ENH: multiline filter for sendmail-spam. Closes gh-418

pull/421/head
Daniel Black 2013-11-08 08:55:45 +11:00
parent 1405188bcc
commit cb982ef921
5 changed files with 47 additions and 0 deletions


@ -34,6 +34,9 @@ code-review and minor additions from Yaroslav Halchenko.
* [..b6059f4] 'timeout' option for actions Close gh-60 and Debian bug * [..b6059f4] 'timeout' option for actions Close gh-60 and Debian bug
#410077. Also it would now capture and include stdout and stderr #410077. Also it would now capture and include stdout and stderr
into logging messages in case of error or at DEBUG loglevel. into logging messages in case of error or at DEBUG loglevel.
Daniel Black and TESTOVIK
* Multiline filter for sendmail-spam. Close gh-418
- Enhancements - Enhancements
Steven Hiscocks Steven Hiscocks
* Replacing use of deprecated API (.warning, .assertEqual, etc) * Replacing use of deprecated API (.warning, .assertEqual, etc)

1
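--- a/THANKS
+++ b/THANKS
@@ -63,6 +63,7 @@ Sireyessire
 silviogarbes
 Stephen Gildea
 Steven Hiscocks
+TESTOVIK
 Tom Pike
 Tyler
 Vaclav Misek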


@ -0,0 +1,20 @@
# Fail2ban filter for sendmail spam
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = sendmail
failregex = ^(?P<__prefix>%(__prefix_line)s\w+: )<\w+@[\w.-]+>\.\.\. No such user here<SKIPLINES>(?P=__prefix)from=<\w+@[\w.-]+>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=[\w.-]+ \[<HOST>\]$
[Init]
# "maxlines" is number of log lines to buffer for multi-line regex searches
maxlines = 10
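Review bot: The failregex ends in `relay=[\w.-]+ \[<HOST>\]$`, which requires a hostname before the bracketed address; if sendmail logs `relay=[ip]` alone when the reverse lookup fails, or appends ` (may be forged)` when the forward lookup disagrees (confirm against real logs), those spam attempts never produce a ban. A tolerant tail would be `relay=(?:[\w.-]+ )?\[<HOST>\](?: \(may be forged\))?$`, which still anchors `<HOST>` on the connection address sendmail records rather than on anything the client controls. The `[Definition]` section also has no comment on how the match works; above `failregex` I would add `# Correlate a "No such user here" rejection with the later from= line of the same queue ID (the __prefix backreference), up to maxlines lines apart, and ban the relay address.` so the `<SKIPLINES>`/`(?P=__prefix)` construction is understandable without reading the test log.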


@ -461,6 +461,10 @@ logpath = /var/log/postfix.log
bantime = 300 bantime = 300
[sendmail-spam]
logpath = /var/log/mail.log
# dovecot defaults to logging to the mail syslog facility # dovecot defaults to logging to the mail syslog facility
# but can be set by syslog_facility in the dovecot configuration. # but can be set by syslog_facility in the dovecot configuration.
[dovecot] [dovecot]
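Review bot: The new `[sendmail-spam]` jail sets only `logpath`, so it inherits `port`, `filter` and `enabled` from `[DEFAULT]`, which is outside this hunk. If `[DEFAULT]` does not already narrow the port, the ban applies to every port although the filter only evidences SMTP abuse; `port = smtp,ssmtp,submission` would scope it the way the mail jails above presumably do. Confirm as well that `filter` defaults to the jail name in this version of the file, otherwise `filter = sendmail-spam` is needed for the jail to load.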


@ -0,0 +1,19 @@
# failJSON: { "match": false }
Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: <arhipov@domain.com>... No such user here
# failJSON: { "match": false }
Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: <anatoliy@domain.com>... No such user here
# failJSON: { "match": false }
Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: <artem@domain.com>... No such user here
# failJSON: { "match": false }
Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: <anto@domain.com>... No such user here
# failJSON: { "match": false }
Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: <anton@domain.com>... No such user here
# failJSON: { "time": "2004-11-03T11:35:30", "match": true , "host": "95.32.23.163" }
Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: from=<davaojk25@domain.com>, size=0, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=163.23.32.95.dsl-dynamic.vsi.ru [95.32.23.163]
# failJSON: { "match": false }
Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: <anton@domain.com>... No such user here
# Different mail ID shouldn't match
# failJSON: { "match": false }
Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026255: from=<davaojk25@domain.com>, size=0, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=163.23.32.95.dsl-dynamic.vsi.ru [95.32.23.163]
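Review bot: The fixture has no negative case for a normal delivery, i.e. a `from=` line whose queue ID has no preceding "No such user here" rejection; only the different-ID case on the last line exercises the `(?P=__prefix)` backreference. A `# failJSON: { "match": false }` entry with such a line (same ID as no prior rejection, `nrcpts=1`) would guard against a later regex edit that drops the correlation and bans every sender. If sendmail also logs `relay=[ip]` with no hostname when reverse DNS fails (confirm), a sample of that form would document whether the filter is expected to cover it.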