From 0c869910eae722f2be9d79d22975400fcb2ef5cd Mon Sep 17 00:00:00 2001 From: Steven Hiscocks Date: Sat, 9 May 2015 10:26:14 +0100 Subject: [PATCH 1/5] BF: Fix fail2ban-regex not parsing journalmatch correctly --- ChangeLog | 1 + bin/fail2ban-regex | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 71d84e719..8bc0ca7fd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,7 @@ ver. 0.9.3 (2015/XX/XXX) - wanna-be-released ----------- - Fixes: + * Fix fail2ban-regex not parsing journalmatch correctly from filter config - New Features: diff --git a/bin/fail2ban-regex b/bin/fail2ban-regex index b337ab5df..08bce1ee3 100755 --- a/bin/fail2ban-regex +++ b/bin/fail2ban-regex @@ -297,8 +297,8 @@ class Fail2banRegex(object): "read from %(value)s" % locals() return False elif command[2] == 'addjournalmatch': - journalmatch = command[3] - self.setJournalMatch(shlex.split(journalmatch)) + journalmatch = command[3:] + self.setJournalMatch(journalmatch) elif command[2] == 'datepattern': datepattern = command[3] self.setDatePattern(datepattern) From 964cdb5d9b9ed157b280d899da473f9621232cda Mon Sep 17 00:00:00 2001 From: Joern Muehlencord Date: Mon, 25 May 2015 13:44:50 +0200 Subject: [PATCH 2/5] add froxlor-auth filter and jail --- config/filter.d/froxlor-auth.conf | 37 ++++++++++++++++++++++++++ fail2ban/tests/files/logs/froxlor-auth | 5 ++++ 2 files changed, 42 insertions(+) create mode 100644 config/filter.d/froxlor-auth.conf create mode 100644 fail2ban/tests/files/logs/froxlor-auth diff --git a/config/filter.d/froxlor-auth.conf b/config/filter.d/froxlor-auth.conf new file mode 100644 index 000000000..04003263f --- /dev/null +++ b/config/filter.d/froxlor-auth.conf 
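Review bot: In the `addjournalmatch` branch, `command[3:]` is an empty list when the entry carries no match tokens, where the removed `command[3]` would have raised, so an empty match now reaches `setJournalMatch` without any message. How `setJournalMatch` treats an empty list is not visible in this hunk; if it is read as "no filter", fail2ban-regex would test the failregex against the whole journal rather than the entries the jail will watch, and the result would not reflect the deployed filter. A guard such as `if not journalmatch:` with an error message and `return False`, in the style of the path just above, would keep that failure visible. A comment like `# journalmatch arrives pre-tokenised from the filter reader; do not shlex.split it again` would record why the slice is used, and the `shlex` import may now be unused. The enclosing method begins and ends outside the hunk.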
@@ -0,0 +1,37 @@
+# Fail2Ban configuration file to block repeated failed login attempts to Frolor installation(s)
+#
+# Froxlor needs to log to Syslog User (e.g. /var/log/user.log) with one of the following messages
+# Froxlor: [Login Action ] Unknown user '' tried to login.
+# Froxlor: [Login Action ] User '' tried to login with wrong password.
+#
+# Author: Joern Muehlencord
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = Froxlor
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = ^%(__prefix_line)s\[Login Action \] Unknown user \S* tried to login.$
+ ^%(__prefix_line)s\[Login Action \] User \S* tried to login with wrong password.$
+
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
+
diff --git a/fail2ban/tests/files/logs/froxlor-auth b/fail2ban/tests/files/logs/froxlor-auth
new file mode 100644
index 000000000..ba585c6d2
--- /dev/null
+++ b/fail2ban/tests/files/logs/froxlor-auth
@@ -0,0 +1,5 @@
+# failJSON: { "time": "2015-06-21T00:56:27", "match": true , "host": "1.2.3.4" }
+May 21 00:56:27 jomu Froxlor: [Login Action 1.2.3.4] Unknown user 'user' tried to login.
+# failJSON: { "time": "2015-06-21T00:57:38", "match": true , "host": "1.2.3.4" }
+May 21 00:57:38 jomu Froxlor: [Login Action 83.87.126.64] User 'admin' tried to login with wrong password.
+
From 14a9a2d968ab50bc0f35bd85c31bc8ed13bf7f26 Mon Sep 17 00:00:00 2001
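Review bot: In `failregex` of froxlor-auth.conf the user field is matched with `\S*`, so a failed login whose user name contains whitespace matches neither pattern and is never counted towards a ban. Because the address comes before the user name and both patterns are anchored at each end, the field can be widened without letting log content influence the captured host, e.g. `Unknown user '.*' tried to login\.$` and `User '.*' tried to login with wrong password\.$`; the final `.` is escaped there because the unescaped one matches any character. As rendered on this page neither pattern shows a `<HOST>` tag between `Login Action` and `\]`, which looks like an extraction artefact since the sample log carries an address at that position; confirm it is present in the committed file, because fail2ban needs the host group to know which address to ban.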
From: Joern Muehlencord Date: Mon, 25 May 2015 13:48:25 +0200 Subject: [PATCH 3/5] add froxlor-auth filter and jail 0 --- ChangeLog | 2 ++ config/jail.conf | 7 +++++++ fail2ban/tests/files/logs/froxlor-auth | 6 +++--- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8bc0ca7fd..b7a9288ec 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,8 @@ ver. 0.9.3 (2015/XX/XXX) - wanna-be-released * Fix fail2ban-regex not parsing journalmatch correctly from filter config - New Features: + - New filters: + - froxlor-auth Thanks Joern Muehlencord - Enhancements: diff --git a/config/jail.conf b/config/jail.conf index 732aeab96..cc96cd7a0 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -408,6 +408,13 @@ port = 10000 logpath = %(syslog_authpriv)s +[froxlor-auth] + +port = http,https +logpath = %(syslog_authpriv)s + + + # # HTTP Proxy servers # diff --git a/fail2ban/tests/files/logs/froxlor-auth b/fail2ban/tests/files/logs/froxlor-auth index ba585c6d2..2a2c2fc4b 100644 --- a/fail2ban/tests/files/logs/froxlor-auth +++ b/fail2ban/tests/files/logs/froxlor-auth @@ -1,5 +1,5 @@ -# failJSON: { "time": "2015-06-21T00:56:27", "match": true , "host": "1.2.3.4" } +# failJSON: { "time": "2005-05-21T00:56:27", "match": true , "host": "1.2.3.4" } May 21 00:56:27 jomu Froxlor: [Login Action 1.2.3.4] Unknown user 'user' tried to login. -# failJSON: { "time": "2015-06-21T00:57:38", "match": true , "host": "1.2.3.4" } -May 21 00:57:38 jomu Froxlor: [Login Action 83.87.126.64] User 'admin' tried to login with wrong password. +# failJSON: { "time": "2005-05-21T00:57:38", "match": true , "host": "1.2.3.4" } +May 21 00:57:38 jomu Froxlor: [Login Action 1.2.3.4] User 'admin' tried to login with wrong password. From 4296d1a9a99efb3ea9f8efc121e67864d4ad109c Mon Sep 17 00:00:00 2001 
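Review bot: The new `[froxlor-auth]` jail in config/jail.conf sets `logpath = %(syslog_authpriv)s`, but the header of froxlor-auth.conf added in patch 2/5 says Froxlor logs to the syslog user facility (e.g. /var/log/user.log). If that is where the messages land, the jail would watch a file that never contains them and would ban nothing, with no error to show for it. Point `logpath` at the file that receives the user facility, or state in the filter header which facility Froxlor must be configured to use, for example `# Froxlor must log to the facility that the jail's logpath reads`. The identical jail.conf hunk in patch 4/5 has the same issue.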
From: Joern Muehlencord Date: Mon, 25 May 2015 13:48:25 +0200 Subject: [PATCH 4/5] add froxlor-auth filter and jail --- ChangeLog | 2 ++ config/jail.conf | 7 +++++++ fail2ban/tests/files/logs/froxlor-auth | 6 +++--- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8bc0ca7fd..b7a9288ec 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,8 @@ ver. 0.9.3 (2015/XX/XXX) - wanna-be-released * Fix fail2ban-regex not parsing journalmatch correctly from filter config - New Features: + - New filters: + - froxlor-auth Thanks Joern Muehlencord - Enhancements: diff --git a/config/jail.conf b/config/jail.conf index 732aeab96..cc96cd7a0 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -408,6 +408,13 @@ port = 10000 logpath = %(syslog_authpriv)s +[froxlor-auth] + +port = http,https +logpath = %(syslog_authpriv)s + + + # # HTTP Proxy servers # diff --git a/fail2ban/tests/files/logs/froxlor-auth b/fail2ban/tests/files/logs/froxlor-auth index ba585c6d2..2a2c2fc4b 100644 --- a/fail2ban/tests/files/logs/froxlor-auth +++ b/fail2ban/tests/files/logs/froxlor-auth @@ -1,5 +1,5 @@ -# failJSON: { "time": "2015-06-21T00:56:27", "match": true , "host": "1.2.3.4" } +# failJSON: { "time": "2005-05-21T00:56:27", "match": true , "host": "1.2.3.4" } May 21 00:56:27 jomu Froxlor: [Login Action 1.2.3.4] Unknown user 'user' tried to login. -# failJSON: { "time": "2015-06-21T00:57:38", "match": true , "host": "1.2.3.4" } -May 21 00:57:38 jomu Froxlor: [Login Action 83.87.126.64] User 'admin' tried to login with wrong password. +# failJSON: { "time": "2005-05-21T00:57:38", "match": true , "host": "1.2.3.4" } +May 21 00:57:38 jomu Froxlor: [Login Action 1.2.3.4] User 'admin' tried to login with wrong password. From 8c4d4aa7fbcb6efb1853dc11720222c0a3aab4c9 Mon Sep 17 00:00:00 2001 
From: Yaroslav Halchenko Date: Mon, 25 May 2015 10:42:19 -0400 Subject: [PATCH 5/5] minor: no tripple empty lines --- config/jail.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/jail.conf b/config/jail.conf index cc96cd7a0..18c27c1ff 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -414,7 +414,6 @@ port = http,https logpath = %(syslog_authpriv)s - # # HTTP Proxy servers # @@ -431,6 +430,7 @@ logpath = /var/log/squid/access.log port = 3128 logpath = /var/log/3proxy.log + # # FTP servers #