From cb982ef9217bfa34b2fd86297a66a72921ba8c55 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Fri, 8 Nov 2013 08:55:45 +1100 Subject: [PATCH 1/2] ENH: multiline filter for sendmail-spam. Closes gh-418 --- ChangeLog | 3 +++ THANKS | 1 + config/filter.d/sendmail-spam.conf | 20 ++++++++++++++++++++ config/jail.conf | 4 ++++ fail2ban/tests/files/logs/sendmail-spam | 19 +++++++++++++++++++ 5 files changed, 47 insertions(+) create mode 100644 config/filter.d/sendmail-spam.conf create mode 100644 fail2ban/tests/files/logs/sendmail-spam diff --git a/ChangeLog b/ChangeLog index b4243e5b..0889c470 100644 --- a/ChangeLog +++ b/ChangeLog @@ -34,6 +34,9 @@ code-review and minor additions from Yaroslav Halchenko. * [..b6059f4] 'timeout' option for actions Close gh-60 and Debian bug #410077. Also it would now capture and include stdout and stderr into logging messages in case of error or at DEBUG loglevel. + Daniel Black and TESTOVIK + * Multiline filter for sendmail-spam. Close gh-418 + - Enhancements Steven Hiscocks * Replacing use of deprecated API (.warning, .assertEqual, etc) diff --git a/THANKS b/THANKS index e70ca9c9..7f0b2605 100644 --- a/THANKS +++ b/THANKS @@ -63,6 +63,7 @@ Sireyessire silviogarbes Stephen Gildea Steven Hiscocks +TESTOVIK Tom Pike Tyler Vaclav Misek diff --git a/config/filter.d/sendmail-spam.conf b/config/filter.d/sendmail-spam.conf new file mode 100644 index 00000000..d4d812c7 --- /dev/null +++ b/config/filter.d/sendmail-spam.conf 
@@ -0,0 +1,20 @@
+# Fail2ban filter for sendmail spam
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = sendmail
+
+failregex = ^(?P<__prefix>%(__prefix_line)s\w+: )<\w+@[\w.-]+>\.\.\. No such user here(?P=__prefix)from=<\w+@[\w.-]+>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=[\w.-]+ \[\]$
+
+[Init]
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 10
+
diff --git a/config/jail.conf b/config/jail.conf
index a0d85825..845ed0d0 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -461,6 +461,10 @@ logpath = /var/log/postfix.log
 bantime = 300
 
+[sendmail-spam]
+
+logpath = /var/log/mail.log
+
 # dovecot defaults to logging to the mail syslog facility
 # but can be set by syslog_facility in the dovecot configuration.
 [dovecot]
 
diff --git a/fail2ban/tests/files/logs/sendmail-spam b/fail2ban/tests/files/logs/sendmail-spam
new file mode 100644
index 00000000..c2669207
--- /dev/null
+++ b/fail2ban/tests/files/logs/sendmail-spam
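Review bot: In the `failregex` line of the filter hunk, `bodytype=\w+` and `proto=E?SMTP` are mandatory and nothing is allowed between `nrcpts=` and `bodytype=`, which, as far as I recall sendmail's `from=` logging, silently drops three common shapes: a client that sends no `BODY=` parameter (no `bodytype=` field at all), a STARTTLS session (`proto=ESMTPS`), and a message that reached DATA (`msgid=<...>` inserted before `bodytype=`). Spambots that skip `BODY=` are exactly the traffic this filter is meant for, so please check against real logs and, if confirmed, use `nrcpts=\d+, (?:msgid=<[^>]*>, )?(?:bodytype=\w+, )?proto=E?SMTPS?, daemon=MTA, `. Precision is not affected: the banned address still comes only from sendmail's own `relay=` field, never from the attacker-controlled sender or recipient text, and the `(?P=__prefix)` backreference keeps the two lines tied to the same PID and mail ID.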
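Review bot: The `[sendmail-spam]` jail in the jail.conf hunk sets only `logpath`, so `port` — and with it what the ban action actually blocks — is whatever `[DEFAULT]` supplies; whether the postfix jail just above sets its own `port` is outside this hunk, but a mail jail normally names the SMTP ports so the ban stays scoped to the service being abused. Make it explicit: `port = smtp,ssmtp,submission`. Leaving `enabled` to the default is the right call for a new filter backed by a single fixture.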
@@ -0,0 +1,19 @@
+
+# failJSON: { "match": false }
+Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
+# failJSON: { "match": false }
+Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
+# failJSON: { "match": false }
+Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
+# failJSON: { "match": false }
+Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
+# failJSON: { "match": false }
+Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
+# failJSON: { "time": "2004-11-03T11:35:30", "match": true , "host": "95.32.23.163" }
+Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: from=, size=0, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=163.23.32.95.dsl-dynamic.vsi.ru [95.32.23.163]
+
+# failJSON: { "match": false }
+Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: ... No such user here
+# Different mail ID shouldn't match
+# failJSON: { "match": false }
+Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026255: from=, size=0, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=163.23.32.95.dsl-dynamic.vsi.ru [95.32.23.163]
From a8a131009875c35e727a4106d0e1df97290ed032 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Fri, 8 Nov 2013 10:54:10 +1100
Subject: [PATCH 2/2] ENH: sendmail-spam - loose regex on email and domain bits so more likely to match. Added dev notes and author attribution/blame
---
 config/filter.d/sendmail-spam.conf | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/config/filter.d/sendmail-spam.conf b/config/filter.d/sendmail-spam.conf
index d4d812c7..c1477700 100644
--- a/config/filter.d/sendmail-spam.conf
+++ b/config/filter.d/sendmail-spam.conf
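Review bot: The fixture exercises a single address shape — every `No such user` line carries the same recipient and the one matching `from=` line the same sender — so the loosening in the follow-up commit (`[^@]+@[^>]+` in place of `\w+@[\w.-]+`) has no line that fails under the old pattern and passes under the new one. Add at least one positive case whose local part contains `.`, `+` or `-` and whose domain has a hyphenated label, e.g. `first.last+tag@mail-host.example`, and a negative case where the `from=` line shares mail ID `rA37ZTSC026254` but comes from a different PID (`sendmail[26255]`) to pin the `__prefix` backreference. The rendered lines show `from=,` and `: ... No such user`, so the angle-bracketed addresses appear to have been stripped in display; I am assuming they are present in the committed file.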
@@ -11,10 +11,20 @@ before = common.conf
 
 _daemon = sendmail
 
-failregex = ^(?P<__prefix>%(__prefix_line)s\w+: )<\w+@[\w.-]+>\.\.\. No such user here(?P=__prefix)from=<\w+@[\w.-]+>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=[\w.-]+ \[\]$
+failregex = ^(?P<__prefix>%(__prefix_line)s\w+: )<[^@]+@[^>]+>\.\.\. No such user here(?P=__prefix)from=<[^@]+@[^>]+>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[\]$
 
 [Init]
 
 # "maxlines" is number of log lines to buffer for multi-line regex searches
 maxlines = 10
 
+# DEV NOTES:
+#
+# There can be a nunber of non-related lines between the first and second part
+# of this regex maxlines of 10 is quite generious. Only one of the
+# "No such user" lines needs to be matched before the line with the HOST.
+#
+# Note the capture __prefix, includes both the __prefix_lines (which includes
+# the sendmail PID), but also the \w+ which the the sendmail assigned mail ID.
+#
+# Author: Daniel Black
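Review bot: The new failregex's `relay=\S+ \[\]$` tail (the rendered hunk shows `\[\]`; I assume the `<HOST>` tag was lost in display) still requires a non-empty hostname before the bracketed address and anchors immediately after the bracket, so it misses the two forms sendmail uses for precisely the hosts this filter targets: `relay=[1.2.3.4]` when there is no PTR record, and `relay=host [1.2.3.4] (may be forged)` when forward and reverse DNS disagree (from memory of sendmail's logging; confirm against real logs). Those senders would never be banned. If confirmed, `relay=(?:\S+ )?\[<HOST>\](?: \(may be forged\))?$` covers both, and each form deserves a fixture line. Likewise `from=<[^@]+@[^>]+>` rejects the null envelope sender `from=<>` that bounce-style spam and many probes use; `from=<(?:[^@>]+@[^>]+)?>` accepts it. The DEV NOTES also carry typos worth fixing while here: `nunber`, `generious`, and `the the`.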