diff --git a/ChangeLog b/ChangeLog
index 5e625c1c..701c418c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -90,6 +90,7 @@ ver. 0.8.13 (2014/XX/XXX) - maintenance-only-from-now-on - New Features: - filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa) + - filter sendmail-{auth,reject} (jserrachinha and cepheid666 and fab23). - Enhancements: - filter pureftpd - added all translations of "Authentication failed for
diff --git a/MANIFEST b/MANIFEST
index 7a997382..e4643583 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -202,6 +202,11 @@ config/filter.d/postfix.conf
 config/filter.d/proftpd.conf
 config/filter.d/pure-ftpd.conf
 config/filter.d/qmail.conf
+config/filter.d/pam-generic.conf
+config/filter.d/php-url-fopen.conf
+config/filter.d/postfix-sasl.conf
+config/filter.d/sendmail-auth.conf
+config/filter.d/sendmail-reject.conf
 config/filter.d/sieve.conf
 config/filter.d/solid-pop3d.conf
 config/filter.d/squid.conf
diff --git a/THANKS b/THANKS
index f7df14c4..30b8f023 100644
--- a/THANKS
+++ b/THANKS
@@ -21,6 +21,7 @@ Bas van den Dikkenberg
 Beau Raines
 Bill Heaton
 Carlos Alberto Lopez Perez
+cepheid666
 Christian Rauch
 Christophe Carles
 Christoph Haas
@@ -51,6 +52,7 @@ Jonathan Lanning
 Jonathan Underwood
 Joël Bertrand
 JP Espinosa
+jserrachinha
 Justin Shore
 Kévin Drapel
 kjohnsonecl
diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
index 62331f19..c0175831 100644
--- a/config/action.d/complain.conf
+++ b/config/action.d/complain.conf
@@ -1,17 +1,16 @@
 # Fail2Ban configuration file
 #
-# Author: Russell Odom
+# Author: Russell Odom , Daniel Black
 # Sends a complaint e-mail to addresses listed in the whois record for an
 # offending IP address.
+# This uses the https://abusix.com/contactdb.html to lookup abuse contacts.
+#
+# DEPENDANCIES:
+# This requires the dig command from bind-utils
 #
 # You should provide the in the jail config - lines from the log
 # matching the given IP address will be provided in the complaint as evidence.
 #
-# Note that we will try to use e-mail addresses that are most likely to be abuse
-# addresses (based on various keywords). If they aren't found we fall back on
-# any other addresses found in the whois record, with a few exceptions.
-# If no addresses are found, no e-mail is sent.
-#
 # WARNING
 # -------
 #
@@ -55,10 +54,10 @@ actioncheck =
 # Tags: See jail.conf(5) man page
 # Values: CMD
 #
-actionban = ADDRESSES=`whois | perl -e 'while () { next if /^changed|@(ripe|apnic)\.net/io; $m += (/abuse|trouble:|report|spam|security/io?3:0); if (/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)/io) { while (s/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)//io) { if ($m) { $a{lc($1)}=$m } else { $b{lc($1)}=$m } } $m=0 } else { $m && --$m } } if (%%a) {print join(",",keys(%%a))} else {print join(",",keys(%%b))}'`
+actionban = oifs=${IFS}; IFS=.;SEP_IP=( ); set -- ${SEP_IP}; ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs}
             IP=
             if [ ! -z "$ADDRESSES" ]; then
-                (printf %%b "\n"; date '+Note: Local timezone is %%z (%%Z)'; grep -E '(^|[^0-9])([^0-9]|$)' ) | "Abuse from " $ADDRESSES
+                (printf %%b "\n"; date '+Note: Local timezone is %%z (%%Z)'; grep -E '(^|[^0-9])([^0-9]|$)' ) | "Abuse from " ${ADDRESSES//,/\" \"}
             fi
 
 # Option: actionunban
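Review bot: The new header comment says the action "uses" abusix's contact DB but does not say how the addresses are obtained, and the heading on the `DEPENDANCIES:` line is misspelled. I would change it to `# DEPENDENCIES:` and state the mechanism and its trust implication right where the old whois explanation was removed, e.g. `# Abuse contacts are looked up with a DNS TXT query against abuse-contacts.abusix.org; the recipients of the report therefore come from that third-party zone, so a working resolver and bind-utils (dig) are required.` The WARNING block that follows continues outside this hunk.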
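Review bot: The rewritten actionban depends on bash-only syntax — the `SEP_IP=( )` array and the `${ADDRESSES//,/\" \"}` substitution — while action commands are run through the system shell, so on a host whose /bin/sh is dash the command presumably fails with a syntax error and no complaint is ever sent. A portable form is to move the `IP=<ip>` assignment above the lookup and split the octets with `IFS=.; set -- $IP; IFS=${oifs}`, since word-splitting applies to the expansion of `$IP`, which is all the array was providing. The quoting also looks wrong: `dig +short -t txt` prints the record wrapped in double quotes, and the substitution only inserts more literal quote characters that the shell does not re-parse, so `<mailcmd>` receives recipients like `"abuse@example.net"` with the quotes attached; piping the dig output through `tr -d '"' | tr ',' ' '` gives a plain space-separated list that can be passed as `$ADDRESSES`. Finally, whatever dig prints on standard output — a spoofed or malformed TXT answer, or its own `;; connection timed out; no servers could be reached` diagnostic — is expanded unquoted onto the mail command line, so each token should be checked against an address-shaped pattern (and globbing disabled with `set -f`) before it is used.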
@@ -70,7 +69,7 @@ actionban = ADDRESSES=`whois | perl -e 'while () { next if /^changed
 actionunban = 
 [Init]
-message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)\n
+message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a abusix.com is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)\n\n This mail was generated by Fail2Ban.\nThe recipient address of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information which we pass out, derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email (info@abusix.com). Information about the Abuse Contact Database can be found here: https://abusix.com/global-reporting/abuse-contact-db\nabusix.com is neither responsible nor liable for the content or accuracy of this message.\n
 # Path to the log files which contain relevant lines for the abuser IP
 #
diff --git a/config/filter.d/sendmail-auth.conf b/config/filter.d/sendmail-auth.conf
new file mode 100644
index 00000000..138fbb85
--- /dev/null
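Review bot: The new message text still tells the recipient that "your e-mail address was extracted from the whois record by an automated process", which is no longer how the address is obtained, and the earlier clause reads "according to a abusix.com". I would change those two fragments to `which according to abusix.com is on your network` and `your e-mail address was obtained from the abusix.com Abuse Contact DB by an automated process`. Since the long attribution paragraph now goes out under the operator's name, a comment above `message` such as `# The abusix.com attribution paragraph below can be shortened in a complain.local override.` would save the next maintainer from editing this file in place.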
+++ b/config/filter.d/sendmail-auth.conf
@@ -0,0 +1,18 @@
+# Fail2Ban filter for sendmail authentication failures
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:sm-(mta|acceptingconnections))
+
+failregex = ^%(__prefix_line)s\w{14}: (\S+ )?\[\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# Author: Daniel Black
diff --git a/config/filter.d/sendmail-reject.conf b/config/filter.d/sendmail-reject.conf
new file mode 100644
index 00000000..3a897316
--- /dev/null
+++ b/config/filter.d/sendmail-reject.conf
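Review bot: `_daemon` only accepts the `sm-mta` and `sm-acceptingconnections` process names, so on installations where the daemon syslogs under its own name (`sendmail[pid]`, which is what Red Hat style builds presumably do) nothing in this filter ever matches and the jail is silently inert. I would write it as `_daemon = (?:sm-(?:mta|acceptingconnections)|sendmail)`, which also drops the unused capture group. The `failregex` also deserves a comment that sendmail emits `possible SMTP attack: command=AUTH` only once its own failure counter is already high (the fixture lines carry `count=5` and `count=6`), so a single match already represents several bad logins and the jail's `maxretry` should be chosen with that in mind, e.g. `# sendmail logs this line only after its AUTH failure threshold is exceeded; one match already means several failed logins.`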
@@ -0,0 +1,34 @@
+# Fail2Ban filter for sendmail spam/relay type failures
+#
+# Some of the below failregex will only work properly, when the following
+# options are set in the .mc file (see your Sendmail documentation on how
+# to modify it and generate the corresponding .cf file):
+#
+# FEATURE(`delay_checks')
+# FEATURE(`greet_pause', `500')
+# FEATURE(`ratecontrol', `nodelay', `terminate')
+# FEATURE(`conncontrol', `nodelay', `terminate')
+#
+# ratecontrol and conncontrol also need corresponding options ClientRate:
+# and ClientConn: in the access file, see documentation for ratecontrol and
+# conncontrol in the sendmail/cf/README file.
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:sm-(mta|acceptingconnections))
+
+failregex = ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=(?P<\S+@\S+>), relay=(\S+ )?\[\]( \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\])|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$
+            ^%(__prefix_line)sruleset=check_relay, arg1=(?P\S+), arg2=, relay=((?P=dom) )?\[(\d+\.){3}\d+\]( \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
+            ^%(__prefix_line)s\w{14}: rejecting commands from (\S+ )?\[\] due to pre-greeting traffic after \d+ seconds$
+            ^%(__prefix_line)s\w{14}: (\S+ )?\[\]: ((?i)expn|vrfy) \S+ \[rejected\]$
+
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# Author: Daniel Black and Fabian Wenk
diff --git a/config/jail.conf b/config/jail.conf
index a8646763..f96a959a 100644
--- a/config/jail.conf
+++ b/config/jail.conf
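Review bot: The last failregex uses an inline flag in mid-pattern, `((?i)expn|vrfy)`; in Python's re an inline `(?i)` that is not at the start of the expression applies to the whole of that regex, prefix and `\[rejected\]` included, and recent Python versions reject the construct outright, so the intent is better spelled out as `(?:EXPN|expn|VRFY|vrfy)`, which still covers every fixture line. The `check_rcpt` alternative also bans on `User unknown` and `Domain of sender address ... does not exist`, rejections that a misconfigured but legitimate peer produces just as readily as a dictionary attacker; that trade-off belongs in the header comment, e.g. `# Note: the 5.1.1 / 5.1.8 rejections can be triggered by legitimate but misconfigured senders; raise maxretry or drop those branches if that is a concern.`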
@@ -559,6 +559,18 @@ port = smtp,465,submission
 logpath = /var/log/mail.log
 
 
+[sendmail-auth]
+
+port = submission,465,smtp
+logpath = /var/log/mail.log
+
+
+[sendmail-reject]
+
+port = smtp
+logpath = /var/log/mail.log
+
+
 [qmail-rbl]
 
 filter = qmail
diff --git a/fail2ban/tests/files/logs/sendmail-auth b/fail2ban/tests/files/logs/sendmail-auth
new file mode 100644
index 00000000..7cc18c70
--- /dev/null
+++ b/fail2ban/tests/files/logs/sendmail-auth
@@ -0,0 +1,12 @@
+
+# failJSON: { "time": "2005-02-16T23:33:20", "match": true , "host": "190.5.230.178" }
+Feb 16 23:33:20 smtp1 sm-mta[5133]: s1GNXHYB005133: [190.5.230.178]: possible SMTP attack: command=AUTH, count=5
+
+# failJSON: { "time": "2005-02-16T23:40:36", "match": true , "host": "75.176.164.191" }
+Feb 16 23:40:36 smtp1 sm-mta[5178]: s1GNeNqe005178: cpe-075-176-164-191.sc.res.rr.com [75.176.164.191]: possible SMTP attack: command=AUTH, count=5
+
+# failJSON: { "time": "2005-02-24T12:10:15", "match": true , "host": "211.75.6.133" }
+Feb 24 12:10:15 kismet sm-acceptingconnections[32053]: s1OHA28u032053: 211-75-6-133.HINET-IP.hinet.net [211.75.6.133]: possible SMTP attack: command=AUTH, count=6
+
+# failJSON: { "time": "2005-02-24T13:00:17", "match": true , "host": "95.70.241.192" }
+Feb 24 13:00:17 kismet sm-acceptingconnections[1499]: s1OHxxSn001499: 192.241.70.95.dsl.static.turk.net [95.70.241.192] (may be forged): possible SMTP attack: command=AUTH, count=6
diff --git a/fail2ban/tests/files/logs/sendmail-reject b/fail2ban/tests/files/logs/sendmail-reject
new file mode 100644
index 00000000..b7d37e5a
--- /dev/null
+++ b/fail2ban/tests/files/logs/sendmail-reject
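Review bot: Both new jails inherit the default `maxretry`, but their filters fire on very different evidence: sendmail only emits the `possible SMTP attack: command=AUTH` line once its own failure counter is already high (the fixture shows `count=5` and `count=6`), so with the default of three matches an attacker gets at least seven attempts before a ban, whereas sendmail-reject matches single 421/550/553 rejections. I would set `maxretry = 1` on `[sendmail-auth]`, or add a comment explaining why not, and leave `[sendmail-reject]` at the default. `[sendmail-reject]` also blocks only port `smtp`, although the relay-denied and rate-limit rejections it matches can equally arrive on the submission ports listed for `[sendmail-auth]`; `port = smtp,465,submission` would close that gap and match the port list of the preceding jail shown in the hunk context.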
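Review bot: The sendmail-auth fixture contains only positive samples — every line is expected to match — so a regression that widens the regex (matching `possible SMTP attack: command=` for any command, or losing the `count=` anchor) would not be caught. Adding one `# failJSON: { "match": false }` entry, such as a `command=` variant for a different verb or the per-attempt `AUTH failure (...)` line sendmail logs before the threshold is reached (if your logs have it), would pin the filter's scope.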
@@ -0,0 +1,67 @@
+# failJSON: { "time": "2005-02-25T03:01:10", "match": true , "host": "128.68.136.133" }
+Feb 25 03:01:10 kismet sm-acceptingconnections[27713]: s1P819mk027713: ruleset=check_rcpt, arg1=, relay=128-68-136-133.broadband.corbina.ru [128.68.136.133], reject=550 5.7.1 ... Relaying denied. Proper authentication required.
+
+# failJSON: { "time": "2005-02-23T21:36:14", "match": true , "host": "80.253.155.119" }
+Feb 23 21:36:14 petermurray sm-mta[22248]: s1NLaDQT022248: ruleset=check_rcpt, arg1=, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 ... Relaying denied. IP name possibly forged [80.253.155.119]
+
+# failJSON: { "time": "2005-02-24T07:33:59", "match": true , "host": "118.161.66.57" }
+Feb 24 07:33:59 petermurray sm-mta[21134]: s1O7XtZJ021134: ruleset=check_rcpt, arg1=, relay=118-161-66-57.dynamic.hinet.net [118.161.66.57], reject=550 5.7.1 ... Relaying denied. Proper authentication required.
+
+# failJSON: { "time": "2005-02-23T07:57:28", "match": true , "host": "2.180.185.27" }
+Feb 23 07:57:28 petermurray sm-mta[6519]: s1N7vR47006519: ruleset=check_rcpt, arg1=, relay=[2.180.185.27], reject=553 5.1.8 ... Domain of sender address camila.pinto@andrewweitzman.com does not exist
+
+# failJSON: { "time": "2005-02-23T14:13:08", "match": true , "host": "85.60.238.161" }
+Feb 23 14:13:08 petermurray sm-mta[17126]: s1NED81M017126: ruleset=check_rcpt, arg1=, relay=161.pool85-60-238.dynamic.orange.es [85.60.238.161], reject=553 5.1.8 ... Domain of sender address anabelaalvesd@dsldevice.lan does not exist
+
+# failJSON: { "time": "2005-02-24T05:07:40", "match": true , "host": "202.53.73.138" }
+Feb 24 05:07:40 petermurray sm-mta[716]: s1O57c6H000716: ruleset=check_rcpt, arg1=, relay=202.53.73.138.nettlinx.com [202.53.73.138] (may be forged), reject=553 5.1.8 ... Domain of sender address root@srv.montserv.com does not exist
+
+# failJSON: { "time": "2005-02-23T07:00:08", "match": true , "host": "151.232.63.226" }
+Feb 23 07:00:08 petermurray sm-mta[3992]: s1N706jo003992: ruleset=check_rcpt, arg1=, relay=[151.232.63.226], reject=550 5.7.1 ... Rejected: 151.232.63.226 listed at sbl-xbl.spamhaus.org
+
+# failJSON: { "time": "2005-02-23T04:36:21", "match": true , "host": "74.137.127.206" }
+Feb 23 04:36:21 kismet sm-acceptingconnections[12603]: s1N9aKAw012603: ruleset=check_rcpt, arg1=, relay=74-137-127-206.dhcp.insightbb.com [74.137.127.206], reject=550 5.7.1 ... Rejected: IP in SpamCop blacklist, see: http://spamcop.net/bl.shtml?74.137.127.206
+
+# failJSON: { "time": "2005-02-23T04:38:57", "match": true , "host": "203.229.186.250" }
+Feb 23 04:38:57 kismet sm-acceptingconnections[16772]: s1N9csSZ016772: ruleset=check_rcpt, arg1=, relay=[203.229.186.250], reject=550 5.7.1 ... Rejected: IP in Barracuda RBL, see: http://www.barracudacentral.org/reputation?ip=203.229.186.250
+
+# failJSON: { "time": "2005-02-23T06:06:04", "match": true , "host": "186.54.117.93" }
+Feb 23 06:06:04 kismet sm-acceptingconnections[18622]: s1NB63Bp018622: ruleset=check_rcpt, arg1=, relay=r186-54-117-93.dialup.adsl.anteldata.net.uy [186.54.117.93], reject=550 5.7.1 ... Rejected: IP in SpamHaus PBL, see http://www.spamhaus.org/query/bl?ip=186.54.117.93
+
+# failJSON: { "time": "2005-02-24T01:46:44", "match": true , "host": "217.21.54.82" }
+Feb 24 01:46:44 petermurray sm-mta[24422]: ruleset=check_relay, arg1=leased-line-54-82.telecom.by, arg2=217.21.54.82, relay=leased-line-54-82.telecom.by [217.21.54.82], reject=421 4.3.2 Connection rate limit exceeded.
+
+
+# failJSON: { "time": "2005-02-27T15:49:07", "match": true , "host": "189.30.205.74" }
+Feb 27 15:49:07 batman sm-mta[88390]: ruleset=check_relay, arg1=189-30-205-74.paebv701.dsl.brasiltelecom.net.br, arg2=189.30.205.74, relay=189-30-205-74.paebv701.dsl.brasiltelecom.net.br [189.30.205.74], reject=421 4.3.2 Too many open connections.
+
+# failJSON: { "time": "2005-02-19T18:01:50", "match": true , "host": "196.213.73.146" }
+Feb 19 18:01:50 batman sm-mta[78152]: ruleset=check_relay, arg1=[196.213.73.146], arg2=196.213.73.146, relay=[196.213.73.146], reject=421 4.3.2 Connection rate limit exceeded.
+
+# failJSON: { "time": "2005-02-27T10:53:06", "match": true , "host": "209.15.212.253" }
+Feb 27 10:53:06 batman sm-mta[44307]: s1R9r60D044307: rejecting commands from [209.15.212.253] due to pre-greeting traffic after 0 seconds
+
+# failJSON: { "time": "2005-02-27T15:44:18", "match": true , "host": "41.204.78.137" }
+Feb 27 15:44:18 batman sm-mta[87838]: s1REiHdq087838: ruleset=check_rcpt, arg1=, relay=[41.204.78.137], reject=550 5.7.1 ... Relaying denied. IP name lookup failed [41.204.78.137]
+
+# failJSON: { "time": "2005-02-27T15:49:02", "match": true , "host": "189.30.205.74" }
+Feb 27 15:49:02 batman sm-mta[88377]: s1REn1un088377: ruleset=check_rcpt, arg1=, relay=189-30-205-74.paebv701.dsl.brasiltelecom.net.br [189.30.205.74], reject=550 5.1.1 ... User unknown
+
+# failJSON: { "time": "2005-02-27T22:44:42", "match": true , "host": "123.69.106.50" }
+Feb 27 22:44:42 batman sm-mta[30972]: s1RLieRP030972: ruleset=check_rcpt, arg1=, relay=[123.69.106.50], reject=553 5.1.8 ... Domain of sender address lf@ibuv.net does not exist
+
+# failJSON: { "time": "2005-02-23T21:18:47", "match": true , "host": "76.72.174.70" }
+Feb 23 21:18:47 batman sm-mta[93301]: s1NKIkZa093301: [76.72.174.70]: EXPN root [rejected]
+
+# failJSON: { "time": "2005-02-13T01:16:50", "match": true , "host": "217.193.142.180" }
+Feb 13 01:16:50 batman sm-mta[25815]: s1D0GoSs025815: [217.193.142.180]: expn info [rejected]
+
+# failJSON: { "time": "2005-02-22T14:02:44", "match": true , "host": "24.73.201.194" }
+Feb 22 14:02:44 batman sm-mta[4030]: s1MD2hsd004030: rrcs-24-73-201-194.se.biz.rr.com [24.73.201.194]: EXPN root [rejected]
+
+# failJSON: { "time": "2005-02-13T01:16:50", "match": true , "host": "217.193.142.180" }
+Feb 13 01:16:50 batman sm-mta[25815]: s1D0GoSs025815: [217.193.142.180]: vrfy info [rejected]
+
+# failJSON: { "time": "2005-02-22T14:02:44", "match": true , "host": "24.73.201.194" }
+Feb 22 14:02:44 batman sm-mta[4030]: s1MD2hsd004030: rrcs-24-73-201-194.se.biz.rr.com [24.73.201.194]: VRFY root [rejected]
+
diff --git a/man/jail.conf.5 b/man/jail.conf.5
index 89d42b9d..c730d16c 100644
--- a/man/jail.conf.5
+++ b/man/jail.conf.5
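Review bot: The reject fixture, like the auth one, has no `match: false` entries, so nothing guards the open-ended `Rejected: .*` branch or the `User unknown` branch against lines that should not ban — a `ruleset=check_rcpt` line carrying a temporary 4xx rejection, for instance. I would add at least one negative sample per ruleset the filter covers. The samples also carry real-looking third-party sender addresses (`camila.pinto@andrewweitzman.com`, `root@srv.montserv.com`, `lf@ibuv.net`); since the filter only needs them to satisfy `\S+`, replacing them with `example.com` / `example.net` addresses avoids shipping other people's addresses in the test suite.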
@@ -134,7 +134,15 @@ filename(s) of the log files to be monitored. Globs -- paths containing * and ?
 Ensure syslog or the program that generates the log file isn't configured to compress repeated log messages to "\fI*last message repeated 5 time*s\fR" otherwise it will fail to detect. This is called \fIRepeatedMsgReduction\fR in rsyslog and should be \fIOff\fR.
 .TP
 .B action
-action(s) from \fI/etc/fail2ban/action.d/\fR without the \fI.conf\fR/\fI.local\fR extension. Arguments can be passed to actions to override the default values from the [Init] section in the action file. Arguments are specified by [name=value,name2=value]. Values can also be quoted. More that one action can be specified (in separate lines).
+action(s) from \fI/etc/fail2ban/action.d/\fR without the \fI.conf\fR/\fI.local\fR extension. Arguments can be passed to actions to override the default values from the [Init] section in the action file. Arguments are specified by:
+.RS
+.RS
+
+[name=value,name2=value,name3="values,values"]
+
+.RE
+Values can also be quoted (required when value includes a ","). More that one action can be specified (in separate lines).
+.RE
 .TP
 .B ignoreip
 list of IPs not to ban. They can include a CIDR mask too.