From 8768776d68d4271bb166af36870d12eab2bbca9c Mon Sep 17 00:00:00 2001 From: sebres Date: Thu, 9 Mar 2017 16:13:45 +0100 Subject: [PATCH 01/25] filter.d/cyrus-imap.conf: fixed `failregex` - accept entries without login-info resp. hostname before IP address --- config/filter.d/cyrus-imap.conf | 2 +- fail2ban/tests/files/logs/cyrus-imap | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/config/filter.d/cyrus-imap.conf b/config/filter.d/cyrus-imap.conf index 73764d9d..31dfda60 100644 --- a/config/filter.d/cyrus-imap.conf +++ b/config/filter.d/cyrus-imap.conf @@ -13,7 +13,7 @@ before = common.conf _daemon = (?:cyrus/)?(?:imap(d|s)?|pop3(d|s)?) -failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[\] \S+ .*?\[?SASL\(-13\): (authentication failure|user not found): .*\]?$ +failregex = ^%(__prefix_line)sbadlogin: [^\[]*\[\] \S+ .*?\[?SASL\(-13\): (authentication failure|user not found): .*\]?$ ignoreregex = diff --git a/fail2ban/tests/files/logs/cyrus-imap b/fail2ban/tests/files/logs/cyrus-imap index f1edff06..c0ec54cb 100644 --- a/fail2ban/tests/files/logs/cyrus-imap +++ b/fail2ban/tests/files/logs/cyrus-imap @@ -16,3 +16,6 @@ Dec 30 16:03:27 somehost imapd[2517]: badlogin: local-somehost[1.2.3.4] OTP [SAS Jul 17 22:55:56 derry cyrus/imaps[7568]: badlogin: serafinat.xxxxxx [1.2.3.4] plain [SASL(-13): user not found: user: pressy@derry property: cmusaslsecretPLAIN not found in sasldb] # failJSON: { "time": "2005-07-18T16:46:42", "match": true , "host": "1.2.3.4" } Jul 18 16:46:42 derry cyrus/imaps[27449]: badlogin: serafinat.xxxxxx [1.2.3.4] PLAIN [SASL(-13): user not found: Password verification failed] + +# failJSON: { "time": "2005-03-08T05:25:21", "match": true , "host": "192.0.2.4", "desc": "entry without loginname/hostname before IP" } +Mar 8 05:25:21 host imap[22130]: badlogin: [192.0.2.4] plain [SASL(-13): authentication failure: Password verification failed] \ No newline at end of file 
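Review bot: The new `[^\[]*` prefix in `failregex` makes the first `[` after `badlogin: ` the start of the address, so the filter now relies on the client name cyrus logs before `[<HOST>]` (the reverse-DNS name in the `serafinat.xxxxxx` samples) never containing a `[`; the old `\S+ ?` did not carry that assumption because it ran greedily up to the bracket. Nothing in the hunk records this, and the placeholder itself appears stripped in this rendering (`\[\]`), so the actual file should be checked. A line in the filter's DEV notes would pin it, e.g. `# [^\[]* before [<HOST>]: the first '[' on the line is taken as the address bracket`.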
From 0f8cb1749fdfe4e6a81e07a9cead1beefcd0de5b Mon Sep 17 00:00:00 2001 From: sebres Date: Thu, 9 Mar 2017 16:15:45 +0100 Subject: [PATCH 02/25] Update ChangeLog --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index 2a7e6638..e6114caa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -33,6 +33,8 @@ releases. and suffix (logged from several ssh versions), according to gh-1206; * filter.d/suhosin.conf - greedy catch-all before `` fixed (potential vulnerability) +* filter.d/cyrus-imap.conf + - accept entries without login-info resp. hostname before IP address (gh-1707) * Filter tests extended with check of all config-regexp, that contains greedy catch-all before ``, that is hard-anchored at end or precise sub expression after `` From 52c19503715ac5e21aa98e5cc6bfcfd36c9acda3 Mon Sep 17 00:00:00 2001 From: "Serg G. Brester" Date: Fri, 24 Mar 2017 19:03:17 +0100 Subject: [PATCH 03/25] Update mysqld-auth.conf small typo, closes gh-1725 (Thx @seth-reeser) --- config/filter.d/mysqld-auth.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/mysqld-auth.conf b/config/filter.d/mysqld-auth.conf index 3ad70cb7..31bd2056 100644 --- a/config/filter.d/mysqld-auth.conf +++ b/config/filter.d/mysqld-auth.conf @@ -1,4 +1,4 @@ -# Fail2Ban filter for unsuccesfull MySQL authentication attempts +# Fail2Ban filter for unsuccesful MySQL authentication attempts # # # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld]: From e8596cfce755080baee24ceda500b7deb81cb11a Mon Sep 17 00:00:00 2001 From: sebres Date: Mon, 27 Mar 2017 11:27:41 +0200 Subject: [PATCH 04/25] amend resp. restore of change from 59c35bc44a175a672e084bc30511dfa3436ff052 (gh-129): - logging of "Log rotation detected" with new MSG level - introduces new log-level MSG (as INFO-2, 18) --- fail2ban/__init__.py | 2 ++ fail2ban/server/filter.py | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) 
diff --git a/fail2ban/__init__.py b/fail2ban/__init__.py index cd92dbab..7c752e24 100644 --- a/fail2ban/__init__.py +++ b/fail2ban/__init__.py @@ -34,7 +34,9 @@ Below derived from: https://mail.python.org/pipermail/tutor/2007-August/056243.html """ +logging.MSG = logging.INFO - 2 logging.NOTICE = logging.INFO + 5 +logging.addLevelName(logging.MSG, 'MSG') logging.addLevelName(logging.NOTICE, 'NOTICE') diff --git a/fail2ban/server/filter.py b/fail2ban/server/filter.py index 459a47d0..066ee68f 100644 --- a/fail2ban/server/filter.py +++ b/fail2ban/server/filter.py @@ -820,7 +820,7 @@ class FileContainer: ## sys.stdout.flush() # Compare hash and inode if self.__hash != myHash or self.__ino != stats.st_ino: - logSys.info("Log rotation detected for %s" % self.__filename) + logSys.log(logging.MSG, "Log rotation detected for %s" % self.__filename) self.__hash = myHash self.__ino = stats.st_ino self.__pos = 0 From 7982d1e627913a8cde7bf840bbf3fcb8cb25deda Mon Sep 17 00:00:00 2001 From: sebres Date: Mon, 27 Mar 2017 11:31:41 +0200 Subject: [PATCH 05/25] Update ChangeLog --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index e6114caa..213e2c0e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -46,6 +46,7 @@ releases. - filter.d/domino-smtp: IBM Domino SMTP task (gh-1603) ### Enhancements +* Introduced new log-level `MSG` (as INFO-2, equivalent to 18) ver. 0.9.6 (2016/12/10) - stretch-is-coming From a639f0b083c213bde4ff3dcfbbb9fbcab0dd55f8 Mon Sep 17 00:00:00 2001 From: Paul Brook Date: Sun, 16 Apr 2017 12:11:05 -0400 Subject: [PATCH 06/25] BF: specify explicit time offset not a time zone name to avoid needing tzdata during testing --- fail2ban/tests/utils.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fail2ban/tests/utils.py b/fail2ban/tests/utils.py index 9155dc37..54861050 100644 --- a/fail2ban/tests/utils.py +++ b/fail2ban/tests/utils.py 
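Review bot: `logging.MSG = logging.INFO - 2` attaches a new level to the stdlib `logging` module without saying why it sits below INFO, so a reader of `__init__.py` cannot tell that records at this level are dropped under the usual INFO threshold while the neighbouring NOTICE (INFO + 5) is shown. A comment on the added line, e.g. `# MSG (18): one step below INFO, so it is not emitted at the default INFO threshold`, would record what the commit message states.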
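Review bot: `logSys.log(logging.MSG, "Log rotation detected for %s" % self.__filename)` in `filter.py` formats the message eagerly, and since MSG (18) is below INFO the string is built exactly in the common case where the record is then discarded. Passing the argument lazily, `logSys.log(logging.MSG, "Log rotation detected for %s", self.__filename)`, follows the logging module's own convention and costs nothing when the level is off. The line also assumes `logging` is imported in `filter.py`, which the hunk does not show; the enclosing method starts and ends outside the hunk.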
@@ -95,7 +95,10 @@ def setUpMyTime(): # Set the time to a fixed, known value # Sun Aug 14 12:00:00 CEST 2005 # yoh: we need to adjust TZ to match the one used by Cyril so all the timestamps match - os.environ['TZ'] = 'Europe/Zurich' + # This offset corresponds to Europe/Zurich timezone. Specifying it + # explicitly allows to avoid requiring tzdata package to be installed during + # testing. See https://bugs.debian.org/855920 for more information + os.environ['TZ'] = 'CET-01CEST-02,M3.5.0,M10.5.0' time.tzset() MyTime.setTime(1124013600) From 3161bcf78b86ee5916d85c9551ba2efedede9d84 Mon Sep 17 00:00:00 2001 From: sebres Date: Mon, 24 Apr 2017 19:13:38 +0200 Subject: [PATCH 07/25] filter.d/exim.conf: optional part `(...)` after host-name before `[IP]`, normalized over whole config file. # Conflicts: # config/filter.d/exim.conf --- config/filter.d/exim.conf | 6 +++--- fail2ban/tests/files/logs/exim | 3 +++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/config/filter.d/exim.conf b/config/filter.d/exim.conf index a1d699c0..27d73426 100644 --- a/config/filter.d/exim.conf +++ b/config/filter.d/exim.conf 
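Review bot: The rule string `'CET-01CEST-02,M3.5.0,M10.5.0'` gives no transition times, so POSIX applies its default of 02:00 local to both switches; Europe/Zurich leaves DST at 03:00 CEST (01:00 UTC), so as far as I can tell the October rule is one hour early relative to the zone the comment says it reproduces. The fixed August test time is unaffected, but a timestamp in the last hour of CEST on the last Sunday of October would convert differently; `os.environ['TZ'] = 'CET-01CEST-02,M3.5.0,M10.5.0/3'` would match the zone exactly. `setUpMyTime` starts before the hunk.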
@@ -14,13 +14,13 @@ before = exim-common.conf [Definition] failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$ - ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$ + ^%(pid)s \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$ ^%(pid)s %(host_info)sF=(?:<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user)\s*$ ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$ ^%(pid)s SMTP call from \S+ %(host_info)sdropped: too many nonmail commands \(last was "\S+"\)\s*$ ^%(pid)s SMTP protocol error in "AUTH \S*(?: \S*)?" %(host_info)sAUTH command used when not advertised\s*$ - ^%(pid)s no MAIL in SMTP connection from (?:\S* )?(?:\(\S*\) )?%(host_info)sD=\d+s(?: C=\S*)?\s*$ - ^%(pid)s \S+ SMTP connection from (?:\S* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$ + ^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d+s(?: C=\S*)?\s*$ + ^%(pid)s ([\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$ ignoreregex = diff --git a/fail2ban/tests/files/logs/exim b/fail2ban/tests/files/logs/exim index 9053bf8d..44d9e34b 100644 --- a/fail2ban/tests/files/logs/exim +++ b/fail2ban/tests/files/logs/exim 
@@ -67,3 +67,6 @@ 2016-04-01 11:09:21 [18648] SMTP protocol error in "AUTH LOGIN" H=host.example.com (SERVER) [192.0.2.1]:4692 I=[172.89.0.6]:25 AUTH command used when not advertised # failJSON: { "time": "2016-03-27T16:48:48", "match": true , "host": "192.0.2.1" } 2016-03-27 16:48:48 [21478] 1akDqs-0005aQ-9b SMTP connection from host.example.com (SERVER) [192.0.2.1]:47714 I=[172.89.0.6]:25 closed by DROP in ACL + +# failJSON: { "time": "2017-04-23T22:45:59", "match": true , "host": "192.0.2.2", "desc": "optional part (...)" } +2017-04-23 22:45:59 fixed_login authenticator failed for bad.host.example.com [192.0.2.2]:54412 I=[172.89.0.6]:587: 535 Incorrect authentication data (set_id=user@example.com) From 462442a5174a7f260d4bc2029336548bf0f1e167 Mon Sep 17 00:00:00 2001 From: sebres Date: Tue, 25 Apr 2017 10:04:45 +0200 Subject: [PATCH 08/25] Update ChangeLog #1757 --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index 213e2c0e..7d5929d7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,6 +22,8 @@ releases. (0.10th resp. IPv6 relevant only, amend for gh-1479) * config/pathes-freebsd.conf - Fixed filenames for apache and nginx log files (gh-1667) +* filter.d/exim.conf + - optional part `(...)` after host-name before `[IP]` (gh-1751) * filter.d/sshd.conf - new aggressive rules (gh-864): - Connection reset by peer (multi-line rule during authorization process) From c546f852070377455985169d7efaadd65bb85e34 Mon Sep 17 00:00:00 2001 From: sebres Date: Sun, 7 May 2017 13:02:32 +0200 Subject: [PATCH 09/25] filter.d/exim.conf: cherry-picked from 0.10, match complex time like `D=2m42s` (closes gh-1766) --- config/filter.d/exim-common.conf | 4 +++- config/filter.d/exim.conf | 6 +++--- fail2ban/tests/files/logs/exim | 2 ++ 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/config/filter.d/exim-common.conf b/config/filter.d/exim-common.conf index 0e1b74fa..b3b25750 100644 --- a/config/filter.d/exim-common.conf 
+++ b/config/filter.d/exim-common.conf @@ -9,7 +9,9 @@ after = exim-common.local [Definition] -host_info = (?:H=([\w.-]+ )?(?:\(\S+\) )?)?\[\](?::\d+)? (?:I=\[\S+\](:\d+)? )?(?:U=\S+ )?(?:P=e?smtp )? +host_info_pre = (?:H=([\w.-]+ )?(?:\(\S+\) )?)? +host_info_suf = (?::\d+)?(?: I=\[\S+\](:\d+)?)?(?: U=\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\S+))?\s +host_info = %(host_info_pre)s\[\]%(host_info_suf)s pid = (?: \[\d+\])? # DEV Notes: diff --git a/config/filter.d/exim.conf b/config/filter.d/exim.conf index 27d73426..c5352008 100644 --- a/config/filter.d/exim.conf +++ b/config/filter.d/exim.conf @@ -15,12 +15,12 @@ before = exim-common.conf failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$ ^%(pid)s \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$ - ^%(pid)s %(host_info)sF=(?:<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user)\s*$ + ^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user)\s*$ ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$ ^%(pid)s SMTP call from \S+ %(host_info)sdropped: too many nonmail commands \(last was "\S+"\)\s*$ ^%(pid)s SMTP protocol error in "AUTH \S*(?: \S*)?" %(host_info)sAUTH command used when not advertised\s*$ - ^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d+s(?: C=\S*)?\s*$ - ^%(pid)s ([\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$ + ^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S+s(?: C=\S*)?\s*$ + ^%(pid)s (?:[\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$ ignoreregex = 
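Review bot: `D=\d\S+s` in the "no MAIL in SMTP connection" rule of `exim.conf` now requires at least one character between the first digit and the trailing `s`, so a single-digit duration such as `D=5s`, which the previous `D=\d+s` accepted, no longer matches, while `D=34s` and `D=2m42s` still do. `D=\d\S*s` keeps the new complex-time form without dropping the short one. The test log in this series only gains a `D=2m42s` sample; a line with a single-digit `D=` value would guard against the regression.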
diff --git a/fail2ban/tests/files/logs/exim b/fail2ban/tests/files/logs/exim index 44d9e34b..144335d7 100644 --- a/fail2ban/tests/files/logs/exim +++ b/fail2ban/tests/files/logs/exim @@ -63,6 +63,8 @@ # failJSON: { "time": "2016-04-01T11:08:39", "match": true , "host": "192.0.2.1" } 2016-04-01 11:08:39 [18643] no MAIL in SMTP connection from host.example.com (SERVER) [192.0.2.1]:1418 I=[172.89.0.6]:25 D=34s C=EHLO,AUTH +# failJSON: { "time": "2016-04-01T11:08:40", "match": true , "host": "192.0.2.2" } +2016-04-01 11:08:40 [18643] no MAIL in SMTP connection from host.example.com (SERVER) [192.0.2.2]:1418 I=[172.89.0.6]:25 D=2m42s C=QUIT # failJSON: { "time": "2016-04-01T11:09:21", "match": true , "host": "192.0.2.1" } 2016-04-01 11:09:21 [18648] SMTP protocol error in "AUTH LOGIN" H=host.example.com (SERVER) [192.0.2.1]:4692 I=[172.89.0.6]:25 AUTH command used when not advertised # failJSON: { "time": "2016-03-27T16:48:48", "match": true , "host": "192.0.2.1" } From 3d64d705f30c31bfb3a45468b5ee18e7c3dbc18f Mon Sep 17 00:00:00 2001 From: sebres Date: Sun, 7 May 2017 13:17:43 +0200 Subject: [PATCH 10/25] try to fix travis integration of pypy3: setuptools recently dropped support for Python 3.0 - 3.2, but old pypy3 based on Python 3.2.5 --- .travis.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 9ef607da..40376075 100644 --- a/.travis.yml +++ b/.travis.yml @@ -10,7 +10,9 @@ python: # - 3.2 - 3.3 - 3.4 - - pypy3 + # disabled since setuptools dropped support for Python 3.0 - 3.2 + # - pypy3 + - pypy3.3-5.2-alpha1 before_install: - if [[ $TRAVIS_PYTHON_VERSION == 2* || $TRAVIS_PYTHON_VERSION == 'pypy' ]]; then export F2B_PY_2=true && echo "Set F2B_PY_2"; fi - if [[ $TRAVIS_PYTHON_VERSION == 3* || $TRAVIS_PYTHON_VERSION == 'pypy3' ]]; then export F2B_PY_3=true && echo "Set F2B_PY_3"; fi From 0600d51511c348a0a3e2fc20fa823fbe235df6c9 Mon Sep 17 00:00:00 2001 
From: sebres Date: Sun, 7 May 2017 13:53:06 +0200 Subject: [PATCH 11/25] filter.d/exim.conf: added new reason for "rejected RCPT" regex: Unrouteable address --- config/filter.d/exim.conf | 2 +- fail2ban/tests/files/logs/exim | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/config/filter.d/exim.conf b/config/filter.d/exim.conf index c5352008..7848fe00 100644 --- a/config/filter.d/exim.conf +++ b/config/filter.d/exim.conf @@ -15,7 +15,7 @@ before = exim-common.conf failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$ ^%(pid)s \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$ - ^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user)\s*$ + ^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$ ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$ ^%(pid)s SMTP call from \S+ %(host_info)sdropped: too many nonmail commands \(last was "\S+"\)\s*$ ^%(pid)s SMTP protocol error in "AUTH \S*(?: \S*)?" %(host_info)sAUTH command used when not advertised\s*$ diff --git a/fail2ban/tests/files/logs/exim b/fail2ban/tests/files/logs/exim index 144335d7..326cdf28 100644 --- a/fail2ban/tests/files/logs/exim +++ b/fail2ban/tests/files/logs/exim 
@@ -72,3 +72,5 @@ # failJSON: { "time": "2017-04-23T22:45:59", "match": true , "host": "192.0.2.2", "desc": "optional part (...)" } 2017-04-23 22:45:59 fixed_login authenticator failed for bad.host.example.com [192.0.2.2]:54412 I=[172.89.0.6]:587: 535 Incorrect authentication data (set_id=user@example.com) +# failJSON: { "time": "2017-05-01T07:42:42", "match": true , "host": "192.0.2.3", "desc": "rejected RCPT - Unrouteable address" } +2017-05-01 07:42:42 H=some.rev.dns.if.found (the.connector.reports.this.name) [192.0.2.3] F= rejected RCPT : Unrouteable address From bea3a62a37a6bbfdf65057d6769147a2bfe7cd5f Mon Sep 17 00:00:00 2001 From: sebres Date: Sun, 7 May 2017 13:56:24 +0200 Subject: [PATCH 12/25] update ChangeLog --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index 7d5929d7..c60ff660 100644 --- a/ChangeLog +++ b/ChangeLog @@ -24,6 +24,8 @@ releases. - Fixed filenames for apache and nginx log files (gh-1667) * filter.d/exim.conf - optional part `(...)` after host-name before `[IP]` (gh-1751) + - new reason "Unrouteable address" for "rejected RCPT" regex (gh-1762) + - match of complex time like `D=2m42s` in regex "no MAIL in SMTP connection" (gh-1766) * filter.d/sshd.conf - new aggressive rules (gh-864): - Connection reset by peer (multi-line rule during authorization process) From 663d526d7481228a7da568e2baf8b08e2924a3e1 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Wed, 10 May 2017 21:31:09 -0400 Subject: [PATCH 13/25] Added newly added files to MANIFEST --- MANIFEST | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/MANIFEST b/MANIFEST index b12e3163..e91ccff0 100644 --- a/MANIFEST +++ b/MANIFEST @@ -37,6 +37,7 @@ config/action.d/mail-whois-common.conf config/action.d/mail-whois.conf config/action.d/mail-whois-lines.conf config/action.d/mynetwatchman.conf +config/action.d/netscaler.conf config/action.d/nftables-allports.conf config/action.d/nftables-common.conf config/action.d/nftables-multiport.conf 
@@ -83,6 +84,7 @@ config/filter.d/courier-auth.conf config/filter.d/courier-smtp.conf config/filter.d/cyrus-imap.conf config/filter.d/directadmin.conf +config/filter.d/domino-smtp.conf config/filter.d/dovecot.conf config/filter.d/dropbear.conf config/filter.d/drupal-auth.conf @@ -138,6 +140,7 @@ config/filter.d/sogo-auth.conf config/filter.d/solid-pop3d.conf config/filter.d/squid.conf config/filter.d/squirrelmail.conf +config/filter.d/sshd-aggressive.conf config/filter.d/sshd.conf config/filter.d/sshd-ddos.conf config/filter.d/stunnel.conf @@ -278,6 +281,7 @@ fail2ban/tests/files/logs/courier-auth fail2ban/tests/files/logs/courier-smtp fail2ban/tests/files/logs/cyrus-imap fail2ban/tests/files/logs/directadmin +fail2ban/tests/files/logs/domino-smtp fail2ban/tests/files/logs/dovecot fail2ban/tests/files/logs/dropbear fail2ban/tests/files/logs/drupal-auth @@ -330,6 +334,7 @@ fail2ban/tests/files/logs/solid-pop3d fail2ban/tests/files/logs/squid fail2ban/tests/files/logs/squirrelmail fail2ban/tests/files/logs/sshd +fail2ban/tests/files/logs/sshd-aggressive fail2ban/tests/files/logs/sshd-ddos fail2ban/tests/files/logs/stunnel fail2ban/tests/files/logs/suhosin From 35280044ffdb6a8166fc6ad5497cfae7032c71a6 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Wed, 10 May 2017 21:38:57 -0400 Subject: [PATCH 14/25] Preparing for 0.9.7 release --- ChangeLog | 4 ++-- README.md | 2 +- fail2ban/version.py | 2 +- man/fail2ban-client.1 | 4 ++-- man/fail2ban-regex.1 | 2 +- man/fail2ban-server.1 | 4 ++-- man/fail2ban-testcases.1 | 2 +- 7 files changed, 10 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index c60ff660..ec855ab0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,7 +7,7 @@ Fail2Ban: Changelog =================== -ver. 0.9.x (2016/??/??) - wanna-be-released +ver. 0.9.7 (2017/05/11) - awaiting-victory ----------- 0.9.x line is no longer heavily developed. If you are interested in 
@@ -40,7 +40,7 @@ releases. * filter.d/cyrus-imap.conf - accept entries without login-info resp. hostname before IP address (gh-1707) * Filter tests extended with check of all config-regexp, that contains greedy catch-all - before ``, that is hard-anchored at end or precise sub expression after `` + before ``, that is hard-anchored at end or precise sub expression after `` ### New Features * New Actions: diff --git a/README.md b/README.md index 3f0e3253..89844d1d 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ / _|__ _(_) |_ ) |__ __ _ _ _ | _/ _` | | |/ /| '_ \/ _` | ' \ |_| \__,_|_|_/___|_.__/\__,_|_||_| - v0.9.6.dev0 2016/??/?? + v0.9.7 2017/05/11 ## Fail2Ban: ban hosts that cause multiple authentication errors diff --git a/fail2ban/version.py b/fail2ban/version.py index c2a8dc59..e8344517 100644 --- a/fail2ban/version.py +++ b/fail2ban/version.py @@ -24,4 +24,4 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko, Steven Hiscocks, Daniel Black" __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2005-2016 Yaroslav Halchenko, 2013-2014 Steven Hiscocks, Daniel Black" __license__ = "GPL-v2+" -version = "0.9.6.dev0" +version = "0.9.7" diff --git a/man/fail2ban-client.1 b/man/fail2ban-client.1 index ff3e5f77..34a9d894 100644 --- a/man/fail2ban-client.1 +++ b/man/fail2ban-client.1 @@ -1,12 +1,12 @@ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4. -.TH FAIL2BAN-CLIENT "1" "December 2016" "fail2ban-client v0.9.6" "User Commands" +.TH FAIL2BAN-CLIENT "1" "May 2017" "fail2ban-client v0.9.7" "User Commands" .SH NAME fail2ban-client \- configure and control the server .SH SYNOPSIS .B fail2ban-client [\fI\,OPTIONS\/\fR] \fI\,\/\fR .SH DESCRIPTION -Fail2Ban v0.9.6 reads log file that contains password failure report +Fail2Ban v0.9.7 reads log file that contains password failure report and bans the corresponding IP addresses using firewall rules. .SH OPTIONS .TP diff --git a/man/fail2ban-regex.1 b/man/fail2ban-regex.1 index 1ed2c327..d117ee38 100644 
--- a/man/fail2ban-regex.1 +++ b/man/fail2ban-regex.1 @@ -1,5 +1,5 @@ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4. -.TH FAIL2BAN-REGEX "1" "December 2016" "fail2ban-regex 0.9.6" "User Commands" +.TH FAIL2BAN-REGEX "1" "May 2017" "fail2ban-regex 0.9.7" "User Commands" .SH NAME fail2ban-regex \- test Fail2ban "failregex" option .SH SYNOPSIS diff --git a/man/fail2ban-server.1 b/man/fail2ban-server.1 index 5278302c..b71f6b52 100644 --- a/man/fail2ban-server.1 +++ b/man/fail2ban-server.1 @@ -1,12 +1,12 @@ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4. -.TH FAIL2BAN-SERVER "1" "December 2016" "fail2ban-server v0.9.6" "User Commands" +.TH FAIL2BAN-SERVER "1" "May 2017" "fail2ban-server v0.9.7" "User Commands" .SH NAME fail2ban-server \- start the server .SH SYNOPSIS .B fail2ban-server [\fI\,OPTIONS\/\fR] .SH DESCRIPTION -Fail2Ban v0.9.6 reads log file that contains password failure report +Fail2Ban v0.9.7 reads log file that contains password failure report and bans the corresponding IP addresses using firewall rules. .PP Only use this command for debugging purpose. Start the server with diff --git a/man/fail2ban-testcases.1 b/man/fail2ban-testcases.1 index 658555ac..3d250f5c 100644 --- a/man/fail2ban-testcases.1 +++ b/man/fail2ban-testcases.1 @@ -1,5 +1,5 @@ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4. -.TH FAIL2BAN-TESTCASES "1" "December 2016" "fail2ban-testcases 0.9.6" "User Commands" +.TH FAIL2BAN-TESTCASES "1" "May 2017" "fail2ban-testcases 0.9.7" "User Commands" .SH NAME fail2ban-testcases \- run Fail2Ban unit-tests .SH SYNOPSIS From a5cdb9c977fb640df2a12b3110235c2472042456 Mon Sep 17 00:00:00 2001 From: sebres Date: Thu, 11 May 2017 09:10:45 +0200 Subject: [PATCH 15/25] exim test cases extended: cover short form of the logging (without session-id, gh-1771) --- fail2ban/tests/files/logs/exim | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/fail2ban/tests/files/logs/exim b/fail2ban/tests/files/logs/exim index 326cdf28..8f3ac1bb 100644 --- a/fail2ban/tests/files/logs/exim +++ b/fail2ban/tests/files/logs/exim @@ -60,6 +60,8 @@ 2016-03-21 04:07:49 [25874] 1ahr79-0006jK-G9 SMTP connection from (voyeur.webair.com) [174.137.147.204]:44884 I=[172.89.0.6]:25 closed by DROP in ACL # failJSON: { "time": "2016-03-21T04:33:13", "match": true , "host": "206.214.71.53" } 2016-03-21 04:33:13 [26074] 1ahrVl-0006mY-79 SMTP connection from riveruse.com [206.214.71.53]:39865 I=[172.89.0.6]:25 closed by DROP in ACL +# failJSON: { "time": "2016-03-21T04:33:14", "match": true , "host": "192.0.2.33", "desc": "short form without optional session-id" } +2016-03-21 04:33:14 SMTP connection from (some.domain) [192.0.2.33] closed by DROP in ACL # failJSON: { "time": "2016-04-01T11:08:39", "match": true , "host": "192.0.2.1" } 2016-04-01 11:08:39 [18643] no MAIL in SMTP connection from host.example.com (SERVER) [192.0.2.1]:1418 I=[172.89.0.6]:25 D=34s C=EHLO,AUTH From 407b2ea936b836cbe9cdb59fc8e40fcce6d2959e Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Thu, 11 May 2017 11:17:27 -0400 Subject: [PATCH 16/25] life is going on --- ChangeLog | 15 +++++++++++++-- README.md | 6 +++--- RELEASE | 14 +++++++------- fail2ban/version.py | 2 +- 4 files changed, 24 insertions(+), 13 deletions(-) diff --git a/ChangeLog b/ChangeLog index ec855ab0..8e7ebdb0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,14 +6,25 @@ Fail2Ban: Changelog =================== - -ver. 0.9.7 (2017/05/11) - awaiting-victory +ver. 0.9.8 (2016/XX/XXX) - wanna-be-released ----------- 0.9.x line is no longer heavily developed. If you are interested in new features (e.g. IPv6 support), please consider 0.10 branch and its releases. + +### Fixes + +### New Features + +### Enhancements + + + +ver. 0.9.7 (2017/05/11) - awaiting-victory +----------- + ### Fixes * Fixed a systemd-journal handling in fail2ban-regex (gh-1657) * filter.d/sshd.conf 
diff --git a/README.md b/README.md index 89844d1d..1138a3ac 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ / _|__ _(_) |_ ) |__ __ _ _ _ | _/ _` | | |/ /| '_ \/ _` | ' \ |_| \__,_|_|_/___|_.__/\__,_|_||_| - v0.9.7 2017/05/11 + v0.9.7.dev0 2017/??/?? ## Fail2Ban: ban hosts that cause multiple authentication errors @@ -39,8 +39,8 @@ Optional: To install, just do: - tar xvfj fail2ban-0.9.6.tar.bz2 - cd fail2ban-0.9.6 + tar xvfj fail2ban-0.9.7.tar.bz2 + cd fail2ban-0.9.7 python setup.py install This will install Fail2Ban into the python library directory. The executable diff --git a/RELEASE b/RELEASE index c4f62d7a..0a3e0497 100644 --- a/RELEASE +++ b/RELEASE @@ -53,7 +53,7 @@ Preparation or an alternative for comparison with previous release - git diff 0.9.6 | grep -B2 'index 0000000..' | grep -B1 'new file mode' | sed -n -e '/^diff /s,.* b/,,gp' >> MANIFEST + git diff 0.9.7 | grep -B2 'index 0000000..' | grep -B1 'new file mode' | sed -n -e '/^diff /s,.* b/,,gp' >> MANIFEST sort MANIFEST | uniq | sponge MANIFEST * Run:: 
@@ -66,24 +66,24 @@ Preparation * Which indicates that testcases/files/logs/mysqld.log has been moved or is a directory:: - tar -C /tmp -jxf dist/fail2ban-0.9.6.tar.bz2 + tar -C /tmp -jxf dist/fail2ban-0.9.7.tar.bz2 * clean up current directory:: - diff -rul --exclude \*.pyc . /tmp/fail2ban-0.9.6/ + diff -rul --exclude \*.pyc . /tmp/fail2ban-0.9.7/ * Only differences should be files that you don't want distributed. * Ensure the tests work from the tarball:: - cd /tmp/fail2ban-0.9.6/ && bin/fail2ban-testcases + cd /tmp/fail2ban-0.9.7/ && bin/fail2ban-testcases * Add/finalize the corresponding entry in the ChangeLog * To generate a list of committers use e.g.:: - git shortlog -sn 0.9.6.. | sed -e 's,^[ 0-9\t]*,,g' | tr '\n' '\|' | sed -e 's:|:, :g' + git shortlog -sn 0.9.7.. | sed -e 's,^[ 0-9\t]*,,g' | tr '\n' '\|' | sed -e 's:|:, :g' * Ensure the top of the ChangeLog has the right version and current date. * Ensure the top entry of the ChangeLog has the right version and current date. @@ -106,7 +106,7 @@ Preparation * Tag the release by using a signed (and annotated) tag. Cut/paste release ChangeLog entry as tag annotation:: - git tag -s 0.9.6 + git tag -s 0.9.8 Pre Release =========== @@ -190,7 +190,7 @@ Post Release Add the following to the top of the ChangeLog:: - ver. 0.9.8 (2016/XX/XXX) - wanna-be-released + ver. 0.9.9 (2016/XX/XXX) - wanna-be-released ----------- ### Fixes diff --git a/fail2ban/version.py b/fail2ban/version.py index e8344517..3f4edc54 100644 --- a/fail2ban/version.py +++ b/fail2ban/version.py @@ -24,4 +24,4 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko, Steven Hiscocks, Daniel Black" __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2005-2016 Yaroslav Halchenko, 2013-2014 Steven Hiscocks, Daniel Black" __license__ = "GPL-v2+" -version = "0.9.7" +version = "0.9.7.dev0" From ff1c6718da50f3d7eaf447bd399211f1fde7708b Mon Sep 17 00:00:00 2001 
From: Filippo Tessarotto Date: Tue, 7 Feb 2017 12:58:04 +0100 Subject: [PATCH 17/25] Postfix RBL: 554 & SMTP Cherry-pick of 607568f5da9e6b962c43d59280d72bd678c08afa (see gh-1686) --- config/filter.d/postfix-rbl.conf | 2 +- fail2ban/tests/files/logs/postfix-rbl | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/config/filter.d/postfix-rbl.conf b/config/filter.d/postfix-rbl.conf index c3f8c332..0a9078f0 100644 --- a/config/filter.d/postfix-rbl.conf +++ b/config/filter.d/postfix-rbl.conf @@ -12,7 +12,7 @@ before = common.conf _daemon = postfix(-\w+)?/smtpd -failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 454 4\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$ +failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b ignoreregex = diff --git a/fail2ban/tests/files/logs/postfix-rbl b/fail2ban/tests/files/logs/postfix-rbl index eff01bf9..6aeac03b 100644 --- a/fail2ban/tests/files/logs/postfix-rbl +++ b/fail2ban/tests/files/logs/postfix-rbl @@ -3,3 +3,6 @@ Dec 30 18:19:15 xxx postfix/smtpd[1574]: NOQUEUE: reject: RCPT from badguy.examp # failJSON: { "time": "2004-12-30T18:19:15", "match": true , "host": "93.184.216.34" } Dec 30 18:19:15 xxx postfix-incoming/smtpd[1574]: NOQUEUE: reject: RCPT from badguy.example.com[93.184.216.34]: 454 4.7.1 Service unavailable; Client host [93.184.216.34] blocked using rbl.example.com; http://www.example.com/query?ip=93.184.216.34; from= to= proto=ESMTP helo= + +# failJSON: { "time": "2005-02-07T12:25:45", "match": true , "host": "87.236.233.182" } +Feb 7 12:25:45 xxx12345 postfix/smtpd[13275]: NOQUEUE: reject: RCPT from unknown[87.236.233.182]: 554 5.7.1 Service unavailable; Client host [87.236.233.182] blocked using rbl.example.com; https://www.example.com/query/ip/87.236.233.182; from= to= proto=SMTP helo= 
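Review bot: `[45]54 [45]\.7\.1` in `failregex` also admits the mixed forms `454 5.7.1` and `554 4.7.1`, which neither of the two samples in the test log shows; the alternation `(?:454 4|554 5)\.7\.1` expresses exactly the two status/enhanced-code pairs this change is meant to cover. Ending the pattern at `blocked\b` instead of the former full-line anchor is acceptable here because no variable text is consumed after it.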
From f099558bcff64a65f8dc3e185838e1ce3c391576 Mon Sep 17 00:00:00 2001 From: sebres Date: Mon, 15 May 2017 15:43:16 +0200 Subject: [PATCH 18/25] try to fix travis build for pypy3 (after switch to 'pypy3.3-5.2-alpha1' the test cases seems to never run anymore). --- .travis.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index 40376075..dc5b1e8f 100644 --- a/.travis.yml +++ b/.travis.yml @@ -14,8 +14,9 @@ python: # - pypy3 - pypy3.3-5.2-alpha1 before_install: - - if [[ $TRAVIS_PYTHON_VERSION == 2* || $TRAVIS_PYTHON_VERSION == 'pypy' ]]; then export F2B_PY_2=true && echo "Set F2B_PY_2"; fi - - if [[ $TRAVIS_PYTHON_VERSION == 3* || $TRAVIS_PYTHON_VERSION == 'pypy3' ]]; then export F2B_PY_3=true && echo "Set F2B_PY_3"; fi + - echo "running under $TRAVIS_PYTHON_VERSION" + - if [[ $TRAVIS_PYTHON_VERSION == 2* || $TRAVIS_PYTHON_VERSION == pypy* && $TRAVIS_PYTHON_VERSION != pypy3* ]]; then export F2B_PY_2=true && echo "Set F2B_PY_2"; fi + - if [[ $TRAVIS_PYTHON_VERSION == 3* || $TRAVIS_PYTHON_VERSION == pypy3* ]]; then export F2B_PY_3=true && echo "Set F2B_PY_3"; fi - travis_retry sudo apt-get update -qq # Set this so sudo executes the correct python binary # Anything not using sudo will already have the correct environment From c7ddf1f940aa30f7d31dc1bf6e4d895713a6e38b Mon Sep 17 00:00:00 2001 From: sebres Date: Fri, 19 May 2017 15:36:06 +0200 Subject: [PATCH 19/25] [systemd-backend] implicit closing journal descriptor by stop filter. Partially cherry-picked from 0.10 (d153555a07ec81dabe4678ea06c8e644afc8ec40) --- ChangeLog | 2 ++ fail2ban/server/filtersystemd.py | 7 +++++++ 2 files changed, 9 insertions(+) diff --git a/ChangeLog b/ChangeLog index 8e7ebdb0..c798768d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,8 @@ releases. ### Fixes +* Fix for systemd-backend: fail2ban hits the ulimit (out of file descriptors), see gh-991. + Partially back-ported from v.0.10. ### New Features 
diff --git a/fail2ban/server/filtersystemd.py b/fail2ban/server/filtersystemd.py index 908112a7..73db618e 100644 --- a/fail2ban/server/filtersystemd.py +++ b/fail2ban/server/filtersystemd.py @@ -291,6 +291,13 @@ class FilterSystemd(JournalFilter): # pragma: systemd no cover except FailManagerEmpty: self.failManager.cleanup(MyTime.time()) + # close journal: + try: + if self.__journal: + self.__journal.close() + except Exception as e: # pragma: no cover + logSys.error("Close journal failed: %r", e, + exc_info=logSys.getEffectiveLevel()<=logging.DEBUG) logSys.debug((self.jail is not None and self.jail.name or "jailless") +" filter terminated") return True From 228d25c548a3f62d8606054709fcb29ff3367775 Mon Sep 17 00:00:00 2001 From: Marcel Bischoff Date: Tue, 30 May 2017 20:27:44 +0200 Subject: [PATCH 20/25] Update Kerio Connect filter (#1455) * Update Kerio Connect filter Fixed regex for some log entries that did not get recognized and some additional error formats are added. * Add missing colon, GitHub address * Add filter tests * Add missing test --- config/filter.d/kerio.conf | 8 +++++++- fail2ban/tests/files/logs/kerio | 15 +++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/config/filter.d/kerio.conf b/config/filter.d/kerio.conf index 313c9b36..ec1c09df 100644 --- a/config/filter.d/kerio.conf +++ b/config/filter.d/kerio.conf 
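Review bot: After `self.__journal.close()` the attribute still refers to the closed reader, so the `if self.__journal:` guard would not stop a later use from failing at the call; if nothing needs the reader once `run` returns (the method starts outside the hunk), adding `self.__journal = None` directly after the close makes any repeated pass through this block or later access a no-op. The broad `except Exception` is reasonable on this best-effort shutdown path, but `exc_info=logSys.getEffectiveLevel()<=logging.DEBUG` assumes `logging` is imported in this module, which the hunk does not show.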
@@ -3,9 +3,14 @@ [Definition] failregex = ^ SMTP Spam attack detected from , - ^ IP address found in DNS blacklist \S+, mail from \S+ to \S+$ + ^ IP address found in DNS blacklist ^ Relay attempt from IP address ^ Attempt to deliver to unknown recipient \S+, from \S+, IP address $ + ^ Failed SMTP login from + ^ SMTP: User \S+ doesn't exist. Attempt from IP address + ^ Client with IP address has no reverse DNS entry, connection rejected before SMTP greeting$ + ^ Administration login into Web Administration from failed: IP address not allowed$ + ^ Message from IP address , sender \S+ rejected: sender domain does not exist$ ignoreregex = @@ -16,5 +21,6 @@ datepattern = ^\[%%d/%%b/%%Y %%H:%%M:%%S\] # DEV NOTES: # # Author: A.P. Lawrence +# Updated by: M. Bischoff # # Based off: http://aplawrence.com/Kerio/fail2ban.html diff --git a/fail2ban/tests/files/logs/kerio b/fail2ban/tests/files/logs/kerio index c9368c22..f7aa0eb7 100644 --- a/fail2ban/tests/files/logs/kerio +++ b/fail2ban/tests/files/logs/kerio 
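Review bot: In the new rule `^ SMTP: User \S+ doesn't exist. Attempt from IP address` the `.` after `exist` is unescaped and matches any character; escape it as `doesn't exist\. Attempt from IP address` so the rule matches only the literal message and not an arbitrary character in that position. The rewritten DNS-blacklist rule drops both the `\S+, mail from \S+ to \S+` tail and the `$` anchor, which matches the fixture line ending in `..., mail from to rejected` and is consistent with the later apache-overflows change in this series that avoids greedy, end-anchored tails. The remaining new rules end either in the host token or in a literal anchored message, so they look fine as written.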
@@ -25,5 +25,20 @@ # failJSON: { "time": "2013-12-13T01:11:04", "match": true, "host": "218.85.253.185" } [13/Dec/2013 01:11:04] Attempt to deliver to unknown recipient , from , IP address 218.85.253.185 +# failJSON: { "time": "2017-05-29T17:29:29", "match": true, "host": "185.140.108.56" } +[29/May/2017 17:29:29] IP address 185.140.108.56 found in DNS blacklist SpamCop, mail from to rejected +# failJSON: { "time": "2017-05-17T19:43:42", "match": true, "host": "185.140.108.26" } +[17/May/2017 19:43:42] SMTP: User printer@verinion.com doesn't exist. Attempt from IP address 185.140.108.26. +# failJSON: { "time": "2017-05-17T19:44:25", "match": true, "host": "184.171.168.211" } +[17/May/2017 19:44:25] Client with IP address 184.171.168.211 has no reverse DNS entry, connection rejected before SMTP greeting + +# failJSON: { "time": "2017-05-17T19:45:27", "match": true, "host": "170.178.167.136" } +[17/May/2017 19:45:27] Administration login into Web Administration from 170.178.167.136 failed: IP address not allowed + +# failJSON: { "time": "2017-05-17T22:14:57", "match": true, "host": "67.211.219.82" } +[17/May/2017 22:14:57] Message from IP address 67.211.219.82, sender rejected: sender domain does not exist + +# failJSON: { "time": "2017-05-18T07:25:15", "match": true, "host": "212.92.127.112" } +[18/May/2017 07:25:15] Failed SMTP login from 212.92.127.112 with SASL method CRAM-MD5. From 5214c1c5d1611e0c4a8f3c960a4b833ee767f7bc Mon Sep 17 00:00:00 2001 From: "Serg G. Brester" Date: Tue, 30 May 2017 20:31:48 +0200 Subject: [PATCH 21/25] Update changelog (gh-1455) --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index c798768d..5f472f81 100644 --- a/ChangeLog +++ b/ChangeLog @@ -21,7 +21,7 @@ releases. ### New Features ### Enhancements - +* filter.d/kerio.conf - filter extended with new rules (see gh-1455) ver. 0.9.7 (2017/05/11) - awaiting-victory From b93e47b12f69419692fc8275358b498f01b30cbe Mon Sep 17 00:00:00 2001 
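Review bot: The new fixture lines use routable public addresses (185.140.108.56, 185.140.108.26, 184.171.168.211, 170.178.167.136, 67.211.219.82, 212.92.127.112) and a real-looking mailbox `printer@verinion.com`, while the cyrus-imap fixture added earlier in this series uses `192.0.2.4` from the RFC 5737 documentation range; new test lines should prefer 192.0.2.0/24, 198.51.100.0/24 or 203.0.113.0/24 and an example.com address, since the regex only needs the token shape. The pre-existing line with 218.85.253.185 shows the file already mixes both styles, so this is a hygiene point for what is being added rather than a functional defect. The ChangeLog hunk sharing this line needs no review.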
From: Peter Nowee Date: Wed, 31 May 2017 15:24:21 +0200 Subject: [PATCH 22/25] dovecot: Match also when user field is empty Commit 5678d08 of 2016-11-26 changed: ( user=<\S*>,)? to: ( user=<[^>]+>,)? The change from `*` (zero or more times) to `+` (one or more times) may not have been intended. It will miss lines containing, for example: Aborted login (tried to use disallowed plaintext auth): user=<> This commit reverts the `+` back to `*`. --- config/filter.d/dovecot.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf index a3dc60bb..68c78c7a 100644 --- a/config/filter.d/dovecot.conf +++ b/config/filter.d/dovecot.conf 
@@ -10,7 +10,7 @@ before = common.conf _daemon = (auth|dovecot(-auth)?|auth-worker) failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(?:\s+user=\S*)?\s*$ - ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$ + ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]*>,)?( method=\S+,)? rip=(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$ ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$ ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,\): unknown user\s*$ ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,,\S*\): invalid credentials\s*$ From 2b358bc1a4c985c07120d8b4bc7e025339926bdc Mon Sep 17 00:00:00 2001 From: sebres Date: Thu, 15 Jun 2017 11:16:19 +0200 Subject: [PATCH 23/25] filter.d/apache-overflows.conf: rewritten without end-anchor ($), because apache-log could contain very long URLs (and/or referrer), the parsing of it anchored way may be very vulnerable (at least as regards the system resources, see gh-1790). --- config/filter.d/apache-overflows.conf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
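Review bot: The revert from `( user=<[^>]+>,)?` to `( user=<[^>]*>,)?` has no regression test: the diffstat shows only `config/filter.d/dovecot.conf` changed, so nothing prevents the `+` from coming back in a later regex rewrite. The commit message already supplies the sample, `Aborted login (tried to use disallowed plaintext auth): user=<>`, so a `# failJSON: { "time": ..., "match": true, "host": ... }` entry with a full log line built around it in the dovecot fixture (presumably `fail2ban/tests/files/logs/dovecot`, following the cyrus-imap and kerio fixtures in this series) would pin the behaviour. The one-character change itself is the minimal fix for the case described.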
diff --git a/config/filter.d/apache-overflows.conf b/config/filter.d/apache-overflows.conf index 74e44b8e..02a2ef20 100644 --- a/config/filter.d/apache-overflows.conf +++ b/config/filter.d/apache-overflows.conf @@ -8,11 +8,15 @@ before = apache-common.conf [Definition] -failregex = ^%(_apache_error_client)s ((AH0013[456]: )?Invalid (method|URI) in request .*( - possible attempt to establish SSL connection on non-SSL port)?|(AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string: .*|AH00566: request failed: invalid characters in URI)(, referer: \S+)?$ +failregex = ^%(_apache_error_client)s (?:(?:AH0013[456]: )?Invalid (method|URI) in request\b|(?:AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string:|(?:AH00566: )?request failed: invalid characters in URI\b) ignoreregex = # DEV Notes: +# +# [sebres] Because this apache-log could contain very long URLs (and/or referrer), +# the parsing of it anchored way may be very vulnerable (at least as regards +# the system resources, see gh-1790). Thus rewritten without end-anchor ($). # # fgrep -r 'URI too long' httpd-2.* # httpd-2.2.25/server/protocol.c: "request failed: URI too long (longer than %d)", r->server->limit_req_line); From e1234a5249d7d9ca604970d80c54353a86b60aba Mon Sep 17 00:00:00 2001 From: sebres Date: Thu, 15 Jun 2017 11:40:07 +0200 Subject: [PATCH 24/25] ChangeLog update --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index 5f472f81..e99bab04 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17,6 +17,9 @@ releases. ### Fixes * Fix for systemd-backend: fail2ban hits the ulimit (out of file descriptors), see gh-991. Partially back-ported from v.0.10. +* filter.d/apache-overflows.conf: + - Fixes resources greedy expression (see gh-1790); + - Rewritten without end-anchor ($), because of potential vulnerability on very long URLs. ### New Features 
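Review bot: The rewritten `failregex` converts every group to non-capturing except `(method|URI)`, which is left capturing for no reason; change it to `(?:method|URI)` so the line is internally consistent and no unused capture is kept. Dropping the trailing `(, referer: \S+)?$` means anything after the matched message, including a referer, is no longer inspected at all, which is exactly what the new DEV note explains and is the right trade-off against resource-greedy matching on long URLs. Each alternative still ends on a literal message fragment or a `\b`, so the rule cannot match an arbitrary prefix of an unrelated error line. The ChangeLog hunk sharing this line needs no review.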
From 6110ba9cc34e212d0ff6ac5be4b3d5bebadef794 Mon Sep 17 00:00:00 2001 From: "Serg G. Brester" Date: Fri, 30 Jun 2017 18:00:01 +0200 Subject: [PATCH 25/25] filter.d/proftpd.conf: added option `journalmatch` for systemd backend (closes gh-1613) --- config/filter.d/proftpd.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/filter.d/proftpd.conf b/config/filter.d/proftpd.conf index 4bc0ba01..303be5e5 100644 --- a/config/filter.d/proftpd.conf +++ b/config/filter.d/proftpd.conf @@ -23,5 +23,8 @@ failregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ USER .*: no ignoreregex = +[Init] +journalmatch = _SYSTEMD_UNIT=proftpd.service + # Author: Yaroslav Halchenko # Daniel Black - hardening of regex