Commit Graph

420 Commits (256c732bcdada8ee33c74bca7011589aa52c2ad2)

Author SHA1 Message Date
Daniel Black 657da2041c BF: dovecot filters, session characters and order of session/tls in log messages 2014-01-15 08:02:47 +11:00
Ivo Truxa 4765bc757c BF Dovecot auth failures
I am sorry, I installed the Win GIT, but still did not learn how to work with it, so am posting here again. This time, I'll avoid posting two pull requests, so please fix the dovecot.filter for me, if you don't mind.

The current filter does not match authentication errors in my Dovecot logs (two different lines attached). First of all, the session string is at the end (after the optional TLS string), and not before it as it is now in the filter. I don't see it anywhere in the other logs here in the opposite order, hence I assume it is the rule for all installations. And then, the session ID can also include other characters than those matched by \w+ (i.e. the slash and the plus signs in my case), hence it needs to be \S+ instead. Personally, I'd make the regex much less restrictive than it is, but if I follow the current logic, the following form works:

<pre>^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use disabled \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?(, session=<\S+>)?\s*$</pre>
2014-01-14 17:59:40 +01:00
Daniel Black 01e5ae1234 Merge pull request #584 from grooverdan/exim-auth
ENH: Exim auth
2014-01-13 02:20:47 -08:00
Daniel Black 353b84a648 Merge branch 'patch-4' of https://github.com/truxoft/fail2ban into exim-auth 2014-01-13 19:25:46 +11:00
Ivo Truxa 9f107403e8 Update exim
When using Dovecot authentication for Exim, which is relatively common, the current regex for catching authentication failures needs a small tweak. The current plain|login options are too limiting and will only work in the cases when only Exim's rudimentary built-in authentication is used. There can be not only the dovecot_login shown in this log example, but also dovecot_plain, ntlm, cram, cyrus, md5, and plenty of others. In fact, many admins may opt for their own authentication labels when setting up Exim. For this reason the regex should catch any label. I suggest modifying the regex in the following way:

<pre>^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$</pre>
2014-01-13 01:18:09 +01:00
Daniel Black 6b0e6b9bca ENH: add improper command pipelining postfix filter 2014-01-13 06:59:59 +11:00
Tomas Pihl b52a4441fd Support ACL-events without AccountID. Typically happens when a registration from an unknown domain is performed.

Add credits
2014-01-12 01:28:55 +01:00
Daniel Black 928f566d19 Merge pull request #576 from kwirk/ejabberd-filter
ENH: ejabberd filter
2014-01-09 14:52:18 -08:00
Steven Hiscocks 128112d51c ENH: ejabberd filter 2014-01-09 22:47:17 +00:00
Daniel Black cd5aab5ff1 TST: for tag substitution, multiple on same line 2014-01-10 09:20:56 +11:00
Daniel Black 755af0a51e Merge pull request #562 from grooverdan/jail.conf-complete_and_correct
ENH: Jail.conf now has all filters and TST: a mechanism to test this is true
2014-01-06 12:08:45 -08:00
Daniel Black 50eab4df81 ENH: add filter groupoffice. Closes gh-566 2014-01-06 21:56:22 +11:00
Daniel Black a8e0498389 BF: add expression for ssh filter for code 3: SSH2_DISCONNECT_KEY_EXCHANGE_FAILED. closes gh-289 2014-01-05 21:26:26 +11:00
Daniel Black c700910155 TST: ensure stock jail has all filters 2014-01-05 21:06:30 +11:00
Daniel Black 23f0b854da MRG: merge in freeswitch 2014-01-04 12:24:40 +11:00
Daniel Black 69b3a1cf64 BF: catching DEBUG messages will result in duplicates 2014-01-04 12:10:51 +11:00
Daniel Black 36533de6bc ENH: more filter expressions for freeswitch. Anchored existing one at end too 2014-01-04 08:21:22 +11:00
Daniel Black 04d28fd2e1 ENH: add filter freeswitch - as raised on mailing list 2014-01-03 13:00:37 +11:00
Daniel Black 83f3aeb308 ENH: filter for horde 2014-01-02 23:12:36 +11:00
Daniel Black e2faa312c1 TST: test case for horde 2014-01-02 23:11:39 +11:00
Daniel Black 856407379b ENH: add filter openwebmail. Closes gh-543. 2013-12-31 08:09:00 +11:00
Daniel Black 3d79e1612b MRG: test cases on exim-spam 2013-12-29 21:38:00 +00:00
Ivo Truxa d2658e063c Update exim-spam
An example with no valid FROM email address and host without reverse DNS record
2013-12-29 22:33:08 +01:00
Ivo Truxa bb88cfaddb Update exim-spam
attached sample Exim log line to demonstrate a silently tossed message as described at https://github.com/fail2ban/fail2ban/issues/533
2013-12-29 18:53:04 +01:00
Daniel Black 6666f41ee6 ENH: apache modsecurity filter 2013-12-29 06:59:47 +00:00
Yaroslav Halchenko c6a7bc2221 BF(2.4): remove use of "with" for python 2.4 for now (since we list it as supported) 2013-12-27 01:54:54 -05:00
Yaroslav Halchenko 952de51cf1 ENH: per original discussion, and changes which followed, better not to ignore absent failregex -- all filters (but included common) should have it 2013-12-27 01:47:15 -05:00
Yaroslav Halchenko 4e165c9692 ENH: FilterReader - use the set methods (improve coverage), test getters, use os.path.join 2013-12-27 01:43:23 -05:00
Yaroslav Halchenko 0141a6dbe7 TST: add few more rudimentary tests for Regex to complete its coverage 2013-12-27 01:29:02 -05:00
bes.internal 55d76ac373 TST: add test for IgnoreCommand at server 2013-12-25 00:58:00 +03:00
bes.internal ebd89ec077 New ignorecommand that is added to the ignoreip list from output of an external program
ignorecommand update man and fix protocol help

ENH: run ignore command only after internal list has been examined. Change interface on ignorecommand to take IP as environment variable and return true if it is to be banned

ENH: ignore IP command to take tagged command

DOC: man pages for ignorecommand

TST: add test cases for ignorecommand
2013-12-24 23:55:35 +03:00
Daniel Black 1b7df1181f BF: apache-2.4 log format fix. Closes gh-516 2013-12-23 08:28:40 +00:00
Yaroslav Halchenko 7af58b9984 Merge branch 'apache-noscripts' of https://github.com/grooverdan/fail2ban
* 'apache-noscripts' of https://github.com/grooverdan/fail2ban:
  ENH: apache-noscript now matches php-cgi scripts. Closes gh-503

Conflicts:
	ChangeLog -- two new entries collided, reformatted the merged one a bit
2013-12-22 22:28:57 -05:00
Daniel Black 7a9252bd0e TST BF: local definition 2013-12-22 12:08:10 +00:00
Daniel Black 2a67ef519c TST: missing logpath raises IOError 2013-12-22 08:43:57 +00:00
Daniel Black 2d688a5a03 TST: improve polling test case to ensure isModified only returns True once (file static) 2013-12-22 07:47:24 +00:00
Daniel Black a9b7d33c51 ENH: apache-noscript now matches php-cgi scripts. Closes gh-503 2013-12-19 10:01:24 +00:00
Steven Hiscocks d22716ab63 ENH: Add nsd filter and amend DateEpoch to match date format 2013-12-18 22:31:54 +00:00
Daniel Black dd79889904 Merge pull request #484 from grooverdan/more-more-tests
BF/TST: fix internals of jailreader and add test cases
2013-12-16 02:29:50 -08:00
Daniel Black 729929ada9 TST: jails can occur in any order once parsed. Sort results to facilitate comparison 2013-12-16 10:21:46 +00:00
Daniel Black 5c26bcbd2b TST: hopefully normalise config so that consistent test results occur on travis and locally 2013-12-16 10:07:41 +00:00
Daniel Black 603095bc16 BF: errors in a jail prevents further sections from being parsed. Closes #485 2013-12-14 07:00:41 +00:00
Daniel Black b39729a2ab BF: fix unintentional typo 2013-12-14 06:51:36 +00:00
Daniel Black 2dac984b97 Merge pull request #482 from grooverdan/squid
ENH: add squid filter
2013-12-13 15:31:38 -08:00
Daniel Black 18f0e58caa TST: increase coverage in jailreader 2013-12-13 11:41:40 +00:00
Daniel Black f6fb737e6c TST: remove commented test print 2013-12-13 10:55:15 +00:00
Daniel Black e916fcdce4 TST: test case for actions and filters missing in a jail 2013-12-13 10:51:38 +00:00
Daniel Black 1407b955e6 TST: more client/jailreader tests 2013-12-13 10:03:51 +00:00
Daniel Black c6d14dcf0e TST: complete coverage of splitAction 2013-12-12 20:35:30 +00:00
Daniel Black 3036afca91 TST: check dangling link log message 2013-12-12 10:13:57 +00:00