github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

ENH: filter mysqld-auth can be a is a syslog based service so anchor it using syslog prefix

Browse Source
pull/356/head
Daniel Black 11 years ago
parent bb32295b50
commit ee497ff1cb
3 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File

1
ChangeLog
Unescape View File

@ -68,6 +68,7 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
and extra failure examples in sample logs
* filter.d/apache-auth - added expressions for mod_authz, mod_auth and
mod_auth_digest failures.
* filter.d/mysqld-auth.conf - mysql can use syslog
Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий
* filter.d/exim.conf -- regex hardening and extra failure examples in
sample logs

5
config/filter.d/mysqld-auth.conf
Unescape View File

@ -13,7 +13,7 @@ before = common.conf
[Definition]
#_daemon = mysqld
_daemon = mysqld
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
@ -22,7 +22,8 @@ before = common.conf
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
# 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
failregex = Access denied for user '\w+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
#
failregex = ^%(__prefix_line)s(\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[Warning\] Access denied for user '\w+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.

5
testcases/files/logs/mysqld-auth
Unescape View File

@ -10,3 +10,8 @@
130324 19:01:39 [Warning] Access denied for user 'root'@'61.147.108.35' (using password: NO)
# failJSON: { "time": "2013-03-24T19:01:40", "match": true , "host": "61.147.108.35" }
130324 19:01:40 [Warning] Access denied for user 'root'@'61.147.108.35' (using password: YES)
# failJSON: { "time": "2013-09-16T21:30:26", "match": true , "host": "74.207.241.159" }
Sep 16 21:30:26 catinthehat mysqld: 130916 21:30:26 [Warning] Access denied for user 'hacker'@'74.207.241.159' (using password: YES)
# failJSON: { "time": "2013-09-16T21:30:32", "match": true , "host": "74.207.241.159" }
Sep 16 21:30:32 catinthehat mysqld: 130916 21:30:32 [Warning] Access denied for user 'hacker'@'74.207.241.159' (using password: NO)

Write Preview
Loading…
Cancel
Save