Package: fail2ban
Version: 0.10.2-2.1
Severity: minor

Dear Maintainer,

The ejabberd-auth.conf needs a couple of tweaks to failregex in order to be compatible with the current version of ejabberd. Attached is ejabberd.log showing two failed login attempts. The existing regex is looking for "info" that should be "warning", and the Erlang <0.pid.thread> stuff (not really sure what it is) has to allow more than one digit after the last dot. Diff attached.

-- System Information:
Debian Release: 10.4
  APT prefers stable
  APT policy: (701, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-cloud-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fail2ban depends on:
ii  lsb-base  10.2019051400
ii  python3   3.7.3-1

Versions of packages fail2ban recommends:
ii  iptables           1.8.2-4
ii  nftables           0.9.0-2
ii  python             2.7.16-1
ii  python3-pyinotify  0.9.6-1
ii  python3-systemd    234-2+b1
ii  whois              5.4.3

Versions of packages fail2ban suggests:
ii  bsd-mailx [mailx]            8.1.2-0.20180807cvs-1
ii  mailutils [mailx]            1:3.5-3
ii  monit                        1:5.26.0-1~bpo10+1
ii  rsyslog [system-log-daemon]  8.1901.0-1
ii  sqlite3                      3.27.2-3

-- Configuration Files:
/etc/logrotate.d/fail2ban changed [not included]

-- no debconf information

--
Gerald Turner <gtur...@unzane.com>
Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D
2020-04-17 09:20:53.767 [warning] <0.27283.25>@ejabberd_c2s:handle_auth_failure:452 (tls|<0.27283.25>) Failed c2s PLAIN authentication for alexeylom960...@example.com from ::ffff:185.244.172.37: Invalid username or password
2020-04-17 10:11:15.556 [warning] <0.27727.25>@ejabberd_c2s:handle_auth_failure:452 (tls|<0.27727.25>) Failed c2s PLAIN authentication for aralda243...@example.com from ::ffff:185.244.172.37: Invalid username or password
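The two failed logins above, checked against the shipped [info] pattern and the pattern proposed in the report's diff, as an added example that is not part of the original report or of fail2ban. The <HOST> stand-in and the timestamp stripping are simplified assumptions about how a line is preprocessed, and the third log line is constructed.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption, not fail2ban's
# own expression): optional IPv4-mapped prefix, then a dotted quad.
HOST = r"(?:::f{4,6}:)?(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Second pattern of the shipped filter, and the pattern proposed in the diff.
OLD = (r"^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:\w+:\d+ \([^\)]+\) "
       r"Failed (?:c2s \w+ )?authentication for \S+ from "
       r"(?:IP )?(?:::FFFF:)?<HOST>(?:: |$)")
NEW = (r"^(?:\.\d+)? \[(info|warning)\] <0\.\d+\.\d+>@ejabberd_c2s:\w+:\d+ "
       r"\([^\)]+\) Failed (?:c2s \w+ )?authentication for \S+ from "
       r"(?:IP )?(?:::FFFF:)?<HOST>(?:: |$)")

# Assumption: the leading timestamp is consumed before the failregex is
# applied, so the pattern sees ".767 [warning] ...".
DATE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

SAMPLE_LOG = [
    # The two lines from the report, addresses elided as on the page.
    "2020-04-17 09:20:53.767 [warning] <0.27283.25>@ejabberd_c2s:"
    "handle_auth_failure:452 (tls|<0.27283.25>) Failed c2s PLAIN "
    "authentication for alexeylom960...@example.com from "
    "::ffff:185.244.172.37: Invalid username or password",
    "2020-04-17 10:11:15.556 [warning] <0.27727.25>@ejabberd_c2s:"
    "handle_auth_failure:452 (tls|<0.27727.25>) Failed c2s PLAIN "
    "authentication for aralda243...@example.com from "
    "::ffff:185.244.172.37: Invalid username or password",
    # Constructed line in the older [info] form with a one-digit last field.
    "2020-04-17 11:00:00.001 [info] <0.1234.0>@ejabberd_c2s:"
    "wait_for_feature_request:842 (tls|<0.1234.0>) Failed "
    "authentication for user@example.com from IP 192.0.2.10",
]

def banned_host(pattern, line):
    """Return the host the pattern would report for this line, or None."""
    regex = re.compile(pattern.replace("<HOST>", HOST))
    match = regex.search(DATE.sub("", line, count=1))
    return match.group("host") if match else None

def compare(lines):
    """Return (old_hit, new_hit) per line for the two patterns."""
    return [(banned_host(OLD, l), banned_host(NEW, l)) for l in lines]

if __name__ == "__main__":
    for line, (old, new) in zip(SAMPLE_LOG, compare(SAMPLE_LOG)):
        print(f"old={old!s:<15} new={new!s:<15} {line[24:60]}")
```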
--- ejabberd-auth.conf 2020-05-29 16:38:39.881910606 -0700 +++ ejabberd-auth.local 2020-05-29 16:39:15.097336217 -0700 @@ -16,8 +16,7 @@ # searched for other failures. This tag can be used multiple times. # Values: TEXT # -failregex = ^=INFO REPORT==== ===\nI\(<0\.\d+\.0>:ejabberd_c2s:\d+\) : \([^)]+\) Failed authentication for \S+ from (?:IP )?<HOST>(?: \({{(?:\d+,){3}\d+},\d+}\))?$ - ^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:\w+:\d+ \([^\)]+\) Failed (?:c2s \w+ )?authentication for \S+ from (?:IP )?(?:::FFFF:)?<HOST>(?:: |$) +failregex = ^(?:\.\d+)? \[(info|warning)\] <0\.\d+\.\d+>@ejabberd_c2s:\w+:\d+ \([^\)]+\) Failed (?:c2s \w+ )?authentication for \S+ from (?:IP )?(?:::FFFF:)?<HOST>(?:: |$) # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored.
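Review bot: The first removed failregex line (the `=INFO REPORT====` pattern) is dropped although the report only asks for `warning` and a multi-digit last pid field; keep that line unless support for the older log format is meant to end, and state it in the changelog if so. In the added line, `(info|warning)` introduces a capturing group where the rest of the pattern uses `(?:...)`, so `(?:info|warning)` would be consistent. The attached log shows lowercase `::ffff:` while the pattern keeps `(?:::FFFF:)?`, so adding the two attached log lines as filter test cases would confirm the prefix is still handled.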