github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity
5,202 Commits
32 Branches
229 Tags
18 MiB
Commit Graph

452 Commits (35591db3e854af89038e230b47a75b8978ed84fd)

Author SHA1 Message Date
sebres 6ce67a6d21 coverage 2018-07-05 16:27:36 +02:00
sebres 0eaa0ecd86 Merge branch '0.10' into 0.11 2018-06-14 12:36:22 +02:00
sebres 8cbe1e6b13 Merge pull request #2155 2018-06-14 12:35:57 +02:00
cheese1 43db4411de small typo 2018-06-14 12:35:04 +02:00
sebres 0d40dd42b1 Merge branch '0.10' into 0.11 2018-04-26 13:43:15 +02:00
sebres bba7a6c5cf amend to (gh-2067) / b34ae5999e0d8ee1af8939527305c13152844b3d: fix parameter in config (dynamic parameters stating with '_' are protected and don't allowed in command-actions); 
the interpolation of hostsdeny is test-covered now;
closes gh-2114.
 2018-04-17 18:59:24 +02:00
sebres 0707695146 Merge branch '0.10' into 0.11, version bump 
# Conflicts resolved:
#	fail2ban/server/database.py
 2018-04-05 12:58:11 +02:00
sebres 8069eef50c badips: try to fix sporadic test errors if badips-server timed out resp. not available (502 bad gateway or similar). 2018-04-05 12:31:29 +02:00
sebres 1fdad90b4d Merge branch '0.10' into 0.11 2018-04-04 16:49:57 +02:00
Luis Aranguren fc76ccf192 Fixes abuseipdb curl cypher error and comment $f2bV_matches 
Fixed https://github.com/fail2ban/fail2ban/issues/2044 #2044
and used https://github.com/fail2ban/fail2ban/issues/2039 to fix comment in abuseipdb.com only showing $f2bV_matches
 2018-04-04 16:39:16 +02:00
sebres 7dfd61f462 Merge branch '0.10' into 0.11-2 2018-04-03 14:14:44 +02:00
Sergey G. Brester b34ae5999e
action.d/hostdeny.conf: fixes IPv6 syntax 
differentiate the IPv4 and IPv6 syntax (where it is enclosed in square brackets)
 2018-03-05 19:35:10 +01:00
sebres 5ea76789c6 Merge branch '0.10' into 0.11 2018-03-02 17:18:37 +01:00
Ben RUBSON b112250ef0 (Free)BSD IPFW does not allow 2 identical rules (#2054) 
ipfw actionban fixed to allow same rule added several times (and actionunban to ignore error by deletion of missing rule)
 2018-02-27 10:18:59 +01:00
Ben RUBSON 857767f04b Add 'any' badips.py bancategory (#2056) 
action.d/badips.py: allow `any` as bancategory to retrieve IPs from all categories
 2018-02-27 10:12:22 +01:00
sebres 47a7f83a0b Merge branch '0.10' into 0.11 2018-02-26 19:30:54 +01:00
sebres 07fcb24ff6 Merge pull request #2057 from benrubson/https 
Use httpS with badips
 2018-02-26 18:50:35 +01:00
sebres f52c67238a action.d/badips.py: code review, ban command covered, debug log-messages, etc; 2018-02-26 18:16:20 +01:00
benrubson fce2a50165 badips.py, solve a str() issue under FreeBSD 2018-02-26 15:55:21 +01:00
benrubson e2665d39fd Use httpS with badips 2018-02-26 09:58:37 +01:00
sebres 201ae0dac2 Merge branch '0.10' into 0.11 2018-01-31 12:20:34 +01:00
sebres 0be0e43d47 amend to 03b577d7b92a120e325abe20a99b6956a7e0657c: add new-line after matches via tag `<br>` without usage of interim variable 2018-01-30 12:52:26 +01:00
sebres 03b577d7b9 action.d/blocklist_de.conf: fixed tag substitution (in 0.10 it can be variables supplied via shell-arguments), expand `<matches>` with trailing newline; 
tests extended;
closes gh-2028
 2018-01-30 12:27:03 +01:00
sebres faab77cc79 Merge branch '0.10' into 0.11, with resolved conflicts. 2018-01-24 17:56:58 +01:00
Yaroslav Halchenko 527bb9a7c3 dos2unix for helpers-common.conf 
Original report: http://bugs.debian.org/888110
 2018-01-23 08:48:36 -05:00
sebres 1ca3df877b Merge branch '0.10' into 0.11 2018-01-18 14:32:00 +01:00
sebres f69e28adfc action.d/pf.conf: compatibility fix - recognizes that parameter `port` specified as empty, with or without braces (should be more backwards compatible to 0.9 now). 2018-01-18 14:05:22 +01:00
sebres 576eeb70dd Merge branch '0.10' into 0.11 2018-01-15 18:17:18 +01:00
sebres 2b7b0da943 Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2018-01-15 18:16:43 +01:00
Serg G. Brester 7e05976ead
action.d/hostsdeny.conf: actionunban rewritten using sed, also dots in IP were escaped now. 
Closes  #2000
 2018-01-11 12:38:34 +01:00
sebres 0e68c9a720 Merge branch '0.10' into 0.11 2018-01-10 12:22:31 +01:00
sebres c30144b37a Merge branch '0.9' into 0.10 
# Conflicts:
#	config/action.d/firewallcmd-ipset.conf
#	config/filter.d/asterisk.conf
# Merge-point after cherry-pick, no changes:
#	fail2ban/client/jailreader.py
#	fail2ban/helpers.py
 2018-01-10 12:05:26 +01:00
sebres 131b94e11e firewallcmd-ipset-allports: implemented in `action.d/firewallcmd-ipset.conf` now (`action.d/firewallcmd-ipset-allports.conf` removed), usage: 
banaction = firewallcmd-ipset[actiontype="<allports>"]
 2018-01-10 10:58:03 +01:00
Danila Vershinin c190631f88 New ban action firewallcmd-ipset-allports. Closes #1167 2018-01-10 10:58:01 +01:00
sebres 5028f17f64 Merge branch '0.10' into 0.11, rewrite updateDb because it can be executed after repair, and some tables can be missing. 
# Conflicts:
#	fail2ban/server/database.py
#	fail2ban/tests/fail2banclienttestcase.py
#	fail2ban/tests/sockettestcase.py
 2017-12-22 17:05:45 +01:00
root 79f414c6a2 fix <family> typo 2017-12-09 15:55:45 +01:00
root 7c63eb2378 In the CentOS7 and epel environment, result of "firewall-cmd -direct -get -chains ipv4 filter" is displayed one line 
Changed to be multiple lines with reference to firewallcmd-multiport.conf
 2017-12-09 15:55:45 +01:00
sebres 309a1cb337 restore timeout for ipset-based actions: on some systems ipset created without default timeout may cause "Kernel error received: Unknown error -1" (gh-1994); 
thus new option `default-timeout` introduced (because of dynamical bantime in 0.10, it cannot be used here).
 2017-12-06 02:38:10 +01:00
sebres 6ccaa03e00 action.d/firewallcmd-ipset.conf: extended with actionflush to bulk unban resp. flush ipset 2017-12-06 01:10:56 +01:00
sebres 7e5d8f37fd Merge branch '0.10' into 0.11 
# Conflicts:
#	config/action.d/firewallcmd-ipset.conf
#	fail2ban/server/jail.py
#	fail2ban/tests/servertestcase.py
 2017-12-06 00:14:23 +01:00
sebres e384acca5f action.d/firewallcmd-ipset.conf: fixed create of set for ipv6 (missing `family inet6`) 2017-12-05 23:34:03 +01:00
sebres 5cc0abbb02 Merge branch '0.10' into 0.11 
# Conflicts:
#	fail2ban/tests/fail2banclienttestcase.py
 2017-11-28 16:37:51 +01:00
sebres 76f2865883 implemented new action "action.d/nginx-block-map.conf", used in order to ban not IP-related tickets via nginx (session blacklisting in nginx-location with map-file); 2017-11-28 13:42:41 +01:00
sebres 12419b75f2 Merge branch '0.10' into 0.11 
# Conflicts:
#	fail2ban/tests/servertestcase.py
 2017-10-30 14:02:41 +01:00
sebres 76f5e3659e Merge branch '0.10' into 0.11 2017-10-18 19:03:08 +02:00
sebres a1b863fcf6 action.d/pf.conf: extended with bulk-unban, command `actionflush` in order to flush all bans at once (by stop jail, resp. shutdown of fail2ban) 2017-10-17 20:12:48 +02:00
sebres 8726c9fb0a pf.conf: enclose ports in braces, multiple ports expecting this syntax `... any port {http, https}`. 
Note this would be backwards-incompatible change (for the people already enclosing multiports in braces in jail.local).
closes gh-1915
 2017-10-17 13:46:29 +02:00
Łukasz Wąsikowski a4f94d2619 Update pf.conf 
Fix comment, because current one won't work:

cat /etc/pf.conf
anchor f2b {
  sshd
}

# service pf reload
Reloading pf rules.
/etc/pf.conf:2: syntax error

New version:

cat /etc/pf.conf
anchor f2b {
  anchor sshd
}

# service pf reload
Reloading pf rules.
 2017-10-17 12:39:25 +02:00
sebres 037a0be3ae Merge branch '0.10' into 0.11 2017-10-02 15:43:55 +02:00
Louis Sautier 152c9d27d5
Fix nftables actions for IPv6 addresses, fixes #1893 
* add [Init?family=inet6] to nftables-common.conf and make nftable
  expressions more modular
* change "ip protocol" to "meta l4proto" in nftables-allports.conf
  since the former only works for IPv4
 2017-09-11 23:32:53 +02:00
sebres b80692f602 Merge branch '0.10' into 0.11 2017-08-18 15:44:43 +02:00
sebres 1d5fbb95ae Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2017-08-18 15:44:22 +02:00
Serg G. Brester b0e5efb631 bsd-ipfw.conf: sh-compliant redirect of stderr together with stdout 2017-08-18 15:26:09 +02:00
sebres 3be32adefb Replace not posix-compliant grep option: fgrep with `-q` option can cause 141 exit code in some cases (see gh-1389). 2017-08-18 14:37:29 +02:00
Jacques Distler f84e58e769 Tweaks to action.d/pf.conf 
Document recent changes.
Add an option to customize the pf block rule (surely, what the user
really wants, here, is "block quick").
 2017-08-18 13:31:34 +02:00
Jacques Distler d646d06e91 Tweaks to action.d/pf.conf 
Document recent changes.
Add an option to customize the pf block rule (surely, what the user
really wants, here, is "block quick").
 2017-08-17 09:13:32 -05:00
sebres 33874d6e53 action.d/pf.conf: anchored call arguments combined as `<pfctl>` parameter; 
test cases fixed;
 2017-08-16 17:51:07 +02:00
Alexander Köppe f6ccede2f1 Update pf.conf fixing #1863 
Fix #1863
Introduce own PF anchors for fail2ban rules.
 2017-08-16 17:51:05 +02:00
sebres 3f83b22de2 action.d/pf.conf: anchored call arguments combined as `<pfctl>` parameter; 
test cases fixed;
 2017-08-16 11:58:39 +02:00
Alexander Köppe 55baf93635 Update pf.conf fixing #1863 
Fix #1863
Introduce own PF anchors for fail2ban rules.
 2017-08-16 11:33:45 +02:00
Serg G. Brester b5dd5adb08 Merge pull request #1460 from sebres/0.10-full 
0.11 ban-time-incr
 2017-08-10 15:23:18 +02:00
sebres 30219b54c4 Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2017-08-09 16:38:29 +02:00
Serg G. Brester c0eb7752a8 Merge pull request #1651 from szepeviktor/patch-9 
Introduce Cloudflare API v4
 2017-08-09 16:28:52 +02:00
Serg G. Brester 2ed8a38eca Update cloudflare.conf 
Switch to API v1 to API v4 per default
 2017-08-09 16:27:53 +02:00
Serg G. Brester 5b7375c614 Merge pull request #1638 from roedie/shorewall-ipv6 
Add shorewall IPv6 support
 2017-08-09 15:54:57 +02:00
Bigard Florian f4551d02c9 Fix empty logfile.log in xarf login attack action 
Fix empty 3rd MIME part which contains the attack evidence (logfile.log).
 2017-07-25 13:44:29 +02:00
Serg G. Brester 6c030c5e10 Merge pull request #1717 from szepeviktor/patch-11 
Updated xarf-specification repo URL in xarf action
 2017-07-12 09:54:15 +02:00
sebres 33fcf8d809 Merge branch 'master' into 0.10 2017-07-03 12:43:48 +02:00
Serg G. Brester f27e053592 Update bsd-ipfw.conf 
increased starting rule number (lowest_rule_num = 111)
 2017-07-01 17:10:53 +02:00
sebres d2c39d2e45 Merge branch '0.10' into 0.10-full 
# Conflicts:
#	fail2ban/server/database.py - resolved and test-case with persistent ban-time fixed/extended (bantime presents in database)
 2017-06-16 09:35:27 +02:00
Serg G. Brester 80cc47b75f Update helpers-common.conf 
fixed grep pattern: escape dot-char in search-IP and more restrictive boundaries (IPv6-capable)
 2017-05-30 09:14:43 +02:00
Viktor Szépe 5bb6be0163 IPv6 address may overlap 2017-05-30 02:05:38 +02:00
sebres c21b4e4d56 [ban-time-incr] prolong ban, dynamic bantime, etc.: 
- dynamic bantime: introduces new action-tag `<bantime>` corresponds to the current ban-time of the ticket;
  Note: because it is dynamic, it should be normally removed from `jail.conf` (resp. `jail.local`).
- introduced new action command `actionprolong`, used for prolongation of the timeout (ban-time of the ticket);
- removed default `timeout` from `actionstart` of several actions;
- faster and safer function escapeTag (replacement at once in one run, '\n' and '\r' escaped also);
 2017-05-17 13:25:06 +02:00
sebres 99344d28c8 Introduces new tags with hostname: 
- `<fq-hostname>` - fully-qualified name of host (the same as `$(hostname -f)`)
- `<sh-hostname>` - short hostname (the same as `$(uname -n)`)

Execution of `uname -n` replaced in all mail actions with most interesting fully-qualified `<fq-hostname>`.
 2017-04-24 21:17:55 +02:00
Peter van der Does bb79e7f413
Parameter not needed 
The parameter '-s' causes an error as the <mailcmd> already has the parameter.
 2017-04-11 11:13:58 -04:00
sebres 97e8b42d34 dummy action extended with more examples and test-covered now 2017-03-30 13:02:37 +02:00
sebres d03872fbbf bulk unban: add new command `actionflush` default for several iptables/iptables-ipset actions (and common include): 
iptables-common
  iptables
  iptables-allports
  iptables-multiport-log
  iptables-multiport
  iptables-new
  iptables-ipset-proto4
  iptables-ipset-proto6
  iptables-ipset-proto6-allports

executing `actionflush` command covered for this actions now
 2017-03-29 23:24:11 +02:00
sebres 8bf79fa483 implemented execution of `actionstart` on demand, if action depends on `family` (closes gh-1741); 
new action parameter "actionstart_on_demand" (bool) can be set to prevent/allow starting action on demand (default retrieved automatically, if some conditional parameter `param?family=...` presents in action properties);
 2017-03-29 17:44:15 +02:00
Viktor Szépe d79267c424 Updated xarf-specification repo URL in xarf action 2017-03-14 20:47:31 +01:00
Serg G. Brester d042981954 Merge pull request #1655 from ajcollett/0.10 
Added config for AbuseIPDB
 2017-03-09 15:15:26 +01:00
Serg G. Brester b1f5ac9484 Update abuseipdb.conf 2017-03-09 13:33:11 +01:00
sebres 6a2c95da95 `action.d/sendmail-geoip-lines.conf` fixed using new tag `<ip-host>` (dns-cache and without external command execution); 
changelog updated;
 2017-03-08 16:51:08 +01:00
sebres d2a3d093c6 rewritten CallingMap: performance optimized, immutable, self-referencing, template possibility (used in new ActionInfo objects); 
new ActionInfo handling: saves content between actions, without interim copying (save original on demand, recoverable via reset);
test cases extended
 2017-02-24 11:54:24 +01:00
Serg G. Brester 2fa18a74c4 Merge branch 'master' into master 2017-02-17 09:06:09 +01:00
sebres 4bf09bf297 provides new tag `<ip-rev>` for PTR reversed representation of IP address; 
[action.d/complain.conf] fixed using this new tag;
 2017-02-16 13:38:20 +01:00
Christoph Theis 861ce4177c #1689: Make lowest rule number in action.d/bsd-ipfw.conf configurable 2017-02-14 18:31:42 +01:00
Jan Grewe 58c68b75f0 Remove double-quotes from email addresses 2017-02-08 14:16:13 +01:00
Jan Grewe 1bcf0de7c1 Update complain.conf 2017-02-07 21:39:46 +01:00
Jan Grewe 901eeff53d Make Abusix lookup compatible with Dash 2017-02-06 22:04:36 +01:00
sebres e8a1556562 Merge remote-tracking branch 'master' into 0.10 
# Conflicts:
#	fail2ban/tests/samplestestcase.py
 2017-01-21 16:59:41 +01:00
Juliano Jeziorny 1fe554dd25 Introduced Citrix Netscaler action 2017-01-19 14:30:25 +01:00
sebres 74a6afadd5 Mail-actions switched to use new option "norestored" instead of checking of variable `restored` during shell execution (prevents executing of such actions at all). 2017-01-16 09:40:48 +01:00
sebres ee3c787cc6 Recognize restored (from database) tickets after restart (tell action restored state of the ticket); 
Prevent executing of several actions (e.g. mail, send-mail etc) on restart (bans were already notified).
Test cases extended (smtp and by restart in ServerReloadTest).
Closes gh-1141
Closes gh-921
 2017-01-13 19:06:17 +01:00
sebres c9f32f75e6 Merge branch '0.9-fix-regex-using-journal' into 0.10-fix-regex-using-journal (merge point against 0.9 after back-porting gh-1660 from 0.10) 2017-01-10 11:25:41 +01:00
Andrew James Collett 1c41390f7c Restructured the way the catagories work. 
Jail.conf is cleaner and abuseipdb.conf is more flexible.
 2017-01-08 09:26:11 +02:00
Andrew James Collett 55e107310f Added config for AbuseIPDB, ony tested on Ubuntu 16.04 2017-01-07 14:24:54 +02:00
Viktor Szépe 81c1810f10 Introduce Cloudflare API v4 
In the cloudflare action everyone is suggested to use API v4.
And I don't dare to contribute any actual change.
 2016-12-31 21:30:57 +01:00
roedie 3adc16d266 Shorewall IPv6 suggested changes. 
Change files as suggested by sebres.
 2016-12-12 20:53:58 +01:00
Yaroslav Halchenko 31a1560eaa minor typos (thanks Vincent Lefevre, Debian #847785) 2016-12-11 15:13:11 -05:00
roedie 6e18508a07 Add shorewall IPv6 support 
Small patch which allow fail2ban to use shorewall for IPv6 bans.
 2016-12-11 20:44:54 +01:00