added a random rulenum to ipfw created rule #68

Closed
wants to merge 14 commits into
base: master
from
@@ -15,6 +15,8 @@
# Values: TEXT
#
failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
dovecot.*\,<HOST>\): .*(?:No record for user|lookup failed|invalid|not enabled for mail).*$
dovecot.*failed.* rip\=<HOST>\, .*$

@yarikoptic

yarikoptic Mar 27, 2013

Member

example lines please (see my other comment below) -- also the last one seems to be too non-specific and possibly allowing injection


# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
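Review bot: the last added line, `dovecot.*failed.* rip\=<HOST>\, .*$`, is too loose to ship: it has no start anchor, the two `.*` let anything sit between `dovecot`, `failed` and ` rip=`, and the `<HOST>` alias `(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)` takes whatever token follows the first ` rip=`, so every dovecot line that merely contains the word `failed` (disconnects, lookup errors, anything) becomes a ban candidate. Replace it with a pattern that names the specific dovecot message it is meant to catch, as the existing first line does with `Authentication failure` / `Aborted login`, and add one sample line per new pattern to the dovecot file under testcases/files/logs/. Minor: `\=` and `\,` need no escaping, and the trailing `.*$` on the second added line is redundant.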
@@ -15,6 +15,7 @@
# Values: TEXT
#
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
.*\[<HOST>\]: .*(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$

@yarikoptic

yarikoptic Mar 27, 2013

Member

this one reminds above one... what particular case are you aiming at? example log lines... ?


# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
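Review bot: the added second pattern overlaps almost entirely with the existing first one (`(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed...`) but drops the `warning:` and `SASL` tokens and the `(?i)` flag and prefixes a bare `.*`, so it is strictly looser without an obvious new case it covers. If there is a postfix message the first line misses, narrow the new regex to that exact message and add that log line to testcases/files/logs/postfix; otherwise drop it.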
@@ -23,7 +23,7 @@ _daemon = sshd
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA](?:uthentication) (?:failure|error) for .* from <HOST>.*$
^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
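Review bot: two points on the rewritten first failregex. `[aA](?:uthentication)` wraps a literal in a non-capturing group to no effect; `[aA]uthentication` says the same thing. More importantly the line end changed from `\s*$` to `.*$`, which removes the only thing that pinned `<HOST>` to the end of the message, so arbitrary trailing text is now accepted; keep `\s*$`, or if a newer sshd appends ` port N` / ` ssh2`, match that explicitly the way the `Failed (?:password|publickey)` line does with `(?: port \d*)?(?: ssh\d*)?\s*$`. The new `(?:failure|error)` alternative also needs a sample `Authentication error for ... from ...` line in testcases/files/logs/sshd so the widened regex is actually exercised.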
@@ -33,7 +33,7 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* fro
^%(__prefix_line)s(?:pam_unix\(sshd:auth\):\s)?authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
^%(__prefix_line)sUser \S+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$

@yarikoptic

yarikoptic Mar 27, 2013

Member

is there any particular reason for \S instead of . here? On linux systems user names indeed will not have spaces... but I wonder if there is a real advantage here?

@afragen

afragen Jun 14, 2013

Author Contributor

Honestly I don't remember making that \S change.


# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
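Review bot: the `.+` to `\S+` change on the AllowGroups line is the stricter form and worth keeping, but nothing in the PR explains it and the author's reply above says he does not recall making it. The user name in that sshd message is the one the client presented, so with `.+` a name containing spaces can extend the match, while `\S+` confines the user to a single token and leaves `from <HOST>` bound to the address that follows it; say that in the commit message. This commit is also unrelated to the ipfw rulenum change the PR is titled for and would be easier to review as its own PR.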
@@ -0,0 +1,29 @@
# Fail2Ban configuration file
#
# Author: Andy Fragen
#
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = .*: Authentication: FAILED :: User Name: .* :: Viewer Address: <HOST> :: Type: .*$

@yarikoptic

yarikoptic Aug 2, 2012

Member

which particular VNC is it for?

@afragen

afragen Aug 2, 2012

Author Contributor

Honestly the only real references I could find in a quick Google search were for Apple VNC Server. But that filter picks up VNC probes, and there are many of them I see.

@zosorock

zosorock Feb 13, 2013

do you guys have an idea on how to deal with lines like these in the system.log of Mountain Lion?
Feb 13 11:43:11 Manzana.local screensharingd[5664]: Authentication: FAILED :: User Name: fail2bantest :: Viewer Address: 192.168.91.123 :: Type: DH
Feb 13 11:43:43 --- last message repeated 20 times ---

When the person tries repeatedly to log in, OSX just modifies the next line (X times) so the above regex does not match anymore.

@yarikoptic

yarikoptic Feb 13, 2013

Member

not sure about OSX but

https://www.google.com/search?q=fail2ban%20%22last%20message%20repeated%22

can give you the answer for Linux (Debian in particular with rsyslog)
resolution

Yaroslav O. Halchenko
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Postdoctoral Fellow, Department of Psychological and Brain Sciences
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik

@zosorock

zosorock Feb 14, 2013

Thanks Yaroslav! I did a similar search that did not yield any helpful results but this one did. I ended up finding out that in OSX you have to modify /etc/asl.conf by adding this line to the end of it:

= dup_delay 0

and then either rebooting the machine or restarting syslog with

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

Now it works as expected.

@yarikoptic

yarikoptic Mar 27, 2013

Member

for all new failregex'es and whole filters we now seek adding representative examples to the corresponding files under testcases/files/logs/ -- could you extend this PR with those and probably even merge master into it (or even better rebase on top of master if that is not too scary) -- we have diverged I believe a bit too far

sorry about the delay with this


# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
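Review bot: the new filter never says which VNC server writes `Authentication: FAILED :: User Name: ... :: Viewer Address: ... :: Type: ...`; the sample in the thread (`screensharingd[5664]: ...` on Mountain Lion) points at Apple's screen sharing daemon, so name it in the header comment. The file pulls in common.conf and then ignores it: the regex starts with a bare `.*` instead of `^%(__prefix_line)s`, so set `_daemon = screensharingd` as the sshd filter does and anchor the line, and drop the redundant trailing `.*$`. Add zosorock's sample line to testcases/files/logs/ for the new filter; the `--- last message repeated N times ---` collapse is a syslog setting, as the thread concludes, not something the filter should try to handle.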