diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 2c0ae72f..4f593361 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -22,7 +22,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - python-version: [3.8, 3.9, '3.10', '3.11', '3.12', '3.13', '3.14.0-alpha.6', pypy3.11] + python-version: [3.8, 3.9, '3.10', '3.11', '3.12', '3.13', '3.14.0-beta.4', pypy3.11] fail-fast: false # Steps represent a sequence of tasks that will be executed as part of the job steps: diff --git a/ChangeLog b/ChangeLog index 5ccd2b7b..7122879a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -37,6 +37,8 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition - rename `ipsettype` to `ipsetbackend` (gh-2620), parameter `ipsettype` will be used now to the real set type (gh-3760) * `filter.d/apache-noscript.conf` - consider new log-format with "AH02811: stderr from /..." (gh-3900) * `filter.d/apache-overflows.conf` - consider AH10244: invalid URI path (gh-3778, gh-3900) +* `filter.d/asterisk.conf` - fixed RE for "no matching endpoint" with retry info (like `after X tries in Y ms`) at end, + loosening of end anchor (ignore any simple text tokens at end if no single quote found), gh-4037 * `filter.d/exim.conf`: - several rules of mode `normal` moved to new mode `more`, because of too risky handling (gh-3940), thereby mode `aggressive` is not affected, because it fully includes mode `more` now; @@ -84,6 +86,7 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition * `filter.d/dovecot.conf` - add support for latest Dovecot 2.4 release (gh-4016) * `filter.d/proxmox.conf` - add support to Proxmox Web GUI (gh-2966) * `filter.d/openvpn.conf` - new filter and jail for openvpn recognizing failed TLS handshakes (gh-2702) +* `filter.d/sendmail-reject.conf` - also recognize "Domain of sender address ... does not resolve" (gh-4035) * `filter.d/vaultwarden.conf` - new filter and jail for Vaultwarden (gh-3979) * `fail2ban-regex` extended with new option `-i` or `--invert` to output not-matched lines by `-o` or `--out` (gh-4001) diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf index 0f801e0b..631ccbbc 100644 --- a/config/filter.d/asterisk.conf +++ b/config/filter.d/asterisk.conf @@ -27,7 +27,7 @@ failregex = ^Registration from '[^']*' failed for '(:\d+)?' - (?:Wrong pas ^hacking attempt detected ''$ ^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/[^/"]+//\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$ ^"Rejecting unknown SIP connection from (?::\d+)?"$ - ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$ + ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\b[^']*$ # FreePBX (todo: make optional in v.0.10): # ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from $ diff --git a/fail2ban/server/filter.py b/fail2ban/server/filter.py index 210ca084..942e0ba1 100644 --- a/fail2ban/server/filter.py +++ b/fail2ban/server/filter.py @@ -1111,8 +1111,8 @@ class FileFilter(Filter): def getFailures(self, filename, inOperation=None): if self.idle: return False log = self.getLog(filename) - if log is None: - logSys.error("Unable to get failures in %s", filename) + if log is None and self.active: + logSys.log(logging.MSG, "Unable to get failures in %s", filename) return False # We should always close log (file), otherwise may be locked (log-rotate, etc.) try: diff --git a/fail2ban/tests/files/logs/asterisk b/fail2ban/tests/files/logs/asterisk index 7f2ec967..fc497852 100644 --- a/fail2ban/tests/files/logs/asterisk +++ b/fail2ban/tests/files/logs/asterisk @@ -108,6 +108,8 @@ Nov 4 18:30:40 localhost asterisk[32229]: NOTICE[32257]: chan_sip.c:23417 in han # PJSip Errors # failJSON: { "time": "2016-05-06T07:08:09", "match": true, "host": "192.0.2.6" } [2016-05-06 07:08:09] NOTICE[17103] res_pjsip/pjsip_distributor.c: Request from '"test1" ' failed for '192.0.2.6:5678' (callid: deadbeef) - No matching endpoint found +# failJSON: { "time": "2016-05-06T07:08:09", "match": true, "host": "192.0.2.7", "desc": "Test for No matching endpoint found with retry counts (pattern 1)" } +[2016-05-06 07:08:09] NOTICE[17103] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"test2" ' failed for '192.0.2.7:5679' (callid: cafebabe) - No matching endpoint found after 5 tries in 2.500 ms # # FreePBX Warnings # #_dis_failJSON: { "time": "2016-05-06T07:08:09", "match": true, "host": "192.0.2.4" } diff --git a/fail2ban/tests/files/logs/sendmail-reject b/fail2ban/tests/files/logs/sendmail-reject index b2d38d7a..98943d17 100644 --- a/fail2ban/tests/files/logs/sendmail-reject +++ b/fail2ban/tests/files/logs/sendmail-reject @@ -57,6 +57,9 @@ Feb 27 15:49:02 batman sm-mta[88377]: s1REn1un088377: ruleset=check_rcpt, arg1=< # failJSON: { "time": "2005-02-27T22:44:42", "match": true , "host": "123.69.106.50" } Feb 27 22:44:42 batman sm-mta[30972]: s1RLieRP030972: ruleset=check_rcpt, arg1=, relay=[123.69.106.50], reject=553 5.1.8 ... Domain of sender address lf@ibuv.net does not exist +# failJSON: { "time": "2005-02-27T22:44:43", "match": true , "host": "192.0.2.100" } +Feb 27 22:44:43 batman sm-mta[4012]: 56CF8Qni004012: ruleset=check_rcpt, arg1=, relay=[192.0.2.100] (may be forged), reject=451 4.1.8 Domain of sender address test.whatever@service.example.com does not resolve + # failJSON: { "time": "2005-02-23T21:18:47", "match": true , "host": "76.72.174.70" } Feb 23 21:18:47 batman sm-mta[93301]: s1NKIkZa093301: [76.72.174.70]: EXPN root [rejected]