f5f204ca7c
Improved changes of gh-1458:
...
`[^']*` after callid was wrong, changed to `[^\)]*`;
regexp anchored at the end;
almost the same regex grouped to one;
Closes #1458
2016-07-08 11:45:25 +02:00
72a157b8f2
Improve PJSIP log support for asterisk 13+ with different callID (Squash gh-1458)
...
Change the asterisk pjsip filter to don't take the callId part
Add optional part between "Request" and "from"
Listed all log message from asterisk
2016-07-08 11:45:22 +02:00
dcb69b0242
* add `__prefix_line` to regex
...
* fix time in log file
2016-07-08 05:29:51 +03:00
b2e3affaa0
adding openldap slapd filter
2016-07-08 04:50:57 +03:00
af8b650a37
badip timeout option introduced, set to 30 seconds in our test cases ( #1463 )
...
cherry-picked from 0.10 (little bit modified in test_badips.py, because no --fast option in test cases)
2016-06-13 12:56:53 +02:00
636a93f58b
Merge pull request #1438 from yarikoptic/bf-exim
...
exim filters -- make wider use of host_info helper str susbstitution + fix for #1430
2016-06-07 21:35:52 -04:00
f85fb45b29
Asterisk pjsip ( #1456 )
...
* Improve PJSIP log support for Asterisk 13+
* Update changelog: filter.d/asterisk.conf - fix security log support for PJSIP and Asterisk 13+
* Change pjsip regexp with sebres observation, thanks to @nturcksin
2016-06-07 11:40:35 +02:00
6434661480
RF: for consistency use (?:XXX)? instead of (?:|XXX)
2016-05-30 12:12:53 -04:00
48a8324662
ENH: use non-capturing regex groups in exim-common and exim filters
2016-05-30 11:02:12 -04:00
8ec4e1189e
use raw host (don't use textToIp) if usedns exactly `raw`, because `usedns = no` should ignore no ip failures
2016-05-30 15:34:21 +02:00
9bb869b8d4
ENH: courier-smtp -- allow for trailing username (no spaces) in the logline
...
Closes #1440
2016-05-21 22:17:09 -04:00
8b8cf2a660
ENH: exim filters -- make more use of %(host_info)s which in turn made more flexible
2016-05-21 10:29:09 -04:00
743a531eb5
BF: make :port and I=[ip]:port optional for a "AUTH command used when not advertised"
...
Closes #1430
2016-05-21 10:29:01 -04:00
52377984cd
back to mandatory space, ungrouping of sub parameters in `__prefix_line` + small code review;
2016-05-19 17:57:48 +02:00
25af11215b
test case for generic common moved to `./fail2ban/tests/config/filter.d/zzz-generic-example.conf` to prevent shipping it with fail2ban installations
2016-05-17 20:08:46 +02:00
cb4f9be8b2
the date brackets removed from filters using `__prefix_line`, because `__prefix_line` already contains the date ambit;
2016-05-17 11:55:02 +02:00
de813acf51
extends generic `__prefix_line` with optional brackets for the date ambit (gh-1421), added new parameter `__date_ambit` + test case added;
2016-05-17 11:54:43 +02:00
3e49522b7a
fixes unexpected extra regex-space in generic `__prefix_line` (gh-1405, misleadingly committed in d2a9537568);
...
all optional spaces normalized in generic include `common.conf` + test cases are extended (using new example pseudo-filter and test log `zzz-generic-example`);
2016-05-13 20:26:37 +02:00
bdc2d07946
fix suhosin_log in common paths - log files should be separated using "\n":
...
prevents to throw an error "File option must be 'head' or 'tail'", if jail suhosin will be enabled.
2016-05-11 18:49:04 +02:00
d889918f19
update doc url
...
direct to confluence page. no code changes.
2016-04-24 21:35:18 -07:00
aa303acfd6
Merge pull request #1381 from theDogOfPavlov/patch-3
...
Tightened up exim regexes to catch rDNS entries
2016-04-23 18:27:38 -04:00
7712310d2d
Be more backward compatible on matching postfix/smtps/smtpd
...
Support trailing smtps also and not only smtpd.
suggested by @sebres
2016-04-14 13:54:58 +02:00
1a299409e5
Fix postfix/smtps/smtpd matching.
2016-04-14 12:10:58 +02:00
1eb51b1bc2
Tightened up regexes to catch rDNS entries
2016-04-01 18:07:01 +01:00
db2dd070ad
Merge pull request #1356 from opoplawski/bug-1354
...
Fedora use mariadb by default, fix log path
2016-03-31 22:11:10 -04:00
b9b7ecbf6b
Merge pull request #1357 from sebres/monit-new-fltr
...
monit filter fixup for the new version (gh-1355)
2016-03-26 11:39:26 +01:00
3d239215cd
Two new firewalld actions with rich rules for firewalld-0.3.1+ (gh-1367)
...
closes #1367
2016-03-25 17:28:30 +01:00
ac27c9cb96
Merge branch 'patch-2' (gh-1371)
2016-03-25 17:05:23 +01:00
0effe76971
Merge pull request #1370 from theDogOfPavlov/patch-1
...
Added regex for LDAP authentication failures
2016-03-25 15:30:39 +01:00
e9202fa0b2
Placed failure (illumos) at end of regex
2016-03-24 00:43:15 -04:00
fe1475be95
Additional exim regexes to cover common attacks...
2016-03-21 05:59:59 +00:00
cf2aa9c1c0
Added regex for LDAP authentication failures
2016-03-21 05:53:23 +00:00
25c2334bc8
SmartOS PAM Authentication failed (not failURE)
...
SmartOS (and likely other Illumos platforms) enter log entries for failed sshd logins of the form:
`Authentication failed for USER from HOST`
The current sshd.conf regex matches `failure` -- add to this a match for `failed` to support Illumos
2016-03-16 13:52:01 -04:00
bd25a43417
define journalmatch setting for pure-ftps
2016-03-11 18:19:53 +01:00
f3f813a925
- mysqld does not log login attempts to the journal.
...
- Add /var/log/mysqld.log to mysql_log
2016-03-09 13:52:50 -07:00
37c9075fad
fixed monit filter: failregex find now both previous and new versions:
...
- failregex of previous monit version merged as single expression;
- extended failregex with new monit "access denied" version;
2016-03-09 20:06:14 +01:00
dfc65018da
Fedora use mariadb by default, fix log path
2016-03-09 11:36:06 -07:00
385b50e4a9
Merge pull request #1343 from denics/master
...
adding wp-admin to bot search
2016-03-07 10:23:37 -05:00
ed0e572bfc
added wp-admin
...
bot are very annoying and I am getting a lot of checks on wp-admin. This should calm them.
2016-03-02 16:52:03 +01:00
6ffbc1ffad
ENH: revert back to having detailed suffix anchored at the end for mysqld-auto.conf
...
As discussed in https://github.com/fail2ban/fail2ban/pull/1333#discussion_r54100127
2016-02-28 12:07:46 -05:00
3e31145c33
Merge pull request #1331 from whyscream/postfix-multi-instance-support
...
Add support for matching postfix multi-instance daemon names by default
2016-02-28 12:00:24 -05:00
667785b608
mysqld: failregex fixed (accepts different log level, more secure expression now);
...
closes #1332
2016-02-24 17:17:51 +01:00
6c606cf98f
Add support for matching postfix multi-instance daemon names by default
2016-02-23 20:23:04 +01:00
905c87ca4a
Merge pull request #1310 from yarikoptic/pr-1288
...
NF: HAProxy HTTP Auth filter
2016-02-11 08:35:48 -05:00
d8e81eb417
regexp rewritten (few vulnerable as previous) + test case added
2016-02-08 12:01:25 +01:00
257b7049d8
Update asterisk filter: changed regex for "Call from ...". Sometimes extension can have a plus symbol (+) because they can be phone number.
...
Closes #1309
2016-02-08 11:51:37 +01:00
b5a07741c8
Add new regex into postfix filter. The new regexp is able to detect bad formatted SMTP EHLO command
2016-02-08 11:11:59 +01:00
3f437b32db
Merge remote-tracking branch 'pr/1288/head'
...
* pr/1288/head:
Update haproxy-http-auth.conf
Added HAProxy HTTP Auth filter
Conflicts:
config/jail.conf - resolved + removed unnecessary filter/enabled (defaults should be as good)
2016-01-28 08:51:45 -05:00
377ea32441
Merge pull request #1295 from obounaim/master
...
The sender option is ignored by some actions
2016-01-28 08:48:22 -05:00
fe14c8fa05
Merge pull request #1292 from albel727/master
...
Add nftables actions
2016-01-24 23:55:50 +01:00
d7b46509d8
Update haproxy-http-auth.conf
...
Updated failregex to be more strict
2016-01-12 08:37:33 +10:00
40c0bed82c
action_mw, action_mwl, action_cf_mwl ignore the "sender" option when sending a notification email.
...
This commit adds "sender="%(sender)s"" to the three actions to correct this issue.
2016-01-10 00:05:03 +01:00
5d0d96a5cb
Merge pull request #1286 from yarikoptic/enh-jail
...
ENH: harmonize jail.conf + 1 more test that passed bantime is non-degenerate and int
2016-01-08 08:51:08 -05:00
985e8938a4
Refactor nftables actionstop into smaller parts
2016-01-06 17:39:54 +06:00
9779eeb986
Add nftables_type/family/table parameters
2016-01-06 17:33:14 +06:00
260c30535d
Escape curly braces in nftables actions
2016-01-06 17:13:30 +06:00
1983e15580
Add empty line between parameters in nftables-common.conf
2016-01-06 16:55:29 +06:00
f7f91a8bd4
Refactor common code out of nftables-multiport/allports.conf
2016-01-05 19:03:47 +06:00
69f5623f83
code simplifying (remove duplication): agent will be always supplied as parameter from jail.conf
2016-01-04 09:30:32 +01:00
618e97bce8
Add nftables actions
2016-01-04 01:36:28 +06:00
ac31121432
amend to fix fail2ban-version: correct user-agent for badips.py "Fail2Ban/ver", changeable within jail/config now;
2015-12-31 02:32:17 +01:00
e133762a28
Added HAProxy HTTP Auth filter
2015-12-31 11:16:23 +10:00
cf334421bd
Provides fail2ban version to jail (as interpolation variable during parse of jail.conf);
...
BF: use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc. (closes #1271 , closes #1272 )
2015-12-31 01:38:25 +01:00
28c9832293
RF: harmonize jail.conf (no explicit enabled=false in jails, match filter name for screesharingd, etc)
2015-12-29 19:43:52 -05:00
69aa1feac0
Merge "Mac OS Screen Sharing filter" PR 1232
...
* pr/1232/head:
removed system.log
Removed old svn revision comment
removed false matches
Removed includes comment for screensharing jail
Now using a literal logpath for screensharing jail
Fixed blatant typo in regex
clarified comments on sample log format
Fixed name (again?)
Made screensharing jail off by default
Changed regex prequel
added entry for new screensharingd filter
name change & new sample data
Added json metadata
Sample log for test case
Replaced .* with literal
Update jail.conf
Added new path variable for system.log
Added in settings for screensharingd filter
Created file
Conflicts:
ChangeLog - moved to New Features
config/jail.conf - kept at the end
2015-12-29 19:36:59 -05:00
26dd6d7425
Merge pull request #1258 from aleksandrs-ledovskis/feature/postfix-domain-not-found-failregex
...
Add 'Sender address rejected: Domain not found' Postfix failregex
2015-12-18 09:23:54 -05:00
8d12dba245
Merge remote-tracking branch 'upstream/master'
2015-12-17 18:01:17 +00:00
ead2d509dc
Updated 'murmur' filter to use new double-anchored regex based on @yarikoptic's suggestions.
2015-12-17 17:45:24 +00:00
5d6cead996
ENH: sshd filter -- match new "maximum auth attempts exceeded" ( Closes #1269 )
2015-12-13 23:21:04 -05:00
106c3eab9a
Added filter and jail for murmur/mumble-server.
2015-11-29 15:56:56 +00:00
fa59a6850f
Add 'Sender address rejected: Domain not found' Postfix failregex
...
Signed-off-by: Aleksandrs Ļedovskis <aleksandrs@ledovskis.lv>
2015-11-22 12:01:15 +02:00
c656cb0d36
Merge branch 'master' into journaldefault
...
Conflicts:
ChangeLog
2015-11-13 15:22:59 -07:00
ba76f4ca2f
Fix typo
2015-11-02 15:21:14 -07:00
69bb532db0
removed system.log
2015-11-02 09:26:45 -08:00
3e16f33dbe
Removed old svn revision comment
2015-11-02 09:08:47 -08:00
eef7771b4e
Merge pull request #1238 from sebres/fix/gh-1216
...
Fixed directly defined banaction for allports jails like pam-generic, recidive, etc
2015-10-31 13:17:04 +01:00
e825e977cc
Nginx log paths extended (prefixed with "*" wildcard)
...
closes gh-1237
2015-10-30 17:51:30 +01:00
f359ed8c36
Fixed directly defined banaction for allports jails like pam-generic, recidive, etc with new default variable `banaction_allports` (+ man entries for both variables added);
...
closes gh-1216
2015-10-30 15:36:18 +01:00
5839a3bd80
Removed includes comment for screensharing jail
2015-10-29 16:07:54 -07:00
53b39162a1
Shortly, much faster and stable version of regexp (possible because expression is start-anchored and does not contains closely to catch-all sub expressions)
2015-10-29 23:55:23 +01:00
6884593ab8
New filter `nginx-limit-req` ban hosts, that were failed through nginx by limit request processing rate (ngx_http_limit_req_module)
2015-10-29 23:15:20 +01:00
0661aece46
Merge branch 'master' into journaldefault
...
Conflicts:
ChangeLog
2015-10-29 15:22:37 -06:00
65bc5cf6ba
Now using a literal logpath for screensharing jail
2015-10-29 09:03:01 -07:00
cabd46f069
Fixed blatant typo in regex
...
However, still failing test, even though ```PYTHONPATH=. fail2ban-regex -v fail2ban/tests/files/logs/screensharingd /etc/fail2ban/filter.d/screensharingd.conf``` gives desired result
2015-10-28 20:58:25 -07:00
acee68a9ee
Made screensharing jail off by default
...
Also added note about requiring paths-osx.conf.
2015-10-28 15:11:11 -07:00
4b4d5a95b7
Changed regex prequel
...
Use standard prefix macro instead of literal daemon name.
2015-10-27 21:30:20 -07:00
4c3f778b82
Replaced .* with literal
...
Per Serg's suggestions. Possible I'm missing some auth attempt types, but I couldn't find anything where literal wasn't sufficient.
2015-10-27 10:33:30 -07:00
d17d837b8c
Update jail.conf
...
Added logencoding to screensharing jail to avoid encoding error messages in fail2ban log
2015-10-27 10:28:07 -07:00
de14946542
Added new path variable for system.log
...
Logging location for the majority of Mac OS daemons.
2015-10-26 18:02:07 -07:00
80546c6164
Added in settings for screensharingd filter
2015-10-26 17:50:49 -07:00
3ec725a2ba
Created file
...
From https://github.com/beezwax/filemaker-fail2ban/blob/master/fail2ban/filter.d/screensharingd.conf
2015-10-26 17:35:38 -07:00
2861a957a9
filter for openhab domotic software authentication failure with the rest api and web interface + test cases;
...
closes gh-1223
2015-10-26 15:48:23 +01:00
2c576c64f8
Change domain filter regex
...
Change domain filter regex since there are other Google crawlers.
See "Google crawlers"
<https://support.google.com/webmasters/answer/1061943?hl=en >
2015-10-20 10:46:00 +02:00
74fcb219ab
Enhanced Google domain detection in apache-fakegooglebot
...
Previously, an attacker could fake a domain like
crawl-1-1-1-1.googlebot.com.fake.net and get resolved. This change
avoids to resolve fake Google domains.
2015-10-20 10:45:53 +02:00
3a9cf2b3da
Add and use default_backend to set individual backend defaults to auto
2015-10-19 19:50:03 -06:00
ced7be94b2
Fix postfix_log typo
2015-10-19 19:43:10 -06:00
75d33c0f09
Add *_backend options for services to allow distros to set the default backend
...
per service.
Set default to systemd for Fedora as appropriate.
2015-10-18 20:18:50 -06:00
a28e6b442e
Add check in apache-fakegooglebot to protect against PTR fake record
...
An attacker may return a PTR record which fakes a Googlebot's domain
name. This modification resolves the PTR records to verify it.
See "Verifying Googlebot":
<https://support.google.com/webmasters/answer/80553?vid=1-635800030504666679-1963774919 >
2015-10-13 17:11:49 +02:00
617302fcc2
Updated route.conf to clear warnings
...
Does not throw warnings when starting/restarting by adding three lines of code.
2015-10-09 18:16:36 -07:00
2696ede251
mysqld-auth: Updated "Access denied ..." regex for MySQL 5.6 and later
...
closes gh-1211
2015-10-07 14:34:13 +02:00
36919d9f97
ssh.conf: Fix disconnect "Auth fail" matching
...
The regex for matching against "Auth fail" disconnect log message does
not match against current versions of ssh. OpenSSH 5.9 introduced
privilege separation of the pre-auth process, which included
[logging through monitor.c](http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.c.diff?r1=1.113&r2=1.114 )
which adds " [preauth]" to the end of each message and causes the log
level to be prepended to each message.
It also fails to match against clients which send a disconnect message
with a description that is either empty or includes a space, since this
is the content in the log message after the disconnect code, per
[packet.c:1785](http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/packet.c?annotate=1.215 ),
which was matched by \S+. Although I have not observed this yet, I
couldn't find anything which would preclude it in [RFC
4253](https://tools.ietf.org/html/rfc4253#section-11.1 ) and since the
message is attacker-controlled it provides a way to avoid getting
banned.
This commit fixes both issues.
Signed-off-by: Kevin Locke <kevin@kevinlocke.name>
2015-10-02 15:46:29 -07:00
0d8968daa9
Added CloudFlare API error codes URL
2015-09-30 16:07:45 +02:00
ff06176e9e
Merge remote-tracking branch 'origin/master' into enh-split-comma
...
* origin/master:
DOC: changelog for the timeout change
Set Timeout at urlopen to 3 seconds
README :: init/service example mentions debian based systems as the example
README :: fitted paragraph style
BF: disable testing on python 3.2 until coverage gets a fix
README :: Some style/grammar tweaks, and init/service script mention. Re: #1193
Set Timeout at urlopen to 3 seconds
2015-09-27 00:52:14 -04:00
2895d981fa
Set Timeout at urlopen to 3 seconds
2015-09-26 21:26:55 +02:00
8cf614e221
ENH: allow to split ignoreip by space and/or comma ( Closes #1197 )
...
Way too many people ran into this gotcha, so lets just do it
2015-09-23 12:13:52 -04:00
55e542b273
Merge remote-tracking branch 'pr/1170/head' -- opensuse paths
...
* pr/1170/head:
Updated ChangeLog regarding openSUSE's path config
Added configuration for opensuse path
2015-09-17 21:59:45 -04:00
835b3ff483
Update apache-badbots.conf
...
Useragent strings including `+http` need to be escaped to be valid.
2015-09-05 00:12:28 -04:00
f7af93a677
Added configuration for opensuse path
2015-08-26 15:25:59 +02:00
d278fbca30
Fixed line suspected to be faulty
2015-08-26 14:48:55 +02:00
c37009aec7
Merge branch 'grep-m1k' of github.com:szepeviktor/fail2ban
...
* 'grep-m1k' of github.com:szepeviktor/fail2ban:
Limit the number of log lines in *-lines.conf actions
Conflicts:
ChangeLog -- took both versions and adjusted the new one
for -n 1000 change
2015-07-27 22:37:46 -04:00
38c320798d
Merge pull request #1127 from yarikoptic/enh-iptables-w-close-1122
...
WIP ENH Add <lockingopt> (Close : #1122 ) and <iptables> to define the iptables call
2015-07-27 22:30:54 -04:00
0041bc3770
DOC: Changelog for shorewall-ipset-proto6.conf + adjusted its description
2015-07-26 23:10:08 -04:00
de2f9504c0
Merge pull request #978 from ediazrod/patch-2
...
shorewall-ipset-proto6.conf for shorewall
2015-07-26 23:00:58 -04:00
65cd218e10
Merge remote-tracking branch 'origin/master'
...
* origin/master:
ipjailmatches is on one line with its description in man jail.conf
Added a space between IP address and the following colon
2015-07-26 22:47:43 -04:00
c8b3ee10a0
Limit the number of log lines in *-lines.conf actions
2015-07-27 02:35:21 +02:00
a19cb1b2b9
Merge 923d807ef8 into cf2feea987
2015-07-25 01:23:39 +00:00
3c0d7f5a4c
BF: do not wrap iptables into itself. Thanks Lee
2015-07-24 11:59:53 -04:00
ebdfbae559
Added a space between IP address and the following colon
2015-07-24 09:33:47 +02:00
749d3c160c
BF: symbiosis-blacklist-allports now also requires iptables-common.conf
2015-07-23 21:53:37 -04:00
916937bb6a
RF: use <iptables> to take effect of it being a parameter
2015-07-23 21:38:10 -04:00
31dc4e2263
ENH: added lockingopt option for iptables actions, made iptables cmd itself a parameter
2015-07-23 21:34:20 -04:00
7a011fca1b
DOC: adjusted comment in pass2allow-ftp to my suggested wording
2015-07-16 21:55:20 -04:00
948b12e5df
Fixed definition of knocking_url for pass2allow
2015-07-14 18:35:51 +02:00
b638e807ad
Explicitly stating that knocking_url needs to be customized
2015-07-13 18:12:04 +02:00
586703dcc2
Test, changelog and fixes to pass2allow
2015-07-13 16:46:04 +02:00
5b7e1de2f4
Instead of allow-iptables-multiport actions swap blocktype and (new) returntype
2015-07-11 18:20:09 +02:00
5d60700c0c
Added pass2allow (knocking with fail2ban)
2015-07-10 16:22:43 +02:00
a3b8257b73
Add HEAD method verb to apache-badbots, nginx-badbots
2015-07-07 17:45:40 +02:00
8c4c17a880
Merge pull request #1004 from tsabi/fix-lc_time
...
Fix of LC_TIME usage, it should be LC_ALL
2015-07-05 21:36:37 -04:00
e38b4b8cb3
Merge pull request #1051 from leeclemens/bf/roundcube
...
Update regex to work with roundcube 1.0.5 and 1.1.1
2015-07-05 21:35:49 -04:00
3e902d7b3a
Define roundcube_errors_log in paths-common.conf
...
Remove from paths-debian
2015-07-04 14:46:31 -04:00
fdc3172aec
Fix PEP8 E302 expected 2 blank lines, found X
2015-07-04 13:47:40 -04:00
f7444f16b8
Add optional session id prefix for roundcube 1.1.1
2015-07-04 11:06:51 -04:00
2796534a5d
Update regex to work with roundcube 1.0.5 on CentOS 6
2015-07-04 11:02:04 -04:00
b65a8b065d
Other actions do not dive into this gory descriptions, but we do.
2015-07-03 19:17:50 +02:00
2063ce4b23
All the arguments must be listed in [Init]
2015-07-01 14:48:44 +02:00
79457112e9
Updated CF action
2015-07-01 09:38:36 +02:00
345820d2aa
Merge pull request #1056 from ipoddubny/asterisk_security_log
...
Fix support for Asterisk security log
2015-05-25 12:50:13 -04:00
f41872f034
Merge pull request #1013 from szepeviktor/patch-4
...
Non-US locale warning for proftpd
2015-05-25 10:51:51 -04:00
eb091d9b8c
Merge remote-tracking branch 'origin/master' into pr-1039
...
* origin/master:
minor: no tripple empty lines
add froxlor-auth filter and jail
add froxlor-auth filter and jail 0
add froxlor-auth filter and jail
BF: Fix fail2ban-regex not parsing journalmatch correctly
2015-05-25 10:50:34 -04:00
8c4d4aa7fb
minor: no tripple empty lines
2015-05-25 10:42:19 -04:00
4296d1a9a9
add froxlor-auth filter and jail
2015-05-25 13:51:06 +02:00
964cdb5d9b
add froxlor-auth filter and jail
2015-05-25 13:44:50 +02:00
7a4e6fa6e5
Asterisk security log: add support for websocket protocol events
...
Thanks to @kcormier.
2015-05-25 08:13:30 +03:00
988d9a08da
Asterisk security log: accept events containing Response/ExpectedResponse
...
Event containing Challenge may come without ReceivedChallenge, but with
Response and ExpectedResponse.
Also Challenge now accepts '/' character, since it is used at least by PJSIP.
2015-05-25 08:12:51 +03:00
189265a323
Asterisk security log: accept SessionID of PJSIP events
...
Unlike chan_sip and manager, PJSIP populates SessionID using
Call-Id header of a related SIP message.
As Call-Id of a SIP message can contain almost anything,
the regular expression for SessionID has been loosened.
2015-05-25 08:11:34 +03:00
ab2ac1a367
Asterisk security log: accept <unknown> in AccountID
2015-05-24 12:47:55 +03:00
977f9955e7
Asterisk security log: accept EventTV in ISO8601
...
Asterisk uses ISO8601 dates in security log since version 12.
Closes #988
2015-05-24 12:46:54 +03:00
56e5821c06
Match unknown user in dovecot's passwd-file auth database
2015-04-30 16:53:10 +08:00
7ae0ef2408
Fix actions in ufw.conf
...
On Ubuntu 15.04 the ufw action was not working.
- With empty <application>, receiving errors:
2015-04-24 16:28:35,204 fail2ban.filter [8527]: INFO [sshd] Found 43.255.190.157
2015-04-24 16:28:35,695 fail2ban.actions [8527]: NOTICE [sshd] Ban 43.255.190.157
2015-04-24 16:28:35,802 fail2ban.action [8527]: ERROR [ -n "" ] && app="app " -- stdout: b''
2015-04-24 16:28:35,803 fail2ban.action [8527]: ERROR [ -n "" ] && app="app " -- stderr: b''
2015-04-24 16:28:35,803 fail2ban.action [8527]: ERROR [ -n "" ] && app="app " -- returned 1
- With action = ufw[application=OpenSSH], it was silently not doing
anything (no errors after "Ban x.x.x.x", but no IP addresses in ufw
status).
Re-arranged the bash commands on two lines, and it works with or without
<application>.
2015-04-28 11:39:00 -07:00
sebres