mirror of https://github.com/fail2ban/fail2ban
Merge tag '0.8.11' into debian
* tag '0.8.11':
  DOC: finalise 0.8.11 release
  BF/ENH: DoS resistant roundcube-auth with test cases and more variation in IMAP error given
  BF: exim filter to be DoS resistant
  ENH: DoS resistant dropbear filter
  BF/ENH: asterisk connection ID is a hex not decimal number. Add "Rejecting unknown SIP connection from <HOST>" regex thanks to Jonathan Lanning
  ENH: apache-2.4 message IDs for filter apache-noscript
  TST: change source URL
  ENH: apache-overflow filter to have HTTP-2.4 message IDs and test samples
  ENH: apache-overflows - more detail on "request failed: URI too long (longer than %d)" with test case
  TST: end of json in sshd sample log
  TST: fix space in sshd sample log
  TST: test case that shows injection
  DOC: more on filter regexes - DEVELOP
  DOC: filter regex debugging
  BF: anchor introduced nginx-http-auth at the end
commit b2f5a79eeb
13 ChangeLog
|
@ -4,10 +4,10 @@
|
||||||
|_| \__,_|_|_/___|_.__/\__,_|_||_|
|
|_| \__,_|_|_/___|_.__/\__,_|_||_|
|
||||||
|
|
||||||
================================================================================
|
================================================================================
|
||||||
Fail2Ban (version 0.8.11.pre1) 2013/10/30
|
Fail2Ban (version 0.8.11) 2013/11/13
|
||||||
================================================================================
|
================================================================================
|
||||||
|
|
||||||
ver. 0.8.11 (2013/11/XXX) - loves-unittests-and-tight-DoS-free-filter-regexes
|
ver. 0.8.11 (2013/11/13) - loves-unittests-and-tight-DoS-free-filter-regexes
|
||||||
-----------
|
-----------
|
||||||
|
|
||||||
In light of CVE-2013-2178 that triggered our last release we have put
|
In light of CVE-2013-2178 that triggered our last release we have put
|
||||||
|
@ -23,6 +23,12 @@ please provide us with example log lines on the github issue tracker
|
||||||
http://github.com/fail2ban/fail2ban/issues and NOT on a random blog in
|
http://github.com/fail2ban/fail2ban/issues and NOT on a random blog in
|
||||||
some obscure corner of the Internet.
|
some obscure corner of the Internet.
|
||||||
|
|
||||||
|
Many thanks to our contributors for this release Daniel Black, Yaroslav
|
||||||
|
Halchenko, Steven Hiscocks, Mark McKinstry, Andy Fragen, Orion Poplawski,
|
||||||
|
Alexander Dietrich, JP Espinosa, Jamyn Shanley, Beau Raines, François
|
||||||
|
Boulogne and others who have helped on IRC and mailing list, logged issues
|
||||||
|
and bug requests.
|
||||||
|
|
||||||
- IMPORTANT incompatible changes:
|
- IMPORTANT incompatible changes:
|
||||||
Filter name changes:
|
Filter name changes:
|
||||||
* 'lighttpd-fastcgi' filter has been renamed to 'suhosin'
|
* 'lighttpd-fastcgi' filter has been renamed to 'suhosin'
|
||||||
|
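Review bot: the closing words of the new thanks paragraph, "logged issues and bug requests", read oddly; "logged issues and feature requests" (or "bug reports") is probably what was meant, and "helped on IRC and mailing list" should be "helped on IRC and the mailing list".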
@ -32,6 +38,9 @@ some obscure corner of the Internet.
|
||||||
those filters were used.
|
those filters were used.
|
||||||
|
|
||||||
- Fixes:
|
- Fixes:
|
||||||
|
Jonathan Lanning
|
||||||
|
* filter.d/asterisk -- identified another regex for blocking. Also channel
|
||||||
|
ID is hex not decimal as noted in sample logs provided.
|
||||||
Daniel Black & Marcel Dopita
|
Daniel Black & Marcel Dopita
|
||||||
* filter.d/apache-auth -- fixed and apache auth samples provide. Closes gh-286
|
* filter.d/apache-auth -- fixed and apache auth samples provide. Closes gh-286
|
||||||
Yaroslav Halchenko
|
Yaroslav Halchenko
|
||||||
|
|
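Review bot: the new asterisk entry under Fixes should name the regex it adds so the ChangeLog is greppable; the filter diff in this commit adds a WARNING-level "Rejecting unknown SIP connection from <HOST>" pattern as well as changing the channel ID match to `\[C-[\da-f]*\]`, so suggest: `* filter.d/asterisk -- added "Rejecting unknown SIP connection from <HOST>" regex; channel ID is hex not decimal as noted in sample logs provided.`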
97 DEVELOP
|
@ -289,15 +289,19 @@ TIP: Some applications log spaces at the end. If you are not sure add \s*$ as
|
||||||
the end part of the regex.
|
the end part of the regex.
|
||||||
|
|
||||||
If your regex is not matching, http://www.debuggex.com/?flavor=python can help
|
If your regex is not matching, http://www.debuggex.com/?flavor=python can help
|
||||||
to tune it:
|
to tune it. fail2ban-regex -D ... will present Debuggex URLs for the regexs
|
||||||
|
and sample log files that you pass into it.
|
||||||
|
|
||||||
|
In general use when using regex debuggers for generating fail2ban filters:
|
||||||
* use regex from the ./fail2ban-regex output (to ensure all substitutions are
|
* use regex from the ./fail2ban-regex output (to ensure all substitutions are
|
||||||
done) and replace <HOST> with (?&.ipv4). Make sure that regex type set to
|
done)
|
||||||
Python;
|
* replace <HOST> with (?&.ipv4)
|
||||||
* for the test data put your log output with the time removed;
|
* make sure that regex type set to Python
|
||||||
- when you have fixed the regex put it back into your filter file.
|
* for the test data put your log output with the date/time removed
|
||||||
|
|
||||||
Please spread the good word about debuggex - Serge Toarca is kindly continuing
|
When you have fixed the regex put it back into your filter file.
|
||||||
|
|
||||||
|
Please spread the good word about Debuggex - Serge Toarca is kindly continuing
|
||||||
its free availability to Open Source developers.
|
its free availability to Open Source developers.
|
||||||
|
|
||||||
Finishing up:
|
Finishing up:
|
||||||
|
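Review bot: grammar in the new Debuggex bullets: "make sure that regex type set to Python" needs "is" ("make sure that the regex type is set to Python"), and "Debuggex URLs for the regexs" should be "regexes". It would also help to spell out the `-D` option of `fail2ban-regex -D ...` the same way the fail2ban-regex(1) man page does, so readers can find it.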
@ -327,7 +331,7 @@ failregex, while matching inserted text to the <HOST> part, they have the
|
||||||
ability to deny any host they choose.
|
ability to deny any host they choose.
|
||||||
|
|
||||||
So the <HOST> part must be anchored on text generated by the application, and
|
So the <HOST> part must be anchored on text generated by the application, and
|
||||||
not the user, to a extent sufficient to prevent user inserting the entire text
|
not the user, to an extent sufficient to prevent user inserting the entire text
|
||||||
matching this or any other failregex.
|
matching this or any other failregex.
|
||||||
|
|
||||||
Ideally filter regex should anchor at the beginning and at the end of log line.
|
Ideally filter regex should anchor at the beginning and at the end of log line.
|
||||||
|
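Review bot: since the line "not the user, to an extent sufficient to prevent user inserting the entire text" is being touched anyway, fix the remaining grammar in it too: "to prevent the user from inserting the entire text".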
@ -377,7 +381,7 @@ Note if we'd just had the expression:
|
||||||
Then provided the user put a space in their command they would have never been
|
Then provided the user put a space in their command they would have never been
|
||||||
banned.
|
banned.
|
||||||
|
|
||||||
2. Filter regex can match other user injected data
|
2. Unanchored regex can match other user injected data
|
||||||
|
|
||||||
From the Apache vulnerability CVE-2013-2178
|
From the Apache vulnerability CVE-2013-2178
|
||||||
( original ref: https://vndh.net/note:fail2ban-089-denial-service ).
|
( original ref: https://vndh.net/note:fail2ban-089-denial-service ).
|
||||||
|
@ -398,7 +402,82 @@ Now the log line will be:
|
||||||
As this log line doesn't match other expressions hence it matches the above
|
As this log line doesn't match other expressions hence it matches the above
|
||||||
regex and blocks 192.168.33.1 as a denial of service from the HTTP requester.
|
regex and blocks 192.168.33.1 as a denial of service from the HTTP requester.
|
||||||
|
|
||||||
3. Application generates two identical log messages with different meanings
|
3. Over greedy pattern matching
|
||||||
|
|
||||||
|
From: https://github.com/fail2ban/fail2ban/pull/426
|
||||||
|
|
||||||
|
An example ssh log (simplified)
|
||||||
|
|
||||||
|
Sep 29 17:15:02 spaceman sshd[12946]: Failed password for user from 127.0.0.1 port 20000 ssh1: ruser remoteuser
|
||||||
|
|
||||||
|
As we assume username can include anything including spaces its prudent to put
|
||||||
|
.* here. The remote user can also exist as anything so lets not make assumptions again.
|
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)sFailed \S+ for .* from <HOST>( port \d*)?( ssh\d+)?(: ruser .*)?$
|
||||||
|
|
||||||
|
So this works. The problem is if the .* after remote user is injected by the
|
||||||
|
user to be 'from 1.2.3.4'. The resultant log line is.
|
||||||
|
|
||||||
|
Sep 29 17:15:02 spaceman sshd[12946]: Failed password for user from 127.0.0.1 port 20000 ssh1: ruser from 1.2.3.4
|
||||||
|
|
||||||
|
Testing with:
|
||||||
|
|
||||||
|
fail2ban-regex -v 'Sep 29 17:15:02 Failed password for user from 127.0.0.1 port 20000 ssh1: ruser from 1.2.3.4' '^ Failed \S+ for .* from <HOST>( port \d*)?( ssh\d+)?(: ruser .*)?$'
|
||||||
|
|
||||||
|
TIP: I've removed the bit that matches __prefix_line from the regex and log.
|
||||||
|
|
||||||
|
Shows:
|
||||||
|
|
||||||
|
1) [1] ^ Failed \S+ for .* from <HOST>( port \d*)?( ssh\d+)?(: ruser .*)?$
|
||||||
|
1.2.3.4 Sun Sep 29 17:15:02 2013
|
||||||
|
|
||||||
|
It should of matched 127.0.0.1. So the first greedy part of the greedy regex
|
||||||
|
matched until the end of the string. The was no "from <HOST>" so the regex
|
||||||
|
engine worked backwards from the end of the string until this was matched.
|
||||||
|
|
||||||
|
The result was that 1.2.3.4 was matched, injected by the user, and the wrong IP
|
||||||
|
was banned.
|
||||||
|
|
||||||
|
The solution here is to make the first .* non-greedy with .*?. Here it matches
|
||||||
|
as little as required and the fail2ban-regex tool shows the output:
|
||||||
|
|
||||||
|
fail2ban-regex -v 'Sep 29 17:15:02 Failed password for user from 127.0.0.1 port 20000 ssh1: ruser from 1.2.3.4' '^ Failed \S+ for .*? from <HOST>( port \d*)?( ssh\d+)?(: ruser .*)?$'
|
||||||
|
|
||||||
|
1) [1] ^ Failed \S+ for .*? from <HOST>( port \d*)?( ssh\d+)?(: ruser .*)?$
|
||||||
|
127.0.0.1 Sun Sep 29 17:15:02 2013
|
||||||
|
|
||||||
|
So the general case here is a log line that contains:
|
||||||
|
|
||||||
|
(fixed_data_1)<HOST>(fixed_data_2)(user_injectable_data)
|
||||||
|
|
||||||
|
Where the regex that matches fixed_data_1 is gready and matches the entire
|
||||||
|
string, before moving backwards and user_injectable_data can match the entire
|
||||||
|
string.
|
||||||
|
|
||||||
|
Another case:
|
||||||
|
|
||||||
|
ref: https://www.debuggex.com/r/CtAbeKMa2sDBEfA2/0
|
||||||
|
|
||||||
|
A webserver logs the following without URL escaping:
|
||||||
|
|
||||||
|
[error] 2865#0: *66647 user "xyz" was not found in "/file", client: 1.2.3.1, server: www.host.com, request: "GET ", client: 3.2.1.1, server: fake.com, request: "GET exploited HTTP/3.3", host: "injected.host", host: "www.myhost.com"
|
||||||
|
|
||||||
|
regex:
|
||||||
|
|
||||||
|
failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (?:password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ .+ HTTP/\d+\.\d+", host: "\S+"
|
||||||
|
|
||||||
|
The .* matches to the end of the string. Finds that it can't continue to match
|
||||||
|
", client ... so it moves from the back and find that the user injected web URL:
|
||||||
|
|
||||||
|
", client: 3.2.1.1, server: fake.com, request: "GET exploited HTTP/3.3", host: "injected.host
|
||||||
|
|
||||||
|
In this case there is a fixed host: "www.myhost.com" at the end so the solution
|
||||||
|
is to anchor the regex at the end with a $.
|
||||||
|
|
||||||
|
If this wasn't the case then first .* needed to be made so it didn't capture
|
||||||
|
beyond <HOST>.
|
||||||
|
|
||||||
|
4. Application generates two identical log messages with different meanings
|
||||||
|
|
||||||
If the application generates the following two messages under different
|
If the application generates the following two messages under different
|
||||||
circumstances:
|
circumstances:
|
||||||
|
|
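Review bot: several typos in the new section 3 should be fixed before release: "its prudent" -> "it's prudent", "lets not" -> "let's not", "The was no" -> "There was no", "It should of matched" -> "It should have matched", "gready" -> "greedy", and "The resultant log line is." should end with a colon. Two substantive points as well: the nginx example's regex uses `request: "\S+ .+ HTTP/\d+\.\d+"` whereas config/filter.d/nginx-http-auth.conf in this same commit uses `"\S+ \S+ HTTP/..."`, so the two should agree or the text should say why the example differs; and the sentence "there is a fixed host: "www.myhost.com" at the end so the solution is to anchor the regex at the end with a $" would be stronger if it also said why the injected text cannot satisfy `host: "\S+"$`, namely that the injected fragment contains spaces, which `\S+` cannot span.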
3 MANIFEST
|
@ -60,6 +60,7 @@ testcases/files/logs/exim
|
||||||
testcases/files/logs/suhosin
|
testcases/files/logs/suhosin
|
||||||
testcases/files/logs/mysqld-auth
|
testcases/files/logs/mysqld-auth
|
||||||
testcases/files/logs/named-refused
|
testcases/files/logs/named-refused
|
||||||
|
testcases/files/logs/nginx-http-auth
|
||||||
testcases/files/logs/pam-generic
|
testcases/files/logs/pam-generic
|
||||||
testcases/files/logs/postfix
|
testcases/files/logs/postfix
|
||||||
testcases/files/logs/proftpd
|
testcases/files/logs/proftpd
|
||||||
|
@ -139,6 +140,7 @@ config/filter.d/apache-badbots.conf
|
||||||
config/filter.d/apache-nohome.conf
|
config/filter.d/apache-nohome.conf
|
||||||
config/filter.d/apache-noscript.conf
|
config/filter.d/apache-noscript.conf
|
||||||
config/filter.d/apache-overflows.conf
|
config/filter.d/apache-overflows.conf
|
||||||
|
config/filter.d/nginx-http-auth.conf
|
||||||
config/filter.d/courierlogin.conf
|
config/filter.d/courierlogin.conf
|
||||||
config/filter.d/couriersmtp.conf
|
config/filter.d/couriersmtp.conf
|
||||||
config/filter.d/cyrus-imap.conf
|
config/filter.d/cyrus-imap.conf
|
||||||
|
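Review bot: `config/filter.d/nginx-http-auth.conf` is inserted between apache-overflows.conf and courierlogin.conf, breaking the alphabetical order the surrounding entries follow (apache-*, courier*, cyrus-imap); move it to its alphabetical position among the filter names, as was done for the testcases/files/logs/nginx-http-auth entry in the first hunk.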
@ -239,3 +241,4 @@ files/bash-completion
|
||||||
files/fail2ban-tmpfiles.conf
|
files/fail2ban-tmpfiles.conf
|
||||||
files/fail2ban.service
|
files/fail2ban.service
|
||||||
files/ipmasq-ZZZzzz_fail2ban.rul
|
files/ipmasq-ZZZzzz_fail2ban.rul
|
||||||
|
files/gen_badbots
|
||||||
|
|
|
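Review bot: `files/gen_badbots` is appended after files/ipmasq-ZZZzzz_fail2ban.rul although the surrounding entries (bash-completion, fail2ban-tmpfiles.conf, fail2ban.service, ipmasq-...) are alphabetical; place it between files/fail2ban.service and files/ipmasq-ZZZzzz_fail2ban.rul.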
@ -2,7 +2,7 @@
|
||||||
/ _|__ _(_) |_ ) |__ __ _ _ _
|
/ _|__ _(_) |_ ) |__ __ _ _ _
|
||||||
| _/ _` | | |/ /| '_ \/ _` | ' \
|
| _/ _` | | |/ /| '_ \/ _` | ' \
|
||||||
|_| \__,_|_|_/___|_.__/\__,_|_||_|
|
|_| \__,_|_|_/___|_.__/\__,_|_||_|
|
||||||
v0.8.11-pre1 2013/10/30
|
v0.8.11 2013/11/13
|
||||||
|
|
||||||
## Fail2Ban: ban hosts that cause multiple authentication errors
|
## Fail2Ban: ban hosts that cause multiple authentication errors
|
||||||
|
|
||||||
|
|
1 THANKS
|
@ -34,6 +34,7 @@ Guillaume Delvit
|
||||||
Hanno 'Rince' Wagner
|
Hanno 'Rince' Wagner
|
||||||
Iain Lea
|
Iain Lea
|
||||||
Jonathan Kamens
|
Jonathan Kamens
|
||||||
|
Jonathan Lanning
|
||||||
Jonathan Underwood
|
Jonathan Underwood
|
||||||
Joël Bertrand
|
Joël Bertrand
|
||||||
JP Espinosa
|
JP Espinosa
|
||||||
|
|
|
@ -24,4 +24,4 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko"
|
||||||
__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko"
|
__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko"
|
||||||
__license__ = "GPL"
|
__license__ = "GPL"
|
||||||
|
|
||||||
version = "0.8.11.pre1"
|
version = "0.8.11"
|
||||||
|
|
|
@ -9,10 +9,16 @@ before = apache-common.conf
|
||||||
|
|
||||||
[Definition]
|
[Definition]
|
||||||
|
|
||||||
failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$
|
failregex = ^%(_apache_error_client)s ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$
|
||||||
^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$
|
^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$
|
||||||
|
|
||||||
ignoreregex =
|
ignoreregex =
|
||||||
|
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# https://wiki.apache.org/httpd/ListOfErrors for apache error IDs
|
||||||
|
#
|
||||||
|
# Second regex, script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$ is Before http-2.2
|
||||||
|
#
|
||||||
# Author: Cyril Jaquier
|
# Author: Cyril Jaquier
|
||||||
|
|
|
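Review bot: the new DEV note "Second regex, script '...' not found or unable to stat\s*$ is Before http-2.2" is unclear about which versions it covers; say "applies to httpd releases before 2.2" (or whichever range was verified against https://wiki.apache.org/httpd/ListOfErrors, which the note cites) so a future maintainer knows when it can be dropped. It is also worth stating in the same note that `(AH001(28|30): )?` and `(AH01264: )?` are optional precisely so the 2.2 log format keeps matching.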
@ -8,8 +8,29 @@ before = apache-common.conf
|
||||||
|
|
||||||
[Definition]
|
[Definition]
|
||||||
|
|
||||||
failregex = ^%(_apache_error_client)s (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string)
|
failregex = ^%(_apache_error_client)s ((AH0013[456]: )?Invalid (method|URI) in request .*( - possible attempt to establish SSL connection on non-SSL port)?|(AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string: .*|AH00566: request failed: invalid characters in URI)$
|
||||||
|
|
||||||
ignoreregex =
|
ignoreregex =
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# fgrep -r 'URI too long' httpd-2.*
|
||||||
|
# httpd-2.2.25/server/protocol.c: "request failed: URI too long (longer than %d)", r->server->limit_req_line);
|
||||||
|
# httpd-2.4.4/server/protocol.c: "request failed: URI too long (longer than %d)",
|
||||||
|
#
|
||||||
|
# fgrep -r 'in request' ../httpd-2.* | fgrep Invalid
|
||||||
|
# httpd-2.2.25/server/core.c: "Invalid URI in request %s", r->the_request);
|
||||||
|
# httpd-2.2.25/server/core.c: "Invalid method in request %s", r->the_request);
|
||||||
|
# httpd-2.2.25/docs/manual/rewrite/flags.html.fr:avertissements 'Invalid URI in request'.
|
||||||
|
# httpd-2.4.4/server/core.c: "Invalid URI in request %s", r->the_request);
|
||||||
|
# httpd-2.4.4/server/core.c: "Invalid method in request %s - possible attempt to establish SSL connection on non-SSL port", r->the_request);
|
||||||
|
# httpd-2.4.4/server/core.c: "Invalid method in request %s", r->the_request);
|
||||||
|
#
|
||||||
|
# fgrep -r 'invalid characters in URI' httpd-2.*
|
||||||
|
# httpd-2.4.4/server/protocol.c: "request failed: invalid characters in URI");
|
||||||
|
#
|
||||||
|
# http://svn.apache.org/viewvc/httpd/httpd/trunk/server/core.c?r1=739382&r2=739620&pathrev=739620
|
||||||
|
# ...possible attempt to establish SSL connection on non-SSL port
|
||||||
|
#
|
||||||
|
# https://wiki.apache.org/httpd/ListOfErrors
|
||||||
# Author: Tim Connors
|
# Author: Tim Connors
|
||||||
|
|
|
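Review bot: in the new failregex the group `( - possible attempt to establish SSL connection on non-SSL port)?` after `Invalid (method|URI) in request .*` is dead: the preceding greedy `.*` already consumes everything up to `$`, so the group never has to match and adds nothing. Either drop it or change the `.*` to `.*?` if the intent is to pin the suffix. Note also that the httpd-2.2 sample added to testcases/files/logs/apache-overflows in this same commit ends with "when the server isn't expecting it", not "on non-SSL port", so only the 2.4 wording quoted in the DEV notes is covered by the group as written.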
@ -6,7 +6,7 @@
|
||||||
__pid_re = (?:\[\d+\])
|
__pid_re = (?:\[\d+\])
|
||||||
|
|
||||||
# All Asterisk log messages begin like this:
|
# All Asterisk log messages begin like this:
|
||||||
log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*
|
log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*
|
||||||
|
|
||||||
failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|No matching peer found|Username/auth name mismatch|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
|
failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|No matching peer found|Username/auth name mismatch|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
|
||||||
^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
|
^%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
|
||||||
|
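Review bot: `(?:\[C-[\da-f]*\])?` in the new log_prefix accepts an empty ID (`[C-]`) because of `*`; since the ChangeLog entry says the channel ID is a hex number, `[\da-f]+` is the tighter match and still agrees with the `[C-0000001d]` sample in the test log.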
@ -16,6 +16,7 @@ failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?'
|
||||||
^%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
|
^%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
|
||||||
^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
|
^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
|
||||||
^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$
|
^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$
|
||||||
|
^\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
|
||||||
|
|
||||||
ignoreregex =
|
ignoreregex =
|
||||||
|
|
||||||
|
|
|
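Review bot: the new "Rejecting unknown SIP connection" regex re-spells the whole prefix (`^\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])?`) instead of sharing it with `log_prefix`, so the hex-ID change now has to be maintained in two places; factor the common `\[\]\s*(?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])?` part into its own definition (log_prefix cannot be reused as-is because its trailing `\S+:\d*` file:line part is absent from the WARNING sample `WARNING[6756][C-0000001d] Ext. s: ...`). Also `Ext\. s:` hard-codes extension "s"; if other extensions can emit this warning, `Ext\. \S+:` would be needed.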
@ -23,8 +23,8 @@ before = common.conf
|
||||||
|
|
||||||
_daemon = dropbear
|
_daemon = dropbear
|
||||||
|
|
||||||
failregex = ^%(__prefix_line)s[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:.*$
|
failregex = ^%(__prefix_line)s[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
|
||||||
^%(__prefix_line)s[Bb]ad (PAM )?password attempt for .+ from <HOST>.*$
|
^%(__prefix_line)s[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
|
||||||
^%(__prefix_line)s[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
|
^%(__prefix_line)s[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
|
||||||
|
|
||||||
ignoreregex =
|
ignoreregex =
|
||||||
|
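Review bot: the first regex now requires the port (`from <HOST>:\d+$`) while the second makes it optional (`from <HOST>(:\d+)?$`); if that difference is deliberate (the DEV notes below mention a modified dropbear variant) say so in a comment, otherwise align them. Tightening `.*$` to `\d+$` is the right direction, since the `from <HOST>` text follows user-controlled fields and the fixed part now sits at the anchored end.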
@ -37,5 +37,12 @@ ignoreregex =
|
||||||
#
|
#
|
||||||
# The second last failregex line we need to match with the modified dropbear.
|
# The second last failregex line we need to match with the modified dropbear.
|
||||||
#
|
#
|
||||||
|
# For the second regex the following apply:
|
||||||
|
#
|
||||||
|
# http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c
|
||||||
|
# http://svn.dd-wrt.com/changeset/16642#file64
|
||||||
|
#
|
||||||
|
# http://svn.dd-wrt.com/changeset/16642/src/router/dropbear/svr-authpasswd.c
|
||||||
|
#
|
||||||
# Author: Francis Russell
|
# Author: Francis Russell
|
||||||
# Zak B. Elep
|
# Zak B. Elep
|
||||||
|
|
|
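Review bot: the new DEV note "For the second regex the following apply:" lists three URLs without saying what each shows; one line per link naming the dropbear variant (the Android external/dropbear svr-authpam.c and the DD-WRT svr-authpasswd.c changeset) and the log wording it produces would let the next maintainer verify the regex without visiting the links.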
@ -16,7 +16,7 @@ before = exim-common.conf
|
||||||
failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
|
failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
|
||||||
^%(pid)s (plain|login) authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
|
^%(pid)s (plain|login) authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
|
||||||
^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
|
^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
|
||||||
^%(pid)s SMTP protocol synchronization error \(.*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
|
^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
|
||||||
^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
|
^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
|
||||||
|
|
||||||
ignoreregex =
|
ignoreregex =
|
||||||
|
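Review bot: `\([^)]*\)` correctly stops the match at the first `)`, but nothing in this diff adds a sample to testcases/files/logs/exim exercising an `input="..."` value that contains `): rejected`; a failJSON case with that injection would guard the fix against regression, as was done for roundcube-auth in this commit.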
@ -24,5 +24,9 @@ ignoreregex =
|
||||||
# DEV Notes:
|
# DEV Notes:
|
||||||
# The %(host_info) defination contains a <HOST> match
|
# The %(host_info) defination contains a <HOST> match
|
||||||
#
|
#
|
||||||
|
# SMTP protocol synchronization error \([^)]*\) <- This needs to be non-greedy
|
||||||
|
# to void capture beyond ")" to avoid a DoS Injection vulnerabilty as input= is
|
||||||
|
# user injectable data.
|
||||||
|
#
|
||||||
# Author: Cyril Jaquier
|
# Author: Cyril Jaquier
|
||||||
# Daniel Black (rewrote with strong regexs)
|
# Daniel Black (rewrote with strong regexs)
|
||||||
|
|
|
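Review bot: typos in the new DEV note: "to void capture beyond" -> "to avoid capturing beyond", "vulnerabilty" -> "vulnerability"; while in this block, "defination" on the context line above could become "definition".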
@ -4,7 +4,7 @@
|
||||||
[Definition]
|
[Definition]
|
||||||
|
|
||||||
|
|
||||||
failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"
|
failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
|
||||||
|
|
||||||
ignoreregex =
|
ignoreregex =
|
||||||
|
|
||||||
|
|
|
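Review bot: adding `\s*$` addresses the injection described in the DEVELOP section of this commit, but the regex still carries `was not found in ".*"` ahead of `client: <HOST>`, so it relies entirely on the end anchor; add the DEVELOP example's injected line (`... request: "GET ", client: 3.2.1.1, ...`) to the new testcases/files/logs/nginx-http-auth sample with a failJSON entry expecting 1.2.3.1, so that the anchor cannot be lost silently later.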
@ -9,8 +9,21 @@ before = common.conf
|
||||||
|
|
||||||
[Definition]
|
[Definition]
|
||||||
|
|
||||||
failregex = ^\s*(\[(\s[+-][0-9]{4})?\])?(%(__hostname)s roundcube: IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. AUTHENTICATE .*)?\s*$
|
failregex = ^\s*(\[(\s[+-][0-9]{4})?\])?(%(__hostname)s roundcube: IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$
|
||||||
|
|
||||||
ignoreregex =
|
ignoreregex =
|
||||||
|
# DEV Notes:
|
||||||
# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge
|
#
|
||||||
|
# Source: https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_imap.php#L180
|
||||||
|
#
|
||||||
|
# Part after <HOST> comes straight from IMAP server up until the " in ....."
|
||||||
|
# Earlier versions didn't log the IMAP response hence optional.
|
||||||
|
#
|
||||||
|
# DoS resistance:
|
||||||
|
#
|
||||||
|
# Assume that the user can inject "from <HOST>" into the imap response
|
||||||
|
# somehow. Write test cases around this to ensure that the combination of
|
||||||
|
# arbitary user input and IMAP response doesn't inject the wrong IP for
|
||||||
|
# fail2ban
|
||||||
|
#
|
||||||
|
# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge & Daniel Black
|
||||||
|
|
|
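Review bot: "arbitary" -> "arbitrary" in the new DoS-resistance note. The Source link points at `blob/master/...#L180`, which will drift as the file changes; pin it to a commit SHA. The new tail `\(\S+ \S+\)` assumes the logged request (`POST /wmail/?_task=login&_action=login` in the test sample) never contains whitespace; if the URI can be logged unescaped, that assumption belongs next to the "Part after <HOST> comes straight from IMAP server" comment.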
@ -1,12 +1,12 @@
|
||||||
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.40.12.
|
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.40.4.
|
||||||
.TH FAIL2BAN-CLIENT "1" "October 2013" "fail2ban-client v0.8.11.pre1" "User Commands"
|
.TH FAIL2BAN-CLIENT "1" "November 2013" "fail2ban-client v0.8.11" "User Commands"
|
||||||
.SH NAME
|
.SH NAME
|
||||||
fail2ban-client \- configure and control the server
|
fail2ban-client \- configure and control the server
|
||||||
.SH SYNOPSIS
|
.SH SYNOPSIS
|
||||||
.B fail2ban-client
|
.B fail2ban-client
|
||||||
[\fIOPTIONS\fR] \fI<COMMAND>\fR
|
[\fIOPTIONS\fR] \fI<COMMAND>\fR
|
||||||
.SH DESCRIPTION
|
.SH DESCRIPTION
|
||||||
Fail2Ban v0.8.11.pre1 reads log file that contains password failure report
|
Fail2Ban v0.8.11 reads log file that contains password failure report
|
||||||
and bans the corresponding IP addresses using firewall rules.
|
and bans the corresponding IP addresses using firewall rules.
|
||||||
.SH OPTIONS
|
.SH OPTIONS
|
||||||
.TP
|
.TP
|
||||||
|
|
|
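Review bot: the help2man version in the regenerated man pages goes backwards (1.40.12 -> 1.40.4), so these pages were built on a different machine than the pre1 release; harmless, but generating them with one known tool version avoids spurious churn in every release diff (the same applies to fail2ban-regex.1 and fail2ban-server.1 below).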
@ -1,5 +1,5 @@
|
||||||
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.40.12.
|
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.40.4.
|
||||||
.TH FAIL2BAN-REGEX "1" "October 2013" "fail2ban-regex 0.8.11.pre1" "User Commands"
|
.TH FAIL2BAN-REGEX "1" "November 2013" "fail2ban-regex 0.8.11" "User Commands"
|
||||||
.SH NAME
|
.SH NAME
|
||||||
fail2ban-regex \- test Fail2ban "failregex" option
|
fail2ban-regex \- test Fail2ban "failregex" option
|
||||||
.SH SYNOPSIS
|
.SH SYNOPSIS
|
||||||
|
|
|
@ -1,12 +1,12 @@
|
||||||
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.40.12.
|
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.40.4.
|
||||||
.TH FAIL2BAN-SERVER "1" "October 2013" "fail2ban-server v0.8.11.pre1" "User Commands"
|
.TH FAIL2BAN-SERVER "1" "November 2013" "fail2ban-server v0.8.11" "User Commands"
|
||||||
.SH NAME
|
.SH NAME
|
||||||
fail2ban-server \- start the server
|
fail2ban-server \- start the server
|
||||||
.SH SYNOPSIS
|
.SH SYNOPSIS
|
||||||
.B fail2ban-server
|
.B fail2ban-server
|
||||||
[\fIOPTIONS\fR]
|
[\fIOPTIONS\fR]
|
||||||
.SH DESCRIPTION
|
.SH DESCRIPTION
|
||||||
Fail2Ban v0.8.11.pre1 reads log file that contains password failure report
|
Fail2Ban v0.8.11 reads log file that contains password failure report
|
||||||
and bans the corresponding IP addresses using firewall rules.
|
and bans the corresponding IP addresses using firewall rules.
|
||||||
.PP
|
.PP
|
||||||
Only use this command for debugging purpose. Start the server with
|
Only use this command for debugging purpose. Start the server with
|
||||||
|
|
|
@ -1,4 +1,25 @@
|
||||||
|
# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=574182
|
||||||
# failJSON: { "time": "2010-03-16T15:39:29", "match": true , "host": "58.179.109.179" }
|
# failJSON: { "time": "2010-03-16T15:39:29", "match": true , "host": "58.179.109.179" }
|
||||||
[Tue Mar 16 15:39:29 2010] [error] [client 58.179.109.179] Invalid URI in request \xf9h\xa9\xf3\x88\x8cXKj \xbf-l*4\x87n\xe4\xfe\xd4\x1d\x06\x8c\xf8m\\rS\xf6n\xeb\x8
|
[Tue Mar 16 15:39:29 2010] [error] [client 58.179.109.179] Invalid URI in request \xf9h\xa9\xf3\x88\x8cXKj \xbf-l*4\x87n\xe4\xfe\xd4\x1d\x06\x8c\xf8m\\rS\xf6n\xeb\x8
|
||||||
# failJSON: { "time": "2010-03-15T15:44:47", "match": true , "host": "121.222.2.133" }
|
# failJSON: { "time": "2010-03-15T15:44:47", "match": true , "host": "121.222.2.133" }
|
||||||
[Mon Mar 15 15:44:47 2010] [error] [client 121.222.2.133] Invalid URI in request n\xed*\xbe*\xab\xefd\x80\xb5\xae\xf6\x01\x10M?\xf2\xce\x13\x9c\xd7\xa0N\xa7\xdb%0\xde\xe0\xfc\xd2\xa0\xfe\xe9w\xee\xc4`v\x9b[{\x0c:\xcb\x93\xc6\xa0\x93\x9c`l\\\x8d\xc9
|
[Mon Mar 15 15:44:47 2010] [error] [client 121.222.2.133] Invalid URI in request n\xed*\xbe*\xab\xefd\x80\xb5\xae\xf6\x01\x10M?\xf2\xce\x13\x9c\xd7\xa0N\xa7\xdb%0\xde\xe0\xfc\xd2\xa0\xfe\xe9w\xee\xc4`v\x9b[{\x0c:\xcb\x93\xc6\xa0\x93\x9c`l\\\x8d\xc9
|
||||||
|
|
||||||
|
# http://forum.nconf.org/viewtopic.php?f=14&t=427&p=1488
|
||||||
|
# failJSON: { "time": "2010-07-30T11:23:54", "match": true , "host": "10.85.6.69" }
|
||||||
|
[Fri Jul 30 11:23:54 2010] [error] [client 10.85.6.69] request failed: URI too long (longer than 8190)
|
||||||
|
# failJSON: { "time": "2010-10-27T23:16:37", "match": true , "host": "187.117.240.164" }
|
||||||
|
[Wed Oct 27 23:16:37 2010] [error] [client 187.117.240.164] Invalid URI in request x\xb2\xa1:SMl\xcc{\xfd"\xd1\x91\x84!d\x0e~\xf6:\xfbVu\xdf\xc3\xdb[\xa9\xfe\xd3lpz\x92\xbf\x9f5\xa3\xbbvF\xbc\xee\x1a\xb1\xb0\xf8K\xecE\xbc\xe8r\xacx=\xc7>\xb5\xbd\xa3\xda\xe9\xf09\x95"fd\x1c\x05\x1c\xd5\xf3#:\x91\xe6WE\xdb\xadN;k14;\xdcr\xad\x9e\xa8\xde\x95\xc3\xebw\xa0\xb1N\x8c~\xf1\xcfSY\xd5zX\xd7\x0f\vH\xe4\xb5(\xcf,3\xc98\x19\xefYq@\xd2I\x96\xfb\xc7\xa9\xae._{S\xd1\x9c\xad\x17\xdci\x9b\xca\x93\xafSM\xb8\x99\xd9|\xc2\xd8\xc9\xe7\xe9O\x99\xad\x19\xc3V]\xcc\xddR\xf7$\xaa\xb8\x18\xe0f\xb8\xff
|
||||||
|
|
||||||
|
|
||||||
|
# Could be apache-2.2 or earlier
|
||||||
|
# http://www.aota.net/forums/showthread.php?t=15796
|
||||||
|
# failJSON: { "time": "2003-11-14T16:11:55", "match": true , "host": "1.2.3.4" }
|
||||||
|
[Fri Nov 14 16:11:55 2003] [error] [client 1.2.3.4] request failed: erroneous characters after protocol string: User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; m18) Gecko/20001108 Netscape6/6.0
|
||||||
|
|
||||||
|
# http://forum.directadmin.com/showthread.php?t=22412
|
||||||
|
# failJSON: { "time": "2007-11-15T03:09:59", "match": true , "host": "89.189.71.87" }
|
||||||
|
[Thu Nov 15 03:09:59 2007] [error] [client 89.189.71.87] Invalid method in request NOOP
|
||||||
|
|
||||||
|
# https://issues.apache.org/bugzilla/show_bug.cgi?id=46123
|
||||||
|
# failJSON: { "time": "2008-10-29T11:55:14", "match": true , "host": "127.0.0.1" }
|
||||||
|
[Wed Oct 29 11:55:14 2008] [error] [client 127.0.0.1] Invalid method in request \x16\x03\x01 - possible attempt to establish SSL connection when the server isn't expecting it
|
||||||
|
|
|
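Review bot: none of the new apache-overflows samples carries an AH00xxx message ID or the httpd-2.4 `[client ip:port]` prefix, so the `(AH0013[456]: )?`, `(AH00565: )?` and `AH00566:` alternations added to the filter in this commit are not exercised by any failJSON case; add at least one 2.4-format line per new ID.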
@ -40,3 +40,6 @@
|
||||||
[2009-12-22 16:35:24] NOTICE[14916]: chan_sip.c:15644 handle_request_subscribe: Sending fake auth rejection for user <sip:CS@192.168.2.102>;tag=6pwd6erg54
|
[2009-12-22 16:35:24] NOTICE[14916]: chan_sip.c:15644 handle_request_subscribe: Sending fake auth rejection for user <sip:CS@192.168.2.102>;tag=6pwd6erg54
|
||||||
# failJSON: { "time": "2013-07-06T09:09:25", "match": true , "host": "141.255.164.106" }
|
# failJSON: { "time": "2013-07-06T09:09:25", "match": true , "host": "141.255.164.106" }
|
||||||
[2013-07-06 09:09:25] SECURITY[3308] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1373098165-824497",Severity="Error",Service="SIP",EventVersion="2",AccountID="972592891005",SessionID="0x88aab6c",LocalAddress="IPV4/UDP/92.28.73.180/5060",RemoteAddress="IPV4/UDP/141.255.164.106/5084",Challenge="41d26de5",ReceivedChallenge="41d26de5",ReceivedHash="7a6a3a2e95a05260aee612896e1b4a39"
[2013-07-06 09:09:25] SECURITY[3308] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1373098165-824497",Severity="Error",Service="SIP",EventVersion="2",AccountID="972592891005",SessionID="0x88aab6c",LocalAddress="IPV4/UDP/92.28.73.180/5060",RemoteAddress="IPV4/UDP/141.255.164.106/5084",Challenge="41d26de5",ReceivedChallenge="41d26de5",ReceivedHash="7a6a3a2e95a05260aee612896e1b4a39"
# failJSON: { "time": "2013-11-11T14:33:38", "match": true , "host": "192.168.55.152" }
[2013-11-11 14:33:38] WARNING[6756][C-0000001d] Ext. s: "Rejecting unknown SIP connection from 192.168.55.152"
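Review bot: the new `Rejecting unknown SIP connection from 192.168.55.152` sample is the only one in this hunk whose host sits inside a double-quoted message, so the regex for it must end the `<HOST>` capture before the closing `"`; the failJSON line should carry a `desc` saying so, and also that the `[C-0000001d]` call ID contains a hex digit, so a `\d+` pattern for that field would not match. The sshd samples further down in this commit use `desc` for exactly this kind of note, and the asterisk file would benefit from the same convention.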
@ -4,3 +4,21 @@
May 26 07:12:40 hamster roundcube: IMAP Error: Login failed for sales@example.com from 10.1.1.47
May 26 07:12:40 hamster roundcube: IMAP Error: Login failed for sales@example.com from 10.1.1.47
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" }
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" }
Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)
Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)
# Made up to attempts to inject a DoS on the server. Assume the user can manipulate the IMAP error response
#
# user = admin from 127.0.0.1
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" }
Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1 from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)
#
# IMAP server logs user=${username}
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" }
Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1 from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. user=admin from 127.0.0.1 in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)
#
# Old roundcube version - no IMAP response
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" }
Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1 from 1.2.3.4
#
# user = admin from 127.0.0.1 in
# failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" }
Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1 in from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. user=admin from 127.0.0.1 in in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login)
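Review bot: the header comment says to assume the attacker controls the IMAP error response, yet all four injected samples keep the response fixed at `AUTHENTICATE PLAIN: A0002 NO Login failed.` and vary only the username and the echoed `user=...` part; one case with a different tag and response text would show the regex does not lean on that literal. The expected host is `1.2.3.4` in every case, which is the right check, since the `127.0.0.1` decoy always precedes the real address and a pattern that takes the first ` from ` would ban the wrong host; the `... in from 1.2.3.4` sample also guards the ` in /usr/share/...` anchor, which deserves a word in its comment. Minor wording: `Made up to attempts to inject` should read `Made up to attempt to inject`.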
@ -100,3 +100,6 @@ Sep 29 17:15:02 spaceman sshd[12946]: Failed password for user from 127.0.0.1 po
# failJSON: { "time": "2004-09-29T17:15:02", "match": true , "host": "127.0.0.1", "desc": "Injecting while exhausting initially present {0,100} match length limits set for ruser etc" }
# failJSON: { "time": "2004-09-29T17:15:02", "match": true , "host": "127.0.0.1", "desc": "Injecting while exhausting initially present {0,100} match length limits set for ruser etc" }
Sep 29 17:15:02 spaceman sshd[12946]: Failed password for user from 127.0.0.1 port 20000 ssh1: ruser XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX from 1.2.3.4
Sep 29 17:15:02 spaceman sshd[12946]: Failed password for user from 127.0.0.1 port 20000 ssh1: ruser XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX from 1.2.3.4
# failJSON: { "time": "2004-11-11T08:04:51", "match": true , "host": "127.0.0.1", "desc": "Injecting on username ssh 'from 10.10.1.1'@localhost" }
Nov 11 08:04:51 redbamboo sshd[2737]: Failed password for invalid user from 10.10.1.1 from 127.0.0.1 port 58946 ssh2
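Review bot: the `ruser` sample's desc says it exhausts the `{0,100}` length limit, but there is no companion line just past the limit, so the test cannot tell whether the limit is enforced or merely reached; a second sample with a 101-character `ruser` value and an explicit `match` expectation would pin the boundary down. The `invalid user from 10.10.1.1 from 127.0.0.1 port 58946` sample relies on the fixed ` port <number>` suffix to select `127.0.0.1` over the decoy; stating that anchor in its desc (as the first sample's desc states the length limit) would make the intent clear to the next person touching the regex.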