sebres
606bf110c9
filter.d/sshd.conf (mode `ddos`): fixed "connection reset" regex (seems to have same syntax now as closed), so both regexes combined now to single RE
(closes gh-2662)
5 years ago
sebres
32f02ef3b3
Merge branch '0.10' into 0.11
5 years ago
sebres
42714d0849
filter.d/common.conf: closes gh-2650, avoid substitute of default values in related `lt_*` section, `__prefix_line` should be interpolated in definition section (after the config considers all sections that can overwrite it);
amend to 62b1712d22
(PR #2387, backend-related option `logtype`);
testSampleRegexsZZZ-GENERIC-EXAMPLE covering now negative case also (other daemon in prefix line)
5 years ago
sebres
e6ca04ca9d
Merge branch '0.10' into 0.11 + version bump (back to dev)
5 years ago
sebres
ab3a7fc6d2
filter.d/sshd.conf: mode `ddos` (and aggressive) extended to detect port scanner sending unexpected ident string after connect
5 years ago
sebres
7282cf91b0
Merge branch '0.10' into 0.11
5 years ago
sebres
9137c7bb23
filter processing:
- avoid duplicates in "matches" (previously always added matches of pending failures to every next real failure, or nofail-helper recognized IP, now first failure only);
- several optimizations of merge mechanism (multi-line parsing);
fail2ban-regex: better output handling, extended with tag substitution (ex.: `-o 'fail <ip>, user <F-USER>: <msg>'`); consider a string containing new-line as multi-line log-excerpt (not as a single log-line)
filter.d/sshd.conf: introduced parameter `publickey` (allowing change behavior of "Failed publickey" failures):
- `nofail` (default) - consider failed publickey (legitimate users) as no failure (helper to get IP and user-name only)
- `invalid` - consider failed publickey for invalid users only;
- `any` - consider failed publickey for valid users too;
- `ignore` - ignore "Failed publickey ..." failures (don't consider failed publickey at all)
tests/samplestestcase.py: SampleRegexsFactory gets new failJSON option `constraint` to allow ignore of some tests depending on filter name, options and test parameters
5 years ago
sebres
1492ab2247
improve processing of pending failures (lines without ID/IP) - fail2ban-regex would show those in matched lines now (as well as increase count of matched RE);
avoid overwrite of data with empty tags by ticket constructed from multi-line failures;
amend to d1b7e2b5fb2b389d04845369d7d29db65425dcf2: better output (as well as ignoring of pending lines) using `--out msg`;
filter.d/sshd.conf: don't forget mlf-cache on "disconnecting: too many authentication failures" - message does not have IP (must be followed by "closed [preauth]" to obtain host-IP).
5 years ago
Sergey G. Brester
774dda6105
filter.d/postfix.conf: extended mode ddos and aggressive covering multiple disconnects without auth
5 years ago
Sergey G. Brester
34d63fccfe
close gh-2629 - jail.conf (action_blocklist_de interpolation): replace service parameter (use jail name instead of filter, which can be empty)
5 years ago
sebres
a7c68ea19f
Merge branch '0.10' into 0.11
5 years ago
sebres
569dea2b19
filter.d/mysqld-auth.conf: capture user name in filter (can be more strict if user switched, used in action or fail2ban-regex output);
also add coverage for mariadb 10.4 log format (gh-2611)
5 years ago
sebres
70e47c9621
Merge branch '0.10' into 0.11
5 years ago
sebres
ec37b1942c
action.d/nginx-block-map.conf: fixed backslash substitution (different echo behavior in some shells, gh-2596)
5 years ago
sebres
4860d69909
Merge branch '0.10' into 0.11
5 years ago
sebres
f77398c49d
filter.d/sshd.conf: captures `Disconnected from ... [preauth]`, preauth phase only, different handling by `extra` (with supplied user only) and `ddos`/`aggressive` mode (`normal` mode is not affected, used there just as a helper with `<F-NOFAIL>` to capture IP for multiline failures without IP);
closes gh-2115, gh-2362.
5 years ago
sebres
587e4ff573
Merge branch '0.10' into 0.11
(conflicts resolved)
5 years ago
sebres
67fd75c88e
pass2allow-ftp: inverted handling - action should prohibit access per default for any IP, so reset start on demand parameter for this action (will be started immediately).
5 years ago
sebres
8f6ba15325
avoid unhandled exception during flush, better invariant check (and repair), avoid repair by unban/stop etc...
5 years ago
Mart124
e763c657c4
Let's get back to WRN
5 years ago
Mart124
d7b707b09d
Update bitwarden.conf
5 years ago
Mart124
869327e9b1
Update bitwarden.conf
5 years ago
Mart124
79caeaa520
Create bitwarden.conf
5 years ago
Mart124
30e742a849
Update jail.conf
5 years ago
Mart124
ef394b3cf0
Update jail.conf
5 years ago
sebres
24d1ea9aa2
Merge branch '0.10' into 0.11
5 years ago
Sergey G. Brester
e4c2f303bd
Merge pull request #2550 from CPbN/centreonjail
Add Centreon jail
5 years ago
sebres
0e8a8edb5e
filter.d/sendmail-*.conf: both filters have same `__prefix_line` now (and same RE for ID, 14-20 chars long, optional) + adjusted test cases (gh-2563)
5 years ago
Henry van Megen
548e2e0054
sendmail-auth.conf: filter updated for longer mail IDs (up to 20, see gh-2562)
5 years ago
sebres
5cf064a112
monit: accepting both logpaths: monit and monit.log, closes gh-2495
5 years ago
CPbN
9e699646f8
Add Centreon jail
5 years ago
CPbN
18ba714f97
Add Centreon jail
5 years ago
sebres
3515d06979
Merge branch '0.10' into 0.11
5 years ago
sebres
85ec605358
nftables: amend to gh-2254 - implemented shutdown of action (proper clean-up) - at stop it checks now the last set was deleted and removes table completely (if table does not contain any set);
this is avoided if some sets were added manually or can be avoided via overwriting of parameter `_nft_shutdown_table`, for example:
banaction = nftables[_nft_shutdown_table=''][...]
5 years ago
sebres
51af193402
nftables: add options allowing to specify own table (default `f2b-table`) and chain (default `f2b-chain`)
5 years ago
sebres
955d690e56
regrouping expressions with curly braces, added more escapes (better handling in posix shell)
5 years ago
sebres
0824ad0d73
Merge branch '0.10' into 0.11
5 years ago
Sergey G. Brester
54298fe761
Merge pull request #2254
Nftables: isolate fail2ban rules into a dedicated table and chain
5 years ago
sebres
d1a73d3004
filter.d/apache-auth.conf:
- ignore errors from mod_evasive in `normal` mode (mode-controlled now) (gh-2548);
- extended with option `mode` - `normal` (default) and `aggressive`
close gh-2548
5 years ago
sebres
8c6a547215
Merge branch '0.10' into 0.11
5 years ago
sebres
50595b70fd
filter.d/mysqld-auth.conf: ISO timestamp format (dual time) within log message
(https://serverfault.com/questions/982126/fail2ban-fails-to-recognize-ip)
5 years ago
sebres
9e28b6c65f
filter.d/asterisk.conf: relaxing protocol RE-part before IP in RemoteAddress (gh-2531)
5 years ago
sebres
8ea00c1d5d
fixed mistake in config (semicolon after space as comment in configs?) and coverage, suppress errors by unsupported flush, better space handling in helper _nft_get_handle_id, etc
5 years ago
sebres
492205d30e
action.d/nftables.conf: implemented `actionflush` (allows flushing nftables sets resp. fast unban of all jail tickets at all)
5 years ago
sebres
abc4d9fe37
allow to use multiple protocols in multiport (single set with multiple rules in chain):
`banaction = nftables[type=multiport]` with `protocol="tcp,udp,sctp"` in jail replace 3 separate actions.
more robust if deleting multiple references to set (rules in chain)
5 years ago
sebres
c753ffb11d
combine nftables actions to single action:
- nftables-common is removed
- nftables-allports is obsolete, replaced by nftables[type=allports]
- nftables-multiport is obsolete, replaced by nftables[type=multiport]
5 years ago
sebres
c59d49da22
nftables-allports: support multiple protocols in single rule;
tests/servertestcase.py: added coverage for nftables actions
5 years ago
Ririsoft
dde51b4682
fix actionban/unban ip definition syntax
5 years ago
Monson Shao
1cda50ce05
Rewrite nftables variables based on nftables' logic.
Add an example for redirecting.
5 years ago
sebres
990c410877
Merge branch '0.10' into 0.11
# Conflicts (resolved):
# fail2ban/client/jailreader.py
5 years ago
sebres
a36b70c7b5
filter.d/znc-adminlog.conf: support logging format of systemd-journal, bypass port after address (optional, removed end-anchor, see gh-2520)
5 years ago
sebres
1cdd618232
Merge branch '0.10' into 0.11
5 years ago
sebres
5d5253dd70
Merge branch '0.10' into 0.11
5 years ago
sebres
91923b5c07
don't need to match identifier exactly (@ is precise enough as prefix), not capturing group;
`prefregex` extended, more selective now (denied/NOTAUTH suffix moved from `failregex`, so no catch-all there anymore);
update ChangeLog
5 years ago
Joe Horn
4395469226
Update named-refused.conf
Log format changed since ver. 9.11.0
Ref. ftp://ftp.isc.org/isc/bind9/9.11.0/RELEASE-NOTES-bind-9.11.0.html
"The logging format used for querylog has been altered. It now includes an additional field indicating the address in memory of the client object processing the query."
5 years ago
Sergey G. Brester
a395361de8
Merge pull request #2467 from sebres/logtype-option-rfc5424
New option `logtype` value - `rfc5424`
5 years ago
sebres
581f13c2db
Merge branch '0.10' into 0.11
5 years ago
Sergey G. Brester
0dfd4f1f41
Merge pull request #2404 from benrubson/badprotocol
filter.d/sshd.conf: matches "Bad protocol version identification" in ddos and aggressive modes.
5 years ago
Sergey G. Brester
119401fced
Merge pull request #2452 from benrubson/badips
Badips key is only used to retrieve list
5 years ago
sebres
af611db859
Merge branch '0.10' into 0.11
5 years ago
sebres
5e980afbb8
filter.d/apache-noscript.conf: closes #2466 - matches "Primary script unknown" without "\n" (optional now)
5 years ago
sebres
62b1712d22
amend to #2387:
- common.conf: rewritten using section-based handling round about option logtype;
- option `logtype` extended with `rfc5424` to cover RFC 5424 log-format (see #2309);
5 years ago
benrubson
8b171f7d25
Badips key is only used to retrieve list
6 years ago
sebres
80f97eaf02
Merge branch '0.10' into 0.11
6 years ago
sebres
e751be2c13
normalize, simplify and fix several mail actions (mail and sendmail actions are more similar now, sendmail is configurable via parameter `mailcmd`, etc);
added test covering sendmail-whois-lines
6 years ago
sebres
5045c4bb00
Merge branch '0.10' into 0.11
6 years ago
girst
a7dc3614c4
znc-adminlog: use `<ADDR>` instead of `<HOST>`
6 years ago
girst
b288ccd6b6
new filter: znc-adminlog
6 years ago
sebres
2e7a600851
Merge branch '0.10' into 0.11
6 years ago
sebres
22b9304562
action.d/badips.py: fix start of banaction on demand (which may be IP-family related), supplied action info with ticket instead of simulating it with dict;
(closes gh-2390)
6 years ago
sebres
0ed3a63151
Merge branch '0.10' into 0.11
6 years ago
sebres
e5ae113215
filter.d/postfix.conf: extended with new postfix filter mode `errors` to match "too many errors" (gh-2439),
also included within modes `normal`, `more` (`extra` and `aggressive`), since postfix
parameter `smtpd_hard_error_limit` is default 20 (additionally consider `maxretry`)
6 years ago
sebres
3b2f75414c
filter.d/postfix.conf: extended regexps to accept variable suffix code in status of postfix for precise messages (gh-2442)
6 years ago
sebres
3d4044084a
Merge branch '0.10' into 0.11
6 years ago
Sergey G. Brester
7dbd3a07eb
cut comment to limit documented on abuseipdb, additionally use curl in quiet mode
6 years ago
Carlos Ferreira
7b73cb7639
Switch to AbuseIPDB API v2
6 years ago
sebres
5137cd2ec8
Merge branch '0.10' into 0.11
6 years ago
sebres
49bf6132cc
amend for 3036ed18893b6aae6619e53201aa53deb701b94f: eliminate "invalid sequence" warnings
6 years ago
sebres
f69a8693fc
Merge branch '0.10' into 0.11
6 years ago
sebres
0426a24719
filter.d/postfix.conf: (closes gh-2426) filter extended to catch "5.1.1" (Recipient address rejected: User unknown in local recipient table) with RCPT (and some session-id instead of "NOQUEUE")
6 years ago
sebres
ca85ddc866
Merge branch '0.10' into 0.11
6 years ago
sebres
d8d71c5a22
action.d/helpers-common.conf: grep arguments are rewritten - using options `-wF` to match only whole words and fixed string (not as pattern)
6 years ago
chtheis
fa727586ff
Fix grep pattern to deal with Apache's error log
Apache's error log appends the port to the IP address, other logs don't.
6 years ago
sebres
74eac6c94f
Merge branch '0.10' into 0.11
6 years ago
sebres
23d2281e57
action.d/nginx-block-map.conf: small fix with better RE-rule for removal of ID (token/session) via sed (anchored now)
6 years ago
benrubson
5b2b680bfe
SSHd add Bad protocol version message
6 years ago
Sergey G. Brester
b318eb7e33
closes gh-2408: prevent execution of action `abuseipdb` for restored tickets
6 years ago
sebres
c47bb523b7
Merge branch '0.10' into 0.11
6 years ago
Holston
422a2de7fe
updated
6 years ago
Holston
a581bf3f08
Fixed filter for Apache mod_security
6 years ago
Holston
5d6a84ba78
Updated to correct logging option
6 years ago
sebres
f0c5bd56f4
Merge branch '0.10' into 0.11 (conflicts resolved)
6 years ago
sebres
25f1aa334e
fail2ban.conf: move default settings into DEFAULT section (to be more similar to jail.conf, Definition section overwrites the options, so it is backwards compatible)
6 years ago
sebres
0386df0042
introduced new options: `dbmaxmatches` (fail2ban.conf) and `maxmatches` (jail.conf);
setting `maxmatches` and `dbmaxmatches` to 0 saves memory usage and database size (closes gh-2118).
6 years ago
sebres
337be4b36c
Merge remote-tracking branch 'remotes/gh-upstream/0.10' into 0.11
6 years ago
Sergey G. Brester
28c1da33dc
Merge pull request #2387 from sebres/logtype-option-journal
New backend-related option `logtype` (`journal` or `file`)
6 years ago
Sergey G. Brester
6c7093c66d
minor amend, refolding branches (SP|SA -> S[PA])
6 years ago
Amir Caspi
ffd5d0db78
Update sendmail-reject.conf
On some distros (e.g., CentOS 7), sendmail default config labels port 465 as TLSMTA and port 587 as MSA. Update failregex to reflect. Relevant loglines included in 9e1fa4ff73
6 years ago
sebres
ced9828d04
filter.d/sendmail-reject.conf: fixed gh-2385 for some systems (e.g. CentOS): if only identifier set to `sm-mta` (no unit `sendmail`) for some messages.
6 years ago
sebres
ec681a3363
backend `systemd` sets `logtype` to `journal` automatically;
sshd-journal: new test covering sshd journal logging format (matches short prefix-line simulating output of formatJournalEntry);
samplestestcase-factory extended with new option `fileOptions` to set common filter/test options for whole test-file
6 years ago
sebres
e268bf97d4
introduces new configuration parameter "logtype" (default "file" for file-backends, and "journal" for journal-backends);
common.conf: differentiate "__prefix_line" for file/journal logtypes (speedup and fix parsing of systemd-journal);
samplestestcase.py: extends testSampleRegexsFactory to allow coverage of journal logtype;
closes gh-2383: asterisk can log timestamp if logs into systemd-journal (regex extended with optional part matching this)
6 years ago
sebres
17a4f81e23
Merge branch '0.10' into 0.11
6 years ago
sebres
e8401a7e65
action.d/xarf-login-attack.conf: fixes gh-2372, correction for split of addresses, interpolation is shell-independent now, etc;
extended with option `boundary`, additionally dynamic boundary part is used (is not so predictable as it was previously);
6 years ago
Sergey G. Brester
7a7a905ab2
0.9 - Merge pull request #2339 from cFire/master
Add override for dovecot failed logins on debian
6 years ago
sebres
4e2c7b9fdd
Merge branch '0.10' into 0.11
6 years ago
sebres
741cf8fb0e
Merge branch 'master-0.9' into 0.10
6 years ago
sebres
1a9527e6a4
fixed catch-all on user (and simplifying)
6 years ago
jim
a7f3ba87f6
filter.d/sogo-auth.conf: fixes gh-2289 - matching auth-failures when behind a proxy;
(broken by commit 72b06479a5), replacement for gh-2290.
6 years ago
sebres
324f0ed7cc
Merge branch '0.10' into 0.11
6 years ago
sebres
3c70fe298a
closes gh-969: introduces new section `[Thread]` and option `stacksize` to configure default stack-size of the threads running in fail2ban. Example:
```ini
[Thread]
stacksize = 32
```
6 years ago
sebres
5126068099
loglevel and shortloglevel combined to single parameter loglevel, below an example logging summary with NOTICE and rest with DEBUG log-levels:
action = badips.py[... , loglevel="debug, notice"]
6 years ago
benrubson
689938ee99
Add a shortloglevel badips.py option
6 years ago
sebres
a3b7a0525a
Merge branch '0.10' into 0.11
6 years ago
sebres
140243328f
coverage: try to avoid sporadic "coverage decreased" in CI
6 years ago
Sergey G. Brester
d3f6d6ffdd
Merge pull request #2286 from crazy-max/0.10
New filter `traefik-auth`
6 years ago
Sergey G. Brester
dcede9b3f1
comment rewritten (belongs to the filter)
6 years ago
Sergey G. Brester
d84fb8a4b1
regex rewritten (more secure now, resolves catch-all vulni)
6 years ago
sebres
9ed35c423a
Merge branch '0.9' into 0.10 (gh-2317)
6 years ago
Yaroslav Halchenko
31e6ec3c5b
Merge pull request #2323 from todgru/fix-spelling-abuseipdb-conf
fix: correct spelling category
6 years ago
Cool Fire
27526e431b
Changes static logfile string to variable
Since we don't want to re-declare a log file name we already
have a variable for, use the existing variable to set dovecot_log.
6 years ago
Cool Fire
b31a018e7c
Add override for dovecot failed logins on debian
6 years ago
sebres
1647d0090e
Merge branch '0.10' into 0.11
6 years ago
sebres
e651bc7866
amend to #1622: jail-reader supports now multi-line option for multi-line action parameter:
```ini
logpath = a.log
          b.log
          c.log
action = ban[...]
         = log[logpath="%(logpath)s"]
```
closes gh-2341, ultimate fix for gh-976
6 years ago
todgru
39ed016a1e
fix: correct spelling category
6 years ago
sebres
d88ce7181c
Merge branch '0.10' into 0.11
6 years ago
sebres
a13fdcf4f7
closes gh-2314: extended regex for mysql 8.0.13 if used logging with details (e.g. log-error-verbosity = 3, so log output has few additional words enclosed in brackets after "[Note]").
6 years ago
Yannik Sembritzki
6b4404b1bc
Fix asterisk filter not catching attackers when port is logged (Fixes #2316)
6 years ago
CrazyMax
7cdabdd7ae
Update traefik-auth failregex
6 years ago
CrazyMax
a51f82770b
New filter `traefik-auth`
6 years ago
sebres
b49c1ab4b3
Merge branch '0.10' into 0.11
6 years ago
sebres
555b29e8e6
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
6 years ago
sebres
1c1d2cc435
introduces new failregex-flag tag `<F-MLFGAINED>` signaled that the access to service was gained (ATM used similar to <F-NOFAIL>, but does not added to matches);
filter.d/sshd.conf: extended with new rules:
- Disconnecting ...: Change of username or service not allowed
- Disconnected from ... [preauth] (extra/aggressive mode only)
6 years ago
dienteperro
0df221b54b
"be" instead of "me" in shorewall.conf
6 years ago
sebres
f9f7e29295
Merge branch '0.10' into 0.11 (version bump after r.0.10.4)
6 years ago
Shane Forsythe
8614ca8c41
Update proftpd.conf
proftpd 1.3.5e can leave inconsistent error message if ftp or mod_sftp is used
Oct 2 15:45:31 ftp01 proftpd[5516]: 10.10.2.13 (10.10.2.189[10.10.2.189]) - SECURITY VIOLATION: Root login attempted
Oct 2 15:45:44 ftp01 proftpd[5517]: 10.10.2.13 (10.10.2.189[10.10.2.189]) - SECURITY VIOLATION: Root login attempted.
Fix regex to make trailing period optional, otherwise brute force attacks against root account using ftp are not blocked correctly.
6 years ago
Sergey G. Brester
1752c19b6f
Merge pull request #2205 from benrubson/patch-1
Add loglevel option to badips.py
6 years ago
Sergey G. Brester
65676baf8c
fixed py3 incompatibility (for some reasons this file seems to be excluded from 2to3), anyway not needed, because int-type is already checked in str2LogLevel
6 years ago
Sergey G. Brester
4b751c84c3
badips.py: Rewrite new bool option "log" as "loglevel" and revert default to log-level (DEBUG).
6 years ago
sebres
6b52f90ad6
Merge branch '0.10' into 0.11
6 years ago
sebres
58b510a5be
filter.d/domino-smtp.conf:
- recognizes failures logged using another format (something like session-id, IP enclosed in square brackets);
- failregex extended to catch connections rejected for policy reasons (gh-2228);
6 years ago
sebres
8a0c06ba9e
Merge branch '0.10' into 0.11
6 years ago
sebres
d01fe9d22a
action.d/*.conf: correct comments for actionstart/actionstop
6 years ago
Ben RUBSON
9d7c0e00c1
Also log number of IPs removed/added
6 years ago
Ben RUBSON
70e53b55c5
Typo
6 years ago
Ben RUBSON
ec4c4b12c1
Add yes/no log option to badips.py
6 years ago
sebres
714fd8c915
Merge branch '0.10' into 0.11
6 years ago
Sergey G. Brester
ee207d8c31
Merge pull request #2151 from benrubson/merge
Apache SNI error / misredirect attempts rules are combined in one regex
6 years ago
Ben RUBSON
77b35b8db7
Improvement
6 years ago
sebres
addd26ae55
Merge branch '0.10' into 0.11
6 years ago
sebres
e2a255d104
fixed typo in comments by "ignoreself" parameter
6 years ago