sebres
ced9828d04
filter.d/sendmail-reject.conf: fixed gh-2385 for some systems (e. g. CentOS): if only identifier set to `sm-mta` (no unit `sendmail`) for some messages.
2019-03-29 14:24:06 +01:00
sebres
ec681a3363
backend `systemd` sets `logtype` to `journal` automatically;
...
sshd-journal: new test covering sshd journal logging format (matches short prefix-line simulating output of formatJournalEntry);
samplestestcase-factory extended with new option `fileOptions` to set common filter/test options for whole test-file
2019-03-29 14:24:00 +01:00
sebres
e268bf97d4
introduces new configuration parameter "logtype" (default "file" for file-backends, and "journal" for journal-backends);
...
common.conf: differentiate "__prefix_line" for file/journal logtype's (speedup and fix parsing of systemd-journal);
samplestestcase.py: extends testSampleRegexsFactory to allow coverage of journal logtype;
closes gh-2383: asterisk can log timestamp if logs into systemd-journal (regex extended with optional part matching this)
2019-03-29 14:23:57 +01:00
sebres
17a4f81e23
Merge branch '0.10' into 0.11
2019-03-27 13:46:56 +01:00
sebres
e8401a7e65
action.d/xarf-login-attack.conf: fixes gh-2372, correction for split of addresses, interpolation is shell-independent now, etc;
...
extended with option `boundary`, additionally dynamic boundary part is used (is not so predictable as it was previously);
2019-03-16 00:05:06 +01:00
Sergey G. Brester
7a7a905ab2
0.9 - Merge pull request #2339 from cFire/master
...
Add override for dovecot failed logins on debian
2019-03-14 11:45:46 +01:00
sebres
4e2c7b9fdd
Merge branch '0.10' into 0.11
2019-03-12 17:01:03 +01:00
sebres
741cf8fb0e
Merge branch 'master-0.9' into 0.10
2019-03-12 16:58:08 +01:00
sebres
1a9527e6a4
fixed catch-all on user (and simplifying)
2019-03-12 16:53:36 +01:00
jim
a7f3ba87f6
filter.d/sogo-auth.conf: fixes gh-2289 - matching auth-failures when behind a proxy;
...
(broken by commit 72b06479a5
), replacement for gh-2290.
2019-03-12 16:50:04 +01:00
sebres
324f0ed7cc
Merge branch '0.10' into 0.11
2019-03-01 12:36:07 +01:00
sebres
3c70fe298a
closes gh-969: introduces new section `[Thread]` and option `stacksize` to configure default stack-size of the threads running in fail2ban. Example:
...
```ini
[Thread]
stacksize = 32
```
2019-02-24 16:45:14 +01:00
sebres
5126068099
loglevel and shortloglevel combined to single parameter loglevel, below an example logging summary with NOTICE and rest with DEBUG log-levels:
...
action = badips.py[... , loglevel="debug, notice"]
2019-02-22 14:05:19 +01:00
benrubson
689938ee99
Add a shortloglevel badips.py option
2019-02-22 13:32:46 +01:00
sebres
a3b7a0525a
Merge branch '0.10' into 0.11
2019-02-22 13:22:52 +01:00
sebres
140243328f
coverage: try to avoid sporadic "coverage decreased" in CI
2019-02-22 13:20:40 +01:00
Sergey G. Brester
d3f6d6ffdd
Merge pull request #2286 from crazy-max/0.10
...
New filter `traefik-auth`
2019-02-21 22:27:04 +01:00
Sergey G. Brester
dcede9b3f1
comment rewritten (belongs to the filter)
2019-02-21 22:26:28 +01:00
Sergey G. Brester
d84fb8a4b1
regex rewritten (more secure now, resolves catch-all vulni)
2019-02-21 22:19:04 +01:00
sebres
9ed35c423a
Merge branch '0.9' into 0.10 (gh-2317)
2019-02-21 20:13:54 +01:00
Yaroslav Halchenko
31e6ec3c5b
Merge pull request #2323 from todgru/fix-spelling-abuseipdb-conf
...
fix: correct spelling category
2019-02-15 17:08:45 -05:00
Cool Fire
27526e431b
Changes static logfile string to variable
...
Since we don't want to re-declare a log file name we already
have a varialbe for, use the existing variable to set dovecot_log.
2019-02-13 10:10:24 +01:00
Cool Fire
b31a018e7c
Add override for dovecot failed logins on debian
2019-02-13 10:01:14 +01:00
sebres
1647d0090e
Merge branch '0.10' into 0.11
2019-02-11 19:19:44 +01:00
sebres
e651bc7866
amend to #1622 : jail-reader supports now multi-line option for multi-line action parameter:
...
logpath = a.log
b.log
c.log
action = ban[...]
= log[logpath="%(logpath)s"]
closes gh-2341, ultimate fix for gh-976
2019-02-11 11:54:58 +01:00
todgru
39ed016a1e
fix: correct spelling category
2019-01-14 22:08:38 -08:00
sebres
d88ce7181c
Merge branch '0.10' into 0.11
2019-01-07 01:51:59 +01:00
sebres
a13fdcf4f7
closes gh-2314: extended regex for mysql 8.0.13 if used logging with details (e. g. log-error-verbosity = 3, so log output has few additional words enclosed in brackets after "[Note]").
2019-01-07 01:34:12 +01:00
Yannik Sembritzki
6b4404b1bc
Fix asterisk filter not catching attackers when port is logged ( Fixes #2316 )
2019-01-03 23:55:42 +01:00
CrazyMax
7cdabdd7ae
Update traefik-auth failregex
2018-12-14 19:06:09 +01:00
CrazyMax
a51f82770b
New filter `traefik-auth`
2018-11-24 22:44:44 +01:00
sebres
b49c1ab4b3
Merge branch '0.10' into 0.11
2018-11-21 13:06:44 +01:00
sebres
555b29e8e6
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2018-11-21 13:05:42 +01:00
sebres
1c1d2cc435
introduces new failregex-flag tag `<F-MLFGAINED>` signaled that the access to service was gained (ATM used similar to <F-NOFAIL>, but does not added to matches);
...
filter.d/sshd.conf: extended with new rules:
- Disconnecting ...: Change of username or service not allowed
- Disconnected from ... [preauth] (extra/aggressive mode only)
2018-11-19 21:19:57 +01:00
dienteperro
0df221b54b
"be" instead of "me" in shorewall.conf
2018-11-15 14:34:51 -05:00
sebres
f9f7e29295
Merge branch '0.10' into 0.11 (version bump after r.0.10.4)
2018-10-04 13:08:25 +02:00
Shane Forsythe
8614ca8c41
Update proftpd.conf
...
proftpd 1.3.5e can leave inconsistent error message if ftp or mod_sftp is used
Oct 2 15:45:31 ftp01 proftpd[5516]: 10.10.2.13 (10.10.2.189[10.10.2.189]) - SECURITY VIOLATION: Root login attempted
Oct 2 15:45:44 ftp01 proftpd[5517]: 10.10.2.13 (10.10.2.189[10.10.2.189]) - SECURITY VIOLATION: Root login attempted.
Fix regex to make trailing period optional, otherwise brute force attacks against root account using ftp are not blocked correctly.
2018-10-02 17:24:33 -04:00
Sergey G. Brester
1752c19b6f
Merge pull request #2205 from benrubson/patch-1
...
Add loglevel option to badips.py
2018-10-02 13:12:03 +02:00
Sergey G. Brester
65676baf8c
fixed py3 incompatibility (for some reasons this file seems to be excluded from 2to3), anyway not needed, because int-type is already checked in str2LogLevel
2018-10-02 13:00:20 +02:00
Sergey G. Brester
4b751c84c3
badips.py: Rewrite new bool option "log" as "loglevel" and revert default to log-level (DEBUG).
2018-10-02 12:32:15 +02:00
sebres
6b52f90ad6
Merge branch '0.10' into 0.11
2018-09-21 15:54:16 +02:00
sebres
58b510a5be
filter.d/domino-smtp.conf:
...
- recognizes failures logged using another format (something like session-id, IP enclosed in square brackets);
- failregex extended to catch connections rejected for policy reasons (gh-2228);
2018-09-21 14:14:00 +02:00
sebres
8a0c06ba9e
Merge branch '0.10' into 0.11
2018-09-14 11:01:40 +02:00
sebres
d01fe9d22a
action.d/*.conf: correct comments for actionstart/actionstop
2018-09-12 16:01:57 +02:00
Ben RUBSON
9d7c0e00c1
Also log number of IPs removed/added
2018-09-08 09:28:42 +02:00
Ben RUBSON
70e53b55c5
Typo
2018-08-19 22:39:18 +02:00
Ben RUBSON
ec4c4b12c1
Add yes/no log option to badips.py
2018-08-19 22:35:09 +02:00
sebres
714fd8c915
Merge branch '0.10' into 0.11
2018-08-14 16:01:00 +02:00
Sergey G. Brester
ee207d8c31
Merge pull request #2151 from benrubson/merge
...
Apache SNI error / misredirect attempts rules are combined in one regex
2018-08-14 14:56:49 +02:00
Ben RUBSON
77b35b8db7
Improvement
2018-08-14 14:07:32 +02:00
sebres
addd26ae55
Merge branch '0.10' into 0.11
2018-08-14 11:13:15 +02:00
sebres
e2a255d104
fixed typo in comments by "ignoreself" parameter
2018-08-14 11:11:19 +02:00
sebres
606761b3c7
Merge branch '0.10' into 0.11
2018-08-03 12:06:13 +02:00
sebres
e995d5a0b6
filter.d/freeswitch.conf: provide mode parameter, allows to avoid matching of messages like `auth challenge (REGISTER)` (see gh-2163) (currently `extra` as default to be backwards-compatible), see comments in filter how to set it to mode `normal`.
2018-08-03 11:42:15 +02:00
sebres
bc2dbacc9a
filter.d/freeswitch.conf: provide compatibility for log-format from gh-2193:
...
- extended with new default date-pattern `^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)?` to cover
`YYYY-mm-dd HH:MM::SS.ms` as well as `mm-dd HH:MM::SS.ms` (so year is optional);
- more optional arguments in log-line (so accept [WARN] as well as [WARNING] and optional [SOFIA] hereafter);
2018-08-03 11:22:30 +02:00
sebres
eb1156b099
Merge branch '0.10' into 0.11
2018-07-18 15:57:39 +02:00
sebres
22d37cdce2
sshd: fixed failregex for ddos (resp. aggressive) mode, to cover "authenticating user" case in log-message:
...
Connection closed by authenticating user root 192.0.2.10 ... [preauth]
tests extended (also with few injection tries).
closes gh-2185.
2018-07-18 15:31:04 +02:00
sebres
6a81cc9d8c
Merge branch '0.10' into 0.11
2018-07-17 15:18:44 +02:00
sebres
8fe07e29ad
filter.d/dovecot.conf: failregex enhancement to catch disconnected with "proxy dest auth failed";
...
closes gh-2184
2018-07-17 15:06:42 +02:00
sebres
57f2d9e31c
Merge branch '0.10' into 0.11
2018-07-06 18:06:54 +02:00
Sergey G. Brester
75330568d9
Merge pull request #2168 from dpavlin/dovecot-add-F-USER
...
dovecot: collect F-USER and variants
2018-07-06 17:16:43 +02:00
sebres
9de1657aab
Merge branch '0.10' into 0.11
2018-07-06 11:43:56 +02:00
sebres
6ce67a6d21
coverage
2018-07-05 16:27:36 +02:00
Dobrica Pavlinusic
6f1e789f31
dovecot: collect F-USER and variants
...
We are prefering ruser= if availble because this are credentials
presented to dovecot from remote client.
2018-06-30 16:16:03 +02:00
sebres
0eaa0ecd86
Merge branch '0.10' into 0.11
2018-06-14 12:36:22 +02:00
sebres
8cbe1e6b13
Merge pull request #2155
2018-06-14 12:35:57 +02:00
cheese1
43db4411de
small typo
2018-06-14 12:35:04 +02:00
sebres
9fdc6e0e82
Merge branch '0.10' into 0.11
2018-06-11 14:36:35 +02:00
Boris Gulay
a923cd209b
`filter.d/dovecot.conf`: failregex enhancement to catch sql password mismatch errors;
2018-06-11 14:30:10 +02:00
benrubson
f54f6caece
Merge Apache SNI error / misredirect attempts rules
2018-06-09 10:19:27 +02:00
sebres
0d40dd42b1
Merge branch '0.10' into 0.11
2018-04-26 13:43:15 +02:00
sebres
bba7a6c5cf
amend to (gh-2067) / b34ae5999e0d8ee1af8939527305c13152844b3d: fix parameter in config (dynamic parameters stating with '_' are protected and don't allowed in command-actions);
...
the interpolation of hostsdeny is test-covered now;
closes gh-2114.
2018-04-17 18:59:24 +02:00
sebres
0707695146
Merge branch '0.10' into 0.11, version bump
...
# Conflicts resolved:
# fail2ban/server/database.py
2018-04-05 12:58:11 +02:00
sebres
8069eef50c
badips: try to fix sporadic test errors if badips-server timed out resp. not available (502 bad gateway or similar).
2018-04-05 12:31:29 +02:00
sebres
70d099bbd6
Merge branch '0.10' into 0.11
2018-04-04 18:59:44 +02:00
Michael Grant
57bc502d5c
Update sendmail-reject.conf
2018-04-04 18:52:36 +02:00
Michael Grant
2ab6a5ae62
Update sendmail-auth.conf
2018-04-04 18:52:35 +02:00
Michael Grant
87520e8008
Sendmail logs IPv6 addresses with the prefix 'IPv6:'. Added (IPv6:)? before all <HOST> regexes to match the IPv6 address (but not the prefix).
2018-04-04 18:52:33 +02:00
sebres
1fdad90b4d
Merge branch '0.10' into 0.11
2018-04-04 16:49:57 +02:00
Luis Aranguren
fc76ccf192
Fixes abuseipdb curl cypher error and comment $f2bV_matches
...
Fixed https://github.com/fail2ban/fail2ban/issues/2044 #2044
and used https://github.com/fail2ban/fail2ban/issues/2039 to fix comment in abuseipdb.com only showing $f2bV_matches
2018-04-04 16:39:16 +02:00
Sergey G. Brester
7bbc26d67e
Merge pull request #2097 from benrubson/sni
...
Detect Apache SNI error / misredirect attempts
2018-04-04 16:31:38 +02:00
benrubson
bd74f7ba8b
Detect Apache SNI error / misredirect attempts, typos
2018-04-04 00:20:58 +02:00
sebres
7dfd61f462
Merge branch '0.10' into 0.11-2
2018-04-03 14:14:44 +02:00
sebres
8423f017e7
Merge branch 'sshd-ddos-mode-closed-preauth' into 0.10
2018-04-03 14:12:35 +02:00
sebres
4ee07adde6
Merge branch '0.10' into fix-sshd-filter-suff
...
# Conflicts resolved:
# fail2ban/server/filter.py
2018-04-03 13:30:57 +02:00
benrubson
30dc22fb2e
Detect Apache SNI error / misredirect attempts
2018-03-29 11:36:49 +02:00
sebres
4f6532f810
filter.d/sshd.conf: mode `ddos` (and `aggressive`) extended to catch `Connection closed by ... [preauth]`, so in DDOS mode it causes failure now on closed within preauth stage;
...
at least using both modes can ban port-scanners and prevent for other annoying "intruders", closing connection within preauth-stage (see gh-2085 for example).
2018-03-20 18:54:22 +01:00
sebres
cd7f1354c6
remove end-anchors for expressions that are precise enough (with clear flow, simple branches, without catch-all's, etc.)
2018-03-20 18:47:42 +01:00
sebres
c31eb1c562
quick optimization: normalizes pam-generic prefregex (more similar to the same regex within sshd-filter) + datepattern anchored now;
2018-03-20 16:00:21 +01:00
sebres
25cc42129a
hold all user names affected by interim attempts in order to avoid forget a failures after success login:
...
intruder (as legitimate user) firstly tries to login with another user-name (brute-force), so hopes to reset failure counter by succeeded login;
this is fixed and covered in tests now;
sshd-filter extended to cover multiple-login attempts (also fully implements gh-2070);
2018-03-20 13:09:05 +01:00
sebres
a9c94686b6
fixed multiple regexs matched
2018-03-20 09:09:42 +01:00
sebres
8028d3940d
amend with better match of optional suffix-groups;
...
remove end-anchors for expressions are precise enough (with clear flow, simple branches, without catch-all's, etc.);
2018-03-19 17:29:26 +01:00
sebres
66d2436f21
filter.d/sshd.conf: extend suffix with optional port, move it to `prefregex` at end outside of the content
2018-03-19 16:50:49 +01:00
sebres
7b3442c4e2
amend to 185cb998e7c7f2509830bed4a9f2fe6179f77e7b: capture error prefix outside of the failure content;
2018-03-19 14:53:56 +01:00
sebres
185cb998e7
make `prefregex` more precise in order to avoid catch the content for non failure lines
2018-03-19 14:38:47 +01:00
sebres
e8ffab28fb
filter.d/apache-noscript.conf: extended to match "Primary script unknown", got from php-fpm module.
2018-03-19 14:23:24 +01:00
sebres
a6fb33bdec
filter.d/recidive.conf: fixed if logging into systemd-journal (SYSLOG) with daemon name in prefix, gh-2069
2018-03-09 13:56:38 +01:00
Sergey G. Brester
b34ae5999e
action.d/hostdeny.conf: fixes IPv6 syntax
...
differentiate the IPv4 and IPv6 syntax (where it is enclosed in square brackets)
2018-03-05 19:35:10 +01:00
sebres
2b282ead09
Merge branch '0.10' into 0.11
2018-03-02 19:48:15 +01:00
sebres
caa2bdfee6
amendment for gh-2061: it looks like the port was added here also
2018-03-02 19:24:47 +01:00
sebres
a3bcbe2d1b
backwards-compatibility, test-cases and ChangeLog update
2018-03-02 19:15:10 +01:00
MatthieuBarbu
6b5516b851
fix sshd rule #2
...
in line 58, rule don't match with "%(__suff)s" but work fine if I replace with "%(__on_port_opt)s"
Debian 9 stretch : fail2ban 0.10.3
2018-03-02 18:40:36 +01:00
sebres
1d7aa2ff21
filter.d/sshd.conf: rewrite fix (for new ssh log-format) backwards compatible + test-cases extended to cover both cases
2018-03-02 18:17:17 +01:00
MatthieuBarbu
9f5c873526
fix sshd rule
...
just remove the space before ":11" line 52 because don't match on my Debian 9 stretch...
I don't know if this is wrong on all OS
2018-03-02 17:53:35 +01:00
sebres
5ea76789c6
Merge branch '0.10' into 0.11
2018-03-02 17:18:37 +01:00
sebres
8c291cad38
filter.d/asterisk.conf: fixed failregex prefix by log over remote syslog server (gh-2060)
2018-03-02 09:17:04 +01:00
Ben RUBSON
b112250ef0
(Free)BSD IPFW does not allow 2 identical rules ( #2054 )
...
ipfw actionban fixed to allow same rule added several times (and actionunban to ignore error by deletion of missing rule)
2018-02-27 10:18:59 +01:00
Ben RUBSON
857767f04b
Add 'any' badips.py bancategory ( #2056 )
...
action.d/badips.py: allow `any` as bancategory to retrieve IPs from all categories
2018-02-27 10:12:22 +01:00
sebres
47a7f83a0b
Merge branch '0.10' into 0.11
2018-02-26 19:30:54 +01:00
sebres
07fcb24ff6
Merge pull request #2057 from benrubson/https
...
Use httpS with badips
2018-02-26 18:50:35 +01:00
sebres
f52c67238a
action.d/badips.py: code review, ban command covered, debug log-messages, etc;
2018-02-26 18:16:20 +01:00
benrubson
fce2a50165
badips.py, solve a str() issue under FreeBSD
2018-02-26 15:55:21 +01:00
benrubson
e2665d39fd
Use httpS with badips
2018-02-26 09:58:37 +01:00
sebres
a5155f55e7
Merge branch '0.10' into 0.11
2018-02-21 09:31:35 +01:00
sebres
e636567d23
filter.d/exim.conf: failregex extended with SMTP call dropped: too many syntax or protocol errors.
2018-02-19 09:50:46 +01:00
sebres
19a5a2f8c0
filter.d/murmur.conf: fixed detection of failures reading from journal (systemd-backend only):
...
- extended with optional prefix for the systemd-journal (with second date-pattern as optional match);
- added `journalmatch` filtering;
closes gh-2043
2018-02-09 11:43:55 +01:00
sebres
201ae0dac2
Merge branch '0.10' into 0.11
2018-01-31 12:20:34 +01:00
sebres
0be0e43d47
amend to 03b577d7b92a120e325abe20a99b6956a7e0657c: add new-line after matches via tag `<br>` without usage of interim variable
2018-01-30 12:52:26 +01:00
sebres
03b577d7b9
action.d/blocklist_de.conf: fixed tag substitution (in 0.10 it can be variables supplied via shell-arguments), expand `<matches>` with trailing newline;
...
tests extended;
closes gh-2028
2018-01-30 12:27:03 +01:00
sebres
faab77cc79
Merge branch '0.10' into 0.11, with resolved conflicts.
2018-01-24 17:56:58 +01:00
Yaroslav Halchenko
527bb9a7c3
dos2unix for helpers-common.conf
...
Original report: http://bugs.debian.org/888110
2018-01-23 08:48:36 -05:00
sebres
1ca3df877b
Merge branch '0.10' into 0.11
2018-01-18 14:32:00 +01:00
sebres
f69e28adfc
action.d/pf.conf: compatibility fix - recognizes that parameter `port` specified as empty, with or without braces (should be more backwards compatible to 0.9 now).
2018-01-18 14:05:22 +01:00
sebres
38b3290516
Merge branch '0.10' into 0.11
2018-01-17 16:43:45 +01:00
sebres
ed22ddbbbb
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2018-01-17 16:42:56 +01:00
sebres
63e906b2c1
regex rewritten: a bit fewer vulnerable now and using non-capturing groups, test-cases extended in order to cover trying of injection on user name
2018-01-17 16:35:32 +01:00
Benedikt Seidl
fed6c49c2d
nginx-http-auth: match usernames with spaces
...
# Conflicts:
# ChangeLog
2018-01-17 16:35:31 +01:00
Sergey G. Brester
b6c6565a7e
regex updated using non-capturing groups
2018-01-16 14:23:47 +01:00
riceru
6a1bbbf101
Update lighttpd-auth.conf
...
I have lighttpd 1.4.45 (Debian 9) and auth error log is different.
Now printing mod_auth and not http_auth.
I think that the change was in Lighttp 1.4.42
2018-01-16 12:39:55 +00:00
sebres
576eeb70dd
Merge branch '0.10' into 0.11
2018-01-15 18:17:18 +01:00
sebres
2b7b0da943
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2018-01-15 18:16:43 +01:00
Serg G. Brester
7e05976ead
action.d/hostsdeny.conf: actionunban rewritten using sed, also dots in IP were escaped now.
...
Closes #2000
2018-01-11 12:38:34 +01:00
sebres
039ac7c7c4
Merge branch '0.10' into 0.11
2018-01-11 10:29:46 +01:00
sebres
2112145eb4
stop ban of legitimate users with multiple public keys (e. g. git, etc), thereby
...
differentiate between "invalid user" (going banned earlier) and valid users with public keys, for which the rejects of not valid public keys (failures) will be retarded up to "Too many authentication failures" resp. disconnect without success (accepted public key).
2018-01-10 19:07:20 +01:00
sebres
314e402fe0
filter.d/sendmail-auth.conf - extended daemon for Fedora 24/RHEL - the daemon name is "sendmail" (gh-1632)
2018-01-10 14:49:06 +01:00
sebres
0e68c9a720
Merge branch '0.10' into 0.11
2018-01-10 12:22:31 +01:00
sebres
c30144b37a
Merge branch '0.9' into 0.10
...
# Conflicts:
# config/action.d/firewallcmd-ipset.conf
# config/filter.d/asterisk.conf
# Merge-point after cherry-pick, no changes:
# fail2ban/client/jailreader.py
# fail2ban/helpers.py
2018-01-10 12:05:26 +01:00
sebres
131b94e11e
firewallcmd-ipset-allports: implemented in `action.d/firewallcmd-ipset.conf` now (`action.d/firewallcmd-ipset-allports.conf` removed), usage:
...
banaction = firewallcmd-ipset[actiontype="<allports>"]
2018-01-10 10:58:03 +01:00
Danila Vershinin
c190631f88
New ban action firewallcmd-ipset-allports. Closes #1167
2018-01-10 10:58:01 +01:00
Yannik Sembritzki
94f0b15c32
Allow faster parsing of hosts without ' characters in them
2018-01-08 14:54:32 +01:00
Yannik Sembritzki
b28dfb965a
Fix filter not catching asterisk requests with quote character in username ( fixes #2010 )
2018-01-03 18:39:30 +01:00
sebres
5028f17f64
Merge branch '0.10' into 0.11, rewrite updateDb because it can be executed after repair, and some tables can be missing.
...
# Conflicts:
# fail2ban/server/database.py
# fail2ban/tests/fail2banclienttestcase.py
# fail2ban/tests/sockettestcase.py
2017-12-22 17:05:45 +01:00
root
79f414c6a2
fix <family> typo
2017-12-09 15:55:45 +01:00
root
7c63eb2378
In the CentOS7 and epel environment, result of "firewall-cmd -direct -get -chains ipv4 filter" is displayed one line
...
Changed to be multiple lines with reference to firewallcmd-multiport.conf
2017-12-09 15:55:45 +01:00
sebres
309a1cb337
restore timeout for ipset-based actions: on some systems ipset created without default timeout may cause "Kernel error received: Unknown error -1" (gh-1994);
...
thus new option `default-timeout` introduced (because of dynamical bantime in 0.10, it cannot be used here).
2017-12-06 02:38:10 +01:00
sebres
6ccaa03e00
action.d/firewallcmd-ipset.conf: extended with actionflush to bulk unban resp. flush ipset
2017-12-06 01:10:56 +01:00
sebres
7e5d8f37fd
Merge branch '0.10' into 0.11
...
# Conflicts:
# config/action.d/firewallcmd-ipset.conf
# fail2ban/server/jail.py
# fail2ban/tests/servertestcase.py
2017-12-06 00:14:23 +01:00
sebres
2712f72650
Merge remote-tracking branch 'master' into 0.10
2017-12-06 00:09:52 +01:00
sebres
e384acca5f
action.d/firewallcmd-ipset.conf: fixed create of set for ipv6 (missing `family inet6`)
2017-12-05 23:34:03 +01:00
Kevin Maradona
6c705d572b
filter.d/nginx-limit-req.conf: nginx limit-req log-level can be set to warn or error therefore having this regex will include both of them.
2017-12-05 22:31:54 +01:00
sebres
ffd6b9f6de
jail.conf: extended with new parameter `mode` for the filters supporting it;
2017-12-05 16:09:18 +01:00
sebres
2b68882502
filter.d/exim.conf: provides mode "aggressive" to ban flood resp. DDOS-similar failures;
...
Closes #1983
2017-12-05 16:07:53 +01:00
sebres
cc153888d5
Merge branch '0.10' into 0.11
2017-12-01 15:55:10 +01:00
sebres
7f89fbc33f
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2017-12-01 15:53:11 +01:00
Serg G. Brester
4f63180611
Avoid injection using quotes after `auth` command;
...
Added non-greedy fallback for quoted something (with lookahead simulated possessive greedy catch of non-quoted parts `[^"]*(?=")`).
Note that because host-info's are hereafter (with foreign input in-between), we would not use greedy or non-greedy catch-alls (`.*` or `.*?`) here (preventing performance losses).
2017-11-30 12:32:24 +01:00
Serg G. Brester
f59df2e156
Avoid any injecting on protocol (e. g. tries using camel-case)
...
The phrase "AUTH command used when not advertised" is precise enough as anchor here, so prevent by any foreign-input (any auth protocol error).
2017-11-29 20:55:48 +01:00
Peter Nowee
aa158ac05f
Exim failregex: Include lower/mixed case AUTH
...
When reporting the error `AUTH command used when not advertised`, Exim
starts with `SMTP protocol error in "........."`. Here, Exim logs the
SMTP command as it was provided by the connecting client.
https://github.com/Exim/exim/blob/exim-4_89+fixes/src/src/smtp_in.c#L2850
According to RFC 5321 (SMTP) "[..] a command verb [..] MAY be encoded
in upper case, lower case, or any mixture of upper and lower case with
no impact on its meaning."
https://tools.ietf.org/html/rfc5321#section-2.4
Lower case `auth login` brute-force attempts were seen in the wild and
were not caught by the current failregex.
This commit makes the failregex case-insensitive for the `AUTH`
command, so that lower case (`auth`) or mixed case (`aUtH`) now also
match. The failregex was already case-insensitive for the command
arguments (e.g. `AUTH login` already matched).
2017-11-29 15:14:43 +01:00
SlowRiot
660d57e6ba
updating my email address
2017-11-29 10:43:15 +01:00
sebres
5cc0abbb02
Merge branch '0.10' into 0.11
...
# Conflicts:
# fail2ban/tests/fail2banclienttestcase.py
2017-11-28 16:37:51 +01:00
sebres
76f2865883
implemented new action "action.d/nginx-block-map.conf", used in order to ban not IP-related tickets via nginx (session blacklisting in nginx-location with map-file);
2017-11-28 13:42:41 +01:00
sebres
12b55bb8cc
Merge remote-tracking branch '0.10' into 0.11
2017-11-27 12:02:46 +01:00
sebres
f31195a4fc
added new logtarget "SYSOUT" to log from fail2ban working in foreground as systemd-service (in opposite to "STDOUT" don't log time-stamps).
2017-11-26 23:03:29 +01:00
sebres
8aeaaf06ee
Merge branch '0.10' into 0.11
2017-11-23 22:57:21 +01:00
sebres
159957ab88
filter.d/sshd.conf: extended failregex for modes "extra"/"aggressive": now finds all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors;
...
obsolete (multi-line buffered) variant extended also.
Closes gh-1943, gh-1944
2017-11-23 22:21:42 +01:00
sebres
70b933f405
Merge branch '0.10' into 0.11
2017-11-06 18:57:53 +01:00
sebres
7e756da2b9
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2017-11-06 18:56:31 +01:00
sebres
eba68a8f37
config/paths-common.conf: Added initial values for `syslog_authpriv`, `syslog_mail` in order to avoid errors while parsing/interpolating configuration;
...
Note the systemd-backend does not need the logpath at all;
Some defaults normalized (minimized configs, don't need to overwrite values in distribution-related path if equal).
2017-11-03 14:15:07 +01:00
Serg G. Brester
9876dd44f9
replace port imap3 with imap everywhere, since imap3 is not a standard port and old rarely (if ever) used and missing on some systems
...
(see gh-1942)
2017-11-03 14:03:06 +01:00
Jeff Potter
4a2fc8b7e8
Include imap (port 143) in courier-auth ports
...
imap was missing from the list of ports, preventing fail2ban from blocking connections on standard IMAP port 143.
2017-11-03 14:01:19 +01:00
sebres
12419b75f2
Merge branch '0.10' into 0.11
...
# Conflicts:
# fail2ban/tests/servertestcase.py
2017-10-30 14:02:41 +01:00
sebres
b615a98540
jail.conf: avoid overwriting of default value of the parameter `chain` of several actions (where default chain != INPUT);
...
test-cases extended to cover the same logic (use `<known/chain>` instead of fix value `INPUT`);
Closes gh-1949
2017-10-30 13:32:52 +01:00
Serg G. Brester
e07a8cda07
Update jail.conf
...
Documentation of parameters for action blocklist_de, closes gh-1940
2017-10-27 15:26:17 +02:00
Serg G. Brester
1a8fb6290d
Merge pull request #1926 from sebres/0.10-pf-actionflush
...
action.d/pf.conf: wildcard anchoring example + bulk-unban with command `actionflush`
2017-10-19 16:35:46 +02:00
sebres
76f5e3659e
Merge branch '0.10' into 0.11
2017-10-18 19:03:08 +02:00
sebres
0e66e3cc57
Merge branch 'master' into 0.10
...
# Conflicts:
# config/filter.d/asterisk.conf
2017-10-18 19:00:23 +02:00
Michael Newton
d5d1fe679f
Remove invalid regex
...
Resolves #1927
2017-10-17 14:44:23 -07:00
sebres
a1b863fcf6
action.d/pf.conf: extended with bulk-unban, command `actionflush` in order to flush all bans at once (by stop jail, resp. shutdown of fail2ban)
2017-10-17 20:12:48 +02:00
sebres
8726c9fb0a
pf.conf: enclose ports in braces, multiple ports expecting this syntax `... any port {http, https}`.
...
Note this would be backwards-incompatible change (for the people already enclosing multiports in braces in jail.local).
closes gh-1915
2017-10-17 13:46:29 +02:00
Łukasz Wąsikowski
a4f94d2619
Update pf.conf
...
Fix comment, because current one won't work:
cat /etc/pf.conf
anchor f2b {
sshd
}
# service pf reload
Reloading pf rules.
/etc/pf.conf:2: syntax error
New version:
cat /etc/pf.conf
anchor f2b {
anchor sshd
}
# service pf reload
Reloading pf rules.
2017-10-17 12:39:25 +02:00
Harry Wood
ea1b663f85
typo
...
spell "positive" (...but also somebody should finish this sentence)
2017-10-16 01:15:58 +01:00
sebres
6c1d481135
Merge branch '0.10' into 0.11
2017-10-04 09:57:43 +02:00
sebres
e71f16f6ba
Merge branch 'master' into 0.10
...
# Conflicts resolved:
# config/filter.d/dovecot.conf
2017-10-04 09:57:18 +02:00
sebres
ea36e1b3fc
filter.d/dovecot.conf: fixed failregex to recognize pam_authenticate failures with "Permission denied" (gh-1897)
2017-10-04 09:55:37 +02:00
sebres
037a0be3ae
Merge branch '0.10' into 0.11
2017-10-02 15:43:55 +02:00
sebres
8c804a2290
Merge branch 'master' into 0.10
...
# Conflicts resolved:
# config/filter.d/postfix-rbl.conf
# config/filter.d/postfix-sasl.conf
# config/filter.d/postfix.conf
# fail2ban/tests/files/logs/postfix-sasl
2017-10-02 15:41:30 +02:00
sebres
a2120a9de5
filter.d/postfix-*.conf - added optional port regex (closes gh-1902)
2017-10-02 15:31:55 +02:00
Louis Sautier
152c9d27d5
Fix nftables actions for IPv6 addresses, fixes #1893
...
* add [Init?family=inet6] to nftables-common.conf and make nftable
expressions more modular
* change "ip protocol" to "meta l4proto" in nftables-allports.conf
since the former only works for IPv4
2017-09-11 23:32:53 +02:00
sebres
e0fede621e
Merge branch '0.10' into 0.11
2017-09-08 11:33:19 +02:00
sebres
b185e7cb04
Merge remote-tracking branch 'upstream/master' into 0.10
2017-09-08 11:11:05 +02:00
Serg G. Brester
fd83260bd8
jail "pass2allow-ftp" should supply blocktype to action
...
closes gh-1884
2017-09-07 18:51:08 +02:00
Serg G. Brester
bb97e66627
Merge pull request #1882 from coderua/patch-1
...
Add Jorgee Vulnerability Scanner protect
2017-09-07 15:52:31 +02:00
Serg G. Brester
2cd02b731b
filter.d/exim.conf: fixed failregex for case of `D=0s`
...
Closes gh-1886
2017-09-07 15:28:46 +02:00
sebres
4bc226a692
optimized regex
2017-09-05 10:59:16 +02:00
Vladimir Chumak
fafefc0293
Add Jorgee Vulnerability Scanner protect
...
Details for Jorgee Vulnerability Scanner: https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30164
2017-09-05 10:56:43 +02:00
sebres
4163f32968
small review, prefix replaced with `%(_apache_error_client)s` from apache-common.conf include
2017-09-04 11:48:01 +02:00
john
ac95449bbb
changed zoneminder regex as per Sebres and yarikoptic recommendations
2017-09-04 11:37:09 +02:00
john
7013729a1f
removed redundant options for zoneminder from jail.conf
2017-09-04 11:37:05 +02:00
john
5c3a666380
fixed incomplete regex after adding anchors
2017-09-04 11:37:03 +02:00
john
3d45fd2713
implemented yarikoptic's suggestions in fail2ban pull request #1376
2017-09-04 11:37:00 +02:00
john
08878d22dd
added zoneminder.conf filter
2017-09-04 11:36:50 +02:00