Yaroslav Halchenko
5f2d3832f7
NF: roundcube-auth filter (to close Debian #699442, needing debian/jail.conf section)
12 years ago
Orion Poplawski
bb7628591c
Update config/filter.d/sshd.conf
...
Do not trigger sshd bans on pam_unix authentication failures, this will trigger on successful logins on systems that use non-pam_unix authentication (sssd, ldap, etc.).
12 years ago
Yaroslav Halchenko
9a39292813
ENH: Added login authenticator failed regexp for exim filter
12 years ago
pigsyn
f336d9f876
Update config/filter.d/webmin-auth.conf
...
Added '\s*$' to the regular expression to match the space written by webmin logs at line-endings
12 years ago
pigsyn
dc67b24270
Update config/filter.d/webmin-auth.conf
...
Added a trailing '.*$' to each regex so they can find expressions in targeted log files.
12 years ago
Yaroslav Halchenko
3969e3f77b
ENH: dovecot.conf - require space(s) before rip/rhost log entry
12 years ago
hamilton5
266cdc29a6
Update config/filter.d/dovecot.conf
...
even tho not on the fail2ban site..
suggested to not be greedy by yarikoptic
12 years ago
hamilton5
e040c6d8a3
Update config/filter.d/dovecot.conf
...
site actually needs updated because of <HOST> alias
per Notes above.
12 years ago
hamilton5
7ede1e8518
Update config/filter.d/dovecot.conf
...
added failregex line for debian and centos per
http://www.fail2ban.org/wiki/index.php/Talk:Dovecot
12 years ago
Yaroslav Halchenko
fc27e00290
ENH: tune up sshd-ddos to use common.conf and allow trailing spaces
12 years ago
Yaroslav Halchenko
6ecf4fd80a
Merge pull request #64 from sourcejedi/remove_sshd_rdns
...
Misconfigured DNS should not ban *successful* ssh logins
Per our discussion indeed better (and still as "safe") to not punish users behind bad DNS
12 years ago
Yaroslav Halchenko
282724a7f9
ENH: join both failregex for lighttpd-auth into a single one
...
they are close in meaning
should provide a slight run-time performance benefit
12 years ago
François Boulogne
958a1b0a40
Lighttpd: support auth.backend = "htdigest"
12 years ago
Yaroslav Halchenko
2082fee7b1
ENH: match possibly present "pam_unix(sshd:auth):" portion for sshd (Closes: #648020)
13 years ago
Yaroslav Halchenko
6ad55f64b3
ENH: add wu-ftpd failregex for use against syslog (Closes: #514239)
13 years ago
Alan Jenkins
8c38907016
Misconfigured DNS should not ban *successful* ssh logins
...
Noticed while looking at the source (to see the point of ssh-ddos).
POSSIBLE BREAK-IN ATTEMPT - sounds scary? But keep reading
the message. It's not a login failure. It's a warning about
reverse-DNS. The login can still succeed, and if it _does_ fail,
that will be logged as normal.
<exhibit n="1">
Jul 9 05:43:00 brick sshd[18971]: Address 200.41.233.234 maps to host234.advance.com.ar, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jul 9 05:43:00 brick sshd[18971]: Invalid user html from 200.41.233.234
</exhibit>
The problem (in my mind) is that some users are stuck with bad dns.
The warning won't stop them from logging in. I'm pretty sure they can't
even see it. But when they exceed a threshold number of logins -
which could be all successful logins - fail2ban will trigger.
fail2ban shouldn't be adding additional checks to successful logins
- it goes against the name fail2ban :)
- the first X "POSSIBLE BREAK-IN ATTEMPT"s would be permitted anyway
- if you want to ban bad DNS, the right way is PARANOID in /etc/hosts.deny
I've checked the source of OpenSSH, and this will only affect the
reverse-DNS error. (I won't be offended if you want to check
for yourself though ;)
<exhibit n="2">
$ grep -r -h -C1 'ATTEMPT' openssh-5.5p1/
logit("reverse mapping checking getaddrinfo for %.700s "
"[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop);
return xstrdup(ntop);
--
logit("Address %.100s maps to %.600s, but this does not "
"map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
ntop, name);
$
</exhibit>
13 years ago
Petr Voralek
4007751191
ENH: catch failed ssh logins due to being listed in DenyUsers. Close gh-47 (Closes: #669063)
13 years ago
Yaroslav Halchenko
71a3fb17e2
Merge remote-tracking branch 'gh-magicrhesus/master'
...
* gh-magicrhesus/master:
Add the INCLUDE section to use __pid_re feature
Disable asterisk jail by default
Change jail for asterisk, add support for SIP and SIP-TLS on TCP and UDP ports
Change NOTICE by NOTICE%(__pid_re)s
Remove custom bantime
Add sample log file for asterisk
Add $ at the end of the failregex
Add asterisk support
Conflicts:
config/jail.conf -- placed asterisk jails before recidive and added blank lines after the jail headers
13 years ago
Xavier Devlamynck
8c00ce0a65
Add the INCLUDE section to use __pid_re feature
13 years ago
Xavier Devlamynck
c679a1a588
Change NOTICE by NOTICE%(__pid_re)s
13 years ago
Xavier D
d98cdb25d6
Add $ at the end of the failregex
13 years ago
Yaroslav Halchenko
25f1e8d98c
BF: allow trailing whitespace in few missing it regexes for sshd.conf
13 years ago
Yaroslav Halchenko
1807be5a8c
ENH: moved jail definition for recidive into jail.conf + swapped/commented durations + non-grouping ?:
...
thanks @cepheid666 for the useful comments
13 years ago
Tom Hendrikx
f94a121663
Fix for https://github.com/fail2ban/fail2ban/issues/19
...
Based on previous work as documented in the bug by Amir and myself,
plus some enhancements and documentation added to the file itself rather
than a URL (they rot).
13 years ago
Xavier Devlamynck
7d465f98c1
Add asterisk support
13 years ago
Yaroslav Halchenko
4c76fb3b54
ENH: allow trailing white-spaces in lighttpd-auth.conf
...
now catches the one in testcases/files/logs/lighttpd
13 years ago
François Boulogne
683d4f269d
modifications suggested by a referee (log ex+regexp)
13 years ago
François Boulogne
b6d9f795dc
add filter for lighttpd mod_auth failure
13 years ago
Yaroslav Halchenko
a9be451079
ENH: removed expansion for few Date and Revision SVN keywords
...
For consistency of appearance... eventually we might just remove them
altogether
13 years ago
Yaroslav Halchenko
dad91f7969
ENH: sshd.conf -- allow user names to have spaces and trailing spaces in the line
...
absorbed from patches carried by Debian distribution of f2b
13 years ago
Yaroslav Halchenko
ed0bf3ad96
Removed duplicate entry for DataCha0s/2\.0 in badbots (closes: #519557)
13 years ago
Adam Spiers
3152afbdc2
Recognise time-stamped kernel messages
...
e.g.
Sep 25 12:51:04 myhost kernel: [773580.832329] sshd[25557]: Invalid user pgsql from 91.203.223.206
This fixes the sshd filter on Fedora 15, and probably other filters on
other newish distros too.
13 years ago
Yaroslav Halchenko
3eb5e3b876
BF: Allow for trailing spaces in sasl logs
...
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@783 a942ae1a-1317-0410-a47c-b1dcaea8d605
14 years ago
Yaroslav Halchenko
6d25310e28
ENH: Adding author for dovecot filter and pruning unneeded space in the regexp
...
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@776 a942ae1a-1317-0410-a47c-b1dcaea8d605
14 years ago
Yaroslav Halchenko
eab9af9caa
BF: proftpd filter -- if login failed -- count regardless of the reason for failure
...
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@775 a942ae1a-1317-0410-a47c-b1dcaea8d605
14 years ago
Yaroslav Halchenko
d4b89d8404
BF: Allow for trailing spaces in proftpd logs
...
See http://bugs.debian.org/507986
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@774 a942ae1a-1317-0410-a47c-b1dcaea8d605
14 years ago
Yaroslav Halchenko
1cb48bbc96
BF: escaping () in pure-ftpd filter. Thanks Teodor
...
See http://bugs.debian.org/544744
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@773 a942ae1a-1317-0410-a47c-b1dcaea8d605
14 years ago
Yaroslav Halchenko
02e7dfb099
BF: allow space in the trailing of failregex for sasl.conf: see http://bugs.debian.org/573314
...
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@772 a942ae1a-1317-0410-a47c-b1dcaea8d605
14 years ago
Yaroslav Halchenko
6558c03f8e
NF: Adding found on a drive filter.d/dovecot.conf
...
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@770 a942ae1a-1317-0410-a47c-b1dcaea8d605
14 years ago
Yaroslav Halchenko
10faba5163
ENH: make filter.d/apache-overflows.conf catch more: see http://bugs.debian.org/574182
...
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@769 a942ae1a-1317-0410-a47c-b1dcaea8d605
14 years ago
Yaroslav Halchenko
0073ba3838
ENH: dropbear filter: see http://bugs.debian.org/546913
...
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@768 a942ae1a-1317-0410-a47c-b1dcaea8d605
14 years ago
Arturo 'Buanzo' Busleiman
dde7afe1f3
added two new filter files (PHP url_fopen, lighttpd fastcgi alerts), updated MANIFEST and jail.conf accordingly
...
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@742 a942ae1a-1317-0410-a47c-b1dcaea8d605
15 years ago
Cyril Jaquier
55fd21ec4b
- Made the named-refused regex a bit less restrictive in order to match logs with "view". Thanks to Stephen Gildea.
...
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@730 a942ae1a-1317-0410-a47c-b1dcaea8d605
16 years ago
Cyril Jaquier
abd061bad8
- Changed <HOST> template to be more restrictive. Debian bug #514163.
...
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@728 a942ae1a-1317-0410-a47c-b1dcaea8d605
16 years ago
Cyril Jaquier
7fd0300a73
- Added cyrus-imap and sieve filters. Thanks to Jan Wagner. Debian bug #513953.
...
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@727 a942ae1a-1317-0410-a47c-b1dcaea8d605
16 years ago
Cyril Jaquier
376f348823
- Pull a commit from Yaroslav git repo. BF: addressing added bang to ssh log (closes: #512193).
...
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@726 a942ae1a-1317-0410-a47c-b1dcaea8d605
16 years ago
Cyril Jaquier
e46e8ed32e
- Improved SASL filter. Thanks to Loic Pefferkorn. Tracker #2310410.
...
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@723 a942ae1a-1317-0410-a47c-b1dcaea8d605
16 years ago
Cyril Jaquier
622218271d
- Added svn:keywords property.
...
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@716 a942ae1a-1317-0410-a47c-b1dcaea8d605
16 years ago
Cyril Jaquier
bb8e610795
- Added apache-nohome.conf. Thanks to Yaroslav Halchenko.
...
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@715 a942ae1a-1317-0410-a47c-b1dcaea8d605
16 years ago
Cyril Jaquier
391a38a7a8
- Added new regex. Thanks to Tobias Offermann.
...
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@713 a942ae1a-1317-0410-a47c-b1dcaea8d605
16 years ago