Commit Graph

1043 Commits (fix-pythonic-build-install)

Author SHA1 Message Date
Sergey G. Brester f7aaaf50b8
`filter.d/exim.conf`: colon must be outside of F-RCPT group 2025-04-27 23:00:09 +02:00
sebres c76e90fbb1 * Merge pull request #3940 from exim-pr-mode-more
`filter.d/exim.conf` - fewer REs by default, introduces mode `more`
2025-04-02 15:11:38 +02:00
Sergey G. Brester 6104444bb4
improve regex (anchored from left, no catch-alls, `<ADDR>` for IP, etc) 2025-04-01 17:28:58 +02:00
Rajib Sharia c7f7bc55bb
Create vaultwarden.conf
Filter for unsuccessful Vaultwarden authentication attempts
2025-04-01 20:36:53 +08:00
sebres ee421dfbd6 `filter.d/apache-noscript.conf` - consider new log-format with "AH02811: stderr from /...";
closes gh-3900
2025-03-28 22:52:51 +01:00
sebres 8ae6eaf39a `filter.d/postfix.conf` - default `_daemon` in prefix-line is loosened - can match everything starting with word postfix, like `postfix-example.com/smtpd`;
closes gh-3297
2025-03-10 22:35:26 +01:00
Sergey G. Brester c035428535
Merge pull request #3954 from luckylittle/feature/systemd-journal-vsftpd
`filter.d/vsftpd.conf` - fixed regex (if failures generated by systemd-journal)
2025-03-04 14:20:01 +01:00
sebres 94fe9cf4a8 more fixes, capture user names, more tests...
since line 7 matches successfully now (it was disabled in gh-358 because of obsolete format), it is marked as match:true (line can be removed later if unneeded)
2025-03-04 14:13:07 +01:00
sebres 1e06ab68b4 fixed filter (new regex is unneeded), tests format of failures produced by system journal 2025-03-04 13:47:59 +01:00
Sergey G. Brester 13a74feaad
2nd RE unneeded, fix single RE - bypass everything before open parenthesis 2025-03-04 13:02:50 +01:00
Lucian Maly 6e3bfd800c
Added author 2025-03-04 12:26:14 +11:00
Lucian Maly 9d7646e6c0
Added author 2025-03-04 12:25:27 +11:00
Lucian Maly fd1d0d25a8
Added regex for systemd-journal matches of lighttpd-auth 2025-03-04 12:20:24 +11:00
Lucian Maly 65d473fc8e
Added regex for systemd-journal matches of vsftpd 2025-03-04 11:43:38 +11:00
Sergey G. Brester c88967df2d
`filter.d/exim.conf` - introduces mode `more` (several rules moved from mode `normal` to `more`), because:
- they have basically nothing with authentication;
- they can cause false positives (e. g. someone sends several mails from google mailing server to wrong recipients and if they would cause "rejected RCPT - Unknown user", the google host gets banned;
- to avoid occasional ban of legitimate servers one'd need create large white-list for `ignoreip` or construct complex `ignorecommands` to exclude all legitimate servers of big players (like google, microsoft, GMX, etc);
2025-02-13 21:30:04 +01:00
sebres 882e6d5e00 `filter.d/exim.conf` - mode `aggressive` extended to catch dropped by ACL failures, e.g. "ACL: Country is banned" 2025-02-10 17:30:07 +01:00
Sergey G. Brester 6fb3532c45
Merge pull request #3931 from brianjmurrell/patch-2
`from '[^']*'` is not always present …
2025-01-30 14:06:00 +01:00
sebres b55c20594e `paths-common.conf`: changed default `mysql_log` path (default `logpath` of `mysqld-auth` jail without maintainer overrides); adjusted comments (`log_error_verbosity = 3` instead of `log-warnings = 2`)
closes gh-3932
2025-01-30 14:00:43 +01:00
sebres d2c60a168f combine several regexes to single RE 2025-01-30 01:13:49 +01:00
sebres e1fc569291 normalize jail (defaults, etc); added missing tests for all REs; common prefix for failregex, no catch-alls, etc 2025-01-30 01:13:48 +01:00
Philipp Burndorfer 88385eb6c1 New openvpn jail. 2025-01-30 01:13:46 +01:00
Brian J. Murrell 325613a8f8
from '[^']*' is not always present …
In the message from asterisk.

Signed-off-by: Brian J. Murrell <brian@interlinx.bc.ca>
2025-01-28 13:09:29 -05:00
sebres a796cc9b91 `filter.d/dropbear.conf`: failregex extended to match different format of "Exit before auth" message;
closes gh-3791
2024-12-27 16:43:33 +01:00
MichaIng eb8b44370a
Make Dropbear regex more compatible and simpler
Dropbear uses `strftime` `"%b %d %H:%M:%S` to print its timestamps, hence we know the day and time format, but the month could be localized. We hence allow any 3 word characters for it, and additionally simplify the day and time pattern into a single group.

Signed-off-by: MichaIng <micha@dietpi.com>
2024-12-27 14:00:36 +07:00
MichaIng dd9f359f5c
Fix Dropbear filter when logging to STDOUT
Since Debian Bookworm, the distribution ships Dropbear with a native systemd service instead of the default upstream init.d service, and accordingly uses the `-F` and `-E` flags, to run it in foreground and have it logging to STDOUT instead of syslog.

As usual, timestamps and also the PID are now included by the log message emitted by Dropbear, in addition to the systemd journal log prefix.

The Dropbear filter hence does not match anymore. This commit adds the PID and timestamp as optional pattern between prefix and fail log text, to support Dropbear on Debian Bookworm and newer (and likely new versions of other distros) without breaking the old pattern when running Dropbear without `-E` flag.

Additionally, for performance reasons, this commit adds a `journalmatch` entry, matching Debian's and Fedora's `dropbear.service` with `dropbear` executable/identifier, the most likely match for a Dropbear systemd service.

Signed-off-by: MichaIng <micha@dietpi.com>
2024-12-27 13:59:35 +07:00
sebres 89b5f3bb1e `filter.d/sshd.conf`: `ddos` and `aggressive` modes, regex extended for timeout before authentication (optional connection from part);
closes gh-3907
2024-12-26 14:24:15 +01:00
sebres 91c27d0600 `filter.d/freeswitch.conf`: bypass some new info in prefix before [WARNING] (changed default `_pref_line`);
closes gh-3143
2024-12-04 16:56:23 +01:00
sebres 54c0effceb filter.d/sshd.conf: amend to #3747/#3812 (new ssh version would log with `_COMM=sshd-session`) 2024-08-11 12:10:12 +02:00
sebres c769046a1f Revert "`filterd./sshd.conf`: fixed journalmatch (sshd.service seems to be renamed to ssh.service)" - it'd patched in debian branch.
This reverts commit 6fce23e7ba.
2024-08-11 11:55:39 +02:00
sebres 8e0a2366f0 Fixes unmatched tag (caused unmatched brace); review: combined to single regex, simple case without injection attempts faster, `<HOST>` replaced with `<ADDR>` (faster and fewer vulnerable on complex cases, since doesn't match text as hostname) etc. 2024-08-10 13:20:18 +02:00
Maksim Usmanov | Maks 35afe20ea0
Roundcube 1.4 change log format
From roundcube 1.4 log change format -> e92d8e31a3/program/lib/Roundcube/rcube_imap.php (L194)
2024-08-09 22:53:45 +02:00
sebres 9a558589d7 review (anchoring RE, etc) 2024-07-30 19:16:40 +02:00
Jose 83f2d59eee match numbers 2024-07-30 19:05:56 +02:00
Jose 07a7da8d8e Remove greedy catch-all before HOST 2024-07-30 19:05:55 +02:00
Jose ca45671db2 Add support to Proxmox Web GUI 2024-07-30 19:04:00 +02:00
sebres 93810fff75 consider CONNECT and other rejected commands as a valid `_pref`;
closes gh-3800
2024-07-26 19:25:36 +02:00
Sergey G. Brester 50ff131a0f
filter.d/sshd.conf: ungroup (unneeded for _daemon) 2024-07-03 19:35:28 +02:00
Fabian Dellwing 2fed408c05 Adjust sshd filter for OpenSSH 9.8 new daemon name 2024-07-02 08:51:51 +02:00
sebres 59c5e78ce9 `filter.d/apache-overflows.conf` - consider AH10244: invalid URI path;
closes gh-3778
2024-06-28 12:50:14 +02:00
sebres a7f3a04b0e `filter.d/recidive.conf` - restore possibility to set jail name in the filter, _jailname is positive now (but by default it uses now negative lookahead to exclude recidive jail);
closes gh-3769
2024-06-21 13:24:46 +02:00
Sergey G. Brester 6fce23e7ba
`filterd./sshd.conf`: fixed journalmatch (sshd.service seems to be renamed to ssh.service)
closes gh-3747
2024-06-10 01:40:59 +02:00
sebres 2c13cba73d loosening for denied suffix (would match no matter which reason in parenthesis);
add coverage for denied with "(allow-query-cache did not match)"
2024-03-25 16:35:20 +01:00
Rudimar Remontti fd7657f9a9 Update named-refused.conf 2024-03-25 16:35:16 +01:00
sebres 1ec9237e53 bypass additional pid in prefix (may be logged by syslog-ng, gh-3060); matches protocol error with authentication mechanism not supported 2024-03-25 15:52:06 +01:00
sebres c80908837f `filter.d/exim.conf`:
- messages are prefiltered by `prefregex` now
  - filter can bypass additional timestamp that may be logged via systemd-journal (gh-3060)
2024-03-25 15:31:23 +01:00
Vladimir Varlamov 8da0a99cde pid part may contain full hostname 2024-03-22 22:38:33 +03:00
Vladimir Varlamov 806a27cb4f final `<HOST>` to `<ADDR>` conversion 2024-03-22 22:38:33 +03:00
sebres e605415f61 simplify fields-group a bit (everything up to 4 chars long but H), so it'll be faster (no multiple branches) as well as would theoretically accept future enhancements of logged fields. 2024-03-22 16:47:54 +01:00
sebres c22a83933b let's use `<ADDR>` instead `<HOST>` - only IPs expected, since host-name bypassed before it (directly after H=) 2024-03-22 16:35:46 +01:00
Vladimir Varlamov df94ec4c52 filter.d/exim.conf: rewrite host line regex for all varied exim's log_selector states
Depending on Exim's log_selector settings, log lines may contain additional information about the connection. And also the line itself with the address of the remote host can vary greatly. But fortunately, all states can be found in the Exim code itself and taken into account. Makes it easier to add new regexps.
Closes #3263
2024-03-22 00:16:41 +03:00