sebres
ed22ddbbbb
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
7 years ago
sebres
63e906b2c1
regex rewritten: a bit fewer vulnerable now and using non-capturing groups, test-cases extended in order to cover trying of injection on user name
7 years ago
Benedikt Seidl
fed6c49c2d
nginx-http-auth: match usernames with spaces
...
# Conflicts:
# ChangeLog
7 years ago
Sergey G. Brester
b6c6565a7e
regex updated using non-capturing groups
7 years ago
riceru
6a1bbbf101
Update lighttpd-auth.conf
...
I have lighttpd 1.4.45 (Debian 9) and auth error log is different.
Now printing mod_auth and not http_auth.
I think that the change was in Lighttp 1.4.42
7 years ago
sebres
2b7b0da943
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
7 years ago
sebres
2112145eb4
stop ban of legitimate users with multiple public keys (e. g. git, etc), thereby
...
differentiate between "invalid user" (going banned earlier) and valid users with public keys, for which the rejects of not valid public keys (failures) will be retarded up to "Too many authentication failures" resp. disconnect without success (accepted public key).
7 years ago
sebres
314e402fe0
filter.d/sendmail-auth.conf - extended daemon for Fedora 24/RHEL - the daemon name is "sendmail" (gh-1632)
7 years ago
sebres
c30144b37a
Merge branch '0.9' into 0.10
...
# Conflicts:
# config/action.d/firewallcmd-ipset.conf
# config/filter.d/asterisk.conf
# Merge-point after cherry-pick, no changes:
# fail2ban/client/jailreader.py
# fail2ban/helpers.py
7 years ago
Yannik Sembritzki
94f0b15c32
Allow faster parsing of hosts without ' characters in them
7 years ago
Yannik Sembritzki
b28dfb965a
Fix filter not catching asterisk requests with quote character in username ( fixes #2010 )
7 years ago
sebres
2712f72650
Merge remote-tracking branch 'master' into 0.10
7 years ago
Kevin Maradona
6c705d572b
filter.d/nginx-limit-req.conf: nginx limit-req log-level can be set to warn or error therefore having this regex will include both of them.
7 years ago
sebres
2b68882502
filter.d/exim.conf: provides mode "aggressive" to ban flood resp. DDOS-similar failures;
...
Closes #1983
7 years ago
sebres
7f89fbc33f
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
7 years ago
Serg G. Brester
4f63180611
Avoid injection using quotes after `auth` command;
...
Added non-greedy fallback for quoted something (with lookahead simulated possessive greedy catch of non-quoted parts `[^"]*(?=")`).
Note that because host-info's are hereafter (with foreign input in-between), we would not use greedy or non-greedy catch-alls (`.*` or `.*?`) here (preventing performance losses).
7 years ago
Serg G. Brester
f59df2e156
Avoid any injecting on protocol (e. g. tries using camel-case)
...
The phrase "AUTH command used when not advertised" is precise enough as anchor here, so prevent by any foreign-input (any auth protocol error).
7 years ago
Peter Nowee
aa158ac05f
Exim failregex: Include lower/mixed case AUTH
...
When reporting the error `AUTH command used when not advertised`, Exim
starts with `SMTP protocol error in "........."`. Here, Exim logs the
SMTP command as it was provided by the connecting client.
https://github.com/Exim/exim/blob/exim-4_89+fixes/src/src/smtp_in.c#L2850
According to RFC 5321 (SMTP) "[..] a command verb [..] MAY be encoded
in upper case, lower case, or any mixture of upper and lower case with
no impact on its meaning."
https://tools.ietf.org/html/rfc5321#section-2.4
Lower case `auth login` brute-force attempts were seen in the wild and
were not caught by the current failregex.
This commit makes the failregex case-insensitive for the `AUTH`
command, so that lower case (`auth`) or mixed case (`aUtH`) now also
match. The failregex was already case-insensitive for the command
arguments (e.g. `AUTH login` already matched).
7 years ago
SlowRiot
660d57e6ba
updating my email address
7 years ago
sebres
159957ab88
filter.d/sshd.conf: extended failregex for modes "extra"/"aggressive": now finds all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors;
...
obsolete (multi-line buffered) variant extended also.
Closes gh-1943, gh-1944
7 years ago
sebres
0e66e3cc57
Merge branch 'master' into 0.10
...
# Conflicts:
# config/filter.d/asterisk.conf
7 years ago
Michael Newton
d5d1fe679f
Remove invalid regex
...
Resolves #1927
7 years ago
Harry Wood
ea1b663f85
typo
...
spell "positive" (...but also somebody should finish this sentence)
7 years ago
sebres
e71f16f6ba
Merge branch 'master' into 0.10
...
# Conflicts resolved:
# config/filter.d/dovecot.conf
7 years ago
sebres
ea36e1b3fc
filter.d/dovecot.conf: fixed failregex to recognize pam_authenticate failures with "Permission denied" (gh-1897)
7 years ago
sebres
8c804a2290
Merge branch 'master' into 0.10
...
# Conflicts resolved:
# config/filter.d/postfix-rbl.conf
# config/filter.d/postfix-sasl.conf
# config/filter.d/postfix.conf
# fail2ban/tests/files/logs/postfix-sasl
7 years ago
sebres
a2120a9de5
filter.d/postfix-*.conf - added optional port regex (closes gh-1902)
7 years ago
sebres
b185e7cb04
Merge remote-tracking branch 'upstream/master' into 0.10
7 years ago
Serg G. Brester
bb97e66627
Merge pull request #1882 from coderua/patch-1
...
Add Jorgee Vulnerability Scanner protect
7 years ago
Serg G. Brester
2cd02b731b
filter.d/exim.conf: fixed failregex for case of `D=0s`
...
Closes gh-1886
7 years ago
sebres
4bc226a692
optimized regex
7 years ago
Vladimir Chumak
fafefc0293
Add Jorgee Vulnerability Scanner protect
...
Details for Jorgee Vulnerability Scanner: https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30164
7 years ago
sebres
4163f32968
small review, prefix replaced with `%(_apache_error_client)s` from apache-common.conf include
7 years ago
john
ac95449bbb
changed zoneminder regex as per Sebres and yarikoptic recommendations
7 years ago
john
5c3a666380
fixed incomplete regex after adding anchors
7 years ago
john
3d45fd2713
implemented yarikoptic's suggestions in fail2ban pull request #1376
7 years ago
john
08878d22dd
added zoneminder.conf filter
7 years ago
sebres
c312962029
filter.d/dovecot.conf: partially cherry-pick to 0.9 PR #1880 from sebres/0.10-fix-dovecot-regex ( d926e11a5c
)
...
fixed failregex (without new mode aggressive)
7 years ago
sebres
2cfc53c08e
remove capturing groups
7 years ago
sebres
9b8563f35e
- fixes regex for message `imap-login: Disconnected (auth failed, X attempts) ...` has to many variations on additional info after `<HOST>`,
...
leave it end-anchored because variable part `user=<[^>]*>` (before `<HOST>`) to avoid injecting, but can be safe rewritten using `[^>]*` in opposite to "greedy" `user=<[^>]*>`.
- introduces mode `aggressive` and extends regex for this mode to match:
* no auth attempts (previously removed in gh-601, because of lots of false positives on misconfigured MTAs)
* disconnected before auth was ready
* client didn't finish SASL auth
7 years ago
Pavel Mihadyuk
4c1abe1cbf
phpmyadmin-syslog: removed excess file, fixed test, updated failregex
7 years ago
Pavel Mihadyuk
5b4bc2aafd
Added filter for phpMyAdmin+syslog (>=4.7.0). Closes #1713
7 years ago
sebres
94b163936a
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
...
Removed init section (not needed in filter for 0.10).
# Conflicts:
# config/filter.d/sendmail-reject.conf
7 years ago
Serg G. Brester
af25a9d203
Merge pull request #1566 from opoplawski/journalmatch
...
Add sendmail journalmatch options
7 years ago
Orion Poplawski
84f552881c
Add sendmail journalmatch options
7 years ago
sebres
2fe1479484
Merge branch '_0.9/gh-1849' into 0.10
7 years ago
sebres
5c538fb658
Recognize "unknown user" for additional auth-methods (pam, passwd-file, ldap, sql, etc); simplifying regular expressions (put "unknown user" and "invalid credentials" together as one regex).
7 years ago
sebres
0ef5b7c4d4
small amend to gh-1850: removed greedy catch-all at end.
7 years ago
Marcel Waldvogel
daf57547c6
Parse ejabberd 17.06 output
...
E.g.:
2017-07-29 08:24:04.773 [info] <0.6668.0>@ejabberd_c2s:handle_auth_failure:433 (http_bind|ejabberd_bosh) Failed c2s PLAIN authentication for test@example.ch from ::FFFF:192.0.2.3: Invalid username or password
7 years ago
sebres
1a562bed0f
Merge remote-tracking branch 'master' into 0.10
...
# Conflicts:
# config/filter.d/asterisk.conf
7 years ago