2ab6a5ae62
Update sendmail-auth.conf
2018-04-04 18:52:35 +02:00
87520e8008
Sendmail logs IPv6 addresses with the prefix 'IPv6:'. Added (IPv6:)? before all <HOST> regexes to match the IPv6 address (but not the prefix).
2018-04-04 18:52:33 +02:00
1fdad90b4d
Merge branch '0.10' into 0.11
2018-04-04 16:49:57 +02:00
fc76ccf192
Fixes abuseipdb curl cypher error and comment $f2bV_matches
...
Fixed https://github.com/fail2ban/fail2ban/issues/2044 #2044
and used https://github.com/fail2ban/fail2ban/issues/2039 to fix comment in abuseipdb.com only showing $f2bV_matches
2018-04-04 16:39:16 +02:00
7bbc26d67e
Merge pull request #2097 from benrubson/sni
...
Detect Apache SNI error / misredirect attempts
2018-04-04 16:31:38 +02:00
bd74f7ba8b
Detect Apache SNI error / misredirect attempts, typos
2018-04-04 00:20:58 +02:00
7dfd61f462
Merge branch '0.10' into 0.11-2
2018-04-03 14:14:44 +02:00
8423f017e7
Merge branch 'sshd-ddos-mode-closed-preauth' into 0.10
2018-04-03 14:12:35 +02:00
4ee07adde6
Merge branch '0.10' into fix-sshd-filter-suff
...
# Conflicts resolved:
# fail2ban/server/filter.py
2018-04-03 13:30:57 +02:00
30dc22fb2e
Detect Apache SNI error / misredirect attempts
2018-03-29 11:36:49 +02:00
4f6532f810
filter.d/sshd.conf: mode `ddos` (and `aggressive`) extended to catch `Connection closed by ... [preauth]`, so in DDOS mode it causes failure now on closed within preauth stage;
...
at least using both modes can ban port-scanners and prevent for other annoying "intruders", closing connection within preauth-stage (see gh-2085 for example).
2018-03-20 18:54:22 +01:00
cd7f1354c6
remove end-anchors for expressions that are precise enough (with clear flow, simple branches, without catch-all's, etc.)
2018-03-20 18:47:42 +01:00
c31eb1c562
quick optimization: normalizes pam-generic prefregex (more similar to the same regex within sshd-filter) + datepattern anchored now;
2018-03-20 16:00:21 +01:00
25cc42129a
hold all user names affected by interim attempts in order to avoid forget a failures after success login:
...
intruder (as legitimate user) firstly tries to login with another user-name (brute-force), so hopes to reset failure counter by succeeded login;
this is fixed and covered in tests now;
sshd-filter extended to cover multiple-login attempts (also fully implements gh-2070);
2018-03-20 13:09:05 +01:00
a9c94686b6
fixed multiple regexs matched
2018-03-20 09:09:42 +01:00
8028d3940d
amend with better match of optional suffix-groups;
...
remove end-anchors for expressions are precise enough (with clear flow, simple branches, without catch-all's, etc.);
2018-03-19 17:29:26 +01:00
66d2436f21
filter.d/sshd.conf: extend suffix with optional port, move it to `prefregex` at end outside of the content
2018-03-19 16:50:49 +01:00
7b3442c4e2
amend to 185cb998e7c7f2509830bed4a9f2fe6179f77e7b: capture error prefix outside of the failure content;
2018-03-19 14:53:56 +01:00
185cb998e7
make `prefregex` more precise in order to avoid catch the content for non failure lines
2018-03-19 14:38:47 +01:00
e8ffab28fb
filter.d/apache-noscript.conf: extended to match "Primary script unknown", got from php-fpm module.
2018-03-19 14:23:24 +01:00
a6fb33bdec
filter.d/recidive.conf: fixed if logging into systemd-journal (SYSLOG) with daemon name in prefix, gh-2069
2018-03-09 13:56:38 +01:00
b34ae5999e
action.d/hostdeny.conf: fixes IPv6 syntax
...
differentiate the IPv4 and IPv6 syntax (where it is enclosed in square brackets)
2018-03-05 19:35:10 +01:00
2b282ead09
Merge branch '0.10' into 0.11
2018-03-02 19:48:15 +01:00
caa2bdfee6
amendment for gh-2061: it looks like the port was added here also
2018-03-02 19:24:47 +01:00
a3bcbe2d1b
backwards-compatibility, test-cases and ChangeLog update
2018-03-02 19:15:10 +01:00
6b5516b851
fix sshd rule #2
...
in line 58, rule don't match with "%(__suff)s" but work fine if I replace with "%(__on_port_opt)s"
Debian 9 stretch : fail2ban 0.10.3
2018-03-02 18:40:36 +01:00
1d7aa2ff21
filter.d/sshd.conf: rewrite fix (for new ssh log-format) backwards compatible + test-cases extended to cover both cases
2018-03-02 18:17:17 +01:00
9f5c873526
fix sshd rule
...
just remove the space before ":11" line 52 because don't match on my Debian 9 stretch...
I don't know if this is wrong on all OS
2018-03-02 17:53:35 +01:00
5ea76789c6
Merge branch '0.10' into 0.11
2018-03-02 17:18:37 +01:00
8c291cad38
filter.d/asterisk.conf: fixed failregex prefix by log over remote syslog server (gh-2060)
2018-03-02 09:17:04 +01:00
b112250ef0
(Free)BSD IPFW does not allow 2 identical rules ( #2054 )
...
ipfw actionban fixed to allow same rule added several times (and actionunban to ignore error by deletion of missing rule)
2018-02-27 10:18:59 +01:00
857767f04b
Add 'any' badips.py bancategory ( #2056 )
...
action.d/badips.py: allow `any` as bancategory to retrieve IPs from all categories
2018-02-27 10:12:22 +01:00
47a7f83a0b
Merge branch '0.10' into 0.11
2018-02-26 19:30:54 +01:00
07fcb24ff6
Merge pull request #2057 from benrubson/https
...
Use httpS with badips
2018-02-26 18:50:35 +01:00
f52c67238a
action.d/badips.py: code review, ban command covered, debug log-messages, etc;
2018-02-26 18:16:20 +01:00
fce2a50165
badips.py, solve a str() issue under FreeBSD
2018-02-26 15:55:21 +01:00
e2665d39fd
Use httpS with badips
2018-02-26 09:58:37 +01:00
a5155f55e7
Merge branch '0.10' into 0.11
2018-02-21 09:31:35 +01:00
e636567d23
filter.d/exim.conf: failregex extended with SMTP call dropped: too many syntax or protocol errors.
2018-02-19 09:50:46 +01:00
19a5a2f8c0
filter.d/murmur.conf: fixed detection of failures reading from journal (systemd-backend only):
...
- extended with optional prefix for the systemd-journal (with second date-pattern as optional match);
- added `journalmatch` filtering;
closes gh-2043
2018-02-09 11:43:55 +01:00
201ae0dac2
Merge branch '0.10' into 0.11
2018-01-31 12:20:34 +01:00
0be0e43d47
amend to 03b577d7b92a120e325abe20a99b6956a7e0657c: add new-line after matches via tag `<br>` without usage of interim variable
2018-01-30 12:52:26 +01:00
03b577d7b9
action.d/blocklist_de.conf: fixed tag substitution (in 0.10 it can be variables supplied via shell-arguments), expand `<matches>` with trailing newline;
...
tests extended;
closes gh-2028
2018-01-30 12:27:03 +01:00
faab77cc79
Merge branch '0.10' into 0.11, with resolved conflicts.
2018-01-24 17:56:58 +01:00
527bb9a7c3
dos2unix for helpers-common.conf
...
Original report: http://bugs.debian.org/888110
2018-01-23 08:48:36 -05:00
1ca3df877b
Merge branch '0.10' into 0.11
2018-01-18 14:32:00 +01:00
f69e28adfc
action.d/pf.conf: compatibility fix - recognizes that parameter `port` specified as empty, with or without braces (should be more backwards compatible to 0.9 now).
2018-01-18 14:05:22 +01:00
38b3290516
Merge branch '0.10' into 0.11
2018-01-17 16:43:45 +01:00
ed22ddbbbb
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2018-01-17 16:42:56 +01:00
63e906b2c1
regex rewritten: a bit fewer vulnerable now and using non-capturing groups, test-cases extended in order to cover trying of injection on user name
2018-01-17 16:35:32 +01:00
fed6c49c2d
nginx-http-auth: match usernames with spaces
...
# Conflicts:
# ChangeLog
2018-01-17 16:35:31 +01:00
b6c6565a7e
regex updated using non-capturing groups
2018-01-16 14:23:47 +01:00
6a1bbbf101
Update lighttpd-auth.conf
...
I have lighttpd 1.4.45 (Debian 9) and auth error log is different.
Now printing mod_auth and not http_auth.
I think that the change was in Lighttp 1.4.42
2018-01-16 12:39:55 +00:00
576eeb70dd
Merge branch '0.10' into 0.11
2018-01-15 18:17:18 +01:00
2b7b0da943
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2018-01-15 18:16:43 +01:00
7e05976ead
action.d/hostsdeny.conf: actionunban rewritten using sed, also dots in IP were escaped now.
...
Closes #2000
2018-01-11 12:38:34 +01:00
039ac7c7c4
Merge branch '0.10' into 0.11
2018-01-11 10:29:46 +01:00
2112145eb4
stop ban of legitimate users with multiple public keys (e. g. git, etc), thereby
...
differentiate between "invalid user" (going banned earlier) and valid users with public keys, for which the rejects of not valid public keys (failures) will be retarded up to "Too many authentication failures" resp. disconnect without success (accepted public key).
2018-01-10 19:07:20 +01:00
314e402fe0
filter.d/sendmail-auth.conf - extended daemon for Fedora 24/RHEL - the daemon name is "sendmail" (gh-1632)
2018-01-10 14:49:06 +01:00
0e68c9a720
Merge branch '0.10' into 0.11
2018-01-10 12:22:31 +01:00
c30144b37a
Merge branch '0.9' into 0.10
...
# Conflicts:
# config/action.d/firewallcmd-ipset.conf
# config/filter.d/asterisk.conf
# Merge-point after cherry-pick, no changes:
# fail2ban/client/jailreader.py
# fail2ban/helpers.py
2018-01-10 12:05:26 +01:00
131b94e11e
firewallcmd-ipset-allports: implemented in `action.d/firewallcmd-ipset.conf` now (`action.d/firewallcmd-ipset-allports.conf` removed), usage:
...
banaction = firewallcmd-ipset[actiontype="<allports>"]
2018-01-10 10:58:03 +01:00
c190631f88
New ban action firewallcmd-ipset-allports. Closes #1167
2018-01-10 10:58:01 +01:00
94f0b15c32
Allow faster parsing of hosts without ' characters in them
2018-01-08 14:54:32 +01:00
b28dfb965a
Fix filter not catching asterisk requests with quote character in username ( fixes #2010 )
2018-01-03 18:39:30 +01:00
5028f17f64
Merge branch '0.10' into 0.11, rewrite updateDb because it can be executed after repair, and some tables can be missing.
...
# Conflicts:
# fail2ban/server/database.py
# fail2ban/tests/fail2banclienttestcase.py
# fail2ban/tests/sockettestcase.py
2017-12-22 17:05:45 +01:00
79f414c6a2
fix <family> typo
2017-12-09 15:55:45 +01:00
7c63eb2378
In the CentOS7 and epel environment, result of "firewall-cmd -direct -get -chains ipv4 filter" is displayed one line
...
Changed to be multiple lines with reference to firewallcmd-multiport.conf
2017-12-09 15:55:45 +01:00
309a1cb337
restore timeout for ipset-based actions: on some systems ipset created without default timeout may cause "Kernel error received: Unknown error -1" (gh-1994);
...
thus new option `default-timeout` introduced (because of dynamical bantime in 0.10, it cannot be used here).
2017-12-06 02:38:10 +01:00
6ccaa03e00
action.d/firewallcmd-ipset.conf: extended with actionflush to bulk unban resp. flush ipset
2017-12-06 01:10:56 +01:00
7e5d8f37fd
Merge branch '0.10' into 0.11
...
# Conflicts:
# config/action.d/firewallcmd-ipset.conf
# fail2ban/server/jail.py
# fail2ban/tests/servertestcase.py
2017-12-06 00:14:23 +01:00
2712f72650
Merge remote-tracking branch 'master' into 0.10
2017-12-06 00:09:52 +01:00
e384acca5f
action.d/firewallcmd-ipset.conf: fixed create of set for ipv6 (missing `family inet6`)
2017-12-05 23:34:03 +01:00
6c705d572b
filter.d/nginx-limit-req.conf: nginx limit-req log-level can be set to warn or error therefore having this regex will include both of them.
2017-12-05 22:31:54 +01:00
ffd6b9f6de
jail.conf: extended with new parameter `mode` for the filters supporting it;
2017-12-05 16:09:18 +01:00
2b68882502
filter.d/exim.conf: provides mode "aggressive" to ban flood resp. DDOS-similar failures;
...
Closes #1983
2017-12-05 16:07:53 +01:00
cc153888d5
Merge branch '0.10' into 0.11
2017-12-01 15:55:10 +01:00
7f89fbc33f
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2017-12-01 15:53:11 +01:00
4f63180611
Avoid injection using quotes after `auth` command;
...
Added non-greedy fallback for quoted something (with lookahead simulated possessive greedy catch of non-quoted parts `[^"]*(?=")`).
Note that because host-info's are hereafter (with foreign input in-between), we would not use greedy or non-greedy catch-alls (`.*` or `.*?`) here (preventing performance losses).
2017-11-30 12:32:24 +01:00
f59df2e156
Avoid any injecting on protocol (e. g. tries using camel-case)
...
The phrase "AUTH command used when not advertised" is precise enough as anchor here, so prevent by any foreign-input (any auth protocol error).
2017-11-29 20:55:48 +01:00
aa158ac05f
Exim failregex: Include lower/mixed case AUTH
...
When reporting the error `AUTH command used when not advertised`, Exim
starts with `SMTP protocol error in "........."`. Here, Exim logs the
SMTP command as it was provided by the connecting client.
https://github.com/Exim/exim/blob/exim-4_89+fixes/src/src/smtp_in.c#L2850
According to RFC 5321 (SMTP) "[..] a command verb [..] MAY be encoded
in upper case, lower case, or any mixture of upper and lower case with
no impact on its meaning."
https://tools.ietf.org/html/rfc5321#section-2.4
Lower case `auth login` brute-force attempts were seen in the wild and
were not caught by the current failregex.
This commit makes the failregex case-insensitive for the `AUTH`
command, so that lower case (`auth`) or mixed case (`aUtH`) now also
match. The failregex was already case-insensitive for the command
arguments (e.g. `AUTH login` already matched).
2017-11-29 15:14:43 +01:00
660d57e6ba
updating my email address
2017-11-29 10:43:15 +01:00
5cc0abbb02
Merge branch '0.10' into 0.11
...
# Conflicts:
# fail2ban/tests/fail2banclienttestcase.py
2017-11-28 16:37:51 +01:00
76f2865883
implemented new action "action.d/nginx-block-map.conf", used in order to ban not IP-related tickets via nginx (session blacklisting in nginx-location with map-file);
2017-11-28 13:42:41 +01:00
12b55bb8cc
Merge remote-tracking branch '0.10' into 0.11
2017-11-27 12:02:46 +01:00
f31195a4fc
added new logtarget "SYSOUT" to log from fail2ban working in foreground as systemd-service (in opposite to "STDOUT" don't log time-stamps).
2017-11-26 23:03:29 +01:00
8aeaaf06ee
Merge branch '0.10' into 0.11
2017-11-23 22:57:21 +01:00
159957ab88
filter.d/sshd.conf: extended failregex for modes "extra"/"aggressive": now finds all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors;
...
obsolete (multi-line buffered) variant extended also.
Closes gh-1943, gh-1944
2017-11-23 22:21:42 +01:00
70b933f405
Merge branch '0.10' into 0.11
2017-11-06 18:57:53 +01:00
7e756da2b9
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2017-11-06 18:56:31 +01:00
eba68a8f37
config/paths-common.conf: Added initial values for `syslog_authpriv`, `syslog_mail` in order to avoid errors while parsing/interpolating configuration;
...
Note the systemd-backend does not need the logpath at all;
Some defaults normalized (minimized configs, don't need to overwrite values in distribution-related path if equal).
2017-11-03 14:15:07 +01:00
9876dd44f9
replace port imap3 with imap everywhere, since imap3 is not a standard port and old rarely (if ever) used and missing on some systems
...
(see gh-1942)
2017-11-03 14:03:06 +01:00
4a2fc8b7e8
Include imap (port 143) in courier-auth ports
...
imap was missing from the list of ports, preventing fail2ban from blocking connections on standard IMAP port 143.
2017-11-03 14:01:19 +01:00
12419b75f2
Merge branch '0.10' into 0.11
...
# Conflicts:
# fail2ban/tests/servertestcase.py
2017-10-30 14:02:41 +01:00
b615a98540
jail.conf: avoid overwriting of default value of the parameter `chain` of several actions (where default chain != INPUT);
...
test-cases extended to cover the same logic (use `<known/chain>` instead of fix value `INPUT`);
Closes gh-1949
2017-10-30 13:32:52 +01:00
e07a8cda07
Update jail.conf
...
Documentation of parameters for action blocklist_de, closes gh-1940
2017-10-27 15:26:17 +02:00
1a8fb6290d
Merge pull request #1926 from sebres/0.10-pf-actionflush
...
action.d/pf.conf: wildcard anchoring example + bulk-unban with command `actionflush`
2017-10-19 16:35:46 +02:00
76f5e3659e
Merge branch '0.10' into 0.11
2017-10-18 19:03:08 +02:00
0e66e3cc57
Merge branch 'master' into 0.10
...
# Conflicts:
# config/filter.d/asterisk.conf
2017-10-18 19:00:23 +02:00
d5d1fe679f
Remove invalid regex
...
Resolves #1927
2017-10-17 14:44:23 -07:00
a1b863fcf6
action.d/pf.conf: extended with bulk-unban, command `actionflush` in order to flush all bans at once (by stop jail, resp. shutdown of fail2ban)
2017-10-17 20:12:48 +02:00
8726c9fb0a
pf.conf: enclose ports in braces, multiple ports expecting this syntax `... any port {http, https}`.
...
Note this would be backwards-incompatible change (for the people already enclosing multiports in braces in jail.local).
closes gh-1915
2017-10-17 13:46:29 +02:00
a4f94d2619
Update pf.conf
...
Fix comment, because current one won't work:
cat /etc/pf.conf
anchor f2b {
sshd
}
# service pf reload
Reloading pf rules.
/etc/pf.conf:2: syntax error
New version:
cat /etc/pf.conf
anchor f2b {
anchor sshd
}
# service pf reload
Reloading pf rules.
2017-10-17 12:39:25 +02:00
ea1b663f85
typo
...
spell "positive" (...but also somebody should finish this sentence)
2017-10-16 01:15:58 +01:00
6c1d481135
Merge branch '0.10' into 0.11
2017-10-04 09:57:43 +02:00
e71f16f6ba
Merge branch 'master' into 0.10
...
# Conflicts resolved:
# config/filter.d/dovecot.conf
2017-10-04 09:57:18 +02:00
ea36e1b3fc
filter.d/dovecot.conf: fixed failregex to recognize pam_authenticate failures with "Permission denied" (gh-1897)
2017-10-04 09:55:37 +02:00
037a0be3ae
Merge branch '0.10' into 0.11
2017-10-02 15:43:55 +02:00
8c804a2290
Merge branch 'master' into 0.10
...
# Conflicts resolved:
# config/filter.d/postfix-rbl.conf
# config/filter.d/postfix-sasl.conf
# config/filter.d/postfix.conf
# fail2ban/tests/files/logs/postfix-sasl
2017-10-02 15:41:30 +02:00
a2120a9de5
filter.d/postfix-*.conf - added optional port regex (closes gh-1902)
2017-10-02 15:31:55 +02:00
152c9d27d5
Fix nftables actions for IPv6 addresses, fixes #1893
...
* add [Init?family=inet6] to nftables-common.conf and make nftable
expressions more modular
* change "ip protocol" to "meta l4proto" in nftables-allports.conf
since the former only works for IPv4
2017-09-11 23:32:53 +02:00
e0fede621e
Merge branch '0.10' into 0.11
2017-09-08 11:33:19 +02:00
b185e7cb04
Merge remote-tracking branch 'upstream/master' into 0.10
2017-09-08 11:11:05 +02:00
fd83260bd8
jail "pass2allow-ftp" should supply blocktype to action
...
closes gh-1884
2017-09-07 18:51:08 +02:00
bb97e66627
Merge pull request #1882 from coderua/patch-1
...
Add Jorgee Vulnerability Scanner protect
2017-09-07 15:52:31 +02:00
2cd02b731b
filter.d/exim.conf: fixed failregex for case of `D=0s`
...
Closes gh-1886
2017-09-07 15:28:46 +02:00
4bc226a692
optimized regex
2017-09-05 10:59:16 +02:00
fafefc0293
Add Jorgee Vulnerability Scanner protect
...
Details for Jorgee Vulnerability Scanner: https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30164
2017-09-05 10:56:43 +02:00
4163f32968
small review, prefix replaced with `%(_apache_error_client)s` from apache-common.conf include
2017-09-04 11:48:01 +02:00
ac95449bbb
changed zoneminder regex as per Sebres and yarikoptic recommendations
2017-09-04 11:37:09 +02:00
7013729a1f
removed redundant options for zoneminder from jail.conf
2017-09-04 11:37:05 +02:00
5c3a666380
fixed incomplete regex after adding anchors
2017-09-04 11:37:03 +02:00
3d45fd2713
implemented yarikoptic's suggestions in fail2ban pull request #1376
2017-09-04 11:37:00 +02:00
08878d22dd
added zoneminder.conf filter
2017-09-04 11:36:50 +02:00
a90f6c4ae8
added zoneminder jail and filter
...
# Conflicts:
# config/jail.conf
2017-09-04 11:36:47 +02:00
c312962029
filter.d/dovecot.conf: partially cherry-pick to 0.9 PR #1880 from sebres/0.10-fix-dovecot-regex ( d926e11a5c)
...
fixed failregex (without new mode aggressive)
2017-09-01 10:57:41 +02:00
32058ed268
Merge remote-tracking branch 'remotes/gh-upstream/0.10' into 0.11
2017-09-01 10:37:52 +02:00
2cfc53c08e
remove capturing groups
2017-09-01 10:25:09 +02:00
9b8563f35e
- fixes regex for message `imap-login: Disconnected (auth failed, X attempts) ...` has to many variations on additional info after `<HOST>`,
...
leave it end-anchored because variable part `user=<[^>]*>` (before `<HOST>`) to avoid injecting, but can be safe rewritten using `[^>]*` in opposite to "greedy" `user=<[^>]*>`.
- introduces mode `aggressive` and extends regex for this mode to match:
* no auth attempts (previously removed in gh-601, because of lots of false positives on misconfigured MTAs)
* disconnected before auth was ready
* client didn't finish SASL auth
2017-09-01 09:56:21 +02:00
a287d0a05c
Merge pull request #1872 from kmzby/master
...
Added filter for phpMyAdmin+syslog
2017-08-25 12:22:58 +02:00
4c1abe1cbf
phpmyadmin-syslog: removed excess file, fixed test, updated failregex
2017-08-23 16:56:18 +03:00
d09304b897
phpmyadmin-syslog: added default jail config
2017-08-22 19:00:48 +03:00
5b4bc2aafd
Added filter for phpMyAdmin+syslog (>=4.7.0). Closes #1713
2017-08-22 18:20:01 +03:00
b80692f602
Merge branch '0.10' into 0.11
2017-08-18 15:44:43 +02:00
1d5fbb95ae
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2017-08-18 15:44:22 +02:00
b0e5efb631
bsd-ipfw.conf: sh-compliant redirect of stderr together with stdout
2017-08-18 15:26:09 +02:00
3be32adefb
Replace not posix-compliant grep option: fgrep with `-q` option can cause 141 exit code in some cases (see gh-1389).
2017-08-18 14:37:29 +02:00
f84e58e769
Tweaks to action.d/pf.conf
...
Document recent changes.
Add an option to customize the pf block rule (surely, what the user
really wants, here, is "block quick").
2017-08-18 13:31:34 +02:00
d646d06e91
Tweaks to action.d/pf.conf
...
Document recent changes.
Add an option to customize the pf block rule (surely, what the user
really wants, here, is "block quick").
2017-08-17 09:13:32 -05:00
33874d6e53
action.d/pf.conf: anchored call arguments combined as `<pfctl>` parameter;
...
test cases fixed;
2017-08-16 17:51:07 +02:00
f6ccede2f1
Update pf.conf fixing #1863
...
Fix #1863
Introduce own PF anchors for fail2ban rules.
2017-08-16 17:51:05 +02:00
3f83b22de2
action.d/pf.conf: anchored call arguments combined as `<pfctl>` parameter;
...
test cases fixed;
2017-08-16 11:58:39 +02:00
55baf93635
Update pf.conf fixing #1863
...
Fix #1863
Introduce own PF anchors for fail2ban rules.
2017-08-16 11:33:45 +02:00
b5dd5adb08
Merge pull request #1460 from sebres/0.10-full
...
0.11 ban-time-incr
2017-08-10 15:23:18 +02:00
30219b54c4
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2017-08-09 16:38:29 +02:00
c0eb7752a8
Merge pull request #1651 from szepeviktor/patch-9
...
Introduce Cloudflare API v4
2017-08-09 16:28:52 +02:00
2ed8a38eca
Update cloudflare.conf
...
Switch to API v1 to API v4 per default
2017-08-09 16:27:53 +02:00
da7072d40e
Merge pull request #1846 from Chocobozzz/patch-3
...
Fix empty logfile.log in xarf login attack action
2017-08-09 16:21:47 +02:00
94b163936a
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
...
Removed init section (not needed in filter for 0.10).
# Conflicts:
# config/filter.d/sendmail-reject.conf
2017-08-09 16:16:31 +02:00
af25a9d203
Merge pull request #1566 from opoplawski/journalmatch
...
Add sendmail journalmatch options
2017-08-09 16:14:10 +02:00
84f552881c
Add sendmail journalmatch options
2017-08-09 16:03:34 +02:00
5b7375c614
Merge pull request #1638 from roedie/shorewall-ipv6
...
Add shorewall IPv6 support
2017-08-09 15:54:57 +02:00
e52f483557
Config reader's: introduced new syntax `%(section/option)s`, in opposite to extended interpolation of python 3 `${section:option}` work with all supported python version in fail2ban and this syntax is like our another features like `%(known/option)s`, etc.;
...
Variable `default_backend` switched to `%(default/backend)s`, so totally backwards compatible now, but now the setting of parameter `backend` in default section of `jail.local` can overwrite default backend also.
Test cases extended: test targeted section options "section/option" (default and cross sections options);
2017-08-08 20:21:44 +02:00
5ce8d4f741
fixes default backend handling (as default used value of `known/backend`, which can now be overridden in default section of jail.local);
...
introduces fallback for `known/option`: interpolate missing `known/option` as `option` from default section
2017-08-08 18:41:15 +02:00
2fe1479484
Merge branch '_0.9/gh-1849' into 0.10
2017-08-07 18:07:36 +02:00
5c538fb658
Recognize "unknown user" for additional auth-methods (pam, passwd-file, ldap, sql, etc); simplifying regular expressions (put "unknown user" and "invalid credentials" together as one regex).
2017-08-07 18:04:09 +02:00
0ef5b7c4d4
small amend to gh-1850: removed greedy catch-all at end.
2017-08-07 15:24:16 +02:00
daf57547c6
Parse ejabberd 17.06 output
...
E.g.:
2017-07-29 08:24:04.773 [info] <0.6668.0>@ejabberd_c2s:handle_auth_failure:433 (http_bind|ejabberd_bosh) Failed c2s PLAIN authentication for test@example.ch from ::FFFF:192.0.2.3: Invalid username or password
2017-07-29 19:58:06 +02:00
f4551d02c9
Fix empty logfile.log in xarf login attack action
...
Fix empty 3rd MIME part which contains the attack evidence (logfile.log).
2017-07-25 13:44:29 +02:00
1a562bed0f
Merge remote-tracking branch 'master' into 0.10
...
# Conflicts:
# config/filter.d/asterisk.conf
2017-07-19 08:57:23 +02:00
a5b62a7f36
failregex extended and simplified (partially ported from gh-1409).
2017-07-18 16:34:22 +02:00
098abae4e6
Remove greedy catch-all before `<HOST>`, make regex more universal, fewer prone to errors (should avoid future changes, if some optional parameters coming again before/after `RemoteAddress`) + non-captured groups now.
...
Test for possible injection (5.6.7.8 in session-id) already available, line 59 (thus already covered).
2017-07-18 16:09:53 +02:00
4c0c7b97c0
Update asterisk.conf to new log message
...
I got an issue like this:
[2016-05-15 22:53:00] SECURITY[26428] res_security_log.c: SecurityEvent="FailedACL",EventTV="2016-05-15T22:53:00.203+0300",Severity="Error",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7fb580001518",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/78.129.227.4/62389",SessionTV="1970-01-01T03:00:00.000+0300"
# [sebres] rebased to current master and resolving conflicts.
2017-07-18 15:40:32 +02:00
34cb55fd91
Merge pull request #1695 from benrubson/issue1693
...
Apache, detect syslog prefix
2017-07-14 02:05:23 +02:00
0e33125129
be more precise using common `__prefix_line` expression (set `_daemon` to recognize apache and httpd only)
2017-07-12 11:59:02 +02:00
b561af45ef
apache-common.conf: introduced parameter `logging` for possibility to match lines, if apache logs into syslog/systemd journal;
...
added test cases to cover `apache-auth[logging=syslog]`.
2017-07-12 11:45:44 +02:00
b662cf03ac
Apache, detect syslog prefix, simple example
2017-07-12 11:36:34 +02:00
6c030c5e10
Merge pull request #1717 from szepeviktor/patch-11
...
Updated xarf-specification repo URL in xarf action
2017-07-12 09:54:15 +02:00
7217ef5c9e
filter.d/ejabberd-auth.conf: fixed ejabberd filter - accept new log-format with `wait_for_sasl_response` instead of `wait_for_feature_request` + optional part "IP " (gh-993)
2017-07-11 15:25:51 +02:00
dae4988aea
filter.d/roundcube-auth.conf: fixes failregex not working with `X-Real-IP` or/and `X-Forwarded-For` (gh-1303)
2017-07-11 14:59:24 +02:00
e26cc5de45
restore backwards compatibility (jail postfix-sasl); changelog update
2017-07-11 11:57:48 +02:00
aa92b68d4a
filter.d/postfix.conf: normalized several postfix-filters using parameter `mode` (as discussed in gh-1813);
...
introduced parameter `mode`: more (default, combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
replacement for gh-1239, gh-1697, gh-1764; closes gh-1245, gh-1297.
2017-07-10 20:49:28 +02:00
d32a3913cf
postfix postscreen (resp. other RBL's compatibility fix) / gh-1764
2017-07-10 15:38:24 +02:00
57ea38c342
Update paths-debian.conf
...
Fixed mail.log path since in the default rsyslog configuration of debians the `mail.warn` is commented now (see `/etc/rsyslog.d/50-default.conf`: `#mail.warn -/var/log/mail.warn`).
Closes gh-1687
2017-07-05 19:57:30 +02:00
546cd55342
Merge branch 'master' into 0.10
2017-07-03 13:02:25 +02:00
a1d0633e69
filter.d/asterisk.conf - fixed failregex AMI Asterisk authentification failed (see gh-1302):
...
- optional space between NOTICE and pid;
- optional part "Host " before IP-address;
2017-07-03 12:57:28 +02:00
33fcf8d809
Merge branch 'master' into 0.10
2017-07-03 12:43:48 +02:00
1307e0a5b9
Merge pull request #1760 from szepeviktor/patch-12
...
Courier may complain about the method only
2017-07-03 12:00:36 +02:00
f27e053592
Update bsd-ipfw.conf
...
increased starting rule number (lowest_rule_num = 111)
2017-07-01 17:10:53 +02:00
001c0898d6
Merge branch 'master' into master
2017-06-30 18:07:38 +02:00
6110ba9cc3
filter.d/proftpd.conf: added option `journalmatch` for systemd backend (closes gh-1613)
2017-06-30 18:00:01 +02:00
37ca4f17c2
filter.d/roundcube-auth.conf: added missing entry `journalmatch` from original gh-1783.
2017-06-26 11:24:10 +02:00
986dd3107d
Merge branch '0.10' into patch-12
2017-06-19 18:37:28 +02:00
d3ae70beb6
filter.d/roundcube-auth.conf: Use the same filter-file and jail also when logging errors to journal instead to a local file.
...
Additionally fixes more complex injections on username.
2017-06-19 18:12:13 +02:00
691c080dc7
Added roundcube authentication filter, new jail and log-examples
2017-06-19 16:52:42 +02:00
3294840c2a
Merge pull request #1801 from jeaye/postfix-updates
...
filter.d/postfix.conf: update to the latest postfix logging format
2017-06-19 16:44:37 +02:00
efeca8fdeb
postfix.conf: removes unneeded end-anchoring like `.*$`, etc.
...
also removes several dynamic content at end, which are of no avail there.
Additionally normalizes optional part (mail-ID) after reason number.
2017-06-19 16:25:46 +02:00
d2c39d2e45
Merge branch '0.10' into 0.10-full
...
# Conflicts:
# fail2ban/server/database.py - resolved and test-case with persistent ban-time fixed/extended (bantime presents in database)
2017-06-16 09:35:27 +02:00
dcdf677438
Merge remote-tracking branch 'master' into 0.10
2017-06-15 11:49:51 +02:00
2b358bc1a4
filter.d/apache-overflows.conf: rewritten without end-anchor ($), because apache-log could contain very long URLs (and/or referrer), the parsing of it anchored way may be very vulnerable (at least as regards the system resources, see gh-1790).
2017-06-15 11:16:19 +02:00
6f3d425c4d
Update postfix filters and tests
2017-06-12 18:56:19 -07:00
bbea73d79d
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2017-06-12 13:11:45 +02:00
d56554ecf3
Merge pull request #1688 from felixonmars/arch-config
...
Add a path configuration for Arch Linux
2017-06-06 10:55:13 +02:00
b93e47b12f
dovecot: Match also when user field is empty
...
Commit 5678d08
2017-05-31 15:54:30 +02:00
228d25c548
Update Kerio Connect filter ( #1455 )
...
* Update Kerio Connect filter
Fixed regex for some log entries that did not get recognized and some additional error formats are added.
* Add missing colon, GitHub address
* Add filter tests
* Add missing test
2017-05-30 20:27:44 +02:00
80cc47b75f
Update helpers-common.conf
...
fixed grep pattern: escape dot-char in search-IP and more restrictive boundaries (IPv6-capable)
2017-05-30 09:14:43 +02:00
5bb6be0163
IPv6 address may overlap
2017-05-30 02:05:38 +02:00
c21b4e4d56
[ban-time-incr] prolong ban, dynamic bantime, etc.:
...
- dynamic bantime: introduces new action-tag `<bantime>` corresponds to the current ban-time of the ticket;
Note: because it is dynamic, it should be normally removed from `jail.conf` (resp. `jail.local`).
- introduced new action command `actionprolong`, used for prolongation of the timeout (ban-time of the ticket);
- removed default `timeout` from `actionstart` of several actions;
- faster and safer function escapeTag (replacement at once in one run, '\n' and '\r' escaped also);
2017-05-17 13:25:06 +02:00
6724de54e6
Merge branch '0.10' into 0.10-full
2017-05-17 11:35:33 +02:00
ff1c6718da
Postfix RBL: 554 & SMTP
...
Cherry-pick of 607568f5da
2017-05-15 14:42:37 +02:00
b13d9d4e22
Merge branch 'master' into 0.10
2017-05-07 21:29:12 +02:00
0600d51511
filter.d/exim.conf: added new reason for "rejected RCPT" regex: Unrouteable address
2017-05-07 14:02:38 +02:00
49e237209e
Merge branch 'master' into 0.10
2017-05-07 13:32:12 +02:00
c546f85207
filter.d/exim.conf: cherry-picked from 0.10, match complex time like `D=2m42s` (closes gh-1766)
2017-05-07 13:02:32 +02:00
ac256a822b
Make courier-auth regexp a non-captured group
2017-04-28 16:58:24 +02:00
4bb8a58dcf
Courier may complain about the method only
...
> Mar 30 22:29:18 szerver imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:1.2.3.4]
2017-04-28 15:49:59 +02:00
c3426ba5f6
Update botsearch-common.conf ( #1759 )
...
* Update botsearch-common.conf, apache-modsecurity.conf: typo and missing new-line
2017-04-26 20:14:39 +02:00
8839bcbb09
Merge remote-tracking branch master into 0.10
2017-04-25 10:07:19 +02:00
99344d28c8
Introduces new tags with hostname:
...
- `<fq-hostname>` - fully-qualified name of host (the same as `$(hostname -f)`)
- `<sh-hostname>` - short hostname (the same as `$(uname -n)`)
Execution of `uname -n` replaced in all mail actions with most interesting fully-qualified `<fq-hostname>`.
2017-04-24 21:17:55 +02:00
3161bcf78b
filter.d/exim.conf: optional part `(...)` after host-name before `[IP]`, normalized over whole config file.
...
# Conflicts:
# config/filter.d/exim.conf
2017-04-24 19:21:26 +02:00
507034c5be
filter.d/apache-auth.conf: joined some similar expressions
2017-04-24 15:32:44 +02:00
6dfd080e20
Update apache-auth.conf
...
remove forgotten referer, that may prevent failure recognition (belongs to gh-1645)
2017-04-21 11:17:13 +02:00
311f8fea83
Merge branch '0.10' into issue1644
2017-04-21 10:32:29 +02:00
bb79e7f413
Parameter not needed
...
The parameter '-s' causes an error as the <mailcmd> already has the parameter.
2017-04-11 11:13:58 -04:00
4f0f22702a
Update haproxy-http-auth.conf
...
little bit more precise expression
2017-04-11 09:11:08 +02:00
4fc6323ff0
haproxy-http-auth: avoid port number in IPv6 addresses
...
The solution taken is to consume the port number explicitely in
the regexp.
2017-04-07 13:59:22 +02:00
97e8b42d34
dummy action extended with more examples and test-covered now
2017-03-30 13:02:37 +02:00
d03872fbbf
bulk unban: add new command `actionflush` default for several iptables/iptables-ipset actions (and common include):
...
iptables-common
iptables
iptables-allports
iptables-multiport-log
iptables-multiport
iptables-new
iptables-ipset-proto4
iptables-ipset-proto6
iptables-ipset-proto6-allports
executing `actionflush` command covered for this actions now
2017-03-29 23:24:11 +02:00
8bf79fa483
implemented execution of `actionstart` on demand, if action depends on `family` (closes gh-1741);
...
new action parameter "actionstart_on_demand" (bool) can be set to prevent/allow starting action on demand (default retrieved automatically, if some conditional parameter `param?family=...` presents in action properties);
2017-03-29 17:44:15 +02:00
c82495353f
Update mysqld-auth.conf ( #1725 )
2017-03-24 19:03:20 +01:00
52c1950371
Update mysqld-auth.conf
...
small typo, closes gh-1725 (Thx @seth-reeser)
2017-03-24 19:03:17 +01:00
5e93bf9bd3
Introduced new option "ignoreself", specifies whether the local resp. own IP addresses should be ignored (default is true).
...
Fail2ban will not ban a host which matches such addresses.
Option "ignoreip" affects additionally to "ignoreself" and don't need to include the DNS resp. IPs of the host self.
2017-03-23 15:52:31 +01:00
f13fac5ae9
amend to 5561423be3b2d4636f5484183c3ad470fd326d06: fixed incorrect failure counting despite the `<F-NOFAIL>` marked regex;
...
extra: introduced new tag `<F-MLFFORGET>` as mark to forget current multi-line MLFID (e. g. connection closed);
Closes gh-1727
2017-03-21 00:15:57 +01:00
5561423be3
filter.d/sshd.conf: fixed failregex format - some parts are optional, new ddos more precise rule (Connection reset by with host entry);
...
closes gh-1719
2017-03-15 18:01:20 +01:00
d79267c424
Updated xarf-specification repo URL in xarf action
2017-03-14 20:47:31 +01:00
875295320e
Merge remote-tracking branch 'remotes/gh-upstream/0.10' into 0.10-full
2017-03-13 02:12:39 +01:00
0c1707afda
filter.d/sshd.conf:
...
- optional parameter `mode` rewritten: normal (default), ddos, extra or aggressive (combines all), see sshd for regex details);
test cases reformatted (since "filterOptions", we don't need multiple test log-files anymore);
2017-03-10 22:09:11 +01:00
7e442c5b27
filter.d/sendmail-reject.conf:
...
- rewritten using `prefregex` and used MLFID-related multi-line parsing (by using tag `<F-MLFID>` instead of buffering with `maxlines`);
- optional parameter `mode` introduced: normal (default), extra or aggressive (see sendmail-reject for regex details);
test cases extended
2017-03-10 21:44:19 +01:00
52ed6597b2
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2017-03-09 16:27:14 +01:00
8768776d68
filter.d/cyrus-imap.conf: fixed `failregex` - accept entries without login-info resp. hostname before IP address
2017-03-09 16:13:45 +01:00
d042981954
Merge pull request #1655 from ajcollett/0.10
...
Added config for AbuseIPDB
2017-03-09 15:15:26 +01:00
b1f5ac9484
Update abuseipdb.conf
2017-03-09 13:33:11 +01:00
62fa02241f
Update jail.conf
2017-03-09 13:31:40 +01:00
6a2c95da95
`action.d/sendmail-geoip-lines.conf` fixed using new tag `<ip-host>` (dns-cache and without external command execution);
...
changelog updated;
2017-03-08 16:51:08 +01:00
28b5262976
Merge branch '0.10' into 0.10-full
2017-02-28 15:14:51 +01:00
d2a3d093c6
rewritten CallingMap: performance optimized, immutable, self-referencing, template possibility (used in new ActionInfo objects);
...
new ActionInfo handling: saves content between actions, without interim copying (save original on demand, recoverable via reset);
test cases extended
2017-02-24 11:54:24 +01:00
35efca5941
Better multi-line handling introduced: single-line parsing with caching of needed failure information to process in further lines.
...
Many times faster and fewer CPU-hungry because of parsing with `maxlines=1`, so without line buffering (scrolling of the buffer-window).
Combination of tags `<F-MLFID>` and `<F-NOFAIL>` can be used now to process multi-line logs using single-line expressions:
- tag `<F-MLFID>`: used to identify resp. store failure info for groups of log-lines with the same identifier (e. g. combined failure-info for the same conn-id by `<F-MLFID>(?:conn-id)</F-MLFID>`, see sshd.conf for example)
- tag `<F-NOFAIL>`: used as mark for no-failure (helper to accumulate common failure-info);
filter.d/sshd.conf: [sshd], [sshd-ddos], [sshd-aggressive] optimized with pre-filtering using new option `prefregex` and new multi-line handling.
2017-02-22 22:19:43 +01:00
22afdbd536
Several filters optimized with pre-filtering using new option `prefregex`
2017-02-21 15:54:59 +01:00
4ff8d051f4
Introduced new filter option `prefregex` for pre-filtering using single regular expression;
...
Some filters extended with user name;
[filter.d/pam-generic.conf]: grave fix injection on user name to host fixed;
test-cases in testSampleRegexsFactory can now check the captured groups (using additionally fields in failJSON structure)
2017-02-20 16:54:17 +01:00
2fa18a74c4
Merge branch 'master' into master
2017-02-17 09:06:09 +01:00
4bf09bf297
provides new tag `<ip-rev>` for PTR reversed representation of IP address;
...
[action.d/complain.conf] fixed using this new tag;
2017-02-16 13:38:20 +01:00
7f63809afb
Merge branch '0.10' into patch-1
2017-02-15 20:33:36 +01:00
a4ec017d1c
Merge branch '0.10' into 0.10-full
2017-02-15 09:26:01 +01:00
861ce4177c
#1689 : Make lowest rule number in action.d/bsd-ipfw.conf configurable
2017-02-14 18:31:42 +01:00
68d829c1dd
Add a path configuration for Arch Linux
2017-02-14 18:43:01 +08:00
58c68b75f0
Remove double-quotes from email addresses
2017-02-08 14:16:13 +01:00
1bcf0de7c1
Update complain.conf
2017-02-07 21:39:46 +01:00
607568f5da
Postfix RBL: 554 & SMTP
2017-02-07 15:26:06 +01:00
901eeff53d
Make Abusix lookup compatible with Dash
2017-02-06 22:04:36 +01:00
99634638ba
Merge branch '0.10' into 0.10-full
2017-01-23 09:51:36 +01:00
Michael Grant