Merge pull request #283 from yarikoptic/master

Roundcube failregex -- anchor at the beginning as well + mandate <HOST> to end with alphanumeric
pull/302/merge
Yaroslav Halchenko 2013-07-16 12:49:25 -07:00
commit e4d759ac94
6 changed files with 21 additions and 11 deletions


@ -29,7 +29,7 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
Daniel Black
* action.d/hostsdeny -- NOTE: new dependancy 'ed'. Switched to use 'ed' across
all platforms to ensure permissions are the same before and after a ban -
closes gh-266
closes gh-266
- New Features:
Daniel Black & ykimon
* filter.d/3proxy.conf -- filter added
@ -51,6 +51,8 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
* fail2ban-client -- log to standard error. Closes gh-264
* Fail to configure if not a single log file was found for an
enabled jail. Closes gh-63
* <HOST> is now enforced to end with an alphanumeric
* filter.d/roundcube-auth.conf -- anchored version
Alexander Dietrich
* action.d/sendmail-common.conf -- added common sendmail settings file
and made the sender display name configurable


@ -4,6 +4,10 @@
#
#
[INCLUDES]
before = common.conf
[Definition]
# Option: failregex
@ -13,7 +17,7 @@
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = (FAILED login|Login failed) for .* from <HOST>\s*$
failregex = ^\s*(\[(\s\+[0-9]{4})?\])?(%(__hostname)s roundcube: IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. AUTHENTICATE .*)?\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
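Review bot: The new failregex lets text inside the user-supplied login name be captured as `<HOST>`. The name is matched by a lazy `.*?` and the optional tail `(\. AUTHENTICATE .*)?` ends in an unbounded `.*`, so the match can stop at an earlier ` from ` inside the name and let the tail absorb the genuine client address. If Roundcube writes the submitted name into this line unmodified (not visible here), a ban could land on an address that did not make the attempt. Constraining the name portion would close this, for example `for \S+ from <HOST>` if login names never contain whitespace, which should be confirmed against real logs. A sample line with a name containing ` from ` in the test log would pin the behaviour.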


@ -41,7 +41,7 @@ class Regex:
self._matchCache = None
# Perform shortcuts expansions.
# Replace "<HOST>" with default regular expression for host.
regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)")
regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)")
if regex.lstrip() == '':
raise RegexException("Cannot add empty regex")
try:
@ -50,7 +50,8 @@ class Regex:
except sre_constants.error:
raise RegexException("Unable to compile regular expression '%s'" %
regex)
def __str__(self):
return "%s(%r)" % (self.__class__.__name__, self._regex)
##
# Gets the regular expression.
#
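Review bot: `\w` also matches `_`, so the new `<HOST>` expansion `[\w\-.^_]*\w` still accepts a host ending in an underscore, which is looser than the ChangeLog wording "end with an alphanumeric". If underscores are meant to be excluded, the last atom could be `[^\W_]`, giving `(?P<host>[\w\-.^_]*[^\W_])`. Otherwise the ChangeLog entry should say "word character". The pattern is also in a non-raw string literal, so it relies on Python leaving `\w` and `\-` untouched, and an `r"..."` literal would make that explicit. The method containing the replacement starts outside the hunk.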


@ -294,7 +294,7 @@ class Filter(JailThread):
l = line
l = l.rstrip('\r\n')
logSys.log(5, "Working on line %r", l)
logSys.log(7, "Working on line %r", l)
timeMatch = self.dateDetector.matchTime(l)
if timeMatch:
# Lets split into time part and log part of the line
@ -349,19 +349,20 @@ class Filter(JailThread):
# @return a dict with IP and timestamp.
def findFailure(self, timeLine, logLine, returnRawHost=False):
logSys.log(5, "Date: %r, message: %r", timeLine, logLine)
failList = list()
# Checks if we must ignore this line.
if self.ignoreLine(logLine):
# The ignoreregex matched. Return.
logSys.log(7, "Matched ignoreregex and was ignored")
return failList
# Iterates over all the regular expressions.
for failRegex in self.__failRegex:
failRegex.search(logLine)
if failRegex.hasMatched():
# The failregex matched.
logSys.log(7, "Matched %s", failRegex)
date = self.dateDetector.getUnixTime(timeLine)
logSys.log(7, "Date: %r, message: %r",
timeLine, logLine)
if date is None:
logSys.debug("Found a match for %r but no valid date/time "
"found for %r. Please file a detailed issue on"
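Review bot: The bare numeric levels `5` and `7` passed to `logSys.log` in this section are unnamed and both sit below `logging.DEBUG` (10). A reader cannot tell from these lines which verbosity setting shows the "Working on line", "Matched %s" and "Date: %r, message: %r" traces. A short comment at the first call, such as `# 7: per-line trace, more verbose than DEBUG`, or a pair of named constants would document the intent. Keeping `%r` for the raw log line is worth stating in that comment too, since it escapes control characters from untrusted log content before they reach fail2ban's own log. `findFailure` continues past the end of the hunk.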


@ -2,3 +2,5 @@
[22-Jan-2013 22:28:21 +0200]: FAILED login for user1 from 192.0.43.10
# failJSON: { "time": "2005-05-26T07:12:40", "match": true , "host": "10.1.1.47" }
May 26 07:12:40 hamster roundcube: IMAP Error: Login failed for sales@example.com from 10.1.1.47
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" }
Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)


@ -334,9 +334,9 @@ class Transmitter(TransmitterBase):
"failed attempt from <HOST> again",
],
[
"user john at (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)",
"Admin user login from (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)",
"failed attempt from (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) again",
"user john at (?:::f{4,6}:)?(?P<host>[\w\-.^_]*\\w)",
"Admin user login from (?:::f{4,6}:)?(?P<host>[\w\-.^_]*\\w)",
"failed attempt from (?:::f{4,6}:)?(?P<host>[\w\-.^_]*\\w) again",
],
self.jailName
)
@ -359,7 +359,7 @@ class Transmitter(TransmitterBase):
],
[
"user john",
"Admin user login from (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)",
"Admin user login from (?:::f{4,6}:)?(?P<host>[\w\-.^_]*\\w)",
"Dont match me!",
],
self.jailName
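Review bot: The new expected strings mix two escaping styles inside one literal: `[\w\-.^_]` relies on Python keeping an unrecognised escape as written, while the trailing atom is spelled `\\w`. Both yield the same text, but a raw string removes the ambiguity, e.g. `r"user john at (?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"`. The host expansion is also copied into four literals here, on top of the replacement in class `Regex`, so any later change to `<HOST>` has to be repeated in each. Building the expected values from one shared constant would keep the tests and the implementation in step. The test methods begin outside both hunks.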