filter.d/postfix.conf: avoid double counting ('lost connection after AUTH' together with message 'disconnect ...');

closes gh-3505
pull/3381/head
sebres 11 months ago
parent
commit
ff4a2a12fc
  1. config/filter.d/postfix.conf (2)
  2. fail2ban/tests/files/logs/postfix (7)

2
config/filter.d/postfix.conf

@ -38,7 +38,7 @@ mdre-more = %(mdre-normal)s
# Includes some of the log messages described in
# <http://www.postfix.org/POSTSCREEN_README.html>.
mdpr-ddos = (?:lost connection after(?! DATA) [A-Z]+|disconnect(?= from \S+(?: \S+=\d+)* auth=0/(?:[1-9]|\d\d+))|(?:PREGREET \d+|HANGUP) after \S+|COMMAND (?:TIME|COUNT|LENGTH) LIMIT)
mdpr-ddos = (?:lost connection after (?!(?:DATA|AUTH)\b)[A-Z]+|disconnect(?= from \S+(?: \S+=\d+)* auth=0/(?:[1-9]|\d\d+))|(?:PREGREET \d+|HANGUP) after \S+|COMMAND (?:TIME|COUNT|LENGTH) LIMIT)
mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?
mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
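
Review bot: In the changed `mdpr-ddos` line, `(?!(?:DATA|AUTH)\b)` excludes 'lost connection after AUTH' unconditionally, so in this mode the failure is counted only when the `disconnect ... auth=0/N` line from the second alternative is also logged. Consider a comment above `mdpr-ddos` stating that dependency, so that an operator whose disconnect lines carry no `auth=` statistics knows these AUTH drops are no longer counted here. The added `\b` is worth keeping: it stops the exclusion from also swallowing longer command words that merely begin with DATA or AUTH, which the old `(?! DATA)` form did.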

7
fail2ban/tests/files/logs/postfix

@ -159,10 +159,11 @@ Feb 10 13:26:34 srv postfix/smtpd[123]: disconnect from unknown[192.0.2.2] ehlo=
Feb 18 09:45:10 xxx postfix/smtpd[42]: lost connection after CONNECT from spammer.example.com[192.0.2.10]
# failJSON: { "time": "2005-02-18T09:45:12", "match": true , "host": "192.0.2.42" }
Feb 18 09:45:12 xxx postfix/smtpd[42]: lost connection after STARTTLS from spammer.example.com[192.0.2.42]
# failJSON: { "match": false, "desc": "avoid double counting (with next failure message 'disconnect ...'), gh-3505" }
Feb 18 09:48:04 xxx postfix/smtpd[50903]: lost connection after AUTH from unknown[192.0.2.23]
# failJSON: { "time": "2005-02-18T09:48:04", "match": true , "host": "192.0.2.23" }
Feb 18 09:48:04 xxx postfix/smtpd[23]: lost connection after AUTH from unknown[192.0.2.23]
# failJSON: { "time": "2005-02-18T09:48:04", "match": true , "host": "192.0.2.23" }
Feb 18 09:48:04 xxx postfix/smtpd[23]: lost connection after AUTH from unknown[192.0.2.23]
Feb 18 09:48:04 xxx postfix/smtpd[50903]: disconnect from unknown[192.0.2.23] ehlo=1 auth=0/1 rset=1 commands=2/3
# failJSON: { "time": "2004-12-23T19:39:13", "match": true , "host": "192.0.2.2" }
Dec 23 19:39:13 xxx postfix/postscreen[21057]: PREGREET 14 after 0.08 from [192.0.2.2]:59415: EHLO ylmf-pc\r\n
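
Review bot: The new `"match": false` case for `smtpd[50903]` is exercised only together with the following `disconnect ... auth=0/1` line, so the test data does not document what happens when 'lost connection after AUTH' appears without that companion line. Suggest adding a standalone 'lost connection after AUTH' entry with an explicit `"match": false` and a `desc` saying the failure is intentionally left uncounted in that situation, so the trade-off of the regex change is visible in the tests and a later edit to `mdpr-ddos` cannot silently reintroduce the double count or change the uncounted case.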
