Commit Graph

1439 Commits (22e9ccb3876112da231a4c89f7d3882e8ffdaaf9)

Author SHA1 Message Date
sebres 8069eef50c badips: try to fix sporadic test errors if the badips server timed out resp. is not available (502 bad gateway or similar). 2018-04-05 12:31:29 +02:00
Michael Grant 57bc502d5c Update sendmail-reject.conf 2018-04-04 18:52:36 +02:00
Michael Grant 2ab6a5ae62 Update sendmail-auth.conf 2018-04-04 18:52:35 +02:00
Michael Grant 87520e8008 Sendmail logs IPv6 addresses with the prefix 'IPv6:'. Added (IPv6:)? before all <HOST> regexes to match the IPv6 address (but not the prefix). 2018-04-04 18:52:33 +02:00
Luis Aranguren fc76ccf192 Fixes abuseipdb curl cipher error and comment $f2bV_matches
Fixed https://github.com/fail2ban/fail2ban/issues/2044 #2044
and used https://github.com/fail2ban/fail2ban/issues/2039 to fix comment in abuseipdb.com only showing $f2bV_matches
2018-04-04 16:39:16 +02:00
Sergey G. Brester 7bbc26d67e Merge pull request #2097 from benrubson/sni
Detect Apache SNI error / misredirect attempts
2018-04-04 16:31:38 +02:00
benrubson bd74f7ba8b Detect Apache SNI error / misredirect attempts, typos 2018-04-04 00:20:58 +02:00
sebres 8423f017e7 Merge branch 'sshd-ddos-mode-closed-preauth' into 0.10 2018-04-03 14:12:35 +02:00
sebres 4ee07adde6 Merge branch '0.10' into fix-sshd-filter-suff
# Conflicts resolved:
#	fail2ban/server/filter.py
2018-04-03 13:30:57 +02:00
benrubson 30dc22fb2e Detect Apache SNI error / misredirect attempts 2018-03-29 11:36:49 +02:00
sebres 4f6532f810 filter.d/sshd.conf: mode `ddos` (and `aggressive`) extended to catch `Connection closed by ... [preauth]`, so in DDOS mode a connection closed within the preauth stage now counts as a failure;
at least using both modes can ban port-scanners and prevent other annoying "intruders" closing the connection within the preauth stage (see gh-2085 for example).
2018-03-20 18:54:22 +01:00
sebres cd7f1354c6 remove end-anchors for expressions that are precise enough (with clear flow, simple branches, without catch-all's, etc.) 2018-03-20 18:47:42 +01:00
sebres c31eb1c562 quick optimization: normalizes pam-generic prefregex (more similar to the same regex within sshd-filter) + datepattern anchored now; 2018-03-20 16:00:21 +01:00
sebres 25cc42129a hold all user names affected by interim attempts in order to avoid forgetting failures after a successful login:
an intruder (as a legitimate user) first tries to log in with another user-name (brute-force), hoping to reset the failure counter by a successful login;
this is fixed and covered in tests now;
sshd-filter extended to cover multiple-login attempts (also fully implements gh-2070);
2018-03-20 13:09:05 +01:00
sebres a9c94686b6 fixed multiple regexes matched 2018-03-20 09:09:42 +01:00
sebres 8028d3940d amend with better match of optional suffix-groups;
remove end-anchors for expressions that are precise enough (with clear flow, simple branches, without catch-all's, etc.);
2018-03-19 17:29:26 +01:00
sebres 66d2436f21 filter.d/sshd.conf: extend suffix with optional port, move it to `prefregex` at end outside of the content 2018-03-19 16:50:49 +01:00
sebres 7b3442c4e2 amend to 185cb998e7c7f2509830bed4a9f2fe6179f77e7b: capture error prefix outside of the failure content; 2018-03-19 14:53:56 +01:00
sebres 185cb998e7 make `prefregex` more precise in order to avoid catching the content for non-failure lines 2018-03-19 14:38:47 +01:00
sebres e8ffab28fb filter.d/apache-noscript.conf: extended to match "Primary script unknown", coming from the php-fpm module. 2018-03-19 14:23:24 +01:00
sebres a6fb33bdec filter.d/recidive.conf: fixed if logging into systemd-journal (SYSLOG) with daemon name in prefix, gh-2069 2018-03-09 13:56:38 +01:00
Sergey G. Brester b34ae5999e action.d/hostdeny.conf: fixes IPv6 syntax
differentiate the IPv4 and IPv6 syntax (where it is enclosed in square brackets)
2018-03-05 19:35:10 +01:00
sebres caa2bdfee6 amendment for gh-2061: it looks like the port was added here also 2018-03-02 19:24:47 +01:00
sebres a3bcbe2d1b backwards-compatibility, test-cases and ChangeLog update 2018-03-02 19:15:10 +01:00
MatthieuBarbu 6b5516b851 fix sshd rule #2
in line 58, the rule doesn't match with "%(__suff)s" but works fine if I replace it with "%(__on_port_opt)s"
Debian 9 stretch : fail2ban 0.10.3
2018-03-02 18:40:36 +01:00
sebres 1d7aa2ff21 filter.d/sshd.conf: rewrite fix (for new ssh log-format) backwards compatible + test-cases extended to cover both cases 2018-03-02 18:17:17 +01:00
MatthieuBarbu 9f5c873526 fix sshd rule
just remove the space before ":11" in line 52 because it doesn't match on my Debian 9 stretch...
I don't know if this is wrong on all OS
2018-03-02 17:53:35 +01:00
sebres 8c291cad38 filter.d/asterisk.conf: fixed failregex prefix when logging over a remote syslog server (gh-2060) 2018-03-02 09:17:04 +01:00
Ben RUBSON b112250ef0 (Free)BSD IPFW does not allow 2 identical rules (#2054)
ipfw actionban fixed to allow the same rule to be added several times (and actionunban to ignore the error on deletion of a missing rule)
2018-02-27 10:18:59 +01:00
Ben RUBSON 857767f04b Add 'any' badips.py bancategory (#2056)
action.d/badips.py: allow `any` as bancategory to retrieve IPs from all categories
2018-02-27 10:12:22 +01:00
sebres 07fcb24ff6 Merge pull request #2057 from benrubson/https
Use httpS with badips
2018-02-26 18:50:35 +01:00
sebres f52c67238a action.d/badips.py: code review, ban command covered, debug log-messages, etc; 2018-02-26 18:16:20 +01:00
benrubson fce2a50165 badips.py, solve a str() issue under FreeBSD 2018-02-26 15:55:21 +01:00
benrubson e2665d39fd Use httpS with badips 2018-02-26 09:58:37 +01:00
sebres e636567d23 filter.d/exim.conf: failregex extended with SMTP call dropped: too many syntax or protocol errors. 2018-02-19 09:50:46 +01:00
sebres 19a5a2f8c0 filter.d/murmur.conf: fixed detection of failures reading from journal (systemd-backend only):
- extended with optional prefix for the systemd-journal (with second date-pattern as optional match);
- added `journalmatch` filtering;
closes gh-2043
2018-02-09 11:43:55 +01:00
sebres 0be0e43d47 amend to 03b577d7b92a120e325abe20a99b6956a7e0657c: add new-line after matches via tag `<br>` without usage of interim variable 2018-01-30 12:52:26 +01:00
sebres 03b577d7b9 action.d/blocklist_de.conf: fixed tag substitution (in 0.10 it can be variables supplied via shell-arguments), expand `<matches>` with trailing newline;
tests extended;
closes gh-2028
2018-01-30 12:27:03 +01:00
Yaroslav Halchenko 527bb9a7c3 dos2unix for helpers-common.conf
Original report: http://bugs.debian.org/888110
2018-01-23 08:48:36 -05:00
sebres f69e28adfc action.d/pf.conf: compatibility fix - recognizes that parameter `port` is specified as empty, with or without braces (should be more backwards compatible to 0.9 now). 2018-01-18 14:05:22 +01:00
sebres ed22ddbbbb Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2018-01-17 16:42:56 +01:00
sebres 63e906b2c1 regex rewritten: a bit less vulnerable now and using non-capturing groups, test-cases extended in order to cover injection attempts on the user name 2018-01-17 16:35:32 +01:00
Benedikt Seidl fed6c49c2d nginx-http-auth: match usernames with spaces
# Conflicts:
#	ChangeLog
2018-01-17 16:35:31 +01:00
Sergey G. Brester b6c6565a7e regex updated using non-capturing groups 2018-01-16 14:23:47 +01:00
riceru 6a1bbbf101 Update lighttpd-auth.conf
I have lighttpd 1.4.45 (Debian 9) and the auth error log is different.
It now prints mod_auth and not http_auth.
I think that the change was in lighttpd 1.4.42
2018-01-16 12:39:55 +00:00
sebres 2b7b0da943 Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2018-01-15 18:16:43 +01:00
Serg G. Brester 7e05976ead action.d/hostsdeny.conf: actionunban rewritten using sed, also dots in IP are escaped now.
Closes #2000
2018-01-11 12:38:34 +01:00
sebres 2112145eb4 stop banning legitimate users with multiple public keys (e.g. git, etc.), thereby
differentiate between "invalid user" (banned earlier) and valid users with public keys, for which the rejections of invalid public keys (failures) will be delayed up to "Too many authentication failures" resp. disconnect without success (accepted public key).
2018-01-10 19:07:20 +01:00
sebres 314e402fe0 filter.d/sendmail-auth.conf - extended daemon for Fedora 24/RHEL - the daemon name is "sendmail" (gh-1632) 2018-01-10 14:49:06 +01:00
sebres c30144b37a Merge branch '0.9' into 0.10
# Conflicts:
#	config/action.d/firewallcmd-ipset.conf
#	config/filter.d/asterisk.conf
# Merge-point after cherry-pick, no changes:
#	fail2ban/client/jailreader.py
#	fail2ban/helpers.py
2018-01-10 12:05:26 +01:00