MRG: from master 2014-03-02

2014-03-02 14:33:45 +11:00 · 2014-03-02 14:33:45 +11:00 · cc8ec826c5
parent beca72e188 11fc7941f5
commit cc8ec826c5
10 changed files with 168 additions and 10 deletions
--- a/1
+++ b/1
@ -90,6 +90,7 @@ ver. 0.8.13 (2014/XX/XXX) - maintenance-only-from-now-on

 - New Features:
  - filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa)
+  - filter sendmail-{auth,reject} (jserrachinha and cepheid666 and fab23).

 - Enhancements:
  - filter pureftpd - added all translations of "Authentication failed for
--- a/5
+++ b/5
@ -202,6 +202,11 @@ config/filter.d/postfix.conf
 config/filter.d/proftpd.conf
 config/filter.d/pure-ftpd.conf
 config/filter.d/qmail.conf
+config/filter.d/pam-generic.conf
+config/filter.d/php-url-fopen.conf
+config/filter.d/postfix-sasl.conf
+config/filter.d/sendmail-auth.conf
+config/filter.d/sendmail-reject.conf
 config/filter.d/sieve.conf
 config/filter.d/solid-pop3d.conf
 config/filter.d/squid.conf
--- a/2
+++ b/2
@ -21,6 +21,7 @@ Bas van den Dikkenberg
 Beau Raines
 Bill Heaton
 Carlos Alberto Lopez Perez
+cepheid666
 Christian Rauch
 Christophe Carles
 Christoph Haas
@ -51,6 +52,7 @@ Jonathan Lanning
 Jonathan Underwood
 Joël Bertrand
 JP Espinosa
+jserrachinha
 Justin Shore
 Kévin Drapel
 kjohnsonecl
--- a/config/action.d/complain.conf
+++ b/config/action.d/complain.conf
@ -1,17 +1,16 @@
 # Fail2Ban configuration file
 #
-# Author: Russell Odom <russ@gloomytrousers.co.uk>
+# Author: Russell Odom <russ@gloomytrousers.co.uk>, Daniel Black
 # Sends a complaint e-mail to addresses listed in the whois record for an
 # offending IP address.
+# This uses the https://abusix.com/contactdb.html to lookup abuse contacts.
+#
+# DEPENDANCIES:
+# This requires the dig command from bind-utils
 #
 # You should provide the <logpath> in the jail config - lines from the log
 # matching the given IP address will be provided in the complaint as evidence.
 #
-# Note that we will try to use e-mail addresses that are most likely to be abuse
-# addresses (based on various keywords). If they aren't found we fall back on
-# any other addresses found in the whois record, with a few exceptions.
-# If no addresses are found, no e-mail is sent.
-#
 # WARNING
 # -------
 #
@ -55,10 +54,10 @@ actioncheck =
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = ADDRESSES=`whois <ip> | perl -e 'while (<STDIN>) { next if /^changed|@(ripe|apnic)\.net/io; $m += (/abuse|trouble:|report|spam|security/io?3:0); if (/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)/io) { while (s/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)//io) { if ($m) { $a{lc($1)}=$m } else { $b{lc($1)}=$m } } $m=0 } else { $m && --$m } } if (%%a) {print join(",",keys(%%a))} else {print join(",",keys(%%b))}'`
+actionban = oifs=${IFS}; IFS=.;SEP_IP=( <ip> ); set -- ${SEP_IP}; ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs}
 	    IP=<ip>
            if [ ! -z "$ADDRESSES" ]; then
-                (printf %%b "<message>\n"; date '+Note: Local timezone is %%z (%%Z)'; grep -E '(^|[^0-9])<ip>([^0-9]|$)' <logpath>) | <mailcmd> "Abuse from <ip>" <mailargs> $ADDRESSES
+                (printf %%b "<message>\n"; date '+Note: Local timezone is %%z (%%Z)'; grep -E '(^|[^0-9])<ip>([^0-9]|$)' <logpath>) | <mailcmd> "Abuse from <ip>" <mailargs> ${ADDRESSES//,/\" \"}
            fi

 # Option:  actionunban
@ -70,7 +69,7 @@ actionban = ADDRESSES=`whois <ip> | perl -e 'while (<STDIN>) { next if /^changed
 actionunban =

 [Init]
-message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)\n
+message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a abusix.com is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)\n\n This mail was generated by Fail2Ban.\nThe recipient address of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information which we pass out, derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email (info@abusix.com). Information about the Abuse Contact Database can be found here: https://abusix.com/global-reporting/abuse-contact-db\nabusix.com is neither responsible nor liable for the content or accuracy of this message.\n

 # Path to the log files which contain relevant lines for the abuser IP
 #
--- a/config/filter.d/sendmail-auth.conf
+++ b/config/filter.d/sendmail-auth.conf
@ -0,0 +1,18 @@
+# Fail2Ban filter for sendmail authentication failures
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:sm-(mta|acceptingconnections))
+
+failregex = ^%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# Author: Daniel Black
--- a/config/filter.d/sendmail-reject.conf
+++ b/config/filter.d/sendmail-reject.conf
@ -0,0 +1,34 @@
+# Fail2Ban filter for sendmail spam/relay type failures
+#
+# Some of the below failregex will only work properly, when the following
+# options are set in the .mc file (see your Sendmail documentation on how
+# to modify it and generate the corresponding .cf file):
+#
+# FEATURE(`delay_checks')
+# FEATURE(`greet_pause', `500')
+# FEATURE(`ratecontrol', `nodelay', `terminate')
+# FEATURE(`conncontrol', `nodelay', `terminate')
+#
+# ratecontrol and conncontrol also need corresponding options ClientRate:
+# and ClientConn: in the access file, see documentation for ratecontrol and
+# conncontrol in the sendmail/cf/README file.
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:sm-(mta|acceptingconnections))
+
+failregex = ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[<HOST>\]( \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\])|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$
+            ^%(__prefix_line)sruleset=check_relay, arg1=(?P<dom>\S+), arg2=<HOST>, relay=((?P=dom) )?\[(\d+\.){3}\d+\]( \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
+            ^%(__prefix_line)s\w{14}: rejecting commands from  (\S+ )?\[<HOST>\] due to pre-greeting traffic after \d+ seconds$
+            ^%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]: ((?i)expn|vrfy) \S+ \[rejected\]$
+
+
+ignoreregex =
+
+# DEV Notes:
+#
+# Author: Daniel Black and Fabian Wenk
--- a/config/jail.conf
+++ b/config/jail.conf
@ -559,6 +559,18 @@ port     = smtp,465,submission
 logpath  = /var/log/mail.log


+[sendmail-auth]
+
+port    = submission,465,smtp
+logpath = /var/log/mail.log
+
+
+[sendmail-reject]
+
+port     = smtp
+logpath  = /var/log/mail.log
+
+
 [qmail-rbl]

 filter  = qmail
--- a/fail2ban/tests/files/logs/sendmail-auth
+++ b/fail2ban/tests/files/logs/sendmail-auth
@ -0,0 +1,12 @@
+
+# failJSON: { "time": "2005-02-16T23:33:20", "match": true , "host": "190.5.230.178" }
+Feb 16 23:33:20 smtp1 sm-mta[5133]: s1GNXHYB005133: [190.5.230.178]: possible SMTP attack: command=AUTH, count=5
+
+# failJSON: { "time": "2005-02-16T23:40:36", "match": true , "host": "75.176.164.191" }
+Feb 16 23:40:36 smtp1 sm-mta[5178]: s1GNeNqe005178: cpe-075-176-164-191.sc.res.rr.com [75.176.164.191]: possible SMTP attack: command=AUTH, count=5
+
+# failJSON: { "time": "2005-02-24T12:10:15", "match": true , "host": "211.75.6.133" }
+Feb 24 12:10:15 kismet sm-acceptingconnections[32053]: s1OHA28u032053: 211-75-6-133.HINET-IP.hinet.net [211.75.6.133]: possible SMTP attack: command=AUTH, count=6
+
+# failJSON: { "time": "2005-02-24T13:00:17", "match": true , "host": "95.70.241.192" }
+Feb 24 13:00:17 kismet sm-acceptingconnections[1499]: s1OHxxSn001499: 192.241.70.95.dsl.static.turk.net [95.70.241.192] (may be forged): possible SMTP attack: command=AUTH, count=6
--- a/fail2ban/tests/files/logs/sendmail-reject
+++ b/fail2ban/tests/files/logs/sendmail-reject
@ -0,0 +1,67 @@
+# failJSON: { "time": "2005-02-25T03:01:10", "match": true , "host": "128.68.136.133" }
+Feb 25 03:01:10 kismet sm-acceptingconnections[27713]: s1P819mk027713: ruleset=check_rcpt, arg1=<asservnew@freemailhost.ru>, relay=128-68-136-133.broadband.corbina.ru [128.68.136.133], reject=550 5.7.1 <asservnew@freemailhost.ru>... Relaying denied. Proper authentication required.
+
+# failJSON: { "time": "2005-02-23T21:36:14", "match": true , "host": "80.253.155.119" }
+Feb 23 21:36:14 petermurray sm-mta[22248]: s1NLaDQT022248: ruleset=check_rcpt, arg1=<dautareuk2@hotmail.it>, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 <dautareuk2@hotmail.it>... Relaying denied. IP name possibly forged [80.253.155.119]
+
+# failJSON: { "time": "2005-02-24T07:33:59", "match": true , "host": "118.161.66.57" }
+Feb 24 07:33:59 petermurray sm-mta[21134]: s1O7XtZJ021134: ruleset=check_rcpt, arg1=<sanjinn232@yahoo.com.tw>, relay=118-161-66-57.dynamic.hinet.net [118.161.66.57], reject=550 5.7.1 <sanjinn232@yahoo.com.tw>... Relaying denied. Proper authentication required.
+
+# failJSON: { "time": "2005-02-23T07:57:28", "match": true , "host": "2.180.185.27" }
+Feb 23 07:57:28 petermurray sm-mta[6519]: s1N7vR47006519: ruleset=check_rcpt, arg1=<camila.pinto@camilopinto.pt>, relay=[2.180.185.27], reject=553 5.1.8 <camila.pinto@camilopinto.pt>... Domain of sender address camila.pinto@andrewweitzman.com does not exist
+
+# failJSON: { "time": "2005-02-23T14:13:08", "match": true , "host": "85.60.238.161" }
+Feb 23 14:13:08 petermurray sm-mta[17126]: s1NED81M017126: ruleset=check_rcpt, arg1=<anabelaalvesd@camilopinto.pt>, relay=161.pool85-60-238.dynamic.orange.es [85.60.238.161], reject=553 5.1.8 <anabelaalvesd@camilopinto.pt>... Domain of sender address anabelaalvesd@dsldevice.lan does not exist
+
+# failJSON: { "time": "2005-02-24T05:07:40", "match": true , "host": "202.53.73.138" }
+Feb 24 05:07:40 petermurray sm-mta[716]: s1O57c6H000716: ruleset=check_rcpt, arg1=<camilo_pinto@camilopinto.pt>, relay=202.53.73.138.nettlinx.com [202.53.73.138] (may be forged), reject=553 5.1.8 <camilo_pinto@camilopinto.pt>... Domain of sender address root@srv.montserv.com does not exist
+
+# failJSON: { "time": "2005-02-23T07:00:08", "match": true , "host": "151.232.63.226" }
+Feb 23 07:00:08 petermurray sm-mta[3992]: s1N706jo003992: ruleset=check_rcpt, arg1=<joaofr@camilopinto.pt>, relay=[151.232.63.226], reject=550 5.7.1 <joaofr@camilopinto.pt>... Rejected: 151.232.63.226 listed at sbl-xbl.spamhaus.org
+
+# failJSON: { "time": "2005-02-23T04:36:21", "match": true , "host": "74.137.127.206" }
+Feb 23 04:36:21 kismet sm-acceptingconnections[12603]: s1N9aKAw012603: ruleset=check_rcpt, arg1=<user@host.com>, relay=74-137-127-206.dhcp.insightbb.com [74.137.127.206], reject=550 5.7.1 <user@host.com>... Rejected: IP in SpamCop blacklist, see: http://spamcop.net/bl.shtml?74.137.127.206
+
+# failJSON: { "time": "2005-02-23T04:38:57", "match": true , "host": "203.229.186.250" }
+Feb 23 04:38:57 kismet sm-acceptingconnections[16772]: s1N9csSZ016772: ruleset=check_rcpt, arg1=<user@host.com>, relay=[203.229.186.250], reject=550 5.7.1 <user@host.com>... Rejected: IP in Barracuda RBL, see: http://www.barracudacentral.org/reputation?ip=203.229.186.250
+
+# failJSON: { "time": "2005-02-23T06:06:04", "match": true , "host": "186.54.117.93" }
+Feb 23 06:06:04 kismet sm-acceptingconnections[18622]: s1NB63Bp018622: ruleset=check_rcpt, arg1=<user@host.com>, relay=r186-54-117-93.dialup.adsl.anteldata.net.uy [186.54.117.93], reject=550 5.7.1 <user@host.com>... Rejected: IP in SpamHaus PBL, see http://www.spamhaus.org/query/bl?ip=186.54.117.93
+
+# failJSON: { "time": "2005-02-24T01:46:44", "match": true , "host": "217.21.54.82" }
+Feb 24 01:46:44 petermurray sm-mta[24422]: ruleset=check_relay, arg1=leased-line-54-82.telecom.by, arg2=217.21.54.82, relay=leased-line-54-82.telecom.by [217.21.54.82], reject=421 4.3.2 Connection rate limit exceeded.
+
+
+# failJSON: { "time": "2005-02-27T15:49:07", "match": true , "host": "189.30.205.74" }
+Feb 27 15:49:07 batman sm-mta[88390]: ruleset=check_relay, arg1=189-30-205-74.paebv701.dsl.brasiltelecom.net.br, arg2=189.30.205.74, relay=189-30-205-74.paebv701.dsl.brasiltelecom.net.br [189.30.205.74], reject=421 4.3.2 Too many open connections.
+
+# failJSON: { "time": "2005-02-19T18:01:50", "match": true , "host": "196.213.73.146" }
+Feb 19 18:01:50 batman sm-mta[78152]: ruleset=check_relay, arg1=[196.213.73.146], arg2=196.213.73.146, relay=[196.213.73.146], reject=421 4.3.2 Connection rate limit exceeded.
+
+# failJSON: { "time": "2005-02-27T10:53:06", "match": true , "host": "209.15.212.253" }
+Feb 27 10:53:06 batman sm-mta[44307]: s1R9r60D044307: rejecting commands from  [209.15.212.253] due to pre-greeting traffic after 0 seconds
+
+# failJSON: { "time": "2005-02-27T15:44:18", "match": true , "host": "41.204.78.137" }
+Feb 27 15:44:18 batman sm-mta[87838]: s1REiHdq087838: ruleset=check_rcpt, arg1=<gert-jan@t-online.ch>, relay=[41.204.78.137], reject=550 5.7.1 <gert-jan@t-online.ch>... Relaying denied. IP name lookup failed [41.204.78.137]
+
+# failJSON: { "time": "2005-02-27T15:49:02", "match": true , "host": "189.30.205.74" }
+Feb 27 15:49:02 batman sm-mta[88377]: s1REn1un088377: ruleset=check_rcpt, arg1=<non-existing-user@example.com>, relay=189-30-205-74.paebv701.dsl.brasiltelecom.net.br [189.30.205.74], reject=550 5.1.1 <non-existing-user@example.com>... User unknown
+
+# failJSON: { "time": "2005-02-27T22:44:42", "match": true , "host": "123.69.106.50" }
+Feb 27 22:44:42 batman sm-mta[30972]: s1RLieRP030972: ruleset=check_rcpt, arg1=<existing-user@example.com>, relay=[123.69.106.50], reject=553 5.1.8 <existing-user@example.com>... Domain of sender address lf@ibuv.net does not exist
+
+# failJSON: { "time": "2005-02-23T21:18:47", "match": true , "host": "76.72.174.70" }
+Feb 23 21:18:47 batman sm-mta[93301]: s1NKIkZa093301: [76.72.174.70]: EXPN root [rejected]
+
+# failJSON: { "time": "2005-02-13T01:16:50", "match": true , "host": "217.193.142.180" }
+Feb 13 01:16:50 batman sm-mta[25815]: s1D0GoSs025815: [217.193.142.180]: expn info [rejected]
+
+# failJSON: { "time": "2005-02-22T14:02:44", "match": true , "host": "24.73.201.194" }
+Feb 22 14:02:44 batman sm-mta[4030]: s1MD2hsd004030: rrcs-24-73-201-194.se.biz.rr.com [24.73.201.194]: EXPN root [rejected]
+
+# failJSON: { "time": "2005-02-13T01:16:50", "match": true , "host": "217.193.142.180" }
+Feb 13 01:16:50 batman sm-mta[25815]: s1D0GoSs025815: [217.193.142.180]: vrfy info [rejected]
+
+# failJSON: { "time": "2005-02-22T14:02:44", "match": true , "host": "24.73.201.194" }
+Feb 22 14:02:44 batman sm-mta[4030]: s1MD2hsd004030: rrcs-24-73-201-194.se.biz.rr.com [24.73.201.194]: VRFY root [rejected]
+
--- a/man/jail.conf.5
+++ b/man/jail.conf.5
@ -134,7 +134,15 @@ filename(s) of the log files to be monitored. Globs -- paths containing * and ?
 Ensure syslog or the program that generates the log file isn't configured to compress repeated log messages to "\fI*last message repeated 5 time*s\fR" otherwise it will fail to detect. This is called \fIRepeatedMsgReduction\fR in rsyslog and should be \fIOff\fR.
 .TP
 .B action
-action(s) from \fI/etc/fail2ban/action.d/\fR without the \fI.conf\fR/\fI.local\fR extension. Arguments can be passed to actions to override the default values from the [Init] section in the action file. Arguments are specified by [name=value,name2=value]. Values can also be quoted. More that one action can be specified (in separate lines).
+action(s) from \fI/etc/fail2ban/action.d/\fR without the \fI.conf\fR/\fI.local\fR extension. Arguments can be passed to actions to override the default values from the [Init] section in the action file. Arguments are specified by:
+.RS
+.RS
+
+[name=value,name2=value,name3="values,values"]
+
+.RE
+Values can also be quoted (required when value includes a ","). More that one action can be specified (in separate lines).
+.RE
 .TP
 .B ignoreip
 list of IPs not to ban. They can include a CIDR mask too.