github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity
829 Commits
33 Branches
229 Tags
19 MiB
Commit Graph

100 Commits (b3d8ba146b52478262d0637b8bab06cb6cb6aa20)

Author SHA1 Message Date
pigsyn f336d9f876 Update config/filter.d/webmin-auth.conf 
Added '\s*$' to the regular expression to match the space written by webmin logs at line-endings
 2012-12-13 08:14:49 +01:00
pigsyn dc67b24270 Update config/filter.d/webmin-auth.conf 
Added a trailing '.*$' to each regex so they can find expressions in targeted log files.
 2012-12-12 23:07:39 +01:00
Yaroslav Halchenko 3969e3f77b ENH: dovecot.conf - require space(s) before rip/rhost log entry 2012-12-12 09:16:52 -05:00
hamilton5 266cdc29a6 Update config/filter.d/dovecot.conf 
even tho not on the fail2ban site..
suggested to not be greedy by yarikoptic
 2012-12-11 12:09:28 -05:00
hamilton5 e040c6d8a3 Update config/filter.d/dovecot.conf 
site actually needs updated because of <HOST> alias 
per Notes above.
 2012-12-11 03:26:14 -05:00
hamilton5 7ede1e8518 Update config/filter.d/dovecot.conf 
added failregex line for debian and centos per 
http://www.fail2ban.org/wiki/index.php/Talk:Dovecot
 2012-12-10 19:17:04 -05:00
Yaroslav Halchenko fc27e00290 ENH: tune up sshd-ddos to use common.conf and allow training spaces 2012-12-07 15:24:34 -05:00
Yaroslav Halchenko 6ecf4fd80a Merge pull request #64 from sourcejedi/remove_sshd_rdns 
Misconfigured DNS should not ban *successful* ssh logins

Per our discussion indeed better (and still as "safe") to not punish users behind bad DNS
 2012-11-05 18:20:37 -08:00
Yaroslav Halchenko 282724a7f9 ENH: join both failregex for lighttpd-auth into a single one 
they are close in meaning
should provide a slight run-time performance benefit
 2012-09-30 11:30:24 -04:00
François Boulogne 958a1b0a40 Lighttpd: support auth.backend = "htdigest" 2012-09-30 13:27:21 +02:00
Yaroslav Halchenko 2082fee7b1 ENH: match possibly present "pam_unix(sshd:auth):" portion for sshd (Closes: #648020) 2012-07-31 15:53:41 -04:00
Yaroslav Halchenko 6ad55f64b3 ENH: add wu-ftpd failregex for use against syslog (Closes: #514239) 2012-07-31 15:43:13 -04:00
Alan Jenkins 8c38907016 Misconfigured DNS should not ban *successful* ssh logins 
Noticed while looking at the source (to see the point of ssh-ddos).

POSSIBLE BREAK-IN ATTEMPT - sounds scary?  But keep reading
the message.  It's not a login failure.  It's a warning about
reverse-DNS.  The login can still succeed, and if it _does_ fail,
that will be logged as normal.

<exhibit n="1">
Jul  9 05:43:00 brick sshd[18971]: Address 200.41.233.234 maps to host234.advance.com.
ar, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jul  9 05:43:00 brick sshd[18971]: Invalid user html from 200.41.233.234
</exhibit>

The problem (in my mind) is that some users are stuck with bad dns.
The warning won't stop them from logging in.  I'm pretty sure they can't
even see it.  But when they exceed a threshold number of logins -
which could be all successful logins - fail2ban will trigger.

fail2ban shouldn't adding additional checks to successful logins
 - it goes against the name fail2ban :)
 - the first X "POSSIBLE BREAK-IN ATTEMPT"s would be permitted anyway
 - if you want to ban bad DNS, the right way is PARANOID in /etc/hosts.deny

I've checked the source of OpenSSH, and this will only affect the
reverse-DNS error.  (I won't be offended if you want to check
for yourself though ;)

<exhibit n="2">
$ grep -r -h -C1 'ATTEMPT' openssh-5.5p1/
                logit("reverse mapping checking getaddrinfo for %.700s "
                    "[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop);
                return xstrdup(ntop);
--
                logit("Address %.100s maps to %.600s, but this does not "
                    "map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
                    ntop, name);
$
</exhibit>
 2012-07-13 21:41:58 +01:00
Petr Voralek 4007751191 ENH: catch failed ssh logins due to being listed in DenyUsers. Close gh-47 (Closes: #669063) 2012-04-16 20:36:53 -04:00
Yaroslav Halchenko 71a3fb17e2 Merge remote-tracking branch 'gh-magicrhesus/master' 
* gh-magicrhesus/master:
  Add the INCLUDE section to use __pid_re feature
  Disable asterisk jail by default
  Change jail for asterisk, add support for SIP and SIP-TLS on TCP and UDP ports
  Change NOTICE by NOTICE%(__pid_re)s
  Remove custom bantime
  Add sample log file for asterisk
  Add $ at the end of the failregex
  Add asterisk support

Conflicts:
	config/jail.conf -- placed asterisk jails before recidive and added blank lines after the jail headers
 2012-02-28 12:03:16 -05:00
Xavier Devlamynck 8c00ce0a65 Add the INCLUDE section to use __pid_re feature 2012-02-28 17:28:06 +01:00
Xavier Devlamynck c679a1a588 Change NOTICE by NOTICE%(__pid_re)s 2012-02-21 18:05:53 +01:00
Xavier D d98cdb25d6 Add $ at the end of the failregex 2012-02-13 17:11:32 +01:00
Yaroslav Halchenko 25f1e8d98c BF: allow trailing whitespace in few missing it regexes for sshd.conf 2012-02-10 21:14:51 -05:00
Yaroslav Halchenko 1807be5a8c ENH: moved jail definition for recidive into jail.conf + swapped/commented durations + non-groupping ?: 
thanks @cepheid666 for the useful comments
 2012-01-26 23:28:44 -05:00
Tom Hendrikx f94a121663 Fix for https://github.com/fail2ban/fail2ban/issues/19 
Based on previous work as documented in the bug by Amir and myself,
plus some enhancements and documentation added to the file itself rather
than a URL (they rot).
 2012-01-26 23:33:01 +01:00
Xavier Devlamynck 7d465f98c1 Add asterisk support 2012-01-11 16:35:40 +01:00
Yaroslav Halchenko 4c76fb3b54 ENH: allow trailing white-spaces in lighttpd-auth.conf 
now catches the one in testcases/files/logs/lighttpd
 2011-12-25 10:00:50 -05:00
François Boulogne 683d4f269d modifications suggested by a referee (log ex+regexp) 2011-12-24 22:24:08 +01:00
François Boulogne b6d9f795dc add filter for lighttpd mod_auth failure 2011-12-24 21:51:18 +01:00
Yaroslav Halchenko a9be451079 ENH: removed expansion for few Date and Revision SVN keywords 
For consistency of appearance... eventually we might just remove them
altogether
 2011-11-18 10:14:39 -05:00
Yaroslav Halchenko dad91f7969 ENH: sshd.conf -- allow user names to have spaces and trailing spaces in the line 
absorbed from patches carried by Debian distribution of f2b
 2011-11-18 10:07:13 -05:00
Yaroslav Halchenko ed0bf3ad96 Removed duplicate entry for DataCha0s/2\.0 in badbots (closes: #519557) 2011-11-18 09:40:56 -05:00
Adam Spiers 3152afbdc2 Recognise time-stamped kernel messages 
e.g.

Sep 25 12:51:04 myhost kernel: [773580.832329] sshd[25557]: Invalid user pgsql from 91.203.223.206

This fixes the sshd filter on Fedora 15, and probably other filters on
other newish distros too.
 2011-09-28 12:46:28 -04:00
Yaroslav Halchenko 3eb5e3b876 BF: Allow for trailing spaces in sasl logs 
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@783 a942ae1a-1317-0410-a47c-b1dcaea8d605
 2011-08-07 02:41:08 +00:00
Yaroslav Halchenko 6d25310e28 ENH: Adding author for dovecot filter and prunning unneeded space in the regexp 
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@776 a942ae1a-1317-0410-a47c-b1dcaea8d605
 2011-03-23 21:38:26 +00:00
Yaroslav Halchenko eab9af9caa BF: proftpd filter -- if login failed -- count regardless of the reason for failure 
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@775 a942ae1a-1317-0410-a47c-b1dcaea8d605
 2011-03-23 20:37:19 +00:00
Yaroslav Halchenko d4b89d8404 BF: Allow for trailing spaces in proftpd logs 
See http://bugs.debian.org/507986

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@774 a942ae1a-1317-0410-a47c-b1dcaea8d605
 2011-03-23 20:37:10 +00:00
Yaroslav Halchenko 1cb48bbc96 BF: escaping () in pure-ftpd filter. Thanks Teodor 
See http://bugs.debian.org/544744

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@773 a942ae1a-1317-0410-a47c-b1dcaea8d605
 2011-03-23 20:37:00 +00:00
Yaroslav Halchenko 02e7dfb099 BF: allow space in the trailing of failregex for sasl.conf: see http://bugs.debian.org/573314 
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@772 a942ae1a-1317-0410-a47c-b1dcaea8d605
 2011-03-23 20:36:50 +00:00
Yaroslav Halchenko 6558c03f8e NF: Adding found on a drive filter.d/dovecot.conf 
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@770 a942ae1a-1317-0410-a47c-b1dcaea8d605
 2011-03-23 20:36:28 +00:00
Yaroslav Halchenko 10faba5163 ENH: make filter.d/apache-overflows.conf catch more: see http://bugs.debian.org/574182 
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@769 a942ae1a-1317-0410-a47c-b1dcaea8d605
 2011-03-23 20:36:17 +00:00
Yaroslav Halchenko 0073ba3838 ENH: dropbear filter: see http://bugs.debian.org/546913 
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@768 a942ae1a-1317-0410-a47c-b1dcaea8d605
 2011-03-23 20:36:08 +00:00
Arturo 'Buanzo' Busleiman dde7afe1f3 added two new filter files (PHP url_fopen, lighttpd fastcgi alerts), updated MANIFEST and jail.conf accordingly 
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@742 a942ae1a-1317-0410-a47c-b1dcaea8d605
 2009-08-30 14:17:29 +00:00
Cyril Jaquier 55fd21ec4b - Made the named-refused regex a bit less restrictive in order to match logs with "view". Thanks to Stephen Gildea. 
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@730 a942ae1a-1317-0410-a47c-b1dcaea8d605
 2009-02-09 20:27:35 +00:00
Cyril Jaquier abd061bad8 - Changed <HOST> template to be more restrictive. Debian bug #514163. 
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@728 a942ae1a-1317-0410-a47c-b1dcaea8d605
 2009-02-08 17:31:24 +00:00
Cyril Jaquier 7fd0300a73 - Added cyrus-imap and sieve filters. Thanks to Jan Wagner. Debian bug #513953. 
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@727 a942ae1a-1317-0410-a47c-b1dcaea8d605
 2009-02-03 22:37:46 +00:00
Cyril Jaquier 376f348823 - Pull a commit from Yaroslav git repo. BF: addressing added bang to ssh log (closes: #512193). 
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@726 a942ae1a-1317-0410-a47c-b1dcaea8d605
 2009-02-03 21:56:03 +00:00
Cyril Jaquier e46e8ed32e - Improved SASL filter. Thanks to Loic Pefferkorn. Tracker #2310410. 
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@723 a942ae1a-1317-0410-a47c-b1dcaea8d605
 2009-01-27 23:35:46 +00:00
Cyril Jaquier 622218271d - Added svn:keywords property. 
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@716 a942ae1a-1317-0410-a47c-b1dcaea8d605
 2008-10-13 14:38:41 +00:00
Cyril Jaquier bb8e610795 - Added apache-nohome.conf. Thanks to Yaroslav Halchenko. 
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@715 a942ae1a-1317-0410-a47c-b1dcaea8d605
 2008-10-13 14:37:25 +00:00
Cyril Jaquier 391a38a7a8 - Added new regex. Thanks to Tobias Offermann. 
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@713 a942ae1a-1317-0410-a47c-b1dcaea8d605
 2008-10-10 16:00:10 +00:00
Cyril Jaquier 3615c8ec81 - Improved pattern. Thanks to Yaroslav Halchenko. 
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@707 a942ae1a-1317-0410-a47c-b1dcaea8d605
 2008-08-12 19:20:02 +00:00
Cyril Jaquier 155c4652a4 - Merged patches from Debian package. Thanks to Yaroslav Halchenko. 
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@706 a942ae1a-1317-0410-a47c-b1dcaea8d605
 2008-07-22 22:29:57 +00:00
Cyril Jaquier 11c8c71014 - Added missing ignoreregex to filters. Thanks to Klaus Lehmann. 
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@699 a942ae1a-1317-0410-a47c-b1dcaea8d605
 2008-05-21 22:17:00 +00:00