Merge branch 'enh/asterisk_and_dropbear_filters'

* enh/asterisk_and_dropbear_filters: ENH: hardened added dropbear failregex to avoid trailing .* and enclose username in '' minor: consistent indentation in dropbear.conf https://github.com/fail2ban/fail2ban/issues/306 fail2ban-users: Sebastian Arcus - Detect device auth failures on Asterisk 11
11 years ago · e7d5e466b9
parent c0456fd835 4e0ddc5f67
commit e7d5e466b9
4 changed files with 12 additions and 3 deletions
--- a/config/filter.d/asterisk.conf
+++ b/config/filter.d/asterisk.conf
@ -30,7 +30,7 @@ failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?'
            ^%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
-            ^%(log_prefix)s Failed to authenticate user [^@]+@<HOST>\S*$
+            ^%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
            ^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$

--- a/config/filter.d/dropbear.conf
+++ b/config/filter.d/dropbear.conf
@ -27,8 +27,9 @@ _daemon = dropbear
 # These match the unmodified dropbear messages. It isn't possible to
 # match the source of the 'exit before auth' messages from dropbear.
 #
-failregex = ^%(__prefix_line)slogin attempt for nonexistent user ('.*' )?from <HOST>:.*\s*$
-            ^%(__prefix_line)sbad password attempt for .+ from <HOST>:.*\s*$
+failregex = ^%(__prefix_line)s(L|l)ogin attempt for nonexistent user ('.*' )?from <HOST>:.*\s*$
+            ^%(__prefix_line)s(B|b)ad password attempt for .+ from <HOST>:.*\s*$
+            ^%(__prefix_line)sExit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$

 # The only line we need to match with the modified dropbear.

--- a/testcases/files/logs/asterisk
+++ b/testcases/files/logs/asterisk
@ -1,4 +1,6 @@
 # Sample log files for asterisk 
+# failJSON: { "time": "2013-07-25T07:26:43", "match": true , "host": "1.2.3.4" }
+[2013-07-25 07:26:43] NOTICE[26015][C-000006b2] chan_sip.c: Failed to authenticate device 101<sip:101@1.2.3.4>;tag=deadbeef
 # failJSON: { "time": "2012-02-13T17:21:54", "match": true , "host": "1.2.3.4" }
 [2012-02-13 17:21:54] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - Wrong password
 # failJSON: { "time": "2012-02-13T17:18:22", "match": true , "host": "1.2.3.4" }
--- a/testcases/files/logs/dropbear
+++ b/testcases/files/logs/dropbear
@ -0,0 +1,6 @@
+# failJSON: { "time": "2005-07-27T01:04:12", "match": true , "host": "1.2.3.4" }
+Jul 27 01:04:12 fail2ban-test dropbear[1335]: Bad password attempt for 'root' from 1.2.3.4:60588
+# failJSON: { "time": "2005-07-27T01:04:22", "match": true , "host": "1.2.3.4" }
+Jul 27 01:04:22 fail2ban-test dropbear[1335]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 1.2.3.4:60588
+# failJSON: { "time": "2005-07-27T01:18:59", "match": true , "host": "1.2.3.4" }
+Jul 27 01:18:59 fail2ban-test dropbear[1477]: Login attempt for nonexistent user from 1.2.3.4:60794