Re: [Fail2ban-users] Question about sendmail user-unknown blocking

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Steven, thank you very much for your helpful and thoughtful reply.

I've now read up on (?P<name>...) and see how that combined
with <SKIPLINES> will handily solve the problem.  I'm stuck
at the moment because FreeBSD doesn't have 0.9 yet and in
this case I need to use what's available from the package
manager.  So I can't do it yet, but I know what to do when
0.9 is available.

Oh, and the sendmail-reject.conf you linked to looks like
it is already good, so I likely won't have any real work
to do.

Thanks!

Mark

On Sat, May 03, 2014 at 09:11:07PM +0100, Steven Hiscocks wrote:
> On 03/05/14 19:33, Mark Costlow wrote:
> > Hello.  I have a couple of questions about the regexes in the
> > sendmail filter shown here: http://www.fail2ban.org/wiki/index.php/Sendmail
> I'm not familiar with sendmail, but I believe some of these regexs may 
> be susceptible to denial of service e.g. email address `"[192.168.1.1] 
> to MTA"@example.com` is a valid email address which will match!
> >
> > I'm specifically concerned with the User unknown portion:
> >
> >              (User unknown)\n* \[<HOST>\]
> >
> > 1. How does the newline work in this context?  Does fail2ban
> > separately parse the next line and eat the timestamp, so that
> > " \[<HOST>\]" becomes like another failregex to match against the
> > next line?  i.e. is " \[<HOST>\]" anchored to the beginning of that
> > next line, or can it be anywhere?  If the latter, why does it not
> > need a ".*" to eat the intervening text?
> I think your right that this does indeed need a .* to properly capture 
> the line. However I'm unfamiliar with sendmail so I may be wrong. As 
> with single line regexs, all timestamps are stripped out for multi line. 
> Also, the correct way to handle regexs over multiple lines (where you do 
> not know if they are indeed one after another) is to use `<SKIPLINES>` 
> option. This will allow non matched lines between matching lines to be 
> kept and not lost. See jail.conf(5) man page
> >
> > 2. On a busy mail server, the "related" line which would have the
> > IP address on it might not immediately follow the "User unknown"
> > line.  You can tie them together by QID, but they're not adjacent.
> > Does the above regex work in that environment?
> You should be able to tie them together with a common element to the 
> line. This generally can be done with (?P<name>...) and (?P=name) 
> regexs. See: https://docs.python.org/2/library/re.html
> Also see example for sshd filter, which uses the fact that the line 
> prefix is the same (as the line prefix contains the PID, which should be 
> different for each connection for sshd).
> >
> > It occurred to me fail2ban might be doing some magic to concatenate
> > log lines with the same QID but I couldn't find any evidence of that.
> I wish there was some magic in Fail2Ban ;-)
> >
> > Thanks in advance,
> >
> > Mark
> >
> Also note that the latest filter has a multiline regex for invalid user, 
> but it does seem different to the one on the wiki. Might be worth 
> checking out as it may already have a regex for you: 
> https://github.com/fail2ban/fail2ban/blob/50d938e0bf12ef981ceb7860c99f5c30ba304d4d/config/filter.d/sendmail-reject.conf
> 
> If you do find a new filter for sendmail, please share it here or on 
> github, and we can add it to upstream so everyone can benefit. If your 
> not sure about building the regex, any example log lines you have not 
> already in the Fail2Ban tests would also be great. see: 
> https://github.com/fail2ban/fail2ban/tree/master/fail2ban/tests/files/logs
> 
> Thanks ???
> -- 
> Steven Hiscocks
> 
> ------------------------------------------------------------------------------
> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> Instantly run your Selenium tests across 300+ browser/OS combos.  Get 
> unparalleled scalability from the best Selenium testing platform available.
> Simple to use. Nothing to install. Get started now for free."
> http://p.sf.net/sfu/SauceLabs
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users

-- 
Mark Costlow    | Southwest Cyberport | Fax:   +1-505-232-7975
ch...@sw... | Web:   www.swcp.com | Voice: +1-505-232-7992

Mail Minder - Intelligent Push Notifications for Email on the iPhone
http://mailminderapp.com/download  or in the App Store