Commit Graph

4961 Commits (1707560df8033341e4fb8a2e79db3ea684b42386)

Author SHA1 Message Date
sebres 8ea00c1d5d fixed mistake in config (semicolon after space as comment in configs?) and coverage, suppress errors by unsupported flush, better space handling in helper _nft_get_handle_id, etc 2019-09-25 13:47:29 +02:00
sebres 492205d30e action.d/nftables.conf: implemented `actionflush` (allows flushing nftables sets resp. fast unban of all jail tickets at all) 2019-09-24 20:00:29 +02:00
sebres abc4d9fe37 allow using multiple protocols in multiport (single set with multiple rules in chain):
`banaction = nftables[type=multiport]` with `protocol="tcp,udp,sctp"` in jail replaces 3 separate actions.
more robust when deleting multiple references to set (rules in chain)
2019-09-24 19:44:59 +02:00
sebres c753ffb11d combine nftables actions to single action:
- nftables-common is removed
- nftables-allports is obsolete, replaced by nftables[type=allports]
- nftables-multiport is obsolete, replaced by nftables[type=multiport]
2019-09-24 18:53:38 +02:00
sebres c59d49da22 nftables-allports: support multiple protocols in single rule;
tests/servertestcase.py: added coverage for nftables actions
2019-09-24 18:46:41 +02:00
Ririsoft dde51b4682 fix actionban/unban ip definition syntax 2019-09-24 13:01:14 +02:00
Monson Shao 1cda50ce05 Rewrite nftables variables based on nftables' logic.
Add an example for redirecting.
2019-09-24 13:01:13 +02:00
sebres 82ddaa5771 fix order of jail options in stream:
* be sure usedns is before all regex(s) in stream (this option is also allowed in the config of filter now)
* logpath after all log-related data (backend, date-pattern, etc)
2019-09-11 19:38:42 +02:00
sebres 7b3ee3dadc allow setting all standard options of filter (like prefregex, journalmatch, etc) directly in jail (without filter or supplying parameters to filter);
normalize stream generation of filter-related parameters across FilterReader and JailReader (uses stream generator of filter now);
test cases extended (testOverrideFilterOptInJail) to cover this possibility.
2019-09-11 16:14:46 +02:00
sebres a36b70c7b5 filter.d/znc-adminlog.conf: support logging format of systemd-journal, bypass port after address (optional, removed end-anchor, see gh-2520) 2019-09-10 21:02:26 +02:00
sebres fbd4bfc595 extend murmur test cases to cover systemd journal log-format (gh-2520, note we don't use any time-stamp as systemd-backend does not expect it) 2019-09-10 19:46:44 +02:00
sebres e547927075 tests: extend server test cases for some stock jails (e. g. check issue with sendmail filters gh-2493 + covering `maxmatches` / `dbmaxmatches` in server tests) 2019-08-22 21:29:46 +02:00
sebres 65da15327e curtail some bothering continuously repeatable debug messages of filters (backend-related) to level 4 (below extra heavy-debug, so simplifying debugging and testing with level 5) 2019-08-22 21:17:45 +02:00
sebres 16b3993be6 actions: improve conditional execution of some operations, also allow to start action on demand (by first ban if `actionstart_on_demand` enabled) for non-conditional actions (backwards compatible, so actionstart_on_demand is on per default only for the actions having family-conditional sections);
small bug fixing (stop/flush/restore env etc) and code simplification.
2019-08-22 21:05:38 +02:00
sebres 39d9133baa amend to 7520d250b0 (#2444): don't use default flags (SYSTEM) if journalfiles are specified (similar journalflags set to 0);
fix failure of testJournalFilesArg and cover both cases now.
2019-07-29 14:23:53 +02:00
sebres 19052d9789 * Merge pull request #2406 from JoeHorn/0.11
support bind-9.11.0 log format
2019-07-29 13:23:25 +02:00
sebres 91923b5c07 don't need to match identifier exactly (@ is precise enough as prefix), not capturing group;
`prefregex` extended, more selective now (denied/NOTAUTH suffix moved from `failregex`, so no catch-all there anymore);
update ChangeLog
2019-07-29 13:21:00 +02:00
Sergey G. Brester 5a3859c163 Update named-refused 2019-07-29 13:06:51 +02:00
Joe Horn 4395469226 Update named-refused.conf
Log format changed since ver. 9.11.0
Ref. ftp://ftp.isc.org/isc/bind9/9.11.0/RELEASE-NOTES-bind-9.11.0.html
"The logging format used for querylog has been altered. It now includes an additional field indicating the address in memory of the client object processing the query."
2019-07-29 13:06:49 +02:00
Sergey G. Brester a395361de8 Merge pull request #2467 from sebres/logtype-option-rfc5424
New option `logtype` value - `rfc5424`
2019-07-24 00:02:04 +02:00
Sergey G. Brester 70280bfa12 Update ChangeLog 2019-07-24 00:00:24 +02:00
Sergey G. Brester d3b5befe44 update changelog (#2404) 2019-07-22 12:50:48 +02:00
Sergey G. Brester 0dfd4f1f41 Merge pull request #2404 from benrubson/badprotocol
filter.d/sshd.conf: matches "Bad protocol version identification" in ddos and aggressive modes.
2019-07-22 12:47:39 +02:00
Sergey G. Brester eb308d0fc8 add test for injection on version identification 2019-07-22 11:50:01 +02:00
Sergey G. Brester 119401fced Merge pull request #2452 from benrubson/badips
Badips key is only used to retrieve list
2019-07-20 12:08:22 +02:00
Ben RUBSON a98315386d Update zzz-sshd-obsolete-multiline.conf 2019-07-19 17:59:16 +02:00
Sergey G. Brester d5a5efcd5a amend to #2174 for fail2ban.service, fix legacy path, closes gh-2474 2019-07-17 13:38:42 +02:00
Sergey G. Brester 7520d250b0 Merge pull request #2444 from sebres/gh-2392
systemd-backend: switched default flags to SYSTEM_ONLY(4)
2019-07-11 13:25:58 +02:00
sebres 5e980afbb8 filter.d/apache-noscript.conf: closes #2466 - matches "Primary script unknown" without "\n" (optional now) 2019-07-10 12:45:53 +02:00
sebres 62b1712d22 amend to #2387:
- common.conf: rewritten using section-based handling round about option logtype;
- option `logtype` extended with `rfc5424` to cover RFC 5424 log-format (see #2309);
2019-07-09 21:48:43 +02:00
sebres 595054639b tests/samplestestcase.py: fixes retrieving of microseconds by epoch (and comparison within tests factory) 2019-07-09 20:07:14 +02:00
Sergey G. Brester 5bc8d73220 test_badips.py: parameter `key` is removed in #2452 2019-06-26 20:52:37 +02:00
benrubson 8b171f7d25 Badips key is only used to retrieve list 2019-06-26 18:34:20 +02:00
sebres 4a2f4226b8 testIpToName: fixed for reverse IP of google dns (resolving another name now), more dynamic now 2019-06-26 17:28:09 +02:00
Sergey G. Brester 8a386103c1 Update ChangeLog 2019-06-25 15:49:07 +02:00
Sergey G. Brester 978c2fa8dd Merge pull request #2448 from sebres/norm-mail-actions
Normalization of mailing actions
2019-06-25 15:39:12 +02:00
sebres e751be2c13 normalize, simplify and fix several mail actions (mail and sendmail actions are more similar now, sendmail is configurable via parameter `mailcmd`, etc);
added test covering sendmail-whois-lines
2019-06-15 23:14:41 +02:00
sebres 3d04a99d25 fail2ban-regex: (verbose only) avoid errors by dump of real options (if filter doesn't have some optional parameter, like `datepattern`) 2019-06-15 22:08:31 +02:00
sebres 809e7c4e82 Merge pull request #2264 from girst/0.11 (rebased to 0.10) 2019-06-12 16:28:32 +02:00
girst a7dc3614c4 znc-adminlog: use `<ADDR>` instead of `<HOST>` 2019-06-12 16:26:34 +02:00
girst b288ccd6b6 new filter: znc-adminlog 2019-06-12 16:25:50 +02:00
sebres 326f5d4e3f Merge fix of gh-2390 2019-06-12 11:43:07 +02:00
sebres 4c81338944 update ChangeLog (gh-2390) 2019-06-12 11:28:19 +02:00
sebres 22b9304562 action.d/badips.py: fix start of banaction on demand (which may be IP-family related), supplied action info with ticket instead of simulating it with dict;
(closes gh-2390)
2019-06-12 11:23:52 +02:00
sebres 9e44c30659 systemd-backend: switched default flags to SYSTEM_ONLY(4), which avoids opening the user session files, so it can prevent "Too many open files" errors (like gh-2208) on a lot of user sessions;
(following Orion's proposal in gh-2392)
2019-06-12 00:42:01 +02:00
sebres 2725acb64b amend to 809acb69e5928c0e678ad25b43e53b567cb23a3b: extended to avoid the vice versa race (too many outdated tickets to unban) - max count of outdated tickets is restricted also. 2019-06-12 00:11:26 +02:00
sebres 3326ec95ce small amend (preparing to merge in 0.11): more precise test and avoid "expired bantime" (in 0.11) 2019-06-11 15:50:29 +02:00
sebres 93727abeb8 cherry-pick with_alt_time helper decorator from 0.11 2019-06-11 15:50:27 +02:00
sebres 809acb69e5 stability: avoid race condition - no unban if the bans occur continuously (e. g. banning action too slow, so new bans found each time during the default sleeptime);
now unban will happen not later than after 10 tickets get banned, regardless of whether there are still active bans available (precedence of ban is 10 now);
closes gh-2410
2019-06-11 14:37:10 +02:00
sebres e5ae113215 filter.d/postfix.conf: extended with new postfix filter mode `errors` to match "too many errors" (gh-2439),
also included within modes `normal`, `more` (`extra` and `aggressive`), since postfix
parameter `smtpd_hard_error_limit` is default 20 (additionally consider `maxretry`)
2019-06-07 16:14:02 +02:00