Added filter and sample log file for qpsmtpd #3089
base: master
Conversation
[Definition]
failregex = ^.*535 LOGIN authentication failed for .* from <HOST>$
We don't accept pull requests with vulnerable REs anymore - not anchored (^.* is not an anchor) and several catch-alls (especially before <HOST>).
- failregex = ^.*535 LOGIN authentication failed for .* from <HOST>$
+ failregex = ^[^\[]+\[\d+\]: 535 LOGIN authentication failed for <F-USER>\S+|.*?(?= from)</F-USER> from <ADDR>$
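Review bot: the suggested `+` line still depends on the trailing `$` to pin `<ADDR>` to the last `from` token; a username that itself contains ` from <some address>` is then absorbed into `<F-USER>` instead of deciding which address gets banned, so keep `$` in any further edit and add a sample line with such a username to the test log so this is covered. The `[^\[]+` prefix is still an unbounded run, but it cannot cross the `[pid]` bracket, and using `<ADDR>` (address only) instead of `<HOST>` also stops a trailing hostname from becoming the ban target.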
Thanks Sergey, I'll take a look at this and other changes, and resubmit.
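As an added illustration of the review point above (example code written for this page, not fail2ban's own code and not from the PR), the following Python runs the PR's original failregex and the hardened replacement side by side over constructed qpsmtpd-style log lines. It assumes simplified stand-ins for the `<HOST>` and `<ADDR>` placeholders (IPv4 only) and a simplified version of fail2ban's timestamp stripping; the log-injection line and the hostname-ended line are hypothetical inputs, not messages qpsmtpd is known to emit. It goes a little beyond the thread by also timing both patterns on a crafted non-matching line, where the two catch-alls in the original back-track quadratically.

```python
import re
import time

# Added example, not fail2ban's code: the PR's original failregex next to the
# reviewer's hardened one, run over constructed qpsmtpd-style log lines.

# Simplified stand-ins for fail2ban's placeholders (assumption: the real <HOST>
# and <ADDR> expansions also handle IPv6 and bracketed forms; IPv4 only here).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"   # <HOST>: accepts an IP or a hostname
ADDR = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"       # <ADDR>: an address only

# <F-USER>...</F-USER> is written as the named group fail2ban turns it into.
ORIGINAL = re.compile(r"^.*535 LOGIN authentication failed for .* from " + HOST + r"$")
HARDENED = re.compile(
    r"^[^\[]+\[\d+\]: 535 LOGIN authentication failed for "
    r"(?P<user>\S+|.*?(?= from)) from " + ADDR + r"$"
)

# Python form of the anchored datepattern ^%%a %%b %%d %%H:%%M:%%S %%Y
DATE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4}")

PREFIX = "Thu Aug 19 23:37:09 2021 host.domain.example.com[11793]: "
# Constructed sample lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE = [
    PREFIX + "535 LOGIN authentication failed for marta from 192.0.2.1",   # 0 genuine failure
    PREFIX + "535 LOGIN authentication failed for mar ta from 192.0.2.2",  # 1 username with a space
    PREFIX + "535 LOGIN authentication failed for eve from 203.0.113.9 from 192.0.2.3",  # 2 username smuggles "from <ip>"
    PREFIX + "250 OK",                                                     # 3 unrelated line
    # 4: hypothetical message echoing a client-supplied string mid-line (log injection)
    PREFIX + "250 hi 535 LOGIN authentication failed for x from 198.51.100.7",
    # 5: hypothetical line ending in a hostname instead of an address
    PREFIX + "535 LOGIN authentication failed for bob from mail.example.net",
]


def strip_date(line):
    """Cut the matched timestamp out, as fail2ban does before failregex runs
    (simplified: a line without a timestamp is used as-is, the rest is lstripped)."""
    m = DATE.match(line)
    return line if m is None else line[m.end():].lstrip()


def scan(regex, lines):
    """Return {index: (user, host)} for the lines a failregex matches."""
    hits = {}
    for i, line in enumerate(lines):
        m = regex.match(strip_date(line))
        if m:
            hits[i] = (m.groupdict().get("user"), m.group("host"))
    return hits


def compare(lines=SAMPLE):
    """Matches of the original and the hardened regex side by side."""
    return scan(ORIGINAL, lines), scan(HARDENED, lines)


def worst_case_seconds(k=300):
    """Time both regexes on a line built from k repeated failure fragments and no
    valid tail: the two catch-alls in ORIGINAL back-track over every fragment
    (quadratic in the line length), HARDENED gives up after one linear pass."""
    rest = "host[1]: " + "535 LOGIN authentication failed for " * k + "x"
    out = {}
    for name, rx in (("original", ORIGINAL), ("hardened", HARDENED)):
        t0 = time.perf_counter()
        assert rx.match(rest) is None
        out[name] = time.perf_counter() - t0
    return out


if __name__ == "__main__":
    orig, hard = compare()
    for i in range(len(SAMPLE)):
        print(f"{i}: original={orig.get(i)}  hardened={hard.get(i)}")
    print(worst_case_seconds())
```

Run directly, it prints which lines each regex accepts and what it extracts: the original accepts the injected mid-line text (line 4) and the hostname-ended line (line 5; with `<HOST>`, fail2ban would then, depending on `usedns`, resolve and ban that name), while the hardened one only accepts lines whose message starts with `535 LOGIN` right after the `[pid]:` prefix and ends in an address, and it still binds the address to the final `from` token because of `$`.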
ignoreregex =

datepattern = ^%%a %%b %%d %%H:%%M:%%S %%Y
This datepattern is one of the default (anchored at the beginning) patterns of fail2ban, but you can indeed leave it if it is surely always this timestamp format (and not something configurable by the system/in syslog).
@@ -0,0 +1,4 @@
Thu Aug 19 23:37:09 2021 host.domain.example.com[11793]: 535 LOGIN authentication failed for marta from 2.56.59.87
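Review bot: the sample line in this hunk ends with a public address, 2.56.59.87; replace it with an RFC 5737 documentation address (192.0.2.1, as the failJSON suggestion in this thread uses) so the test file does not carry a real host's address, and make sure the `host` value of each failJSON record equals the address in the line that follows it, otherwise the record and the line disagree and the test fails.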
The test cases are missing the JSON record describing what must be matched by the filter (once per failure line), for instance:
+ # failJSON: { "time": "2021-08-19T23:37:09", "match": true , "host": "192.0.2.1" }
Thu Aug 19 23:37:09 2021 host.domain.example.com[11793]: 535 LOGIN authentication failed for marta from 192.0.2.1
otherwise the test suite would fail in CI.
I've just had a tiny change accepted into qpsmtpd master, to now include an IP address in the log, starting with smtpd/qpsmtpd#301.
The included filter works in 0.10.2-2.1 in Debian Buster, but of course that version of qpsmtpd is not yet in a release.
Before submitting your PR, please review the following checklist:
- against certain release version, choose 0.9, 0.10 or 0.11 branch, for dev-edition use master branch
- failregex for filter X with sample log lines within fail2ban/tests/files/logs/X file