fail2ban

Commit Graph

Author	SHA1	Message	Date
sebres	9b8563f35e	- fixes regex for message `imap-login: Disconnected (auth failed, X attempts) ...` has to many variations on additional info after `<HOST>`, leave it end-anchored because variable part `user=<[^>]>` (before `<HOST>`) to avoid injecting, but can be safe rewritten using `[^>]` in opposite to "greedy" `user=<[^>]>`. - introduces mode `aggressive` and extends regex for this mode to match: no auth attempts (previously removed in gh-601, because of lots of false positives on misconfigured MTAs) * disconnected before auth was ready * client didn't finish SASL auth	7 years ago
sebres	94b163936a	Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 Removed init section (not needed in filter for 0.10). # Conflicts: # config/filter.d/sendmail-reject.conf	7 years ago
Serg G. Brester	af25a9d203	Merge pull request #1566 from opoplawski/journalmatch Add sendmail journalmatch options	7 years ago
Orion Poplawski	84f552881c	Add sendmail journalmatch options	7 years ago
sebres	2fe1479484	Merge branch '_0.9/gh-1849' into 0.10	7 years ago
sebres	5c538fb658	Recognize "unknown user" for additional auth-methods (pam, passwd-file, ldap, sql, etc); simplifying regular expressions (put "unknown user" and "invalid credentials" together as one regex).	7 years ago
sebres	0ef5b7c4d4	small amend to gh-1850: removed greedy catch-all at end.	7 years ago
Marcel Waldvogel	daf57547c6	Parse ejabberd 17.06 output E.g.: 2017-07-29 08:24:04.773 [info] <0.6668.0>@ejabberd_c2s:handle_auth_failure:433 (http_bind\|ejabberd_bosh) Failed c2s PLAIN authentication for test@example.ch from ::FFFF:192.0.2.3: Invalid username or password	7 years ago
sebres	1a562bed0f	Merge remote-tracking branch 'master' into 0.10 # Conflicts: # config/filter.d/asterisk.conf	7 years ago
sebres	a5b62a7f36	failregex extended and simplified (partially ported from gh-1409).	7 years ago
sebres	098abae4e6	Remove greedy catch-all before `<HOST>`, make regex more universal, fewer prone to errors (should avoid future changes, if some optional parameters coming again before/after `RemoteAddress`) + non-captured groups now. Test for possible injection (5.6.7.8 in session-id) already available, line 59 (thus already covered).	7 years ago
Kirill	4c0c7b97c0	Update asterisk.conf to new log message I got an issue like this: [2016-05-15 22:53:00] SECURITY[26428] res_security_log.c: SecurityEvent="FailedACL",EventTV="2016-05-15T22:53:00.203+0300",Severity="Error",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7fb580001518",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/78.129.227.4/62389",SessionTV="1970-01-01T03:00:00.000+0300" # [sebres] rebased to current master and resolving conflicts.	7 years ago
sebres	0e33125129	be more precise using common `__prefix_line` expression (set `_daemon` to recognize apache and httpd only)	7 years ago
sebres	b561af45ef	apache-common.conf: introduced parameter `logging` for possibility to match lines, if apache logs into syslog/systemd journal; added test cases to cover `apache-auth[logging=syslog]`.	7 years ago
benrubson	b662cf03ac	Apache, detect syslog prefix, simple example	7 years ago
sebres	7217ef5c9e	filter.d/ejabberd-auth.conf: fixed ejabberd filter - accept new log-format with `wait_for_sasl_response` instead of `wait_for_feature_request` + optional part "IP " (gh-993)	7 years ago
sebres	dae4988aea	filter.d/roundcube-auth.conf: fixes failregex not working with `X-Real-IP` or/and `X-Forwarded-For` (gh-1303)	7 years ago
sebres	aa92b68d4a	filter.d/postfix.conf: normalized several postfix-filters using parameter `mode` (as discussed in gh-1813); introduced parameter `mode`: more (default, combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all) replacement for gh-1239, gh-1697, gh-1764; closes gh-1245, gh-1297.	7 years ago
sebres	d32a3913cf	postfix postscreen (resp. other RBL's compatibility fix) / gh-1764	7 years ago
sebres	546cd55342	Merge branch 'master' into 0.10	8 years ago
sebres	a1d0633e69	filter.d/asterisk.conf - fixed failregex AMI Asterisk authentification failed (see gh-1302): - optional space between NOTICE and pid; - optional part "Host " before IP-address;	8 years ago
sebres	33fcf8d809	Merge branch 'master' into 0.10	8 years ago
Serg G. Brester	1307e0a5b9	Merge pull request #1760 from szepeviktor/patch-12 Courier may complain about the method only	8 years ago
Serg G. Brester	6110ba9cc3	filter.d/proftpd.conf: added option `journalmatch` for systemd backend (closes gh-1613)	8 years ago
sebres	37ca4f17c2	filter.d/roundcube-auth.conf: added missing entry `journalmatch` from original gh-1783.	8 years ago
Serg G. Brester	986dd3107d	Merge branch '0.10' into patch-12	8 years ago
sebres	d3ae70beb6	filter.d/roundcube-auth.conf: Use the same filter-file and jail also when logging errors to journal instead to a local file. Additionally fixes more complex injections on username.	8 years ago
Johannes Weberhofer	691c080dc7	Added roundcube authentication filter, new jail and log-examples	8 years ago
Serg G. Brester	3294840c2a	Merge pull request #1801 from jeaye/postfix-updates filter.d/postfix.conf: update to the latest postfix logging format	8 years ago
Serg G. Brester	efeca8fdeb	postfix.conf: removes unneeded end-anchoring like `.*$`, etc. also removes several dynamic content at end, which are of no avail there. Additionally normalizes optional part (mail-ID) after reason number.	8 years ago
sebres	dcdf677438	Merge remote-tracking branch 'master' into 0.10	8 years ago
sebres	2b358bc1a4	filter.d/apache-overflows.conf: rewritten without end-anchor ($), because apache-log could contain very long URLs (and/or referrer), the parsing of it anchored way may be very vulnerable (at least as regards the system resources, see gh-1790).	8 years ago
jeaye	6f3d425c4d	Update postfix filters and tests	8 years ago
sebres	bbea73d79d	Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10	8 years ago
Peter Nowee	b93e47b12f	dovecot: Match also when user field is empty Commit `5678d08` of 2016-11-26 changed: ( user=<\S>,)? to: ( user=<[^>]+>,)? The change from `` (zero or more times) to `+` (one or more times) may not have been intended. It will miss lines containing, for example: Aborted login (tried to use disallowed plaintext auth): user=<> This commit reverts the `+` back to `*`.	8 years ago
Marcel Bischoff	228d25c548	Update Kerio Connect filter (#1455 ) * Update Kerio Connect filter Fixed regex for some log entries that did not get recognized and some additional error formats are added. * Add missing colon, GitHub address * Add filter tests * Add missing test	8 years ago
Filippo Tessarotto	ff1c6718da	Postfix RBL: 554 & SMTP Cherry-pick of `607568f5da` (see gh-1686)	8 years ago
sebres	b13d9d4e22	Merge branch 'master' into 0.10	8 years ago
sebres	0600d51511	filter.d/exim.conf: added new reason for "rejected RCPT" regex: Unrouteable address	8 years ago
sebres	49e237209e	Merge branch 'master' into 0.10	8 years ago
sebres	c546f85207	filter.d/exim.conf: cherry-picked from 0.10, match complex time like `D=2m42s` (closes gh-1766)	8 years ago
Viktor Szépe	ac256a822b	Make courier-auth regexp a non-captured group	8 years ago
Viktor Szépe	4bb8a58dcf	Courier may complain about the method only > Mar 30 22:29:18 szerver imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:1.2.3.4]	8 years ago
Seth Reeser	c3426ba5f6	Update botsearch-common.conf (#1759 ) * Update botsearch-common.conf, apache-modsecurity.conf: typo and missing new-line	8 years ago
sebres	8839bcbb09	Merge remote-tracking branch master into 0.10	8 years ago
sebres	3161bcf78b	filter.d/exim.conf: optional part `(...)` after host-name before `[IP]`, normalized over whole config file. # Conflicts: # config/filter.d/exim.conf	8 years ago
sebres	507034c5be	filter.d/apache-auth.conf: joined some similar expressions	8 years ago
Serg G. Brester	6dfd080e20	Update apache-auth.conf remove forgotten referer, that may prevent failure recognition (belongs to gh-1645)	8 years ago
Serg G. Brester	311f8fea83	Merge branch '0.10' into issue1644	8 years ago
Serg G. Brester	4f0f22702a	Update haproxy-http-auth.conf little bit more precise expression	8 years ago

1 2 3 4 5 ...

726 Commits (9b8563f35e88a764e60b61cfdf162dfaf726b0d8)