Commit Graph

5521 Commits (467024797f07f2c488d12cafd8fd84f079a310a9)

Author SHA1 Message Date
Sergey G. Brester e74baae666
Merge pull request #3135 from sylvestre/patch-2
Add the Debian path to roundcube error logs
2021-10-25 12:11:42 +02:00
Sylvestre Ledru 3245b8018b
Add the Debian path to roundcube error logs 2021-10-23 17:38:20 +02:00
Sergey G. Brester 98c7dd04a4
Merge pull request #3037 from floppym/bug794931
tests: improve detection of readable systemd journal
2021-10-22 15:34:47 +02:00
Mike Gilbert d91d949e95 tests: improve detection of readable systemd journal
Look for system.journal in journal sub-directory.
Add -readable to the find command.

Bug: https://bugs.gentoo.org/794931
2021-10-19 11:08:04 -04:00
Sergey G. Brester 8e3a26bdeb
Merge pull request #3117 from fail2ban/gh-3116
filter.d/lighttpd-auth.conf: adjust to the current source code, avoid catch-all's, etc
2021-10-01 15:09:09 +02:00
Sergey G. Brester ba839af8ad
filter.d/lighttpd-auth.conf: adjusted to the current source code + avoiding catch-all's, etc (gh-3116) 2021-10-01 15:03:24 +02:00
Sergey G. Brester f8f59dd31a
added test cases covering different messages adjusted to new log-format (gh-3116) 2021-10-01 14:58:25 +02:00
Sergey G. Brester 5ee482bc9a
Merge pull request #3053 from db48x/fix-grammar-of-timestamp-warnings
Improve grammar and readability of timestamp warnings
2021-09-21 16:16:52 +02:00
Sergey G. Brester d086317cc8
Update filter.py 2021-09-21 16:05:53 +02:00
Sergey G. Brester 17eed32e03
Update filtertestcase.py 2021-09-21 16:00:37 +02:00
sebres 621d8cae17 restore backwards compatibility for date None 2021-09-20 02:20:22 +02:00
sebres ec043cd202 simplifying logic and shortening messages (delta in minutes; removed clock synchronization, because it is rarely an issue on fail2ban side, e. g. for remote logs only, etc) 2021-09-19 21:58:42 +02:00
Daniel Brooks d7afcde2e1 add a warning message for dates in the future
and a test that checks which message was output for which time deltas.
2021-09-19 19:39:52 +02:00
Daniel Brooks 1929e7a76b include more specific information in the warning 2021-09-19 19:39:49 +02:00
Daniel Brooks 320a3dcdd5 remove old warnings from filtertestcase.py
assertLogged only checks that at least one listed message is found, so
it isn’t necessary to repeat them in the test.
2021-09-19 19:39:45 +02:00
Daniel Brooks a98cc08b31 Updated the warning messages created when fail2ban sees unexpected timestamps
to improve their grammar and to remove jargon.

Partially fixes #2822
2021-09-19 19:39:41 +02:00
sebres d6b884f3b7 amend to fix gh-3098: no option `--disable-2to3` anymore 2021-09-19 18:52:34 +02:00
sebres 5ac303df8a fix gh-3098: build fails with error in fail2ban setup command: use_2to3 is invalid (setuptools 58+) 2021-09-19 18:49:18 +02:00
sebres 8d45deca86 Merge branch '0.10' into 0.11 2021-09-19 18:42:23 +02:00
sebres 974ba688d4 Merge branch 'patch-3098' into 0.10 2021-09-19 18:41:24 +02:00
Sergey G. Brester 7f22c4873a
remove 2to3 in setup (should be called outside before setup) 2021-09-19 18:36:02 +02:00
Sergey G. Brester 1414a44b8e
Update main.yml
CI: try to install dependencies via apt, add build test
2021-09-19 18:24:36 +02:00
sebres 64217fe018 Merge branch '0.10' into 0.11 2021-09-08 20:09:48 +02:00
sebres c0f9348db5 Merge branch 'sebres/gh-3097--fix-unh-except' into 0.10;
closes #3097
2021-09-08 20:08:30 +02:00
sebres d709ec8179 GH actions: use newest python version for 3.10 (3.10.0-rc.2) 2021-09-08 20:00:41 +02:00
sebres ba282b794c pyinotify: amend to 1e4a14fb25d88e32f3ca9c06fb1d6b8d3b4813ab: one fix more for sporadic runtime error "dictionary changed size during iteration" (watched files) 2021-09-08 19:56:02 +02:00
sebres e323c148e1 backend systemd: fixes error "local variable 'line' referenced before assignment", introduced in 55d7d9e214f72bbe4f39a2d17aa004d80bfc7299;
don't update database too often (every 10 ticks or ~ 10 seconds in production);
closes gh-3097
2021-09-08 19:44:49 +02:00
sebres 1e4a14fb25 pyinotify: fixes sporadic runtime error "dictionary changed size during iteration" (if something outside changes the pending dict during _checkPending evaluation) - simply deserialize to a list for iteration, without any lock, because unneeded here due to small and mostly empty dictionary (logrotate, etc), not to mention that pending check is normally called once per minute;
don't call process file inside of server thread calling of addLogPath (always retard it as pending event);
ensure to wake-up as soon as possible to process pending events (e. g. if file gets added).
2021-09-08 19:17:44 +02:00
sebres 2f99d5accb test coverage for unhandled exception in run of several filter (gh-3097) 2021-09-08 18:22:31 +02:00
sebres c03fe6682c merge 0.10 to 0.11 (GHSA-m985-3f3v-cwmm) 2021-07-07 12:04:46 +02:00
sebres e3f2fcfab4 merge point (GHSA-m985-3f3v-cwmm 0.9/0.10) 2021-07-07 11:50:49 +02:00
sebres 2ed414ed09 fixed possible RCE vulnerability, unset escape variable (default tilde) stops consider "~" char after new-line as composing escape sequence
closes GHSA-m985-3f3v-cwmm for 0.9
2021-07-07 11:46:28 +02:00
sebres 410a6ce5c8 fixed possible RCE vulnerability, unset escape variable (default tilde) stops consider "~" char after new-line as composing escape sequence 2021-06-21 17:12:53 +02:00
sebres d2f5c7de09 Merge branch '0.10' into 0.11 2021-05-29 21:24:11 +02:00
sebres 92f90038fa filter.d/dovecot.conf: extended to match prefix like `conn unix:auth-worker (uid=143): auth-worker<13247>:` (authenticate from external service like exim), gh-2553 2021-05-29 21:12:34 +02:00
sebres 8b984a0135 filter.d\exim-common.conf: pid-prefix extended to match `mx1 exim[...]:` (gh-2553) 2021-05-29 20:47:56 +02:00
sebres 6be1a5a0b1 filter.d/dovecot.conf: fixed "Authentication failure" regex, matches "Password mismatch" in title case (gh-2880) 2021-05-29 20:25:28 +02:00
sebres 8afea37494 filter.d/sendmail-auth.conf: covering several "authentication failure" messages, sendmail 8.16.1 (gh-2757) 2021-05-29 20:09:57 +02:00
sebres c5f1598a21 filter.d/postfix.conf: extended to cover new vectors:
- reject: BDAT/DATA from (gh-2927)
- (since regex is more precise now) token selector changed to `[A-Z]{4}`, e. g. no matter what a command is supplied now (RCPT, EHLO, VRFY, DATA, BDAT or something else)
- matches "Command rejected" and "Data command rejected" now
2021-05-29 19:48:24 +02:00
sebres ae3e9b9149 filter.d/postfix.conf: extended to cover 2 new vectors:
- RCPT from unknown, 504 5.5.2, need fully-qualified hostname, gh-2995
- 550 5.7.25 Client host rejected, gh-2996
review combining several regex to single one
2021-05-29 19:21:27 +02:00
sebres 87f717e0e0 filter.d/sendmail-reject.conf: fix reverse DNS for ... (gh-3012) 2021-05-29 18:45:59 +02:00
sebres 3312b8cb95 Merge branch '0.10' into 0.11 2021-05-25 23:18:33 +02:00
sebres 1627d4f573 filter.d/sendmail-auth.conf: user not found, closes gh-3030 2021-05-25 23:16:29 +02:00
Michael Orlitzky 78dddb75e6 files/fail2ban-openrc.init.in: add a comment about @RUNDIR@ in the future. 2021-05-14 07:50:34 -04:00
Michael Orlitzky 4d2841832c files/fail2ban-openrc.init.in: don't restart() with a broken config.
This commit adds a new function checkconfig() to the OpenRC service
script. All it does is run the server with the "--test" flag in
addition to the usual command-line arguments.

The new command is not user-facing, but lets us avoid restarting the
daemon with a broken config. That helps when the user changes his
configuration while the daemon is running, and then tries to restart()
not knowing that the new config is broken. A priori, we would stop the
daemon and then the error would only become visible when the subsequent
start() command failed. Refusing to stop() with a broken configuration
is a nicer thing to do.
2021-05-14 07:50:34 -04:00
Michael Orlitzky 87e9cff065 files/fail2ban-openrc.init.in: remove redundant "return" from start_pre.
OpenRC functions will exit with the return code from the last command
by default, so there's no need for the "|| return 1" in our
single-line start_pre() phase.
2021-05-14 07:50:34 -04:00
Michael Orlitzky 36a7abe82f files/fail2ban-openrc.init.in: mention that "reload" doesn't drop bans.
The description of the "reload" OpenRC command just said that it would
reload the configuration, which is true but not totally helpful. This
commit updates it to mention that your existing bans won't be dropped,
in contrast with the "restart" command that does drop your bans.
2021-05-14 07:50:34 -04:00
Michael Orlitzky dd0f348757 files/fail2ban-openrc.init: replace @BINDIR@ at build-time.
This commit renames fail2ban-openrc.init to fail2ban-openrc.init.in,
and replaces the hard-coded value "/usr/bin" with "@BINDIR@"
therein. At build-time, setup.py will replace that string with the
correct value, and rename the file (without the ".in" suffix).

This mimics the procedure done for "fail2ban-service.in" entirely.
2021-05-14 07:50:34 -04:00
Michael Orlitzky e6a9f109c5 files/fail2ban-openrc.init: force the socket location in the service script.
The socket location needs to be set in the service script for the same
reason that the PID file location does: because the service script is
taking responsibility for ensuring that its parent directory exists
and has the correct permissions. We can't do that if the end user is
allowed to move the PID file or socket somewhere else (without parsing
the config file, which has other security implications).
2021-05-14 07:50:28 -04:00
Michael Orlitzky 4e7419e71f files/fail2ban-openrc.conf: add back the "-x" example.
I've removed the stale socket cleanup from our OpenRC service script:

  * Cleaning up stale sockets isn't really the job of the service script.
  * The ability to ignore a stale socket is already built into the server.

With it gone, maybe the "-x" is a useful example to have in the conf
file (although it's commented-out by default, anyway).
2021-05-14 07:38:00 -04:00