Commit Graph

42 Commits (81b2eb32d65730b29bd83bda1c52c9ab1197b287)

Author SHA1 Message Date
Sergey G. Brester 809b904106
filter.d/exim.conf: fixes "dropped: too many ..." regex and also matches unrecognized commands new vector 2023-04-24 15:40:53 +02:00
sebres e636567d23 filter.d/exim.conf: failregex extended with SMTP call dropped: too many syntax or protocol errors. 2018-02-19 09:50:46 +01:00
sebres 2b68882502 filter.d/exim.conf: provides mode "aggressive" to ban flood resp. DDOS-similar failures;
Closes #1983
2017-12-05 16:07:53 +01:00
sebres 7f89fbc33f Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2017-12-01 15:53:11 +01:00
Serg G. Brester 4f63180611
Avoid injection using quotes after `auth` command;
Added non-greedy fallback for quoted something (with lookahead simulated possessive greedy catch of non-quoted parts `[^"]*(?=")`).
Note that because host-info's are hereafter (with foreign input in-between), we would not use greedy or non-greedy catch-alls (`.*` or `.*?`) here (preventing performance losses).
2017-11-30 12:32:24 +01:00
Serg G. Brester f59df2e156
Avoid any injecting on protocol (e. g. tries using camel-case)
The phrase "AUTH command used when not advertised" is precise enough as anchor here, so prevent by any foreign-input (any auth protocol error).
2017-11-29 20:55:48 +01:00
Peter Nowee aa158ac05f
Exim failregex: Include lower/mixed case AUTH
When reporting the error `AUTH command used when not advertised`, Exim
starts with `SMTP protocol error in "........."`. Here, Exim logs the
SMTP command as it was provided by the connecting client.
https://github.com/Exim/exim/blob/exim-4_89+fixes/src/src/smtp_in.c#L2850

According to RFC 5321 (SMTP) "[..] a command verb [..] MAY be encoded
in upper case, lower case, or any mixture of upper and lower case with
no impact on its meaning."
https://tools.ietf.org/html/rfc5321#section-2.4

Lower case `auth login` brute-force attempts were seen in the wild and
were not caught by the current failregex.

This commit makes the failregex case-insensitive for the `AUTH`
command, so that lower case (`auth`) or mixed case (`aUtH`) now also
match. The failregex was already case-insensitive for the command
arguments (e.g. `AUTH login` already matched).
2017-11-29 15:14:43 +01:00
sebres b185e7cb04 Merge remote-tracking branch 'upstream/master' into 0.10 2017-09-08 11:11:05 +02:00
Serg G. Brester 2cd02b731b filter.d/exim.conf: fixed failregex for case of `D=0s`
Closes gh-1886
2017-09-07 15:28:46 +02:00
sebres b13d9d4e22 Merge branch 'master' into 0.10 2017-05-07 21:29:12 +02:00
sebres 0600d51511 filter.d/exim.conf: added new reason for "rejected RCPT" regex: Unrouteable address 2017-05-07 14:02:38 +02:00
sebres 49e237209e Merge branch 'master' into 0.10 2017-05-07 13:32:12 +02:00
sebres c546f85207 filter.d/exim.conf: cherry-picked from 0.10, match complex time like `D=2m42s` (closes gh-1766) 2017-05-07 13:02:32 +02:00
sebres 8839bcbb09 Merge remote-tracking branch master into 0.10 2017-04-25 10:07:19 +02:00
sebres 3161bcf78b filter.d/exim.conf: optional part `(...)` after host-name before `[IP]`, normalized over whole config file.
# Conflicts:
#	config/filter.d/exim.conf
2017-04-24 19:21:26 +02:00
sebres 22afdbd536 Several filters optimized with pre-filtering using new option `prefregex` 2017-02-21 15:54:59 +01:00
Yaroslav Halchenko 6434661480 RF: for consistency use (?:XXX)? instead of (?:|XXX) 2016-05-30 12:12:53 -04:00
Yaroslav Halchenko 48a8324662 ENH: use non-capturing regex groups in exim-common and exim filters 2016-05-30 11:02:12 -04:00
Yaroslav Halchenko 8b8cf2a660 ENH: exim filters -- make more use of %(host_info)s which in turn made more flexible 2016-05-21 10:29:09 -04:00
Yaroslav Halchenko 743a531eb5 BF: make :port and I=[ip]:port optional for a "AUTH command used when not advertised"
Closes #1430
2016-05-21 10:29:01 -04:00
theDogOfPavlov 1eb51b1bc2 Tightened up regexes to catch rDNS entries 2016-04-01 18:07:01 +01:00
theDogOfPavlov fe1475be95 Additional exim regexes to cover common attacks... 2016-03-21 05:59:59 +00:00
bes-internal ccc986b7d8 exim filter: correct failregex for exim with extended log options
incoming_interface, incoming_port, outgoing_port
2014-12-04 13:34:44 +03:00
Ivo Truxa 2d8c0b26e4 Matching any Exim authentication name
As explained in https://github.com/grooverdan/fail2ban/pull/4, in Exim there can be used plenty of other standard authentication names, and in fact the names can be custom. The failregex in Exim filter should catch authentication errors regardless of the name of the authentication. Hence replacing the plain|login with the general \w+
2014-01-13 01:38:49 +01:00
Daniel Black 52972164a2 BF: exim filter to be DoS resistant 2013-11-12 18:13:35 +11:00
Daniel Black 89fd792dfb DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-31 00:02:59 +11:00
Daniel Black ca4729e943 ENH: filter.d/exim.conf - add authentication failures for "plain" authentication 2013-08-25 23:02:10 +10:00
Daniel Black 4777cfd4e7 ENH: split out exim-spam into speparate filter 2013-07-02 20:03:16 +10:00
Daniel Black ca996ace5e ENH: remove temporary failures from local_scan in line with comments in gh-258 2013-07-01 21:56:02 +10:00
Daniel Black 9757e1df2b ENH: make groupings non-capturing 2013-07-01 21:53:05 +10:00
Daniel Black 72f9e6a51e ENH/TST: more samples and rejection types for sender verify fail and rejected RCPT 2013-07-01 21:50:35 +10:00
Daniel Black 25c3bbfc2f DOC: credits/blame to me for changes to exim 2013-06-16 00:25:24 +10:00
Daniel Black b8cfda68b8 ENH: new exim filter regexs. Also note a begining PID in this format. Thanks to ftoppi for the log entries 2013-06-16 00:19:37 +10:00
Daniel Black d441d61a1e TST/ENH: Improve regex around exim
rejected by local_scan now has test cases.

Unrouteable address error messages now normalised after looking into
exim code.
2013-06-15 12:34:16 +10:00
Daniel Black 8cc13b5b40 BF/ENH: Incorrect authentication data doesn't need tailier so that's optional. Also gained log entry for Unrouteable address 2013-06-14 18:12:53 +10:00
Daniel Black a433a8ea5f ENH: readibility thanks to Yaroslav 2013-06-14 15:21:50 +10:00
Daniel Black 3e3802512a ENH/BF: exim improvements with sample 2013-06-13 17:44:18 +10:00
Daniel Black 495f2dd877 DOC: purge of svn tags 2013-05-03 16:03:38 +10:00
Yaroslav Halchenko 9a39292813 ENH: Added login authenticator failed regexp for exim filter 2013-01-04 15:23:05 -05:00
Cyril Jaquier abd061bad8 - Changed <HOST> template to be more restrictive. Debian bug #514163.
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@728 a942ae1a-1317-0410-a47c-b1dcaea8d605
2009-02-08 17:31:24 +00:00
Cyril Jaquier 44d75eb54f - Added missing svn:keywords
- Split failregex in sshd.conf
- Added sshd-ddos.conf. Thanks to Yaroslav Halchenko

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@510 a942ae1a-1317-0410-a47c-b1dcaea8d605
2007-01-04 12:21:44 +00:00
Cyril Jaquier 3a344557ec - Exim4 filter. Thanks to mEDI
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@499 a942ae1a-1317-0410-a47c-b1dcaea8d605
2006-12-23 09:49:19 +00:00