4b4d5a95b7
Changed regex prequel
...
Use standard prefix macro instead of literal daemon name.
2015-10-27 21:30:20 -07:00
4c3f778b82
Replaced .* with literal
...
Per Serg's suggestions. Possible I'm missing some auth attempt types, but I couldn't find anything where literal wasn't sufficient.
2015-10-27 10:33:30 -07:00
3ec725a2ba
Created file
...
From https://github.com/beezwax/filemaker-fail2ban/blob/master/fail2ban/filter.d/screensharingd.conf
2015-10-26 17:35:38 -07:00
2861a957a9
filter for openhab domotic software authentication failure with the rest api and web interface + test cases;
...
closes gh-1223
2015-10-26 15:48:23 +01:00
2c576c64f8
Change domain filter regex
...
Change domain filter regex since there are other Google crawlers.
See "Google crawlers"
<https://support.google.com/webmasters/answer/1061943?hl=en >
2015-10-20 10:46:00 +02:00
74fcb219ab
Enhanced Google domain detection in apache-fakegooglebot
...
Previously, an attacker could fake a domain like
crawl-1-1-1-1.googlebot.com.fake.net and get resolved. This change
avoids to resolve fake Google domains.
2015-10-20 10:45:53 +02:00
a28e6b442e
Add check in apache-fakegooglebot to protect against PTR fake record
...
An attacker may return a PTR record which fakes a Googlebot's domain
name. This modification resolves the PTR records to verify it.
See "Verifying Googlebot":
<https://support.google.com/webmasters/answer/80553?vid=1-635800030504666679-1963774919 >
2015-10-13 17:11:49 +02:00
2696ede251
mysqld-auth: Updated "Access denied ..." regex for MySQL 5.6 and later
...
closes gh-1211
2015-10-07 14:34:13 +02:00
36919d9f97
ssh.conf: Fix disconnect "Auth fail" matching
...
The regex for matching against "Auth fail" disconnect log message does
not match against current versions of ssh. OpenSSH 5.9 introduced
privilege separation of the pre-auth process, which included
[logging through monitor.c](http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.c.diff?r1=1.113&r2=1.114 )
which adds " [preauth]" to the end of each message and causes the log
level to be prepended to each message.
It also fails to match against clients which send a disconnect message
with a description that is either empty or includes a space, since this
is the content in the log message after the disconnect code, per
[packet.c:1785](http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/packet.c?annotate=1.215 ),
which was matched by \S+. Although I have not observed this yet, I
couldn't find anything which would preclude it in [RFC
4253](https://tools.ietf.org/html/rfc4253#section-11.1 ) and since the
message is attacker-controlled it provides a way to avoid getting
banned.
This commit fixes both issues.
Signed-off-by: Kevin Locke <kevin@kevinlocke.name>
2015-10-02 15:46:29 -07:00
835b3ff483
Update apache-badbots.conf
...
Useragent strings including `+http` need to be escaped to be valid.
2015-09-05 00:12:28 -04:00
5d60700c0c
Added pass2allow (knocking with fail2ban)
2015-07-10 16:22:43 +02:00
a3b8257b73
Add HEAD method verb to apache-badbots, nginx-badbots
2015-07-07 17:45:40 +02:00
f7444f16b8
Add optional session id prefix for roundcube 1.1.1
2015-07-04 11:06:51 -04:00
2796534a5d
Update regex to work with roundcube 1.0.5 on CentOS 6
2015-07-04 11:02:04 -04:00
345820d2aa
Merge pull request #1056 from ipoddubny/asterisk_security_log
...
Fix support for Asterisk security log
2015-05-25 12:50:13 -04:00
f41872f034
Merge pull request #1013 from szepeviktor/patch-4
...
Non-US locale warning for proftpd
2015-05-25 10:51:51 -04:00
eb091d9b8c
Merge remote-tracking branch 'origin/master' into pr-1039
...
* origin/master:
minor: no tripple empty lines
add froxlor-auth filter and jail
add froxlor-auth filter and jail 0
add froxlor-auth filter and jail
BF: Fix fail2ban-regex not parsing journalmatch correctly
2015-05-25 10:50:34 -04:00
964cdb5d9b
add froxlor-auth filter and jail
2015-05-25 13:44:50 +02:00
7a4e6fa6e5
Asterisk security log: add support for websocket protocol events
...
Thanks to @kcormier.
2015-05-25 08:13:30 +03:00
988d9a08da
Asterisk security log: accept events containing Response/ExpectedResponse
...
Event containing Challenge may come without ReceivedChallenge, but with
Response and ExpectedResponse.
Also Challenge now accepts '/' character, since it is used at least by PJSIP.
2015-05-25 08:12:51 +03:00
189265a323
Asterisk security log: accept SessionID of PJSIP events
...
Unlike chan_sip and manager, PJSIP populates SessionID using
Call-Id header of a related SIP message.
As Call-Id of a SIP message can contain almost anything,
the regular expression for SessionID has been loosened.
2015-05-25 08:11:34 +03:00
ab2ac1a367
Asterisk security log: accept <unknown> in AccountID
2015-05-24 12:47:55 +03:00
977f9955e7
Asterisk security log: accept EventTV in ISO8601
...
Asterisk uses ISO8601 dates in security log since version 12.
Closes #988
2015-05-24 12:46:54 +03:00
56e5821c06
Match unknown user in dovecot's passwd-file auth database
2015-04-30 16:53:10 +08:00
8f792f52fb
Add drupal-auth filter and jail
2015-04-27 13:10:27 -04:00
b530d88eca
Merge remote-tracking branch 'upstream/master' into bf/1000-asteriskBlocksSelf
...
Conflicts:
ChangeLog
2015-04-26 15:13:59 -04:00
f8c7247f42
added \s after host
2015-04-17 10:22:01 +02:00
5f2807b41f
replaced .* before rhost with regex matching all the previous fields
2015-04-17 10:04:35 +02:00
8825a5f31b
updated filter.d/sshd.conf
...
Added line to match sshd auth errors on OpenSuSE systems
2015-04-16 19:48:28 +02:00
e776a4e1ab
Update proftpd.conf
2015-04-08 15:57:39 +02:00
f9e8a99a79
Non-US locale warning for proftpd
2015-04-06 17:04:41 +02:00
72f4bcfbff
Match hacking attempt IP instead of asterisk server IP ( closes #1000 )
2015-03-24 19:03:26 -04:00
eb0d086ed0
Merge branch 'master' into nginx-botsearch
2015-02-04 02:13:33 +01:00
e7ff7e90b7
[postfix-sasl] update regexes
...
- Add : to match "SASL LOGIN authentication failed: Password:"
- Add ignoreregex to ignore system authentication issues:
"warning: unknown[1.1.1.1]: SASL LOGIN authentication failed: Connection lost to authentication server"
- Add test log messages for both
2015-02-03 11:30:16 -07:00
fb0f463eac
Include consistency
2015-02-03 15:54:05 +01:00
705718be52
Filter apache-botsearch.conf now loads variables from botsearch-common.conf
2015-02-03 04:44:33 +01:00
18778d9174
Created botsearch-common.conf
...
File contains variables used in -botsearch filters
2015-02-03 04:25:47 +01:00
73af02ffc6
Merge pull request #940 from leeclemens/ENH/ApacheFakeGoogleBot
...
New jail: apache-fakegooglebot
2015-02-02 21:44:04 -05:00
df581fe6e2
Merge pull request #929 from opoplawski/pam_auth
...
Add filter variable __pam_auth to allow customize for setups with multiple authorization schemes (Close #928 )
2015-02-02 21:42:10 -05:00
7ada96b4e9
Merge pull request #932 from opoplawski/dovecot
...
Dovecot - dovecot auth failure from EL7
2015-02-02 21:37:28 -05:00
f8fe165cd2
Switched from tabs to spaces for indents
2015-02-03 03:35:22 +01:00
841c476045
Merge branch 'enh/fakegooglebot' of https://github.com/yarikoptic/fail2ban into yarikoptic-enh/fakegooglebot
...
Conflicts:
config/filter.d/ignorecommands/apache-fakegooglebot
2015-02-02 13:01:23 -05:00
15b65c7ad2
NF: apache-fakegooglebot ignorecommand + DNSUtils.ipToName
2015-02-02 12:19:20 -05:00
7e94ba6f0c
Remove implementation specific suffix
2015-02-02 11:43:05 -05:00
af078532ac
New jail: apache-fakegooglebot
...
Detects fake googlebot user agents in apache access log
2015-02-02 00:42:01 -05:00
ec6a30efcf
ENH: define ignoreregex for all filters explicitly, to avoid warnings ( Closes #934 )
2015-01-30 10:38:28 -05:00
c8e82f18b6
Add jail nginx-botsearch
...
Jail blocks requests for predefined non-existent folders. Based on
apache-botsearch jail.
2015-01-29 17:57:52 +01:00
b4776a1ba0
Match dovecot unknown user line
2015-01-29 09:37:37 -07:00
3bc92610f7
Add dovecot auth failure from EL7
2015-01-29 09:11:59 -07:00
79b5a2617f
Add filter variable __pam_auth to allow easier changing of pam auth backend
2015-01-27 14:34:27 -07:00
Simon Brown