Commit Graph

4030 Commits (ca18270beb046279d0bf6dfd011fcedad59e20e5)

Author SHA1 Message Date
sebres ca18270beb fix artificial test cases ('family' becomes mandatory in the action info, but dict was supplied in the test case) 2017-03-29 18:02:21 +02:00
sebres 8bf79fa483 implemented execution of `actionstart` on demand, if action depends on `family` (closes gh-1741);
new action parameter "actionstart_on_demand" (bool) can be set to prevent/allow starting action on demand (default retrieved automatically, if some conditional parameter `param?family=...` presents in action properties);
2017-03-29 17:44:15 +02:00
Serg G. Brester 05f5c6efcc Update README.md
added wiki-reference;
fixed mail-representation (after github switched markdown syntax)
2017-03-29 12:32:34 +02:00
Serg G. Brester 1a59a5c5a7 Merge pull request #1740 from sebres/0.10-strptime-perf
strptime.py: small code review and performance optimization
2017-03-29 11:33:57 +02:00
sebres ee3c9fcb75 "%y" - in the fail2ban parsed year without century should be always relative current century (>= 2000);
cover several format specifiers and different "assume" cases (without year, without date, greater than now, etc.);
2017-03-28 22:10:29 +02:00
sebres 7437fbd75b strptime.py: small code review and performance optimization (get some properties on demand, etc.) 2017-03-28 20:21:39 +02:00
Serg G. Brester ec19aed489 Merge pull request #1739 from gracinet/0.10-test_smtp-no-network
Fixes test_smtp connects to wrong inet (if listening on ::1 instead of 127.0.0.1)
2017-03-28 19:49:58 +02:00
Georges Racinet 7b93f111e1 test_smtp inconsistency for py3+IPv6
It appears that, under Python3, on an IPv6 enabled machine,
the testing SMTP server on 'localhost' can turn out to listen on ::1 only,
which makes those tests break if the SMTP client part uses 127.0.0.1
directly. Using 'localhost' there as well makes the tests pass.
2017-03-28 19:29:45 +02:00
sebres 873f97c6c5 Merge branch '0.9-log-level-msg' into 0.10 2017-03-27 11:36:36 +02:00
sebres 7982d1e627 Update ChangeLog 2017-03-27 11:31:41 +02:00
sebres e8596cfce7 amend resp. restore of change from 59c35bc44a (gh-129):
- logging of "Log rotation detected" with new MSG level
- introduces new log-level MSG (as INFO-2, 18)
2017-03-27 11:27:41 +02:00
Serg G. Brester d26060ead0 Update ChangeLog
belongs to #1733
2017-03-27 09:38:53 +02:00
Serg G. Brester cea8ba7831 Merge pull request #1733 from sebres/0.10-repl-skiplines
Normalizes replacement of `<SKIPLINES>` + no multiline failregex per default
2017-03-27 09:34:08 +02:00
Seth Reeser c82495353f Update mysqld-auth.conf (#1725) 2017-03-24 19:03:20 +01:00
Serg G. Brester 52c1950371 Update mysqld-auth.conf
small typo, closes gh-1725 (Thx @seth-reeser)
2017-03-24 19:03:17 +01:00
sebres 6ac5c55edc the sequence in args-dict is currently undefined (so can be 1st argument with `?` instead of `&`) 2017-03-24 17:35:41 +01:00
sebres 990d9a66da fail2ban-regex: fixed matched output by multi-line (buffered) parsing + and multi-line debuggex URL;
test coverage extended;
2017-03-24 17:07:21 +01:00
sebres bc888e0753 Regex compiled in multi-line parsing mode only if `maxlines` > 1 (buffering), if however expected - prefix `(?m)` could be used in regex to enable it;
Removed warning "Mutliline regex set for jail ... but maxlines not greater than 1", because can be expected situation now:
non multi-line entry from systemd-filter containing new-lines (that should be ignored by anchors resp. entry parsed as single string);
small code review;
2017-03-24 13:20:04 +01:00
sebres 61c1bdfe79 Normalizes replacement of `<SKIPLINES>` (moved to _resolveHostTag, so will be replaced together with another tags);
Regex will be compiled as MULTILINE only if needed (buffering with `maxlines` > 1), that enables:
- improve performance by the single line parsing;
- make regex more precise (because distinguish between anchors `^`/`$` for the begin/end of string and the new-line character '\n', e. g. if coming from filters (like systemd journal) that allow the parsing of log-entries contain new-line chars (as single entry);
2017-03-24 11:25:12 +01:00
Serg G. Brester b650503f00 Merge pull request #1732 from sebres/0.10-ignoreself
0.10 `ignoreself` for ignore own IP addresses
2017-03-24 10:12:23 +01:00
sebres e7052e9625 update man/jail.conf.5 (docu for the ignoreself) 2017-03-24 09:55:20 +01:00
sebres 30352c5f03 fix sporadic coverage changes (sometimes produces "no such process" in popen.poll after terminate/kill in timeout test cases) 2017-03-23 17:48:52 +01:00
sebres 663bc9903d increase coverage (was decreased since "ignoreip" was set to default empty) 2017-03-23 16:19:21 +01:00
sebres 6c4b1c7204 Update ChangeLog 2017-03-23 15:54:53 +01:00
sebres 5e93bf9bd3 Introduced new option "ignoreself", specifies whether the local resp. own IP addresses should be ignored (default is true).
Fail2ban will not ban a host which matches such addresses.

Option "ignoreip" affects additionally to "ignoreself" and doesn't need to include the DNS resp. IPs of the host self.
2017-03-23 15:52:31 +01:00
Serg G. Brester 1e6787877a Merge pull request #1726 from sebres/0.10-grave-fix-escape-tags-1st
0.10 fix escape tags
2017-03-21 15:33:00 +01:00
sebres 6ba0546824 code review and inline docu 2017-03-21 14:53:33 +01:00
Serg G. Brester 7a03c964c2 Update ChangeLog 2017-03-21 14:04:18 +01:00
sebres bb9541b7a9 Merge pull request #1728 from sebres/_0.10/fix-gh-1719 2017-03-21 11:05:15 +01:00
sebres 43d2cae8da small amend that correct log trace output by forget MLFID (outputs the reason why it was forgotten - close, disconnect, etc.) 2017-03-21 10:39:55 +01:00
sebres b6886f2e51 SampleRegexsFactory extended with optional filter constraint, if testing the same log-file with multiple filters (no possibility to match by the old sshd-filter 'zzz-sshd-obsolete-multiline') 2017-03-21 09:42:27 +01:00
sebres 1971fd4bd3 don't remove MLFID from cache (can recognize multiple attempt within the same connection) 2017-03-21 09:20:56 +01:00
sebres f13fac5ae9 amend to 5561423be3b2d4636f5484183c3ad470fd326d06: fixed incorrect failure counting despite the `<F-NOFAIL>` marked regex;
extra: introduced new tag `<F-MLFFORGET>` as mark to forget current multi-line MLFID (e. g. connection closed);
Closes gh-1727
2017-03-21 00:15:57 +01:00
sebres 32f3c1dbf3 test coverage 2017-03-20 13:34:42 +01:00
sebres 57e9c25449 bug fix in the config readers: mixing with the init section should affect only own init options (from init section only bypass default section);
the situation details:
  value of "_daemon" from default section "default" (with init section) falsely overwrites it from definition section "test" -
  the resulting value of "_daemon" should be "test" in all 3 resulting failregex's (as specified in test.local),
  fixed and covered now;
additionally more complex cases covered also (all filter parameters in jail via "%(known/...)s", dynamical interpolation across all, etc);
2017-03-20 12:10:09 +01:00
sebres 4f1473724b fixed grave vulnerability by wrong escape of tags by executing of shell actions 2017-03-20 12:09:42 +01:00
sebres e5c9f9ec1c [interim commit] try to fix possible escape vulnerability in actions 2017-03-20 12:08:14 +01:00
sebres 93ec9e01d4 fixes a small blemish by output in beautifier;
command "unban" returns a count of tickets that were flushed
2017-03-17 11:00:54 +01:00
Serg G. Brester da808fe67b Merge pull request #1720 from sebres/_0.10/fix-gh-1719
fix gh-1719: sshd format changed
2017-03-15 18:36:35 +01:00
sebres 5561423be3 filter.d/sshd.conf: fixed failregex format - some parts are optional, new ddos more precise rule (Connection reset by with host entry);
closes gh-1719
2017-03-15 18:01:20 +01:00
sebres 97d417926d repairs testing of missing samples for all regex after filter settings (mode) changed 2017-03-15 18:01:18 +01:00
sebres 482e5265d7 output execution time of each test case if verbosity > 2 2017-03-14 13:34:54 +01:00
Serg G. Brester 77229a65b5 Merge pull request #1716 from sebres/fix-stop-replace-in-callable
Prohibit recursive replacement of action info (calling map)
2017-03-13 23:46:52 +01:00
sebres ccfd1ccb2d code review, increase coverage, etc. 2017-03-13 21:56:06 +01:00
sebres 5030e3a122 [Important] Prohibit replacement of recursive "tags" in the action info resp. calling map (very bad idea to do this):
- the calling map contains normally dynamic values only (no recursive tags);
- recursive replacement can be vulnerable, because can contain foreign (user) input captured from log (will be replaced in the shell arguments);
2017-03-13 20:45:35 +01:00
sebres c1da6611ec [BF] prevents always converting of calling map items in replaceTag (without direct access of item):
substituteRecursiveTags: ignore replacing callable items from calling map - should be converted on demand only (by get)
2017-03-13 18:47:26 +01:00
sebres 92d83274d9 fixes cache overload in the test cases (increase max count and max time of CACHE_ipToName - too many entries in mock-up preset, longer time testing) 2017-03-13 18:03:37 +01:00
Serg G. Brester 3fec546fc0 Merge pull request #1715 from sebres/fix-f2b-regex-debuggex-url
fail2ban-regex debuggex url fix
2017-03-13 16:37:57 +01:00
sebres 295f7b88c9 increase coverage 2017-03-13 16:21:03 +01:00
sebres 3cba2310ff Fixes debuggex URL (tag replacement) and missing line stat by matched lines (without time - `matched_lines_timeextracted`);
Closes gh-1394
2017-03-13 16:14:06 +01:00