com) [174.137.147.204]:44884 I=[172.89.0.6]:25 closed by DROP in ACL +# failJSON: { "time": "2016-03-21T04:33:13", "match": true , "host": "206.214.71.53" } +2016-03-21 04:33:13 [26074] 1ahrVl-0006mY-79 SMTP connection from riveruse.com [206.214.71.53]:39865 I=[172.89.0.6]:25 closed by DROP in ACL