5e93bf9bd3
Introduced new option "ignoreself", specifies whether the local resp. own IP addresses should be ignored (default is true).
...
Fail2ban will not ban a host which matches such addresses.
Option "ignoreip" affects additionally to "ignoreself" and don't need to include the DNS resp. IPs of the host self.
2017-03-23 15:52:31 +01:00
1e6787877a
Merge pull request #1726 from sebres/0.10-grave-fix-escape-tags-1st
...
0.10 fix escape tags
2017-03-21 15:33:00 +01:00
6ba0546824
code review and inline docu
2017-03-21 14:53:33 +01:00
7a03c964c2
Update ChangeLog
2017-03-21 14:04:18 +01:00
bb9541b7a9
Merge pull request #1728 from sebres/_0.10/fix-gh-1719
2017-03-21 11:05:15 +01:00
43d2cae8da
small amend that correct log trace output by forget MLFID (outputs the reason why it was forgotten - close, disconnect, etc.)
2017-03-21 10:39:55 +01:00
b6886f2e51
SampleRegexsFactory extended with optional filter constraint, if testing the same log-file with multiple filters (no possibility to match by the old sshd-filter 'zzz-sshd-obsolete-multiline')
2017-03-21 09:42:27 +01:00
1971fd4bd3
don't remove MLFID from cache (can recognize multiple attempt within the same connection)
2017-03-21 09:20:56 +01:00
f13fac5ae9
amend to 5561423be3b2d4636f5484183c3ad470fd326d06: fixed incorrect failure counting despite the `<F-NOFAIL>` marked regex;
...
extra: introduced new tag `<F-MLFFORGET>` as mark to forget current multi-line MLFID (e. g. connection closed);
Closes gh-1727
2017-03-21 00:15:57 +01:00
32f3c1dbf3
test coverage
2017-03-20 13:34:42 +01:00
57e9c25449
bug fix in the config readers: mixing with the init section should affect only own init options (from init section only bypass default section);
...
the situation details:
value of "_daemon" from default section "default" (with init section) falsely overwrites it from definition section "test" -
the resulting value of "_daemon" should be "test" in all 3 resulting failregex's (as specified in test.local),
fixed and covered now;
additionally more complex cases covered also (all filter parameters in jail via "%(known/...)s", dynamical interpolation across all, etc);
2017-03-20 12:10:09 +01:00
4f1473724b
fixed grave vulnerability by wrong escape of tags by executing of shell actions
2017-03-20 12:09:42 +01:00
e5c9f9ec1c
[interim commit] try to fix possible escape vulnerability in actions
2017-03-20 12:08:14 +01:00
93ec9e01d4
fixes a small blemish by output in beautifier;
...
command "unban" returns a count of tickets that were flushed
2017-03-17 11:00:54 +01:00
da808fe67b
Merge pull request #1720 from sebres/_0.10/fix-gh-1719
...
fix gh-1719: sshd format changed
2017-03-15 18:36:35 +01:00
5561423be3
filter.d/sshd.conf: fixed failregex format - some parts are optional, new ddos more precise rule (Connection reset by with host entry);
...
closes gh-1719
2017-03-15 18:01:20 +01:00
97d417926d
repairs testing of missing samples for all regex after filter settings (mode) changed
2017-03-15 18:01:18 +01:00
d79267c424
Updated xarf-specification repo URL in xarf action
2017-03-14 20:47:31 +01:00
ef975307c4
errors on closed socket are too sporadic to cover it (prevents "coverage decreased" over and over again)
2017-03-14 16:24:45 +01:00
5ff63b66a0
Merge branch '0.10' into 0.10-full
2017-03-14 13:36:32 +01:00
482e5265d7
output execution time of each test case if verbosity > 2
2017-03-14 13:34:54 +01:00
3cf068670c
Merge branch '0.10' into 0.10-full
2017-03-14 11:47:38 +01:00
77229a65b5
Merge pull request #1716 from sebres/fix-stop-replace-in-callable
...
Prohibit recursive replacement of action info (calling map)
2017-03-13 23:46:52 +01:00
ccfd1ccb2d
code review, increase coverage, etc.
2017-03-13 21:56:06 +01:00
5030e3a122
[Important] Prohibit replacement of recursive "tags" in the action info resp. calling map (very bad idea to do this):
...
- the calling map contains normally dynamic values only (no recursive tags);
- recursive replacement can be vulnerable, because can contain foreign (user) input captured from log (will be replaced in the shell arguments);
2017-03-13 20:45:35 +01:00
c1da6611ec
[BF] prevents always converting of calling map items in replaceTag (without direct access of item):
...
substituteRecursiveTags: ignore replacing callable items from calling map - should be converted on demand only (by get)
2017-03-13 18:47:26 +01:00
92d83274d9
fixes cache overload in the test cases (increase max count and max time of CACHE_ipToName - too many entries in mock-up preset, longer time testing)
2017-03-13 18:03:37 +01:00
3fec546fc0
Merge pull request #1715 from sebres/fix-f2b-regex-debuggex-url
...
fail2ban-regex debuggex url fix
2017-03-13 16:37:57 +01:00
295f7b88c9
increase coverage
2017-03-13 16:21:03 +01:00
3cba2310ff
Fixes debuggex URL (tag replacement) and missing line stat by matched lines (without time - `matched_lines_timeextracted`);
...
Closes gh-1394
2017-03-13 16:14:06 +01:00
875295320e
Merge remote-tracking branch 'remotes/gh-upstream/0.10' into 0.10-full
2017-03-13 02:12:39 +01:00
1bcde678c6
Merge pull request #1710 from sebres/0.10-test-with-filter-options
...
0.10 filter options extension
2017-03-13 02:11:48 +01:00
30b53bb2ce
update ChangeLog and man/fail2ban-regex.1
2017-03-13 02:07:14 +01:00
eb3623e90c
configreader.py: correct reading real relative path (starting with "./");
...
fail2ban-regex: catch read exceptions by wrong config files (raise exception in verbose mode only);
2017-03-12 19:04:45 +01:00
6a26602ba8
allow to use filter options by fail2ban-regex, example:
...
fail2ban-regex text.log "sshd[mode=aggressive]"
2017-03-11 00:06:29 +01:00
8af7a73bfc
update ChangeLog
2017-03-10 22:14:39 +01:00
0c1707afda
filter.d/sshd.conf:
...
- optional parameter `mode` rewritten: normal (default), ddos, extra or aggressive (combines all), see sshd for regex details);
test cases reformatted (since "filterOptions", we don't need multiple test log-files anymore);
2017-03-10 22:09:11 +01:00
7e442c5b27
filter.d/sendmail-reject.conf:
...
- rewritten using `prefregex` and used MLFID-related multi-line parsing (by using tag `<F-MLFID>` instead of buffering with `maxlines`);
- optional parameter `mode` introduced: normal (default), extra or aggressive (see sendmail-reject for regex details);
test cases extended
2017-03-10 21:44:19 +01:00
a683e88a74
samples test case factory extended with filter options - dict in JSON to control filter options (e. g. mode, etc.):
...
# filterOptions: {"mode": "aggressive"}
2017-03-10 20:39:09 +01:00
52ed6597b2
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2017-03-09 16:27:14 +01:00
d3b644acae
Merge pull request #1708 from sebres/fix-gh-1707
...
filter.d/cyrus-imap.conf: accept entries without login-info resp. hostname before IP address (gh-1707)
2017-03-09 16:26:06 +01:00
0f8cb1749f
Update ChangeLog
2017-03-09 16:15:45 +01:00
8768776d68
filter.d/cyrus-imap.conf: fixed `failregex` - accept entries without login-info resp. hostname before IP address
2017-03-09 16:13:45 +01:00
d042981954
Merge pull request #1655 from ajcollett/0.10
...
Added config for AbuseIPDB
2017-03-09 15:15:26 +01:00
b1f5ac9484
Update abuseipdb.conf
2017-03-09 13:33:11 +01:00
62fa02241f
Update jail.conf
2017-03-09 13:31:40 +01:00
e71f3d595f
Merge pull request #1705 from sebres/0.10-tag-ip-host
...
New actions tag `<ip-host>` introduced: can be used in actions to retrieve the host name (dns) from the IP address
2017-03-09 13:11:57 +01:00
6a2c95da95
`action.d/sendmail-geoip-lines.conf` fixed using new tag `<ip-host>` (dns-cache and without external command execution);
...
changelog updated;
2017-03-08 16:51:08 +01:00
59cf761129
Real action info instead of calling map in test cases, covering of the new tag '<ip-host>';
...
dns lookup: pre-caching within test cases - prevent slow dns-resolving and failures if no-network, of if some IP addresses will be changed later
2017-03-08 16:51:06 +01:00
a0bb51ef92
New tag '<ip-host>' introduced: can be used in actions to retrieve the host name (dns) from the IP address
2017-03-08 16:51:05 +01:00
sebres