From b8536490ef4d0413c5d28ae133e539e5e49996fd Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Fri, 3 Jan 2014 19:32:29 +1100
Subject: [PATCH 1/3] ENH: filter for stunnel from fail2ban wiki
---
 ChangeLog | 1 +
 MANIFEST | 2 ++
 config/filter.d/stunnel.conf | 8 ++++++++
 fail2ban/tests/files/logs/stunnel | 2 ++
 4 files changed, 13 insertions(+)
 create mode 100644 config/filter.d/stunnel.conf
 create mode 100644 fail2ban/tests/files/logs/stunnel
diff --git a/ChangeLog b/ChangeLog
index 850495f3..bcfd2a00 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -55,6 +55,7 @@ configuration before relying on it.
 * Added action xarf-login-attack to report formatted attack messages according to the XARF standard (v0.2). Close gh-105
 * Support PyPy
+ * Filter for stunnel
 - Enhancements
 * Multiline filter for sendmail-spam. Close gh-418
diff --git a/MANIFEST b/MANIFEST
index 7566f610..5bdcd66d 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -136,6 +136,7 @@ fail2ban/tests/files/logs/selinux-ssh
 fail2ban/tests/files/logs/sendmail-spam
 fail2ban/tests/files/logs/sieve
 fail2ban/tests/files/logs/squid
+fail2ban/tests/files/logs/stunnel
 fail2ban/tests/files/logs/suhosin
 fail2ban/tests/files/logs/sogo-auth
 fail2ban/tests/files/logs/solid-pop3d
@@ -191,6 +192,7 @@ config/filter.d/sieve.conf
 config/filter.d/solid-pop3d.conf
 config/filter.d/sshd.conf
 config/filter.d/sshd-ddos.conf
+config/filter.d/stunnel.conf
 config/filter.d/vsftpd.conf
 config/filter.d/webmin-auth.conf
 config/filter.d/wuftpd.conf
diff --git a/config/filter.d/stunnel.conf b/config/filter.d/stunnel.conf
new file mode 100644
index 00000000..33407f4e
--- /dev/null
+++ b/config/filter.d/stunnel.conf
@@ -0,0 +1,8 @@
+# Fail2ban filter for stunnel
+# Based off: http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#stunnel4
+
+[Definition]
+
+failregex = ^ LOG\d\[\d+:\d+\]:\ SSL_accept from :\d+ : (?P[\dA-F]+): error:(?P=CODE):SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate$
+
+datepattern = ^%Y.%m.%d %H:%M:%S
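Review bot: In the failregex added to config/filter.d/stunnel.conf the host capture appears to be missing: the pattern reads `SSL_accept from :\d+` with nothing between `from ` and `:\d+`, and the code group is written `(?P[\dA-F]+)` with no group name, so as shown fail2ban would have no `<HOST>` to act on and Python's re module would reject the unnamed `(?P` group. This looks like angle brackets dropped in rendering, so please confirm the committed line is `SSL_accept from <HOST>:\d+ : (?P<CODE>[\dA-F]+): error:(?P=CODE):...`. The regex is also anchored to the single reason `SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate`, so other SSL_accept failures from the same peer are never counted; if that is intended, say so in the header, e.g. `# Matches only handshakes where the peer presented no client certificate; other SSL_accept errors are not counted`. Finally the file defines no `ignoreregex`; adding an empty `ignoreregex =` keeps it consistent with the other filter.d definitions.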
diff --git a/fail2ban/tests/files/logs/stunnel b/fail2ban/tests/files/logs/stunnel
new file mode 100644
index 00000000..2aa1b2fc
--- /dev/null
+++ b/fail2ban/tests/files/logs/stunnel
@@ -0,0 +1,2 @@
+# failJSON: { "time": "2011-11-21T142916", "matches": true, "host": "10.7.41.61" }
+2011.11.21 14:29:16 LOG3[28228:140093368055552]: SSL_accept from 10.7.41.61:33454 : 140890C7: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
From 938ef689de8778042b1c03f1750b35f7ad129f1f Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Sat, 4 Jan 2014 07:55:26 +1100
Subject: [PATCH 2/3] DOC: dev notes on stunnel
---
 config/filter.d/stunnel.conf | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/config/filter.d/stunnel.conf b/config/filter.d/stunnel.conf
index 33407f4e..e9bd349e 100644
--- a/config/filter.d/stunnel.conf
+++ b/config/filter.d/stunnel.conf
@@ -1,8 +1,13 @@
 # Fail2ban filter for stunnel
-# Based off: http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#stunnel4
 [Definition]
 failregex = ^ LOG\d\[\d+:\d+\]:\ SSL_accept from :\d+ : (?P[\dA-F]+): error:(?P=CODE):SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate$
 datepattern = ^%Y.%m.%d %H:%M:%S
+
+# DEV NOTES:
+#
+# Author: Daniel Black
+#
+# Based off: http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#stunnel4
From c1535a43c757b51ef22690c5eba11e738c6e36b0 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Sat, 4 Jan 2014 07:57:47 +1100
Subject: [PATCH 3/3] BF: Fix failJSON for stunnel
---
 fail2ban/tests/files/logs/stunnel | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fail2ban/tests/files/logs/stunnel b/fail2ban/tests/files/logs/stunnel
index 2aa1b2fc..169c6d39 100644
--- a/fail2ban/tests/files/logs/stunnel
+++ b/fail2ban/tests/files/logs/stunnel
@@ -1,2 +1,2 @@
-# failJSON: { "time": "2011-11-21T142916", "matches": true, "host": "10.7.41.61" }
+# failJSON: { "time": "2011-11-21T14:29:16", "match": true, "host": "10.7.41.61" }
 2011.11.21 14:29:16 LOG3[28228:140093368055552]: SSL_accept from 10.7.41.61:33454 : 140890C7: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate