Commit Graph

44 Commits (bb32295b50a0277e1cb85f5e533d458aa8a21fe6)

Author SHA1 Message Date
Yaroslav Halchenko e7cb0f8b8c ENH: filter.d/sshd.conf -- allow for trailing "via IP" in logs 2013-05-07 12:22:49 -04:00
Yaroslav Halchenko 2143cdff39 Merge: opensolaris docs/fixes, no 'sed -i' in hostsdeny, sshd regex tuneups
Origin: from https://github.com/jamesstout/fail2ban

* 'OpenSolaris' of https://github.com/jamesstout/fail2ban:
  ENH: Removed unused log line
  BF: fail2ban.local needs section headers
  ENH: Use .local config files for logtarget and jail
  ENH+TST: ssh failure messages for OpenSolaris and OS X
  ENH: fail message matching for OpenSolaris and OS X
  ENH: extra daemon info regex
  ENH: actionunban back to a sed command
  Readme for config on Solaris
  create socket/pid dir if needed
  Extra patterns for Solaris
  change sed to perl for Solaris

Conflicts:
	config/filter.d/sshd.conf
2013-05-06 11:11:12 -04:00
Yaroslav Halchenko 822a01018f Merge pull request #205 from grooverdan/bsd_ssh
BSD ssh improvements (casing, msg)
2013-05-06 07:54:58 -07:00
Daniel Black 40c56b10a0 EHN: enhance sshd filter for bsd. 2013-05-03 16:17:35 +10:00
Daniel Black 495f2dd877 DOC: purge of svn tags 2013-05-03 16:03:38 +10:00
jamesstout 3367dbd987 ENH: fail message matching for OpenSolaris and OS X
- OpenSolaris keyboard message matched by new regex 3
- Removed Bye Bye regex per
https://github.com/fail2ban/fail2ban/issues/175#issuecomment-16538036
- PAM auth failure or error and first char case-insensitive, can also
have chars after the hostname. e.g.

Apr 29 16:53:38 Jamess-iMac.local sshd[47831]: error: PAM:
authentication error for james from 205.186.180.101 via 192.168.1.201
2013-04-30 04:23:13 +08:00
jamesstout 10fcfb925d Extra patterns for Solaris 2013-04-21 07:30:21 +08:00
Daniel Black 41b9f7b6ac BF: filter.d/sshd "Did not receive identification string" relates to an exploit so document this in sshd-ddos.conf but leave it out of authentication based blocks in sshd.conf 2013-04-18 04:38:03 +10:00
Daniel Black 32d10e904a ENH: more openssh fail messages from openssh source code (CVS 20121205) 2013-04-17 00:03:36 +10:00
Orion Poplawski bb7628591c Update config/filter.d/sshd.conf
Do not trigger sshd bans on pam_unix authentication failures, this will trigger on successful logins on systems that use non-pam_unix authentication (sssd, ldap, etc.).
2013-01-18 14:44:49 -07:00
Yaroslav Halchenko 6ecf4fd80a Merge pull request #64 from sourcejedi/remove_sshd_rdns
Misconfigured DNS should not ban *successful* ssh logins

Per our discussion indeed better (and still as "safe") to not punish users behind bad DNS
2012-11-05 18:20:37 -08:00
Yaroslav Halchenko 2082fee7b1 ENH: match possibly present "pam_unix(sshd:auth):" portion for sshd (Closes: #648020) 2012-07-31 15:53:41 -04:00
Alan Jenkins 8c38907016 Misconfigured DNS should not ban *successful* ssh logins
Noticed while looking at the source (to see the point of ssh-ddos).

POSSIBLE BREAK-IN ATTEMPT - sounds scary?  But keep reading
the message.  It's not a login failure.  It's a warning about
reverse-DNS.  The login can still succeed, and if it _does_ fail,
that will be logged as normal.

<exhibit n="1">
Jul  9 05:43:00 brick sshd[18971]: Address 200.41.233.234 maps to host234.advance.com.
ar, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jul  9 05:43:00 brick sshd[18971]: Invalid user html from 200.41.233.234
</exhibit>

The problem (in my mind) is that some users are stuck with bad dns.
The warning won't stop them from logging in.  I'm pretty sure they can't
even see it.  But when they exceed a threshold number of logins -
which could be all successful logins - fail2ban will trigger.

fail2ban shouldn't adding additional checks to successful logins
 - it goes against the name fail2ban :)
 - the first X "POSSIBLE BREAK-IN ATTEMPT"s would be permitted anyway
 - if you want to ban bad DNS, the right way is PARANOID in /etc/hosts.deny

I've checked the source of OpenSSH, and this will only affect the
reverse-DNS error.  (I won't be offended if you want to check
for yourself though ;)

<exhibit n="2">
$ grep -r -h -C1 'ATTEMPT' openssh-5.5p1/
                logit("reverse mapping checking getaddrinfo for %.700s "
                    "[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop);
                return xstrdup(ntop);
--
                logit("Address %.100s maps to %.600s, but this does not "
                    "map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
                    ntop, name);
$
</exhibit>
2012-07-13 21:41:58 +01:00
Petr Voralek 4007751191 ENH: catch failed ssh logins due to being listed in DenyUsers. Close gh-47 (Closes: #669063) 2012-04-16 20:36:53 -04:00
Yaroslav Halchenko 25f1e8d98c BF: allow trailing whitespace in few missing it regexes for sshd.conf 2012-02-10 21:14:51 -05:00
Yaroslav Halchenko dad91f7969 ENH: sshd.conf -- allow user names to have spaces and trailing spaces in the line
absorbed from patches carried by Debian distribution of f2b
2011-11-18 10:07:13 -05:00
Cyril Jaquier abd061bad8 - Changed <HOST> template to be more restrictive. Debian bug #514163.
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@728 a942ae1a-1317-0410-a47c-b1dcaea8d605
2009-02-08 17:31:24 +00:00
Cyril Jaquier 376f348823 - Pull a commit from Yaroslav git repo. BF: addressing added bang to ssh log (closes: #512193).
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@726 a942ae1a-1317-0410-a47c-b1dcaea8d605
2009-02-03 21:56:03 +00:00
Cyril Jaquier 391a38a7a8 - Added new regex. Thanks to Tobias Offermann.
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@713 a942ae1a-1317-0410-a47c-b1dcaea8d605
2008-10-10 16:00:10 +00:00
Cyril Jaquier 155c4652a4 - Merged patches from Debian package. Thanks to Yaroslav Halchenko.
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@706 a942ae1a-1317-0410-a47c-b1dcaea8d605
2008-07-22 22:29:57 +00:00
Cyril Jaquier 6db1212152 - Added revision.
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@663 a942ae1a-1317-0410-a47c-b1dcaea8d605
2008-03-05 21:47:14 +00:00
Cyril Jaquier f0399ca5a4 - Absorbed some Debian patches. Thanks to Yaroslav Halchenko.
- Renamed actionend to actionstop.

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@658 a942ae1a-1317-0410-a47c-b1dcaea8d605
2008-03-04 22:41:28 +00:00
Cyril Jaquier 174ce7027a - Fixed fail2ban-regex. It support "includes" in configuration files.
- Modified "includes" to be more generic. We will probably support URL in the future.
- Small refactoring.

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@656 a942ae1a-1317-0410-a47c-b1dcaea8d605
2008-03-04 00:17:56 +00:00
Cyril Jaquier 66063d2731 - Added "full line failregex" patch. Thanks to Yaroslav Halchenko. It will be possible to create stronger failregex against log injection
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@621 a942ae1a-1317-0410-a47c-b1dcaea8d605
2007-09-12 21:38:51 +00:00
Cyril Jaquier 732c66215f - Improved regular expressions
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@613 a942ae1a-1317-0410-a47c-b1dcaea8d605
2007-08-13 21:39:26 +00:00
Cyril Jaquier 3ef8fbe2e3 - Modified failregex again. Thanks to Yaroslav Halchenko
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@609 a942ae1a-1317-0410-a47c-b1dcaea8d605
2007-08-08 22:29:13 +00:00
Cyril Jaquier f714c96d0e - Updated regular expressions
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@598 a942ae1a-1317-0410-a47c-b1dcaea8d605
2007-07-10 20:24:44 +00:00
Cyril Jaquier 1e2ddec485 - Fixed vulnerability in sshd.conf. Thanks to Daniel B. Cid
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@587 a942ae1a-1317-0410-a47c-b1dcaea8d605
2007-06-07 21:29:18 +00:00
Cyril Jaquier 54e4d012d1 - Fixed bug #1664386. Thanks to Harry Rarig
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@551 a942ae1a-1317-0410-a47c-b1dcaea8d605
2007-02-22 20:52:35 +00:00
Cyril Jaquier 743ec88eef - Updated failregex
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@532 a942ae1a-1317-0410-a47c-b1dcaea8d605
2007-01-29 20:32:13 +00:00
Cyril Jaquier 6cf814245e - Fixed missing regular expression
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@513 a942ae1a-1317-0410-a47c-b1dcaea8d605
2007-01-04 13:07:04 +00:00
Cyril Jaquier 44d75eb54f - Added missing svn:keywords
- Split failregex in sshd.conf
- Added sshd-ddos.conf. Thanks to Yaroslav Halchenko

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@510 a942ae1a-1317-0410-a47c-b1dcaea8d605
2007-01-04 12:21:44 +00:00
Cyril Jaquier 840b9fff0f - Fixed some comments
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@495 a942ae1a-1317-0410-a47c-b1dcaea8d605
2006-12-18 22:35:34 +00:00
Cyril Jaquier f5d4cb6be2 - Added alias "<HOST>" for failregex
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@471 a942ae1a-1317-0410-a47c-b1dcaea8d605
2006-11-19 21:25:51 +00:00
Cyril Jaquier 0fd9865172 - Defined default values in .conf. Should fix Debian bug #398758
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@464 a942ae1a-1317-0410-a47c-b1dcaea8d605
2006-11-15 18:44:28 +00:00
Cyril Jaquier 90359ba523 - Added option "ignoreregex" in filter scripts and jail.conf. Feature Request #1283304
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@458 a942ae1a-1317-0410-a47c-b1dcaea8d605
2006-11-12 14:52:36 +00:00
Cyril Jaquier 2bcc036cf2 - Improved configuration files
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@394 a942ae1a-1317-0410-a47c-b1dcaea8d605
2006-10-01 21:19:56 +00:00
Cyril Jaquier 21b6e76cde - Added date detector
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@325 a942ae1a-1317-0410-a47c-b1dcaea8d605
2006-09-05 21:16:28 +00:00
Cyril Jaquier f1f12518c8 - Moved "logpath" and "maxtime" to "jail.conf"
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@320 a942ae1a-1317-0410-a47c-b1dcaea8d605
2006-09-04 19:18:57 +00:00
Cyril Jaquier 857f6d619b - Fixed bug in failregex
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@267 a942ae1a-1317-0410-a47c-b1dcaea8d605
2006-08-06 22:14:34 +00:00
Cyril Jaquier 3d73f45531 - Added 'host' group in failregex
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@262 a942ae1a-1317-0410-a47c-b1dcaea8d605
2006-08-06 21:23:06 +00:00
Cyril Jaquier 9aa6a505eb - Added header
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@254 a942ae1a-1317-0410-a47c-b1dcaea8d605
2006-07-17 19:26:14 +00:00
Cyril Jaquier 7048e19995 - 0.7.0 soon
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@251 a942ae1a-1317-0410-a47c-b1dcaea8d605
2006-07-16 21:35:08 +00:00
Cyril Jaquier ea1948eff4 - Initial commit of the new development release 0.7
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@249 a942ae1a-1317-0410-a47c-b1dcaea8d605
2006-06-26 20:05:00 +00:00