diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf
index e4e5de5f..fef43693 100644
--- a/config/filter.d/asterisk.conf
+++ b/config/filter.d/asterisk.conf
@@ -30,7 +30,7 @@ failregex = ^%(log_prefix)s Registration from '[^']*' failed for '(:\d+)?'
 ^%(log_prefix)s Host failed to authenticate as '[^']*'$
 ^%(log_prefix)s No registration for peer '[^']*' \(from \)$
 ^%(log_prefix)s Host failed MD5 authentication for '[^']*' \([^)]+\)$
- ^%(log_prefix)s Failed to authenticate user [^@]+@\S*$
+ ^%(log_prefix)s Failed to authenticate (user|device) [^@]+@\S*$
 ^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*>;tag=\w+\S*$
 ^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P//\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$
diff --git a/config/filter.d/dropbear.conf b/config/filter.d/dropbear.conf
index c822d08c..350747c6 100644
--- a/config/filter.d/dropbear.conf
+++ b/config/filter.d/dropbear.conf
@@ -27,8 +27,9 @@ _daemon = dropbear
 # These match the unmodified dropbear messages. It isn't possible to
 # match the source of the 'exit before auth' messages from dropbear.
 #
-failregex = ^%(__prefix_line)slogin attempt for nonexistent user ('.*' )?from :.*\s*$
- ^%(__prefix_line)sbad password attempt for .+ from :.*\s*$
+failregex = ^%(__prefix_line)s(L|l)ogin attempt for nonexistent user ('.*' )?from :.*\s*$
+ ^%(__prefix_line)s(B|b)ad password attempt for .+ from :.*\s*$
+ ^%(__prefix_line)sExit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from :\d+\s*$
 # The only line we need to match with the modified dropbear.
diff --git a/testcases/files/logs/asterisk b/testcases/files/logs/asterisk
index ec2fec7c..b2eb7738 100644
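Review bot: The new `(user|device)` alternation is a capturing group, while the `(?:handle_request_subscribe: )?` group two lines below in the same hunk is written non-capturing; since only the host group is meant to be captured, `(?:user|device)` would be the consistent form. The same point applies to `(L|l)ogin` and `(B|b)ad` in the dropbear.conf hunk, which read more simply as `[Ll]ogin` and `[Bb]ad`. The account part `[^@]+` also accepts any character except `@`, including spaces, so the field filled in by the remote party is matched very loosely; if Asterisk logs that name verbatim, narrowing the class to what Asterisk actually emits would make the host capture that follows harder to disturb. The host-capture token after `@` is not visible in this rendering, so that tail of the line is inferred.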
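Review bot: The retained context comment still says it isn't possible to match the source of the 'exit before auth' messages, but the third failregex added in this hunk matches exactly that line, and the dropbear sample log in this commit shows it carrying `from 1.2.3.4:60588`; the comment is now stale. I would replace the two comment sentences with `# These match the unmodified dropbear messages, including the 'Exit before` / `# auth ... Max auth tries reached' line, which does report the source address.` The new line also ends its host part with `:\d+\s*$` while the two lines above keep `:.*\s*$`; if the stricter tail is intended, applying it to all three would keep the filter consistent, though the looser tail may be deliberate for other message variants.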
--- a/testcases/files/logs/asterisk
+++ b/testcases/files/logs/asterisk
@@ -1,4 +1,6 @@
 # Sample log files for asterisk
+# failJSON: { "time": "2013-07-25T07:26:43", "match": true , "host": "1.2.3.4" }
+[2013-07-25 07:26:43] NOTICE[26015][C-000006b2] chan_sip.c: Failed to authenticate device 101;tag=deadbeef
 # failJSON: { "time": "2012-02-13T17:21:54", "match": true , "host": "1.2.3.4" }
 [2012-02-13 17:21:54] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - Wrong password
 # failJSON: { "time": "2012-02-13T17:18:22", "match": true , "host": "1.2.3.4" }
diff --git a/testcases/files/logs/dropbear b/testcases/files/logs/dropbear
new file mode 100644
index 00000000..414c3c7a
--- /dev/null
+++ b/testcases/files/logs/dropbear
@@ -0,0 +1,6 @@
+# failJSON: { "time": "2005-07-27T01:04:12", "match": true , "host": "1.2.3.4" }
+Jul 27 01:04:12 fail2ban-test dropbear[1335]: Bad password attempt for 'root' from 1.2.3.4:60588
+# failJSON: { "time": "2005-07-27T01:04:22", "match": true , "host": "1.2.3.4" }
+Jul 27 01:04:22 fail2ban-test dropbear[1335]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 1.2.3.4:60588
+# failJSON: { "time": "2005-07-27T01:18:59", "match": true , "host": "1.2.3.4" }
+Jul 27 01:18:59 fail2ban-test dropbear[1477]: Login attempt for nonexistent user from 1.2.3.4:60794
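Review bot: The added sample line, as rendered here, contains no `1.2.3.4` anywhere after `Failed to authenticate device 101`, yet its failJSON line expects host 1.2.3.4; presumably an angle-bracketed URI segment was dropped when this page was rendered, so it is worth confirming that the committed line really carries the address between `101` and `;tag=deadbeef`. Its prefix `NOTICE[26015][C-000006b2] chan_sip.c:` also has a bracketed call-id that the older `NOTICE[1638]` sample lacks, so `log_prefix` (defined outside this hunk) must accept that optional component for the new sample to match at all.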
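Review bot: All three samples use the capitalised `Bad password` and `Login attempt` forms, so the lowercase `bad`/`login` alternatives kept in dropbear.conf are not exercised, and no sample covers the optional quoted user in `nonexistent user ('.*' )?from`. A constructed pair such as `# failJSON: { "time": "2005-07-27T01:19:05", "match": true , "host": "1.2.3.4" }` followed by `Jul 27 01:19:05 fail2ban-test dropbear[1477]: login attempt for nonexistent user 'admin' from 1.2.3.4:60795` would cover both gaps with one line.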