sebres
26b91862fc
introduces a parameter `mta_dname` (default `\S+`) to allow more complex REs to match custom MTA daemon names (e.g. with spaces etc)
2025-09-02 19:41:40 +02:00
sebres
13876e93ad
fixes the inconsistency with F-MLFID ("ID" matched by `(?:\w{14,20}: )?` is optional in message); simplify PR
2025-09-02 19:11:04 +02:00
bill
9e72e78f34
filter.d/sendmail-reject.conf: support BSD log format. match user unknown messages. add aggressive mode for lost input channel and relaying denied messages
2025-09-01 22:34:53 -04:00
sebres
c26fda9dbb
`filter.d/dovecot.conf`: new matches in `aggressive` mode:
...
- new variant for `no auth attempts in X secs` with `Login aborted` and `(no_auth_attempts)`;
- covered `disconnected during TLS handshake` with `no application protocol` and `no shared cipher`.
2025-08-23 20:16:40 +02:00
Sergey G. Brester
77ba28bae1
Merge pull request #3291 from ttyS4/patch-1
...
nftables.conf - add support for cidr notation and address ranges
2025-08-08 10:23:08 +02:00
Sergey G. Brester
eb80b895d1
provides flags interval as `addr_options` now
2025-08-08 10:10:40 +02:00
Bill
6120a731d9
update nginx limit-req filter again ( #4048 )
...
amend to #4047 - removes unused ngx_limit_con_zones parameter.
2025-08-04 21:16:26 +02:00
Sergey G. Brester
e16e982a45
Merge pull request #4047 from billfor/nginx
...
Update nginx-limit-req filter (extended to ban hosts failed by limit connection in ngx_http_limit_conn_module);
closes gh-3674
2025-08-04 11:34:35 +02:00
Sergey G. Brester
e6516fd2b3
combine 2 REs to single regex
...
closes gh-3674
2025-08-04 11:24:51 +02:00
bill
0a91bf69a5
add filter for delayed requests and connection limiting
2025-08-04 00:27:45 -04:00
sebres
d86a7aecca
amend to #3979 : removed mistaken double pipes in group matches
2025-07-31 17:38:28 +02:00
sebres
ff3eca1d61
* Merge pull request #3527 from vafgoettlich/master
...
(partial merge, only postfix-backend)
2025-07-24 11:17:05 +02:00
sebres
0b255a8723
Merge pull request #3527 from vafgoettlich/master
...
(partial merge, only postfix-backend)
2025-07-24 11:14:03 +02:00
Sergey G. Brester
6d3bfa8781
revert RE back, but relive the end-anchor a bit (ignore any text without single quote, so also preventing false match by injection on foreign data)
2025-07-20 15:04:15 +02:00
177ac
e97df4672a
filter.d/asterisk: fix regex to match "No matching endpoint found" with retry info
2025-07-20 18:05:35 +09:00
sebres
b710d5b6c7
`filter.d/sendmail-reject.conf` - also recognize "Domain of sender address ... does not resolve";
...
closes gh-4035
2025-07-13 01:03:53 +02:00
Sergey G. Brester
8a4f373617
integrate new RE in already existing (combine new and old format)
2025-06-15 18:07:43 +02:00
Nic Boet
04ff4c060c
Dovecot 2.4 filter support
...
Dovecot 2.4 release is a major upgrade
Logger event structure has changed, all messages are now
prefixed with:
"Login aborted: " <reason> "auth failed"
Maintain 2.3 support as many folks have yet to migrate,
community edition is still receiving critical security patches
Dovecot 2.4.1
Python 3.12.10
Signed-off-by: Nic Boet <nic@boet.cc>
2025-06-13 16:44:57 -05:00
pzl
a5d7127109
construct smtp.py email wrap long lines
...
RFC 5322 2.1.1 requires <=998 chars per line.
If matches are included, and are very long lines,
the email will be rejected. Constructing the mail
as a message instead of a subpart (mimetext) fixes this
2025-05-20 14:55:03 -04:00
Sergey G. Brester
f7aaaf50b8
`filter.d/exim.conf`: colon must be outside of F-RCPT group
2025-04-27 23:00:09 +02:00
Sergey G. Brester
52d239483d
typo
2025-04-16 17:18:36 +02:00
sebres
cbe14c70c5
iptables.conf rewritten to affect all derivative actions (multiple chains are also supported by `iptables-ipset` etc);
...
iptables-xt_recent-echo.conf adjusted to be compatible to new syntax of inherited iptables.conf;
test coverage fixed to new handling
2025-04-16 16:56:46 +02:00
Arnaud
37f72f88ef
Reverting chains to chain in order to preserve backward compatibility
...
backing to the option named "chain", using "iteredchain" a new variable to iterate over.
2025-04-16 16:06:29 +02:00
Arnaud
139151ec81
Update iptables.conf - allow bans to be effective on multiple chains at the same time
...
This patch allows the ban to be applied on the INPUT and the FORWARD chain at the time. May be useful at least on routing devices and on docker hosting machines.
2025-04-16 16:06:28 +02:00
sebres
c76e90fbb1
* Merge pull request #3940 from exim-pr-mode-more
...
`filter.d/exim.conf` - fewer REs by default, introduces mode `more`
2025-04-02 15:11:38 +02:00
Sergey G. Brester
6104444bb4
improve regex (anchored from left, no catch-alls, `<ADDR>` for IP, etc)
2025-04-01 17:28:58 +02:00
Rajib Sharia
cf9135983c
Update jail.conf
...
Added jail for vaultwarden
2025-04-01 20:40:15 +08:00
Rajib Sharia
c7f7bc55bb
Create vaultwarden.conf
...
Filter for unsuccessful Vaultwarden authentication attempts
2025-04-01 20:36:53 +08:00
sebres
ee421dfbd6
`filter.d/apache-noscript.conf` - consider new log-format with "AH02811: stderr from /...";
...
closes gh-3900
2025-03-28 22:52:51 +01:00
sebres
8ae6eaf39a
`filter.d/postfix.conf` - default `_daemon` in prefix-line is loosened - can match everything starting with word postfix, like `postfix-example.com/smtpd`;
...
closes gh-3297
2025-03-10 22:35:26 +01:00
Sergey G. Brester
c035428535
Merge pull request #3954 from luckylittle/feature/systemd-journal-vsftpd
...
`filter.d/vsftpd.conf` - fixed regex (if failures generated by systemd-journal)
2025-03-04 14:20:01 +01:00
sebres
94fe9cf4a8
more fixes, capture user names, more tests...
...
since line 7 matches successfully now (it was disabled in gh-358 because of obsolete format), it is marked as match:true (line can be removed later if unneeded)
2025-03-04 14:13:07 +01:00
sebres
1e06ab68b4
fixed filter (new regex is unneeded), tests format of failures produced by system journal
2025-03-04 13:47:59 +01:00
Sergey G. Brester
13a74feaad
2nd RE unneeded, fix single RE - bypass everything before open parenthesis
2025-03-04 13:02:50 +01:00
Lucian Maly
6e3bfd800c
Added author
2025-03-04 12:26:14 +11:00
Lucian Maly
9d7646e6c0
Added author
2025-03-04 12:25:27 +11:00
Lucian Maly
fd1d0d25a8
Added regex for systemd-journal matches of lighttpd-auth
2025-03-04 12:20:24 +11:00
Lucian Maly
65d473fc8e
Added regex for systemd-journal matches of vsftpd
2025-03-04 11:43:38 +11:00
Sergey G. Brester
c9b5e845ba
`action.d/cloudflare-token.conf`: fixes `actionunban` retrieving of CF-ID from IP:
...
force adding parameters to URL as query string (add `-G` to curl);
closes gh-3952
2025-03-01 20:19:35 +01:00
Sergey G. Brester
e5199aee92
action.d/ufw.conf: update comment:
...
fix syntax in example, because `dst` as command parameter doesn't have precedence over or-expression, so second `sport` would ignore `dst` and kill any connection for https regardless the IP
2025-03-01 00:23:55 +01:00
Sergey G. Brester
c88967df2d
`filter.d/exim.conf` - introduces mode `more` (several rules moved from mode `normal` to `more`), because:
...
- they have basically nothing to do with authentication;
- they can cause false positives (e.g. someone sends several mails from google mailing server to wrong recipients and if they would cause "rejected RCPT - Unknown user", the google host gets banned);
- to avoid occasional ban of legitimate servers one'd need to create large white-list for `ignoreip` or construct complex `ignorecommands` to exclude all legitimate servers of big players (like google, microsoft, GMX, etc);
2025-02-13 21:30:04 +01:00
sebres
882e6d5e00
`filter.d/exim.conf` - mode `aggressive` extended to catch dropped by ACL failures, e.g. "ACL: Country is banned"
2025-02-10 17:30:07 +01:00
Sergey G. Brester
6fb3532c45
Merge pull request #3931 from brianjmurrell/patch-2
...
`from '[^']*'` is not always present …
2025-01-30 14:06:00 +01:00
sebres
b55c20594e
`paths-common.conf`: changed default `mysql_log` path (default `logpath` of `mysqld-auth` jail without maintainer overrides); adjusted comments (`log_error_verbosity = 3` instead of `log-warnings = 2`)
...
closes gh-3932
2025-01-30 14:00:43 +01:00
Brian J. Murrell
b8ab346257
Merge branch 'fail2ban:master' into patch-2
2025-01-29 19:36:54 -05:00
sebres
d2c60a168f
combine several regexes to single RE
2025-01-30 01:13:49 +01:00
sebres
e1fc569291
normalize jail (defaults, etc); added missing tests for all REs; common prefix for failregex, no catch-alls, etc
2025-01-30 01:13:48 +01:00
Philipp Burndorfer
88385eb6c1
New openvpn jail.
2025-01-30 01:13:46 +01:00
sebres
155a0855f2
silence codespell
2025-01-29 21:59:35 +01:00
Brian J. Murrell
325613a8f8
from '[^']*' is not always present …
...
In the message from asterisk.
Signed-off-by: Brian J. Murrell <brian@interlinx.bc.ca>
2025-01-28 13:09:29 -05:00