- Added "pam-generic" filter and more configuration fixes. Thanks to Yaroslav Halchenko.

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@677 a942ae1a-1317-0410-a47c-b1dcaea8d605
2008-03-10 22:03:34 +00:00 · 2008-03-10 22:03:34 +00:00 · d9f9a31802
parent d645a8fe47
commit d9f9a31802
4 changed files with 29 additions and 1 deletions
--- a/2
+++ b/2
@ -10,6 +10,8 @@ Fail2Ban (version 0.8.3)                           2008/??/??
 ver. 0.8.3 (2008/??/??) - stable
 ----------
 - Process failtickets as long as failmanager is not empty.
+- Added "pam-generic" filter and more configuration fixes.
+  Thanks to Yaroslav Halchenko.

 ver. 0.8.2 (2008/03/06) - stable
 ----------
--- a/1
+++ b/1
@ -68,6 +68,7 @@ config/filter.d/postfix.conf
 config/filter.d/proftpd.conf
 config/filter.d/pure-ftpd.conf
 config/filter.d/qmail.conf
+config/filter.d/pam-generic.conf
 config/filter.d/sasl.conf
 config/filter.d/sshd.conf
 config/filter.d/sshd-ddos.conf
--- a/config/filter.d/pam-generic.conf
+++ b/config/filter.d/pam-generic.conf
@ -0,0 +1,25 @@
+# Fail2Ban configuration file for generic PAM authentication errors
+#
+# Author: Yaroslav Halchenko
+#
+# $Revision:  $
+#
+
+[Definition]
+
+# if you want to catch only login erros from specific daemons, use smth like
+#_ttys_re=(?:ssh|pure-ftpd|ftp)
+# To catch all failed logins
+_ttys_re=\S*
+
+#
+# Shortcuts for easier comprehension of the failregex
+__pid_re=(?:\[\d+\])
+__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
+__pam_combs_re=(?:%(__pid_re)s?:\s+%(__pam_re)s|%(__pam_re)s%(__pid_re)s?:)
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile.
+# Values: TEXT
+#
+failregex = \s\S+ \S+%(__pam_combs_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
--- a/config/filter.d/proftpd.conf
+++ b/config/filter.d/proftpd.conf
@ -14,7 +14,7 @@
 #          (?:::f{4,6}:)?(?P<host>\S+)
 # Values: TEXT
 #
-failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+$
+failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
            \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
            \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
            \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$