Commit Graph

793 Commits (2ab6a5ae62bda7000841e2d3695a4a2bbc61779d)

Author SHA1 Message Date
Michael Grant 2ab6a5ae62 Update sendmail-auth.conf
7 years ago
Michael Grant 87520e8008 Sendmail logs IPv6 addresses with the prefix 'IPv6:'. Added (IPv6:)? before all <HOST> regexes to match the IPv6 address (but not the prefix).
7 years ago
Sergey G. Brester 7bbc26d67e Merge pull request #2097 from benrubson/sni
7 years ago
benrubson bd74f7ba8b Detect Apache SNI error / misredirect attempts, typos
7 years ago
sebres 8423f017e7 Merge branch 'sshd-ddos-mode-closed-preauth' into 0.10
7 years ago
sebres 4ee07adde6 Merge branch '0.10' into fix-sshd-filter-suff
7 years ago
benrubson 30dc22fb2e Detect Apache SNI error / misredirect attempts
7 years ago
sebres 4f6532f810 filter.d/sshd.conf: mode `ddos` (and `aggressive`) extended to catch `Connection closed by ... [preauth]`, so in DDOS mode it causes failure now on closed within preauth stage;
7 years ago
sebres cd7f1354c6 remove end-anchors for expressions that are precise enough (with clear flow, simple branches, without catch-all's, etc.)
7 years ago
sebres c31eb1c562 quick optimization: normalizes pam-generic prefregex (more similar to the same regex within sshd-filter) + datepattern anchored now;
7 years ago
sebres 25cc42129a hold all user names affected by interim attempts in order to avoid forget a failures after success login:
7 years ago
sebres a9c94686b6 fixed multiple regexs matched
7 years ago
sebres 8028d3940d amend with better match of optional suffix-groups;
7 years ago
sebres 66d2436f21 filter.d/sshd.conf: extend suffix with optional port, move it to `prefregex` at end outside of the content
7 years ago
sebres 7b3442c4e2 amend to 185cb998e7c7f2509830bed4a9f2fe6179f77e7b: capture error prefix outside of the failure content;
7 years ago
sebres 185cb998e7 make `prefregex` more precise in order to avoid catch the content for non failure lines
7 years ago
sebres e8ffab28fb filter.d/apache-noscript.conf: extended to match "Primary script unknown", got from php-fpm module.
7 years ago
sebres a6fb33bdec filter.d/recidive.conf: fixed if logging into systemd-journal (SYSLOG) with daemon name in prefix, gh-2069
7 years ago
sebres caa2bdfee6 amendment for gh-2061: it looks like the port was added here also
7 years ago
sebres a3bcbe2d1b backwards-compatibility, test-cases and ChangeLog update
7 years ago
MatthieuBarbu 6b5516b851 fix sshd rule #2
7 years ago
sebres 1d7aa2ff21 filter.d/sshd.conf: rewrite fix (for new ssh log-format) backwards compatible + test-cases extended to cover both cases
7 years ago
MatthieuBarbu 9f5c873526 fix sshd rule
7 years ago
sebres 8c291cad38 filter.d/asterisk.conf: fixed failregex prefix by log over remote syslog server (gh-2060)
7 years ago
sebres e636567d23 filter.d/exim.conf: failregex extended with SMTP call dropped: too many syntax or protocol errors.
7 years ago
sebres 19a5a2f8c0 filter.d/murmur.conf: fixed detection of failures reading from journal (systemd-backend only):
7 years ago
sebres ed22ddbbbb Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
7 years ago
sebres 63e906b2c1 regex rewritten: a bit fewer vulnerable now and using non-capturing groups, test-cases extended in order to cover trying of injection on user name
7 years ago
Benedikt Seidl fed6c49c2d nginx-http-auth: match usernames with spaces
7 years ago
Sergey G. Brester b6c6565a7e regex updated using non-capturing groups
7 years ago
riceru 6a1bbbf101 Update lighttpd-auth.conf
7 years ago
sebres 2b7b0da943 Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
7 years ago
sebres 2112145eb4 stop ban of legitimate users with multiple public keys (e. g. git, etc), thereby
7 years ago
sebres 314e402fe0 filter.d/sendmail-auth.conf - extended daemon for Fedora 24/RHEL - the daemon name is "sendmail" (gh-1632)
7 years ago
sebres c30144b37a Merge branch '0.9' into 0.10
7 years ago
Yannik Sembritzki 94f0b15c32 Allow faster parsing of hosts without ' characters in them
7 years ago
Yannik Sembritzki b28dfb965a Fix filter not catching asterisk requests with quote character in username (fixes #2010)
7 years ago
sebres 2712f72650 Merge remote-tracking branch 'master' into 0.10
7 years ago
Kevin Maradona 6c705d572b filter.d/nginx-limit-req.conf: nginx limit-req log-level can be set to warn or error therefore having this regex will include both of them.
7 years ago
sebres 2b68882502 filter.d/exim.conf: provides mode "aggressive" to ban flood resp. DDOS-similar failures;
7 years ago
sebres 7f89fbc33f Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
7 years ago
Serg G. Brester 4f63180611 Avoid injection using quotes after `auth` command;
7 years ago
Serg G. Brester f59df2e156 Avoid any injecting on protocol (e. g. tries using camel-case)
7 years ago
Peter Nowee aa158ac05f Exim failregex: Include lower/mixed case AUTH
7 years ago
SlowRiot 660d57e6ba updating my email address
7 years ago
sebres 159957ab88 filter.d/sshd.conf: extended failregex for modes "extra"/"aggressive": now finds all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors;
7 years ago
sebres 0e66e3cc57 Merge branch 'master' into 0.10
7 years ago
Michael Newton d5d1fe679f Remove invalid regex
7 years ago
Harry Wood ea1b663f85 typo
7 years ago
sebres e71f16f6ba Merge branch 'master' into 0.10
7 years ago