From: Mark C. <ch...@sw...> - 2014-05-04 21:00:20

Steven, thank you very much for your helpful and thoughtful reply. I've now read up on (?P<name>...) and see how that, combined with <SKIPLINES>, will handily solve the problem. I'm stuck at the moment because FreeBSD doesn't have 0.9 yet, and in this case I need to use what's available from the package manager. So I can't do it yet, but I know what to do when 0.9 is available.

Oh, and the sendmail-reject.conf you linked to looks like it is already good, so I likely won't have any real work to do.

Thanks!

Mark

On Sat, May 03, 2014 at 09:11:07PM +0100, Steven Hiscocks wrote:
> On 03/05/14 19:33, Mark Costlow wrote:
> > Hello. I have a couple of questions about the regexes in the
> > sendmail filter shown here: http://www.fail2ban.org/wiki/index.php/Sendmail
> I'm not familiar with sendmail, but I believe some of these regexes may
> be susceptible to denial of service, e.g. email address `"[192.168.1.1]
> to MTA"@example.com` is a valid email address which will match!
> >
> > I'm specifically concerned with the User unknown portion:
> >
> > (User unknown)\n* \[<HOST>\]
> >
> > 1. How does the newline work in this context? Does fail2ban
> > separately parse the next line and eat the timestamp, so that
> > " \[<HOST>\]" becomes like another failregex to match against the
> > next line? i.e. is " \[<HOST>\]" anchored to the beginning of that
> > next line, or can it be anywhere? If the latter, why does it not
> > need a ".*" to eat the intervening text?
> I think you're right that this does indeed need a .* to properly capture
> the line. However, I'm unfamiliar with sendmail so I may be wrong. As
> with single-line regexes, all timestamps are stripped out for multi-line.
> Also, the correct way to handle regexes over multiple lines (where you do
> not know if they are indeed one after another) is to use the `<SKIPLINES>`
> option. This will allow non-matched lines between matching lines to be
> kept and not lost. See the jail.conf(5) man page.
> >
> > 2. On a busy mail server, the "related" line which would have the
> > IP address on it might not immediately follow the "User unknown"
> > line. You can tie them together by QID, but they're not adjacent.
> > Does the above regex work in that environment?
> You should be able to tie them together with a common element to the
> line. This generally can be done with (?P<name>...) and (?P=name)
> regexes. See: https://docs.python.org/2/library/re.html
> Also see the example for the sshd filter, which uses the fact that the line
> prefix is the same (as the line prefix contains the PID, which should be
> different for each connection for sshd).
> >
> > It occurred to me fail2ban might be doing some magic to concatenate
> > log lines with the same QID but I couldn't find any evidence of that.
> I wish there was some magic in Fail2Ban ;-)
> >
> > Thanks in advance,
> >
> > Mark
>
> Also note that the latest filter has a multiline regex for invalid user,
> but it does seem different to the one on the wiki. Might be worth
> checking out as it may already have a regex for you:
> https://github.com/fail2ban/fail2ban/blob/50d938e0bf12ef981ceb7860c99f5c30ba304d4d/config/filter.d/sendmail-reject.conf
>
> If you do find a new filter for sendmail, please share it here or on
> github, and we can add it to upstream so everyone can benefit. If you're
> not sure about building the regex, any example log lines you have not
> already in the Fail2Ban tests would also be great. See:
> https://github.com/fail2ban/fail2ban/tree/master/fail2ban/tests/files/logs
>
> Thanks
> --
> Steven Hiscocks

--
Mark Costlow | Southwest Cyberport | Fax: +1-505-232-7975
ch...@sw... | Web: www.swcp.com | Voice: +1-505-232-7992
Mail Minder - Intelligent Push Notifications for Email on the iPhone
http://mailminderapp.com/download or in the App Store
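The three points raised in the thread (the missing `.*`, tying the "User unknown" line to its "from=" line by QID with (?P<name>...)/(?P=name) and <SKIPLINES>, and an address like `"[192.168.1.1] to MTA"@example.com` being picked up as the host) can be tried out with plain Python `re`. This is an added, stand-alone illustration, not fail2ban code and not the filter from the thread; the <HOST> and <SKIPLINES> expansions, the prefix stripping and the log lines are all assumptions constructed here in the general shape of sendmail's logging.

```python
import re
from typing import List

# Stand-ins for fail2ban's <HOST> and <SKIPLINES> substitutions (assumption: close
# to, but not copied from, fail2ban's own; this file is an illustration, not fail2ban).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
SKIPLINES = r"(?:.*\n)*?"   # any number of whole lines, as few as possible

# Simplification: fail2ban strips only the timestamp; this also drops the hostname.
PREFIX = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ ")

# Constructed lines in the general shape of sendmail's "User unknown" rejection:
# the rejection (QID ...ab021001) and its "from=" line are split by another session.
LOG = "\n".join([
    "May  3 19:33:01 mx sm-mta[21001]: s43JX1ab021001: <nobody@example.com>... User unknown",
    "May  3 19:33:01 mx sm-mta[21002]: s43JX1ac021002: from=<bob@example.net>, size=123, "
    "class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.net [198.51.100.7]",
    'May  3 19:33:02 mx sm-mta[21001]: s43JX1ab021001: from=<"[203.0.113.9] to MTA"@example.org>, '
    "size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]",
]) + "\n"

WIKI = r"(User unknown)\n* \[<HOST>\]"      # as quoted in the thread: no ".*", matches nothing here
LOOSE = r"User unknown\n.*\[<HOST>\]"       # ".*" added, but nothing ties the two lines together
# Tied by queue ID: (?P<qid>...) on the first line, (?P=qid) on the second, <SKIPLINES>
# between them, and <HOST> anchored to "relay=" at end of line so an address such as
# "[203.0.113.9] to MTA"@example.org cannot be mistaken for the client address.
TIED = (r"^sm-mta\[\d+\]: (?P<qid>\w+): <[^>]+>\.\.\. User unknown\n<SKIPLINES>"
        r"^sm-mta\[\d+\]: (?P=qid): from=<.*>, .*relay=(?:\S+ )?\[<HOST>\]$")

def strip_prefix(log: str) -> str:
    """Remove the syslog prefix from every line, keeping one line per record."""
    return "".join(PREFIX.sub("", line) + "\n" for line in log.splitlines())

def compile_failregex(failregex: str):
    """Expand the placeholders and compile so ^ and $ match at every line boundary."""
    expanded = failregex.replace("<HOST>", HOST).replace("<SKIPLINES>", SKIPLINES)
    return re.compile(expanded, re.MULTILINE)

def find_hosts(failregex: str, log: str) -> List[str]:
    """Return every <HOST> the failregex extracts from the log, in order."""
    pat = compile_failregex(failregex)
    return [m.group("host") for m in pat.finditer(strip_prefix(log))]

if __name__ == "__main__":
    print("wiki: ", find_hosts(WIKI, LOG))    # []
    print("loose:", find_hosts(LOOSE, LOG))   # ['198.51.100.7'] -- bob's innocent relay
    print("tied: ", find_hosts(TIED, LOG))    # ['192.0.2.10'] -- the rejected client
```

The loose pattern would ban the relay of the unrelated session that happened to log next, which is the false-positive risk the QID tie removes.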