Commit Graph

1477 Commits (3fcb0a868d1a53ca42cd78fd477ce9f8c75427cc)

Author SHA1 Message Date
sebres 7f89fbc33f Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2017-12-01 15:53:11 +01:00
Serg G. Brester 4f63180611
Avoid injection using quotes after `auth` command;
Added non-greedy fallback for quoted something (with lookahead simulated possessive greedy catch of non-quoted parts `[^"]*(?=")`).
Note that because host-info's are hereafter (with foreign input in-between), we would not use greedy or non-greedy catch-alls (`.*` or `.*?`) here (preventing performance losses).
2017-11-30 12:32:24 +01:00
Serg G. Brester f59df2e156
Avoid any injecting on protocol (e. g. tries using camel-case)
The phrase "AUTH command used when not advertised" is precise enough as anchor here, so prevent by any foreign-input (any auth protocol error).
2017-11-29 20:55:48 +01:00
Peter Nowee aa158ac05f
Exim failregex: Include lower/mixed case AUTH
When reporting the error `AUTH command used when not advertised`, Exim
starts with `SMTP protocol error in "........."`. Here, Exim logs the
SMTP command as it was provided by the connecting client.
https://github.com/Exim/exim/blob/exim-4_89+fixes/src/src/smtp_in.c#L2850

According to RFC 5321 (SMTP) "[..] a command verb [..] MAY be encoded
in upper case, lower case, or any mixture of upper and lower case with
no impact on its meaning."
https://tools.ietf.org/html/rfc5321#section-2.4

Lower case `auth login` brute-force attempts were seen in the wild and
were not caught by the current failregex.

This commit makes the failregex case-insensitive for the `AUTH`
command, so that lower case (`auth`) or mixed case (`aUtH`) now also
match. The failregex was already case-insensitive for the command
arguments (e.g. `AUTH login` already matched).
2017-11-29 15:14:43 +01:00
SlowRiot 660d57e6ba updating my email address 2017-11-29 10:43:15 +01:00
sebres 76f2865883 implemented new action "action.d/nginx-block-map.conf", used in order to ban not IP-related tickets via nginx (session blacklisting in nginx-location with map-file); 2017-11-28 13:42:41 +01:00
sebres f31195a4fc added new logtarget "SYSOUT" to log from fail2ban working in foreground as systemd-service (in opposite to "STDOUT" don't log time-stamps). 2017-11-26 23:03:29 +01:00
sebres 159957ab88 filter.d/sshd.conf: extended failregex for modes "extra"/"aggressive": now finds all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors;
obsolete (multi-line buffered) variant extended also.

Closes gh-1943, gh-1944
2017-11-23 22:21:42 +01:00
sebres 7e756da2b9 Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2017-11-06 18:56:31 +01:00
sebres eba68a8f37 config/paths-common.conf: Added initial values for `syslog_authpriv`, `syslog_mail` in order to avoid errors while parsing/interpolating configuration;
Note the systemd-backend does not need the logpath at all;
Some defaults normalized (minimized configs, don't need to overwrite values in distribution-related path if equal).
2017-11-03 14:15:07 +01:00
Serg G. Brester 9876dd44f9 replace port imap3 with imap everywhere, since imap3 is not a standard port and old rarely (if ever) used and missing on some systems
(see gh-1942)
2017-11-03 14:03:06 +01:00
Jeff Potter 4a2fc8b7e8 Include imap (port 143) in courier-auth ports
imap was missing from the list of ports, preventing fail2ban from blocking connections on standard IMAP port 143.
2017-11-03 14:01:19 +01:00
sebres b615a98540 jail.conf: avoid overwriting of default value of the parameter `chain` of several actions (where default chain != INPUT);
test-cases extended to cover the same logic (use `<known/chain>` instead of fix value `INPUT`);
Closes gh-1949
2017-10-30 13:32:52 +01:00
Serg G. Brester e07a8cda07 Update jail.conf
Documentation of parameters for action blocklist_de, closes gh-1940
2017-10-27 15:26:17 +02:00
Serg G. Brester 1a8fb6290d Merge pull request #1926 from sebres/0.10-pf-actionflush
action.d/pf.conf: wildcard anchoring example + bulk-unban with command `actionflush`
2017-10-19 16:35:46 +02:00
sebres 0e66e3cc57 Merge branch 'master' into 0.10
# Conflicts:
#	config/filter.d/asterisk.conf
2017-10-18 19:00:23 +02:00
Michael Newton d5d1fe679f Remove invalid regex
Resolves #1927
2017-10-17 14:44:23 -07:00
sebres a1b863fcf6 action.d/pf.conf: extended with bulk-unban, command `actionflush` in order to flush all bans at once (by stop jail, resp. shutdown of fail2ban) 2017-10-17 20:12:48 +02:00
sebres 8726c9fb0a pf.conf: enclose ports in braces, multiple ports expecting this syntax `... any port {http, https}`.
Note this would be backwards-incompatible change (for the people already enclosing multiports in braces in jail.local).
closes gh-1915
2017-10-17 13:46:29 +02:00
Łukasz Wąsikowski a4f94d2619 Update pf.conf
Fix comment, because current one won't work:

cat /etc/pf.conf
anchor f2b {
  sshd
}

# service pf reload
Reloading pf rules.
/etc/pf.conf:2: syntax error

New version:

cat /etc/pf.conf
anchor f2b {
  anchor sshd
}

# service pf reload
Reloading pf rules.
2017-10-17 12:39:25 +02:00
Harry Wood ea1b663f85 typo
spell "positive" (...but also somebody should finish this sentence)
2017-10-16 01:15:58 +01:00
sebres e71f16f6ba Merge branch 'master' into 0.10
# Conflicts resolved:
#	config/filter.d/dovecot.conf
2017-10-04 09:57:18 +02:00
sebres ea36e1b3fc filter.d/dovecot.conf: fixed failregex to recognize pam_authenticate failures with "Permission denied" (gh-1897) 2017-10-04 09:55:37 +02:00
sebres 8c804a2290 Merge branch 'master' into 0.10
# Conflicts resolved:
#	config/filter.d/postfix-rbl.conf
#	config/filter.d/postfix-sasl.conf
#	config/filter.d/postfix.conf
#	fail2ban/tests/files/logs/postfix-sasl
2017-10-02 15:41:30 +02:00
sebres a2120a9de5 filter.d/postfix-*.conf - added optional port regex (closes gh-1902) 2017-10-02 15:31:55 +02:00
Louis Sautier 152c9d27d5
Fix nftables actions for IPv6 addresses, fixes #1893
* add [Init?family=inet6] to nftables-common.conf and make nftable
  expressions more modular
* change "ip protocol" to "meta l4proto" in nftables-allports.conf
  since the former only works for IPv4
2017-09-11 23:32:53 +02:00
sebres b185e7cb04 Merge remote-tracking branch 'upstream/master' into 0.10 2017-09-08 11:11:05 +02:00
Serg G. Brester fd83260bd8 jail "pass2allow-ftp" should supply blocktype to action
closes gh-1884
2017-09-07 18:51:08 +02:00
Serg G. Brester bb97e66627 Merge pull request #1882 from coderua/patch-1
Add Jorgee Vulnerability Scanner protect
2017-09-07 15:52:31 +02:00
Serg G. Brester 2cd02b731b filter.d/exim.conf: fixed failregex for case of `D=0s`
Closes gh-1886
2017-09-07 15:28:46 +02:00
sebres 4bc226a692 optimized regex 2017-09-05 10:59:16 +02:00
Vladimir Chumak fafefc0293 Add Jorgee Vulnerability Scanner protect
Details for Jorgee Vulnerability Scanner: https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30164
2017-09-05 10:56:43 +02:00
sebres 4163f32968 small review, prefix replaced with `%(_apache_error_client)s` from apache-common.conf include 2017-09-04 11:48:01 +02:00
john ac95449bbb changed zoneminder regex as per Sebres and yarikoptic recommendations 2017-09-04 11:37:09 +02:00
john 7013729a1f removed redundant options for zoneminder from jail.conf 2017-09-04 11:37:05 +02:00
john 5c3a666380 fixed incomplete regex after adding anchors 2017-09-04 11:37:03 +02:00
john 3d45fd2713 implemented yarikoptic's suggestions in fail2ban pull request #1376 2017-09-04 11:37:00 +02:00
john 08878d22dd added zoneminder.conf filter 2017-09-04 11:36:50 +02:00
john a90f6c4ae8 added zoneminder jail and filter
# Conflicts:
#	config/jail.conf
2017-09-04 11:36:47 +02:00
sebres c312962029 filter.d/dovecot.conf: partially cherry-pick to 0.9 PR #1880 from sebres/0.10-fix-dovecot-regex (d926e11a5c)
fixed failregex (without new mode aggressive)
2017-09-01 10:57:41 +02:00
sebres 2cfc53c08e remove capturing groups 2017-09-01 10:25:09 +02:00
sebres 9b8563f35e - fixes regex for message `imap-login: Disconnected (auth failed, X attempts) ...` has to many variations on additional info after `<HOST>`,
leave it end-anchored because variable part `user=<[^>]*>` (before `<HOST>`) to avoid injecting, but can be safe rewritten using `[^>]*` in opposite to "greedy" `user=<[^>]*>`.
- introduces mode `aggressive` and extends regex for this mode to match:
  * no auth attempts (previously removed in gh-601, because of lots of false positives on misconfigured MTAs)
  * disconnected before auth was ready
  * client didn't finish SASL auth
2017-09-01 09:56:21 +02:00
Serg G. Brester a287d0a05c Merge pull request #1872 from kmzby/master
Added filter for phpMyAdmin+syslog
2017-08-25 12:22:58 +02:00
Pavel Mihadyuk 4c1abe1cbf phpmyadmin-syslog: removed excess file, fixed test, updated failregex 2017-08-23 16:56:18 +03:00
Pavel Mihadyuk d09304b897 phpmyadmin-syslog: added default jail config 2017-08-22 19:00:48 +03:00
Pavel Mihadyuk 5b4bc2aafd Added filter for phpMyAdmin+syslog (>=4.7.0). Closes #1713 2017-08-22 18:20:01 +03:00
sebres 1d5fbb95ae Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2017-08-18 15:44:22 +02:00
Serg G. Brester b0e5efb631 bsd-ipfw.conf: sh-compliant redirect of stderr together with stdout 2017-08-18 15:26:09 +02:00
sebres 3be32adefb Replace not posix-compliant grep option: fgrep with `-q` option can cause 141 exit code in some cases (see gh-1389). 2017-08-18 14:37:29 +02:00
Jacques Distler f84e58e769 Tweaks to action.d/pf.conf
Document recent changes.
Add an option to customize the pf block rule (surely, what the user
really wants, here, is "block quick").
2017-08-18 13:31:34 +02:00
sebres 33874d6e53 action.d/pf.conf: anchored call arguments combined as `<pfctl>` parameter;
test cases fixed;
2017-08-16 17:51:07 +02:00
Alexander Köppe f6ccede2f1 Update pf.conf fixing #1863
Fix #1863
Introduce own PF anchors for fail2ban rules.
2017-08-16 17:51:05 +02:00
sebres 30219b54c4 Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2017-08-09 16:38:29 +02:00
Serg G. Brester c0eb7752a8 Merge pull request #1651 from szepeviktor/patch-9
Introduce Cloudflare API v4
2017-08-09 16:28:52 +02:00
Serg G. Brester 2ed8a38eca Update cloudflare.conf
Switch to API v1 to API v4 per default
2017-08-09 16:27:53 +02:00
Serg G. Brester da7072d40e Merge pull request #1846 from Chocobozzz/patch-3
Fix empty logfile.log in xarf login attack action
2017-08-09 16:21:47 +02:00
sebres 94b163936a Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
Removed init section (not needed in filter for 0.10).

# Conflicts:
#	config/filter.d/sendmail-reject.conf
2017-08-09 16:16:31 +02:00
Serg G. Brester af25a9d203 Merge pull request #1566 from opoplawski/journalmatch
Add sendmail journalmatch options
2017-08-09 16:14:10 +02:00
Orion Poplawski 84f552881c Add sendmail journalmatch options 2017-08-09 16:03:34 +02:00
Serg G. Brester 5b7375c614 Merge pull request #1638 from roedie/shorewall-ipv6
Add shorewall IPv6 support
2017-08-09 15:54:57 +02:00
sebres e52f483557 Config reader's: introduced new syntax `%(section/option)s`, in opposite to extended interpolation of python 3 `${section:option}` work with all supported python version in fail2ban and this syntax is like our another features like `%(known/option)s`, etc.;
Variable `default_backend` switched to `%(default/backend)s`, so totally backwards compatible now, but now the setting of parameter `backend` in default section of `jail.local` can overwrite default backend also.
Test cases extended: test targeted section options "section/option" (default and cross sections options);
2017-08-08 20:21:44 +02:00
sebres 5ce8d4f741 fixes default backend handling (as default used value of `known/backend`, which can now be overridden in default section of jail.local);
introduces fallback for `known/option`: interpolate missing `known/option` as `option` from default section
2017-08-08 18:41:15 +02:00
sebres 2fe1479484 Merge branch '_0.9/gh-1849' into 0.10 2017-08-07 18:07:36 +02:00
sebres 5c538fb658 Recognize "unknown user" for additional auth-methods (pam, passwd-file, ldap, sql, etc); simplifying regular expressions (put "unknown user" and "invalid credentials" together as one regex). 2017-08-07 18:04:09 +02:00
sebres 0ef5b7c4d4 small amend to gh-1850: removed greedy catch-all at end. 2017-08-07 15:24:16 +02:00
Marcel Waldvogel daf57547c6 Parse ejabberd 17.06 output
E.g.:
2017-07-29 08:24:04.773 [info] <0.6668.0>@ejabberd_c2s:handle_auth_failure:433 (http_bind|ejabberd_bosh) Failed c2s PLAIN authentication for test@example.ch from ::FFFF:192.0.2.3: Invalid username or password
2017-07-29 19:58:06 +02:00
Bigard Florian f4551d02c9 Fix empty logfile.log in xarf login attack action
Fix empty 3rd MIME part which contains the attack evidence (logfile.log).
2017-07-25 13:44:29 +02:00
sebres 1a562bed0f Merge remote-tracking branch 'master' into 0.10
# Conflicts:
#	config/filter.d/asterisk.conf
2017-07-19 08:57:23 +02:00
sebres a5b62a7f36 failregex extended and simplified (partially ported from gh-1409). 2017-07-18 16:34:22 +02:00
sebres 098abae4e6 Remove greedy catch-all before `<HOST>`, make regex more universal, fewer prone to errors (should avoid future changes, if some optional parameters coming again before/after `RemoteAddress`) + non-captured groups now.
Test for possible injection (5.6.7.8 in session-id) already available, line 59 (thus already covered).
2017-07-18 16:09:53 +02:00
Kirill 4c0c7b97c0 Update asterisk.conf to new log message
I got an issue like this:
[2016-05-15 22:53:00] SECURITY[26428] res_security_log.c: SecurityEvent="FailedACL",EventTV="2016-05-15T22:53:00.203+0300",Severity="Error",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7fb580001518",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/78.129.227.4/62389",SessionTV="1970-01-01T03:00:00.000+0300"

# [sebres] rebased to current master and resolving conflicts.
2017-07-18 15:40:32 +02:00
Serg G. Brester 34cb55fd91 Merge pull request #1695 from benrubson/issue1693
Apache, detect syslog prefix
2017-07-14 02:05:23 +02:00
sebres 0e33125129 be more precise using common `__prefix_line` expression (set `_daemon` to recognize apache and httpd only) 2017-07-12 11:59:02 +02:00
sebres b561af45ef apache-common.conf: introduced parameter `logging` for possibility to match lines, if apache logs into syslog/systemd journal;
added test cases to cover `apache-auth[logging=syslog]`.
2017-07-12 11:45:44 +02:00
benrubson b662cf03ac Apache, detect syslog prefix, simple example 2017-07-12 11:36:34 +02:00
Serg G. Brester 6c030c5e10 Merge pull request #1717 from szepeviktor/patch-11
Updated xarf-specification repo URL in xarf action
2017-07-12 09:54:15 +02:00
sebres 7217ef5c9e filter.d/ejabberd-auth.conf: fixed ejabberd filter - accept new log-format with `wait_for_sasl_response` instead of `wait_for_feature_request` + optional part "IP " (gh-993) 2017-07-11 15:25:51 +02:00
sebres dae4988aea filter.d/roundcube-auth.conf: fixes failregex not working with `X-Real-IP` or/and `X-Forwarded-For` (gh-1303) 2017-07-11 14:59:24 +02:00
sebres e26cc5de45 restore backwards compatibility (jail postfix-sasl); changelog update 2017-07-11 11:57:48 +02:00
sebres aa92b68d4a filter.d/postfix.conf: normalized several postfix-filters using parameter `mode` (as discussed in gh-1813);
introduced parameter `mode`: more (default, combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
replacement for gh-1239, gh-1697, gh-1764; closes gh-1245, gh-1297.
2017-07-10 20:49:28 +02:00
sebres d32a3913cf postfix postscreen (resp. other RBL's compatibility fix) / gh-1764 2017-07-10 15:38:24 +02:00
Serg G. Brester 57ea38c342 Update paths-debian.conf
Fixed mail.log path since in the default rsyslog configuration of debians the `mail.warn` is commented now (see `/etc/rsyslog.d/50-default.conf`: `#mail.warn -/var/log/mail.warn`).
Closes gh-1687
2017-07-05 19:57:30 +02:00
sebres 546cd55342 Merge branch 'master' into 0.10 2017-07-03 13:02:25 +02:00
sebres a1d0633e69 filter.d/asterisk.conf - fixed failregex AMI Asterisk authentification failed (see gh-1302):
- optional space between NOTICE and pid;
- optional part "Host " before IP-address;
2017-07-03 12:57:28 +02:00
sebres 33fcf8d809 Merge branch 'master' into 0.10 2017-07-03 12:43:48 +02:00
Serg G. Brester 1307e0a5b9 Merge pull request #1760 from szepeviktor/patch-12
Courier may complain about the method only
2017-07-03 12:00:36 +02:00
Serg G. Brester f27e053592 Update bsd-ipfw.conf
increased starting rule number (lowest_rule_num = 111)
2017-07-01 17:10:53 +02:00
Serg G. Brester 001c0898d6 Merge branch 'master' into master 2017-06-30 18:07:38 +02:00
Serg G. Brester 6110ba9cc3 filter.d/proftpd.conf: added option `journalmatch` for systemd backend (closes gh-1613) 2017-06-30 18:00:01 +02:00
sebres 37ca4f17c2 filter.d/roundcube-auth.conf: added missing entry `journalmatch` from original gh-1783. 2017-06-26 11:24:10 +02:00
Serg G. Brester 986dd3107d Merge branch '0.10' into patch-12 2017-06-19 18:37:28 +02:00
sebres d3ae70beb6 filter.d/roundcube-auth.conf: Use the same filter-file and jail also when logging errors to journal instead to a local file.
Additionally fixes more complex injections on username.
2017-06-19 18:12:13 +02:00
Johannes Weberhofer 691c080dc7 Added roundcube authentication filter, new jail and log-examples 2017-06-19 16:52:42 +02:00
Serg G. Brester 3294840c2a Merge pull request #1801 from jeaye/postfix-updates
filter.d/postfix.conf: update to the latest postfix logging format
2017-06-19 16:44:37 +02:00
Serg G. Brester efeca8fdeb postfix.conf: removes unneeded end-anchoring like `.*$`, etc.
also removes several dynamic content at end, which are of no avail there.
Additionally normalizes optional part (mail-ID) after reason number.
2017-06-19 16:25:46 +02:00
sebres dcdf677438 Merge remote-tracking branch 'master' into 0.10 2017-06-15 11:49:51 +02:00
sebres 2b358bc1a4 filter.d/apache-overflows.conf: rewritten without end-anchor ($), because apache-log could contain very long URLs (and/or referrer), the parsing of it anchored way may be very vulnerable (at least as regards the system resources, see gh-1790). 2017-06-15 11:16:19 +02:00
jeaye 6f3d425c4d
Update postfix filters and tests 2017-06-12 18:56:19 -07:00
sebres bbea73d79d Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2017-06-12 13:11:45 +02:00
Serg G. Brester d56554ecf3 Merge pull request #1688 from felixonmars/arch-config
Add a path configuration for Arch Linux
2017-06-06 10:55:13 +02:00
Peter Nowee b93e47b12f
dovecot: Match also when user field is empty
Commit 5678d08 of 2016-11-26 changed:

    ( user=<\S*>,)?

to:

    ( user=<[^>]+>,)?

The change from `*` (zero or more times) to `+` (one or more times) may
not have been intended. It will miss lines containing, for example:

    Aborted login (tried to use disallowed plaintext auth): user=<>

This commit reverts the `+` back to `*`.
2017-05-31 15:54:30 +02:00
Marcel Bischoff 228d25c548 Update Kerio Connect filter (#1455)
* Update Kerio Connect filter

Fixed regex for some log entries that did not get recognized and some additional error formats are added.

* Add missing colon, GitHub address

* Add filter tests

* Add missing test
2017-05-30 20:27:44 +02:00
Serg G. Brester 80cc47b75f Update helpers-common.conf
fixed grep pattern: escape dot-char in search-IP and more restrictive boundaries (IPv6-capable)
2017-05-30 09:14:43 +02:00
Viktor Szépe 5bb6be0163 IPv6 address may overlap 2017-05-30 02:05:38 +02:00
Filippo Tessarotto ff1c6718da Postfix RBL: 554 & SMTP
Cherry-pick of 607568f5da (see gh-1686)
2017-05-15 14:42:37 +02:00
sebres b13d9d4e22 Merge branch 'master' into 0.10 2017-05-07 21:29:12 +02:00
sebres 0600d51511 filter.d/exim.conf: added new reason for "rejected RCPT" regex: Unrouteable address 2017-05-07 14:02:38 +02:00
sebres 49e237209e Merge branch 'master' into 0.10 2017-05-07 13:32:12 +02:00
sebres c546f85207 filter.d/exim.conf: cherry-picked from 0.10, match complex time like `D=2m42s` (closes gh-1766) 2017-05-07 13:02:32 +02:00
Viktor Szépe ac256a822b Make courier-auth regexp a non-captured group 2017-04-28 16:58:24 +02:00
Viktor Szépe 4bb8a58dcf Courier may complain about the method only
> Mar 30 22:29:18 szerver imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:1.2.3.4]
2017-04-28 15:49:59 +02:00
Seth Reeser c3426ba5f6 Update botsearch-common.conf (#1759)
* Update botsearch-common.conf, apache-modsecurity.conf: typo and missing new-line
2017-04-26 20:14:39 +02:00
sebres 8839bcbb09 Merge remote-tracking branch master into 0.10 2017-04-25 10:07:19 +02:00
sebres 99344d28c8 Introduces new tags with hostname:
- `<fq-hostname>` - fully-qualified name of host (the same as `$(hostname -f)`)
- `<sh-hostname>` - short hostname (the same as `$(uname -n)`)

Execution of `uname -n` replaced in all mail actions with most interesting fully-qualified `<fq-hostname>`.
2017-04-24 21:17:55 +02:00
sebres 3161bcf78b filter.d/exim.conf: optional part `(...)` after host-name before `[IP]`, normalized over whole config file.
# Conflicts:
#	config/filter.d/exim.conf
2017-04-24 19:21:26 +02:00
sebres 507034c5be filter.d/apache-auth.conf: joined some similar expressions 2017-04-24 15:32:44 +02:00
Serg G. Brester 6dfd080e20 Update apache-auth.conf
remove forgotten referer, that may prevent failure recognition (belongs to gh-1645)
2017-04-21 11:17:13 +02:00
Serg G. Brester 311f8fea83 Merge branch '0.10' into issue1644 2017-04-21 10:32:29 +02:00
Peter van der Does bb79e7f413
Parameter not needed
The parameter '-s' causes an error as the <mailcmd> already has the parameter.
2017-04-11 11:13:58 -04:00
Serg G. Brester 4f0f22702a Update haproxy-http-auth.conf
little bit more precise expression
2017-04-11 09:11:08 +02:00
Georges Racinet 4fc6323ff0 haproxy-http-auth: avoid port number in IPv6 addresses
The solution taken is to consume the port number explicitely in
the regexp.
2017-04-07 13:59:22 +02:00
sebres 97e8b42d34 dummy action extended with more examples and test-covered now 2017-03-30 13:02:37 +02:00
sebres d03872fbbf bulk unban: add new command `actionflush` default for several iptables/iptables-ipset actions (and common include):
iptables-common
  iptables
  iptables-allports
  iptables-multiport-log
  iptables-multiport
  iptables-new
  iptables-ipset-proto4
  iptables-ipset-proto6
  iptables-ipset-proto6-allports

executing `actionflush` command covered for this actions now
2017-03-29 23:24:11 +02:00
sebres 8bf79fa483 implemented execution of `actionstart` on demand, if action depends on `family` (closes gh-1741);
new action parameter "actionstart_on_demand" (bool) can be set to prevent/allow starting action on demand (default retrieved automatically, if some conditional parameter `param?family=...` presents in action properties);
2017-03-29 17:44:15 +02:00
Seth Reeser c82495353f Update mysqld-auth.conf (#1725) 2017-03-24 19:03:20 +01:00
Serg G. Brester 52c1950371 Update mysqld-auth.conf
small typo, closes gh-1725 (Thx @seth-reeser)
2017-03-24 19:03:17 +01:00
sebres 5e93bf9bd3 Introduced new option "ignoreself", specifies whether the local resp. own IP addresses should be ignored (default is true).
Fail2ban will not ban a host which matches such addresses.

Option "ignoreip" affects additionally to "ignoreself" and don't need to include the DNS resp. IPs of the host self.
2017-03-23 15:52:31 +01:00
sebres f13fac5ae9 amend to 5561423be3b2d4636f5484183c3ad470fd326d06: fixed incorrect failure counting despite the `<F-NOFAIL>` marked regex;
extra: introduced new tag `<F-MLFFORGET>` as mark to forget current multi-line MLFID (e. g. connection closed);
Closes gh-1727
2017-03-21 00:15:57 +01:00
sebres 5561423be3 filter.d/sshd.conf: fixed failregex format - some parts are optional, new ddos more precise rule (Connection reset by with host entry);
closes gh-1719
2017-03-15 18:01:20 +01:00
Viktor Szépe d79267c424 Updated xarf-specification repo URL in xarf action 2017-03-14 20:47:31 +01:00
sebres 0c1707afda filter.d/sshd.conf:
- optional parameter `mode` rewritten: normal (default), ddos, extra or aggressive (combines all), see sshd for regex details);

test cases reformatted (since "filterOptions", we don't need multiple test log-files anymore);
2017-03-10 22:09:11 +01:00
sebres 7e442c5b27 filter.d/sendmail-reject.conf:
- rewritten using `prefregex` and used MLFID-related multi-line parsing (by using tag `<F-MLFID>` instead of buffering with `maxlines`);
- optional parameter `mode` introduced: normal (default), extra or aggressive (see sendmail-reject for regex details);

test cases extended
2017-03-10 21:44:19 +01:00
sebres 52ed6597b2 Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2017-03-09 16:27:14 +01:00
sebres 8768776d68 filter.d/cyrus-imap.conf: fixed `failregex` - accept entries without login-info resp. hostname before IP address 2017-03-09 16:13:45 +01:00
Serg G. Brester d042981954 Merge pull request #1655 from ajcollett/0.10
Added config for AbuseIPDB
2017-03-09 15:15:26 +01:00
Serg G. Brester b1f5ac9484 Update abuseipdb.conf 2017-03-09 13:33:11 +01:00
Serg G. Brester 62fa02241f Update jail.conf 2017-03-09 13:31:40 +01:00
sebres 6a2c95da95 `action.d/sendmail-geoip-lines.conf` fixed using new tag `<ip-host>` (dns-cache and without external command execution);
changelog updated;
2017-03-08 16:51:08 +01:00
sebres d2a3d093c6 rewritten CallingMap: performance optimized, immutable, self-referencing, template possibility (used in new ActionInfo objects);
new ActionInfo handling: saves content between actions, without interim copying (save original on demand, recoverable via reset);
test cases extended
2017-02-24 11:54:24 +01:00
sebres 35efca5941 Better multi-line handling introduced: single-line parsing with caching of needed failure information to process in further lines.
Many times faster and fewer CPU-hungry because of parsing with `maxlines=1`, so without line buffering (scrolling of the buffer-window).
Combination of tags `<F-MLFID>` and `<F-NOFAIL>` can be used now to process multi-line logs using single-line expressions:
- tag `<F-MLFID>`: used to identify resp. store failure info for groups of log-lines with the same identifier (e. g. combined failure-info for the same conn-id by `<F-MLFID>(?:conn-id)</F-MLFID>`, see sshd.conf for example)
- tag `<F-NOFAIL>`: used as mark for no-failure (helper to accumulate common failure-info);
filter.d/sshd.conf: [sshd], [sshd-ddos], [sshd-aggressive] optimized with pre-filtering using new option `prefregex` and new multi-line handling.
2017-02-22 22:19:43 +01:00
sebres 22afdbd536 Several filters optimized with pre-filtering using new option `prefregex` 2017-02-21 15:54:59 +01:00
sebres 4ff8d051f4 Introduced new filter option `prefregex` for pre-filtering using single regular expression;
Some filters extended with user name;
[filter.d/pam-generic.conf]: grave fix injection on user name to host fixed;
test-cases in testSampleRegexsFactory can now check the captured groups (using additionally fields in failJSON structure)
2017-02-20 16:54:17 +01:00
Serg G. Brester 2fa18a74c4 Merge branch 'master' into master 2017-02-17 09:06:09 +01:00
sebres 4bf09bf297 provides new tag `<ip-rev>` for PTR reversed representation of IP address;
[action.d/complain.conf] fixed using this new tag;
2017-02-16 13:38:20 +01:00
Serg G. Brester 7f63809afb Merge branch '0.10' into patch-1 2017-02-15 20:33:36 +01:00
Christoph Theis 861ce4177c #1689: Make lowest rule number in action.d/bsd-ipfw.conf configurable 2017-02-14 18:31:42 +01:00
Felix Yan 68d829c1dd
Add a path configuration for Arch Linux 2017-02-14 18:43:01 +08:00
Jan Grewe 58c68b75f0 Remove double-quotes from email addresses 2017-02-08 14:16:13 +01:00
Jan Grewe 1bcf0de7c1 Update complain.conf 2017-02-07 21:39:46 +01:00
Filippo Tessarotto 607568f5da Postfix RBL: 554 & SMTP 2017-02-07 15:26:06 +01:00