new filter: znc-adminlog

ChangeLog

@@ -85,6 +85,7 @@ filter = flt[logtype=short]
 * `filter.d/common.conf`: differentiate `__prefix_line` for file/journal logtype's (speedup and fix parsing
   of systemd-journal);
 * `filter.d/traefik-auth.conf`: used to ban hosts, that were failed through traefik
+* `filter.d/znc-adminlog.conf`: new filter for ZNC (IRC bouncer); requires the adminlog module to be loaded
 
 ### Enhancements
 * introduced new options: `dbmaxmatches` (fail2ban.conf) and `maxmatches` (jail.conf) to contol

config/filter.d/znc-adminlog.conf

@@ -0,0 +1,18 @@
+# Fail2Ban filter for ZNC (requires adminlog module)
+#
+# to use this module, enable the adminlog module from within ZNC and point
+# logpath to its logfile (e.g. /var/lib/znc/moddata/adminlog/znc.log).
+
+[Definition]
+
+failregex = ^\[\] \[[^]]+\] failed to login from <HOST>$
+
+ignoreregex = 
+
+# DEV Notes:
+# Log format is: [<DATE+TIME>] [<USERNAME>] <ACTION> from <HOST>
+# [2018-10-27 01:40:17] [girst] connected to ZNC from 1.2.3.4
+# [2018-10-27 01:40:21] [girst] disconnected from ZNC from 1.2.3.4
+# [2018-10-27 01:40:55] [girst] failed to login from 1.2.3.4
+#
+# Author: Tobias Girstmair (//gir.st/)

config/jail.conf

@@ -734,6 +734,13 @@ logpath  = /var/log/freeswitch.log
 maxretry = 10
 
 
+# enable adminlog; it will log to a file inside znc's directory by default.
+[znc-adminlog]
+
+port     = 6667
+logpath  = /var/lib/znc/moddata/adminlog/znc.log
+
+
 # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
 # equivalent section:
 # log-warnings = 2

fail2ban/tests/files/logs/znc-adminlog

@@ -0,0 +1,7 @@
+# failJSON: { "time": "2018-10-27T01:40:55", "match": true , "host": "1.2.3.4" }
+[2018-10-27 01:40:55] [girst] failed to login from 1.2.3.4
+
+# failJSON: { "match": false }
+[2018-10-27 01:40:17] [girst] connected to ZNC from 1.2.3.4
+# failJSON: { "match": false }
+[2018-10-27 01:40:21] [girst] disconnected from ZNC from 1.2.3.4