From b52a4441fda6eed0dcb5c0a344e4802024f02fc4 Mon Sep 17 00:00:00 2001 From: Tomas Pihl Date: Sat, 11 Jan 2014 15:10:02 +0100 Subject: [PATCH 1/4] Support ACL-events without AccountID. Typically happens when a registration from an unknown domain is performed. Add credits --- ChangeLog | 1 + THANKS | 1 + config/filter.d/asterisk.conf | 2 +- testcases/files/logs/asterisk | 2 ++ 4 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index a286cf0f..2ca227ff 100644 --- a/ChangeLog +++ b/ChangeLog @@ -53,6 +53,7 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better - Added to sshd filter expression for "Received disconnect from : 3: ...: Auth fail". Thanks Marcel Dopita. Closes gh-289 - Added filter.d/ejabberd-auth + - Improved ACL-handling for Asterisk - New Features: diff --git a/THANKS b/THANKS index efbcbe75..38e29fe6 100644 --- a/THANKS +++ b/THANKS @@ -80,6 +80,7 @@ Stefan Tatschner Stephen Gildea Steven Hiscocks Tom Pike +Tomas Pihl Tyler Vaclav Misek Vincent Deffontaines diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf index 3c1a97df..7bb2c709 100644 --- a/config/filter.d/asterisk.conf +++ b/config/filter.d/asterisk.conf @@ -15,7 +15,7 @@ failregex = ^%(log_prefix)s Registration from '[^']*' failed for '(:\d+)?' ^%(log_prefix)s Host failed MD5 authentication for '[^']*' \([^)]+\)$ ^%(log_prefix)s Failed to authenticate (user|device) [^@]+@\S*$ ^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*>;tag=\w+\S*$ - ^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P//\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$ + ^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P//\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$ ^\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? Ext\. s: "Rejecting unknown SIP connection from "$ ignoreregex = diff --git a/testcases/files/logs/asterisk b/testcases/files/logs/asterisk index 60c89d5f..a2535156 100644 --- a/testcases/files/logs/asterisk +++ b/testcases/files/logs/asterisk @@ -40,6 +40,8 @@ [2009-12-22 16:35:24] NOTICE[14916]: chan_sip.c:15644 handle_request_subscribe: Sending fake auth rejection for user ;tag=6pwd6erg54 # failJSON: { "time": "2013-07-06T09:09:25", "match": true , "host": "141.255.164.106" } [2013-07-06 09:09:25] SECURITY[3308] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1373098165-824497",Severity="Error",Service="SIP",EventVersion="2",AccountID="972592891005",SessionID="0x88aab6c",LocalAddress="IPV4/UDP/92.28.73.180/5060",RemoteAddress="IPV4/UDP/141.255.164.106/5084",Challenge="41d26de5",ReceivedChallenge="41d26de5",ReceivedHash="7a6a3a2e95a05260aee612896e1b4a39" +# failJSON: { "time": "2014-01-10T16:39:06", "match": true , "host": "50.30.42.14" } +[2014-01-10 16:39:06] SECURITY[1503] res_security_log.c: SecurityEvent="FailedACL",EventTV="1389368346-880526",Severity="Error",Service="SIP",EventVersion="1",AccountID="",SessionID="0x7ff408103b18",LocalAddress="IPV4/UDP/83.11.20.23/5060",RemoteAddress="IPV4/UDP/50.30.42.14/5066",ACLName="domain_must_match" # failJSON: { "time": "2013-11-11T14:33:38", "match": true , "host": "192.168.55.152" } [2013-11-11 14:33:38] WARNING[6756][C-0000001d] Ext. s: "Rejecting unknown SIP connection from 192.168.55.152" From 6b0e6b9bcacb9c173f082abd4544cf29450ef62f Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Mon, 13 Jan 2014 06:59:59 +1100 Subject: [PATCH 2/4] ENH: add improper command pipelining postfix filter --- ChangeLog | 5 ++--- config/filter.d/postfix.conf | 1 + testcases/files/logs/postfix | 10 ++++++++++ 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2ca227ff..aebfa829 100644 --- a/ChangeLog +++ b/ChangeLog @@ -54,6 +54,8 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better ...: Auth fail". Thanks Marcel Dopita. Closes gh-289 - Added filter.d/ejabberd-auth - Improved ACL-handling for Asterisk + - loglines now also report "[PID]" after the name portion + - Added improper command pipelining to postfix filter. - New Features: @@ -65,9 +67,6 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better - Added filter for freeswitch. Thanks Jim and editors and authors of http://wiki.freeswitch.org/wiki/Fail2ban -- Enhancements: - - loglines now also report "[PID]" after the name portion - ver. 0.8.11 (2013/11/13) - loves-unittests-and-tight-DoS-free-filter-regexes ----------- diff --git a/config/filter.d/postfix.conf b/config/filter.d/postfix.conf index fd8519c9..7330f10c 100644 --- a/config/filter.d/postfix.conf +++ b/config/filter.d/postfix.conf @@ -15,6 +15,7 @@ _daemon = postfix/smtpd failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 554 5\.7\.1 .*$ ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$ ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[\]: 550 5\.1\.1 .*$ + ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[\]:?$ ignoreregex = diff --git a/testcases/files/logs/postfix b/testcases/files/logs/postfix index 122ad8e5..ccf2f8bc 100644 --- a/testcases/files/logs/postfix +++ b/testcases/files/logs/postfix @@ -10,3 +10,13 @@ Jul 18 23:12:56 xxx postfix/smtpd[8738]: NOQUEUE: reject: RCPT from foo[192.51.1 Jul 18 23:12:56 xxx postfix/smtpd[8738]: NOQUEUE: reject: RCPT from foo[192.51.100.43]: 554 5.7.1 : Sender address rejected: match bad.domain; from= to= proto=SMTP helo=<192.51.100.43> # failJSON: { "time": "2005-08-10T10:55:38", "match": true , "host": "72.53.132.234" } Aug 10 10:55:38 f-vanier-bourgeois postfix/smtpd[2162]: NOQUEUE: reject: VRFY from 72-53-132-234.cpe.distributel.net[72.53.132.234]: 550 5.1.1 : Recipient address rejected: User unknown in local recipient tab + + +# failJSON: { "time": "2005-01-12T11:07:49", "match": true , "host": "181.21.131.88" } +Jan 12 11:07:49 emf1pt2-2-35-70 postfix/smtpd[13767]: improper command pipelining after DATA from unknown[181.21.131.88]: + +# failJSON: { "time": "2004-12-25T02:35:54", "match": true , "host": "173.10.140.217" } +Dec 25 02:35:54 platypus postfix/smtpd[9144]: improper command pipelining after RSET from 173-10-140-217-BusName-washingtonDC.hfc.comcastbusiness.net[173.10.140.217] + +# failJSON: { "time": "2004-12-18T02:05:46", "match": true , "host": "216.245.198.245" } +Dec 18 02:05:46 platypus postfix/smtpd[16349]: improper command pipelining after NOOP from unknown[216.245.198.245] From 9f107403e807093687d65359646f4e6817f3446d Mon Sep 17 00:00:00 2001 From: Ivo Truxa Date: Mon, 13 Jan 2014 01:18:09 +0100 Subject: [PATCH 3/4] Update exim When using Dovecot authentication for Exim, which is relatively common, the current regex for catching authentication failures needs a small tweak. The current plain|login options are too limiting and will only work in the cases when only the Exim's rudimentary built-in authentication is used. There can be not only the dovecot_login shown in this log example, but also dovecot_plain, ntlm, cram, cyrus, md5, and plenty of others. In fact many admins may opt for their own authentication labels, when setting up Exim. For this reason the regex should catch any label. I suggest modifying the regex in the following way:
^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
--- testcases/files/logs/exim | 3 +++ 1 file changed, 3 insertions(+) diff --git a/testcases/files/logs/exim b/testcases/files/logs/exim index 89fa7f87..84aedcfa 100644 --- a/testcases/files/logs/exim +++ b/testcases/files/logs/exim @@ -37,3 +37,6 @@ # failJSON: { "time": "2013-09-02T09:19:07", "match": true , "host": "118.233.20.68" } 2013-09-02 09:19:07 login authenticator failed for (gkzwsoju) [118.233.20.68]: 535 Incorrect authentication data + +# failJSON: { "time": "2014-01-12T02:07:48", "match": true , "host": "85.214.85.40" } +2014-01-12 02:07:48 dovecot_login authenticator failed for h1832461.stratoserver.net (User) [85.214.85.40]: 535 Incorrect authentication data (set_id=scanner) From 2d8c0b26e443b5b91b16019b7a76dbeb09be3f0c Mon Sep 17 00:00:00 2001 From: Ivo Truxa Date: Mon, 13 Jan 2014 01:38:49 +0100 Subject: [PATCH 4/4] Matching any Exim authentication name As explained in https://github.com/grooverdan/fail2ban/pull/4, in Exim there can be used plenty of other standard authentication names, and in fact the names can be custom. The failregex in Exim filter should catch authentication errors regardless of the name of the authentication. Hence replacing the plain|login with the general \w+ --- config/filter.d/exim.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/exim.conf b/config/filter.d/exim.conf index 66743390..b5028f0e 100644 --- a/config/filter.d/exim.conf +++ b/config/filter.d/exim.conf @@ -14,7 +14,7 @@ before = exim-common.conf [Definition] failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$ - ^%(pid)s (plain|login) authenticator failed for (\S+ )?\(\S+\) \[\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$ + ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$ ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$ ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$ ^%(pid)s SMTP call from \S+ \[\](:\d+)? (I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$