9137c7bb23
filter processing:
...
- avoid duplicates in "matches" (previously always added matches of pending failures to every next real failure, or nofail-helper recognized IP, now first failure only);
- several optimizations of merge mechanism (multi-line parsing);
fail2ban-regex: better output handling, extended with tag substitution (ex.: `-o 'fail <ip>, user <F-USER>: <msg>'`); consider a string containing new-line as multi-line log-excerpt (not as a single log-line)
filter.d/sshd.conf: introduced parameter `publickey` (allowing change behavior of "Failed publickey" failures):
- `nofail` (default) - consider failed publickey (legitimate users) as no failure (helper to get IP and user-name only)
- `invalid` - consider failed publickey for invalid users only;
- `any` - consider failed publickey for valid users too;
- `ignore` - ignore "Failed publickey ..." failures (don't consider failed publickey at all)
tests/samplestestcase.py: SampleRegexsFactory gets new failJSON option `constraint` to allow ignore of some tests depending on filter name, options and test parameters
2020-02-13 12:28:07 +01:00
1492ab2247
improve processing of pending failures (lines without ID/IP) - fail2ban-regex would show those in matched lines now (as well as increase count of matched RE);
...
avoid overwrite of data with empty tags by ticket constructed from multi-line failures;
amend to d1b7e2b5fb2b389d04845369d7d29db65425dcf2: better output (as well as ignoring of pending lines) using `--out msg`;
filter.d/sshd.conf: don't forget mlf-cache on "disconnecting: too many authentication failures" - message does not have IP (must be followed by "closed [preauth]" to obtain host-IP).
2020-02-11 18:44:36 +01:00
774dda6105
filter.d/postfix.conf: extended mode ddos and aggressive covering multiple disconnects without auth
2020-02-10 13:29:16 +01:00
34d63fccfe
close gh-2629 - jail.conf (action_blocklist_de interpolation): replace service parameter (use jail name instead of filter, which can be empty)
2020-02-10 13:03:55 +01:00
a7c68ea19f
Merge branch '0.10' into 0.11
2020-01-28 21:47:55 +01:00
569dea2b19
filter.d/mysqld-auth.conf: capture user name in filter (can be more strict if user switched, used in action or fail2ban-regex output);
...
also add coverage for mariadb 10.4 log format (gh-2611)
2020-01-22 17:24:40 +01:00
70e47c9621
Merge branch '0.10' into 0.11
2020-01-14 11:44:35 +01:00
ec37b1942c
action.d/nginx-block-map.conf: fixed backslash substitution (different echo behavior in some shells, gh-2596)
2020-01-14 11:39:13 +01:00
4860d69909
Merge branch '0.10' into 0.11
2020-01-09 20:55:00 +01:00
f77398c49d
filter.d/sshd.conf: captures `Disconnected from ... [preauth]`, preauth phase only, different handling by `extra` (with supplied user only) and `ddos`/`aggressive` mode (`normal` mode is not affected, used there just as a helper with `<F-NOFAIL>` to capture IP for multiline failures without IP);
...
closes gh-2115, gh-2362.
2020-01-09 20:53:53 +01:00
587e4ff573
Merge branch '0.10' into 0.11
...
(conflicts resolved)
2020-01-08 21:27:23 +01:00
67fd75c88e
pass2allow-ftp: inverted handling - action should prohibit access per default for any IP, so reset start on demand parameter for this action (will be started immediately).
2020-01-06 21:13:40 +01:00
8f6ba15325
avoid unhandled exception during flush, better invariant check (and repair), avoid repair by unban/stop etc...
2019-12-27 21:30:41 +01:00
e763c657c4
Let's get back to WRN
2019-11-27 00:32:10 +01:00
d7b707b09d
Update bitwarden.conf
2019-11-27 00:09:22 +01:00
869327e9b1
Update bitwarden.conf
2019-11-25 22:17:58 +01:00
79caeaa520
Create bitwarden.conf
2019-11-25 22:05:29 +01:00
30e742a849
Update jail.conf
2019-11-25 21:57:41 +01:00
ef394b3cf0
Update jail.conf
2019-11-25 21:55:45 +01:00
24d1ea9aa2
Merge branch '0.10' into 0.11
2019-11-25 01:58:55 +01:00
e4c2f303bd
Merge pull request #2550 from CPbN/centreonjail
...
Add Centreon jail
2019-11-15 01:53:20 +01:00
0e8a8edb5e
filter.d/sendmail-*.conf: both filters have same `__prefix_line` now (and same RE for ID, 14-20 chars long, optional) + adjusted test cases (gh-2563)
2019-11-08 13:15:40 +01:00
548e2e0054
sendmail-auth.conf: filter updated for longer mail IDs (up to 20, see gh-2562)
2019-11-08 12:42:09 +01:00
5cf064a112
monit: accepting both logpath's: monit and monit.log, closes gh-2495
2019-11-04 12:18:12 +01:00
9e699646f8
Add Centreon jail
2019-10-24 14:37:18 +02:00
18ba714f97
Add Centreon jail
2019-10-23 09:14:26 +02:00
3515d06979
Merge branch '0.10' into 0.11
2019-10-18 19:19:21 +02:00
85ec605358
nftables: amend to gh-2254 - implemented shutdown of action (proper clean-up) - at stop it checks now the last set was deleted and removes table completely (if table does not contain any set);
...
this is avoided if some sets were added manually or can be avoided via overwriting of parameter `_nft_shutdown_table`, for example:
banaction = nftables[_nft_shutdown_table=''][...]
2019-10-18 19:01:16 +02:00
51af193402
nftables: add options allowing to specify own table (default `f2b-table`) and chain (default `f2b-chain`)
2019-10-18 18:54:02 +02:00
955d690e56
regrouping expressions with curly braces, added more escapes (better handling in posix shell)
2019-10-18 18:34:48 +02:00
0824ad0d73
Merge branch '0.10' into 0.11
2019-10-18 12:04:38 +02:00
54298fe761
Merge pull request #2254
...
Nftables: isolate fail2ban rules into a dedicated table and chain
2019-10-18 11:43:38 +02:00
d1a73d3004
filter.d/apache-auth.conf:
...
- ignore errors from mod_evasive in `normal` mode (mode-controlled now) (gh-2548);
- extended with option `mode` - `normal` (default) and `aggressive`
close gh-2548
2019-10-18 11:26:19 +02:00
8c6a547215
Merge branch '0.10' into 0.11
2019-10-11 03:01:46 +02:00
50595b70fd
filter.d/mysqld-auth.conf: ISO timestamp format (dual time) within log message
...
(https://serverfault.com/questions/982126/fail2ban-fails-to-recognize-ip )
2019-10-11 01:31:07 +02:00
9e28b6c65f
filter.d/asterisk.conf: relaxing protocol RE-part before IP in RemoteAddress (gh-2531)
2019-09-26 21:46:26 +02:00
8ea00c1d5d
fixed mistake in config (semicolon after space as comment in configs?) and coverage, suppress errors by unsupported flush, better space handling in helper _nft_get_handle_id, etc
2019-09-25 13:47:29 +02:00
492205d30e
action.d/nftables.conf: implemented `actionflush` (allows flushing nftables sets resp. fast unban of all jail tickets at all)
2019-09-24 20:00:29 +02:00
abc4d9fe37
allow to use multiple protocols in multiport (single set with multiple rules in chain):
...
`banaction = nftables[type=multiport]` with `protocol="tcp,udp,sctp"` in jail replace 3 separate actions.
more robust if deleting multiple references to set (rules in chain)
2019-09-24 19:44:59 +02:00
c753ffb11d
combine nftables actions to single action:
...
- nftables-common is removed
- nftables-allports is obsolete, replaced by nftables[type=allports]
- nftables-multiport is obsolete, replaced by nftables[type=multiport]
2019-09-24 18:53:38 +02:00
c59d49da22
nftables-allports: support multiple protocols in single rule;
...
tests/servertestcase.py: added coverage for nftables actions
2019-09-24 18:46:41 +02:00
dde51b4682
fix actionban/unban ip definition syntax
2019-09-24 13:01:14 +02:00
1cda50ce05
Rewrite nftables variables based on nftables' logic.
...
Add an example for redirecting.
2019-09-24 13:01:13 +02:00
990c410877
Merge branch '0.10' into 0.11
...
# Conflicts (resolved):
# fail2ban/client/jailreader.py
2019-09-11 16:18:09 +02:00
a36b70c7b5
filter.d/znc-adminlog.conf: support logging format of systemd-journal, bypass port after address (optional, removed end-anchor, see gh-2520)
2019-09-10 21:02:26 +02:00
1cdd618232
Merge branch '0.10' into 0.11
2019-07-29 13:26:37 +02:00
5d5253dd70
Merge branch '0.10' into 0.11
2019-07-29 13:25:49 +02:00
91923b5c07
don't need to match identifier exactly (@ is precise enough as prefix), not capturing group;
...
`prefregex` extended, more selective now (denied/NOTAUTH suffix moved from `failregex`, so no catch-all there anymore);
update ChangeLog
2019-07-29 13:21:00 +02:00
4395469226
Update named-refused.conf
...
Log format changed since ver. 9.11.0
Ref. ftp://ftp.isc.org/isc/bind9/9.11.0/RELEASE-NOTES-bind-9.11.0.html
"The logging format used for querylog has been altered. It now includes an additional field indicating the address in memory of the client object processing the query."
2019-07-29 13:06:49 +02:00
a395361de8
Merge pull request #2467 from sebres/logtype-option-rfc5424
...
New option `logtype` value - `rfc5424`
2019-07-24 00:02:04 +02:00
581f13c2db
Merge branch '0.10' into 0.11
2019-07-22 19:07:15 +02:00
0dfd4f1f41
Merge pull request #2404 from benrubson/badprotocol
...
filter.d/sshd.conf: matches "Bad protocol version identification" in ddos and aggressive modes.
2019-07-22 12:47:39 +02:00
119401fced
Merge pull request #2452 from benrubson/badips
...
Badips key is only used to retrieve list
2019-07-20 12:08:22 +02:00
af611db859
Merge branch '0.10' into 0.11
2019-07-10 12:47:03 +02:00
5e980afbb8
filter.d/apache-noscript.conf: closes #2466 - matches "Primary script unknown" without "\n" (optional now)
2019-07-10 12:45:53 +02:00
62b1712d22
amend to #2387 :
...
- common.conf: rewritten using section-based handling round about option logtype;
- option `logtype` extended with `rfc5424` to cover RFC 5424 log-format (see #2309 );
2019-07-09 21:48:43 +02:00
8b171f7d25
Badips key is only used to retrieve list
2019-06-26 18:34:20 +02:00
80f97eaf02
Merge branch '0.10' into 0.11
2019-06-26 17:29:08 +02:00
e751be2c13
normalize, simplify and fix several mail actions (mail and sendmail actions are more similar now, sendmail is configurable via parameter `mailcmd`, etc);
...
added test covering sendmail-whois-lines
2019-06-15 23:14:41 +02:00
5045c4bb00
Merge branch '0.10' into 0.11
2019-06-12 16:28:57 +02:00
a7dc3614c4
znc-adminlog: use `<ADDR>` instead of `<HOST>`
2019-06-12 16:26:34 +02:00
b288ccd6b6
new filter: znc-adminlog
2019-06-12 16:25:50 +02:00
2e7a600851
Merge branch '0.10' into 0.11
2019-06-12 11:44:05 +02:00
22b9304562
action.d/badips.py: fix start of banaction on demand (which may be IP-family related), supplied action info with ticket instead of simulating it with dict;
...
(closes gh-2390)
2019-06-12 11:23:52 +02:00
0ed3a63151
Merge branch '0.10' into 0.11
2019-06-07 16:29:38 +02:00
e5ae113215
filter.d/postfix.conf: extended with new postfix filter mode `errors` to match "too many errors" (gh-2439),
...
also included within modes `normal`, `more` (`extra` and `aggressive`), since postfix
parameter `smtpd_hard_error_limit` is default 20 (additionally consider `maxretry`)
2019-06-07 16:14:02 +02:00
3b2f75414c
filter.d/postfix.conf: extended regexp's to accept variable suffix code in status of postfix for precise messages (gh-2442)
2019-06-07 15:40:55 +02:00
3d4044084a
Merge branch '0.10' into 0.11
2019-06-07 14:48:10 +02:00
7dbd3a07eb
cut comment to limit documented on abuseipdb, additionally use curl in quiet mode
2019-06-07 14:39:55 +02:00
7b73cb7639
Switch to AbuseIPDB API v2
2019-06-07 14:39:52 +02:00
5137cd2ec8
Merge branch '0.10' into 0.11
2019-05-14 21:40:50 +02:00
49bf6132cc
amend for 3036ed18893b6aae6619e53201aa53deb701b94f: eliminate "invalid sequence" warnings
2019-05-14 21:40:33 +02:00
f69a8693fc
Merge branch '0.10' into 0.11
2019-05-14 20:19:29 +02:00
0426a24719
filter.d/postfix.conf: (closes gh-2426) filter extended to catch "5.1.1" (Recipient address rejected: User unknown in local recipient table) with RCPT (and some session-id instead of "NOQUEUE")
2019-05-14 15:27:20 +02:00
ca85ddc866
Merge branch '0.10' into 0.11
2019-05-10 16:23:50 +02:00
d8d71c5a22
action.d/helpers-common.conf: grep arguments are rewritten - using options `-wF` to match only whole words and fixed string (not as pattern)
2019-05-10 16:17:13 +02:00
fa727586ff
Fix grep pattern to deal with Apache's error log
...
Apache's error log appends the port to the IP address, other logs don't.
2019-05-10 16:04:27 +02:00
74eac6c94f
Merge branch '0.10' into 0.11
2019-05-02 15:28:44 +02:00
23d2281e57
action.d/nginx-block-map.conf: small fix with better RE-rule for removal of ID (token/session) via sed (anchored now)
2019-05-02 15:22:45 +02:00
5b2b680bfe
SSHd add Bad protocol version message
2019-05-02 11:42:45 +02:00
b318eb7e33
closes gh-2408: prevent execution of action `abuseipdb` for restored tickets
2019-04-29 10:45:37 +02:00
c47bb523b7
Merge branch '0.10' into 0.11
2019-04-24 21:58:27 +02:00
422a2de7fe
updated
2019-04-24 21:35:19 +02:00
a581bf3f08
Fixed filter for Apache mod_security
2019-04-24 21:35:17 +02:00
5d6a84ba78
Updated to correct logging option
2019-04-24 21:35:15 +02:00
f0c5bd56f4
Merge branch '0.10' into 0.11 (conflicts resolved)
2019-04-19 13:20:38 +02:00
25f1aa334e
fail2ban.conf: move default settings into DEFAULT section (to be more similar to jail.conf, Definition section overwrites the options, so it is backwards compatible)
2019-04-18 20:53:11 +02:00
0386df0042
introduced new options: `dbmaxmatches` (fail2ban.conf) and `maxmatches` (jail.conf);
...
setting `maxmatches` and `dbmaxmatches` to 0 saves memory usage and database size (closes gh-2118).
2019-04-18 20:31:39 +02:00
337be4b36c
Merge remote-tracking branch 'remotes/gh-upstream/0.10' into 0.11
2019-04-18 13:47:44 +02:00
28c1da33dc
Merge pull request #2387 from sebres/logtype-option-journal
...
New backend-related option `logtype` (`journal` or `file`)
2019-04-18 13:27:42 +02:00
6c7093c66d
minor amend, refolding branches (SP|SA -> S[PA])
2019-04-04 02:28:50 +02:00
ffd5d0db78
Update sendmail-reject.conf
...
On some distros (e.g., CentOS 7), sendmail default config labels port 465 as TLSMTA and port 587 as MSA. Update failregex to reflect. Relevant loglines included in 9e1fa4ff73
2019-03-29 17:39:27 -06:00
ced9828d04
filter.d/sendmail-reject.conf: fixed gh-2385 for some systems (e. g. CentOS): if only identifier set to `sm-mta` (no unit `sendmail`) for some messages.
2019-03-29 14:24:06 +01:00
ec681a3363
backend `systemd` sets `logtype` to `journal` automatically;
...
sshd-journal: new test covering sshd journal logging format (matches short prefix-line simulating output of formatJournalEntry);
samplestestcase-factory extended with new option `fileOptions` to set common filter/test options for whole test-file
2019-03-29 14:24:00 +01:00
e268bf97d4
introduces new configuration parameter "logtype" (default "file" for file-backends, and "journal" for journal-backends);
...
common.conf: differentiate "__prefix_line" for file/journal logtype's (speedup and fix parsing of systemd-journal);
samplestestcase.py: extends testSampleRegexsFactory to allow coverage of journal logtype;
closes gh-2383: asterisk can log timestamp if logs into systemd-journal (regex extended with optional part matching this)
2019-03-29 14:23:57 +01:00
17a4f81e23
Merge branch '0.10' into 0.11
2019-03-27 13:46:56 +01:00
e8401a7e65
action.d/xarf-login-attack.conf: fixes gh-2372, correction for split of addresses, interpolation is shell-independent now, etc;
...
extended with option `boundary`, additionally dynamic boundary part is used (is not so predictable as it was previously);
2019-03-16 00:05:06 +01:00
7a7a905ab2
0.9 - Merge pull request #2339 from cFire/master
...
Add override for dovecot failed logins on debian
2019-03-14 11:45:46 +01:00
4e2c7b9fdd
Merge branch '0.10' into 0.11
2019-03-12 17:01:03 +01:00
741cf8fb0e
Merge branch 'master-0.9' into 0.10
2019-03-12 16:58:08 +01:00
sebres