github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity
4,435 Commits
32 Branches
229 Tags
18 MiB
Commit Graph

4435 Commits (76f5e3659e65b16fb2e049a36b8b3de6ee113649)

Author SHA1 Message Date
Serg G. Brester cea8ba7831 Merge pull request #1733 from sebres/0.10-repl-skiplines 
Normalizes replacement of `<SKIPLINES>` + no multiline failregex per default
 2017-03-27 09:34:08 +02:00
Seth Reeser c82495353f Update mysqld-auth.conf (#1725) 2017-03-24 19:03:20 +01:00
Serg G. Brester 52c1950371 Update mysqld-auth.conf 
small typo, closes gh-1725 (Thx @seth-reeser)
 2017-03-24 19:03:17 +01:00
sebres 6ac5c55edc the sequence in args-dict is currently undefined (so can be 1st argument with `?` instead of `&`) 2017-03-24 17:35:41 +01:00
sebres 990d9a66da fail2ban-regex: fixed matched output by multi-line (buffered) parsing + and multi-line debuggex URL; 
test coverage extended;
 2017-03-24 17:07:21 +01:00
sebres bc888e0753 Regex compiled in multi-line parsing mode only if `maxlines` > 1 (buffering), if however expected - prefix `(?m)` could be used in regex to enable it; 
Removed warning "Mutliline regex set for jail ... but maxlines not greater than 1", because can be expected situation now:
non multi-line entry from systemd-filter containing new-lines (that should be ignored by anchors resp. entry parsed as single string);
small code review;
 2017-03-24 13:20:04 +01:00
sebres 61c1bdfe79 Normalizes replacement of `<SKIPLINES>` (moved to _resolveHostTag, so will be replaced together with another tags); 
Regex will be compiled as MULTILINE only if needed (buffering with `maxlines` > 1), that enables:
- improve performance by the single line parsing;
- make regex more precise (because distinguish between anchors `^`/`$` for the begin/end of string and the new-line character '\n', e. g. if coming from filters (like systemd journal) that allow the parsing of log-entries contain new-line chars (as single entry);
 2017-03-24 11:25:12 +01:00
Serg G. Brester b650503f00 Merge pull request #1732 from sebres/0.10-ignoreself 
0.10 `ignoreself` for ignore own IP addresses
 2017-03-24 10:12:23 +01:00
sebres e7052e9625 update man/jail.conf.5 (docu for the ignoreself) 2017-03-24 09:55:20 +01:00
sebres 30352c5f03 fix sporadic coverage changes (sometimes produces "no such process" in popen.poll after terminate/kill in timeout test cases) 2017-03-23 17:48:52 +01:00
sebres 663bc9903d increase coverage (was decreased since "ignoreip" was set to default empty) 2017-03-23 16:19:21 +01:00
sebres 6c4b1c7204 Update ChangeLog 2017-03-23 15:54:53 +01:00
sebres 5e93bf9bd3 Introduced new option "ignoreself", specifies whether the local resp. own IP addresses should be ignored (default is true). 
Fail2ban will not ban a host which matches such addresses.

Option "ignoreip" affects additionally to "ignoreself" and don't need to include the DNS resp. IPs of the host self.
 2017-03-23 15:52:31 +01:00
Serg G. Brester 1e6787877a Merge pull request #1726 from sebres/0.10-grave-fix-escape-tags-1st 
0.10 fix escape tags
 2017-03-21 15:33:00 +01:00
sebres 6ba0546824 code review and inline docu 2017-03-21 14:53:33 +01:00
Serg G. Brester 7a03c964c2 Update ChangeLog 2017-03-21 14:04:18 +01:00
sebres bb9541b7a9 Merge pull request #1728 from sebres/_0.10/fix-gh-1719 2017-03-21 11:05:15 +01:00
sebres 43d2cae8da small amend that correct log trace output by forget MLFID (outputs the reason why it was forgotten - close, disconnect, etc.) 2017-03-21 10:39:55 +01:00
sebres b6886f2e51 SampleRegexsFactory extended with optional filter constraint, if testing the same log-file with multiple filters (no possibility to match by the old sshd-filter 'zzz-sshd-obsolete-multiline') 2017-03-21 09:42:27 +01:00
sebres 1971fd4bd3 don't remove MLFID from cache (can recognize multiple attempt within the same connection) 2017-03-21 09:20:56 +01:00
sebres f13fac5ae9 amend to 5561423be3b2d4636f5484183c3ad470fd326d06: fixed incorrect failure counting despite the `<F-NOFAIL>` marked regex; 
extra: introduced new tag `<F-MLFFORGET>` as mark to forget current multi-line MLFID (e. g. connection closed);
Closes gh-1727
 2017-03-21 00:15:57 +01:00
sebres 32f3c1dbf3 test coverage 2017-03-20 13:34:42 +01:00
sebres 57e9c25449 bug fix in the config readers: mixing with the init section should affect only own init options (from init section only bypass default section); 
the situation details:
  value of "_daemon" from default section "default" (with init section) falsely overwrites it from definition section "test" -
  the resulting value of "_daemon" should be "test" in all 3 resulting failregex's (as specified in test.local),
  fixed and covered now;
additionally more complex cases covered also (all filter parameters in jail via "%(known/...)s", dynamical interpolation across all, etc);
 2017-03-20 12:10:09 +01:00
sebres 4f1473724b fixed grave vulnerability by wrong escape of tags by executing of shell actions 2017-03-20 12:09:42 +01:00
sebres e5c9f9ec1c [interim commit] try to fix possible escape vulnerability in actions 2017-03-20 12:08:14 +01:00
sebres 93ec9e01d4 fixes a small blemish by output in beautifier; 
command "unban" returns a count of tickets that were flushed
 2017-03-17 11:00:54 +01:00
Serg G. Brester da808fe67b Merge pull request #1720 from sebres/_0.10/fix-gh-1719 
fix gh-1719: sshd format changed
 2017-03-15 18:36:35 +01:00
sebres 5561423be3 filter.d/sshd.conf: fixed failregex format - some parts are optional, new ddos more precise rule (Connection reset by with host entry); 
closes gh-1719
 2017-03-15 18:01:20 +01:00
sebres 97d417926d repairs testing of missing samples for all regex after filter settings (mode) changed 2017-03-15 18:01:18 +01:00
Viktor Szépe d79267c424 Updated xarf-specification repo URL in xarf action 2017-03-14 20:47:31 +01:00
sebres ef975307c4 errors on closed socket are too sporadic to cover it (prevents "coverage decreased" over and over again) 2017-03-14 16:24:45 +01:00
sebres 5ff63b66a0 Merge branch '0.10' into 0.10-full 2017-03-14 13:36:32 +01:00
sebres 482e5265d7 output execution time of each test case if verbosity > 2 2017-03-14 13:34:54 +01:00
sebres 3cf068670c Merge branch '0.10' into 0.10-full 2017-03-14 11:47:38 +01:00
Serg G. Brester 77229a65b5 Merge pull request #1716 from sebres/fix-stop-replace-in-callable 
Prohibit recursive replacement of action info (calling map)
 2017-03-13 23:46:52 +01:00
sebres ccfd1ccb2d code review, increase coverage, etc. 2017-03-13 21:56:06 +01:00
sebres 5030e3a122 [Important] Prohibit replacement of recursive "tags" in the action info resp. calling map (very bad idea to do this): 
- the calling map contains normally dynamic values only (no recursive tags);
- recursive replacement can be vulnerable, because can contain foreign (user) input captured from log (will be replaced in the shell arguments);
 2017-03-13 20:45:35 +01:00
sebres c1da6611ec [BF] prevents always converting of calling map items in replaceTag (without direct access of item): 
substituteRecursiveTags: ignore replacing callable items from calling map - should be converted on demand only (by get)
 2017-03-13 18:47:26 +01:00
sebres 92d83274d9 fixes cache overload in the test cases (increase max count and max time of CACHE_ipToName - too many entries in mock-up preset, longer time testing) 2017-03-13 18:03:37 +01:00
Serg G. Brester 3fec546fc0 Merge pull request #1715 from sebres/fix-f2b-regex-debuggex-url 
fail2ban-regex debuggex url fix
 2017-03-13 16:37:57 +01:00
sebres 295f7b88c9 increase coverage 2017-03-13 16:21:03 +01:00
sebres 3cba2310ff Fixes debuggex URL (tag replacement) and missing line stat by matched lines (without time - `matched_lines_timeextracted`); 
Closes gh-1394
 2017-03-13 16:14:06 +01:00
sebres 875295320e Merge remote-tracking branch 'remotes/gh-upstream/0.10' into 0.10-full 2017-03-13 02:12:39 +01:00
Serg G. Brester 1bcde678c6 Merge pull request #1710 from sebres/0.10-test-with-filter-options 
0.10 filter options extension
 2017-03-13 02:11:48 +01:00
sebres 30b53bb2ce update ChangeLog and man/fail2ban-regex.1 2017-03-13 02:07:14 +01:00
sebres eb3623e90c configreader.py: correct reading real relative path (starting with "./"); 
fail2ban-regex: catch read exceptions by wrong config files (raise exception in verbose mode only);
 2017-03-12 19:04:45 +01:00
sebres 6a26602ba8 allow to use filter options by fail2ban-regex, example: 
fail2ban-regex text.log "sshd[mode=aggressive]"
 2017-03-11 00:06:29 +01:00
sebres 8af7a73bfc update ChangeLog 2017-03-10 22:14:39 +01:00
sebres 0c1707afda filter.d/sshd.conf: 
- optional parameter `mode` rewritten: normal (default), ddos, extra or aggressive (combines all), see sshd for regex details);

test cases reformatted (since "filterOptions", we don't need multiple test log-files anymore);
 2017-03-10 22:09:11 +01:00
sebres 7e442c5b27 filter.d/sendmail-reject.conf: 
- rewritten using `prefregex` and used MLFID-related multi-line parsing (by using tag `<F-MLFID>` instead of buffering with `maxlines`);
- optional parameter `mode` introduced: normal (default), extra or aggressive (see sendmail-reject for regex details);

test cases extended
 2017-03-10 21:44:19 +01:00