Use anchored failregex for filters to avoid possible DoS -- postfix.conf

Manually picked up from the 0.8 branch limiting lines only to the existing failregex
pull/757/head
Yaroslav Halchenko 2014-06-22 11:50:16 -04:00
parent 264e7813d9
commit aff0f8233f
2 changed files with 17 additions and 1 deletions


@ -5,6 +5,12 @@
# $Revision$
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
# Option: failregex
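Review bot: the comment in the new [INCLUDES] block mentions common.local, but the only directive is `before = common.conf`, so this file does not show how common.local is ever read. Either reword the comment to say that common.conf is what pulls in common.local, or add the include explicitly. It would also help to state here that the include is required because the failregex below uses `%(__prefix_line)s`, which this file does not define.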
@ -14,7 +20,9 @@
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
_daemon = postfix/smtpd
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
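Review bot: the new failregex line is narrower than the one it replaces, not just anchored. It now requires `NOQUEUE:` before `reject:` and the `5\.7\.1` enhanced status after `554`, where the old pattern matched any `reject: RCPT from ...[<HOST>]: 554`. If that narrowing is intended, say so in the comment block above the option so that admins know other 554 rejects no longer count towards a ban. Swapping `(.*)` for `\S+` and anchoring with `^%(__prefix_line)s` is the right direction; the trailing `.*$` does no matching work and could be dropped.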

8
debian/changelog vendored

@ -1,3 +1,11 @@
fail2ban (0.8.6-3wheezy3) wheezy-security; urgency=high
* Use anchored failregex for filters to avoid possible DoS
- CVE-2013-7176: postfix.conf - anchored on the front, expects
"postfix/smtpd" prefix in the log line
--
fail2ban (0.8.6-3wheezy2) wheezy-security; urgency=high
* Anchor apache- filters failregexes to avoid possible DoS on servers
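Review bot: the CVE-2013-7176 bullet in the new 0.8.6-3wheezy3 entry documents the front anchor and the "postfix/smtpd" prefix, but not that the postfix.conf failregex in this commit now also requires `NOQUEUE:` and `554 5\.7\.1`. Since this ships as a security update, add a line noting that the filter matches fewer reject lines than before, so a drop in bans after upgrading is not mistaken for a broken filter.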