Commit Graph

6152 Commits (52399e6ef10f062ee7261fee21149907ed120336)

Author SHA1 Message Date
sebres 52399e6ef1 amend to #2351: providing the attempt via fail2ban's protocol (Pickle, client command, etc) must follow ignore facilities (shall be ignored if matches ignoreip, ignoreself, ignorecommand etc) 2025-08-26 18:03:46 +02:00
sebres c9e1a1b087 silence warning "Unknown distribution option: 'test_suite'", seems not work anymore (2.x only?) - test suite shall be invoked using `bin/fail2ban-testcases` 2025-08-23 22:22:20 +02:00
sebres a055568500 GHA: update python 3.14.0-rc.2 2025-08-23 22:10:55 +02:00
sebres 0265df854e silence skipping tests output for python versions that basically can not have the modules 2025-08-23 22:00:03 +02:00
sebres a3d181c973 `filter.d/dovecot.conf`: new matches in `aggressive` mode:
- new variant for `no auth attempts in X secs` with `Login aborted` and `(no_auth_attempts)`;
- covered `disconnected during TLS handshake` with `no application protocol` and `no shared cipher`.
2025-08-23 20:22:08 +02:00
sebres 002719dca4 ChangeLog update 2025-08-23 20:18:59 +02:00
sebres c26fda9dbb `filter.d/dovecot.conf`: new matches in `aggressive` mode:
- new variant for `no auth attempts in X secs` with `Login aborted` and `(no_auth_attempts)`;
- covered `disconnected during TLS handshake` with `no application protocol` and `no shared cipher`.
2025-08-23 20:16:40 +02:00
sebres bdb5d99906 Log `Repeal Ban` instead of `Unban` on stop action, jail or fail2ban, because the tickets are "unbanned" temporary (till restart);
closes gh-4057
2025-08-19 11:37:01 +02:00
sebres 4e22c20559 fixes `ignoreip` prefix `file://` - it shall resolve absolute file name (starting with `/`) unless it starts with `./`;
relative paths are based relative to the working dir;
to use it relative to the current config root (normally `/etc/fail2ban`), one can use interpolation `%(fail2ban_confpath)s`, e.g.:
  file://%(fail2ban_confpath)s/ignore-ipaddr-file
2025-08-12 23:46:10 +02:00
sebres 3ce6f344e3 fixes beautifier `get` `ignoreip` (explicit convert to string) 2025-08-12 23:26:42 +02:00
Sergey G. Brester bf4903538d
update ChangeLog (enhancement from #3291) 2025-08-08 10:29:02 +02:00
Sergey G. Brester 77ba28bae1
Merge pull request #3291 from ttyS4/patch-1
nftables.conf - add support for cidr notation and address ranges
2025-08-08 10:23:08 +02:00
Sergey G. Brester dc3268ce5d
servertestcase.py: adjust test coverage 2025-08-08 10:16:01 +02:00
Sergey G. Brester eb80b895d1
provides flags interval as `addr_options` now 2025-08-08 10:10:40 +02:00
Bill 6120a731d9
update nginx limit-req filter again (#4048)
amend to #4047 - removes unused ngx_limit_con_zones parameter.
2025-08-04 21:16:26 +02:00
Sergey G. Brester e16e982a45
Merge pull request #4047 from billfor/nginx
Update nginx-limit-req filter (extended to ban hosts failed by limit connection in ngx_http_limit_conn_module);
closes gh-3674
2025-08-04 11:34:35 +02:00
Sergey G. Brester dd58d440bc
Update ChangeLog 2025-08-04 11:32:10 +02:00
Sergey G. Brester e6516fd2b3
combine 2 REs to single regex
closes gh-3674
2025-08-04 11:24:51 +02:00
bill 0a91bf69a5 add filter for delayed requests and connection limiting 2025-08-04 00:27:45 -04:00
sebres d86a7aecca amend to #3979: removed mistaken double pipes in group matches 2025-07-31 17:38:28 +02:00
sebres ff3eca1d61 * Merge pull request #3527 from vafgoettlich/master
(partial merge, only postfix-backend)
2025-07-24 11:17:05 +02:00
sebres 0b255a8723 Merge pull request #3527 from vafgoettlich/master
(partial merge, only postfix-backend)
2025-07-24 11:14:03 +02:00
Sergey G. Brester 793d0c6555
Merge pull request #4037 from kusaka-0107/fix/asterisk-conf-regex
filter.d/asterisk: fix regex to match "No matching endpoint found" with retry info (like `after X tries in Y ms`)
2025-07-20 15:17:17 +02:00
Sergey G. Brester 7bb86822d0
Update ChangeLog 2025-07-20 15:15:38 +02:00
Sergey G. Brester 6d3bfa8781
revert RE back, but relive the end-anchor a bit (ignore any text without single quote, so also preventing false match by injection on foreign data) 2025-07-20 15:04:15 +02:00
177ac b309cf6b3c Add test line 2025-07-20 18:06:33 +09:00
177ac e97df4672a filter.d/asterisk: fix regex to match "No matching endpoint found" with retry info 2025-07-20 18:05:35 +09:00
sebres 1c2ace2958 GHA: update python 3.14.0-beta.4 2025-07-13 01:08:50 +02:00
sebres b710d5b6c7 `filter.d/sendmail-reject.conf` - also recognize "Domain of sender address ... does not resolve";
closes gh-4035
2025-07-13 01:03:53 +02:00
sebres dc899e438f avoid error "Unable to get failures" by stop (if file gets removed from filter, but filter already entered getFailures for the file);
closes gh-4032
2025-07-07 01:04:35 +02:00
sebres 86b9adb2f5 workflows/publish.yml: amend (allow manual trigger for publishing) 2025-06-16 22:09:46 +02:00
sebres 85faeab644 workflows/publish.yml: flow to publish package on pypi 2025-06-16 21:55:58 +02:00
Sergey G. Brester 9ef134c17d
Merge pull request #4016 from nabbi/dovecot-2.4
add Dovecot 2.4 support
2025-06-15 18:09:40 +02:00
Sergey G. Brester 8a4f373617
integrate new RE in already existing (combine new and old format) 2025-06-15 18:07:43 +02:00
Nic Boet 646832d5bd dovecot 2.4 into changelog
Signed-off-by: Nic Boet <nic@boet.cc>
2025-06-13 17:00:47 -05:00
Nic Boet 04ff4c060c Dovecot 2.4 filter support
Dovecot 2.4 release is a major upgrade
Logger event structure has changed, all messages are now
prefixed with:

        "Login aborted: " <reason> "auth failed"

Maintain 2.3 support as many folks have yet to migrate,
community edition is still receiving critical security patches

Dovecot 2.4.1
Python 3.12.10

Signed-off-by: Nic Boet <nic@boet.cc>
2025-06-13 16:44:57 -05:00
Sergey G. Brester cfa3356e0f
Merge pull request #4001 from sebres/f2b-regex--inverted-out
fail2ban-regex: new feature `-i` or `--invert` to output not-matched lines by `-o` or `--out`
2025-06-03 22:23:19 +02:00
sebres 4254d6bcd3 man and changelog 2025-06-03 22:19:54 +02:00
Sergey G. Brester afe9bc08ec
Merge pull request #4006 from pzl/smtp-py-wrap
Line-wrap long messages in smtp.py
2025-06-02 12:40:45 +02:00
pzl a5d7127109
construct smtp.py email wrap long lines
RFC 5322 2.1.1 requires <=998 chars per line.
If matches are included, and are very long lines,
the email will be rejected. Constructing the mail
as a message instead of a subpart (mimetext) fixes this
2025-05-20 14:55:03 -04:00
sebres cca2de984f fail2ban-regex: implemented new feature `-i` or `--invert` - inverting the sense of matching, to output non-matching lines. 2025-05-06 18:15:05 +02:00
Sergey G. Brester f7aaaf50b8
`filter.d/exim.conf`: colon must be outside of F-RCPT group 2025-04-27 23:00:09 +02:00
sebres f0a083449a coverage for non zero journalflags 2025-04-24 00:12:26 +02:00
sebres 9ecf6150c8 increase max wait time a bit - some (systemd) tests may fail occasionally in fast mode 2025-04-24 00:11:45 +02:00
sebres cbc3cb431c amend to a0093b557e (systemd-review): flags cannot be specified simultaneously with files too; 2025-04-24 00:04:37 +02:00
Sergey G. Brester d731b385f9
Merge pull request #3909 from avcbvamorec/patch-1
Enhancement on iptables: allow bans to be effective on multiple chains at the same time
2025-04-17 12:46:51 +02:00
Sergey G. Brester 52d239483d
typo 2025-04-16 17:18:36 +02:00
sebres 0d4a926029 ChangeLog (enhancement and compat entries) 2025-04-16 17:13:58 +02:00
sebres cbe14c70c5 iptables.conf rewritten to affect all derivative actions (multiple chains are also supported by `iptables-ipset` etc);
iptables-xt_recent-echo.conf adjusted to be compatible to new syntax of inherited iptables.conf;
test coverage fixed to new handling
2025-04-16 16:56:46 +02:00
Arnaud 37f72f88ef Reverting chains to chain in order to preserve backward compatibility
backing to the option named "chain", using "iteredchain" a new variable to iterate over.
2025-04-16 16:06:29 +02:00