Commit Graph

902 Commits (5d8f5004718d38146c6821f37eaeb3c7b0415d9d)

Author SHA1 Message Date
j-marz 5d8f500471 updated formatting to pass tests 2021-03-29 08:36:53 +11:00
j-marz 2686811593 Updated zoneminder filter
Support new log format, ERR instead of WAR. Add detection of non-existent user login attempts
2021-03-28 21:19:10 +11:00
sebres fb08534ed7 Merge branch '0.11' 2021-03-03 18:17:35 +01:00
sebres a45b1c974c filter.d/ignorecommands/apache-fakegooglebot: added timeout parameter (default 55 seconds) - avoid fail with timeout (default 1 minute) by reverse lookup on some slow DNS services (googlebots must be resolved fast);
closes gh-2951
2021-03-02 19:35:27 +01:00
Sergey G. Brester a2f0dbad87
Merge pull request #2742 from aresxc/patch-1
Update  drupal-auth.conf
2021-02-11 19:10:55 +01:00
Sergey G. Brester d678440658
more precise RE (avoids weakness with catch-all's and is injection safe) 2021-02-11 18:32:32 +01:00
Brian J. Murrell dc4ee5aa47 Add transport to asterisk RE
Call rejection messages from Asterisk can have the transport prefixed to the IP address.

Signed-off-by: Brian J. Murrell <brian@interlinx.bc.ca>
2021-01-31 15:22:16 +01:00
sebres 21dd317870 Merge branch '0.11' 2021-01-21 19:13:13 +01:00
sebres 9df332fdef filter.d/apache-overflows.conf: extended to match AH00126 error (Invalid URI ...);
closes gh-2908
2021-01-11 15:10:53 +01:00
sebres 2c60d08b28 Merge '0.11' (fix gh-2899) into master 2020-12-29 21:27:02 +01:00
sebres 73b39e0894 filter.d/named-refused.conf: fixes prefix for messages from systemd journal (no mandatory space ahead, because don't have timestamp)
closes gh-2899
2020-12-29 21:22:47 +01:00
defanor ba7daef86c Handle postscreen's PREGREET and HANGUP messages
Provoking those seems to be a popular activity among spammers.
2020-12-24 17:29:09 +03:00
sebres a03109d096 Merge branch '0.11' into master (0.11.2 released) 2020-11-24 12:41:10 +01:00
Sergey G. Brester 071048b8f2
Merge pull request #2750 from janprzy/master
Added filter nginx-bad-request
2020-11-23 18:28:07 +01:00
sebres 7965d652a1 filter.d/dovecot.conf: allow more verbose logging
closes #2573
2020-11-23 18:17:29 +01:00
sebres a6de9459fc typo 2020-11-23 18:08:38 +01:00
RyuaNerin bba8844af8 typo 2020-11-23 18:07:49 +01:00
mpoliwczak834 595ee7ed74 add submission 2020-11-23 17:42:12 +01:00
mpoliwczak834 0c12cb7970 add managesieve support dovecot filter 2020-11-23 17:42:11 +01:00
sebres cc64ef25f6 filter.d/apache-noscript.conf: extended to match "script not found" with error AH02811 (and cgi-bin path segment in script)
closes gh-2805
2020-11-23 17:25:41 +01:00
Sergey G. Brester 1c1a9b868c
no catch-alls, user name and error message stored in ticket 2020-11-09 15:36:30 +01:00
benrubson 840f0ff10a Add Grafana jail 2020-11-09 15:31:06 +01:00
sebres 25e006e137 review and small tweaks (more precise and safe RE) 2020-11-09 13:43:59 +01:00
Mart124 df659a0cbc Add Bitwarden syslog support 2020-11-09 13:34:39 +01:00
Sergey G. Brester 010e76406f
small tweaks (both 2nd time and facility are optional, avoid catch-all, etc) 2020-11-09 13:19:25 +01:00
benrubson ec873e2dc3 Add SoftEtherVPN jail 2020-11-05 23:56:30 +01:00
sebres 02525d7b6f filter.d/sshd.conf: mode `ddos` (and `aggressive`) extended with new rule closing flood attack vector, matching:
error: kex_exchange_identification: Connection closed by remote host
(gh-2850)
2020-10-08 21:07:51 +02:00
sebres db1f3477cc amend to 3f04cba9f92a1827d0cb3dcb51e57d9f60900b4a: sendmail-auth has 2 failregex now, so rewritten with prefregex 2020-08-27 18:07:42 +02:00
sebres 3f04cba9f9 filter `sendmail-auth` extended to follow new authentication failure message introduced in sendmail 8.16.1, AUTH_FAIL_LOG_USER (gh-2757) 2020-08-27 17:44:25 +02:00
sebres 07fa9f2912 fixes gh-2787: allow to match `did not issue MAIL/EXPN/VRFY/ETRN during connection` non-anchored with extra mode (default names may deviate);
additionally provides common addr-tag for IPv4/IPv6 (`(?:IPv6:<IP6>|<IP4>)`) and test-coverage for IPv6
2020-08-27 17:04:19 +02:00
benrubson 1707560df8 Enhance Guacamole jail 2020-08-25 13:01:50 +02:00
Jan Przybylak a5ab4406d8 Removed unnecessary escape sequence
This commit also contains changes to match requests that are 100% empty (by using "*" instead of "+" in the regex)
2020-06-21 18:24:09 +02:00
Jan Przybylak d7ef5d166d Removed vulnerable catchall & anchor 2020-06-11 16:44:48 +02:00
sebres 5a0edf61c9 filter.d/sshd.conf: normalizing of user pattern in all RE's, allowing empty user (gh-2749) 2020-06-08 14:38:26 +02:00
Jan Przybylak 3c83c19070 Added filter nginx-bad-request 2020-06-06 19:51:46 +02:00
aresdr 412120ac3c
Update drupal-auth.conf
Small fix for Drupal 8. D8 uses "Login attempt failed from" while D7 uses "Login attempt failed for".
The referer part is a must currently, but some requests did not have one and are not failing.
2020-05-30 15:25:31 -07:00
Sergey G. Brester 368aa9e775
Merge pull request #2689 from benrubson/gitlab
New Gitlab jail
2020-05-04 19:19:13 +02:00
sebres 6b90ca820f filter.d/traefik-auth.conf: filter extended with parameter mode (`normal`, `ddos`, `aggressive`) to handle the match of username differently:
- `normal`: matches 401 with supplied username only
  - `ddos`: matches 401 without supplied username only
  - `aggressive`: matches 401 and any variant (with and without username)
closes gh-2693
2020-04-23 13:08:24 +02:00
sebres affd9cef5f filter.d/courier-smtp.conf: prefregex extended to consider port in log-message (closes gh-2697) 2020-04-21 13:32:17 +02:00
benrubson 2912bc640b New Gitlab jail 2020-04-09 16:42:08 +02:00
sebres 136781d627 filter.d/sshd.conf: fixed regex for mode `extra` - "No authentication methods available" (supported seems to be optional now, gh-2682) 2020-04-08 12:17:59 +02:00
sebres 22a04dae05 Merge branch '0.9' into 0.10 (gh-2246) 2020-03-18 16:11:53 +01:00
Sergey G. Brester b1e1cab4b7
Merge pull request #2246 from shaneforsythe/shaneforsythe-patch-2
Improve regex in proftpd.conf
2020-03-18 15:49:18 +01:00
sebres 606bf110c9 filter.d/sshd.conf (mode `ddos`): fixed "connection reset" regex (seems to have same syntax now as closed), so both regex's combined now to single RE
(closes gh-2662)
2020-03-16 17:31:39 +01:00
sebres 42714d0849 filter.d/common.conf: closes gh-2650, avoid substitute of default values in related `lt_*` section, `__prefix_line` should be interpolated in definition section (after the config considers all sections that can overwrite it);
amend to 62b1712d22 (PR #2387, backend-related option `logtype`);
testSampleRegexsZZZ-GENERIC-EXAMPLE covering now negative case also (other daemon in prefix line)
2020-03-05 13:47:11 +01:00
sebres ab3a7fc6d2 filter.d/sshd.conf: mode `ddos` (and aggressive) extended to detect port scanner sending unexpected ident string after connect 2020-02-17 16:24:42 +01:00
sebres 9137c7bb23 filter processing:
- avoid duplicates in "matches" (previously always added matches of pending failures to every next real failure, or nofail-helper recognized IP, now first failure only);
  - several optimizations of merge mechanism (multi-line parsing);
fail2ban-regex: better output handling, extended with tag substitution (ex.: `-o 'fail <ip>, user <F-USER>: <msg>'`); consider a string containing new-line as multi-line log-excerpt (not as a single log-line)
filter.d/sshd.conf: introduced parameter `publickey` (allowing change behavior of "Failed publickey" failures):
  - `nofail` (default) - consider failed publickey (legitimate users) as no failure (helper to get IP and user-name only)
  - `invalid` - consider failed publickey for invalid users only;
  - `any` - consider failed publickey for valid users too;
  - `ignore` - ignore "Failed publickey ..." failures (don't consider failed publickey at all)
tests/samplestestcase.py: SampleRegexsFactory gets new failJSON option `constraint` to allow ignore of some tests depending on filter name, options and test parameters
2020-02-13 12:28:07 +01:00
sebres 1492ab2247 improve processing of pending failures (lines without ID/IP) - fail2ban-regex would show those in matched lines now (as well as increase count of matched RE);
avoid overwrite of data with empty tags by ticket constructed from multi-line failures;
amend to d1b7e2b5fb2b389d04845369d7d29db65425dcf2: better output (as well as ignoring of pending lines) using `--out msg`;
filter.d/sshd.conf: don't forget mlf-cache on "disconnecting: too many authentication failures" - message does not have IP (must be followed by "closed [preauth]" to obtain host-IP).
2020-02-11 18:44:36 +01:00
Sergey G. Brester 774dda6105
filter.d/postfix.conf: extended mode ddos and aggressive covering multiple disconnects without auth 2020-02-10 13:29:16 +01:00
sebres 569dea2b19 filter.d/mysqld-auth.conf: capture user name in filter (can be more strict if user switched, used in action or fail2ban-regex output);
also add coverage for mariadb 10.4 log format (gh-2611)
2020-01-22 17:24:40 +01:00