sebres
2fe1479484
Merge branch '_0.9/gh-1849' into 0.10
7 years ago
sebres
5c538fb658
Recognize "unknown user" for additional auth-methods (pam, passwd-file, ldap, sql, etc); simplifying regular expressions (put "unknown user" and "invalid credentials" together as one regex).
7 years ago
sebres
0ef5b7c4d4
small amend to gh-1850: removed greedy catch-all at end.
7 years ago
Marcel Waldvogel
daf57547c6
Parse ejabberd 17.06 output
...
E.g.:
2017-07-29 08:24:04.773 [info] <0.6668.0>@ejabberd_c2s:handle_auth_failure:433 (http_bind|ejabberd_bosh) Failed c2s PLAIN authentication for test@example.ch from ::FFFF:192.0.2.3: Invalid username or password
7 years ago
Bigard Florian
f4551d02c9
Fix empty logfile.log in xarf login attack action
...
Fix empty 3rd MIME part which contains the attack evidence (logfile.log).
7 years ago
sebres
1a562bed0f
Merge remote-tracking branch 'master' into 0.10
...
# Conflicts:
# config/filter.d/asterisk.conf
7 years ago
sebres
a5b62a7f36
failregex extended and simplified (partially ported from gh-1409).
7 years ago
sebres
098abae4e6
Remove greedy catch-all before `<HOST>`, make regex more universal, less prone to errors (should avoid future changes, if some optional parameters come again before/after `RemoteAddress`) + non-captured groups now.
...
Test for possible injection (5.6.7.8 in session-id) already available, line 59 (thus already covered).
7 years ago
Kirill
4c0c7b97c0
Update asterisk.conf to new log message
...
I got an issue like this:
[2016-05-15 22:53:00] SECURITY[26428] res_security_log.c: SecurityEvent="FailedACL",EventTV="2016-05-15T22:53:00.203+0300",Severity="Error",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7fb580001518",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/78.129.227.4/62389",SessionTV="1970-01-01T03:00:00.000+0300"
# [sebres] rebased to current master and resolving conflicts.
7 years ago
Serg G. Brester
34cb55fd91
Merge pull request #1695 from benrubson/issue1693
...
Apache, detect syslog prefix
7 years ago
sebres
0e33125129
be more precise using common `__prefix_line` expression (set `_daemon` to recognize apache and httpd only)
7 years ago
sebres
b561af45ef
apache-common.conf: introduced parameter `logging` for possibility to match lines, if apache logs into syslog/systemd journal;
...
added test cases to cover `apache-auth[logging=syslog]`.
7 years ago
benrubson
b662cf03ac
Apache, detect syslog prefix, simple example
7 years ago
Serg G. Brester
6c030c5e10
Merge pull request #1717 from szepeviktor/patch-11
...
Updated xarf-specification repo URL in xarf action
7 years ago
sebres
7217ef5c9e
filter.d/ejabberd-auth.conf: fixed ejabberd filter - accept new log-format with `wait_for_sasl_response` instead of `wait_for_feature_request` + optional part "IP " (gh-993)
7 years ago
sebres
dae4988aea
filter.d/roundcube-auth.conf: fixes failregex not working with `X-Real-IP` or/and `X-Forwarded-For` (gh-1303)
7 years ago
sebres
e26cc5de45
restore backwards compatibility (jail postfix-sasl); changelog update
7 years ago
sebres
aa92b68d4a
filter.d/postfix.conf: normalized several postfix-filters using parameter `mode` (as discussed in gh-1813);
...
introduced parameter `mode`: more (default, combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
replacement for gh-1239, gh-1697, gh-1764; closes gh-1245, gh-1297.
7 years ago
sebres
d32a3913cf
postfix postscreen (resp. other RBL's compatibility fix) / gh-1764
7 years ago
Serg G. Brester
57ea38c342
Update paths-debian.conf
...
Fixed mail.log path since in the default rsyslog configuration of Debian the `mail.warn` is commented now (see `/etc/rsyslog.d/50-default.conf`: `#mail.warn -/var/log/mail.warn`).
Closes gh-1687
8 years ago
sebres
546cd55342
Merge branch 'master' into 0.10
8 years ago
sebres
a1d0633e69
filter.d/asterisk.conf - fixed failregex AMI Asterisk authentication failed (see gh-1302):
...
- optional space between NOTICE and pid;
- optional part "Host " before IP-address;
8 years ago
sebres
33fcf8d809
Merge branch 'master' into 0.10
8 years ago
Serg G. Brester
1307e0a5b9
Merge pull request #1760 from szepeviktor/patch-12
...
Courier may complain about the method only
8 years ago
Serg G. Brester
f27e053592
Update bsd-ipfw.conf
...
increased starting rule number (lowest_rule_num = 111)
8 years ago
Serg G. Brester
001c0898d6
Merge branch 'master' into master
8 years ago
Serg G. Brester
6110ba9cc3
filter.d/proftpd.conf: added option `journalmatch` for systemd backend (closes gh-1613)
8 years ago
sebres
37ca4f17c2
filter.d/roundcube-auth.conf: added missing entry `journalmatch` from original gh-1783.
8 years ago
Serg G. Brester
986dd3107d
Merge branch '0.10' into patch-12
8 years ago
sebres
d3ae70beb6
filter.d/roundcube-auth.conf: Use the same filter-file and jail also when logging errors to journal instead of to a local file.
...
Additionally fixes more complex injections on username.
8 years ago
Johannes Weberhofer
691c080dc7
Added roundcube authentication filter, new jail and log-examples
8 years ago
Serg G. Brester
3294840c2a
Merge pull request #1801 from jeaye/postfix-updates
...
filter.d/postfix.conf: update to the latest postfix logging format
8 years ago
Serg G. Brester
efeca8fdeb
postfix.conf: removes unneeded end-anchoring like `.*$`, etc.
...
also removes several dynamic contents at the end, which are of no avail there.
Additionally normalizes optional part (mail-ID) after reason number.
8 years ago
sebres
dcdf677438
Merge remote-tracking branch 'master' into 0.10
8 years ago
sebres
2b358bc1a4
filter.d/apache-overflows.conf: rewritten without end-anchor ($), because apache-log could contain very long URLs (and/or referrer), and parsing it in an anchored way may be very vulnerable (at least as regards the system resources, see gh-1790).
8 years ago
jeaye
6f3d425c4d
Update postfix filters and tests
8 years ago
sebres
bbea73d79d
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
8 years ago
Serg G. Brester
d56554ecf3
Merge pull request #1688 from felixonmars/arch-config
...
Add a path configuration for Arch Linux
8 years ago
Peter Nowee
b93e47b12f
dovecot: Match also when user field is empty
...
Commit 5678d08
of 2016-11-26 changed:
( user=<\S*>,)?
to:
( user=<[^>]+>,)?
The change from `*` (zero or more times) to `+` (one or more times) may
not have been intended. It will miss lines containing, for example:
Aborted login (tried to use disallowed plaintext auth): user=<>
This commit reverts the `+` back to `*`.
8 years ago
Marcel Bischoff
228d25c548
Update Kerio Connect filter ( #1455 )
...
* Update Kerio Connect filter
Fixed regex for some log entries that did not get recognized and some additional error formats are added.
* Add missing colon, GitHub address
* Add filter tests
* Add missing test
8 years ago
Serg G. Brester
80cc47b75f
Update helpers-common.conf
...
fixed grep pattern: escape dot-char in search-IP and more restrictive boundaries (IPv6-capable)
8 years ago
Viktor Szépe
5bb6be0163
IPv6 address may overlap
8 years ago
Filippo Tessarotto
ff1c6718da
Postfix RBL: 554 & SMTP
...
Cherry-pick of 607568f5da
(see gh-1686)
8 years ago
sebres
b13d9d4e22
Merge branch 'master' into 0.10
8 years ago
sebres
0600d51511
filter.d/exim.conf: added new reason for "rejected RCPT" regex: Unrouteable address
8 years ago
sebres
49e237209e
Merge branch 'master' into 0.10
8 years ago
sebres
c546f85207
filter.d/exim.conf: cherry-picked from 0.10, match complex time like `D=2m42s` (closes gh-1766)
8 years ago
Viktor Szépe
ac256a822b
Make courier-auth regexp a non-captured group
8 years ago
Viktor Szépe
4bb8a58dcf
Courier may complain about the method only
...
> Mar 30 22:29:18 szerver imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:1.2.3.4]
8 years ago
Seth Reeser
c3426ba5f6
Update botsearch-common.conf ( #1759 )
...
* Update botsearch-common.conf, apache-modsecurity.conf: typo and missing new-line
8 years ago
sebres
8839bcbb09
Merge remote-tracking branch master into 0.10
8 years ago
sebres
99344d28c8
Introduces new tags with hostname:
...
- `<fq-hostname>` - fully-qualified name of host (the same as `$(hostname -f)`)
- `<sh-hostname>` - short hostname (the same as `$(uname -n)`)
Execution of `uname -n` replaced in all mail actions with most interesting fully-qualified `<fq-hostname>`.
8 years ago
sebres
3161bcf78b
filter.d/exim.conf: optional part `(...)` after host-name before `[IP]`, normalized over whole config file.
...
# Conflicts:
# config/filter.d/exim.conf
8 years ago
sebres
507034c5be
filter.d/apache-auth.conf: joined some similar expressions
8 years ago
Serg G. Brester
6dfd080e20
Update apache-auth.conf
...
remove forgotten referer, that may prevent failure recognition (belongs to gh-1645)
8 years ago
Serg G. Brester
311f8fea83
Merge branch '0.10' into issue1644
8 years ago
Peter van der Does
bb79e7f413
Parameter not needed
...
The parameter '-s' causes an error as the <mailcmd> already has the parameter.
8 years ago
Serg G. Brester
4f0f22702a
Update haproxy-http-auth.conf
...
little bit more precise expression
8 years ago
Georges Racinet
4fc6323ff0
haproxy-http-auth: avoid port number in IPv6 addresses
...
The solution taken is to consume the port number explicitly in
the regexp.
8 years ago
sebres
97e8b42d34
dummy action extended with more examples and test-covered now
8 years ago
sebres
d03872fbbf
bulk unban: add new command `actionflush` default for several iptables/iptables-ipset actions (and common include):
...
iptables-common
iptables
iptables-allports
iptables-multiport-log
iptables-multiport
iptables-new
iptables-ipset-proto4
iptables-ipset-proto6
iptables-ipset-proto6-allports
executing `actionflush` command covered for these actions now
8 years ago
sebres
8bf79fa483
implemented execution of `actionstart` on demand, if action depends on `family` (closes gh-1741);
...
new action parameter "actionstart_on_demand" (bool) can be set to prevent/allow starting action on demand (default retrieved automatically, if some conditional parameter `param?family=...` is present in action properties);
8 years ago
Seth Reeser
c82495353f
Update mysqld-auth.conf ( #1725 )
8 years ago
Serg G. Brester
52c1950371
Update mysqld-auth.conf
...
small typo, closes gh-1725 (Thx @seth-reeser)
8 years ago
sebres
5e93bf9bd3
Introduced new option "ignoreself", specifies whether the local resp. own IP addresses should be ignored (default is true).
...
Fail2ban will not ban a host which matches such addresses.
Option "ignoreip" applies in addition to "ignoreself" and doesn't need to include the DNS resp. IPs of the host itself.
8 years ago
sebres
f13fac5ae9
amend to 5561423be3b2d4636f5484183c3ad470fd326d06: fixed incorrect failure counting despite the `<F-NOFAIL>` marked regex;
...
extra: introduced new tag `<F-MLFFORGET>` as mark to forget current multi-line MLFID (e. g. connection closed);
Closes gh-1727
8 years ago
sebres
5561423be3
filter.d/sshd.conf: fixed failregex format - some parts are optional, new ddos more precise rule (Connection reset by with host entry);
...
closes gh-1719
8 years ago
Viktor Szépe
d79267c424
Updated xarf-specification repo URL in xarf action
8 years ago
sebres
0c1707afda
filter.d/sshd.conf:
...
- optional parameter `mode` rewritten: normal (default), ddos, extra or aggressive (combines all), see sshd for regex details);
test cases reformatted (since "filterOptions", we don't need multiple test log-files anymore);
8 years ago
sebres
7e442c5b27
filter.d/sendmail-reject.conf:
...
- rewritten using `prefregex` and used MLFID-related multi-line parsing (by using tag `<F-MLFID>` instead of buffering with `maxlines`);
- optional parameter `mode` introduced: normal (default), extra or aggressive (see sendmail-reject for regex details);
test cases extended
8 years ago
sebres
52ed6597b2
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
8 years ago
sebres
8768776d68
filter.d/cyrus-imap.conf: fixed `failregex` - accept entries without login-info resp. hostname before IP address
8 years ago
Serg G. Brester
d042981954
Merge pull request #1655 from ajcollett/0.10
...
Added config for AbuseIPDB
8 years ago
Serg G. Brester
b1f5ac9484
Update abuseipdb.conf
8 years ago
Serg G. Brester
62fa02241f
Update jail.conf
8 years ago
sebres
6a2c95da95
`action.d/sendmail-geoip-lines.conf` fixed using new tag `<ip-host>` (dns-cache and without external command execution);
...
changelog updated;
8 years ago
sebres
d2a3d093c6
rewritten CallingMap: performance optimized, immutable, self-referencing, template possibility (used in new ActionInfo objects);
...
new ActionInfo handling: saves content between actions, without interim copying (save original on demand, recoverable via reset);
test cases extended
8 years ago
sebres
35efca5941
Better multi-line handling introduced: single-line parsing with caching of needed failure information to process in further lines.
...
Many times faster and less CPU-hungry because of parsing with `maxlines=1`, so without line buffering (scrolling of the buffer-window).
Combination of tags `<F-MLFID>` and `<F-NOFAIL>` can be used now to process multi-line logs using single-line expressions:
- tag `<F-MLFID>`: used to identify resp. store failure info for groups of log-lines with the same identifier (e. g. combined failure-info for the same conn-id by `<F-MLFID>(?:conn-id)</F-MLFID>`, see sshd.conf for example)
- tag `<F-NOFAIL>`: used as mark for no-failure (helper to accumulate common failure-info);
filter.d/sshd.conf: [sshd], [sshd-ddos], [sshd-aggressive] optimized with pre-filtering using new option `prefregex` and new multi-line handling.
8 years ago
sebres
22afdbd536
Several filters optimized with pre-filtering using new option `prefregex`
8 years ago
sebres
4ff8d051f4
Introduced new filter option `prefregex` for pre-filtering using single regular expression;
...
Some filters extended with user name;
[filter.d/pam-generic.conf]: grave fix - injection from user name into host fixed;
test-cases in testSampleRegexsFactory can now check the captured groups (using additionally fields in failJSON structure)
8 years ago
Serg G. Brester
2fa18a74c4
Merge branch 'master' into master
8 years ago
sebres
4bf09bf297
provides new tag `<ip-rev>` for PTR reversed representation of IP address;
...
[action.d/complain.conf] fixed using this new tag;
8 years ago
Serg G. Brester
7f63809afb
Merge branch '0.10' into patch-1
8 years ago
Christoph Theis
861ce4177c
#1689 : Make lowest rule number in action.d/bsd-ipfw.conf configurable
8 years ago
Felix Yan
68d829c1dd
Add a path configuration for Arch Linux
8 years ago
Jan Grewe
58c68b75f0
Remove double-quotes from email addresses
8 years ago
Jan Grewe
1bcf0de7c1
Update complain.conf
8 years ago
Filippo Tessarotto
607568f5da
Postfix RBL: 554 & SMTP
8 years ago
Jan Grewe
901eeff53d
Make Abusix lookup compatible with Dash
8 years ago
sebres
1823571e0f
Merge branch 'ssh-filter-new-regexp' into 0.10
8 years ago
sebres
9d06f0ee40
sshd-amend: optional space after port part
8 years ago
sebres
e8a1556562
Merge remote-tracking branch 'master' into 0.10
...
# Conflicts:
# fail2ban/tests/samplestestcase.py
8 years ago
sebres
54a8c681ce
suhosin.conf: removed greedy match
8 years ago
sebres
8aa9516d50
sshd.conf: fixed expression "received disconnect ... auth fail" - optional space after port part (gh-1652)
8 years ago
sebres
3276bd6d54
sshd: additionally aggressive filter rules - no matching cipher resp. no matching key exchange method (gh-1545, gh-1117)
8 years ago
sebres
628789f9a9
sshd: conditional parameter "mode" for sshd jail (normal, ddos, aggressive)
...
filter sshd-ddos and new filter sshd-aggressive are both derivations of the sshd filter
8 years ago
sebres
dd373dba9f
test all config regexps that contain a greedy catch-all before <HOST> and are hard-anchored at end or have a precise sub-expression after <HOST>;
...
new ssh rule(s) added:
- Connection reset by peer (multi-line rule during authorization process);
- No supported authentication methods available;
Single line and multi-line expression optimized, added optional prefixes and suffix (logged from several ssh versions);
closes gh-864
8 years ago
Christian Brandlehner
a4d8426401
Support for IBM Domino SMTP task ( #1603 )
...
filter.d/domino-smtp.conf
8 years ago
Serg G. Brester
40f294e6bf
Merge pull request #1663 from jjeziorny/netscaler-action
...
Introduced citrix netscaler action
8 years ago
Juliano Jeziorny
1fe554dd25
Introduced Citrix Netscaler action
8 years ago