Sergey G. Brester
f7aaaf50b8
`filter.d/exim.conf`: colon must be outside of F-RCPT group
2025-04-27 23:00:09 +02:00
sebres
c76e90fbb1
* Merge pull request #3940 from exim-pr-mode-more
...
`filter.d/exim.conf` - fewer REs by default, introduces mode `more`
2025-04-02 15:11:38 +02:00
Sergey G. Brester
6104444bb4
improve regex (anchored from left, no catch-alls, `<ADDR>` for IP, etc)
2025-04-01 17:28:58 +02:00
Rajib Sharia
c7f7bc55bb
Create vaultwarden.conf
...
Filter for unsuccessful Vaultwarden authentication attempts
2025-04-01 20:36:53 +08:00
sebres
ee421dfbd6
`filter.d/apache-noscript.conf` - consider new log-format with "AH02811: stderr from /...";
...
closes gh-3900
2025-03-28 22:52:51 +01:00
sebres
8ae6eaf39a
`filter.d/postfix.conf` - default `_daemon` in prefix-line is loosened - can match everything starting with word postfix, like `postfix-example.com/smtpd`;
...
closes gh-3297
2025-03-10 22:35:26 +01:00
Sergey G. Brester
c035428535
Merge pull request #3954 from luckylittle/feature/systemd-journal-vsftpd
...
`filter.d/vsftpd.conf` - fixed regex (if failures generated by systemd-journal)
2025-03-04 14:20:01 +01:00
sebres
94fe9cf4a8
more fixes, capture user names, more tests...
...
since line 7 matches successfully now (it was disabled in gh-358 because of obsolete format), it is marked as match:true (line can be removed later if unneeded)
2025-03-04 14:13:07 +01:00
sebres
1e06ab68b4
fixed filter (new regex is unneeded), tests format of failures produced by system journal
2025-03-04 13:47:59 +01:00
Sergey G. Brester
13a74feaad
2nd RE unneeded, fix single RE - bypass everything before open parenthesis
2025-03-04 13:02:50 +01:00
Lucian Maly
6e3bfd800c
Added author
2025-03-04 12:26:14 +11:00
Lucian Maly
9d7646e6c0
Added author
2025-03-04 12:25:27 +11:00
Lucian Maly
fd1d0d25a8
Added regex for systemd-journal matches of lighttpd-auth
2025-03-04 12:20:24 +11:00
Lucian Maly
65d473fc8e
Added regex for systemd-journal matches of vsftpd
2025-03-04 11:43:38 +11:00
Sergey G. Brester
c88967df2d
`filter.d/exim.conf` - introduces mode `more` (several rules moved from mode `normal` to `more`), because:
...
- they have basically nothing with authentication;
- they can cause false positives (e. g. someone sends several mails from google mailing server to wrong recipients and if they would cause "rejected RCPT - Unknown user", the google host gets banned;
- to avoid occasional ban of legitimate servers one'd need create large white-list for `ignoreip` or construct complex `ignorecommands` to exclude all legitimate servers of big players (like google, microsoft, GMX, etc);
2025-02-13 21:30:04 +01:00
sebres
882e6d5e00
`filter.d/exim.conf` - mode `aggressive` extended to catch dropped by ACL failures, e.g. "ACL: Country is banned"
2025-02-10 17:30:07 +01:00
Sergey G. Brester
6fb3532c45
Merge pull request #3931 from brianjmurrell/patch-2
...
`from '[^']*'` is not always present …
2025-01-30 14:06:00 +01:00
sebres
b55c20594e
`paths-common.conf`: changed default `mysql_log` path (default `logpath` of `mysqld-auth` jail without maintainer overrides); adjusted comments (`log_error_verbosity = 3` instead of `log-warnings = 2`)
...
closes gh-3932
2025-01-30 14:00:43 +01:00
sebres
d2c60a168f
combine several regexes to single RE
2025-01-30 01:13:49 +01:00
sebres
e1fc569291
normalize jail (defaults, etc); added missing tests for all REs; common prefix for failregex, no catch-alls, etc
2025-01-30 01:13:48 +01:00
Philipp Burndorfer
88385eb6c1
New openvpn jail.
2025-01-30 01:13:46 +01:00
Brian J. Murrell
325613a8f8
from '[^']*' is not always present …
...
In the message from asterisk.
Signed-off-by: Brian J. Murrell <brian@interlinx.bc.ca>
2025-01-28 13:09:29 -05:00
sebres
a796cc9b91
`filter.d/dropbear.conf`: failregex extended to match different format of "Exit before auth" message;
...
closes gh-3791
2024-12-27 16:43:33 +01:00
MichaIng
eb8b44370a
Make Dropbear regex more compatible and simpler
...
Dropbear uses `strftime` `"%b %d %H:%M:%S` to print its timestamps, hence we know the day and time format, but the month could be localized. We hence allow any 3 word characters for it, and additionally simplify the day and time pattern into a single group.
Signed-off-by: MichaIng <micha@dietpi.com>
2024-12-27 14:00:36 +07:00
MichaIng
dd9f359f5c
Fix Dropbear filter when logging to STDOUT
...
Since Debian Bookworm, the distribution ships Dropbear with a native systemd service instead of the default upstream init.d service, and accordingly uses the `-F` and `-E` flags, to run it in foreground and have it logging to STDOUT instead of syslog.
As usual, timestamps and also the PID are now included by the log message emitted by Dropbear, in addition to the systemd journal log prefix.
The Dropbear filter hence does not match anymore. This commit adds the PID and timestamp as optional pattern between prefix and fail log text, to support Dropbear on Debian Bookworm and newer (and likely new versions of other distros) without breaking the old pattern when running Dropbear without `-E` flag.
Additionally, for performance reasons, this commit adds a `journalmatch` entry, matching Debian's and Fedora's `dropbear.service` with `dropbear` executable/identifier, the most likely match for a Dropbear systemd service.
Signed-off-by: MichaIng <micha@dietpi.com>
2024-12-27 13:59:35 +07:00
sebres
89b5f3bb1e
`filter.d/sshd.conf`: `ddos` and `aggressive` modes, regex extended for timeout before authentication (optional connection from part);
...
closes gh-3907
2024-12-26 14:24:15 +01:00
sebres
91c27d0600
`filter.d/freeswitch.conf`: bypass some new info in prefix before [WARNING] (changed default `_pref_line`);
...
closes gh-3143
2024-12-04 16:56:23 +01:00
sebres
54c0effceb
filter.d/sshd.conf: amend to #3747/#3812 (new ssh version would log with `_COMM=sshd-session`)
2024-08-11 12:10:12 +02:00
sebres
c769046a1f
Revert "`filterd./sshd.conf`: fixed journalmatch (sshd.service seems to be renamed to ssh.service)" - it'd patched in debian branch.
...
This reverts commit 6fce23e7ba
.
2024-08-11 11:55:39 +02:00
sebres
8e0a2366f0
Fixes unmatched tag (caused unmatched brace); review: combined to single regex, simple case without injection attempts faster, `<HOST>` replaced with `<ADDR>` (faster and fewer vulnerable on complex cases, since doesn't match text as hostname) etc.
2024-08-10 13:20:18 +02:00
Maksim Usmanov | Maks
35afe20ea0
Roundcube 1.4 change log format
...
From roundcube 1.4 log change format -> e92d8e31a3/program/lib/Roundcube/rcube_imap.php (L194)
2024-08-09 22:53:45 +02:00
sebres
9a558589d7
review (anchoring RE, etc)
2024-07-30 19:16:40 +02:00
Jose
83f2d59eee
match numbers
2024-07-30 19:05:56 +02:00
Jose
07a7da8d8e
Remove greedy catch-all before HOST
2024-07-30 19:05:55 +02:00
Jose
ca45671db2
Add support to Proxmox Web GUI
2024-07-30 19:04:00 +02:00
sebres
93810fff75
consider CONNECT and other rejected commands as a valid `_pref`;
...
closes gh-3800
2024-07-26 19:25:36 +02:00
Sergey G. Brester
50ff131a0f
filter.d/sshd.conf: ungroup (unneeded for _daemon)
2024-07-03 19:35:28 +02:00
Fabian Dellwing
2fed408c05
Adjust sshd filter for OpenSSH 9.8 new daemon name
2024-07-02 08:51:51 +02:00
sebres
59c5e78ce9
`filter.d/apache-overflows.conf` - consider AH10244: invalid URI path;
...
closes gh-3778
2024-06-28 12:50:14 +02:00
sebres
a7f3a04b0e
`filter.d/recidive.conf` - restore possibility to set jail name in the filter, _jailname is positive now (but by default it uses now negative lookahead to exclude recidive jail);
...
closes gh-3769
2024-06-21 13:24:46 +02:00
Sergey G. Brester
6fce23e7ba
`filterd./sshd.conf`: fixed journalmatch (sshd.service seems to be renamed to ssh.service)
...
closes gh-3747
2024-06-10 01:40:59 +02:00
sebres
2c13cba73d
loosening for denied suffix (would match no matter which reason in parenthesis);
...
add coverage for denied with "(allow-query-cache did not match)"
2024-03-25 16:35:20 +01:00
Rudimar Remontti
fd7657f9a9
Update named-refused.conf
2024-03-25 16:35:16 +01:00
sebres
1ec9237e53
bypass additional pid in prefix (may be logged by syslog-ng, gh-3060); matches protocol error with authentication mechanism not supported
2024-03-25 15:52:06 +01:00
sebres
c80908837f
`filter.d/exim.conf`:
...
- messages are prefiltered by `prefregex` now
- filter can bypass additional timestamp that may be logged via systemd-journal (gh-3060)
2024-03-25 15:31:23 +01:00
Vladimir Varlamov
8da0a99cde
pid part may contain full hostname
2024-03-22 22:38:33 +03:00
Vladimir Varlamov
806a27cb4f
final `<HOST>` to `<ADDR>` conversion
2024-03-22 22:38:33 +03:00
sebres
e605415f61
simplify fields-group a bit (everything up to 4 chars long but H), so it'll be faster (no multiple branches) as well as would theoretically accept future enhancements of logged fields.
2024-03-22 16:47:54 +01:00
sebres
c22a83933b
let's use `<ADDR>` instead `<HOST>` - only IPs expected, since host-name bypassed before it (directly after H=)
2024-03-22 16:35:46 +01:00
Vladimir Varlamov
df94ec4c52
filter.d/exim.conf: rewrite host line regex for all varied exim's log_selector states
...
Depending on Exim's log_selector settings, log lines may contain additional information about the connection. And also the line itself with the address of the remote host can vary greatly. But fortunately, all states can be found in the Exim code itself and taken into account. Makes it easier to add new regexps.
Closes #3263
2024-03-22 00:16:41 +03:00