From 228d25c548a3f62d8606054709fcb29ff3367775 Mon Sep 17 00:00:00 2001 From: Marcel Bischoff Date: Tue, 30 May 2017 20:27:44 +0200 Subject: [PATCH 1/3] Update Kerio Connect filter (#1455) * Update Kerio Connect filter Fixed regex for some log entries that did not get recognized and some additional error formats are added. * Add missing colon, GitHub address * Add filter tests * Add missing test --- config/filter.d/kerio.conf | 8 +++++++- fail2ban/tests/files/logs/kerio | 15 +++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/config/filter.d/kerio.conf b/config/filter.d/kerio.conf index 313c9b36..ec1c09df 100644 --- a/config/filter.d/kerio.conf +++ b/config/filter.d/kerio.conf @@ -3,9 +3,14 @@ [Definition] failregex = ^ SMTP Spam attack detected from , - ^ IP address found in DNS blacklist \S+, mail from \S+ to \S+$ + ^ IP address found in DNS blacklist ^ Relay attempt from IP address ^ Attempt to deliver to unknown recipient \S+, from \S+, IP address $ + ^ Failed SMTP login from + ^ SMTP: User \S+ doesn't exist. Attempt from IP address + ^ Client with IP address has no reverse DNS entry, connection rejected before SMTP greeting$ + ^ Administration login into Web Administration from failed: IP address not allowed$ + ^ Message from IP address , sender \S+ rejected: sender domain does not exist$ ignoreregex = @@ -16,5 +21,6 @@ datepattern = ^\[%%d/%%b/%%Y %%H:%%M:%%S\] # DEV NOTES: # # Author: A.P. Lawrence +# Updated by: M. Bischoff # # Based off: http://aplawrence.com/Kerio/fail2ban.html diff --git a/fail2ban/tests/files/logs/kerio b/fail2ban/tests/files/logs/kerio index c9368c22..f7aa0eb7 100644 --- a/fail2ban/tests/files/logs/kerio +++ b/fail2ban/tests/files/logs/kerio @@ -25,5 +25,20 @@ # failJSON: { "time": "2013-12-13T01:11:04", "match": true, "host": "218.85.253.185" } [13/Dec/2013 01:11:04] Attempt to deliver to unknown recipient , from , IP address 218.85.253.185 +# failJSON: { "time": "2017-05-29T17:29:29", "match": true, "host": "185.140.108.56" } +[29/May/2017 17:29:29] IP address 185.140.108.56 found in DNS blacklist SpamCop, mail from to rejected +# failJSON: { "time": "2017-05-17T19:43:42", "match": true, "host": "185.140.108.26" } +[17/May/2017 19:43:42] SMTP: User printer@verinion.com doesn't exist. Attempt from IP address 185.140.108.26. +# failJSON: { "time": "2017-05-17T19:44:25", "match": true, "host": "184.171.168.211" } +[17/May/2017 19:44:25] Client with IP address 184.171.168.211 has no reverse DNS entry, connection rejected before SMTP greeting + +# failJSON: { "time": "2017-05-17T19:45:27", "match": true, "host": "170.178.167.136" } +[17/May/2017 19:45:27] Administration login into Web Administration from 170.178.167.136 failed: IP address not allowed + +# failJSON: { "time": "2017-05-17T22:14:57", "match": true, "host": "67.211.219.82" } +[17/May/2017 22:14:57] Message from IP address 67.211.219.82, sender rejected: sender domain does not exist + +# failJSON: { "time": "2017-05-18T07:25:15", "match": true, "host": "212.92.127.112" } +[18/May/2017 07:25:15] Failed SMTP login from 212.92.127.112 with SASL method CRAM-MD5. From 5214c1c5d1611e0c4a8f3c960a4b833ee767f7bc Mon Sep 17 00:00:00 2001 From: "Serg G. Brester" Date: Tue, 30 May 2017 20:31:48 +0200 Subject: [PATCH 2/3] Update changelog (gh-1455) --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index c798768d..5f472f81 100644 --- a/ChangeLog +++ b/ChangeLog @@ -21,7 +21,7 @@ releases. ### New Features ### Enhancements - +* filter.d/kerio.conf - filter extended with new rules (see gh-1455) ver. 0.9.7 (2017/05/11) - awaiting-victory From b93e47b12f69419692fc8275358b498f01b30cbe Mon Sep 17 00:00:00 2001 From: Peter Nowee Date: Wed, 31 May 2017 15:24:21 +0200 Subject: [PATCH 3/3] dovecot: Match also when user field is empty Commit 5678d08 of 2016-11-26 changed: ( user=<\S*>,)? to: ( user=<[^>]+>,)? The change from `*` (zero or more times) to `+` (one or more times) may not have been intended. It will miss lines containing, for example: Aborted login (tried to use disallowed plaintext auth): user=<> This commit reverts the `+` back to `*`. --- config/filter.d/dovecot.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf index a3dc60bb..68c78c7a 100644 --- a/config/filter.d/dovecot.conf +++ b/config/filter.d/dovecot.conf @@ -10,7 +10,7 @@ before = common.conf _daemon = (auth|dovecot(-auth)?|auth-worker) failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(?:\s+user=\S*)?\s*$ - ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$ + ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]*>,)?( method=\S+,)? rip=(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$ ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$ ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,\): unknown user\s*$ ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,,\S*\): invalid credentials\s*$