Commit Graph

4090 Commits (c188acd8ef9fe30967078a1eb4c24dd603994d70)

Author SHA1 Message Date
Yaroslav Halchenko c188acd8ef policy boost 2016-03-07 21:55:17 -05:00
Yaroslav Halchenko a525a24cb1 changelog entry 2016-03-07 21:55:02 -05:00
Yaroslav Halchenko 45dce3cab0 ver. 0.9.4 (2016/03/08) - for-you-ladies
-----------
 
 - Fixes:
    * roundcube-auth jail typo for logpath
    * Fix dnsToIp resolver for fqdn with large list of IPs (gh-1164)
    * filter.d/apache-badbots.conf
      - Updated useragent string regex adding escape for `+`
    * filter.d/mysqld-auth.conf
      - Updated "Access denied ..." regex for MySQL 5.6 and later (gh-1211, gh-1332)
    * filter.d/sshd.conf
      - Updated "Auth fail" regex for OpenSSH 5.9 and later
    * Treat failed and killed execution of commands identically (only
      different log messages), which addresses different behavior on different
      exit codes of dash and bash (gh-1155)
    * Fix jail.conf.5 man's section (gh-1226)
    * Fixed default banaction for allports jails like pam-generic, recidive, etc
      with new default variable `banaction_allports` (gh-1216)
    * Fixed `fail2ban-regex` stops working on invalid (wrong encoded) character
      for python version < 3.x (gh-1248)
    * Use postfix_log logpath for postfix-rbl jail
    * filters.d/postfix.conf - add 'Sender address rejected: Domain not found' failregex
    * use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc (gh-1271)
    * Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl
    * Changed filter.d/asterisk regex for "Call from ..." (few vulnerable now)
    * Removed compression and rotation count from logrotate (inherit them from
      the global logrotate config)
 
 - New Features:
    * New interpolation feature for definition config readers - `<known/parameter>`
      (means last known init definition of filters or actions with name `parameter`).
      This interpolation makes possible to extend a parameters of stock filter or
      action directly in jail inside jail.local file, without creating a separately
      filter.d/*.local file.
      As extension to interpolation `%(known/parameter)s`, that does not works for
      filter and action init parameters
    * New actions:
      - nftables-multiport and nftables-allports - filtering using nftables
        framework. Note: it requires a pre-existing chain for the filtering rule.
    * New filters:
      - openhab - domotic software authentication failure with the
        rest api and web interface (gh-1223)
      - nginx-limit-req - ban hosts, that were failed through nginx by limit
        request processing rate (ngx_http_limit_req_module)
      - murmur - ban hosts that repeatedly attempt to connect to
        murmur/mumble-server with an invalid server password or certificate.
      - haproxy-http-auth - filter to match failed HTTP Authentications against a
        HAProxy server
    * New jails:
      - murmur - bans TCP and UDP from the bad host on the default murmur port.
    * sshd filter got new failregex to match "maximum authentication
      attempts exceeded" (introduced in openssh 6.8)
    * Added filter for Mac OS screen sharing (VNC) daemon
 
 - Enhancements:
    * Do not rotate empty log files
    * Added new date pattern with year after day (e.g. Sun Jan 23 2005 21:59:59)
      http://bugs.debian.org/798923
    * Added openSUSE path configuration (Thanks Johannes Weberhofer)
    * Allow to split ignoreip entries by ',' as well as by ' ' (gh-1197)
    * Added a timeout (3 sec) to urlopen within badips.py action
      (Thanks M. Maraun)
    * Added check against atacker's Googlebot PTR fake records
      (Thanks Pablo Rodriguez Fernandez)
    * Enhance filter against atacker's Googlebot PTR fake records
      (gh-1226)
    * Nginx log paths extended (prefixed with "*" wildcard) (gh-1237)
    * Added filter for openhab domotic software authentication failure with the
      rest api and web interface (gh-1223)
    * Add *_backend options for services to allow distros to set the default
      backend per service, set default to systemd for Fedora as appropriate
    * Performance improvements while monitoring large number of files (gh-1265).
      Use associative array (dict) for monitored log files to speed up lookup
      operations. Thanks @kshetragia
    * Specified that fail2ban is PartOf iptables.service firewalld.service in
      .service file -- would reload fail2ban if those services are restarted
    * Provides new default `fail2ban_version` and interpolation variable
      `fail2ban_agent` in jail.conf
    * Enhance filter 'postfix' to ban incoming SMTP client with no fqdn hostname,
      and to support multiple instances of postfix having varying suffix (gh-1331)
      (Thanks Tom Hendrikx)
    * files/gentoo-initd to use start-stop-daemon to robustify restarting the service
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iEYEABECAAYFAlbePf4ACgkQjRFFY3XAJMiIfwCg1YM7vHW4ZSU0pe0IY3zOkJi2
 G6IAn1rAqlFl9kHl+0epmO9VQqcQfLbk
 =VAw2
 -----END PGP SIGNATURE-----

Merge tag '0.9.4' into debian

ver. 0.9.4 (2016/03/08) - for-you-ladies
-----------

- Fixes:
   * roundcube-auth jail typo for logpath
   * Fix dnsToIp resolver for fqdn with large list of IPs (gh-1164)
   * filter.d/apache-badbots.conf
     - Updated useragent string regex adding escape for `+`
   * filter.d/mysqld-auth.conf
     - Updated "Access denied ..." regex for MySQL 5.6 and later (gh-1211, gh-1332)
   * filter.d/sshd.conf
     - Updated "Auth fail" regex for OpenSSH 5.9 and later
   * Treat failed and killed execution of commands identically (only
     different log messages), which addresses different behavior on different
     exit codes of dash and bash (gh-1155)
   * Fix jail.conf.5 man's section (gh-1226)
   * Fixed default banaction for allports jails like pam-generic, recidive, etc
     with new default variable `banaction_allports` (gh-1216)
   * Fixed `fail2ban-regex` stops working on invalid (wrong encoded) character
     for python version < 3.x (gh-1248)
   * Use postfix_log logpath for postfix-rbl jail
   * filters.d/postfix.conf - add 'Sender address rejected: Domain not found' failregex
   * use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc (gh-1271)
   * Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl
   * Changed filter.d/asterisk regex for "Call from ..." (few vulnerable now)
   * Removed compression and rotation count from logrotate (inherit them from
     the global logrotate config)

- New Features:
   * New interpolation feature for definition config readers - `<known/parameter>`
     (means last known init definition of filters or actions with name `parameter`).
     This interpolation makes possible to extend a parameters of stock filter or
     action directly in jail inside jail.local file, without creating a separately
     filter.d/*.local file.
     As extension to interpolation `%(known/parameter)s`, that does not works for
     filter and action init parameters
   * New actions:
     - nftables-multiport and nftables-allports - filtering using nftables
       framework. Note: it requires a pre-existing chain for the filtering rule.
   * New filters:
     - openhab - domotic software authentication failure with the
       rest api and web interface (gh-1223)
     - nginx-limit-req - ban hosts, that were failed through nginx by limit
       request processing rate (ngx_http_limit_req_module)
     - murmur - ban hosts that repeatedly attempt to connect to
       murmur/mumble-server with an invalid server password or certificate.
     - haproxy-http-auth - filter to match failed HTTP Authentications against a
       HAProxy server
   * New jails:
     - murmur - bans TCP and UDP from the bad host on the default murmur port.
   * sshd filter got new failregex to match "maximum authentication
     attempts exceeded" (introduced in openssh 6.8)
   * Added filter for Mac OS screen sharing (VNC) daemon

- Enhancements:
   * Do not rotate empty log files
   * Added new date pattern with year after day (e.g. Sun Jan 23 2005 21:59:59)
     http://bugs.debian.org/798923
   * Added openSUSE path configuration (Thanks Johannes Weberhofer)
   * Allow to split ignoreip entries by ',' as well as by ' ' (gh-1197)
   * Added a timeout (3 sec) to urlopen within badips.py action
     (Thanks M. Maraun)
   * Added check against atacker's Googlebot PTR fake records
     (Thanks Pablo Rodriguez Fernandez)
   * Enhance filter against atacker's Googlebot PTR fake records
     (gh-1226)
   * Nginx log paths extended (prefixed with "*" wildcard) (gh-1237)
   * Added filter for openhab domotic software authentication failure with the
     rest api and web interface (gh-1223)
   * Add *_backend options for services to allow distros to set the default
     backend per service, set default to systemd for Fedora as appropriate
   * Performance improvements while monitoring large number of files (gh-1265).
     Use associative array (dict) for monitored log files to speed up lookup
     operations. Thanks @kshetragia
   * Specified that fail2ban is PartOf iptables.service firewalld.service in
     .service file -- would reload fail2ban if those services are restarted
   * Provides new default `fail2ban_version` and interpolation variable
     `fail2ban_agent` in jail.conf
   * Enhance filter 'postfix' to ban incoming SMTP client with no fqdn hostname,
     and to support multiple instances of postfix having varying suffix (gh-1331)
     (Thanks Tom Hendrikx)
   * files/gentoo-initd to use start-stop-daemon to robustify restarting the service

* tag '0.9.4': (138 commits)
  MANIFEST RELEASE and man pages updates
  Changes for the 0.9.4 release
  datedetector: epoch time expression fix (now 10-11 chars, only whole number - anchored ^...\b or by special case within [], audit()) + test cases extended (positive/negative)
  changelog about gentoo initd
  added wp-admin
  ENH(TST): a hypothetical example to show/test needing trailing anchoring
  ENH: revert back to having detailed suffix anchored at the end for mysqld-auto.conf
  Changelog for the recent PR and added Tom to THANKS
  mysqld: failregex fixed (accepts different log level, more secure expression now); closes #1332
  Add support for matching postfix multi-instance daemon names by default
  DOC: removed Nick from listed as FreeBSD maintainer
  DOC: adjusted ISSUE_TEMPLATE.md picking on @sebres's version
  ENH: github templates for issues and PRs
  ENH: add codecov support to travis.yml and bandge to README.md
  gentoo-initd: Use start-stop-daemon in order to handle crashes better
  regexp rewritten (few vulnerable as previous) + test case added
  Update asterisk filter: changed regex for "Call from ...". Sometimes extension can have a plus symbol (+) because they can be phone number. Closes #1309
  Add new regex into postfix filter. The new regexp is able to detect bad formatted SMTP EHLO command
  Remove compression and count from logrotate
  gentoo-initd: do not hide useful output
  ...
2016-03-07 21:50:47 -05:00
Yaroslav Halchenko 0298ba2c1b MANIFEST RELEASE and man pages updates 2016-03-07 21:50:10 -05:00
Yaroslav Halchenko 5ffc15ac68 Changes for the 0.9.4 release 2016-03-07 21:45:44 -05:00
Yaroslav Halchenko 150007b128 Merge pull request #1345 from sebres/dd-epoch-time-fix
datedetector: epoch time expression fix
2016-03-07 13:05:11 -05:00
sebres e075815833 datedetector: epoch time expression fix (now 10-11 chars, only whole number - anchored ^...\b or by special case within [], audit()) + test cases extended (positive/negative) 2016-03-07 17:57:22 +01:00
Yaroslav Halchenko 19850d71e9 changelog about gentoo initd 2016-03-07 10:52:47 -05:00
Yaroslav Halchenko 5106b5943a Merge pull request #1322 from jsuter1/master
gentoo-initd: Use start-stop-daemon in order to handle crashes better
2016-03-07 10:51:14 -05:00
Yaroslav Halchenko 385b50e4a9 Merge pull request #1343 from denics/master
adding wp-admin to bot search
2016-03-07 10:23:37 -05:00
Yaroslav Halchenko ec54b74921 Merge pull request #1338 from yarikoptic/enh-return-mysql-suffix-back
Enh return mysql suffix back
2016-03-07 10:21:26 -05:00
Denix ed0e572bfc added wp-admin
bot are very annoying and I am getting a lot of checks on wp-admin. This should calm them.
2016-03-02 16:52:03 +01:00
Denix 04e932baa2 Merge pull request #1 from fail2ban/master
sync fork
2016-03-02 16:48:51 +01:00
Yaroslav Halchenko a11c878fb2 ENH(TST): a hypothetical example to show/test needing trailing anchoring 2016-02-28 12:12:36 -05:00
Yaroslav Halchenko 6ffbc1ffad ENH: revert back to having detailed suffix anchored at the end for mysqld-auto.conf
As discussed in https://github.com/fail2ban/fail2ban/pull/1333#discussion_r54100127
2016-02-28 12:07:46 -05:00
Yaroslav Halchenko 2adf5855ac Changelog for the recent PR and added Tom to THANKS 2016-02-28 12:03:13 -05:00
Yaroslav Halchenko 3e31145c33 Merge pull request #1331 from whyscream/postfix-multi-instance-support
Add support for matching postfix multi-instance daemon names by default
2016-02-28 12:00:24 -05:00
sebres 667785b608 mysqld: failregex fixed (accepts different log level, more secure expression now);
closes #1332
2016-02-24 17:17:51 +01:00
Tom Hendrikx 6c606cf98f Add support for matching postfix multi-instance daemon names by default 2016-02-23 20:23:04 +01:00
Yaroslav Halchenko bd822d02a4 DOC: removed Nick from listed as FreeBSD maintainer 2016-02-22 09:13:30 -05:00
Yaroslav Halchenko 8b00ca2744 Merge pull request #1327 from yarikoptic/enh-cov-templates
ENH: use codecov + templates for PRs and issues
2016-02-21 09:56:17 -05:00
Yaroslav Halchenko 705b91e6a7 DOC: adjusted ISSUE_TEMPLATE.md picking on @sebres's version 2016-02-20 11:20:33 -05:00
Yaroslav Halchenko 9667c4cb42 ENH: github templates for issues and PRs 2016-02-17 21:20:51 -05:00
Yaroslav Halchenko 72638975a9 ENH: add codecov support to travis.yml and bandge to README.md 2016-02-17 20:43:50 -05:00
Jack Suter fb779a78c5 gentoo-initd: Use start-stop-daemon in order to handle crashes better
Currently, if fail2ban is killed (or crashes), its status will be
reported by '/etc/init.d/fail2ban status' as 'running' even though it
is not. Attempting to restart the service also fails, because Gentoo
unsuccessfully tries to stop the service.

By using start-stop-daemon and providing a pidfile, Gentoo will
instead report the status as 'crashed' and allow the service to be
restarted as normal.
2016-02-16 01:46:27 -05:00
Yaroslav Halchenko 905c87ca4a Merge pull request #1310 from yarikoptic/pr-1288
NF: HAProxy HTTP Auth filter
2016-02-11 08:35:48 -05:00
Yaroslav Halchenko 3dc57af19c Merge branch 'logrotate' of https://github.com/sbraz/fail2ban
* 'logrotate' of https://github.com/sbraz/fail2ban:
  Remove compression and count from logrotate
2016-02-10 18:41:01 -05:00
Yaroslav Halchenko 09bc2e978d Merge pull request #1319 from sebres/asterisk-gh1309
Asterisk regexp fix to catch phone # and relax trailing anchoring

 (replacement for Update asterisk.conf gh-1309)
2016-02-08 10:58:53 -05:00
sebres d8e81eb417 regexp rewritten (few vulnerable as previous) + test case added 2016-02-08 12:01:25 +01:00
3eBoP 257b7049d8 Update asterisk filter: changed regex for "Call from ...". Sometimes extension can have a plus symbol (+) because they can be phone number.
Closes #1309
2016-02-08 11:51:37 +01:00
Pierre GINDRAUD b5a07741c8 Add new regex into postfix filter. The new regexp is able to detect bad formatted SMTP EHLO command 2016-02-08 11:11:59 +01:00
Yaroslav Halchenko b435e1e4c8 Merge pull request #1311 from sbraz/gentoo-init
gentoo-initd: do not hide useful output
2016-01-29 09:54:35 -05:00
Louis Sautier 869d99dd37
Remove compression and count from logrotate
Initially reported at https://bugs.gentoo.org/show_bug.cgi?id=549856
2016-01-29 00:15:48 +01:00
Louis Sautier 294a7790a9
gentoo-initd: do not hide useful output
Gentoo applies a patch for this: https://bugs.gentoo.org/show_bug.cgi?id=536320
2016-01-28 23:40:36 +01:00
Yaroslav Halchenko 3f437b32db Merge remote-tracking branch 'pr/1288/head'
* pr/1288/head:
  Update haproxy-http-auth.conf
  Added HAProxy HTTP Auth filter

 Conflicts:
	config/jail.conf - resolved + removed unnecessary filter/enabled (defaults should be as good)
2016-01-28 08:51:45 -05:00
Yaroslav Halchenko 377ea32441 Merge pull request #1295 from obounaim/master
The sender option is ignored by some actions
2016-01-28 08:48:22 -05:00
Serg G. Brester fe14c8fa05 Merge pull request #1292 from albel727/master
Add nftables actions
2016-01-24 23:55:50 +01:00
Jordan Moeser d7b46509d8 Update haproxy-http-auth.conf
Updated failregex to be more strict
2016-01-12 08:37:33 +10:00
local 58a8736e0f Updating changelog. 2016-01-10 00:10:05 +01:00
local 40c0bed82c action_mw, action_mwl, action_cf_mwl ignore the "sender" option when sending a notification email.
This commit adds "sender="%(sender)s"" to the three actions to correct this issue.
2016-01-10 00:05:03 +01:00
Yaroslav Halchenko 5d0d96a5cb Merge pull request #1286 from yarikoptic/enh-jail
ENH: harmonize jail.conf + 1 more test that passed bantime is non-degenerate and int
2016-01-08 08:51:08 -05:00
Alexander Belykh 985e8938a4 Refactor nftables actionstop into smaller parts 2016-01-06 17:39:54 +06:00
Alexander Belykh 9779eeb986 Add nftables_type/family/table parameters 2016-01-06 17:33:14 +06:00
Alexander Belykh 260c30535d Escape curly braces in nftables actions 2016-01-06 17:13:30 +06:00
Alexander Belykh 1983e15580 Add empty line between parameters in nftables-common.conf 2016-01-06 16:55:29 +06:00
Alexander Belykh cb2d70d7a8 Add ChangeLog entry for new nftables actions 2016-01-05 19:04:44 +06:00
Alexander Belykh f7f91a8bd4 Refactor common code out of nftables-multiport/allports.conf 2016-01-05 19:03:47 +06:00
sebres 25a09352e4 + ChangeLog entry 2016-01-04 14:46:43 +01:00
sebres 69f5623f83 code simplifying (remove duplication): agent will be always supplied as parameter from jail.conf 2016-01-04 09:30:32 +01:00
Alexander Belykh 618e97bce8 Add nftables actions 2016-01-04 01:36:28 +06:00