Merge pull request #1783 from weberhofer/0.10

filter.d/roundcube-auth.conf: Fixed failregex when logging errors to journal instead to a local file.
Additionally fixes more complex injections on username.
pull/1760/head^2
Serg G. Brester 8 years ago committed by GitHub
commit f3ba66d1c6

@ -28,6 +28,9 @@ TODO: implementing of options resp. other tasks from PR #1346
* `filter.d/haproxy-http-auth`: do not mistake client port for part of an IPv6 address (gh-1745) * `filter.d/haproxy-http-auth`: do not mistake client port for part of an IPv6 address (gh-1745)
* `filter.d/postfix-sasl.conf` * `filter.d/postfix-sasl.conf`
- updated to latest postfix formats - updated to latest postfix formats
* `filter.d/roundcube-auth.conf`:
- fixed regex when logging authentication errors to journal instead to a local file (gh-1159);
- additionally fixed more complex injections on username (e. g. using dot after fake host).
* `action.d/complain.conf` * `action.d/complain.conf`
- fixed using new tag `<ip-rev>` (sh/dash compliant now) - fixed using new tag `<ip-rev>` (sh/dash compliant now)
* `action.d/sendmail-geoip-lines.conf` * `action.d/sendmail-geoip-lines.conf`

@ -13,8 +13,10 @@ before = common.conf
[Definition] [Definition]
failregex = ^\s*(\[\])?(%(__hostname)s\s*(roundcube:)?\s*(<[\w]+>)? IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$ prefregex = ^\s*(\[\])?(%(__hostname)s\s*(?:roundcube(?:\[(\d*)\])?:)?\s*(<[\w]+>)? IMAP Error)?: <F-CONTENT>.+</F-CONTENT>$
^\[\]:\s*(<[\w]+>)? Failed login for [\w\-\.\+]+(@[\w\-\.\+]+\.[a-zA-Z]{2,6})? from <HOST> in session \w+( \(error: \d\))?$
failregex = ^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> from <HOST>(\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$
^(?:<[\w]+> )?Failed login for <F-USER>.*</F-USER> from <HOST> in session \w+( \(error: \d\))?$
ignoreregex = ignoreregex =
# DEV Notes: # DEV Notes:

@ -383,6 +383,8 @@ logpath = %(lighttpd_error_log)s
port = http,https port = http,https
logpath = %(roundcube_errors_log)s logpath = %(roundcube_errors_log)s
# Use following line in your jail.local if roundcube logs to journal.
#backend = %(syslog_backend)s
[openwebmail] [openwebmail]

@ -8,19 +8,27 @@ Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 1.
# Made up to attempts to inject a DoS on the server. Assume the user can manipulate the IMAP error response # Made up to attempts to inject a DoS on the server. Assume the user can manipulate the IMAP error response
# #
# user = admin from 127.0.0.1 # user = admin from 127.0.0.1
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" } # failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4", "desc": "Injecting on username 1" }
Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1 from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login) Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1 from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)
# user = admin from 127.0.0.1.
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4", "desc": "Injecting on username 1 (with dot)" }
Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1. from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)
#
# #
# IMAP server logs user=${username} # IMAP server logs user=${username}
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" } # failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4", "desc": "Injecting on username 2" }
Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1 from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. user=admin from 127.0.0.1 in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login) Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1 from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. user=admin from 127.0.0.1 in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)
# #
# IMAP server logs user=${username}
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4", "desc": "Injecting on username 2 (with dot)" }
Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1. from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. user=admin from 127.0.0.1. in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)
#
# Old roundcube version - no IMAP response # Old roundcube version - no IMAP response
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" } # failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4", "desc": "Injecting on username 3" }
Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1 from 1.2.3.4 Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1 from 1.2.3.4
# #
# user = admin from 127.0.0.1 in # user = admin from 127.0.0.1 in
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" } # failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4", "desc": "Injecting on username 4" }
Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1 in from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. user=admin from 127.0.0.1 in in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login) Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1 in from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. user=admin from 127.0.0.1 in in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)
# Roundcube 1.0.5 CentOS 6 (/var/log/roundcubemail/errors) # Roundcube 1.0.5 CentOS 6 (/var/log/roundcubemail/errors)
@ -40,3 +48,6 @@ Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 12
# Roundcube 1.1.1 (/var/log/roundcubemail/userlogins) # Roundcube 1.1.1 (/var/log/roundcubemail/userlogins)
# failJSON: { "time": "2015-05-10T19:02:52", "match": true , "host": "1.2.3.4" } # failJSON: { "time": "2015-05-10T19:02:52", "match": true , "host": "1.2.3.4" }
[10-May-2015 13:02:52 -0400]: <4z506z6r> Failed login for admin@example.com from 1.2.3.4 in session 4z506z6rvddstv6k7jz08hxo27 (error: 0) [10-May-2015 13:02:52 -0400]: <4z506z6r> Failed login for admin@example.com from 1.2.3.4 in session 4z506z6rvddstv6k7jz08hxo27 (error: 0)
# failJSON: { "time": "2005-05-19T06:07:48", "match": true , "host": "192.0.2.1", "desc": "Roundcube logged to journald instead to a local file."}
May 19 06:07:48 server roundcube[21296]: <crk9n97i> IMAP Error: Login failed for test from 192.0.2.1. AUTHENTICATE PLAIN: Authentication failed. in /usr/share/php5/Roundcube/rcube_imap.php on line 193 (POST /mail/?_task=login&_action=login)

Loading…
Cancel
Save