Commit Graph

6101 Commits (1efac4810dd37432e24bc6ac99ab10a5fbb48c1f)

Author SHA1 Message Date
Binhao Qian 1efac4810d update jail.conf. 2025-04-17 03:42:28 +08:00
Binhao Qian 6da1248bce add filter to block unintended directory browsing 2025-04-17 03:36:59 +08:00
sebres c76e90fbb1 * Merge pull request #3940 from exim-pr-mode-more
`filter.d/exim.conf` - fewer REs by default, introduces mode `more`
2025-04-02 15:11:38 +02:00
Sergey G. Brester 6538d43a8e
Update ChangeLog 2025-04-02 14:57:03 +02:00
Sergey G. Brester bfd80ce522
Merge pull request #3979 from LearningSpot/vaultwarden
Added jail for Vaultwarden
2025-04-02 14:41:38 +02:00
Sergey G. Brester 70ce1cef08
Update ChangeLog 2025-04-02 14:40:04 +02:00
Sergey G. Brester 426eeca62a
fixed times in test-log (test suite working in TZ CET) 2025-04-02 13:52:58 +02:00
Sergey G. Brester 6104444bb4
improve regex (anchored from left, no catch-alls, `<ADDR>` for IP, etc) 2025-04-01 17:28:58 +02:00
Rajib Sharia cf9135983c
Update jail.conf
Added jail for vaultwarden
2025-04-01 20:40:15 +08:00
Rajib Sharia c7f7bc55bb
Create vaultwarden.conf
Filter for unsuccessful Vaultwarden authentication attempts
2025-04-01 20:36:53 +08:00
Rajib Sharia 6b57e46070
Create vaultwarden test log 2025-04-01 20:32:00 +08:00
sebres fc3e8a5d37 remove help command from protocol (the command was never supported);
closes gh-3241
2025-03-31 02:29:51 +02:00
sebres 1d6ff06856 amend to a0093b557e920d5635ee714b8ba87c4b588651fe: filter only readable journal files by retrieving non-rotated files (if user is not root) 2025-03-31 02:28:40 +02:00
sebres 767c89f863 satisfy spellcheck 2025-03-31 01:27:52 +02:00
sebres a0093b557e Merge branch 'systemd-review'
Large set of fixes and enhancements for `systemd` and `auto` backends:
* fixes `systemd` bug with missing journal descriptor after rotation by reopening of journal if it is recognized as not alive (gh-3929)
* improve threaded clean-up of all filters, new thread functions `afterStop` (to force clean-up after stop) and `done`, invoking `afterStop` once
* ensure journal-reader is always closed (additional prevention against leaks and "too many open files"), thereby avoid sporadic segfault in systemd module (see https://github.com/systemd/python-systemd/issues/143)
* fixes `systemd` causing "too many open files" error for a lot of journal files and large amount of systemd jails (see new parameter `rotated` below, gh-3391);
* backend `systemd` extended with new parameter `rotated` (default `false`, as prevention against "too many open files"),
  that allows to monitor only actual journals and ignore now a lot of rotated files by default; so can drastically reduce
  amount of used file descriptors, normally to 1 or 2 descriptors per jail (gh-3391)
* implements automatic switch `backend = auto` to backend `systemd`, when the following is true (RFE gh-3768):
  - no files matching `logpath` found for this jail;
  - no `systemd_if_nologs = false` is specified for the jail (`true` by default);
  - option `journalmatch` is set for the jail or its filter (otherwise it'd be too heavy to allow all auto-jails,
    even if they have never been foreseen for journal monitoring);
  (option `skip_if_nologs` will be ignored if we could switch backend to `systemd`)
2025-03-31 01:18:53 +02:00
sebres d5718503ad update changelog and documentation (new features and handling) 2025-03-31 01:13:02 +02:00
sebres 6b56259f9a amend, obtain argument namespace before we'll use it 2025-03-31 01:11:05 +02:00
sebres b2352f113e implements the feature of automatic switch `backend = auto` to backend `systemd`, when:
- no files matching `logpath` found for this jail;
- no `systemd_if_nologs = false` (`true` by default) is specified for the jail;
- option `journalmatch` is set for the jail or its filter (otherwise it'd be too heavy to allow all auto-jails, even if they have never been foreseen for journal);
- option `skip_if_nologs` will be ignored if we could switch backend to `systemd`;
closes gh-3768
2025-03-30 22:31:44 +02:00
sebres 5a2fd9b31c split new test to 2 tests (allows to cover `_globJournalFiles` even if system-journal is not available) 2025-03-30 20:13:39 +02:00
sebres 4eef68b3d3 backend `systemd` extended with new parameter `rotated` (default false, as prevention against "too many open files"), that allows to monitor only actual journals and ignore a lot of rotated files by default; so can drastically reduce amount of used file descriptors (to 1 or 2 per jail);
closes #3391
2025-03-30 19:03:32 +02:00
sebres 7a4985178f amend 2025-03-30 18:59:18 +02:00
sebres 786d5b7e9e test-suite: increase wait-time for fast-mode for long waiting intervals (stability, avoid sporadic errors) 2025-03-30 06:07:17 +02:00
sebres 191d1e9533 improve threaded clean-up of filters, new functions `afterStop` (to force clean-up after stop) and `done`, invoking `afterStop` once; ensure journal-reader is always closed (prevention against "too many open files"), thereby avoid sporadic segfault in systemd module (https://github.com/systemd/python-systemd/issues/143) 2025-03-30 06:04:49 +02:00
sebres 9f0b6382bf idle must be before anything else in loop (to avoid endless errors if something continuously fails and filter will be placed to idle state after 100 unhandled errors) 2025-03-30 06:04:47 +02:00
sebres f49d50b8fd ensure the reader is really closed before reopen (preventing leaks if some handles or whatever are still open) 2025-03-30 06:04:44 +02:00
sebres 994a0b69da fixes systemd bug with missing journal descriptor after rotation by reopening of journal if it is recognized (it is not alive);
closes gh-3929
2025-03-30 00:53:27 +01:00
Sergey G. Brester 16ae53e888
Update main.yml
GHA: update python, 3.14.0-alpha.6 and pypy3.11
2025-03-28 23:07:27 +01:00
sebres ee421dfbd6 `filter.d/apache-noscript.conf` - consider new log-format with "AH02811: stderr from /...";
closes gh-3900
2025-03-28 22:52:51 +01:00
sebres b0d4eb07e5 command-line: test config shall output error directly and not using logger 2025-03-19 02:44:32 +01:00
sebres d02a613e89 configreaders: don't swallow return code by decoding error (whole jail or fail2ban config failed to read due to some error like encoding etc), so dump or test of config would get an error at end (and coverage for #3971) 2025-03-19 02:19:16 +01:00
sebres 8ae6eaf39a `filter.d/postfix.conf` - default `_daemon` in prefix-line is loosened - can match everything starting with word postfix, like `postfix-example.com/smtpd`;
closes gh-3297
2025-03-10 22:35:26 +01:00
Sergey G. Brester 505d51fd5d
Update PULL_REQUEST_TEMPLATE.md 2025-03-04 19:19:57 +01:00
sebres 4bb1fd519d test-suite: if failed, sample regexs factory would show responsible header line (failJSON) together with the error line 2025-03-04 14:39:24 +01:00
sebres cf9c8f1e9b test-suite: fixed sample regexs factory counting of line number (if it errors, the line number showing in error line was incorrect, because of missing increment) 2025-03-04 14:27:21 +01:00
Sergey G. Brester c035428535
Merge pull request #3954 from luckylittle/feature/systemd-journal-vsftpd
`filter.d/vsftpd.conf` - fixed regex (if failures generated by systemd-journal)
2025-03-04 14:20:01 +01:00
sebres 79346e4f2c updated ChangeLog 2025-03-04 14:15:14 +01:00
sebres 94fe9cf4a8 more fixes, capture user names, more tests...
since line 7 matches successfully now (it was disabled in gh-358 because of obsolete format), it is marked as match:true (line can be removed later if unneeded)
2025-03-04 14:13:07 +01:00
sebres 1e06ab68b4 fixed filter (new regex is unneeded), tests format of failures produced by system journal 2025-03-04 13:47:59 +01:00
Sergey G. Brester e9a42847bc
Merge pull request #3955 from luckylittle/feature/systemd-journal-lighttpd
`filter.d/lighttpd-auth.conf` - fixed regex (if failures generated by systemd-journal), bypass several prefixes now
2025-03-04 13:21:43 +01:00
Sergey G. Brester 3e9a4b4a48
Update ChangeLog 2025-03-04 13:20:54 +01:00
Sergey G. Brester 95cdf553f5
fixes test in lighttpd-auth: added failJSON to match the line 2025-03-04 13:09:21 +01:00
Sergey G. Brester 13a74feaad
2nd RE unneeded, fix single RE - bypass everything before open parenthesis 2025-03-04 13:02:50 +01:00
Lucian Maly 6e3bfd800c
Added author 2025-03-04 12:26:14 +11:00
Lucian Maly 9d7646e6c0
Added author 2025-03-04 12:25:27 +11:00
Lucian Maly f5ba525cd2
Added sample log line 2025-03-04 12:22:35 +11:00
Lucian Maly fd1d0d25a8
Added regex for systemd-journal matches of lighttpd-auth 2025-03-04 12:20:24 +11:00
Lucian Maly bd4cb606e5
Added sample log line 2025-03-04 11:47:49 +11:00
Lucian Maly 65d473fc8e
Added regex for systemd-journal matches of vsftpd 2025-03-04 11:43:38 +11:00
sebres e3ab969047 increase interval for up-to-date check (to 1 minute) after error, to avoid continuous flood in log on further possible errors 2025-03-04 00:07:31 +01:00
sebres 9145db8de3 small code review of FileIPAddrSet: encapsulate check for changed logic to _isModified and slightly increase coverage for it (latency, changed, unchanged) 2025-03-03 23:59:36 +01:00