From dc899e438fc473366f02ddb6b9e84e1a24510c2b Mon Sep 17 00:00:00 2001
From: sebres
Date: Mon, 7 Jul 2025 01:04:35 +0200
Subject: [PATCH 1/7] avoid error "Unable to get failures" by stop (if file gets removed from filter, but filter already entered getFailures for the file); closes gh-4032
---
 fail2ban/server/filter.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fail2ban/server/filter.py b/fail2ban/server/filter.py
index 210ca084..942e0ba1 100644
--- a/fail2ban/server/filter.py
+++ b/fail2ban/server/filter.py
@@ -1111,8 +1111,8 @@ class FileFilter(Filter):
 def getFailures(self, filename, inOperation=None):
 if self.idle: return False
 log = self.getLog(filename)
- if log is None:
- logSys.error("Unable to get failures in %s", filename)
+ if log is None and self.active:
+ logSys.log(logging.MSG, "Unable to get failures in %s", filename)
 return False
 # We should always close log (file), otherwise may be locked (log-rotate, etc.)
 try:
From b710d5b6c7b0249a257246b15ce6408630a5fe9c Mon Sep 17 00:00:00 2001
From: sebres
Date: Sun, 13 Jul 2025 01:03:53 +0200
Subject: [PATCH 2/7] `filter.d/sendmail-reject.conf` - also recognize "Domain of sender address ... does not resolve"; closes gh-4035
---
 ChangeLog | 1 +
 config/filter.d/sendmail-reject.conf | 4 ++--
 fail2ban/tests/files/logs/sendmail-reject | 3 +++
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 5ccd2b7b..dc0bf8ec 100644
--- a/ChangeLog
+++ b/ChangeLog
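Review bot: The new `self.active` guard and the demotion from `logSys.error` to `logSys.log(logging.MSG, ...)` turn a formerly reported error into a routine case, but nothing in the code says why a missing log for `filename` is now acceptable. A comment above the condition would carry the commit's rationale: `# no log for this path: it was removed from the filter (e.g. during stop) after getFailures was already entered; report it only while still active, and not as an error`. If `logging.MSG` ranks below INFO, as I recall it does in fail2ban's level table, a genuinely missing log path during normal operation will no longer be visible at the default loglevel, which may be intended but is worth stating in that comment. getFailures continues past the end of the hunk.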
@@ -84,6 +84,7 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
 * `filter.d/dovecot.conf` - add support for latest Dovecot 2.4 release (gh-4016)
 * `filter.d/proxmox.conf` - add support to Proxmox Web GUI (gh-2966)
 * `filter.d/openvpn.conf` - new filter and jail for openvpn recognizing failed TLS handshakes (gh-2702)
+* `filter.d/sendmail-reject.conf` - also recognize "Domain of sender address ... does not resolve" (gh-4035)
 * `filter.d/vaultwarden.conf` - new filter and jail for Vaultwarden (gh-3979)
 * `fail2ban-regex` extended with new option `-i` or `--invert` to output not-matched lines by `-o` or `--out` (gh-4001)
diff --git a/config/filter.d/sendmail-reject.conf b/config/filter.d/sendmail-reject.conf
index 41035e5f..f969a060 100644
--- a/config/filter.d/sendmail-reject.conf
+++ b/config/filter.d/sendmail-reject.conf
@@ -25,12 +25,12 @@ addr = (?:(?:IPv6:)?|)
 prefregex = ^%(__prefix_line)s.+$
-cmnfailre = ^ruleset=check_rcpt, arg1=(?P<\S+@\S+>), relay=(\S+ )?\[%(addr)s\](?: \(may be forged\))?, reject=(?:550 5\.7\.1(?: (?P=email)\.\.\.)?(?: Relaying denied\.)? (?:IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\]|Fix reverse DNS for \S+)|553 5\.1\.8(?: (?P=email)\.\.\.)? Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$
+cmnfailre = ^ruleset=check_rcpt, arg1=(?P<\S+@\S+>), relay=(\S+ )?\[%(addr)s\](?: \(may be forged\))?, reject=(?:550 5\.7\.1(?: (?P=email)\.\.\.)?(?: Relaying denied\.)? (?:IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\]|Fix reverse DNS for \S+)|[45]5[13] [45]\.1\.8(?: (?P=email)\.\.\.)? Domain of sender address \S+ does not (?:exist|resolve)|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$
 ^ruleset=check_relay(?:, arg\d+=\S*)*, relay=(\S+ )?\[%(addr)s\](?: \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
 ^rejecting commands from (\S* )?\[%(addr)s\] due to pre-greeting traffic after \d+ seconds$
 ^(?:\S+ )?\[%(addr)s\]: (?:(?i)expn|vrfy) \S+ \[rejected\]$
 ^<[^@]+@[^>]+>\.\.\. No such user here$
- ^from=<[^@]+@[^>]+>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[%(addr)s\]$
+ ^from=<[^@]+@[^>]+>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=\S+, relay=\S+ \[%(addr)s\]$
 mdre-normal =
diff --git a/fail2ban/tests/files/logs/sendmail-reject b/fail2ban/tests/files/logs/sendmail-reject
index 8debe7ca..c219578e 100644
--- a/fail2ban/tests/files/logs/sendmail-reject
+++ b/fail2ban/tests/files/logs/sendmail-reject
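Review bot: The new alternative `[45]5[13] [45]\.1\.8 ... does not (?:exist|resolve)` in `cmnfailre` makes a 451 4.1.8 reply count as a failure next to the permanent 553 5.1.8, and a 4xx reply is by SMTP definition a transient rejection. A legitimate MTA that hits a resolver problem will retry the same message, so each retry could produce another matching line and a run of retries within findtime may reach maxretry; the new test sample is exactly such a 451 line. Since the file already splits rules by mode (`mdre-normal` is visible here), consider keeping the 4xx form out of the default mode, or at least document the trade-off next to the rule: `# 451 4.1.8 is a temporary failure; legitimate senders retry, so flaky DNS can get them banned`. The two character classes are also independent, so the pattern accepts mixed codes such as `453 5.1.8`; `(?:451 4|553 5)\.1\.8` would state the intended pairs. The loosening of `daemon=MTA` to `daemon=\S+` in the last rule is unrelated to the commit subject and deserves its own ChangeLog mention.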
@@ -57,6 +57,9 @@ Feb 27 15:49:02 batman sm-mta[88377]: s1REn1un088377: ruleset=check_rcpt, arg1=<
 # failJSON: { "time": "2005-02-27T22:44:42", "match": true , "host": "123.69.106.50" }
 Feb 27 22:44:42 batman sm-mta[30972]: s1RLieRP030972: ruleset=check_rcpt, arg1=, relay=[123.69.106.50], reject=553 5.1.8 ... Domain of sender address lf@ibuv.net does not exist
+# failJSON: { "time": "2005-02-27T22:44:43", "match": true , "host": "192.0.2.100" }
+Feb 27 22:44:43 batman sm-mta[4012]: 56CF8Qni004012: ruleset=check_rcpt, arg1=, relay=[192.0.2.100] (may be forged), reject=451 4.1.8 Domain of sender address test.whatever@service.example.com does not resolve
+
 # failJSON: { "time": "2005-02-23T21:18:47", "match": true , "host": "76.72.174.70" }
 Feb 23 21:18:47 batman sm-mta[93301]: s1NKIkZa093301: [76.72.174.70]: EXPN root [rejected]
From 1c2ace295821f983e95146de59dd63a5dc484abd Mon Sep 17 00:00:00 2001
From: sebres
Date: Sun, 13 Jul 2025 01:08:50 +0200
Subject: [PATCH 3/7] GHA: update python 3.14.0-beta.4
---
 .github/workflows/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 2c0ae72f..4f593361 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -22,7 +22,7 @@ jobs:
 runs-on: ubuntu-latest
 strategy:
 matrix:
- python-version: [3.8, 3.9, '3.10', '3.11', '3.12', '3.13', '3.14.0-alpha.6', pypy3.11]
+ python-version: [3.8, 3.9, '3.10', '3.11', '3.12', '3.13', '3.14.0-beta.4', pypy3.11]
 fail-fast: false
 # Steps represent a sequence of tasks that will be executed as part of the job
 steps:
From e97df4672a666803db865f3f1eb76be47e8f38cc Mon Sep 17 00:00:00 2001
From: 177ac
Date: Sun, 20 Jul 2025 18:05:35 +0900
Subject: [PATCH 4/7] filter.d/asterisk: fix regex to match "No matching endpoint found" with retry info
---
 config/filter.d/asterisk.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf
index 0f801e0b..4aae47d3 100644
--- a/config/filter.d/asterisk.conf
+++ b/config/filter.d/asterisk.conf
@@ -27,7 +27,8 @@ failregex = ^Registration from '[^']*' failed for '(:\d+)?' - (?:Wrong pas
 ^hacking attempt detected ''$
 ^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/[^/"]+//\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$
 ^"Rejecting unknown SIP connection from (?::\d+)?"$
- ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$
+ ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '(?::\d+)?'\s\(callid: [^\)]*\) - No matching endpoint found(?:\s+after\s+\d+\s+tries\s+in\s+[\d.]+\s+ms)?\s*$
+ ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '(?::\d+)?'\s\(callid: [^\)]*\) - (?:Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$
 # FreePBX (todo: make optional in v.0.10):
 # ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from $
From b309cf6b3c065387f593f32d520ddfe1243f31c5 Mon Sep 17 00:00:00 2001
From: 177ac
Date: Sun, 20 Jul 2025 18:06:33 +0900
Subject: [PATCH 5/7] Add test line
---
 fail2ban/tests/files/logs/asterisk | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/fail2ban/tests/files/logs/asterisk b/fail2ban/tests/files/logs/asterisk
index 7f2ec967..fc497852 100644
--- a/fail2ban/tests/files/logs/asterisk
+++ b/fail2ban/tests/files/logs/asterisk
@@ -108,6 +108,8 @@ Nov 4 18:30:40 localhost asterisk[32229]: NOTICE[32257]: chan_sip.c:23417 in han # PJSip Errors # failJSON: { "time": "2016-05-06T07:08:09", "match": true, "host": "192.0.2.6" } [2016-05-06 07:08:09] NOTICE[17103] res_pjsip/pjsip_distributor.c: Request from '"test1" ' failed for '192.0.2.6:5678' (callid: deadbeef) - No matching endpoint found +# failJSON: { "time": "2016-05-06T07:08:09", "match": true, "host": "192.0.2.7", "desc": "Test for No matching endpoint found with retry counts (pattern 1)" } +[2016-05-06 07:08:09] NOTICE[17103] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"test2" ' failed for '192.0.2.7:5679' (callid: cafebabe) - No matching endpoint found after 5 tries in 2.500 ms # # FreePBX Warnings # #_dis_failJSON: { "time": "2016-05-06T07:08:09", "match": true, "host": "192.0.2.4" } From 6d3bfa8781a79bd838a999b58ae587c4ed2aedbd Mon Sep 17 00:00:00 2001 From: "Sergey G. Brester" Date: Sun, 20 Jul 2025 15:04:15 +0200 Subject: [PATCH 6/7] revert RE back, but relive the end-anchor a bit (ignore any text without single quote, so also preventing false match by injection on foreign data) --- config/filter.d/asterisk.conf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf index 4aae47d3..631ccbbc 100644 --- a/config/filter.d/asterisk.conf +++ b/config/filter.d/asterisk.conf 
@@ -27,8 +27,7 @@ failregex = ^Registration from '[^']*' failed for '(:\d+)?' - (?:Wrong pas
 ^hacking attempt detected ''$
 ^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/[^/"]+//\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$
 ^"Rejecting unknown SIP connection from (?::\d+)?"$
- ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '(?::\d+)?'\s\(callid: [^\)]*\) - No matching endpoint found(?:\s+after\s+\d+\s+tries\s+in\s+[\d.]+\s+ms)?\s*$
- ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '(?::\d+)?'\s\(callid: [^\)]*\) - (?:Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$
+ ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\b[^']*$
 # FreePBX (todo: make optional in v.0.10):
 # ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from $
From 7bb86822d0b1970baee4f1abb2580db06e209d25 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Sun, 20 Jul 2025 15:15:38 +0200
Subject: [PATCH 7/7] Update ChangeLog
---
 ChangeLog | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index dc0bf8ec..7122879a 100644
--- a/ChangeLog
+++ b/ChangeLog
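Review bot: The reasoning behind the new tail `\b[^']*$` on the `^Request ... failed for` rule — accept free trailing text such as `after 5 tries in 2.500 ms`, but refuse any tail containing a single quote so that content inside the quoted, caller-controlled `from '...'` field cannot be matched as the reason together with a host of the sender's choosing — exists only in the commit message; in the conf file it reads as an oddly loose anchor that a later cleanup might "fix" back to `\s*$`. Add it as a comment above the rule: `# tail after the reason is free text but must not contain a single quote: that keeps injected text inside quoted fields (from '...') from being taken as the reason`. The sample added in the previous commit covers the retry-info form, but there is no negative sample (`"match": false`) showing that a line whose tail carries a quote is rejected; one such line in fail2ban/tests/files/logs/asterisk would pin the protection this anchor provides. The `failregex` definition starts and ends outside the hunk.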
@@ -37,6 +37,8 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
 - rename `ipsettype` to `ipsetbackend` (gh-2620), parameter `ipsettype` will be used now to the real set type (gh-3760)
 * `filter.d/apache-noscript.conf` - consider new log-format with "AH02811: stderr from /..." (gh-3900)
 * `filter.d/apache-overflows.conf` - consider AH10244: invalid URI path (gh-3778, gh-3900)
+* `filter.d/asterisk.conf` - fixed RE for "no matching endpoint" with retry info (like `after X tries in Y ms`) at end,
+ loosening of end anchor (ignore any simple text tokens at end if no single quote found), gh-4037
 * `filter.d/exim.conf`:
 - several rules of mode `normal` moved to new mode `more`, because of too risky handling (gh-3940), thereby mode `aggressive` is not affected, because it fully includes mode `more` now;