Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10

pull/1807/head
sebres 2017-06-12 13:11:45 +02:00
commit bbea73d79d
4 changed files with 24 additions and 3 deletions


@ -323,7 +323,7 @@ releases.
### New Features
### Enhancements
* filter.d/kerio.conf - filter extended with new rules (see gh-1455)
ver. 0.9.7 (2017/05/11) - awaiting-victory


@ -13,7 +13,7 @@ _daemon = (dovecot(-auth)?|auth)
prefregex = ^%(__prefix_line)s(%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap)-login: )?(?:Info: )?<F-CONTENT>.+</F-CONTENT>$
failregex = ^authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]*>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
^pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
^(?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
^ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
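Review bot: The relaxation of `( user=<[^>]+>,)?` to `( user=<[^>]*>,)?` in the second failregex has no accompanying `failJSON` sample in this commit — the four changed files are the ChangeLog, the two filters and the kerio test log — so the empty-user form this change presumably targets (`user=<>`) is not pinned by the test suite unless a sample already exists on the upstream branch being merged. A single log line in the dovecot test log whose `user=<>` field the old `[^>]+` would have rejected would make any later regression visible. The `[Definition]` block holding these regexes starts above the hunk, so the `__prefix_line` and `_auth_worker` expansions the prefregex relies on are not visible here.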


@ -3,9 +3,14 @@
[Definition]
failregex = ^ SMTP Spam attack detected from <HOST>,
^ IP address <HOST> found in DNS blacklist \S+, mail from \S+ to \S+$
^ IP address <HOST> found in DNS blacklist
^ Relay attempt from IP address <HOST>
^ Attempt to deliver to unknown recipient \S+, from \S+, IP address <HOST>$
^ Failed SMTP login from <HOST>
^ SMTP: User \S+ doesn't exist. Attempt from IP address <HOST>
^ Client with IP address <HOST> has no reverse DNS entry, connection rejected before SMTP greeting$
^ Administration login into Web Administration from <HOST> failed: IP address not allowed$
^ Message from IP address <HOST>, sender \S+ rejected: sender domain does not exist$
ignoreregex =
@ -14,5 +19,6 @@ datepattern = ^\[%%d/%%b/%%Y %%H:%%M:%%S\]
# DEV NOTES:
#
# Author: A.P. Lawrence
# Updated by: M. Bischoff <https://github.com/herrbischoff>
#
# Based off: http://aplawrence.com/Kerio/fail2ban.html
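Review bot: The `.` after `doesn't exist` in the new rule `^ SMTP: User \S+ doesn't exist. Attempt from IP address <HOST>` is an unescaped metacharacter and matches any character rather than the literal full stop; write it as `^ SMTP: User \S+ doesn't exist\. Attempt from IP address <HOST>` so it behaves like the other rules, which anchor on literal punctuation. The added rules keep the attacker-influenced fields (user, sender, recipient) as `\S+` and lead with the fixed `^ ` prefix, so a crafted address cannot carry the whitespace needed to fake an `IP address ...` fragment ahead of the real `<HOST>` — worth preserving if these patterns are loosened later. Dropping the `, mail from \S+ to \S+$` tail from the DNS-blacklist rule in favour of the unanchored `found in DNS blacklist` appears deliberate, since the `SpamCop, mail from ... rejected` sample in the kerio test log would not have matched the old tail.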


@ -25,5 +25,20 @@
# failJSON: { "time": "2013-12-13T01:11:04", "match": true, "host": "218.85.253.185" }
[13/Dec/2013 01:11:04] Attempt to deliver to unknown recipient <marge@aplawrence.com>, from <yu@rrd.com>, IP address 218.85.253.185
# failJSON: { "time": "2017-05-29T17:29:29", "match": true, "host": "185.140.108.56" }
[29/May/2017 17:29:29] IP address 185.140.108.56 found in DNS blacklist SpamCop, mail from <noreply-tjgqNffcgPfpbZtpDzasm@oakspaversusa.com> to <info@verinion.com> rejected
# failJSON: { "time": "2017-05-17T19:43:42", "match": true, "host": "185.140.108.26" }
[17/May/2017 19:43:42] SMTP: User printer@verinion.com doesn't exist. Attempt from IP address 185.140.108.26.
# failJSON: { "time": "2017-05-17T19:44:25", "match": true, "host": "184.171.168.211" }
[17/May/2017 19:44:25] Client with IP address 184.171.168.211 has no reverse DNS entry, connection rejected before SMTP greeting
# failJSON: { "time": "2017-05-17T19:45:27", "match": true, "host": "170.178.167.136" }
[17/May/2017 19:45:27] Administration login into Web Administration from 170.178.167.136 failed: IP address not allowed
# failJSON: { "time": "2017-05-17T22:14:57", "match": true, "host": "67.211.219.82" }
[17/May/2017 22:14:57] Message from IP address 67.211.219.82, sender <promo123@goodresponse.site> rejected: sender domain does not exist
# failJSON: { "time": "2017-05-18T07:25:15", "match": true, "host": "212.92.127.112" }
[18/May/2017 07:25:15] Failed SMTP login from 212.92.127.112 with SASL method CRAM-MD5.