Commit Graph

1477 Commits (c80025971fca61fcca075fb733572dafbb15a04b)

Author SHA1 Message Date
sebres c31eb1c562 quick optimization: normalizes pam-generic prefregex (more similar to the same regex within sshd-filter) + datepattern anchored now; 2018-03-20 16:00:21 +01:00
sebres 25cc42129a hold all user names affected by interim attempts in order to avoid forget a failures after success login:
intruder (as legitimate user) firstly tries to login with another user-name (brute-force), so hopes to reset failure counter by succeeded login;
this is fixed and covered in tests now;
sshd-filter extended to cover multiple-login attempts (also fully implements gh-2070);
2018-03-20 13:09:05 +01:00
sebres a9c94686b6 fixed multiple regexs matched 2018-03-20 09:09:42 +01:00
sebres 8028d3940d amend with better match of optional suffix-groups;
remove end-anchors for expressions are precise enough (with clear flow, simple branches, without catch-all's, etc.);
2018-03-19 17:29:26 +01:00
sebres 66d2436f21 filter.d/sshd.conf: extend suffix with optional port, move it to `prefregex` at end outside of the content 2018-03-19 16:50:49 +01:00
sebres 7b3442c4e2 amend to 185cb998e7c7f2509830bed4a9f2fe6179f77e7b: capture error prefix outside of the failure content; 2018-03-19 14:53:56 +01:00
sebres 185cb998e7 make `prefregex` more precise in order to avoid catch the content for non failure lines 2018-03-19 14:38:47 +01:00
sebres e8ffab28fb filter.d/apache-noscript.conf: extended to match "Primary script unknown", got from php-fpm module. 2018-03-19 14:23:24 +01:00
sebres a6fb33bdec filter.d/recidive.conf: fixed if logging into systemd-journal (SYSLOG) with daemon name in prefix, gh-2069 2018-03-09 13:56:38 +01:00
Sergey G. Brester b34ae5999e
action.d/hostdeny.conf: fixes IPv6 syntax
differentiate the IPv4 and IPv6 syntax (where it is enclosed in square brackets)
2018-03-05 19:35:10 +01:00
sebres caa2bdfee6 amendment for gh-2061: it looks like the port was added here also 2018-03-02 19:24:47 +01:00
sebres a3bcbe2d1b backwards-compatibility, test-cases and ChangeLog update 2018-03-02 19:15:10 +01:00
MatthieuBarbu 6b5516b851 fix sshd rule #2
in line 58, rule don't match with "%(__suff)s" but work fine if I replace with "%(__on_port_opt)s"
Debian 9 stretch : fail2ban 0.10.3
2018-03-02 18:40:36 +01:00
sebres 1d7aa2ff21 filter.d/sshd.conf: rewrite fix (for new ssh log-format) backwards compatible + test-cases extended to cover both cases 2018-03-02 18:17:17 +01:00
MatthieuBarbu 9f5c873526 fix sshd rule
just remove the space before ":11" line 52 because don't match on my Debian 9 stretch...
I don't know if this is wrong on all OS
2018-03-02 17:53:35 +01:00
sebres 8c291cad38 filter.d/asterisk.conf: fixed failregex prefix by log over remote syslog server (gh-2060) 2018-03-02 09:17:04 +01:00
Ben RUBSON b112250ef0 (Free)BSD IPFW does not allow 2 identical rules (#2054)
ipfw actionban fixed to allow same rule added several times (and actionunban to ignore error by deletion of missing rule)
2018-02-27 10:18:59 +01:00
Ben RUBSON 857767f04b Add 'any' badips.py bancategory (#2056)
action.d/badips.py: allow `any` as bancategory to retrieve IPs from all categories
2018-02-27 10:12:22 +01:00
sebres 07fcb24ff6 Merge pull request #2057 from benrubson/https
Use httpS with badips
2018-02-26 18:50:35 +01:00
sebres f52c67238a action.d/badips.py: code review, ban command covered, debug log-messages, etc; 2018-02-26 18:16:20 +01:00
benrubson fce2a50165 badips.py, solve a str() issue under FreeBSD 2018-02-26 15:55:21 +01:00
benrubson e2665d39fd Use httpS with badips 2018-02-26 09:58:37 +01:00
sebres e636567d23 filter.d/exim.conf: failregex extended with SMTP call dropped: too many syntax or protocol errors. 2018-02-19 09:50:46 +01:00
sebres 19a5a2f8c0 filter.d/murmur.conf: fixed detection of failures reading from journal (systemd-backend only):
- extended with optional prefix for the systemd-journal (with second date-pattern as optional match);
- added `journalmatch` filtering;
closes gh-2043
2018-02-09 11:43:55 +01:00
sebres 0be0e43d47 amend to 03b577d7b92a120e325abe20a99b6956a7e0657c: add new-line after matches via tag `<br>` without usage of interim variable 2018-01-30 12:52:26 +01:00
sebres 03b577d7b9 action.d/blocklist_de.conf: fixed tag substitution (in 0.10 it can be variables supplied via shell-arguments), expand `<matches>` with trailing newline;
tests extended;
closes gh-2028
2018-01-30 12:27:03 +01:00
Yaroslav Halchenko 527bb9a7c3 dos2unix for helpers-common.conf
Original report: http://bugs.debian.org/888110
2018-01-23 08:48:36 -05:00
sebres f69e28adfc action.d/pf.conf: compatibility fix - recognizes that parameter `port` specified as empty, with or without braces (should be more backwards compatible to 0.9 now). 2018-01-18 14:05:22 +01:00
sebres ed22ddbbbb Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2018-01-17 16:42:56 +01:00
sebres 63e906b2c1 regex rewritten: a bit fewer vulnerable now and using non-capturing groups, test-cases extended in order to cover trying of injection on user name 2018-01-17 16:35:32 +01:00
Benedikt Seidl fed6c49c2d nginx-http-auth: match usernames with spaces
# Conflicts:
#	ChangeLog
2018-01-17 16:35:31 +01:00
Sergey G. Brester b6c6565a7e
regex updated using non-capturing groups 2018-01-16 14:23:47 +01:00
riceru 6a1bbbf101
Update lighttpd-auth.conf
I have lighttpd 1.4.45 (Debian 9) and auth error log is different.
Now printing mod_auth and not http_auth.
I think that the change was in Lighttp 1.4.42
2018-01-16 12:39:55 +00:00
sebres 2b7b0da943 Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2018-01-15 18:16:43 +01:00
Serg G. Brester 7e05976ead
action.d/hostsdeny.conf: actionunban rewritten using sed, also dots in IP were escaped now.
Closes  #2000
2018-01-11 12:38:34 +01:00
sebres 2112145eb4 stop ban of legitimate users with multiple public keys (e. g. git, etc), thereby
differentiate between "invalid user" (going banned earlier) and valid users with public keys, for which the rejects of not valid public keys (failures) will be retarded up to "Too many authentication failures" resp. disconnect without success (accepted public key).
2018-01-10 19:07:20 +01:00
sebres 314e402fe0 filter.d/sendmail-auth.conf - extended daemon for Fedora 24/RHEL - the daemon name is "sendmail" (gh-1632) 2018-01-10 14:49:06 +01:00
sebres c30144b37a Merge branch '0.9' into 0.10
# Conflicts:
#	config/action.d/firewallcmd-ipset.conf
#	config/filter.d/asterisk.conf
# Merge-point after cherry-pick, no changes:
#	fail2ban/client/jailreader.py
#	fail2ban/helpers.py
2018-01-10 12:05:26 +01:00
sebres 131b94e11e firewallcmd-ipset-allports: implemented in `action.d/firewallcmd-ipset.conf` now (`action.d/firewallcmd-ipset-allports.conf` removed), usage:
banaction = firewallcmd-ipset[actiontype="<allports>"]
2018-01-10 10:58:03 +01:00
Danila Vershinin c190631f88 New ban action firewallcmd-ipset-allports. Closes #1167 2018-01-10 10:58:01 +01:00
Yannik Sembritzki 94f0b15c32
Allow faster parsing of hosts without ' characters in them 2018-01-08 14:54:32 +01:00
Yannik Sembritzki b28dfb965a
Fix filter not catching asterisk requests with quote character in username (fixes #2010) 2018-01-03 18:39:30 +01:00
root 79f414c6a2 fix <family> typo 2017-12-09 15:55:45 +01:00
root 7c63eb2378 In the CentOS7 and epel environment, result of "firewall-cmd -direct -get -chains ipv4 filter" is displayed one line
Changed to be multiple lines with reference to firewallcmd-multiport.conf
2017-12-09 15:55:45 +01:00
sebres 6ccaa03e00 action.d/firewallcmd-ipset.conf: extended with actionflush to bulk unban resp. flush ipset 2017-12-06 01:10:56 +01:00
sebres 2712f72650 Merge remote-tracking branch 'master' into 0.10 2017-12-06 00:09:52 +01:00
sebres e384acca5f action.d/firewallcmd-ipset.conf: fixed create of set for ipv6 (missing `family inet6`) 2017-12-05 23:34:03 +01:00
Kevin Maradona 6c705d572b filter.d/nginx-limit-req.conf: nginx limit-req log-level can be set to warn or error therefore having this regex will include both of them. 2017-12-05 22:31:54 +01:00
sebres ffd6b9f6de jail.conf: extended with new parameter `mode` for the filters supporting it; 2017-12-05 16:09:18 +01:00
sebres 2b68882502 filter.d/exim.conf: provides mode "aggressive" to ban flood resp. DDOS-similar failures;
Closes #1983
2017-12-05 16:07:53 +01:00
sebres 7f89fbc33f Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2017-12-01 15:53:11 +01:00
Serg G. Brester 4f63180611
Avoid injection using quotes after `auth` command;
Added non-greedy fallback for quoted something (with lookahead simulated possessive greedy catch of non-quoted parts `[^"]*(?=")`).
Note that because host-info's are hereafter (with foreign input in-between), we would not use greedy or non-greedy catch-alls (`.*` or `.*?`) here (preventing performance losses).
2017-11-30 12:32:24 +01:00
Serg G. Brester f59df2e156
Avoid any injecting on protocol (e. g. tries using camel-case)
The phrase "AUTH command used when not advertised" is precise enough as anchor here, so prevent by any foreign-input (any auth protocol error).
2017-11-29 20:55:48 +01:00
Peter Nowee aa158ac05f
Exim failregex: Include lower/mixed case AUTH
When reporting the error `AUTH command used when not advertised`, Exim
starts with `SMTP protocol error in "........."`. Here, Exim logs the
SMTP command as it was provided by the connecting client.
https://github.com/Exim/exim/blob/exim-4_89+fixes/src/src/smtp_in.c#L2850

According to RFC 5321 (SMTP) "[..] a command verb [..] MAY be encoded
in upper case, lower case, or any mixture of upper and lower case with
no impact on its meaning."
https://tools.ietf.org/html/rfc5321#section-2.4

Lower case `auth login` brute-force attempts were seen in the wild and
were not caught by the current failregex.

This commit makes the failregex case-insensitive for the `AUTH`
command, so that lower case (`auth`) or mixed case (`aUtH`) now also
match. The failregex was already case-insensitive for the command
arguments (e.g. `AUTH login` already matched).
2017-11-29 15:14:43 +01:00
SlowRiot 660d57e6ba updating my email address 2017-11-29 10:43:15 +01:00
sebres 76f2865883 implemented new action "action.d/nginx-block-map.conf", used in order to ban not IP-related tickets via nginx (session blacklisting in nginx-location with map-file); 2017-11-28 13:42:41 +01:00
sebres f31195a4fc added new logtarget "SYSOUT" to log from fail2ban working in foreground as systemd-service (in opposite to "STDOUT" don't log time-stamps). 2017-11-26 23:03:29 +01:00
sebres 159957ab88 filter.d/sshd.conf: extended failregex for modes "extra"/"aggressive": now finds all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors;
obsolete (multi-line buffered) variant extended also.

Closes gh-1943, gh-1944
2017-11-23 22:21:42 +01:00
sebres 7e756da2b9 Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2017-11-06 18:56:31 +01:00
sebres eba68a8f37 config/paths-common.conf: Added initial values for `syslog_authpriv`, `syslog_mail` in order to avoid errors while parsing/interpolating configuration;
Note the systemd-backend does not need the logpath at all;
Some defaults normalized (minimized configs, don't need to overwrite values in distribution-related path if equal).
2017-11-03 14:15:07 +01:00
Serg G. Brester 9876dd44f9 replace port imap3 with imap everywhere, since imap3 is not a standard port and old rarely (if ever) used and missing on some systems
(see gh-1942)
2017-11-03 14:03:06 +01:00
Jeff Potter 4a2fc8b7e8 Include imap (port 143) in courier-auth ports
imap was missing from the list of ports, preventing fail2ban from blocking connections on standard IMAP port 143.
2017-11-03 14:01:19 +01:00
sebres b615a98540 jail.conf: avoid overwriting of default value of the parameter `chain` of several actions (where default chain != INPUT);
test-cases extended to cover the same logic (use `<known/chain>` instead of fix value `INPUT`);
Closes gh-1949
2017-10-30 13:32:52 +01:00
Serg G. Brester e07a8cda07 Update jail.conf
Documentation of parameters for action blocklist_de, closes gh-1940
2017-10-27 15:26:17 +02:00
Serg G. Brester 1a8fb6290d Merge pull request #1926 from sebres/0.10-pf-actionflush
action.d/pf.conf: wildcard anchoring example + bulk-unban with command `actionflush`
2017-10-19 16:35:46 +02:00
sebres 0e66e3cc57 Merge branch 'master' into 0.10
# Conflicts:
#	config/filter.d/asterisk.conf
2017-10-18 19:00:23 +02:00
Michael Newton d5d1fe679f Remove invalid regex
Resolves #1927
2017-10-17 14:44:23 -07:00
sebres a1b863fcf6 action.d/pf.conf: extended with bulk-unban, command `actionflush` in order to flush all bans at once (by stop jail, resp. shutdown of fail2ban) 2017-10-17 20:12:48 +02:00
sebres 8726c9fb0a pf.conf: enclose ports in braces, multiple ports expecting this syntax `... any port {http, https}`.
Note this would be backwards-incompatible change (for the people already enclosing multiports in braces in jail.local).
closes gh-1915
2017-10-17 13:46:29 +02:00
Łukasz Wąsikowski a4f94d2619 Update pf.conf
Fix comment, because current one won't work:

cat /etc/pf.conf
anchor f2b {
  sshd
}

# service pf reload
Reloading pf rules.
/etc/pf.conf:2: syntax error

New version:

cat /etc/pf.conf
anchor f2b {
  anchor sshd
}

# service pf reload
Reloading pf rules.
2017-10-17 12:39:25 +02:00
Harry Wood ea1b663f85 typo
spell "positive" (...but also somebody should finish this sentence)
2017-10-16 01:15:58 +01:00
sebres e71f16f6ba Merge branch 'master' into 0.10
# Conflicts resolved:
#	config/filter.d/dovecot.conf
2017-10-04 09:57:18 +02:00
sebres ea36e1b3fc filter.d/dovecot.conf: fixed failregex to recognize pam_authenticate failures with "Permission denied" (gh-1897) 2017-10-04 09:55:37 +02:00
sebres 8c804a2290 Merge branch 'master' into 0.10
# Conflicts resolved:
#	config/filter.d/postfix-rbl.conf
#	config/filter.d/postfix-sasl.conf
#	config/filter.d/postfix.conf
#	fail2ban/tests/files/logs/postfix-sasl
2017-10-02 15:41:30 +02:00
sebres a2120a9de5 filter.d/postfix-*.conf - added optional port regex (closes gh-1902) 2017-10-02 15:31:55 +02:00
Louis Sautier 152c9d27d5
Fix nftables actions for IPv6 addresses, fixes #1893
* add [Init?family=inet6] to nftables-common.conf and make nftable
  expressions more modular
* change "ip protocol" to "meta l4proto" in nftables-allports.conf
  since the former only works for IPv4
2017-09-11 23:32:53 +02:00
sebres b185e7cb04 Merge remote-tracking branch 'upstream/master' into 0.10 2017-09-08 11:11:05 +02:00
Serg G. Brester fd83260bd8 jail "pass2allow-ftp" should supply blocktype to action
closes gh-1884
2017-09-07 18:51:08 +02:00
Serg G. Brester bb97e66627 Merge pull request #1882 from coderua/patch-1
Add Jorgee Vulnerability Scanner protect
2017-09-07 15:52:31 +02:00
Serg G. Brester 2cd02b731b filter.d/exim.conf: fixed failregex for case of `D=0s`
Closes gh-1886
2017-09-07 15:28:46 +02:00
sebres 4bc226a692 optimized regex 2017-09-05 10:59:16 +02:00
Vladimir Chumak fafefc0293 Add Jorgee Vulnerability Scanner protect
Details for Jorgee Vulnerability Scanner: https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30164
2017-09-05 10:56:43 +02:00
sebres 4163f32968 small review, prefix replaced with `%(_apache_error_client)s` from apache-common.conf include 2017-09-04 11:48:01 +02:00
john ac95449bbb changed zoneminder regex as per Sebres and yarikoptic recommendations 2017-09-04 11:37:09 +02:00
john 7013729a1f removed redundant options for zoneminder from jail.conf 2017-09-04 11:37:05 +02:00
john 5c3a666380 fixed incomplete regex after adding anchors 2017-09-04 11:37:03 +02:00
john 3d45fd2713 implemented yarikoptic's suggestions in fail2ban pull request #1376 2017-09-04 11:37:00 +02:00
john 08878d22dd added zoneminder.conf filter 2017-09-04 11:36:50 +02:00
john a90f6c4ae8 added zoneminder jail and filter
# Conflicts:
#	config/jail.conf
2017-09-04 11:36:47 +02:00
sebres c312962029 filter.d/dovecot.conf: partially cherry-pick to 0.9 PR #1880 from sebres/0.10-fix-dovecot-regex (d926e11a5c)
fixed failregex (without new mode aggressive)
2017-09-01 10:57:41 +02:00
sebres 2cfc53c08e remove capturing groups 2017-09-01 10:25:09 +02:00
sebres 9b8563f35e - fixes regex for message `imap-login: Disconnected (auth failed, X attempts) ...` has to many variations on additional info after `<HOST>`,
leave it end-anchored because variable part `user=<[^>]*>` (before `<HOST>`) to avoid injecting, but can be safe rewritten using `[^>]*` in opposite to "greedy" `user=<[^>]*>`.
- introduces mode `aggressive` and extends regex for this mode to match:
  * no auth attempts (previously removed in gh-601, because of lots of false positives on misconfigured MTAs)
  * disconnected before auth was ready
  * client didn't finish SASL auth
2017-09-01 09:56:21 +02:00
Serg G. Brester a287d0a05c Merge pull request #1872 from kmzby/master
Added filter for phpMyAdmin+syslog
2017-08-25 12:22:58 +02:00
Pavel Mihadyuk 4c1abe1cbf phpmyadmin-syslog: removed excess file, fixed test, updated failregex 2017-08-23 16:56:18 +03:00
Pavel Mihadyuk d09304b897 phpmyadmin-syslog: added default jail config 2017-08-22 19:00:48 +03:00
Pavel Mihadyuk 5b4bc2aafd Added filter for phpMyAdmin+syslog (>=4.7.0). Closes #1713 2017-08-22 18:20:01 +03:00
sebres 1d5fbb95ae Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2017-08-18 15:44:22 +02:00
Serg G. Brester b0e5efb631 bsd-ipfw.conf: sh-compliant redirect of stderr together with stdout 2017-08-18 15:26:09 +02:00
sebres 3be32adefb Replace not posix-compliant grep option: fgrep with `-q` option can cause 141 exit code in some cases (see gh-1389). 2017-08-18 14:37:29 +02:00
Jacques Distler f84e58e769 Tweaks to action.d/pf.conf
Document recent changes.
Add an option to customize the pf block rule (surely, what the user
really wants, here, is "block quick").
2017-08-18 13:31:34 +02:00