github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity
3,719 Commits
34 Branches
230 Tags
20 MiB
Commit Graph

3719 Commits (8614ca8c41a0d868f0d54d219666374216fb70d4)

Author SHA1 Message Date
Shane Forsythe 8614ca8c41
Update proftpd.conf 
proftpd 1.3.5e can leave inconsistent error message if ftp or mod_sftp is used

Oct  2 15:45:31 ftp01 proftpd[5516]: 10.10.2.13 (10.10.2.189[10.10.2.189]) - SECURITY VIOLATION: Root login attempted
Oct  2 15:45:44 ftp01 proftpd[5517]: 10.10.2.13 (10.10.2.189[10.10.2.189]) - SECURITY VIOLATION: Root login attempted.

Fix regex to make trailing period optional, otherwise brute force attacks against root account using ftp are not blocked correctly.
 2018-10-02 17:24:33 -04:00
cheese1 43db4411de small typo 2018-06-14 12:35:04 +02:00
Sergey G. Brester 088192ea9f
Merge pull request #1960 from comradekingu/patch-1 
https, "Fail2Ban", other language improvements
 2018-03-22 11:44:50 +01:00
Sergey G. Brester 9710c8c996
minor fix with reindent 2018-03-22 11:43:15 +01:00
Allan Nordhøy d7e320b96d
reverting linux indentation 2018-01-23 21:09:53 +01:00
Sergey G. Brester 37f5a6975e
Merge pull request #2015 from BenediktSeidl/nginx-http-auth--spaces-fix 
nginx-http-auth: match usernames with spaces
 2018-01-17 16:40:54 +01:00
sebres 63e906b2c1 regex rewritten: a bit fewer vulnerable now and using non-capturing groups, test-cases extended in order to cover trying of injection on user name 2018-01-17 16:35:32 +01:00
Benedikt Seidl fed6c49c2d nginx-http-auth: match usernames with spaces 
# Conflicts:
#	ChangeLog
 2018-01-17 16:35:31 +01:00
Sergey G. Brester 9a8c4a9869
Merge pull request #2018 from riceru/patch-1 
lighttpd-auth.conf: new log-format (http_auth -> mod_auth)
 2018-01-17 12:14:38 +01:00
Sergey G. Brester b6c6565a7e
regex updated using non-capturing groups 2018-01-16 14:23:47 +01:00
Sergey G. Brester 9a46590486
extended test-cases to cover new log-format (http_auth -> mod_auth) 2018-01-16 14:20:51 +01:00
riceru 6a1bbbf101
Update lighttpd-auth.conf 
I have lighttpd 1.4.45 (Debian 9) and auth error log is different.
Now printing mod_auth and not http_auth.
I think that the change was in Lighttp 1.4.42
 2018-01-16 12:39:55 +00:00
Serg G. Brester 7e05976ead
action.d/hostsdeny.conf: actionunban rewritten using sed, also dots in IP were escaped now. 
Closes  #2000
 2018-01-11 12:38:34 +01:00
sebres 314e402fe0 filter.d/sendmail-auth.conf - extended daemon for Fedora 24/RHEL - the daemon name is "sendmail" (gh-1632) 2018-01-10 14:49:06 +01:00
Serg G. Brester 029cd5aa24
Update ChangeLog 2018-01-10 11:47:59 +01:00
Serg G. Brester 597a27576e
Merge pull request #1908 from GetPageSpeed/firewallcmd-ipset-allports 
New ban mode `allports` for `firewallcmd-ipset`. Closes #1167
 2018-01-10 11:43:44 +01:00
sebres 131b94e11e firewallcmd-ipset-allports: implemented in `action.d/firewallcmd-ipset.conf` now (`action.d/firewallcmd-ipset-allports.conf` removed), usage: 
banaction = firewallcmd-ipset[actiontype="<allports>"]
 2018-01-10 10:58:03 +01:00
Danila Vershinin c190631f88 New ban action firewallcmd-ipset-allports. Closes #1167 2018-01-10 10:58:01 +01:00
sebres 3d9a112c8f cherry-pick newer version of extractOptions, in order to avoid large discrepancy between 0.10 and 0.9 config-parsers: 
allow to use dual parameter lists (coming through substitutions), e. g.: `name[p1=0, p2="..."][p3='...']`;
simplified explanation: `][` treats as `,` in new version.
cherry-picked from 0.10.
 2018-01-10 10:57:59 +01:00
Serg G. Brester 82f8bd8639
Merge pull request #2011 from Yannik/patch-1 
Fix filter not catching asterisk requests with quote character in username (fixes #2010)
 2018-01-10 09:27:29 +01:00
Serg G. Brester f7e2d3610b
Update ChangeLog 2018-01-09 21:19:01 +01:00
Serg G. Brester a1d1498561
Restore log-entries not affected by #2011 2018-01-09 21:13:02 +01:00
Yannik Sembritzki aab54bb0dd
don't replace normal test case with specialized test case 2018-01-08 22:29:43 +01:00
Yannik Sembritzki 94f0b15c32
Allow faster parsing of hosts without ' characters in them 2018-01-08 14:54:32 +01:00
Yannik Sembritzki eaf5e88692
replace actual offenders ip with 1.2.3.4 2018-01-03 19:00:09 +01:00
Yannik Sembritzki 184202c6aa
remove duplicate testcase 2018-01-03 18:49:38 +01:00
Yannik Sembritzki a53ee46ad4
add test for asterisk pjsip attack with quote in username 2018-01-03 18:48:11 +01:00
Yannik Sembritzki b28dfb965a
Fix filter not catching asterisk requests with quote character in username (fixes #2010) 2018-01-03 18:39:30 +01:00
Serg G. Brester f96761927d
Merge pull request #1969 from RaidForums/patch-1 
Update nginx-limit-req filter.
 2017-12-05 23:51:18 +01:00
Kevin Maradona 6c705d572b filter.d/nginx-limit-req.conf: nginx limit-req log-level can be set to warn or error therefore having this regex will include both of them. 2017-12-05 22:31:54 +01:00
Serg G. Brester f834e7826d
Merge pull request #1979 from peternowee/fix-exim-lowercase-auth 
Exim failregex: Include lower/mixed case AUTH
 2017-12-01 15:22:09 +01:00
Peter Nowee e4bbaf3d58
Update ChangeLog 2017-12-01 15:01:48 +01:00
Serg G. Brester cbd63d9cd5
added test to cover quoted injecting on AUTH command 2017-11-30 12:45:11 +01:00
Serg G. Brester 4f63180611
Avoid injection using quotes after `auth` command; 
Added non-greedy fallback for quoted something (with lookahead simulated possessive greedy catch of non-quoted parts `[^"]*(?=")`).
Note that because host-info's are hereafter (with foreign input in-between), we would not use greedy or non-greedy catch-alls (`.*` or `.*?`) here (preventing performance losses).
 2017-11-30 12:32:24 +01:00
Serg G. Brester f59df2e156
Avoid any injecting on protocol (e. g. tries using camel-case) 
The phrase "AUTH command used when not advertised" is precise enough as anchor here, so prevent by any foreign-input (any auth protocol error).
 2017-11-29 20:55:48 +01:00
Peter Nowee aa158ac05f
Exim failregex: Include lower/mixed case AUTH 
When reporting the error `AUTH command used when not advertised`, Exim
starts with `SMTP protocol error in "........."`. Here, Exim logs the
SMTP command as it was provided by the connecting client.
https://github.com/Exim/exim/blob/exim-4_89+fixes/src/src/smtp_in.c#L2850

According to RFC 5321 (SMTP) "[..] a command verb [..] MAY be encoded
in upper case, lower case, or any mixture of upper and lower case with
no impact on its meaning."
https://tools.ietf.org/html/rfc5321#section-2.4

Lower case `auth login` brute-force attempts were seen in the wild and
were not caught by the current failregex.

This commit makes the failregex case-insensitive for the `AUTH`
command, so that lower case (`auth`) or mixed case (`aUtH`) now also
match. The failregex was already case-insensitive for the command
arguments (e.g. `AUTH login` already matched).
 2017-11-29 15:14:43 +01:00
SlowRiot 660d57e6ba updating my email address 2017-11-29 10:43:15 +01:00
sebres 5708b8b90e fixed test-cases covering dns2ip (IP of www.epfl.ch changed) 2017-11-23 22:42:51 +01:00
Allan Nordhøy 855f5d0ced
to be found 2017-11-11 14:03:15 +01:00
Allan Nordhøy fe9e85c71d
"Fail2Ban", other language improvements 2017-11-10 23:56:10 +01:00
Serg G. Brester a87af7bf41
Merge pull request #1948 from itoffshore/alpine 
gentoo-initd: add descriptions
 2017-11-03 13:30:18 +01:00
Stuart Cardall 18d2761dc0 gentoo-initd: add descriptions 
add descriptions to stop syslog errors for extra_started_commands when running:

rc-service ipset describe

Oct 28 15:13:30 xxxx daemon.warn /etc/init.d/fail2ban[26446]: ^[[1m^[[36mreload^[[m: no description
Oct 28 15:13:30 xxxx daemon.warn /etc/init.d/fail2ban[26447]: ^[[1m^[[36mshowlog^[[m: no description
 2017-11-01 22:19:14 +01:00
Serg G. Brester e07a8cda07 Update jail.conf 
Documentation of parameters for action blocklist_de, closes gh-1940
 2017-10-27 15:26:17 +02:00
Serg G. Brester 0aeb91d1e2 Merge pull request #1929 from miken32/patch-1 
Remove invalid (vulnerable) regex using IP from foreign input (not the originator).
 2017-10-18 18:54:43 +02:00
Serg G. Brester d81405adbc Update ChangeLog 
typo
 2017-10-18 18:52:55 +02:00
Serg G. Brester b6ab0aa83f Update ChangeLog 
more detailed entry
 2017-10-18 18:52:12 +02:00
Michael Newton 894a05b843 Update ChangeLog 2017-10-18 09:26:51 -07:00
Michael Newton 3f715e8577 Remove tests 2017-10-17 14:46:11 -07:00
Michael Newton d5d1fe679f Remove invalid regex 
Resolves #1927
 2017-10-17 14:44:23 -07:00
Serg G. Brester c42dd6941c Merge pull request #1921 from harry-wood/patch-1 
typo
 2017-10-16 10:50:11 +02:00