Sergey G. Brester
809b904106
filter.d/exim.conf: fixes "dropped: too many ..." regex and also matches unrecognized commands new vector
2023-04-24 15:40:53 +02:00
sebres
e636567d23
filter.d/exim.conf: failregex extended with SMTP call dropped: too many syntax or protocol errors.
2018-02-19 09:50:46 +01:00
sebres
2b68882502
filter.d/exim.conf: provides mode "aggressive" to ban flood resp. DDOS-similar failures;
...
Closes #1983
2017-12-05 16:07:53 +01:00
sebres
7f89fbc33f
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2017-12-01 15:53:11 +01:00
Serg G. Brester
4f63180611
Avoid injection using quotes after `auth` command;
...
Added non-greedy fallback for quoted something (with lookahead simulated possessive greedy catch of non-quoted parts `[^"]*(?=")`).
Note that because host-info's are hereafter (with foreign input in-between), we would not use greedy or non-greedy catch-alls (`.*` or `.*?`) here (preventing performance losses).
2017-11-30 12:32:24 +01:00
Serg G. Brester
f59df2e156
Avoid any injecting on protocol (e. g. tries using camel-case)
...
The phrase "AUTH command used when not advertised" is precise enough as anchor here, so prevent by any foreign-input (any auth protocol error).
2017-11-29 20:55:48 +01:00
Peter Nowee
aa158ac05f
Exim failregex: Include lower/mixed case AUTH
...
When reporting the error `AUTH command used when not advertised`, Exim
starts with `SMTP protocol error in "........."`. Here, Exim logs the
SMTP command as it was provided by the connecting client.
https://github.com/Exim/exim/blob/exim-4_89+fixes/src/src/smtp_in.c#L2850
According to RFC 5321 (SMTP) "[..] a command verb [..] MAY be encoded
in upper case, lower case, or any mixture of upper and lower case with
no impact on its meaning."
https://tools.ietf.org/html/rfc5321#section-2.4
Lower case `auth login` brute-force attempts were seen in the wild and
were not caught by the current failregex.
This commit makes the failregex case-insensitive for the `AUTH`
command, so that lower case (`auth`) or mixed case (`aUtH`) now also
match. The failregex was already case-insensitive for the command
arguments (e.g. `AUTH login` already matched).
2017-11-29 15:14:43 +01:00
sebres
b185e7cb04
Merge remote-tracking branch 'upstream/master' into 0.10
2017-09-08 11:11:05 +02:00
Serg G. Brester
2cd02b731b
filter.d/exim.conf: fixed failregex for case of `D=0s`
...
Closes gh-1886
2017-09-07 15:28:46 +02:00
sebres
b13d9d4e22
Merge branch 'master' into 0.10
2017-05-07 21:29:12 +02:00
sebres
0600d51511
filter.d/exim.conf: added new reason for "rejected RCPT" regex: Unrouteable address
2017-05-07 14:02:38 +02:00
sebres
49e237209e
Merge branch 'master' into 0.10
2017-05-07 13:32:12 +02:00
sebres
c546f85207
filter.d/exim.conf: cherry-picked from 0.10, match complex time like `D=2m42s` (closes gh-1766)
2017-05-07 13:02:32 +02:00
sebres
8839bcbb09
Merge remote-tracking branch master into 0.10
2017-04-25 10:07:19 +02:00
sebres
3161bcf78b
filter.d/exim.conf: optional part `(...)` after host-name before `[IP]`, normalized over whole config file.
...
# Conflicts:
# config/filter.d/exim.conf
2017-04-24 19:21:26 +02:00
sebres
22afdbd536
Several filters optimized with pre-filtering using new option `prefregex`
2017-02-21 15:54:59 +01:00
Yaroslav Halchenko
6434661480
RF: for consistency use (?:XXX)? instead of (?:|XXX)
2016-05-30 12:12:53 -04:00
Yaroslav Halchenko
48a8324662
ENH: use non-capturing regex groups in exim-common and exim filters
2016-05-30 11:02:12 -04:00
Yaroslav Halchenko
8b8cf2a660
ENH: exim filters -- make more use of %(host_info)s which in turn made more flexible
2016-05-21 10:29:09 -04:00
Yaroslav Halchenko
743a531eb5
BF: make :port and I=[ip]:port optional for a "AUTH command used when not advertised"
...
Closes #1430
2016-05-21 10:29:01 -04:00
theDogOfPavlov
1eb51b1bc2
Tightened up regexes to catch rDNS entries
2016-04-01 18:07:01 +01:00
theDogOfPavlov
fe1475be95
Additional exim regexes to cover common attacks...
2016-03-21 05:59:59 +00:00
bes-internal
ccc986b7d8
exim filter: correct failregex for exim with extended log options
...
incoming_interface, incoming_port, outgoing_port
2014-12-04 13:34:44 +03:00
Ivo Truxa
2d8c0b26e4
Matching any Exim authentication name
...
As explained in https://github.com/grooverdan/fail2ban/pull/4 , in Exim there can be used plenty of other standard authentication names, and in fact the names can be custom. The failregex in Exim filter should catch authentication errors regardless of the name of the authentication. Hence replacing the plain|login with the general \w+
2014-01-13 01:38:49 +01:00
Daniel Black
52972164a2
BF: exim filter to be DoS resistant
2013-11-12 18:13:35 +11:00
Daniel Black
89fd792dfb
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page
2013-10-31 00:02:59 +11:00
Daniel Black
ca4729e943
ENH: filter.d/exim.conf - add authentication failures for "plain" authentication
2013-08-25 23:02:10 +10:00
Daniel Black
4777cfd4e7
ENH: split out exim-spam into speparate filter
2013-07-02 20:03:16 +10:00
Daniel Black
ca996ace5e
ENH: remove temporary failures from local_scan in line with comments in gh-258
2013-07-01 21:56:02 +10:00
Daniel Black
9757e1df2b
ENH: make groupings non-capturing
2013-07-01 21:53:05 +10:00
Daniel Black
72f9e6a51e
ENH/TST: more samples and rejection types for sender verify fail and rejected RCPT
2013-07-01 21:50:35 +10:00
Daniel Black
25c3bbfc2f
DOC: credits/blame to me for changes to exim
2013-06-16 00:25:24 +10:00
Daniel Black
b8cfda68b8
ENH: new exim filter regexs. Also note a begining PID in this format. Thanks to ftoppi for the log entries
2013-06-16 00:19:37 +10:00
Daniel Black
d441d61a1e
TST/ENH: Improve regex around exim
...
rejected by local_scan now has test cases.
Unrouteable address error messages now normalised after looking into
exim code.
2013-06-15 12:34:16 +10:00
Daniel Black
8cc13b5b40
BF/ENH: Incorrect authentication data doesn't need tailier so that's optional. Also gained log entry for Unrouteable address
2013-06-14 18:12:53 +10:00
Daniel Black
a433a8ea5f
ENH: readibility thanks to Yaroslav
2013-06-14 15:21:50 +10:00
Daniel Black
3e3802512a
ENH/BF: exim improvements with sample
2013-06-13 17:44:18 +10:00
Daniel Black
495f2dd877
DOC: purge of svn tags
2013-05-03 16:03:38 +10:00
Yaroslav Halchenko
9a39292813
ENH: Added login authenticator failed regexp for exim filter
2013-01-04 15:23:05 -05:00
Cyril Jaquier
abd061bad8
- Changed <HOST> template to be more restrictive. Debian bug #514163 .
...
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@728 a942ae1a-1317-0410-a47c-b1dcaea8d605
2009-02-08 17:31:24 +00:00
Cyril Jaquier
44d75eb54f
- Added missing svn:keywords
...
- Split failregex in sshd.conf
- Added sshd-ddos.conf. Thanks to Yaroslav Halchenko
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@510 a942ae1a-1317-0410-a47c-b1dcaea8d605
2007-01-04 12:21:44 +00:00
Cyril Jaquier
3a344557ec
- Exim4 filter. Thanks to mEDI
...
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@499 a942ae1a-1317-0410-a47c-b1dcaea8d605
2006-12-23 09:49:19 +00:00