diff --git a/ChangeLog b/ChangeLog
index 9e514089..5bdb9be4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -390,13 +390,18 @@ releases. * filter.d/apache-overflows.conf: - Fixes resources greedy expression (see gh-1790); - Rewritten without end-anchor ($), because of potential vulnerability on very long URLs.
+* filter.d/apache-badbots.conf - extended to recognize Jorgee Vulnerability Scanner (gh-1882)
 * filter.d/asterisk.conf - fixed failregex AMI Asterisk authentification failed (see gh-1302)
+* filter.d/dovecot.conf - fixed failregex, see gh-1879 (partially cherry-picked from gh-1880)
+* filter.d/exim.conf - fixed failregex for case of flood attempts with `D=0s` (gh-1887)
 ### New Features
 ### Enhancements
 * action.d/cloudflare.conf - Cloudflare API v4 implementation (gh-1651)
 * filter.d/kerio.conf - filter extended with new rules (see gh-1455)
+* filter.d/phpmyadmin-syslog.conf - new filter for phpMyAdmin using syslog for auth logging
+* filter.d/zoneminder.conf - new filter for ZoneMinder (gh-1376)
 ver. 0.9.7 (2017/05/11) - awaiting-victory
diff --git a/config/filter.d/apache-badbots.conf b/config/filter.d/apache-badbots.conf
index f42aa159..12d4105b 100644
--- a/config/filter.d/apache-badbots.conf
+++ b/config/filter.d/apache-badbots.conf
@@ -7,7 +7,7 @@ [Definition]
-badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider
+badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider|(?:Mozilla/\d+\.\d+ )?Jorgee
 badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 \+http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots, 
\+http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00
 failregex = ^ -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
diff --git a/config/filter.d/exim.conf b/config/filter.d/exim.conf
index 2151a161..3c362490 100644
--- a/config/filter.d/exim.conf
+++ b/config/filter.d/exim.conf
@@ -22,7 +22,7 @@ failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|
 ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
 ^%(pid)s SMTP call from \S+ %(host_info)sdropped: too many nonmail commands \(last was "\S+"\)\s*$
 ^%(pid)s SMTP protocol error in "AUTH \S*(?: \S*)?" %(host_info)sAUTH command used when not advertised\s*$
- ^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S+s(?: C=\S*)?\s*$
+ ^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S*s(?: C=\S*)?\s*$
 ^%(pid)s (?:[\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$
 ignoreregex =
diff --git a/config/filter.d/phpmyadmin-syslog.conf b/config/filter.d/phpmyadmin-syslog.conf
new file mode 100644
index 00000000..5b0862bb
--- /dev/null
+++ b/config/filter.d/phpmyadmin-syslog.conf
@@ -0,0 +1,18 @@
+# Fail2Ban fitler for the phpMyAdmin-syslog
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = phpMyAdmin
+
+failregex = ^%(__prefix_line)suser denied: (?:\S+|.*?) \(mysql-denied\) from \s*$
+
+ignoreregex =
+
+
+# Author: Pavel Mihadyuk
+# Regex fixes: Serg G. Brester 
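Review bot: The new `(?:Mozilla/\d+\.\d+ )?Jorgee` alternative in `badbotscustom` comes with no sample line for fail2ban/tests/files/logs/apache-badbots, while every other filter touched by this commit gets a fixture change (no change to that file appears in this diff); add one `# failJSON` pair with a constructed request whose User-Agent is `Mozilla/5.0 Jorgee` and one with bare `Jorgee`, so both sides of the optional group are exercised. Every alternative added here, including this one, is only reached after the surrounding failregex (the context line below) backtracks through `.*HTTP.*"` on an attacker-supplied request line that is still end-anchored with `$`; the ChangeLog hunk in this same commit removes that anchor from apache-overflows.conf for exactly that reason on very long URLs, so the same review is worth scheduling for this file, though it is outside this hunk. Since the alternation is bounded by `"` on both sides, a scanner that appends anything after `Jorgee` will not match; a short comment above `badbotscustom`, e.g. `# entries are matched as the complete User-Agent string`, would make that exact-match contract explicit.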
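Review bot: `D=\d\S*s` on the `+` line accepts any non-space run that starts with a digit and ends in `s`, so a tighter form such as `D=\d+(?:[dhm]\d+)*s` would still match `D=0s`, `D=21s` and `D=2m30s` while rejecting unrelated tokens, assuming Exim only prints d/h/m/s units; the trailing `(?: C=\S*)?\s*$` anchor limits the practical impact, so this is a precision point rather than a defect. The fixture change in fail2ban/tests/files/logs/exim rewrites the existing `D=10s` sample that carries a `:2056` port suffix into `D=0s` instead of adding a new entry, so the `[host]:port … D=10s` variant loses its coverage; keep the old line and add the `D=0s` case as a separate `# failJSON` pair. The failregex list begins before and continues past this hunk.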
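Review bot: The header comment on the first `+` line misspells the word and reads awkwardly: `# Fail2Ban fitler for the phpMyAdmin-syslog` should read `# Fail2Ban filter for phpMyAdmin authentication failures logged via syslog`. The user-name slot `(?:\S+|.*?)` holds text chosen by whoever attempts the login, and the only thing that stops a user name containing the literal delimiter text from being parsed as the host is the `\s*$` anchor at the end of the failregex; a comment such as `# keep the end anchor: the user name is untrusted and may itself contain " (mysql-denied) from "` would protect it from a later "simplification". The fixture in fail2ban/tests/files/logs/phpmyadmin-syslog only covers the `\S+` branch (`root`); a second sample with a space-containing user name would exercise the `.*?` branch. As rendered here the failregex ends in `from \s*$` with no `<HOST>` tag, which is presumably a rendering artifact, since the fixture expects an address to be extracted.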
diff --git a/config/filter.d/zoneminder.conf b/config/filter.d/zoneminder.conf
new file mode 100644
index 00000000..cc82755a
--- /dev/null
+++ b/config/filter.d/zoneminder.conf
@@ -0,0 +1,21 @@
+# Fail2Ban filter for Zoneminder login failures
+
+[INCLUDES]
+before = apache-common.conf
+
+[Definition]
+
+# pattern: [Wed Apr 27 23:12:07.736196 2016] [:error] [pid 2460] [client 10.1.1.1:47296] WAR [Login denied for user "test"], referer: https://zoneminderurl/index.php
+#
+#
+# Option: failregex
+# Notes.: regex to match the password failure messages in the logfile.
+
+failregex = ^%(_apache_error_client)s WAR \[Login denied for user "[^"]*"\]
+
+ignoreregex =
+
+# Notes:
+# Tested on Zoneminder 1.29.0
+#
+# Author: John Marzella
diff --git a/config/jail.conf b/config/jail.conf
index 7c696176..a9a93eb0 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -875,3 +875,17 @@ logpath = /var/log/slapd.log
 port = smtp,ssmtp
 filter = domino-smtp
 logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log
+
+[phpmyadmin-syslog]
+port = http,https
+filter = phpmyadmin-syslog
+logpath = %(syslog_authpriv)s
+backend = %(syslog_backend)s
+
+
+[zoneminder]
+# Zoneminder HTTP/HTTPS web interface auth
+# Logs auth failures to apache2 error log
+port = http,https
+logpath = %(apache_error_log)s
+
diff --git a/fail2ban/tests/files/logs/exim b/fail2ban/tests/files/logs/exim
index 8f3ac1bb..f87d393b 100644
--- a/fail2ban/tests/files/logs/exim
+++ b/fail2ban/tests/files/logs/exim
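Review bot: The new `[zoneminder]` section sets no `filter =` while `[phpmyadmin-syslog]`, added in the same hunk, sets `filter = phpmyadmin-syslog` explicitly; presumably the DEFAULT `filter = %(__name__)s` resolves the zoneminder filter by jail name, but the two new sections should follow one convention, so add `filter = zoneminder` under `[zoneminder]`. `[phpmyadmin-syslog]` also lacks the one-line purpose comment that `[zoneminder]` carries; `# phpMyAdmin web login failures, logged via syslog (see filter.d/phpmyadmin-syslog.conf)` would match the style of the neighbouring section. The hunk ends with an added empty line after `logpath = %(apache_error_log)s`, leaving a stray blank last line at end of file.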
@@ -53,7 +53,7 @@
 # failJSON: { "time": "2016-03-21T06:38:05", "match": true , "host": "49.212.207.15" }
 2016-03-21 06:38:05 [5718] no MAIL in SMTP connection from www3005.sakura.ne.jp [49.212.207.15]:28890 I=[172.89.0.6]:25 D=21s C=EHLO,STARTTLS
 # failJSON: { "time": "2016-03-21T06:57:36", "match": true , "host": "122.165.71.116" }
-2016-03-21 06:57:36 [5908] no MAIL in SMTP connection from [122.165.71.116]:2056 I=[172.89.0.6]:25 D=10s
+2016-03-21 06:57:36 [5908] no MAIL in SMTP connection from [122.165.71.116]:2056 I=[172.89.0.6]:25 D=0s
 # failJSON: { "time": "2016-03-21T06:57:36", "match": true , "host": "122.165.71.116" }
 2016-03-21 06:57:36 [5908] no MAIL in SMTP connection from [122.165.71.116] I=[172.89.0.6]:25 D=10s
 # failJSON: { "time": "2016-03-21T04:07:49", "match": true , "host": "174.137.147.204" }
diff --git a/fail2ban/tests/files/logs/phpmyadmin-syslog b/fail2ban/tests/files/logs/phpmyadmin-syslog
new file mode 100644
index 00000000..f32a2476
--- /dev/null
+++ b/fail2ban/tests/files/logs/phpmyadmin-syslog
@@ -0,0 +1,2 @@
+# failJSON: { "time": "2004-08-22T14:50:22", "match": true , "host": "192.0.2.1" }
+Aug 22 14:50:22 eurostream phpMyAdmin[16358]: user denied: root (mysql-denied) from 192.0.2.1
diff --git a/fail2ban/tests/files/logs/zoneminder b/fail2ban/tests/files/logs/zoneminder
new file mode 100644
index 00000000..abd49869
--- /dev/null
+++ b/fail2ban/tests/files/logs/zoneminder
@@ -0,0 +1,2 @@
+# failJSON: { "time": "2016-03-28T16:50:49", "match": true , "host": "10.1.1.1" }
+[Mon Mar 28 16:50:49.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "username1"], referer: https://zoneminder/