diff --git a/ChangeLog b/ChangeLog
index b4243e5b..0889c470 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -34,6 +34,9 @@ code-review and minor additions from Yaroslav Halchenko. * [..b6059f4] 'timeout' option for actions Close gh-60 and Debian bug #410077. Also it would now capture and include stdout and stderr into logging messages in case of error or at DEBUG loglevel. + Daniel Black and TESTOVIK + * Multiline filter for sendmail-spam. Close gh-418 + - Enhancements Steven Hiscocks * Replacing use of deprecated API (.warning, .assertEqual, etc)
diff --git a/THANKS b/THANKS
index e70ca9c9..7f0b2605 100644
--- a/THANKS
+++ b/THANKS
@@ -63,6 +63,7 @@ Sireyessire silviogarbes Stephen Gildea Steven Hiscocks
+TESTOVIK
Tom Pike Tyler Vaclav Misek
diff --git a/config/filter.d/sendmail-spam.conf b/config/filter.d/sendmail-spam.conf
new file mode 100644
index 00000000..c1477700
--- /dev/null
+++ b/config/filter.d/sendmail-spam.conf
@@ -0,0 +1,30 @@
+# Fail2ban filter for sendmail spam
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = sendmail
+
+failregex = ^(?P<__prefix>%(__prefix_line)s\w+: )<[^@]+@[^>]+>\.\.\. No such user here(?P=__prefix)from=<[^@]+@[^>]+>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[\]$
+
+[Init]
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 10
+
+# DEV NOTES:
+#
+# There can be a nunber of non-related lines between the first and second part
+# of this regex maxlines of 10 is quite generious. Only one of the
+# "No such user" lines needs to be matched before the line with the HOST.
+#
+# Note the capture __prefix, includes both the __prefix_lines (which includes
+# the sendmail PID), but also the \w+ which the the sendmail assigned mail ID.
+#
+# Author: Daniel Black
diff --git a/config/jail.conf b/config/jail.conf
index a0d85825..845ed0d0 100644
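Review bot: The second half of the failregex only accepts `relay=\S+ \[<HOST>\]$`, i.e. a reverse-DNS name and a space before the bracketed address; if sendmail logs `relay=[1.2.3.4]` with no name when the PTR lookup fails (which is how I recall it behaves, and is exactly the case for most spam sources), those relays never match and never get banned. Making the name optional, `relay=(?:\S+ )?\[<HOST>\]$`, closes that gap, and a second fixture line without a name would pin it. Note that in this rendering the host capture at the end of the regex shows as `\[\]$` and the two parts of the regex sit directly adjacent, so the `<HOST>` token (and any `<SKIPLINES>` marker the DEV NOTES imply) looks like it was stripped as HTML — check the raw file rather than this page. Separately, the negated classes `[^@]+` and `[^>]+` also match newlines, so once buffered lines are joined for multi-line matching a part can in principle straddle lines; `[^@\n]+` / `[^>\n]+` keeps each part on one log line.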
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -461,6 +461,10 @@ logpath = /var/log/postfix.log bantime = 300
+[sendmail-spam]
+
+logpath = /var/log/mail.log
+
# dovecot defaults to logging to the mail syslog facility # but can be set by syslog_facility in the dovecot configuration. [dovecot]
diff --git a/fail2ban/tests/files/logs/sendmail-spam b/fail2ban/tests/files/logs/sendmail-spam
new file mode 100644
index 00000000..c2669207
--- /dev/null
+++ b/fail2ban/tests/files/logs/sendmail-spam
@@ -0,0 +1,19 @@
+
+# failJSON: { "match": false }
+Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
+# failJSON: { "match": false }
+Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
+# failJSON: { "match": false }
+Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
+# failJSON: { "match": false }
+Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
+# failJSON: { "match": false }
+Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
+# failJSON: { "time": "2004-11-03T11:35:30", "match": true , "host": "95.32.23.163" }
+Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: from=, size=0, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=163.23.32.95.dsl-dynamic.vsi.ru [95.32.23.163]
+
+# failJSON: { "match": false }
+Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
+# Different mail ID shouldn't match
+# failJSON: { "match": false }
+Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026255: from=, size=0, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=163.23.32.95.dsl-dynamic.vsi.ru [95.32.23.163]
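Review bot: The new `[sendmail-spam]` section sets only `logpath`, so the ban action's `port` and the jail's `maxretry` fall through to whatever `[DEFAULT]` provides, which is outside this hunk; the neighbouring postfix jail visibly tunes itself (`bantime = 300`) and presumably carries a `port` line above the hunk. Because a single mistyped recipient from a legitimate correspondent is enough to produce the `No such user here` + `from=` pair this filter counts as one failure, it is worth scoping the ban and documenting the trade-off in the jail itself: `port = smtp,ssmtp,submission` plus a comment such as `# one rejected recipient counts as one failure; keep maxretry above 1 so real senders who typo an address are not banned outright`. Whether `[DEFAULT]` already restricts the port is not visible here.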
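Review bot: The fixture never exercises the `maxlines = 10` window the filter depends on — every "No such user here" line sits within a few lines of its `from=` line, so a regression in line buffering, or a `from=` line arriving more than ten lines after its rejection, would pass unnoticed. A `# failJSON: { "match": false }` case where the `from=` line follows its rejection by more than ten unrelated lines, and a positive case with a handful of unrelated lines in between, would pin both edges of the window. A negative case with the same mail ID but a different `sendmail[PID]` would also document what the `__prefix` back-reference is meant to reject, since the only negative pair here varies the mail ID. As rendered on this page the fields read `from=,` and the rejected recipient before `... No such user here` is empty, which looks like `<…>` content stripped as HTML rather than the fixture's real text; if the committed file really lacks them, the positive case cannot satisfy `from=<[^@]+@[^>]+>`.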