Commit Graph

4325 Commits (c88f5e9038136cca4db1c433de5d2300788fd3e7)

Author SHA1 Message Date
Viktor Szépe c88f5e9038 Monit files are moved
/etc/monitrc.d -> /etc/monit/conf-available
http://anonscm.debian.org/cgit/collab-maint/monit.git/commit/?id=0bcc9189cb4f43863f08b2423cc54097a3e124ef

Was #896
2017-08-10 15:18:49 +02:00
Yaroslav Halchenko abb2feafe7 added patch to fix rel symlink for tests to be ran out of source 2017-05-10 23:27:49 -04:00
Yaroslav Halchenko 1561d5fb14 changelog and dropping absorbed patch 2017-05-10 22:11:27 -04:00
Yaroslav Halchenko 96323b1da0 ver. 0.9.7 (2017/05/11) - awaiting-victory
-----------
 
 0.9.x line is no longer heavily developed.  If you are interested in
 new features (e.g. IPv6 support), please consider 0.10 branch and its
 releases.
 
 * Fixed a systemd-journal handling in fail2ban-regex (gh-1657)
 * filter.d/sshd.conf
     - Fixed non-anchored part of failregex (misleading match of colon inside
       IPv6 address instead of `: ` in the reason-part by missing space, gh-1658)
       (0.10th resp. IPv6 relevant only, amend for gh-1479)
 * config/pathes-freebsd.conf
     - Fixed filenames for apache and nginx log files (gh-1667)
 * filter.d/exim.conf
     - optional part `(...)` after host-name before `[IP]` (gh-1751)
     - new reason "Unrouteable address" for "rejected RCPT" regex (gh-1762)
     - match of complex time like `D=2m42s` in regex "no MAIL in SMTP connection" (gh-1766)
 * filter.d/sshd.conf
     - new aggressive rules (gh-864):
       - Connection reset by peer (multi-line rule during authorization process)
       - No supported authentication methods available
     - single line and multi-line expression optimized, added optional prefixes
       and suffix (logged from several ssh versions), according to gh-1206;
     - fixed expression received disconnect auth fail (optional space after port
       part, gh-1652)
       and suffix (logged from several ssh versions), according to gh-1206;
 * filter.d/suhosin.conf
     - greedy catch-all before `<HOST>` fixed (potential vulnerability)
 * filter.d/cyrus-imap.conf
     - accept entries without login-info resp. hostname before IP address (gh-1707)
 * Filter tests extended with check of all config-regexp, that contains greedy catch-all
   before `<HOST>`, that is hard-anchored at end or precise sub expression after `<HOST>`
 
 * New Actions:
     - action.d/netscaler: Block IPs on a Citrix Netscaler ADC (gh-1663)
 
 * New Filters:
     - filter.d/domino-smtp: IBM Domino SMTP task (gh-1603)
 
 * Introduced new log-level `MSG` (as INFO-2, equivalent to 18)
 -----BEGIN PGP SIGNATURE-----
 
 iHQEABECADQWIQQ7tuEkBkOmFW8AaFSNEUVjdcAkyAUCWRPA2RYcZGViaWFuQG9u
 ZXJ1c3NpYW4uY29tAAoJEI0RRWN1wCTIhVYAoLkhjr/elXNJ2KKKsFUGrp0s9E3Y
 AJ0fW8Cy8cRiPbYFlapPIgZIccvoRw==
 =KuXB
 -----END PGP SIGNATURE-----

Merge tag '0.9.7' into debian

ver. 0.9.7 (2017/05/11) - awaiting-victory
-----------

0.9.x line is no longer heavily developed.  If you are interested in
new features (e.g. IPv6 support), please consider 0.10 branch and its
releases.

* Fixed a systemd-journal handling in fail2ban-regex (gh-1657)
* filter.d/sshd.conf
    - Fixed non-anchored part of failregex (misleading match of colon inside
      IPv6 address instead of `: ` in the reason-part by missing space, gh-1658)
      (0.10th resp. IPv6 relevant only, amend for gh-1479)
* config/pathes-freebsd.conf
    - Fixed filenames for apache and nginx log files (gh-1667)
* filter.d/exim.conf
    - optional part `(...)` after host-name before `[IP]` (gh-1751)
    - new reason "Unrouteable address" for "rejected RCPT" regex (gh-1762)
    - match of complex time like `D=2m42s` in regex "no MAIL in SMTP connection" (gh-1766)
* filter.d/sshd.conf
    - new aggressive rules (gh-864):
      - Connection reset by peer (multi-line rule during authorization process)
      - No supported authentication methods available
    - single line and multi-line expression optimized, added optional prefixes
      and suffix (logged from several ssh versions), according to gh-1206;
    - fixed expression received disconnect auth fail (optional space after port
      part, gh-1652)
      and suffix (logged from several ssh versions), according to gh-1206;
* filter.d/suhosin.conf
    - greedy catch-all before `<HOST>` fixed (potential vulnerability)
* filter.d/cyrus-imap.conf
    - accept entries without login-info resp. hostname before IP address (gh-1707)
* Filter tests extended with check of all config-regexp, that contains greedy catch-all
  before `<HOST>`, that is hard-anchored at end or precise sub expression after `<HOST>`

* New Actions:
    - action.d/netscaler: Block IPs on a Citrix Netscaler ADC (gh-1663)

* New Filters:
    - filter.d/domino-smtp: IBM Domino SMTP task (gh-1603)

* Introduced new log-level `MSG` (as INFO-2, equivalent to 18)

* tag '0.9.7': (33 commits)
  Preparing for 0.9.7 release
  Added newly added files to MANIFEST
  update ChangeLog
  filter.d/exim.conf: added new reason for "rejected RCPT" regex: Unrouteable address
  try to fix travis integration of pypy3: setuptools recently dropped support for Python 3.0 - 3.2, but old pypy3 based on Python 3.2.5
  filter.d/exim.conf: cherry-picked from 0.10, match complex time like `D=2m42s` (closes gh-1766)
  Update ChangeLog #1757
  filter.d/exim.conf: optional part `(...)` after host-name before `[IP]`, normalized over whole config file.
  BF: specify explicit time offset not a time zone name to avoid needing tzdata during testing
  Update ChangeLog
  amend resp. restore of change from 59c35bc44a (gh-129): - logging of "Log rotation detected" with new MSG level - introduces new log-level MSG (as INFO-2, 18)
  Update mysqld-auth.conf
  Update ChangeLog
  filter.d/cyrus-imap.conf: fixed `failregex` - accept entries without login-info resp. hostname before IP address
  evil symlink removed: does not supported by some file systems (e. g. development over net share)
  sshd-amend: optional space after port part
  suhosin.conf: removed greedy match
  sshd.conf: fixed expression "received disconnect ... auth fail" - optional space after port part (gh-1652)
  change log update after rebase
  sshd: additionally aggressive filter rules - no matching cipher resp. no matching key exchange method (gh-1545, gh-1117)
  ...
2017-05-10 21:39:51 -04:00
Yaroslav Halchenko 35280044ff Preparing for 0.9.7 release 2017-05-10 21:38:57 -04:00
Yaroslav Halchenko 663d526d74 Added newly added files to MANIFEST 2017-05-10 21:31:09 -04:00
sebres bea3a62a37 update ChangeLog 2017-05-07 14:02:45 +02:00
sebres 0600d51511 filter.d/exim.conf: added new reason for "rejected RCPT" regex: Unrouteable address 2017-05-07 14:02:38 +02:00
sebres 3d64d705f3 try to fix travis integration of pypy3: setuptools recently dropped support for Python 3.0 - 3.2, but old pypy3 based on Python 3.2.5 2017-05-07 13:28:35 +02:00
sebres c546f85207 filter.d/exim.conf: cherry-picked from 0.10, match complex time like `D=2m42s` (closes gh-1766) 2017-05-07 13:02:32 +02:00
Serg G. Brester fafe11d326 Merge pull request #1757 from sebres/0.9-fix-gh-1751
filter.d/exim.conf: optional part `(...)` by authenticator failed for ...
2017-04-25 10:05:27 +02:00
sebres 462442a517 Update ChangeLog #1757 2017-04-25 10:04:45 +02:00
sebres 3161bcf78b filter.d/exim.conf: optional part `(...)` after host-name before `[IP]`, normalized over whole config file.
# Conflicts:
#	config/filter.d/exim.conf
2017-04-24 19:21:26 +02:00
Yaroslav Halchenko 7e0e9cda50 changelog for the patch 2017-04-17 10:28:43 -04:00
Yaroslav Halchenko 0f3217f352 "cherry-pick" a639f0b083 (BF: specify explicit time offset not a time zone name to avoid needing tzdata during testing) 2017-04-17 10:27:01 -04:00
Yaroslav Halchenko a0cf31903d Merge pull request #1754 from yarikoptic/bf-tzdata
BF: specify explicit time offset not a time zone name to avoid needing tzdata during testing
2017-04-17 10:26:37 -04:00
Paul Brook a639f0b083 BF: specify explicit time offset not a time zone name to avoid needing tzdata during testing 2017-04-16 12:11:05 -04:00
sebres 7982d1e627 Update ChangeLog 2017-03-27 11:31:41 +02:00
sebres e8596cfce7 amend resp. restore of change from 59c35bc44a (gh-129):
- logging of "Log rotation detected" with new MSG level
- introduces new log-level MSG (as INFO-2, 18)
2017-03-27 11:27:41 +02:00
Serg G. Brester 52c1950371 Update mysqld-auth.conf
small typo, closes gh-1725 (Thx @seth-reeser)
2017-03-24 19:03:17 +01:00
Serg G. Brester d3b644acae Merge pull request #1708 from sebres/fix-gh-1707
filter.d/cyrus-imap.conf: accept entries without login-info resp. hostname before IP address (gh-1707)
2017-03-09 16:26:06 +01:00
sebres 0f8cb1749f Update ChangeLog 2017-03-09 16:15:45 +01:00
sebres 8768776d68 filter.d/cyrus-imap.conf: fixed `failregex` - accept entries without login-info resp. hostname before IP address 2017-03-09 16:13:45 +01:00
sebres c4dc698d98 evil symlink removed: does not supported by some file systems (e. g. development over net share) 2017-01-23 09:26:05 +01:00
sebres c4d56ea84a Merge branch 'ssh-filter-new-regexp' 2017-01-23 08:58:03 +01:00
sebres 9d06f0ee40 sshd-amend: optional space after port part 2017-01-23 08:56:47 +01:00
Serg G. Brester 3ccb026840 Merge pull request #1209 from sebres/ssh-filter-new-regexp
sshd-aggressive (new ssh rules added (gh-864) and code review...)
2017-01-21 16:29:42 +01:00
sebres 54a8c681ce suhosin.conf: removed greedy match 2017-01-21 16:26:07 +01:00
sebres 8aa9516d50 sshd.conf: fixed expression "received disconnect ... auth fail" - optional space after port part (gh-1652) 2017-01-21 16:18:03 +01:00
sebres c8f473110c change log update after rebase 2017-01-21 15:59:27 +01:00
sebres 3276bd6d54 sshd: additionally aggressive filter rules - no matching cipher resp. no matching key exchange method (gh-1545, gh-1117) 2017-01-21 15:57:05 +01:00
sebres 628789f9a9 sshd: conditional parameter "mode" for sshd jail (normal, ddos, aggressive)
filter sshd-ddos and new filter sshd-aggressive are both derivation of sshd-filter
2017-01-21 15:54:49 +01:00
sebres dd373dba9f test all config-regexp, that contains greedy catch-all before <HOST>, that is hard-anchored at end or precise sub expression after <HOST>;
new ssh rule(s) added:
- Connection reset by peer (multi-line rule during authorization process);
- No supported authentication methods available;
Single line and multi-line expression optimized, added optional prefixes and suffix (logged from several ssh versions);
closes gh-864
2017-01-21 15:53:48 +01:00
Serg G. Brester 5e08298b6b Update ChangeLog 2017-01-20 08:47:30 +01:00
Christian Brandlehner a4d8426401 Support for IBM Domino SMTP task (#1603)
filter.d/domino-smtp.conf
2017-01-20 08:44:20 +01:00
Serg G. Brester 40f294e6bf Merge pull request #1663 from jjeziorny/netscaler-action
Introduced citrix netscaler action
2017-01-19 16:25:23 +01:00
Serg G. Brester 75b252e47f Update ChangeLog 2017-01-19 15:00:08 +01:00
Juliano Jeziorny 1fe554dd25 Introduced Citrix Netscaler action 2017-01-19 14:30:25 +01:00
Serg G. Brester 063a11564b Merge pull request #1673 from chtheis/master
Wrong paths for apache and nginx under FreeBSD
2017-01-18 17:12:20 +01:00
Christoph Theis fe76cd9b7d #1667: changelog entry 2017-01-17 14:05:20 +01:00
Christoph Theis 6187431629 #1667: Wrong paths for apache and nginx under FreeBSD 2017-01-17 11:48:25 +01:00
sebres a9523aefbb sshd.conf: fixed non-anchored part of regex (misleading match of colon inside IPv6 address instead of `: ` in the reason-part by missing space). 2017-01-10 12:58:44 +01:00
sebres f8d35a7c9c changelog entry 2017-01-10 11:16:17 +01:00
sebres 2009f1c434 fail2ban-regex: fix for systemd-journal (see gh-1657) 2017-01-10 11:13:18 +01:00
Yaroslav Halchenko 31a1560eaa minor typos (thanks Vincent Lefevre, Debian #847785) 2016-12-11 15:13:11 -05:00
Yaroslav Halchenko 4a1fd888f0 Carry on development 2016-12-11 00:49:09 -05:00
Yaroslav Halchenko eec7c9bbca remove generated symlink under bin/fail2ban-python 2016-12-09 09:45:47 -05:00
Yaroslav Halchenko 6de7c2a127 changelog entry 2016-12-09 09:40:24 -05:00
Yaroslav Halchenko 623bb39ca6 Merge branch 'enh-rel0.9.6' into debian
* enh-rel0.9.6: (60 commits)
  updated man pages
  ENH: prep for 0.9.6 release (as of tomorrow)
  BF: added missing entires into MANIFEST
  Update ChangeLog
  ChangeLog entry added + jail.conf review
  code review, makes the test cases workable, added dev-notes
  ChangeLog update
  `filter.d/apache-modsecurity.conf`   - fixed for newer version (one space, closes gh-1626) reviewed and optimized:   - non-greedy catch-all replaced for safer match   - unneeded catch-all anchoring removed   - non-capturing groups
  filter.d/dovecot.conf update: - fixes failregex, that ignores failures through some irrelevant info (closes #1623); - ignores whole additionally irrelevant info in anchored regex before fixed failure data `\((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\)` - review, IPv6 compatibility fix, non-capturing groups
  Update jail.conf
  Use Fedora's backend-settings for openSUSE
  amend after code review of merge gh-1581
  Make changes and add test file
  Add Mongodb-auth filter and jail
  Update FILTERS
  filter.d/sshd.conf: Match 'Invalid user' with 'port \d*'
  ChangeLog entry added
  filter.d/sendmail-reject.conf: double space (should be by missing dns-host only) Closes #1578
  Update Changelog to reflect the new np.conf action
  Create npf.conf for the NPF packet filter
  ...
2016-12-09 09:37:33 -05:00
Yaroslav Halchenko 3605155978 updated man pages 2016-12-09 09:36:08 -05:00