From patchwork Tue Feb 4 07:59:33 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Schantl X-Patchwork-Id: 2750 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 48BcYL1wDxz3xYC for ; Tue, 4 Feb 2020 07:59:50 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 48BcYH6MXzz6PY; Tue, 4 Feb 2020 07:59:47 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 48BcYG0yL5z2yXw; Tue, 4 Feb 2020 07:59:46 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 48BcY94NVlz2xbB for ; Tue, 4 Feb 2020 07:59:41 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 48BcY827ZBz2Hw; Tue, 4 Feb 2020 07:59:40 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909ed25519; t=1580803180; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=2+LvniTNkn2ho/KJD9dt7h8NCg+O2yzjlhuO6DbMNZA=; b=MXRZ9q4GfHLckYtANqEhvPXfr6t3O1epKNOUtEtC9sYyP8Lv5S1Jx27aui/E0kt9+OHuHO 54wWqzpy6N6V5eAg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201909rsa; t=1580803180; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=2+LvniTNkn2ho/KJD9dt7h8NCg+O2yzjlhuO6DbMNZA=; b=TMKrP4Taeq9VeVcDlcyIOpt4T8p5eqo1WSPBW46S6Cw7sYGmtqZsrvEme0ulQbZjhd8AOK KNdnjOHwQdyasxoYcBBvaAo35nqWW4pANGRy1ySrdzPyKR6Guh12If5Oj+pPmPPiRV2PTu HVckULGwJXOQ728D8V1Ei3OHacwZGbOrr0wdnsnZJZy/HsaihvYbecrK79SkPTMFjKq7Q4 deXhr4kA9qcfsqCWhXS0s8W6kg1B+zQ1noamaSdg6rWbUo78Ac8vkLKCysh0h53uM3xxX5 xBvKW/VlQ4mL9/5/wPivtjSS//ojnjlYx78P3xCeJl+xcx6P6T6ACykxDu6ulQ== From: Stefan Schantl To: development@lists.ipfire.org Subject: [PATCH] guardian: Add upstream patch for HTTP parser. Date: Tue, 4 Feb 2020 08:59:33 +0100 Message-Id: <20200204075933.21338-1-stefan.schantl@ipfire.org> MIME-Version: 1.0 Authentication-Results: mail01.ipfire.org; auth=pass smtp.mailfrom=stefan.schantl@ipfire.org X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Fixes #12289. Signed-off-by: Stefan Schantl Reviewed-by: Michael Tremer --- lfs/guardian | 5 ++- src/patches/guardian-2.0.2-http-parser.patch | 45 ++++++++++++++++++++ 2 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 src/patches/guardian-2.0.2-http-parser.patch diff --git a/lfs/guardian b/lfs/guardian index a40480c0c..3e2c3347f 100644 --- a/lfs/guardian +++ b/lfs/guardian @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = guardian -PAK_VER = 18 +PAK_VER = 19 DEPS = "perl-inotify2 perl-Net-IP" @@ -79,6 +79,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axvf $(DIR_DL)/$(DL_FILE) + # Add upstream patches. + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/guardian-2.0.2-http-parser.patch + # Adjust path for firewall binaries. cd $(DIR_APP) && sed -i "s|/usr/sbin/|/sbin/|g" modules/IPtables.pm diff --git a/src/patches/guardian-2.0.2-http-parser.patch b/src/patches/guardian-2.0.2-http-parser.patch new file mode 100644 index 000000000..1ecae658c --- /dev/null +++ b/src/patches/guardian-2.0.2-http-parser.patch @@ -0,0 +1,45 @@ +commit 5028c7fde1fa15e4960f2fec3c025d0338382895 +Author: Stefan Schantl +Date: Tue Feb 4 07:55:48 2020 +0100 + + Parser: Adjust HTTP parser to be compatible with newer log format. + + Signed-off-by: Stefan Schantl + +diff --git a/modules/Parser.pm b/modules/Parser.pm +index 3880228..bcca88f 100644 +--- a/modules/Parser.pm ++++ b/modules/Parser.pm +@@ -302,7 +302,7 @@ sub message_parser_httpd (@) { + # been passed. + foreach my $line (@message) { + # This will catch brute-force attacks against htaccess logins (username). +- if ($line =~ /.*\[error\] \[client (.*)\] user(.*) not found:.*/) { ++ if ($line =~ /.*\[client (.*)\] .* user(.*) not found:.*/) { + # Store the grabbed IP-address. + $address = $1; + +@@ -311,7 +311,7 @@ sub message_parser_httpd (@) { + } + + # Detect htaccess password brute-forcing against a username. +- elsif ($line =~ /.*\[error\] \[client (.*)\] user(.*): authentication failure for.*/) { ++ elsif ($line =~ /.*\[client (.*)\] .* user(.*): authentication failure for.*/) { + # Store the extracted IP-address. + $address = $1; + +@@ -321,6 +321,14 @@ sub message_parser_httpd (@) { + + # Check if at least the IP-address information has been extracted. + if (defined ($address)) { ++ # Check if the address also contains a port value. ++ if ($address =~ m/:/) { ++ my ($add_address, $port) = split(/:/, $address); ++ ++ # Only process the address. ++ $address = $add_address; ++ } ++ + # Add the extracted values and event message to the actions array. + push(@actions, "count $address $name $message"); + }