github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity
1,944 Commits
34 Branches
229 Tags
21 MiB
Commit Graph

627 Commits (415f1876440272b2077019824af96a32f5d7664a)

Author SHA1 Message Date
Daniel Black d1faae3b3b BF: port not used in jail definition for freeswitch 2014-01-04 08:01:42 +11:00
Daniel Black a0c2de3e4d DOC: document incompatiblity between APF and iptables-* actions. Closes gh-510 2014-01-03 16:51:38 +11:00
Daniel Black 04d28fd2e1 ENH: add filter freeswitch - as raised on mailing list 2014-01-03 13:00:37 +11:00
Daniel Black 83f3aeb308 ENH: filter for horde 2014-01-02 23:12:36 +11:00
Daniel Black e8710b679d ENH: stronger regex for failregex 2013-12-31 08:22:52 +11:00
Daniel Black 856407379b ENH: add filter openwebmail. Closes gh-543. 2013-12-31 08:09:00 +11:00
Daniel Black ccb64e68b4 DOC: for exim-spam to say how to enable the log lines for the latest regex 2013-12-29 21:53:26 +00:00
Daniel Black b5f5ddf123 ENH: end anchor for exim-spam 2013-12-29 20:56:25 +00:00
Daniel Black d727ba639a ENH: exim-spam to include spamassassin log entry. Closes gh-533 2013-12-29 20:16:37 +00:00
Daniel Black c074773805 ENH: apache modsecurity from 0.9 branch 2013-12-29 07:06:13 +00:00
Daniel Black be382dae4d MRG: ufw changelog conflicts 2013-12-29 05:45:06 +00:00
Daniel Black 1f6ece2a40 Merge pull request #490 from grooverdan/firewallcmd-ipset 
ENH: add firewallcmd-ipset
 2013-12-28 21:43:49 -08:00
Daniel Black ddac79c15c TST: include blank ignorecommand in jail.conf to indicate default value and to raise test coverage 2013-12-25 11:01:31 +00:00
bes.internal ebd89ec077 New ignorecommand that is added to the ignoreip list from output of an external program 
ignorecommand update man and fix protocol help

ENH: run ignore command only after internal list has been examined. Change interface on ignorecommand to take IP as environment variable and return true if it is to be banned

ENH: ignore IP command to take tagged command

DOC: man pages for ingorecommand

TST: add test cases for ignorecommand
 2013-12-24 23:55:35 +03:00
Daniel Black 382d68f0fe DOC: perfork model for apache log format 2013-12-23 09:09:48 +00:00
Daniel Black 1b7df1181f BF: apache-2.4 log format fix. Closes gh-516 2013-12-23 08:28:40 +00:00
Yaroslav Halchenko 7af58b9984 Merge branch 'apache-noscripts' of https://github.com/grooverdan/fail2ban 
* 'apache-noscripts' of https://github.com/grooverdan/fail2ban:
  ENH: apache-noscript now matched php-cgi scripts. Closes gh-503

Conflicts:
	ChangeLog -- two new entries collided,  Reformatted the merged one a bit
 2013-12-22 22:28:57 -05:00
Daniel Black a9b7d33c51 ENH: apache-noscript now matched php-cgi scripts. Closes gh-503 2013-12-19 10:01:24 +00:00
Steven Hiscocks d22716ab63 ENH: Add nsd filter and amend DateEpoch to match date format 2013-12-18 22:31:54 +00:00
Daniel Black a398c51d6c ENH: simplify actioncheck on firewallcmd-new a little more 2013-12-15 22:36:47 +00:00
Daniel Black 9fe0a69852 ENH: add firewallcmd-ipset 2013-12-14 09:06:01 +00:00
Daniel Black 4ffc57e14f ENH: simplify firewallcmd-new actioncheck and provide output samples 2013-12-14 07:11:29 +00:00
Daniel Black ed816afbcd ENH: add badips action 2013-12-14 01:41:28 +00:00
Daniel Black 1ff52dfe4d DOC: document ufw a bit more. Change insertpos default to 1 to allow it to work if the user run ufw enable 2013-12-14 00:40:47 +00:00
Daniel Black f35345ecaa ENH: add ufw action based off Guilhem Lettron's work in lp-#701522. Closes gh-455 2013-12-14 00:34:12 +00:00
Daniel Black 13ccebe78f BF: fix actioncheck in firewallcmd 2013-12-13 23:40:51 +00:00
Daniel Black 9d532828fc BF: multiple _ separated values according to http://wiki.squid-cache.org/SquidFaq/SquidLogs#Squid_result_codes. Thanks Steven 2013-12-11 07:44:41 +11:00
Daniel Black 66374913ec ENH: add squid filter 2013-12-10 21:24:37 +11:00
Daniel Black db4c21acde BF/DOC: fix filename in documentation for filter.d/proftpd 2013-12-09 14:46:01 +11:00
Daniel Black e8eab11615 DOC: proftp - turn off ReverseDNS 2013-12-09 14:45:09 +11:00
Daniel Black f385439a41 MRG: ChangeLog merge 2013-12-09 09:28:42 +11:00
Daniel Black 36917d7517 BF: action.d/complain - match IP at beginning and end of lines 2013-12-09 09:21:55 +11:00
Daniel Black 135c759dbb Merge pull request #477 from kwirk/blocklist.de 
ENH: Added blocklist.de reporting API action
 2013-12-06 16:16:39 -08:00
Steven Hiscocks 630dd91dcd BF: Add [Init] section to blocklist.de action 2013-12-07 00:09:31 +00:00
Steven Hiscocks b3c173795e ENH: blocklist.de action error on HTTP response code 4xx 2013-12-06 08:22:21 +00:00
Daniel Black 51f2619878 Merge pull request #473 from grooverdan/whois-missing 
ENH: Whois missing in actions? Include output to say so
 2013-12-05 12:44:35 -08:00
Daniel Black e07ba41870 Merge pull request #463 from grooverdan/firewall-cmd-direct-new-length-too-long 
BF: firewall-cmd-direct-new was too long. Thanks Joel.
 2013-12-05 12:42:55 -08:00
Steven Hiscocks a19b33cc72 ENH: blocklist.de action added fail2ban version as user agent 2013-12-05 18:12:15 +00:00
Steven Hiscocks f742ed0e4b DOC: when to use blocklist.de reporting 
Taken from commit 1846056606
 2013-12-05 18:06:53 +00:00
Steven Hiscocks e810ec009d ENH: Added blocklist.de reporting API action 2013-12-05 08:22:20 +00:00
Daniel Black 4dc51e5def BF: put notice in email if whois program could not provide more information. Closes gh-471 2013-12-04 22:43:06 +11:00
Daniel Black 97d7f46bb7 DOC: correct grammar - s/Here are more information/Here is more information/ 2013-12-04 22:40:48 +11:00
Daniel Black 0495aa098e BF: grep matches on <ip> shouldn't include other IPs 2013-11-30 18:01:45 +11:00
Daniel Black 95845b7b65 BF: complain action could match too many IP addresses 2013-11-30 17:47:10 +11:00
Yaroslav Halchenko 3a5983ab0b Merge branch 'bf/syslog-format' of https://github.com/yarikoptic/fail2ban 
* 'bf/syslog-format' of https://github.com/yarikoptic/fail2ban:
  Changelog entries for the last changes
  ENH: added optional [PID] matching in recidive.conf
  ENH: reintroducing levelnameinto syslog msgs, time stamp and indentation in non-syslog msgs
  BF/ENH: include [PID] into logging msgs, remove indentation from syslog messages

Conflicts:
	ChangeLog
 2013-11-29 19:58:56 -05:00
Daniel Black 56b6bf7d25 ENH: reduce firewalld-cmd-new -> firewallcmd-new 2013-11-30 10:30:29 +11:00
Daniel Black 86a0a5962a BF: revert to fail2ban- prefix as f2b- was intended for 0.9 2013-11-30 08:05:20 +11:00
Yaroslav Halchenko 25e967f23b Merge branch 'mysqld-syslog-iptables-name-too-long' of https://github.com/grooverdan/fail2ban 
* 'mysqld-syslog-iptables-name-too-long' of https://github.com/grooverdan/fail2ban:
  BF: jail name mysqld-syslog-iptables too long. removed -iptables. Thanks Stefan (#447)

Conflicts:
	ChangeLog
 2013-11-29 10:02:31 -05:00
Daniel Black b9b2ddf996 BF: smtps not IANA standard. Closes #447 2013-11-29 21:47:53 +11:00
Daniel Black cade746307 BF: jail name mysqld-syslog-iptables too long. removed -iptables. Thanks Stefan (#447) 2013-11-29 21:45:11 +11:00
Daniel Black 9e53892708 BF: did remove instead of move 2013-11-29 19:26:24 +11:00
Daniel Black fb666b69ff BF: firewall-cmd-direct-new was too long. Thanks Joel. 2013-11-28 23:35:05 +11:00
Daniel Black f80fa7d7a0 Merge pull request #456 from grooverdan/apffix 
BF: add init section with name for action.d/apf. Closes #398
 2013-11-24 13:48:46 -08:00
Daniel Black 13223c33f5 MRG: recidive-protocol-all 2013-11-25 08:22:09 +11:00
Daniel Black dc154c792e BF: add init section with name for action.d/apf. Closes #398 2013-11-25 08:08:20 +11:00
Yaroslav Halchenko a26d4f42b7 ENH: added optional [PID] matching in recidive.conf 2013-11-24 10:21:02 -05:00
Daniel Black 9a82bc3c61 BF: kernel messages can have space. Thanks ag4ve(shawn). Closes #448 2013-11-24 18:21:02 +11:00
Yaroslav Halchenko 629e9ae445 Merge pull request #443 from grooverdan/apache-authfix 
BF: apache filters using error log weren't matched when referer existed ...
 2013-11-18 15:53:39 -08:00
Daniel Black 284f811c91 BF: apache filters using error log weren't matched when referer existed in HTTP header 2013-11-19 10:27:55 +11:00
Daniel Black 1ea68b2d0c DOC: filter.d/solid-pop3d - document lack of PAM support. Thanks to Jacques for the log messages 2013-11-18 09:44:26 +11:00
Daniel Black 0eea0a35db ENH: filter.d/solid-pop3d - added log messages and regexes 2013-11-18 08:58:23 +11:00
Daniel Black dab2ddb9da ENH: recidive jail to block all protocols. Closes #440 2013-11-18 07:57:16 +11:00
Daniel Black b3b9ea4559 ENH: jail for solid-pop3d 2013-11-18 07:42:45 +11:00
Daniel Black 88eff70774 ENH: filter.d/solid-pop3d added 2013-11-16 09:43:15 +11:00
Daniel Black 286d78e13c Merge pull request #430 from grooverdan/apache-overflows 
ENH: Apache overflows - httpd-2.4 message IDs + samples
 2013-11-12 12:46:52 -08:00
Daniel Black 50ca16e50e Merge pull request #431 from grooverdan/apache-noscript 
ENH: apache-2.4 message IDs for filter apache-noscript
 2013-11-12 12:46:09 -08:00
Daniel Black 947c6ff9cc Merge pull request #433 from grooverdan/asterisk 
BF/ENH: asterisk connection ID is a hex not decimal number. Add "Rejecting unknown SIP connection from " regex thanks to Jonathan Lanning
 2013-11-12 12:45:52 -08:00
Daniel Black 38503a5848 Merge pull request #434 from grooverdan/dos-resistant-dropbear 
ENH: DoS resistant dropbear filter
 2013-11-12 12:45:12 -08:00
Daniel Black 62b1f98dff Merge pull request #435 from grooverdan/dos-resistant-exim 
BF: exim filter to be DoS resistant
 2013-11-12 12:44:53 -08:00
Daniel Black be60518218 BF/ENH: DoS resistant roundcube-auth with test cases and more variation in IMAP error given 2013-11-12 18:57:01 +11:00
Daniel Black 52972164a2 BF: exim filter to be DoS resistant 2013-11-12 18:13:35 +11:00
Daniel Black c272573fe3 ENH: DoS resistant dropbear filter 2013-11-12 18:06:16 +11:00
Daniel Black eb9663eb4f BF/ENH: asterisk connection ID is a hex not decimal number. Add "Rejecting unknown SIP connection from <HOST>" regex thanks to Jonathan Lanning 2013-11-12 09:22:41 +11:00
Daniel Black 648d48c355 ENH: apache-2.4 message IDs for filter apache-noscript 2013-11-11 10:49:11 +11:00
Daniel Black a4718eb644 ENH: apache-overflow filter to have HTTP-2.4 message IDs and test samples 2013-11-11 10:38:02 +11:00
Daniel Black 87516eb92b ENH: apache-overflows - more detail on "request failed: URI too long (longer than %d)" with test case 2013-11-11 09:46:40 +11:00
Daniel Black c5021b55f6 Merge pull request #427 from yarikoptic/bf/nginx-regex-injection 
BF: anchor introduced nginx-http-auth at the end
 2013-11-08 17:23:03 -08:00
Yaroslav Halchenko ccd26578ec Merge pull request #425 from grooverdan/asterisk-simplify 
ENH: condense asterisk regexs for speed
 2013-11-08 14:42:35 -08:00
Yaroslav Halchenko ac061155f0 BF: anchor introduced nginx-http-auth at the end 
needed since request probably could be not a correct HTTP statement but continue with
all those to match till the end and then injected ", client: VICTIM, server..." thus allowing
injection.  We better anchor at the end then
 2013-11-08 14:40:52 -08:00
Yaroslav Halchenko ea8fce6308 Merge pull request #426 from yarikoptic/bf/openssh6.3-regex-injection 
openssh 6.3 regex injection vectors:  inject into ruser and/or exploiting pre-specified limits set for user provided data
 2013-11-08 14:35:18 -08:00
Yaroslav Halchenko bf245f9640 DOC: adding DEV Notes for for non-greedy matchin within sshd.conf 2013-11-08 14:34:31 -08:00
Daniel Black d6bbe03861 Merge pull request #424 from grooverdan/nginx-auth 
ENH: add filter.d/nginx-http-auth. Partially forfils #405
 2013-11-08 14:24:02 -08:00
Yaroslav Halchenko 750e0c1e3d BF: disallow exploiting of non-greedy .* in previous fix by providing too long rhost -- do not impose length limits for user-provided input 
since daemon might eventually change reported length and we would need to adjust anyways.  So limiting
in length does not provide additional security but allows for a possible injection vector
 2013-11-08 10:10:33 -08:00
Yaroslav Halchenko abb012ae5c BF: fixing injection for OpenSSH 6.3 -- making .* before <HOST> non-greedy 2013-11-08 10:00:37 -08:00
Daniel Black d7560d4041 ENH: condense asterisk regexs for speed 2013-11-08 10:24:50 +11:00
Daniel Black ab9d921162 BF: missed action in nginx-http-auth 2013-11-08 10:09:19 +11:00
Daniel Black a148d35d70 ENH: add filter.d/nginx-http-auth. Partially forfills #405 2013-11-08 10:06:40 +11:00
Yaroslav Halchenko 4522308354 ENH: regenerated config/filter.d/apache-badbots.conf 2013-11-07 14:26:18 -08:00
Daniel Black 0730db9b2b Merge pull request #416 from grooverdan/debian-bug-665925-wuftpd-pam 
BF:  wuftpd pam filter fix (Debian bug 665925)
 2013-11-05 18:39:01 -08:00
Daniel Black e55b24c533 BF: fix dovecot filter for newer failure message. Closes Debian bug #709324 2013-11-06 12:51:21 +11:00
Daniel Black 8b54523316 BF: fix to filter.d/wuftp to support pam authentication - Debian bug #665925 2013-11-06 12:13:37 +11:00
Daniel Black ac1f45d18c Merge pull request #412 from grooverdan/firewalld 
ENH: enhance firewall-cmd to use firewall-0.8.3's --remove-rules
 2013-11-05 16:46:18 -08:00
Daniel Black 87f68d7564 firewalld-0.3.8 release that support --remove-rules out so documenting this. 2013-11-06 11:37:56 +11:00
Daniel Black ee1edfbf0c BF: remove duplication definition secion in webmin-auth 2013-11-04 17:54:36 +11:00
Daniel Black b5c10488c1 Merge pull request #409 from grooverdan/filter-doco 
DOC: in filters, put user relevant doc at top, and developer info at bot...
 2013-10-30 15:11:46 -07:00
Daniel Black 5eddd5d12d DOC: document required firewalld version as > 0.3.7.1 2013-10-31 09:10:59 +11:00
Daniel Black 27d257d5a6 Merge pull request #408 from grooverdan/dropbear 
BF: filter.d/dropbear
 2013-10-30 14:43:07 -07:00
Daniel Black 8ac6081555 ENH: fix to use upstream --remove-rules 
https://fedorahosted.org/firewalld/ticket/10
 2013-10-31 01:23:00 +11:00
Daniel Black 93de46ac72 BF: maxretry=5 for ssh as per DEVELOP. align = in jail.conf 2013-10-31 00:52:47 +11:00
Daniel Black c3f9c9aa60 BF: filter.d/dropbear 
Add PAM failures which is in dropbear-2013.60 in srv-authpam.c

Patch
http://www.unchartedbackwaters.co.uk/files/dropbear/dropbear-0.52.patch
obviously has exit with lower case e so adjust regex for both.

svr-authpasswd.c in 2013.60 (at bottom) for second regex ends after the
IP so the regex was altered.

.*\s* can be compressed to .*
 2013-10-31 00:21:30 +11:00