Added filter and sample log file for qpsmtpd #3089

Open. tlavoie wants to merge 2 commits into master

Conversation

@tlavoie commented Aug 19, 2021

I've just had a tiny change accepted into qpsmtpd master, to now include an IP address in the log, starting with smtpd/qpsmtpd#301.

The included filter works in 0.10.2-2.1 in Debian Buster, but of course that version of qpsmtpd is not yet in a release.

Before submitting your PR, please review the following checklist:

  • [ Y] CHOOSE CORRECT BRANCH: if filing a bugfix/enhancement
    against certain release version, choose 0.9, 0.10 or 0.11 branch,
    for dev-edition use master branch
  • [ N] CONSIDER adding a unit test if your PR resolves an issue
  • [ N] LIST ISSUES this PR resolves
  • [ Y] MAKE SURE this PR doesn't break existing tests
  • [ Y] KEEP PR small so it could be easily reviewed.
  • [ Y] AVOID making unnecessary stylistic changes in unrelated code
  • [ Y] ACCOMPANY each new failregex for filter X with sample log lines
    within fail2ban/tests/files/logs/X file


[Definition]

failregex = ^.*535 LOGIN authentication failed for .* from <HOST>$
Contributor commented:

We don't accept pull requests with vulnerable REs anymore: not anchored (^.* is not an anchor) and several catch-alls (especially before <HOST>).

- failregex = ^.*535 LOGIN authentication failed for .* from <HOST>$
+ failregex = ^[^\[]+\[\d+\]: 535 LOGIN authentication failed for <F-USER>\S+|.*?(?= from)</F-USER> from <ADDR>$
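Review bot: the F-USER group `\S+|.*?(?= from)` tries `\S+` first and only falls back to the lazy branch when the username contains whitespace, so the sample log file should carry a second line with a space in the username to pin down what the user field captures in that case; note also that `<ADDR>` accepts only an IP literal where `<HOST>` would also accept a hostname, which fits here because the PR description says qpsmtpd now logs the address.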

Author (tlavoie) replied:

Thanks Sergey, I'll take a look at this and other changes, and resubmit.

failregex = ^.*535 LOGIN authentication failed for .* from <HOST>$
ignoreregex =

datepattern = ^%%a %%b %%d %%H:%%M:%%S %%Y
Contributor commented:

This datepattern is one of default (anchored at begin) patterns of fail2ban, but you can indeed leave it if it is surely always this timestamp format (and not something configurable by system/in syslog).

@@ -0,0 +1,4 @@
Thu Aug 19 23:37:09 2021 host.domain.example.com[11793]: 535 LOGIN authentication failed for marta from 2.56.59.87
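Review bot: the sample line carries a routable address (2.56.59.87) while the failJSON version of the same line suggested in the review uses 192.0.2.1 from the documentation range; pick one so that the committed fixture line and the host field of its failJSON record agree, since the test compares the two.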
Contributor commented:

The test cases are missing the JSON record describing what must be matched by the filter (once per failure line), for instance:

+ # failJSON: { "time": "2021-08-19T23:37:09", "match": true , "host": "192.0.2.1" }
  Thu Aug 19 23:37:09 2021 host.domain.example.com[11793]: 535 LOGIN authentication failed for marta from 192.0.2.1

otherwise the test suite would fail in CI.
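To make the two review points concrete (why `^.*` is not an anchor, and what a `# failJSON:` fixture checks), here is an added example of a miniature fail2ban-style filter test harness. It is not fail2ban's own code and not from this PR: the `<ADDR>`/`<HOST>`/`<F-USER>` tag expansions are simplified stand-ins for fail2ban's real ones, the fixture lines are constructed (the `250 ...` lines are invented, not real qpsmtpd output), and a fixture line without a failJSON record is treated as "must not match" by this harness's own convention. It runs both regexes from the thread over the fixture, strips the timestamp according to the PR's datepattern, and reports which lines violate their failJSON record; the last fixture line embeds the failure text after the pid prefix, which the original `^.*` pattern still matches and bans 192.0.2.9 for, while the anchored pattern rejects it.

```python
import json
import re
from datetime import datetime

# Assumption: simplified stand-ins for fail2ban's <ADDR>/<HOST>/<F-USER> tag
# expansions (fail2ban's real patterns are stricter); enough for these samples.
_IP4 = r"(?:\d{1,3}\.){3}\d{1,3}"
_IP6 = r"[0-9a-fA-F:]{2,45}"
TAG_EXPANSIONS = [
    ("<ADDR>", rf"(?P<host>{_IP4}|{_IP6})"),          # IP literal only
    ("<HOST>", rf"(?P<host>{_IP4}|{_IP6}|[\w.-]+)"),  # IP literal or hostname
    ("<F-USER>", "(?P<user>"),                         # fail2ban's user capture
    ("</F-USER>", ")"),
]

# datepattern = ^%%a %%b %%d %%H:%%M:%%S %%Y  (%% is ini escaping for %)
DATE_RE = re.compile(r"^(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) ")
DATE_FMT = "%a %b %d %H:%M:%S %Y"

# The two regexes from the review thread.
ORIGINAL = r"^.*535 LOGIN authentication failed for .* from <HOST>$"
HARDENED = (r"^[^\[]+\[\d+\]: 535 LOGIN authentication failed for "
            r"<F-USER>\S+|.*?(?= from)</F-USER> from <ADDR>$")

# Constructed fixture in the fail2ban/tests/files/logs style. The "250" lines
# are invented, not real qpsmtpd output; the last one has the failure text
# embedded after the pid prefix, which an unanchored regex still matches.
SAMPLE_TEST_FILE = """\
# failJSON: { "time": "2021-08-19T23:37:09", "match": true , "host": "192.0.2.1" }
Thu Aug 19 23:37:09 2021 host.domain.example.com[11793]: 535 LOGIN authentication failed for marta from 192.0.2.1
# failJSON: { "time": "2021-08-19T23:37:10", "match": true , "host": "192.0.2.2" }
Thu Aug 19 23:37:10 2021 host.domain.example.com[11793]: 535 LOGIN authentication failed for first last from 192.0.2.2
# failJSON: { "time": "2021-08-19T23:37:11", "match": false }
Thu Aug 19 23:37:11 2021 host.domain.example.com[11793]: 250 queued message from 192.0.2.3
# failJSON: { "time": "2021-08-19T23:37:12", "match": false }
Thu Aug 19 23:37:12 2021 host.domain.example.com[11793]: 250 queued message, subject: 535 LOGIN authentication failed for x from 192.0.2.9
"""


def compile_failregex(failregex: str):
    """Expand the fail2ban tags (simplified) and compile the result."""
    for tag, expansion in TAG_EXPANSIONS:
        failregex = failregex.replace(tag, expansion)
    return re.compile(failregex)


def split_timestamp(line: str):
    """Parse the leading timestamp per the datepattern and return
    (datetime or None, remainder of the line handed to the failregex)."""
    m = DATE_RE.match(line)
    if m is None:
        return None, line
    return datetime.strptime(m.group(1), DATE_FMT), line[m.end():]


def parse_test_file(text: str):
    """Pair each '# failJSON:' record with the log line that follows it.
    Assumption (this harness only): a line without a record must not match."""
    expected = None
    for raw in text.splitlines():
        if raw.startswith("# failJSON:"):
            expected = json.loads(raw[len("# failJSON:"):])
        elif raw.strip() and not raw.startswith("#"):
            yield (expected if expected is not None else {"match": False}), raw
            expected = None


def run_filter(failregex: str, test_text: str) -> list:
    """Apply one failregex to every fixture line and check its failJSON record
    (match flag, extracted host, parsed time). One result dict per line."""
    rx = compile_failregex(failregex)
    results = []
    for expected, line in parse_test_file(test_text):
        ts, rest = split_timestamp(line)
        m = rx.search(rest)
        ok = (m is not None) == bool(expected.get("match", False))
        if m is not None and "host" in expected:
            ok = ok and m.group("host") == expected["host"]
        if ts is not None and "time" in expected:
            ok = ok and ts.isoformat() == expected["time"]
        results.append({
            "line": line,
            "matched": m is not None,
            "host": m.group("host") if m else None,
            "user": m.groupdict().get("user") if m else None,
            "ok": ok,
        })
    return results


def all_ok(results) -> bool:
    """True when every fixture line behaved as its failJSON record demands."""
    return all(r["ok"] for r in results)


if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL), ("hardened", HARDENED)):
        res = run_filter(rx, SAMPLE_TEST_FILE)
        print(f"{name}: {'PASS' if all_ok(res) else 'FAIL'}")
        for r in res:
            if not r["ok"]:
                print("  violates record:", r["matched"], r["host"], r["line"][:70])
```

Running it reports the original regex as FAIL on the last line (it matches and extracts 192.0.2.9 although the record says `"match": false`) and the hardened regex as PASS, with the user field capturing `first last` on the second line through the lazy branch of the F-USER alternation.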
