Serg G. Brester
40f294e6bf
Merge pull request #1663 from jjeziorny/netscaler-action
...
Introduced citrix netscaler action
2017-01-19 16:25:23 +01:00
Juliano Jeziorny
1fe554dd25
Introduced Citrix Netscaler action
2017-01-19 14:30:25 +01:00
Christoph Theis
6187431629
#1667 : Wrong paths for apache and nginx under FreeBSD
2017-01-17 11:48:25 +01:00
sebres
a9523aefbb
sshd.conf: fixed non-anchored part of regex (misleading match of colon inside IPv6 address instead of `: ` in the reason-part by missing space).
2017-01-10 12:58:44 +01:00
Viktor Szépe
81c1810f10
Introduce Cloudflare API v4
...
In the cloudflare action everyone is suggested to use API v4.
And I don't dare to contribute any actual change.
2016-12-31 21:30:57 +01:00
Yaroslav Halchenko
31a1560eaa
minor typos (thanks Vincent Lefevre, Debian #847785 )
2016-12-11 15:13:11 -05:00
sebres
45f1d811c9
Merge branch 'alex1702-1586'
2016-11-28 18:54:02 +01:00
sebres
67c14afd8e
ChangeLog entry added + jail.conf review
2016-11-28 18:51:23 +01:00
sebres
425170cef3
code review, makes the test cases workable, added dev-notes
2016-11-28 18:39:07 +01:00
sebres
931eab84b5
`filter.d/apache-modsecurity.conf`
...
- fixed for newer version (one space, closes gh-1626)
reviewed and optimized:
- non-greedy catch-all replaced for safer match
- unneeded catch-all anchoring removed
- non-capturing groups
2016-11-28 11:28:27 +01:00
sebres
5678d08a79
filter.d/dovecot.conf update:
...
- fixes failregex, that ignores failures through some irrelevant info (closes #1623 );
- ignores whole additionally irrelevant info in anchored regex before fixed failure data `\((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\)`
- review, IPv6 compatibility fix, non-capturing groups
2016-11-26 16:50:37 +01:00
Serg G. Brester
4f5389fee5
Update jail.conf
2016-11-24 19:30:10 +01:00
Johannes Weberhofer
f46ada023e
Use Fedora's backend-settings for openSUSE
...
Those settings are ok for newer openSUSE versions
2016-11-22 09:03:54 +01:00
sebres
b5433f48b7
amend after code review of merge gh-1581
2016-11-11 11:09:46 +01:00
sebres
bee6e7376b
Merge branch 'aclindsa:master'
2016-11-11 10:58:40 +01:00
sebres
dab5f56609
Merge branch 'fix-gh-1477'
2016-11-11 10:17:07 +01:00
Alex
8ac28e5dcb
Make changes and add test file
2016-11-10 13:09:32 +01:00
Alex
8c40766511
Add Mongodb-auth filter and jail
2016-11-10 12:48:24 +01:00
Aaron Lindsay
7805f9972d
filter.d/sshd.conf: Match 'Invalid user' with 'port \d*'
2016-10-15 15:52:19 -04:00
sebres
84c3eb3e0e
filter.d/sendmail-reject.conf: double space (should be by missing dns-host only)
...
Closes #1578
2016-10-15 14:53:45 +02:00
Nils
d08db22b92
Create npf.conf for the NPF packet filter
...
This file adds support for the NPF packet filter, available on NetBSD since version 6.0
2016-10-13 18:50:54 +02:00
sebres
9fb167b5e1
filter.d/vsftpd.conf: optional reason message after FAIL LOGIN, closes #1543
2016-09-09 09:20:15 +02:00
sebres
4a1d720344
filter.d/asterisk.conf: another part ` chan_sip.c:28468 handle_request_register:` in log prefix
2016-08-22 14:10:50 +02:00
sebres
2c54f90469
sshd-filter: better universal regexp, that matches more complex different injects, using conditional expressions (on username and auth-info section), see new test cases also.
2016-08-19 10:19:12 +02:00
sebres
a544c5abac
sshd-filter: recognized "Failed publickey for" now (gh-1477) + improved regexp (not anchored now to recognize all "Failed anything for ... from <HOST>"
...
ChangeLog entry added
2016-08-18 21:38:55 +02:00
sebres
38d53a72fd
introduces new command "fail2ban-python", as automatically created symlink to python executable, where fail2ban currently installed (resp. its modules are located);
...
fixed pythonic filters and test scripts (running via "fail2ban-python" now);
fixed test case "testSetupInstallRoot" not for default python (also using direct call, out of virtualenv);
# Conflicts:
# config/filter.d/ignorecommands/apache-fakegooglebot
# fail2ban/tests/files/config/apache-auth/digest.py
# fail2ban/tests/files/ignorecommand.py
# fail2ban/tests/misctestcase.py
2016-08-12 17:58:37 +02:00
maksyms
9ddbd642f7
Accept no space after "failed:" ( #1501 )
...
yoh: Squashed to ease cherry-picking into 0.9
* accept no space after "failed:"
fix issue #1497
* accept no space after "failed:"
* Update postfix-sasl
* Update postfix-sasl
* Update postfix-sasl
2016-08-08 17:09:47 -04:00
sebres
c52aaa8b78
ASSP failregex minor fixes
2016-08-08 19:06:28 +02:00
sebres
70658d7a19
Merge pull request #1494 from rhardy613/master (branch 'sebres:pr-1494')
2016-08-08 18:49:32 +02:00
rhardy613
8265e3f0f9
Fix comments
...
For some reasons the comment changes weren't pickup in the last commit.
This fixes it.
2016-08-05 23:25:15 -04:00
rhardy613
66fe5a77ce
Fix ASSP filter to work with both ASSP V1 and V2
...
ASSP V1 development stopped at the end of 2014 and it is now deprecated.
All users were urged to upgrade to ASSP V2 which is still actively
developed.
fail2ban 0.9.5 (and trunk) still have code which only understands ASSP
V1 logs.
This means the filter ignores brute force attacks against ASSP. This fix
adds V2 support.
2016-08-05 23:18:51 -04:00
rhardy613
890a3dcbb9
Fix ASSP filter to work with current release of ASSP
...
ASSP V1 development stopped at the end of 2014 and it is now deprecated.
All users were urged to upgrade to ASSP V2 which is still actively
developed. For some reason fail2ban 0.9.5 (and trunk) still have code
which only understands ASSP V1 logs. This means the filter ignores brute
force attacks against ASSP.
Now updated with anchored patterns tested against 6 months of log data.
2016-08-05 17:26:47 -04:00
Yaroslav Halchenko
c0994b0c6c
DOC: minor typo (thanks John Bernard) Closes #1496
2016-08-04 10:23:05 -04:00
rhardy613
f73746d846
Fix ASSP filter to work with current release of ASSP
...
ASSP V1 development stopped at the end of 2014 and it is now deprecated.
All users were urged to upgrade to ASSP V2 which is still actively
developed. For some reason fail2ban 0.9.5 (and trunk) still have code
which only understands ASSP V1 logs. This means the filter ignores brute
force attacks against ASSP.
2016-07-31 13:50:52 -04:00
Yaroslav Halchenko
28a0605f69
Merge pull request #1478 from gips0n/master
...
adding openldap slapd filter
2016-07-14 08:30:42 -04:00
Andrii Melnyk
7433b353ee
another variant of regex
2016-07-14 10:19:21 +03:00
Andrii Melnyk
7c5828dd2a
add trailing anchor to failregex
2016-07-13 21:09:42 +03:00
Andrii Melnyk
48c094f612
improved failregex according to @sebres recomendations
2016-07-08 13:45:10 +03:00
sebres
f5f204ca7c
Improved changes of gh-1458:
...
`[^']*` after callid was wrong, changed to `[^\)]*`;
regexp anchored at the end;
almost the same regex grouped to one;
Closes #1458
2016-07-08 11:45:25 +02:00
nturcksin
72a157b8f2
Improve PJSIP log support for asterisk 13+ with different callID (Squash gh-1458)
...
Change the asterisk pjsip filter to don't take the callId part
Add optional part between "Request" and "from"
Listed all log message from asterisk
2016-07-08 11:45:22 +02:00
Andrii Melnyk
dcb69b0242
* add `__prefix_line` to regex
...
* fix time in log file
2016-07-08 05:29:51 +03:00
Andrii Melnyk
b2e3affaa0
adding openldap slapd filter
2016-07-08 04:50:57 +03:00
Serg G. Brester
af8b650a37
badip timeout option introduced, set to 30 seconds in our test cases ( #1463 )
...
cherry-picked from 0.10 (little bit modified in test_badips.py, because no --fast option in test cases)
2016-06-13 12:56:53 +02:00
Yaroslav Halchenko
636a93f58b
Merge pull request #1438 from yarikoptic/bf-exim
...
exim filters -- make wider use of host_info helper str susbstitution + fix for #1430
2016-06-07 21:35:52 -04:00
Ludovic Gasc
f85fb45b29
Asterisk pjsip ( #1456 )
...
* Improve PJSIP log support for Asterisk 13+
* Update changelog: filter.d/asterisk.conf - fix security log support for PJSIP and Asterisk 13+
* Change pjsip regexp with sebres observation, thanks to @nturcksin
2016-06-07 11:40:35 +02:00
Yaroslav Halchenko
6434661480
RF: for consistency use (?:XXX)? instead of (?:|XXX)
2016-05-30 12:12:53 -04:00
Yaroslav Halchenko
48a8324662
ENH: use non-capturing regex groups in exim-common and exim filters
2016-05-30 11:02:12 -04:00
sebres
8ec4e1189e
use raw host (don't use textToIp) if usedns exactly `raw`, because `usedns = no` should ignore no ip failures
2016-05-30 15:34:21 +02:00
Yaroslav Halchenko
9bb869b8d4
ENH: courier-smtp -- allow for trailing username (no spaces) in the logline
...
Closes #1440
2016-05-21 22:17:09 -04:00
Yaroslav Halchenko
8b8cf2a660
ENH: exim filters -- make more use of %(host_info)s which in turn made more flexible
2016-05-21 10:29:09 -04:00
Yaroslav Halchenko
743a531eb5
BF: make :port and I=[ip]:port optional for a "AUTH command used when not advertised"
...
Closes #1430
2016-05-21 10:29:01 -04:00
sebres
52377984cd
back to mandatory space, ungrouping of sub parameters in `__prefix_line` + small code review;
2016-05-19 17:57:48 +02:00
sebres
25af11215b
test case for generic common moved to `./fail2ban/tests/config/filter.d/zzz-generic-example.conf` to prevent shipping it with fail2ban installations
2016-05-17 20:08:46 +02:00
sebres
cb4f9be8b2
the date brackets removed from filters using `__prefix_line`, because `__prefix_line` already contains the date ambit;
2016-05-17 11:55:02 +02:00
sebres
de813acf51
extends generic `__prefix_line` with optional brackets for the date ambit (gh-1421), added new parameter `__date_ambit` + test case added;
2016-05-17 11:54:43 +02:00
sebres
3e49522b7a
fixes unexpected extra regex-space in generic `__prefix_line` (gh-1405, misleadingly committed in d2a9537568
);
...
all optional spaces normalized in generic include `common.conf` + test cases are extended (using new example pseudo-filter and test log `zzz-generic-example`);
2016-05-13 20:26:37 +02:00
sebres
bdc2d07946
fix suhosin_log in common paths - log files should be separated using "\n":
...
prevents to throw an error "File option must be 'head' or 'tail'", if jail suhosin will be enabled.
2016-05-11 18:49:04 +02:00
jungle-boogie
d889918f19
update doc url
...
direct to confluence page. no code changes.
2016-04-24 21:35:18 -07:00
Yaroslav Halchenko
aa303acfd6
Merge pull request #1381 from theDogOfPavlov/patch-3
...
Tightened up exim regexes to catch rDNS entries
2016-04-23 18:27:38 -04:00
Alexandre Perrin
7712310d2d
Be more backward compatible on matching postfix/smtps/smtpd
...
Support trailing smtps also and not only smtpd.
suggested by @sebres
2016-04-14 13:54:58 +02:00
Alexandre Perrin
1a299409e5
Fix postfix/smtps/smtpd matching.
2016-04-14 12:10:58 +02:00
theDogOfPavlov
1eb51b1bc2
Tightened up regexes to catch rDNS entries
2016-04-01 18:07:01 +01:00
Yaroslav Halchenko
db2dd070ad
Merge pull request #1356 from opoplawski/bug-1354
...
Fedora use mariadb by default, fix log path
2016-03-31 22:11:10 -04:00
Serg G. Brester
b9b7ecbf6b
Merge pull request #1357 from sebres/monit-new-fltr
...
monit filter fixup for the new version (gh-1355)
2016-03-26 11:39:26 +01:00
TorontoMedia
3d239215cd
Two new firewalld actions with rich rules for firewalld-0.3.1+ (gh-1367)
...
closes #1367
2016-03-25 17:28:30 +01:00
sebres
ac27c9cb96
Merge branch 'patch-2' (gh-1371)
2016-03-25 17:05:23 +01:00
Serg G. Brester
0effe76971
Merge pull request #1370 from theDogOfPavlov/patch-1
...
Added regex for LDAP authentication failures
2016-03-25 15:30:39 +01:00
jblachly
e9202fa0b2
Placed failure (illumos) at end of regex
2016-03-24 00:43:15 -04:00
theDogOfPavlov
fe1475be95
Additional exim regexes to cover common attacks...
2016-03-21 05:59:59 +00:00
theDogOfPavlov
cf2aa9c1c0
Added regex for LDAP authentication failures
2016-03-21 05:53:23 +00:00
jblachly
25c2334bc8
SmartOS PAM Authentication failed (not failURE)
...
SmartOS (and likely other Illumos platforms) enter log entries for failed sshd logins of the form:
`Authentication failed for USER from HOST`
The current sshd.conf regex matches `failure` -- add to this a match for `failed` to support Illumos
2016-03-16 13:52:01 -04:00
Johannes Weberhofer
bd25a43417
define journalmatch setting for pure-ftps
2016-03-11 18:19:53 +01:00
Orion Poplawski
f3f813a925
- mysqld does not log login attempts to the journal.
...
- Add /var/log/mysqld.log to mysql_log
2016-03-09 13:52:50 -07:00
sebres
37c9075fad
fixed monit filter: failregex find now both previous and new versions:
...
- failregex of previous monit version merged as single expression;
- extended failregex with new monit "access denied" version;
2016-03-09 20:06:14 +01:00
Orion Poplawski
dfc65018da
Fedora use mariadb by default, fix log path
2016-03-09 11:36:06 -07:00
Yaroslav Halchenko
385b50e4a9
Merge pull request #1343 from denics/master
...
adding wp-admin to bot search
2016-03-07 10:23:37 -05:00
Denix
ed0e572bfc
added wp-admin
...
bot are very annoying and I am getting a lot of checks on wp-admin. This should calm them.
2016-03-02 16:52:03 +01:00
Yaroslav Halchenko
6ffbc1ffad
ENH: revert back to having detailed suffix anchored at the end for mysqld-auto.conf
...
As discussed in https://github.com/fail2ban/fail2ban/pull/1333#discussion_r54100127
2016-02-28 12:07:46 -05:00
Yaroslav Halchenko
3e31145c33
Merge pull request #1331 from whyscream/postfix-multi-instance-support
...
Add support for matching postfix multi-instance daemon names by default
2016-02-28 12:00:24 -05:00
sebres
667785b608
mysqld: failregex fixed (accepts different log level, more secure expression now);
...
closes #1332
2016-02-24 17:17:51 +01:00
Tom Hendrikx
6c606cf98f
Add support for matching postfix multi-instance daemon names by default
2016-02-23 20:23:04 +01:00
Yaroslav Halchenko
905c87ca4a
Merge pull request #1310 from yarikoptic/pr-1288
...
NF: HAProxy HTTP Auth filter
2016-02-11 08:35:48 -05:00
sebres
d8e81eb417
regexp rewritten (few vulnerable as previous) + test case added
2016-02-08 12:01:25 +01:00
3eBoP
257b7049d8
Update asterisk filter: changed regex for "Call from ...". Sometimes extension can have a plus symbol (+) because they can be phone number.
...
Closes #1309
2016-02-08 11:51:37 +01:00
Pierre GINDRAUD
b5a07741c8
Add new regex into postfix filter. The new regexp is able to detect bad formatted SMTP EHLO command
2016-02-08 11:11:59 +01:00
Yaroslav Halchenko
3f437b32db
Merge remote-tracking branch 'pr/1288/head'
...
* pr/1288/head:
Update haproxy-http-auth.conf
Added HAProxy HTTP Auth filter
Conflicts:
config/jail.conf - resolved + removed unnecessary filter/enabled (defaults should be as good)
2016-01-28 08:51:45 -05:00
Yaroslav Halchenko
377ea32441
Merge pull request #1295 from obounaim/master
...
The sender option is ignored by some actions
2016-01-28 08:48:22 -05:00
Serg G. Brester
fe14c8fa05
Merge pull request #1292 from albel727/master
...
Add nftables actions
2016-01-24 23:55:50 +01:00
Jordan Moeser
d7b46509d8
Update haproxy-http-auth.conf
...
Updated failregex to be more strict
2016-01-12 08:37:33 +10:00
local
40c0bed82c
action_mw, action_mwl, action_cf_mwl ignore the "sender" option when sending a notification email.
...
This commit adds "sender="%(sender)s"" to the three actions to correct this issue.
2016-01-10 00:05:03 +01:00
Yaroslav Halchenko
5d0d96a5cb
Merge pull request #1286 from yarikoptic/enh-jail
...
ENH: harmonize jail.conf + 1 more test that passed bantime is non-degenerate and int
2016-01-08 08:51:08 -05:00
Alexander Belykh
985e8938a4
Refactor nftables actionstop into smaller parts
2016-01-06 17:39:54 +06:00
Alexander Belykh
9779eeb986
Add nftables_type/family/table parameters
2016-01-06 17:33:14 +06:00
Alexander Belykh
260c30535d
Escape curly braces in nftables actions
2016-01-06 17:13:30 +06:00
Alexander Belykh
1983e15580
Add empty line between parameters in nftables-common.conf
2016-01-06 16:55:29 +06:00
Alexander Belykh
f7f91a8bd4
Refactor common code out of nftables-multiport/allports.conf
2016-01-05 19:03:47 +06:00
sebres
69f5623f83
code simplifying (remove duplication): agent will be always supplied as parameter from jail.conf
2016-01-04 09:30:32 +01:00
Alexander Belykh
618e97bce8
Add nftables actions
2016-01-04 01:36:28 +06:00
sebres
ac31121432
amend to fix fail2ban-version: correct user-agent for badips.py "Fail2Ban/ver", changeable within jail/config now;
2015-12-31 02:32:17 +01:00
Jordan Moeser
e133762a28
Added HAProxy HTTP Auth filter
2015-12-31 11:16:23 +10:00