- OpenSolaris keyboard message matched by new regex 3
- Removed Bye Bye regex per
https://github.com/fail2ban/fail2ban/issues/175#issuecomment-16538036
- PAM auth failure or error and first char case-insensitive, can also
have chars after the hostname. e.g.
Apr 29 16:53:38 Jamess-iMac.local sshd[47831]: error: PAM:
authentication error for james from 205.186.180.101 via 192.168.1.201
for matching log lines like:
Mar 29 05:20:09 dusky sshd[19558]: [ID 800047 auth.info] Failed
keyboard-interactive for james from 205.186.180.30 port 54520 ssh2
this matches [ID 800047 auth.info]
* 'Support_for_mysql_log_example' of https://github.com/arto-p/fail2ban:
Added testcase for MySQL date format to testcases/datedetectortestcase.py and example of MySQL log file.
Added support for MySQL logfiles
Conflicts:
testcases/datedetectortestcase.py -- conflictde with other added test cases
* pr/117/head:
An example of failed logins against sogo
Update sogo-auth.conf
Update config/filter.d/sogo-auth.conf
Create sogo-auth.conf
Update config/jail.conf
Do not trigger sshd bans on pam_unix authentication failures, this will trigger on successful logins on systems that use non-pam_unix authentication (sssd, ldap, etc.).
Noticed while looking at the source (to see the point of ssh-ddos).
POSSIBLE BREAK-IN ATTEMPT - sounds scary? But keep reading
the message. It's not a login failure. It's a warning about
reverse-DNS. The login can still succeed, and if it _does_ fail,
that will be logged as normal.
<exhibit n="1">
Jul 9 05:43:00 brick sshd[18971]: Address 200.41.233.234 maps to host234.advance.com.
ar, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jul 9 05:43:00 brick sshd[18971]: Invalid user html from 200.41.233.234
</exhibit>
The problem (in my mind) is that some users are stuck with bad dns.
The warning won't stop them from logging in. I'm pretty sure they can't
even see it. But when they exceed a threshold number of logins -
which could be all successful logins - fail2ban will trigger.
fail2ban shouldn't adding additional checks to successful logins
- it goes against the name fail2ban :)
- the first X "POSSIBLE BREAK-IN ATTEMPT"s would be permitted anyway
- if you want to ban bad DNS, the right way is PARANOID in /etc/hosts.deny
I've checked the source of OpenSSH, and this will only affect the
reverse-DNS error. (I won't be offended if you want to check
for yourself though ;)
<exhibit n="2">
$ grep -r -h -C1 'ATTEMPT' openssh-5.5p1/
logit("reverse mapping checking getaddrinfo for %.700s "
"[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop);
return xstrdup(ntop);
--
logit("Address %.100s maps to %.600s, but this does not "
"map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
ntop, name);
$
</exhibit>
* gh-magicrhesus/master:
Add the INCLUDE section to use __pid_re feature
Disable asterisk jail by default
Change jail for asterisk, add support for SIP and SIP-TLS on TCP and UDP ports
Change NOTICE by NOTICE%(__pid_re)s
Remove custom bantime
Add sample log file for asterisk
Add $ at the end of the failregex
Add asterisk support
Conflicts:
config/jail.conf -- placed asterisk jails before recidive and added blank lines after the jail headers
Based on previous work as documented in the bug by Amir and myself,
plus some enhancements and documentation added to the file itself rather
than a URL (they rot).
e.g.
Sep 25 12:51:04 myhost kernel: [773580.832329] sshd[25557]: Invalid user pgsql from 91.203.223.206
This fixes the sshd filter on Fedora 15, and probably other filters on
other newish distros too.
jamesstout