From fd7657f9a982dd1e7c913f0a9a210c2e6b2afcbd Mon Sep 17 00:00:00 2001 From: Rudimar Remontti Date: Tue, 19 Mar 2024 19:53:40 -0300 Subject: [PATCH 1/3] Update named-refused.conf --- config/filter.d/named-refused.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/named-refused.conf b/config/filter.d/named-refused.conf index 798f66e65..1d4be1fe7 100644 --- a/config/filter.d/named-refused.conf +++ b/config/filter.d/named-refused.conf @@ -37,7 +37,7 @@ _category_re = (?:%(_category)s: )? # this can be optional (for instance if we match named native log files) __line_prefix=\s*(?:\S+ %(__daemon_combs_re)s\s+)?%(_category_re)s -prefregex = ^%(__line_prefix)s(?:(?:error|info):\s*)?client(?: @\S*)? #\S+(?: \([\S.]+\))?: .+\s(?:denied|\(NOTAUTH\))\s*$ +prefregex = ^%(__line_prefix)s(?:(?:error|info):\s*)?client(?: @\S*)? #\S+(?: \([\S.]+\))?: .+\s(?:denied|denied \(allow-query-cache did not match\)|\(NOTAUTH\))\s*$ failregex = ^(?:view (?:internal|external): )?query(?: \(cache\))? ^zone transfer From 2c13cba73d6ec81627de0ac697458eb44ebc1215 Mon Sep 17 00:00:00 2001 From: sebres Date: Mon, 25 Mar 2024 16:26:34 +0100 Subject: [PATCH 2/3] loosening for denied suffix (would match no matter which reason in parenthesis); add coverage for denied with "(allow-query-cache did not match)" --- config/filter.d/named-refused.conf | 2 +- fail2ban/tests/files/logs/named-refused | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/config/filter.d/named-refused.conf b/config/filter.d/named-refused.conf index 1d4be1fe7..5e8b0624d 100644 --- a/config/filter.d/named-refused.conf +++ b/config/filter.d/named-refused.conf @@ -37,7 +37,7 @@ _category_re = (?:%(_category)s: )? # this can be optional (for instance if we match named native log files) __line_prefix=\s*(?:\S+ %(__daemon_combs_re)s\s+)?%(_category_re)s -prefregex = ^%(__line_prefix)s(?:(?:error|info):\s*)?client(?: @\S*)? #\S+(?: \([\S.]+\))?: .+\s(?:denied|denied \(allow-query-cache did not match\)|\(NOTAUTH\))\s*$ +prefregex = ^%(__line_prefix)s(?:(?:error|info):\s*)?client(?: @\S*)? #\S+(?: \([\S.]+\))?: .+\s(?:denied(?: \([^\)]*\))?|\(NOTAUTH\))\s*$ failregex = ^(?:view (?:internal|external): )?query(?: \(cache\))? ^zone transfer diff --git a/fail2ban/tests/files/logs/named-refused b/fail2ban/tests/files/logs/named-refused index 5ef42074f..94bd5204b 100644 --- a/fail2ban/tests/files/logs/named-refused +++ b/fail2ban/tests/files/logs/named-refused @@ -18,6 +18,8 @@ Aug 17 08:20:22 catinthehat named[2954]: client 223.252.23.219#56275: zone trans # BIND9 ver: BIND 9.9.3-rpz2+rl.13208.13-P2-RedHat-9.9.3-4.P2.el6 (Extended Support Version) # failJSON: { "time": "2013-08-23T10:32:56", "match": true , "host": "82.207.95.42" } 23-Aug-2013 10:32:56.621 client 82.207.95.42#40278 (redginseng.com.ua): query (cache) 'redginseng.com.ua/A/IN' denied +# failJSON: { "time": "2013-08-23T18:41:28", "match": true , "host": "192.0.2.3", "desc": "denied with allow-query-cache did not match, gh-2697" } +23-Aug-2013 18:41:28.090 client @0x7f7c95c76968 192.0.2.3#60683 (example.com): query (cache) 'example.com/A/IN' denied (allow-query-cache did not match) # failJSON: { "time": "2013-08-27T17:49:45", "match": true , "host": "59.167.242.100" } 27-Aug-2013 17:49:45.330 client 59.167.242.100#44281 (watt.kiev.ua): zone transfer 'watt.kiev.ua/AXFR/IN' denied From 44f32d6132d52ca1ed30116ddd05c18ee6a05f88 Mon Sep 17 00:00:00 2001 From: sebres Date: Mon, 25 Mar 2024 16:32:50 +0100 Subject: [PATCH 3/3] changelog --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 25b141161..f3d2181cb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -35,6 +35,7 @@ ver. 1.0.3-dev-1 (20??/??/??) - development nightly edition - filter can bypass additional timestamp or pid that may be logged via systemd-journal or syslog-ng (gh-3060) - rewrite host line regex for all varied exim's log_selector states (gh-3263) - fixed "dropped: too many ..." regex, also matching unrecognized commands now (gh-3502) +* `filter.d/named-refused.conf` - denied allows any reason in parenthesis as suffix (gh-3697) * `filter.d/nginx-forbidden.conf` - new filter to ban forbidden locations, e. g. using `deny` directive (gh-2226) * `filter.d/sshd.conf`: - avoid double counting for "maximum authentication attempts exceeded" (gh-3502)