github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge remote-tracking branch 'origin/master' into pr-1039 

* origin/master:
  minor: no tripple empty lines
  add froxlor-auth filter and jail
  add froxlor-auth filter and jail 0
  add froxlor-auth filter and jail
  BF: Fix fail2ban-regex not parsing journalmatch correctly
pull/1068/head
Yaroslav Halchenko 2015-05-25 10:50:34 -04:00
parent a61cd4687e 8c4d4aa7fb
commit eb091d9b8c
5 changed files with 54 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ChangeLog
View File

@ -12,8 +12,11 @@ ver. 0.9.3 (2015/XX/XXX) - wanna-be-released
- Fixes: - Fixes:
* filter.d/dovecot.conf - also match unknown user in passwd-file. * filter.d/dovecot.conf - also match unknown user in passwd-file.
Thanks Anton Shestakov Thanks Anton Shestakov
* Fix fail2ban-regex not parsing journalmatch correctly from filter config
- New Features: - New Features:
- New filters:
- froxlor-auth Thanks Joern Muehlencord
- Enhancements: - Enhancements:

4
bin/fail2ban-regex
View File

@ -297,8 +297,8 @@ class Fail2banRegex(object):
"read from %(value)s" % locals() "read from %(value)s" % locals()
return False return False
elif command[2] == 'addjournalmatch': elif command[2] == 'addjournalmatch':
journalmatch = command[3] journalmatch = command[3:]
self.setJournalMatch(shlex.split(journalmatch)) self.setJournalMatch(journalmatch)
elif command[2] == 'datepattern': elif command[2] == 'datepattern':
datepattern = command[3] datepattern = command[3]
self.setDatePattern(datepattern) self.setDatePattern(datepattern)

37
config/filter.d/froxlor-auth.conf Normal file
View File

@ -0,0 +1,37 @@
# Fail2Ban configuration file to block repeated failed login attempts to Frolor installation(s)
#
# Froxlor needs to log to Syslog User (e.g. /var/log/user.log) with one of the following messages
# <syslog prefix> Froxlor: [Login Action <HOST>] Unknown user '<USER>' tried to login.
# <syslog prefix> Froxlor: [Login Action <HOST>] User '<USER>' tried to login with wrong password.
#
# Author: Joern Muehlencord
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = Froxlor
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)s\[Login Action <HOST>\] Unknown user \S* tried to login.$
^%(__prefix_line)s\[Login Action <HOST>\] User \S* tried to login with wrong password.$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

7
config/jail.conf
View File

@ -408,6 +408,12 @@ port = 10000
logpath = %(syslog_authpriv)s logpath = %(syslog_authpriv)s
[froxlor-auth]
port = http,https
logpath = %(syslog_authpriv)s
# #
# HTTP Proxy servers # HTTP Proxy servers
# #
@ -424,6 +430,7 @@ logpath = /var/log/squid/access.log
port = 3128 port = 3128
logpath = /var/log/3proxy.log logpath = /var/log/3proxy.log
# #
# FTP servers # FTP servers
# #

5
fail2ban/tests/files/logs/froxlor-auth Normal file
View File

@ -0,0 +1,5 @@
# failJSON: { "time": "2005-05-21T00:56:27", "match": true , "host": "1.2.3.4" }
May 21 00:56:27 jomu Froxlor: [Login Action 1.2.3.4] Unknown user 'user' tried to login.
# failJSON: { "time": "2005-05-21T00:57:38", "match": true , "host": "1.2.3.4" }
May 21 00:57:38 jomu Froxlor: [Login Action 1.2.3.4] User 'admin' tried to login with wrong password.