Merge branch 'master' into 0.10

# Conflicts:
#	config/filter.d/asterisk.conf

ChangeLog

@@ -425,7 +425,10 @@ releases.
     - Fixes resources greedy expression (see gh-1790);
     - Rewritten without end-anchor ($), because of potential vulnerability on very long URLs.
 * filter.d/apache-badbots.conf - extended to recognize Jorgee Vulnerability Scanner (gh-1882)
-* filter.d/asterisk.conf - fixed failregex AMI Asterisk authentification failed (see gh-1302)
+* filter.d/asterisk.conf
+    - fixed failregex AMI Asterisk authentification failed (see gh-1302)
+    - removed invalid (vulnerable) regex blocking IPs using forign data (from header "from")
+      thus not the IP-address that really originates the request (see gh-1927)
 * filter.d/dovecot.conf:
     - fixed failregex, see gh-1879 (partially cherry-picked from gh-1880)
     - extended to match pam_authenticate failures with "Permission denied" (gh-1897)

config/filter.d/apache-botsearch.conf

@@ -3,7 +3,7 @@
 # This filter is aimed at blocking specific URLs that don't exist. This
 # could be a set of URLs places in a Disallow: directive in robots.txt or
 # just some web services that don't exist caused bots are searching for
-# exploitable content. This filter is designed to have a low false postitive
+# exploitable content. This filter is designed to have a low false positive
 # rate due.
 #
 # An alternative to this is the apache-noscript filter which blocks all
@@ -36,4 +36,4 @@ webroot = /var/www/
 
 # DEV Notes:
 #
-# Author: Daniel Black
+# Author: Daniel Black

config/filter.d/asterisk.conf

@@ -24,7 +24,6 @@ failregex = ^Registration from '[^']*' failed for '<HOST>(:\d+)?' - (?:Wrong pas
             ^Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
             ^(?:Host )?<HOST> (?:failed (?:to authenticate\b|MD5 authentication\b)|tried to authenticate with nonexistent user\b)
             ^No registration for peer '[^']*' \(from <HOST>\)$
-            ^Failed to authenticate (?:user|device) [^@]+@<HOST>\S*$
             ^hacking attempt detected '<HOST>'$
             ^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$
             ^"Rejecting unknown SIP connection from <HOST>"$

fail2ban/tests/files/logs/asterisk

@@ -1,6 +1,4 @@
 # Sample log files for asterisk 
-# failJSON: { "time": "2013-07-25T07:26:43", "match": true , "host": "1.2.3.4" }
-[2013-07-25 07:26:43] NOTICE[26015][C-000006b2] chan_sip.c: Failed to authenticate device 101<sip:101@1.2.3.4>;tag=deadbeef
 # failJSON: { "time": "2012-02-13T17:21:54", "match": true , "host": "1.2.3.4" }
 [2012-02-13 17:21:54] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - Wrong password
 # failJSON: { "time": "2012-02-13T17:18:22", "match": true , "host": "1.2.3.4" }
@@ -19,8 +17,6 @@
 [2012-02-13 17:39:20] NOTICE[1638] chan_iax2.c: No registration for peer 'Fail2ban' (from 1.2.3.4)
 # failJSON: { "time": "2012-02-13T17:44:26", "match": true , "host": "1.2.3.4" }
 [2012-02-13 17:44:26] NOTICE[1638] chan_iax2.c: Host 1.2.3.4 failed MD5 authentication for 'Fail2ban' (e7df7cd2ca07f4f1ab415d457a6e1c13 != 53ac4bc41ee4ec77888ed4aa50677247)
-# failJSON: { "time": "2012-02-13T17:37:07", "match": true , "host": "1.2.3.4" }
-[2012-02-13 17:37:07] NOTICE[1638] chan_sip.c: Failed to authenticate user "Fail2ban" <sip:301@1.2.3.4>;tag=1r698745234
 # failJSON: { "time": "2013-02-05T23:44:42", "match": true , "host": "1.2.3.4" }
 [2013-02-05 23:44:42] NOTICE[436][C-00000fa9] chan_sip.c: Call from '' (1.2.3.4:10836) to extension '0972598285108' rejected because extension not found in context 'default'.
 # failJSON: { "time": "2013-03-26T15:47:54", "match": true , "host": "1.2.3.4" }