Merge branch '0.10' into 0.11

ChangeLog

@@ -74,6 +74,7 @@ ver. 0.10.3-dev-1 (20??/??/??) - development edition
   - amend to gh-1263 with better handling of multiple attempts (failures for different user-names recognized immediatelly);
   - mode `ddos` (and `aggressive`) extended to catch `Connection closed by ... [preauth]`, so in DDOS mode
     it counts failure on closing connection within preauth-stage (gh-2085);
+* `action.d/abuseipdb.conf`: fixed curl cypher errors and comment quote-issue (gh-2044, gh-2101);
 * `action.d/badips.py`: implicit convert IPAddr to str, solves an issue "expected string, IPAddr found" (gh-2059);
 * `action.d/hostsdeny.conf`: fixed IPv6 syntax (enclosed in square brackets, gh-2066);
 * (Free)BSD ipfw actionban fixed to allow same rule added several times (gh-2054);
@@ -81,6 +82,7 @@ ver. 0.10.3-dev-1 (20??/??/??) - development edition
 ### New Features
 
 ### Enhancements
+* `filter.d/apache-auth.conf`: detection of Apache SNI errors resp. misredirect attempts (gh-2017, gh-2097);
 * `filter.d/apache-noscript.conf`: extend failregex to match "Primary script unknown", e. g. from php-fpm (gh-2073);
 * date-detector extended with long epoch (`LEPOCH`) to parse milliseconds/microseconds posix-dates (gh-2029);
 * possibility to specify own regex-pattern to match epoch date-time, e. g. `^\[{EPOCH}\]` or `^\[{LEPOCH}\]` (gh-2038);

config/action.d/abuseipdb.conf

@@ -86,7 +86,7 @@ actioncheck =
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = curl --fail --ciphers ecdhe_ecdsa_aes_256_sha --data 'key=<abuseipdb_apikey>' --data-urlencode 'comment=<matches>' --data 'ip=<ip>' --data 'category=<abuseipdb_category>' "https://www.abuseipdb.com/report/json"
+actionban = lgm=$(printf '%%s\n...' "<matches>"); curl --fail --tlsv1.1 --data "key=<abuseipdb_apikey>" --data-urlencode "comment=$lgm" --data "ip=<ip>" --data "category=<abuseipdb_category>" "https://www.abuseipdb.com/report/json"
 
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the

config/filter.d/apache-auth.conf

@@ -24,6 +24,8 @@ failregex = ^client (?:denied by server configuration|used wrong authentication
             ^%(auth_type)sunknown algorithm `(?:[^']*|.*?)' received\b
             ^invalid qop `(?:[^']*|.*?)' received\b
             ^%(auth_type)sinvalid nonce .*? received - user attempted time travel\b
+            ^Hostname \S+ provided via SNI(?:, but no hostname| and hostname \S+) provided\b
+            ^No hostname was provided via SNI for a name based virtual host\b
 
 ignoreregex = 
 

fail2ban/tests/files/logs/apache-auth

@@ -125,6 +125,15 @@
 # failJSON: { "time": "2013-11-18T22:39:33", "match": true , "host": "91.49.82.139" }
 [Mon Nov 18 22:39:33 2013] [error] [client 91.49.82.139] user gg not found: /, referer: http://sj.hopto.org/management.html
 
+# failJSON: { "time": "2018-03-28T01:31:42", "match": true , "host": "91.49.82.139" }
+[Wed Mar 28 01:31:42.355210 2018] [ssl:error] [pid 6586] [client 91.49.82.139:58028] AH02031: Hostname www.testdom.com provided via SNI, but no hostname provided in HTTP request
+
+# failJSON: { "time": "2018-03-28T01:31:42", "match": true , "host": "91.49.82.139" }
+[Wed Mar 28 01:31:42.355210 2018] [ssl:error] [pid 6586] [client 91.49.82.139:58028] AH02032: Hostname www.testdom.com provided via SNI and hostname dummy.com provided via HTTP have no compatible SSL setup
+
+# failJSON: { "time": "2018-03-28T01:31:42", "match": true , "host": "91.49.82.139" }
+[Wed Mar 28 01:31:42.355210 2018] [ssl:error] [pid 6586] [client 91.49.82.139:58028] AH02033: No hostname was provided via SNI for a name based virtual host
+
 # filterOptions: {"logging": "syslog"}
 
 # failJSON: { "time": "2005-02-15T16:23:00", "match": true , "host": "192.0.2.1", "desc": "using syslog (ErrorLog syslog)" }