fail2ban: add script for check rules and test data

fail2ban/check_rules.sh

+#!/bin/sh
+
+fatal()
+{
+	echo "Error: $@" >&2
+	exit 1
+}
+
+test -d filter.d || cd /etc/fail2ban || fatal "Can't find fail2ban config"
+test -d test.d || fatal "Can't find test.d in $(pwd)."
+which fail2ban-regex >/dev/null || fatal
+
+for i in test.d/* ; do
+	FILTERNAME=$(basename $i)
+	FILTER=filter.d/$FILTERNAME.conf
+	test -r "$FILTER" || exit
+	echo
+	echo "Testing filter $FILTER with data..."
+	cat $i
+	TOTAL=$(fail2ban-regex -v $i $FILTER | grep "^Failregex:" | sed -e "s|Failregex: \([0-9]\+\) total.*|\1|g")
+	fail2ban-regex -v $i $FILTER #&& echo Success
+	TOTALTEST=$(cat $i | grep -v "^$" | grep -v "^#" | wc -l)
+	[ "$TOTAL" = "$TOTALTEST" ] || fatal "Regexped only $TOTAL tests from $TOTALTEST total! Fix rule $FILTER"
+done
+

fail2ban/test.d/cyrus-imap

+Oct 13 09:49:01 server cyrus/pop3[9401]: badlogin: ip45-39.ethernet.wplus.ru [94.188.39.45] plaintext ahtoh@office.etersoft.ru SASL(-1): generic failure: checkpass failed
+Oct 13 09:49:37 server cyrus/imap[9380]: badlogin: [78.25.121.98] plaintext forn@office.etersoft.ru SASL(-1): generic failure: checkpass failed
+Oct 14 19:09:35 server cyrus/pop3[1644]: badlogin: 200-170-193-170.static.spo.ifx.net.br [200.170.193.170] plaintext mark SASL(-13): user not found: checkpass failed
+Oct 14 20:36:30 server cyrus/imap[13426]: badlogin: priv.etersoft.ru [91.232.225.6] plaintext sologub SASL(-13): user not found: checkpass failed
+Oct 15 11:52:13 server cyrus/imaps[30170]: badlogin: [217.170.84.18] plain [SASL(-13): authentication failure: Password verification failed]

fail2ban/test.d/named-refused

+Oct 15 13:39:23 server named[4111]: error (unexpected RCODE REFUSED) resolving '158.107.4.210.in-addr.arpa/PTR/IN': 202.69.165.8#53
+Oct 15 13:38:34 server named[4111]: error (unexpected RCODE SERVFAIL) resolving '221.236.254.85.in-addr.arpa/PTR/IN': 193.0.9.6#53
+Oct 15 13:38:34 server named[4111]: error (FORMERR) resolving 'oreol.info/MX/IN': 207.189.109.119#53

fail2ban/test.d/postfix

+Oct 15 04:06:20 server postfix/smtpd[3592]: NOQUEUE: reject: RCPT from unknown[138.91.173.107]: 450 4.7.1 Client host rejected: cannot find your hostname, [138.91.173.107]; from=<jschmidt@outlook.com> to=<otechnik@azbyka.ru> proto=ESMTP helo=<ns.gimoe.com>
+Oct 15 04:19:50 server postfix/smtpd[8775]: NOQUEUE: reject: RCPT from flamincomod.ru[91.235.233.41]: 554 5.7.1 Service unavailable; Client host [91.235.233.41] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?91.235.233.41; from=<krajdenko_artem@flamincomod.ru> to=<info@omegasound.ru> proto=SMTP helo=<flamincomod.ru>
+Oct 15 09:16:54 server postfix/smtpd[13065]: warning: unknown[146.0.73.121]: SASL LOGIN authentication failed: authentication failure
+Oct 15 04:18:21 server postfix/smtpd[8780]: lost connection after DATA from unknown[86.122.173.157]
+Oct 15 04:18:50 server postfix/smtpd[8772]: lost connection after CONNECT from unknown[113.171.190.250]
+Oct 15 04:18:53 server postfix/smtpd[8831]: lost connection after RCPT from unknown[178.124.246.227]

fail2ban/test.d/vsftpd

+Wed Oct  9 12:14:45 2013 [pid 16470] [ftpkoochy] FAIL LOGIN: Client "95.32.141.118"