github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity
3,735 Commits
34 Branches
230 Tags
21 MiB
Commit Graph

773 Commits (0.9)

Author SHA1 Message Date
sebres 3276bd6d54 sshd: additionally aggressive filter rules - no matching cipher resp. no matching key exchange method (gh-1545, gh-1117) 2017-01-21 15:57:05 +01:00
sebres 628789f9a9 sshd: conditional parameter "mode" for sshd jail (normal, ddos, aggressive) 
filter sshd-ddos and new filter sshd-aggressive are both derivation of sshd-filter
 2017-01-21 15:54:49 +01:00
sebres dd373dba9f test all config-regexp, that contains greedy catch-all before <HOST>, that is hard-anchored at end or precise sub expression after <HOST>; 
new ssh rule(s) added:
- Connection reset by peer (multi-line rule during authorization process);
- No supported authentication methods available;
Single line and multi-line expression optimized, added optional prefixes and suffix (logged from several ssh versions);
closes gh-864
 2017-01-21 15:53:48 +01:00
Christian Brandlehner a4d8426401 Support for IBM Domino SMTP task (#1603) 
filter.d/domino-smtp.conf
 2017-01-20 08:44:20 +01:00
sebres 2009f1c434 fail2ban-regex: fix for systemd-journal (see gh-1657) 2017-01-10 11:13:18 +01:00
Yaroslav Halchenko 4a1fd888f0 Carry on development 2016-12-11 00:49:09 -05:00
Yaroslav Halchenko 482252dbd4 ENH: prep for 0.9.6 release (as of tomorrow) 2016-12-09 09:35:03 -05:00
sebres 45f1d811c9 Merge branch 'alex1702-1586' 2016-11-28 18:54:02 +01:00
sebres 425170cef3 code review, makes the test cases workable, added dev-notes 2016-11-28 18:39:07 +01:00
sebres 931eab84b5 `filter.d/apache-modsecurity.conf` 
- fixed for newer version (one space, closes gh-1626)
reviewed and optimized:
  - non-greedy catch-all replaced for safer match
  - unneeded catch-all anchoring removed
  - non-capturing groups
 2016-11-28 11:28:27 +01:00
sebres 5678d08a79 filter.d/dovecot.conf update: 
- fixes failregex, that ignores failures through some irrelevant info (closes #1623);
- ignores whole additionally irrelevant info in anchored regex before fixed failure data `\((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\)`
- review, IPv6 compatibility fix, non-capturing groups
 2016-11-26 16:50:37 +01:00
sebres b5433f48b7 amend after code review of merge gh-1581 2016-11-11 11:09:46 +01:00
sebres bee6e7376b Merge branch 'aclindsa:master' 2016-11-11 10:58:40 +01:00
sebres dab5f56609 Merge branch 'fix-gh-1477' 2016-11-11 10:17:07 +01:00
Alex 8ac28e5dcb Make changes and add test file 2016-11-10 13:09:32 +01:00
Aaron Lindsay 7805f9972d filter.d/sshd.conf: Match 'Invalid user' with 'port \d*' 2016-10-15 15:52:19 -04:00
sebres 84c3eb3e0e filter.d/sendmail-reject.conf: double space (should be by missing dns-host only) 
Closes #1578
 2016-10-15 14:53:45 +02:00
Serg G. Brester 1071db2256 filter.py: easy-fix to use sha1 instead of md5 if its usage prohibited by some systems following strict standards (like FIPS) 
closes gh-1540
 2016-09-20 00:00:26 +02:00
sebres 9fb167b5e1 filter.d/vsftpd.conf: optional reason message after FAIL LOGIN, closes #1543 2016-09-09 09:20:15 +02:00
sebres 7ac9890bf6 forgotten obsolete code removed 2016-09-06 16:51:06 +02:00
sebres 51fd9a1027 amend to activate performance-fix (respect findtime before search of match) + code coverage 2016-09-06 16:33:16 +02:00
sebres 57458a462e allow to set default or preferred encoding for other filters (e.g. to decode bytes from journal) 
# Conflicts:
#	fail2ban/server/filter.py
 2016-09-06 15:26:10 +02:00
sebres 3119f81705 fixed journal systemd ascii/utf-8 default converting (see gh-1341, gh-1344) 2016-09-06 15:25:59 +02:00
Yaroslav Halchenko f6258c7b69 Merge branch 'rf-exc' 
* rf-exc:
  RF: Replace old fashioned "except E , e" with "except E as e" (Closes #1537)
 2016-09-06 08:16:40 -04:00
Yaroslav Halchenko b875e51cd7 RF: Replace old fashioned "except E , e" with "except E as e" (Closes #1537) 2016-09-04 23:25:09 -04:00
sebres 5f35b52b9a test cases extended 
several test-case functionality cherry picked from 0.10 (SkipTest, with_tmpdir)
 2016-09-01 16:17:06 +02:00
sebres 35b5fea038 backend "systemd" can be used as prefix now - `backend = systemd[...]` 2016-09-01 16:17:04 +02:00
sebres 7ed6cab120 jail configuration extended with new syntax to pass options to the backend (see gh-1408), 
examples:
  - `backend = systemd[journalpath=/run/log/journal/machine-1]`
  - `backend = systemd[journalfiles="/run/log/journal/machine-1/system.journal, /run/log/journal/machine-1/user.journal"]`
  - `backend = systemd[journalflags=2]`
 2016-09-01 16:17:02 +02:00
sebres 1c4733ef89 [systemd] added new constructor parameters like journalpath, journalfiles and journalflags for systemd backup 
optimized FilterSystemd method `run`: better wait in idle (no busy-loop), better poll handling, the ban will executed anywhere (at least at 100th log-entry), also if we have never ending logging in this jail (e.g. extremely logging or too many failures)
systemd test cases extended
 2016-08-24 20:55:06 +02:00
sebres 4a1d720344 filter.d/asterisk.conf: another part ` chan_sip.c:28468 handle_request_register:` in log prefix 2016-08-22 14:10:50 +02:00
sebres 2c54f90469 sshd-filter: better universal regexp, that matches more complex different injects, using conditional expressions (on username and auth-info section), see new test cases also. 2016-08-19 10:19:12 +02:00
sebres a544c5abac sshd-filter: recognized "Failed publickey for" now (gh-1477) + improved regexp (not anchored now to recognize all "Failed anything for ... from <HOST>" 
ChangeLog entry added
 2016-08-18 21:38:55 +02:00
sebres 9935cf19c1 description provided, ChangeLog entries added 2016-08-15 19:54:11 +02:00
sebres 0bdee2556f testAmbiguousDatePattern rewritten with DateDetector/DatePatternRegex directly (moved to misctestcase.py) 2016-08-15 19:35:11 +02:00
sebres 8e09be5fc8 test cases for boundaries for date-pattern extended (negative/positive, left/right) 2016-08-15 18:53:35 +02:00
sebres 7f55be3fad amend to b6bb2f88c1dbb111647269590d80d95f72c81c3e: datepattern right word boundary - prevents confusions if end of date-pattern (e.g. optional year part) misleadingly match not date values (see gh-1507) 
test cases extended to check ambiguous "unbound" patterns in log lines (match/miss resp. positive/negative cases)
 2016-08-15 16:51:55 +02:00
sebres c49fe12f70 fix fail2banregextestcase using setUpMyTime/tearDownMyTime: always use correct static time as base-time (using mock up MyTime), correct datetimes inside test 2016-08-15 12:57:39 +02:00
sebres 6cdc1ce685 compatibility fix (virtualenv, running test cases in py3) 
# Conflicts:
#	MANIFEST
 2016-08-12 17:59:24 +02:00
sebres 38d53a72fd introduces new command "fail2ban-python", as automatically created symlink to python executable, where fail2ban currently installed (resp. its modules are located); 
fixed pythonic filters and test scripts (running via "fail2ban-python" now);
fixed test case "testSetupInstallRoot" not for default python (also using direct call, out of virtualenv);

# Conflicts:
#	config/filter.d/ignorecommands/apache-fakegooglebot
#	fail2ban/tests/files/config/apache-auth/digest.py
#	fail2ban/tests/files/ignorecommand.py
#	fail2ban/tests/misctestcase.py
 2016-08-12 17:58:37 +02:00
maksyms 9ddbd642f7 Accept no space after "failed:" (#1501) 
yoh: Squashed to ease cherry-picking into 0.9

* accept no space after "failed:"

fix issue #1497

* accept no space after "failed:"

* Update postfix-sasl

* Update postfix-sasl

* Update postfix-sasl
 2016-08-08 17:09:47 -04:00
sebres 70658d7a19 Merge pull request #1494 from rhardy613/master (branch 'sebres:pr-1494') 2016-08-08 18:49:32 +02:00
rhardy613 66fe5a77ce Fix ASSP filter to work with both ASSP V1 and V2 
ASSP V1 development stopped at the end of 2014 and it is now deprecated.
All users were urged to upgrade to ASSP V2 which is still actively
developed.
fail2ban 0.9.5 (and trunk) still have code which only understands ASSP
V1 logs.
This means the filter ignores brute force attacks against ASSP. This fix
adds V2 support.
 2016-08-05 23:18:51 -04:00
rhardy613 890a3dcbb9 Fix ASSP filter to work with current release of ASSP 
ASSP V1 development stopped at the end of 2014 and it is now deprecated.
All users were urged to upgrade to ASSP V2 which is still actively
developed. For some reason fail2ban 0.9.5 (and trunk) still have code
which only understands ASSP V1 logs. This means the filter ignores brute
force attacks against ASSP.
Now updated with anchored patterns tested against 6 months of log data.
 2016-08-05 17:26:47 -04:00
sebres 8b1225f177 several amend fixes after cherry pick from 10th branch 2016-08-01 14:07:37 +02:00
sebres 3e330604c7 several test cases rewritten using new assertIn, assertNotIn (better as own from unittest, because support generators beautifying, etc.) 
+ new forward compatibility method assertRaisesRegexp;
+ methods assertIn, assertNotIn, assertRaisesRegexp are test covered now;
+ easy-fix for distributions compatible test cases (e.g. fedora default backend is 'systemd'), (closes gh-1353, closes gh-1490)

cherry picked from 9d56079756 (0.10 branch)
 2016-08-01 13:52:05 +02:00
rhardy613 f73746d846 Fix ASSP filter to work with current release of ASSP 
ASSP V1 development stopped at the end of 2014 and it is now deprecated.
All users were urged to upgrade to ASSP V2 which is still actively
developed. For some reason fail2ban 0.9.5 (and trunk) still have code
which only understands ASSP V1 logs. This means the filter ignores brute
force attacks against ASSP.
 2016-07-31 13:50:52 -04:00
Yaroslav Halchenko dca5ff44c2 Merge branch 'bf-common-zzz' 
* bf-common-zzz:
  BF: do not rely on long relative path to upstairs config - symlink common.conf
 2016-07-14 22:25:07 -04:00
Yaroslav Halchenko 687ea8d333 BF: do not rely on long relative path to upstairs config - symlink common.conf 2016-07-14 22:15:22 -04:00
Yaroslav Halchenko 5714ac201b DOC: preparations for 0.9.5 release 2016-07-14 21:35:49 -04:00
Yaroslav Halchenko 28a0605f69 Merge pull request #1478 from gips0n/master 
adding openldap slapd filter
 2016-07-14 08:30:42 -04:00
nturcksin 72a157b8f2 Improve PJSIP log support for asterisk 13+ with different callID (Squash gh-1458) 
Change the asterisk pjsip filter to don't take the callId part
Add optional part between "Request" and "from"
Listed all log message from asterisk
 2016-07-08 11:45:22 +02:00
Andrii Melnyk dcb69b0242 * add `__prefix_line` to regex 
* fix time in log file
 2016-07-08 05:29:51 +03:00
Andrii Melnyk c335663395 add info to log file 2016-07-08 05:12:25 +03:00
Andrii Melnyk c9ab669851 added sample log lines for slapd 2016-07-08 04:56:29 +03:00
Serg G. Brester af8b650a37 badip timeout option introduced, set to 30 seconds in our test cases (#1463) 
cherry-picked from 0.10 (little bit modified in test_badips.py, because no --fast option in test cases)
 2016-06-13 12:56:53 +02:00
Yaroslav Halchenko 636a93f58b Merge pull request #1438 from yarikoptic/bf-exim 
exim filters -- make wider use of host_info helper str susbstitution + fix for #1430
 2016-06-07 21:35:52 -04:00
Ludovic Gasc f85fb45b29 Asterisk pjsip (#1456) 
* Improve PJSIP log support for Asterisk 13+

* Update changelog: filter.d/asterisk.conf - fix security log support for PJSIP and Asterisk 13+

* Change pjsip regexp with sebres observation, thanks to @nturcksin
 2016-06-07 11:40:35 +02:00
Yaroslav Halchenko ced6c8307b BF: finalize that sample log line for exim4 
was intended in 743a531eb5 to be an entry without a port
after the [host]
 2016-06-02 20:57:27 -04:00
sebres b3bb8b20bf amend for new option of `usedns=raw` - forgotten validation fix inside setUseDns 2016-05-31 17:45:44 +02:00
sebres 8ec4e1189e use raw host (don't use textToIp) if usedns exactly `raw`, because `usedns = no` should ignore no ip failures 2016-05-30 15:34:21 +02:00
sebres c33e25bab6 fail2ban-regex: extended with option '--raw' (switch to raw host, prevent resolving of ip) 2016-05-30 14:08:37 +02:00
sebres b7787f4af4 use raw host (don't use textToIp) if usedns not yes or warn 2016-05-30 14:08:33 +02:00
Yaroslav Halchenko e01cd8ab03 Merge pull request #1444 from yarikoptic/enh-courier-username 
ENH: courier-smtp -- allow for trailing username (no spaces) in the logline
 2016-05-26 19:26:35 -04:00
sebres 858c5c0d00 Merge branch 'gh-1417' 2016-05-26 11:14:09 +02:00
sebres a80043ce80 amend for gh-1419: tags substitution bug - wrong recognition of cyclic recursion, new test cases covered this 2016-05-26 11:13:33 +02:00
sebres 156065e70d splitwords: prevent to split to empty values by multiple separator characters together 2016-05-23 15:33:45 +02:00
Yaroslav Halchenko 9bb869b8d4 ENH: courier-smtp -- allow for trailing username (no spaces) in the logline 
Closes #1440
 2016-05-21 22:17:09 -04:00
Yaroslav Halchenko 01d0506ea0 ENH: splitcommaspace -> splitwords allow to split ignoreip entries with new lines 
Closes #1432
 2016-05-21 10:55:27 -04:00
Yaroslav Halchenko 8b8cf2a660 ENH: exim filters -- make more use of %(host_info)s which in turn made more flexible 2016-05-21 10:29:09 -04:00
Yaroslav Halchenko 743a531eb5 BF: make :port and I=[ip]:port optional for a "AUTH command used when not advertised" 
Closes #1430
 2016-05-21 10:29:01 -04:00
sebres 1718c8dbe9 pypy: switch journal mode after upgrade (save it during the upgrade), to prevent errors like "database table is locked" 2016-05-20 15:12:32 +02:00
sebres db9e724038 extremely speedup of all database operations: 
- (synchronous = OFF) write data through OS without syncing
- (journal_mode = MEMORY) use memory for the transaction logging
 2016-05-20 12:06:04 +02:00
sebres 25af11215b test case for generic common moved to `./fail2ban/tests/config/filter.d/zzz-generic-example.conf` to prevent shipping it with fail2ban installations 2016-05-17 20:08:46 +02:00
sebres de813acf51 extends generic `__prefix_line` with optional brackets for the date ambit (gh-1421), added new parameter `__date_ambit` + test case added; 2016-05-17 11:54:43 +02:00
sebres 3e49522b7a fixes unexpected extra regex-space in generic `__prefix_line` (gh-1405, misleadingly committed in d2a9537568); 
all optional spaces normalized in generic include `common.conf` + test cases are extended (using new example pseudo-filter and test log `zzz-generic-example`);
 2016-05-13 20:26:37 +02:00
sebres a4b8f6e49e [part. cherry-picked from 0.10] invalid recursion check in substituteRecursiveTags: for example action `bsd-ipfw` produced ValueError('properties contain self referencing definitions and cannot be resolved...') 
test cases extended for exactly this case;
closes gh-1417
 2016-05-13 14:12:17 +02:00
Daniel Aleksandersen 75eb240846 Assert https not http 
Resolves test regression from issue #1395.
 2016-04-30 16:18:56 +02:00
Yaroslav Halchenko 2948026a60 Merge pull request #1395 from Aeyoun/patch-2 
Use HTTPS in Debuggex URLs
 2016-04-27 21:14:16 -04:00
Yaroslav Halchenko 340a5a23f4 BF+ENH: fixed up testing querying cymru information + assert_dict_equal helper 2016-04-26 09:30:36 -04:00
Daniel Aleksandersen add67227f4 Use HTTPS in Debuggex URLs 2016-04-24 02:20:02 +02:00
Yaroslav Halchenko aa303acfd6 Merge pull request #1381 from theDogOfPavlov/patch-3 
Tightened up exim regexes to catch rDNS entries
 2016-04-23 18:27:38 -04:00
Alexandre Perrin 1a299409e5 Fix postfix/smtps/smtpd matching. 2016-04-14 12:10:58 +02:00
theDogOfPavlov fcca1413b0 rDNS tests 
added additional tests to cover logs with rDNS
 2016-04-01 18:47:19 +01:00
Serg G. Brester b9b7ecbf6b Merge pull request #1357 from sebres/monit-new-fltr 
monit filter fixup for the new version (gh-1355)
 2016-03-26 11:39:26 +01:00
sebres ac27c9cb96 Merge branch 'patch-2' (gh-1371) 2016-03-25 17:05:23 +01:00
theDogOfPavlov 33ef2311e7 added tests to cover exim regex additions 2016-03-23 11:58:03 +00:00
theDogOfPavlov eaf6bbb08f add test to catch LDAP auth failures 2016-03-23 11:47:31 +00:00
sebres 37c9075fad fixed monit filter: failregex find now both previous and new versions: 
- failregex of previous monit version merged as single expression;
- extended failregex with new monit "access denied" version;
 2016-03-09 20:06:14 +01:00
Yaroslav Halchenko d533c0761d Merge pull request #1349 from yarikoptic/bf-tests-use-configdir 
BF: use tests.utils.CONFIG_DIR instead of fixed one (Closes #1348)
 2016-03-08 09:11:34 -05:00
Yaroslav Halchenko 634e68036e Get ready for further developments 2016-03-08 08:36:29 -05:00
Yaroslav Halchenko bb0dc17a87 BF: use tests.utils.CONFIG_DIR instead of fixed one (Closes #1348) 2016-03-07 22:40:36 -05:00
Yaroslav Halchenko 5ffc15ac68 Changes for the 0.9.4 release 2016-03-07 21:45:44 -05:00
sebres e075815833 datedetector: epoch time expression fix (now 10-11 chars, only whole number - anchored ^...\b or by special case within [], audit()) + test cases extended (positive/negative) 2016-03-07 17:57:22 +01:00
Yaroslav Halchenko a11c878fb2 ENH(TST): a hypothetical example to show/test needing trailing anchoring 2016-02-28 12:12:36 -05:00
Yaroslav Halchenko 3e31145c33 Merge pull request #1331 from whyscream/postfix-multi-instance-support 
Add support for matching postfix multi-instance daemon names by default
 2016-02-28 12:00:24 -05:00
sebres 667785b608 mysqld: failregex fixed (accepts different log level, more secure expression now); 
closes #1332
 2016-02-24 17:17:51 +01:00
Tom Hendrikx 6c606cf98f Add support for matching postfix multi-instance daemon names by default 2016-02-23 20:23:04 +01:00
Yaroslav Halchenko 905c87ca4a Merge pull request #1310 from yarikoptic/pr-1288 
NF: HAProxy HTTP Auth filter
 2016-02-11 08:35:48 -05:00
sebres d8e81eb417 regexp rewritten (few vulnerable as previous) + test case added 2016-02-08 12:01:25 +01:00
3eBoP 257b7049d8 Update asterisk filter: changed regex for "Call from ...". Sometimes extension can have a plus symbol (+) because they can be phone number. 
Closes #1309
 2016-02-08 11:51:37 +01:00