Merge pull request #372 from grooverdan/uw-imap

ENH: filter.d/uwimap-auth added. Closes #18
2013-10-01 15:13:11 -07:00 · 2013-10-01 15:13:11 -07:00 · ba8183b116
parent 5fe87c45f2 262616f7a7
commit ba8183b116
5 changed files with 48 additions and 0 deletions
--- a/2
+++ b/2
@ -64,6 +64,8 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
   * filter.d/perdition.conf -- filter added
  Mark McKinstry
   * action.d/apf.conf - add action for Advanced Policy Firewall (apf)
+  Amir Caspi and kjohnsonecl
+   * filter.d/uwimap-auth - filter for uwimap-auth IMAP/POP server

 - Enhancements:
  François Boulogne and Frédéric
--- a/2
+++ b/2
@ -8,6 +8,7 @@ be added

 Adrien Clerc
 ache
+Amir Caspi
 Andrey G. Grozin
 Andy Fragen
 Arturo 'Buanzo' Busleiman
@ -38,6 +39,7 @@ Joël Bertrand
 JP Espinosa
 Justin Shore
 Kévin Drapel
+kjohnsonecl
 kojiro
 Manuel Arostegui Ramirez
 Marcel Dopita
--- a/config/filter.d/uwimap-auth.conf
+++ b/config/filter.d/uwimap-auth.conf
@ -0,0 +1,16 @@
+# Fail2Ban configuration file
+#
+# Author: Amir Caspi
+#
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:ipop3d|imapd)
+
+failregex = ^%(__prefix_line)sLogin (?:failed|excessive login failures|disabled|SYSTEM BREAK-IN ATTEMPT) user=\S* auth=\S* host=.*\[<HOST>\]\s*$ 
+            ^%(__prefix_line)sFailed .* override of user=.* host=.*\[<HOST>\]\s*$
+
+ignoreregex = 
--- a/config/jail.conf
+++ b/config/jail.conf
@ -416,6 +416,12 @@ filter = perdition
 action = iptables-multiport[name=perdition,port="110,143,993,995"]
 logpath = /var/log/maillog

+[uwimap-auth]
+enabled = false
+filter = uwimap-auth
+action = iptables-multiport[name=perdition,port="110,143,993,995"]
+logpath = /var/log/maillog
+
 [osx-ssh-ipfw]
 enabled = false
 filter = sshd
--- a/testcases/files/logs/uwimap-auth
+++ b/testcases/files/logs/uwimap-auth
@ -0,0 +1,22 @@
+# failJSON: { "time": "2005-07-03T20:56:53", "match": true , "host": "81.169.154.112" }
+Jul 3 20:56:53 Linux2 imapd[666]: Login failed user=lizdy auth=lizdy host=h2066373.stratoserver.net [81.169.154.112]
+
+# failJSON: { "time": "2005-07-29T18:30:19", "match": true , "host": "198.52.115.74" }
+Jul 29 18:30:19 Linux2 ipop3d[25745]: Login failed user=info auth=info host=74-115-52-198-dedicated.multacom.com [198.52.115.74]
+
+# http://lists.freebsd.org/pipermail/freebsd-questions/2005-January/072073.html
+# failJSON: { "time": "2005-01-14T20:28:07", "match": true , "host": "198.52.115.74" }
+Jan 14 20:28:07 grog imapd[19343]: Login excessive login failures user=user auth=user host=74-115-52-198-dedicated.multacom.com [198.52.115.74]
+
+#http://us.generation-nt.com/answer/uw-imapd-doesnt-authenticate-users-help-194297331.html
+# failJSON: { "time": "2005-04-08T16:32:01", "match": true , "host": "198.52.115.74" }
+Apr 8 16:32:01 abdon imapd[29087]: Login excessive login failures user=brada auth=brada host=xxxxxx [198.52.115.74]
+
+
+# http://www.howtoforge.com/forums/showthread.php?t=3786
+# failJSON: { "time": "2005-04-08T16:32:01", "match": true , "host": "127.0.0.1" }
+Apr 8 16:32:01 abdon imapd[21172]: Login disabled user=test auth=test host=localhost.localdomain [127.0.0.1]
+
+# http://mailman2.u.washington.edu/pipermail/imap-uw/2008-February/001889.html
+# failJSON: { "time": "2005-02-23T12:36:01", "match": true , "host": "127.0.55.22" }
+Feb 23 12:36:01 r2 imapd[3473]: Failed uwmaster override of user=pro1  host=r22.j.de [127.0.55.22]