Fixes #12289.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- lfs/guardian | 5 ++- src/patches/guardian-2.0.2-http-parser.patch | 45 ++++++++++++++++++++ 2 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 src/patches/guardian-2.0.2-http-parser.patch
diff --git a/lfs/guardian b/lfs/guardian index a40480c0c..3e2c3347f 100644 --- a/lfs/guardian +++ b/lfs/guardian @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP)
PROG = guardian -PAK_VER = 18 +PAK_VER = 19
DEPS = "perl-inotify2 perl-Net-IP"
@@ -79,6 +79,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axvf $(DIR_DL)/$(DL_FILE)
+ # Add upstream patches. + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/guardian-2.0.2-http-parser.patch + # Adjust path for firewall binaries. cd $(DIR_APP) && sed -i "s|/usr/sbin/|/sbin/|g" modules/IPtables.pm
diff --git a/src/patches/guardian-2.0.2-http-parser.patch b/src/patches/guardian-2.0.2-http-parser.patch new file mode 100644 index 000000000..1ecae658c --- /dev/null +++ b/src/patches/guardian-2.0.2-http-parser.patch @@ -0,0 +1,45 @@ +commit 5028c7fde1fa15e4960f2fec3c025d0338382895 +Author: Stefan Schantl stefan.schantl@ipfire.org +Date: Tue Feb 4 07:55:48 2020 +0100 + + Parser: Adjust HTTP parser to be compatible with newer log format. + + Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org + +diff --git a/modules/Parser.pm b/modules/Parser.pm +index 3880228..bcca88f 100644 +--- a/modules/Parser.pm ++++ b/modules/Parser.pm +@@ -302,7 +302,7 @@ sub message_parser_httpd (@) { + # been passed. + foreach my $line (@message) { + # This will catch brute-force attacks against htaccess logins (username). +- if ($line =~ /.*[error] [client (.*)] user(.*) not found:.*/) { ++ if ($line =~ /.*[client (.*)] .* user(.*) not found:.*/) { + # Store the grabbed IP-address. + $address = $1; + +@@ -311,7 +311,7 @@ sub message_parser_httpd (@) { + } + + # Detect htaccess password brute-forcing against a username. +- elsif ($line =~ /.*[error] [client (.*)] user(.*): authentication failure for.*/) { ++ elsif ($line =~ /.*[client (.*)] .* user(.*): authentication failure for.*/) { + # Store the extracted IP-address. + $address = $1; + +@@ -321,6 +321,14 @@ sub message_parser_httpd (@) { + + # Check if at least the IP-address information has been extracted. + if (defined ($address)) { ++ # Check if the address also contains a port value. ++ if ($address =~ m/:/) { ++ my ($add_address, $port) = split(/:/, $address); ++ ++ # Only process the address. ++ $address = $add_address; ++ } ++ + # Add the extracted values and event message to the actions array. + push(@actions, "count $address $name $message"); + }
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
On 4 Feb 2020, at 07:59, Stefan Schantl stefan.schantl@ipfire.org wrote:
Fixes #12289.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
lfs/guardian | 5 ++- src/patches/guardian-2.0.2-http-parser.patch | 45 ++++++++++++++++++++ 2 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 src/patches/guardian-2.0.2-http-parser.patch
diff --git a/lfs/guardian b/lfs/guardian index a40480c0c..3e2c3347f 100644 --- a/lfs/guardian +++ b/lfs/guardian @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP)
PROG = guardian -PAK_VER = 18 +PAK_VER = 19
DEPS = "perl-inotify2 perl-Net-IP"
@@ -79,6 +79,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axvf $(DIR_DL)/$(DL_FILE)
- # Add upstream patches.
- cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/guardian-2.0.2-http-parser.patch
- # Adjust path for firewall binaries. cd $(DIR_APP) && sed -i "s|/usr/sbin/|/sbin/|g" modules/IPtables.pm
diff --git a/src/patches/guardian-2.0.2-http-parser.patch b/src/patches/guardian-2.0.2-http-parser.patch new file mode 100644 index 000000000..1ecae658c --- /dev/null +++ b/src/patches/guardian-2.0.2-http-parser.patch @@ -0,0 +1,45 @@ +commit 5028c7fde1fa15e4960f2fec3c025d0338382895 +Author: Stefan Schantl stefan.schantl@ipfire.org +Date: Tue Feb 4 07:55:48 2020 +0100
- Parser: Adjust HTTP parser to be compatible with newer log format.
- Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
+diff --git a/modules/Parser.pm b/modules/Parser.pm +index 3880228..bcca88f 100644 +--- a/modules/Parser.pm ++++ b/modules/Parser.pm +@@ -302,7 +302,7 @@ sub message_parser_httpd (@) {
- # been passed.
- foreach my $line (@message) {
# This will catch brute-force attacks against htaccess logins (username).+- if ($line =~ /.*[error] [client (.*)] user(.*) not found:.*/) { ++ if ($line =~ /.*[client (.*)] .* user(.*) not found:.*/) {
# Store the grabbed IP-address.$address = $1;+@@ -311,7 +311,7 @@ sub message_parser_httpd (@) {
}# Detect htaccess password brute-forcing against a username.+- elsif ($line =~ /.*[error] [client (.*)] user(.*): authentication failure for.*/) { ++ elsif ($line =~ /.*[client (.*)] .* user(.*): authentication failure for.*/) {
# Store the extracted IP-address.$address = $1;+@@ -321,6 +321,14 @@ sub message_parser_httpd (@) {
# Check if at least the IP-address information has been extracted.if (defined ($address)) {++ # Check if the address also contains a port value. ++ if ($address =~ m/:/) { ++ my ($add_address, $port) = split(/:/, $address); ++ ++ # Only process the address. ++ $address = $add_address; ++ } ++
# Add the extracted values and event message to the actions array.push(@actions, "count $address $name $message");}-- 2.25.0
-
Michael Tremer -
Stefan Schantl