01e92ce4a6
added fallback using tr and sed (jq is optional now)
2020-04-27 19:26:46 +02:00
1c1b671c74
Update cloudflare.conf
2020-04-27 19:26:44 +02:00
5b8fc3b51a
cloudflare: fixes ip to id conversion by unban using jq
...
normalized URIs and parameters, notes gets a jail-name (should be possible to differentiate the same IP across several jails)
2020-04-27 19:26:43 +02:00
852670bc99
CloudFlare started to indent their API responses
...
We need to use https://github.com/stedolan/jq to parse it.
2020-04-27 19:26:39 +02:00
8b3b9addd1
Change tool from 'cut' to 'sed'
...
Sed regex was tested - it works.
2020-04-27 19:12:36 +02:00
5da2422f61
Fix actionunban
...
Add command to remove new line character. Needed for working removing rule from cloudflare firewall.
2020-04-27 19:12:35 +02:00
87a1a2f1a1
action.d/*-ipset*.conf: several ipset actions fixed (no timeout per default anymore), so no discrepancy between ipset and fail2ban (removal from ipset will be managed by fail2ban only)
2020-04-25 14:52:38 +02:00
6b90ca820f
filter.d/traefik-auth.conf: filter extended with parameter mode (`normal`, `ddos`, `aggressive`) to handle the match of username differently:
...
- `normal`: matches 401 with supplied username only
- `ddos`: matches 401 without supplied username only
- `aggressive`: matches 401 and any variant (with and without username)
closes gh-2693
2020-04-23 13:08:24 +02:00
affd9cef5f
filter.d/courier-smtp.conf: prefregex extended to consider port in log-message (closes gh-2697)
2020-04-21 13:32:17 +02:00
06b46e92eb
jail.conf: don't specify `action` directly in jails (use `action_` or `banaction` instead);
...
no mails-action added per default anymore (e. g. to allow that `action = %(action_mw)s` should be specified per jail or in default section in jail.local), closes gh-2357;
ensure we've unique action name per jail (also if parameter `actname` is not set but name deviates from standard name, gh-2686);
don't use %(banaction)s interpolation because it can be complex value (containing `[...]`), so would bother the action interpolation.
2020-04-15 19:00:49 +02:00
2912bc640b
New Gitlab jail
2020-04-09 16:42:08 +02:00
136781d627
filter.d/sshd.conf: fixed regex for mode `extra` - "No authentication methods available" (supported seems to be optional now, gh-2682)
2020-04-08 12:17:59 +02:00
38b32a9a72
Merge branch '0.10' into 0.11
2020-03-18 19:53:55 +01:00
22a04dae05
Merge branch '0.9' into 0.10 (gh-2246)
2020-03-18 16:11:53 +01:00
b1e1cab4b7
Merge pull request #2246 from shaneforsythe/shaneforsythe-patch-2
...
Improve regex in proftpd.conf
2020-03-18 15:49:18 +01:00
606bf110c9
filter.d/sshd.conf (mode `ddos`): fixed "connection reset" regex (seems to have same syntax now as closed), so both regex's combined now to single RE
...
(closes gh-2662)
2020-03-16 17:31:39 +01:00
32f02ef3b3
Merge branch '0.10' into 0.11
2020-03-05 14:01:14 +01:00
42714d0849
filter.d/common.conf: closes gh-2650, avoid substitute of default values in related `lt_*` section, `__prefix_line` should be interpolated in definition section (after the config considers all sections that can overwrite it);
...
amend to 62b1712d22#2387 , backend-related option `logtype`);
testSampleRegexsZZZ-GENERIC-EXAMPLE covering now negative case also (other daemon in prefix line)
2020-03-05 13:47:11 +01:00
e6ca04ca9d
Merge branch '0.10' into 0.11 + version bump (back to dev)
2020-02-25 16:10:31 +01:00
ab3a7fc6d2
filter.d/sshd.conf: mode `ddos` (and aggressive) extended to detect port scanner sending unexpected ident string after connect
2020-02-17 16:24:42 +01:00
7282cf91b0
Merge branch '0.10' into 0.11
2020-02-14 12:13:29 +01:00
9137c7bb23
filter processing:
...
- avoid duplicates in "matches" (previously always added matches of pending failures to every next real failure, or nofail-helper recognized IP, now first failure only);
- several optimizations of merge mechanism (multi-line parsing);
fail2ban-regex: better output handling, extended with tag substitution (ex.: `-o 'fail <ip>, user <F-USER>: <msg>'`); consider a string containing new-line as multi-line log-excerpt (not as a single log-line)
filter.d/sshd.conf: introduced parameter `publickey` (allowing change behavior of "Failed publickey" failures):
- `nofail` (default) - consider failed publickey (legitimate users) as no failure (helper to get IP and user-name only)
- `invalid` - consider failed publickey for invalid users only;
- `any` - consider failed publickey for valid users too;
- `ignore` - ignore "Failed publickey ..." failures (don't consider failed publickey at all)
tests/samplestestcase.py: SampleRegexsFactory gets new failJSON option `constraint` to allow ignore of some tests depending on filter name, options and test parameters
2020-02-13 12:28:07 +01:00
1492ab2247
improve processing of pending failures (lines without ID/IP) - fail2ban-regex would show those in matched lines now (as well as increase count of matched RE);
...
avoid overwrite of data with empty tags by ticket constructed from multi-line failures;
amend to d1b7e2b5fb2b389d04845369d7d29db65425dcf2: better output (as well as ignoring of pending lines) using `--out msg`;
filter.d/sshd.conf: don't forget mlf-cache on "disconnecting: too many authentication failures" - message does not have IP (must be followed by "closed [preauth]" to obtain host-IP).
2020-02-11 18:44:36 +01:00
774dda6105
filter.d/postfix.conf: extended mode ddos and aggressive covering multiple disconnects without auth
2020-02-10 13:29:16 +01:00
34d63fccfe
close gh-2629 - jail.conf (action_blocklist_de interpolation): replace service parameter (use jail name instead of filter, which can be empty)
2020-02-10 13:03:55 +01:00
a7c68ea19f
Merge branch '0.10' into 0.11
2020-01-28 21:47:55 +01:00
569dea2b19
filter.d/mysqld-auth.conf: capture user name in filter (can be more strict if user switched, used in action or fail2ban-regex output);
...
also add coverage for mariadb 10.4 log format (gh-2611)
2020-01-22 17:24:40 +01:00
70e47c9621
Merge branch '0.10' into 0.11
2020-01-14 11:44:35 +01:00
ec37b1942c
action.d/nginx-block-map.conf: fixed backslash substitution (different echo behavior in some shells, gh-2596)
2020-01-14 11:39:13 +01:00
4860d69909
Merge branch '0.10' into 0.11
2020-01-09 20:55:00 +01:00
f77398c49d
filter.d/sshd.conf: captures `Disconnected from ... [preauth]`, preauth phase only, different handling by `extra` (with supplied user only) and `ddos`/`aggressive` mode (`normal` mode is not affected, used there just as a helper with `<F-NOFAIL>` to capture IP for multiline failures without IP);
...
closes gh-2115, gh-2362.
2020-01-09 20:53:53 +01:00
587e4ff573
Merge branch '0.10' into 0.11
...
(conflicts resolved)
2020-01-08 21:27:23 +01:00
67fd75c88e
pass2allow-ftp: inverted handling - action should prohibit access per default for any IP, so reset start on demand parameter for this action (will be started immediately).
2020-01-06 21:13:40 +01:00
8f6ba15325
avoid unhandled exception during flush, better invariant check (and repair), avoid repair by unban/stop etc...
2019-12-27 21:30:41 +01:00
e763c657c4
Let's get back to WRN
2019-11-27 00:32:10 +01:00
d7b707b09d
Update bitwarden.conf
2019-11-27 00:09:22 +01:00
869327e9b1
Update bitwarden.conf
2019-11-25 22:17:58 +01:00
79caeaa520
Create bitwarden.conf
2019-11-25 22:05:29 +01:00
30e742a849
Update jail.conf
2019-11-25 21:57:41 +01:00
ef394b3cf0
Update jail.conf
2019-11-25 21:55:45 +01:00
24d1ea9aa2
Merge branch '0.10' into 0.11
2019-11-25 01:58:55 +01:00
e4c2f303bd
Merge pull request #2550 from CPbN/centreonjail
...
Add Centreon jail
2019-11-15 01:53:20 +01:00
0e8a8edb5e
filter.d/sendmail-*.conf: both filters have same `__prefix_line` now (and same RE for ID, 14-20 chars long, optional) + adjusted test cases (gh-2563)
2019-11-08 13:15:40 +01:00
548e2e0054
sendmail-auth.conf: filter updated for longer mail IDs (up to 20, see gh-2562)
2019-11-08 12:42:09 +01:00
5cf064a112
monit: accepting both logpath's: monit and monit.log, closes gh-2495
2019-11-04 12:18:12 +01:00
9e699646f8
Add Centreon jail
2019-10-24 14:37:18 +02:00
18ba714f97
Add Centreon jail
2019-10-23 09:14:26 +02:00
3515d06979
Merge branch '0.10' into 0.11
2019-10-18 19:19:21 +02:00
85ec605358
nftables: amend to gh-2254 - implemented shutdown of action (proper clean-up) - at stop it checks now the last set was deleted and removes table completely (if table does not contain any set);
...
this is avoided if some sets were added manually or can be avoided via overwriting of parameter `_nft_shutdown_table`, for example:
banaction = nftables[_nft_shutdown_table=''][...]
2019-10-18 19:01:16 +02:00
51af193402
nftables: add options allowing to specify own table (default `f2b-table`) and chain (default `f2b-chain`)
2019-10-18 18:54:02 +02:00
955d690e56
regrouping expressions with curly braces, added more escapes (better handling in posix shell)
2019-10-18 18:34:48 +02:00
0824ad0d73
Merge branch '0.10' into 0.11
2019-10-18 12:04:38 +02:00
54298fe761
Merge pull request #2254
...
Nftables: isolate fail2ban rules into a dedicated table and chain
2019-10-18 11:43:38 +02:00
d1a73d3004
filter.d/apache-auth.conf:
...
- ignore errors from mod_evasive in `normal` mode (mode-controlled now) (gh-2548);
- extended with option `mode` - `normal` (default) and `aggressive`
close gh-2548
2019-10-18 11:26:19 +02:00
8c6a547215
Merge branch '0.10' into 0.11
2019-10-11 03:01:46 +02:00
50595b70fd
filter.d/mysqld-auth.conf: ISO timestamp format (dual time) within log message
...
(https://serverfault.com/questions/982126/fail2ban-fails-to-recognize-ip )
2019-10-11 01:31:07 +02:00
9e28b6c65f
filter.d/asterisk.conf: relaxing protocol RE-part before IP in RemoteAddress (gh-2531)
2019-09-26 21:46:26 +02:00
8ea00c1d5d
fixed mistake in config (semicolon after space as comment in configs?) and coverage, suppress errors by unsupported flush, better space handling in helper _nft_get_handle_id, etc
2019-09-25 13:47:29 +02:00
492205d30e
action.d/nftables.conf: implemented `actionflush` (allows flushing nftables sets resp. fast unban of all jail tickets at all)
2019-09-24 20:00:29 +02:00
abc4d9fe37
allow to use multiple protocols in multiport (single set with multiple rules in chain):
...
`banaction = nftables[type=multiport]` with `protocol="tcp,udp,sctp"` in jail replace 3 separate actions.
more robust if deleting multiple references to set (rules in chain)
2019-09-24 19:44:59 +02:00
c753ffb11d
combine nftables actions to single action:
...
- nftables-common is removed
- nftables-allports is obsolete, replaced by nftables[type=allports]
- nftables-multiport is obsolete, replaced by nftables[type=multiport]
2019-09-24 18:53:38 +02:00
c59d49da22
nftables-allports: support multiple protocols in single rule;
...
tests/servertestcase.py: added coverage for nftables actions
2019-09-24 18:46:41 +02:00
dde51b4682
fix actionban/unban ip definition syntax
2019-09-24 13:01:14 +02:00
1cda50ce05
Rewrite nftables variables based on nftables' logic.
...
Add an example for redirecting.
2019-09-24 13:01:13 +02:00
990c410877
Merge branch '0.10' into 0.11
...
# Conflicts (resolved):
# fail2ban/client/jailreader.py
2019-09-11 16:18:09 +02:00
a36b70c7b5
filter.d/znc-adminlog.conf: support logging format of systemd-journal, bypass port after address (optional, removed end-anchor, see gh-2520)
2019-09-10 21:02:26 +02:00
1cdd618232
Merge branch '0.10' into 0.11
2019-07-29 13:26:37 +02:00
5d5253dd70
Merge branch '0.10' into 0.11
2019-07-29 13:25:49 +02:00
91923b5c07
don't need to match identifier exactly (@ is precise enough as prefix), not capturing group;
...
`prefregex` extended, more selective now (denied/NOTAUTH suffix moved from `failregex`, so no catch-all there anymore);
update ChangeLog
2019-07-29 13:21:00 +02:00
4395469226
Update named-refused.conf
...
Log format changed since ver. 9.11.0
Ref. ftp://ftp.isc.org/isc/bind9/9.11.0/RELEASE-NOTES-bind-9.11.0.html
"The logging format used for querylog has been altered. It now includes an additional field indicating the address in memory of the client object processing the query."
2019-07-29 13:06:49 +02:00
a395361de8
Merge pull request #2467 from sebres/logtype-option-rfc5424
...
New option `logtype` value - `rfc5424`
2019-07-24 00:02:04 +02:00
581f13c2db
Merge branch '0.10' into 0.11
2019-07-22 19:07:15 +02:00
0dfd4f1f41
Merge pull request #2404 from benrubson/badprotocol
...
filter.d/sshd.conf: matches "Bad protocol version identification" in ddos and aggressive modes.
2019-07-22 12:47:39 +02:00
119401fced
Merge pull request #2452 from benrubson/badips
...
Badips key is only used to retrieve list
2019-07-20 12:08:22 +02:00
af611db859
Merge branch '0.10' into 0.11
2019-07-10 12:47:03 +02:00
5e980afbb8
filter.d/apache-noscript.conf: closes #2466 - matches "Primary script unknown" without "\n" (optional now)
2019-07-10 12:45:53 +02:00
62b1712d22
amend to #2387 :
...
- common.conf: rewritten using section-based handling round about option logtype;
- option `logtype` extended with `rfc5424` to cover RFC 5424 log-format (see #2309 );
2019-07-09 21:48:43 +02:00
8b171f7d25
Badips key is only used to retrieve list
2019-06-26 18:34:20 +02:00
80f97eaf02
Merge branch '0.10' into 0.11
2019-06-26 17:29:08 +02:00
e751be2c13
normalize, simplify and fix several mail actions (mail and sendmail actions are more similar now, sendmail is configurable via parameter `mailcmd`, etc);
...
added test covering sendmail-whois-lines
2019-06-15 23:14:41 +02:00
5045c4bb00
Merge branch '0.10' into 0.11
2019-06-12 16:28:57 +02:00
a7dc3614c4
znc-adminlog: use `<ADDR>` instead of `<HOST>`
2019-06-12 16:26:34 +02:00
b288ccd6b6
new filter: znc-adminlog
2019-06-12 16:25:50 +02:00
2e7a600851
Merge branch '0.10' into 0.11
2019-06-12 11:44:05 +02:00
22b9304562
action.d/badips.py: fix start of banaction on demand (which may be IP-family related), supplied action info with ticket instead of simulating it with dict;
...
(closes gh-2390)
2019-06-12 11:23:52 +02:00
0ed3a63151
Merge branch '0.10' into 0.11
2019-06-07 16:29:38 +02:00
e5ae113215
filter.d/postfix.conf: extended with new postfix filter mode `errors` to match "too many errors" (gh-2439),
...
also included within modes `normal`, `more` (`extra` and `aggressive`), since postfix
parameter `smtpd_hard_error_limit` is default 20 (additionally consider `maxretry`)
2019-06-07 16:14:02 +02:00
3b2f75414c
filter.d/postfix.conf: extended regexp's to accept variable suffix code in status of postfix for precise messages (gh-2442)
2019-06-07 15:40:55 +02:00
3d4044084a
Merge branch '0.10' into 0.11
2019-06-07 14:48:10 +02:00
7dbd3a07eb
cut comment to limit documented on abuseipdb, additionally use curl in quiet mode
2019-06-07 14:39:55 +02:00
7b73cb7639
Switch to AbuseIPDB API v2
2019-06-07 14:39:52 +02:00
5137cd2ec8
Merge branch '0.10' into 0.11
2019-05-14 21:40:50 +02:00
49bf6132cc
amend for 3036ed18893b6aae6619e53201aa53deb701b94f: eliminate "invalid sequence" warnings
2019-05-14 21:40:33 +02:00
f69a8693fc
Merge branch '0.10' into 0.11
2019-05-14 20:19:29 +02:00
0426a24719
filter.d/postfix.conf: (closes gh-2426) filter extended to catch "5.1.1" (Recipient address rejected: User unknown in local recipient table) with RCPT (and some session-id instead of "NOQUEUE")
2019-05-14 15:27:20 +02:00
ca85ddc866
Merge branch '0.10' into 0.11
2019-05-10 16:23:50 +02:00
d8d71c5a22
action.d/helpers-common.conf: grep arguments are rewritten - using options `-wF` to match only whole words and fixed string (not as pattern)
2019-05-10 16:17:13 +02:00
fa727586ff
Fix grep pattern to deal with Apache's error log
...
Apache's error log appends the port to the IP address, other logs don't.
2019-05-10 16:04:27 +02:00
74eac6c94f
Merge branch '0.10' into 0.11
2019-05-02 15:28:44 +02:00
23d2281e57
action.d/nginx-block-map.conf: small fix with better RE-rule for removal of ID (token/session) via sed (anchored now)
2019-05-02 15:22:45 +02:00
Sergey G. Brester