rhardy613
890a3dcbb9
Fix ASSP filter to work with current release of ASSP
...
ASSP V1 development stopped at the end of 2014 and it is now deprecated.
All users were urged to upgrade to ASSP V2 which is still actively
developed. For some reason fail2ban 0.9.5 (and trunk) still have code
which only understands ASSP V1 logs. This means the filter ignores brute
force attacks against ASSP.
Now updated with anchored patterns tested against 6 months of log data.
2016-08-05 17:26:47 -04:00
Yaroslav Halchenko
c0994b0c6c
DOC: minor typo (thanks John Bernard) Closes #1496
2016-08-04 10:23:05 -04:00
sebres
0eea362aa0
Merge branch 'master' into 0.10
2016-08-01 15:10:52 +02:00
rhardy613
f73746d846
Fix ASSP filter to work with current release of ASSP
...
ASSP V1 development stopped at the end of 2014 and it is now deprecated.
All users were urged to upgrade to ASSP V2 which is still actively
developed. For some reason fail2ban 0.9.5 (and trunk) still have code
which only understands ASSP V1 logs. This means the filter ignores brute
force attacks against ASSP.
2016-07-31 13:50:52 -04:00
Yaroslav Halchenko
28a0605f69
Merge pull request #1478 from gips0n/master
...
adding openldap slapd filter
2016-07-14 08:30:42 -04:00
Andrii Melnyk
7433b353ee
another variant of regex
2016-07-14 10:19:21 +03:00
Andrii Melnyk
7c5828dd2a
add trailing anchor to failregex
2016-07-13 21:09:42 +03:00
sebres
683f8fc56c
Merge branch 'master' into 0.10
2016-07-13 19:41:46 +02:00
Andrii Melnyk
48c094f612
improved failregex according to @sebres recomendations
2016-07-08 13:45:10 +03:00
sebres
f5f204ca7c
Improved changes of gh-1458:
...
`[^']*` after callid was wrong, changed to `[^\)]*`;
regexp anchored at the end;
almost the same regex grouped to one;
Closes #1458
2016-07-08 11:45:25 +02:00
nturcksin
72a157b8f2
Improve PJSIP log support for asterisk 13+ with different callID (Squash gh-1458)
...
Change the asterisk pjsip filter to don't take the callId part
Add optional part between "Request" and "from"
Listed all log message from asterisk
2016-07-08 11:45:22 +02:00
Andrii Melnyk
dcb69b0242
* add `__prefix_line` to regex
...
* fix time in log file
2016-07-08 05:29:51 +03:00
Andrii Melnyk
b2e3affaa0
adding openldap slapd filter
2016-07-08 04:50:57 +03:00
Yaroslav Halchenko
593b1210c0
Merge master (commit '0.9.4-79-gaf8b650') into 0.10
...
* commit '0.9.4-79-gaf8b650':
badip timeout option introduced, set to 30 seconds in our test cases (#1463 )
DOC: changelog for recent exim filters tune up
Asterisk pjsip (#1456 )
BF: finalize that sample log line for exim4
RF: for consistency use (?:XXX)? instead of (?:|XXX)
ENH: use non-capturing regex groups in exim-common and exim filters
ENH: exim filters -- make more use of %(host_info)s which in turn made more flexible
BF: make :port and I=[ip]:port optional for a "AUTH command used when not advertised"
2016-06-19 20:06:16 -04:00
Serg G. Brester
af8b650a37
badip timeout option introduced, set to 30 seconds in our test cases ( #1463 )
...
cherry-picked from 0.10 (little bit modified in test_badips.py, because no --fast option in test cases)
2016-06-13 12:56:53 +02:00
sebres
e39126f630
badip timeout option introduced, set to 30 seconds in our test cases
2016-06-10 13:15:46 +02:00
Yaroslav Halchenko
636a93f58b
Merge pull request #1438 from yarikoptic/bf-exim
...
exim filters -- make wider use of host_info helper str susbstitution + fix for #1430
2016-06-07 21:35:52 -04:00
Ludovic Gasc
f85fb45b29
Asterisk pjsip ( #1456 )
...
* Improve PJSIP log support for Asterisk 13+
* Update changelog: filter.d/asterisk.conf - fix security log support for PJSIP and Asterisk 13+
* Change pjsip regexp with sebres observation, thanks to @nturcksin
2016-06-07 11:40:35 +02:00
sebres
39366e703a
Merge branch 'master' into 0.10
...
# Conflicts:
# fail2ban/server/filter.py
2016-05-31 18:06:18 +02:00
Yaroslav Halchenko
6434661480
RF: for consistency use (?:XXX)? instead of (?:|XXX)
2016-05-30 12:12:53 -04:00
Yaroslav Halchenko
48a8324662
ENH: use non-capturing regex groups in exim-common and exim filters
2016-05-30 11:02:12 -04:00
sebres
8ec4e1189e
use raw host (don't use textToIp) if usedns exactly `raw`, because `usedns = no` should ignore no ip failures
2016-05-30 15:34:21 +02:00
Serg G. Brester
b6700f3e52
Merge pull request #1433 from yarikoptic/bf-0.10-pf-prevbeh
...
BF: maintain previous default beh for pf -- default ban type is multiport
2016-05-23 15:20:57 +02:00
Yaroslav Halchenko
9bb869b8d4
ENH: courier-smtp -- allow for trailing username (no spaces) in the logline
...
Closes #1440
2016-05-21 22:17:09 -04:00
Yaroslav Halchenko
8b8cf2a660
ENH: exim filters -- make more use of %(host_info)s which in turn made more flexible
2016-05-21 10:29:09 -04:00
Yaroslav Halchenko
743a531eb5
BF: make :port and I=[ip]:port optional for a "AUTH command used when not advertised"
...
Closes #1430
2016-05-21 10:29:01 -04:00
sebres
f62266659f
Merge branch 'master' into '0.10'
2016-05-21 13:48:00 +02:00
sebres
52377984cd
back to mandatory space, ungrouping of sub parameters in `__prefix_line` + small code review;
2016-05-19 17:57:48 +02:00
sebres
0fdc56546f
Fixed misunderstanding of port in (ban)action: port will be always specified in jail config ([DEFAULT] or jail)
2016-05-19 17:45:41 +02:00
Yaroslav Halchenko
1ebc3facb1
BF: maintain previous default beh for pf -- ban a port (ssh) only
2016-05-19 17:14:33 +02:00
sebres
4cdca8c258
amend-merge for pull request #1429 from sebres/0.10-freebsd-fix-pf
...
actiontype for PF action (all- and multi port)
2016-05-19 14:52:10 +02:00
sebres
4d51c591c1
pf.conf: warranted consistently echoing for the pf actiontype if actiontype or multiport tags will be customized;
2016-05-19 14:50:41 +02:00
Serg G. Brester
01d9a41ba1
Merge pull request #1429 from koeppea/0.10-freebsd-fix-pf
...
actiontype for PF action (all- and multi port)
2016-05-18 11:12:31 +02:00
Alexander Koeppe
b5e031f3c3
some documentation for multiport use in pf.conf
2016-05-17 21:32:21 +02:00
sebres
1e7fd26f5f
rename `actionoptions` to `actiontype` in pf-action (multiport) + fixed test cases
2016-05-17 20:51:12 +02:00
sebres
25af11215b
test case for generic common moved to `./fail2ban/tests/config/filter.d/zzz-generic-example.conf` to prevent shipping it with fail2ban installations
2016-05-17 20:08:46 +02:00
Alexander Koeppe
e74047ae49
revert to common config for PF covering multi and allports
2016-05-17 18:19:40 +02:00
Alexander Koeppe
3e1328c83b
split PF config files between all- and multi port
2016-05-17 18:19:27 +02:00
sebres
cb4f9be8b2
the date brackets removed from filters using `__prefix_line`, because `__prefix_line` already contains the date ambit;
2016-05-17 11:55:02 +02:00
sebres
de813acf51
extends generic `__prefix_line` with optional brackets for the date ambit (gh-1421), added new parameter `__date_ambit` + test case added;
2016-05-17 11:54:43 +02:00
Alexander Koeppe
975608dfb6
no hardcoded python interpreter path
2016-05-15 21:08:32 +02:00
sebres
0c44ecfc77
action.d/firewallcmd-ipset.conf: different name of the match set's for IPv4/IPv6, using conditional <ipmset>, analog to the iptables-ipset;
...
test cases for 3 firewallcmd extended;
2016-05-14 15:01:35 +02:00
TorontoMedia
ffebde68e0
Update firewallcmd-multiport.conf
2016-05-13 22:38:36 -04:00
TorontoMedia
07de83e04a
Update firewallcmd-common.conf
2016-05-13 22:38:10 -04:00
TorontoMedia
810d5996b5
Update firewallcmd-rich-logging.conf
2016-05-13 22:10:25 -04:00
TorontoMedia
7e54cee8d6
updated firewallcmd actions
2016-05-13 21:36:27 -04:00
sebres
3e49522b7a
fixes unexpected extra regex-space in generic `__prefix_line` (gh-1405, misleadingly committed in d2a9537568
);
...
all optional spaces normalized in generic include `common.conf` + test cases are extended (using new example pseudo-filter and test log `zzz-generic-example`);
2016-05-13 20:26:37 +02:00
sebres
bdc2d07946
fix suhosin_log in common paths - log files should be separated using "\n":
...
prevents to throw an error "File option must be 'head' or 'tail'", if jail suhosin will be enabled.
2016-05-11 18:49:04 +02:00
sebres
504e5ba6f2
actions support IPv6 now:
...
- introduced "conditional" sections, see for example `[Init?family=inet6]`;
- iptables-common and other iptables config(s) made IPv6 capable;
- several small code optimizations;
* all test cases passed (py3.x compatible);
2016-05-11 16:54:28 +02:00
sebres
75028585c0
test cases extended for verifying ipv4/ipv6, normalized pf-action with test case
2016-05-11 16:54:25 +02:00
Alexander Koeppe
ed2f3ef77d
improve PF action and make IPv6 aware
2016-05-11 16:54:22 +02:00
sebres
25d6cf8dd2
fix suhosin_log in common paths - log files should be separated using "\n":
...
prevents to throw an error "File option must be 'head' or 'tail'", if jail suhosin will be enabled.
2016-05-11 16:54:11 +02:00
sebres
8cb4a3f59e
move DNTUtils, IPAddr related code to dedicated source file ipdns.py (also resolves some cyclic import references)
2016-05-09 17:06:25 +02:00
Alexander Koeppe
db9f3f738f
add ip6-loopback to default ignoreip statement
2016-05-09 15:32:42 +02:00
sebres
05f38285f1
Merge remote-tracking branch 'remotes/gh-upstream/master' into f2b-perfom-prepare-716
2016-05-02 15:40:05 +02:00
jungle-boogie
d889918f19
update doc url
...
direct to confluence page. no code changes.
2016-04-24 21:35:18 -07:00
Yaroslav Halchenko
aa303acfd6
Merge pull request #1381 from theDogOfPavlov/patch-3
...
Tightened up exim regexes to catch rDNS entries
2016-04-23 18:27:38 -04:00
Alexandre Perrin
7712310d2d
Be more backward compatible on matching postfix/smtps/smtpd
...
Support trailing smtps also and not only smtpd.
suggested by @sebres
2016-04-14 13:54:58 +02:00
Alexandre Perrin
1a299409e5
Fix postfix/smtps/smtpd matching.
2016-04-14 12:10:58 +02:00
theDogOfPavlov
1eb51b1bc2
Tightened up regexes to catch rDNS entries
2016-04-01 18:07:01 +01:00
Yaroslav Halchenko
db2dd070ad
Merge pull request #1356 from opoplawski/bug-1354
...
Fedora use mariadb by default, fix log path
2016-03-31 22:11:10 -04:00
Serg G. Brester
b9b7ecbf6b
Merge pull request #1357 from sebres/monit-new-fltr
...
monit filter fixup for the new version (gh-1355)
2016-03-26 11:39:26 +01:00
TorontoMedia
3d239215cd
Two new firewalld actions with rich rules for firewalld-0.3.1+ (gh-1367)
...
closes #1367
2016-03-25 17:28:30 +01:00
sebres
ac27c9cb96
Merge branch 'patch-2' (gh-1371)
2016-03-25 17:05:23 +01:00
Serg G. Brester
0effe76971
Merge pull request #1370 from theDogOfPavlov/patch-1
...
Added regex for LDAP authentication failures
2016-03-25 15:30:39 +01:00
jblachly
e9202fa0b2
Placed failure (illumos) at end of regex
2016-03-24 00:43:15 -04:00
theDogOfPavlov
fe1475be95
Additional exim regexes to cover common attacks...
2016-03-21 05:59:59 +00:00
theDogOfPavlov
cf2aa9c1c0
Added regex for LDAP authentication failures
2016-03-21 05:53:23 +00:00
jblachly
25c2334bc8
SmartOS PAM Authentication failed (not failURE)
...
SmartOS (and likely other Illumos platforms) enter log entries for failed sshd logins of the form:
`Authentication failed for USER from HOST`
The current sshd.conf regex matches `failure` -- add to this a match for `failed` to support Illumos
2016-03-16 13:52:01 -04:00
Johannes Weberhofer
bd25a43417
define journalmatch setting for pure-ftps
2016-03-11 18:19:53 +01:00
Orion Poplawski
f3f813a925
- mysqld does not log login attempts to the journal.
...
- Add /var/log/mysqld.log to mysql_log
2016-03-09 13:52:50 -07:00
sebres
37c9075fad
fixed monit filter: failregex find now both previous and new versions:
...
- failregex of previous monit version merged as single expression;
- extended failregex with new monit "access denied" version;
2016-03-09 20:06:14 +01:00
Orion Poplawski
dfc65018da
Fedora use mariadb by default, fix log path
2016-03-09 11:36:06 -07:00
sebres
d7e7b52013
Merge remote-tracking branch 'remotes/gh-upstream/master' into f2b-perfom-prepare-716
2016-03-07 19:11:36 +01:00
Yaroslav Halchenko
385b50e4a9
Merge pull request #1343 from denics/master
...
adding wp-admin to bot search
2016-03-07 10:23:37 -05:00
Denix
ed0e572bfc
added wp-admin
...
bot are very annoying and I am getting a lot of checks on wp-admin. This should calm them.
2016-03-02 16:52:03 +01:00
Yaroslav Halchenko
6ffbc1ffad
ENH: revert back to having detailed suffix anchored at the end for mysqld-auto.conf
...
As discussed in https://github.com/fail2ban/fail2ban/pull/1333#discussion_r54100127
2016-02-28 12:07:46 -05:00
Yaroslav Halchenko
3e31145c33
Merge pull request #1331 from whyscream/postfix-multi-instance-support
...
Add support for matching postfix multi-instance daemon names by default
2016-02-28 12:00:24 -05:00
sebres
667785b608
mysqld: failregex fixed (accepts different log level, more secure expression now);
...
closes #1332
2016-02-24 17:17:51 +01:00
Tom Hendrikx
6c606cf98f
Add support for matching postfix multi-instance daemon names by default
2016-02-23 20:23:04 +01:00
Yaroslav Halchenko
905c87ca4a
Merge pull request #1310 from yarikoptic/pr-1288
...
NF: HAProxy HTTP Auth filter
2016-02-11 08:35:48 -05:00
sebres
d8e81eb417
regexp rewritten (few vulnerable as previous) + test case added
2016-02-08 12:01:25 +01:00
3eBoP
257b7049d8
Update asterisk filter: changed regex for "Call from ...". Sometimes extension can have a plus symbol (+) because they can be phone number.
...
Closes #1309
2016-02-08 11:51:37 +01:00
Pierre GINDRAUD
b5a07741c8
Add new regex into postfix filter. The new regexp is able to detect bad formatted SMTP EHLO command
2016-02-08 11:11:59 +01:00
Yaroslav Halchenko
3f437b32db
Merge remote-tracking branch 'pr/1288/head'
...
* pr/1288/head:
Update haproxy-http-auth.conf
Added HAProxy HTTP Auth filter
Conflicts:
config/jail.conf - resolved + removed unnecessary filter/enabled (defaults should be as good)
2016-01-28 08:51:45 -05:00
Yaroslav Halchenko
377ea32441
Merge pull request #1295 from obounaim/master
...
The sender option is ignored by some actions
2016-01-28 08:48:22 -05:00
Serg G. Brester
fe14c8fa05
Merge pull request #1292 from albel727/master
...
Add nftables actions
2016-01-24 23:55:50 +01:00
Jordan Moeser
d7b46509d8
Update haproxy-http-auth.conf
...
Updated failregex to be more strict
2016-01-12 08:37:33 +10:00
local
40c0bed82c
action_mw, action_mwl, action_cf_mwl ignore the "sender" option when sending a notification email.
...
This commit adds "sender="%(sender)s"" to the three actions to correct this issue.
2016-01-10 00:05:03 +01:00
Yaroslav Halchenko
5d0d96a5cb
Merge pull request #1286 from yarikoptic/enh-jail
...
ENH: harmonize jail.conf + 1 more test that passed bantime is non-degenerate and int
2016-01-08 08:51:08 -05:00
Alexander Belykh
985e8938a4
Refactor nftables actionstop into smaller parts
2016-01-06 17:39:54 +06:00
Alexander Belykh
9779eeb986
Add nftables_type/family/table parameters
2016-01-06 17:33:14 +06:00
Alexander Belykh
260c30535d
Escape curly braces in nftables actions
2016-01-06 17:13:30 +06:00
Alexander Belykh
1983e15580
Add empty line between parameters in nftables-common.conf
2016-01-06 16:55:29 +06:00
Alexander Belykh
f7f91a8bd4
Refactor common code out of nftables-multiport/allports.conf
2016-01-05 19:03:47 +06:00
sebres
69f5623f83
code simplifying (remove duplication): agent will be always supplied as parameter from jail.conf
2016-01-04 09:30:32 +01:00
Alexander Belykh
618e97bce8
Add nftables actions
2016-01-04 01:36:28 +06:00
sebres
ac31121432
amend to fix fail2ban-version: correct user-agent for badips.py "Fail2Ban/ver", changeable within jail/config now;
2015-12-31 02:32:17 +01:00
Jordan Moeser
e133762a28
Added HAProxy HTTP Auth filter
2015-12-31 11:16:23 +10:00
sebres
cf334421bd
Provides fail2ban version to jail (as interpolation variable during parse of jail.conf);
...
BF: use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc. (closes #1271 , closes #1272 )
2015-12-31 01:38:25 +01:00
Yaroslav Halchenko
28c9832293
RF: harmonize jail.conf (no explicit enabled=false in jails, match filter name for screesharingd, etc)
2015-12-29 19:43:52 -05:00
Yaroslav Halchenko
69aa1feac0
Merge "Mac OS Screen Sharing filter" PR 1232
...
* pr/1232/head:
removed system.log
Removed old svn revision comment
removed false matches
Removed includes comment for screensharing jail
Now using a literal logpath for screensharing jail
Fixed blatant typo in regex
clarified comments on sample log format
Fixed name (again?)
Made screensharing jail off by default
Changed regex prequel
added entry for new screensharingd filter
name change & new sample data
Added json metadata
Sample log for test case
Replaced .* with literal
Update jail.conf
Added new path variable for system.log
Added in settings for screensharingd filter
Created file
Conflicts:
ChangeLog - moved to New Features
config/jail.conf - kept at the end
2015-12-29 19:36:59 -05:00
sebres
d22b2498d4
normalizing time config entries: use time abbreviation (str2seconds) for all time options such 'dbpurgeage', 'bantime', 'findtime', ex.: default '1d' instead '86400';
...
code review and test case extended;
2015-12-29 12:49:10 +01:00
Yaroslav Halchenko
26dd6d7425
Merge pull request #1258 from aleksandrs-ledovskis/feature/postfix-domain-not-found-failregex
...
Add 'Sender address rejected: Domain not found' Postfix failregex
2015-12-18 09:23:54 -05:00
Ross Brown
8d12dba245
Merge remote-tracking branch 'upstream/master'
2015-12-17 18:01:17 +00:00
Ross Brown
ead2d509dc
Updated 'murmur' filter to use new double-anchored regex based on @yarikoptic's suggestions.
2015-12-17 17:45:24 +00:00
Yaroslav Halchenko
5d6cead996
ENH: sshd filter -- match new "maximum auth attempts exceeded" ( Closes #1269 )
2015-12-13 23:21:04 -05:00
Ross Brown
106c3eab9a
Added filter and jail for murmur/mumble-server.
2015-11-29 15:56:56 +00:00
Aleksandrs Ļedovskis
fa59a6850f
Add 'Sender address rejected: Domain not found' Postfix failregex
...
Signed-off-by: Aleksandrs Ļedovskis <aleksandrs@ledovskis.lv>
2015-11-22 12:01:15 +02:00
Orion Poplawski
c656cb0d36
Merge branch 'master' into journaldefault
...
Conflicts:
ChangeLog
2015-11-13 15:22:59 -07:00
Orion Poplawski
ba76f4ca2f
Fix typo
2015-11-02 15:21:14 -07:00
Simon Brown
69bb532db0
removed system.log
2015-11-02 09:26:45 -08:00
Simon Brown
3e16f33dbe
Removed old svn revision comment
2015-11-02 09:08:47 -08:00
Serg G. Brester
eef7771b4e
Merge pull request #1238 from sebres/fix/gh-1216
...
Fixed directly defined banaction for allports jails like pam-generic, recidive, etc
2015-10-31 13:17:04 +01:00
sebres
e825e977cc
Nginx log paths extended (prefixed with "*" wildcard)
...
closes gh-1237
2015-10-30 17:51:30 +01:00
sebres
f359ed8c36
Fixed directly defined banaction for allports jails like pam-generic, recidive, etc with new default variable `banaction_allports` (+ man entries for both variables added);
...
closes gh-1216
2015-10-30 15:36:18 +01:00
Simon Brown
5839a3bd80
Removed includes comment for screensharing jail
2015-10-29 16:07:54 -07:00
sebres
53b39162a1
Shortly, much faster and stable version of regexp (possible because expression is start-anchored and does not contains closely to catch-all sub expressions)
2015-10-29 23:55:23 +01:00
sebres
6884593ab8
New filter `nginx-limit-req` ban hosts, that were failed through nginx by limit request processing rate (ngx_http_limit_req_module)
2015-10-29 23:15:20 +01:00
Orion Poplawski
0661aece46
Merge branch 'master' into journaldefault
...
Conflicts:
ChangeLog
2015-10-29 15:22:37 -06:00
Simon Brown
65bc5cf6ba
Now using a literal logpath for screensharing jail
2015-10-29 09:03:01 -07:00
Simon Brown
cabd46f069
Fixed blatant typo in regex
...
However, still failing test, even though ```PYTHONPATH=. fail2ban-regex -v fail2ban/tests/files/logs/screensharingd /etc/fail2ban/filter.d/screensharingd.conf``` gives desired result
2015-10-28 20:58:25 -07:00
Simon Brown
acee68a9ee
Made screensharing jail off by default
...
Also added note about requiring paths-osx.conf.
2015-10-28 15:11:11 -07:00
Simon Brown
4b4d5a95b7
Changed regex prequel
...
Use standard prefix macro instead of literal daemon name.
2015-10-27 21:30:20 -07:00
Simon Brown
4c3f778b82
Replaced .* with literal
...
Per Serg's suggestions. Possible I'm missing some auth attempt types, but I couldn't find anything where literal wasn't sufficient.
2015-10-27 10:33:30 -07:00
Simon Brown
d17d837b8c
Update jail.conf
...
Added logencoding to screensharing jail to avoid encoding error messages in fail2ban log
2015-10-27 10:28:07 -07:00
Simon Brown
de14946542
Added new path variable for system.log
...
Logging location for the majority of Mac OS daemons.
2015-10-26 18:02:07 -07:00
Simon Brown
80546c6164
Added in settings for screensharingd filter
2015-10-26 17:50:49 -07:00
Simon Brown
3ec725a2ba
Created file
...
From https://github.com/beezwax/filemaker-fail2ban/blob/master/fail2ban/filter.d/screensharingd.conf
2015-10-26 17:35:38 -07:00
1technophile
2861a957a9
filter for openhab domotic software authentication failure with the rest api and web interface + test cases;
...
closes gh-1223
2015-10-26 15:48:23 +01:00
Pablo Rodriguez Fernandez
2c576c64f8
Change domain filter regex
...
Change domain filter regex since there are other Google crawlers.
See "Google crawlers"
<https://support.google.com/webmasters/answer/1061943?hl=en >
2015-10-20 10:46:00 +02:00
Pablo Rodriguez Fernandez
74fcb219ab
Enhanced Google domain detection in apache-fakegooglebot
...
Previously, an attacker could fake a domain like
crawl-1-1-1-1.googlebot.com.fake.net and get resolved. This change
avoids to resolve fake Google domains.
2015-10-20 10:45:53 +02:00
Orion Poplawski
3a9cf2b3da
Add and use default_backend to set individual backend defaults to auto
2015-10-19 19:50:03 -06:00
Orion Poplawski
ced7be94b2
Fix postfix_log typo
2015-10-19 19:43:10 -06:00
Orion Poplawski
75d33c0f09
Add *_backend options for services to allow distros to set the default backend
...
per service.
Set default to systemd for Fedora as appropriate.
2015-10-18 20:18:50 -06:00
Pablo Rodriguez Fernandez
a28e6b442e
Add check in apache-fakegooglebot to protect against PTR fake record
...
An attacker may return a PTR record which fakes a Googlebot's domain
name. This modification resolves the PTR records to verify it.
See "Verifying Googlebot":
<https://support.google.com/webmasters/answer/80553?vid=1-635800030504666679-1963774919 >
2015-10-13 17:11:49 +02:00
agentmoller001
617302fcc2
Updated route.conf to clear warnings
...
Does not throw warnings when starting/restarting by adding three lines of code.
2015-10-09 18:16:36 -07:00
sebres
2696ede251
mysqld-auth: Updated "Access denied ..." regex for MySQL 5.6 and later
...
closes gh-1211
2015-10-07 14:34:13 +02:00
Kevin Locke
36919d9f97
ssh.conf: Fix disconnect "Auth fail" matching
...
The regex for matching against "Auth fail" disconnect log message does
not match against current versions of ssh. OpenSSH 5.9 introduced
privilege separation of the pre-auth process, which included
[logging through monitor.c](http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.c.diff?r1=1.113&r2=1.114 )
which adds " [preauth]" to the end of each message and causes the log
level to be prepended to each message.
It also fails to match against clients which send a disconnect message
with a description that is either empty or includes a space, since this
is the content in the log message after the disconnect code, per
[packet.c:1785](http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/packet.c?annotate=1.215 ),
which was matched by \S+. Although I have not observed this yet, I
couldn't find anything which would preclude it in [RFC
4253](https://tools.ietf.org/html/rfc4253#section-11.1 ) and since the
message is attacker-controlled it provides a way to avoid getting
banned.
This commit fixes both issues.
Signed-off-by: Kevin Locke <kevin@kevinlocke.name>
2015-10-02 15:46:29 -07:00
Viktor Szépe
0d8968daa9
Added CloudFlare API error codes URL
2015-09-30 16:07:45 +02:00
Yaroslav Halchenko
ff06176e9e
Merge remote-tracking branch 'origin/master' into enh-split-comma
...
* origin/master:
DOC: changelog for the timeout change
Set Timeout at urlopen to 3 seconds
README :: init/service example mentions debian based systems as the example
README :: fitted paragraph style
BF: disable testing on python 3.2 until coverage gets a fix
README :: Some style/grammar tweaks, and init/service script mention. Re: #1193
Set Timeout at urlopen to 3 seconds
2015-09-27 00:52:14 -04:00
M. Maraun
2895d981fa
Set Timeout at urlopen to 3 seconds
2015-09-26 21:26:55 +02:00
Yaroslav Halchenko
8cf614e221
ENH: allow to split ignoreip by space and/or comma ( Closes #1197 )
...
Way too many people ran into this gotcha, so lets just do it
2015-09-23 12:13:52 -04:00
Yaroslav Halchenko
55e542b273
Merge remote-tracking branch 'pr/1170/head' -- opensuse paths
...
* pr/1170/head:
Updated ChangeLog regarding openSUSE's path config
Added configuration for opensuse path
2015-09-17 21:59:45 -04:00
Edward Beckett
835b3ff483
Update apache-badbots.conf
...
Useragent strings including `+http` need to be escaped to be valid.
2015-09-05 00:12:28 -04:00
weberho
f7af93a677
Added configuration for opensuse path
2015-08-26 15:25:59 +02:00
weberho
d278fbca30
Fixed line suspected to be faulty
2015-08-26 14:48:55 +02:00
Yaroslav Halchenko
c37009aec7
Merge branch 'grep-m1k' of github.com:szepeviktor/fail2ban
...
* 'grep-m1k' of github.com:szepeviktor/fail2ban:
Limit the number of log lines in *-lines.conf actions
Conflicts:
ChangeLog -- took both versions and adjusted the new one
for -n 1000 change
2015-07-27 22:37:46 -04:00
Yaroslav Halchenko
38c320798d
Merge pull request #1127 from yarikoptic/enh-iptables-w-close-1122
...
WIP ENH Add <lockingopt> (Close : #1122 ) and <iptables> to define the iptables call
2015-07-27 22:30:54 -04:00
Yaroslav Halchenko
0041bc3770
DOC: Changelog for shorewall-ipset-proto6.conf + adjusted its description
2015-07-26 23:10:08 -04:00
Yaroslav Halchenko
de2f9504c0
Merge pull request #978 from ediazrod/patch-2
...
shorewall-ipset-proto6.conf for shorewall
2015-07-26 23:00:58 -04:00
Yaroslav Halchenko
65cd218e10
Merge remote-tracking branch 'origin/master'
...
* origin/master:
ipjailmatches is on one line with its description in man jail.conf
Added a space between IP address and the following colon
2015-07-26 22:47:43 -04:00
Viktor Szépe
c8b3ee10a0
Limit the number of log lines in *-lines.conf actions
2015-07-27 02:35:21 +02:00
Thomas Mayer
a19cb1b2b9
Merge 923d807ef8
into cf2feea987
2015-07-25 01:23:39 +00:00
Yaroslav Halchenko
3c0d7f5a4c
BF: do not wrap iptables into itself. Thanks Lee
2015-07-24 11:59:53 -04:00
Viktor Szépe
ebdfbae559
Added a space between IP address and the following colon
2015-07-24 09:33:47 +02:00
Yaroslav Halchenko
749d3c160c
BF: symbiosis-blacklist-allports now also requires iptables-common.conf
2015-07-23 21:53:37 -04:00
Yaroslav Halchenko
916937bb6a
RF: use <iptables> to take effect of it being a parameter
2015-07-23 21:38:10 -04:00
Yaroslav Halchenko
31dc4e2263
ENH: added lockingopt option for iptables actions, made iptables cmd itself a parameter
2015-07-23 21:34:20 -04:00
Yaroslav Halchenko
7a011fca1b
DOC: adjusted comment in pass2allow-ftp to my suggested wording
2015-07-16 21:55:20 -04:00
Viktor Szépe
948b12e5df
Fixed definition of knocking_url for pass2allow
2015-07-14 18:35:51 +02:00
Viktor Szépe
b638e807ad
Explicitly stating that knocking_url needs to be customized
2015-07-13 18:12:04 +02:00
Viktor Szépe
586703dcc2
Test, changelog and fixes to pass2allow
2015-07-13 16:46:04 +02:00
Viktor Szépe
5b7e1de2f4
Instead of allow-iptables-multiport actions swap blocktype and (new) returntype
2015-07-11 18:20:09 +02:00
Viktor Szépe
5d60700c0c
Added pass2allow (knocking with fail2ban)
2015-07-10 16:22:43 +02:00
Viktor Szépe
a3b8257b73
Add HEAD method verb to apache-badbots, nginx-badbots
2015-07-07 17:45:40 +02:00
Yaroslav Halchenko
8c4c17a880
Merge pull request #1004 from tsabi/fix-lc_time
...
Fix of LC_TIME usage, it should be LC_ALL
2015-07-05 21:36:37 -04:00
Yaroslav Halchenko
e38b4b8cb3
Merge pull request #1051 from leeclemens/bf/roundcube
...
Update regex to work with roundcube 1.0.5 and 1.1.1
2015-07-05 21:35:49 -04:00
Lee Clemens
3e902d7b3a
Define roundcube_errors_log in paths-common.conf
...
Remove from paths-debian
2015-07-04 14:46:31 -04:00
Lee Clemens
fdc3172aec
Fix PEP8 E302 expected 2 blank lines, found X
2015-07-04 13:47:40 -04:00
Lee Clemens
f7444f16b8
Add optional session id prefix for roundcube 1.1.1
2015-07-04 11:06:51 -04:00
Lee Clemens
2796534a5d
Update regex to work with roundcube 1.0.5 on CentOS 6
2015-07-04 11:02:04 -04:00
Viktor Szépe
b65a8b065d
Other actions do not dive into this gory descriptions, but we do.
2015-07-03 19:17:50 +02:00
Viktor Szépe
2063ce4b23
All the arguments must be listed in [Init]
2015-07-01 14:48:44 +02:00
Viktor Szépe
79457112e9
Updated CF action
2015-07-01 09:38:36 +02:00
Yaroslav Halchenko
345820d2aa
Merge pull request #1056 from ipoddubny/asterisk_security_log
...
Fix support for Asterisk security log
2015-05-25 12:50:13 -04:00
Yaroslav Halchenko
f41872f034
Merge pull request #1013 from szepeviktor/patch-4
...
Non-US locale warning for proftpd
2015-05-25 10:51:51 -04:00
Yaroslav Halchenko
eb091d9b8c
Merge remote-tracking branch 'origin/master' into pr-1039
...
* origin/master:
minor: no tripple empty lines
add froxlor-auth filter and jail
add froxlor-auth filter and jail 0
add froxlor-auth filter and jail
BF: Fix fail2ban-regex not parsing journalmatch correctly
2015-05-25 10:50:34 -04:00
Yaroslav Halchenko
8c4d4aa7fb
minor: no tripple empty lines
2015-05-25 10:42:19 -04:00
Joern Muehlencord
4296d1a9a9
add froxlor-auth filter and jail
2015-05-25 13:51:06 +02:00
Joern Muehlencord
964cdb5d9b
add froxlor-auth filter and jail
2015-05-25 13:44:50 +02:00
Ivan Poddubny
7a4e6fa6e5
Asterisk security log: add support for websocket protocol events
...
Thanks to @kcormier.
2015-05-25 08:13:30 +03:00
Ivan Poddubny
988d9a08da
Asterisk security log: accept events containing Response/ExpectedResponse
...
Event containing Challenge may come without ReceivedChallenge, but with
Response and ExpectedResponse.
Also Challenge now accepts '/' character, since it is used at least by PJSIP.
2015-05-25 08:12:51 +03:00
Ivan Poddubny
189265a323
Asterisk security log: accept SessionID of PJSIP events
...
Unlike chan_sip and manager, PJSIP populates SessionID using
Call-Id header of a related SIP message.
As Call-Id of a SIP message can contain almost anything,
the regular expression for SessionID has been loosened.
2015-05-25 08:11:34 +03:00
Ivan Poddubny
ab2ac1a367
Asterisk security log: accept <unknown> in AccountID
2015-05-24 12:47:55 +03:00
Ivan Poddubny
977f9955e7
Asterisk security log: accept EventTV in ISO8601
...
Asterisk uses ISO8601 dates in security log since version 12.
Closes #988
2015-05-24 12:46:54 +03:00
Anton Shestakov
56e5821c06
Match unknown user in dovecot's passwd-file auth database
2015-04-30 16:53:10 +08:00
Aaron Brice
7ae0ef2408
Fix actions in ufw.conf
...
On Ubuntu 15.04 the ufw action was not working.
- With empty <application>, receiving errors:
2015-04-24 16:28:35,204 fail2ban.filter [8527]: INFO [sshd] Found 43.255.190.157
2015-04-24 16:28:35,695 fail2ban.actions [8527]: NOTICE [sshd] Ban 43.255.190.157
2015-04-24 16:28:35,802 fail2ban.action [8527]: ERROR [ -n "" ] && app="app " -- stdout: b''
2015-04-24 16:28:35,803 fail2ban.action [8527]: ERROR [ -n "" ] && app="app " -- stderr: b''
2015-04-24 16:28:35,803 fail2ban.action [8527]: ERROR [ -n "" ] && app="app " -- returned 1
- With action = ufw[application=OpenSSH], it was silently not doing
anything (no errors after "Ban x.x.x.x", but no IP addresses in ufw
status).
Re-arranged the bash commands on two lines, and it works with or without
<application>.
2015-04-28 11:39:00 -07:00
Lee Clemens
8f792f52fb
Add drupal-auth filter and jail
2015-04-27 13:10:27 -04:00
Lee Clemens
b530d88eca
Merge remote-tracking branch 'upstream/master' into bf/1000-asteriskBlocksSelf
...
Conflicts:
ChangeLog
2015-04-26 15:13:59 -04:00
Markus Oesterle
f8c7247f42
added \s after host
2015-04-17 10:22:01 +02:00
Markus Oesterle
5f2807b41f
replaced .* before rhost with regex matching all the previous fields
2015-04-17 10:04:35 +02:00
Markus Oesterle
8825a5f31b
updated filter.d/sshd.conf
...
Added line to match sshd auth errors on OpenSuSE systems
2015-04-16 19:48:28 +02:00
Viktor Szépe
e776a4e1ab
Update proftpd.conf
2015-04-08 15:57:39 +02:00
Viktor Szépe
f9e8a99a79
Non-US locale warning for proftpd
2015-04-06 17:04:41 +02:00
Thomas Mayer
923d807ef8
use human-readable variable names (issue #1003 )
2015-03-29 18:18:30 +02:00
Thomas Mayer
675c3a7c95
use printf instead of echo for POSIX compatibility (issue #1003 )
2015-03-29 18:08:47 +02:00
Thomas Mayer
ac1e41ea70
Revert "remove '-ne' option as it's not interpreted any way (issue #1003 )"
...
This reverts commit 4a598070c8
.
2015-03-29 17:54:25 +02:00
Thomas Mayer
4a598070c8
remove '-ne' option as it's not interpreted any way (issue #1003 )
2015-03-28 06:58:01 +01:00
Thomas Mayer
80f11a4d28
Add empty Init Section to pass tests (issue #1003 )
2015-03-27 18:36:09 +01:00
Thomas Mayer
c9b24839e4
Character detection heuristics for whois output via optional setting in mail-whois*.conf ( Closes #1003 )
...
when set by user,
- detects character set of whois output (which is undefined by RFC 3912) via heuristics of the file command
- converts whois data to UTF-8 character set with iconv
- sends the whois output in UTF-8 character set to mail program
- avoids that heirloom mailx creates binary attachment for input with unknown character set
2015-03-27 14:27:41 +01:00
Csaba Tóth
0720c831b7
Fix of LC_TIME usage, it should be LC_ALL
2015-03-26 03:02:02 +01:00
Lee Clemens
72f4bcfbff
Match hacking attempt IP instead of asterisk server IP ( closes #1000 )
2015-03-24 19:03:26 -04:00
Yaroslav Halchenko
d28880fdca
Merge pull request #997 from yarikoptic/bf/long-purge-for-recidive
...
DOC: make a warning for recidive jail to increase dbpurgeage (Closes #964 )
2015-03-23 21:30:04 -04:00
ediazrod
5fdd1d1ded
Update shorewall-ipset-proto6.conf
2015-03-23 00:56:37 +01:00
ediazrod
e26a1ad6b6
Update shorewall-ipset-proto6.conf
2015-03-23 00:55:06 +01:00
Yaroslav Halchenko
56aacf872c
Merge pull request #952 from ache/master
...
Update bsd-ipfw.conf
2015-03-21 21:46:54 -04:00
Yaroslav Halchenko
02836b599c
Added a comment about systemd backend for jails with logs outside of journal ( Closes #959 )
2015-03-21 21:25:50 -04:00
Yaroslav Halchenko
320a28a4a4
DOC: make a warning for recidive jail to increase dbpurgeage ( Closes #964 )
2015-03-21 20:50:03 -04:00
ediazrod
d0887f3234
This is a especific configuration for shorewall ipset proto6
...
Use ipset proto6 in shorewall. You must follow the rules to enable ipset in you blacklist
if you have a lot of spam (my case) is better use ipset rather than shorewall command line (is my firewall)
stop fail2ban with shorewall on one list of 1000 Ips takes 5 min with ipset in shorewall 10 sec.
2015-02-26 18:48:31 +01:00
Yaroslav Halchenko
e788e3823e
Merge pull request #965 from TorontoMedia/master
...
Split output of firewallcmd list into separate lines for grepping (Close #908 )
2015-02-14 16:06:10 -05:00
TorontoMedia
b4f1f613bb
Update firewallcmd-allports.conf
2015-02-14 12:32:36 -05:00
TorontoMedia
0fac7e40b6
Update firewallcmd-multiport.conf
2015-02-14 12:31:33 -05:00
Yaroslav Halchenko
07b0ab07ad
Merge branch 'master' of https://github.com/rumple010/fail2ban
...
* 'master' of https://github.com/rumple010/fail2ban :
Changed default TTL value to 60 seconds.
Added a reminder to create an nsupdate.local file to set required options.
Modified the ChangeLog and THANKS files to reflect the addition of action.d/nsupdate.conf.
add nsupdate action
Conflicts:
ChangeLog
2015-02-14 09:32:05 -05:00
Yaroslav Halchenko
d5e68abf95
ENH: check badips.com response on presence of "categories" in it
...
As https://travis-ci.org/fail2ban/fail2ban/jobs/50609529 query might fail in
that response would not contain "categories". With this change we will handle
it explicitly and will spit out ValueError, providing information about
the response so it could be troubleshooted
2015-02-13 08:55:35 -05:00
Ache
ae1451b29f
Update bsd-ipfw.conf
...
Deleting not existent is not error.
Adding already present is not error.
Otherwise all those entries becomes stale forever, not removed and its number increases over time.
2015-02-08 15:55:32 +03:00
Yaroslav Halchenko
3fb2becddb
Merge pull request #949 from leeclemens/enh/configSyslogSocket
...
Configure Syslog Socket Path (closes #814 )
2015-02-06 20:08:15 -05:00
Lee Clemens
6268eb32be
Use syslogsocket value "auto" to determine syslog socket's path
2015-02-06 19:14:09 -05:00
Luke Hollins
549ab24e70
Fixed grammatical error in emails sent
2015-02-06 11:47:03 -05:00
Yaroslav Halchenko
119a7bbb16
Merge pull request #939 from szepeviktor/geoip
...
Added sendmail-geoip-lines.conf
2015-02-06 11:32:41 -05:00
Viktor Szépe
4c88a00c28
Line notes implemented
2015-02-06 17:22:30 +01:00
Lee Clemens
445fd7367f
Configure Syslog Socket Path
2015-02-05 23:44:57 -05:00
František Šumšal
eb0d086ed0
Merge branch 'master' into nginx-botsearch
2015-02-04 02:13:33 +01:00
František Šumšal
1c6d2074fb
Changed default settings for nginx-botseach filter
2015-02-04 01:48:59 +01:00
Orion Poplawski
e7ff7e90b7
[postfix-sasl] update regexes
...
- Add : to match "SASL LOGIN authentication failed: Password:"
- Add ignoreregex to ignore system authentication issues:
"warning: unknown[1.1.1.1]: SASL LOGIN authentication failed: Connection lost to authentication server"
- Add test log messages for both
2015-02-03 11:30:16 -07:00
František Šumšal
fb0f463eac
Include consistency
2015-02-03 15:54:05 +01:00
František Šumšal
705718be52
Filter apache-botsearch.conf now loads variables from botsearch-common.conf
2015-02-03 04:44:33 +01:00
František Šumšal
18778d9174
Created botsearch-common.conf
...
File contains variables used in -botsearch filters
2015-02-03 04:25:47 +01:00
Yaroslav Halchenko
73af02ffc6
Merge pull request #940 from leeclemens/ENH/ApacheFakeGoogleBot
...
New jail: apache-fakegooglebot
2015-02-02 21:44:04 -05:00
Yaroslav Halchenko
df581fe6e2
Merge pull request #929 from opoplawski/pam_auth
...
Add filter variable __pam_auth to allow customize for setups with multiple authorization schemes (Close #928 )
2015-02-02 21:42:10 -05:00
Yaroslav Halchenko
7ada96b4e9
Merge pull request #932 from opoplawski/dovecot
...
Dovecot - dovecot auth failure from EL7
2015-02-02 21:37:28 -05:00
František Šumšal
f8fe165cd2
Switched from tabs to spaces for indents
2015-02-03 03:35:22 +01:00
Yaroslav Halchenko
8f6d9c6a5a
Merge branch 'enh/local_time_zone' of https://github.com/yarikoptic/fail2ban
...
* 'enh/local_time_zone' of https://github.com/yarikoptic/fail2ban :
fixed typos, thanks szepeviktor for review
ENH: use non-UTC date invocation (without -u) and report offset for localzone (%z)
Conflicts:
ChangeLog
2015-02-02 21:21:44 -05:00
Lee Clemens
841c476045
Merge branch 'enh/fakegooglebot' of https://github.com/yarikoptic/fail2ban into yarikoptic-enh/fakegooglebot
...
Conflicts:
config/filter.d/ignorecommands/apache-fakegooglebot
2015-02-02 13:01:23 -05:00
Yaroslav Halchenko
15b65c7ad2
NF: apache-fakegooglebot ignorecommand + DNSUtils.ipToName
2015-02-02 12:19:20 -05:00
Lee Clemens
7e94ba6f0c
Remove implementation specific suffix
2015-02-02 11:43:05 -05:00
Lee Clemens
854915920f
Remove implementation specific suffix
2015-02-02 11:38:23 -05:00
Lee Clemens
af078532ac
New jail: apache-fakegooglebot
...
Detects fake googlebot user agents in apache access log
2015-02-02 00:42:01 -05:00
Viktor Szépe
1619ab3145
Added sendmail-geoip-lines.conf
2015-02-01 00:06:56 +01:00
Yaroslav Halchenko
ec6a30efcf
ENH: define ignoreregex for all filters explicitly, to avoid warnings ( Closes #934 )
2015-01-30 10:38:28 -05:00
František Šumšal
c8e82f18b6
Add jail nginx-botsearch
...
Jail blocks requests for predefined non-existent folders. Based on
apache-botsearch jail.
2015-01-29 17:57:52 +01:00
Orion Poplawski
b4776a1ba0
Match dovecot unknown user line
2015-01-29 09:37:37 -07:00
Orion Poplawski
3bc92610f7
Add dovecot auth failure from EL7
2015-01-29 09:11:59 -07:00
Andrew St. Jean
6bdfe756cf
Changed default TTL value to 60 seconds.
2015-01-28 22:46:43 -05:00
Orion Poplawski
79b5a2617f
Add filter variable __pam_auth to allow easier changing of pam auth backend
2015-01-27 14:34:27 -07:00
Andrew St. Jean
43732acae1
Added a reminder to create an nsupdate.local file to set required options.
2015-01-26 21:48:16 -05:00
Yaroslav Halchenko
085d0f72ed
ENH: use non-UTC date invocation (without -u) and report offset for localzone (%z)
2015-01-26 09:19:44 -05:00
Yaroslav Halchenko
65980a70fc
Merge branch 'enh/recidive-allports' of https://github.com/yarikoptic/fail2ban
...
* 'enh/recidive-allports' of https://github.com/yarikoptic/fail2ban :
use iptables-allports for recidive
Conflicts:
ChangeLog
2015-01-26 09:04:42 -05:00
rumple010
eb76dcd5a0
add nsupdate action
...
Adds a new action file that uses nsupdate to dynamically update a BIND
zone file with a TXT resource record representing a banned IP address.
Resource record is deleted from the zone when the ban expires.
2015-01-25 23:15:07 -05:00
sebres
12e3cca3f2
port[s] typo fixed in jail.conf/nginx-http-auth, issue gh-913
2015-01-19 10:28:53 +01:00
Yaroslav Halchenko
083031524d
BF: adding missing Definition section header to firewallcmd-allports
2015-01-08 21:14:50 -05:00
TorontoMedia
d7b7f4bc91
Update firewallcmd-allports.conf
2015-01-08 21:06:43 -05:00
Lee Clemens
77677e43df
Merge branch 'master' of github.com:fail2ban/fail2ban into ENH/PostfixRBL
2015-01-07 20:39:04 -05:00
Lee Clemens
bda8dc1926
Merge branch 'master' of github.com:fail2ban/fail2ban into ENH/PostfixRBL
2015-01-03 15:29:42 -05:00
TorontoMedia
7eed55266b
Created firewallcmd-multiport
2015-01-01 12:46:48 -05:00
TorontoMedia
9f91cb2fd8
Created firewallcmd-allports
2015-01-01 12:44:34 -05:00
TorontoMedia
50e5fd9ed7
Create firewallcmd-multiport.conf
2015-01-01 05:32:41 -05:00
TorontoMedia
591e444753
Create firewallcmd-allports.conf
2015-01-01 05:32:06 -05:00
Lee Clemens
0f48cf4284
loosen up regex for spamhaus (spamcop says "Blocked" as part of url)
2014-12-30 19:14:39 -05:00
Lee Clemens
fe72a5585c
Create Jail for Postfix based on RBL
...
Use RBL blocks to ban addresses, unique Jail so maxretry can be set to 1 (vs postfix.conf)
2014-12-30 19:06:17 -05:00
Lee Clemens
2d7429c47c
Add 'Client host rejected error message' regex
...
Not sure if it was reworded (using Postfix 2.6) or a slightly different error, but I only have "Client host rejected: cannot find your hostname"
2014-12-30 18:05:19 -05:00
Viktor Szépe
81b3dbde1d
postfix-sasl failregex case insensitive
2014-12-11 00:10:37 +01:00
bes-internal
ccc986b7d8
exim filter: correct failregex for exim with extended log options
...
incoming_interface, incoming_port, outgoing_port
2014-12-04 13:34:44 +03:00
Orion Poplawski
d8867807f5
Separate php-url-fopen logpath by newline
2014-11-28 22:04:09 -07:00
Guillaume FRANCOIS
a6a2dc868b
Add ignoreregex to avoid warning on start
2014-11-12 11:05:56 +01:00
Guillaume FRANCOIS
9269664350
Add ignoreregex to avoid warning on start
2014-11-12 10:30:28 +01:00
Yaroslav Halchenko
2a3790f8e8
use iptables-allports for recidive
2014-11-04 13:24:54 -05:00
Yaroslav Halchenko
967485c2d0
improving grepping
2014-10-29 23:14:47 -04:00
Yaroslav Halchenko
efbf5064a1
Merge pull request #807 from xslidian/patch-1
...
grep IP at the start of lines
2014-10-29 23:07:10 -04:00
Orion Poplawski
01b2673e34
Use multiport for firewallcmd-new
2014-10-29 16:27:37 -06:00
Yaroslav Halchenko
36abb5ed96
BF: fix $ for % in jail.conf. Debian bug #767255
2014-10-29 13:08:51 -04:00
pacop
e3a037ee3f
merge master
2014-10-25 18:15:34 +02:00
pacop
ce4f2d1c88
added filter for PortSentry with jail and samples
2014-10-04 15:08:12 +02:00
SlowRiot
fc5f729f01
adding jail conf for shellshock filter
2014-09-26 16:37:50 +01:00
SlowRiot
4f636eb0e3
adding filter to detect Shellshock attack attempts against bash scripts through apache. See http://seclists.org/oss-sec/2014/q3/650
2014-09-26 16:25:07 +01:00
Nick Weeds
2c158fe168
Add apache filter for AH01630 client denied by server configuration
2014-09-14 21:54:05 +01:00
Yaroslav Halchenko
0e1f8f7f39
RF: remove those two additional failregexes for the postfix
...
see comment
https://github.com/fail2ban/fail2ban/pull/804\#discussion_r17512426
2014-09-13 10:25:27 -04:00
Yaroslav Halchenko
96c20c8379
Merge pull request #804 from pleasantone/master
...
Add support for postfix/submission/smtpd matching.
2014-09-13 10:24:06 -04:00
Yaroslav Halchenko
c58c4de9bc
ENH: add empty ignoreregex to avoid a warning ( Close #805 )
2014-09-13 10:18:37 -04:00
Dean Lee
ba44ff312b
grep IP at the start of lines
...
I'm not sure if this regex works best, so I'm patching this single file as a sample.
Don't forget to update `mail-whois-lines.conf` after this patch got merged.
For the following logs, `grep '[^0-9]199.48.161.87[^0-9]'` will output nothing, while `grep '\([^0-9]\|^\)199.48.161.87[^0-9]'` works:
<pre>199.48.161.87 - - [09/Sep/2014:13:38:54 +0800] "POST /wp-login.php HTTP/1.1" 403 4674 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0" - hitsjapan.com
199.48.161.87 - - [09/Sep/2014:13:38:56 +0800] "POST /wp-login.php HTTP/1.1" 403 4674 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0" - hitsjapan.com
199.48.161.87 - - [09/Sep/2014:13:38:58 +0800] "POST /wp-login.php HTTP/1.1" 403 4674 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0" - hitsjapan.com
199.48.161.87 - - [09/Sep/2014:13:39:00 +0800] "POST /wp-login.php HTTP/1.1" 403 4674 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0" - hitsjapan.com
199.48.161.87 - - [09/Sep/2014:13:39:05 +0800] "POST /wp-login.php HTTP/1.1" 403 4674 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0" - hitsjapan.com
199.48.161.87 - - [09/Sep/2014:13:39:05 +0800] "POST /wp-login.php HTTP/1.1" 403 4674 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0" - hitsjapan.com
199.48.161.87 - - [09/Sep/2014:13:39:13 +0800] "POST /wp-login.php HTTP/1.1" 403 4674 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0" - hitsjapan.com
199.48.161.87 - - [09/Sep/2014:13:39:21 +0800] "POST /wp-login.php HTTP/1.1" 403 4674 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0" - hitsjapan.com
199.48.161.87 - - [09/Sep/2014:13:39:32 +0800] "POST /wp-login.php HTTP/1.1" 403 4674 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0" - hitsjapan.com
199.48.161.87 - - [09/Sep/2014:13:39:34 +0800] "POST /wp-login.php HTTP/1.1" 403 4674 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0" - hitsjapan.com
199.48.161.87 - - [09/Sep/2014:13:39:34 +0800] "POST /wp-login.php HTTP/1.1" 403 168 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0" - hitsjapan.com
199.48.161.87 - - [09/Sep/2014:13:39:34 +0800] "POST /wp-login.php HTTP/1.1" 403 168 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0" - hitsjapan.com
199.48.161.87 - - [09/Sep/2014:13:39:35 +0800] "POST /wp-login.php HTTP/1.1" 403 168 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0" - hitsjapan.com
199.48.161.87 - - [09/Sep/2014:13:39:35 +0800] "POST /wp-login.php HTTP/1.1" 403 168 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0" - hitsjapan.com
199.48.161.87 - - [09/Sep/2014:13:39:35 +0800] "POST /wp-login.php HTTP/1.1" 403 168 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0" - hitsjapan.com</pre>
2014-09-09 14:55:34 +08:00
Paul Traina
249e169d8e
Update test cases and also suport smtps per request.
2014-09-08 11:53:51 -07:00
Daniel Black
1864f75b3b
Credits and notes from #806
2014-09-08 19:02:37 +10:00
weberho
d2c086b187
fixed encoding
2014-09-08 10:26:08 +02:00
weberho
218ffe862e
fixed encoding
2014-09-08 10:23:07 +02:00
Paul Traina
544cfaff2c
Add support for postfix/submission/smtpd matching.
2014-09-06 10:23:38 -07:00
Yaroslav Halchenko
0d9cfb84e3
Merge pull request #778 from yarikoptic/enh/symbiosis
...
ENH: symbiosis-blacklist-allports action
2014-08-20 23:00:11 -04:00
Yaroslav Halchenko
426ed7ff2f
Merge pull request #780 from opoplawski/logpath
...
Fxi jail.conf to use more syslog macros
2014-08-20 22:59:23 -04:00
Yaroslav Halchenko
93243e7d57
ENH: Ignore errors while unbaning in symbiosis firewall
...
Fail2Ban at times "interfers" with the firewall reflashing thus leading
to the sporadic errors. IMHO should be safe to ignore
2014-08-12 11:57:07 -04:00
Luc Maisonobe
763115b1eb
added systemd configuration for postfix-sasl.conf
2014-08-11 21:54:27 +02:00
Yaroslav Halchenko
aee560b1c6
Merge branch 'master' of git://github.com/fail2ban/fail2ban
...
* 'master' of git://github.com/fail2ban/fail2ban:
1.5 version of Fail2ban logwatch file
Fix typos.
2014-08-11 13:10:02 -04:00
Yaroslav Halchenko
6fc04c2256
Merge branch 'bf+enh/cyrus-imap' of https://github.com/yarikoptic/fail2ban (with some tune up to Changelog entry)
...
* 'bf+enh/cyrus-imap' of https://github.com/yarikoptic/fail2ban :
ENH: cyrus-imap -- catch also 'user not found' attempts
BF: cyrus-imaps -- catch also for secured daemons
Conflicts:
ChangeLog
2014-08-11 13:09:43 -04:00
Yaroslav Halchenko
f403bad0ab
Merge pull request #775 from alimony/patch-1
...
Fix typos.
2014-08-11 13:08:30 -04:00
Yaroslav Halchenko
b79a82ebdd
minor typo
2014-08-08 15:57:41 -04:00
Orion Poplawski
6b554fbe98
Fxi jail.conf to use more syslog macros
2014-08-08 13:27:32 -06:00
Yaroslav Halchenko
818dd59d65
ENH: symbiosis-blacklist-allports action
2014-08-08 11:57:30 -04:00
Markus Amalthea Magnuson
7b76322898
Fix typos.
2014-08-02 12:21:59 +02:00
Yaroslav Halchenko
4a23a7dcf1
Merge pull request #766 from leftyfb/master
...
Added cloudflare action
2014-07-28 15:34:09 -04:00
leftyfb
6dbd449f77
Changed to Cloudflare JSON API
2014-07-28 11:10:50 -04:00
Jisoo Park
2e7b8adb3b
Fix sieve filter to use correct option
2014-07-28 23:42:02 +09:00
Yaroslav Halchenko
f19c5fc939
Merge pull request #770 from eltrai/master
...
Forwards bantime to action scripts
2014-07-28 10:17:08 -04:00
Yaroslav Halchenko
f9cfbd66e6
Merge pull request #771 from szepeviktor/patch-1
...
named users + smtp auth probes
2014-07-28 10:14:18 -04:00
Szépe Viktor
143a55bf26
Update courier-smtp.conf
2014-07-28 12:51:38 +02:00
Yaroslav Halchenko
2d7f2fa33f
Merge pull request #756 from marclaporte/patch-1
...
typo
2014-07-27 21:49:24 -04:00
Yaroslav Halchenko
45c1095606
Merge pull request #750 from niorg/master
...
Added Directadmin filter, jail and log test
2014-07-27 21:47:07 -04:00
Yaroslav Halchenko
3339dc8d84
ENH: cyrus-imap -- catch also 'user not found' attempts
2014-07-25 10:13:04 -04:00
Yaroslav Halchenko
3e5c598b79
BF: cyrus-imaps -- catch also for secured daemons
2014-07-25 10:02:40 -04:00
Szépe Viktor
d757ef584f
Update courier-smtp.conf
2014-07-20 21:09:10 +02:00
Szépe Viktor
a786e8a29b
named users + smtp atuh probes
2014-07-20 19:59:54 +02:00
Pierre-Alain Dupont
3d7504c19e
Forwards bantime to action scripts
...
That way, ipset and afctl will use a real timeout and not default to a fixed value for all jails
2014-07-20 16:25:59 +02:00
leftyfb
cba570cabd
Updated comments
2014-07-17 23:49:35 -04:00
leftyfb
5471e99ebe
Added cloudflare action
2014-07-17 22:54:30 -04:00
Yaroslav Halchenko
6cddc65cee
BF: path to exim's mainlog on Fedora (Thanks Frantisek Sumsal) + changelog entry
2014-07-14 12:16:12 -04:00
Yaroslav Halchenko
43950d8b7e
BF: fix path to the exim log on Debian systems (/var/log/exim4)
2014-07-08 11:09:25 -04:00
Marc Laporte
3777591ab0
typo
2014-07-05 11:55:57 -04:00
Cyril Roos
add8e61036
Added Directadmin filter, jail and log test
2014-07-02 13:52:06 +02:00
Yaroslav Halchenko
0adb10f653
Merge branch 'ainfo-copy' of https://github.com/kwirk/fail2ban
...
* 'ainfo-copy' of https://github.com/kwirk/fail2ban :
TST: actions modifying aInfo test more robust
TST: Test for actions modifying (un)ban aInfo
BF: aInfo could be modified by actions, causing unexpected behaviour
2014-06-22 10:53:30 -04:00
Steven Hiscocks
2d54161696
Merge branch 'kwirk/harmonize-log-msgs'
...
Conflicts:
ChangeLog - Keep all additions
2014-06-22 12:57:49 +01:00
Steven Hiscocks
76a5633ff9
Merge pull request #739 from ranvis/enh-iptables-ipsets
...
ENH: Add <chain> to iptables-ipsets.
2014-06-21 22:48:49 +01:00
SATO Kentaro
65ff3e9604
ENH: Introduce iptables-common.conf.
2014-06-18 19:04:57 +09:00
Steven Hiscocks
94232d7c31
Merge pull request #726 from pmarrapese/master
...
Minor improvement to sshd filter
2014-06-17 23:43:42 +01:00
Steven Hiscocks
8268c1641f
BF: aInfo could be modified by actions, causing unexpected behaviour
...
A separate copy of aInfo is passed to each action
2014-06-17 23:24:23 +01:00
Yaroslav Halchenko
93d5c363ca
Merge branch 'enh/oracle_msg_server'
...
* enh/oracle_msg_server:
ENH: make oracleims failregex better anchored (more explicit)
Update oracleims.conf to be 'less greedy'
Update THANKS
Update jail.conf for oracleims filter.
Create test for oracleims filter
Create oracleims.conf in filter.d for new filter
2014-06-16 09:22:42 -04:00
SATO Kentaro
1e1c4ac62a
ENH: Add <chain> to iptables-ipsets.
2014-06-16 21:30:13 +09:00
Yaroslav Halchenko
994fe77e59
ENH: make oracleims failregex better anchored (more explicit)
2014-06-10 03:52:16 -04:00
JoelSnyder
5165d2f6ea
Update oracleims.conf to be 'less greedy'
...
This assumes that the protocol is always a string, which it always is, and that the other four fields in the "tr" are always numeric (which they always are). See port_access documentation at http://docs.oracle.com/cd/E19563-01/819-4428/bgaur/index.html
2014-06-09 18:44:27 -07:00
JoelSnyder
70ed93d8cc
Update jail.conf for oracleims filter.
...
This is the jail.conf update. Hopefully this will go into pull request #734 .
2014-06-09 18:37:31 -07:00
Steven Hiscocks
e8131475cd
ENH: Realign and harmonise log messages with getF2BLogger helper
2014-06-09 22:17:00 +01:00
Steven Hiscocks
db023be09b
BF: Fix bad syntax in badips.py action
...
Taken from https://bugzilla.redhat.com/attachment.cgi?id=895966&action=diff
2014-06-07 20:51:53 +01:00
JoelSnyder
9b7c35810a
Create oracleims.conf in filter.d for new filter
...
Created oracleims.conf to catch messages from Sun/Oracle Communications Messaging Server v6.3 and above (including v7)
2014-06-02 22:55:59 -07:00
pmarrapese
96918acee4
more explicit match for sshd filter & added test
2014-05-19 20:47:16 -07:00
pmarrapese
46d6e93800
adjusted sshd filter regex to catch more verbose lines
2014-05-18 22:12:54 -07:00
Steven Hiscocks
77ba065571
Merge pull request #697 from jhmartin/monit_admin_hack
...
Block brute-force attempts against the Monit gui
2014-05-07 22:23:01 +01:00
Steven Hiscocks
bc10b64c69
ENH: Match non "Bye Bye" for sshd locked accounts failregex
2014-04-27 13:35:55 +01:00
Yaroslav Halchenko
596b819bdc
DOC: minor -- tabify docstring in badips.py action
2014-04-23 10:04:17 -04:00
Jason Martin
9c3cb31862
Even stricter monit regex, now covers entire line
2014-04-22 21:29:52 -07:00
Jason Martin
72bfd14330
Tidy up filter.d/monit.conf, make regex more complete.
...
Add ChangeLog / THANKS entry.
Add test cases.
2014-04-19 13:04:03 -07:00
Steven Hiscocks
03d90c2f42
BF: recidive filter and samples at wrong log level: WARNING->NOTICE
2014-04-19 18:07:23 +01:00
Jason Martin
7d112430ca
Block brute-force attempts against the Monit gui
2014-04-16 21:21:41 -07:00
Steven Hiscocks
d4427e5a76
Merge pull request #683 from yarikoptic/fix/682
...
Fix typos referencing paths-common, provide empty defaults for syslog_ log files (Partial fix to #682 )
2014-04-15 17:14:28 +01:00
Steven Hiscocks
9fcb92524e
BF: badips.py action logging of exc_info on debug typo
2014-04-12 11:21:52 +01:00
Yaroslav Halchenko
8bcb25c3a2
defining empty defaults for syslog_ log targets for common (Thanks @chtheis, partial fix to #682 )
2014-04-10 23:17:39 -04:00
Yaroslav Halchenko
7dcea0d48d
typos of paths-common (Thanks @chtheis, partial fix to #682 )
2014-04-10 23:17:30 -04:00
Yaroslav Halchenko
5bccec61e4
ENH: adding pruned with previous merge trailing \s* in nginx filter
2014-04-03 21:31:46 -04:00
Yung-Chin Oei
941a38ea8e
nginx-http-auth: match when "referrer" is present
...
A sample log-line is provided. The updated regex successfully matches
this line.
Signed-off-by: Yung-Chin Oei <yungchin@yungchin.nl>
2014-04-04 01:27:39 +01:00
shawn
d7e888238c
Correct grammar
2014-04-03 10:44:49 -04:00
yungchin
6e8c1b2871
nginx-http-auth filter: match server_name = ""
...
As documented at
http://nginx.org/en/docs/http/server_names.html#miscellaneous_names "If
no server_name is defined in a server block then nginx uses the empty
name as the server name." This regex change allows us to match error
output for such a configuration.
The log line added to the tests was lifted from our logs verbatim; it
did not match without the patched regex.
Signed-off-by: Yung-Chin Oei <yungchin@yungchin.nl>
2014-04-03 11:04:21 +01:00
yungchin
3a155ed2e0
Update comments in shorewall.conf for new settings
2014-04-01 16:52:21 +01:00
Ruben Kerkhof
1c36da9df9
Fix 2 more typos that codespell didn't catch
2014-03-25 10:57:20 +00:00
Ruben Kerkhof
1695d5c076
Fix a few typos
...
Found with https://github.com/lucasdemarchi/codespell
Signed-off-by: Ruben Kerkhof <ruben@rubenkerkhof.com>
2014-03-24 13:16:52 +00:00
Manuel Rüger
5a1ad75114
Fix typo in comment
2014-03-18 03:07:19 +01:00
Steven Hiscocks
41cbbbc248
BF: Remove unused imports and variables.
...
All highlighted by using pyflakes.
2014-03-16 14:31:34 +00:00
Steven Hiscocks
16125ec81a
BF: badips.py action methods not static due to use of self._logSys
2014-03-16 14:18:19 +00:00
Steven Hiscocks
6c5a978d6f
BF: journalmatch for recidive should be NOTICE level not WARNING
2014-03-15 13:29:44 +00:00
Daniel Black
7611096162
Merge branch '0.9' of https://github.com/fail2ban/fail2ban into 0.9
2014-03-14 22:31:16 +11:00
Daniel Black
aa7e8fb9ce
DOC: Credits. close gh-644
2014-03-14 22:30:44 +11:00
Steven Hiscocks
9e374b159e
ENH: Allow setting of badips.py key for reporting and blacklisting
2014-03-13 22:45:10 +00:00
Steven Hiscocks
de43d1d6d5
ENH: Change badips.py default score to "3"
...
As per recommendation from Amy from badips.com
2014-03-13 22:05:50 +00:00
Daniel Black
476d79d3cc
ENH: asterisk filter to support syslog format
2014-03-14 09:03:27 +11:00
Daniel Black
415f187644
ENH: sendmail-reject for all smtp ports.
2014-03-14 07:12:12 +11:00
Steven Hiscocks
a78a9d282c
DOC: Document that badips.py action should be last action for jail
2014-03-13 20:04:30 +00:00
Steven Hiscocks
0222ff4677
Merge branch 'badips-blacklist' into 0.9
...
Conflicts:
ChangeLog
- entires added in both branches.
Change:
config/action.d/badips.py
- jail.getName() changed to jail.name
2014-03-13 20:01:15 +00:00
Steven Hiscocks
0c63d0061a
DOC: Add documentation for badips.py action
2014-03-13 19:58:32 +00:00
Steven Hiscocks
dfb46cfda6
BF: Require Python 2.7+ for badips.py action
2014-03-12 21:54:15 +00:00
Daniel Black
df882feb16
ENH: expand sendmail-reject jail to 465,submission
2014-03-13 07:44:02 +11:00
Daniel Black
ef29d7bd29
ENH: paths-{common,distro} normalisation
2014-03-12 20:32:41 +11:00
Daniel Black
50d938e0bf
MRG: merge filter sendmail-spam into sendmail-reject
2014-03-02 16:28:23 +11:00
Daniel Black
666fd5eceb
ENH: purge excessive jail variations
2014-03-02 16:11:53 +11:00
Daniel Black
69f5baae36
ENH: jail.conf to use syslog_mail
2014-03-02 15:18:41 +11:00
Daniel Black
2d45becb0e
Merge branch '0.9' into distro-paths-gh-315
2014-03-02 15:17:21 +11:00
Daniel Black
2d8c497ce5
ENH: highlight missing osx paths
2014-03-02 15:16:53 +11:00
Daniel Black
cc8ec826c5
MRG: from master 2014-03-02
2014-03-02 14:33:45 +11:00
Daniel Black
853bed8e4f
ENH: more sendmail-reject filter items thanks to fab23
2014-03-02 14:04:27 +11:00
Daniel Black
d0ec09a3b5
BF: move to right location
2014-03-01 15:50:30 +11:00
Daniel Black
c10cc20928
ENH: rename sendmail-spam to sendmail-reject
2014-02-28 08:41:04 +11:00
Daniel Black
d34569fb8d
BF: email address as arg1 in sendmail filters
2014-02-27 11:38:23 +11:00
Daniel Black
72c84fe9b0
ENH: wider regex for RBL and sendmail-spam
2014-02-27 10:02:34 +11:00
Daniel Black
fe1725c603
BF: add jail.conf definitions for sendmail* filters
2014-02-26 19:31:09 +11:00
Daniel Black
3d776afbb0
ENH: add filter for sendmail-{auth,spam}. Closes gh-20
2014-02-26 19:16:49 +11:00
Steven Hiscocks
a9b9c6ea03
Merge branch 'logging' into 0.9
...
Conflicts:
fail2ban/server/actions.py
jail getName()->name
fail2ban/server/filter.py
jail getName()->name
2014-02-23 23:03:56 +00:00
Steven Hiscocks
df8d700d17
RF: Refactor Jail and JailThread
...
Includes:
- documentation to new format and use of properties
- change isActive->is_active as former no longer documented for
python3, and later introduction and documented in python2.6
- status formatter in beautifier somewhat more automatically
formatted; no changes are required for additional status elements
- JailThread now set to active within `start` method, complimenting
`stop` method
2014-02-23 17:41:14 +00:00
Steven Hiscocks
a4731ef988
DOC: Correct log levels
2014-02-20 23:09:45 +00:00
Steven Hiscocks
5630c56c75
ENH: Change logging levels and make info more verbose
2014-02-20 23:01:40 +00:00
Daniel Black
9be22a96a6
Merge pull request #614 from kwirk/complain-abusix
...
BF: Use abusix Abuse Contact DB to get more accurate abuse addresses
2014-02-20 09:17:23 +11:00
Daniel Black
cc463aa60d
Merge pull request #620 from kwirk/xarf-tweaks
...
BF: Fix misplaced ";", and duplicate {ip,}matches
2014-02-20 09:16:11 +11:00
Daniel Black
b6f9b9161d
BF: remove self reference
2014-02-20 09:01:05 +11:00
Daniel Black
a044517cb7
MRG: from master to 0.9 2014-02-20
2014-02-20 08:35:24 +11:00
Daniel Black
79e6543eca
Merge branch '0.9' into distro-paths-gh-315
2014-02-20 08:20:47 +11:00
Daniel Black
83266eb668
ENH: framework for distro paths
2014-02-20 08:20:02 +11:00
Steven Hiscocks
8c5525163b
BF: Fix misplaced ";", and duplicate {ip,}matches
2014-02-18 15:13:02 +00:00
Steven Hiscocks
997729e274
BF: Fix complain action for multiple recipients and misplaced ";"
2014-02-18 15:05:06 +00:00
Steven Hiscocks
7c76f7f204
BF: $EUID not avilable in all shells, replaced with `id -u` in xt_recent
2014-02-16 17:56:06 +00:00
Steven Hiscocks
2a37ee2fb7
ENH: Add root user check in xt_recent, and add missing actionstop
...
Thanks to Helmut Grohne on IRC for suggestion
2014-02-16 16:52:30 +00:00
Steven Hiscocks
5c7630c4be
ENH: Allow separate blacklist category for badips.py action
2014-02-14 17:45:08 +00:00
Steven Hiscocks
cf81ddd8e2
BF: Add error handling in badips.py action
2014-02-14 17:10:34 +00:00
Steven Hiscocks
31f4ea59cb
BF: Use abusix Abuse Contact DB to get more accurate abuse addresses
...
Taken from xarf-login-attack action from 0.9 branch by Daniel Black
2014-02-13 22:00:33 +00:00
Steven Hiscocks
f68d85a6ac
Merge branch 'master' into 0.9
...
Conflicts:
ChangeLog
Spelling correction of 0.8.13 fixed in master
config/jail.conf
Added nagios and duplicate php-url removal in master
Just nagios added, duplicate not issue in 0.9
2014-02-13 20:14:40 +00:00
Daniel Black
c701ac9276
DOC: document LogLevel requirement for "Connection from" regex"
2014-02-13 16:20:36 +11:00
Daniel Black
5f4d0ed576
ENH: ssh filter - "Disconnecting: Too many authentication failures.." matching Connection log message
2014-02-13 09:13:46 +11:00
Aarón Nieves Fernández
993b7d3dfb
Duplicate jail "php-url-fopen"
2014-02-10 21:41:50 +01:00
Steven Hiscocks
dff8909473
ENH: Add badips.com reporting and blacklisting action (python based)
2014-02-09 12:23:14 +00:00
Ivo Truxa
c207ad6058
removing ignoreip at [nagios]
...
I removed the ignoreip setting from the nagios section. As pointed out, it is redundant here. Nagios server, under normal circumstances should not trigger any access errors, and would be included in the global ignoreips anyway.
2014-02-06 00:27:38 +01:00
Ivo Truxa
f5f434f846
removing the second failregex
...
The second failregex was supposed to catch an error concerning an ACL denial over IPv6, but this message is no more generated by the nrpe version (v2.15) that introduced the IPv6 support, so the first failregex seems to be sufficient.
2014-02-06 00:22:05 +01:00
Ivo Truxa
a71bb89ccd
removing a dot (typo)
...
The dot at the ignoregex did not belong there. Somehow it was added during the copying and pasting. Thanks for reporting it, I did not see it. Otherwise, empty ignoregexes are in all filters, and if they are missing, fail2ban client shows warnings when starting the filter, which I prefer avoiding.
2014-02-03 23:12:56 +01:00
Ivo Truxa
dac4dd465e
ENH: Nagios filter
...
added typical configuration settings for the nagios filter
2014-02-03 21:51:49 +01:00
Ivo Truxa
c91fda8619
ENH: Nagios filter
...
Sample log for the first failregex is available in the testcases. No example available for the IPv6 denial yet.
2014-02-03 21:46:07 +01:00
Daniel Black
ef82eac790
DOC: openssh real protection is pubkey
2014-02-02 15:16:40 +11:00
Daniel Black
59b9045e88
MRG: from master 2014-02-02
2014-02-02 13:21:16 +11:00
Daniel Black
273b2f45a3
MRG: remove the "no auth attempts" as per aseques gh-600
2014-01-29 20:43:51 +11:00
Daniel Black
9b614ce486
ENH: dovecot filter enhancements
2014-01-29 20:27:45 +11:00
Joan
84617fa6da
Fixed a failing case
2014-01-28 16:19:35 +01:00
Joan
08171ba52f
Removed the -no auth attempts- from the triggers because of lots of FP
2014-01-28 12:44:46 +01:00
Daniel Black
a749a2780e
Merge pull request #593 from grooverdan/tine
...
ENH: Tine20 filter
2014-01-26 18:50:42 -08:00
Daniel Black
1a1e3bec86
ENH: framework for distro paths
2014-01-25 23:25:54 +11:00
Daniel Black
256c732bcd
BF/ENH: filter pure-ftpd - re-add _daemon. Add translations
...
_daemon was accidently removed in
89fd792dfb
Added translations from source code
2014-01-25 12:19:46 +11:00
Daniel Black
1e1261ccb4
MRG: from master 2014-01-23
2014-01-23 17:45:18 +11:00
Daniel Black
ca57427080
BF: firewallcmd-ipset had non-working actioncheck
2014-01-23 17:41:13 +11:00
Daniel Black
c8ae064b79
ENH: tighten regex and change failJSON to support timezone. Closes gh-583
2014-01-22 22:16:03 +11:00
Daniel Black
2063d96e59
MRG: import Lars' PR for tine20
2014-01-22 18:12:19 +11:00
Steven Hiscocks
8221c7ca71
TST+BF: Add tests for python actions, including test for smtp.py
...
Also fix bug when specifying multiple recipients for smtp.py action
2014-01-20 23:10:43 +00:00
Steven Hiscocks
a0f39255bc
BF: Kerio log datepattern fix for recent datepattern full regex merge
2014-01-20 23:00:38 +00:00
Daniel Black
a650178bd1
MRG: merge from master 2014-01-19
2014-01-19 14:48:29 +11:00
Daniel Black
263ac32730
ENH: test log samples for kerio thanks to
...
Tony Lawrence
2014-01-18 23:18:33 +11:00
Daniel Black
1452be4a3a
Merge pull request #588 from grooverdan/badips
...
ENH: Badips action (reporting)
2014-01-17 23:10:29 -08:00
Daniel Black
f566cab766
Merge branch 'master' into badips
2014-01-15 09:37:11 +11:00
Daniel Black
657da2041c
BF: dovecot filters, session characters and order of session/tls in log messages
2014-01-15 08:02:47 +11:00
Daniel Black
2333b2d5d9
MRG: from 0.9
2014-01-13 22:17:14 +11:00
Daniel Black
c7f887642d
Merge branch '0.9' into master_to_0.9
2014-01-13 21:23:42 +11:00
Daniel Black
3de80545e0
MRG: from master 2014/01/13
2014-01-13 21:23:39 +11:00
Daniel Black
01e5ae1234
Merge pull request #584 from grooverdan/exim-auth
...
ENH: Exim auth
2014-01-13 02:20:47 -08:00
Daniel Black
08b4f3e5f2
Merge branch 'patch-5' of https://github.com/truxoft/fail2ban into exim-auth
2014-01-13 19:26:12 +11:00
Lars Kneschke
47dd8fb897
ENH: filter for Tine 2.0
2014-01-13 06:04:59 +01:00
Ivo Truxa
2d8c0b26e4
Matching any Exim authentication name
...
As explained in https://github.com/grooverdan/fail2ban/pull/4 , in Exim there can be used plenty of other standard authentication names, and in fact the names can be custom. The failregex in Exim filter should catch authentication errors regardless of the name of the authentication. Hence replacing the plain|login with the general \w+
2014-01-13 01:38:49 +01:00
Daniel Black
6b0e6b9bca
ENH: add improper command pipelining postfix filter
2014-01-13 06:59:59 +11:00
Daniel Black
a443b8b4d3
BF: remove second jail definition
2014-01-12 21:45:39 +11:00
Daniel Black
cd3e94140c
MRG: complete merge
2014-01-12 21:16:55 +11:00
Daniel Black
f2e55e8499
ENH: add filter for squirrelmail. Closes gh-261
2014-01-12 20:27:36 +11:00
Daniel Black
1e8ed55a36
MRG: from 0.9
2014-01-12 20:15:34 +11:00
Tomas Pihl
b52a4441fd
Support ACL-events without AccountID. Typically happens when a registration
...
from an unknown domain is performed.
Add credits
2014-01-12 01:28:55 +01:00
Steven Hiscocks
0dd6533680
BF: Add ejabberd-auth to jail.conf
2014-01-09 23:22:12 +00:00
Steven Hiscocks
128112d51c
ENH: ejabberd filter
2014-01-09 22:47:17 +00:00
Daniel Black
8333abe420
Merge pull request #557 from grooverdan/apache-botsearch
...
ENH: Apache botsearch + BF: tag substition
2014-01-09 14:11:00 -08:00
Daniel Black
b0baab3a0e
ENH: more test cases and wider regex
2014-01-10 08:40:24 +11:00
Daniel Black
4b33f96db4
DOC: fix comment regarding apache version in apache-noscript
2014-01-10 08:35:37 +11:00
Daniel Black
8e5366a7e9
DOC: for apache-botsearch and apache-botsearch
2014-01-10 07:34:01 +11:00
Steven Hiscocks
7e8da15fc6
Merge pull request #572 from grooverdan/counterstrike
...
ENH: Counter Strike filter
2014-01-08 12:47:10 -08:00
Yaroslav Halchenko
6532a2e2f7
Merge pull request #548 from grooverdan/exim-honeypot
...
Exim honeypot
2014-01-07 06:14:42 -08:00
Daniel Black
d94efe719d
ENH: jail.conf for counter-strike
2014-01-07 20:50:50 +11:00
Daniel Black
0fb6bc7188
ENH: add filter for Counter Strike 1.6. Closes gh-347
2014-01-07 20:33:57 +11:00
Daniel Black
aabdc51e87
BF: revert separate jail for exim-honeypot as only exim-spam exists.
2014-01-07 16:26:29 +11:00
Daniel Black
9e087b508d
MRG: from 0.9
2014-01-07 16:11:40 +11:00
Daniel Black
58ebf659e4
MRG: from 0.9 to make history cleaner
2014-01-07 16:07:58 +11:00
Yaroslav Halchenko
9a8b449086
DOC: some typos, fixes from Vincent Lefevre
2014-01-06 23:38:52 -05:00
Daniel Black
9e390d6549
ENH: jail.conf for exim-honeypot
2014-01-07 11:53:20 +11:00
Daniel Black
809581ae99
ENH: jail.conf for apache-botsearch
2014-01-07 11:52:21 +11:00
Daniel Black
ed9ed6d0cb
TST/ENH: fix test case for ReadStockJailFilterComplete and add missing jails
2014-01-07 11:27:54 +11:00
Daniel Black
10fa5e3439
BF: fix jails for gssftpd and qmail
2014-01-07 10:49:11 +11:00
Daniel Black
549f64e86c
BF: remove imap2 - not an IANA and probably not used
2014-01-07 10:25:29 +11:00
Daniel Black
320861b7dc
Merge branch 'more-jails-0.9' into master_to_0.9
2014-01-07 10:24:27 +11:00
Daniel Black
76468942f9
MRG: complete merge from master
2014-01-07 10:24:23 +11:00
Daniel Black
fa6a183e94
BF: typos in jail.conf corrected
2014-01-07 09:49:27 +11:00
Daniel Black
a31c76f126
ENH: jail cleanup and fill in missing for 0.9
2014-01-07 09:34:39 +11:00
Daniel Black
755af0a51e
Merge pull request #562 from grooverdan/jail.conf-complete_and_correct
...
ENH: Jail.conf now has all filters and TST: a mechanism to test this is truee
2014-01-06 12:08:45 -08:00
Daniel Black
90fdf5fc21
ENH: jail.conf entry for groupoffice
2014-01-07 06:55:38 +11:00
Daniel Black
ab3ded2205
Merge pull request #549 from kwirk/python-actions
...
ENH: Python actions
2014-01-06 02:58:45 -08:00
Daniel Black
50eab4df81
ENH: add filter groupoffice. Closes gh-566
2014-01-06 21:56:22 +11:00
Daniel Black
f137c7b107
BF: stunnel doesnt need datepattern as its inbuilt
2014-01-06 09:53:54 +11:00
Daniel Black
1687505995
BF: Fix datepattern
2014-01-06 09:06:05 +11:00
Steven Hiscocks
6c301ae210
Merge pull request #563 from grooverdan/gh-289-ssh
...
BF: add expression for ssh filter for code 3: SSH2_DISCONNECT_KEY_EXCHAN...
2014-01-05 09:55:05 -08:00
Daniel Black
03aba92238
ENH: add kerio filter
2014-01-05 23:41:49 +11:00
Daniel Black
1c5787174f
BF: escape . in stunnel filter
2014-01-05 23:25:49 +11:00
Daniel Black
a8e0498389
BF: add expression for ssh filter for code 3: SSH2_DISCONNECT_KEY_EXCHANGE_FAILED. closes gh-289
2014-01-05 21:26:26 +11:00
Daniel Black
a9f804e443
ENH: complete stock jail.conf to contain all filters
2014-01-05 21:03:16 +11:00
Daniel Black
6ce2ba2895
ENH: additional phpmyadmin tips from Tom on http://www.fail2ban.org/wiki/index.php?title=Fail2ban:Community_Portal . Block is now a prefix of a path
2014-01-05 11:48:35 +11:00
Daniel Black
c37ee4cc52
DOC: filter.d/vsftpd doco from wiki
2014-01-05 11:30:56 +11:00
Daniel Black
6602937ee1
DOC: filter.d./pure-ftpd doco from wiki
2014-01-05 11:24:20 +11:00
Steven Hiscocks
69a850d226
DOC: Update docstrings for smtp.py action
2014-01-04 22:46:57 +00:00
Steven Hiscocks
6e63f0ea5a
RF: Change Jails and Actions to Mapping types
2014-01-04 16:57:08 +00:00
Daniel Black
d7666c8942
DOC: bit more on how to use freeswitch
2014-01-04 12:39:48 +11:00
Daniel Black
23f0b854da
MRG: merge in freeswitch
2014-01-04 12:24:40 +11:00
Daniel Black
69b3a1cf64
BF: catchin DEBUG messages will result in duplicates
2014-01-04 12:10:51 +11:00
Daniel Black
05b159c74b
Merge pull request #464 from grooverdan/increase-jail-name-length
...
ENH: Actions to have f2b- as prefix instead of fail2ban- as per #462
2014-01-03 14:48:56 -08:00
Daniel Black
3d1a1afca4
MRG: to more recent 0.9
2014-01-04 09:31:05 +11:00
Daniel Black
5fe75436cc
DOC: DEV NOTES before author names
2014-01-04 08:53:45 +11:00
Daniel Black
477f30665a
DOC: ignoreip for internal ips on freeswitch
2014-01-04 08:31:42 +11:00
Daniel Black
36533de6bc
ENH: more filter expressions for freeswitch. Anchored existing one at end too
2014-01-04 08:21:22 +11:00
Daniel Black
d1faae3b3b
BF: port not used in jail definition for freeswitch
2014-01-04 08:01:42 +11:00
Daniel Black
938ef689de
DOC: dev notes on stunnel
2014-01-04 07:55:26 +11:00
Steven Hiscocks
80d6f74ee8
RF: Refactor actions further, include removing server proxy interface
...
This allows direct setting of action properties and calling of methods
from the fail2ban-client if so required.
2014-01-03 17:04:49 +00:00
Daniel Black
7c09a61ca5
ENH: add apache-botsearch. Closes gh-544
2014-01-03 23:12:58 +11:00
Daniel Black
b8536490ef
ENH: filter for stunnel from fail2ban wiki
2014-01-03 19:32:29 +11:00
Daniel Black
a0c2de3e4d
DOC: document incompatiblity between APF and iptables-* actions. Closes gh-510
2014-01-03 16:51:38 +11:00
Daniel Black
04d28fd2e1
ENH: add filter freeswitch - as raised on mailing list
2014-01-03 13:00:37 +11:00
Daniel Black
117d3b0466
MRG: horde filter from master
2014-01-03 10:34:59 +11:00
Daniel Black
83f3aeb308
ENH: filter for horde
2014-01-02 23:12:36 +11:00
Steven Hiscocks
98bf511443
BF: Incorrect number of arguments in smtp.py action connect log
2014-01-01 23:50:44 +00:00
Steven Hiscocks
5b2b59d752
ENH: python actions use initOpts as **kwargs
...
Adds an easy way to handle case where mandatory arguments are missed, or
not valid arguments are passed
2014-01-01 23:18:11 +00:00
Steven Hiscocks
6ef911185d
ENH: Add matches to smtp.py action
2014-01-01 12:27:49 +00:00
Daniel Black
55688395fb
DOC: doco for exim-spam
2014-01-01 22:56:08 +11:00
Daniel Black
9c7bb3b97e
ENH: exim-spam to take honeypot email address as argument. Closes #541
2014-01-01 22:45:13 +11:00
Daniel Black
391b5fc883
MRG: from master again 2014-01-01
2014-01-01 19:28:38 +11:00