Commit Graph

1994 Commits (fix-pythonic-build-install)

Author SHA1 Message Date
Jose ca45671db2 Add support for Proxmox Web GUI 2024-07-30 19:04:00 +02:00
sebres 93810fff75 consider CONNECT and other rejected commands as a valid `_pref`;
closes gh-3800
2024-07-26 19:25:36 +02:00
Sergey G. Brester 50ff131a0f
filter.d/sshd.conf: ungroup (unneeded for _daemon) 2024-07-03 19:35:28 +02:00
Fabian Dellwing 2fed408c05 Adjust sshd filter for OpenSSH 9.8 new daemon name 2024-07-02 08:51:51 +02:00
sebres 59c5e78ce9 `filter.d/apache-overflows.conf` - consider AH10244: invalid URI path;
closes gh-3778
2024-06-28 12:50:14 +02:00
sebres a7f3a04b0e `filter.d/recidive.conf` - restore possibility to set jail name in the filter, _jailname is positive now (but by default it now uses a negative lookahead to exclude the recidive jail);
closes gh-3769
2024-06-21 13:24:46 +02:00
Sergey G. Brester 6fce23e7ba
`filter.d/sshd.conf`: fixed journalmatch (sshd.service seems to be renamed to ssh.service)
closes gh-3747
2024-06-10 01:40:59 +02:00
sebres 2533526827 extend ipset actions with new parameter `ipsettype` for the type of set (gh-3760), affected actions:
`action.d/firewallcmd-ipset.conf`, `action.d/iptables-ipset.conf`, `action.d/shorewall-ipset-proto6.conf`
2024-06-09 23:38:58 +02:00
sebres 17daf0ec78 `action.d/firewallcmd-ipset.conf`: rename `ipsettype` to `ipsetbackend` (`ipsettype` will be used now to the real set type);
amend to #2620
2024-06-09 23:32:03 +02:00
by 21bf636056
Update abuseipdb.conf
Corrected link for HP helper (see https://shaunc.com/blog/article/reporting-to-abuseipdb.com-with-fail2ban~kDoa-Hml95wW)
2024-05-20 15:34:24 +02:00
sebres c04e12dd8d Merge remote-tracking branch 'remotes/gh-upstream/0.11' 2024-04-29 11:03:33 +02:00
Sergey G. Brester 1434e3089c
Merge pull request #2455 from Thermi/improved-action-blocklist-de
Improved blocklist_de action to not resend bans that were already reported
2024-04-28 21:12:49 +02:00
sebres d0d0728523 cherry-pick from debian: debian default banactions are nftables, systemd backend for sshd
closes gh-3292
2024-04-26 02:26:55 +02:00
sebres 2c13cba73d loosening for denied suffix (would match no matter which reason in parentheses);
add coverage for denied with "(allow-query-cache did not match)"
2024-03-25 16:35:20 +01:00
Rudimar Remontti fd7657f9a9 Update named-refused.conf 2024-03-25 16:35:16 +01:00
sebres 1ec9237e53 bypass additional pid in prefix (may be logged by syslog-ng, gh-3060); matches protocol error with authentication mechanism not supported 2024-03-25 15:52:06 +01:00
sebres c80908837f `filter.d/exim.conf`:
- messages are prefiltered by `prefregex` now
- filter can bypass additional timestamp that may be logged via systemd-journal (gh-3060)
2024-03-25 15:31:23 +01:00
Vladimir Varlamov 8da0a99cde pid part may contain full hostname 2024-03-22 22:38:33 +03:00
Vladimir Varlamov 806a27cb4f final `<HOST>` to `<ADDR>` conversion 2024-03-22 22:38:33 +03:00
sebres e605415f61 simplify fields-group a bit (everything up to 4 chars long but H), so it'll be faster (no multiple branches) as well as would theoretically accept future enhancements of logged fields. 2024-03-22 16:47:54 +01:00
sebres c22a83933b let's use `<ADDR>` instead of `<HOST>` - only IPs expected, since host-name bypassed before it (directly after H=) 2024-03-22 16:35:46 +01:00
Vladimir Varlamov df94ec4c52 filter.d/exim.conf: rewrite host line regex for all varied exim's log_selector states
Depending on Exim's log_selector settings, log lines may contain additional information about the connection. And also the line itself with the address of the remote host can vary greatly. But fortunately, all states can be found in the Exim code itself and taken into account. Makes it easier to add new regexps.
Closes #3263
2024-03-22 00:16:41 +03:00
Anton Samets 0c125ec9c9
filter.d/postfix.conf: add Sender address rejected: Malformed DNS server reply (#3590)
* add Sender address rejected: Malformed DNS server reply
2024-03-19 20:30:45 +01:00
Sergey G. Brester f63868b3e8
filter.d/apache-common.conf: remote besides client, gh-3622 2024-03-15 22:36:40 +01:00
Sergey G. Brester 529eb79ddb
Merge pull request #3692 from pingou2712/postfixSystemd
Change journalmatch postfix
2024-03-13 02:34:03 +01:00
Vincent Laffargue d260ed31d2 Maintain backward compatibility Postfix SYSTEMD_UNIT 2024-03-12 04:42:36 +01:00
Sergey G. Brester dd3c78ecab
filter.d/recidive.conf: conditional RE depending on logtype (for file or journal) 2024-03-11 17:49:06 +01:00
Vincent Laffargue 0b63fc312d Change Regex Recidive and journalmatch For Systemd Match 2024-03-10 10:56:35 +01:00
Vincent Laffargue 93082ead79 Change journalmatch postfix 2024-03-10 10:10:03 +01:00
Sergey G. Brester 45d7f3cb97
no space in any case 2024-03-08 11:43:46 +01:00
László Károlyi ff701e94c3
Add to postfix syslog daemon format 2024-03-07 20:23:50 +01:00
sebres 4f679a56e0 filter.d/sshd.conf: ddos/aggressive mode extended to match new messages caused by port scanner, wrong payload on ssh port:
- message authentication code incorrect [preauth]
- connection corrupted [preauth]
- timeout before authentication
closes gh-3486
2024-02-13 16:53:21 +01:00
Logic-32 b161e55ca7 Adding STARTTLS test with the help of aiosmtp. Make sure SMTP specifies host/port in addition to connect() due to bug with starttls. 2023-12-30 16:42:31 +01:00
Sergey G. Brester 6fb3198a41 attempt to fix action for 2.x
self.host cannot be supplied to SMTP because it can contain a port (but `connect` takes place a few lines below)
2023-12-30 16:42:27 +01:00
Logic-32 6a1da5e164 Removing logging in favor of just throwing. Removing user from message as it doesn't add any value. 2023-12-30 16:42:23 +01:00
Logic-32 419e380870 Add support for TLS SMTP connections. 2023-12-30 16:42:18 +01:00
sebres 3190febb27 IPv6 fix (second IP logged in form for IPv6); pam authentication failure (part of gh-3410) 2023-12-30 15:10:37 +01:00
sebres 093cd763ce filter.d/postfix.conf: "rejected" extended to match "Access denied" too;
closes gh-3474
2023-12-15 01:03:30 +01:00
sebres ff4a2a12fc filter.d/postfix.conf: avoid double counting ('lost connection after AUTH' together with message 'disconnect ...');
closes gh-3505
2023-12-15 00:32:48 +01:00
Sergey G. Brester 5277e91013
Merge pull request #3503 from repcsi/pf_allproto
BSD Pf allproto actiontype to block all communication from source on IP level
2023-12-10 16:11:05 +01:00
sebres 0abba5dc6e more filters for nginx error-log supporting journal format now, added generalized include and __prefix_line 2023-12-10 15:21:20 +01:00
sebres b245225b13 filter.d/nginx-http-auth.conf: added optional prefix to support systemd-journal format and additional timestamp (optionally) in prefix 2023-12-10 14:39:21 +01:00
repcsi 199759f0ba added pf[protocol=all] options as recommended by sebres 2023-12-10 11:20:39 +01:00
Viktor Szépe 1427625528 Fix more typos 2023-11-22 16:32:05 +00:00
Yaroslav Halchenko 8ef0d3c7a9 [DATALAD RUNCMD] run codespell throughout fixing typo automagically
=== Do not change lines below ===
{
 "chain": [],
 "cmd": "codespell -w",
 "exit": 0,
 "extra_inputs": [],
 "inputs": [],
 "outputs": [],
 "pwd": "."
}
^^^ Do not change lines above ^^^
2023-11-18 10:04:04 -05:00
Yaroslav Halchenko 81b2eb32d6 Add pragma to ignore a codespell-detected typo in postfix.conf 2023-11-18 10:03:50 -05:00
Sergey G. Brester eed319e896
gh-3604: filter.d/slapd.conf - switched to single-line processing
closes gh-3604
2023-10-18 16:06:56 +02:00
Sergey G. Brester 183f805ae3
amend 2023-10-16 11:41:05 +02:00
Sergey G. Brester 7931b67325
mysqld-auth.conf: better RE, optional suffix, non-capturing groups 2023-10-16 11:35:53 +02:00
Aliaksandr Yurchyk c55e9949dc
Fix issue with Mariadb 10.3 failed message 2023-10-16 01:35:15 +03:00
Sergey G. Brester f8f8c046a2
Merge pull request #3469 from vitkabele/routeros-auth
New filter: routeros-auth.conf
2023-09-02 18:56:04 +02:00
nodiscc 77f80e8c3f
action.d/*ipset*: make maxelem ipset option configurable through banaction arguments
- previously there was no way to override this value and ipsets would stop being updated when full (Hash is full, cannot add more elements)
- preserve ipset's default value of 65536
- update tests
- Closes #3549
2023-08-23 12:19:07 +02:00
sebres 99ff701678 remove support of python 2.x 2023-06-16 16:29:08 +02:00
sebres eebef0089c avoid double counting for "maximum authentication attempts exceeded" ("Disconnecting ..." is no failure anymore, now it's helper only);
closes gh-3485
2023-06-13 18:49:26 +02:00
Sergey G. Brester 66e195b0f3
jail.conf: comment only (time abbr format), no function changes
closes gh-3522
2023-06-10 14:15:52 +02:00
Sergey G. Brester 809b904106
filter.d/exim.conf: fixes "dropped: too many ..." regex and also matches unrecognized commands new vector 2023-04-24 15:40:53 +02:00
Sergey G. Brester e73748c442
Merge branch 'master' into mikrotik 2023-04-13 19:09:00 +02:00
Sergey G. Brester 9cbf59c827
anchored datepattern and added journalmatch (if monitoring systemd journal) 2023-03-23 12:16:13 +01:00
Sergey G. Brester 2c0360d178
Merge branch 'master' into nginx-forbidden 2023-03-23 12:01:50 +01:00
Sergey G. Brester c7f8b75e7e
action.d/cloudflare-token.conf: fixes #3479, url-encode args by unban 2023-03-15 15:03:48 +01:00
Duncan Bellamy 7dc32971f8 changed missed names 2023-03-08 12:16:35 +00:00
Duncan Bellamy 9b1417a169 apply suggestions 2023-03-08 09:29:03 +00:00
Sergey G. Brester d46ec3a555 add jail boundary to flush command for more precise targeting of jail (if some name may be equal to prefix of other name) 2023-03-08 09:17:13 +00:00
Duncan Bellamy 5781675a7d change startcomment and comment so correct rules are flushed 2023-03-08 09:17:13 +00:00
Duncan Bellamy ac2076ef4f change unban back to find comment so correct entry always deleted 2023-03-08 09:17:13 +00:00
Duncan Bellamy 0e3e9b1d7f Add flushaction
Change unban to find by ip address not comment
2023-03-08 09:17:13 +00:00
Duncan Bellamy 9997807fb3 Add action for mikrotik routerOS 2023-03-08 09:17:13 +00:00
Vít Kabele a2c77429b9 New filter: routeros-auth.conf (Closes #3469)
Add filter to detect failed login attempts in the log produced by
MikroTik RouterOS.

- Add the filter to jail.conf
- Add testcase for the filter

Signed-off-by: Vít Kabele <vit@kabele.me>
2023-03-02 09:25:24 +01:00
Sergey G. Brester efbbcb41ea
non capturing group 2022-11-18 12:32:15 +01:00
Sergey G. Brester 996553f330
review, simplify regex and capture user name 2022-11-18 12:31:11 +01:00
Andrey Alekseenko df91b047d2 Dante SOCKS server: handle "1 byte/second" case
Thanks to @Loriowar and @sebres for pointing it out
2022-11-17 23:22:56 +01:00
Andrey Alekseenko 05c162ef10 Create filter for Dante SOCKS server 2022-11-17 23:22:55 +01:00
Sergey G. Brester ae5fe2e003
amend to #3405, eliminate catch-all 2022-11-15 14:29:59 +01:00
sebres cbb097a2b3 small amend (non capturing group) 2022-11-14 18:56:01 +01:00
sebres 82506f0586 filter.d/selinux-ssh.conf, filter.d/selinux-common.conf: fixes #3405 (new format with GS and additional parameters, e. g. grantors) 2022-11-14 18:51:06 +01:00
sebres d8e2b03a24 `filter.d/named-refused.conf` extended (closes gh-3388):
- support BIND named log categories
- allow `info:` as possible error prefix too ("query (cache) denied" may occur as info)
2022-11-03 11:41:21 +01:00
sebres ca2b94c522 fixes gh-3370: resolve extremely long search by repeated application of the non-greedy RE `(?:: (?:[^\(]+|\w+\([^\)]*\))+)?` with following branches (it may be extremely slow up to infinite search depending on message); added new regression tests
amend to gh-3210: fixes regression and matches new format in aggressive mode too
2022-10-04 14:10:45 +02:00
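The slow search fixed in gh-3370 above is a regular-expression denial of service: a filter that backtracks exponentially lets anyone who can get a crafted line into the log (a chosen user name, a chosen SMTP command) stall the fail2ban server. The following added example is not the project's code and does not reproduce its real filter or its fix: it embeds the fragment quoted in the commit message in a constructed toy failregex, pairs it with an unambiguous rewrite of my own (an assumption about one safe shape, not what the project committed), and shows that both extract the same address from a well-formed line while only the ambiguous one blows up on a poisoned line.

```python
import re
import time

# Constructed toy filter, NOT fail2ban's real regex. The optional middle part
# of AMBIGUOUS is the fragment quoted in the commit message above.
PREFIX = r"^Failed login for \S+"
SUFFIX = r" from (?P<addr>\S+)$"

# Ambiguous: [^\(]+ sits inside an outer +, so a run of n ordinary characters
# can be split between iterations in 2^(n-1) ways, and every split is retried
# (each time also scanning the \w+\( branch) when the suffix fails to match.
AMBIGUOUS = re.compile(PREFIX + r"(?:: (?:[^\(]+|\w+\([^\)]*\))+)?" + SUFFIX)

# Unambiguous rewrite (my own, not the project's fix): a run of non-"(" text,
# then any number of "(...)" groups each followed by non-"(" text. Every
# character has exactly one place it can be consumed, so a failing suffix
# costs O(n) retries instead of O(2^n).
UNAMBIGUOUS = re.compile(PREFIX + r"(?:: [^\(]*(?:\([^\)]*\)[^\(]*)*)?" + SUFFIX)


def extract_addr(pattern, line):
    """Return the address captured by `pattern`, or None if the line is no failure."""
    m = pattern.search(line)
    return m.group("addr") if m else None


def timed_match(pattern, line):
    """Return (matched, seconds) for a single search, to expose the blow-up."""
    t0 = time.perf_counter()
    m = pattern.search(line)
    return m is not None, time.perf_counter() - t0


# Constructed sample lines (not real log output).
GOOD = "Failed login for bob: invalid password pam_unix(sshd:auth) from 203.0.113.9"
GOOD_NO_REASON = "Failed login for bob from 198.51.100.4"


def poison(n):
    """A line with an attacker-chosen reason of n characters and no valid
    suffix: for AMBIGUOUS every extra character roughly doubles the work."""
    return "Failed login for bob: " + "a" * n + "!"


if __name__ == "__main__":
    for n in (12, 14, 16, 18):
        _, slow = timed_match(AMBIGUOUS, poison(n))
        _, fast = timed_match(UNAMBIGUOUS, poison(n))
        print(f"n={n:2d} ambiguous={slow:.4f}s unambiguous={fast:.6f}s")
```

The regression test the commit mentions is the right defence: keep a poisoned line in the filter's test set and fail the build if matching it takes more than a few milliseconds, because the pattern that backtracks is usually the one that looks most convenient to write.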
Jeff Johnson f9f78ed9d2
IPThreat integration (#3349)
new IPThreat action
2022-09-13 11:01:46 +02:00
sebres d6896eb26d New logtarget: systemd-journal;
rebased #1403 from da2x:feature-systemd-journal
2022-08-29 12:30:05 +02:00
sebres a08b925468 Merge branch '0.11' 2022-08-17 16:59:02 +02:00
sebres 467024797f Merge branch '0.10' into 0.11 2022-08-17 16:56:10 +02:00
Sergey G. Brester e289a1155e
Merge pull request #3269 from Logic-32/feature/cloudflare-token
Adding support for Cloudflare Token API.
2022-08-09 16:56:17 +02:00
Sergey G. Brester 514cca9ade
filter.d/sendmail-auth.conf: detect failures without user part 2022-08-01 09:20:28 +02:00
Sergey G. Brester a2264dcef0
Merge pull request #2636 from brianjmurrell/patch-2
FreeIPA renames named to named-pkcs11
2022-06-21 14:19:16 +02:00
Sergey G. Brester 3e9321e71b
non-capturing group and any variant of suffix 2022-06-21 14:15:38 +02:00
sebres 9272cce13d Merge branch '0.11' 2022-06-02 21:06:12 +02:00
sebres a69d42cea5 Merge branch '0.10' into 0.11 2022-06-02 21:04:43 +02:00
Sergey G. Brester fbfc85d8c0
common.conf: fixed typo in comment (rfc5424 for logtype)
no functional changes; closes #3274
2022-05-12 18:09:09 +02:00
Logic-32 d11ad3b90f Adding jail name to notes to disambiguate between jails. 2022-05-07 20:52:39 -06:00
Logic-32 e89b2c0ff7 Moving inet6 family block to the end so other config doesn't get added to it. 2022-05-07 20:41:33 -06:00
Logic-32 7e7b9f4a35 Adding support for Cloudflare Token API.
Closes #3080
2022-04-27 14:19:18 -06:00
sebres a2431158f6 implements new interpolation variable `%(fail2ban_confpath)s` (automatically substituted from config-reader path, default `/etc/fail2ban` or `/usr/local/etc/fail2ban` depending on distribution); `ignorecommands_dir` is no longer needed, thus removed from `paths-common.conf`;
fixes gh-3005
2022-02-09 17:10:19 +01:00
sebres 13520a0494 Merge branch '0.11' 2022-02-09 15:45:17 +01:00
sebres 8ac49b5858 Merge branch '0.10' into 0.11 2022-02-09 15:44:35 +01:00
László Károlyi f380d6202d cherry pick #3210 from master 2022-02-09 15:43:21 +01:00
sebres 498e473a10 filter.d/courier-auth.conf: consider optional port after IP, regex is rewritten without catch-alls and a right anchor, so it is more stable against further modifications now;
closes #3211
2022-02-09 12:18:23 +01:00
sebres 810386a265 filter.d/dovecot.conf: parse everything in parentheses by auth-worker info, e. g. can match (pid=...,uid=...) too
(amend to 92f90038fa)
2022-02-08 19:21:37 +01:00
Sergey G. Brester dfc866ea41
improve RE to solve conflict with expected another open parenthesis 2022-01-27 17:50:28 +01:00
László Károlyi 0f1706d4a1
Adjusting for updated dovecot log format
This should now match:

`Disconnected: Connection closed: read(size=1003) failed: Connection reset by peer (auth failed, 1 attempts in 0 secs): user=<sales@karolyi.hu>, rip=183.111.188.94, lip=127.0.0.19, session=<Lsz0Oo7WXti3b7xe>`

the issue is the `read(size=1003)` that probably has been added lately and which causes the rule not to discover the log message.
2022-01-27 11:28:20 +00:00
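The dovecot line quoted in the commit above, together with the `<HOST>` to `<ADDR>` conversions earlier in this log, is a good place to see how a fail2ban-style failregex is expanded and matched. The following added example is not the project's code: the placeholder expansions are my own simplified stand-ins for fail2ban's real `<ADDR>` and `<HOST>` substitutions, the failregex is my own (not the one committed to `filter.d/dovecot.conf`), and all sample lines except the first are constructed. It shows the optional `read(size=N) failed: ...` part being skipped or consumed, and why `<ADDR>` is the right placeholder where only an IP literal can appear.

```python
import re

# Simplified stand-ins for fail2ban's <ADDR> and <HOST> placeholders. These are
# my own approximations, not the project's real expansions, but they cover the
# sample lines below. Both capture into the group "host".
_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
_IPV6 = r"(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}"
PLACEHOLDERS = {
    "<ADDR>": rf"(?P<host>{_IPV4}|{_IPV6})",           # IP literal only
    "<HOST>": rf"(?P<host>{_IPV4}|{_IPV6}|[\w.-]+)",   # IP literal or host name
}


def compile_failregex(failregex):
    """Expand the placeholders in a fail2ban-style failregex and compile it."""
    for placeholder, expansion in PLACEHOLDERS.items():
        failregex = failregex.replace(placeholder, expansion)
    return re.compile(failregex)


# Failregex for the dovecot "Disconnected ... (auth failed ...)" line (my own).
# The "read(size=N) failed: <reason>" part is optional; the lazy [^(]+? stops at
# the "(" of "(auth failed", so free-text reasons never swallow the auth summary.
# rip= is always an IP literal, hence <ADDR> rather than <HOST>.
DOVECOT_FAILREGEX = (
    r"^Disconnected: Connection closed(?:: read\(size=\d+\) failed: [^(]+?)?"
    r" \(auth failed, \d+ attempts in \d+ secs\): user=<(?P<user>[^>]*)>, rip=<ADDR>,"
)


def find_failures(lines, failregex=DOVECOT_FAILREGEX):
    """Return (host, user) for every line the failregex identifies as a failure."""
    rx = compile_failregex(failregex)
    hits = []
    for line in lines:
        m = rx.search(line)
        if m:
            hits.append((m.group("host"), m.group("user")))
    return hits


# Sample input: the first line is the one quoted in the commit message; the rest
# are constructed variants (no read() part, IPv6 peer, and a non-failure line).
SAMPLE_LINES = [
    "Disconnected: Connection closed: read(size=1003) failed: Connection reset by peer "
    "(auth failed, 1 attempts in 0 secs): user=<sales@karolyi.hu>, rip=183.111.188.94, "
    "lip=127.0.0.19, session=<Lsz0Oo7WXti3b7xe>",
    "Disconnected: Connection closed (auth failed, 1 attempts in 0 secs): "
    "user=<bob@example.org>, rip=203.0.113.7, lip=127.0.0.19, session=<abc>",
    "Disconnected: Connection closed (auth failed, 3 attempts in 12 secs): "
    "user=<eve@example.org>, rip=2001:db8::1, lip=::1, session=<def>",
    "Disconnected: Logged out: user=<alice@example.org>, rip=198.51.100.2, lip=127.0.0.19",
]

# Constructed line with a non-IP in rip=: <ADDR> must reject it, <HOST> would accept it.
HOSTNAME_LINE = (
    "Disconnected: Connection closed (auth failed, 1 attempts in 0 secs): "
    "user=<mallory>, rip=evil.example, lip=127.0.0.19"
)

if __name__ == "__main__":
    for host, user in find_failures(SAMPLE_LINES):
        print(f"ban candidate {host} (user {user})")
```

Keeping the IP-only placeholder matters beyond neatness: a `<HOST>` capture that accepts arbitrary host names would hand a DNS lookup (and, with the wrong action, a ban of whatever that name resolves to) to whoever controls the text that lands in that field.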
sebres 06d2623c5e iptables and iptables-ipset actions extended to support multiple protocols with single action for multiport or oneport type (back-ported from nftables action);
amend to gh-980 fixing several actions (correctly supporting new enhancements now)
2022-01-26 21:51:11 +01:00