sebres
83f626c4aa
(grave) closes gh-2431: replace newlines in message from systemd journal (otherwise multi-line parsing is broken, because removal of matched string from multi-line buffer window is confused by extra new-lines, so they are retained and get matched on every following message).
6 years ago
Sergey G. Brester
7a463eb3f7
closes gh-2395: safe conversion of `SYSLOG_PID` or `_PID` (if journal entry contains a string instead of numeric)
6 years ago
sebres
1a9527e6a4
fixed catch-all on user (and simplifying)
6 years ago
jim
a7f3ba87f6
filter.d/sogo-auth.conf: fixes gh-2289 - matching auth-failures when behind a proxy;
(broken by commit 72b06479a5), replacement for gh-2290.
6 years ago
Yannik Sembritzki
547504873e
Add test case for new asterisk pjsip log syntax which includes the port
6 years ago
sebres
63e906b2c1
regex rewritten: a bit less vulnerable now and using non-capturing groups; test-cases extended in order to cover attempted injection on user name
7 years ago
Benedikt Seidl
fed6c49c2d
nginx-http-auth: match usernames with spaces
# Conflicts:
# ChangeLog
7 years ago
Sergey G. Brester
9a46590486
extended test-cases to cover new log-format (http_auth -> mod_auth)
7 years ago
sebres
314e402fe0
filter.d/sendmail-auth.conf - extended daemon for Fedora 24/RHEL - the daemon name is "sendmail" (gh-1632)
7 years ago
sebres
3d9a112c8f
cherry-pick newer version of extractOptions, in order to avoid large discrepancy between 0.10 and 0.9 config-parsers:
allow use of dual parameter lists (coming through substitutions), e. g.: `name[p1=0, p2="..."][p3='...']`;
simplified explanation: `][` is treated as `,` in new version.
cherry-picked from 0.10.
7 years ago
Serg G. Brester
a1d1498561
Restore log-entries not affected by #2011
7 years ago
Yannik Sembritzki
aab54bb0dd
don't replace normal test case with specialized test case
7 years ago
Yannik Sembritzki
eaf5e88692
replace actual offenders ip with 1.2.3.4
7 years ago
Yannik Sembritzki
184202c6aa
remove duplicate testcase
7 years ago
Yannik Sembritzki
a53ee46ad4
add test for asterisk pjsip attack with quote in username
7 years ago
Serg G. Brester
cbd63d9cd5
added test to cover quoted injecting on AUTH command
7 years ago
Peter Nowee
aa158ac05f
Exim failregex: Include lower/mixed case AUTH
When reporting the error `AUTH command used when not advertised`, Exim
starts with `SMTP protocol error in "........."`. Here, Exim logs the
SMTP command as it was provided by the connecting client.
https://github.com/Exim/exim/blob/exim-4_89+fixes/src/src/smtp_in.c#L2850
According to RFC 5321 (SMTP) "[..] a command verb [..] MAY be encoded
in upper case, lower case, or any mixture of upper and lower case with
no impact on its meaning."
https://tools.ietf.org/html/rfc5321#section-2.4
Lower case `auth login` brute-force attempts were seen in the wild and
were not caught by the current failregex.
This commit makes the failregex case-insensitive for the `AUTH`
command, so that lower case (`auth`) or mixed case (`aUtH`) now also
match. The failregex was already case-insensitive for the command
arguments (e.g. `AUTH login` already matched).
7 years ago
sebres
5708b8b90e
fixed test-cases covering dns2ip (IP of www.epfl.ch changed)
7 years ago
Michael Newton
3f715e8577
Remove tests
7 years ago
sebres
ea36e1b3fc
filter.d/dovecot.conf: fixed failregex to recognize pam_authenticate failures with "Permission denied" (gh-1897)
7 years ago
sebres
a2120a9de5
filter.d/postfix-*.conf - added optional port regex (closes gh-1902)
7 years ago
Serg G. Brester
db121a6f85
Update exim
Test case covers flood attempts with `D=0s`
7 years ago
john
776d463e92
added missing colon to failJSON
7 years ago
john
4d8ba7b668
fixed test log file
7 years ago
john
44c4496e49
added sample log files
7 years ago
sebres
c312962029
filter.d/dovecot.conf: partially cherry-pick to 0.9 PR #1880 from sebres/0.10-fix-dovecot-regex (d926e11a5c)
fixed failregex (without new mode aggressive)
7 years ago
Pavel Mihadyuk
4c1abe1cbf
phpmyadmin-syslog: removed excess file, fixed test, updated failregex
7 years ago
Pavel Mihadyuk
41994fcb56
Added filter for phpMyAdmin+syslog (>=4.7.0)
7 years ago
Pavel Mihadyuk
5b4bc2aafd
Added filter for phpMyAdmin+syslog (>=4.7.0). Closes #1713
7 years ago
sebres
5c538fb658
Recognize "unknown user" for additional auth-methods (pam, passwd-file, ldap, sql, etc); simplifying regular expressions (put "unknown user" and "invalid credentials" together as one regex).
7 years ago
sebres
a5b62a7f36
failregex extended and simplified (partially ported from gh-1409).
7 years ago
sebres
2ea22b9d30
test coverage for gh-1427
7 years ago
sebres
a1d0633e69
filter.d/asterisk.conf - fixed failregex AMI Asterisk authentication failed (see gh-1302):
- optional space between NOTICE and pid;
- optional part "Host " before IP-address;
7 years ago
sebres
9f55ed86df
fixed testCymruInfoNxdomain (since cymru does not provide ASN mapping info for "10.0.0.0" anymore)
7 years ago
Marcel Bischoff
228d25c548
Update Kerio Connect filter (#1455)
* Update Kerio Connect filter
Fixed regex for some log entries that did not get recognized and some additional error formats are added.
* Add missing colon, GitHub address
* Add filter tests
* Add missing test
8 years ago
sebres
c7ddf1f940
[systemd-backend] implicit closing of journal descriptor by stop filter.
Partially cherry-picked from 0.10 (d153555a07)
8 years ago
Filippo Tessarotto
ff1c6718da
Postfix RBL: 554 & SMTP
Cherry-pick of 607568f5da
(see gh-1686)
8 years ago
Yaroslav Halchenko
407b2ea936
life is going on
8 years ago
sebres
a5cdb9c977
exim test cases extended: cover short form of the logging (without session-id, gh-1771)
8 years ago
Yaroslav Halchenko
35280044ff
Preparing for 0.9.7 release
8 years ago
sebres
0600d51511
filter.d/exim.conf: added new reason for "rejected RCPT" regex: Unrouteable address
8 years ago
sebres
c546f85207
filter.d/exim.conf: cherry-picked from 0.10, match complex time like `D=2m42s` (closes gh-1766)
8 years ago
sebres
3161bcf78b
filter.d/exim.conf: optional part `(...)` after host-name before `[IP]`, normalized over whole config file.
# Conflicts:
# config/filter.d/exim.conf
8 years ago
Paul Brook
a639f0b083
BF: specify explicit time offset not a time zone name to avoid needing tzdata during testing
8 years ago
sebres
e8596cfce7
amend resp. restore of change from 59c35bc44a (gh-129):
- logging of "Log rotation detected" with new MSG level
- introduces new log-level MSG (as INFO-2, 18)
8 years ago
sebres
8768776d68
filter.d/cyrus-imap.conf: fixed `failregex` - accept entries without login-info resp. hostname before IP address
8 years ago
sebres
c4dc698d98
evil symlink removed: not supported by some file systems (e. g. development over net share)
8 years ago
sebres
9d06f0ee40
sshd-amend: optional space after port part
8 years ago
sebres
8aa9516d50
sshd.conf: fixed expression "received disconnect ... auth fail" - optional space after port part (gh-1652)
8 years ago
sebres
3276bd6d54
sshd: additionally aggressive filter rules - no matching cipher resp. no matching key exchange method (gh-1545, gh-1117)
8 years ago