github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #283 from yarikoptic/master 

Roundcube failregex -- anchor at the beginning as well + mandate <HOST> to end with alphanumeric
pull/302/merge
Yaroslav Halchenko 2013-07-16 12:49:25 -07:00
parent 5bd186b854 90ec82669c
commit e4d759ac94
6 changed files with 21 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ChangeLog
View File

@ -29,7 +29,7 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
Daniel Black Daniel Black
* action.d/hostsdeny -- NOTE: new dependancy 'ed'. Switched to use 'ed' across * action.d/hostsdeny -- NOTE: new dependancy 'ed'. Switched to use 'ed' across
all platforms to ensure permissions are the same before and after a ban - all platforms to ensure permissions are the same before and after a ban -
closes gh-266 closes gh-266
- New Features: - New Features:
Daniel Black & ykimon Daniel Black & ykimon
* filter.d/3proxy.conf -- filter added * filter.d/3proxy.conf -- filter added
@ -51,6 +51,8 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
* fail2ban-client -- log to standard error. Closes gh-264 * fail2ban-client -- log to standard error. Closes gh-264
* Fail to configure if not a single log file was found for an * Fail to configure if not a single log file was found for an
enabled jail. Closes gh-63 enabled jail. Closes gh-63
* <HOST> is now enforced to end with an alphanumeric
* filter.d/roundcube-auth.conf -- anchored version
Alexander Dietrich Alexander Dietrich
* action.d/sendmail-common.conf -- added common sendmail settings file * action.d/sendmail-common.conf -- added common sendmail settings file
and made the sender display name configurable and made the sender display name configurable

6
config/filter.d/roundcube-auth.conf
View File

@ -4,6 +4,10 @@
# #
# #
[INCLUDES]
before = common.conf
[Definition] [Definition]
# Option: failregex # Option: failregex
@ -13,7 +17,7 @@
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = (FAILED login|Login failed) for .* from <HOST>\s*$ failregex = ^\s*(\[(\s\+[0-9]{4})?\])?(%(__hostname)s roundcube: IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. AUTHENTICATE .*)?\s*$
# Option: ignoreregex # Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored. # Notes.: regex to ignore. If this regex matches, the line is ignored.

5
server/failregex.py
View File

@ -41,7 +41,7 @@ class Regex:
self._matchCache = None self._matchCache = None
# Perform shortcuts expansions. # Perform shortcuts expansions.
# Replace "<HOST>" with default regular expression for host. # Replace "<HOST>" with default regular expression for host.
regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)") regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)")
if regex.lstrip() == '': if regex.lstrip() == '':
raise RegexException("Cannot add empty regex") raise RegexException("Cannot add empty regex")
try: try:
@ -50,7 +50,8 @@ class Regex:
except sre_constants.error: except sre_constants.error:
raise RegexException("Unable to compile regular expression '%s'" % raise RegexException("Unable to compile regular expression '%s'" %
regex) regex)
def __str__(self):
return "%s(%r)" % (self.__class__.__name__, self._regex)
## ##
# Gets the regular expression. # Gets the regular expression.
# #

7
server/filter.py
View File

@ -294,7 +294,7 @@ class Filter(JailThread):
l = line l = line
l = l.rstrip('\r\n') l = l.rstrip('\r\n')
logSys.log(5, "Working on line %r", l) logSys.log(7, "Working on line %r", l)
timeMatch = self.dateDetector.matchTime(l) timeMatch = self.dateDetector.matchTime(l)
if timeMatch: if timeMatch:
# Lets split into time part and log part of the line # Lets split into time part and log part of the line
@ -349,19 +349,20 @@ class Filter(JailThread):
# @return a dict with IP and timestamp. # @return a dict with IP and timestamp.
def findFailure(self, timeLine, logLine, returnRawHost=False): def findFailure(self, timeLine, logLine, returnRawHost=False):
logSys.log(5, "Date: %r, message: %r", timeLine, logLine)
failList = list() failList = list()
# Checks if we must ignore this line. # Checks if we must ignore this line.
if self.ignoreLine(logLine): if self.ignoreLine(logLine):
# The ignoreregex matched. Return. # The ignoreregex matched. Return.
logSys.log(7, "Matched ignoreregex and was ignored")
return failList return failList
# Iterates over all the regular expressions. # Iterates over all the regular expressions.
for failRegex in self.__failRegex: for failRegex in self.__failRegex:
failRegex.search(logLine) failRegex.search(logLine)
if failRegex.hasMatched(): if failRegex.hasMatched():
# The failregex matched. # The failregex matched.
logSys.log(7, "Matched %s", failRegex)
date = self.dateDetector.getUnixTime(timeLine) date = self.dateDetector.getUnixTime(timeLine)
logSys.log(7, "Date: %r, message: %r",
timeLine, logLine)
if date is None: if date is None:
logSys.debug("Found a match for %r but no valid date/time " logSys.debug("Found a match for %r but no valid date/time "
"found for %r. Please file a detailed issue on" "found for %r. Please file a detailed issue on"

2
testcases/files/logs/roundcube-auth
View File

@ -2,3 +2,5 @@
[22-Jan-2013 22:28:21 +0200]: FAILED login for user1 from 192.0.43.10 [22-Jan-2013 22:28:21 +0200]: FAILED login for user1 from 192.0.43.10
# failJSON: { "time": "2005-05-26T07:12:40", "match": true , "host": "10.1.1.47" } # failJSON: { "time": "2005-05-26T07:12:40", "match": true , "host": "10.1.1.47" }
May 26 07:12:40 hamster roundcube: IMAP Error: Login failed for sales@example.com from 10.1.1.47 May 26 07:12:40 hamster roundcube: IMAP Error: Login failed for sales@example.com from 10.1.1.47
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" }
Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)

8
testcases/servertestcase.py
View File

@ -334,9 +334,9 @@ class Transmitter(TransmitterBase):
"failed attempt from <HOST> again", "failed attempt from <HOST> again",
], ],
[ [
"user john at (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)", "user john at (?:::f{4,6}:)?(?P<host>[\w\-.^_]*\\w)",
"Admin user login from (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)", "Admin user login from (?:::f{4,6}:)?(?P<host>[\w\-.^_]*\\w)",
"failed attempt from (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) again", "failed attempt from (?:::f{4,6}:)?(?P<host>[\w\-.^_]*\\w) again",
], ],
self.jailName self.jailName
) )
@ -359,7 +359,7 @@ class Transmitter(TransmitterBase):
], ],
[ [
"user john", "user john",
"Admin user login from (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)", "Admin user login from (?:::f{4,6}:)?(?P<host>[\w\-.^_]*\\w)",
"Dont match me!", "Dont match me!",
], ],
self.jailName self.jailName