Commit Graph

1727 Commits (adbfdc222d6fe00f6f3e1e5e32adaf928c5685ab)

Author SHA1 Message Date
sebres a3bcbe2d1b backwards-compatibility, test-cases and ChangeLog update 2018-03-02 19:15:10 +01:00
MatthieuBarbu 6b5516b851 fix sshd rule #2
in line 58, rule don't match with "%(__suff)s" but work fine if I replace with "%(__on_port_opt)s"
Debian 9 stretch : fail2ban 0.10.3
2018-03-02 18:40:36 +01:00
sebres 1d7aa2ff21 filter.d/sshd.conf: rewrite fix (for new ssh log-format) backwards compatible + test-cases extended to cover both cases 2018-03-02 18:17:17 +01:00
MatthieuBarbu 9f5c873526 fix sshd rule
just remove the space before ":11" line 52 because don't match on my Debian 9 stretch...
I don't know if this is wrong on all OS
2018-03-02 17:53:35 +01:00
sebres 5ea76789c6 Merge branch '0.10' into 0.11 2018-03-02 17:18:37 +01:00
sebres 8c291cad38 filter.d/asterisk.conf: fixed failregex prefix by log over remote syslog server (gh-2060) 2018-03-02 09:17:04 +01:00
Ben RUBSON b112250ef0 (Free)BSD IPFW does not allow 2 identical rules (#2054)
ipfw actionban fixed to allow same rule added several times (and actionunban to ignore error by deletion of missing rule)
2018-02-27 10:18:59 +01:00
Ben RUBSON 857767f04b Add 'any' badips.py bancategory (#2056)
action.d/badips.py: allow `any` as bancategory to retrieve IPs from all categories
2018-02-27 10:12:22 +01:00
sebres 47a7f83a0b Merge branch '0.10' into 0.11 2018-02-26 19:30:54 +01:00
sebres 07fcb24ff6 Merge pull request #2057 from benrubson/https
Use httpS with badips
2018-02-26 18:50:35 +01:00
sebres f52c67238a action.d/badips.py: code review, ban command covered, debug log-messages, etc; 2018-02-26 18:16:20 +01:00
benrubson fce2a50165 badips.py, solve a str() issue under FreeBSD 2018-02-26 15:55:21 +01:00
benrubson e2665d39fd Use httpS with badips 2018-02-26 09:58:37 +01:00
sebres a5155f55e7 Merge branch '0.10' into 0.11 2018-02-21 09:31:35 +01:00
sebres e636567d23 filter.d/exim.conf: failregex extended with SMTP call dropped: too many syntax or protocol errors. 2018-02-19 09:50:46 +01:00
sebres 19a5a2f8c0 filter.d/murmur.conf: fixed detection of failures reading from journal (systemd-backend only):
- extended with optional prefix for the systemd-journal (with second date-pattern as optional match);
- added `journalmatch` filtering;
closes gh-2043
2018-02-09 11:43:55 +01:00
sebres 201ae0dac2 Merge branch '0.10' into 0.11 2018-01-31 12:20:34 +01:00
sebres 0be0e43d47 amend to 03b577d7b92a120e325abe20a99b6956a7e0657c: add new-line after matches via tag `<br>` without usage of interim variable 2018-01-30 12:52:26 +01:00
sebres 03b577d7b9 action.d/blocklist_de.conf: fixed tag substitution (in 0.10 it can be variables supplied via shell-arguments), expand `<matches>` with trailing newline;
tests extended;
closes gh-2028
2018-01-30 12:27:03 +01:00
sebres faab77cc79 Merge branch '0.10' into 0.11, with resolved conflicts. 2018-01-24 17:56:58 +01:00
Yaroslav Halchenko 527bb9a7c3 dos2unix for helpers-common.conf
Original report: http://bugs.debian.org/888110
2018-01-23 08:48:36 -05:00
sebres 1ca3df877b Merge branch '0.10' into 0.11 2018-01-18 14:32:00 +01:00
sebres f69e28adfc action.d/pf.conf: compatibility fix - recognizes that parameter `port` specified as empty, with or without braces (should be more backwards compatible to 0.9 now). 2018-01-18 14:05:22 +01:00
sebres 38b3290516 Merge branch '0.10' into 0.11 2018-01-17 16:43:45 +01:00
sebres ed22ddbbbb Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2018-01-17 16:42:56 +01:00
sebres 63e906b2c1 regex rewritten: a bit fewer vulnerable now and using non-capturing groups, test-cases extended in order to cover trying of injection on user name 2018-01-17 16:35:32 +01:00
Benedikt Seidl fed6c49c2d nginx-http-auth: match usernames with spaces
# Conflicts:
#	ChangeLog
2018-01-17 16:35:31 +01:00
Sergey G. Brester b6c6565a7e
regex updated using non-capturing groups 2018-01-16 14:23:47 +01:00
riceru 6a1bbbf101
Update lighttpd-auth.conf
I have lighttpd 1.4.45 (Debian 9) and auth error log is different.
Now printing mod_auth and not http_auth.
I think that the change was in Lighttp 1.4.42
2018-01-16 12:39:55 +00:00
sebres 576eeb70dd Merge branch '0.10' into 0.11 2018-01-15 18:17:18 +01:00
sebres 2b7b0da943 Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2018-01-15 18:16:43 +01:00
Serg G. Brester 7e05976ead
action.d/hostsdeny.conf: actionunban rewritten using sed, also dots in IP were escaped now.
Closes  #2000
2018-01-11 12:38:34 +01:00
sebres 039ac7c7c4 Merge branch '0.10' into 0.11 2018-01-11 10:29:46 +01:00
sebres 2112145eb4 stop ban of legitimate users with multiple public keys (e. g. git, etc), thereby
differentiate between "invalid user" (going banned earlier) and valid users with public keys, for which the rejects of not valid public keys (failures) will be retarded up to "Too many authentication failures" resp. disconnect without success (accepted public key).
2018-01-10 19:07:20 +01:00
sebres 314e402fe0 filter.d/sendmail-auth.conf - extended daemon for Fedora 24/RHEL - the daemon name is "sendmail" (gh-1632) 2018-01-10 14:49:06 +01:00
sebres 0e68c9a720 Merge branch '0.10' into 0.11 2018-01-10 12:22:31 +01:00
sebres c30144b37a Merge branch '0.9' into 0.10
# Conflicts:
#	config/action.d/firewallcmd-ipset.conf
#	config/filter.d/asterisk.conf
# Merge-point after cherry-pick, no changes:
#	fail2ban/client/jailreader.py
#	fail2ban/helpers.py
2018-01-10 12:05:26 +01:00
sebres 131b94e11e firewallcmd-ipset-allports: implemented in `action.d/firewallcmd-ipset.conf` now (`action.d/firewallcmd-ipset-allports.conf` removed), usage:
banaction = firewallcmd-ipset[actiontype="<allports>"]
2018-01-10 10:58:03 +01:00
Danila Vershinin c190631f88 New ban action firewallcmd-ipset-allports. Closes #1167 2018-01-10 10:58:01 +01:00
Yannik Sembritzki 94f0b15c32
Allow faster parsing of hosts without ' characters in them 2018-01-08 14:54:32 +01:00
Yannik Sembritzki b28dfb965a
Fix filter not catching asterisk requests with quote character in username (fixes #2010) 2018-01-03 18:39:30 +01:00
sebres 5028f17f64 Merge branch '0.10' into 0.11, rewrite updateDb because it can be executed after repair, and some tables can be missing.
# Conflicts:
#	fail2ban/server/database.py
#	fail2ban/tests/fail2banclienttestcase.py
#	fail2ban/tests/sockettestcase.py
2017-12-22 17:05:45 +01:00
root 79f414c6a2 fix <family> typo 2017-12-09 15:55:45 +01:00
root 7c63eb2378 In the CentOS7 and epel environment, result of "firewall-cmd -direct -get -chains ipv4 filter" is displayed one line
Changed to be multiple lines with reference to firewallcmd-multiport.conf
2017-12-09 15:55:45 +01:00
sebres 309a1cb337 restore timeout for ipset-based actions: on some systems ipset created without default timeout may cause "Kernel error received: Unknown error -1" (gh-1994);
thus new option `default-timeout` introduced (because of dynamical bantime in 0.10, it cannot be used here).
2017-12-06 02:38:10 +01:00
sebres 6ccaa03e00 action.d/firewallcmd-ipset.conf: extended with actionflush to bulk unban resp. flush ipset 2017-12-06 01:10:56 +01:00
sebres 7e5d8f37fd Merge branch '0.10' into 0.11
# Conflicts:
#	config/action.d/firewallcmd-ipset.conf
#	fail2ban/server/jail.py
#	fail2ban/tests/servertestcase.py
2017-12-06 00:14:23 +01:00
sebres 2712f72650 Merge remote-tracking branch 'master' into 0.10 2017-12-06 00:09:52 +01:00
sebres e384acca5f action.d/firewallcmd-ipset.conf: fixed create of set for ipv6 (missing `family inet6`) 2017-12-05 23:34:03 +01:00
Kevin Maradona 6c705d572b filter.d/nginx-limit-req.conf: nginx limit-req log-level can be set to warn or error therefore having this regex will include both of them. 2017-12-05 22:31:54 +01:00
sebres ffd6b9f6de jail.conf: extended with new parameter `mode` for the filters supporting it; 2017-12-05 16:09:18 +01:00
sebres 2b68882502 filter.d/exim.conf: provides mode "aggressive" to ban flood resp. DDOS-similar failures;
Closes #1983
2017-12-05 16:07:53 +01:00
sebres cc153888d5 Merge branch '0.10' into 0.11 2017-12-01 15:55:10 +01:00
sebres 7f89fbc33f Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2017-12-01 15:53:11 +01:00
Serg G. Brester 4f63180611
Avoid injection using quotes after `auth` command;
Added non-greedy fallback for quoted something (with lookahead simulated possessive greedy catch of non-quoted parts `[^"]*(?=")`).
Note that because host-info's are hereafter (with foreign input in-between), we would not use greedy or non-greedy catch-alls (`.*` or `.*?`) here (preventing performance losses).
2017-11-30 12:32:24 +01:00
Serg G. Brester f59df2e156
Avoid any injecting on protocol (e. g. tries using camel-case)
The phrase "AUTH command used when not advertised" is precise enough as anchor here, so prevent by any foreign-input (any auth protocol error).
2017-11-29 20:55:48 +01:00
Peter Nowee aa158ac05f
Exim failregex: Include lower/mixed case AUTH
When reporting the error `AUTH command used when not advertised`, Exim
starts with `SMTP protocol error in "........."`. Here, Exim logs the
SMTP command as it was provided by the connecting client.
https://github.com/Exim/exim/blob/exim-4_89+fixes/src/src/smtp_in.c#L2850

According to RFC 5321 (SMTP) "[..] a command verb [..] MAY be encoded
in upper case, lower case, or any mixture of upper and lower case with
no impact on its meaning."
https://tools.ietf.org/html/rfc5321#section-2.4

Lower case `auth login` brute-force attempts were seen in the wild and
were not caught by the current failregex.

This commit makes the failregex case-insensitive for the `AUTH`
command, so that lower case (`auth`) or mixed case (`aUtH`) now also
match. The failregex was already case-insensitive for the command
arguments (e.g. `AUTH login` already matched).
2017-11-29 15:14:43 +01:00
SlowRiot 660d57e6ba updating my email address 2017-11-29 10:43:15 +01:00
sebres 5cc0abbb02 Merge branch '0.10' into 0.11
# Conflicts:
#	fail2ban/tests/fail2banclienttestcase.py
2017-11-28 16:37:51 +01:00
sebres 76f2865883 implemented new action "action.d/nginx-block-map.conf", used in order to ban not IP-related tickets via nginx (session blacklisting in nginx-location with map-file); 2017-11-28 13:42:41 +01:00
sebres 12b55bb8cc Merge remote-tracking branch '0.10' into 0.11 2017-11-27 12:02:46 +01:00
sebres f31195a4fc added new logtarget "SYSOUT" to log from fail2ban working in foreground as systemd-service (in opposite to "STDOUT" don't log time-stamps). 2017-11-26 23:03:29 +01:00
sebres 8aeaaf06ee Merge branch '0.10' into 0.11 2017-11-23 22:57:21 +01:00
sebres 159957ab88 filter.d/sshd.conf: extended failregex for modes "extra"/"aggressive": now finds all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors;
obsolete (multi-line buffered) variant extended also.

Closes gh-1943, gh-1944
2017-11-23 22:21:42 +01:00
sebres 70b933f405 Merge branch '0.10' into 0.11 2017-11-06 18:57:53 +01:00
sebres 7e756da2b9 Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2017-11-06 18:56:31 +01:00
sebres eba68a8f37 config/paths-common.conf: Added initial values for `syslog_authpriv`, `syslog_mail` in order to avoid errors while parsing/interpolating configuration;
Note the systemd-backend does not need the logpath at all;
Some defaults normalized (minimized configs, don't need to overwrite values in distribution-related path if equal).
2017-11-03 14:15:07 +01:00
Serg G. Brester 9876dd44f9 replace port imap3 with imap everywhere, since imap3 is not a standard port and old rarely (if ever) used and missing on some systems
(see gh-1942)
2017-11-03 14:03:06 +01:00
Jeff Potter 4a2fc8b7e8 Include imap (port 143) in courier-auth ports
imap was missing from the list of ports, preventing fail2ban from blocking connections on standard IMAP port 143.
2017-11-03 14:01:19 +01:00
sebres 12419b75f2 Merge branch '0.10' into 0.11
# Conflicts:
#	fail2ban/tests/servertestcase.py
2017-10-30 14:02:41 +01:00
sebres b615a98540 jail.conf: avoid overwriting of default value of the parameter `chain` of several actions (where default chain != INPUT);
test-cases extended to cover the same logic (use `<known/chain>` instead of fix value `INPUT`);
Closes gh-1949
2017-10-30 13:32:52 +01:00
Serg G. Brester e07a8cda07 Update jail.conf
Documentation of parameters for action blocklist_de, closes gh-1940
2017-10-27 15:26:17 +02:00
Serg G. Brester 1a8fb6290d Merge pull request #1926 from sebres/0.10-pf-actionflush
action.d/pf.conf: wildcard anchoring example + bulk-unban with command `actionflush`
2017-10-19 16:35:46 +02:00
sebres 76f5e3659e Merge branch '0.10' into 0.11 2017-10-18 19:03:08 +02:00
sebres 0e66e3cc57 Merge branch 'master' into 0.10
# Conflicts:
#	config/filter.d/asterisk.conf
2017-10-18 19:00:23 +02:00
Michael Newton d5d1fe679f Remove invalid regex
Resolves #1927
2017-10-17 14:44:23 -07:00
sebres a1b863fcf6 action.d/pf.conf: extended with bulk-unban, command `actionflush` in order to flush all bans at once (by stop jail, resp. shutdown of fail2ban) 2017-10-17 20:12:48 +02:00
sebres 8726c9fb0a pf.conf: enclose ports in braces, multiple ports expecting this syntax `... any port {http, https}`.
Note this would be backwards-incompatible change (for the people already enclosing multiports in braces in jail.local).
closes gh-1915
2017-10-17 13:46:29 +02:00
Łukasz Wąsikowski a4f94d2619 Update pf.conf
Fix comment, because current one won't work:

cat /etc/pf.conf
anchor f2b {
  sshd
}

# service pf reload
Reloading pf rules.
/etc/pf.conf:2: syntax error

New version:

cat /etc/pf.conf
anchor f2b {
  anchor sshd
}

# service pf reload
Reloading pf rules.
2017-10-17 12:39:25 +02:00
Harry Wood ea1b663f85 typo
spell "positive" (...but also somebody should finish this sentence)
2017-10-16 01:15:58 +01:00
sebres 6c1d481135 Merge branch '0.10' into 0.11 2017-10-04 09:57:43 +02:00
sebres e71f16f6ba Merge branch 'master' into 0.10
# Conflicts resolved:
#	config/filter.d/dovecot.conf
2017-10-04 09:57:18 +02:00
sebres ea36e1b3fc filter.d/dovecot.conf: fixed failregex to recognize pam_authenticate failures with "Permission denied" (gh-1897) 2017-10-04 09:55:37 +02:00
sebres 037a0be3ae Merge branch '0.10' into 0.11 2017-10-02 15:43:55 +02:00
sebres 8c804a2290 Merge branch 'master' into 0.10
# Conflicts resolved:
#	config/filter.d/postfix-rbl.conf
#	config/filter.d/postfix-sasl.conf
#	config/filter.d/postfix.conf
#	fail2ban/tests/files/logs/postfix-sasl
2017-10-02 15:41:30 +02:00
sebres a2120a9de5 filter.d/postfix-*.conf - added optional port regex (closes gh-1902) 2017-10-02 15:31:55 +02:00
Louis Sautier 152c9d27d5
Fix nftables actions for IPv6 addresses, fixes #1893
* add [Init?family=inet6] to nftables-common.conf and make nftable
  expressions more modular
* change "ip protocol" to "meta l4proto" in nftables-allports.conf
  since the former only works for IPv4
2017-09-11 23:32:53 +02:00
sebres e0fede621e Merge branch '0.10' into 0.11 2017-09-08 11:33:19 +02:00
sebres b185e7cb04 Merge remote-tracking branch 'upstream/master' into 0.10 2017-09-08 11:11:05 +02:00
Serg G. Brester fd83260bd8 jail "pass2allow-ftp" should supply blocktype to action
closes gh-1884
2017-09-07 18:51:08 +02:00
Serg G. Brester bb97e66627 Merge pull request #1882 from coderua/patch-1
Add Jorgee Vulnerability Scanner protect
2017-09-07 15:52:31 +02:00
Serg G. Brester 2cd02b731b filter.d/exim.conf: fixed failregex for case of `D=0s`
Closes gh-1886
2017-09-07 15:28:46 +02:00
sebres 4bc226a692 optimized regex 2017-09-05 10:59:16 +02:00
Vladimir Chumak fafefc0293 Add Jorgee Vulnerability Scanner protect
Details for Jorgee Vulnerability Scanner: https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30164
2017-09-05 10:56:43 +02:00
sebres 4163f32968 small review, prefix replaced with `%(_apache_error_client)s` from apache-common.conf include 2017-09-04 11:48:01 +02:00
john ac95449bbb changed zoneminder regex as per Sebres and yarikoptic recommendations 2017-09-04 11:37:09 +02:00
john 7013729a1f removed redundant options for zoneminder from jail.conf 2017-09-04 11:37:05 +02:00
john 5c3a666380 fixed incomplete regex after adding anchors 2017-09-04 11:37:03 +02:00
john 3d45fd2713 implemented yarikoptic's suggestions in fail2ban pull request #1376 2017-09-04 11:37:00 +02:00
john 08878d22dd added zoneminder.conf filter 2017-09-04 11:36:50 +02:00
john a90f6c4ae8 added zoneminder jail and filter
# Conflicts:
#	config/jail.conf
2017-09-04 11:36:47 +02:00
sebres c312962029 filter.d/dovecot.conf: partially cherry-pick to 0.9 PR #1880 from sebres/0.10-fix-dovecot-regex (d926e11a5c)
fixed failregex (without new mode aggressive)
2017-09-01 10:57:41 +02:00
sebres 32058ed268 Merge remote-tracking branch 'remotes/gh-upstream/0.10' into 0.11 2017-09-01 10:37:52 +02:00
sebres 2cfc53c08e remove capturing groups 2017-09-01 10:25:09 +02:00
sebres 9b8563f35e - fixes regex for message `imap-login: Disconnected (auth failed, X attempts) ...` has to many variations on additional info after `<HOST>`,
leave it end-anchored because variable part `user=<[^>]*>` (before `<HOST>`) to avoid injecting, but can be safe rewritten using `[^>]*` in opposite to "greedy" `user=<[^>]*>`.
- introduces mode `aggressive` and extends regex for this mode to match:
  * no auth attempts (previously removed in gh-601, because of lots of false positives on misconfigured MTAs)
  * disconnected before auth was ready
  * client didn't finish SASL auth
2017-09-01 09:56:21 +02:00
Serg G. Brester a287d0a05c Merge pull request #1872 from kmzby/master
Added filter for phpMyAdmin+syslog
2017-08-25 12:22:58 +02:00
Pavel Mihadyuk 4c1abe1cbf phpmyadmin-syslog: removed excess file, fixed test, updated failregex 2017-08-23 16:56:18 +03:00
Pavel Mihadyuk d09304b897 phpmyadmin-syslog: added default jail config 2017-08-22 19:00:48 +03:00
Pavel Mihadyuk 5b4bc2aafd Added filter for phpMyAdmin+syslog (>=4.7.0). Closes #1713 2017-08-22 18:20:01 +03:00
sebres b80692f602 Merge branch '0.10' into 0.11 2017-08-18 15:44:43 +02:00
sebres 1d5fbb95ae Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2017-08-18 15:44:22 +02:00
Serg G. Brester b0e5efb631 bsd-ipfw.conf: sh-compliant redirect of stderr together with stdout 2017-08-18 15:26:09 +02:00
sebres 3be32adefb Replace not posix-compliant grep option: fgrep with `-q` option can cause 141 exit code in some cases (see gh-1389). 2017-08-18 14:37:29 +02:00
Jacques Distler f84e58e769 Tweaks to action.d/pf.conf
Document recent changes.
Add an option to customize the pf block rule (surely, what the user
really wants, here, is "block quick").
2017-08-18 13:31:34 +02:00
Jacques Distler d646d06e91 Tweaks to action.d/pf.conf
Document recent changes.
Add an option to customize the pf block rule (surely, what the user
really wants, here, is "block quick").
2017-08-17 09:13:32 -05:00
sebres 33874d6e53 action.d/pf.conf: anchored call arguments combined as `<pfctl>` parameter;
test cases fixed;
2017-08-16 17:51:07 +02:00
Alexander Köppe f6ccede2f1 Update pf.conf fixing #1863
Fix #1863
Introduce own PF anchors for fail2ban rules.
2017-08-16 17:51:05 +02:00
sebres 3f83b22de2 action.d/pf.conf: anchored call arguments combined as `<pfctl>` parameter;
test cases fixed;
2017-08-16 11:58:39 +02:00
Alexander Köppe 55baf93635 Update pf.conf fixing #1863
Fix #1863
Introduce own PF anchors for fail2ban rules.
2017-08-16 11:33:45 +02:00
Serg G. Brester b5dd5adb08 Merge pull request #1460 from sebres/0.10-full
0.11 ban-time-incr
2017-08-10 15:23:18 +02:00
sebres 30219b54c4 Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2017-08-09 16:38:29 +02:00
Serg G. Brester c0eb7752a8 Merge pull request #1651 from szepeviktor/patch-9
Introduce Cloudflare API v4
2017-08-09 16:28:52 +02:00
Serg G. Brester 2ed8a38eca Update cloudflare.conf
Switch to API v1 to API v4 per default
2017-08-09 16:27:53 +02:00
Serg G. Brester da7072d40e Merge pull request #1846 from Chocobozzz/patch-3
Fix empty logfile.log in xarf login attack action
2017-08-09 16:21:47 +02:00
sebres 94b163936a Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
Removed init section (not needed in filter for 0.10).

# Conflicts:
#	config/filter.d/sendmail-reject.conf
2017-08-09 16:16:31 +02:00
Serg G. Brester af25a9d203 Merge pull request #1566 from opoplawski/journalmatch
Add sendmail journalmatch options
2017-08-09 16:14:10 +02:00
Orion Poplawski 84f552881c Add sendmail journalmatch options 2017-08-09 16:03:34 +02:00
Serg G. Brester 5b7375c614 Merge pull request #1638 from roedie/shorewall-ipv6
Add shorewall IPv6 support
2017-08-09 15:54:57 +02:00
sebres e52f483557 Config reader's: introduced new syntax `%(section/option)s`, in opposite to extended interpolation of python 3 `${section:option}` work with all supported python version in fail2ban and this syntax is like our another features like `%(known/option)s`, etc.;
Variable `default_backend` switched to `%(default/backend)s`, so totally backwards compatible now, but now the setting of parameter `backend` in default section of `jail.local` can overwrite default backend also.
Test cases extended: test targeted section options "section/option" (default and cross sections options);
2017-08-08 20:21:44 +02:00
sebres 5ce8d4f741 fixes default backend handling (as default used value of `known/backend`, which can now be overridden in default section of jail.local);
introduces fallback for `known/option`: interpolate missing `known/option` as `option` from default section
2017-08-08 18:41:15 +02:00
sebres 2fe1479484 Merge branch '_0.9/gh-1849' into 0.10 2017-08-07 18:07:36 +02:00
sebres 5c538fb658 Recognize "unknown user" for additional auth-methods (pam, passwd-file, ldap, sql, etc); simplifying regular expressions (put "unknown user" and "invalid credentials" together as one regex). 2017-08-07 18:04:09 +02:00
sebres 0ef5b7c4d4 small amend to gh-1850: removed greedy catch-all at end. 2017-08-07 15:24:16 +02:00
Marcel Waldvogel daf57547c6 Parse ejabberd 17.06 output
E.g.:
2017-07-29 08:24:04.773 [info] <0.6668.0>@ejabberd_c2s:handle_auth_failure:433 (http_bind|ejabberd_bosh) Failed c2s PLAIN authentication for test@example.ch from ::FFFF:192.0.2.3: Invalid username or password
2017-07-29 19:58:06 +02:00
Bigard Florian f4551d02c9 Fix empty logfile.log in xarf login attack action
Fix empty 3rd MIME part which contains the attack evidence (logfile.log).
2017-07-25 13:44:29 +02:00
sebres 1a562bed0f Merge remote-tracking branch 'master' into 0.10
# Conflicts:
#	config/filter.d/asterisk.conf
2017-07-19 08:57:23 +02:00
sebres a5b62a7f36 failregex extended and simplified (partially ported from gh-1409). 2017-07-18 16:34:22 +02:00
sebres 098abae4e6 Remove greedy catch-all before `<HOST>`, make regex more universal, fewer prone to errors (should avoid future changes, if some optional parameters coming again before/after `RemoteAddress`) + non-captured groups now.
Test for possible injection (5.6.7.8 in session-id) already available, line 59 (thus already covered).
2017-07-18 16:09:53 +02:00
Kirill 4c0c7b97c0 Update asterisk.conf to new log message
I got an issue like this:
[2016-05-15 22:53:00] SECURITY[26428] res_security_log.c: SecurityEvent="FailedACL",EventTV="2016-05-15T22:53:00.203+0300",Severity="Error",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7fb580001518",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/78.129.227.4/62389",SessionTV="1970-01-01T03:00:00.000+0300"

# [sebres] rebased to current master and resolving conflicts.
2017-07-18 15:40:32 +02:00
Serg G. Brester 34cb55fd91 Merge pull request #1695 from benrubson/issue1693
Apache, detect syslog prefix
2017-07-14 02:05:23 +02:00
sebres 0e33125129 be more precise using common `__prefix_line` expression (set `_daemon` to recognize apache and httpd only) 2017-07-12 11:59:02 +02:00
sebres b561af45ef apache-common.conf: introduced parameter `logging` for possibility to match lines, if apache logs into syslog/systemd journal;
added test cases to cover `apache-auth[logging=syslog]`.
2017-07-12 11:45:44 +02:00
benrubson b662cf03ac Apache, detect syslog prefix, simple example 2017-07-12 11:36:34 +02:00
Serg G. Brester 6c030c5e10 Merge pull request #1717 from szepeviktor/patch-11
Updated xarf-specification repo URL in xarf action
2017-07-12 09:54:15 +02:00
sebres 7217ef5c9e filter.d/ejabberd-auth.conf: fixed ejabberd filter - accept new log-format with `wait_for_sasl_response` instead of `wait_for_feature_request` + optional part "IP " (gh-993) 2017-07-11 15:25:51 +02:00
sebres dae4988aea filter.d/roundcube-auth.conf: fixes failregex not working with `X-Real-IP` or/and `X-Forwarded-For` (gh-1303) 2017-07-11 14:59:24 +02:00
sebres e26cc5de45 restore backwards compatibility (jail postfix-sasl); changelog update 2017-07-11 11:57:48 +02:00
sebres aa92b68d4a filter.d/postfix.conf: normalized several postfix-filters using parameter `mode` (as discussed in gh-1813);
introduced parameter `mode`: more (default, combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
replacement for gh-1239, gh-1697, gh-1764; closes gh-1245, gh-1297.
2017-07-10 20:49:28 +02:00
sebres d32a3913cf postfix postscreen (resp. other RBL's compatibility fix) / gh-1764 2017-07-10 15:38:24 +02:00
Serg G. Brester 57ea38c342 Update paths-debian.conf
Fixed mail.log path since in the default rsyslog configuration of debians the `mail.warn` is commented now (see `/etc/rsyslog.d/50-default.conf`: `#mail.warn -/var/log/mail.warn`).
Closes gh-1687
2017-07-05 19:57:30 +02:00
sebres 546cd55342 Merge branch 'master' into 0.10 2017-07-03 13:02:25 +02:00
sebres a1d0633e69 filter.d/asterisk.conf - fixed failregex AMI Asterisk authentification failed (see gh-1302):
- optional space between NOTICE and pid;
- optional part "Host " before IP-address;
2017-07-03 12:57:28 +02:00
sebres 33fcf8d809 Merge branch 'master' into 0.10 2017-07-03 12:43:48 +02:00
Serg G. Brester 1307e0a5b9 Merge pull request #1760 from szepeviktor/patch-12
Courier may complain about the method only
2017-07-03 12:00:36 +02:00
Serg G. Brester f27e053592 Update bsd-ipfw.conf
increased starting rule number (lowest_rule_num = 111)
2017-07-01 17:10:53 +02:00
Serg G. Brester 001c0898d6 Merge branch 'master' into master 2017-06-30 18:07:38 +02:00
Serg G. Brester 6110ba9cc3 filter.d/proftpd.conf: added option `journalmatch` for systemd backend (closes gh-1613) 2017-06-30 18:00:01 +02:00
sebres 37ca4f17c2 filter.d/roundcube-auth.conf: added missing entry `journalmatch` from original gh-1783. 2017-06-26 11:24:10 +02:00
Serg G. Brester 986dd3107d Merge branch '0.10' into patch-12 2017-06-19 18:37:28 +02:00
sebres d3ae70beb6 filter.d/roundcube-auth.conf: Use the same filter-file and jail also when logging errors to journal instead to a local file.
Additionally fixes more complex injections on username.
2017-06-19 18:12:13 +02:00
Johannes Weberhofer 691c080dc7 Added roundcube authentication filter, new jail and log-examples 2017-06-19 16:52:42 +02:00
Serg G. Brester 3294840c2a Merge pull request #1801 from jeaye/postfix-updates
filter.d/postfix.conf: update to the latest postfix logging format
2017-06-19 16:44:37 +02:00
Serg G. Brester efeca8fdeb postfix.conf: removes unneeded end-anchoring like `.*$`, etc.
also removes several dynamic content at end, which are of no avail there.
Additionally normalizes optional part (mail-ID) after reason number.
2017-06-19 16:25:46 +02:00
sebres d2c39d2e45 Merge branch '0.10' into 0.10-full
# Conflicts:
#	fail2ban/server/database.py - resolved and test-case with persistent ban-time fixed/extended (bantime presents in database)
2017-06-16 09:35:27 +02:00
sebres dcdf677438 Merge remote-tracking branch 'master' into 0.10 2017-06-15 11:49:51 +02:00
sebres 2b358bc1a4 filter.d/apache-overflows.conf: rewritten without end-anchor ($), because apache-log could contain very long URLs (and/or referrer), the parsing of it anchored way may be very vulnerable (at least as regards the system resources, see gh-1790). 2017-06-15 11:16:19 +02:00
jeaye 6f3d425c4d
Update postfix filters and tests 2017-06-12 18:56:19 -07:00
sebres bbea73d79d Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2017-06-12 13:11:45 +02:00
Serg G. Brester d56554ecf3 Merge pull request #1688 from felixonmars/arch-config
Add a path configuration for Arch Linux
2017-06-06 10:55:13 +02:00
Peter Nowee b93e47b12f
dovecot: Match also when user field is empty
Commit 5678d08 of 2016-11-26 changed:

    ( user=<\S*>,)?

to:

    ( user=<[^>]+>,)?

The change from `*` (zero or more times) to `+` (one or more times) may
not have been intended. It will miss lines containing, for example:

    Aborted login (tried to use disallowed plaintext auth): user=<>

This commit reverts the `+` back to `*`.
2017-05-31 15:54:30 +02:00
Marcel Bischoff 228d25c548 Update Kerio Connect filter (#1455)
* Update Kerio Connect filter

Fixed regex for some log entries that did not get recognized and some additional error formats are added.

* Add missing colon, GitHub address

* Add filter tests

* Add missing test
2017-05-30 20:27:44 +02:00
Serg G. Brester 80cc47b75f Update helpers-common.conf
fixed grep pattern: escape dot-char in search-IP and more restrictive boundaries (IPv6-capable)
2017-05-30 09:14:43 +02:00
Viktor Szépe 5bb6be0163 IPv6 address may overlap 2017-05-30 02:05:38 +02:00
sebres c21b4e4d56 [ban-time-incr] prolong ban, dynamic bantime, etc.:
- dynamic bantime: introduces new action-tag `<bantime>` corresponds to the current ban-time of the ticket;
  Note: because it is dynamic, it should be normally removed from `jail.conf` (resp. `jail.local`).
- introduced new action command `actionprolong`, used for prolongation of the timeout (ban-time of the ticket);
- removed default `timeout` from `actionstart` of several actions;
- faster and safer function escapeTag (replacement at once in one run, '\n' and '\r' escaped also);
2017-05-17 13:25:06 +02:00
sebres 6724de54e6 Merge branch '0.10' into 0.10-full 2017-05-17 11:35:33 +02:00
Filippo Tessarotto ff1c6718da Postfix RBL: 554 & SMTP
Cherry-pick of 607568f5da (see gh-1686)
2017-05-15 14:42:37 +02:00
sebres b13d9d4e22 Merge branch 'master' into 0.10 2017-05-07 21:29:12 +02:00
sebres 0600d51511 filter.d/exim.conf: added new reason for "rejected RCPT" regex: Unrouteable address 2017-05-07 14:02:38 +02:00
sebres 49e237209e Merge branch 'master' into 0.10 2017-05-07 13:32:12 +02:00
sebres c546f85207 filter.d/exim.conf: cherry-picked from 0.10, match complex time like `D=2m42s` (closes gh-1766) 2017-05-07 13:02:32 +02:00
Viktor Szépe ac256a822b Make courier-auth regexp a non-captured group 2017-04-28 16:58:24 +02:00
Viktor Szépe 4bb8a58dcf Courier may complain about the method only
> Mar 30 22:29:18 szerver imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:1.2.3.4]
2017-04-28 15:49:59 +02:00
Seth Reeser c3426ba5f6 Update botsearch-common.conf (#1759)
* Update botsearch-common.conf, apache-modsecurity.conf: typo and missing new-line
2017-04-26 20:14:39 +02:00
sebres 8839bcbb09 Merge remote-tracking branch master into 0.10 2017-04-25 10:07:19 +02:00
sebres 99344d28c8 Introduces new tags with hostname:
- `<fq-hostname>` - fully-qualified name of host (the same as `$(hostname -f)`)
- `<sh-hostname>` - short hostname (the same as `$(uname -n)`)

Execution of `uname -n` replaced in all mail actions with most interesting fully-qualified `<fq-hostname>`.
2017-04-24 21:17:55 +02:00
sebres 3161bcf78b filter.d/exim.conf: optional part `(...)` after host-name before `[IP]`, normalized over whole config file.
# Conflicts:
#	config/filter.d/exim.conf
2017-04-24 19:21:26 +02:00
sebres 507034c5be filter.d/apache-auth.conf: joined some similar expressions 2017-04-24 15:32:44 +02:00
Serg G. Brester 6dfd080e20 Update apache-auth.conf
remove forgotten referer, that may prevent failure recognition (belongs to gh-1645)
2017-04-21 11:17:13 +02:00
Serg G. Brester 311f8fea83 Merge branch '0.10' into issue1644 2017-04-21 10:32:29 +02:00
Peter van der Does bb79e7f413
Parameter not needed
The parameter '-s' causes an error as the <mailcmd> already has the parameter.
2017-04-11 11:13:58 -04:00
Serg G. Brester 4f0f22702a Update haproxy-http-auth.conf
little bit more precise expression
2017-04-11 09:11:08 +02:00
Georges Racinet 4fc6323ff0 haproxy-http-auth: avoid port number in IPv6 addresses
The solution taken is to consume the port number explicitely in
the regexp.
2017-04-07 13:59:22 +02:00
sebres 97e8b42d34 dummy action extended with more examples and test-covered now 2017-03-30 13:02:37 +02:00
sebres d03872fbbf bulk unban: add new command `actionflush` default for several iptables/iptables-ipset actions (and common include):
iptables-common
  iptables
  iptables-allports
  iptables-multiport-log
  iptables-multiport
  iptables-new
  iptables-ipset-proto4
  iptables-ipset-proto6
  iptables-ipset-proto6-allports

executing `actionflush` command covered for this actions now
2017-03-29 23:24:11 +02:00
sebres 8bf79fa483 implemented execution of `actionstart` on demand, if action depends on `family` (closes gh-1741);
new action parameter "actionstart_on_demand" (bool) can be set to prevent/allow starting action on demand (default retrieved automatically, if some conditional parameter `param?family=...` presents in action properties);
2017-03-29 17:44:15 +02:00
Seth Reeser c82495353f Update mysqld-auth.conf (#1725) 2017-03-24 19:03:20 +01:00
Serg G. Brester 52c1950371 Update mysqld-auth.conf
small typo, closes gh-1725 (Thx @seth-reeser)
2017-03-24 19:03:17 +01:00
sebres 5e93bf9bd3 Introduced new option "ignoreself", specifies whether the local resp. own IP addresses should be ignored (default is true).
Fail2ban will not ban a host which matches such addresses.

Option "ignoreip" affects additionally to "ignoreself" and don't need to include the DNS resp. IPs of the host self.
2017-03-23 15:52:31 +01:00
sebres f13fac5ae9 amend to 5561423be3b2d4636f5484183c3ad470fd326d06: fixed incorrect failure counting despite the `<F-NOFAIL>` marked regex;
extra: introduced new tag `<F-MLFFORGET>` as mark to forget current multi-line MLFID (e. g. connection closed);
Closes gh-1727
2017-03-21 00:15:57 +01:00
sebres 5561423be3 filter.d/sshd.conf: fixed failregex format - some parts are optional, new ddos more precise rule (Connection reset by with host entry);
closes gh-1719
2017-03-15 18:01:20 +01:00
Viktor Szépe d79267c424 Updated xarf-specification repo URL in xarf action 2017-03-14 20:47:31 +01:00
sebres 875295320e Merge remote-tracking branch 'remotes/gh-upstream/0.10' into 0.10-full 2017-03-13 02:12:39 +01:00
sebres 0c1707afda filter.d/sshd.conf:
- optional parameter `mode` rewritten: normal (default), ddos, extra or aggressive (combines all), see sshd for regex details);

test cases reformatted (since "filterOptions", we don't need multiple test log-files anymore);
2017-03-10 22:09:11 +01:00
sebres 7e442c5b27 filter.d/sendmail-reject.conf:
- rewritten using `prefregex` and used MLFID-related multi-line parsing (by using tag `<F-MLFID>` instead of buffering with `maxlines`);
- optional parameter `mode` introduced: normal (default), extra or aggressive (see sendmail-reject for regex details);

test cases extended
2017-03-10 21:44:19 +01:00
sebres 52ed6597b2 Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2017-03-09 16:27:14 +01:00
sebres 8768776d68 filter.d/cyrus-imap.conf: fixed `failregex` - accept entries without login-info resp. hostname before IP address 2017-03-09 16:13:45 +01:00
Serg G. Brester d042981954 Merge pull request #1655 from ajcollett/0.10
Added config for AbuseIPDB
2017-03-09 15:15:26 +01:00
Serg G. Brester b1f5ac9484 Update abuseipdb.conf 2017-03-09 13:33:11 +01:00
Serg G. Brester 62fa02241f Update jail.conf 2017-03-09 13:31:40 +01:00
sebres 6a2c95da95 `action.d/sendmail-geoip-lines.conf` fixed using new tag `<ip-host>` (dns-cache and without external command execution);
changelog updated;
2017-03-08 16:51:08 +01:00
sebres 28b5262976 Merge branch '0.10' into 0.10-full 2017-02-28 15:14:51 +01:00
sebres d2a3d093c6 rewritten CallingMap: performance optimized, immutable, self-referencing, template possibility (used in new ActionInfo objects);
new ActionInfo handling: saves content between actions, without interim copying (save original on demand, recoverable via reset);
test cases extended
2017-02-24 11:54:24 +01:00
sebres 35efca5941 Better multi-line handling introduced: single-line parsing with caching of needed failure information to process in further lines.
Many times faster and fewer CPU-hungry because of parsing with `maxlines=1`, so without line buffering (scrolling of the buffer-window).
Combination of tags `<F-MLFID>` and `<F-NOFAIL>` can be used now to process multi-line logs using single-line expressions:
- tag `<F-MLFID>`: used to identify resp. store failure info for groups of log-lines with the same identifier (e. g. combined failure-info for the same conn-id by `<F-MLFID>(?:conn-id)</F-MLFID>`, see sshd.conf for example)
- tag `<F-NOFAIL>`: used as mark for no-failure (helper to accumulate common failure-info);
filter.d/sshd.conf: [sshd], [sshd-ddos], [sshd-aggressive] optimized with pre-filtering using new option `prefregex` and new multi-line handling.
2017-02-22 22:19:43 +01:00
sebres 22afdbd536 Several filters optimized with pre-filtering using new option `prefregex` 2017-02-21 15:54:59 +01:00
sebres 4ff8d051f4 Introduced new filter option `prefregex` for pre-filtering using single regular expression;
Some filters extended with user name;
[filter.d/pam-generic.conf]: grave fix injection on user name to host fixed;
test-cases in testSampleRegexsFactory can now check the captured groups (using additionally fields in failJSON structure)
2017-02-20 16:54:17 +01:00
Serg G. Brester 2fa18a74c4 Merge branch 'master' into master 2017-02-17 09:06:09 +01:00
sebres 4bf09bf297 provides new tag `<ip-rev>` for PTR reversed representation of IP address;
[action.d/complain.conf] fixed using this new tag;
2017-02-16 13:38:20 +01:00
Serg G. Brester 7f63809afb Merge branch '0.10' into patch-1 2017-02-15 20:33:36 +01:00
sebres a4ec017d1c Merge branch '0.10' into 0.10-full 2017-02-15 09:26:01 +01:00
Christoph Theis 861ce4177c #1689: Make lowest rule number in action.d/bsd-ipfw.conf configurable 2017-02-14 18:31:42 +01:00
Felix Yan 68d829c1dd
Add a path configuration for Arch Linux 2017-02-14 18:43:01 +08:00
Jan Grewe 58c68b75f0 Remove double-quotes from email addresses 2017-02-08 14:16:13 +01:00
Jan Grewe 1bcf0de7c1 Update complain.conf 2017-02-07 21:39:46 +01:00
Filippo Tessarotto 607568f5da Postfix RBL: 554 & SMTP 2017-02-07 15:26:06 +01:00
Jan Grewe 901eeff53d Make Abusix lookup compatible with Dash 2017-02-06 22:04:36 +01:00
sebres 99634638ba Merge branch '0.10' into 0.10-full 2017-01-23 09:51:36 +01:00
sebres 1823571e0f Merge branch 'ssh-filter-new-regexp' into 0.10 2017-01-23 08:58:43 +01:00
sebres 9d06f0ee40 sshd-amend: optional space after port part 2017-01-23 08:56:47 +01:00
sebres e8a1556562 Merge remote-tracking branch 'master' into 0.10
# Conflicts:
#	fail2ban/tests/samplestestcase.py
2017-01-21 16:59:41 +01:00
sebres 54a8c681ce suhosin.conf: removed greedy match 2017-01-21 16:26:07 +01:00
sebres 8aa9516d50 sshd.conf: fixed expression "received disconnect ... auth fail" - optional space after port part (gh-1652) 2017-01-21 16:18:03 +01:00
sebres 3276bd6d54 sshd: additionally aggressive filter rules - no matching cipher resp. no matching key exchange method (gh-1545, gh-1117) 2017-01-21 15:57:05 +01:00
sebres 628789f9a9 sshd: conditional parameter "mode" for sshd jail (normal, ddos, aggressive)
filter sshd-ddos and new filter sshd-aggressive are both derivation of sshd-filter
2017-01-21 15:54:49 +01:00
sebres dd373dba9f test all config-regexp, that contains greedy catch-all before <HOST>, that is hard-anchored at end or precise sub expression after <HOST>;
new ssh rule(s) added:
- Connection reset by peer (multi-line rule during authorization process);
- No supported authentication methods available;
Single line and multi-line expression optimized, added optional prefixes and suffix (logged from several ssh versions);
closes gh-864
2017-01-21 15:53:48 +01:00
Christian Brandlehner a4d8426401 Support for IBM Domino SMTP task (#1603)
filter.d/domino-smtp.conf
2017-01-20 08:44:20 +01:00
Serg G. Brester 40f294e6bf Merge pull request #1663 from jjeziorny/netscaler-action
Introduced citrix netscaler action
2017-01-19 16:25:23 +01:00
Juliano Jeziorny 1fe554dd25 Introduced Citrix Netscaler action 2017-01-19 14:30:25 +01:00
Christoph Theis 6187431629 #1667: Wrong paths for apache and nginx under FreeBSD 2017-01-17 11:48:25 +01:00
sebres 74a6afadd5 Mail-actions switched to use new option "norestored" instead of checking of variable `restored` during shell execution (prevents executing of such actions at all). 2017-01-16 09:40:48 +01:00
sebres ee3c787cc6 Recognize restored (from database) tickets after restart (tell action restored state of the ticket);
Prevent executing of several actions (e.g. mail, send-mail etc) on restart (bans were already notified).
Test cases extended (smtp and by restart in ServerReloadTest).
Closes gh-1141
Closes gh-921
2017-01-13 19:06:17 +01:00
sebres 7019640eb3 Merge branch 'fix-gh-1658' into 0.10 2017-01-10 12:59:51 +01:00
sebres a9523aefbb sshd.conf: fixed non-anchored part of regex (misleading match of colon inside IPv6 address instead of `: ` in the reason-part by missing space). 2017-01-10 12:58:44 +01:00
sebres c9f32f75e6 Merge branch '0.9-fix-regex-using-journal' into 0.10-fix-regex-using-journal (merge point against 0.9 after back-porting gh-1660 from 0.10) 2017-01-10 11:25:41 +01:00
Andrew James Collett 3991f51f30 Update jail.conf
Sigh, added a space back that I somehow missed in Vim, despite it being a rebase...
2017-01-08 09:45:35 +02:00
Andrew James Collett 10d61e0779 Fixed the spaces again 2017-01-08 09:42:15 +02:00
Andrew James Collett b35391e768 Update jail.conf
Fixing spacing
2017-01-08 09:30:00 +02:00
Andrew James Collett 1c41390f7c Restructured the way the catagories work.
Jail.conf is cleaner and abuseipdb.conf is more flexible.
2017-01-08 09:26:11 +02:00
Andrew James Collett 55e107310f Added config for AbuseIPDB, ony tested on Ubuntu 16.04 2017-01-07 14:24:54 +02:00
Viktor Szépe 81c1810f10 Introduce Cloudflare API v4
In the cloudflare action everyone is suggested to use API v4.
And I don't dare to contribute any actual change.
2016-12-31 21:30:57 +01:00
benrubson cc311b56f3 Apache URIs can contain spaces 2016-12-23 22:57:24 +01:00
roedie 3adc16d266 Shorewall IPv6 suggested changes.
Change files as suggested by sebres.
2016-12-12 20:53:58 +01:00
Yaroslav Halchenko 31a1560eaa minor typos (thanks Vincent Lefevre, Debian #847785) 2016-12-11 15:13:11 -05:00
roedie 6e18508a07 Add shorewall IPv6 support
Small patch which allow fail2ban to use shorewall for IPv6 bans.
2016-12-11 20:44:54 +01:00
sebres 45f1d811c9 Merge branch 'alex1702-1586' 2016-11-28 18:54:02 +01:00
sebres 67c14afd8e ChangeLog entry added + jail.conf review 2016-11-28 18:51:23 +01:00
sebres 425170cef3 code review, makes the test cases workable, added dev-notes 2016-11-28 18:39:07 +01:00
sebres 931eab84b5 `filter.d/apache-modsecurity.conf`
- fixed for newer version (one space, closes gh-1626)
reviewed and optimized:
  - non-greedy catch-all replaced for safer match
  - unneeded catch-all anchoring removed
  - non-capturing groups
2016-11-28 11:28:27 +01:00
sebres 40cbe96352 Merge remote-tracking branch 0.10 into _0.10/fix-datedetector-grave-fix-v2 2016-11-28 11:03:11 +01:00
sebres 5678d08a79 filter.d/dovecot.conf update:
- fixes failregex, that ignores failures through some irrelevant info (closes #1623);
- ignores whole additionally irrelevant info in anchored regex before fixed failure data `\((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\)`
- review, IPv6 compatibility fix, non-capturing groups
2016-11-26 16:50:37 +01:00
sebres a2af19c9f0 fixed several actions, that could not work with jails using multiple logpath; additionally repaired execution in default shell (bad substitution by `${x//...}` executing in `/bin/sh`);
added helper "action.d/helpers-common.conf", and `_grep_logs` part-command for actions needed grep logs from multiple log-files
test cases: executing of some complex actions covered
2016-11-25 19:27:26 +01:00
Serg G. Brester 4f5389fee5 Update jail.conf 2016-11-24 19:30:10 +01:00
Johannes Weberhofer f46ada023e Use Fedora's backend-settings for openSUSE
Those settings are ok for newer openSUSE versions
2016-11-22 09:03:54 +01:00
sebres b5433f48b7 amend after code review of merge gh-1581 2016-11-11 11:09:46 +01:00
sebres bee6e7376b Merge branch 'aclindsa:master' 2016-11-11 10:58:40 +01:00
sebres ea4c1f6356 Merge branch 'master' into 0.10 2016-11-11 10:29:45 +01:00
sebres dab5f56609 Merge branch 'fix-gh-1477' 2016-11-11 10:17:07 +01:00
Alex 8ac28e5dcb Make changes and add test file 2016-11-10 13:09:32 +01:00
Alex 8c40766511 Add Mongodb-auth filter and jail 2016-11-10 12:48:24 +01:00
sebres faee5f1fdc better caching (thereby better performance), better recognition of similar regex 2016-10-17 11:20:30 +02:00
sebres ae7297e16b more precise date template handling (WARNING: this commit creates possible incompatibilities):
- datedetector rewritten more strict as earlier;
  - default templates can be specified exacter using prefix/suffix syntax (via `datepattern`);
  - more as one date pattern can be specified using option `datepattern` now (new-line separated);
  - some default options like `datepattern` can be specified directly in section `[Definition]`, that avoids contrary usage of unnecessarily `[Init]` section, because of performance (each extra section costs time);
  - option `datepattern` can be specified in jail also (jails without filters);
  - if first group specified, only this will be cut out from search log-line (e. g.: `^date:[({DATE})]` will cut out only datetime match pattern, and leaves `date:[] failure ip...` for searching in filter);
  - faster match and fewer searching of appropriate templates (DateDetector.matchTime calls rarer DateTemplate.matchDate now);
  - standard filters extended with exact prefixed or anchored date templates;

template cache introduced (in opposition to default template cache, holds custom templates cached by pattern for possible common usage of same template/regex);
2016-10-17 11:20:27 +02:00
sebres ab0ac2111c added possibility to specify more precise default date pattern:
- `datepattern = {^LN-BEG}` - only line-begin anchored default patterns
     (matches date only at begin of line, or with max distance up to 2 non-alphanumeric characters from line-begin);
  - `datepattern = {*WD-BEG}` - only word-begin anchored default patterns;
  - `datepattern = ^prefix{DATE}suffix` - exact specified default patterns (using prefix and suffix);
common filter configs gets a more precise, line-begin anchored (datepattern = {^LN-BEG}) resp. custom anchoring default date-patterns;
2016-10-17 11:18:30 +02:00
sebres a7d9de8c52 [temp commit] 1st try to optimize datedetector/datetemplate functionality (fix ambiguous resp. misleading date detection if several formats used in log resp. by format switch after restart of some services):
* Misleading date patterns defined more precisely (using extended syntax %E[mdHMS]
  for exact two-digit match)
* `filter.d/freeswitch.conf`
    - Optional prefixes (server, daemon, dual time) if systemd daemon logs used (gh-1548)
    - User part rewritten to accept IPv6 resp. domain after "@" (gh-1548)
2016-10-17 11:16:20 +02:00
Aaron Lindsay 7805f9972d filter.d/sshd.conf: Match 'Invalid user' with 'port \d*' 2016-10-15 15:52:19 -04:00
sebres 84c3eb3e0e filter.d/sendmail-reject.conf: double space (should be by missing dns-host only)
Closes #1578
2016-10-15 14:53:45 +02:00
sebres 53adc9d84a Merge branch 0.10-full with 0.10
Resolved several conflicts and code review after merge
2016-10-14 19:55:20 +02:00
sebres c809c3e61e Merge branch 'master' into 0.10 2016-10-13 19:01:13 +02:00
Nils d08db22b92 Create npf.conf for the NPF packet filter
This file adds support for the NPF packet filter, available on NetBSD since version 6.0
2016-10-13 18:50:54 +02:00
sebres fa8184d4cc fixes deprecated DNSUtils.IsValidIP in fakegooglebot ignore command + test covered now;
Closes #1559
2016-10-05 15:01:33 +02:00
sebres ee1727ecca Merge pull request #1563 from niklasf/fix-lazy-ipv6-regex (and sebres/fix-lazy-ipv6-regex) into 0.10 2016-09-30 13:34:54 +02:00
sebres 9bf8985e2a nginx-limit-req.conf: more precise failregex (word-boundary if `<HOST>` should be non-greedy for some reasons) 2016-09-30 12:33:43 +02:00
Serg G. Brester ba9a88977f Merge pull request #1562 from sebres/_0.10/fix-stability-and-speed
0.10/fix stability and speed optimization
2016-09-30 12:14:51 +02:00
sebres 8b0f6c5413 badips test cases check availability of badips service (and skip this tests if it not available) 2016-09-30 12:03:27 +02:00
sebres 310d4e224d Merge branch master (0.9) into 0.10 2016-09-29 19:46:11 +02:00
sebres 9fb167b5e1 filter.d/vsftpd.conf: optional reason message after FAIL LOGIN, closes #1543 2016-09-09 09:20:15 +02:00
sebres c0e0cfb39d Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2016-09-01 16:23:13 +02:00
sebres 4a1d720344 filter.d/asterisk.conf: another part ` chan_sip.c:28468 handle_request_register:` in log prefix 2016-08-22 14:10:50 +02:00
sebres 2c54f90469 sshd-filter: better universal regexp, that matches more complex different injects, using conditional expressions (on username and auth-info section), see new test cases also. 2016-08-19 10:19:12 +02:00
sebres a544c5abac sshd-filter: recognized "Failed publickey for" now (gh-1477) + improved regexp (not anchored now to recognize all "Failed anything for ... from <HOST>"
ChangeLog entry added
2016-08-18 21:38:55 +02:00
sebres 18ebd9ac21 Merge branches 0.10-full and 0.10 2016-08-17 18:00:25 +02:00
sebres d71a525a85 Merge branch 'master' into 0.10 (resolve conflicts and cleaning tree points after back-porting gh-1508 0.10 -> 0.9) 2016-08-12 18:51:56 +02:00
sebres 38d53a72fd introduces new command "fail2ban-python", as automatically created symlink to python executable, where fail2ban currently installed (resp. its modules are located);
fixed pythonic filters and test scripts (running via "fail2ban-python" now);
fixed test case "testSetupInstallRoot" not for default python (also using direct call, out of virtualenv);

# Conflicts:
#	config/filter.d/ignorecommands/apache-fakegooglebot
#	fail2ban/tests/files/config/apache-auth/digest.py
#	fail2ban/tests/files/ignorecommand.py
#	fail2ban/tests/misctestcase.py
2016-08-12 17:58:37 +02:00
sebres 77f451c4a3 introduces new command "fail2ban-python", as automatically created symlink to python executable, where fail2ban currently installed (resp. its modules are located);
fixed pythonic filters and test scripts (running via "fail2ban-python" now);
fixed test case "testSetupInstallRoot" not for default python (also using direct call, out of virtualenv);
2016-08-11 18:34:18 +02:00
maksyms 9ddbd642f7 Accept no space after "failed:" (#1501)
yoh: Squashed to ease cherry-picking into 0.9

* accept no space after "failed:"

fix issue #1497

* accept no space after "failed:"

* Update postfix-sasl

* Update postfix-sasl

* Update postfix-sasl
2016-08-08 17:09:47 -04:00
maksyms 04427adb95 Accept no space after "failed:" (#1501)
yoh: Squashed to ease cherry-picking into 0.9

* accept no space after "failed:"

fix issue #1497

* accept no space after "failed:"

* Update postfix-sasl

* Update postfix-sasl

* Update postfix-sasl
2016-08-08 17:07:55 -04:00
sebres c52aaa8b78 ASSP failregex minor fixes 2016-08-08 19:06:28 +02:00
sebres 70658d7a19 Merge pull request #1494 from rhardy613/master (branch 'sebres:pr-1494') 2016-08-08 18:49:32 +02:00
rhardy613 8265e3f0f9 Fix comments
For some reasons the comment changes weren't pickup in the last commit.
This fixes it.
2016-08-05 23:25:15 -04:00
rhardy613 66fe5a77ce Fix ASSP filter to work with both ASSP V1 and V2
ASSP V1 development stopped at the end of 2014 and it is now deprecated.
All users were urged to upgrade to ASSP V2 which is still actively
developed.
fail2ban 0.9.5 (and trunk) still have code which only understands ASSP
V1 logs.
This means the filter ignores brute force attacks against ASSP. This fix
adds V2 support.
2016-08-05 23:18:51 -04:00
rhardy613 890a3dcbb9 Fix ASSP filter to work with current release of ASSP
ASSP V1 development stopped at the end of 2014 and it is now deprecated.
All users were urged to upgrade to ASSP V2 which is still actively
developed. For some reason fail2ban 0.9.5 (and trunk) still have code
which only understands ASSP V1 logs. This means the filter ignores brute
force attacks against ASSP.
Now updated with anchored patterns tested against 6 months of log data.
2016-08-05 17:26:47 -04:00
Yaroslav Halchenko c0994b0c6c DOC: minor typo (thanks John Bernard) Closes #1496 2016-08-04 10:23:05 -04:00