From 5b4bc2aafda544dcd606dc68c1706247be6992f0 Mon Sep 17 00:00:00 2001 From: Pavel Mihadyuk Date: Tue, 22 Aug 2017 18:19:55 +0300 Subject: [PATCH 01/20] Added filter for phpMyAdmin+syslog (>=4.7.0). Closes #1713 --- ChangeLog | 1 + config/filter.d/phpmyadmin-syslog.conf | 17 +++++++++++++++++ .../tests/files/logs/phpmyadmin-syslog.conf | 2 ++ 3 files changed, 20 insertions(+) create mode 100644 config/filter.d/phpmyadmin-syslog.conf create mode 100644 fail2ban/tests/files/logs/phpmyadmin-syslog.conf diff --git a/ChangeLog b/ChangeLog index 5aa24b510..4b1e5e61d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -30,6 +30,7 @@ releases. ### Enhancements * action.d/cloudflare.conf - Cloudflare API v4 implementation (gh-1651) * filter.d/kerio.conf - filter extended with new rules (see gh-1455) +* filter.d/phpmyadmin-syslog.conf - new filter for phpMyAdmin using syslog for auth logging ver. 0.9.7 (2017/05/11) - awaiting-victory diff --git a/config/filter.d/phpmyadmin-syslog.conf b/config/filter.d/phpmyadmin-syslog.conf new file mode 100644 index 000000000..79eac71aa --- /dev/null +++ b/config/filter.d/phpmyadmin-syslog.conf @@ -0,0 +1,17 @@ +# Fail2Ban fitler for the phpMyAdmin-syslog +# + +[INCLUDES] + +before = common.conf + +[Definition] + +_daemon = phpMyAdmin + +failregex = ^%(__prefix_line)suser denied: .* \(mysql-denied\) from \s*$ + +ignoreregex = + + +# Author: Pavel Mihadyuk diff --git a/fail2ban/tests/files/logs/phpmyadmin-syslog.conf b/fail2ban/tests/files/logs/phpmyadmin-syslog.conf new file mode 100644 index 000000000..eef6e3b24 --- /dev/null +++ b/fail2ban/tests/files/logs/phpmyadmin-syslog.conf @@ -0,0 +1,2 @@ +# failJSON: { "time": "2017-08-22T14:50:22", "match": true , "host": "81.62.21.201" } +Aug 22 14:50:22 eurostream phpMyAdmin[16358]: user denied: root (mysql-denied) from 81.62.21.201 From 41994fcb5609bc36ea5f137b65d5e797ea27cefc Mon Sep 17 00:00:00 2001 
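Review bot: The new filter's header comment misspells the word filter (`# Fail2Ban fitler for the phpMyAdmin-syslog`) and none of the later commits in this series correct it; suggest `# Fail2Ban filter for phpMyAdmin authentication failures logged via syslog`. The commit subject ties the filter to phpMyAdmin >= 4.7.0, but that requirement is recorded nowhere in the filter file, so a second header line such as `# Requires phpMyAdmin >= 4.7.0 (auth logging to syslog); see the jail's logpath` would spare the next maintainer a trip through git log. The greedy `.*` in the user field and the public IP in the sample line are both replaced by the fourth commit of the series, so they are not re-raised here.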
From: Pavel Mihadyuk Date: Tue, 22 Aug 2017 18:46:33 +0300 Subject: [PATCH 02/20] Added filter for phpMyAdmin+syslog (>=4.7.0) --- fail2ban/tests/files/logs/phpmyadmin-syslog | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 fail2ban/tests/files/logs/phpmyadmin-syslog diff --git a/fail2ban/tests/files/logs/phpmyadmin-syslog b/fail2ban/tests/files/logs/phpmyadmin-syslog new file mode 100644 index 000000000..eef6e3b24 --- /dev/null +++ b/fail2ban/tests/files/logs/phpmyadmin-syslog @@ -0,0 +1,2 @@ +# failJSON: { "time": "2017-08-22T14:50:22", "match": true , "host": "81.62.21.201" } +Aug 22 14:50:22 eurostream phpMyAdmin[16358]: user denied: root (mysql-denied) from 81.62.21.201 From d09304b897e4499fbf8095344e9818a71a2ba6fd Mon Sep 17 00:00:00 2001 From: Pavel Mihadyuk Date: Tue, 22 Aug 2017 19:00:48 +0300 Subject: [PATCH 03/20] phpmyadmin-syslog: added default jail config --- config/jail.conf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/config/jail.conf b/config/jail.conf index 9296b6af1..cf652fe28 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -860,3 +860,9 @@ logpath = /var/log/slapd.log port = smtp,ssmtp filter = domino-smtp logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log + +[phpmyadmin-syslog] +port = http,https +filter = phpmyadmin-syslog +logpath = %(syslog_authpriv)s +backend = %(syslog_backend)s From 4c1abe1cbf08005f20aae01eea735feeed251a8e Mon Sep 17 00:00:00 2001 From: Pavel Mihadyuk Date: Wed, 23 Aug 2017 16:55:16 +0300 Subject: [PATCH 04/20] phpmyadmin-syslog: removed excess file, fixed test, updated failregex --- config/filter.d/phpmyadmin-syslog.conf | 3 ++- fail2ban/tests/files/logs/phpmyadmin-syslog | 4 ++-- fail2ban/tests/files/logs/phpmyadmin-syslog.conf | 2 -- 3 files changed, 4 insertions(+), 5 deletions(-) delete mode 100644 fail2ban/tests/files/logs/phpmyadmin-syslog.conf diff --git a/config/filter.d/phpmyadmin-syslog.conf b/config/filter.d/phpmyadmin-syslog.conf index 79eac71aa..5b0862bb4 100644 
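Review bot: The added `[phpmyadmin-syslog]` jail carries no comment, unlike the `[zoneminder]` jail added later in this series, so a reader of jail.conf cannot tell that phpMyAdmin must be configured to write its auth log to syslog and, per the first commit's subject, needs phpMyAdmin >= 4.7.0. Suggest two comment lines above `port = http,https`: `# phpMyAdmin >= 4.7.0 with auth logging sent to syslog (see filter.d/phpmyadmin-syslog.conf)` and `# logpath/backend follow the syslog_authpriv / syslog_backend defaults of this file`. Whether authpriv is the facility phpMyAdmin actually logs to cannot be confirmed from this patch — the sample line only shows the program name `phpMyAdmin[16358]`, not the facility — so that choice of `%(syslog_authpriv)s` should be checked against phpMyAdmin's logging configuration before the jail is enabled by default.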
--- a/config/filter.d/phpmyadmin-syslog.conf +++ b/config/filter.d/phpmyadmin-syslog.conf @@ -9,9 +9,10 @@ before = common.conf _daemon = phpMyAdmin -failregex = ^%(__prefix_line)suser denied: .* \(mysql-denied\) from \s*$ +failregex = ^%(__prefix_line)suser denied: (?:\S+|.*?) \(mysql-denied\) from \s*$ ignoreregex = # Author: Pavel Mihadyuk +# Regex fixes: Serg G. Brester diff --git a/fail2ban/tests/files/logs/phpmyadmin-syslog b/fail2ban/tests/files/logs/phpmyadmin-syslog index eef6e3b24..f32a2476b 100644 --- a/fail2ban/tests/files/logs/phpmyadmin-syslog +++ b/fail2ban/tests/files/logs/phpmyadmin-syslog @@ -1,2 +1,2 @@ -# failJSON: { "time": "2017-08-22T14:50:22", "match": true , "host": "81.62.21.201" } -Aug 22 14:50:22 eurostream phpMyAdmin[16358]: user denied: root (mysql-denied) from 81.62.21.201 +# failJSON: { "time": "2004-08-22T14:50:22", "match": true , "host": "192.0.2.1" } +Aug 22 14:50:22 eurostream phpMyAdmin[16358]: user denied: root (mysql-denied) from 192.0.2.1 diff --git a/fail2ban/tests/files/logs/phpmyadmin-syslog.conf b/fail2ban/tests/files/logs/phpmyadmin-syslog.conf deleted file mode 100644 index eef6e3b24..000000000 --- a/fail2ban/tests/files/logs/phpmyadmin-syslog.conf +++ /dev/null @@ -1,2 +0,0 @@ -# failJSON: { "time": "2017-08-22T14:50:22", "match": true , "host": "81.62.21.201" } -Aug 22 14:50:22 eurostream phpMyAdmin[16358]: user denied: root (mysql-denied) from 81.62.21.201 From c312962029bdae1d3908c04fe86b7717c6938a34 Mon Sep 17 00:00:00 2001 From: sebres Date: Fri, 1 Sep 2017 10:57:41 +0200 Subject: [PATCH 05/20] filter.d/dovecot.conf: partially cherry-pick to 0.9 PR #1880 from sebres/0.10-fix-dovecot-regex (d926e11a5c0d5a0d3a724f04f7b4540c6d873b4b) fixed failregex (without new mode aggressive) --- config/filter.d/dovecot.conf | 13 ++++++++----- fail2ban/tests/files/logs/dovecot | 3 +++ 2 files changed, 11 insertions(+), 5 deletions(-) 
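Review bot: The fixed failregex `user denied: (?:\S+|.*?) \(mysql-denied\) from …\s*$` gains a `.*?` branch for user names containing spaces, but the only sample in fail2ban/tests/files/logs/phpmyadmin-syslog still uses the single-token name `root`, so that branch is unexercised; a second failJSON/log pair with a name such as `my user` (constructed) would cover it. The ordering of the alternatives is deliberate and deserves a comment in the filter, e.g. `# \S+ first for the usual single-word user; .*? only as fallback, and the trailing $ keeps the host tag bound to the last "from" field of the line`, since the user name is attacker-chosen text and the end anchor is what stops an injected "(mysql-denied) from x" inside it from displacing the real address. The fail2ban host tag that follows `from ` has been stripped in this rendering of the patch; the comment assumes it is present as in the original file.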
diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf
index d4b495767..cf217bcbd 100644
--- a/config/filter.d/dovecot.conf
+++ b/config/filter.d/dovecot.conf
@@ -7,12 +7,15 @@ before = common.conf [Definition] -_daemon = (auth|dovecot(-auth)?|auth-worker) +_auth_worker = (?:dovecot: )?auth(?:-worker)? +_daemon = (?:dovecot(?:-auth)?|auth) -failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(?:\s+user=\S*)?\s*$ - ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]*>,)?( method=\S+,)? rip=(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$ - ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$ - ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:Info: )?[a-z\-]{3,15}\(\S*,(?:,\S*)?\): (?:unknown user|invalid credentials)\s*$ +__prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap)-login: )?(?:Info: )? + +failregex = ^%(__prefregex)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(?:\s+user=\S*)?\s*$ + ^%(__prefregex)s(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=(?:[^>]*(?:, session=<\S+>)?)\s*$ + ^%(__prefregex)spam\(\S+,\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$ + ^%(__prefregex)s[a-z\-]{3,15}\(\S*,(?:,\S*)?\): (?:unknown user|invalid credentials)\s*$ ignoreregex = 
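Review bot: The rewritten second failregex replaces the explicit `lip=\S+` / `TLS…` tail with `rip=…(?:[^>]*(?:, session=…)?)\s*$`, which accepts any trailing text up to an optional session field; that is what lets the new sample line (`TLS: Disconnected, TLSv1.2 with cipher …`) match, but it is a deliberate loosening that the file does not explain. Suggest a comment above `failregex`: `# the tail after rip= is intentionally permissive ([^>]*): dovecot appends varying TLS/cipher details; only the optional session= field is pinned`. `_auth_worker` and `__prefregex` are likewise new helper names with no comment; one line each, `# optional "dovecot: auth(...)" / "auth-worker(...)" sub-process prefix` and `# common optional prefix shared by all failregex lines`, would let the four patterns be read without reconstructing the removed ones from history. Every component of `__prefregex` is optional, so all four patterns now also match lines carrying none of the pam/login/Info markers; if that widening is intended it is worth stating in the same comment.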
diff --git a/fail2ban/tests/files/logs/dovecot b/fail2ban/tests/files/logs/dovecot index 1614ff8cc..f564b76ea 100644 --- a/fail2ban/tests/files/logs/dovecot +++ b/fail2ban/tests/files/logs/dovecot @@ -81,3 +81,6 @@ Mar 23 06:10:52 auth: Info: ldap(dog,52.37.139.121,): invalid credentials Jul 26 11:11:21 hostname dovecot: imap-login: Disconnected: Too many invalid commands (tried to use disallowed plaintext auth): user=, rip=192.0.2.1, lip=192.168.1.1, session= # failJSON: { "time": "2005-07-26T11:12:19", "match": true , "host": "192.0.2.2" } Jul 26 11:12:19 hostname dovecot: imap-login: Disconnected: Too many invalid commands (auth failed, 1 attempts in 17 secs): user=, method=PLAIN, rip=192.0.2.2, lip=192.168.1.1, TLS, session= + +# failJSON: { "time": "2004-08-28T06:38:51", "match": true , "host": "192.0.2.3" } +Aug 28 06:38:51 s166-62-100-187 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 9 secs): user=, method=PLAIN, rip=192.0.2.3, lip=192.168.1.2, TLS: Disconnected, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) From a90f6c4ae817873c2e3090a0dd24c457636b2e6e Mon Sep 17 00:00:00 2001 From: john Date: Tue, 29 Mar 2016 21:25:25 +1100 Subject: [PATCH 06/20] added zoneminder jail and filter # Conflicts: # config/jail.conf --- config/jail.conf | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/config/jail.conf b/config/jail.conf index cf652fe28..870d7f43c 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -866,3 +866,14 @@ port = http,https filter = phpmyadmin-syslog logpath = %(syslog_authpriv)s backend = %(syslog_backend)s + + +[zoneminder] +# Zoneminder HTTP/HTTPS web interface auth +# Logs auth failures to apache2 error log +enabled = false +port = http,https +filter = zoneminder +logpath = /var/log/apache*/*error.log +maxretry = 3 + From 08878d22dda512b2d01d0649a1cf0e86023d9b2d Mon Sep 17 00:00:00 2001 
From: john Date: Tue, 29 Mar 2016 21:31:26 +1100 Subject: [PATCH 07/20] added zoneminder.conf filter --- config/filter.d/zoneminder.conf | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 config/filter.d/zoneminder.conf diff --git a/config/filter.d/zoneminder.conf b/config/filter.d/zoneminder.conf new file mode 100644 index 000000000..00da76d9f --- /dev/null +++ b/config/filter.d/zoneminder.conf @@ -0,0 +1,23 @@ +# Fail2Ban filter for Zoneminder login failures +# + +[Definition] + +# patern : [client 10.1.1.1:38022] WAR [Login denied for user "test"], referer: https://zoneminderurl/ +# +# +# Option: failregex +# Notes.: regex to match the password failure messages in the logfile. The +# host must be matched by a group named "host". The tag "" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P[\w\-.^_]+) + + +failregex = [[]client :\d\d\d\d\d] WAR [[]Login denied for user + +ignoreregex = + +# Notes: +# Tested on Zoneminder 1.29.0 +# +# Author: John Marzella From 44c4496e49a0a37995ba452e52f42f957c2422dc Mon Sep 17 00:00:00 2001 From: john Date: Tue, 29 Mar 2016 21:43:36 +1100 Subject: [PATCH 08/20] added sample log files --- fail2ban/tests/files/logs/zoneminder | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 fail2ban/tests/files/logs/zoneminder diff --git a/fail2ban/tests/files/logs/zoneminder b/fail2ban/tests/files/logs/zoneminder new file mode 100644 index 000000000..c27a0c7b6 --- /dev/null +++ b/fail2ban/tests/files/logs/zoneminder 
@@ -0,0 +1,6 @@ +[Mon Mar 28 10:51:24.201977 2016] [:error] [pid 29646] [client 10.1.1.2:46454] INF [Login successful for user "gooduser1"] +[Mon Mar 28 16:50:45.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "baduser1"], referer: https://zoneminder/ +[Mon Mar 28 16:50:46.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "baduser1"], referer: https://zoneminder/ +[Mon Mar 28 16:50:47.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "baduser1"], referer: https://zoneminder/ +[Mon Mar 28 16:50:48.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "baduser1"], referer: https://zoneminder/ +[Mon Mar 28 16:50:49.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "baduser1"], referer: https://zoneminder/ From 4d8ba7b668de0e3cbf82c7986d60fc6dcfa70d90 Mon Sep 17 00:00:00 2001 From: john Date: Wed, 30 Mar 2016 15:36:48 +1100 Subject: [PATCH 09/20] fixed test log file --- fail2ban/tests/files/logs/zoneminder | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/fail2ban/tests/files/logs/zoneminder b/fail2ban/tests/files/logs/zoneminder index c27a0c7b6..63d8bbd4c 100644 --- a/fail2ban/tests/files/logs/zoneminder +++ b/fail2ban/tests/files/logs/zoneminder 
@@ -1,6 +1,2 @@ -[Mon Mar 28 10:51:24.201977 2016] [:error] [pid 29646] [client 10.1.1.2:46454] INF [Login successful for user "gooduser1"] -[Mon Mar 28 16:50:45.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "baduser1"], referer: https://zoneminder/ -[Mon Mar 28 16:50:46.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "baduser1"], referer: https://zoneminder/ -[Mon Mar 28 16:50:47.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "baduser1"], referer: https://zoneminder/ -[Mon Mar 28 16:50:48.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "baduser1"], referer: https://zoneminder/ -[Mon Mar 28 16:50:49.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "baduser1"], referer: https://zoneminder/ +# failJSON { "time": "2016-03-28T16:50:49", "match": true , "host": "10.1.1.1" } +[Mon Mar 28 16:50:49.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "username1"], referer: https://zoneminder/ From 776d463e9299283318e53145eceded5256bc2703 Mon Sep 17 00:00:00 2001 From: john Date: Wed, 30 Mar 2016 15:46:37 +1100 Subject: [PATCH 10/20] added missing colon to failJSON --- fail2ban/tests/files/logs/zoneminder | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fail2ban/tests/files/logs/zoneminder b/fail2ban/tests/files/logs/zoneminder index 63d8bbd4c..abd49869e 100644 --- a/fail2ban/tests/files/logs/zoneminder +++ b/fail2ban/tests/files/logs/zoneminder @@ -1,2 +1,2 @@ -# failJSON { "time": "2016-03-28T16:50:49", "match": true , "host": "10.1.1.1" } +# failJSON: { "time": "2016-03-28T16:50:49", "match": true , "host": "10.1.1.1" } [Mon Mar 28 16:50:49.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "username1"], referer: https://zoneminder/ From 3d45fd2713b32c423d1f499fb5509f6be9c10a0b Mon Sep 17 00:00:00 2001 
From: john Date: Fri, 1 Apr 2016 22:16:30 +1100 Subject: [PATCH 11/20] implemented yarikoptic's suggestions in fail2ban pull request #1376 --- config/filter.d/zoneminder.conf | 4 ++-- config/jail.conf | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/config/filter.d/zoneminder.conf b/config/filter.d/zoneminder.conf index 00da76d9f..83b1463ac 100644 --- a/config/filter.d/zoneminder.conf +++ b/config/filter.d/zoneminder.conf @@ -3,7 +3,7 @@ [Definition] -# patern : [client 10.1.1.1:38022] WAR [Login denied for user "test"], referer: https://zoneminderurl/ +# pattern: [client 10.1.1.1:38022] WAR [Login denied for user "test"], referer: https://zoneminderurl/ # # # Option: failregex @@ -13,7 +13,7 @@ # (?:::f{4,6}:)?(?P[\w\-.^_]+) -failregex = [[]client :\d\d\d\d\d] WAR [[]Login denied for user +failregex = ^[[]client :\d\d\d\d\d] WAR [[]Login denied for user \S*], referer: \S*$ ignoreregex = diff --git a/config/jail.conf b/config/jail.conf index 870d7f43c..83a41c51f 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -873,7 +873,6 @@ backend = %(syslog_backend)s # Logs auth failures to apache2 error log enabled = false port = http,https -filter = zoneminder -logpath = /var/log/apache*/*error.log +logpath = %(apache_error_log)s maxretry = 3 From 5c3a666380d8591976b757c53a17c374d17f30dd Mon Sep 17 00:00:00 2001 From: john Date: Fri, 1 Apr 2016 22:30:41 +1100 Subject: [PATCH 12/20] fixed incomplete regex after adding anchors --- config/filter.d/zoneminder.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/zoneminder.conf b/config/filter.d/zoneminder.conf index 83b1463ac..c804626e5 100644 --- a/config/filter.d/zoneminder.conf +++ b/config/filter.d/zoneminder.conf @@ -13,7 +13,7 @@ # (?:::f{4,6}:)?(?P[\w\-.^_]+) -failregex = ^[[]client :\d\d\d\d\d] WAR [[]Login denied for user \S*], referer: \S*$ +failregex = ^.*? [[]client :\d\d\d\d\d] WAR [[]Login denied for user \S*], referer: \S*$ ignoreregex = 
From 7013729a1f86de4f38da5297cfb5eae2c4b4abf3 Mon Sep 17 00:00:00 2001 From: john Date: Thu, 28 Apr 2016 14:19:29 +1000 Subject: [PATCH 13/20] removed redundant options for zoneminder from jail.conf --- config/jail.conf | 2 -- 1 file changed, 2 deletions(-) diff --git a/config/jail.conf b/config/jail.conf index 83a41c51f..29ad4c966 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -871,8 +871,6 @@ backend = %(syslog_backend)s [zoneminder] # Zoneminder HTTP/HTTPS web interface auth # Logs auth failures to apache2 error log -enabled = false port = http,https logpath = %(apache_error_log)s -maxretry = 3 From ac95449bbb9c46e879b33540885e7d77ecd01814 Mon Sep 17 00:00:00 2001 From: john Date: Sat, 30 Apr 2016 15:26:36 +1000 Subject: [PATCH 14/20] changed zoneminder regex as per Sebres and yarikoptic recommendations --- config/filter.d/zoneminder.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/filter.d/zoneminder.conf b/config/filter.d/zoneminder.conf index c804626e5..aa3b4e6da 100644 --- a/config/filter.d/zoneminder.conf +++ b/config/filter.d/zoneminder.conf @@ -3,7 +3,7 @@ [Definition] -# pattern: [client 10.1.1.1:38022] WAR [Login denied for user "test"], referer: https://zoneminderurl/ +# pattern: [Wed Apr 27 23:12:07.736196 2016] [:error] [pid 2460] [client 10.1.1.1:47296] WAR [Login denied for user "test"], referer: https://zoneminderurl/index.php # # # Option: failregex @@ -13,7 +13,7 @@ # (?:::f{4,6}:)?(?P[\w\-.^_]+) -failregex = ^.*? [[]client :\d\d\d\d\d] WAR [[]Login denied for user \S*], referer: \S*$ +failregex = ^\[\](?: \[:error\])?(?: \[pid \d+\])? \[client :\d+\] WAR \[Login denied for user "[^"]*"\] ignoreregex = From 4163f329688e89c3d551423a0e3d9be02adb9897 Mon Sep 17 00:00:00 2001 
From: sebres Date: Mon, 4 Sep 2017 11:48:01 +0200 Subject: [PATCH 15/20] small review, prefix replaced with `%(_apache_error_client)s` from apache-common.conf include --- config/filter.d/zoneminder.conf | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/config/filter.d/zoneminder.conf b/config/filter.d/zoneminder.conf index aa3b4e6da..cc82755af 100644 --- a/config/filter.d/zoneminder.conf +++ b/config/filter.d/zoneminder.conf @@ -1,5 +1,7 @@ # Fail2Ban filter for Zoneminder login failures -# + +[INCLUDES] +before = apache-common.conf [Definition] @@ -7,13 +9,9 @@ # # # Option: failregex -# Notes.: regex to match the password failure messages in the logfile. The -# host must be matched by a group named "host". The tag "" can -# be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P[\w\-.^_]+) - +# Notes.: regex to match the password failure messages in the logfile. -failregex = ^\[\](?: \[:error\])?(?: \[pid \d+\])? \[client :\d+\] WAR \[Login denied for user "[^"]*"\] +failregex = ^%(_apache_error_client)s WAR \[Login denied for user "[^"]*"\] ignoreregex = From fafefc029393bd33d6d593d4adbdea957a86e3d8 Mon Sep 17 00:00:00 2001 From: Vladimir Chumak Date: Sun, 3 Sep 2017 14:07:55 +0300 Subject: [PATCH 16/20] Add Jorgee Vulnerability Scanner protect Details for Jorgee Vulnerability Scanner: https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30164 --- config/filter.d/apache-badbots.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/apache-badbots.conf b/config/filter.d/apache-badbots.conf index 48b306661..c00852c4b 100644 --- a/config/filter.d/apache-badbots.conf +++ b/config/filter.d/apache-badbots.conf 
@@ -7,7 +7,7 @@ [Definition] -badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider +badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider|Jorgee|Mozilla/5\.0 Jorgee badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 \+http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots, 
\+http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00 failregex = ^ -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$ From 4bc226a692b06eb61e9a54146cd70ca91e0bf9ea Mon Sep 17 00:00:00 2001 From: sebres Date: Tue, 5 Sep 2017 10:59:16 +0200 Subject: [PATCH 17/20] optimized regex --- config/filter.d/apache-badbots.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/apache-badbots.conf b/config/filter.d/apache-badbots.conf index c00852c4b..cc7e6549d 100644 --- a/config/filter.d/apache-badbots.conf +++ b/config/filter.d/apache-badbots.conf 
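Review bot: Neither this hunk nor the follow-up "optimized regex" commit (4bc226a) adds a sample line for the new `Jorgee` alternatives: both diffstats touch only config/filter.d/apache-badbots.conf, whereas the dovecot, exim and phpMyAdmin changes in this series each pair the regex change with a line under fail2ban/tests/files/logs/. A constructed pair such as `# failJSON: { "time": "2017-09-03T14:07:55", "match": true , "host": "192.0.2.10" }` followed by `192.0.2.10 - - [03/Sep/2017:14:07:55 +0000] "GET / HTTP/1.1" 403 - "-" "Mozilla/5.0 Jorgee"` would pin the `Mozilla/x.y Jorgee` form against the quoted, end-anchored `failregex`, and a second line with the bare `"Jorgee"` agent would cover the other branch once the second commit lands (timestamp offset to be aligned with the convention of the existing samples). The enclosing `badbots` definition continues past the hunk and is unchanged.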
@@ -7,7 +7,7 @@ [Definition] -badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider|Jorgee|Mozilla/5\.0 Jorgee +badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider|(?:Mozilla/\d+\.\d+ )?Jorgee badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 \+http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap 
Shots, \+http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00 failregex = ^ -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$ From 2cd02b731b3e79b9fd052cc348416124cc57f785 Mon Sep 17 00:00:00 2001 From: "Serg G. Brester" Date: Thu, 7 Sep 2017 15:28:46 +0200 Subject: [PATCH 18/20] filter.d/exim.conf: fixed failregex for case of `D=0s` Closes gh-1886 --- config/filter.d/exim.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/exim.conf b/config/filter.d/exim.conf index 7848fe00d..eb56feffd 100644 --- a/config/filter.d/exim.conf +++ b/config/filter.d/exim.conf @@ -19,7 +19,7 @@ failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user| ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$ ^%(pid)s SMTP call from \S+ %(host_info)sdropped: too many nonmail commands \(last was "\S+"\)\s*$ ^%(pid)s SMTP protocol error in "AUTH \S*(?: \S*)?" %(host_info)sAUTH command used when not advertised\s*$ - ^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S+s(?: C=\S*)?\s*$ + ^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S*s(?: C=\S*)?\s*$ ^%(pid)s (?:[\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$ ignoreregex = From db121a6f8577c1fb348d8ed7b0f6c1a999c6a28c Mon Sep 17 00:00:00 2001 
From: "Serg G. Brester" Date: Thu, 7 Sep 2017 15:32:35 +0200 Subject: [PATCH 19/20] Update exim Test case covers flood attempts with `D=0s` --- fail2ban/tests/files/logs/exim | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fail2ban/tests/files/logs/exim b/fail2ban/tests/files/logs/exim index 8f3ac1bb5..f87d393ba 100644 --- a/fail2ban/tests/files/logs/exim +++ b/fail2ban/tests/files/logs/exim @@ -53,7 +53,7 @@ # failJSON: { "time": "2016-03-21T06:38:05", "match": true , "host": "49.212.207.15" } 2016-03-21 06:38:05 [5718] no MAIL in SMTP connection from www3005.sakura.ne.jp [49.212.207.15]:28890 I=[172.89.0.6]:25 D=21s C=EHLO,STARTTLS # failJSON: { "time": "2016-03-21T06:57:36", "match": true , "host": "122.165.71.116" } -2016-03-21 06:57:36 [5908] no MAIL in SMTP connection from [122.165.71.116]:2056 I=[172.89.0.6]:25 D=10s +2016-03-21 06:57:36 [5908] no MAIL in SMTP connection from [122.165.71.116]:2056 I=[172.89.0.6]:25 D=0s # failJSON: { "time": "2016-03-21T06:57:36", "match": true , "host": "122.165.71.116" } 2016-03-21 06:57:36 [5908] no MAIL in SMTP connection from [122.165.71.116] I=[172.89.0.6]:25 D=10s # failJSON: { "time": "2016-03-21T04:07:49", "match": true , "host": "174.137.147.204" } From 983b128c5439cacfbc560c600266051b4bf6de6e Mon Sep 17 00:00:00 2001 From: "Serg G. Brester" Date: Fri, 8 Sep 2017 11:07:48 +0200 Subject: [PATCH 20/20] Update ChangeLog several fixes of 0.9th branch --- ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ChangeLog b/ChangeLog index 32b8999d3..ae7d51c36 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -25,7 +25,10 @@ releases. * filter.d/apache-overflows.conf: - Fixes resources greedy expression (see gh-1790); - Rewritten without end-anchor ($), because of potential vulnerability on very long URLs. +* filter.d/apache-badbots.conf - extended to recognize Jorgee Vulnerability Scanner (gh-1882) * filter.d/asterisk.conf - fixed failregex AMI Asterisk authentification failed (see gh-1302) +* filter.d/dovecot.conf - fixed failregex, see gh-1879 (partially cherry-picked from gh-1880) +* filter.d/exim.conf - fixed failregex for case of flood attempts with `D=0s` (gh-1887) ### New Features @@ -33,6 +36,7 @@ releases. * action.d/cloudflare.conf - Cloudflare API v4 implementation (gh-1651) * filter.d/kerio.conf - filter extended with new rules (see gh-1455) * filter.d/phpmyadmin-syslog.conf - new filter for phpMyAdmin using syslog for auth logging +* filter.d/zoneminder.conf - new filter for ZoneMinder (gh-1376) ver. 0.9.7 (2017/05/11) - awaiting-victory