Merge branch 'fail2ban:master' into crowdsec

fail2ban · Dec 20, 2022 · f824149 · f824149
2 parents 928d221 + 432e7e1
commit f824149
Show file tree

Hide file tree

Showing 7 changed files with 35 additions and 3 deletions.
diff --git a/config/filter.d/dante.conf b/config/filter.d/dante.conf
@@ -0,0 +1,16 @@
+# Fail2Ban filter for dante
+#
+# Make sure you have "log: error" set in your "client pass" directive
+#
+
+[INCLUDES]
+before = common.conf
+
+[Definition]
+_daemon = danted
+
+failregex = ^%(__prefix_line)sinfo: block\(1\): tcp/accept \]: <HOST>\.\d+ [\d.]+: error after reading \d+ bytes? in \d+ seconds?: (?:could not access |system password authentication failed for )user "<F-USER>[^"]+</F-USER>"
+
+[Init]
+journalmatch = _SYSTEMD_UNIT=danted.service
+
diff --git a/config/filter.d/selinux-common.conf b/config/filter.d/selinux-common.conf
@@ -14,7 +14,7 @@
 
 [Definition]
 
-failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$
+failregex = ^type=%(_type)s msg=audit\(:\d+\): (?:user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'(?:\x1D|$)
 
 ignoreregex =
 

diff --git a/config/filter.d/selinux-ssh.conf b/config/filter.d/selinux-ssh.conf
@@ -15,7 +15,9 @@ _subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023
 _exe  =/usr/sbin/sshd
 _terminal = ssh
 
-_msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr=<HOST> terminal=%(_terminal)s res=failed
+_anygrp = (?!acct=|exe=|addr=|terminal=|res=)\w+=(?:"[^"]+"|\S*)
+
+_msg = (?:%(_anygrp)s )*acct=(?:"<F-USER>[^"]+</F-USER>"|<F-ALT_USER>\S+</F-ALT_USER>) exe="%(_exe)s" (?:%(_anygrp)s )*addr=<ADDR> terminal=%(_terminal)s res=failed
 
 # DEV Notes:
 #

diff --git a/config/jail.conf b/config/jail.conf
@@ -978,3 +978,8 @@ banaction = %(banaction_allports)s
 [monitorix]
 port	= 8080
 logpath = /var/log/monitorix-httpd
+
+[dante]
+port    = 1080
+logpath = %(syslog_daemon)s
+
diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py
@@ -277,7 +277,7 @@ def getOptions(self, sec, options, pOptions=None, shouldExist=False, convert=Tru
 				# TODO: validate error handling here.
 			except NoOptionError:
 				if not optvalue is None:
-					logSys.warning("'%s' not defined in '%s'. Using default one: %r"
+					logSys.debug("'%s' not defined in '%s'. Using default one: %r"
 								% (optname, sec, optvalue))
 					values[optname] = optvalue
 				# elif logSys.getEffectiveLevel() <= logLevel:

diff --git a/fail2ban/tests/files/logs/dante b/fail2ban/tests/files/logs/dante
@@ -0,0 +1,6 @@
+# failJSON: { "time": "2005-04-14T15:35:03", "match": true , "host": "1.2.3.4" }
+Apr 14 15:35:03 vps111111 danted[17969]: info: block(1): tcp/accept ]: 1.2.3.4.50550 0.0.0.0.1080: error after reading 35 bytes in 0 seconds: could not access user "roooooooot"'s records in the system password file: no system error
+# failJSON: { "time": "2005-04-14T15:44:26", "match": true , "host": "1.2.3.4" }
+Apr 14 15:44:26 vps111111 danted[1846]: info: block(1): tcp/accept ]: 1.2.3.4.57178 0.0.0.0.1080: error after reading 18 bytes in 0 seconds: system password authentication failed for user "aland"
+# failJSON: { "time": "2005-04-14T15:44:26", "match": true , "host": "1.2.3.4" }
+Apr 14 15:44:26 vps111111 danted[1846]: info: block(1): tcp/accept ]: 1.2.3.4.57178 0.0.0.0.1080: error after reading 1 byte in 1 second: system password authentication failed for user "aland"
diff --git a/fail2ban/tests/files/logs/selinux-ssh b/fail2ban/tests/files/logs/selinux-ssh
@@ -27,3 +27,6 @@ type=USER_AUTH msg=audit(1383116263.000:603): pid=12887 uid=0 auid=4294967295 se
 
 # failJSON: { "time": "2013-10-30T07:54:08", "match": false , "host": "192.168.3.100" } 
 type=USER_LOGIN msg=audit(1383116048.000:595): pid=12354 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="dan" exe="/usr/sbin/sshd" hostname=? addr=192.168.3.100 terminal=ssh res=failed'
+
+# failJSON: { "time": "2022-11-14T00:11:11", "match": true , "host": "192.0.2.111" } 
+type=USER_AUTH msg=audit(1668381071.000:373474): pid=173582 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=192.0.2.111 addr=192.0.2.111 terminal=ssh res=failed'UID="root" AUID="unset"