fail2ban

Commit Graph

Author	SHA1	Message	Date
Yaroslav Halchenko	976a65bb89	Merge branch 'bsd_logs' of https://github.com/grooverdan/fail2ban * 'bsd_logs' of https://github.com/grooverdan/fail2ban: ENH: separate out regex and escape a . BF: missed MANIFEST include DOC: credits for bsd log DOC: bsd syslog files thanks to Nick Hilliard BF: change common.conf to handle formats of syslog -v and syslog -vv in BSD Conflicts: config/filter.d/common.conf	12 years ago
Daniel Black	de56347619	ENH: separate out regex and escape a .	12 years ago
Yaroslav Halchenko	e7cb0f8b8c	ENH: filter.d/sshd.conf -- allow for trailing "via IP" in logs	12 years ago
Yaroslav Halchenko	2143cdff39	Merge: opensolaris docs/fixes, no 'sed -i' in hostsdeny, sshd regex tuneups Origin: from https://github.com/jamesstout/fail2ban * 'OpenSolaris' of https://github.com/jamesstout/fail2ban: ENH: Removed unused log line BF: fail2ban.local needs section headers ENH: Use .local config files for logtarget and jail ENH+TST: ssh failure messages for OpenSolaris and OS X ENH: fail message matching for OpenSolaris and OS X ENH: extra daemon info regex ENH: actionunban back to a sed command Readme for config on Solaris create socket/pid dir if needed Extra patterns for Solaris change sed to perl for Solaris Conflicts: config/filter.d/sshd.conf	12 years ago
Yaroslav Halchenko	822a01018f	Merge pull request #205 from grooverdan/bsd_ssh BSD ssh improvements (casing, msg)	12 years ago
Daniel Black	40c56b10a0	EHN: enhance sshd filter for bsd.	12 years ago
Daniel Black	b3bd877d23	BF: change common.conf to handle formats of syslog -v and syslog -vv in BSD	12 years ago
Daniel Black	495f2dd877	DOC: purge of svn tags	12 years ago
Enrico Labedzki	36b0d78ff8	tight control of the filter for ASSP	12 years ago
Enrico Labedzki	24a8d07c20	added new date format support for ASSP SMTP Proxy	12 years ago
jamesstout	3367dbd987	ENH: fail message matching for OpenSolaris and OS X - OpenSolaris keyboard message matched by new regex 3 - Removed Bye Bye regex per https://github.com/fail2ban/fail2ban/issues/175#issuecomment-16538036 - PAM auth failure or error and first char case-insensitive, can also have chars after the hostname. e.g. Apr 29 16:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.101 via 192.168.1.201	12 years ago
jamesstout	d2a9537568	ENH: extra daemon info regex for matching log lines like: Mar 29 05:20:09 dusky sshd[19558]: [ID 800047 auth.info] Failed keyboard-interactive for james from 205.186.180.30 port 54520 ssh2 this matches [ID 800047 auth.info]	12 years ago
Daniel Black	0ac8746d05	ENH: Account for views in named filter. By Romain Riviere in gentoo bug #259458	12 years ago
jamesstout	10fcfb925d	Extra patterns for Solaris	12 years ago
Daniel Black	41b9f7b6ac	BF: filter.d/sshd "Did not receive identification string" relates to an exploit so document this in sshd-ddos.conf but leave it out of authentication based blocks in sshd.conf	12 years ago
Daniel Black	32d10e904a	ENH: more openssh fail messages from openssh source code (CVS 20121205)	12 years ago
Yaroslav Halchenko	99a5d78e37	ENH: for consistency (and future expansion ;)) -- rename to mysqld-auth	12 years ago
Yaroslav Halchenko	ffaa9697ee	Adjusting previous PR (MySQL logs) according to my comments	12 years ago
Yaroslav Halchenko	3e6be243bf	Merge branch 'Support_for_mysql_log_example' of https://github.com/arto-p/fail2ban * 'Support_for_mysql_log_example' of https://github.com/arto-p/fail2ban: Added testcase for MySQL date format to testcases/datedetectortestcase.py and example of MySQL log file. Added support for MySQL logfiles Conflicts: testcases/datedetectortestcase.py -- conflictde with other added test cases	12 years ago
Yaroslav Halchenko	72b06479a5	ENH: Slight tune ups for fresh SOGo filter + comment into the sample log file	12 years ago
Yaroslav Halchenko	105306e1a8	Merge remote-tracking branch 'pr/117/head' -- SOGo filters * pr/117/head: An example of failed logins against sogo Update sogo-auth.conf Update config/filter.d/sogo-auth.conf Create sogo-auth.conf Update config/jail.conf	12 years ago
Yaroslav Halchenko	91d5736c12	ENH: postfix filter -- react also on (450 4.7.1) with empty from/to. fixes #126	12 years ago
ArndRa	bba3fd8568	Update sogo-auth.conf included hint by user yarikoptic	12 years ago
Artur Penttinen	29d0df58be	Added support for MySQL logfiles	12 years ago
Pascal Borreli	a2b29b4875	Fixed typos	12 years ago
ArndRa	6cd358ee95	Update config/filter.d/sogo-auth.conf Comment line in the top altered to fit file name. My local file was named differently...	12 years ago
ArndRa	35bf84abad	Create sogo-auth.conf Regexp works with SOGo 2.0.5 or newer, following new feature implemented here: http://www.sogo.nu/bugs/view.php?id=2229	12 years ago
Yaroslav Halchenko	5f2d3832f7	NF: roundcube-auth filter (to close Debian #699442 , needing debian/jail.conf section)	12 years ago
Orion Poplawski	bb7628591c	Update config/filter.d/sshd.conf Do not trigger sshd bans on pam_unix authentication failures, this will trigger on successful logins on systems that use non-pam_unix authentication (sssd, ldap, etc.).	12 years ago
Yaroslav Halchenko	9a39292813	ENH: Added login authenticator failed regexp for exim filter	12 years ago
pigsyn	f336d9f876	Update config/filter.d/webmin-auth.conf Added '\s*$' to the regular expression to match the space written by webmin logs at line-endings	12 years ago
pigsyn	dc67b24270	Update config/filter.d/webmin-auth.conf Added a trailing '.*$' to each regex so they can find expressions in targeted log files.	12 years ago
Yaroslav Halchenko	3969e3f77b	ENH: dovecot.conf - require space(s) before rip/rhost log entry	12 years ago
hamilton5	266cdc29a6	Update config/filter.d/dovecot.conf even tho not on the fail2ban site.. suggested to not be greedy by yarikoptic	12 years ago
hamilton5	e040c6d8a3	Update config/filter.d/dovecot.conf site actually needs updated because of <HOST> alias per Notes above.	12 years ago
hamilton5	7ede1e8518	Update config/filter.d/dovecot.conf added failregex line for debian and centos per http://www.fail2ban.org/wiki/index.php/Talk:Dovecot	12 years ago
Yaroslav Halchenko	fc27e00290	ENH: tune up sshd-ddos to use common.conf and allow training spaces	12 years ago
Yaroslav Halchenko	6ecf4fd80a	Merge pull request #64 from sourcejedi/remove_sshd_rdns Misconfigured DNS should not ban successful ssh logins Per our discussion indeed better (and still as "safe") to not punish users behind bad DNS	12 years ago
Yaroslav Halchenko	282724a7f9	ENH: join both failregex for lighttpd-auth into a single one they are close in meaning should provide a slight run-time performance benefit	12 years ago
François Boulogne	958a1b0a40	Lighttpd: support auth.backend = "htdigest"	12 years ago
Yaroslav Halchenko	2082fee7b1	ENH: match possibly present "pam_unix(sshd:auth):" portion for sshd (Closes: #648020 )	13 years ago
Yaroslav Halchenko	6ad55f64b3	ENH: add wu-ftpd failregex for use against syslog (Closes: #514239 )	13 years ago
Alan Jenkins	8c38907016	Misconfigured DNS should not ban successful ssh logins Noticed while looking at the source (to see the point of ssh-ddos). POSSIBLE BREAK-IN ATTEMPT - sounds scary? But keep reading the message. It's not a login failure. It's a warning about reverse-DNS. The login can still succeed, and if it _does_ fail, that will be logged as normal. <exhibit n="1"> Jul 9 05:43:00 brick sshd[18971]: Address 200.41.233.234 maps to host234.advance.com. ar, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT! Jul 9 05:43:00 brick sshd[18971]: Invalid user html from 200.41.233.234 </exhibit> The problem (in my mind) is that some users are stuck with bad dns. The warning won't stop them from logging in. I'm pretty sure they can't even see it. But when they exceed a threshold number of logins - which could be all successful logins - fail2ban will trigger. fail2ban shouldn't adding additional checks to successful logins - it goes against the name fail2ban :) - the first X "POSSIBLE BREAK-IN ATTEMPT"s would be permitted anyway - if you want to ban bad DNS, the right way is PARANOID in /etc/hosts.deny I've checked the source of OpenSSH, and this will only affect the reverse-DNS error. (I won't be offended if you want to check for yourself though ;) <exhibit n="2"> $ grep -r -h -C1 'ATTEMPT' openssh-5.5p1/ logit("reverse mapping checking getaddrinfo for %.700s " "[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop); return xstrdup(ntop); -- logit("Address %.100s maps to %.600s, but this does not " "map back to the address - POSSIBLE BREAK-IN ATTEMPT!", ntop, name); $ </exhibit>	13 years ago
Petr Voralek	4007751191	ENH: catch failed ssh logins due to being listed in DenyUsers. Close gh-47 (Closes: #669063 )	13 years ago
Yaroslav Halchenko	71a3fb17e2	Merge remote-tracking branch 'gh-magicrhesus/master' * gh-magicrhesus/master: Add the INCLUDE section to use __pid_re feature Disable asterisk jail by default Change jail for asterisk, add support for SIP and SIP-TLS on TCP and UDP ports Change NOTICE by NOTICE%(__pid_re)s Remove custom bantime Add sample log file for asterisk Add $ at the end of the failregex Add asterisk support Conflicts: config/jail.conf -- placed asterisk jails before recidive and added blank lines after the jail headers	13 years ago
Xavier Devlamynck	8c00ce0a65	Add the INCLUDE section to use __pid_re feature	13 years ago
Xavier Devlamynck	c679a1a588	Change NOTICE by NOTICE%(__pid_re)s	13 years ago
Xavier D	d98cdb25d6	Add $ at the end of the failregex	13 years ago
Yaroslav Halchenko	25f1e8d98c	BF: allow trailing whitespace in few missing it regexes for sshd.conf	13 years ago
Yaroslav Halchenko	1807be5a8c	ENH: moved jail definition for recidive into jail.conf + swapped/commented durations + non-groupping ?: thanks @cepheid666 for the useful comments	13 years ago

1 2 3

130 Commits (152c619dc401e29089b7a2220eff6240758f3eb3)