fail2ban

Commit Graph

Author	SHA1	Message	Date
sebres	bf689c27b8	filter.d/sshd.conf: `ddos` mode extended - recognizes messages "kex_exchange_identification: Connection closed / reset by pear" (fixed possible regression of `f77398c49d`); closes gh-3086	3 years ago
sebres	8bf15db688	filter.d/sshd.conf: `ddos` mode extended - recognizes new message "banner exchange: invalid format" generated by port scanner, https payload on ssh port; closes gh-3169	3 years ago
Sergey G. Brester	ba839af8ad	filter.d/lighttpd-auth.conf: adjusted to the current source code + avoiding catch-all's, etc (gh-3116)	3 years ago
sebres	92f90038fa	filter.d/dovecot.conf: extended to match prefix like `conn unix:auth-worker (uid=143): auth-worker<13247>:` (authenticate from external service like exim), gh-2553	4 years ago
sebres	8b984a0135	filter.d\exim-common.conf: pid-prefix extended to match `mx1 exim[...]:` (gh-2553)	4 years ago
sebres	6be1a5a0b1	filter.d/dovecot.conf: fixed "Authentication failure" regex, matches "Password mismatch" in title case (gh-2880)	4 years ago
sebres	8afea37494	filter.d/sendmail-auth.conf: covering several "authentication failure" messages, sendmail 8.16.1 (gh-2757)	4 years ago
sebres	c5f1598a21	filter.d/postfix.conf: extended to cover new vectors: - reject: BDAT/DATA from (gh-2927) - (since regex is more precise now) token selector changed to `[A-Z]{4}`, e. g. no matter what a command is supplied now (RCPT, EHLO, VRFY, DATA, BDAT or something else) - matches "Command rejected" and "Data command rejected" now	4 years ago
sebres	ae3e9b9149	filter.d/postfix.conf: extended to cover 2 new vectors: - RCPT from unknown, 504 5.5.2, need fully-qualified hostname, gh-2995 - 550 5.7.25 Client host rejected, gh-2996 review combining several regex to single one	4 years ago
sebres	87f717e0e0	filter.d/sendmail-reject.conf: fix reverse DNS for ... (gh-3012)	4 years ago
sebres	1627d4f573	filter.d/sendmail-auth.conf: user not found, closes gh-3030	4 years ago
sebres	f0214b3d36	filter.d/sendmail-reject.conf: fixed regex to consider "Connection rate limit exceeded" with different combination of arguments	4 years ago
sebres	a45b1c974c	filter.d/ignorecommands/apache-fakegooglebot: added timeout parameter (default 55 seconds) - avoid fail with timeout (default 1 minute) by reverse lookup on some slow DNS services (googlebots must be resolved fast); closes gh-2951	4 years ago
sebres	9df332fdef	filter.d/apache-overflows.conf: extended to match AH00126 error (Invalid URI ...); closes gh-2908	4 years ago
sebres	73b39e0894	filter.d/named-refused.conf: fixes prefix for messages from systemd journal (no mandatory space ahead, because don't have timestamp) closes gh-2899	4 years ago
sebres	7965d652a1	filter.d/dovecot.conf: allow more verbose logging closes #2573	4 years ago
sebres	a6de9459fc	typo	4 years ago
RyuaNerin	bba8844af8	typo	4 years ago
mpoliwczak834	595ee7ed74	add submission	4 years ago
mpoliwczak834	0c12cb7970	add managesieve support dovecot filter	4 years ago
sebres	cc64ef25f6	filter.d/apache-noscript.conf: extended to match "script not found" with error AH02811 (and cgi-bin path segment in script) closes gh-2805	4 years ago
Sergey G. Brester	1c1a9b868c	no catch-alls, user name and error message stored in ticket	4 years ago
benrubson	840f0ff10a	Add Grafana jail	4 years ago
sebres	25e006e137	review and small tweaks (more precise and safe RE)	4 years ago
Mart124	df659a0cbc	Add Bitwarden syslog support	4 years ago
Sergey G. Brester	010e76406f	small tweaks (both 2nd time and facility are optional, avoid catch-all, etc)	4 years ago
benrubson	ec873e2dc3	Add SoftEtherVPN jail	4 years ago
sebres	02525d7b6f	filter.d/sshd.conf: mode `ddos` (and `aggressive`) extended with new rule closing flood attack vector, matching: error: kex_exchange_identification: Connection closed by remote host (gh-2850)	4 years ago
sebres	db1f3477cc	amend to 3f04cba9f92a1827d0cb3dcb51e57d9f60900b4a: sendmail-auth has 2 failregex now, so rewritten with prefregex	4 years ago
sebres	3f04cba9f9	filter `sendmail-auth` extended to follow new authentication failure message introduced in sendmail 8.16.1, AUTH_FAIL_LOG_USER (gh-2757)	4 years ago
sebres	07fa9f2912	fixes gh-2787: allow to match `did not issue MAIL/EXPN/VRFY/ETRN during connection` non-anchored with extra mode (default names may deviate); additionally provides common addr-tag for IPv4/IPv6 (`(?:IPv6:<IP6>\|<IP4>)`) and test-coverage for IPv6	4 years ago
benrubson	1707560df8	Enhance Guacamole jail	4 years ago
sebres	5a0edf61c9	filter.d/sshd.conf: normalizing of user pattern in all RE's, allowing empty user (gh-2749)	5 years ago
Sergey G. Brester	368aa9e775	Merge pull request #2689 from benrubson/gitlab New Gitlab jail	5 years ago
sebres	6b90ca820f	filter.d/traefik-auth.conf: filter extended with parameter mode (`normal`, `ddos`, `aggressive`) to handle the match of username differently: - `normal`: matches 401 with supplied username only - `ddos`: matches 401 without supplied username only - `aggressive`: matches 401 and any variant (with and without username) closes gh-2693	5 years ago
sebres	affd9cef5f	filter.d/courier-smtp.conf: prefregex extended to consider port in log-message (closes gh-2697)	5 years ago
benrubson	2912bc640b	New Gitlab jail	5 years ago
sebres	136781d627	filter.d/sshd.conf: fixed regex for mode `extra` - "No authentication methods available" (supported seems to be optional now, gh-2682)	5 years ago
sebres	22a04dae05	Merge branch '0.9' into 0.10 (gh-2246)	5 years ago
Sergey G. Brester	b1e1cab4b7	Merge pull request #2246 from shaneforsythe/shaneforsythe-patch-2 Improve regex in proftpd.conf	5 years ago
sebres	606bf110c9	filter.d/sshd.conf (mode `ddos`): fixed "connection reset" regex (seems to have same syntax now as closed), so both regex's combined now to single RE (closes gh-2662)	5 years ago
sebres	42714d0849	filter.d/common.conf: closes gh-2650, avoid substitute of default values in related `lt_*` section, `__prefix_line` should be interpolated in definition section (after the config considers all sections that can overwrite it); amend to `62b1712d22` (PR #2387, backend-related option `logtype`); testSampleRegexsZZZ-GENERIC-EXAMPLE covering now negative case also (other daemon in prefix line)	5 years ago
sebres	ab3a7fc6d2	filter.d/sshd.conf: mode `ddos` (and aggressive) extended to detect port scanner sending unexpected ident string after connect	5 years ago
sebres	9137c7bb23	filter processing: - avoid duplicates in "matches" (previously always added matches of pending failures to every next real failure, or nofail-helper recognized IP, now first failure only); - several optimizations of merge mechanism (multi-line parsing); fail2ban-regex: better output handling, extended with tag substitution (ex.: `-o 'fail <ip>, user <F-USER>: <msg>'`); consider a string containing new-line as multi-line log-excerpt (not as a single log-line) filter.d/sshd.conf: introduced parameter `publickey` (allowing change behavior of "Failed publickey" failures): - `nofail` (default) - consider failed publickey (legitimate users) as no failure (helper to get IP and user-name only) - `invalid` - consider failed publickey for invalid users only; - `any` - consider failed publickey for valid users too; - `ignore` - ignore "Failed publickey ..." failures (don't consider failed publickey at all) tests/samplestestcase.py: SampleRegexsFactory gets new failJSON option `constraint` to allow ignore of some tests depending on filter name, options and test parameters	5 years ago
sebres	1492ab2247	improve processing of pending failures (lines without ID/IP) - fail2ban-regex would show those in matched lines now (as well as increase count of matched RE); avoid overwrite of data with empty tags by ticket constructed from multi-line failures; amend to d1b7e2b5fb2b389d04845369d7d29db65425dcf2: better output (as well as ignoring of pending lines) using `--out msg`; filter.d/sshd.conf: don't forget mlf-cache on "disconnecting: too many authentication failures" - message does not have IP (must be followed by "closed [preauth]" to obtain host-IP).	5 years ago
Sergey G. Brester	774dda6105	filter.d/postfix.conf: extended mode ddos and aggressive covering multiple disconnects without auth	5 years ago
sebres	569dea2b19	filter.d/mysqld-auth.conf: capture user name in filter (can be more strict if user switched, used in action or fail2ban-regex output); also add coverage for mariadb 10.4 log format (gh-2611)	5 years ago
sebres	f77398c49d	filter.d/sshd.conf: captures `Disconnected from ... [preauth]`, preauth phase only, different handling by `extra` (with supplied user only) and `ddos`/`aggressive` mode (`normal` mode is not affected, used there just as a helper with `<F-NOFAIL>` to capture IP for multiline failures without IP); closes gh-2115, gh-2362.	5 years ago
Mart124	e763c657c4	Let's get back to WRN	5 years ago
Mart124	d7b707b09d	Update bitwarden.conf	5 years ago

1 2 3 4 5 ...

899 Commits (bf689c27b833d4cafc6ce34ada214cd4df2d7d86)