Commit Graph

3158 Commits (af088eefcef8ba70713a15ec9fc75c2637634f92)

Author SHA1 Message Date
Daniel Black 79da66df5d Merge pull request #591 from grooverdan/master_to_0.9
MRG: Master to 0.9 2014-01-19
2014-01-18 20:12:11 -08:00
Daniel Black a650178bd1 MRG: merge from master 2014-01-19 2014-01-19 14:48:29 +11:00
Steven Hiscocks 77aab8d97a Merge pull request #590 from grooverdan/kerio
Kerio filter for #120 also fix fail2ban-regex for datepattern
2014-01-18 04:58:58 -08:00
Daniel Black 97c7d391a4 BF: remove duplicate implementation of reading datepatterns in fail2ban-regex 2014-01-18 23:52:20 +11:00
Daniel Black 10edd994d1 DOC: ChangeLog for kerio filters 2014-01-18 23:21:44 +11:00
Daniel Black 263ac32730 ENH: test log samples for kerio thanks to
Tony Lawrence
2014-01-18 23:18:33 +11:00
Steven Hiscocks 0b4dd6272c Merge pull request #589 from grooverdan/one-bad-regex-gh-585
fault tolerance when pushing multiple configurations
2014-01-18 03:27:52 -08:00
Daniel Black 59b1e225e9 DOC/ENH: update man pages for release 2014-01-18 21:13:55 +11:00
Daniel Black 5ade6a13af DOC: ChangeLog dating and normalisation 2014-01-18 21:00:24 +11:00
Daniel Black 058621f9bd ENH: continue with rest of fail2ban config even if errors. Closes gh-585 2014-01-18 20:16:38 +11:00
Daniel Black 2647461a3c DOC: ChangeLog. Note incompatible changes and group new filters and actions under New Features 2014-01-18 19:38:25 +11:00
Daniel Black c6c75dd19e BF: complete MANIFEST 2014-01-18 19:28:21 +11:00
Daniel Black 224e795f4c DOC: note in man page about "last message repeated" syslog compression. Closes Debian bug #620364 2014-01-18 19:12:33 +11:00
Daniel Black 1452be4a3a Merge pull request #588 from grooverdan/badips
ENH: Badips action (reporting)
2014-01-17 23:10:29 -08:00
Daniel Black f5d6f384f7 Merge pull request #587 from grooverdan/dovecot-586
BF: Dovecot filter fix
2014-01-17 23:10:06 -08:00
Daniel Black 93613e82f0 DOC: credits for action.d/badips 2014-01-15 09:40:18 +11:00
Daniel Black f566cab766 Merge branch 'master' into badips 2014-01-15 09:37:11 +11:00
Daniel Black 657da2041c BF: dovecot filters, session characters and order of session/tls in log messages 2014-01-15 08:02:47 +11:00
Ivo Truxa 4765bc757c BF Dovecot auth failures
I am sorry, I installed the Win GIT, but still did not learn how to work with it, so am posting here again. This time, I'll avoid posting two pull requests, so please fix the dovecot.filter for me, if you don't mind.

This current filter does not match authentication errors in my Dovecot logs (two different lines attached). First of all, the session string is at the end (after the optional TLS string), and not before it as it is now in the filter. I don't see it anywhere in the other logs here in the opposite order, hence I assume it is the rule for all installations. And then, the session ID can include also other characters than those matched by \w+ (i.e. the slash and the plus signs in my case), hence it needs to be \S+ instead. Personally, I'd do the regex much less restrictive than it is, but if I follow the current logic, the following form works:

<pre>^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use disabled \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?(, session=<\S+>)?\s*$</pre>
2014-01-14 17:59:40 +01:00
Daniel Black 2333b2d5d9 MRG: from 0.9 2014-01-13 22:17:14 +11:00
Daniel Black 703d337a39 Merge pull request #580 from grooverdan/master_to_0.9
MRG: Master to 0.9
2014-01-13 02:37:07 -08:00
Daniel Black c7f887642d Merge branch '0.9' into master_to_0.9 2014-01-13 21:23:42 +11:00
Daniel Black 3de80545e0 MRG: from master 2014/01/13 2014-01-13 21:23:39 +11:00
Daniel Black 01e5ae1234 Merge pull request #584 from grooverdan/exim-auth
ENH: Exim auth
2014-01-13 02:20:47 -08:00
Daniel Black b60449e5c7 Merge pull request #579 from grooverdan/squirrelmail
ENH: Squirrelmail filter
2014-01-13 02:19:34 -08:00
Daniel Black 812463003d Merge pull request #582 from grooverdan/postfix
ENH: add improper command pipelining postfix filter
2014-01-13 02:18:57 -08:00
Daniel Black 08b4f3e5f2 Merge branch 'patch-5' of https://github.com/truxoft/fail2ban into exim-auth 2014-01-13 19:26:12 +11:00
Daniel Black 353b84a648 Merge branch 'patch-4' of https://github.com/truxoft/fail2ban into exim-auth 2014-01-13 19:25:46 +11:00
Lars Kneschke 47dd8fb897 ENH: filter for Tine 2.0 2014-01-13 06:04:59 +01:00
Ivo Truxa 2d8c0b26e4 Matching any Exim authentication name
As explained in https://github.com/grooverdan/fail2ban/pull/4, in Exim there can be used plenty of other standard authentication names, and in fact the names can be custom. The failregex in Exim filter should catch authentication errors regardless of the name of the authentication. Hence replacing the plain|login with the general \w+
2014-01-13 01:38:49 +01:00
Ivo Truxa 9f107403e8 Update exim
When using Dovecot authentication for Exim, which is relatively common, the current regex for catching authentication failures needs a small tweak. The current plain|login options are too limiting and will only work in the cases when only the Exim's rudimentary built-in authentication is used. There can be not only the dovecot_login shown in this log example, but also dovecot_plain, ntlm, cram, cyrus, md5, and plenty of others. In fact many admins may opt for their own authentication labels, when setting up Exim. For this reason the regex should catch any label. I suggest modifying the regex in the following way:

<pre>^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$</pre>
2014-01-13 01:18:09 +01:00
Daniel Black 6b0e6b9bca ENH: add improper command pipelining postfix filter 2014-01-13 06:59:59 +11:00
Steven Hiscocks d41f372c6c BF: Typo in "z" regex addition for TimeRE 2014-01-12 19:09:11 +00:00
Steven Hiscocks 5c16ac3a89 ENH: Full regex for datepattern, utilising modified Python `_strptime` 2014-01-12 18:59:31 +00:00
Daniel Black a443b8b4d3 BF: remove second jail definition 2014-01-12 21:45:39 +11:00
Daniel Black 7b6ee64b9e DOC: add over pruned bits of jail.conf.5 2014-01-12 21:43:11 +11:00
Daniel Black cd3e94140c MRG: complete merge 2014-01-12 21:16:55 +11:00
Daniel Black f2e55e8499 ENH: add filter for squirrelmail. Closes gh-261 2014-01-12 20:27:36 +11:00
Daniel Black 1e8ed55a36 MRG: from 0.9 2014-01-12 20:15:34 +11:00
Daniel Black 5deb1f8ddc Merge pull request #578 from dozepih/asterisk-acl
ENH: Support ACL-events without AccountID. Typically happens when a registration from unknown domain
2014-01-11 18:32:53 -08:00
Tomas Pihl b52a4441fd Support ACL-events without AccountID. Typically happens when a registration
from an unknown domain is performed.

Add credits
2014-01-12 01:28:55 +01:00
Steven Hiscocks 0dd6533680 BF: Add ejabberd-auth to jail.conf 2014-01-09 23:22:12 +00:00
Steven Hiscocks e73090d040 Merge pull request #577 from grooverdan/rel-imports
ENH: fix test case imports to relative
2014-01-09 15:14:20 -08:00
Daniel Black e9752d8d29 ENH: fix test case imports to relative 2014-01-10 10:04:05 +11:00
Daniel Black 928f566d19 Merge pull request #576 from kwirk/ejabberd-filter
ENH: ejabberd filter
2014-01-09 14:52:18 -08:00
Steven Hiscocks 62cfad3c2d Merge pull request #575 from grooverdan/no-dot-filters
ENH: don't run samples on filter filenames beginning with .
2014-01-09 14:49:47 -08:00
Steven Hiscocks 6a6139f1e1 Merge pull request #574 from grooverdan/master-tag-subst
TST: for tag substitution, multiple on same line
2014-01-09 14:49:08 -08:00
Steven Hiscocks 128112d51c ENH: ejabberd filter 2014-01-09 22:47:17 +00:00
Daniel Black 8e8c80d980 ENH: don't run samples on filter filenames beginning with . 2014-01-10 09:44:30 +11:00
Daniel Black cd5aab5ff1 TST: for tag substitution, multiple on same line 2014-01-10 09:20:56 +11:00