mirror of https://github.com/fail2ban/fail2ban
Merge branch '0.10' into 0.11
sebres
commit
037a0be3ae
|
|
@ -45,6 +45,7 @@ ver. 0.10.1-dev-1 (2017/??/??) - development current edition
|
|||
-----------
|
||||
|
||||
### Fixes
|
||||
* fix Gentoo init script's shebang to use openrc-run instead of runscript (gh-1891)
|
||||
* jail "pass2allow-ftp" supply blocktype and returntype parameters to the action (gh-1884)
|
||||
* avoid using "ANSI_X3.4-1968" as preferred encoding (if missing environment variables
|
||||
'LANGUAGE', 'LC_ALL', 'LC_CTYPE', and 'LANG', see gh-1587).
|
||||
|
|
@ -63,6 +64,7 @@ ver. 0.10.1-dev-1 (2017/??/??) - development current edition
|
|||
human readable representation (opposite to `-d`);
|
||||
|
||||
### Enhancements
|
||||
* nftables actions are IPv6-capable now (gh-1893)
|
||||
* filter.d/dovecot.conf: introduced mode `aggressive` for cases like "disconnected before auth was ready" (gh-1880)
|
||||
|
||||
|
||||
|
|
@ -430,6 +432,7 @@ releases.
|
|||
* filter.d/asterisk.conf - fixed failregex AMI Asterisk authentification failed (see gh-1302)
|
||||
* filter.d/dovecot.conf - fixed failregex, see gh-1879 (partially cherry-picked from gh-1880)
|
||||
* filter.d/exim.conf - fixed failregex for case of flood attempts with `D=0s` (gh-1887)
|
||||
* filter.d/postfix-*.conf - added optional port regex (gh-1902)
|
||||
|
||||
### New Features
|
||||
|
||||
|
|
|
|||
|
|
@ -17,6 +17,6 @@ before = nftables-common.conf
|
|||
# Notes.: additional expressions for nftables filter rule
|
||||
# Values: nftables expressions
|
||||
#
|
||||
nftables_mode = ip protocol <protocol>
|
||||
nftables_mode = meta l4proto <protocol>
|
||||
|
||||
[Init]
|
||||
|
|
|
|||
|
|
@ -28,11 +28,11 @@ nftables_mode = <protocol> dport \{ <port> \}
|
|||
# Notes.: command executed once at the start of Fail2Ban.
|
||||
# Values: CMD
|
||||
#
|
||||
actionstart = <nftables> add set <nftables_family> <nftables_table> f2b-<name> \{ type <nftables_type>\; \}
|
||||
<nftables> insert rule <nftables_family> <nftables_table> <chain> %(nftables_mode)s ip saddr @f2b-<name> <blocktype>
|
||||
actionstart = <nftables> add set <nftables_family> <nftables_table> <set_name> \{ type <nftables_type>\; \}
|
||||
<nftables> insert rule <nftables_family> <nftables_table> <chain> %(nftables_mode)s <address_family> saddr @<set_name> <blocktype>
|
||||
|
||||
_nft_list = <nftables> --handle --numeric list chain <nftables_family> <nftables_table> <chain>
|
||||
_nft_get_handle_id = grep -m1 'ip saddr @f2b-<name> <blocktype> # handle' | grep -oe ' handle [0-9]*'
|
||||
_nft_get_handle_id = grep -m1 '<address_family> saddr @<set_name> <blocktype> # handle' | grep -oe ' handle [0-9]*'
|
||||
|
||||
# Option: actionstop
|
||||
# Notes.: command executed once at the end of Fail2Ban
|
||||
|
|
@ -40,13 +40,13 @@ _nft_get_handle_id = grep -m1 'ip saddr @f2b-<name> <blocktype> # handle' | grep
|
|||
#
|
||||
actionstop = HANDLE_ID=$(%(_nft_list)s | %(_nft_get_handle_id)s)
|
||||
<nftables> delete rule <nftables_family> <nftables_table> <chain> $HANDLE_ID
|
||||
<nftables> delete set <nftables_family> <nftables_table> f2b-<name>
|
||||
<nftables> delete set <nftables_family> <nftables_table> <set_name>
|
||||
|
||||
# Option: actioncheck
|
||||
# Notes.: command executed once before each actionban command
|
||||
# Values: CMD
|
||||
#
|
||||
actioncheck = <nftables> list chain <nftables_family> <nftables_table> <chain> | grep -q '@f2b-<name>[ \t]'
|
||||
actioncheck = <nftables> list chain <nftables_family> <nftables_table> <chain> | grep -q '@<set_name>[ \t]'
|
||||
|
||||
# Option: actionban
|
||||
# Notes.: command executed when banning an IP. Take care that the
|
||||
|
|
@ -54,7 +54,7 @@ actioncheck = <nftables> list chain <nftables_family> <nftables_table> <chain> |
|
|||
# Tags: See jail.conf(5) man page
|
||||
# Values: CMD
|
||||
#
|
||||
actionban = <nftables> add element <nftables_family> <nftables_table> f2b-<name> \{ <ip> \}
|
||||
actionban = <nftables> add element <nftables_family> <nftables_table> <set_name> \{ <ip> \}
|
||||
|
||||
# Option: actionunban
|
||||
# Notes.: command executed when unbanning an IP. Take care that the
|
||||
|
|
@ -62,7 +62,7 @@ actionban = <nftables> add element <nftables_family> <nftables_table> f2b-<name>
|
|||
# Tags: See jail.conf(5) man page
|
||||
# Values: CMD
|
||||
#
|
||||
actionunban = <nftables> delete element <nftables_family> <nftables_table> f2b-<name> \{ <ip> \}
|
||||
actionunban = <nftables> delete element <nftables_family> <nftables_table> <set_name> \{ <ip> \}
|
||||
|
||||
[Init]
|
||||
|
||||
|
|
@ -117,3 +117,19 @@ blocktype = reject
|
|||
# Notes.: Actual command to be executed, including common to all calls options
|
||||
# Values: STRING
|
||||
nftables = nft
|
||||
|
||||
# Option: set_name
|
||||
# Notes.: The name of the nft set used to store banned addresses
|
||||
# Values: STRING
|
||||
set_name = f2b-<name>
|
||||
|
||||
# Option: address_family
|
||||
# Notes.: The family of the banned addresses
|
||||
# Values: [ ip | ip6 ]
|
||||
address_family = ip
|
||||
|
||||
[Init?family=inet6]
|
||||
|
||||
nftables_type = ipv6_addr
|
||||
set_name = f2b-<name>6
|
||||
address_family = ip6
|
||||
|
|
|
|||
|
|
@ -16,29 +16,29 @@ _port = (?::\d+)?
|
|||
prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$
|
||||
|
||||
mdpr-normal = (?:NOQUEUE: reject:|improper command pipelining after \S+)
|
||||
mdre-normal=^RCPT from [^[]*\[<HOST>\]<_port>: 55[04] 5\.7\.1\s
|
||||
^RCPT from [^[]*\[<HOST>\]<_port>: 45[04] 4\.7\.1 (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
|
||||
^RCPT from [^[]*\[<HOST>\]<_port>: 450 4\.7\.1 (<[^>]*>)?: Helo command rejected: Host not found\b
|
||||
^EHLO from [^[]*\[<HOST>\]<_port>: 504 5\.5\.2 (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
|
||||
^VRFY from [^[]*\[<HOST>\]<_port>: 550 5\.1\.1\s
|
||||
^RCPT from [^[]*\[<HOST>\]<_port>: 450 4\.1\.8 (<[^>]*>)?: Sender address rejected: Domain not found\b
|
||||
^from [^[]*\[<HOST>\]:?
|
||||
mdre-normal=^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
|
||||
^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.1 (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
|
||||
^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.1 (<[^>]*>)?: Helo command rejected: Host not found\b
|
||||
^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.2 (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
|
||||
^VRFY from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s
|
||||
^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.8 (<[^>]*>)?: Sender address rejected: Domain not found\b
|
||||
^from [^[]*\[<HOST>\]%(_port)s:?
|
||||
|
||||
mdpr-auth = warning:
|
||||
mdre-auth = ^[^[]*\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
|
||||
mdre-auth2= ^[^[]*\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
|
||||
mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
|
||||
mdre-auth2= ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
|
||||
# todo: check/remove "Invalid authentication mechanism" from ignore list, if gh-1243 will get finished (see gh-1297).
|
||||
|
||||
# Mode "rbl" currently included in mode "normal", but if needed for jail "postfix-rbl" only:
|
||||
mdpr-rbl = %(mdpr-normal)s
|
||||
mdre-rbl = ^RCPT from [^[]*\[<HOST>\]: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b
|
||||
mdre-rbl = ^RCPT from [^[]*\[<HOST>\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b
|
||||
|
||||
# Mode "rbl" currently included in mode "normal" (within 1st rule)
|
||||
mdpr-more = %(mdpr-normal)s
|
||||
mdre-more = %(mdre-normal)s
|
||||
|
||||
mdpr-ddos = lost connection after(?! DATA) [A-Z]+
|
||||
mdre-ddos = ^from [^[]*\[<HOST>\]:?
|
||||
mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?
|
||||
|
||||
mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
|
||||
mdre-extra = %(mdre-auth)s
|
||||
|
|
|
|||
|
|
@ -101,6 +101,9 @@ Apr 12 02:24:11 xxx postfix/smtps/smtpd[42]: warning: astra4139.startdedicated.d
|
|||
# failJSON: { "time": "2005-08-03T15:30:49", "match": true , "host": "98.191.84.74" }
|
||||
Aug 3 15:30:49 ksusha postfix/smtpd[17041]: warning: mail.foldsandwalker.com[98.191.84.74]: SASL Plain authentication failed:
|
||||
|
||||
# failJSON: { "time": "2005-08-04T16:47:52", "match": true , "host": "192.0.2.237", "desc": "cover optional port after host" }
|
||||
Aug 4 16:47:52 mail3 postfix/smtpd[31152]: warning: unknown[192.0.2.237]:55729: SASL LOGIN authentication failed: authentication failure
|
||||
|
||||
# failJSON: { "time": "2004-11-04T09:11:01", "match": true , "host": "192.0.2.150", "desc": "without reason for fail, see gh-1245" }
|
||||
Nov 4 09:11:01 mail postfix/submission/smtpd[27133]: warning: unknown[192.0.2.150]: SASL PLAIN authentication failed:
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
#!/sbin/runscript
|
||||
#!/sbin/openrc-run
|
||||
# This file is part of Fail2Ban.
|
||||
#
|
||||
# Fail2Ban is free software; you can redistribute it and/or modify
|
||||
|
|
|
|||
Loading…
Reference in New Issue