Serg G. Brester
7e05976ead
action.d/hostsdeny.conf: actionunban rewritten using sed, also dots in IP were escaped now.
...
Closes #2000
2018-01-11 12:38:34 +01:00
sebres
314e402fe0
filter.d/sendmail-auth.conf - extended daemon for Fedora 24/RHEL - the daemon name is "sendmail" (gh-1632)
2018-01-10 14:49:06 +01:00
Serg G. Brester
029cd5aa24
Update ChangeLog
2018-01-10 11:47:59 +01:00
Serg G. Brester
597a27576e
Merge pull request #1908 from GetPageSpeed/firewallcmd-ipset-allports
...
New ban mode `allports` for `firewallcmd-ipset`. Closes #1167
2018-01-10 11:43:44 +01:00
sebres
131b94e11e
firewallcmd-ipset-allports: implemented in `action.d/firewallcmd-ipset.conf` now (`action.d/firewallcmd-ipset-allports.conf` removed), usage:
...
banaction = firewallcmd-ipset[actiontype="<allports>"]
2018-01-10 10:58:03 +01:00
Danila Vershinin
c190631f88
New ban action firewallcmd-ipset-allports. Closes #1167
2018-01-10 10:58:01 +01:00
sebres
3d9a112c8f
cherry-pick newer version of extractOptions, in order to avoid large discrepancy between 0.10 and 0.9 config-parsers:
...
allow to use dual parameter lists (coming through substitutions), e. g.: `name[p1=0, p2="..."][p3='...']`;
simplified explanation: `][` treats as `,` in new version.
cherry-picked from 0.10.
2018-01-10 10:57:59 +01:00
Serg G. Brester
82f8bd8639
Merge pull request #2011 from Yannik/patch-1
...
Fix filter not catching asterisk requests with quote character in username (fixes #2010 )
2018-01-10 09:27:29 +01:00
Serg G. Brester
f7e2d3610b
Update ChangeLog
2018-01-09 21:19:01 +01:00
Serg G. Brester
a1d1498561
Restore log-entries not affected by #2011
2018-01-09 21:13:02 +01:00
Yannik Sembritzki
aab54bb0dd
don't replace normal test case with specialized test case
2018-01-08 22:29:43 +01:00
Yannik Sembritzki
94f0b15c32
Allow faster parsing of hosts without ' characters in them
2018-01-08 14:54:32 +01:00
Yannik Sembritzki
eaf5e88692
replace actual offenders ip with 1.2.3.4
2018-01-03 19:00:09 +01:00
Yannik Sembritzki
184202c6aa
remove duplicate testcase
2018-01-03 18:49:38 +01:00
Yannik Sembritzki
a53ee46ad4
add test for asterisk pjsip attack with quote in username
2018-01-03 18:48:11 +01:00
Yannik Sembritzki
b28dfb965a
Fix filter not catching asterisk requests with quote character in username ( fixes #2010 )
2018-01-03 18:39:30 +01:00
Serg G. Brester
f96761927d
Merge pull request #1969 from RaidForums/patch-1
...
Update nginx-limit-req filter.
2017-12-05 23:51:18 +01:00
Kevin Maradona
6c705d572b
filter.d/nginx-limit-req.conf: nginx limit-req log-level can be set to warn or error therefore having this regex will include both of them.
2017-12-05 22:31:54 +01:00
Serg G. Brester
f834e7826d
Merge pull request #1979 from peternowee/fix-exim-lowercase-auth
...
Exim failregex: Include lower/mixed case AUTH
2017-12-01 15:22:09 +01:00
Peter Nowee
e4bbaf3d58
Update ChangeLog
2017-12-01 15:01:48 +01:00
Serg G. Brester
cbd63d9cd5
added test to cover quoted injecting on AUTH command
2017-11-30 12:45:11 +01:00
Serg G. Brester
4f63180611
Avoid injection using quotes after `auth` command;
...
Added non-greedy fallback for quoted something (with lookahead simulated possessive greedy catch of non-quoted parts `[^"]*(?=")`).
Note that because host-info's are hereafter (with foreign input in-between), we would not use greedy or non-greedy catch-alls (`.*` or `.*?`) here (preventing performance losses).
2017-11-30 12:32:24 +01:00
Serg G. Brester
f59df2e156
Avoid any injecting on protocol (e. g. tries using camel-case)
...
The phrase "AUTH command used when not advertised" is precise enough as anchor here, so prevent by any foreign-input (any auth protocol error).
2017-11-29 20:55:48 +01:00
Peter Nowee
aa158ac05f
Exim failregex: Include lower/mixed case AUTH
...
When reporting the error `AUTH command used when not advertised`, Exim
starts with `SMTP protocol error in "........."`. Here, Exim logs the
SMTP command as it was provided by the connecting client.
https://github.com/Exim/exim/blob/exim-4_89+fixes/src/src/smtp_in.c#L2850
According to RFC 5321 (SMTP) "[..] a command verb [..] MAY be encoded
in upper case, lower case, or any mixture of upper and lower case with
no impact on its meaning."
https://tools.ietf.org/html/rfc5321#section-2.4
Lower case `auth login` brute-force attempts were seen in the wild and
were not caught by the current failregex.
This commit makes the failregex case-insensitive for the `AUTH`
command, so that lower case (`auth`) or mixed case (`aUtH`) now also
match. The failregex was already case-insensitive for the command
arguments (e.g. `AUTH login` already matched).
2017-11-29 15:14:43 +01:00
SlowRiot
660d57e6ba
updating my email address
2017-11-29 10:43:15 +01:00
sebres
5708b8b90e
fixed test-cases covering dns2ip (IP of www.epfl.ch changed)
2017-11-23 22:42:51 +01:00
Serg G. Brester
a87af7bf41
Merge pull request #1948 from itoffshore/alpine
...
gentoo-initd: add descriptions
2017-11-03 13:30:18 +01:00
Stuart Cardall
18d2761dc0
gentoo-initd: add descriptions
...
add descriptions to stop syslog errors for extra_started_commands when running:
rc-service ipset describe
Oct 28 15:13:30 xxxx daemon.warn /etc/init.d/fail2ban[26446]: ^[[1m^[[36mreload^[[m: no description
Oct 28 15:13:30 xxxx daemon.warn /etc/init.d/fail2ban[26447]: ^[[1m^[[36mshowlog^[[m: no description
2017-11-01 22:19:14 +01:00
Serg G. Brester
e07a8cda07
Update jail.conf
...
Documentation of parameters for action blocklist_de, closes gh-1940
2017-10-27 15:26:17 +02:00
Serg G. Brester
0aeb91d1e2
Merge pull request #1929 from miken32/patch-1
...
Remove invalid (vulnerable) regex using IP from foreign input (not the originator).
2017-10-18 18:54:43 +02:00
Serg G. Brester
d81405adbc
Update ChangeLog
...
typo
2017-10-18 18:52:55 +02:00
Serg G. Brester
b6ab0aa83f
Update ChangeLog
...
more detailed entry
2017-10-18 18:52:12 +02:00
Michael Newton
894a05b843
Update ChangeLog
2017-10-18 09:26:51 -07:00
Michael Newton
3f715e8577
Remove tests
2017-10-17 14:46:11 -07:00
Michael Newton
d5d1fe679f
Remove invalid regex
...
Resolves #1927
2017-10-17 14:44:23 -07:00
Serg G. Brester
c42dd6941c
Merge pull request #1921 from harry-wood/patch-1
...
typo
2017-10-16 10:50:11 +02:00
Harry Wood
ea1b663f85
typo
...
spell "positive" (...but also somebody should finish this sentence)
2017-10-16 01:15:58 +01:00
sebres
ea36e1b3fc
filter.d/dovecot.conf: fixed failregex to recognize pam_authenticate failures with "Permission denied" (gh-1897)
2017-10-04 09:55:37 +02:00
sebres
a2120a9de5
filter.d/postfix-*.conf - added optional port regex (closes gh-1902)
2017-10-02 15:31:55 +02:00
Serg G. Brester
983b128c54
Update ChangeLog
...
several fixes of 0.9th branch
2017-09-08 11:07:48 +02:00
Serg G. Brester
bb97e66627
Merge pull request #1882 from coderua/patch-1
...
Add Jorgee Vulnerability Scanner protect
2017-09-07 15:52:31 +02:00
Serg G. Brester
99a9a9136e
Merge pull request #1887 from fail2ban/exim-gh-1886
...
filter.d/exim.conf: fixed failregex for case of flood attempts with `D=0s`
2017-09-07 15:47:20 +02:00
Serg G. Brester
db121a6f85
Update exim
...
Test case covers flood attempts with `D=0s`
2017-09-07 15:32:35 +02:00
Serg G. Brester
2cd02b731b
filter.d/exim.conf: fixed failregex for case of `D=0s`
...
Closes gh-1886
2017-09-07 15:28:46 +02:00
sebres
4bc226a692
optimized regex
2017-09-05 10:59:16 +02:00
Vladimir Chumak
fafefc0293
Add Jorgee Vulnerability Scanner protect
...
Details for Jorgee Vulnerability Scanner: https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30164
2017-09-05 10:56:43 +02:00
sebres
acd9e8155b
Merge pull request #1376 from j-marz/master:
...
Added ZoneMinder filter
2017-09-04 11:52:10 +02:00
sebres
4163f32968
small review, prefix replaced with `%(_apache_error_client)s` from apache-common.conf include
2017-09-04 11:48:01 +02:00
john
ac95449bbb
changed zoneminder regex as per Sebres and yarikoptic recommendations
2017-09-04 11:37:09 +02:00
john
7013729a1f
removed redundant options for zoneminder from jail.conf
2017-09-04 11:37:05 +02:00