Daniel Black
061a26c408
TST: fix space in sshd sample log
2013-11-11 08:28:09 +11:00
Daniel Black
d955714d26
TST: test case that shows injection
2013-11-11 08:11:32 +11:00
Yaroslav Halchenko
ea8fce6308
Merge pull request #426 from yarikoptic/bf/openssh6.3-regex-injection
...
openssh 6.3 regex injection vectors: inject into ruser and/or exploiting pre-specified limits set for user provided data
2013-11-08 14:35:18 -08:00
Yaroslav Halchenko
750e0c1e3d
BF: disallow exploiting of non-greedy .* in previous fix by providing too long rhost -- do not impose length limits for user-provided input
...
since daemon might eventually change reported length and we would need to adjust anyways. So limiting
in length does not provide additional security but allows for a possible injection vector
2013-11-08 10:10:33 -08:00
Yaroslav Halchenko
abb012ae5c
BF: fixing injection for OpenSSH 6.3 -- making .* before <HOST> non-greedy
2013-11-08 10:00:37 -08:00
Daniel Black
a148d35d70
ENH: add filter.d/nginx-http-auth. Partially fulfills #405
2013-11-08 10:06:40 +11:00
Daniel Black
0730db9b2b
Merge pull request #416 from grooverdan/debian-bug-665925-wuftpd-pam
...
BF: wuftpd pam filter fix (Debian bug 665925)
2013-11-05 18:39:01 -08:00
Daniel Black
e55b24c533
BF: fix dovecot filter for newer failure message. Closes Debian bug #709324
2013-11-06 12:51:21 +11:00
Daniel Black
8b54523316
BF: fix to filter.d/wuftp to support pam authentication - Debian bug #665925
2013-11-06 12:13:37 +11:00
Daniel Black
95f3f38682
MRG: merge ChangeLog and jail.conf
2013-10-30 20:19:41 +11:00
Daniel Black
e3150044fd
BF: fix selinux
...
TST: ignore *common.conf files in test cases as these are included
BF: Remove USER_LOGIN from selinux-ssh as it's a duplicate message
ENH: add sample jail.conf
2013-10-30 20:05:49 +11:00
Daniel Black
0f85aef609
Merge pull request #407 from grooverdan/dovecot-jail
...
ENH: Dovecot jail
2013-10-29 15:15:19 -07:00
Daniel Black
7596b96d4f
TST: fix date in test comparison for dovecot
2013-10-30 09:05:09 +11:00
Daniel Black
cde389cadc
ENH: additional tweak to dovecot regex based on http://chrisgilligan.com/portfolio/fail2ban-regex/
2013-10-29 10:15:54 +11:00
Daniel Black
d451c2a231
FIX: vsftp improvements from Rich Mellor on mailing list
2013-10-26 09:51:25 +11:00
Daniel Black
b61fe0f12d
Merge pull request #378 from grooverdan/sasl
...
ENH: filter.d/postfix-sasl - anchor regex at start and rename from filter.d/sasl
2013-10-22 04:51:24 -07:00
Daniel Black
92f9e049ee
TST: rename test log file to match
2013-10-22 22:44:49 +11:00
Daniel Black
445c6e6009
Merge pull request #392 from grooverdan/config_order
...
ENH: order config as jail.conf, jail.d/*.conf, jail.local, jail.d/*.local
2013-10-14 04:25:05 -07:00
Daniel Black
e417a2112c
Merge pull request #386 from grooverdan/qmail
...
ENH: filter.d/qmail - anchor at start. Add another regex
2013-10-14 04:24:32 -07:00
Daniel Black
e227568c3b
Merge pull request #384 from grooverdan/dovecot-325
...
ENH: added to dovecot filter. closes gh-325
2013-10-14 04:23:03 -07:00
Daniel Black
d6d51e352c
ENH: order config as jail.conf, jail.d/*.conf, jail.local, jail.d/*.local. closes gh-388
2013-10-11 00:06:13 +11:00
Daniel Black
351eb5ec8f
ENH: filter.d/qmail - anchor at start. Add another regex for http://www.tjsi.com/rblsmtpd/faq/ patch to rblsmtpd
2013-10-09 16:44:48 +11:00
Daniel Black
2d1bd54439
Merge pull request #379 from grooverdan/webmin
...
ENH: filter.d/webmin anchor at start and use syslog
2013-10-08 20:13:14 -07:00
Daniel Black
d60f470096
ENH: added to dovecot filter. closes gh-325
2013-10-09 10:09:06 +11:00
Daniel Black
bc10c90ffe
ENH: filter.d/vsftpd - disable regex for Pam pre 0.99.2.0
2013-10-05 20:02:30 +10:00
Daniel Black
b64bf3fa7b
ENH: filter.d/webmin anchor at start and use syslog
2013-10-05 19:18:44 +10:00
Daniel Black
caf284d518
DOC: ChangeLog deconflict
2013-10-02 09:11:15 +10:00
Daniel Black
23dd734aa9
Merge pull request #366 from grooverdan/dovecot
...
ENH: dovecot regex to match failure reported by Bob Cohen on mailing lis...
2013-10-01 15:50:39 -07:00
Daniel Black
f998e01590
Merge pull request #359 from grooverdan/pureftpd
...
ENH: Pureftpd syslog prefixing and filter anchoring
2013-10-01 15:14:33 -07:00
Daniel Black
ba8183b116
Merge pull request #372 from grooverdan/uw-imap
...
ENH: filter.d/uwimap-auth added. Closes #18
2013-10-01 15:13:11 -07:00
Daniel Black
262616f7a7
ENH: filter.d/uwimap-auth - failure of an admin override to regex
2013-10-01 22:32:57 +10:00
Daniel Black
9211179d30
ENH: filter.d/uwimap-auth - add "disabled" to regex
2013-10-01 22:10:33 +10:00
Daniel Black
4649cf9608
ENH: separate selinux and selinux-ssh
2013-10-01 20:21:45 +10:00
Daniel Black
cbdf4ceedd
TST: test cases for uw-imapd thanks to Internet
2013-10-01 10:21:11 +10:00
Yaroslav Halchenko
fab3772a60
TST: explicitly test date patterns being anchored or not
2013-09-30 20:15:24 -04:00
Daniel Black
a1eaa5f755
ENH: filter.d/selinxu added. Closes #296
2013-10-01 09:59:15 +10:00
Yaroslav Halchenko
c35d2844bd
Merge pull request #371 from grooverdan/ssh-6.3
...
BF: fix regex for openssh-6.3
2013-09-30 16:32:14 -07:00
Yaroslav Halchenko
c7728331c7
Merge pull request #369 from yarikoptic/master
...
Dealing with dangling symlinks -- avoid adding those files to server for monitoring
2013-09-30 16:28:54 -07:00
Steven Hiscocks
a8f2448349
ENH: Allow SE Linux epoch date detection
2013-09-30 20:58:24 +01:00
Daniel Black
b3b62d65bf
ENH: filter.d/uwimap-auth added. Closes #18
2013-09-29 18:06:27 +10:00
Daniel Black
1eeb6e94bd
BF: fix regex for openssh-6.3
2013-09-29 17:28:33 +10:00
Daniel Black
8a458b45bc
TST: dummyjail in own class
2013-09-29 15:57:03 +10:00
Daniel Black
86d3ee5373
TST: py2.5 compatibility - no with
2013-09-29 15:46:15 +10:00
Daniel Black
723ea964a7
TST: failmanager get/sets on FailTotal and MaxTime
2013-09-29 15:12:44 +10:00
Daniel Black
bcc16789d0
TST: test elements of DateTemplate base class
2013-09-29 15:02:38 +10:00
Daniel Black
b576c4718d
TST: add test cases for Actions
2013-09-29 14:52:59 +10:00
Daniel Black
891b436874
TST: more complete Action testing
2013-09-29 14:17:31 +10:00
Yaroslav Halchenko
dcaacad7e3
BF: do not pass dangling symlinks to the server to be monitored
...
This is more of a workaround I guess than a "solution". Ideally server
should be more clever and allow adding symlinks which eventually might
point to existing file. But that probably would be too much complication
for a rare use case. User on the mailing list informed that then server
does not monitor even other files, thus as a quick workaround -- do not even add dangling links
2013-09-28 22:16:34 -04:00
Yaroslav Halchenko
cf76019cca
TST: that we do receive IOError if trying to feed broken symlink into path to be monitored by server
2013-09-28 21:59:11 -04:00
Daniel Black
4b5ecbccd1
ENH: debuggex URLs with fail2ban-regex
2013-09-22 13:20:17 +10:00
Daniel Black
8c2a5612ed
DOC: resolve ChangeLog conflicts
2013-09-19 19:38:28 +10:00
Daniel Black
3be7dcd701
DOC: resolve ChangeLog conflicts
2013-09-19 19:23:02 +10:00
Daniel Black
89e0520675
ENH: dovecot regex to match failure reported by Bob Cohen on mailing list
2013-09-19 08:25:50 +10:00
Daniel Black
9ce1e33313
TST: pureftpd - everything I've seen suggests that pureftpd only does syslog - even back to 2004. Not sure how this second example came into existence
2013-09-17 22:24:28 +10:00
Daniel Black
ad5fb81f4b
TST: failJSON set match to false on no longer supported pam version
2013-09-17 21:18:24 +10:00
Daniel Black
bec723b21d
TST: failJSON date fix
2013-09-17 10:51:48 +10:00
Daniel Black
7e756dfada
TST: correct failJSON for www3.google.com -> www.google.com changes. Disable test case for pre-0.99.2.0 version of linux-pam failure messages
2013-09-17 10:48:09 +10:00
Daniel Black
8f41422262
TST: domains need to exist for fail2ban-regex to work
2013-09-17 10:09:19 +10:00
Daniel Black
ee497ff1cb
ENH: filter mysqld-auth can be a is a syslog based service so anchor it using syslog prefix
2013-09-17 07:57:19 +10:00
Daniel Black
504111b0b1
ENH: filter.d/recidive - anchor regex at start and support f2b SYSLOG target
2013-09-16 01:22:42 +10:00
Yaroslav Halchenko
f1adf75b59
ENH: basic testing for iso8601 code which had no explicit tests + spit out ValueError for incorrect type of input and ParseError otherwise
2013-09-12 23:12:18 -04:00
Daniel Black
317e82e144
TST: one more exim test case
2013-09-02 17:10:49 +10:00
Yaroslav Halchenko
cd100ce274
Merge pull request #342 from grooverdan/datedetector_test
...
TST: improve datedetector error reporting
2013-08-31 06:53:59 -07:00
Daniel Black
6b0e2289d4
Merge pull request #335 from grooverdan/gh-333-bind
...
ENH: filter.d/named-refused.conf - BIND 9.9.3 regex changes. Closes gh-333
2013-08-30 21:34:22 -07:00
Daniel Black
2acaef9d89
TST: more detail in assertion
2013-08-29 09:17:13 +10:00
Daniel Black
f2a60daea1
TST/BF: assertIsNotNone replaced with assertNotEqual for python 2.4 compatibility
2013-08-28 12:55:21 +10:00
Daniel Black
13b4f176ab
TST: improve datedetector error reporting
2013-08-28 12:41:20 +10:00
Daniel Black
cbed57bffd
TST: fix year in named-bind test case
2013-08-28 08:52:56 +10:00
Daniel Black
a401d11644
ENH: add regex for bad zone transfer request/ TST: add test for bind-9.9 zone transfer denied
2013-08-28 00:53:08 +10:00
Yaroslav Halchenko
265a85ec1f
RF: do not catch for now "invalid nonce \S* received - hash is not \S*" -- imho needs more analysis
2013-08-26 09:48:56 -04:00
François Boulogne
e133b9f1d1
MAINT: add support for lightty1.4.31
2013-08-25 21:29:43 +02:00
Daniel Black
ca4729e943
ENH: filter.d/exim.conf - add authentication failures for "plain" authentication
2013-08-25 23:02:10 +10:00
Daniel Black
ef903db3c9
ENH: filter.d/named-refused.conf - BIND 9.9.3 regex changes. Closes gh-333
2013-08-25 22:44:30 +10:00
Daniel Black
cfb7dba268
DOC: merge ChangeLog
2013-08-25 21:26:13 +10:00
Daniel Black
b589533d69
Merge branch 'master' into kwirk-merge
...
Conflicts:
ChangeLog
testcases/files/logs/dropbear
2013-08-25 21:21:14 +10:00
Daniel Black
62c13c15d6
TST: reorder and condense error message for Multiple regexs matched
2013-08-25 21:02:30 +10:00
Daniel Black
9a1df3501b
TST: display details of duplicate matches
2013-08-25 20:19:42 +10:00
Daniel Black
cb61fcd326
TST: standardise output format on Time mismatch test
2013-08-25 18:11:54 +10:00
Daniel Black
8e467437b2
TST: fix year on asctime
2013-08-25 18:09:39 +10:00
Yaroslav Halchenko
c84a2e595a
ENH(BF): put 'standard' template after more detailed ones with day of week and year
...
otherwise years present in the freshly contributed by Dan apache regexes do not match
although should have. I had also to adjust failing now vsftpd test
2013-08-25 17:52:12 +10:00
Daniel Black
21914d155e
TST: add failJSON data
2013-08-25 17:49:09 +10:00
Daniel Black
1d9702be32
TST: datetime mismatch to show error line
2013-08-25 17:34:36 +10:00
Daniel Black
0204cec5ce
TST: www.example.com DNS changed
2013-08-25 17:06:10 +10:00
Daniel Black
a9eb8a76c6
merge of change log and apache-auth differences
2013-08-25 16:51:35 +10:00
Steven Hiscocks
53d8a46e8a
Merge pull request #7 from grooverdan/gh-303-merge
...
Gh 303 merge
2013-08-21 12:20:48 -07:00
Daniel Black
ed42b08789
TST: merge dropbear log samples
2013-08-19 21:25:33 +10:00
Daniel Black
61d43608ae
ENH: filter.d/postfix - add filter for VRFY. Closes gh-322
2013-08-19 18:42:39 +10:00
Daniel Black
4f39d2b1fd
TST: fix failJson year
2013-08-18 23:04:53 +10:00
Daniel Black
444e989dd5
TST: another zone transfer refused example for file named-refused
2013-08-18 22:49:59 +10:00
Daniel Black
5d451bc4d6
ENH: add refused zone transfer to named-refused filter. closes #323
2013-08-18 22:19:31 +10:00
Yaroslav Halchenko
2aa8ddea4d
BF: fixed up conditioning of tests under cygwin (still 3 fail)
2013-08-08 22:58:06 -04:00
Yaroslav Halchenko
511e0ace2e
TST: Even more of conditioning of tests for cygwin
2013-08-08 22:35:07 -04:00
Yaroslav Halchenko
e4dad8dfc9
TST: SYSLOG present only on Linuxes thus do not test if not Linux
2013-08-08 22:00:17 -04:00
Yaroslav Halchenko
e7d5e466b9
Merge branch 'enh/asterisk_and_dropbear_filters'
...
* enh/asterisk_and_dropbear_filters:
ENH: hardened added dropbear failregex to avoid trailing .* and enclose username in ''
minor: consistent indentation in dropbear.conf
https://github.com/fail2ban/fail2ban/issues/306
fail2ban-users: Sebastian Arcus - Detect device auth failures on Asterisk 11
2013-08-08 09:59:24 -04:00
Yaroslav Halchenko
547c123cfb
BF: example.com is pointing to another IP now. Closes #313
...
This is a permanent change according to private correspondence with
David Closson @ IANN, thus replaced 192.0.43.10 with updated IP
93.184.216.119, while leaving 192.0.43.10 as is in the sample log
files (it is still within IANN dedicated testing network).
2013-08-07 22:56:57 -04:00
Daniel Black
c0a2e50559
TST: apache auth - opaque value
2013-08-06 17:13:09 +10:00
Daniel Black
7b2773889d
TST: apache-auth filter - nonce timetravel tests + other expression fixes
2013-07-29 02:29:04 +10:00
Daniel Black
52aaa1c9bb
TST: bad include of vim swap files
2013-07-28 22:01:51 +10:00
Daniel Black
0fb04cb2f0
ENH: filter enhancements on mod-digest (with test cases) for apache-auth (httpd-2.4.4)
2013-07-28 22:00:55 +10:00
Steven Hiscocks
1e270078b4
TST: Warn if date templates overlap in default detectors
2013-07-27 20:21:05 +01:00
Jamyn Shanley
a355fab91b
https://github.com/fail2ban/fail2ban/issues/306
...
Fix regex for latest dropbear (keep backwards compatibility). Add test case logfiles.
Signed-off-by: Jamyn Shanley <jshanley@gmail.com>
2013-07-27 03:43:32 +00:00
Jamyn Shanley
8936f2cd02
fail2ban-users: Sebastian Arcus - Detect device auth failures on Asterisk 11
2013-07-27 00:06:06 +00:00
Steven Hiscocks
bf021ebd97
TST: Mandate that all filters and each regex has sample log entry
2013-07-26 17:05:17 +01:00
Steven Hiscocks
1c7d28d1ea
TST: Add qmail sample log
2013-07-26 17:03:14 +01:00
Steven Hiscocks
5437f5fe90
TST: Add gssftpd sample log
2013-07-26 17:02:53 +01:00
Steven Hiscocks
f7d8e68738
TST: Add apache-badbots sample log
2013-07-26 12:32:29 +01:00
Yaroslav Halchenko
1721991755
Merge pull request #304 from yarikoptic/master
...
RF(ENH): JailsReader.getOptions -- avoid code duplication when asking for 1 jail or all
upon @kwirk blessing ;)
2013-07-25 18:45:10 -07:00
Yaroslav Halchenko
3b52eca608
ENH+TST: Ticket -- drop unused/bogus get|setFile + enh __str__ + basic testing
2013-07-22 12:09:33 -04:00
Yaroslav Halchenko
149a83545f
TST: basic test for reading of a bogus jail
2013-07-22 11:52:51 -04:00
Steven Hiscocks
37f240bef0
TST: Add sample log for php-url-fopen filter
2013-07-21 22:13:37 +01:00
Steven Hiscocks
cf1e5bdbc2
ENH: Tweak proftpd regex and add sample logs
...
Needed to add optional ":" post __pid_re, and for consistency, decided
to make use of __prefix_line instead which includes this.
2013-07-21 22:03:49 +01:00
Steven Hiscocks
e59a4960a3
TST: Add additional sample log line for apache-noscript
2013-07-21 16:48:12 +01:00
Steven Hiscocks
8b9bafda79
ENH: Change lighttpd-fastcgi to suhosin, and improve regex and samples
...
suhosin is hardened php implementation, which will log the alerts (as
seen in samples) to stderr, which is picked up by fastcgi webserver
(e.g. lighttpd, apache, nginx)
2013-07-21 16:35:37 +01:00
Steven Hiscocks
4033857f63
ENH: Improve xinetd-fail regex and add sample logs
2013-07-21 15:44:09 +01:00
Steven Hiscocks
b5ffbced37
TST: Sample test cases now handle ignoreregex and add recidive samples
2013-07-21 15:31:32 +01:00
Steven Hiscocks
e7b7815de3
TST: Add additional sshd sample logs
2013-07-21 15:22:44 +01:00
Steven Hiscocks
a11f91b835
ENH: Improve cyrus-imap regex and add extra sample line
2013-07-20 17:28:28 +01:00
Steven Hiscocks
534be189dc
ENH: Improve sieve regex and add sample line
2013-07-20 17:26:09 +01:00
Steven Hiscocks
d791ba12ba
TST: Add sample log for dropbear filter
2013-07-20 16:54:28 +01:00
Steven Hiscocks
ab671b0b1a
ENH: Improve wuftpd failregex, drop duplicate pam regex and add sample
...
For wu-ftpd configured to use pam, the pam filter used be used, as regex
is more robust.
2013-07-20 16:34:24 +01:00
Steven Hiscocks
57a6c11260
ENH: Improve courierlogin regex and add sample logs
2013-07-20 15:53:18 +01:00
Steven Hiscocks
bd175f0267
ENH: Improve cyrus-imap regex and add sample log file
2013-07-20 15:38:29 +01:00
Steven Hiscocks
83a80a29ea
ENH: Improve couriersmtp and add sample logs
2013-07-20 15:34:00 +01:00
Steven Hiscocks
eb2f0c9272
ENH: Improve postfix regex and add more samples
2013-07-20 15:31:21 +01:00
Daniel Black
5cfe108186
ENH: filter enhancements (with test cases) for apache-auth (httpd-2.4.4)
2013-07-20 22:21:08 +10:00
Daniel Black
bdcde678d1
TST: fix year
2013-07-20 15:15:02 +10:00
Daniel Black
fcf79b475f
ENH: new filter perdition.conf
2013-07-19 20:14:53 +10:00
Steven Hiscocks
a012b54117
TST: Add additional postfix filter sample
2013-07-18 22:17:31 +01:00
Steven Hiscocks
2a3a627322
TST: Add sample for sieve regex
2013-07-18 22:17:14 +01:00
Daniel Black
fa85be2eea
DOC/TST: fix configuration path for apache-auth test cases
2013-07-18 08:37:05 +10:00
Daniel Black
8ce9c78474
TST: apache-auth digest logs
2013-07-18 00:36:17 +10:00
Daniel Black
4eca2c0bd5
TST: apache-auth client denied by server configuration
2013-07-17 23:24:19 +10:00
Daniel Black
e0292913eb
ENH/TST: filter, testcase and log entry for apache-auth authorization scheme mod_authz_owner
2013-07-17 23:05:04 +10:00
Daniel Black
40cc336cd5
TST: testcases and logs for apache-auth basic
2013-07-17 22:46:04 +10:00
Steven Hiscocks
bf05f2ac95
Merge branch 'filter-failregex-return'
...
Conflicts:
server/filter.py
2013-07-16 21:17:18 +01:00
Yaroslav Halchenko
f6a8a04cf3
ENH: roundcube-auth - adopt for current format with trailing error message. thanks @kwirk for the review/feedback
...
I also used non-greedy .*? for the login portion since not sure if space could
be there and trying to minimize possibility of reacting on injected "from
<HOST>" somewhere within the trailing .*
2013-07-16 15:07:32 -04:00
Yaroslav Halchenko
0a02cfe9e8
ENH: <HOST> must end with alphanumeric \w (not a dot or a dash etc)
...
Otherwise <HOST> regexp might swallow period in the sentence right after the address.
I have decided to enforce alphanumeric instead of switching to non-greedy +? ... because
I think it is closer to what we actually want here
2013-07-16 15:03:06 -04:00
Steven Hiscocks
1a2b6442a0
ENH+BF+TST: Filter now returns reference to failregex and ignoreregex
...
This avoids duplication of code across fail2ban-regex and samples test
cases. This also now more neatly resolves the issue of double counting
date templates matches in fail2ban-regex.
In addition, the samples test cases now also print a warning message
that not all regexs have samples for them, with future plan to change
this to an assertion.
2013-07-15 22:22:13 +01:00
Steven Hiscocks
4855cae487
Merge branch 'sample-log-meta-data'
...
Conflicts:
testcases/files/logs/dovecot
2013-07-14 18:29:36 +01:00
Steven Hiscocks
1116f23151
TST: Sample log regex test now warns if no log for a filter
...
Also checks that at least some tests are present
2013-07-14 18:19:16 +01:00
Steven Hiscocks
728399c39e
Merge pull request #281 from kwirk/dovecot-filter
...
ENH: dovecot filter additions for session, time value and blank user
2013-07-14 05:18:04 -07:00
Steven Hiscocks
94376bfbe1
TST: Handle lack of `json` library in python2.5 for samples test case
2013-07-14 11:15:45 +01:00
Steven Hiscocks
40f67c64b8
TST: Test sample logs' entries are matched by filter regexs
2013-07-13 23:03:01 +01:00
Daniel Black
1bb427cc14
TST: remove dup test log entry
2013-07-12 09:09:24 +10:00
Daniel Black
6ce41a611d
BF: fix filter on apache-auth. Closes #286
2013-07-11 22:13:51 +10:00
Daniel Black
5412d7336f
DOC: ChangeLog conflict
2013-07-09 08:23:44 +10:00
Yaroslav Halchenko
5f04b4954f
Merge pull request #280 from yarikoptic/master
...
BF+ENHs: polling backend tracks ino and size now in addition to mtime, filters do not read file unless it has content + few other minor issues
2013-07-07 08:33:55 -07:00
Daniel Black
619603fe05
BF: match asterisk InvalidPassword correctly
2013-07-07 17:48:20 +10:00
Steven Hiscocks
bfa2b9dec3
ENH: dovecot filter additions for session, time value and blank user
2013-07-05 18:36:02 +01:00
Yaroslav Halchenko
47ac39fb34
TST: minor enhancement to test failure msg
2013-07-02 23:37:41 -04:00