diff --git a/config/filter.d/3proxy.conf b/config/filter.d/3proxy.conf
index b22b4588..299c3a29 100644
--- a/config/filter.d/3proxy.conf
+++ b/config/filter.d/3proxy.conf
@@ -1,18 +1,18 @@
-# Fail2Ban configuration file
+# Fail2Ban filter for 3proxy
 #
-# Author: Daniel Black
-#
-# Requested by ykimon in https://github.com/fail2ban/fail2ban/issues/246
 #
 
 [Definition]
 
-# Option: failregex
-# Notes.: http://www.3proxy.ru/howtoe.asp#ERRORS indicates that 01-09 are
-# all authentication problems (%E field)
-# Log format is: "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
-# Values: TEXT
-#
+
 failregex = ^\s[+-]\d{4} \S+ \d{3}0[1-9] \S+ :\d+ [\d.]+:\d+ \d+ \d+ \d+\s
 
 ignoreregex =
+
+# DEV Notes:
+# http://www.3proxy.ru/howtoe.asp#ERRORS indicates that 01-09 are
+# all authentication problems (%E field)
+# Log format is: "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
+#
+# Requested by ykimon in https://github.com/fail2ban/fail2ban/issues/246
+# Author: Daniel Black
diff --git a/config/filter.d/apache-auth.conf b/config/filter.d/apache-auth.conf
index b4061778..3df91c15 100644
--- a/config/filter.d/apache-auth.conf
+++ b/config/filter.d/apache-auth.conf
@@ -1,17 +1,33 @@ -# Fail2Ban configuration file -# -# Author: Cyril Jaquier -# +# Fail2Ban apache-auth filter # [INCLUDES] # Read common prefixes. If any customizations available -- read them from -# common.local +# apache-common.local before = apache-common.conf [Definition] + +failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*\s*$ + ^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$ + ^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$ + ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*\s*$ + ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$ + ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$ + ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*' in realm `.+' (not found|denied by provider): \S*\s*$ + ^%(_apache_error_client)s (AH01631: )?user .*: authorization failure for "\S*":\s*$ + ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+\s*$ + ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*' but expected `.+'\s*$ + ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*' received: \S*\s*$ + ^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*$ + ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .* received - user attempted time travel\s*$ + +ignoreregex = + +# DEV Notes: +# # This filter matches the authorization failures of Apache. It takes the log messages # from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or # HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR. 
@@ -34,23 +50,5 @@ before = apache-common.conf # ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$ # ^%(_apache_error_client)s (AH02486: )?realm mismatch - got `.*' but no realm specified\s*$ # -failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*\s*$ - ^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$ - ^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$ - ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*\s*$ - ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$ - ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$ - ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*' in realm `.+' (not found|denied by provider): \S*\s*$ - ^%(_apache_error_client)s (AH01631: )?user .*: authorization failure for "\S*":\s*$ - ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+\s*$ - ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*' but expected `.+'\s*$ - ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*' received: \S*\s*$ - ^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*$ - ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .* received - user attempted time travel\s*$ - - -# Option: ignoreregex -# Notes.: regex to ignore. If this regex matches, the line is ignored. -# Values: TEXT -# -ignoreregex = +# Author: Cyril Jaquier +# Major edits by Daniel Black diff --git a/config/filter.d/apache-badbots.conf b/config/filter.d/apache-badbots.conf index f9c79472..9ee44c69 100644 --- a/config/filter.d/apache-badbots.conf +++ b/config/filter.d/apache-badbots.conf 
@@ -1,27 +1,21 @@ # Fail2Ban configuration file # -# List of bad bots fetched from http://www.user-agents.org -# Generated on Sun Feb 11 01:09:15 EST 2007 by ./badbots.sh -# -# Author: Yaroslav Halchenko -# -# +# Regexp to catch known spambots and software alike. Please verify +# that it is your intent to block IPs which were driven by +# above mentioned bots. + [Definition] badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider badbots = atSpider/1\.0|autoemailspider|China Local Browse 2\.6|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|MVAClient|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|sogou spider|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 
\(compatible; MSIE 6\.0; Windows NT 5\.1\)|WebVulnCrawl\.blogspot\.com/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00 -# Option: failregex -# Notes.: Regexp to catch known spambots and software alike. Please verify -# that it is your intent to block IPs which were driven by -# above mentioned bots. -# Values: TEXT -# failregex = ^ -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$ -# Option: ignoreregex -# Notes.: regex to ignore. If this regex matches, the line is ignored. -# Values: TEXT -# ignoreregex = + +# DEV Notes: +# List of bad bots fetched from http://www.user-agents.org +# Generated on Sun Feb 11 01:09:15 EST 2007 by ./badbots.sh +# +# Author: Yaroslav Halchenko diff --git a/config/filter.d/apache-common.conf b/config/filter.d/apache-common.conf index 134fad29..ca8f2417 100644 --- a/config/filter.d/apache-common.conf +++ b/config/filter.d/apache-common.conf @@ -1,21 +1,20 @@ # Generic configuration items (to be used as interpolations) in other -# apache filters -# -# Author: Yaroslav Halchenko -# -# +# apache filters. [INCLUDES] # Load customizations if any available after = apache-common.local - [DEFAULT] +_apache_error_client = \[[^]]*\] \[(error|\S+:\S+)\]( \[pid \d+:\S+ \d+\])? \[client (:\d{1,5})?\] + # Common prefix for [error] apache messages which also would include # Depending on the version it could be # 2.2: [Sat Jun 01 11:23:08 2013] [error] [client 1.2.3.4] # 2.4: [Thu Jun 27 11:55:44.569531 2013] [core:info] [pid 4101:tid 2992634688] [client 1.2.3.4:46652] +# # Reference: https://github.com/fail2ban/fail2ban/issues/268 -_apache_error_client = \[[^]]*\] \[(error|\S+:\S+)\]( \[pid \d+:\S+ \d+\])? \[client (:\d{1,5})?\] +# +# Author: Yaroslav Halchenko diff --git a/config/filter.d/apache-nohome.conf b/config/filter.d/apache-nohome.conf index 0eede317..358d6d32 100644 --- a/config/filter.d/apache-nohome.conf +++ b/config/filter.d/apache-nohome.conf 
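Review bot: The relocated header comment in apache-badbots.conf now says "block IPs which were driven by above mentioned bots", but after the move the `badbots`/`badbotscustom` lists come below it, so the reference points the wrong way; suggest `# the bots listed below.`. Separately, in the unchanged `badbots` context line the fragment `LetsCrawl\.com/1\.0 +http\://letscrawl\.com/` looks like an unescaped `+` (it would quantify the preceding space rather than match the literal "+http" of that user agent), which appears to be a pre-existing escaping gap in the generated list rather than something this commit introduced; worth a look at the generator or a `\+` here.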
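Review bot: In apache-common.conf the `_apache_error_client` definition is moved to the top of `[DEFAULT]`, but the comment block that explains it ("Common prefix for [error] apache messages ... 2.2: ... 2.4: ... Reference: ...") stays below it, separated by a blank line and now followed by the author trailer, so a reader of the regex no longer sees its explanation next to it. Suggest keeping the explanatory block directly above the definition, or adding a one-line lead-in such as `# Prefix of apache [error] log lines (2.2 and 2.4 formats); see notes below` immediately before `_apache_error_client = ...`. Since every other filter interpolates this value, the line is the one place in the set where the format assumption should be documented at the point of definition.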
@@ -1,28 +1,20 @@ -# Fail2Ban configuration file -# -# Author: Yaroslav O. Halchenko -# +# Fail2Ban filter to web requests for home directories on Apache servers # +# Regex to match failures to find a home directory on a server, which +# became popular last days. Most often attacker just uses IP instead of +# domain name -- so expect to see them in generic error.log if you have +# per-domain log files. [INCLUDES] -# Read common prefixes. If any customizations available -- read them from -# common.local +# overwrite with apache-common.local if _apache_error_client is incorrect. before = apache-common.conf [Definition] -# Option: failregex -# Notes.: regex to match failures to find a home directory on a server, which -# became popular last days. Most often attacker just uses IP instead of -# domain name -- so expect to see them in generic error.log if you have -# per-domain log files. -# Values: TEXT -# + failregex = ^%(_apache_error_client)s (AH00128: )?File does not exist: .*/~.* -# Option: ignoreregex -# Notes.: regex to ignore. If this regex matches, the line is ignored. -# Values: TEXT -# ignoreregex = + +# Author: Yaroslav O. Halchenko diff --git a/config/filter.d/apache-noscript.conf b/config/filter.d/apache-noscript.conf index 295e1b9f..4ecf349a 100644 --- a/config/filter.d/apache-noscript.conf +++ b/config/filter.d/apache-noscript.conf 
@@ -1,29 +1,18 @@ -# Fail2Ban configuration file -# -# Author: Cyril Jaquier +# Fail2Ban filter to block web requests for scripts (on non scripted websites) # # [INCLUDES] -# Read common prefixes. If any customizations available -- read them from -# common.local +# overwrite with apache-common.local if _apache_error_client is incorrect. before = apache-common.conf [Definition] -# Option: failregex -# Notes.: regex to match the password failure messages in the logfile. The -# host must be matched by a group named "host". The tag "" can -# be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P[\w\-.^_]+) -# Values: TEXT -# failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$ ^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$ -# Option: ignoreregex -# Notes.: regex to ignore. If this regex matches, the line is ignored. -# Values: TEXT -# ignoreregex = + + +# Author: Cyril Jaquier diff --git a/config/filter.d/apache-overflows.conf b/config/filter.d/apache-overflows.conf index 1cf08db7..de1c770d 100644 --- a/config/filter.d/apache-overflows.conf +++ b/config/filter.d/apache-overflows.conf 
@@ -1,25 +1,15 @@ -# Fail2Ban configuration file -# -# Author: Tim Connors -# +# Fail2Ban filter to block web requests on a long or suspicious nature # [INCLUDES] -# Read common prefixes. If any customizations available -- read them from -# common.local +# overwrite with apache-common.local if _apache_error_client is incorrect. before = apache-common.conf [Definition] -# Option: failregex -# Notes.: Regexp to catch Apache overflow attempts. -# Values: TEXT -# failregex = ^%(_apache_error_client)s (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string) -# Option: ignoreregex -# Notes.: regex to ignore. If this regex matches, the line is ignored. -# Values: TEXT -# ignoreregex = + +# Author: Tim Connors diff --git a/config/filter.d/assp.conf b/config/filter.d/assp.conf index 2854d898..2aa8958c 100644 --- a/config/filter.d/assp.conf +++ b/config/filter.d/assp.conf 
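Review bot: The new header line `# Fail2Ban filter to block web requests on a long or suspicious nature` reads oddly; suggest `# Fail2Ban filter to block web requests of a long or suspicious nature`. The same kind of slip appears in other added header/DEV-Notes lines of this commit: exim-spam.conf and exim.conf gain `# The %(host_info) defination contains a match` (should be `definition`, and the interpolation is normally written `%(host_info)s`), mysqld-auth.conf keeps `unsuccesfull` in its new first line, and proftpd.conf adds `# Fail2Ban fitler for the Proftpd FTP daemon`. Since the commit's purpose is to normalize these headers, fixing the spelling while they are being rewritten would save a follow-up.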
@@ -1,33 +1,24 @@ -# Fail2Ban configuration file -# for Anti-Spam SMTP Proxy Server also known as ASSP +# Fail2Ban filter for Anti-Spam SMTP Proxy Server also known as ASSP +# # Honmepage: http://www.magicvillage.de/~Fritz_Borgstedt/assp/0003D91C-8000001C/ # ProjektSite: http://sourceforge.net/projects/assp/?source=directory # -# Author: Enrico Labedzki (enrico.labedzki@deiwos.de) # [Definition] -# Option: failregex -# Notes.: regex to match the SMTP failure messages in the logfile. The -# host must be matched by a group named "host". The tag "" can -# be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P\S+) -# Values: TEXT -# -# Examples: Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41); -# Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol; -# Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded __assp_actions = (?:dropping|refusing) failregex = ^(:? \[SSL-out\])? max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: \w+;$ ^(?: \[SSL-out\])? SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$ ^ Blocking - too much AUTH errors \(\d{,3}\);$ - -# Option: ignoreregex -# Notes.: regex to ignore. If this regex matches, the line is ignored. 
-# Values: TEXT -# ignoreregex = +# DEV Notes: +# +# Examples: Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41); +# Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol; +# Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded +# +# Author: Enrico Labedzki (enrico.labedzki@deiwos.de) diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf index fef43693..35906d11 100644 --- a/config/filter.d/asterisk.conf +++ b/config/filter.d/asterisk.conf @@ -1,22 +1,11 @@ -# Fail2Ban configuration file +# Fail2Ban filter for asterisk authentication failures # -# Author: Xavier Devlamynck -# -# - - -[INCLUDES] - -# Read common prefixes. If any customizations available -- read them from -# common.local -before = common.conf [Definition] -# Option: failregex -# Notes.: regex to match the password failures messages in the logfile. -# Values: TEXT -# +__pid_re = (?:\[\d+\]) + +# All Asterisk log messages begin like this: log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d* failregex = ^%(log_prefix)s Registration from '[^']*' failed for '(:\d+)?' - Wrong password$ 
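Review bot: In assp.conf the first `failregex` context line opens with `(:? \[SSL-out\])?` while the second uses `(?: \[SSL-out\])?`; the first form looks like a transposed non-capturing marker — as written it is a capturing group that also tolerates a stray leading colon — and the same line has an unescaped dot in `\d{1}\.\d{1}.\d{1}`. These are unchanged lines, so the commit does not touch them, but since the file's documentation is being rewritten here it is a good moment to tighten them: `^(?: \[SSL-out\])? max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}\.\d{1} Error: authentication failed: \w+;$`. A ban filter that matches more loosely than intended is harder to reason about when a false positive is reported.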
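Review bot: asterisk.conf drops the `[INCLUDES]`/`before = common.conf` block and adds a local `__pid_re = (?:\[\d+\])`, which duplicates the definition common.conf provides; nothing in the hunk records why the include was removed, so a one-line comment would help the next reader, e.g. `# common.conf is not included: asterisk's own log file carries no syslog prefix (local copy of __pid_re)` — the rationale is inferred, so confirm it before writing it. Style-wise the added `__pid_re = ...` uses `key = value` spacing while the adjacent `log_prefix= ...` context line has none; the file would read more consistently if `log_prefix = ...` were normalized at the same time.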
@@ -34,10 +23,7 @@ failregex = ^%(log_prefix)s Registration from '[^']*' failed for '(:\d+)?' ^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*>;tag=\w+\S*$ ^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P//\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$ -# Option: ignoreregex -# Notes.: regex to ignore. If this regex matches, the line is ignored. -# Values: TEXT -# ignoreregex = +# Author: Xavier Devlamynck diff --git a/config/filter.d/common.conf b/config/filter.d/common.conf index a74d223e..b992e4b8 100644 --- a/config/filter.d/common.conf +++ b/config/filter.d/common.conf @@ -1,9 +1,6 @@ # Generic configuration items (to be used as interpolations) in other # filters or actions configurations # -# Author: Yaroslav Halchenko -# -# [INCLUDES] @@ -49,7 +46,6 @@ __md5hex = (?:[\da-f]{2}:){15}[\da-f]{2} # appearing before the host as per testcases/files/logs/bsd/*. __bsd_syslog_verbose = (<[^.]+\.[^.]+>) -# # Common line prefixes (beginnings) which could be used in filters # # [bsdverbose]? [hostname] [vserver tag] daemon_id spaces @@ -57,3 +53,4 @@ __bsd_syslog_verbose = (<[^.]+\.[^.]+>) # This can be optional (for instance if we match named native log files) __prefix_line = \s*%(__bsd_syslog_verbose)s?\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s%(__daemon_extra_re)s?\s* +# Author: Yaroslav Halchenko diff --git a/config/filter.d/courierlogin.conf b/config/filter.d/courierlogin.conf index f096325e..1170a63a 100644 --- a/config/filter.d/courierlogin.conf +++ b/config/filter.d/courierlogin.conf 
@@ -1,8 +1,4 @@ -# Fail2Ban configuration file -# -# Author: Christoph Haas -# Modified by: Cyril Jaquier -# +# Fail2Ban filter for courier authentication failures # [INCLUDES] @@ -11,22 +7,13 @@ # common.local before = common.conf - [Definition] _daemon = (?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)? -# Option: failregex -# Notes.: regex to match the password failures messages in the logfile. The -# host must be matched by a group named "host". The tag "" can -# be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P[\w\-.^_]+) -# Values: TEXT -# failregex = ^%(__prefix_line)sLOGIN FAILED, user=.*, ip=\[\]$ -# Option: ignoreregex -# Notes.: regex to ignore. If this regex matches, the line is ignored. -# Values: TEXT -# ignoreregex = + +# Author: Christoph Haas +# Modified by: Cyril Jaquier diff --git a/config/filter.d/couriersmtp.conf b/config/filter.d/couriersmtp.conf index 65ffa5d7..2b9a13f2 100644 --- a/config/filter.d/couriersmtp.conf +++ b/config/filter.d/couriersmtp.conf @@ -1,6 +1,4 @@ -# Fail2Ban configuration file -# -# Author: Cyril Jaquier +# Fail2Ban filter to block relay attempts though a Courier smtp server # # @@ -10,22 +8,12 @@ # common.local before = common.conf - [Definition] _daemon = courieresmtpd -# Option: failregex -# Notes.: regex to match the password failures messages in the logfile. The -# host must be matched by a group named "host". The tag "" can -# be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P[\w\-.^_]+) -# Values: TEXT -# failregex = ^%(__prefix_line)serror,relay=,.*: 550 User unknown\.$ -# Option: ignoreregex -# Notes.: regex to ignore. If this regex matches, the line is ignored. -# Values: TEXT -# ignoreregex = + +# Author: Cyril Jaquier diff --git a/config/filter.d/cyrus-imap.conf b/config/filter.d/cyrus-imap.conf index 0ace92c1..3560234e 100644 --- a/config/filter.d/cyrus-imap.conf +++ b/config/filter.d/cyrus-imap.conf 
@@ -1,6 +1,5 @@ -# Fail2Ban configuration file +# Fail2Ban filter for authentication failures on Cyrus imap server # -# Author: Jan Wagner # # @@ -10,22 +9,12 @@ # common.local before = common.conf - [Definition] _daemon = (?:cyrus/)?(?:imapd?|pop3d?) -# Option: failregex -# Notes.: regex to match the password failures messages in the logfile. The -# host must be matched by a group named "host". The tag "" can -# be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P[\w\-.^_]+) -# Values: TEXT -# failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[\] \S+ .*?\[?SASL\(-13\): authentication failure: .*\]?$ -# Option: ignoreregex -# Notes.: regex to ignore. If this regex matches, the line is ignored. -# Values: TEXT -# ignoreregex = + +# Author: Jan Wagner diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf index dd0e7678..2caa04b3 100644 --- a/config/filter.d/dovecot.conf +++ b/config/filter.d/dovecot.conf @@ -1,7 +1,5 @@ -# Fail2Ban configuration file for dovecot +# Fail2Ban filter Dovecot authentication and pop3/imap server # -# Author: Martin Waschbuesch -# Daniel Black (rewrote with begin and end anchors) [INCLUDES] 
@@ -10,17 +8,16 @@ before = common.conf [Definition] _daemon = (auth|dovecot(-auth)?|auth-worker) -# Option: failregex -# Notes.: regex to match the password failures messages in the logfile. -# first regex is essentially a copy of pam-generic.conf -# Values: TEXT -# + failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(\s+user=\S*)?\s*$ ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use disabled \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$ ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$ -# Option: ignoreregex -# Notes.: regex to ignore. If this regex matches, the line is ignored. -# Values: TEXT -# ignoreregex = + +# DEV Notes: +# * the first regex is essentially a copy of pam-generic.conf +# * Probably doesn't do dovecot sql/ldap backends properly +# +# Author: Martin Waschbuesch +# Daniel Black (rewrote with begin and end anchors) diff --git a/config/filter.d/exim-common.conf b/config/filter.d/exim-common.conf index 79d6ffbb..1c0a0a20 100644 --- a/config/filter.d/exim-common.conf +++ b/config/filter.d/exim-common.conf 
@@ -1,17 +1,18 @@ -# Fail2Ban configuration file for exim -# -# Author: Daniel Black +# Fail2Ban filter file for common exim expressions # +# This is to be used by other exim filters [INCLUDES] # Load customizations if any available -# after = exim-common.local [Definition] -# From exim source code: ./src/receive.c:add_host_info_for_log host_info = H=([\w.-]+ )?(\(\S+\) )?\[\](:\d+)? (I=\[\S+\]:\d+ )?(U=\S+ )?(P=e?smtp )? pid = ( \[\d+\])? +# DEV Notes: +# From exim source code: ./src/receive.c:add_host_info_for_log +# +# Author: Daniel Black diff --git a/config/filter.d/exim-spam.conf b/config/filter.d/exim-spam.conf index 55a6f5dd..15737b2f 100644 --- a/config/filter.d/exim-spam.conf +++ b/config/filter.d/exim-spam.conf @@ -1,9 +1,5 @@ -# Fail2Ban configuration file +# Fail2Ban filter for exim the spam rejection messages # -# Author: Cyril Jaquier -# Daniel Black (rewrote with strong regexs) -# - [INCLUDES] @@ -11,19 +7,16 @@ # exim-common.local before = exim-common.conf - [Definition] -# Option: failregex -# Notes.: This includes the spam rejection messages of exim. -# Note the %(host_info) defination contains a match - failregex = ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$ ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: .*dnsbl.*\s*$ ^%(pid)s \S+ %(host_info)sF=(<>|[^@]+@\S+) rejected after DATA: This message contains a virus \(\S+\)\.\s*$ -# Option: ignoreregex -# Notes.: regex to ignore. If this regex matches, the line is ignored. -# Values: TEXT -# ignoreregex = + +# DEV Notes: +# The %(host_info) defination contains a match +# +# Author: Cyril Jaquier +# Daniel Black (rewrote with strong regexs) diff --git a/config/filter.d/exim.conf b/config/filter.d/exim.conf index a30c9503..5f786594 100644 --- a/config/filter.d/exim.conf +++ b/config/filter.d/exim.conf 
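Review bot: exim-common.conf's `[INCLUDES]` section now consists only of the comment `# Load customizations if any available` with nothing loaded, since the commented-out `# after = exim-common.local` line is removed rather than enabled; the sibling exim.conf and exim-spam.conf hunks still tell users to put customizations in exim-common.local, so that file would be silently ignored. Either activate the line as `after = exim-common.local`, matching `after = apache-common.local` in the apache-common.conf hunk of this same commit, or drop the comment and the references so the documented customization point is not misleading. The exim-common hunk covers the whole file, so no other include exists outside it.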
@@ -1,7 +1,7 @@ -# Fail2Ban configuration file +# Fail2Ban filter for exim # -# Author: Cyril Jaquier -# Daniel Black (rewrote with strong regexs) +# This includes the rejection messages of exim. For spam and filter +# related bans use the exim-spam.conf # @@ -11,22 +11,18 @@ # exim-common.local before = exim-common.conf - [Definition] -# Option: failregex -# Notes.: This includes the rejection messages of exim. For spam and filter -# related bans use the exim-spam.conf -# Note the %(host_info) defination contains a match - failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$ ^%(pid)s (plain|login) authenticator failed for (\S+ )?\(\S+\) \[\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$ ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$ ^%(pid)s SMTP protocol synchronization error \(.*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$ ^%(pid)s SMTP call from \S+ \[\](:\d+)? (I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$ -# Option: ignoreregex -# Notes.: regex to ignore. If this regex matches, the line is ignored. -# Values: TEXT -# ignoreregex = + +# DEV Notes: +# The %(host_info) defination contains a match +# +# Author: Cyril Jaquier +# Daniel Black (rewrote with strong regexs) diff --git a/config/filter.d/gssftpd.conf b/config/filter.d/gssftpd.conf index 5bce817b..5f9fb6a7 100644 --- a/config/filter.d/gssftpd.conf +++ b/config/filter.d/gssftpd.conf @@ -1,7 +1,4 @@ -# Fail2Ban configuration file for gssftp -# -# Author: Kevin Zembower -# Edited: Daniel Black - syslog based daemon +# Fail2Ban filter file for gssftp # # Note: gssftp is part of the krb5-appl-servers in Fedora # 
@@ -16,3 +13,6 @@ _daemon = ftpd failregex = ^%(__prefix_line)srepeated login failures from \(\S+\)$ ignoreregex = + +# Author: Kevin Zembower +# Edited: Daniel Black - syslog based daemon diff --git a/config/filter.d/lighttpd-auth.conf b/config/filter.d/lighttpd-auth.conf index b59a98a2..3bd01f29 100644 --- a/config/filter.d/lighttpd-auth.conf +++ b/config/filter.d/lighttpd-auth.conf @@ -1,18 +1,10 @@ -# Fail2Ban configuration file -# -# Author: Francois Boulogne +# Fail2Ban filter to match wrong passwords as notified by lighttpd's auth Module # [Definition] -# Option: failregex -# Notes.: regex to match wrong passwords as notified by lighttpd's auth Module -# Values: TEXT -# failregex = ^: \(http_auth\.c\.\d+\) (password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: \s*$ -# Option: ignoreregex -# Notes.: regex to ignore. If this regex matches, the line is ignored. -# Values: TEXT -# ignoreregex = + +# Author: Francois Boulogne diff --git a/config/filter.d/mysqld-auth.conf b/config/filter.d/mysqld-auth.conf index 82c941ff..92dc9a99 100644 --- a/config/filter.d/mysqld-auth.conf +++ b/config/filter.d/mysqld-auth.conf @@ -1,7 +1,5 @@ -# Fail2Ban configuration file for unsuccesfull MySQL authentication attempts +# Fail2Ban filter for unsuccesfull MySQL authentication attempts # -# Authors: Artur Penttinen -# Yaroslav O. Halchenko # # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld]: # log-error=/var/log/mysqld.log 
@@ -15,23 +13,20 @@ # common.local before = common.conf - [Definition] _daemon = mysqld -# Option: failregex -# Notes.: regex to match the password failures messages in the logfile. The -# host must be matched by a group named "host". The tag "" can -# be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P[\w\-.^_]+) -# Values: TEXT -# 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES) -# failregex = ^%(__prefix_line)s(\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[Warning\] Access denied for user '\w+'@'' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$ -# Option: ignoreregex -# Notes.: regex to ignore. If this regex matches, the line is ignored. -# Values: TEXT -# ignoreregex = + +# DEV Notes: +# +# Technically __prefix_line can equate to an empty string hence it can support +# syslog and non-syslog at once. +# Example: +# 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES) +# +# Authors: Artur Penttinen +# Yaroslav O. Halchenko diff --git a/config/filter.d/named-refused.conf b/config/filter.d/named-refused.conf index c53aa3e1..be997bd4 100644 --- a/config/filter.d/named-refused.conf +++ b/config/filter.d/named-refused.conf @@ -1,13 +1,12 @@ -# Fail2Ban configuration file for named (bind9). Trying to generalize the -# structure which is general to capture general patterns in log -# lines to cover different configurations/distributions +# Fail2Ban filter file for named (bind9). # -# Author: Yaroslav Halchenko + +# This filter blocks attacks against named (bind9) however it requires special +# configuration on bind. # -# This filter blocks attacks against named (bind9). +# By default, logging is off with bind9 installation. # -# By default, logging is off -# with bind9 installation. You will need something like this: +# You will need something like this in your named.conf to provide proper logging. # # logging { # channel security_file { 
@@ -19,29 +18,31 @@ # security_file; # }; # }; -# -# in your named.conf to provide proper logging. [Definition] -# # Daemon name _daemon=named -# # Shortcuts for easier comprehension of the failregex + __pid_re=(?:\[\d+\]) __daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:? __daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:) + # hostname daemon_id spaces # this can be optional (for instance if we match named native log files) __line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)? - -# note - (\.\d+)? is a really ugly catch of the microseconds not captured in -# in the date detector -# failregex = ^%(__line_prefix)s(\.\d+)?( error:)?\s*client #\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$ ^%(__line_prefix)s(\.\d+)?( error:)?\s*client #\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$ ^%(__line_prefix)s(\.\d+)?( error:)?\s*client #\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$ +# DEV Notes: +# Trying to generalize the +# structure which is general to capture general patterns in log +# lines to cover different configurations/distributions +# +# (\.\d+)? is a really ugly catch of the microseconds not captured in the date detector +# +# Author: Yaroslav Halchenko diff --git a/config/filter.d/pam-generic.conf b/config/filter.d/pam-generic.conf index 15aadf3e..aea47529 100644 --- a/config/filter.d/pam-generic.conf +++ b/config/filter.d/pam-generic.conf 
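Review bot: named-refused.conf's `[Definition]` section ends with the three `failregex` lines and then goes straight to `# DEV Notes:`; there is no `ignoreregex =` key, whereas every other filter in this commit carries one and perdition.conf even gains one in this same change set. If the filter reader treats the key as optional this is a consistency point only, but if it expects the key to be present it is a load-time problem, so it is worth adding `ignoreregex =` after the last failregex line, before the `# DEV Notes:` block. The failregex lines themselves are unchanged context here.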
@@ -1,35 +1,29 @@ # Fail2Ban configuration file for generic PAM authentication errors # -# Author: Yaroslav Halchenko -# -# + [INCLUDES] before = common.conf [Definition] -# if you want to catch only login erros from specific daemons, use smth like +# if you want to catch only login errors from specific daemons, use something like #_ttys_re=(?:ssh|pure-ftpd|ftp) -# To catch all failed logins +# +# Default: catch all failed logins _ttys_re=\S* __pam_re=\(?pam_unix(?:\(\S+\))?\)?:? _daemon = \S+ -# Option: failregex -# Notes.: regex to match the password failures messages in the logfile. -# Values: TEXT -# failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=(?:\s+user=.*)?\s*$ -# for linux-pam before 0.99.2.0 (late 2005) +ignoreregex = + +# DEV Notes: +# +# for linux-pam before 0.99.2.0 (late 2005) (removed before 0.8.11 release) # _daemon = \S*\(?pam_unix\)? # failregex = ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=(?:\s+user=.*)?\s*$ - - -# Option: ignoreregex -# Notes.: regex to ignore. If this regex matches, the line is ignored. -# Values: TEXT # -ignoreregex = +# Author: Yaroslav Halchenko diff --git a/config/filter.d/perdition.conf b/config/filter.d/perdition.conf index 7fdca14b..c47dcac4 100644 --- a/config/filter.d/perdition.conf +++ b/config/filter.d/perdition.conf @@ -1,6 +1,4 @@ -# Fail2Ban configuration file -# -# Author: Christophe Carles and Daniel Black +# Fail2Ban filter for perdition # # 
@@ -14,3 +12,7 @@ _daemon=perdition.\S+
 failregex = ^%(__prefix_line)sAuth: :\d+->(\d{1,3}\.){3}\d{1,3}:\d+ client-secure=\S+ authorisation_id=NONE authentication_id=".+" server="\S+" protocol=\S+ server-secure=\S+ status="failed: (local authentication failure|Re-Authentication Failure)"$
 ^%(__prefix_line)sFatal Error reading authentication information from client :\d+->(\d{1,3}\.){3}\d{1,3}:\d+: Exiting child$
 
+
+ignoreregex =
+
+# Author: Christophe Carles and Daniel Black
diff --git a/config/filter.d/php-url-fopen.conf b/config/filter.d/php-url-fopen.conf
index 68927e06..87bd04c8 100644
--- a/config/filter.d/php-url-fopen.conf
+++ b/config/filter.d/php-url-fopen.conf
@@ -1,23 +1,20 @@
-# Fail2Ban configuration file
+# Fail2Ban filter for URLs with a URL as a script parameters
+# which can be an indication of a fopen url php injection
+#
+# Example of web requests in Apache access log:
+# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
+
+[Definition]
+
+failregex = ^ -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
+
+ignoreregex =
+
+# DEV Notes:
 #
-# Author: Arturo 'Buanzo' Busleiman
 # Version 2
 # fixes the failregex so REFERERS that contain =http:// don't get blocked
 # (mentioned by "fasuto" (no real email provided... blog comment) in this entry:
 # http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489
 #
-
-[Definition]
-
-# Option: failregex
-# Notes.: regex to match this kind of request:
-#
-# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
-#
-failregex = ^ -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
-
-# Option: ignoreregex
-# Notes.: regex to ignore. If this regex matches, the line is ignored.
-# Values: TEXT
-#
-ignoreregex =
+# Author: Arturo 'Buanzo' Busleiman
diff --git a/config/filter.d/postfix-sasl.conf b/config/filter.d/postfix-sasl.conf
index c720abc1..d232f86e 100644
--- a/config/filter.d/postfix-sasl.conf
+++ b/config/filter.d/postfix-sasl.conf
@@ -1,7 +1,4 @@
-# Fail2Ban configuration file
-#
-# Author: Yaroslav Halchenko
-#
+# Fail2Ban filter for postfix authentication failures
 #
 [INCLUDES]
@@ -14,3 +11,4 @@ _daemon = postfix/smtpd
 failregex = ^%(__prefix_line)swarning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
+# Author: Yaroslav Halchenko
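Review bot: postfix-sasl.conf's second hunk appends `# Author: Yaroslav Halchenko` directly after `failregex` and, unlike perdition.conf in this same commit, adds no `ignoreregex =`. The hunk covers old lines 14–16 and I cannot see past it, so if the file does define `ignoreregex` further down this is moot; if it does not, adding `ignoreregex =` followed by a blank line before the author trailer would keep the file consistent with the other filters touched here.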
diff --git a/config/filter.d/postfix.conf b/config/filter.d/postfix.conf
index da981733..fd8519c9 100644
--- a/config/filter.d/postfix.conf
+++ b/config/filter.d/postfix.conf
@@ -1,6 +1,4 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
+# Fail2Ban filter for selected Postfix SMTP rejections
 #
 #
@@ -10,24 +8,14 @@
 # common.local
 before = common.conf
-
 [Definition]
 _daemon = postfix/smtpd
-# Option: failregex
-# Notes.: regex to match the password failures messages in the logfile. The
-# host must be matched by a group named "host". The tag "" can
-# be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P[\w\-.^_]+)
-# Values: TEXT
-#
 failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 554 5\.7\.1 .*$
 ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
 ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[\]: 550 5\.1\.1 .*$
-# Option: ignoreregex
-# Notes.: regex to ignore. If this regex matches, the line is ignored.
-# Values: TEXT
-#
 ignoreregex =
+
+# Author: Cyril Jaquier
diff --git a/config/filter.d/proftpd.conf b/config/filter.d/proftpd.conf
index 66e4b6e7..bf8f9b5f 100644
--- a/config/filter.d/proftpd.conf
+++ b/config/filter.d/proftpd.conf
@@ -1,7 +1,4 @@
-# Fail2Ban configuration file
-#
-# Author: Yaroslav Halchenko
-# Daniel Black - hardening of regex
+# Fail2Ban fitler for the Proftpd FTP daemon
 #
 [INCLUDES]
@@ -20,3 +17,6 @@ failregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ USER .*: no
 ^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$
 ignoreregex =
+
+# Author: Yaroslav Halchenko
+# Daniel Black - hardening of regex
diff --git a/config/filter.d/pure-ftpd.conf b/config/filter.d/pure-ftpd.conf
index 2f910b8a..1698c9ec 100644
--- a/config/filter.d/pure-ftpd.conf
+++ b/config/filter.d/pure-ftpd.conf
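Review bot: The new proftpd.conf header line has a typo, `fitler`; it should read `# Fail2Ban filter for the Proftpd FTP daemon`. This is the first line anyone browsing filter.d sees for the file, so it is worth correcting in the same commit that rewrites it.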
@@ -1,7 +1,5 @@
-# Fail2Ban configuration file
+# Fail2Ban filter for pureftp
 #
-# Author: Cyril Jaquier
-# Modified: Yaroslav Halchenko for pure-ftpd
 #
 #
 [INCLUDES]
@@ -13,22 +11,9 @@ before = common.conf
 # Error message specified in multiple languages
 __errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)
-#
-# Option: failregex
-# Notes.: regex to match the password failures messages in the logfile. The
-# host must be matched by a group named "host". The tag "" can
-# be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P[\w\-.^_]+)
-# Values: TEXT
-#
-#
-_daemon = pure-ftpd
-
 failregex = ^%(__prefix_line)s\(.+?@\) \[WARNING\] %(__errmsg)s \[.+\]\s*$
-# Option: ignoreregex
-# Notes.: regex to ignore. If this regex matches, the line is ignored.
-# Values: TEXT
-#
 ignoreregex =
+# Author: Cyril Jaquier
+# Modified: Yaroslav Halchenko for pure-ftpd
diff --git a/config/filter.d/qmail.conf b/config/filter.d/qmail.conf
index f1f47e01..62d499ce 100644
--- a/config/filter.d/qmail.conf
+++ b/config/filter.d/qmail.conf
@@ -1,8 +1,11 @@
-# Fail2Ban configuration file
+# Fail2Ban filters for qmail RBL patches/fake proxies
 #
-# Author: Daniel Black
+# the default djb RBL implementation doesn't log any rejections
+# so is useless with this filter.
 #
+# One patch is here:
 #
+# http://www.tjsi.com/rblsmtpd/faq/ patch to rblsmtpd
 [INCLUDES]
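Review bot: The second pure-ftpd.conf hunk removes `_daemon = pure-ftpd` together with the comment block around it and nothing in either hunk re-adds it, which is a behaviour change in what is otherwise a documentation-only pass. If `__prefix_line` from common.conf is built from `_daemon` — the other filters in this diff set `_daemon` per daemon for that purpose — the filter now either falls back to whatever default common.conf provides, so the `[WARNING] Authentication failed` pattern is no longer tied to the pure-ftpd syslog identifier, or fails to interpolate if there is no default. Restore `_daemon = pure-ftpd` above `failregex`. The new header `# Fail2Ban filter for pureftp` also misnames the daemon; the rest of the file spells it pure-ftpd.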
@@ -12,11 +15,17 @@ before = common.conf
 _daemon = (?:qmail|rblsmtpd)
-#
-# These seem to be for two or 3 different patches to qmail or rblsmtpd
-# so you'll probably only ever see one of these.
-
 failregex = ^%(__prefix_line)s\d+\.\d+ rblsmtpd: pid \d+ \S+ 4\d\d \S+\s*$
 ^%(__prefix_line)s\d+\.\d+ qmail-smtpd: 4\d\d badiprbl: ip rbl: \S+\s*$
 ^%(__prefix_line)s\S+ blocked \S+ -\s*$
+ignoreregex =
+
+# DEV Notes:
+#
+# These seem to be for two or 3 different patches to qmail or rblsmtpd
+# so you'll probably only ever see one of these regex's that match.
+#
+# ref: https://github.com/fail2ban/fail2ban/pull/386
+#
+# Author: Daniel Black
diff --git a/config/filter.d/recidive.conf b/config/filter.d/recidive.conf
index 617e008a..b29acaf3 100644
--- a/config/filter.d/recidive.conf
+++ b/config/filter.d/recidive.conf
@@ -1,9 +1,8 @@
-# Fail2Ban configuration file
+# Fail2Ban filter for repeat bans
 #
-# Author: Tom Hendrikx, modifications by Amir Caspi
-#
 # This filter monitors the fail2ban log file, and enables you to add long
 # time bans for ip addresses that get banned by fail2ban multiple times.
+#
 # Reasons to use this: block very persistent attackers for a longer time,
 # stop receiving email notifications about the same attacker over and
 # over again.
@@ -13,8 +12,6 @@
 # drawbacks, namely in that it works only with iptables, or if you use a
 # different blocking mechanism for this jail versus others (e.g. hostsdeny
 # for most jails, and shorewall for this one).
-#
-
 [INCLUDES]
@@ -26,10 +23,10 @@ before = common.conf
 _daemon = fail2ban\.actions
-
 # The name of the jail that this filter is used for. In jail.conf, name the
 # jail using this filter 'recidive', or change this line!
 _jailname = recidive
 failregex = ^(%(__prefix_line)s|,\d{3} fail2ban.actions:\s+)WARNING\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+\s*$
+# Author: Tom Hendrikx, modifications by Amir Caspi
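Review bot: The rewritten qmail.conf DEV note reads `one of these regex's that match`, using an apostrophe for a plural; `# so you'll probably only ever see one of these regexes match.` says the same thing cleanly. The note is the only place that records why three unrelated patterns live in one failregex, so it is worth keeping readable.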
diff --git a/config/filter.d/roundcube-auth.conf b/config/filter.d/roundcube-auth.conf
index d36f5fef..279c5edd 100644
--- a/config/filter.d/roundcube-auth.conf
+++ b/config/filter.d/roundcube-auth.conf
@@ -1,6 +1,5 @@
 # Fail2Ban configuration file for roundcube web server
 #
-# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge
 #
 #
@@ -10,17 +9,8 @@ before = common.conf
 [Definition]
-# Option: failregex
-# Notes.: regex to match the password failure messages in the logfile. The
-# host must be matched by a group named "host". The tag "" can
-# be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P[\w\-.^_]+)
-# Values: TEXT
-#
 failregex = ^\s*(\[(\s[+-][0-9]{4})?\])?(%(__hostname)s roundcube: IMAP Error)?: (FAILED login|Login failed) for .*? from (\. AUTHENTICATE .*)?\s*$
-# Option: ignoreregex
-# Notes.: regex to ignore. If this regex matches, the line is ignored.
-# Values: TEXT
-#
 ignoreregex =
+
+# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge
diff --git a/config/filter.d/selinux-common.conf b/config/filter.d/selinux-common.conf
index 333b43f2..7269e8f7 100644
--- a/config/filter.d/selinux-common.conf
+++ b/config/filter.d/selinux-common.conf
@@ -1,7 +1,5 @@
 # Fail2Ban configuration file for generic SELinux audit messages
 #
-# Author: Daniel Black
-#
 # This file is not intended to be used directly, and should be included into a
 # filter file which would define following variables. See selinux-ssh.conf as
 # and example.
@@ -13,9 +11,11 @@
 # _msg
 #
 # Also one of these variables must include .
-#
+
 [Definition]
 failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$
 ignoreregex =
+
+# Author: Daniel Black
diff --git a/config/filter.d/selinux-ssh.conf b/config/filter.d/selinux-ssh.conf
index 6e563a13..6955094f 100644
--- a/config/filter.d/selinux-ssh.conf
+++ b/config/filter.d/selinux-ssh.conf
@@ -1,11 +1,6 @@
 # Fail2Ban configuration file for SELinux ssh authentication errors
 #
-# Author: Daniel Black
-#
-#
-# Note: USER_LOGIN is ignored as this is the duplicate messsage
-# ssh logs after 3 USER_AUTH failures.
-#
+
 [INCLUDES]
 after = selinux-common.conf
@@ -22,3 +17,9 @@ _terminal = ssh
 _msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr= terminal=%(_terminal)s res=failed
+# DEV Notes:
+#
+# Note: USER_LOGIN is ignored as this is the duplicate messsage
+# ssh logs after 3 USER_AUTH failures.
+#
+# Author: Daniel Black
diff --git a/config/filter.d/sieve.conf b/config/filter.d/sieve.conf
index b2af6774..999b68a4 100644
--- a/config/filter.d/sieve.conf
+++ b/config/filter.d/sieve.conf
@@ -1,7 +1,4 @@
-# Fail2Ban configuration file
-#
-# Author: Jan Wagner
-#
+# Fail2Ban filter for sieve authentication failures
 #
 [INCLUDES]
@@ -10,21 +7,12 @@
 # common.local
 before = common.conf
-
 [Definition]
 _deamon = (?:cyrus/)?(?:tim)?sieved?
-# Option: failregex
-# Notes.: regex to match the password failures messages in the logfile. The
-# host must be matched by a group named "host". The tag "" can
-# be used for standard IP/hostname matching.
-# Values: TEXT
-#
 failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[\] \S+ authentication failure$
-# Option: ignoreregex
-# Notes.: regex to ignore. If this regex matches, the line is ignored.
-# Values: TEXT
-#
 ignoreregex =
+
+# Author: Jan Wagner
diff --git a/config/filter.d/sogo-auth.conf b/config/filter.d/sogo-auth.conf
index 41e5bf46..d56c94f7 100644
--- a/config/filter.d/sogo-auth.conf
+++ b/config/filter.d/sogo-auth.conf
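Review bot: The DEV note moved to the bottom of selinux-ssh.conf carries the old typo `messsage`; since the line is being rewritten anyway, make it `# Note: USER_LOGIN is ignored as this is the duplicate message`. That note is the only record of why the filter matches USER_AUTH and deliberately not USER_LOGIN, so it is the one comment in the file worth reading cleanly.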
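Review bot: The sieve.conf context line `_deamon = (?:cyrus/)?(?:tim)?sieved?` spells the key `_deamon`, while every other filter in this diff names it `_daemon`; the commit rewrites the lines around it but leaves the key alone. If `__prefix_line` in common.conf is built from `_daemon`, the sieve-specific daemon pattern is never applied and the prefix falls back to the common default, so `badlogin: … authentication failure` is accepted from any syslog source rather than from sieved only. `_daemon = (?:cyrus/)?(?:tim)?sieved?` is the one-line fix. The [Definition] section begins inside this hunk; the rest of the file is outside it.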
@@ -1,20 +1,17 @@
-# /etc/fail2ban/filter.d/sogo-auth.conf
-#
-# Fail2Ban configuration file
-# By Arnd Brandes
-# SOGo
+# Fail2ban filter for SOGo authentcation
 #
+# Log file usually in /var/log/sogo/sogo.log
 [Definition]
-# Option: failregex
-# Filter Ban in /var/log/sogo/sogo.log
-# Note: the error log may contain multiple hosts, whereas the first one
-# is the client and all others are poxys. We match the first one, only
 failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '' for user '.*' might not have worked( - password policy: \d* grace: -?\d* expire: -?\d* bound: -?\d*)?\s*$
-# Option: ignoreregex
-# Notes.: regex to ignore. If this regex matches, the line is ignored.
-# Values: TEXT
-#
 ignoreregex =
+
+#
+# DEV Notes:
+#
+# The error log may contain multiple hosts, whereas the first one
+# is the client and all others are poxys. We match the first one, only
+#
+# Author: Arnd Brandes
diff --git a/config/filter.d/sshd-ddos.conf b/config/filter.d/sshd-ddos.conf
index 58698ced..1fa87238 100644
--- a/config/filter.d/sshd-ddos.conf
+++ b/config/filter.d/sshd-ddos.conf
@@ -1,6 +1,4 @@
-# Fail2Ban configuration file
-#
-# Author: Yaroslav Halchenko
+# Fail2Ban ssh filter for at attempted exploit
 #
 # The regex here also relates to a exploit:
 #
@@ -20,17 +18,8 @@ before = common.conf
 _daemon = sshd
-# Option: failregex
-# Notes.: regex to match the password failures messages in the logfile. The
-# host must be matched by a group named "host". The tag "" can
-# be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P[\w\-.^_]+)
-# Values: TEXT
-#
 failregex = ^%(__prefix_line)sDid not receive identification string from \s*$
-# Option: ignoreregex
-# Notes.: regex to ignore. If this regex matches, the line is ignored.
-# Values: TEXT
-#
 ignoreregex =
+
+# Author: Yaroslav Halchenko
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index c4deb03a..08456177 100644
--- a/config/filter.d/sshd.conf
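Review bot: The new sogo-auth.conf header has a typo, `authentcation`; write it as `# Fail2Ban filter for SOGo authentication` (the other headers in this diff also spell the project Fail2Ban, not Fail2ban). The DEV note moved to the bottom keeps `poxys` for proxies, and that sentence is the one that explains why only the first host in the log line is the banned client, so it deserves a clean reading: `# is the client and all others are proxies. We match the first one, only`.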
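Review bot: The new sshd-ddos.conf header `# Fail2Ban ssh filter for at attempted exploit` has a stray `at`; `# Fail2Ban ssh filter for an attempted exploit` reads correctly. The context line just below, `# The regex here also relates to a exploit:`, is left untouched by the commit and could take `an exploit` in the same edit.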
+++ b/config/filter.d/sshd.conf
@@ -1,7 +1,4 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-#
+# Fail2Ban filter for openssh
 #
 [INCLUDES]
@@ -15,15 +12,6 @@ before = common.conf
 _daemon = sshd
-# Option: failregex
-# Notes.: regex to match the password failures messages in the logfile. The
-# host must be matched by a group named "host". The tag "" can
-# be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P[\w\-.^_]+)
-# Values: TEXT
-#
-#
-
 failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from ( via \S+)?\s*$
 ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from \s*$
 ^%(__prefix_line)sFailed \S+ for .* from (?: port \d*)?(?: ssh\d*)?(: (ruser .{0,100}|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".{0,100}", client host ".{0,100}")?))?\s*$
@@ -36,8 +24,6 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|erro
 ^%(__prefix_line)sUser .+ from not allowed because a group is listed in DenyGroups\s*$
 ^%(__prefix_line)sUser .+ from not allowed because none of user's groups are listed in AllowGroups\s*$
-# Option: ignoreregex
-# Notes.: regex to ignore. If this regex matches, the line is ignored.
-# Values: TEXT
-#
 ignoreregex =
+
+# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black
diff --git a/config/filter.d/suhosin.conf b/config/filter.d/suhosin.conf
index f0bcea77..f125eadc 100644
--- a/config/filter.d/suhosin.conf
+++ b/config/filter.d/suhosin.conf
@@ -1,6 +1,6 @@
-# Fail2Ban configuration file
+# Fail2Ban filter for suhosian PHP hardening
 #
-# Author: Arturo 'Buanzo' Busleiman
+# This occurs with lighttpd or directly from the plugin
 #
 [INCLUDES]
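Review bot: The new suhosin.conf header misspells the project as `suhosian`; the file name, the `_daemon = (?:lighttpd|suhosin)` value and the log.c link in the next hunk all use `suhosin`, so write `# Fail2Ban filter for suhosin PHP hardening`. The added line `# This occurs with lighttpd or directly from the plugin` has no antecedent for `This`; saying what is meant, e.g. `# ALERT lines are logged either through lighttpd's FastCGI module or directly by the suhosin extension`, would match what `_lighttpd_prefix` and `_daemon` express in the [Definition] section that follows.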
@@ -14,18 +14,15 @@ before = common.conf
 _daemon = (?:lighttpd|suhosin)
-# Option: failregex
-# Notes.: regex to match ALERTS as notified by lighttpd's FastCGI Module
-# Values: TEXT
-#
-# https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161
 _lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s)
 failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .* \(attacker '', file '.*'(?:, line \d+)?\)$
-# Option: ignoreregex
-# Notes.: regex to ignore. If this regex matches, the line is ignored.
-# Values: TEXT
-#
 ignoreregex =
+
+# DEV Notes:
+#
+# https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161
+#
+# Author: Arturo 'Buanzo' Busleiman
diff --git a/config/filter.d/uwimap-auth.conf b/config/filter.d/uwimap-auth.conf
index b166f3fc..f734eb7f 100644
--- a/config/filter.d/uwimap-auth.conf
+++ b/config/filter.d/uwimap-auth.conf
@@ -1,7 +1,6 @@
-# Fail2Ban configuration file
-#
-# Author: Amir Caspi
+# Fail2Ban filter for uwimap
 #
+
 [INCLUDES]
 before = common.conf
@@ -14,3 +13,5 @@ failregex = ^%(__prefix_line)sLogin (?:failed|excessive login failures|disabled|
 ^%(__prefix_line)sFailed .* override of user=.* host=.*\[\]\s*$
 ignoreregex =
+
+# Author: Amir Caspi
diff --git a/config/filter.d/vsftpd.conf b/config/filter.d/vsftpd.conf
index e72b89eb..59ce49a3 100644
--- a/config/filter.d/vsftpd.conf
+++ b/config/filter.d/vsftpd.conf
@@ -1,7 +1,4 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-#
+# Fail2Ban filter for vsftp
 #
 [INCLUDES]
@@ -13,18 +10,9 @@ before = common.conf
 __pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
 _daemon = vsftpd
-# Option: failregex
-# Notes.: regex to match the password failures messages in the logfile. The
-# host must be matched by a group named "host". The tag "" can
-# be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P[\w\-.^_]+)
-# Values: TEXT
-#
 failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=(?:\s+user=.*)?\s*$
 ^ \[pid \d+\] \[.+\] FAIL LOGIN: Client ""\s*$
-# Option: ignoreregex
-# Notes.: regex to ignore. If this regex matches, the line is ignored.
-# Values: TEXT
-#
 ignoreregex =
+
+# Author: Cyril Jaquier
diff --git a/config/filter.d/webmin-auth.conf b/config/filter.d/webmin-auth.conf
index b98075b5..18bf6361 100644
--- a/config/filter.d/webmin-auth.conf
+++ b/config/filter.d/webmin-auth.conf
@@ -1,8 +1,4 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-# Rule by : Delvit Guillaume
-#
+# Fail2Ban filter for webmin
 #
 [INCLUDES]
@@ -15,10 +11,14 @@ _daemon = webmin
 [Definition]
-# patern : webmin[15673]: Non-existent login as toto from 86.0.6.217
-# webmin[29544]: Invalid login as root from 86.0.6.217
-#
 failregex = ^%(__prefix_line)sNon-existent login as .+ from \s*$
 ^%(__prefix_line)sInvalid login as .+ from \s*$
 ignoreregex =
+
+# DEV Notes:
+#
+# pattern : webmin[15673]: Non-existent login as toto from 86.0.6.217
+# webmin[29544]: Invalid login as root from 86.0.6.217
+#
+# Rule Author: Delvit Guillaume
diff --git a/config/filter.d/wuftpd.conf b/config/filter.d/wuftpd.conf
index de98d02d..942de82a 100644
--- a/config/filter.d/wuftpd.conf
+++ b/config/filter.d/wuftpd.conf
@@ -1,7 +1,5 @@
 # Fail2Ban configuration file for wuftpd
 #
-# Author: Yaroslav Halchenko
-#
 #
 [INCLUDES]
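Review bot: The webmin-auth.conf trailer keeps only `# Rule Author: Delvit Guillaume` and drops the `# Author: Cyril Jaquier` line the old header carried, whereas every other file in this diff moves its author lines to the bottom intact. Unless the omission is deliberate, add `# Author: Cyril Jaquier` above the rule-author line so the attribution survives the reshuffle.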
@@ -14,14 +12,8 @@ before = common.conf
 _daemon = wu-ftpd
-# Option: failregex
-# Notes.: regex to match the password failures messages in the logfile.
-# Values: TEXT
-#
 failregex = ^%(__prefix_line)sfailed login from \S+ \[\]\s*$
-# Option: ignoreregex
-# Notes.: regex to ignore. If this regex matches, the line is ignored.
-# Values: TEXT
-#
 ignoreregex =
+
+# Author: Yaroslav Halchenko
diff --git a/config/filter.d/xinetd-fail.conf b/config/filter.d/xinetd-fail.conf
index 253ce15d..d75e3d66 100644
--- a/config/filter.d/xinetd-fail.conf
+++ b/config/filter.d/xinetd-fail.conf
@@ -1,6 +1,6 @@
-# Fail2Ban configuration file
+# Fail2Ban filter for xinetd failures
 #
-# Author: Guido Bozzetto
+# Cfr.: /var/log/(daemon\.|sys)log
 #
 #
@@ -10,29 +10,18 @@
 # common.local
 before = common.conf
-
 [Definition]
 _daemon = xinetd
-# Option: failregex
-# Notes.: regex to match the password failures messages in the logfile. The
-# host must be matched by a group named "host". The tag "" can
-# be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P[\w\-.^_]+)
-# Values: TEXT
-#
-# Cfr.: /var/log/(daemon\.|sys)log
-# libwrap => tcp wrappers: hosts.(allow|deny)
-# address => xinetd: deny_from|only_from
-# load => xinetd: max_load (temporary problem)
-#
-
 failregex = ^%(__prefix_line)sFAIL: \S+ address from=$
 ^%(__prefix_line)sFAIL: \S+ libwrap from=$
-# Option: ignoreregex
-# Notes.: regex to ignore. If this regex matches, the line is ignored.
-# Values: TEXT
-#
 ignoreregex =
+
+# DEV Notes:
+#
+# libwrap => tcp wrappers: hosts.(allow|deny)
+# address => xinetd: deny_from|only_from
+#
+# Author: Guido Bozzetto