sebres
6281dc3633
failmanager, ticket: avoid reset of retry count by pause between attempts near to findTime - adjust time of ticket will now change current attempts considering findTime as an estimation from rate by previous known interval (if it exceeds the findTime);
this should avoid some false positives as well as provide safer handling of the `maxretry/findtime` relation, especially in busy circumstances.
2020-03-02 17:05:00 +01:00
sebres
4766547e1f
performance optimization of `datepattern` (better search algorithm);
datetemplate: improved anchor detection for capturing groups `(^...)`; introduced new prefix `{UNB}` for `datepattern` to disable word boundaries in regex;
datedetector: speedup special case if only one template is defined (every match wins - no collision, no sorting, no other best match possible)
2020-02-28 14:27:21 +01:00
Sergey G. Brester
2e42b98cd3
Merge pull request #2638 from gurnec/pypy-ulimit-fix
close Popen() pipes explicitly for PyPy
2020-02-25 15:31:31 +01:00
sebres
6c6cf2a956
small amend (avoid possible error on closing a non-existent pipe)
2020-02-25 15:06:04 +01:00
Christopher Gurnee
df885586d4
close Popen() pipes explicitly for PyPy
Waiting for garbage collection to close pipes opened by Popen() can
lead to "Too many open files" errors with PyPy; close them explicitly.
2020-02-25 14:55:10 +01:00
sebres
e57e950ef5
version bump (back to dev)
2020-02-25 14:51:54 +01:00
sebres
ab3a7fc6d2
filter.d/sshd.conf: mode `ddos` (and aggressive) extended to detect port scanner sending unexpected ident string after connect
2020-02-17 16:24:42 +01:00
sebres
b3644ad413
code normalization and optimization (strip of trailing new-line, date parsing, ignoreregex mechanism, etc)
2020-02-13 21:52:54 +01:00
sebres
91eca4fdeb
automatically create non-existing path (last level folder only) for pidfile, socket and database (with default permissions)
2020-02-13 13:50:17 +01:00
sebres
14e68eed72
performance: set fetch handler getGroups depending on presence of alternate tags in RE (simplest variant or merged with alt-tags) in regex constructor
2020-02-13 12:31:15 +01:00
sebres
9137c7bb23
filter processing:
- avoid duplicates in "matches" (previously always added matches of pending failures to every next real failure, or nofail-helper recognized IP, now first failure only);
- several optimizations of merge mechanism (multi-line parsing);
fail2ban-regex: better output handling, extended with tag substitution (ex.: `-o 'fail <ip>, user <F-USER>: <msg>'`); consider a string containing new-line as multi-line log-excerpt (not as a single log-line)
filter.d/sshd.conf: introduced parameter `publickey` (allowing change behavior of "Failed publickey" failures):
- `nofail` (default) - consider failed publickey (legitimate users) as no failure (helper to get IP and user-name only)
- `invalid` - consider failed publickey for invalid users only;
- `any` - consider failed publickey for valid users too;
- `ignore` - ignore "Failed publickey ..." failures (don't consider failed publickey at all)
tests/samplestestcase.py: SampleRegexsFactory gets new failJSON option `constraint` to allow ignoring some tests depending on filter name, options and test parameters
2020-02-13 12:28:07 +01:00
sebres
1492ab2247
improve processing of pending failures (lines without ID/IP) - fail2ban-regex would show those in matched lines now (as well as increase count of matched RE);
avoid overwrite of data with empty tags by ticket constructed from multi-line failures;
amend to d1b7e2b5fb2b389d04845369d7d29db65425dcf2: better output (as well as ignoring of pending lines) using `--out msg`;
filter.d/sshd.conf: don't forget mlf-cache on "disconnecting: too many authentication failures" - message does not have IP (must be followed by "closed [preauth]" to obtain host-IP).
2020-02-11 18:44:36 +01:00
Sergey G. Brester
ac8e8db814
travis: switch 3.8-dev to 3.8 (released)
2020-02-11 14:18:58 +01:00
Sergey G. Brester
d7643fe538
Merge pull request #2630 from fail2ban/gh-2200-postfix
filter.d/postfix.conf: extended mode ddos and aggressive covering multiple disconnects without auth
2020-02-11 12:44:21 +01:00
Sergey G. Brester
88cf5bcd93
Update postfix
2020-02-10 13:41:28 +01:00
Sergey G. Brester
774dda6105
filter.d/postfix.conf: extended mode ddos and aggressive covering multiple disconnects without auth
2020-02-10 13:29:16 +01:00
Sergey G. Brester
34d63fccfe
close gh-2629 - jail.conf (action_blocklist_de interpolation): replace service parameter (use jail name instead of filter, which can be empty)
2020-02-10 13:03:55 +01:00
sebres
7a28861fc7
review of command line: more long-named options can be supplied via command line
2020-02-07 13:52:45 +01:00
sebres
3f48907064
amend to f3dbc9dda10e52610e3de26f538b5581fd905505: change main thread-name back to `fail2ban-server`;
implements new command line option `--pname` to specify it at server start (default `fail2ban-server`);
closes gh-2623 (revert change of main thread-name, because it can affect process-name too, so `pgrep` & co. may be confused)
2020-02-07 11:08:01 +01:00
sebres
9c7bd80807
fail2ban-regex: stop endless logging on closed streams (redirected pipes like `... | head -n 100`), exit if stdout channel is closed
2020-02-03 20:09:13 +01:00
sebres
12b3ac684a
closes #2615 : systemd backend would seek to last known position (or `now - findtime`) in journal at start.
2020-01-28 21:45:30 +01:00
sebres
569dea2b19
filter.d/mysqld-auth.conf: capture user name in filter (can be more strict if user switched, used in action or fail2ban-regex output);
also add coverage for mariadb 10.4 log format (gh-2611)
2020-01-22 17:24:40 +01:00
sebres
9e6d07d928
testSampleRegexsFactory: `time` is not mandatory anymore (check time only if set in json), allows usage of same line(s) matching different `logtype` option:
`# filterOptions: [{"logtype": "file"}, {"logtype": "short"}, {"logtype": "journal"}]`
2020-01-22 17:19:35 +01:00
sebres
8dc6f30cdd
closes #2596 : fixed supplying of backend-related `logtype` to the jail filter - don't merge it (provide as init parameter if not set in definition section), init parameters don't affect config-cache (better implementation than in #2387, and it is now covered with a new test)
2020-01-15 21:49:51 +01:00
sebres
05f9e53660
Merge branch '0.10-invariant-improve' into 0.10
2020-01-15 13:26:15 +01:00
sebres
d4c921c22a
amend to 31b8d91ba2211595182d8d3fe6d89034b562aef0: tag `<family>` is normally a dynamic tag (ticket related), so better to replace it this way (may avoid confusion if tag is used directly during restore sane env process for both families); conditional replacement is not affected here
2020-01-15 13:22:55 +01:00
sebres
ec37b1942c
action.d/nginx-block-map.conf: fixed backslash substitution (different echo behavior in some shells, gh-2596)
2020-01-14 11:39:13 +01:00
sebres
31a6c8cf5d
closes gh-2599: fixes `splitwords` for unicode string
2020-01-13 20:12:16 +01:00
sebres
b158f83aa3
testIPAddr_CompareDNS: add missing network constraint (gh-2596)
2020-01-13 12:37:19 +01:00
sebres
b25d8565fc
release 0.10.5 -- Deserve more respect a jedi's weapon must. Hrrrm, Yes
2020-01-10 13:34:46 +01:00
sebres
4e4bd43e5e
small amend for d1b7e2b5fb2b389d04845369d7d29db65425dcf2: double usage string removed, spacing fixed
generate-man: small fixes (avoid ../bin in usage, version fix)
2020-01-10 13:28:20 +01:00
sebres
f77398c49d
filter.d/sshd.conf: captures `Disconnected from ... [preauth]`, preauth phase only, different handling by `extra` (with supplied user only) and `ddos`/`aggressive` mode (`normal` mode is not affected, used there just as a helper with `<F-NOFAIL>` to capture IP for multiline failures without IP);
closes gh-2115, gh-2362.
2020-01-09 20:53:53 +01:00
sebres
d1b7e2b5fb
fail2ban-regex - several enhancements and fixes:
- improved usage output (don't put a long help if an error occurs);
- new option `--no-check-all` to avoid check of all regexes (first matched only);
- new option `-o`, `--out` to set token provided in output (disables check-all and outputs only expected data);
- test cases optimized and extended
2020-01-09 16:59:13 +01:00
sebres
dbc6590589
usage of failure-ID tag `<F-ID>...</F-ID>` causes raw handling automatically (avoid DNS-resolve for found ID)
2020-01-08 22:07:33 +01:00
Sergey G. Brester
a15832e773
Merge pull request #2588 from sebres/0.10-invariant-improve
0.10 auto-reban, improved invariant check and conditional operations
2020-01-08 21:04:42 +01:00
sebres
f30b7ae244
update ChangeLog + spelling
2020-01-08 21:03:00 +01:00
sebres
17a34b1528
amend with missing parameter of actionreban in actionreader and coverage
2020-01-07 22:01:11 +01:00
sebres
f001f8de2a
automatic reban (repeat banning action) after repair/restore sane environment, if an already logged ticket causes new failures (part of #980, closes #1680);
introduces banning epoch for actions and tickets (to distinguish or recognize removed set of tickets)
2020-01-07 21:28:32 +01:00
sebres
1a9bc1905d
auto-detection of IPv6 subsystem availability (important for not on-demand actions or jails, like pass2allow)
2020-01-07 17:01:47 +01:00
sebres
125da61bda
more cases covered, start in repair distinguish operations, on demand flag etc
2020-01-07 15:50:54 +01:00
sebres
b7fe33483a
coverage
2020-01-07 11:54:21 +01:00
sebres
a527fbcae5
small amend: if not on-demand, the families should be specified (or default), also avoids error "dictionary changed size during iteration"
2020-01-06 21:44:19 +01:00
sebres
67fd75c88e
pass2allow-ftp: inverted handling - action should prohibit access per default for any IP, so reset start on demand parameter for this action (will be started immediately).
2020-01-06 21:13:40 +01:00
sebres
165b7d6643
tests fixed, prepared for other conditional operations (for subnet usage), operations like repair/flush/stop considering started families (executed for started only)
2020-01-06 21:02:57 +01:00
sebres
3c42c7b9ef
**not ready** testActionsConsistencyCheck fixed, but several **broken** tests (todo: fix public interface like action.start()/stop()).
2020-01-06 21:02:56 +01:00
sebres
31b8d91ba2
**not ready** amend with more tests (some issue on stop?)
2019-12-27 21:58:06 +01:00
sebres
8f6ba15325
avoid unhandled exception during flush, better invariant check (and repair), avoid repair by unban/stop etc...
2019-12-27 21:30:41 +01:00
Sergey G. Brester
690a0050f0
Merge pull request #2567 from Mart124/bitwarden
New jail, Bitwarden
2019-12-13 18:31:21 +01:00
sebres
7e98073014
amend to f3dbc9dda10e52610e3de26f538b5581fd905505: don't need truncate (if the name with \0 exceeds 16 bytes, the string is silently truncated by prctl).
2019-12-12 21:45:09 +01:00
sebres
f3dbc9dda1
set real thread names (used for identification and diagnostic purposes, e.g. top -H, ps -e -T, pstree, etc)
2019-12-12 21:28:16 +01:00