Merge remote-tracking branch 'origin/master' into pr-1039

* origin/master: minor: no tripple empty lines add froxlor-auth filter and jail add froxlor-auth filter and jail 0 add froxlor-auth filter and jail BF: Fix fail2ban-regex not parsing journalmatch correctly
10 years ago · eb091d9b8c
parent a61cd4687e 8c4d4aa7fb
commit eb091d9b8c
5 changed files with 54 additions and 2 deletions
--- a/3
+++ b/3
@ -12,8 +12,11 @@ ver. 0.9.3 (2015/XX/XXX) - wanna-be-released
 - Fixes:
   * filter.d/dovecot.conf - also match unknown user in passwd-file.
     Thanks Anton Shestakov
+   * Fix fail2ban-regex not parsing journalmatch correctly from filter config

 - New Features:
+   - New filters:
+     - froxlor-auth  Thanks Joern Muehlencord

 - Enhancements:

--- a/bin/fail2ban-regex
+++ b/bin/fail2ban-regex
@ -297,8 +297,8 @@ class Fail2banRegex(object):
 							  "read from %(value)s" % locals()
 						return False
 				elif command[2] == 'addjournalmatch':
-					journalmatch = command[3]
-					self.setJournalMatch(shlex.split(journalmatch))
+					journalmatch = command[3:]
+					self.setJournalMatch(journalmatch)
 				elif command[2] == 'datepattern':
 					datepattern = command[3]
 					self.setDatePattern(datepattern)
--- a/config/filter.d/froxlor-auth.conf
+++ b/config/filter.d/froxlor-auth.conf
@ -0,0 +1,37 @@
+# Fail2Ban configuration file to block repeated failed login attempts to Frolor installation(s)
+# 
+# Froxlor needs to log to Syslog User (e.g. /var/log/user.log) with one of the following messages
+# <syslog prefix> Froxlor: [Login Action <HOST>] Unknown user '<USER>' tried to login.
+# <syslog prefix> Froxlor: [Login Action <HOST>] User '<USER>' tried to login with wrong password.
+#
+# Author: Joern Muehlencord
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = Froxlor
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = ^%(__prefix_line)s\[Login Action <HOST>\] Unknown user \S* tried to login.$
+            ^%(__prefix_line)s\[Login Action <HOST>\] User \S* tried to login with wrong password.$
+
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
+
--- a/config/jail.conf
+++ b/config/jail.conf
@ -408,6 +408,12 @@ port    = 10000
 logpath = %(syslog_authpriv)s


+[froxlor-auth]
+
+port    = http,https
+logpath  = %(syslog_authpriv)s
+
+
 #
 # HTTP Proxy servers
 #
@ -424,6 +430,7 @@ logpath = /var/log/squid/access.log
 port    = 3128
 logpath = /var/log/3proxy.log

+
 #
 # FTP servers
 #
--- a/fail2ban/tests/files/logs/froxlor-auth
+++ b/fail2ban/tests/files/logs/froxlor-auth
@ -0,0 +1,5 @@
+# failJSON: { "time": "2005-05-21T00:56:27", "match": true , "host": "1.2.3.4" }
+May 21 00:56:27 jomu Froxlor: [Login Action 1.2.3.4] Unknown user 'user' tried to login.
+# failJSON: { "time": "2005-05-21T00:57:38", "match": true , "host": "1.2.3.4" }
+May 21 00:57:38 jomu Froxlor: [Login Action 1.2.3.4] User 'admin' tried to login with wrong password.
+