Merge pull request #569 from grooverdan/master_to_0.9

MRG: Master to 0.9

ChangeLog

@@ -92,7 +92,9 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better
   - Fix apache-common for apache-2.4 log file format. Thanks Mark White.
     Closes gh-516
   - Asynchat changed to use push method which verifys whether all data was
-    send. This ensures that all data is sent before closing the connection.
+	  send. This ensures that all data is sent before closing the connection.
+  - Removed unnecessary reference to as yet undeclared $jail_name when checking
+    a specific jail in nagios script.
 
 - Enhancements:
   - added firewallcmd-ipset action
@@ -108,13 +110,20 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better
   - exim-spam filter to match spamassassin log entry for option SAdevnull.
     Thanks Ivo Truxa. Closes gh-533
   - filter.d/nsd.conf -- also amended Unix date template to match nsd format
+  - Added to sshd filter expression for "Received disconnect from <HOST>: 3:
+    ...: Auth fail". Thanks Marcel Dopita. Closes gh-289
   - loglines now also report "[PID]" after the name portion
 
 - New Features:
 
-  - Added filter for solid-pop3d -- thanks to Jacques Lav!gnotte on mailinglist.
-  - Added filter for apache-modsecurity
-  - Added filter for openwebmail thanks Ivo Truxa. Closes gh-543
+  - filter.d/solid-pop3d -- added thanks to Jacques Lav!gnotte on mailinglist.
+  - Add filter for apache-modsecurity
+  - filter.d/nsd.conf -- also amended Unix date template to match nsd format
+  - Added openwebmail filter thanks Ivo Truxa. Closes gh-543
+  - Added filter for freeswitch. Thanks Jim and editors and authors of 
+    http://wiki.freeswitch.org/wiki/Fail2ban
+  - Added groupoffice filter thanks to logs from Merijn Schering.
+    Closes gh-566
   - Added filter for horde
 
 ver. 0.8.11 (2013/11/13) - loves-unittests-and-tight-DoS-free-filter-regexes

MANIFEST

@@ -116,6 +116,8 @@ fail2ban/tests/files/logs/dropbear
 fail2ban/tests/files/logs/ejabberd-auth
 fail2ban/tests/files/logs/exim
 fail2ban/tests/files/logs/exim-spam
+fail2ban/tests/files/logs/freeswitch
+fail2ban/tests/files/logs/groupoffice
 fail2ban/tests/files/logs/gssftpd
 fail2ban/tests/files/logs/guacamole
 fail2ban/tests/files/logs/lighttpd-auth
@@ -213,6 +215,8 @@ config/filter.d/3proxy.conf
 config/filter.d/apache-common.conf
 config/filter.d/exim-common.conf
 config/filter.d/exim-spam.conf
+config/filter.d/freeswitch.conf
+config/filter.d/groupoffice.conf
 config/filter.d/perdition.conf
 config/filter.d/uwimap-auth.conf
 config/filter.d/courier-auth.conf

THANKS

@@ -62,6 +62,7 @@ Markus Hoffmann
 Marvin Rouge
 mEDI
 Мернов Георгий
+Merijn Schering
 Michael C. Haller
 Michael Hanselmann
 Nick Munger

config/action.d/apf.conf

@@ -1,45 +1,17 @@
 # Fail2Ban configuration file
+# https://www.rfxn.com/projects/advanced-policy-firewall/
 #
-# Author: Mark McKinstry
+# Note: APF doesn't play nicely with other actions. It has been observed to
+# remove bans created by other iptables based actions. If you are going to use
+# this action, use it for all of your jails.
 #
+# DON'T MIX APF and other IPTABLES based actions
 [Definition]
 
-# Option:  actionstart
-# Notes.:  command executed once at the start of Fail2Ban.
-# Values:  CMD
-#
 actionstart = 
-
-# Option:  actionstop
-# Notes.:  command executed once at the end of Fail2Ban
-# Values:  CMD
-#
 actionstop = 
-
-# Option:  actioncheck
-# Notes.:  command executed once before each actionban command
-# Values:  CMD
-#
 actioncheck = 
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
-#          <failures>  number of failures
-#          <time>  unix timestamp of the ban time
-# Values:  CMD
-#
 actionban = apf --deny <ip> "banned by Fail2Ban <name>"
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
-#          <failures>  number of failures
-#          <time>  unix timestamp of the ban time
-# Values:  CMD
-#
 actionunban = apf --remove <ip>
 
 [Init]
@@ -48,3 +20,6 @@ actionunban = apf --remove <ip>
 #
 name = default
 
+# DEV NOTES:
+#
+# Author: Mark McKinstry

config/filter.d/freeswitch.conf

@@ -0,0 +1,23 @@
+# Fail2Ban configuration file
+#
+# Enable "log-auth-failures" on each Sofia profile to monitor
+# <param name="log-auth-failures" value="true"/>
+# -- this requires a high enough loglevel on your logs to save these messages.
+#
+# In the fail2ban jail.local file for this filter set ignoreip to the internal
+# IP addresses on your LAN.
+#
+
+[Definition]
+
+failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
+            ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$
+
+ignoreregex =
+
+# Author: Rupa SChomaker, soapee01, Daniel Black
+# http://wiki.freeswitch.org/wiki/Fail2ban
+# Thanks to Jim on mailing list of samples and guidance
+#
+# No need to match the following. Its a duplicate of the SIP auth regex.
+#  ^\.\d+ \[DEBUG\] sofia\.c:\d+ IP <HOST> Rejected by acl "\S+"\. Falling back to Digest auth\.$

config/filter.d/groupoffice.conf

@@ -0,0 +1,14 @@
+# Fail2Ban filter for Group-Office
+#
+# Enable logging with:
+# $config['info_log']='/home/groupoffice/log/info.log';
+#
+
+[Definition]
+
+failregex = ^\[\]LOGIN FAILED for user: "\S+" from IP: <HOST>$
+
+
+
+# Author: Daniel Black
+

config/filter.d/pure-ftpd.conf

@@ -1,7 +1,11 @@
 # Fail2Ban filter for pureftp
 #
+# Disable hostname based logging by:
 #
+# Start pure-ftpd with the -H switch or on Ubuntu 'echo yes > /etc/pure-ftpd/conf/DontResolve'
 #
+#
+
 [INCLUDES]
 
 before = common.conf
@@ -17,3 +21,4 @@ ignoreregex =
 
 # Author: Cyril Jaquier
 # Modified: Yaroslav Halchenko for pure-ftpd
+# Documentation thanks to Blake on http://www.fail2ban.org/wiki/index.php?title=Fail2ban:Community_Portal

config/filter.d/sshd.conf

@@ -20,6 +20,7 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|erro
             ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
             ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
             ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
+            ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
             ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
             ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
             ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: Bye Bye \[preauth\]$

config/filter.d/vsftpd.conf

@@ -1,5 +1,8 @@
 # Fail2Ban filter for vsftp
 #
+# Configure VSFTP for "dual_log_enable=YES", and have fail2ban watch
+# /var/log/vsftpd.log instead of /var/log/secure. vsftpd.log file shows the
+# incoming ip address rather than domain names.
 
 [INCLUDES]
 
@@ -16,3 +19,4 @@ failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S*
 ignoreregex = 
 
 # Author: Cyril Jaquier
+# Documentation from fail2ban wiki