diff --git a/ChangeLog b/ChangeLog index ca7864fc..bd5faa9b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -43,6 +43,8 @@ releases. - optimized failregex to match all of "Failed any-method for ... from " (gh-1479) - eliminated possible complex injections (on user-name resp. auth-info, see gh-1479) - optional port part after host (see gh-1533, gh-1581) +* `filter.d/squid.conf` + - Recognize 407 Proxy Authentication Required as failures (gh-1615) ### New Features diff --git a/config/filter.d/squid.conf b/config/filter.d/squid.conf index e26cab9c..aa51207b 100644 --- a/config/filter.d/squid.conf +++ b/config/filter.d/squid.conf @@ -1,10 +1,10 @@ -# Fail2Ban filter for Squid attempted proxy bypasses +# Fail2Ban filter for Squid attempted proxy bypasses and bruteforcing # # [Definition] -failregex = ^\s+\d\s\s+[A-Z_]+_DENIED/403 .*$ +failregex = ^\s+\d\s\s+[A-Z_]+_DENIED/40[37] .*$ ^\s+\d\s\s+NONE/405 .*$ ignoreregex = diff --git a/fail2ban/tests/files/logs/squid b/fail2ban/tests/files/logs/squid index 300a8ac5..62ca326c 100644 --- a/fail2ban/tests/files/logs/squid +++ b/fail2ban/tests/files/logs/squid @@ -11,3 +11,6 @@ # failJSON: { "time": "2013-12-09T00:09:06.000", "match": true , "host": "175.42.91.151" } 1386544146.000 1 175.42.91.151 TCP_DENIED/403 3745 GET http://pkfsp.ru/wp-content/uploads/proxyc/engine.php - HIER_NONE/- text/html + +# failJSON: { "time": "2016-11-21T01:12:54.000", "match": true, "host": "98.189.78.228" } +1479687174.000 1 98.189.78.228 TCP_DENIED/407 4259 CONNECT www.google.com:443 tgu1 HIER_NONE/- text/html