Commit Graph

4814 Commits (654fda8a50f65c6b329d75cbac91a50aa5a8a8f5)

Author SHA1 Message Date
Yaroslav Halchenko a0cf31903d Merge pull request #1754 from yarikoptic/bf-tzdata
BF: specify explicit time offset not a time zone name to avoid needing tzdata during testing
2017-04-17 10:26:37 -04:00
Paul Brook a639f0b083 BF: specify explicit time offset not a time zone name to avoid needing tzdata during testing 2017-04-16 12:11:05 -04:00
Serg G. Brester 36814c4274 Merge pull request #1749 from petervanderdoes/bugfix/problem_with_mail_command
Parameter `-s` is already a part of `mailcmd` interpolation
2017-04-11 20:57:42 +02:00
Peter van der Does bb79e7f413
Parameter not needed
The parameter '-s' causes an error as the <mailcmd> already has the parameter.
2017-04-11 11:13:58 -04:00
Serg G. Brester 61e73b9694 Merge pull request #1746 from gracinet/0.10-haproxy-ipv6
haproxy-http-auth IPv6 (Closes #1745)
2017-04-11 10:04:16 +02:00
Serg G. Brester 4f0f22702a Update haproxy-http-auth.conf
little bit more precise expression
2017-04-11 09:11:08 +02:00
Georges Racinet 07023436ac haproxy-http-auth: added a test for IPv4-mapped-in-IPv6
This what one gets in logis if haproxy is binding to ::
on a dual-stack system.
2017-04-07 14:04:13 +02:00
Georges Racinet 4fc6323ff0 haproxy-http-auth: avoid port number in IPv6 addresses
The solution taken is to consume the port number explicitely in
the regexp.
2017-04-07 13:59:22 +02:00
Serg G. Brester e7f1fc5cb3 Update ChangeLog
enhancements of #1743
2017-03-31 10:39:50 +02:00
Serg G. Brester e63af0aa4e Merge pull request #1743 from sebres/0.10-flush-bulk-unban
0.10 - flush resp. bulk unban
2017-03-31 10:36:05 +02:00
sebres 97e8b42d34 dummy action extended with more examples and test-covered now 2017-03-30 13:02:37 +02:00
sebres 042a060a54 additionally complex test-case coverage for `actionflush` inside server via actions-mechanism of fail2ban - reload with removing action, unban all, stopping of jails and actions, etc. 2017-03-29 23:24:13 +02:00
sebres d03872fbbf bulk unban: add new command `actionflush` default for several iptables/iptables-ipset actions (and common include):
iptables-common
  iptables
  iptables-allports
  iptables-multiport-log
  iptables-multiport
  iptables-new
  iptables-ipset-proto4
  iptables-ipset-proto6
  iptables-ipset-proto6-allports

executing `actionflush` command covered for this actions now
2017-03-29 23:24:11 +02:00
sebres a1e9cc552c bulk unban: introduced new command `actionflush`: executed in order to flush all bans at once (e. g. by unban all, reload with removing action, stop, shutdown the system);
the actions having `actionflush` do not execute `actionunban` for each single ticket
2017-03-29 23:24:09 +02:00
Serg G. Brester 44a26c6159 Update ChangeLog
amend to gh-1742
2017-03-29 23:14:33 +02:00
Serg G. Brester 4dcdcc3002 Merge pull request #1742 from sebres/0.10-actionstart-on-demand
0.10 - Execution of `actionstart` on demand (fixes gh-1741)
2017-03-29 23:07:03 +02:00
sebres daa13eb5dd no cover for unreachable and abstract 2017-03-29 18:33:33 +02:00
sebres ca18270beb fix artificial test cases ('family' becomes mandatory in the action info, but dict was supplied in the test case) 2017-03-29 18:02:21 +02:00
sebres 8bf79fa483 implemented execution of `actionstart` on demand, if action depends on `family` (closes gh-1741);
new action parameter "actionstart_on_demand" (bool) can be set to prevent/allow starting action on demand (default retrieved automatically, if some conditional parameter `param?family=...` presents in action properties);
2017-03-29 17:44:15 +02:00
Serg G. Brester 05f5c6efcc Update README.md
added wiki-reference;
fixed mail-representation (after github swiched markdown syntax)
2017-03-29 12:32:34 +02:00
Serg G. Brester 1a59a5c5a7 Merge pull request #1740 from sebres/0.10-strptime-perf
strptime.py: small code review and performance optimization
2017-03-29 11:33:57 +02:00
sebres ee3c9fcb75 "%y" - in the fail2ban parsed year without century should be always relative current century (>= 2000);
cover several format specifiers and different "assume" cases (without year, without date, greater as now, etc.);
2017-03-28 22:10:29 +02:00
sebres 7437fbd75b strptime.py: small code review and performance optimization (get some properties on demand, etc.) 2017-03-28 20:21:39 +02:00
Serg G. Brester ec19aed489 Merge pull request #1739 from gracinet/0.10-test_smtp-no-network
Fixes test_smtp connects to wrong inet (if listening on ::1 instead of 127.0.0.1)
2017-03-28 19:49:58 +02:00
Georges Racinet 7b93f111e1 test_smtp inconsistency for py3+IPv6
It appears that, under Python3, on an IPv6 enabled machine,
the testing SMTP server on 'localhost' can turn out to listen on ::1 only,
which makes those tests break if the SMTP client part uses 127.0.0.1
directly. Using 'localhost' there as well makes the tests pass.
2017-03-28 19:29:45 +02:00
sebres 873f97c6c5 Merge branch '0.9-log-level-msg' into 0.10 2017-03-27 11:36:36 +02:00
sebres 7982d1e627 Update ChangeLog 2017-03-27 11:31:41 +02:00
sebres e8596cfce7 amend resp. restore of change from 59c35bc44a (gh-129):
- logging of "Log rotation detected" with new MSG level
- introduces new log-level MSG (as INFO-2, 18)
2017-03-27 11:27:41 +02:00
Serg G. Brester d26060ead0 Update ChangeLog
belongs to #1733
2017-03-27 09:38:53 +02:00
Serg G. Brester cea8ba7831 Merge pull request #1733 from sebres/0.10-repl-skiplines
Normalizes replacement of `<SKIPLINES>` + no multiline failregex per default
2017-03-27 09:34:08 +02:00
Seth Reeser c82495353f Update mysqld-auth.conf (#1725) 2017-03-24 19:03:20 +01:00
Serg G. Brester 52c1950371 Update mysqld-auth.conf
small typo, closes gh-1725 (Thx @seth-reeser)
2017-03-24 19:03:17 +01:00
sebres 6ac5c55edc the sequence in args-dict is currently undefined (so can be 1st argument with `?` instead of `&`) 2017-03-24 17:35:41 +01:00
sebres 990d9a66da fail2ban-regex: fixed matched output by multi-line (buffered) parsing + and multi-line debuggex URL;
test coverage extended;
2017-03-24 17:07:21 +01:00
sebres bc888e0753 Regex compiled in multi-line parsing mode only if `maxlines` > 1 (buffering), if however expected - prefix `(?m)` could be used in regex to enable it;
Removed warning "Mutliline regex set for jail ... but maxlines not greater than 1", because can be expected situation now:
non multi-line entry from systemd-filter containing new-lines (that should be ignored by anchors resp. entry parsed as single string);
small code review;
2017-03-24 13:20:04 +01:00
sebres 61c1bdfe79 Normalizes replacement of `<SKIPLINES>` (moved to _resolveHostTag, so will be replaced together with another tags);
Regex will be compiled as MULTILINE only if needed (buffering with `maxlines` > 1), that enables:
- improve performance by the single line parsing;
- make regex more precise (because distinguish between anchors `^`/`$` for the begin/end of string and the new-line character '\n', e. g. if coming from filters (like systemd journal) that allow the parsing of log-entries contain new-line chars (as single entry);
2017-03-24 11:25:12 +01:00
Serg G. Brester b650503f00 Merge pull request #1732 from sebres/0.10-ignoreself
0.10 `ignoreself` for ignore own IP addresses
2017-03-24 10:12:23 +01:00
sebres e7052e9625 update man/jail.conf.5 (docu for the ignoreself) 2017-03-24 09:55:20 +01:00
sebres 30352c5f03 fix sporadic coverage changes (sometimes produces "no such process" in popen.poll after terminate/kill in timeout test cases) 2017-03-23 17:48:52 +01:00
sebres 663bc9903d increase coverage (was decreased since "ignoreip" was set to default empty) 2017-03-23 16:19:21 +01:00
sebres 6c4b1c7204 Update ChangeLog 2017-03-23 15:54:53 +01:00
sebres 5e93bf9bd3 Introduced new option "ignoreself", specifies whether the local resp. own IP addresses should be ignored (default is true).
Fail2ban will not ban a host which matches such addresses.

Option "ignoreip" affects additionally to "ignoreself" and don't need to include the DNS resp. IPs of the host self.
2017-03-23 15:52:31 +01:00
Serg G. Brester 1e6787877a Merge pull request #1726 from sebres/0.10-grave-fix-escape-tags-1st
0.10 fix escape tags
2017-03-21 15:33:00 +01:00
sebres 6ba0546824 code review and inline docu 2017-03-21 14:53:33 +01:00
Serg G. Brester 7a03c964c2 Update ChangeLog 2017-03-21 14:04:18 +01:00
sebres bb9541b7a9 Merge pull request #1728 from sebres/_0.10/fix-gh-1719 2017-03-21 11:05:15 +01:00
sebres 43d2cae8da small amend that correct log trace output by forget MLFID (outputs the reason why it was forgotten - close, disconnect, etc.) 2017-03-21 10:39:55 +01:00
sebres b6886f2e51 SampleRegexsFactory extended with optional filter constraint, if testing the same log-file with multiple filters (no possibility to match by the old sshd-filter 'zzz-sshd-obsolete-multiline') 2017-03-21 09:42:27 +01:00
sebres 1971fd4bd3 don't remove MLFID from cache (can recognize multiple attempt within the same connection) 2017-03-21 09:20:56 +01:00
sebres f13fac5ae9 amend to 5561423be3b2d4636f5484183c3ad470fd326d06: fixed incorrect failure counting despite the `<F-NOFAIL>` marked regex;
extra: introduced new tag `<F-MLFFORGET>` as mark to forget current multi-line MLFID (e. g. connection closed);
Closes gh-1727
2017-03-21 00:15:57 +01:00