25e006e137
review and small tweaks (more precise and safe RE)
2020-11-09 13:43:59 +01:00
df659a0cbc
Add Bitwarden syslog support
2020-11-09 13:34:39 +01:00
472bdc437b
Merge pull request #2723 from benrubson/softether
...
Add SoftEtherVPN jail
2020-11-09 13:23:25 +01:00
010e76406f
small tweaks (both 2nd time and facility are optional, avoid catch-all, etc)
2020-11-09 13:19:25 +01:00
d4adec7797
Merge branch '0.9' into 0.10
2020-11-09 12:44:07 +01:00
5430091acb
jail `counter-strike`: removed link to site with redirect to malicious page (gh-2868)
2020-11-09 12:43:34 +01:00
ec873e2dc3
Add SoftEtherVPN jail
2020-11-05 23:56:30 +01:00
02525d7b6f
filter.d/sshd.conf: mode `ddos` (and `aggressive`) extended with new rule closing flood attack vector, matching:
...
error: kex_exchange_identification: Connection closed by remote host
(gh-2850)
2020-10-08 21:07:51 +02:00
2817a8144c
`action.d/bsd-ipfw.conf`: small amend (gh-2836) simplifying awk condition/code (position starts from `<lowest_rule_num>` and increases whilst used)
2020-09-29 13:33:40 +02:00
1418bcdf5b
`action.d/bsd-ipfw.conf`: fixed selection of rule-no by large list or initial `lowest_rule_num`, exit code can't be larger than 255 (gh-2836)
2020-09-29 12:35:49 +02:00
d977d81ef7
action.d/abuseipdb.conf: removed broken link, simplified usage example, fixed typos
2020-09-17 12:39:08 +02:00
a038fd5dfe
`action.d/firewallcmd-*.conf` (multiport only): fixed port range selector, replacing `:` with `-`;
...
small optimizations on `firewallcmd-rich-rules.conf` and `firewallcmd-rich-logging.conf` simplifying both and provide a dependency (rich-logging is a derivative of rich-rules);
closes gh-2821
2020-09-03 16:41:23 +02:00
ed20d457b2
jail.conf: removed action parameter `name` that set on jail-name (`name=%(__name__)s` is default in action reader)
2020-09-02 20:14:31 +02:00
db1f3477cc
amend to 3f04cba9f92a1827d0cb3dcb51e57d9f60900b4a: sendmail-auth has 2 failregex now, so rewritten with prefregex
2020-08-27 18:07:42 +02:00
3f04cba9f9
filter `sendmail-auth` extended to follow new authentication failure message introduced in sendmail 8.16.1, AUTH_FAIL_LOG_USER (gh-2757)
2020-08-27 17:44:25 +02:00
07fa9f2912
fixes gh-2787: allow to match `did not issue MAIL/EXPN/VRFY/ETRN during connection` non-anchored with extra mode (default names may deviate);
...
additionally provides common addr-tag for IPv4/IPv6 (`(?:IPv6:<IP6>|<IP4>)`) and test-coverage for IPv6
2020-08-27 17:04:19 +02:00
1707560df8
Enhance Guacamole jail
2020-08-25 13:01:50 +02:00
9100d07c03
Merge branch '0.10-ipset-tout' into 0.10, amend to #2703 : resolves names conflict (command action timeout and ipset timeout); closes #2790
2020-08-04 13:53:21 +02:00
62a6771b33
Merge remote-tracking branch 'sebres:0.10' into 0.10; closes gh-2763
...
action.d/nftables.conf (type=multiport only): fixed port range selector (replacing `:` with `-`)
2020-08-04 13:51:20 +02:00
73a8175bb0
resolves names conflict (command action timeout and ipset timeout); closes gh-2790
2020-08-04 13:22:02 +02:00
08dbe4abd5
fixed comment for loglevel, default is INFO
2020-07-03 13:45:29 +02:00
309c8dddd7
action.d/nftables.conf (type=multiport only): fixed port range selector (replacing `:` with `-`)
2020-06-24 19:20:36 +02:00
5a0edf61c9
filter.d/sshd.conf: normalizing of user pattern in all RE's, allowing empty user (gh-2749)
2020-06-08 14:38:26 +02:00
368aa9e775
Merge pull request #2689 from benrubson/gitlab
...
New Gitlab jail
2020-05-04 19:19:13 +02:00
01e92ce4a6
added fallback using tr and sed (jq is optional now)
2020-04-27 19:26:46 +02:00
1c1b671c74
Update cloudflare.conf
2020-04-27 19:26:44 +02:00
5b8fc3b51a
cloudflare: fixes ip to id conversion by unban using jq
...
normalized URIs and parameters, notes gets a jail-name (should be possible to differentiate the same IP across several jails)
2020-04-27 19:26:43 +02:00
852670bc99
CloudFlare started to indent their API responses
...
We need to use https://github.com/stedolan/jq to parse it.
2020-04-27 19:26:39 +02:00
8b3b9addd1
Change tool from 'cut' to 'sed'
...
Sed regex was tested - it works.
2020-04-27 19:12:36 +02:00
5da2422f61
Fix actionunban
...
Add command to remove new line character. Needed for working removing rule from cloudflare firewall.
2020-04-27 19:12:35 +02:00
87a1a2f1a1
action.d/*-ipset*.conf: several ipset actions fixed (no timeout per default anymore), so no discrepancy between ipset and fail2ban (removal from ipset will be managed by fail2ban only)
2020-04-25 14:52:38 +02:00
6b90ca820f
filter.d/traefik-auth.conf: filter extended with parameter mode (`normal`, `ddos`, `aggressive`) to handle the match of username differently:
...
- `normal`: matches 401 with supplied username only
- `ddos`: matches 401 without supplied username only
- `aggressive`: matches 401 and any variant (with and without username)
closes gh-2693
2020-04-23 13:08:24 +02:00
affd9cef5f
filter.d/courier-smtp.conf: prefregex extended to consider port in log-message (closes gh-2697)
2020-04-21 13:32:17 +02:00
06b46e92eb
jail.conf: don't specify `action` directly in jails (use `action_` or `banaction` instead);
...
no mails-action added per default anymore (e. g. to allow that `action = %(action_mw)s` should be specified per jail or in default section in jail.local), closes gh-2357;
ensure we've unique action name per jail (also if parameter `actname` is not set but name deviates from standard name, gh-2686);
don't use %(banaction)s interpolation because it can be complex value (containing `[...]`), so would bother the action interpolation.
2020-04-15 19:00:49 +02:00
2912bc640b
New Gitlab jail
2020-04-09 16:42:08 +02:00
136781d627
filter.d/sshd.conf: fixed regex for mode `extra` - "No authentication methods available" (supported seems to be optional now, gh-2682)
2020-04-08 12:17:59 +02:00
22a04dae05
Merge branch '0.9' into 0.10 (gh-2246)
2020-03-18 16:11:53 +01:00
b1e1cab4b7
Merge pull request #2246 from shaneforsythe/shaneforsythe-patch-2
...
Improve regex in proftpd.conf
2020-03-18 15:49:18 +01:00
606bf110c9
filter.d/sshd.conf (mode `ddos`): fixed "connection reset" regex (seems to have same syntax now as closed), so both regex's combined now to single RE
...
(closes gh-2662)
2020-03-16 17:31:39 +01:00
42714d0849
filter.d/common.conf: closes gh-2650, avoid substitute of default values in related `lt_*` section, `__prefix_line` should be interpolated in definition section (after the config considers all sections that can overwrite it);
...
amend to 62b1712d22#2387 , backend-related option `logtype`);
testSampleRegexsZZZ-GENERIC-EXAMPLE covering now negative case also (other daemon in prefix line)
2020-03-05 13:47:11 +01:00
ab3a7fc6d2
filter.d/sshd.conf: mode `ddos` (and aggressive) extended to detect port scanner sending unexpected ident string after connect
2020-02-17 16:24:42 +01:00
9137c7bb23
filter processing:
...
- avoid duplicates in "matches" (previously always added matches of pending failures to every next real failure, or nofail-helper recognized IP, now first failure only);
- several optimizations of merge mechanism (multi-line parsing);
fail2ban-regex: better output handling, extended with tag substitution (ex.: `-o 'fail <ip>, user <F-USER>: <msg>'`); consider a string containing new-line as multi-line log-excerpt (not as a single log-line)
filter.d/sshd.conf: introduced parameter `publickey` (allowing change behavior of "Failed publickey" failures):
- `nofail` (default) - consider failed publickey (legitimate users) as no failure (helper to get IP and user-name only)
- `invalid` - consider failed publickey for invalid users only;
- `any` - consider failed publickey for valid users too;
- `ignore` - ignore "Failed publickey ..." failures (don't consider failed publickey at all)
tests/samplestestcase.py: SampleRegexsFactory gets new failJSON option `constraint` to allow ignore of some tests depending on filter name, options and test parameters
2020-02-13 12:28:07 +01:00
1492ab2247
improve processing of pending failures (lines without ID/IP) - fail2ban-regex would show those in matched lines now (as well as increase count of matched RE);
...
avoid overwrite of data with empty tags by ticket constructed from multi-line failures;
amend to d1b7e2b5fb2b389d04845369d7d29db65425dcf2: better output (as well as ignoring of pending lines) using `--out msg`;
filter.d/sshd.conf: don't forget mlf-cache on "disconnecting: too many authentication failures" - message does not have IP (must be followed by "closed [preauth]" to obtain host-IP).
2020-02-11 18:44:36 +01:00
774dda6105
filter.d/postfix.conf: extended mode ddos and aggressive covering multiple disconnects without auth
2020-02-10 13:29:16 +01:00
34d63fccfe
close gh-2629 - jail.conf (action_blocklist_de interpolation): replace service parameter (use jail name instead of filter, which can be empty)
2020-02-10 13:03:55 +01:00
569dea2b19
filter.d/mysqld-auth.conf: capture user name in filter (can be more strict if user switched, used in action or fail2ban-regex output);
...
also add coverage for mariadb 10.4 log format (gh-2611)
2020-01-22 17:24:40 +01:00
ec37b1942c
action.d/nginx-block-map.conf: fixed backslash substitution (different echo behavior in some shells, gh-2596)
2020-01-14 11:39:13 +01:00
f77398c49d
filter.d/sshd.conf: captures `Disconnected from ... [preauth]`, preauth phase only, different handling by `extra` (with supplied user only) and `ddos`/`aggressive` mode (`normal` mode is not affected, used there just as a helper with `<F-NOFAIL>` to capture IP for multiline failures without IP);
...
closes gh-2115, gh-2362.
2020-01-09 20:53:53 +01:00
67fd75c88e
pass2allow-ftp: inverted handling - action should prohibit access per default for any IP, so reset start on demand parameter for this action (will be started immediately).
2020-01-06 21:13:40 +01:00
8f6ba15325
avoid unhandled exception during flush, better invariant check (and repair), avoid repair by unban/stop etc...
2019-12-27 21:30:41 +01:00
sebres