github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

- Changed <HOST> template to be more restrictive. Debian bug #514163. 

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@728 a942ae1a-1317-0410-a47c-b1dcaea8d605
_tent/ipv6_via_aInfo
Cyril Jaquier 2009-02-08 17:31:24 +00:00
parent 7fd0300a73
commit abd061bad8
21 changed files with 25 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ChangeLog
View File

@ -33,6 +33,8 @@ ver. 0.8.4 (2008/??/??) - stable
Ravin. Tracker #2484115. Ravin. Tracker #2484115.
- Added cyrus-imap and sieve filters. Thanks to Jan Wagner. - Added cyrus-imap and sieve filters. Thanks to Jan Wagner.
Debian bug #513953. Debian bug #513953.
- Changed <HOST> template to be more restrictive. Debian bug
#514163.
ver. 0.8.3 (2008/07/17) - stable ver. 0.8.3 (2008/07/17) - stable
---------- ----------

2
config/filter.d/apache-auth.conf
View File

@ -11,7 +11,7 @@
# Notes.: regex to match the password failure messages in the logfile. The # Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = [[]client <HOST>[]] user .* authentication failure failregex = [[]client <HOST>[]] user .* authentication failure

2
config/filter.d/apache-noscript.conf
View File

@ -11,7 +11,7 @@
# Notes.: regex to match the password failure messages in the logfile. The # Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl) failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)

2
config/filter.d/common.conf
View File

@ -3,7 +3,7 @@
# #
# Author: Yaroslav Halchenko # Author: Yaroslav Halchenko
# #
# $Revision: $ # $Revision$
# #
[INCLUDES] [INCLUDES]

2
config/filter.d/courierlogin.conf
View File

@ -12,7 +12,7 @@
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$ failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$

2
config/filter.d/couriersmtp.conf
View File

@ -11,7 +11,7 @@
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = error,relay=<HOST>,.*550 User unknown failregex = error,relay=<HOST>,.*550 User unknown

2
config/filter.d/cyrus-imap.conf
View File

@ -11,7 +11,7 @@
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = : badlogin: .*\[<HOST>\] plaintext .*SASL\(-13\): authentication failure: checkpass failed$ failregex = : badlogin: .*\[<HOST>\] plaintext .*SASL\(-13\): authentication failure: checkpass failed$

2
config/filter.d/exim.conf
View File

@ -11,7 +11,7 @@
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address) failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address)

2
config/filter.d/postfix.conf
View File

@ -11,7 +11,7 @@
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = reject: RCPT from (.*)\[<HOST>\]: 554 failregex = reject: RCPT from (.*)\[<HOST>\]: 554

2
config/filter.d/proftpd.conf
View File

@ -11,7 +11,7 @@
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$ failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$

2
config/filter.d/pure-ftpd.conf
View File

@ -16,7 +16,7 @@ __errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'ut
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$ failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$

2
config/filter.d/qmail.conf
View File

@ -11,7 +11,7 @@
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = (?:[\d,.]+[\d,.] rblsmtpd: |421 badiprbl: ip )<HOST> failregex = (?:[\d,.]+[\d,.] rblsmtpd: |421 badiprbl: ip )<HOST>

2
config/filter.d/sasl.conf
View File

@ -11,7 +11,7 @@
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$ failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$

2
config/filter.d/sshd-ddos.conf
View File

@ -11,7 +11,7 @@
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$ failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$

2
config/filter.d/sshd.conf
View File

@ -20,7 +20,7 @@ _daemon = sshd
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$ failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$

2
config/filter.d/vsftpd.conf
View File

@ -11,7 +11,7 @@
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$ failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$

2
config/filter.d/webmin-auth.conf
View File

@ -15,7 +15,7 @@
# Notes.: regex to match the password failure messages in the logfile. The # Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = webmin.* Non-existent login as .+ from <HOST>$ failregex = webmin.* Non-existent login as .+ from <HOST>$

2
config/filter.d/xinetd-fail.conf
View File

@ -11,7 +11,7 @@
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
# Cfr.: /var/log/(daemon\.|sys)log # Cfr.: /var/log/(daemon\.|sys)log

2
server/failregex.py
View File

@ -44,7 +44,7 @@ class Regex:
self._matchCache = None self._matchCache = None
# Perform shortcuts expansions. # Perform shortcuts expansions.
# Replace "<HOST>" with default regular expression for host. # Replace "<HOST>" with default regular expression for host.
regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>\S+)") regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)")
if regex.lstrip() == '': if regex.lstrip() == '':
raise RegexException("Cannot add empty regex") raise RegexException("Cannot add empty regex")
try: try:

2
server/filter.py
View File

@ -492,7 +492,7 @@ import socket, struct
class DNSUtils: class DNSUtils:
IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3}") IP_CRE = re.compile("^(?:\d{1,3}\.){3}\d{1,3}$")
#@staticmethod #@staticmethod
def dnsToIp(dns): def dnsToIp(dns):

8
testcases/filtertestcase.py
View File

@ -99,7 +99,7 @@ class GetFailures(unittest.TestCase):
output = ('193.168.0.128', 3, 1124013599.0) output = ('193.168.0.128', 3, 1124013599.0)
self.__filter.addLogPath(GetFailures.FILENAME_01) self.__filter.addLogPath(GetFailures.FILENAME_01)
self.__filter.addFailRegex("(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S*)") self.__filter.addFailRegex("(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) <HOST>")
self.__filter.getFailures(GetFailures.FILENAME_01) self.__filter.getFailures(GetFailures.FILENAME_01)
@ -116,7 +116,7 @@ class GetFailures(unittest.TestCase):
output = ('141.3.81.106', 4, 1124013539.0) output = ('141.3.81.106', 4, 1124013539.0)
self.__filter.addLogPath(GetFailures.FILENAME_02) self.__filter.addLogPath(GetFailures.FILENAME_02)
self.__filter.addFailRegex("Failed .* (?:::f{4,6}:)(?P<host>\S*)") self.__filter.addFailRegex("Failed .* from <HOST>")
self.__filter.getFailures(GetFailures.FILENAME_02) self.__filter.getFailures(GetFailures.FILENAME_02)
@ -133,7 +133,7 @@ class GetFailures(unittest.TestCase):
output = ('203.162.223.135', 6, 1124013544.0) output = ('203.162.223.135', 6, 1124013544.0)
self.__filter.addLogPath(GetFailures.FILENAME_03) self.__filter.addLogPath(GetFailures.FILENAME_03)
self.__filter.addFailRegex("error,relay=(?:::f{4,6}:)?(?P<host>\S*),.*550 User unknown") self.__filter.addFailRegex("error,relay=<HOST>,.*550 User unknown")
self.__filter.getFailures(GetFailures.FILENAME_03) self.__filter.getFailures(GetFailures.FILENAME_03)
@ -151,7 +151,7 @@ class GetFailures(unittest.TestCase):
('212.41.96.185', 4, 1124013598.0)] ('212.41.96.185', 4, 1124013598.0)]
self.__filter.addLogPath(GetFailures.FILENAME_04) self.__filter.addLogPath(GetFailures.FILENAME_04)
self.__filter.addFailRegex("Invalid user .* (?P<host>\S*)") self.__filter.addFailRegex("Invalid user .* <HOST>")
self.__filter.getFailures(GetFailures.FILENAME_04) self.__filter.getFailures(GetFailures.FILENAME_04)