diff --git a/ChangeLog b/ChangeLog
index 5bd6c74e..b63552af 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -74,6 +74,7 @@ ver. 0.10.3-dev-1 (20??/??/??) - development edition
 - amend to gh-1263 with better handling of multiple attempts (failures for different user-names recognized immediatelly);
 - mode `ddos` (and `aggressive`) extended to catch `Connection closed by ... [preauth]`, so in DDOS mode it counts failure on closing connection within preauth-stage (gh-2085);
+* `action.d/abuseipdb.conf`: fixed curl cypher errors and comment quote-issue (gh-2044, gh-2101);
 * `action.d/badips.py`: implicit convert IPAddr to str, solves an issue "expected string, IPAddr found" (gh-2059);
 * `action.d/hostsdeny.conf`: fixed IPv6 syntax (enclosed in square brackets, gh-2066);
 * (Free)BSD ipfw actionban fixed to allow same rule added several times (gh-2054);
@@ -81,6 +82,7 @@ ver. 0.10.3-dev-1 (20??/??/??) - development edition
 ### New Features
 ### Enhancements
+* `filter.d/apache-auth.conf`: detection of Apache SNI errors resp. misredirect attempts (gh-2017, gh-2097);
 * `filter.d/apache-noscript.conf`: extend failregex to match "Primary script unknown", e. g. from php-fpm (gh-2073);
 * date-detector extended with long epoch (`LEPOCH`) to parse milliseconds/microseconds posix-dates (gh-2029);
 * possibility to specify own regex-pattern to match epoch date-time, e. g. `^\[{EPOCH}\]` or `^\[{LEPOCH}\]` (gh-2038);
diff --git a/config/action.d/abuseipdb.conf b/config/action.d/abuseipdb.conf
index 15e41fbe..279c299e 100644
--- a/config/action.d/abuseipdb.conf
+++ b/config/action.d/abuseipdb.conf
@@ -86,7 +86,7 @@ actioncheck =
 # Tags: See jail.conf(5) man page
 # Values: CMD
 #
-actionban = curl --fail --ciphers ecdhe_ecdsa_aes_256_sha --data 'key=' --data-urlencode 'comment=' --data 'ip=' --data 'category=' "https://www.abuseipdb.com/report/json"
+actionban = lgm=$(printf '%%s\n...' ""); curl --fail --tlsv1.1 --data "key=" --data-urlencode "comment=$lgm" --data "ip=" --data "category=" "https://www.abuseipdb.com/report/json"
 # Option: actionunban
 # Notes.: command executed when unbanning an IP. Take care that the
diff --git a/config/filter.d/apache-auth.conf b/config/filter.d/apache-auth.conf
index f2d5f793..6b2499a2 100644
--- a/config/filter.d/apache-auth.conf
+++ b/config/filter.d/apache-auth.conf
@@ -24,6 +24,8 @@ failregex = ^client (?:denied by server configuration|used wrong authentication
 ^%(auth_type)sunknown algorithm `(?:[^']*|.*?)' received\b
 ^invalid qop `(?:[^']*|.*?)' received\b
 ^%(auth_type)sinvalid nonce .*? received - user attempted time travel\b
+ ^Hostname \S+ provided via SNI(?:, but no hostname| and hostname \S+) provided\b
+ ^No hostname was provided via SNI for a name based virtual host\b
 ignoreregex =
diff --git a/fail2ban/tests/files/logs/apache-auth b/fail2ban/tests/files/logs/apache-auth
index d430e291..93040b1d 100644
--- a/fail2ban/tests/files/logs/apache-auth
+++ b/fail2ban/tests/files/logs/apache-auth
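Review bot: `--tlsv1.1` on the new actionban line is only a floor (curl reads it as "TLS 1.1 or later"), so a handshake negotiated down to the deprecated TLS 1.1 is still accepted for a request that carries the API key; `--tlsv1.2` is the floor to use, i.e. `curl --fail --tlsv1.2 --data "key=..." ...`. Dropping the NSS-only `--ciphers ecdhe_ecdsa_aes_256_sha` is the right fix for the cipher error on OpenSSL-built curl, so the protocol floor is the only TLS constraint left and should be a current one. The `printf '%%s\n...'` format appends `...` to every comment unconditionally; if a truncating precision such as `%%.1000s` was intended, as the trailing dots suggest, it is missing here (possibly lost in rendering, since the `<...>` tag placeholders in this hunk also appear stripped). Whatever the stripped placeholder inside the `""` passed to printf is, it is still interpolated into the shell line by fail2ban before execution, so the quoting fix only holds if that tag is one fail2ban escapes — presumably `<matches>`, worth confirming.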
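Review bot: The two new SNI patterns match Apache's AH02031–AH02033 messages (see the samples added under tests/files/logs), which can also be produced by clients that simply do not send SNI or a Host header — legacy TLS stacks, HTTP/1.0 requests, monitoring probes hitting the IP directly — so they are noisier than the authentication failures above them; a comment should say so, e.g. `# SNI/Host mismatch (AH02031-AH02033): also logged for legacy non-SNI clients and IP-based probes, not only misredirect attempts`. Both regexes start at `^Hostname`/`^No hostname`, so they rely on the filter's prefix handling, which is outside this hunk, to strip `[ssl:error] [pid N] [client IP:port] AHnnnnn: ` before matching; the added test samples carry that prefix, which is what exercises it. The `failregex` definition itself starts before this hunk.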
@@ -125,6 +125,15 @@
 # failJSON: { "time": "2013-11-18T22:39:33", "match": true , "host": "91.49.82.139" }
 [Mon Nov 18 22:39:33 2013] [error] [client 91.49.82.139] user gg not found: /, referer: http://sj.hopto.org/management.html
+# failJSON: { "time": "2018-03-28T01:31:42", "match": true , "host": "91.49.82.139" }
+[Wed Mar 28 01:31:42.355210 2018] [ssl:error] [pid 6586] [client 91.49.82.139:58028] AH02031: Hostname www.testdom.com provided via SNI, but no hostname provided in HTTP request
+
+# failJSON: { "time": "2018-03-28T01:31:42", "match": true , "host": "91.49.82.139" }
+[Wed Mar 28 01:31:42.355210 2018] [ssl:error] [pid 6586] [client 91.49.82.139:58028] AH02032: Hostname www.testdom.com provided via SNI and hostname dummy.com provided via HTTP have no compatible SSL setup
+
+# failJSON: { "time": "2018-03-28T01:31:42", "match": true , "host": "91.49.82.139" }
+[Wed Mar 28 01:31:42.355210 2018] [ssl:error] [pid 6586] [client 91.49.82.139:58028] AH02033: No hostname was provided via SNI for a name based virtual host
+
 # filterOptions: {"logging": "syslog"}
 # failJSON: { "time": "2005-02-15T16:23:00", "match": true , "host": "192.0.2.1", "desc": "using syslog (ErrorLog syslog)" }