Merge branch 'proftpd' of https://github.com/grooverdan/fail2ban

* 'proftpd' of https://github.com/grooverdan/fail2ban: ENH: proftpd chan accept usernames with spaces ENH: injection of fail data into USER field ENH: proftp regex hardening and log messages Conflicts: ChangeLog
2013-06-14 12:16:59 -04:00 · 2013-06-14 12:16:59 -04:00 · ec629ab4e8
parent ab2c738b43 9940cd1b6b
commit ec629ab4e8
3 changed files with 20 additions and 7 deletions
--- a/6
+++ b/6
@ -16,8 +16,10 @@ ver. 0.8.11 (2013/XX/XXX) - wanna-be-released
  
 - Enhancements:
  Daniel Black
-   * filter.d/{asterisk,assp,dovecot}.conf -- regex hardening and
-     extra failure examples in sample logs
+   * filter.d/{asterisk,assp,dovecot,proftpd}.conf -- regex hardening
+     and extra failure examples in sample logs
+  
+>>>>>>> 9940cd1b6b0146c2a088edab611e8d77e1d2984d

 ver. 0.8.10 (2013/06/12) - wanna-be-secure
 -----------
--- a/config/filter.d/proftpd.conf
+++ b/config/filter.d/proftpd.conf
@ -1,8 +1,15 @@
 # Fail2Ban configuration file
 #
 # Author: Yaroslav Halchenko
+#         Daniel Black - hardening of regex
 #
-#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+

 [Definition]

@ -13,10 +20,10 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values: TEXT
 #
-failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+ *$
-            \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): .*$
-            \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\. *$
-            \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$
+failregex = ^ %(__hostname)s %(__daemon_re)s%(__pid_re)s %(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$
+            ^ %(__hostname)s %(__daemon_re)s%(__pid_re)s %(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .* \(Login failed\): .*$
+            ^ %(__hostname)s %(__daemon_re)s%(__pid_re)s %(__hostname)s \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: .* login attempted\. *$
+            ^ %(__hostname)s %(__daemon_re)s%(__pid_re)s %(__hostname)s \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$

 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/testcases/files/logs/proftpd
+++ b/testcases/files/logs/proftpd
@ -1,5 +1,9 @@
 Jan 10 00:00:00 myhost proftpd[12345] myhost.domain.com (123.123.123.123[123.123.123.123]): USER username (Login failed): User in /etc/ftpusers
 Feb 1 00:00:00 myhost proftpd[12345] myhost.domain.com (123.123.123.123[123.123.123.123]): USER username: no such user found from 123.123.123.123 [123.123.123.123] to 234.234.234.234:21 
+Jun 09 07:30:58 platypus.ace-hosting.com.au proftpd[11864] platypus.ace-hosting.com.au (mail.bloodymonster.net[::ffff:67.227.224.66]): USER username (Login failed): Incorrect password.
+Jun 09 11:15:43 platypus.ace-hosting.com.au proftpd[17424] platypus.ace-hosting.com.au (::ffff:101.71.143.238[::ffff:101.71.143.238]): USER god: no such user found from ::ffff:101.71.143.238 [::ffff:101.71.143.238] to ::ffff:123.212.99.194:21
+Jun 13 22:07:23 platypus.ace-hosting.com.au proftpd[15719] platypus.ace-hosting.com.au (::ffff:59.167.242.100[::ffff:59.167.242.100]): SECURITY VIOLATION: root login attempted.
+Jun 14 00:09:59 platypus.ace-hosting.com.au proftpd[17839] platypus.ace-hosting.com.au (::ffff:59.167.242.100[::ffff:59.167.242.100]): USER platypus.ace-hosting.com.au proftpd[17424] platypus.ace-hosting.com.au (hihoinjection[1.2.3.44]): no such user found from ::ffff:59.167.242.100 [::ffff:59.167.242.100] to ::ffff:113.212.99.194:21