sebres
06b46e92eb
jail.conf: don't specify `action` directly in jails (use `action_` or `banaction` instead);
no mails-action added per default anymore (e.g. to allow that `action = %(action_mw)s` should be specified per jail or in default section in jail.local), closes gh-2357;
ensure we've unique action name per jail (also if parameter `actname` is not set but name deviates from standard name, gh-2686);
don't use %(banaction)s interpolation because it can be complex value (containing `[...]`), so would bother the action interpolation.
2020-04-15 19:00:49 +02:00
sebres
7e3061e7ac
fail2ban.service systemd unit template: don't add user site directory to python system path (avoids accessing of `/root/.local` directory, prevents SELinux audit warning at daemon startup, gh-2688)
2020-04-15 17:35:04 +02:00
Sergey G. Brester
78651de7e5
Update ChangeLog
2020-04-14 12:25:18 +02:00
benrubson
2912bc640b
New Gitlab jail
2020-04-09 16:42:08 +02:00
sebres
136781d627
filter.d/sshd.conf: fixed regex for mode `extra` - "No authentication methods available" (supported seems to be optional now, gh-2682)
2020-04-08 12:17:59 +02:00
sebres
d21a24de8e
more test cases for IP/DNS (and use dummies if no-network set by testing)
2020-04-06 12:39:36 +02:00
sebres
fc175fa78a
performance: optimize simplest case whether the ignoreip is a single IP (not subnet/dns) - uses a set instead of list (holds single IPs and subnets/dns in different lists);
decrease log level for ignored duplicates (warning is too heavy here)
2020-04-06 12:12:23 +02:00
Jordi Sanfeliu
ede2009708
added new jail (and filter) Monitorix
2020-04-03 12:52:19 +02:00
sebres
343ec1cdd2
test-cases: avoid host-depending issue (mistakenly ignoring IP 127.0.0.2 as own address) - replace loop-back addr with test sub-net addr (and disable ignoreself)
2020-03-18 20:40:31 +01:00
sebres
38b32a9a72
Merge branch '0.10' into 0.11
2020-03-18 19:53:55 +01:00
sebres
22a04dae05
Merge branch '0.9' into 0.10 (gh-2246)
2020-03-18 16:11:53 +01:00
Sergey G. Brester
b1e1cab4b7
Merge pull request #2246 from shaneforsythe/shaneforsythe-patch-2
Improve regex in proftpd.conf
2020-03-18 15:49:18 +01:00
sebres
606bf110c9
filter.d/sshd.conf (mode `ddos`): fixed "connection reset" regex (seems to have same syntax now as closed), so both regex's combined now to single RE
(closes gh-2662)
2020-03-16 17:31:39 +01:00
sebres
6e570b8644
Merge branch '0.11'
2020-03-13 23:23:32 +01:00
sebres
5b16973f08
Merge branch '0.10' into 0.11
2020-03-13 23:23:03 +01:00
sebres
8547ea7ea0
resolve sporadic minor issue - check pending can refresh watcher (monitor) that gets deleting, and there may be no wdInt to delete
2020-03-13 23:16:04 +01:00
sebres
9905904bba
Merge branch '0.11'
2020-03-13 22:43:22 +01:00
sebres
00c5d33e45
Merge branch '0.10' into 0.11
2020-03-13 22:39:19 +01:00
sebres
b64a435b0e
ignore only not banned old (repeated and ignored) tickets
2020-03-13 22:34:15 +01:00
sebres
b43dc147b5
amend to RC-fix 9f1c6f1617 (gh-2660):
resolves bottleneck by initial scanning of a lot of messages (or evildoers generating many messages) causes repeated ban, that will be ignored but could cause entering of "long" sleep in actions thread previously;
speedup recognition banning queue has entries to begin check-ban process in actions thread
2020-03-13 22:22:42 +01:00
sebres
bc2b81133c
pyinotify backend: guarantees initial scanning of log-file by start (retarded via pending event if filter not yet active)
2020-03-13 22:07:32 +01:00
sebres
68f827e1f3
small optimization for manually (via client / protocol) signaled attempt (performBan only if maxretry gets reached)
2020-03-13 18:03:27 +01:00
sebres
4c22d4a801
Merge branch '0.11'
2020-03-13 17:47:03 +01:00
sebres
d42ec210cc
Merge branch '0.10' into 0.11
2020-03-13 17:44:29 +01:00
sebres
9f1c6f1617
filter stability fix: prevent race condition - no ban if filter (backend) is continuously busy if too many messages will be found in log, e.g. initial scan of large log-file or journal (gh-2660)
2020-03-13 17:34:37 +01:00
sebres
ab363a2c0e
small amend with fix still one test (ban unexpected in this old artificial test-cases, todo - such tests should be rewritten or removed)
2020-03-13 17:28:33 +01:00
sebres
e3737bb7c0
filter stability fix: prevent race condition - no ban if filter (backend) is continuously busy if too many messages will be found in log, e.g. initial scan of large log-file or journal (gh-2660)
2020-03-13 17:20:19 +01:00
Sergey G. Brester
428c75d1cd
Merge pull request #2651 from fail2ban/0.10-travis-3.9-dev
python 3.9 compatibility + CI
2020-03-06 20:46:02 +01:00
Sergey G. Brester
d4da9afd7f
Update ChangeLog
2020-03-06 20:29:48 +01:00
Sergey G. Brester
9d7388e684
Thread: is_alive instead of isAlive (removed in py-3.9)
2020-03-06 20:04:18 +01:00
Sergey G. Brester
55e76c0b80
restore isAlive method removed in python 3.9
2020-03-06 19:41:16 +01:00
Sergey G. Brester
781a25512b
travis CI: add 3.9-dev as target
2020-03-06 19:04:39 +01:00
sebres
8b43d54878
Merge branch '0.11'
2020-03-05 14:32:42 +01:00
sebres
32f02ef3b3
Merge branch '0.10' into 0.11
2020-03-05 14:01:14 +01:00
sebres
42714d0849
filter.d/common.conf: closes gh-2650, avoid substitute of default values in related `lt_*` section, `__prefix_line` should be interpolated in definition section (after the config considers all sections that can overwrite it);
amend to 62b1712d22 (PR #2387, backend-related option `logtype`);
testSampleRegexsZZZ-GENERIC-EXAMPLE covering now negative case also (other daemon in prefix line)
2020-03-05 13:47:11 +01:00
sebres
2ddf687c31
Merge branch '0.10' into 0.11 - test cases only (add ban to database was moved to observer in 0.11)
2020-03-02 19:17:16 +01:00
sebres
15158e4474
closes gh-2647: add ban to database is moved from jail.putFailTicket to actions.__CheckBan; be sure manual ban is written to database, so can be restored by restart; reload/restart test extended
2020-03-02 18:58:59 +01:00
sebres
f088e7bf76
Merge branch '0.10' into 0.11
2020-03-02 17:10:48 +01:00
sebres
6281dc3633
failmanager, ticket: avoid reset of retry count by pause between attempts near to findTime - adjust time of ticket will now change current attempts considering findTime as an estimation from rate by previous known interval (if it exceeds the findTime);
this should avoid some false positives as well as provide more safe handling around `maxretry/findtime` relation especially on busy circumstances.
2020-03-02 17:05:00 +01:00
sebres
4766547e1f
performance optimization of `datepattern` (better search algorithm);
datetemplate: improved anchor detection for capturing groups `(^...)`; introduced new prefix `{UNB}` for `datepattern` to disable word boundaries in regex;
datedetector: speedup special case if only one template is defined (every match wins - no collision, no sorting, no other best match possible)
2020-02-28 14:27:21 +01:00
sebres
ef1eaf9b37
Merge branch '0.11'
2020-02-25 17:18:50 +01:00
sebres
c15c300d2a
Merge branch '0.10' into 0.11
2020-02-25 17:11:29 +01:00
sebres
e6ca04ca9d
Merge branch '0.10' into 0.11 + version bump (back to dev)
2020-02-25 16:10:31 +01:00
Sergey G. Brester
2e42b98cd3
Merge pull request #2638 from gurnec/pypy-ulimit-fix
close Popen() pipes explicitly for PyPy
2020-02-25 15:31:31 +01:00
sebres
6c6cf2a956
small amend (avoid possible error by close of not existing pipe)
2020-02-25 15:06:04 +01:00
Christopher Gurnee
df885586d4
close Popen() pipes explicitly for PyPy
Waiting for garbage collection to close pipes opened by Popen() can
lead to "Too many open files" errors with PyPy; close them explicitly.
2020-02-25 14:55:10 +01:00
sebres
e57e950ef5
version bump (back to dev)
2020-02-25 14:51:54 +01:00
sebres
ab3a7fc6d2
filter.d/sshd.conf: mode `ddos` (and aggressive) extended to detect port scanner sending unexpected ident string after connect
2020-02-17 16:24:42 +01:00
sebres
ceeba99f25
replace internals of several iptables-ipset actions using internals of iptables include:
- better check mechanism (using `-C`, option `--check` is available long time);
- additionally iptables-ipset is a common action for iptables-ipset-proto6-* now (which become obsolete now);
- many features of different iptables actions are combinable as single chain/rule (can be supplied to action as parameters);
- tests adjusted.
2020-02-14 12:16:26 +01:00
sebres
d26209e2c6
first attempt to make certain standard actions breakdown safe starting with iptables:
- better check mechanism (using `-C`, option `--check` is available long time);
- additionally iptables is a replacement for iptables-common now, several actions using this as include now become obsolete;
- many features of different iptables actions are combinable as single chain/rule (can be supplied to action as parameters);
2020-02-14 12:16:25 +01:00