Commit Graph

1454 Commits (5b0c3e75d33c0ea9458ef5880048ecf5aa434457)

Author SHA1 Message Date
sebres 19a5a2f8c0 filter.d/murmur.conf: fixed detection of failures reading from journal (systemd-backend only):
7 years ago
sebres 0be0e43d47 amend to 03b577d7b92a120e325abe20a99b6956a7e0657c: add new-line after matches via tag `<br>` without usage of interim variable
7 years ago
sebres 03b577d7b9 action.d/blocklist_de.conf: fixed tag substitution (in 0.10 it can be variables supplied via shell-arguments), expand `<matches>` with trailing newline;
7 years ago
Yaroslav Halchenko 527bb9a7c3 dos2unix for helpers-common.conf
7 years ago
sebres f69e28adfc action.d/pf.conf: compatibility fix - recognizes that parameter `port` specified as empty, with or without braces (should be more backwards compatible to 0.9 now).
7 years ago
sebres ed22ddbbbb Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
7 years ago
sebres 63e906b2c1 regex rewritten: a bit less vulnerable now and using non-capturing groups, test-cases extended in order to cover trying of injection on user name
7 years ago
Benedikt Seidl fed6c49c2d nginx-http-auth: match usernames with spaces
7 years ago
Sergey G. Brester b6c6565a7e regex updated using non-capturing groups
7 years ago
riceru 6a1bbbf101 Update lighttpd-auth.conf
7 years ago
sebres 2b7b0da943 Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
7 years ago
Serg G. Brester 7e05976ead action.d/hostsdeny.conf: actionunban rewritten using sed, also dots in IP were escaped now.
7 years ago
sebres 2112145eb4 stop ban of legitimate users with multiple public keys (e. g. git, etc), thereby
7 years ago
sebres 314e402fe0 filter.d/sendmail-auth.conf - extended daemon for Fedora 24/RHEL - the daemon name is "sendmail" (gh-1632)
7 years ago
sebres c30144b37a Merge branch '0.9' into 0.10
7 years ago
sebres 131b94e11e firewallcmd-ipset-allports: implemented in `action.d/firewallcmd-ipset.conf` now (`action.d/firewallcmd-ipset-allports.conf` removed), usage:
7 years ago
Danila Vershinin c190631f88 New ban action firewallcmd-ipset-allports. Closes #1167
7 years ago
Yannik Sembritzki 94f0b15c32 Allow faster parsing of hosts without ' characters in them
7 years ago
Yannik Sembritzki b28dfb965a Fix filter not catching asterisk requests with quote character in username (fixes #2010)
7 years ago
root 79f414c6a2 fix <family> typo
7 years ago
root 7c63eb2378 In the CentOS7 and epel environment, result of "firewall-cmd -direct -get -chains ipv4 filter" is displayed one line
7 years ago
sebres 6ccaa03e00 action.d/firewallcmd-ipset.conf: extended with actionflush to bulk unban resp. flush ipset
7 years ago
sebres 2712f72650 Merge remote-tracking branch 'master' into 0.10
7 years ago
sebres e384acca5f action.d/firewallcmd-ipset.conf: fixed create of set for ipv6 (missing `family inet6`)
7 years ago
Kevin Maradona 6c705d572b filter.d/nginx-limit-req.conf: nginx limit-req log-level can be set to warn or error therefore having this regex will include both of them.
7 years ago
sebres ffd6b9f6de jail.conf: extended with new parameter `mode` for the filters supporting it;
7 years ago
sebres 2b68882502 filter.d/exim.conf: provides mode "aggressive" to ban flood resp. DDOS-similar failures;
7 years ago
sebres 7f89fbc33f Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
7 years ago
Serg G. Brester 4f63180611 Avoid injection using quotes after `auth` command;
7 years ago
Serg G. Brester f59df2e156 Avoid any injecting on protocol (e. g. tries using camel-case)
7 years ago
Peter Nowee aa158ac05f Exim failregex: Include lower/mixed case AUTH
7 years ago
SlowRiot 660d57e6ba updating my email address
7 years ago
sebres 76f2865883 implemented new action "action.d/nginx-block-map.conf", used in order to ban not IP-related tickets via nginx (session blacklisting in nginx-location with map-file);
7 years ago
sebres f31195a4fc added new logtarget "SYSOUT" to log from fail2ban working in foreground as systemd-service (in opposite to "STDOUT" don't log time-stamps).
7 years ago
sebres 159957ab88 filter.d/sshd.conf: extended failregex for modes "extra"/"aggressive": now finds all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors;
7 years ago
sebres 7e756da2b9 Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
7 years ago
sebres eba68a8f37 config/paths-common.conf: Added initial values for `syslog_authpriv`, `syslog_mail` in order to avoid errors while parsing/interpolating configuration;
7 years ago
Serg G. Brester 9876dd44f9 replace port imap3 with imap everywhere, since imap3 is not a standard port and old rarely (if ever) used and missing on some systems
7 years ago
Jeff Potter 4a2fc8b7e8 Include imap (port 143) in courier-auth ports
7 years ago
sebres b615a98540 jail.conf: avoid overwriting of default value of the parameter `chain` of several actions (where default chain != INPUT);
7 years ago
Serg G. Brester e07a8cda07 Update jail.conf
7 years ago
Serg G. Brester 1a8fb6290d Merge pull request #1926 from sebres/0.10-pf-actionflush
7 years ago
sebres 0e66e3cc57 Merge branch 'master' into 0.10
7 years ago
Michael Newton d5d1fe679f Remove invalid regex
7 years ago
sebres a1b863fcf6 action.d/pf.conf: extended with bulk-unban, command `actionflush` in order to flush all bans at once (by stop jail, resp. shutdown of fail2ban)
7 years ago
sebres 8726c9fb0a pf.conf: enclose ports in braces, multiple ports expecting this syntax `... any port {http, https}`.
7 years ago
Łukasz Wąsikowski a4f94d2619 Update pf.conf
7 years ago
Harry Wood ea1b663f85 typo
7 years ago
sebres e71f16f6ba Merge branch 'master' into 0.10
7 years ago
sebres ea36e1b3fc filter.d/dovecot.conf: fixed failregex to recognize pam_authenticate failures with "Permission denied" (gh-1897)
7 years ago
sebres 8c804a2290 Merge branch 'master' into 0.10
7 years ago
sebres a2120a9de5 filter.d/postfix-*.conf - added optional port regex (closes gh-1902)
7 years ago
Louis Sautier 152c9d27d5 Fix nftables actions for IPv6 addresses, fixes #1893
7 years ago
sebres b185e7cb04 Merge remote-tracking branch 'upstream/master' into 0.10
7 years ago
Serg G. Brester fd83260bd8 jail "pass2allow-ftp" should supply blocktype to action
7 years ago
Serg G. Brester bb97e66627 Merge pull request #1882 from coderua/patch-1
7 years ago
Serg G. Brester 2cd02b731b filter.d/exim.conf: fixed failregex for case of `D=0s`
7 years ago
sebres 4bc226a692 optimized regex
7 years ago
Vladimir Chumak fafefc0293 Add Jorgee Vulnerability Scanner protect
7 years ago
sebres 4163f32968 small review, prefix replaced with `%(_apache_error_client)s` from apache-common.conf include
7 years ago
john ac95449bbb changed zoneminder regex as per Sebres and yarikoptic recommendations
7 years ago
john 7013729a1f removed redundant options for zoneminder from jail.conf
7 years ago
john 5c3a666380 fixed incomplete regex after adding anchors
7 years ago
john 3d45fd2713 implemented yarikoptic's suggestions in fail2ban pull request #1376
7 years ago
john 08878d22dd added zoneminder.conf filter
7 years ago
john a90f6c4ae8 added zoneminder jail and filter
7 years ago
sebres c312962029 filter.d/dovecot.conf: partially cherry-pick to 0.9 PR #1880 from sebres/0.10-fix-dovecot-regex (d926e11a5c)
7 years ago
sebres 2cfc53c08e remove capturing groups
7 years ago
sebres 9b8563f35e - fixes regex for message `imap-login: Disconnected (auth failed, X attempts) ...` has too many variations on additional info after `<HOST>`,
7 years ago
Serg G. Brester a287d0a05c Merge pull request #1872 from kmzby/master
7 years ago
Pavel Mihadyuk 4c1abe1cbf phpmyadmin-syslog: removed excess file, fixed test, updated failregex
7 years ago
Pavel Mihadyuk d09304b897 phpmyadmin-syslog: added default jail config
7 years ago
Pavel Mihadyuk 5b4bc2aafd Added filter for phpMyAdmin+syslog (>=4.7.0). Closes #1713
7 years ago
sebres 1d5fbb95ae Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
7 years ago
Serg G. Brester b0e5efb631 bsd-ipfw.conf: sh-compliant redirect of stderr together with stdout
7 years ago
sebres 3be32adefb Replace not posix-compliant grep option: fgrep with `-q` option can cause 141 exit code in some cases (see gh-1389).
7 years ago
Jacques Distler f84e58e769 Tweaks to action.d/pf.conf
7 years ago
sebres 33874d6e53 action.d/pf.conf: anchored call arguments combined as `<pfctl>` parameter;
7 years ago
Alexander Köppe f6ccede2f1 Update pf.conf fixing #1863
7 years ago
sebres 30219b54c4 Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
7 years ago
Serg G. Brester c0eb7752a8 Merge pull request #1651 from szepeviktor/patch-9
7 years ago
Serg G. Brester 2ed8a38eca Update cloudflare.conf
7 years ago
Serg G. Brester da7072d40e Merge pull request #1846 from Chocobozzz/patch-3
7 years ago
sebres 94b163936a Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
7 years ago
Serg G. Brester af25a9d203 Merge pull request #1566 from opoplawski/journalmatch
7 years ago
Orion Poplawski 84f552881c Add sendmail journalmatch options
7 years ago
Serg G. Brester 5b7375c614 Merge pull request #1638 from roedie/shorewall-ipv6
7 years ago
sebres e52f483557 Config reader's: introduced new syntax `%(section/option)s`, in opposite to extended interpolation of python 3 `${section:option}` work with all supported python version in fail2ban and this syntax is like our another features like `%(known/option)s`, etc.;
7 years ago
sebres 5ce8d4f741 fixes default backend handling (as default used value of `known/backend`, which can now be overridden in default section of jail.local);
7 years ago
sebres 2fe1479484 Merge branch '_0.9/gh-1849' into 0.10
7 years ago
sebres 5c538fb658 Recognize "unknown user" for additional auth-methods (pam, passwd-file, ldap, sql, etc); simplifying regular expressions (put "unknown user" and "invalid credentials" together as one regex).
7 years ago
sebres 0ef5b7c4d4 small amend to gh-1850: removed greedy catch-all at end.
7 years ago
Marcel Waldvogel daf57547c6 Parse ejabberd 17.06 output
7 years ago
Bigard Florian f4551d02c9 Fix empty logfile.log in xarf login attack action
7 years ago
sebres 1a562bed0f Merge remote-tracking branch 'master' into 0.10
7 years ago
sebres a5b62a7f36 failregex extended and simplified (partially ported from gh-1409).
7 years ago
sebres 098abae4e6 Remove greedy catch-all before `<HOST>`, make regex more universal, less prone to errors (should avoid future changes, if some optional parameters coming again before/after `RemoteAddress`) + non-captured groups now.
7 years ago
Kirill 4c0c7b97c0 Update asterisk.conf to new log message
7 years ago
Serg G. Brester 34cb55fd91 Merge pull request #1695 from benrubson/issue1693
7 years ago
sebres 0e33125129 be more precise using common `__prefix_line` expression (set `_daemon` to recognize apache and httpd only)
7 years ago