e636567d23
filter.d/exim.conf: failregex extended with SMTP call dropped: too many syntax or protocol errors.
7 years ago
19a5a2f8c0
filter.d/murmur.conf: fixed detection of failures reading from journal (systemd-backend only):
...
- extended with optional prefix for the systemd-journal (with second date-pattern as optional match);
- added `journalmatch` filtering;
closes gh-2043
7 years ago
0be0e43d47
amend to 03b577d7b92a120e325abe20a99b6956a7e0657c: add new-line after matches via tag `<br>` without usage of interim variable
7 years ago
03b577d7b9
action.d/blocklist_de.conf: fixed tag substitution (in 0.10 it can be variables supplied via shell-arguments), expand `<matches>` with trailing newline;
...
tests extended;
closes gh-2028
7 years ago
527bb9a7c3
dos2unix for helpers-common.conf
...
Original report: http://bugs.debian.org/888110
7 years ago
f69e28adfc
action.d/pf.conf: compatibility fix - recognizes that parameter `port` specified as empty, with or without braces (should be more backwards compatible to 0.9 now).
7 years ago
ed22ddbbbb
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
7 years ago
63e906b2c1
regex rewritten: a bit fewer vulnerable now and using non-capturing groups, test-cases extended in order to cover trying of injection on user name
7 years ago
fed6c49c2d
nginx-http-auth: match usernames with spaces
...
# Conflicts:
# ChangeLog
7 years ago
b6c6565a7e
regex updated using non-capturing groups
7 years ago
6a1bbbf101
Update lighttpd-auth.conf
...
I have lighttpd 1.4.45 (Debian 9) and auth error log is different.
Now printing mod_auth and not http_auth.
I think that the change was in Lighttp 1.4.42
7 years ago
2b7b0da943
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
7 years ago
7e05976ead
action.d/hostsdeny.conf: actionunban rewritten using sed, also dots in IP were escaped now.
...
Closes #2000
7 years ago
2112145eb4
stop ban of legitimate users with multiple public keys (e. g. git, etc), thereby
...
differentiate between "invalid user" (going banned earlier) and valid users with public keys, for which the rejects of not valid public keys (failures) will be retarded up to "Too many authentication failures" resp. disconnect without success (accepted public key).
7 years ago
314e402fe0
filter.d/sendmail-auth.conf - extended daemon for Fedora 24/RHEL - the daemon name is "sendmail" (gh-1632)
7 years ago
c30144b37a
Merge branch '0.9' into 0.10
...
# Conflicts:
# config/action.d/firewallcmd-ipset.conf
# config/filter.d/asterisk.conf
# Merge-point after cherry-pick, no changes:
# fail2ban/client/jailreader.py
# fail2ban/helpers.py
7 years ago
131b94e11e
firewallcmd-ipset-allports: implemented in `action.d/firewallcmd-ipset.conf` now (`action.d/firewallcmd-ipset-allports.conf` removed), usage:
...
banaction = firewallcmd-ipset[actiontype="<allports>"]
7 years ago
c190631f88
New ban action firewallcmd-ipset-allports. Closes #1167
7 years ago
94f0b15c32
Allow faster parsing of hosts without ' characters in them
7 years ago
b28dfb965a
Fix filter not catching asterisk requests with quote character in username ( fixes #2010 )
7 years ago
79f414c6a2
fix <family> typo
7 years ago
7c63eb2378
In the CentOS7 and epel environment, result of "firewall-cmd -direct -get -chains ipv4 filter" is displayed one line
...
Changed to be multiple lines with reference to firewallcmd-multiport.conf
7 years ago
6ccaa03e00
action.d/firewallcmd-ipset.conf: extended with actionflush to bulk unban resp. flush ipset
7 years ago
2712f72650
Merge remote-tracking branch 'master' into 0.10
7 years ago
e384acca5f
action.d/firewallcmd-ipset.conf: fixed create of set for ipv6 (missing `family inet6`)
7 years ago
6c705d572b
filter.d/nginx-limit-req.conf: nginx limit-req log-level can be set to warn or error therefore having this regex will include both of them.
7 years ago
ffd6b9f6de
jail.conf: extended with new parameter `mode` for the filters supporting it;
7 years ago
2b68882502
filter.d/exim.conf: provides mode "aggressive" to ban flood resp. DDOS-similar failures;
...
Closes #1983
7 years ago
7f89fbc33f
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
7 years ago
4f63180611
Avoid injection using quotes after `auth` command;
...
Added non-greedy fallback for quoted something (with lookahead simulated possessive greedy catch of non-quoted parts `[^"]*(?=")`).
Note that because host-info's are hereafter (with foreign input in-between), we would not use greedy or non-greedy catch-alls (`.*` or `.*?`) here (preventing performance losses).
7 years ago
f59df2e156
Avoid any injecting on protocol (e. g. tries using camel-case)
...
The phrase "AUTH command used when not advertised" is precise enough as anchor here, so prevent by any foreign-input (any auth protocol error).
7 years ago
aa158ac05f
Exim failregex: Include lower/mixed case AUTH
...
When reporting the error `AUTH command used when not advertised`, Exim
starts with `SMTP protocol error in "........."`. Here, Exim logs the
SMTP command as it was provided by the connecting client.
https://github.com/Exim/exim/blob/exim-4_89+fixes/src/src/smtp_in.c#L2850
According to RFC 5321 (SMTP) "[..] a command verb [..] MAY be encoded
in upper case, lower case, or any mixture of upper and lower case with
no impact on its meaning."
https://tools.ietf.org/html/rfc5321#section-2.4
Lower case `auth login` brute-force attempts were seen in the wild and
were not caught by the current failregex.
This commit makes the failregex case-insensitive for the `AUTH`
command, so that lower case (`auth`) or mixed case (`aUtH`) now also
match. The failregex was already case-insensitive for the command
arguments (e.g. `AUTH login` already matched).
7 years ago
660d57e6ba
updating my email address
7 years ago
76f2865883
implemented new action "action.d/nginx-block-map.conf", used in order to ban not IP-related tickets via nginx (session blacklisting in nginx-location with map-file);
7 years ago
f31195a4fc
added new logtarget "SYSOUT" to log from fail2ban working in foreground as systemd-service (in opposite to "STDOUT" don't log time-stamps).
7 years ago
159957ab88
filter.d/sshd.conf: extended failregex for modes "extra"/"aggressive": now finds all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors;
...
obsolete (multi-line buffered) variant extended also.
Closes gh-1943, gh-1944
7 years ago
7e756da2b9
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
7 years ago
eba68a8f37
config/paths-common.conf: Added initial values for `syslog_authpriv`, `syslog_mail` in order to avoid errors while parsing/interpolating configuration;
...
Note the systemd-backend does not need the logpath at all;
Some defaults normalized (minimized configs, don't need to overwrite values in distribution-related path if equal).
7 years ago
9876dd44f9
replace port imap3 with imap everywhere, since imap3 is not a standard port and old rarely (if ever) used and missing on some systems
...
(see gh-1942)
7 years ago
4a2fc8b7e8
Include imap (port 143) in courier-auth ports
...
imap was missing from the list of ports, preventing fail2ban from blocking connections on standard IMAP port 143.
7 years ago
b615a98540
jail.conf: avoid overwriting of default value of the parameter `chain` of several actions (where default chain != INPUT);
...
test-cases extended to cover the same logic (use `<known/chain>` instead of fix value `INPUT`);
Closes gh-1949
7 years ago
e07a8cda07
Update jail.conf
...
Documentation of parameters for action blocklist_de, closes gh-1940
7 years ago
1a8fb6290d
Merge pull request #1926 from sebres/0.10-pf-actionflush
...
action.d/pf.conf: wildcard anchoring example + bulk-unban with command `actionflush`
7 years ago
0e66e3cc57
Merge branch 'master' into 0.10
...
# Conflicts:
# config/filter.d/asterisk.conf
7 years ago
d5d1fe679f
Remove invalid regex
...
Resolves #1927
7 years ago
a1b863fcf6
action.d/pf.conf: extended with bulk-unban, command `actionflush` in order to flush all bans at once (by stop jail, resp. shutdown of fail2ban)
7 years ago
8726c9fb0a
pf.conf: enclose ports in braces, multiple ports expecting this syntax `... any port {http, https}`.
...
Note this would be backwards-incompatible change (for the people already enclosing multiports in braces in jail.local).
closes gh-1915
7 years ago
a4f94d2619
Update pf.conf
...
Fix comment, because current one won't work:
cat /etc/pf.conf
anchor f2b {
sshd
}
# service pf reload
Reloading pf rules.
/etc/pf.conf:2: syntax error
New version:
cat /etc/pf.conf
anchor f2b {
anchor sshd
}
# service pf reload
Reloading pf rules.
7 years ago
ea1b663f85
typo
...
spell "positive" (...but also somebody should finish this sentence)
7 years ago
e71f16f6ba
Merge branch 'master' into 0.10
...
# Conflicts resolved:
# config/filter.d/dovecot.conf
7 years ago
sebres