Commit Graph

1206 Commits (983b128c5439cacfbc560c600266051b4bf6de6e)

Author SHA1 Message Date
Serg G. Brester bb97e66627 Merge pull request #1882 from coderua/patch-1
Add Jorgee Vulnerability Scanner protect
2017-09-07 15:52:31 +02:00
Serg G. Brester 2cd02b731b filter.d/exim.conf: fixed failregex for case of `D=0s`
Closes gh-1886
2017-09-07 15:28:46 +02:00
sebres 4bc226a692 optimized regex 2017-09-05 10:59:16 +02:00
Vladimir Chumak fafefc0293 Add Jorgee Vulnerability Scanner protect
Details for Jorgee Vulnerability Scanner: https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30164
2017-09-05 10:56:43 +02:00
sebres 4163f32968 small review, prefix replaced with `%(_apache_error_client)s` from apache-common.conf include 2017-09-04 11:48:01 +02:00
john ac95449bbb changed zoneminder regex as per Sebres and yarikoptic recommendations 2017-09-04 11:37:09 +02:00
john 7013729a1f removed redundant options for zoneminder from jail.conf 2017-09-04 11:37:05 +02:00
john 5c3a666380 fixed incomplete regex after adding anchors 2017-09-04 11:37:03 +02:00
john 3d45fd2713 implemented yarikoptic's suggestions in fail2ban pull request #1376 2017-09-04 11:37:00 +02:00
john 08878d22dd added zoneminder.conf filter 2017-09-04 11:36:50 +02:00
john a90f6c4ae8 added zoneminder jail and filter
# Conflicts:
#	config/jail.conf
2017-09-04 11:36:47 +02:00
sebres c312962029 filter.d/dovecot.conf: partially cherry-pick to 0.9 PR #1880 from sebres/0.10-fix-dovecot-regex (d926e11a5c)
fixed failregex (without new mode aggressive)
2017-09-01 10:57:41 +02:00
Serg G. Brester a287d0a05c Merge pull request #1872 from kmzby/master
Added filter for phpMyAdmin+syslog
2017-08-25 12:22:58 +02:00
Pavel Mihadyuk 4c1abe1cbf phpmyadmin-syslog: removed excess file, fixed test, updated failregex 2017-08-23 16:56:18 +03:00
Pavel Mihadyuk d09304b897 phpmyadmin-syslog: added default jail config 2017-08-22 19:00:48 +03:00
Pavel Mihadyuk 5b4bc2aafd Added filter for phpMyAdmin+syslog (>=4.7.0). Closes #1713 2017-08-22 18:20:01 +03:00
Serg G. Brester b0e5efb631 bsd-ipfw.conf: sh-compliant redirect of stderr together with stdout 2017-08-18 15:26:09 +02:00
sebres 3be32adefb Replace not posix-compliant grep option: fgrep with `-q` option can cause 141 exit code in some cases (see gh-1389). 2017-08-18 14:37:29 +02:00
Serg G. Brester c0eb7752a8 Merge pull request #1651 from szepeviktor/patch-9
Introduce Cloudflare API v4
2017-08-09 16:28:52 +02:00
Serg G. Brester 2ed8a38eca Update cloudflare.conf
Switch to API v1 to API v4 per default
2017-08-09 16:27:53 +02:00
Serg G. Brester da7072d40e Merge pull request #1846 from Chocobozzz/patch-3
Fix empty logfile.log in xarf login attack action
2017-08-09 16:21:47 +02:00
Serg G. Brester af25a9d203 Merge pull request #1566 from opoplawski/journalmatch
Add sendmail journalmatch options
2017-08-09 16:14:10 +02:00
Orion Poplawski 84f552881c Add sendmail journalmatch options 2017-08-09 16:03:34 +02:00
sebres 5c538fb658 Recognize "unknown user" for additional auth-methods (pam, passwd-file, ldap, sql, etc); simplifying regular expressions (put "unknown user" and "invalid credentials" together as one regex). 2017-08-07 18:04:09 +02:00
Bigard Florian f4551d02c9 Fix empty logfile.log in xarf login attack action
Fix empty 3rd MIME part which contains the attack evidence (logfile.log).
2017-07-25 13:44:29 +02:00
sebres a5b62a7f36 failregex extended and simplified (partially ported from gh-1409). 2017-07-18 16:34:22 +02:00
sebres 098abae4e6 Remove greedy catch-all before `<HOST>`, make regex more universal, fewer prone to errors (should avoid future changes, if some optional parameters coming again before/after `RemoteAddress`) + non-captured groups now.
Test for possible injection (5.6.7.8 in session-id) already available, line 59 (thus already covered).
2017-07-18 16:09:53 +02:00
Kirill 4c0c7b97c0 Update asterisk.conf to new log message
I got an issue like this:
[2016-05-15 22:53:00] SECURITY[26428] res_security_log.c: SecurityEvent="FailedACL",EventTV="2016-05-15T22:53:00.203+0300",Severity="Error",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7fb580001518",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/78.129.227.4/62389",SessionTV="1970-01-01T03:00:00.000+0300"

# [sebres] rebased to current master and resolving conflicts.
2017-07-18 15:40:32 +02:00
sebres a1d0633e69 filter.d/asterisk.conf - fixed failregex AMI Asterisk authentification failed (see gh-1302):
- optional space between NOTICE and pid;
- optional part "Host " before IP-address;
2017-07-03 12:57:28 +02:00
Serg G. Brester f27e053592 Update bsd-ipfw.conf
increased starting rule number (lowest_rule_num = 111)
2017-07-01 17:10:53 +02:00
Serg G. Brester 001c0898d6 Merge branch 'master' into master 2017-06-30 18:07:38 +02:00
Serg G. Brester 6110ba9cc3 filter.d/proftpd.conf: added option `journalmatch` for systemd backend (closes gh-1613) 2017-06-30 18:00:01 +02:00
sebres 2b358bc1a4 filter.d/apache-overflows.conf: rewritten without end-anchor ($), because apache-log could contain very long URLs (and/or referrer), the parsing of it anchored way may be very vulnerable (at least as regards the system resources, see gh-1790). 2017-06-15 11:16:19 +02:00
Peter Nowee b93e47b12f
dovecot: Match also when user field is empty
Commit 5678d08 of 2016-11-26 changed:

    ( user=<\S*>,)?

to:

    ( user=<[^>]+>,)?

The change from `*` (zero or more times) to `+` (one or more times) may
not have been intended. It will miss lines containing, for example:

    Aborted login (tried to use disallowed plaintext auth): user=<>

This commit reverts the `+` back to `*`.
2017-05-31 15:54:30 +02:00
Marcel Bischoff 228d25c548 Update Kerio Connect filter (#1455)
* Update Kerio Connect filter

Fixed regex for some log entries that did not get recognized and some additional error formats are added.

* Add missing colon, GitHub address

* Add filter tests

* Add missing test
2017-05-30 20:27:44 +02:00
Filippo Tessarotto ff1c6718da Postfix RBL: 554 & SMTP
Cherry-pick of 607568f5da (see gh-1686)
2017-05-15 14:42:37 +02:00
sebres 0600d51511 filter.d/exim.conf: added new reason for "rejected RCPT" regex: Unrouteable address 2017-05-07 14:02:38 +02:00
sebres c546f85207 filter.d/exim.conf: cherry-picked from 0.10, match complex time like `D=2m42s` (closes gh-1766) 2017-05-07 13:02:32 +02:00
sebres 3161bcf78b filter.d/exim.conf: optional part `(...)` after host-name before `[IP]`, normalized over whole config file.
# Conflicts:
#	config/filter.d/exim.conf
2017-04-24 19:21:26 +02:00
Serg G. Brester 52c1950371 Update mysqld-auth.conf
small typo, closes gh-1725 (Thx @seth-reeser)
2017-03-24 19:03:17 +01:00
sebres 8768776d68 filter.d/cyrus-imap.conf: fixed `failregex` - accept entries without login-info resp. hostname before IP address 2017-03-09 16:13:45 +01:00
Serg G. Brester 2fa18a74c4 Merge branch 'master' into master 2017-02-17 09:06:09 +01:00
Christoph Theis 861ce4177c #1689: Make lowest rule number in action.d/bsd-ipfw.conf configurable 2017-02-14 18:31:42 +01:00
sebres 9d06f0ee40 sshd-amend: optional space after port part 2017-01-23 08:56:47 +01:00
sebres 54a8c681ce suhosin.conf: removed greedy match 2017-01-21 16:26:07 +01:00
sebres 8aa9516d50 sshd.conf: fixed expression "received disconnect ... auth fail" - optional space after port part (gh-1652) 2017-01-21 16:18:03 +01:00
sebres 3276bd6d54 sshd: additionally aggressive filter rules - no matching cipher resp. no matching key exchange method (gh-1545, gh-1117) 2017-01-21 15:57:05 +01:00
sebres 628789f9a9 sshd: conditional parameter "mode" for sshd jail (normal, ddos, aggressive)
filter sshd-ddos and new filter sshd-aggressive are both derivation of sshd-filter
2017-01-21 15:54:49 +01:00
sebres dd373dba9f test all config-regexp, that contains greedy catch-all before <HOST>, that is hard-anchored at end or precise sub expression after <HOST>;
new ssh rule(s) added:
- Connection reset by peer (multi-line rule during authorization process);
- No supported authentication methods available;
Single line and multi-line expression optimized, added optional prefixes and suffix (logged from several ssh versions);
closes gh-864
2017-01-21 15:53:48 +01:00
Christian Brandlehner a4d8426401 Support for IBM Domino SMTP task (#1603)
filter.d/domino-smtp.conf
2017-01-20 08:44:20 +01:00