Commit Graph

4575 Commits (1ca3df877b726444e93d95234f4771a002de4d71)

Author SHA1 Message Date
sebres aa92b68d4a filter.d/postfix.conf: normalized several postfix-filters using parameter `mode` (as discussed in gh-1813);
introduced parameter `mode`: more (default, combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
replacement for gh-1239, gh-1697, gh-1764; closes gh-1245, gh-1297.
2017-07-10 20:49:28 +02:00
sebres 36d42d7f0b SampleRegexsFactory: introduce opportunity to supply multiple options combinations (check lines using filters with several options), see for example filter sshd.conf 2017-07-10 19:57:02 +02:00
sebres d32a3913cf postfix postscreen (resp. other RBL's compatibility fix) / gh-1764 2017-07-10 15:38:24 +02:00
Serg G. Brester 57ea38c342 Update paths-debian.conf
Fixed mail.log path since in the default rsyslog configuration of debians the `mail.warn` is commented now (see `/etc/rsyslog.d/50-default.conf`: `#mail.warn -/var/log/mail.warn`).
Closes gh-1687
2017-07-05 19:57:30 +02:00
sebres 546cd55342 Merge branch 'master' into 0.10 2017-07-03 13:02:25 +02:00
Serg G. Brester d05d9f4c28 Merge pull request #1816 from sebres/fix-gh-1302
filter.d/asterisk.conf - fixed failregex AMI Asterisk authentification failed
2017-07-03 12:59:46 +02:00
sebres a1d0633e69 filter.d/asterisk.conf - fixed failregex AMI Asterisk authentification failed (see gh-1302):
- optional space between NOTICE and pid;
- optional part "Host " before IP-address;
2017-07-03 12:57:28 +02:00
sebres 33fcf8d809 Merge branch 'master' into 0.10 2017-07-03 12:43:48 +02:00
sebres 9f55ed86df fixed testCymruInfoNxdomain (since cymru does not provide ASN mapping info for "10.0.0.0" anymore) 2017-07-03 12:41:54 +02:00
Serg G. Brester 1307e0a5b9 Merge pull request #1760 from szepeviktor/patch-12
Courier may complain about the method only
2017-07-03 12:00:36 +02:00
Serg G. Brester 205edff65d Merge pull request #1690 from chtheis/master
#1689: Make lowest rule number in action.d/bsd-ipfw.conf configurable
2017-07-01 17:16:50 +02:00
Serg G. Brester f27e053592 Update bsd-ipfw.conf
increased starting rule number (lowest_rule_num = 111)
2017-07-01 17:10:53 +02:00
Serg G. Brester 001c0898d6 Merge branch 'master' into master 2017-06-30 18:07:38 +02:00
Serg G. Brester 6110ba9cc3 filter.d/proftpd.conf: added option `journalmatch` for systemd backend (closes gh-1613) 2017-06-30 18:00:01 +02:00
sebres 5974b0fb35 amend to merge PR gh-1783: restores lost entry `journalmatch` for `filter.d/roundcube-auth.conf` 2017-06-26 11:32:34 +02:00
sebres 37ca4f17c2 filter.d/roundcube-auth.conf: added missing entry `journalmatch` from original gh-1783. 2017-06-26 11:24:10 +02:00
Serg G. Brester 986dd3107d Merge branch '0.10' into patch-12 2017-06-19 18:37:28 +02:00
Serg G. Brester f3ba66d1c6 Merge pull request #1783 from weberhofer/0.10
filter.d/roundcube-auth.conf: Fixed failregex when logging errors to journal instead to a local file.
Additionally fixes more complex injections on username.
2017-06-19 18:34:08 +02:00
sebres 9b0f39a17d ChangeLog updated 2017-06-19 18:12:37 +02:00
sebres d3ae70beb6 filter.d/roundcube-auth.conf: Use the same filter-file and jail also when logging errors to journal instead to a local file.
Additionally fixes more complex injections on username.
2017-06-19 18:12:13 +02:00
Johannes Weberhofer 691c080dc7 Added roundcube authentication filter, new jail and log-examples 2017-06-19 16:52:42 +02:00
Serg G. Brester 3294840c2a Merge pull request #1801 from jeaye/postfix-updates
filter.d/postfix.conf: update to the latest postfix logging format
2017-06-19 16:44:37 +02:00
Serg G. Brester efeca8fdeb postfix.conf: removes unneeded end-anchoring like `.*$`, etc.
also removes several dynamic content at end, which are of no avail there.
Additionally normalizes optional part (mail-ID) after reason number.
2017-06-19 16:25:46 +02:00
sebres d2c39d2e45 Merge branch '0.10' into 0.10-full
# Conflicts:
#	fail2ban/server/database.py - resolved and test-case with persistent ban-time fixed/extended (bantime presents in database)
2017-06-16 09:35:27 +02:00
Serg G. Brester bb283776d7 Merge pull request #1807 from sebres/fix-gh-1806
bug-fix: restoring of tickets from database for jails with persistent ban
2017-06-15 18:42:39 +02:00
sebres fd32e908e3 fixes restoring of tickets from database for jails with persistent ban (if `bantime = -1`) 2017-06-15 18:28:37 +02:00
sebres dcdf677438 Merge remote-tracking branch 'master' into 0.10 2017-06-15 11:49:51 +02:00
Serg G. Brester d54c40bba5 Merge pull request #1805 from sebres/fix-gh-1790
filter.d/apache-overflows.conf: rewritten without end-anchor ($)...
2017-06-15 11:48:45 +02:00
sebres e1234a5249 ChangeLog update 2017-06-15 11:47:16 +02:00
sebres 2b358bc1a4 filter.d/apache-overflows.conf: rewritten without end-anchor ($), because apache-log could contain very long URLs (and/or referrer), the parsing of it anchored way may be very vulnerable (at least as regards the system resources, see gh-1790). 2017-06-15 11:16:19 +02:00
jeaye 6f3d425c4d
Update postfix filters and tests 2017-06-12 18:56:19 -07:00
sebres bbea73d79d Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2017-06-12 13:11:45 +02:00
Serg G. Brester 1e5e0722f3 Merge pull request #1792 from gracinet/1773_logtimezone
New logtimezone jail option, zone abbreviations, new date-pattern tokens %Exz, %ExZ
2017-06-12 12:32:44 +02:00
Serg G. Brester 23c2d05250 Update changelog (new enhancements from gh-1792) 2017-06-09 20:51:28 +02:00
Georges Racinet 12259bb3c7 man and ChangeLog for logtimezone 2017-06-09 20:39:03 +02:00
sebres 030f89bf7a Implemented zone abbreviations (DST, etc.) and abbr+-offset functionality (accept zones like 'CET+0100'), for the list of abbreviations see strptime.TZ_STR;
Tokens `%z` and `%Z` are more precise now;
Introduced new tokens `%Exz` and `%ExZ` that fully support zone abbreviations and/or offset-based zones;

# TODO: because python currently does not support mixing of case-sensitive with case-insensitive matching,
#       check how TZ (in uppercase) can be combined with %a/%b etc. (that are currently case-insensitive),
#       to avoid invalid date-time recognition in strings like '11-Aug-2013 03:36:11.372 error ...'
#       with wrong TZ "error", which is at least not backwards compatible.
#       Hence %z currently match literal Z|UTC|GMT only (and offset-based), and %Exz - all zone abbreviations.
2017-06-09 20:29:34 +02:00
sebres 39c4acf6bd small amend white-spaces (no functional changes) + a bit optimized `zone2offset` 2017-06-09 15:52:14 +02:00
sebres 9f41d1e381 Normalize zone2offset (usable within reGroupDictStrptime), tests simplified and extended with more cases (covers precedence of input-zone over default, etc.) 2017-06-09 14:55:44 +02:00
sebres 8cb4ae0242 Code review and small optimizations, prepared to provide offset-based time zones for date-detectors (parsing of input-string) 2017-06-09 13:55:30 +02:00
Serg G. Brester d56554ecf3 Merge pull request #1688 from felixonmars/arch-config
Add a path configuration for Arch Linux
2017-06-06 10:55:13 +02:00
Serg G. Brester 5482e0bbe7 Merge pull request #1794 from szepeviktor/patch-15
fixed grep pattern: escape dot-char in search-IP and more restrictive boundaries (IPv6-capability)
2017-05-31 19:05:43 +02:00
Serg G. Brester 08591a52a4 Merge pull request #1796 from peternowee/fix-dovecot-empty-user
dovecot: revert `<[^>]+>` back to `<[^>]*>` - allows empty user again [mistakenly changed in 5678d08]
2017-05-31 19:03:34 +02:00
Peter Nowee b93e47b12f
dovecot: Match also when user field is empty
Commit 5678d08 of 2016-11-26 changed:

    ( user=<\S*>,)?

to:

    ( user=<[^>]+>,)?

The change from `*` (zero or more times) to `+` (one or more times) may
not have been intended. It will miss lines containing, for example:

    Aborted login (tried to use disallowed plaintext auth): user=<>

This commit reverts the `+` back to `*`.
2017-05-31 15:54:30 +02:00
Serg G. Brester 5214c1c5d1 Update changelog (gh-1455) 2017-05-30 20:31:48 +02:00
Marcel Bischoff 228d25c548 Update Kerio Connect filter (#1455)
* Update Kerio Connect filter

Fixed regex for some log entries that did not get recognized and some additional error formats are added.

* Add missing colon, GitHub address

* Add filter tests

* Add missing test
2017-05-30 20:27:44 +02:00
Serg G. Brester 80cc47b75f Update helpers-common.conf
fixed grep pattern: escape dot-char in search-IP and more restrictive boundaries (IPv6-capable)
2017-05-30 09:14:43 +02:00
Viktor Szépe 5bb6be0163 IPv6 address may overlap 2017-05-30 02:05:38 +02:00
Georges Racinet e8f2173904 New logtimezone jail option
This new option allows to force the time zone on log lines
that don't bear a time zone indication (GitHub issue #1773), so it behaves
actually with respect to log line contents as a default time zone.

For the time being, only fixed offset timezones (UTC or UTC[+-]hhmm) are
supported, but the implementation is designed to later on treat the case
of logical timezones with DST, e.g., Europe/Paris etc.

In particular, the timezone name gets passed all the way to the strptime
module, and the resulting offset is computed for the given log line, even
though for now, it doesn't actually depend on it.

Also, the DateTemplate subclass gets to choose whether to use it or not.
For instance, it doesn't make sense to apply a time zone offset to
Unix timestamps.

The drawback is to introduce an API change for DateTemplate. I hope it's
internal enough for that not being a problem.
2017-05-23 17:39:37 +02:00
sebres 2b08847f3a Reintegrate 'master' into 0.10 (merge point) + small code review 2017-05-19 16:32:13 +02:00
sebres c7ddf1f940 [systemd-backend] implicit closing journal descriptor by stop filter.
Partially cherry-picked from 0.10 (d153555a07)
2017-05-19 15:36:06 +02:00