fail2ban

Commit Graph

Author	SHA1	Message	Date
sebres	f13fac5ae9	amend to 5561423be3b2d4636f5484183c3ad470fd326d06: fixed incorrect failure counting despite the `<F-NOFAIL>` marked regex; extra: introduced new tag `<F-MLFFORGET>` as mark to forget current multi-line MLFID (e. g. connection closed); Closes gh-1727	8 years ago
sebres	5561423be3	filter.d/sshd.conf: fixed failregex format - some parts are optional, new ddos more precise rule (Connection reset by with host entry); closes gh-1719	8 years ago
sebres	0c1707afda	filter.d/sshd.conf: - optional parameter `mode` rewritten: normal (default), ddos, extra or aggressive (combines all), see sshd for regex details); test cases reformatted (since "filterOptions", we don't need multiple test log-files anymore);	8 years ago
sebres	35efca5941	Better multi-line handling introduced: single-line parsing with caching of needed failure information to process in further lines. Many times faster and fewer CPU-hungry because of parsing with `maxlines=1`, so without line buffering (scrolling of the buffer-window). Combination of tags `<F-MLFID>` and `<F-NOFAIL>` can be used now to process multi-line logs using single-line expressions: - tag `<F-MLFID>`: used to identify resp. store failure info for groups of log-lines with the same identifier (e. g. combined failure-info for the same conn-id by `<F-MLFID>(?:conn-id)</F-MLFID>`, see sshd.conf for example) - tag `<F-NOFAIL>`: used as mark for no-failure (helper to accumulate common failure-info); filter.d/sshd.conf: [sshd], [sshd-ddos], [sshd-aggressive] optimized with pre-filtering using new option `prefregex` and new multi-line handling.	8 years ago
sebres	4ff8d051f4	Introduced new filter option `prefregex` for pre-filtering using single regular expression; Some filters extended with user name; [filter.d/pam-generic.conf]: grave fix injection on user name to host fixed; test-cases in testSampleRegexsFactory can now check the captured groups (using additionally fields in failJSON structure)	8 years ago
sebres	1823571e0f	Merge branch 'ssh-filter-new-regexp' into 0.10	8 years ago
sebres	9d06f0ee40	sshd-amend: optional space after port part	8 years ago
sebres	e8a1556562	Merge remote-tracking branch 'master' into 0.10 # Conflicts: # fail2ban/tests/samplestestcase.py	8 years ago
sebres	8aa9516d50	sshd.conf: fixed expression "received disconnect ... auth fail" - optional space after port part (gh-1652)	8 years ago
sebres	3276bd6d54	sshd: additionally aggressive filter rules - no matching cipher resp. no matching key exchange method (gh-1545, gh-1117)	8 years ago
sebres	628789f9a9	sshd: conditional parameter "mode" for sshd jail (normal, ddos, aggressive) filter sshd-ddos and new filter sshd-aggressive are both derivation of sshd-filter	8 years ago
sebres	dd373dba9f	test all config-regexp, that contains greedy catch-all before <HOST>, that is hard-anchored at end or precise sub expression after <HOST>; new ssh rule(s) added: - Connection reset by peer (multi-line rule during authorization process); - No supported authentication methods available; Single line and multi-line expression optimized, added optional prefixes and suffix (logged from several ssh versions); closes gh-864	8 years ago
sebres	7019640eb3	Merge branch 'fix-gh-1658' into 0.10	8 years ago
sebres	a9523aefbb	sshd.conf: fixed non-anchored part of regex (misleading match of colon inside IPv6 address instead of `: ` in the reason-part by missing space).	8 years ago
sebres	c9f32f75e6	Merge branch '0.9-fix-regex-using-journal' into 0.10-fix-regex-using-journal (merge point against 0.9 after back-porting gh-1660 from 0.10)	8 years ago
sebres	40cbe96352	Merge remote-tracking branch 0.10 into _0.10/fix-datedetector-grave-fix-v2	8 years ago
sebres	b5433f48b7	amend after code review of merge gh-1581	8 years ago
sebres	bee6e7376b	Merge branch 'aclindsa:master'	8 years ago
sebres	ab0ac2111c	added possibility to specify more precise default date pattern: - `datepattern = {^LN-BEG}` - only line-begin anchored default patterns (matches date only at begin of line, or with max distance up to 2 non-alphanumeric characters from line-begin); - `datepattern = {*WD-BEG}` - only word-begin anchored default patterns; - `datepattern = ^prefix{DATE}suffix` - exact specified default patterns (using prefix and suffix); common filter configs gets a more precise, line-begin anchored (datepattern = {^LN-BEG}) resp. custom anchoring default date-patterns;	8 years ago
Aaron Lindsay	7805f9972d	filter.d/sshd.conf: Match 'Invalid user' with 'port \d*'	8 years ago
sebres	2c54f90469	sshd-filter: better universal regexp, that matches more complex different injects, using conditional expressions (on username and auth-info section), see new test cases also.	8 years ago
sebres	a544c5abac	sshd-filter: recognized "Failed publickey for" now (gh-1477) + improved regexp (not anchored now to recognize all "Failed anything for ... from <HOST>" ChangeLog entry added	8 years ago
jblachly	e9202fa0b2	Placed failure (illumos) at end of regex	9 years ago
jblachly	25c2334bc8	SmartOS PAM Authentication failed (not failURE) SmartOS (and likely other Illumos platforms) enter log entries for failed sshd logins of the form: `Authentication failed for USER from HOST` The current sshd.conf regex matches `failure` -- add to this a match for `failed` to support Illumos	9 years ago
Yaroslav Halchenko	5d6cead996	ENH: sshd filter -- match new "maximum auth attempts exceeded" (Closes #1269 )	9 years ago
Kevin Locke	36919d9f97	ssh.conf: Fix disconnect "Auth fail" matching The regex for matching against "Auth fail" disconnect log message does not match against current versions of ssh. OpenSSH 5.9 introduced privilege separation of the pre-auth process, which included [logging through monitor.c](http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.c.diff?r1=1.113&r2=1.114) which adds " [preauth]" to the end of each message and causes the log level to be prepended to each message. It also fails to match against clients which send a disconnect message with a description that is either empty or includes a space, since this is the content in the log message after the disconnect code, per [packet.c:1785](http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/packet.c?annotate=1.215), which was matched by \S+. Although I have not observed this yet, I couldn't find anything which would preclude it in [RFC 4253](https://tools.ietf.org/html/rfc4253#section-11.1) and since the message is attacker-controlled it provides a way to avoid getting banned. This commit fixes both issues. Signed-off-by: Kevin Locke <kevin@kevinlocke.name>	9 years ago
Markus Oesterle	f8c7247f42	added \s after host	10 years ago
Markus Oesterle	5f2807b41f	replaced .* before rhost with regex matching all the previous fields	10 years ago
Markus Oesterle	8825a5f31b	updated filter.d/sshd.conf Added line to match sshd auth errors on OpenSuSE systems	10 years ago
pmarrapese	96918acee4	more explicit match for sshd filter & added test	11 years ago
pmarrapese	46d6e93800	adjusted sshd filter regex to catch more verbose lines	11 years ago
Steven Hiscocks	bc10b64c69	ENH: Match non "Bye Bye" for sshd locked accounts failregex	11 years ago
Daniel Black	c701ac9276	DOC: document LogLevel requirement for "Connection from" regex"	11 years ago
Daniel Black	5f4d0ed576	ENH: ssh filter - "Disconnecting: Too many authentication failures.." matching Connection log message	11 years ago
Daniel Black	ef82eac790	DOC: openssh real protection is pubkey	11 years ago
Daniel Black	76468942f9	MRG: complete merge from master	11 years ago
Daniel Black	a8e0498389	BF: add expression for ssh filter for code 3: SSH2_DISCONNECT_KEY_EXCHANGE_FAILED. closes gh-289	11 years ago
Daniel Black	227f27ce6b	ENH: added multiline filter for sshd filter	11 years ago
Daniel Black	1ac7b53cad	MRG: merge from master	11 years ago
Yaroslav Halchenko	bf245f9640	DOC: adding DEV Notes for for non-greedy matchin within sshd.conf	11 years ago
Yaroslav Halchenko	750e0c1e3d	BF: disallow exploiting of non-greedy .* in previous fix by providing too long rhost -- do not impose length limits for user-provided input since daemon might eventually change reported length and we would need to adjust anyways. So limiting in length does not provide additional security but allows for a possible injection vector	11 years ago
Yaroslav Halchenko	abb012ae5c	BF: fixing injection for OpenSSH 6.3 -- making .* before <HOST> non-greedy	11 years ago
Daniel Black	47d35c9d80	MRG: 0.8.11 to 0.9 Epnoc of selinux is now true UTC Merge multiline support and date detection in filter	11 years ago
Daniel Black	89fd792dfb	DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page	11 years ago
Daniel Black	778f09debe	DOC/ENH: __md5hex regex defination to common.conf. Document debian bug #	11 years ago
Daniel Black	f2ae20a3b8	BF: filter.d/sshd group on md5hex and () for serial needed to be escaped	11 years ago
Daniel Black	1eeb6e94bd	BF: fix regex for openssh-6.3	11 years ago
Steven Hiscocks	5ca6a9aeb6	Merge branch 'systemd-journal' into 0.9 Conflicts: bin/fail2ban-regex config/filter.d/sshd.conf Closes github #224	12 years ago
Steven Hiscocks	49261925d7	ENH: Add new regex for locked accounts for sshd	12 years ago
Steven Hiscocks	f7d328195f	NF: Add systemd journal backend	12 years ago

1 2

94 Commits (9b0f39a17d32b2f78738c8500123cf01b56b550b)