github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity
1,876 Commits
34 Branches
229 Tags
22 MiB
Commit Graph

210 Commits (08b4f3e5f262acb39bca783efdb67a50ae6c30f5)

Author SHA1 Message Date
Daniel Black 353b84a648 Merge branch 'patch-4' of https://github.com/truxoft/fail2ban into exim-auth 2014-01-13 19:25:46 +11:00
Ivo Truxa 9f107403e8 Update exim 
When using Dovecot authentication for Exim, which is relatively common, the current regex for catching authentication failures needs a small tweak. The current plain|login options are too limiting and will only work in the cases when only the Exim's rudimentary built-in authentication is used. There can be not only the dovecot_login shown in this log example, but also dovecot_plain, ntlm, cram, cyrus, md5, and plenty of others. In fact many admins may opt for their own authentication labels, when setting up Exim. For this reason the regex should catch any label. I suggest modifying the regex in the following way:

<pre>^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$</pre>
 2014-01-13 01:18:09 +01:00
Tomas Pihl b52a4441fd Support ACL-events without AccountID. Typically happens when a registration 
from an unknown domain is performed.

Add credits
 2014-01-12 01:28:55 +01:00
Steven Hiscocks 128112d51c ENH: ejabberd filter 2014-01-09 22:47:17 +00:00
Daniel Black 50eab4df81 ENH: add filter groupoffice. Closes gh-566 2014-01-06 21:56:22 +11:00
Daniel Black a8e0498389 BF: add expression for ssh filter for code 3: SSH2_DISCONNECT_KEY_EXCHANGE_FAILED. closes gh-289 2014-01-05 21:26:26 +11:00
Daniel Black 23f0b854da MRG: merge in freeswitch 2014-01-04 12:24:40 +11:00
Daniel Black 69b3a1cf64 BF: catchin DEBUG messages will result in duplicates 2014-01-04 12:10:51 +11:00
Daniel Black 36533de6bc ENH: more filter expressions for freeswitch. Anchored existing one at end too 2014-01-04 08:21:22 +11:00
Daniel Black 04d28fd2e1 ENH: add filter freeswitch - as raised on mailing list 2014-01-03 13:00:37 +11:00
Daniel Black 83f3aeb308 ENH: filter for horde 2014-01-02 23:12:36 +11:00
Daniel Black e2faa312c1 TST: test case for horde 2014-01-02 23:11:39 +11:00
Daniel Black 856407379b ENH: add filter openwebmail. Closes gh-543. 2013-12-31 08:09:00 +11:00
Daniel Black 3d79e1612b MRG: test cases on exim-spam 2013-12-29 21:38:00 +00:00
Ivo Truxa d2658e063c Update exim-spam 
An example with no valid FROM email address and host without reverse DNS record
 2013-12-29 22:33:08 +01:00
Ivo Truxa bb88cfaddb Update exim-spam 
attached sample Exim log line to demonstrate a silently tossed message as described at https://github.com/fail2ban/fail2ban/issues/533
 2013-12-29 18:53:04 +01:00
Daniel Black 6666f41ee6 ENH: apache modsecurity filter 2013-12-29 06:59:47 +00:00
Daniel Black 1b7df1181f BF: apache-2.4 log format fix. Closes gh-516 2013-12-23 08:28:40 +00:00
Yaroslav Halchenko 7af58b9984 Merge branch 'apache-noscripts' of https://github.com/grooverdan/fail2ban 
* 'apache-noscripts' of https://github.com/grooverdan/fail2ban:
  ENH: apache-noscript now matched php-cgi scripts. Closes gh-503

Conflicts:
	ChangeLog -- two new entries collided,  Reformatted the merged one a bit
 2013-12-22 22:28:57 -05:00
Daniel Black a9b7d33c51 ENH: apache-noscript now matched php-cgi scripts. Closes gh-503 2013-12-19 10:01:24 +00:00
Steven Hiscocks d22716ab63 ENH: Add nsd filter and amend DateEpoch to match date format 2013-12-18 22:31:54 +00:00
Daniel Black 66374913ec ENH: add squid filter 2013-12-10 21:24:37 +11:00
Yaroslav Halchenko a26d4f42b7 ENH: added optional [PID] matching in recidive.conf 2013-11-24 10:21:02 -05:00
Daniel Black 24c143b411 Merge pull request #445 from grooverdan/suhosin 
TST: more test cases for suhosin
 2013-11-19 15:23:59 -08:00
Daniel Black 015b403df0 TST: more test cases for suhosin 2013-11-20 10:01:06 +11:00
Yaroslav Halchenko 629e9ae445 Merge pull request #443 from grooverdan/apache-authfix 
BF: apache filters using error log weren't matched when referer existed ...
 2013-11-18 15:53:39 -08:00
Daniel Black 284f811c91 BF: apache filters using error log weren't matched when referer existed in HTTP header 2013-11-19 10:27:55 +11:00
Yaroslav Halchenko 491165c929 Merge pull request #438 from grooverdan/solid-pop3d 
ENH: filter for Solid-pop3d
 2013-11-17 17:34:46 -08:00
Daniel Black 1ea68b2d0c DOC: filter.d/solid-pop3d - document lack of PAM support. Thanks to Jacques for the log messages 2013-11-18 09:44:26 +11:00
Daniel Black 0eea0a35db ENH: filter.d/solid-pop3d - added log messages and regexes 2013-11-18 08:58:23 +11:00
Yaroslav Halchenko d4f6ca4f85 ENH: adding custom date format for proftpd when logging in its own log file (default on Debian) -- includes milliseconds 
Should resolve Debian #648276
 2013-11-16 22:15:58 -05:00
Daniel Black 88eff70774 ENH: filter.d/solid-pop3d added 2013-11-16 09:43:15 +11:00
Daniel Black 286d78e13c Merge pull request #430 from grooverdan/apache-overflows 
ENH: Apache overflows - httpd-2.4 message IDs + samples
 2013-11-12 12:46:52 -08:00
Daniel Black 947c6ff9cc Merge pull request #433 from grooverdan/asterisk 
BF/ENH: asterisk connection ID is a hex not decimal number. Add "Rejecting unknown SIP connection from " regex thanks to Jonathan Lanning
 2013-11-12 12:45:52 -08:00
Daniel Black be60518218 BF/ENH: DoS resistant roundcube-auth with test cases and more variation in IMAP error given 2013-11-12 18:57:01 +11:00
Daniel Black eb9663eb4f BF/ENH: asterisk connection ID is a hex not decimal number. Add "Rejecting unknown SIP connection from <HOST>" regex thanks to Jonathan Lanning 2013-11-12 09:22:41 +11:00
Daniel Black c81ed53805 TST: change source URL 2013-11-11 10:40:12 +11:00
Daniel Black a4718eb644 ENH: apache-overflow filter to have HTTP-2.4 message IDs and test samples 2013-11-11 10:38:02 +11:00
Daniel Black 87516eb92b ENH: apache-overflows - more detail on "request failed: URI too long (longer than %d)" with test case 2013-11-11 09:46:40 +11:00
Daniel Black d90130234d TST: end of json in sshd sample log 2013-11-11 08:29:54 +11:00
Daniel Black 061a26c408 TST: fix space in sshd sample log 2013-11-11 08:28:09 +11:00
Daniel Black d955714d26 TST: test case that shows injection 2013-11-11 08:11:32 +11:00
Yaroslav Halchenko ea8fce6308 Merge pull request #426 from yarikoptic/bf/openssh6.3-regex-injection 
openssh 6.3 regex injection vectors:  inject into ruser and/or exploiting pre-specified limits set for user provided data
 2013-11-08 14:35:18 -08:00
Yaroslav Halchenko 750e0c1e3d BF: disallow exploiting of non-greedy .* in previous fix by providing too long rhost -- do not impose length limits for user-provided input 
since daemon might eventually change reported length and we would need to adjust anyways.  So limiting
in length does not provide additional security but allows for a possible injection vector
 2013-11-08 10:10:33 -08:00
Yaroslav Halchenko abb012ae5c BF: fixing injection for OpenSSH 6.3 -- making .* before <HOST> non-greedy 2013-11-08 10:00:37 -08:00
Daniel Black a148d35d70 ENH: add filter.d/nginx-http-auth. Partially forfills #405 2013-11-08 10:06:40 +11:00
Daniel Black 0730db9b2b Merge pull request #416 from grooverdan/debian-bug-665925-wuftpd-pam 
BF:  wuftpd pam filter fix (Debian bug 665925)
 2013-11-05 18:39:01 -08:00
Daniel Black e55b24c533 BF: fix dovecot filter for newer failure message. Closes Debian bug #709324 2013-11-06 12:51:21 +11:00
Daniel Black 8b54523316 BF: fix to filter.d/wuftp to support pam authentication - Debian bug #665925 2013-11-06 12:13:37 +11:00
Daniel Black 95f3f38682 MRG: merge ChangeLog and jail.conf 2013-10-30 20:19:41 +11:00