Commit Graph

1206 Commits (983b128c5439cacfbc560c600266051b4bf6de6e)

Author SHA1 Message Date
Serg G. Brester 40f294e6bf Merge pull request #1663 from jjeziorny/netscaler-action
Introduced citrix netscaler action
2017-01-19 16:25:23 +01:00
Juliano Jeziorny 1fe554dd25 Introduced Citrix Netscaler action 2017-01-19 14:30:25 +01:00
Christoph Theis 6187431629 #1667: Wrong paths for apache and nginx under FreeBSD 2017-01-17 11:48:25 +01:00
sebres a9523aefbb sshd.conf: fixed non-anchored part of regex (misleading match of colon inside IPv6 address instead of `: ` in the reason-part by missing space). 2017-01-10 12:58:44 +01:00
Viktor Szépe 81c1810f10 Introduce Cloudflare API v4
In the cloudflare action everyone is suggested to use API v4.
And I don't dare to contribute any actual change.
2016-12-31 21:30:57 +01:00
Yaroslav Halchenko 31a1560eaa minor typos (thanks Vincent Lefevre, Debian #847785) 2016-12-11 15:13:11 -05:00
sebres 45f1d811c9 Merge branch 'alex1702-1586' 2016-11-28 18:54:02 +01:00
sebres 67c14afd8e ChangeLog entry added + jail.conf review 2016-11-28 18:51:23 +01:00
sebres 425170cef3 code review, makes the test cases workable, added dev-notes 2016-11-28 18:39:07 +01:00
sebres 931eab84b5 `filter.d/apache-modsecurity.conf`
- fixed for newer version (one space, closes gh-1626)
reviewed and optimized:
  - non-greedy catch-all replaced for safer match
  - unneeded catch-all anchoring removed
  - non-capturing groups
2016-11-28 11:28:27 +01:00
sebres 5678d08a79 filter.d/dovecot.conf update:
- fixes failregex, that ignores failures through some irrelevant info (closes #1623);
- ignores whole additionally irrelevant info in anchored regex before fixed failure data `\((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\)`
- review, IPv6 compatibility fix, non-capturing groups
2016-11-26 16:50:37 +01:00
Serg G. Brester 4f5389fee5 Update jail.conf 2016-11-24 19:30:10 +01:00
Johannes Weberhofer f46ada023e Use Fedora's backend-settings for openSUSE
Those settings are ok for newer openSUSE versions
2016-11-22 09:03:54 +01:00
sebres b5433f48b7 amend after code review of merge gh-1581 2016-11-11 11:09:46 +01:00
sebres bee6e7376b Merge branch 'aclindsa:master' 2016-11-11 10:58:40 +01:00
sebres dab5f56609 Merge branch 'fix-gh-1477' 2016-11-11 10:17:07 +01:00
Alex 8ac28e5dcb Make changes and add test file 2016-11-10 13:09:32 +01:00
Alex 8c40766511 Add Mongodb-auth filter and jail 2016-11-10 12:48:24 +01:00
Aaron Lindsay 7805f9972d filter.d/sshd.conf: Match 'Invalid user' with 'port \d*' 2016-10-15 15:52:19 -04:00
sebres 84c3eb3e0e filter.d/sendmail-reject.conf: double space (should be by missing dns-host only)
Closes #1578
2016-10-15 14:53:45 +02:00
Nils d08db22b92 Create npf.conf for the NPF packet filter
This file adds support for the NPF packet filter, available on NetBSD since version 6.0
2016-10-13 18:50:54 +02:00
sebres 9fb167b5e1 filter.d/vsftpd.conf: optional reason message after FAIL LOGIN, closes #1543 2016-09-09 09:20:15 +02:00
sebres 4a1d720344 filter.d/asterisk.conf: another part ` chan_sip.c:28468 handle_request_register:` in log prefix 2016-08-22 14:10:50 +02:00
sebres 2c54f90469 sshd-filter: better universal regexp, that matches more complex different injects, using conditional expressions (on username and auth-info section), see new test cases also. 2016-08-19 10:19:12 +02:00
sebres a544c5abac sshd-filter: recognized "Failed publickey for" now (gh-1477) + improved regexp (not anchored now to recognize all "Failed anything for ... from <HOST>"
ChangeLog entry added
2016-08-18 21:38:55 +02:00
sebres 38d53a72fd introduces new command "fail2ban-python", as automatically created symlink to python executable, where fail2ban currently installed (resp. its modules are located);
fixed pythonic filters and test scripts (running via "fail2ban-python" now);
fixed test case "testSetupInstallRoot" not for default python (also using direct call, out of virtualenv);

# Conflicts:
#	config/filter.d/ignorecommands/apache-fakegooglebot
#	fail2ban/tests/files/config/apache-auth/digest.py
#	fail2ban/tests/files/ignorecommand.py
#	fail2ban/tests/misctestcase.py
2016-08-12 17:58:37 +02:00
maksyms 9ddbd642f7 Accept no space after "failed:" (#1501)
yoh: Squashed to ease cherry-picking into 0.9

* accept no space after "failed:"

fix issue #1497

* accept no space after "failed:"

* Update postfix-sasl

* Update postfix-sasl

* Update postfix-sasl
2016-08-08 17:09:47 -04:00
sebres c52aaa8b78 ASSP failregex minor fixes 2016-08-08 19:06:28 +02:00
sebres 70658d7a19 Merge pull request #1494 from rhardy613/master (branch 'sebres:pr-1494') 2016-08-08 18:49:32 +02:00
rhardy613 8265e3f0f9 Fix comments
For some reasons the comment changes weren't pickup in the last commit.
This fixes it.
2016-08-05 23:25:15 -04:00
rhardy613 66fe5a77ce Fix ASSP filter to work with both ASSP V1 and V2
ASSP V1 development stopped at the end of 2014 and it is now deprecated.
All users were urged to upgrade to ASSP V2 which is still actively
developed.
fail2ban 0.9.5 (and trunk) still have code which only understands ASSP
V1 logs.
This means the filter ignores brute force attacks against ASSP. This fix
adds V2 support.
2016-08-05 23:18:51 -04:00
rhardy613 890a3dcbb9 Fix ASSP filter to work with current release of ASSP
ASSP V1 development stopped at the end of 2014 and it is now deprecated.
All users were urged to upgrade to ASSP V2 which is still actively
developed. For some reason fail2ban 0.9.5 (and trunk) still have code
which only understands ASSP V1 logs. This means the filter ignores brute
force attacks against ASSP.
Now updated with anchored patterns tested against 6 months of log data.
2016-08-05 17:26:47 -04:00
Yaroslav Halchenko c0994b0c6c DOC: minor typo (thanks John Bernard) Closes #1496 2016-08-04 10:23:05 -04:00
rhardy613 f73746d846 Fix ASSP filter to work with current release of ASSP
ASSP V1 development stopped at the end of 2014 and it is now deprecated.
All users were urged to upgrade to ASSP V2 which is still actively
developed. For some reason fail2ban 0.9.5 (and trunk) still have code
which only understands ASSP V1 logs. This means the filter ignores brute
force attacks against ASSP.
2016-07-31 13:50:52 -04:00
Yaroslav Halchenko 28a0605f69 Merge pull request #1478 from gips0n/master
adding openldap slapd filter
2016-07-14 08:30:42 -04:00
Andrii Melnyk 7433b353ee another variant of regex 2016-07-14 10:19:21 +03:00
Andrii Melnyk 7c5828dd2a add trailing anchor to failregex 2016-07-13 21:09:42 +03:00
Andrii Melnyk 48c094f612 improved failregex according to @sebres recomendations 2016-07-08 13:45:10 +03:00
sebres f5f204ca7c Improved changes of gh-1458:
`[^']*` after callid was wrong, changed to `[^\)]*`;
  regexp anchored at the end;
  almost the same regex grouped to one;

Closes #1458
2016-07-08 11:45:25 +02:00
nturcksin 72a157b8f2 Improve PJSIP log support for asterisk 13+ with different callID (Squash gh-1458)
Change the asterisk pjsip filter to don't take the callId part
Add optional part between "Request" and "from"
Listed all log message from asterisk
2016-07-08 11:45:22 +02:00
Andrii Melnyk dcb69b0242 * add `__prefix_line` to regex
* fix time in log file
2016-07-08 05:29:51 +03:00
Andrii Melnyk b2e3affaa0 adding openldap slapd filter 2016-07-08 04:50:57 +03:00
Serg G. Brester af8b650a37 badip timeout option introduced, set to 30 seconds in our test cases (#1463)
cherry-picked from 0.10 (little bit modified in test_badips.py, because no --fast option in test cases)
2016-06-13 12:56:53 +02:00
Yaroslav Halchenko 636a93f58b Merge pull request #1438 from yarikoptic/bf-exim
exim filters -- make wider use of host_info helper str susbstitution + fix for #1430
2016-06-07 21:35:52 -04:00
Ludovic Gasc f85fb45b29 Asterisk pjsip (#1456)
* Improve PJSIP log support for Asterisk 13+

* Update changelog: filter.d/asterisk.conf - fix security log support for PJSIP and Asterisk 13+

* Change pjsip regexp with sebres observation, thanks to @nturcksin
2016-06-07 11:40:35 +02:00
Yaroslav Halchenko 6434661480 RF: for consistency use (?:XXX)? instead of (?:|XXX) 2016-05-30 12:12:53 -04:00
Yaroslav Halchenko 48a8324662 ENH: use non-capturing regex groups in exim-common and exim filters 2016-05-30 11:02:12 -04:00
sebres 8ec4e1189e use raw host (don't use textToIp) if usedns exactly `raw`, because `usedns = no` should ignore no ip failures 2016-05-30 15:34:21 +02:00
Yaroslav Halchenko 9bb869b8d4 ENH: courier-smtp -- allow for trailing username (no spaces) in the logline
Closes #1440
2016-05-21 22:17:09 -04:00
Yaroslav Halchenko 8b8cf2a660 ENH: exim filters -- make more use of %(host_info)s which in turn made more flexible 2016-05-21 10:29:09 -04:00
Yaroslav Halchenko 743a531eb5 BF: make :port and I=[ip]:port optional for a "AUTH command used when not advertised"
Closes #1430
2016-05-21 10:29:01 -04:00
sebres 52377984cd back to mandatory space, ungrouping of sub parameters in `__prefix_line` + small code review; 2016-05-19 17:57:48 +02:00
sebres 25af11215b test case for generic common moved to `./fail2ban/tests/config/filter.d/zzz-generic-example.conf` to prevent shipping it with fail2ban installations 2016-05-17 20:08:46 +02:00
sebres cb4f9be8b2 the date brackets removed from filters using `__prefix_line`, because `__prefix_line` already contains the date ambit; 2016-05-17 11:55:02 +02:00
sebres de813acf51 extends generic `__prefix_line` with optional brackets for the date ambit (gh-1421), added new parameter `__date_ambit` + test case added; 2016-05-17 11:54:43 +02:00
sebres 3e49522b7a fixes unexpected extra regex-space in generic `__prefix_line` (gh-1405, misleadingly committed in d2a9537568);
all optional spaces normalized in generic include `common.conf` + test cases are extended (using new example pseudo-filter and test log `zzz-generic-example`);
2016-05-13 20:26:37 +02:00
sebres bdc2d07946 fix suhosin_log in common paths - log files should be separated using "\n":
prevents to throw an error "File option must be 'head' or 'tail'", if jail suhosin will be enabled.
2016-05-11 18:49:04 +02:00
jungle-boogie d889918f19 update doc url
direct to confluence page. no code changes.
2016-04-24 21:35:18 -07:00
Yaroslav Halchenko aa303acfd6 Merge pull request #1381 from theDogOfPavlov/patch-3
Tightened up exim regexes to catch rDNS entries
2016-04-23 18:27:38 -04:00
Alexandre Perrin 7712310d2d Be more backward compatible on matching postfix/smtps/smtpd
Support trailing smtps also and not only smtpd.

suggested by @sebres
2016-04-14 13:54:58 +02:00
Alexandre Perrin 1a299409e5 Fix postfix/smtps/smtpd matching. 2016-04-14 12:10:58 +02:00
theDogOfPavlov 1eb51b1bc2 Tightened up regexes to catch rDNS entries 2016-04-01 18:07:01 +01:00
Yaroslav Halchenko db2dd070ad Merge pull request #1356 from opoplawski/bug-1354
Fedora use mariadb by default, fix log path
2016-03-31 22:11:10 -04:00
Serg G. Brester b9b7ecbf6b Merge pull request #1357 from sebres/monit-new-fltr
monit filter fixup for the new version (gh-1355)
2016-03-26 11:39:26 +01:00
TorontoMedia 3d239215cd Two new firewalld actions with rich rules for firewalld-0.3.1+ (gh-1367)
closes #1367
2016-03-25 17:28:30 +01:00
sebres ac27c9cb96 Merge branch 'patch-2' (gh-1371) 2016-03-25 17:05:23 +01:00
Serg G. Brester 0effe76971 Merge pull request #1370 from theDogOfPavlov/patch-1
Added regex for LDAP authentication failures
2016-03-25 15:30:39 +01:00
jblachly e9202fa0b2 Placed failure (illumos) at end of regex 2016-03-24 00:43:15 -04:00
theDogOfPavlov fe1475be95 Additional exim regexes to cover common attacks... 2016-03-21 05:59:59 +00:00
theDogOfPavlov cf2aa9c1c0 Added regex for LDAP authentication failures 2016-03-21 05:53:23 +00:00
jblachly 25c2334bc8 SmartOS PAM Authentication failed (not failURE)
SmartOS (and likely other Illumos platforms) enter log entries for failed sshd logins of the form:
`Authentication failed for USER from HOST`
The current sshd.conf regex matches `failure` -- add to this a match for `failed` to support Illumos
2016-03-16 13:52:01 -04:00
Johannes Weberhofer bd25a43417 define journalmatch setting for pure-ftps 2016-03-11 18:19:53 +01:00
Orion Poplawski f3f813a925 - mysqld does not log login attempts to the journal.
- Add /var/log/mysqld.log to mysql_log
2016-03-09 13:52:50 -07:00
sebres 37c9075fad fixed monit filter: failregex find now both previous and new versions:
- failregex of previous monit version merged as single expression;
- extended failregex with new monit "access denied" version;
2016-03-09 20:06:14 +01:00
Orion Poplawski dfc65018da Fedora use mariadb by default, fix log path 2016-03-09 11:36:06 -07:00
Yaroslav Halchenko 385b50e4a9 Merge pull request #1343 from denics/master
adding wp-admin to bot search
2016-03-07 10:23:37 -05:00
Denix ed0e572bfc added wp-admin
bot are very annoying and I am getting a lot of checks on wp-admin. This should calm them.
2016-03-02 16:52:03 +01:00
Yaroslav Halchenko 6ffbc1ffad ENH: revert back to having detailed suffix anchored at the end for mysqld-auto.conf
As discussed in https://github.com/fail2ban/fail2ban/pull/1333#discussion_r54100127
2016-02-28 12:07:46 -05:00
Yaroslav Halchenko 3e31145c33 Merge pull request #1331 from whyscream/postfix-multi-instance-support
Add support for matching postfix multi-instance daemon names by default
2016-02-28 12:00:24 -05:00
sebres 667785b608 mysqld: failregex fixed (accepts different log level, more secure expression now);
closes #1332
2016-02-24 17:17:51 +01:00
Tom Hendrikx 6c606cf98f Add support for matching postfix multi-instance daemon names by default 2016-02-23 20:23:04 +01:00
Yaroslav Halchenko 905c87ca4a Merge pull request #1310 from yarikoptic/pr-1288
NF: HAProxy HTTP Auth filter
2016-02-11 08:35:48 -05:00
sebres d8e81eb417 regexp rewritten (few vulnerable as previous) + test case added 2016-02-08 12:01:25 +01:00
3eBoP 257b7049d8 Update asterisk filter: changed regex for "Call from ...". Sometimes extension can have a plus symbol (+) because they can be phone number.
Closes #1309
2016-02-08 11:51:37 +01:00
Pierre GINDRAUD b5a07741c8 Add new regex into postfix filter. The new regexp is able to detect bad formatted SMTP EHLO command 2016-02-08 11:11:59 +01:00
Yaroslav Halchenko 3f437b32db Merge remote-tracking branch 'pr/1288/head'
* pr/1288/head:
  Update haproxy-http-auth.conf
  Added HAProxy HTTP Auth filter

 Conflicts:
	config/jail.conf - resolved + removed unnecessary filter/enabled (defaults should be as good)
2016-01-28 08:51:45 -05:00
Yaroslav Halchenko 377ea32441 Merge pull request #1295 from obounaim/master
The sender option is ignored by some actions
2016-01-28 08:48:22 -05:00
Serg G. Brester fe14c8fa05 Merge pull request #1292 from albel727/master
Add nftables actions
2016-01-24 23:55:50 +01:00
Jordan Moeser d7b46509d8 Update haproxy-http-auth.conf
Updated failregex to be more strict
2016-01-12 08:37:33 +10:00
local 40c0bed82c action_mw, action_mwl, action_cf_mwl ignore the "sender" option when sending a notification email.
This commit adds "sender="%(sender)s"" to the three actions to correct this issue.
2016-01-10 00:05:03 +01:00
Yaroslav Halchenko 5d0d96a5cb Merge pull request #1286 from yarikoptic/enh-jail
ENH: harmonize jail.conf + 1 more test that passed bantime is non-degenerate and int
2016-01-08 08:51:08 -05:00
Alexander Belykh 985e8938a4 Refactor nftables actionstop into smaller parts 2016-01-06 17:39:54 +06:00
Alexander Belykh 9779eeb986 Add nftables_type/family/table parameters 2016-01-06 17:33:14 +06:00
Alexander Belykh 260c30535d Escape curly braces in nftables actions 2016-01-06 17:13:30 +06:00
Alexander Belykh 1983e15580 Add empty line between parameters in nftables-common.conf 2016-01-06 16:55:29 +06:00
Alexander Belykh f7f91a8bd4 Refactor common code out of nftables-multiport/allports.conf 2016-01-05 19:03:47 +06:00
sebres 69f5623f83 code simplifying (remove duplication): agent will be always supplied as parameter from jail.conf 2016-01-04 09:30:32 +01:00
Alexander Belykh 618e97bce8 Add nftables actions 2016-01-04 01:36:28 +06:00
sebres ac31121432 amend to fix fail2ban-version: correct user-agent for badips.py "Fail2Ban/ver", changeable within jail/config now; 2015-12-31 02:32:17 +01:00
Jordan Moeser e133762a28 Added HAProxy HTTP Auth filter 2015-12-31 11:16:23 +10:00