github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity
4,282 Commits
34 Branches
229 Tags
21 MiB
Commit Graph

1356 Commits (ceff489a46396b561d4a890ae75213e266837a04)

Author SHA1 Message Date
sebres e71f16f6ba Merge branch 'master' into 0.10 
# Conflicts resolved:
#	config/filter.d/dovecot.conf
 2017-10-04 09:57:18 +02:00
sebres ea36e1b3fc filter.d/dovecot.conf: fixed failregex to recognize pam_authenticate failures with "Permission denied" (gh-1897) 2017-10-04 09:55:37 +02:00
sebres 8c804a2290 Merge branch 'master' into 0.10 
# Conflicts resolved:
#	config/filter.d/postfix-rbl.conf
#	config/filter.d/postfix-sasl.conf
#	config/filter.d/postfix.conf
#	fail2ban/tests/files/logs/postfix-sasl
 2017-10-02 15:41:30 +02:00
sebres a2120a9de5 filter.d/postfix-*.conf - added optional port regex (closes gh-1902) 2017-10-02 15:31:55 +02:00
Louis Sautier 152c9d27d5
Fix nftables actions for IPv6 addresses, fixes #1893 
* add [Init?family=inet6] to nftables-common.conf and make nftable
  expressions more modular
* change "ip protocol" to "meta l4proto" in nftables-allports.conf
  since the former only works for IPv4
 2017-09-11 23:32:53 +02:00
sebres b185e7cb04 Merge remote-tracking branch 'upstream/master' into 0.10 2017-09-08 11:11:05 +02:00
Serg G. Brester fd83260bd8 jail "pass2allow-ftp" should supply blocktype to action 
closes gh-1884
 2017-09-07 18:51:08 +02:00
Serg G. Brester bb97e66627 Merge pull request #1882 from coderua/patch-1 
Add Jorgee Vulnerability Scanner protect
 2017-09-07 15:52:31 +02:00
Serg G. Brester 2cd02b731b filter.d/exim.conf: fixed failregex for case of `D=0s` 
Closes gh-1886
 2017-09-07 15:28:46 +02:00
sebres 4bc226a692 optimized regex 2017-09-05 10:59:16 +02:00
Vladimir Chumak fafefc0293 Add Jorgee Vulnerability Scanner protect 
Details for Jorgee Vulnerability Scanner: https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30164
 2017-09-05 10:56:43 +02:00
sebres 4163f32968 small review, prefix replaced with `%(_apache_error_client)s` from apache-common.conf include 2017-09-04 11:48:01 +02:00
john ac95449bbb changed zoneminder regex as per Sebres and yarikoptic recommendations 2017-09-04 11:37:09 +02:00
john 7013729a1f removed redundant options for zoneminder from jail.conf 2017-09-04 11:37:05 +02:00
john 5c3a666380 fixed incomplete regex after adding anchors 2017-09-04 11:37:03 +02:00
john 3d45fd2713 implemented yarikoptic's suggestions in fail2ban pull request #1376 2017-09-04 11:37:00 +02:00
john 08878d22dd added zoneminder.conf filter 2017-09-04 11:36:50 +02:00
john a90f6c4ae8 added zoneminder jail and filter 
# Conflicts:
#	config/jail.conf
 2017-09-04 11:36:47 +02:00
sebres c312962029 filter.d/dovecot.conf: partially cherry-pick to 0.9 PR #1880 from sebres/0.10-fix-dovecot-regex (d926e11a5c) 
fixed failregex (without new mode aggressive)
 2017-09-01 10:57:41 +02:00
sebres 2cfc53c08e remove capturing groups 2017-09-01 10:25:09 +02:00
sebres 9b8563f35e - fixes regex for message `imap-login: Disconnected (auth failed, X attempts) ...` has to many variations on additional info after `<HOST>`, 
leave it end-anchored because variable part `user=<[^>]*>` (before `<HOST>`) to avoid injecting, but can be safe rewritten using `[^>]*` in opposite to "greedy" `user=<[^>]*>`.
- introduces mode `aggressive` and extends regex for this mode to match:
  * no auth attempts (previously removed in gh-601, because of lots of false positives on misconfigured MTAs)
  * disconnected before auth was ready
  * client didn't finish SASL auth
 2017-09-01 09:56:21 +02:00
Serg G. Brester a287d0a05c Merge pull request #1872 from kmzby/master 
Added filter for phpMyAdmin+syslog
 2017-08-25 12:22:58 +02:00
Pavel Mihadyuk 4c1abe1cbf phpmyadmin-syslog: removed excess file, fixed test, updated failregex 2017-08-23 16:56:18 +03:00
Pavel Mihadyuk d09304b897 phpmyadmin-syslog: added default jail config 2017-08-22 19:00:48 +03:00
Pavel Mihadyuk 5b4bc2aafd Added filter for phpMyAdmin+syslog (>=4.7.0). Closes #1713 2017-08-22 18:20:01 +03:00
sebres 1d5fbb95ae Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2017-08-18 15:44:22 +02:00
Serg G. Brester b0e5efb631 bsd-ipfw.conf: sh-compliant redirect of stderr together with stdout 2017-08-18 15:26:09 +02:00
sebres 3be32adefb Replace not posix-compliant grep option: fgrep with `-q` option can cause 141 exit code in some cases (see gh-1389). 2017-08-18 14:37:29 +02:00
Jacques Distler f84e58e769 Tweaks to action.d/pf.conf 
Document recent changes.
Add an option to customize the pf block rule (surely, what the user
really wants, here, is "block quick").
 2017-08-18 13:31:34 +02:00
sebres 33874d6e53 action.d/pf.conf: anchored call arguments combined as `<pfctl>` parameter; 
test cases fixed;
 2017-08-16 17:51:07 +02:00
Alexander Köppe f6ccede2f1 Update pf.conf fixing #1863 
Fix #1863
Introduce own PF anchors for fail2ban rules.
 2017-08-16 17:51:05 +02:00
sebres 30219b54c4 Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2017-08-09 16:38:29 +02:00
Serg G. Brester c0eb7752a8 Merge pull request #1651 from szepeviktor/patch-9 
Introduce Cloudflare API v4
 2017-08-09 16:28:52 +02:00
Serg G. Brester 2ed8a38eca Update cloudflare.conf 
Switch to API v1 to API v4 per default
 2017-08-09 16:27:53 +02:00
Serg G. Brester da7072d40e Merge pull request #1846 from Chocobozzz/patch-3 
Fix empty logfile.log in xarf login attack action
 2017-08-09 16:21:47 +02:00
sebres 94b163936a Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 
Removed init section (not needed in filter for 0.10).

# Conflicts:
#	config/filter.d/sendmail-reject.conf
 2017-08-09 16:16:31 +02:00
Serg G. Brester af25a9d203 Merge pull request #1566 from opoplawski/journalmatch 
Add sendmail journalmatch options
 2017-08-09 16:14:10 +02:00
Orion Poplawski 84f552881c Add sendmail journalmatch options 2017-08-09 16:03:34 +02:00
Serg G. Brester 5b7375c614 Merge pull request #1638 from roedie/shorewall-ipv6 
Add shorewall IPv6 support
 2017-08-09 15:54:57 +02:00
sebres e52f483557 Config reader's: introduced new syntax `%(section/option)s`, in opposite to extended interpolation of python 3 `${section:option}` work with all supported python version in fail2ban and this syntax is like our another features like `%(known/option)s`, etc.; 
Variable `default_backend` switched to `%(default/backend)s`, so totally backwards compatible now, but now the setting of parameter `backend` in default section of `jail.local` can overwrite default backend also.
Test cases extended: test targeted section options "section/option" (default and cross sections options);
 2017-08-08 20:21:44 +02:00
sebres 5ce8d4f741 fixes default backend handling (as default used value of `known/backend`, which can now be overridden in default section of jail.local); 
introduces fallback for `known/option`: interpolate missing `known/option` as `option` from default section
 2017-08-08 18:41:15 +02:00
sebres 2fe1479484 Merge branch '_0.9/gh-1849' into 0.10 2017-08-07 18:07:36 +02:00
sebres 5c538fb658 Recognize "unknown user" for additional auth-methods (pam, passwd-file, ldap, sql, etc); simplifying regular expressions (put "unknown user" and "invalid credentials" together as one regex). 2017-08-07 18:04:09 +02:00
sebres 0ef5b7c4d4 small amend to gh-1850: removed greedy catch-all at end. 2017-08-07 15:24:16 +02:00
Marcel Waldvogel daf57547c6 Parse ejabberd 17.06 output 
E.g.:
2017-07-29 08:24:04.773 [info] <0.6668.0>@ejabberd_c2s:handle_auth_failure:433 (http_bind|ejabberd_bosh) Failed c2s PLAIN authentication for test@example.ch from ::FFFF:192.0.2.3: Invalid username or password
 2017-07-29 19:58:06 +02:00
Bigard Florian f4551d02c9 Fix empty logfile.log in xarf login attack action 
Fix empty 3rd MIME part which contains the attack evidence (logfile.log).
 2017-07-25 13:44:29 +02:00
sebres 1a562bed0f Merge remote-tracking branch 'master' into 0.10 
# Conflicts:
#	config/filter.d/asterisk.conf
 2017-07-19 08:57:23 +02:00
sebres a5b62a7f36 failregex extended and simplified (partially ported from gh-1409). 2017-07-18 16:34:22 +02:00
sebres 098abae4e6 Remove greedy catch-all before `<HOST>`, make regex more universal, fewer prone to errors (should avoid future changes, if some optional parameters coming again before/after `RemoteAddress`) + non-captured groups now. 
Test for possible injection (5.6.7.8 in session-id) already available, line 59 (thus already covered).
 2017-07-18 16:09:53 +02:00
Kirill 4c0c7b97c0 Update asterisk.conf to new log message 
I got an issue like this:
[2016-05-15 22:53:00] SECURITY[26428] res_security_log.c: SecurityEvent="FailedACL",EventTV="2016-05-15T22:53:00.203+0300",Severity="Error",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7fb580001518",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/78.129.227.4/62389",SessionTV="1970-01-01T03:00:00.000+0300"

# [sebres] rebased to current master and resolving conflicts.
 2017-07-18 15:40:32 +02:00