diff --git a/ChangeLog b/ChangeLog
index 20c05944..dfcbb5ed 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -64,6 +64,8 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
   * filter.d/perdition.conf -- filter added
   Mark McKinstry
   * action.d/apf.conf - add action for Advanced Policy Firewall (apf)
+  Amir Caspi and kjohnsonecl
+  * filter.d/uwimap-auth - filter for uwimap-auth IMAP/POP server
 - Enhancements:
   François Boulogne and Frédéric
diff --git a/THANKS b/THANKS
index b89b7e27..e70ca9c9 100644
--- a/THANKS
+++ b/THANKS
@@ -8,6 +8,7 @@ be added
 Adrien Clerc
 ache
+Amir Caspi
 Andrey G. Grozin
 Andy Fragen
 Arturo 'Buanzo' Busleiman
@@ -38,6 +39,7 @@ Joël Bertrand
 JP Espinosa
 Justin Shore
 Kévin Drapel
+kjohnsonecl
 kojiro
 Manuel Arostegui Ramirez
 Marcel Dopita
diff --git a/config/filter.d/uwimap-auth.conf b/config/filter.d/uwimap-auth.conf
new file mode 100644
index 00000000..b166f3fc
--- /dev/null
+++ b/config/filter.d/uwimap-auth.conf
@@ -0,0 +1,16 @@
+# Fail2Ban configuration file
+#
+# Author: Amir Caspi
+#
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:ipop3d|imapd)
+
+failregex = ^%(__prefix_line)sLogin (?:failed|excessive login failures|disabled|SYSTEM BREAK-IN ATTEMPT) user=\S* auth=\S* host=.*\[\]\s*$
+            ^%(__prefix_line)sFailed .* override of user=.* host=.*\[\]\s*$
+
+ignoreregex =
diff --git a/config/jail.conf b/config/jail.conf
index 4878122f..80b774e5 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -416,6 +416,12 @@ filter = perdition
 action = iptables-multiport[name=perdition,port="110,143,993,995"]
 logpath = /var/log/maillog
+[uwimap-auth]
+enabled = false
+filter = uwimap-auth
+action = iptables-multiport[name=perdition,port="110,143,993,995"]
+logpath = /var/log/maillog
+
 [osx-ssh-ipfw]
 enabled = false
 filter = sshd
diff --git a/testcases/files/logs/uwimap-auth b/testcases/files/logs/uwimap-auth
new file mode 100644
index 00000000..71317922
--- /dev/null
+++ b/testcases/files/logs/uwimap-auth
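Review bot: Both failregex lines in config/filter.d/uwimap-auth.conf end in `host=.*\[\]\s*$`, and as shown here nothing sits between the brackets, so neither pattern captures an address to ban; presumably the `<HOST>` placeholder was dropped when this page was rendered, but if the committed file really reads `\[\]` fail2ban has no host group to work with and the filter is unusable. Please confirm the file contains `host=.*\[<HOST>\]\s*$` on both lines. The `.*` before the bracket is acceptable only because the `$` anchor pins the capture to the final bracketed field on the line, which is worth a one-line comment above failregex so a later edit does not loosen the anchor.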
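Review bot: The new `[uwimap-auth]` jail in config/jail.conf reuses `name=perdition` in its action, which makes the two jails share one iptables chain; bans from either jail land in the same chain, and stopping or restarting one jail flushes the other's bans. The line should name its own chain: `action = iptables-multiport[name=uwimap-auth,port="110,143,993,995"]`.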
@@ -0,0 +1,22 @@
+# failJSON: { "time": "2005-07-03T20:56:53", "match": true , "host": "81.169.154.112" }
+Jul 3 20:56:53 Linux2 imapd[666]: Login failed user=lizdy auth=lizdy host=h2066373.stratoserver.net [81.169.154.112]
+
+# failJSON: { "time": "2005-07-29T18:30:19", "match": true , "host": "198.52.115.74" }
+Jul 29 18:30:19 Linux2 ipop3d[25745]: Login failed user=info auth=info host=74-115-52-198-dedicated.multacom.com [198.52.115.74]
+
+# http://lists.freebsd.org/pipermail/freebsd-questions/2005-January/072073.html
+# failJSON: { "time": "2005-01-14T20:28:07", "match": true , "host": "198.52.115.74" }
+Jan 14 20:28:07 grog imapd[19343]: Login excessive login failures user=user auth=user host=74-115-52-198-dedicated.multacom.com [198.52.115.74]
+
+#http://us.generation-nt.com/answer/uw-imapd-doesnt-authenticate-users-help-194297331.html
+# failJSON: { "time": "2005-04-08T16:32:01", "match": true , "host": "198.52.115.74" }
+Apr 8 16:32:01 abdon imapd[29087]: Login excessive login failures user=brada auth=brada host=xxxxxx [198.52.115.74]
+
+
+# http://www.howtoforge.com/forums/showthread.php?t=3786
+# failJSON: { "time": "2005-04-08T16:32:01", "match": true , "host": "127.0.0.1" }
+Apr 8 16:32:01 abdon imapd[21172]: Login disabled user=test auth=test host=localhost.localdomain [127.0.0.1]
+
+# http://mailman2.u.washington.edu/pipermail/imap-uw/2008-February/001889.html
+# failJSON: { "time": "2005-02-23T12:36:01", "match": true , "host": "127.0.55.22" }
+Feb 23 12:36:01 r2 imapd[3473]: Failed uwmaster override of user=pro1 host=r22.j.de [127.0.55.22]
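Review bot: The fixture never exercises the `SYSTEM BREAK-IN ATTEMPT` alternative of the filter's first failregex, so that branch ships untested while the other four alternatives each have a sample line. A matching sample with its `failJSON` header would close the gap; as the log here shows, the fixture also has no negative (`"match": false`) line, so a successful-login line would additionally confirm the filter does not over-match.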