Commit Graph

5926 Commits (7b528a6da68822d25cd8a671fc4212a1539feee1)

Author SHA1 Message Date
sebres c03fe6682c merge 0.10 to 0.11 (GHSA-m985-3f3v-cwmm) 2021-07-07 12:04:46 +02:00
sebres e3f2fcfab4 merge point (GHSA-m985-3f3v-cwmm 0.9/0.10) 2021-07-07 11:50:49 +02:00
sebres 2ed414ed09 fixed possible RCE vulnerability, unset escape variable (default tilde) stops consider "~" char after new-line as composing escape sequence
closes GHSA-m985-3f3v-cwmm for 0.9
2021-07-07 11:46:28 +02:00
sebres 410a6ce5c8 fixed possible RCE vulnerability, unset escape variable (default tilde) stops consider "~" char after new-line as composing escape sequence 2021-06-21 17:12:53 +02:00
sebres 579c6a94af filter.d/postfix.conf: mode `ddos` (and `aggressive`) extended to consider abusive handling of clients hitting command limit (gh-3040) 2021-06-10 15:23:24 +02:00
sebres 43f2923fbd filter.d/postfix.conf: matches rejects with "undeliverable address" (sender/recipient verification, gh-3039) additionally to "Unknown user";
both are configurable now via extended parameter and can be disabled using `exre-user=` supplied in filter parameters
2021-06-10 15:06:54 +02:00
Sergey G. Brester bbfff18280
action.d/ufw.conf: amend to #3018: parameter `kill-mode` extended with conntrack 2021-06-03 12:02:08 +02:00
sebres c7a86b4616 action.d/firewallcmd-ipset.conf: amend to #2620:
- combines actions `firewallcmd-ipset` and `firewallcmd-ipset-native` (parameter `ipsettype=firewalld`);
- IPv6-capability for firewalld ipset;
- no internal timeout handling by default;
- no permanent rules yet
2021-05-29 22:59:55 +02:00
Sergey G. Brester 2a508da5a0
Merge pull request #2620 from mspolitaev/master
Using native firewalld ipset implementation
2021-05-29 21:30:55 +02:00
sebres 38535b0cca Merge branch '0.11' into master 2021-05-29 21:25:24 +02:00
sebres d2f5c7de09 Merge branch '0.10' into 0.11 2021-05-29 21:24:11 +02:00
sebres 92f90038fa filter.d/dovecot.conf: extended to match prefix like `conn unix:auth-worker (uid=143): auth-worker<13247>:` (authenticate from external service like exim), gh-2553 2021-05-29 21:12:34 +02:00
sebres 8b984a0135 filter.d\exim-common.conf: pid-prefix extended to match `mx1 exim[...]:` (gh-2553) 2021-05-29 20:47:56 +02:00
sebres 6be1a5a0b1 filter.d/dovecot.conf: fixed "Authentication failure" regex, matches "Password mismatch" in title case (gh-2880) 2021-05-29 20:25:28 +02:00
sebres 8afea37494 filter.d/sendmail-auth.conf: covering several "authentication failure" messages, sendmail 8.16.1 (gh-2757) 2021-05-29 20:09:57 +02:00
sebres c5f1598a21 filter.d/postfix.conf: extended to cover new vectors:
- reject: BDAT/DATA from (gh-2927)
- (since regex is more precise now) token selector changed to `[A-Z]{4}`, e. g. no matter what a command is supplied now (RCPT, EHLO, VRFY, DATA, BDAT or something else)
- matches "Command rejected" and "Data command rejected" now
2021-05-29 19:48:24 +02:00
sebres ae3e9b9149 filter.d/postfix.conf: extended to cover 2 new vectors:
- RCPT from unknown, 504 5.5.2, need fully-qualified hostname, gh-2995
- 550 5.7.25 Client host rejected, gh-2996
review combining several regex to single one
2021-05-29 19:21:27 +02:00
sebres 87f717e0e0 filter.d/sendmail-reject.conf: fix reverse DNS for ... (gh-3012) 2021-05-29 18:45:59 +02:00
Sergey G. Brester 3d52fe3e4e
Merge pull request #2679 from mikaku/updated-to-latest-jail.conf
Add new jail (and filter) Monitorix
2021-05-27 12:17:16 +02:00
sebres 0a05dbdbfc Merge branch '0.11' into master 2021-05-25 23:19:25 +02:00
sebres 3312b8cb95 Merge branch '0.10' into 0.11 2021-05-25 23:18:33 +02:00
sebres 1627d4f573 filter.d/sendmail-auth.conf: user not found, closes gh-3030 2021-05-25 23:16:29 +02:00
Sergey G. Brester f07e0f7ade
Merge pull request #2984 from j-marz/zoneminder_filter_update
Zoneminder filter update
2021-05-21 13:03:33 +02:00
Sergey G. Brester ec4e0dd65b
padding with space, prefregex, regex review (simplifying, capture user name, consider possible space char in user name) 2021-05-21 13:00:24 +02:00
j-marz 2367ad115c fixed typo in comment 2021-05-20 09:15:45 +10:00
Michael Orlitzky 78dddb75e6 files/fail2ban-openrc.init.in: add a comment about @RUNDIR@ in the future. 2021-05-14 07:50:34 -04:00
Michael Orlitzky 4d2841832c files/fail2ban-openrc.init.in: don't restart() with a broken config.
This commit adds a new function checkconfig() to the OpenRC service
script. All it does is run the server with the "--test" flag in
addition to the usual command-line arguments.

The new command is not user-facing, but lets us avoid restarting the
daemon with a broken config. That helps when the user changes his
configuration while the daemon is running, and then tries to restart()
not knowing that the new config is broken. A priori, we would stop the
daemon and then the error would only become visible when the subsequent
start() command failed. Refusing to stop() with a broken configuration
is a nicer thing to do.
2021-05-14 07:50:34 -04:00
Michael Orlitzky 87e9cff065 files/fail2ban-openrc.init.in: remove redundant "return" from start_pre.
OpenRC functions will exit with the return code from the last command
by default, so there's no need for the "|| return 1" in our
single-line start_pre() phase.
2021-05-14 07:50:34 -04:00
Michael Orlitzky 36a7abe82f files/fail2ban-openrc.init.in: mention that "reload" doesn't drop bans.
The description of the "reload" OpenRC command just said that it would
reload the configuration, which is true but not totally helpful. This
commit updates it to mention that your existing bans won't be dropped,
in contrast with the "restart" command that does drop your bans.
2021-05-14 07:50:34 -04:00
Michael Orlitzky dd0f348757 files/fail2ban-openrc.init: replace @BINDIR@ at build-time.
This commit renames fail2ban-openrc.init to fail2ban-openrc.init.in,
and replaces the hard-coded value "/usr/bin" with "@BINDIR@"
therein. At build-time, setup.py will replace that string with the
correct value, and rename the file (without the ".in" suffix).

This mimics the procedure done for "fail2ban-service.in" entirely.
2021-05-14 07:50:34 -04:00
Michael Orlitzky e6a9f109c5 files/fail2ban-openrc.init: force the socket location in the service script.
The socket location needs to be set in the service script for the same
reason that the PID file location does: because the service script is
taking responsibility for ensuring that its parent directory exists
and has the correct permissions. We can't do that if the end user is
allowed to move the PID file or socket somewhere else (without parsing
the config file, which has other security implications).
2021-05-14 07:50:28 -04:00
Michael Orlitzky 4e7419e71f files/fail2ban-openrc.conf: add back the "-x" example.
I've removed the stale socket cleanup from our OpenRC service script:

  * Cleaning up stale sockets isn't really the job of the service script.
  * The ability to ignore a stale socket is already built into the server.

With it gone, maybe the "-x" is a useful example to have in the conf
file (although it's commented-out by default, anyway).
2021-05-14 07:38:00 -04:00
Michael Orlitzky 654fda8a50 files/fail2ban-openrc*: let start-stop-daemon manage the server.
There are two ways that it would make sense to write the OpenRC
service script for fail2ban:

  1. Use the fail2ban-client program to stop, start, reload, etc. the
     server; and try to figure out whether or not it worked afterwards.

  2. Use the start-stop-daemon program built into OpenRC to manage the
     fail2ban-server process. This works only for starting and stopping,
     because the "reload" command is sent over an undocumented protocol,
     but has the benefit that you get immediate feedback about the result
     of calling fail2ban-server.

The existing service script combined the two in a way that appeared to
work, but didn't make too much sense. It used start-stop-daemon to
initiate the fail2ban-client program with either a "start" or "stop"
argument. So long as everything goes fine, that appears to work. But
the start-stop-daemon is not actually monitoring the fail2ban-client
program; it's supposed to be monitoring the fail2ban-server process
that gets started as side-effect.

The existing stop() function does not do quite what you'd expect; for
example the "stop" command is never sent. Again, the daemon does
ultimately get stopped so long as the hard-coded PID file contains
what you think it does -- so it "works" -- but is misleading.

This commit changes everything to use the second approach above, where
start-stop-daemon manages everything. This was done mainly to simplify
the service script, because now the default start() and stop() phases
can be used, allowing us to delete them from our copy. One might worry
that there is some special magic behind "fail2ban-client start" and
"fail2ban-client stop", however that does not appear to be the
case. Admittedly, if in the future those two commands begin to do
something nonstandard, the service script would need to be changed
again to take the first approach above and use fail2ban-client for
everything.
2021-05-14 07:38:00 -04:00
Michael Orlitzky 80b1007a8f files/fail2ban-openrc.init: remove the "showlog" command.
The extra "showlog" command in our OpenRC service script was more
trouble than it was worth: the only thing it did was call "less" on a
log file, and the service script is only guessing at the location of
the log file (only the fail2ban server knows its true location).

It's not like "/etc/init.d/fail2ban showlog" is that much easier to type
than "less /var/log/fail2ban.log" in the first place, so I think the
extra complexity (5 more lines in the service script) is not worth it.
2021-05-14 07:37:56 -04:00
Ioannis Cherouvim 5e3de882af
docs: Typo. (#3025) 2021-05-12 13:18:46 +02:00
Sergey G. Brester 3f9cf27853
filter.d/apache-fakegooglebot.conf: better, more precise regex and datepattern (closes possible weakness like #3013) 2021-05-11 13:47:48 +02:00
usernamepi 4f8427178a
Missing comment "#" (#3022)
Missed this ... but the logs showed it.
2021-05-07 18:23:40 +02:00
sebres 6ac2156907 Merge branch '0.11' into master 2021-05-07 01:48:36 +02:00
sebres 3e1aa03037 Merge branch '0.10' into 0.11 2021-05-07 01:46:46 +02:00
sebres ef5c826c74 fixes search for the best datepattern (gh-3020) - e. g. if line is too short, boundaries check for previously known unprecise pattern may fail on incomplete lines (logging break-off, no flush, etc) 2021-05-07 01:18:54 +02:00
sebres 2918849f9e fixes precise year pattern %ExY - accept years 20xx up to current century (using almost the same pattern in tests and production now) 2021-05-07 01:10:26 +02:00
usernamepi 88f779ed24
ufw.conf, amend to #3018 - add missing option for comment (#3019) 2021-05-06 23:23:39 +02:00
Sergey G. Brester 5a8f1bceb8
Merge pull request #3018 from usernamepi/master
Update ufw.conf: several fixes and enhancements
2021-05-06 22:20:39 +02:00
Sergey G. Brester 2958ad8636
Update ChangeLog 2021-05-06 22:19:38 +02:00
Sergey G. Brester 8f6a8df3a4
added new options `kill-mode` and `kill`, which makes the drop of all connections optional 2021-05-06 21:47:06 +02:00
Sergey G. Brester 5debaa4cac
option "add", can be set to "insert <num>" instead of prepend (customization or backwards compat) 2021-05-06 20:23:58 +02:00
usernamepi e4e7a83cff
Update ufw.conf
Prerequisites:
* The ss command is available, kernel is compiled with option CONFIG_INET_DIAG_DESTROY.
* Ufw version is => 0.36 (released in 2018)

* Now using "prepend" instead of "insert" to be able to handle IPv6 addresses correctly. The current action will fail for IPv6 addresses.
* Now application names containing a space should handled correctly, solves https://github.com/fail2ban/fail2ban/pull/1532
* Now closing IPv4 and IPv6 connections (if any) from the ip that is being banned. The current action will leave them open.
   Using ss to accomplish this. For this to work the kernel needs to be compiled with the CONFIG_INET_DIAG_DESTROY option.
   My system apparently is compiled that way.
2021-05-06 13:44:36 +02:00
sebres 71ce548117 Merge branch '0.11' 2021-04-27 14:05:53 +02:00
sebres b5b615731e Merge branch '0.10' into 0.11 2021-04-27 14:03:49 +02:00
sebres 319cfefac2 fix travis build (unsupported pythons and pypy versions), update 3.10 in GH actions 2021-04-27 13:41:57 +02:00