sebres
c7a86b4616
action.d/firewallcmd-ipset.conf: amend to #2620 :
...
- combines actions `firewallcmd-ipset` and `firewallcmd-ipset-native` (parameter `ipsettype=firewalld`);
- IPv6-capability for firewalld ipset;
- no internal timeout handling by default;
- no permanent rules yet
2021-05-29 22:59:55 +02:00
Sergey G. Brester
2a508da5a0
Merge pull request #2620 from mspolitaev/master
...
Using native firewalld ipset implementation
2021-05-29 21:30:55 +02:00
usernamepi
4f8427178a
Missing comment "#" ( #3022 )
...
Missed this ... but the logs showed it.
2021-05-07 18:23:40 +02:00
usernamepi
88f779ed24
ufw.conf, amend to #3018 - add missing option for comment ( #3019 )
2021-05-06 23:23:39 +02:00
Sergey G. Brester
8f6a8df3a4
added new options `kill-mode` and `kill`, which makes the drop of all connections optional
2021-05-06 21:47:06 +02:00
Sergey G. Brester
5debaa4cac
option "add", can be set to "insert <num>" instead of prepend (customization or backwards compat)
2021-05-06 20:23:58 +02:00
usernamepi
e4e7a83cff
Update ufw.conf
...
Prerequisites:
* The ss command is available, kernel is compiled with option CONFIG_INET_DIAG_DESTROY.
* Ufw version is => 0.36 (released in 2018)
* Now using "prepend" instead of "insert" to be able to handle IPv6 addresses correctly. The current action will fail for IPv6 addresses.
* Now application names containing a space should handled correctly, solves https://github.com/fail2ban/fail2ban/pull/1532
* Now closing IPv4 and IPv6 connections (if any) from the ip that is being banned. The current action will leave them open.
Using ss to accomplish this. For this to work the kernel needs to be compiled with the CONFIG_INET_DIAG_DESTROY option.
My system apparently is compiled that way.
2021-05-06 13:44:36 +02:00
Sergey G. Brester
d74dd9321b
Merge pull request #2565 from caronc/0.11
...
Add Apprise Support (50+ Notifications)
2021-04-04 00:24:21 +02:00
sebres
3eaefe8da0
Merge branch '0.10' into 0.11
2021-03-03 18:16:47 +01:00
sebres
63acc862b1
`action.d/nginx-block-map.conf`: reload nginx only if it is running (also avoid error in nginx-errorlog, gh-2949) and better test coverage for the action
2021-02-24 18:21:42 +01:00
sebres
fb6315ea5e
Merge branch '0.10' into 0.11
2021-02-24 13:16:36 +01:00
sebres
6f4b6ec8cc
action.d/badips.* removed (badips.com is no longer active, gh-2889)
2021-02-24 13:05:04 +01:00
sebres
dbc77c47c3
Merge branch '0.10' into 0.11
2021-01-21 19:11:01 +01:00
Sergey G. Brester
5f3f4d1e2f
action.d/cloudflare.conf: better IPv6 capability
...
closes gh-2891
2021-01-11 15:23:40 +01:00
sebres
6ef69b48ca
Merge branch '0.10' into 0.11
2020-11-05 16:12:31 +01:00
sebres
2817a8144c
`action.d/bsd-ipfw.conf`: small amend (gh-2836) simplifying awk condition/code (position starts from `<lowest_rule_num>` and increases whilst used)
2020-09-29 13:33:40 +02:00
sebres
1418bcdf5b
`action.d/bsd-ipfw.conf`: fixed selection of rule-no by large list or initial `lowest_rule_num`, exit code can't be larger than 255 (gh-2836)
2020-09-29 12:35:49 +02:00
sebres
d253e60a8b
Merge branch '0.10' into 0.11
2020-09-23 19:39:50 +02:00
Sergey G. Brester
d977d81ef7
action.d/abuseipdb.conf: removed broken link, simplified usage example, fixed typos
2020-09-17 12:39:08 +02:00
sebres
74b73bce8a
Merge branch '0.10' into 0.11
2020-09-04 13:09:47 +02:00
sebres
a038fd5dfe
`action.d/firewallcmd-*.conf` (multiport only): fixed port range selector, replacing `:` with `-`;
...
small optimizations on `firewallcmd-rich-rules.conf` and `firewallcmd-rich-logging.conf` simplifying both and provide a dependency (rich-logging is a derivative of rich-rules);
closes gh-2821
2020-09-03 16:41:23 +02:00
Sergey G. Brester
70c601e9e5
involve config parameter (replaces hard-coded path); fixed typo in actionban (looks like copy&paste from trimmed tty)
2020-09-02 20:47:05 +02:00
Chris Caron
2216fd8da4
Add Apprise Support (50+ Notifications)
2020-08-04 19:04:05 -04:00
sebres
067b76fc9e
Merge branch '0.10' into 0.11
2020-08-04 15:40:59 +02:00
sebres
9100d07c03
Merge branch '0.10-ipset-tout' into 0.10, amend to #2703 : resolves names conflict (command action timeout and ipset timeout); closes #2790
2020-08-04 13:53:21 +02:00
sebres
73a8175bb0
resolves names conflict (command action timeout and ipset timeout); closes gh-2790
2020-08-04 13:22:02 +02:00
sebres
309c8dddd7
action.d/nftables.conf (type=multiport only): fixed port range selector (replacing `:` with `-`)
2020-06-24 19:20:36 +02:00
sebres
1588200274
Merge branch '0.10' into 0.11
2020-05-25 18:58:05 +02:00
Sergey G. Brester
01e92ce4a6
added fallback using tr and sed (jq is optional now)
2020-04-27 19:26:46 +02:00
Sergey G. Brester
1c1b671c74
Update cloudflare.conf
2020-04-27 19:26:44 +02:00
Sergey G. Brester
5b8fc3b51a
cloudflare: fixes ip to id conversion by unban using jq
...
normalized URIs and parameters, notes gets a jail-name (should be possible to differentiate the same IP across several jails)
2020-04-27 19:26:43 +02:00
Viktor Szépe
852670bc99
CloudFlare started to indent their API responses
...
We need to use https://github.com/stedolan/jq to parse it.
2020-04-27 19:26:39 +02:00
Ilya
8b3b9addd1
Change tool from 'cut' to 'sed'
...
Sed regex was tested - it works.
2020-04-27 19:12:36 +02:00
Ilya
5da2422f61
Fix actionunban
...
Add command to remove new line character. Needed for working removing rule from cloudflare firewall.
2020-04-27 19:12:35 +02:00
sebres
87a1a2f1a1
action.d/*-ipset*.conf: several ipset actions fixed (no timeout per default anymore), so no discrepancy between ipset and fail2ban (removal from ipset will be managed by fail2ban only)
2020-04-25 14:52:38 +02:00
sebres
ceeba99f25
replace internals of several iptables-ipset actions using internals of iptables include:
...
- better check mechanism (using `-C`, option `--check` is available long time);
- additionally iptables-ipset is a common action for iptables-ipset-proto6-* now (which become obsolete now);
- many features of different iptables actions are combinable as single chain/rule (can be supplied to action as parameters);
- tests adjusted.
2020-02-14 12:16:26 +01:00
sebres
d26209e2c6
first attempt to make certain standard actions breakdown safe starting with iptables:
...
- better check mechanism (using `-C`, option `--check` is available long time);
- additionally iptables is a replacement for iptables-common now, several actions using this as include now become obsolete;
- many features of different iptables actions are combinable as single chain/rule (can be supplied to action as parameters);
2020-02-14 12:16:25 +01:00
Mihail Politaev
303861d7c7
Using native firewalld ipset implementation
...
By creating additional action file firewallcmd-ipset-native.conf
2020-01-30 21:17:32 +02:00
sebres
70e47c9621
Merge branch '0.10' into 0.11
2020-01-14 11:44:35 +01:00
sebres
ec37b1942c
action.d/nginx-block-map.conf: fixed backslash substitution (different echo behavior in some shells, gh-2596)
2020-01-14 11:39:13 +01:00
sebres
3515d06979
Merge branch '0.10' into 0.11
2019-10-18 19:19:21 +02:00
sebres
85ec605358
nftables: amend to gh-2254 - implemented shutdown of action (proper clean-up) - at stop it checks now the last set was deleted and removes table completely (if table does not contain any set);
...
this is avoided if some sets were added manually or can be avoided via overwriting of parameter `_nft_shutdown_table`, for example:
banaction = nftables[_nft_shutdown_table=''][...]
2019-10-18 19:01:16 +02:00
sebres
51af193402
nftables: add options allowing to specify own table (default `f2b-table`) and chain (default `f2b-chain`)
2019-10-18 18:54:02 +02:00
sebres
955d690e56
regrouping expressions with curly braces, added more escapes (better handling in posix shell)
2019-10-18 18:34:48 +02:00
sebres
0824ad0d73
Merge branch '0.10' into 0.11
2019-10-18 12:04:38 +02:00
sebres
8ea00c1d5d
fixed mistake in config (semicolon after space as comment in configs?) and coverage, suppress errors by unsupported flush, better space handling in helper _nft_get_handle_id, etc
2019-09-25 13:47:29 +02:00
sebres
492205d30e
action.d/nftables.conf: implemented `actionflush` (allows flushing nftables sets resp. fast unban of all jail tickets at all)
2019-09-24 20:00:29 +02:00
sebres
abc4d9fe37
allow to use multiple protocols in multiport (single set with multiple rules in chain):
...
`banaction = nftables[type=multiport]` with `protocol="tcp,udp,sctp"` in jail replace 3 separate actions.
more robust if deleting multiple references to set (rules in chain)
2019-09-24 19:44:59 +02:00
sebres
c753ffb11d
combine nftables actions to single action:
...
- nftables-common is removed
- nftables-allports is obsolete, replaced by nftables[type=allports]
- nftables-multiport is obsolete, replaced by nftables[type=multiport]
2019-09-24 18:53:38 +02:00
sebres
c59d49da22
nftables-allports: support multiple protocols in single rule;
...
tests/servertestcase.py: added coverage for nftables actions
2019-09-24 18:46:41 +02:00
Ririsoft
dde51b4682
fix actionban/unban ip definition syntax
2019-09-24 13:01:14 +02:00
Monson Shao
1cda50ce05
Rewrite nftables variables based on nftables' logic.
...
Add an example for redirecting.
2019-09-24 13:01:13 +02:00
sebres
581f13c2db
Merge branch '0.10' into 0.11
2019-07-22 19:07:15 +02:00
Sergey G. Brester
846b3316db
amend, remove NL
2019-06-29 12:04:02 +02:00
Sergey G. Brester
4ae00485b0
revert acktionban back, use norestored option
2019-06-29 12:03:01 +02:00
Noel Kuntze
9327218843
Improved blocklist_de action to not resend bans that were already reported
2019-06-29 01:39:38 +02:00
benrubson
8b171f7d25
Badips key is only used to retrieve list
2019-06-26 18:34:20 +02:00
sebres
80f97eaf02
Merge branch '0.10' into 0.11
2019-06-26 17:29:08 +02:00
sebres
e751be2c13
normalize, simplify and fix several mail actions (mail and sendmail actions are more similar now, sendmail is configurable via parameter `mailcmd`, etc);
...
added test covering sendmail-whois-lines
2019-06-15 23:14:41 +02:00
sebres
2e7a600851
Merge branch '0.10' into 0.11
2019-06-12 11:44:05 +02:00
sebres
22b9304562
action.d/badips.py: fix start of banaction on demand (which may be IP-family related), supplied action info with ticket instead of simulating it with dict;
...
(closes gh-2390)
2019-06-12 11:23:52 +02:00
sebres
3d4044084a
Merge branch '0.10' into 0.11
2019-06-07 14:48:10 +02:00
Sergey G. Brester
7dbd3a07eb
cut comment to limit documented on abuseipdb, additionally use curl in quiet mode
2019-06-07 14:39:55 +02:00
Carlos Ferreira
7b73cb7639
Switch to AbuseIPDB API v2
2019-06-07 14:39:52 +02:00
sebres
ca85ddc866
Merge branch '0.10' into 0.11
2019-05-10 16:23:50 +02:00
sebres
d8d71c5a22
action.d/helpers-common.conf: grep arguments are rewritten - using options `-wF` to match only whole words and fixed string (not as pattern)
2019-05-10 16:17:13 +02:00
chtheis
fa727586ff
Fix grep pattern to deal with Apache's error log
...
Apache's error log appends the port to the IP address, other logs don't.
2019-05-10 16:04:27 +02:00
sebres
74eac6c94f
Merge branch '0.10' into 0.11
2019-05-02 15:28:44 +02:00
sebres
23d2281e57
action.d/nginx-block-map.conf: small fix with better RE-rule for removal of ID (token/session) via sed (anchored now)
2019-05-02 15:22:45 +02:00
Sergey G. Brester
b318eb7e33
closes gh-2408: prevent execution of action `abuseipdb` for restored tickets
2019-04-29 10:45:37 +02:00
sebres
17a4f81e23
Merge branch '0.10' into 0.11
2019-03-27 13:46:56 +01:00
sebres
e8401a7e65
action.d/xarf-login-attack.conf: fixes gh-2372, correction for split of addresses, interpolation is shell-independent now, etc;
...
extended with option `boundary`, additionally dynamic boundary part is used (is not so predictable as it was previously);
2019-03-16 00:05:06 +01:00
sebres
324f0ed7cc
Merge branch '0.10' into 0.11
2019-03-01 12:36:07 +01:00
sebres
5126068099
loglevel and shortloglevel combined to single parameter loglevel, below an example logging summary with NOTICE and rest with DEBUG log-levels:
...
action = badips.py[... , loglevel="debug, notice"]
2019-02-22 14:05:19 +01:00
benrubson
689938ee99
Add a shortloglevel badips.py option
2019-02-22 13:32:46 +01:00
sebres
a3b7a0525a
Merge branch '0.10' into 0.11
2019-02-22 13:22:52 +01:00
sebres
140243328f
coverage: try to avoid sporadic "coverage decreased" in CI
2019-02-22 13:20:40 +01:00
todgru
39ed016a1e
fix: correct spelling category
2019-01-14 22:08:38 -08:00
sebres
b49c1ab4b3
Merge branch '0.10' into 0.11
2018-11-21 13:06:44 +01:00
sebres
555b29e8e6
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2018-11-21 13:05:42 +01:00
dienteperro
0df221b54b
"be" instead of "me" in shorewall.conf
2018-11-15 14:34:51 -05:00
sebres
f9f7e29295
Merge branch '0.10' into 0.11 (version bump after r.0.10.4)
2018-10-04 13:08:25 +02:00
Sergey G. Brester
1752c19b6f
Merge pull request #2205 from benrubson/patch-1
...
Add loglevel option to badips.py
2018-10-02 13:12:03 +02:00
Sergey G. Brester
65676baf8c
fixed py3 incompatibility (for some reasons this file seems to be excluded from 2to3), anyway not needed, because int-type is already checked in str2LogLevel
2018-10-02 13:00:20 +02:00
Sergey G. Brester
4b751c84c3
badips.py: Rewrite new bool option "log" as "loglevel" and revert default to log-level (DEBUG).
2018-10-02 12:32:15 +02:00
sebres
8a0c06ba9e
Merge branch '0.10' into 0.11
2018-09-14 11:01:40 +02:00
sebres
d01fe9d22a
action.d/*.conf: correct comments for actionstart/actionstop
2018-09-12 16:01:57 +02:00
Ben RUBSON
9d7c0e00c1
Also log number of IPs removed/added
2018-09-08 09:28:42 +02:00
Ben RUBSON
70e53b55c5
Typo
2018-08-19 22:39:18 +02:00
Ben RUBSON
ec4c4b12c1
Add yes/no log option to badips.py
2018-08-19 22:35:09 +02:00
sebres
9de1657aab
Merge branch '0.10' into 0.11
2018-07-06 11:43:56 +02:00
sebres
6ce67a6d21
coverage
2018-07-05 16:27:36 +02:00
sebres
0eaa0ecd86
Merge branch '0.10' into 0.11
2018-06-14 12:36:22 +02:00
sebres
8cbe1e6b13
Merge pull request #2155
2018-06-14 12:35:57 +02:00
cheese1
43db4411de
small typo
2018-06-14 12:35:04 +02:00
sebres
0d40dd42b1
Merge branch '0.10' into 0.11
2018-04-26 13:43:15 +02:00
sebres
bba7a6c5cf
amend to (gh-2067) / b34ae5999e0d8ee1af8939527305c13152844b3d: fix parameter in config (dynamic parameters stating with '_' are protected and don't allowed in command-actions);
...
the interpolation of hostsdeny is test-covered now;
closes gh-2114.
2018-04-17 18:59:24 +02:00
sebres
0707695146
Merge branch '0.10' into 0.11, version bump
...
# Conflicts resolved:
# fail2ban/server/database.py
2018-04-05 12:58:11 +02:00
sebres
8069eef50c
badips: try to fix sporadic test errors if badips-server timed out resp. not available (502 bad gateway or similar).
2018-04-05 12:31:29 +02:00
sebres
1fdad90b4d
Merge branch '0.10' into 0.11
2018-04-04 16:49:57 +02:00