sebres
a3bcbe2d1b
backwards-compatibility, test-cases and ChangeLog update
2018-03-02 19:15:10 +01:00
MatthieuBarbu
6b5516b851
fix sshd rule #2
...
in line 58, rule don't match with "%(__suff)s" but work fine if I replace with "%(__on_port_opt)s"
Debian 9 stretch : fail2ban 0.10.3
2018-03-02 18:40:36 +01:00
sebres
1d7aa2ff21
filter.d/sshd.conf: rewrite fix (for new ssh log-format) backwards compatible + test-cases extended to cover both cases
2018-03-02 18:17:17 +01:00
MatthieuBarbu
9f5c873526
fix sshd rule
...
just remove the space before ":11" line 52 because don't match on my Debian 9 stretch...
I don't know if this is wrong on all OS
2018-03-02 17:53:35 +01:00
sebres
5ea76789c6
Merge branch '0.10' into 0.11
2018-03-02 17:18:37 +01:00
sebres
8c291cad38
filter.d/asterisk.conf: fixed failregex prefix by log over remote syslog server (gh-2060)
2018-03-02 09:17:04 +01:00
Ben RUBSON
b112250ef0
(Free)BSD IPFW does not allow 2 identical rules ( #2054 )
...
ipfw actionban fixed to allow same rule added several times (and actionunban to ignore error by deletion of missing rule)
2018-02-27 10:18:59 +01:00
Ben RUBSON
857767f04b
Add 'any' badips.py bancategory ( #2056 )
...
action.d/badips.py: allow `any` as bancategory to retrieve IPs from all categories
2018-02-27 10:12:22 +01:00
sebres
47a7f83a0b
Merge branch '0.10' into 0.11
2018-02-26 19:30:54 +01:00
sebres
07fcb24ff6
Merge pull request #2057 from benrubson/https
...
Use httpS with badips
2018-02-26 18:50:35 +01:00
sebres
f52c67238a
action.d/badips.py: code review, ban command covered, debug log-messages, etc;
2018-02-26 18:16:20 +01:00
benrubson
fce2a50165
badips.py, solve a str() issue under FreeBSD
2018-02-26 15:55:21 +01:00
benrubson
e2665d39fd
Use httpS with badips
2018-02-26 09:58:37 +01:00
sebres
a5155f55e7
Merge branch '0.10' into 0.11
2018-02-21 09:31:35 +01:00
sebres
e636567d23
filter.d/exim.conf: failregex extended with SMTP call dropped: too many syntax or protocol errors.
2018-02-19 09:50:46 +01:00
sebres
19a5a2f8c0
filter.d/murmur.conf: fixed detection of failures reading from journal (systemd-backend only):
...
- extended with optional prefix for the systemd-journal (with second date-pattern as optional match);
- added `journalmatch` filtering;
closes gh-2043
2018-02-09 11:43:55 +01:00
sebres
201ae0dac2
Merge branch '0.10' into 0.11
2018-01-31 12:20:34 +01:00
sebres
0be0e43d47
amend to 03b577d7b92a120e325abe20a99b6956a7e0657c: add new-line after matches via tag `<br>` without usage of interim variable
2018-01-30 12:52:26 +01:00
sebres
03b577d7b9
action.d/blocklist_de.conf: fixed tag substitution (in 0.10 it can be variables supplied via shell-arguments), expand `<matches>` with trailing newline;
...
tests extended;
closes gh-2028
2018-01-30 12:27:03 +01:00
sebres
faab77cc79
Merge branch '0.10' into 0.11, with resolved conflicts.
2018-01-24 17:56:58 +01:00
Yaroslav Halchenko
527bb9a7c3
dos2unix for helpers-common.conf
...
Original report: http://bugs.debian.org/888110
2018-01-23 08:48:36 -05:00
sebres
1ca3df877b
Merge branch '0.10' into 0.11
2018-01-18 14:32:00 +01:00
sebres
f69e28adfc
action.d/pf.conf: compatibility fix - recognizes that parameter `port` specified as empty, with or without braces (should be more backwards compatible to 0.9 now).
2018-01-18 14:05:22 +01:00
sebres
38b3290516
Merge branch '0.10' into 0.11
2018-01-17 16:43:45 +01:00
sebres
ed22ddbbbb
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2018-01-17 16:42:56 +01:00
sebres
63e906b2c1
regex rewritten: a bit fewer vulnerable now and using non-capturing groups, test-cases extended in order to cover trying of injection on user name
2018-01-17 16:35:32 +01:00
Benedikt Seidl
fed6c49c2d
nginx-http-auth: match usernames with spaces
...
# Conflicts:
# ChangeLog
2018-01-17 16:35:31 +01:00
Sergey G. Brester
b6c6565a7e
regex updated using non-capturing groups
2018-01-16 14:23:47 +01:00
riceru
6a1bbbf101
Update lighttpd-auth.conf
...
I have lighttpd 1.4.45 (Debian 9) and auth error log is different.
Now printing mod_auth and not http_auth.
I think that the change was in Lighttp 1.4.42
2018-01-16 12:39:55 +00:00
sebres
576eeb70dd
Merge branch '0.10' into 0.11
2018-01-15 18:17:18 +01:00
sebres
2b7b0da943
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2018-01-15 18:16:43 +01:00
Serg G. Brester
7e05976ead
action.d/hostsdeny.conf: actionunban rewritten using sed, also dots in IP were escaped now.
...
Closes #2000
2018-01-11 12:38:34 +01:00
sebres
039ac7c7c4
Merge branch '0.10' into 0.11
2018-01-11 10:29:46 +01:00
sebres
2112145eb4
stop ban of legitimate users with multiple public keys (e. g. git, etc), thereby
...
differentiate between "invalid user" (going banned earlier) and valid users with public keys, for which the rejects of not valid public keys (failures) will be retarded up to "Too many authentication failures" resp. disconnect without success (accepted public key).
2018-01-10 19:07:20 +01:00
sebres
314e402fe0
filter.d/sendmail-auth.conf - extended daemon for Fedora 24/RHEL - the daemon name is "sendmail" (gh-1632)
2018-01-10 14:49:06 +01:00
sebres
0e68c9a720
Merge branch '0.10' into 0.11
2018-01-10 12:22:31 +01:00
sebres
c30144b37a
Merge branch '0.9' into 0.10
...
# Conflicts:
# config/action.d/firewallcmd-ipset.conf
# config/filter.d/asterisk.conf
# Merge-point after cherry-pick, no changes:
# fail2ban/client/jailreader.py
# fail2ban/helpers.py
2018-01-10 12:05:26 +01:00
sebres
131b94e11e
firewallcmd-ipset-allports: implemented in `action.d/firewallcmd-ipset.conf` now (`action.d/firewallcmd-ipset-allports.conf` removed), usage:
...
banaction = firewallcmd-ipset[actiontype="<allports>"]
2018-01-10 10:58:03 +01:00
Danila Vershinin
c190631f88
New ban action firewallcmd-ipset-allports. Closes #1167
2018-01-10 10:58:01 +01:00
Yannik Sembritzki
94f0b15c32
Allow faster parsing of hosts without ' characters in them
2018-01-08 14:54:32 +01:00
Yannik Sembritzki
b28dfb965a
Fix filter not catching asterisk requests with quote character in username ( fixes #2010 )
2018-01-03 18:39:30 +01:00
sebres
5028f17f64
Merge branch '0.10' into 0.11, rewrite updateDb because it can be executed after repair, and some tables can be missing.
...
# Conflicts:
# fail2ban/server/database.py
# fail2ban/tests/fail2banclienttestcase.py
# fail2ban/tests/sockettestcase.py
2017-12-22 17:05:45 +01:00
root
79f414c6a2
fix <family> typo
2017-12-09 15:55:45 +01:00
root
7c63eb2378
In the CentOS7 and epel environment, result of "firewall-cmd -direct -get -chains ipv4 filter" is displayed one line
...
Changed to be multiple lines with reference to firewallcmd-multiport.conf
2017-12-09 15:55:45 +01:00
sebres
309a1cb337
restore timeout for ipset-based actions: on some systems ipset created without default timeout may cause "Kernel error received: Unknown error -1" (gh-1994);
...
thus new option `default-timeout` introduced (because of dynamical bantime in 0.10, it cannot be used here).
2017-12-06 02:38:10 +01:00
sebres
6ccaa03e00
action.d/firewallcmd-ipset.conf: extended with actionflush to bulk unban resp. flush ipset
2017-12-06 01:10:56 +01:00
sebres
7e5d8f37fd
Merge branch '0.10' into 0.11
...
# Conflicts:
# config/action.d/firewallcmd-ipset.conf
# fail2ban/server/jail.py
# fail2ban/tests/servertestcase.py
2017-12-06 00:14:23 +01:00
sebres
2712f72650
Merge remote-tracking branch 'master' into 0.10
2017-12-06 00:09:52 +01:00
sebres
e384acca5f
action.d/firewallcmd-ipset.conf: fixed create of set for ipv6 (missing `family inet6`)
2017-12-05 23:34:03 +01:00
Kevin Maradona
6c705d572b
filter.d/nginx-limit-req.conf: nginx limit-req log-level can be set to warn or error therefore having this regex will include both of them.
2017-12-05 22:31:54 +01:00
sebres
ffd6b9f6de
jail.conf: extended with new parameter `mode` for the filters supporting it;
2017-12-05 16:09:18 +01:00
sebres
2b68882502
filter.d/exim.conf: provides mode "aggressive" to ban flood resp. DDOS-similar failures;
...
Closes #1983
2017-12-05 16:07:53 +01:00
sebres
cc153888d5
Merge branch '0.10' into 0.11
2017-12-01 15:55:10 +01:00
sebres
7f89fbc33f
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2017-12-01 15:53:11 +01:00
Serg G. Brester
4f63180611
Avoid injection using quotes after `auth` command;
...
Added non-greedy fallback for quoted something (with lookahead simulated possessive greedy catch of non-quoted parts `[^"]*(?=")`).
Note that because host-info's are hereafter (with foreign input in-between), we would not use greedy or non-greedy catch-alls (`.*` or `.*?`) here (preventing performance losses).
2017-11-30 12:32:24 +01:00
Serg G. Brester
f59df2e156
Avoid any injecting on protocol (e. g. tries using camel-case)
...
The phrase "AUTH command used when not advertised" is precise enough as anchor here, so prevent by any foreign-input (any auth protocol error).
2017-11-29 20:55:48 +01:00
Peter Nowee
aa158ac05f
Exim failregex: Include lower/mixed case AUTH
...
When reporting the error `AUTH command used when not advertised`, Exim
starts with `SMTP protocol error in "........."`. Here, Exim logs the
SMTP command as it was provided by the connecting client.
https://github.com/Exim/exim/blob/exim-4_89+fixes/src/src/smtp_in.c#L2850
According to RFC 5321 (SMTP) "[..] a command verb [..] MAY be encoded
in upper case, lower case, or any mixture of upper and lower case with
no impact on its meaning."
https://tools.ietf.org/html/rfc5321#section-2.4
Lower case `auth login` brute-force attempts were seen in the wild and
were not caught by the current failregex.
This commit makes the failregex case-insensitive for the `AUTH`
command, so that lower case (`auth`) or mixed case (`aUtH`) now also
match. The failregex was already case-insensitive for the command
arguments (e.g. `AUTH login` already matched).
2017-11-29 15:14:43 +01:00
SlowRiot
660d57e6ba
updating my email address
2017-11-29 10:43:15 +01:00
sebres
5cc0abbb02
Merge branch '0.10' into 0.11
...
# Conflicts:
# fail2ban/tests/fail2banclienttestcase.py
2017-11-28 16:37:51 +01:00
sebres
76f2865883
implemented new action "action.d/nginx-block-map.conf", used in order to ban not IP-related tickets via nginx (session blacklisting in nginx-location with map-file);
2017-11-28 13:42:41 +01:00
sebres
12b55bb8cc
Merge remote-tracking branch '0.10' into 0.11
2017-11-27 12:02:46 +01:00
sebres
f31195a4fc
added new logtarget "SYSOUT" to log from fail2ban working in foreground as systemd-service (in opposite to "STDOUT" don't log time-stamps).
2017-11-26 23:03:29 +01:00
sebres
8aeaaf06ee
Merge branch '0.10' into 0.11
2017-11-23 22:57:21 +01:00
sebres
159957ab88
filter.d/sshd.conf: extended failregex for modes "extra"/"aggressive": now finds all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors;
...
obsolete (multi-line buffered) variant extended also.
Closes gh-1943, gh-1944
2017-11-23 22:21:42 +01:00
sebres
70b933f405
Merge branch '0.10' into 0.11
2017-11-06 18:57:53 +01:00
sebres
7e756da2b9
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2017-11-06 18:56:31 +01:00
sebres
eba68a8f37
config/paths-common.conf: Added initial values for `syslog_authpriv`, `syslog_mail` in order to avoid errors while parsing/interpolating configuration;
...
Note the systemd-backend does not need the logpath at all;
Some defaults normalized (minimized configs, don't need to overwrite values in distribution-related path if equal).
2017-11-03 14:15:07 +01:00
Serg G. Brester
9876dd44f9
replace port imap3 with imap everywhere, since imap3 is not a standard port and old rarely (if ever) used and missing on some systems
...
(see gh-1942)
2017-11-03 14:03:06 +01:00
Jeff Potter
4a2fc8b7e8
Include imap (port 143) in courier-auth ports
...
imap was missing from the list of ports, preventing fail2ban from blocking connections on standard IMAP port 143.
2017-11-03 14:01:19 +01:00
sebres
12419b75f2
Merge branch '0.10' into 0.11
...
# Conflicts:
# fail2ban/tests/servertestcase.py
2017-10-30 14:02:41 +01:00
sebres
b615a98540
jail.conf: avoid overwriting of default value of the parameter `chain` of several actions (where default chain != INPUT);
...
test-cases extended to cover the same logic (use `<known/chain>` instead of fix value `INPUT`);
Closes gh-1949
2017-10-30 13:32:52 +01:00
Serg G. Brester
e07a8cda07
Update jail.conf
...
Documentation of parameters for action blocklist_de, closes gh-1940
2017-10-27 15:26:17 +02:00
Serg G. Brester
1a8fb6290d
Merge pull request #1926 from sebres/0.10-pf-actionflush
...
action.d/pf.conf: wildcard anchoring example + bulk-unban with command `actionflush`
2017-10-19 16:35:46 +02:00
sebres
76f5e3659e
Merge branch '0.10' into 0.11
2017-10-18 19:03:08 +02:00
sebres
0e66e3cc57
Merge branch 'master' into 0.10
...
# Conflicts:
# config/filter.d/asterisk.conf
2017-10-18 19:00:23 +02:00
Michael Newton
d5d1fe679f
Remove invalid regex
...
Resolves #1927
2017-10-17 14:44:23 -07:00
sebres
a1b863fcf6
action.d/pf.conf: extended with bulk-unban, command `actionflush` in order to flush all bans at once (by stop jail, resp. shutdown of fail2ban)
2017-10-17 20:12:48 +02:00
sebres
8726c9fb0a
pf.conf: enclose ports in braces, multiple ports expecting this syntax `... any port {http, https}`.
...
Note this would be backwards-incompatible change (for the people already enclosing multiports in braces in jail.local).
closes gh-1915
2017-10-17 13:46:29 +02:00
Łukasz Wąsikowski
a4f94d2619
Update pf.conf
...
Fix comment, because current one won't work:
cat /etc/pf.conf
anchor f2b {
sshd
}
# service pf reload
Reloading pf rules.
/etc/pf.conf:2: syntax error
New version:
cat /etc/pf.conf
anchor f2b {
anchor sshd
}
# service pf reload
Reloading pf rules.
2017-10-17 12:39:25 +02:00
Harry Wood
ea1b663f85
typo
...
spell "positive" (...but also somebody should finish this sentence)
2017-10-16 01:15:58 +01:00
sebres
6c1d481135
Merge branch '0.10' into 0.11
2017-10-04 09:57:43 +02:00
sebres
e71f16f6ba
Merge branch 'master' into 0.10
...
# Conflicts resolved:
# config/filter.d/dovecot.conf
2017-10-04 09:57:18 +02:00
sebres
ea36e1b3fc
filter.d/dovecot.conf: fixed failregex to recognize pam_authenticate failures with "Permission denied" (gh-1897)
2017-10-04 09:55:37 +02:00
sebres
037a0be3ae
Merge branch '0.10' into 0.11
2017-10-02 15:43:55 +02:00
sebres
8c804a2290
Merge branch 'master' into 0.10
...
# Conflicts resolved:
# config/filter.d/postfix-rbl.conf
# config/filter.d/postfix-sasl.conf
# config/filter.d/postfix.conf
# fail2ban/tests/files/logs/postfix-sasl
2017-10-02 15:41:30 +02:00
sebres
a2120a9de5
filter.d/postfix-*.conf - added optional port regex (closes gh-1902)
2017-10-02 15:31:55 +02:00
Louis Sautier
152c9d27d5
Fix nftables actions for IPv6 addresses, fixes #1893
...
* add [Init?family=inet6] to nftables-common.conf and make nftable
expressions more modular
* change "ip protocol" to "meta l4proto" in nftables-allports.conf
since the former only works for IPv4
2017-09-11 23:32:53 +02:00
sebres
e0fede621e
Merge branch '0.10' into 0.11
2017-09-08 11:33:19 +02:00
sebres
b185e7cb04
Merge remote-tracking branch 'upstream/master' into 0.10
2017-09-08 11:11:05 +02:00
Serg G. Brester
fd83260bd8
jail "pass2allow-ftp" should supply blocktype to action
...
closes gh-1884
2017-09-07 18:51:08 +02:00
Serg G. Brester
bb97e66627
Merge pull request #1882 from coderua/patch-1
...
Add Jorgee Vulnerability Scanner protect
2017-09-07 15:52:31 +02:00
Serg G. Brester
2cd02b731b
filter.d/exim.conf: fixed failregex for case of `D=0s`
...
Closes gh-1886
2017-09-07 15:28:46 +02:00
sebres
4bc226a692
optimized regex
2017-09-05 10:59:16 +02:00
Vladimir Chumak
fafefc0293
Add Jorgee Vulnerability Scanner protect
...
Details for Jorgee Vulnerability Scanner: https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30164
2017-09-05 10:56:43 +02:00
sebres
4163f32968
small review, prefix replaced with `%(_apache_error_client)s` from apache-common.conf include
2017-09-04 11:48:01 +02:00
john
ac95449bbb
changed zoneminder regex as per Sebres and yarikoptic recommendations
2017-09-04 11:37:09 +02:00
john
7013729a1f
removed redundant options for zoneminder from jail.conf
2017-09-04 11:37:05 +02:00
john
5c3a666380
fixed incomplete regex after adding anchors
2017-09-04 11:37:03 +02:00
john
3d45fd2713
implemented yarikoptic's suggestions in fail2ban pull request #1376
2017-09-04 11:37:00 +02:00
john
08878d22dd
added zoneminder.conf filter
2017-09-04 11:36:50 +02:00
john
a90f6c4ae8
added zoneminder jail and filter
...
# Conflicts:
# config/jail.conf
2017-09-04 11:36:47 +02:00
sebres
c312962029
filter.d/dovecot.conf: partially cherry-pick to 0.9 PR #1880 from sebres/0.10-fix-dovecot-regex ( d926e11a5c
)
...
fixed failregex (without new mode aggressive)
2017-09-01 10:57:41 +02:00
sebres
32058ed268
Merge remote-tracking branch 'remotes/gh-upstream/0.10' into 0.11
2017-09-01 10:37:52 +02:00
sebres
2cfc53c08e
remove capturing groups
2017-09-01 10:25:09 +02:00
sebres
9b8563f35e
- fixes regex for message `imap-login: Disconnected (auth failed, X attempts) ...` has to many variations on additional info after `<HOST>`,
...
leave it end-anchored because variable part `user=<[^>]*>` (before `<HOST>`) to avoid injecting, but can be safe rewritten using `[^>]*` in opposite to "greedy" `user=<[^>]*>`.
- introduces mode `aggressive` and extends regex for this mode to match:
* no auth attempts (previously removed in gh-601, because of lots of false positives on misconfigured MTAs)
* disconnected before auth was ready
* client didn't finish SASL auth
2017-09-01 09:56:21 +02:00
Serg G. Brester
a287d0a05c
Merge pull request #1872 from kmzby/master
...
Added filter for phpMyAdmin+syslog
2017-08-25 12:22:58 +02:00
Pavel Mihadyuk
4c1abe1cbf
phpmyadmin-syslog: removed excess file, fixed test, updated failregex
2017-08-23 16:56:18 +03:00
Pavel Mihadyuk
d09304b897
phpmyadmin-syslog: added default jail config
2017-08-22 19:00:48 +03:00
Pavel Mihadyuk
5b4bc2aafd
Added filter for phpMyAdmin+syslog (>=4.7.0). Closes #1713
2017-08-22 18:20:01 +03:00
sebres
b80692f602
Merge branch '0.10' into 0.11
2017-08-18 15:44:43 +02:00
sebres
1d5fbb95ae
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2017-08-18 15:44:22 +02:00
Serg G. Brester
b0e5efb631
bsd-ipfw.conf: sh-compliant redirect of stderr together with stdout
2017-08-18 15:26:09 +02:00
sebres
3be32adefb
Replace not posix-compliant grep option: fgrep with `-q` option can cause 141 exit code in some cases (see gh-1389).
2017-08-18 14:37:29 +02:00
Jacques Distler
f84e58e769
Tweaks to action.d/pf.conf
...
Document recent changes.
Add an option to customize the pf block rule (surely, what the user
really wants, here, is "block quick").
2017-08-18 13:31:34 +02:00
Jacques Distler
d646d06e91
Tweaks to action.d/pf.conf
...
Document recent changes.
Add an option to customize the pf block rule (surely, what the user
really wants, here, is "block quick").
2017-08-17 09:13:32 -05:00
sebres
33874d6e53
action.d/pf.conf: anchored call arguments combined as `<pfctl>` parameter;
...
test cases fixed;
2017-08-16 17:51:07 +02:00
Alexander Köppe
f6ccede2f1
Update pf.conf fixing #1863
...
Fix #1863
Introduce own PF anchors for fail2ban rules.
2017-08-16 17:51:05 +02:00
sebres
3f83b22de2
action.d/pf.conf: anchored call arguments combined as `<pfctl>` parameter;
...
test cases fixed;
2017-08-16 11:58:39 +02:00
Alexander Köppe
55baf93635
Update pf.conf fixing #1863
...
Fix #1863
Introduce own PF anchors for fail2ban rules.
2017-08-16 11:33:45 +02:00
Serg G. Brester
b5dd5adb08
Merge pull request #1460 from sebres/0.10-full
...
0.11 ban-time-incr
2017-08-10 15:23:18 +02:00
sebres
30219b54c4
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2017-08-09 16:38:29 +02:00
Serg G. Brester
c0eb7752a8
Merge pull request #1651 from szepeviktor/patch-9
...
Introduce Cloudflare API v4
2017-08-09 16:28:52 +02:00
Serg G. Brester
2ed8a38eca
Update cloudflare.conf
...
Switch to API v1 to API v4 per default
2017-08-09 16:27:53 +02:00
Serg G. Brester
da7072d40e
Merge pull request #1846 from Chocobozzz/patch-3
...
Fix empty logfile.log in xarf login attack action
2017-08-09 16:21:47 +02:00
sebres
94b163936a
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
...
Removed init section (not needed in filter for 0.10).
# Conflicts:
# config/filter.d/sendmail-reject.conf
2017-08-09 16:16:31 +02:00
Serg G. Brester
af25a9d203
Merge pull request #1566 from opoplawski/journalmatch
...
Add sendmail journalmatch options
2017-08-09 16:14:10 +02:00
Orion Poplawski
84f552881c
Add sendmail journalmatch options
2017-08-09 16:03:34 +02:00
Serg G. Brester
5b7375c614
Merge pull request #1638 from roedie/shorewall-ipv6
...
Add shorewall IPv6 support
2017-08-09 15:54:57 +02:00
sebres
e52f483557
Config reader's: introduced new syntax `%(section/option)s`, in opposite to extended interpolation of python 3 `${section:option}` work with all supported python version in fail2ban and this syntax is like our another features like `%(known/option)s`, etc.;
...
Variable `default_backend` switched to `%(default/backend)s`, so totally backwards compatible now, but now the setting of parameter `backend` in default section of `jail.local` can overwrite default backend also.
Test cases extended: test targeted section options "section/option" (default and cross sections options);
2017-08-08 20:21:44 +02:00
sebres
5ce8d4f741
fixes default backend handling (as default used value of `known/backend`, which can now be overridden in default section of jail.local);
...
introduces fallback for `known/option`: interpolate missing `known/option` as `option` from default section
2017-08-08 18:41:15 +02:00
sebres
2fe1479484
Merge branch '_0.9/gh-1849' into 0.10
2017-08-07 18:07:36 +02:00
sebres
5c538fb658
Recognize "unknown user" for additional auth-methods (pam, passwd-file, ldap, sql, etc); simplifying regular expressions (put "unknown user" and "invalid credentials" together as one regex).
2017-08-07 18:04:09 +02:00
sebres
0ef5b7c4d4
small amend to gh-1850: removed greedy catch-all at end.
2017-08-07 15:24:16 +02:00
Marcel Waldvogel
daf57547c6
Parse ejabberd 17.06 output
...
E.g.:
2017-07-29 08:24:04.773 [info] <0.6668.0>@ejabberd_c2s:handle_auth_failure:433 (http_bind|ejabberd_bosh) Failed c2s PLAIN authentication for test@example.ch from ::FFFF:192.0.2.3: Invalid username or password
2017-07-29 19:58:06 +02:00
Bigard Florian
f4551d02c9
Fix empty logfile.log in xarf login attack action
...
Fix empty 3rd MIME part which contains the attack evidence (logfile.log).
2017-07-25 13:44:29 +02:00
sebres
1a562bed0f
Merge remote-tracking branch 'master' into 0.10
...
# Conflicts:
# config/filter.d/asterisk.conf
2017-07-19 08:57:23 +02:00
sebres
a5b62a7f36
failregex extended and simplified (partially ported from gh-1409).
2017-07-18 16:34:22 +02:00
sebres
098abae4e6
Remove greedy catch-all before `<HOST>`, make regex more universal, fewer prone to errors (should avoid future changes, if some optional parameters coming again before/after `RemoteAddress`) + non-captured groups now.
...
Test for possible injection (5.6.7.8 in session-id) already available, line 59 (thus already covered).
2017-07-18 16:09:53 +02:00
Kirill
4c0c7b97c0
Update asterisk.conf to new log message
...
I got an issue like this:
[2016-05-15 22:53:00] SECURITY[26428] res_security_log.c: SecurityEvent="FailedACL",EventTV="2016-05-15T22:53:00.203+0300",Severity="Error",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7fb580001518",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/78.129.227.4/62389",SessionTV="1970-01-01T03:00:00.000+0300"
# [sebres] rebased to current master and resolving conflicts.
2017-07-18 15:40:32 +02:00
Serg G. Brester
34cb55fd91
Merge pull request #1695 from benrubson/issue1693
...
Apache, detect syslog prefix
2017-07-14 02:05:23 +02:00
sebres
0e33125129
be more precise using common `__prefix_line` expression (set `_daemon` to recognize apache and httpd only)
2017-07-12 11:59:02 +02:00
sebres
b561af45ef
apache-common.conf: introduced parameter `logging` for possibility to match lines, if apache logs into syslog/systemd journal;
...
added test cases to cover `apache-auth[logging=syslog]`.
2017-07-12 11:45:44 +02:00
benrubson
b662cf03ac
Apache, detect syslog prefix, simple example
2017-07-12 11:36:34 +02:00
Serg G. Brester
6c030c5e10
Merge pull request #1717 from szepeviktor/patch-11
...
Updated xarf-specification repo URL in xarf action
2017-07-12 09:54:15 +02:00
sebres
7217ef5c9e
filter.d/ejabberd-auth.conf: fixed ejabberd filter - accept new log-format with `wait_for_sasl_response` instead of `wait_for_feature_request` + optional part "IP " (gh-993)
2017-07-11 15:25:51 +02:00
sebres
dae4988aea
filter.d/roundcube-auth.conf: fixes failregex not working with `X-Real-IP` or/and `X-Forwarded-For` (gh-1303)
2017-07-11 14:59:24 +02:00
sebres
e26cc5de45
restore backwards compatibility (jail postfix-sasl); changelog update
2017-07-11 11:57:48 +02:00
sebres
aa92b68d4a
filter.d/postfix.conf: normalized several postfix-filters using parameter `mode` (as discussed in gh-1813);
...
introduced parameter `mode`: more (default, combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
replacement for gh-1239, gh-1697, gh-1764; closes gh-1245, gh-1297.
2017-07-10 20:49:28 +02:00
sebres
d32a3913cf
postfix postscreen (resp. other RBL's compatibility fix) / gh-1764
2017-07-10 15:38:24 +02:00
Serg G. Brester
57ea38c342
Update paths-debian.conf
...
Fixed mail.log path since in the default rsyslog configuration of debians the `mail.warn` is commented now (see `/etc/rsyslog.d/50-default.conf`: `#mail.warn -/var/log/mail.warn`).
Closes gh-1687
2017-07-05 19:57:30 +02:00
sebres
546cd55342
Merge branch 'master' into 0.10
2017-07-03 13:02:25 +02:00
sebres
a1d0633e69
filter.d/asterisk.conf - fixed failregex AMI Asterisk authentification failed (see gh-1302):
...
- optional space between NOTICE and pid;
- optional part "Host " before IP-address;
2017-07-03 12:57:28 +02:00
sebres
33fcf8d809
Merge branch 'master' into 0.10
2017-07-03 12:43:48 +02:00
Serg G. Brester
1307e0a5b9
Merge pull request #1760 from szepeviktor/patch-12
...
Courier may complain about the method only
2017-07-03 12:00:36 +02:00
Serg G. Brester
f27e053592
Update bsd-ipfw.conf
...
increased starting rule number (lowest_rule_num = 111)
2017-07-01 17:10:53 +02:00
Serg G. Brester
001c0898d6
Merge branch 'master' into master
2017-06-30 18:07:38 +02:00
Serg G. Brester
6110ba9cc3
filter.d/proftpd.conf: added option `journalmatch` for systemd backend (closes gh-1613)
2017-06-30 18:00:01 +02:00
sebres
37ca4f17c2
filter.d/roundcube-auth.conf: added missing entry `journalmatch` from original gh-1783.
2017-06-26 11:24:10 +02:00
Serg G. Brester
986dd3107d
Merge branch '0.10' into patch-12
2017-06-19 18:37:28 +02:00
sebres
d3ae70beb6
filter.d/roundcube-auth.conf: Use the same filter-file and jail also when logging errors to journal instead to a local file.
...
Additionally fixes more complex injections on username.
2017-06-19 18:12:13 +02:00
Johannes Weberhofer
691c080dc7
Added roundcube authentication filter, new jail and log-examples
2017-06-19 16:52:42 +02:00
Serg G. Brester
3294840c2a
Merge pull request #1801 from jeaye/postfix-updates
...
filter.d/postfix.conf: update to the latest postfix logging format
2017-06-19 16:44:37 +02:00
Serg G. Brester
efeca8fdeb
postfix.conf: removes unneeded end-anchoring like `.*$`, etc.
...
also removes several dynamic content at end, which are of no avail there.
Additionally normalizes optional part (mail-ID) after reason number.
2017-06-19 16:25:46 +02:00
sebres
d2c39d2e45
Merge branch '0.10' into 0.10-full
...
# Conflicts:
# fail2ban/server/database.py - resolved and test-case with persistent ban-time fixed/extended (bantime presents in database)
2017-06-16 09:35:27 +02:00
sebres
dcdf677438
Merge remote-tracking branch 'master' into 0.10
2017-06-15 11:49:51 +02:00
sebres
2b358bc1a4
filter.d/apache-overflows.conf: rewritten without end-anchor ($), because apache-log could contain very long URLs (and/or referrer), the parsing of it anchored way may be very vulnerable (at least as regards the system resources, see gh-1790).
2017-06-15 11:16:19 +02:00
jeaye
6f3d425c4d
Update postfix filters and tests
2017-06-12 18:56:19 -07:00
sebres
bbea73d79d
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2017-06-12 13:11:45 +02:00
Serg G. Brester
d56554ecf3
Merge pull request #1688 from felixonmars/arch-config
...
Add a path configuration for Arch Linux
2017-06-06 10:55:13 +02:00
Peter Nowee
b93e47b12f
dovecot: Match also when user field is empty
...
Commit 5678d08
of 2016-11-26 changed:
( user=<\S*>,)?
to:
( user=<[^>]+>,)?
The change from `*` (zero or more times) to `+` (one or more times) may
not have been intended. It will miss lines containing, for example:
Aborted login (tried to use disallowed plaintext auth): user=<>
This commit reverts the `+` back to `*`.
2017-05-31 15:54:30 +02:00
Marcel Bischoff
228d25c548
Update Kerio Connect filter ( #1455 )
...
* Update Kerio Connect filter
Fixed regex for some log entries that did not get recognized and some additional error formats are added.
* Add missing colon, GitHub address
* Add filter tests
* Add missing test
2017-05-30 20:27:44 +02:00
Serg G. Brester
80cc47b75f
Update helpers-common.conf
...
fixed grep pattern: escape dot-char in search-IP and more restrictive boundaries (IPv6-capable)
2017-05-30 09:14:43 +02:00
Viktor Szépe
5bb6be0163
IPv6 address may overlap
2017-05-30 02:05:38 +02:00
sebres
c21b4e4d56
[ban-time-incr] prolong ban, dynamic bantime, etc.:
...
- dynamic bantime: introduces new action-tag `<bantime>` corresponds to the current ban-time of the ticket;
Note: because it is dynamic, it should be normally removed from `jail.conf` (resp. `jail.local`).
- introduced new action command `actionprolong`, used for prolongation of the timeout (ban-time of the ticket);
- removed default `timeout` from `actionstart` of several actions;
- faster and safer function escapeTag (replacement at once in one run, '\n' and '\r' escaped also);
2017-05-17 13:25:06 +02:00
sebres
6724de54e6
Merge branch '0.10' into 0.10-full
2017-05-17 11:35:33 +02:00
Filippo Tessarotto
ff1c6718da
Postfix RBL: 554 & SMTP
...
Cherry-pick of 607568f5da
(see gh-1686)
2017-05-15 14:42:37 +02:00
sebres
b13d9d4e22
Merge branch 'master' into 0.10
2017-05-07 21:29:12 +02:00
sebres
0600d51511
filter.d/exim.conf: added new reason for "rejected RCPT" regex: Unrouteable address
2017-05-07 14:02:38 +02:00
sebres
49e237209e
Merge branch 'master' into 0.10
2017-05-07 13:32:12 +02:00
sebres
c546f85207
filter.d/exim.conf: cherry-picked from 0.10, match complex time like `D=2m42s` (closes gh-1766)
2017-05-07 13:02:32 +02:00
Viktor Szépe
ac256a822b
Make courier-auth regexp a non-captured group
2017-04-28 16:58:24 +02:00
Viktor Szépe
4bb8a58dcf
Courier may complain about the method only
...
> Mar 30 22:29:18 szerver imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:1.2.3.4]
2017-04-28 15:49:59 +02:00
Seth Reeser
c3426ba5f6
Update botsearch-common.conf ( #1759 )
...
* Update botsearch-common.conf, apache-modsecurity.conf: typo and missing new-line
2017-04-26 20:14:39 +02:00
sebres
8839bcbb09
Merge remote-tracking branch master into 0.10
2017-04-25 10:07:19 +02:00
sebres
99344d28c8
Introduces new tags with hostname:
...
- `<fq-hostname>` - fully-qualified name of host (the same as `$(hostname -f)`)
- `<sh-hostname>` - short hostname (the same as `$(uname -n)`)
Execution of `uname -n` replaced in all mail actions with most interesting fully-qualified `<fq-hostname>`.
2017-04-24 21:17:55 +02:00
sebres
3161bcf78b
filter.d/exim.conf: optional part `(...)` after host-name before `[IP]`, normalized over whole config file.
...
# Conflicts:
# config/filter.d/exim.conf
2017-04-24 19:21:26 +02:00
sebres
507034c5be
filter.d/apache-auth.conf: joined some similar expressions
2017-04-24 15:32:44 +02:00
Serg G. Brester
6dfd080e20
Update apache-auth.conf
...
remove forgotten referer, that may prevent failure recognition (belongs to gh-1645)
2017-04-21 11:17:13 +02:00
Serg G. Brester
311f8fea83
Merge branch '0.10' into issue1644
2017-04-21 10:32:29 +02:00
Peter van der Does
bb79e7f413
Parameter not needed
...
The parameter '-s' causes an error as the <mailcmd> already has the parameter.
2017-04-11 11:13:58 -04:00
Serg G. Brester
4f0f22702a
Update haproxy-http-auth.conf
...
little bit more precise expression
2017-04-11 09:11:08 +02:00
Georges Racinet
4fc6323ff0
haproxy-http-auth: avoid port number in IPv6 addresses
...
The solution taken is to consume the port number explicitely in
the regexp.
2017-04-07 13:59:22 +02:00
sebres
97e8b42d34
dummy action extended with more examples and test-covered now
2017-03-30 13:02:37 +02:00
sebres
d03872fbbf
bulk unban: add new command `actionflush` default for several iptables/iptables-ipset actions (and common include):
...
iptables-common
iptables
iptables-allports
iptables-multiport-log
iptables-multiport
iptables-new
iptables-ipset-proto4
iptables-ipset-proto6
iptables-ipset-proto6-allports
executing `actionflush` command covered for this actions now
2017-03-29 23:24:11 +02:00
sebres
8bf79fa483
implemented execution of `actionstart` on demand, if action depends on `family` (closes gh-1741);
...
new action parameter "actionstart_on_demand" (bool) can be set to prevent/allow starting action on demand (default retrieved automatically, if some conditional parameter `param?family=...` presents in action properties);
2017-03-29 17:44:15 +02:00
Seth Reeser
c82495353f
Update mysqld-auth.conf ( #1725 )
2017-03-24 19:03:20 +01:00
Serg G. Brester
52c1950371
Update mysqld-auth.conf
...
small typo, closes gh-1725 (Thx @seth-reeser)
2017-03-24 19:03:17 +01:00
sebres
5e93bf9bd3
Introduced new option "ignoreself", specifies whether the local resp. own IP addresses should be ignored (default is true).
...
Fail2ban will not ban a host which matches such addresses.
Option "ignoreip" affects additionally to "ignoreself" and don't need to include the DNS resp. IPs of the host self.
2017-03-23 15:52:31 +01:00
sebres
f13fac5ae9
amend to 5561423be3b2d4636f5484183c3ad470fd326d06: fixed incorrect failure counting despite the `<F-NOFAIL>` marked regex;
...
extra: introduced new tag `<F-MLFFORGET>` as mark to forget current multi-line MLFID (e. g. connection closed);
Closes gh-1727
2017-03-21 00:15:57 +01:00
sebres
5561423be3
filter.d/sshd.conf: fixed failregex format - some parts are optional, new ddos more precise rule (Connection reset by with host entry);
...
closes gh-1719
2017-03-15 18:01:20 +01:00
Viktor Szépe
d79267c424
Updated xarf-specification repo URL in xarf action
2017-03-14 20:47:31 +01:00
sebres
875295320e
Merge remote-tracking branch 'remotes/gh-upstream/0.10' into 0.10-full
2017-03-13 02:12:39 +01:00
sebres
0c1707afda
filter.d/sshd.conf:
...
- optional parameter `mode` rewritten: normal (default), ddos, extra or aggressive (combines all), see sshd for regex details);
test cases reformatted (since "filterOptions", we don't need multiple test log-files anymore);
2017-03-10 22:09:11 +01:00
sebres
7e442c5b27
filter.d/sendmail-reject.conf:
...
- rewritten using `prefregex` and used MLFID-related multi-line parsing (by using tag `<F-MLFID>` instead of buffering with `maxlines`);
- optional parameter `mode` introduced: normal (default), extra or aggressive (see sendmail-reject for regex details);
test cases extended
2017-03-10 21:44:19 +01:00
sebres
52ed6597b2
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2017-03-09 16:27:14 +01:00
sebres
8768776d68
filter.d/cyrus-imap.conf: fixed `failregex` - accept entries without login-info resp. hostname before IP address
2017-03-09 16:13:45 +01:00
Serg G. Brester
d042981954
Merge pull request #1655 from ajcollett/0.10
...
Added config for AbuseIPDB
2017-03-09 15:15:26 +01:00
Serg G. Brester
b1f5ac9484
Update abuseipdb.conf
2017-03-09 13:33:11 +01:00
Serg G. Brester
62fa02241f
Update jail.conf
2017-03-09 13:31:40 +01:00
sebres
6a2c95da95
`action.d/sendmail-geoip-lines.conf` fixed using new tag `<ip-host>` (dns-cache and without external command execution);
...
changelog updated;
2017-03-08 16:51:08 +01:00
sebres
28b5262976
Merge branch '0.10' into 0.10-full
2017-02-28 15:14:51 +01:00
sebres
d2a3d093c6
rewritten CallingMap: performance optimized, immutable, self-referencing, template possibility (used in new ActionInfo objects);
...
new ActionInfo handling: saves content between actions, without interim copying (save original on demand, recoverable via reset);
test cases extended
2017-02-24 11:54:24 +01:00
sebres
35efca5941
Better multi-line handling introduced: single-line parsing with caching of needed failure information to process in further lines.
...
Many times faster and fewer CPU-hungry because of parsing with `maxlines=1`, so without line buffering (scrolling of the buffer-window).
Combination of tags `<F-MLFID>` and `<F-NOFAIL>` can be used now to process multi-line logs using single-line expressions:
- tag `<F-MLFID>`: used to identify resp. store failure info for groups of log-lines with the same identifier (e. g. combined failure-info for the same conn-id by `<F-MLFID>(?:conn-id)</F-MLFID>`, see sshd.conf for example)
- tag `<F-NOFAIL>`: used as mark for no-failure (helper to accumulate common failure-info);
filter.d/sshd.conf: [sshd], [sshd-ddos], [sshd-aggressive] optimized with pre-filtering using new option `prefregex` and new multi-line handling.
2017-02-22 22:19:43 +01:00
sebres
22afdbd536
Several filters optimized with pre-filtering using new option `prefregex`
2017-02-21 15:54:59 +01:00
sebres
4ff8d051f4
Introduced new filter option `prefregex` for pre-filtering using single regular expression;
...
Some filters extended with user name;
[filter.d/pam-generic.conf]: grave fix injection on user name to host fixed;
test-cases in testSampleRegexsFactory can now check the captured groups (using additionally fields in failJSON structure)
2017-02-20 16:54:17 +01:00
Serg G. Brester
2fa18a74c4
Merge branch 'master' into master
2017-02-17 09:06:09 +01:00
sebres
4bf09bf297
provides new tag `<ip-rev>` for PTR reversed representation of IP address;
...
[action.d/complain.conf] fixed using this new tag;
2017-02-16 13:38:20 +01:00
Serg G. Brester
7f63809afb
Merge branch '0.10' into patch-1
2017-02-15 20:33:36 +01:00
sebres
a4ec017d1c
Merge branch '0.10' into 0.10-full
2017-02-15 09:26:01 +01:00
Christoph Theis
861ce4177c
#1689 : Make lowest rule number in action.d/bsd-ipfw.conf configurable
2017-02-14 18:31:42 +01:00
Felix Yan
68d829c1dd
Add a path configuration for Arch Linux
2017-02-14 18:43:01 +08:00
Jan Grewe
58c68b75f0
Remove double-quotes from email addresses
2017-02-08 14:16:13 +01:00
Jan Grewe
1bcf0de7c1
Update complain.conf
2017-02-07 21:39:46 +01:00
Filippo Tessarotto
607568f5da
Postfix RBL: 554 & SMTP
2017-02-07 15:26:06 +01:00
Jan Grewe
901eeff53d
Make Abusix lookup compatible with Dash
2017-02-06 22:04:36 +01:00
sebres
99634638ba
Merge branch '0.10' into 0.10-full
2017-01-23 09:51:36 +01:00
sebres
1823571e0f
Merge branch 'ssh-filter-new-regexp' into 0.10
2017-01-23 08:58:43 +01:00
sebres
9d06f0ee40
sshd-amend: optional space after port part
2017-01-23 08:56:47 +01:00
sebres
e8a1556562
Merge remote-tracking branch 'master' into 0.10
...
# Conflicts:
# fail2ban/tests/samplestestcase.py
2017-01-21 16:59:41 +01:00
sebres
54a8c681ce
suhosin.conf: removed greedy match
2017-01-21 16:26:07 +01:00
sebres
8aa9516d50
sshd.conf: fixed expression "received disconnect ... auth fail" - optional space after port part (gh-1652)
2017-01-21 16:18:03 +01:00
sebres
3276bd6d54
sshd: additionally aggressive filter rules - no matching cipher resp. no matching key exchange method (gh-1545, gh-1117)
2017-01-21 15:57:05 +01:00
sebres
628789f9a9
sshd: conditional parameter "mode" for sshd jail (normal, ddos, aggressive)
...
filter sshd-ddos and new filter sshd-aggressive are both derivation of sshd-filter
2017-01-21 15:54:49 +01:00
sebres
dd373dba9f
test all config-regexp, that contains greedy catch-all before <HOST>, that is hard-anchored at end or precise sub expression after <HOST>;
...
new ssh rule(s) added:
- Connection reset by peer (multi-line rule during authorization process);
- No supported authentication methods available;
Single line and multi-line expression optimized, added optional prefixes and suffix (logged from several ssh versions);
closes gh-864
2017-01-21 15:53:48 +01:00
Christian Brandlehner
a4d8426401
Support for IBM Domino SMTP task ( #1603 )
...
filter.d/domino-smtp.conf
2017-01-20 08:44:20 +01:00
Serg G. Brester
40f294e6bf
Merge pull request #1663 from jjeziorny/netscaler-action
...
Introduced citrix netscaler action
2017-01-19 16:25:23 +01:00
Juliano Jeziorny
1fe554dd25
Introduced Citrix Netscaler action
2017-01-19 14:30:25 +01:00
Christoph Theis
6187431629
#1667 : Wrong paths for apache and nginx under FreeBSD
2017-01-17 11:48:25 +01:00
sebres
74a6afadd5
Mail-actions switched to use new option "norestored" instead of checking of variable `restored` during shell execution (prevents executing of such actions at all).
2017-01-16 09:40:48 +01:00
sebres
ee3c787cc6
Recognize restored (from database) tickets after restart (tell action restored state of the ticket);
...
Prevent executing of several actions (e.g. mail, send-mail etc) on restart (bans were already notified).
Test cases extended (smtp and by restart in ServerReloadTest).
Closes gh-1141
Closes gh-921
2017-01-13 19:06:17 +01:00
sebres
7019640eb3
Merge branch 'fix-gh-1658' into 0.10
2017-01-10 12:59:51 +01:00
sebres
a9523aefbb
sshd.conf: fixed non-anchored part of regex (misleading match of colon inside IPv6 address instead of `: ` in the reason-part by missing space).
2017-01-10 12:58:44 +01:00
sebres
c9f32f75e6
Merge branch '0.9-fix-regex-using-journal' into 0.10-fix-regex-using-journal (merge point against 0.9 after back-porting gh-1660 from 0.10)
2017-01-10 11:25:41 +01:00
Andrew James Collett
3991f51f30
Update jail.conf
...
Sigh, added a space back that I somehow missed in Vim, despite it being a rebase...
2017-01-08 09:45:35 +02:00
Andrew James Collett
10d61e0779
Fixed the spaces again
2017-01-08 09:42:15 +02:00
Andrew James Collett
b35391e768
Update jail.conf
...
Fixing spacing
2017-01-08 09:30:00 +02:00
Andrew James Collett
1c41390f7c
Restructured the way the catagories work.
...
Jail.conf is cleaner and abuseipdb.conf is more flexible.
2017-01-08 09:26:11 +02:00
Andrew James Collett
55e107310f
Added config for AbuseIPDB, ony tested on Ubuntu 16.04
2017-01-07 14:24:54 +02:00
Viktor Szépe
81c1810f10
Introduce Cloudflare API v4
...
In the cloudflare action everyone is suggested to use API v4.
And I don't dare to contribute any actual change.
2016-12-31 21:30:57 +01:00
benrubson
cc311b56f3
Apache URIs can contain spaces
2016-12-23 22:57:24 +01:00
roedie
3adc16d266
Shorewall IPv6 suggested changes.
...
Change files as suggested by sebres.
2016-12-12 20:53:58 +01:00
Yaroslav Halchenko
31a1560eaa
minor typos (thanks Vincent Lefevre, Debian #847785 )
2016-12-11 15:13:11 -05:00
roedie
6e18508a07
Add shorewall IPv6 support
...
Small patch which allow fail2ban to use shorewall for IPv6 bans.
2016-12-11 20:44:54 +01:00
sebres
45f1d811c9
Merge branch 'alex1702-1586'
2016-11-28 18:54:02 +01:00
sebres
67c14afd8e
ChangeLog entry added + jail.conf review
2016-11-28 18:51:23 +01:00
sebres
425170cef3
code review, makes the test cases workable, added dev-notes
2016-11-28 18:39:07 +01:00
sebres
931eab84b5
`filter.d/apache-modsecurity.conf`
...
- fixed for newer version (one space, closes gh-1626)
reviewed and optimized:
- non-greedy catch-all replaced for safer match
- unneeded catch-all anchoring removed
- non-capturing groups
2016-11-28 11:28:27 +01:00
sebres
40cbe96352
Merge remote-tracking branch 0.10 into _0.10/fix-datedetector-grave-fix-v2
2016-11-28 11:03:11 +01:00
sebres
5678d08a79
filter.d/dovecot.conf update:
...
- fixes failregex, that ignores failures through some irrelevant info (closes #1623 );
- ignores whole additionally irrelevant info in anchored regex before fixed failure data `\((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\)`
- review, IPv6 compatibility fix, non-capturing groups
2016-11-26 16:50:37 +01:00
sebres
a2af19c9f0
fixed several actions, that could not work with jails using multiple logpath; additionally repaired execution in default shell (bad substitution by `${x//...}` executing in `/bin/sh`);
...
added helper "action.d/helpers-common.conf", and `_grep_logs` part-command for actions needed grep logs from multiple log-files
test cases: executing of some complex actions covered
2016-11-25 19:27:26 +01:00
Serg G. Brester
4f5389fee5
Update jail.conf
2016-11-24 19:30:10 +01:00
Johannes Weberhofer
f46ada023e
Use Fedora's backend-settings for openSUSE
...
Those settings are ok for newer openSUSE versions
2016-11-22 09:03:54 +01:00
sebres
b5433f48b7
amend after code review of merge gh-1581
2016-11-11 11:09:46 +01:00
sebres
bee6e7376b
Merge branch 'aclindsa:master'
2016-11-11 10:58:40 +01:00
sebres
ea4c1f6356
Merge branch 'master' into 0.10
2016-11-11 10:29:45 +01:00
sebres
dab5f56609
Merge branch 'fix-gh-1477'
2016-11-11 10:17:07 +01:00
Alex
8ac28e5dcb
Make changes and add test file
2016-11-10 13:09:32 +01:00
Alex
8c40766511
Add Mongodb-auth filter and jail
2016-11-10 12:48:24 +01:00
sebres
faee5f1fdc
better caching (thereby better performance), better recognition of similar regex
2016-10-17 11:20:30 +02:00
sebres
ae7297e16b
more precise date template handling (WARNING: this commit creates possible incompatibilities):
...
- datedetector rewritten more strict as earlier;
- default templates can be specified exacter using prefix/suffix syntax (via `datepattern`);
- more as one date pattern can be specified using option `datepattern` now (new-line separated);
- some default options like `datepattern` can be specified directly in section `[Definition]`, that avoids contrary usage of unnecessarily `[Init]` section, because of performance (each extra section costs time);
- option `datepattern` can be specified in jail also (jails without filters);
- if first group specified, only this will be cut out from search log-line (e. g.: `^date:[({DATE})]` will cut out only datetime match pattern, and leaves `date:[] failure ip...` for searching in filter);
- faster match and fewer searching of appropriate templates (DateDetector.matchTime calls rarer DateTemplate.matchDate now);
- standard filters extended with exact prefixed or anchored date templates;
template cache introduced (in opposition to default template cache, holds custom templates cached by pattern for possible common usage of same template/regex);
2016-10-17 11:20:27 +02:00
sebres
ab0ac2111c
added possibility to specify more precise default date pattern:
...
- `datepattern = {^LN-BEG}` - only line-begin anchored default patterns
(matches date only at begin of line, or with max distance up to 2 non-alphanumeric characters from line-begin);
- `datepattern = {*WD-BEG}` - only word-begin anchored default patterns;
- `datepattern = ^prefix{DATE}suffix` - exact specified default patterns (using prefix and suffix);
common filter configs gets a more precise, line-begin anchored (datepattern = {^LN-BEG}) resp. custom anchoring default date-patterns;
2016-10-17 11:18:30 +02:00
sebres
a7d9de8c52
[temp commit] 1st try to optimize datedetector/datetemplate functionality (fix ambiguous resp. misleading date detection if several formats used in log resp. by format switch after restart of some services):
...
* Misleading date patterns defined more precisely (using extended syntax %E[mdHMS]
for exact two-digit match)
* `filter.d/freeswitch.conf`
- Optional prefixes (server, daemon, dual time) if systemd daemon logs used (gh-1548)
- User part rewritten to accept IPv6 resp. domain after "@" (gh-1548)
2016-10-17 11:16:20 +02:00
Aaron Lindsay
7805f9972d
filter.d/sshd.conf: Match 'Invalid user' with 'port \d*'
2016-10-15 15:52:19 -04:00
sebres
84c3eb3e0e
filter.d/sendmail-reject.conf: double space (should be by missing dns-host only)
...
Closes #1578
2016-10-15 14:53:45 +02:00
sebres
53adc9d84a
Merge branch 0.10-full with 0.10
...
Resolved several conflicts and code review after merge
2016-10-14 19:55:20 +02:00
sebres
c809c3e61e
Merge branch 'master' into 0.10
2016-10-13 19:01:13 +02:00
Nils
d08db22b92
Create npf.conf for the NPF packet filter
...
This file adds support for the NPF packet filter, available on NetBSD since version 6.0
2016-10-13 18:50:54 +02:00
sebres
fa8184d4cc
fixes deprecated DNSUtils.IsValidIP in fakegooglebot ignore command + test covered now;
...
Closes #1559
2016-10-05 15:01:33 +02:00
sebres
ee1727ecca
Merge pull request #1563 from niklasf/fix-lazy-ipv6-regex (and sebres/fix-lazy-ipv6-regex) into 0.10
2016-09-30 13:34:54 +02:00
sebres
9bf8985e2a
nginx-limit-req.conf: more precise failregex (word-boundary if `<HOST>` should be non-greedy for some reasons)
2016-09-30 12:33:43 +02:00
Serg G. Brester
ba9a88977f
Merge pull request #1562 from sebres/_0.10/fix-stability-and-speed
...
0.10/fix stability and speed optimization
2016-09-30 12:14:51 +02:00
sebres
8b0f6c5413
badips test cases check availability of badips service (and skip this tests if it not available)
2016-09-30 12:03:27 +02:00
sebres
310d4e224d
Merge branch master (0.9) into 0.10
2016-09-29 19:46:11 +02:00
sebres
9fb167b5e1
filter.d/vsftpd.conf: optional reason message after FAIL LOGIN, closes #1543
2016-09-09 09:20:15 +02:00
sebres
c0e0cfb39d
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2016-09-01 16:23:13 +02:00
sebres
4a1d720344
filter.d/asterisk.conf: another part ` chan_sip.c:28468 handle_request_register:` in log prefix
2016-08-22 14:10:50 +02:00
sebres
2c54f90469
sshd-filter: better universal regexp, that matches more complex different injects, using conditional expressions (on username and auth-info section), see new test cases also.
2016-08-19 10:19:12 +02:00
sebres
a544c5abac
sshd-filter: recognized "Failed publickey for" now (gh-1477) + improved regexp (not anchored now to recognize all "Failed anything for ... from <HOST>"
...
ChangeLog entry added
2016-08-18 21:38:55 +02:00
sebres
18ebd9ac21
Merge branches 0.10-full and 0.10
2016-08-17 18:00:25 +02:00
sebres
d71a525a85
Merge branch 'master' into 0.10 (resolve conflicts and cleaning tree points after back-porting gh-1508 0.10 -> 0.9)
2016-08-12 18:51:56 +02:00
sebres
38d53a72fd
introduces new command "fail2ban-python", as automatically created symlink to python executable, where fail2ban currently installed (resp. its modules are located);
...
fixed pythonic filters and test scripts (running via "fail2ban-python" now);
fixed test case "testSetupInstallRoot" not for default python (also using direct call, out of virtualenv);
# Conflicts:
# config/filter.d/ignorecommands/apache-fakegooglebot
# fail2ban/tests/files/config/apache-auth/digest.py
# fail2ban/tests/files/ignorecommand.py
# fail2ban/tests/misctestcase.py
2016-08-12 17:58:37 +02:00
sebres
77f451c4a3
introduces new command "fail2ban-python", as automatically created symlink to python executable, where fail2ban currently installed (resp. its modules are located);
...
fixed pythonic filters and test scripts (running via "fail2ban-python" now);
fixed test case "testSetupInstallRoot" not for default python (also using direct call, out of virtualenv);
2016-08-11 18:34:18 +02:00
maksyms
9ddbd642f7
Accept no space after "failed:" ( #1501 )
...
yoh: Squashed to ease cherry-picking into 0.9
* accept no space after "failed:"
fix issue #1497
* accept no space after "failed:"
* Update postfix-sasl
* Update postfix-sasl
* Update postfix-sasl
2016-08-08 17:09:47 -04:00
maksyms
04427adb95
Accept no space after "failed:" ( #1501 )
...
yoh: Squashed to ease cherry-picking into 0.9
* accept no space after "failed:"
fix issue #1497
* accept no space after "failed:"
* Update postfix-sasl
* Update postfix-sasl
* Update postfix-sasl
2016-08-08 17:07:55 -04:00
sebres
c52aaa8b78
ASSP failregex minor fixes
2016-08-08 19:06:28 +02:00
sebres
70658d7a19
Merge pull request #1494 from rhardy613/master (branch 'sebres:pr-1494')
2016-08-08 18:49:32 +02:00
rhardy613
8265e3f0f9
Fix comments
...
For some reasons the comment changes weren't pickup in the last commit.
This fixes it.
2016-08-05 23:25:15 -04:00
rhardy613
66fe5a77ce
Fix ASSP filter to work with both ASSP V1 and V2
...
ASSP V1 development stopped at the end of 2014 and it is now deprecated.
All users were urged to upgrade to ASSP V2 which is still actively
developed.
fail2ban 0.9.5 (and trunk) still have code which only understands ASSP
V1 logs.
This means the filter ignores brute force attacks against ASSP. This fix
adds V2 support.
2016-08-05 23:18:51 -04:00
rhardy613
890a3dcbb9
Fix ASSP filter to work with current release of ASSP
...
ASSP V1 development stopped at the end of 2014 and it is now deprecated.
All users were urged to upgrade to ASSP V2 which is still actively
developed. For some reason fail2ban 0.9.5 (and trunk) still have code
which only understands ASSP V1 logs. This means the filter ignores brute
force attacks against ASSP.
Now updated with anchored patterns tested against 6 months of log data.
2016-08-05 17:26:47 -04:00
Yaroslav Halchenko
c0994b0c6c
DOC: minor typo (thanks John Bernard) Closes #1496
2016-08-04 10:23:05 -04:00