DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page

pull/409/head
Daniel Black 2013-10-31 00:02:59 +11:00
parent de9977441a
commit 89fd792dfb
43 changed files with 281 additions and 518 deletions


@ -1,18 +1,18 @@
# Fail2Ban configuration file
# Fail2Ban filter for 3proxy
#
# Author: Daniel Black
#
# Requested by ykimon in https://github.com/fail2ban/fail2ban/issues/246
#
[Definition]
# Option: failregex
# Notes.: http://www.3proxy.ru/howtoe.asp#ERRORS indicates that 01-09 are
# all authentication problems (%E field)
# Log format is: "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
# Values: TEXT
#
failregex = ^\s[+-]\d{4} \S+ \d{3}0[1-9] \S+ <HOST>:\d+ [\d.]+:\d+ \d+ \d+ \d+\s
ignoreregex =
# DEV Notes:
# http://www.3proxy.ru/howtoe.asp#ERRORS indicates that 01-09 are
# all authentication problems (%E field)
# Log format is: "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
#
# Requested by ykimon in https://github.com/fail2ban/fail2ban/issues/246
# Author: Daniel Black


@ -1,17 +1,33 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# Fail2Ban apache-auth filter
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
# apache-common.local
before = apache-common.conf
[Definition]
failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*\s*$
^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$
^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$
^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*\s*$
^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$
^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*' in realm `.+' (not found|denied by provider): \S*\s*$
^%(_apache_error_client)s (AH01631: )?user .*: authorization failure for "\S*":\s*$
^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+\s*$
^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*' but expected `.+'\s*$
^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*' received: \S*\s*$
^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*$
^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .* received - user attempted time travel\s*$
ignoreregex =
# DEV Notes:
#
# This filter matches the authorization failures of Apache. It takes the log messages
# from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or
# HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR.
@ -34,23 +50,5 @@ before = apache-common.conf
# ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$
# ^%(_apache_error_client)s (AH02486: )?realm mismatch - got `.*' but no realm specified\s*$
#
failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*\s*$
^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$
^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$
^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*\s*$
^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$
^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*' in realm `.+' (not found|denied by provider): \S*\s*$
^%(_apache_error_client)s (AH01631: )?user .*: authorization failure for "\S*":\s*$
^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+\s*$
^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*' but expected `.+'\s*$
^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*' received: \S*\s*$
^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*$
^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .* received - user attempted time travel\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Cyril Jaquier
# Major edits by Daniel Black
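Review bot: The only description of what this filter catches — the three DEV Notes lines beginning `This filter matches the authorization failures of Apache` — is exactly the user-facing summary, and it now sits at the bottom of the file while the header above only says `Fail2Ban apache-auth filter`. I would keep a one-line version in the header, e.g. `# Fail2Ban filter to ban clients that fail Apache authentication or authorization (mod_auth*, mod_authz*)`, and leave the return-code detail (HTTP_UNAUTHORIZED vs AUTH_GENERAL_ERROR) in DEV Notes. The failregex block and the [INCLUDES] header belong to the first hunk of this section; this hunk is the tail of the file.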


@ -1,27 +1,21 @@
# Fail2Ban configuration file
#
# List of bad bots fetched from http://www.user-agents.org
# Generated on Sun Feb 11 01:09:15 EST 2007 by ./badbots.sh
#
# Author: Yaroslav Halchenko
#
#
# Regexp to catch known spambots and software alike. Please verify
# that it is your intent to block IPs which were driven by
# above mentioned bots.
[Definition]
badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider
badbots = atSpider/1\.0|autoemailspider|China Local Browse 2\.6|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|MVAClient|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|sogou spider|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|WebVulnCrawl\.blogspot\.com/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00
# Option: failregex
# Notes.: Regexp to catch known spambots and software alike. Please verify
# that it is your intent to block IPs which were driven by
# above mentioned bots.
# Values: TEXT
#
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# DEV Notes:
# List of bad bots fetched from http://www.user-agents.org
# Generated on Sun Feb 11 01:09:15 EST 2007 by ./badbots.sh
#
# Author: Yaroslav Halchenko
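Review bot: The bot list carries `Generated on Sun Feb 11 01:09:15 EST 2007 by ./badbots.sh`, and the new DEV Notes keep that date without saying how to refresh it; a User-Agent blocklist this old mostly misses current scrapers while still banning on strings such as `sogou spider`. I would add under DEV Notes `# Regenerate with ./badbots.sh and re-run the filter testcases; entries are matched literally against the User-Agent field of the access log, so regex metacharacters must stay escaped`, and say in the user section above that `badbotscustom` is the intended place for local additions. Whether `badbots.sh` still ships with the project is not visible in this diff.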


@ -1,21 +1,20 @@
# Generic configuration items (to be used as interpolations) in other
# apache filters
#
# Author: Yaroslav Halchenko
#
#
# apache filters.
[INCLUDES]
# Load customizations if any available
after = apache-common.local
[DEFAULT]
_apache_error_client = \[[^]]*\] \[(error|\S+:\S+)\]( \[pid \d+:\S+ \d+\])? \[client <HOST>(:\d{1,5})?\]
# Common prefix for [error] apache messages which also would include <HOST>
# Depending on the version it could be
# 2.2: [Sat Jun 01 11:23:08 2013] [error] [client 1.2.3.4]
# 2.4: [Thu Jun 27 11:55:44.569531 2013] [core:info] [pid 4101:tid 2992634688] [client 1.2.3.4:46652]
#
# Reference: https://github.com/fail2ban/fail2ban/issues/268
_apache_error_client = \[[^]]*\] \[(error|\S+:\S+)\]( \[pid \d+:\S+ \d+\])? \[client <HOST>(:\d{1,5})?\]
#
# Author: Yaroslav Halchenko
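Review bot: The 2.4 example `[client 1.2.3.4:46652]` and the suffix `<HOST>(:\d{1,5})?` assume an IPv4 client; the `<HOST>` alias quoted elsewhere in this change (`(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`) admits no colons, so a 2.4 line with an IPv6 client address will not match the prefix at all. Whether fail2ban as a whole handles IPv6 at this point is outside the diff, but the limitation belongs in the user comment above the prefix: `# Note: the client address is expected to be IPv4; IPv6 clients in 2.4 logs are not matched`. The comment block and the `_apache_error_client` line are both inside this hunk.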


@ -1,28 +1,20 @@
# Fail2Ban configuration file
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# Fail2Ban filter to web requests for home directories on Apache servers
#
# Regex to match failures to find a home directory on a server, which
# became popular last days. Most often attacker just uses IP instead of
# domain name -- so expect to see them in generic error.log if you have
# per-domain log files.
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
# overwrite with apache-common.local if _apache_error_client is incorrect.
before = apache-common.conf
[Definition]
# Option: failregex
# Notes.: regex to match failures to find a home directory on a server, which
# became popular last days. Most often attacker just uses IP instead of
# domain name -- so expect to see them in generic error.log if you have
# per-domain log files.
# Values: TEXT
#
failregex = ^%(_apache_error_client)s (AH00128: )?File does not exist: .*/~.*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
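Review bot: The header text `which became popular last days` is relative to when it was written and reads as stale immediately, and since this is now the user-facing description it should state a fact: `# Regex to match failed requests for user home directories (/~user), a common probe for valid accounts on the server.` The note that attackers usually use the bare IP, so the hits land in the generic error.log rather than per-vhost logs, is useful to administrators and should stay where it is. The failregex line itself is unchanged by this hunk.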


@ -1,29 +1,18 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Fail2Ban filter to block web requests for scripts (on non scripted websites)
#
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
# overwrite with apache-common.local if _apache_error_client is incorrect.
before = apache-common.conf
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$
^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Cyril Jaquier
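Review bot: The parenthetical `(on non scripted websites)` in the header is the only warning that this filter is unsafe on a site that really serves `.php`/`.asp`/`.pl` pages — any visitor following a dead link to such a path produces `File does not exist: /...php` and is banned. As this is the user-facing part of the file I would spell it out: `# WARNING: enable only on sites that serve no scripts at all; every 404 for a .php/.asp/.exe/.pl path is treated as an attack and bans the client.` The removed Option/Notes paragraph about the <HOST> alias was generic and is fine to drop here.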


@ -1,25 +1,15 @@
# Fail2Ban configuration file
#
# Author: Tim Connors
#
# Fail2Ban filter to block web requests on a long or suspicious nature
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
# overwrite with apache-common.local if _apache_error_client is incorrect.
before = apache-common.conf
[Definition]
# Option: failregex
# Notes.: Regexp to catch Apache overflow attempts.
# Values: TEXT
#
failregex = ^%(_apache_error_client)s (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string)
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Tim Connors
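Review bot: The header `Fail2Ban filter to block web requests on a long or suspicious nature` should read `of a long or suspicious nature`, or more plainly `# Fail2Ban filter for overlong or malformed HTTP requests (Apache core errors)`. A short comment naming which Apache checks produce the three messages (`Invalid method/URI in request`, `request failed: URI too long`, `erroneous characters after protocol string`) would also help a reader decide whether the jail fits their site, since the old Option/Notes line that described them has been removed.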


@ -1,33 +1,24 @@
# Fail2Ban configuration file
# for Anti-Spam SMTP Proxy Server also known as ASSP
# Fail2Ban filter for Anti-Spam SMTP Proxy Server also known as ASSP
#
# Honmepage: http://www.magicvillage.de/~Fritz_Borgstedt/assp/0003D91C-8000001C/
# ProjektSite: http://sourceforge.net/projects/assp/?source=directory
#
# Author: Enrico Labedzki (enrico.labedzki@deiwos.de)
#
[Definition]
# Option: failregex
# Notes.: regex to match the SMTP failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# Examples: Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
# Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
# Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded
__assp_actions = (?:dropping|refusing)
failregex = ^(:? \[SSL-out\])? <HOST> max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: \w+;$
^(?: \[SSL-out\])? <HOST> SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$
^ Blocking <HOST> - too much AUTH errors \(\d{,3}\);$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# DEV Notes:
#
# Examples: Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
# Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
# Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded
#
# Author: Enrico Labedzki (enrico.labedzki@deiwos.de)
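Review bot: The first failregex opens with `^(:? \[SSL-out\])?`, a typo for the non-capturing `(?:` used on the next line; as written it is a capturing group matching an optional `:` followed by ` [SSL-out]`. It still happens to match the real lines, but it adds a capture group and invites copying the wrong form, so make it `^(?: \[SSL-out\])? <HOST> max sender authentication errors ...` like line two. In the same regex `\d{1}\.\d{1}.\d{1}` has an unescaped `.` in the middle that should be `\.` like its neighbours, and the third DEV Notes example (`... max sender authentication errors (5) exceeded`) stops before the `-- dropping connection - after reply: ...` tail the regex requires, so the example as quoted would not match; extending it to a full log line would make the examples usable as test input.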


@ -1,22 +1,11 @@
# Fail2Ban configuration file
# Fail2Ban filter for asterisk authentication failures
#
# Author: Xavier Devlamynck
#
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
__pid_re = (?:\[\d+\])
# All Asterisk log messages begin like this:
log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*
failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$
@ -34,10 +23,7 @@ failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?'
^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Xavier Devlamynck
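Review bot: In `Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=...` the banned address is taken from the host part of a SIP URI rather than from a transport field, unlike the other lines where <HOST> follows `failed for '` or `RemoteAddress="IPV[46]/.../`. If that URI is echoed from the request's From header — which is how I read the message, but it should be confirmed against Asterisk's chan_sip — a remote client can set it freely and get an arbitrary third-party address banned. That deserves a comment next to the line, e.g. `# NOTE: the host in the SIP URI is supplied by the client; prefer the SecurityEvent line (RemoteAddress) where Asterisk emits it`, and possibly a jail-level caveat. The failregex block starts in the first hunk of this section.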


@ -1,9 +1,6 @@
# Generic configuration items (to be used as interpolations) in other
# filters or actions configurations
#
# Author: Yaroslav Halchenko
#
#
[INCLUDES]
@ -49,7 +46,6 @@ __md5hex = (?:[\da-f]{2}:){15}[\da-f]{2}
# <auth.info> appearing before the host as per testcases/files/logs/bsd/*.
__bsd_syslog_verbose = (<[^.]+\.[^.]+>)
#
# Common line prefixes (beginnings) which could be used in filters
#
# [bsdverbose]? [hostname] [vserver tag] daemon_id spaces
@ -57,3 +53,4 @@ __bsd_syslog_verbose = (<[^.]+\.[^.]+>)
# This can be optional (for instance if we match named native log files)
__prefix_line = \s*%(__bsd_syslog_verbose)s?\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s%(__daemon_extra_re)s?\s*
# Author: Yaroslav Halchenko


@ -1,8 +1,4 @@
# Fail2Ban configuration file
#
# Author: Christoph Haas
# Modified by: Cyril Jaquier
#
# Fail2Ban filter for courier authentication failures
#
[INCLUDES]
@ -11,22 +7,13 @@
# common.local
before = common.conf
[Definition]
_daemon = (?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)?
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)sLOGIN FAILED, user=.*, ip=\[<HOST>\]$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Christoph Haas
# Modified by: Cyril Jaquier


@ -1,6 +1,4 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Fail2Ban filter to block relay attempts though a Courier smtp server
#
#
@ -10,22 +8,12 @@
# common.local
before = common.conf
[Definition]
_daemon = courieresmtpd
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)serror,relay=<HOST>,.*: 550 User unknown\.$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Cyril Jaquier
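Review bot: The header `Fail2Ban filter to block relay attempts though a Courier smtp server` has `though` for `through`; since this line is now the whole user-facing description I would also name what is actually matched: `# Fail2Ban filter for Courier ESMTP "550 User unknown" relay/recipient rejections`. The failregex itself (`error,relay=<HOST>,.*: 550 User unknown\.$`) is unchanged by this hunk.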


@ -1,6 +1,5 @@
# Fail2Ban configuration file
# Fail2Ban filter for authentication failures on Cyrus imap server
#
# Author: Jan Wagner <waja@cyconet.org>
#
#
@ -10,22 +9,12 @@
# common.local
before = common.conf
[Definition]
_daemon = (?:cyrus/)?(?:imapd?|pop3d?)
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ .*?\[?SASL\(-13\): authentication failure: .*\]?$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Jan Wagner <waja@cyconet.org>


@ -1,7 +1,5 @@
# Fail2Ban configuration file for dovecot
# Fail2Ban filter Dovecot authentication and pop3/imap server
#
# Author: Martin Waschbuesch
# Daniel Black (rewrote with begin and end anchors)
[INCLUDES]
@ -10,17 +8,16 @@ before = common.conf
[Definition]
_daemon = (auth|dovecot(-auth)?|auth-worker)
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# first regex is essentially a copy of pam-generic.conf
# Values: TEXT
#
failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use disabled \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly
#
# Author: Martin Waschbuesch
# Daniel Black (rewrote with begin and end anchors)
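Review bot: `* Probably doesn't do dovecot sql/ldap backends properly` is a caveat for the administrator choosing this filter, not a developer note, yet it now lives at the bottom under DEV Notes while the header only says `Dovecot authentication and pop3/imap server`. I would move it up as `# NOTE: written against PAM-based auth; failures reported by SQL/LDAP passdb backends may not be matched` and keep only the pam-generic copy remark in DEV Notes. The backend claim is carried over from the original text; nothing in the visible regexes lets me confirm or refute it.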


@ -1,17 +1,18 @@
# Fail2Ban configuration file for exim
#
# Author: Daniel Black
# Fail2Ban filter file for common exim expressions
#
# This is to be used by other exim filters
[INCLUDES]
# Load customizations if any available
#
after = exim-common.local
[Definition]
# From exim source code: ./src/receive.c:add_host_info_for_log
host_info = H=([\w.-]+ )?(\(\S+\) )?\[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?(U=\S+ )?(P=e?smtp )?
pid = ( \[\d+\])?
# DEV Notes:
# From exim source code: ./src/receive.c:add_host_info_for_log
#
# Author: Daniel Black


@ -1,9 +1,5 @@
# Fail2Ban configuration file
# Fail2Ban filter for exim the spam rejection messages
#
# Author: Cyril Jaquier
# Daniel Black (rewrote with strong regexs)
#
[INCLUDES]
@ -11,19 +7,16 @@
# exim-common.local
before = exim-common.conf
[Definition]
# Option: failregex
# Notes.: This includes the spam rejection messages of exim.
# Note the %(host_info) defination contains a <HOST> match
failregex = ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$
^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: .*dnsbl.*\s*$
^%(pid)s \S+ %(host_info)sF=(<>|[^@]+@\S+) rejected after DATA: This message contains a virus \(\S+\)\.\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# DEV Notes:
# The %(host_info) defination contains a <HOST> match
#
# Author: Cyril Jaquier
# Daniel Black (rewrote with strong regexs)


@ -1,7 +1,7 @@
# Fail2Ban configuration file
# Fail2Ban filter for exim
#
# Author: Cyril Jaquier
# Daniel Black (rewrote with strong regexs)
# This includes the rejection messages of exim. For spam and filter
# related bans use the exim-spam.conf
#
@ -11,22 +11,18 @@
# exim-common.local
before = exim-common.conf
[Definition]
# Option: failregex
# Notes.: This includes the rejection messages of exim. For spam and filter
# related bans use the exim-spam.conf
# Note the %(host_info) defination contains a <HOST> match
failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
^%(pid)s (plain|login) authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
^%(pid)s SMTP protocol synchronization error \(.*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# DEV Notes:
# The %(host_info) defination contains a <HOST> match
#
# Author: Cyril Jaquier
# Daniel Black (rewrote with strong regexs)
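Review bot: The synchronization-error line uses a greedy `\(.*\)` ahead of `: rejected (connection from|"\S+") %(host_info)s`, and the same line ends in `input=".*"`; if exim reproduces the client's bytes there, as the field name suggests, that text is attacker-supplied and can contain `): rejected connection from H=x [10.0.0.1] input="`. Because the leading `.*` is greedy the engine prefers the later, forged `)`, binding <HOST> to an address the client chose and getting a third party banned. As far as I know the exim description in that position never contains a parenthesis, so `SMTP protocol synchronization error \([^)]*\): rejected ...` removes the ambiguity, and bounding the trailing field the way exim-spam does with `.{0,256}` would be a sensible second step. Please verify against exim's actual message text, which is not in the diff.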


@ -1,7 +1,4 @@
# Fail2Ban configuration file for gssftp
#
# Author: Kevin Zembower
# Edited: Daniel Black - syslog based daemon
# Fail2Ban filter file for gssftp
#
# Note: gssftp is part of the krb5-appl-servers in Fedora
#
@ -16,3 +13,6 @@ _daemon = ftpd
failregex = ^%(__prefix_line)srepeated login failures from <HOST> \(\S+\)$
ignoreregex =
# Author: Kevin Zembower
# Edited: Daniel Black - syslog based daemon


@ -1,18 +1,10 @@
# Fail2Ban configuration file
#
# Author: Francois Boulogne <fboulogne@april.org>
# Fail2Ban filter to match wrong passwords as notified by lighttpd's auth Module
#
[Definition]
# Option: failregex
# Notes.: regex to match wrong passwords as notified by lighttpd's auth Module
# Values: TEXT
#
failregex = ^: \(http_auth\.c\.\d+\) (password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: <HOST>\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Francois Boulogne <fboulogne@april.org>


@ -1,7 +1,5 @@
# Fail2Ban configuration file for unsuccesfull MySQL authentication attempts
# Fail2Ban filter for unsuccesfull MySQL authentication attempts
#
# Authors: Artur Penttinen
# Yaroslav O. Halchenko
#
# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld]:
# log-error=/var/log/mysqld.log
@ -15,23 +13,20 @@
# common.local
before = common.conf
[Definition]
_daemon = mysqld
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
# 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
#
failregex = ^%(__prefix_line)s(\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[Warning\] Access denied for user '\w+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# DEV Notes:
#
# Technically __prefix_line can equate to an empty string hence it can support
# syslog and non-syslog at once.
# Example:
# 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
#
# Authors: Artur Penttinen
# Yaroslav O. Halchenko
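Review bot: `Access denied for user '\w+'@'<HOST>'` only recognises user names made of `[A-Za-z0-9_]`, so a failed login for a name containing `-`, `.` or `@` is silently not matched and never counted; the example `'root'@'127.0.0.1'` in the comments does not exercise that. If any quoted name is intended, `'[^']*'@'<HOST>'` accepts it while still stopping at the closing quote, which keeps <HOST> bound to the address MySQL wrote rather than to anything inside the name. Either way the accepted character set should be stated in a comment above the regex, since the Option/Notes text that used to introduce it has been removed.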


@ -1,13 +1,12 @@
# Fail2Ban configuration file for named (bind9). Trying to generalize the
# structure which is general to capture general patterns in log
# lines to cover different configurations/distributions
# Fail2Ban filter file for named (bind9).
#
# Author: Yaroslav Halchenko
# This filter blocks attacks against named (bind9) however it requires special
# configuration on bind.
#
# This filter blocks attacks against named (bind9).
# By default, logging is off with bind9 installation.
#
# By default, logging is off
# with bind9 installation. You will need something like this:
# You will need something like this in your named.conf to provide proper logging.
#
# logging {
# channel security_file {
@ -19,29 +18,31 @@
# security_file;
# };
# };
#
# in your named.conf to provide proper logging.
[Definition]
#
# Daemon name
_daemon=named
#
# Shortcuts for easier comprehension of the failregex
__pid_re=(?:\[\d+\])
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
# hostname daemon_id spaces
# this can be optional (for instance if we match named native log files)
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
# note - (\.\d+)? is a really ugly catch of the microseconds not captured in
# in the date detector
#
failregex = ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$
^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
# DEV Notes:
# Trying to generalize the
# structure which is general to capture general patterns in log
# lines to cover different configurations/distributions
#
# (\.\d+)? is a really ugly catch of the microseconds not captured in the date detector
#
# Author: Yaroslav Halchenko
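Review bot: The user section explains how to enable bind's security logging but omits the caveat that matters most for a ban filter: DNS queries normally arrive over UDP, where the source address can be forged, so `query ... denied` lines can be provoked with a spoofed source and the resulting ban hits whoever the attacker named. A line such as `# WARNING: over UDP the client address can be spoofed; banning on query-denied lines can be abused to block arbitrary hosts` belongs next to the logging instructions. The DEV note `Trying to generalize the structure which is general to capture general patterns` also reads awkwardly; `The line prefix is kept generic so the regexes cover the log layouts of different distributions` says the same thing.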


@ -1,35 +1,29 @@
# Fail2Ban configuration file for generic PAM authentication errors
#
# Author: Yaroslav Halchenko
#
#
[INCLUDES]
before = common.conf
[Definition]
# if you want to catch only login erros from specific daemons, use smth like
# if you want to catch only login errors from specific daemons, use something like
#_ttys_re=(?:ssh|pure-ftpd|ftp)
# To catch all failed logins
#
# Default: catch all failed logins
_ttys_re=\S*
__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
_daemon = \S+
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
# for linux-pam before 0.99.2.0 (late 2005)
ignoreregex =
# DEV Notes:
#
# for linux-pam before 0.99.2.0 (late 2005) (removed before 0.8.11 release)
# _daemon = \S*\(?pam_unix\)?
# failregex = ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Yaroslav Halchenko


@ -1,6 +1,4 @@
# Fail2Ban configuration file
#
# Author: Christophe Carles and Daniel Black
# Fail2Ban filter for perdition
#
#
@ -14,3 +12,7 @@ _daemon=perdition.\S+
failregex = ^%(__prefix_line)sAuth: <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+ client-secure=\S+ authorisation_id=NONE authentication_id=".+" server="\S+" protocol=\S+ server-secure=\S+ status="failed: (local authentication failure|Re-Authentication Failure)"$
^%(__prefix_line)sFatal Error reading authentication information from client <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+: Exiting child$
ignoreregex =
# Author: Christophe Carles and Daniel Black


@ -1,23 +1,20 @@
# Fail2Ban configuration file
# Fail2Ban filter for URLs with a URL as a script parameters
# which can be an indication of a fopen url php injection
#
# Example of web requests in Apache access log:
# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
ignoreregex =
# DEV Notes:
#
# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
# Version 2
# fixes the failregex so REFERERS that contain =http:// don't get blocked
# (mentioned by "fasuto" (no real email provided... blog comment) in this entry:
# http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489
#
[Definition]
# Option: failregex
# Notes.: regex to match this kind of request:
#
# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
#
failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
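Review bot: The regex only looks for `\=http\:\/\/`, so the same remote-include probe with an `https://` or `ftp://` payload passes unmatched even though the header describes URLs passed as script parameters in general; `\=(?:https?|ftp)\:\/\/` covers the common variants without widening the match further. The pattern also chains four unanchored `.*` spans across one access-log line, which may be slow on long lines and is worth a sentence under DEV Notes. The example request in the header (`/index.php?n=http://...`) would still match after that change.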


@ -1,7 +1,4 @@
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# Fail2Ban filter for postfix authentication failures
#
[INCLUDES]
@ -14,3 +11,4 @@ _daemon = postfix/smtpd
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
# Author: Yaroslav Halchenko


@ -1,6 +1,4 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Fail2Ban filter for selected Postfix SMTP rejections
#
#
@ -10,24 +8,14 @@
# common.local
before = common.conf
[Definition]
_daemon = postfix/smtpd
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Cyril Jaquier
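Review bot: The second failregex, `450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$`, only matches when the HELO name, sender and recipient are all empty, whereas Postfix reject lines normally carry each of them inside `<...>`; as written this line looks like it never fires on a real log, which should be checked against a current Postfix sample (not in the diff). If the intent is to ban on any unresolvable HELO, `450 4\.7\.1 (<[^>]*>)?: Helo command rejected: Host not found; from=<[^>]*> to=<[^>]*> proto=E?SMTP helo=<[^>]*>\s*$` keeps <HOST> anchored to the `[addr]` field while accepting the variable parts. The removed Option/Notes block was the only comment the three regexes had; a one-line comment naming what each catches would replace it.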


@ -1,7 +1,4 @@
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
# Daniel Black - hardening of regex
# Fail2Ban fitler for the Proftpd FTP daemon
#
[INCLUDES]
@ -20,3 +17,6 @@ failregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .*: no
^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$
ignoreregex =
# Author: Yaroslav Halchenko
# Daniel Black - hardening of regex
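Review bot: The new header `Fail2Ban fitler for the Proftpd FTP daemon` has `fitler` for `filter`; I would write `# Fail2Ban filter for ProFTPD login failures and "Maximum login attempts" lockouts` so the user-facing line also says what is matched. The failregex lines are otherwise unchanged and the first of them starts outside this hunk's context.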


@ -1,7 +1,5 @@
# Fail2Ban configuration file
# Fail2Ban filter for pureftp
#
# Author: Cyril Jaquier
# Modified: Yaroslav Halchenko for pure-ftpd
#
#
[INCLUDES]
@ -13,22 +11,9 @@ before = common.conf
# Error message specified in multiple languages
__errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)
#
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
#
_daemon = pure-ftpd
failregex = ^%(__prefix_line)s\(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Cyril Jaquier
# Modified: Yaroslav Halchenko for pure-ftpd


@ -1,8 +1,11 @@
# Fail2Ban configuration file
# Fail2Ban filters for qmail RBL patches/fake proxies
#
# Author: Daniel Black
# the default djb RBL implementation doesn't log any rejections
# so is useless with this filter.
#
# One patch is here:
#
# http://www.tjsi.com/rblsmtpd/faq/ patch to rblsmtpd
[INCLUDES]
@ -12,11 +15,17 @@ before = common.conf
_daemon = (?:qmail|rblsmtpd)
#
# These seem to be for two or 3 different patches to qmail or rblsmtpd
# so you'll probably only ever see one of these.
failregex = ^%(__prefix_line)s\d+\.\d+ rblsmtpd: <HOST> pid \d+ \S+ 4\d\d \S+\s*$
^%(__prefix_line)s\d+\.\d+ qmail-smtpd: 4\d\d badiprbl: ip <HOST> rbl: \S+\s*$
^%(__prefix_line)s\S+ blocked <HOST> \S+ -\s*$
ignoreregex =
# DEV Notes:
#
# These seem to be for two or 3 different patches to qmail or rblsmtpd
# so you'll probably only ever see one of these regex's that match.
#
# ref: https://github.com/fail2ban/fail2ban/pull/386
#
# Author: Daniel Black


@ -1,9 +1,8 @@
# Fail2Ban configuration file
# Fail2Ban filter for repeat bans
#
# Author: Tom Hendrikx, modifications by Amir Caspi
#
# This filter monitors the fail2ban log file, and enables you to add long
# time bans for ip addresses that get banned by fail2ban multiple times.
#
# Reasons to use this: block very persistent attackers for a longer time,
# stop receiving email notifications about the same attacker over and
# over again.
@ -13,8 +12,6 @@
# drawbacks, namely in that it works only with iptables, or if you use a
# different blocking mechanism for this jail versus others (e.g. hostsdeny
# for most jails, and shorewall for this one).
#
[INCLUDES]
@ -26,10 +23,10 @@ before = common.conf
_daemon = fail2ban\.actions
# The name of the jail that this filter is used for. In jail.conf, name the
# jail using this filter 'recidive', or change this line!
_jailname = recidive
failregex = ^(%(__prefix_line)s|,\d{3} fail2ban.actions:\s+)WARNING\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
# Author: Tom Hendrikx, modifications by Amir Caspi


@ -1,6 +1,5 @@
# Fail2Ban configuration file for roundcube web server
#
# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge
#
#
@ -10,17 +9,8 @@ before = common.conf
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^\s*(\[(\s[+-][0-9]{4})?\])?(%(__hostname)s roundcube: IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. AUTHENTICATE .*)?\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge


@ -1,7 +1,5 @@
# Fail2Ban configuration file for generic SELinux audit messages
#
# Author: Daniel Black
#
# This file is not intended to be used directly, and should be included into a
# filter file which would define following variables. See selinux-ssh.conf as
# and example.
@ -13,9 +11,11 @@
# _msg
#
# Also one of these variables must include <HOST>.
#
[Definition]
failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$
ignoreregex =
# Author: Daniel Black


@ -1,11 +1,6 @@
# Fail2Ban configuration file for SELinux ssh authentication errors
#
# Author: Daniel Black
#
#
# Note: USER_LOGIN is ignored as this is the duplicate messsage
# ssh logs after 3 USER_AUTH failures.
#
[INCLUDES]
after = selinux-common.conf
@ -22,3 +17,9 @@ _terminal = ssh
_msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr=<HOST> terminal=%(_terminal)s res=failed
# DEV Notes:
#
# Note: USER_LOGIN is ignored as this is the duplicate messsage
# ssh logs after 3 USER_AUTH failures.
#
# Author: Daniel Black
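Review bot: The DEV note relocated in the second hunk carries over the typo `messsage`; the two lines should read `# Note: USER_LOGIN is ignored as this is the duplicate message` and `# ssh logs after 3 USER_AUTH failures.`. Since the commit is already rewriting this trailer, the fix belongs in the same change.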


@ -1,7 +1,4 @@
# Fail2Ban configuration file
#
# Author: Jan Wagner <waja@cyconet.org>
#
# Fail2Ban filter for sieve authentication failures
#
[INCLUDES]
@ -10,21 +7,12 @@
# common.local
before = common.conf
[Definition]
_deamon = (?:cyrus/)?(?:tim)?sieved?
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching.
# Values: TEXT
#
failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ authentication failure$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Jan Wagner <waja@cyconet.org>
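Review bot: The context line `_deamon = (?:cyrus/)?(?:tim)?sieved?` in the second hunk appears to misname the variable; every other filter in this commit (postfix, sshd, vsftpd, xinetd) sets `_daemon`, which is what the shared prefix pattern in common.conf presumably interpolates. If so, the sieve-specific value is never used and the `failregex` matches a `badlogin:` line from any daemon rather than only from sieve, which is broader than intended. Proposed: `_daemon = (?:cyrus/)?(?:tim)?sieved?`. This is pre-existing rather than introduced here, but the commit touches the file and the mismatch is visible next to the lines it moves.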


@ -1,20 +1,17 @@
# /etc/fail2ban/filter.d/sogo-auth.conf
#
# Fail2Ban configuration file
# By Arnd Brandes
# SOGo
# Fail2ban filter for SOGo authentcation
#
# Log file usually in /var/log/sogo/sogo.log
[Definition]
# Option: failregex
# Filter Ban in /var/log/sogo/sogo.log
# Note: the error log may contain multiple hosts, whereas the first one
# is the client and all others are poxys. We match the first one, only
failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '<HOST>' for user '.*' might not have worked( - password policy: \d* grace: -?\d* expire: -?\d* bound: -?\d*)?\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
#
# DEV Notes:
#
# The error log may contain multiple hosts, whereas the first one
# is the client and all others are poxys. We match the first one, only
#
# Author: Arnd Brandes
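Review bot: The new summary line `# Fail2ban filter for SOGo authentcation` misspells "authentication" and uses `Fail2ban` where every other header in this commit writes `Fail2Ban`; propose `# Fail2Ban filter for SOGo authentication`. The relocated DEV note also keeps `poxys` for "proxies": `# is the client and all others are proxies. We match the first one, only`. Both lines are on the new side of the hunk, so this is the place to correct them.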


@ -1,6 +1,4 @@
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
# Fail2Ban ssh filter for at attempted exploit
#
# The regex here also relates to a exploit:
#
@ -20,17 +18,8 @@ before = common.conf
_daemon = sshd
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)sDid not receive identification string from <HOST>\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Yaroslav Halchenko
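Review bot: The new summary line `# Fail2Ban ssh filter for at attempted exploit` reads as garbled ("for at attempted"); propose `# Fail2Ban filter for attempted ssh exploits`, which also matches the "The regex here also relates to a exploit" paragraph that follows it. That paragraph continues outside the hunk, so its own grammar ("a exploit") is not reviewed here.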


@ -1,7 +1,4 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# Fail2Ban filter for openssh
#
[INCLUDES]
@ -15,15 +12,6 @@ before = common.conf
_daemon = sshd
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
#
failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
^%(__prefix_line)sFailed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .{0,100}|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".{0,100}", client host ".{0,100}")?))?\s*$
@ -36,8 +24,6 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|erro
^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black


@ -1,6 +1,6 @@
# Fail2Ban configuration file
# Fail2Ban filter for suhosian PHP hardening
#
# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
# This occurs with lighttpd or directly from the plugin
#
[INCLUDES]
@ -14,18 +14,15 @@ before = common.conf
_daemon = (?:lighttpd|suhosin)
# Option: failregex
# Notes.: regex to match ALERTS as notified by lighttpd's FastCGI Module
# Values: TEXT
#
# https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161
_lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s)
failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .* \(attacker '<HOST>', file '.*'(?:, line \d+)?\)$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# DEV Notes:
#
# https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161
#
# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
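Review bot: The new summary line `# Fail2Ban filter for suhosian PHP hardening` misspells the project name; the `_daemon = (?:lighttpd|suhosin)` definition in the second hunk and the stefanesser/suhosin link in the DEV notes both use "suhosin", so the header should read `# Fail2Ban filter for suhosin PHP hardening`. Keeping the name consistent with the daemon pattern helps anyone grepping filters by product.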


@ -1,7 +1,6 @@
# Fail2Ban configuration file
#
# Author: Amir Caspi
# Fail2Ban filter for uwimap
#
[INCLUDES]
before = common.conf
@ -14,3 +13,5 @@ failregex = ^%(__prefix_line)sLogin (?:failed|excessive login failures|disabled|
^%(__prefix_line)sFailed .* override of user=.* host=.*\[<HOST>\]\s*$
ignoreregex =
# Author: Amir Caspi


@ -1,7 +1,4 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# Fail2Ban filter for vsftp
#
[INCLUDES]
@ -13,18 +10,9 @@ before = common.conf
__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
_daemon = vsftpd
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
^ \[pid \d+\] \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Cyril Jaquier


@ -1,8 +1,4 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Rule by : Delvit Guillaume
#
# Fail2Ban filter for webmin
#
[INCLUDES]
@ -15,10 +11,14 @@ _daemon = webmin
[Definition]
# patern : webmin[15673]: Non-existent login as toto from 86.0.6.217
# webmin[29544]: Invalid login as root from 86.0.6.217
#
failregex = ^%(__prefix_line)sNon-existent login as .+ from <HOST>\s*$
^%(__prefix_line)sInvalid login as .+ from <HOST>\s*$
ignoreregex =
# DEV Notes:
#
# pattern : webmin[15673]: Non-existent login as toto from 86.0.6.217
# webmin[29544]: Invalid login as root from 86.0.6.217
#
# Rule Author: Delvit Guillaume
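Review bot: The rewritten trailer at the end of the second hunk appears to drop the original `# Author: Cyril Jaquier` line, keeping only `# Rule Author: Delvit Guillaume`, while the other files in this commit move the author attribution rather than remove it. If the removal is unintentional, add `# Author: Cyril Jaquier` alongside the rule-author line so the attribution matches the rest of the change.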


@ -1,7 +1,5 @@
# Fail2Ban configuration file for wuftpd
#
# Author: Yaroslav Halchenko
#
#
[INCLUDES]
@ -14,14 +12,8 @@ before = common.conf
_daemon = wu-ftpd
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = ^%(__prefix_line)sfailed login from \S+ \[<HOST>\]\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Yaroslav Halchenko


@ -1,6 +1,6 @@
# Fail2Ban configuration file
# Fail2Ban filter for xinetd failures
#
# Author: Guido Bozzetto
# Cfr.: /var/log/(daemon\.|sys)log
#
#
@ -10,29 +10,18 @@
# common.local
before = common.conf
[Definition]
_daemon = xinetd
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
# Cfr.: /var/log/(daemon\.|sys)log
# libwrap => tcp wrappers: hosts.(allow|deny)
# address => xinetd: deny_from|only_from
# load => xinetd: max_load (temporary problem)
#
failregex = ^%(__prefix_line)sFAIL: \S+ address from=<HOST>$
^%(__prefix_line)sFAIL: \S+ libwrap from=<HOST>$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# DEV Notes:
#
# libwrap => tcp wrappers: hosts.(allow|deny)
# address => xinetd: deny_from|only_from
#
# Author: Guido Bozzetto