fail2ban: add modified filters

c8276258 · Vitaly Lipatov · a43dd60c · c8276258 · c8276258 · c8276258
Commit c8276258 authored Oct 15, 2013 by Vitaly Lipatov
Hide whitespace changes
Inline Side-by-side

Showing with 110 additions and 0 deletions

cyrus-imap.conf fail2ban/filter.d/cyrus-imap.conf +33 -0

named-refused.conf fail2ban/filter.d/named-refused.conf +42 -0

postfix.conf fail2ban/filter.d/postfix.conf +35 -0

No files found.
--- a/fail2ban/filter.d/cyrus-imap.conf
+++ b/fail2ban/filter.d/cyrus-imap.conf
+# Fail2Ban configuration file
+#
+# Author: Jan Wagner <waja@cyconet.org>
+#
+# $Revision: 728 $
+#
+[Definition]
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+# badlogin: rpf1.mail.ru [94.100.189.35] APOP (<4039281676.1323170172@mail.etersoft.ru>) SASL(-13): authentication failure: login incorrect
+# badlogin: mail-yw0-f37.google.com [209.85.213.37] plaintext vb@rusk.ru SASL(-13): authentication failure: checkpass failed
+# badlogin: 91.98.49.195.pol.ir [91.98.49.195] plaintext test SASL(-13): user not found: checkpass failed
+failregex = : badlogin: .*\[<HOST>\] plaintext .*SASL\(.*\): (authentication|generic) failure: checkpass failed$
+	    : badlogin: .*\[<HOST>\] plaintext .*SASL\(-13\): user not found: checkpass failed$
+	    : badlogin: .*\[<HOST>\] LOGIN \[SASL\(-13\): authentication failure: checkpass failed\]$
+	    : badlogin: .*\[<HOST>\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): authentication failure: incorrect (?:digest|NTLM) response\]$
+	    : badlogin: .*\[<HOST>\] DIGEST-MD5 \[SASL\(-13\): authentication failure: client response doesn't match what we generated\]$
+	    : badlogin: .*\[<HOST>\] APOP .*SASL\(-13\): authentication failure: login incorrect$
+	    : badlogin: .*\[<HOST>\] .*SASL\(-13\): user not found$
+	    : badlogin: .*\[<HOST>\] plain .*SASL\(-13\): authentication failure: Password verification failed]$
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 
--- a/fail2ban/filter.d/named-refused.conf
+++ b/fail2ban/filter.d/named-refused.conf
+# Fail2Ban configuration file for named (bind9). Trying to generalize the
+#          structure which is general to capture general patterns in log
+#          lines to cover different configurations/distributions
+#
+# Author: Yaroslav Halchenko
+#
+# $Revision$
+#
+[Definition]
+# 
+# Daemon name
+_daemon=named
+#
+# Shortcuts for easier comprehension of the failregex
+__pid_re=(?:\[\d+\])
+__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
+__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
+#       hostname       daemon_id         spaces
+# this can be optional (for instance if we match named native log files)
+__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile.
+# Values: TEXT
+#
+#failregex = %(__line_prefix)sclient <HOST>#.+: query(?: \(cache\))? '.*' denied\s*$
+# Oct 10 17:03:30 server named[24036]: error (unexpected RCODE SERVFAIL) resolving 'utoli.org.ru/A/IN': 109.70.26.36#53
+failregex = error \(unexpected RCODE SERVFAIL\) resolving \'.*/IN\': <HOST>#53$
+            error \(unexpected RCODE REFUSED\) resolving '.*/IN': <HOST>#53$
+            error \(FORMERR\) resolving '.*/IN': <HOST>#53$
+# named[24036]: DNS format error from 204.13.160.143#53 resolving ja.ru/MX for client 91.232.225.46#33549: Name ru (SOA) not subdomain of zone ja.ru -- invalid response
+#failregex = $
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 
--- a/fail2ban/filter.d/postfix.conf
+++ b/fail2ban/filter.d/postfix.conf
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+# $Revision: 728 $
+#
+[Definition]
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+# NOQUEUE: reject: RCPT from mail.alarko.kz[91.147.96.166]
+# warning: unknown[115.133.138.42]: SASL LOGIN authentication failed: generic failure
+# NOQUEUE: reject: RCPT from flamincomod.ru[91.235.233.41]: 554 5.7.1 Service unavailable; Client host [91.235.233.41] blocked using 
+failregex = NOQUEUE: reject: RCPT from .*\[<HOST>\]: [45]50
+            NOQUEUE: reject_warning: RCPT from .*\[<HOST>\]: [45]50
+            NOQUEUE: reject: RCPT from .*\[<HOST>\]: [45]54 5\.7\.1 Service unavailable; Client host .* blocked using.*
+            lost connection after EHLO from .*\[<HOST>\]
+            lost connection after AUTH from .*\[<HOST>\]
+            lost connection after CONNECT from .*\[<HOST>\]
+            lost connection after RCPT from .*\[<HOST>\]
+            lost connection after DATA.* from .*\[<HOST>\]
+            warning: .*\[<HOST>\]: SASL LOGIN authentication failed:
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =