Steven Hiscocks
53d8a46e8a
Merge pull request #7 from grooverdan/gh-303-merge
...
Gh 303 merge
2013-08-21 12:20:48 -07:00
Daniel Black
ed42b08789
TST: merge dropbear log samples
2013-08-19 21:25:33 +10:00
Daniel Black
61d43608ae
ENH: filter.d/postfix - add filter for VRFY. Closes gh-322
2013-08-19 18:42:39 +10:00
Daniel Black
4f39d2b1fd
TST: fix failJson year
2013-08-18 23:04:53 +10:00
Daniel Black
444e989dd5
TST: another zone transfer refused example for file named-refused
2013-08-18 22:49:59 +10:00
Daniel Black
5d451bc4d6
ENH: add refused zone tranfer to named-refused filter. closes #323
2013-08-18 22:19:31 +10:00
Yaroslav Halchenko
e7d5e466b9
Merge branch 'enh/asterisk_and_dropbear_filters'
...
* enh/asterisk_and_dropbear_filters:
ENH: hardened added dropbear failregex to avoid trailing .* and enclose username in ''
minor: consistent indentation in dropbear.conf
https://github.com/fail2ban/fail2ban/issues/306
fail2ban-users: Sebastian Arcus - Detect device auth failures on Asterisk 11
2013-08-08 09:59:24 -04:00
Yaroslav Halchenko
547c123cfb
BF: example.com is pointing to another IP now. Closes #313
...
This is a permanent change according to private correspondence with
David Closson @ IANN, thus replaced 192.0.43.10 with updated IP
93.184.216.119, while leaving 192.0.43.10 as is in the sample log
files (it is still within IANN dedicated testing network).
2013-08-07 22:56:57 -04:00
Daniel Black
c0a2e50559
TST: apache auth - opaque value
2013-08-06 17:13:09 +10:00
Daniel Black
7b2773889d
TST: apache-auth filter - nonce timetravel tests + other expression fixes
2013-07-29 02:29:04 +10:00
Daniel Black
52aaa1c9bb
TST: bad include of vim swap files
2013-07-28 22:01:51 +10:00
Daniel Black
0fb04cb2f0
ENH: filter enhancements on mod-digest (with test cases) for apache-auth (httpd-2.4.4)
2013-07-28 22:00:55 +10:00
Jamyn Shanley
a355fab91b
https://github.com/fail2ban/fail2ban/issues/306
...
Fix regex for latest dropbear (keep backwards compatibility). Add test case logfiles.
Signed-off-by: Jamyn Shanley <jshanley@gmail.com>
2013-07-27 03:43:32 +00:00
Jamyn Shanley
8936f2cd02
fail2ban-users: Sebastian Arcus - Detect device auth failures on Asterisk 11
2013-07-27 00:06:06 +00:00
Steven Hiscocks
1c7d28d1ea
TST: Add qmail sample log
2013-07-26 17:03:14 +01:00
Steven Hiscocks
5437f5fe90
TST: Add gssftpd sample log
2013-07-26 17:02:53 +01:00
Steven Hiscocks
f7d8e68738
TST: Add apache-badbots sample log
2013-07-26 12:32:29 +01:00
Steven Hiscocks
37f240bef0
TST: Add sample log for php-url-fopen filter
2013-07-21 22:13:37 +01:00
Steven Hiscocks
cf1e5bdbc2
ENH: Tweak proftpd regex and add sample logs
...
Needed to add optional ":" post __pid_re, and for consistency, decided
to make use of __prefix_line instead which includes this.
2013-07-21 22:03:49 +01:00
Steven Hiscocks
e59a4960a3
TST: Add additional sample log line for apache-noscript
2013-07-21 16:48:12 +01:00
Steven Hiscocks
8b9bafda79
ENH: Change lighttpd-fastcgi to suhosin, and improve regex and samples
...
suhosin is hardened php implmentation, which will log the alerts (as
seen in samples) to stderr, which is picked up by fastcgi webserver
(e.g. lighttpd, apache, nginx)
2013-07-21 16:35:37 +01:00
Steven Hiscocks
4033857f63
ENH: Improve xinetd-fail regex and add sample logs
2013-07-21 15:44:09 +01:00
Steven Hiscocks
b5ffbced37
TST: Sample test cases now handle ignoreregex and add recidive samples
2013-07-21 15:31:32 +01:00
Steven Hiscocks
e7b7815de3
TST: Add additional sshd sample logs
2013-07-21 15:22:44 +01:00
Steven Hiscocks
a11f91b835
ENH: Improve cyrus-imap regex and add extra sample line
2013-07-20 17:28:28 +01:00
Steven Hiscocks
534be189dc
ENH: Improve sieve regex and add sample line
2013-07-20 17:26:09 +01:00
Steven Hiscocks
d791ba12ba
TST: Add sample log for dropbear filter
2013-07-20 16:54:28 +01:00
Steven Hiscocks
ab671b0b1a
ENH: Improve wuftpd failregex, drop duplicate pam regex and add sample
...
For wu-ftpd configured to use pam, the pam filter used be used, as regex
is more robust.
2013-07-20 16:34:24 +01:00
Steven Hiscocks
57a6c11260
ENH: Improve courierlogin regex and add sample logs
2013-07-20 15:53:18 +01:00
Steven Hiscocks
bd175f0267
ENH: Improve cyrus-imap regex and add sample log file
2013-07-20 15:38:29 +01:00
Steven Hiscocks
83a80a29ea
ENH: Improve couriersmtp and add sample logs
2013-07-20 15:34:00 +01:00
Steven Hiscocks
eb2f0c9272
ENH: Improve postfix regex and add more samples
2013-07-20 15:31:21 +01:00
Daniel Black
5cfe108186
ENH: filter enhancements (with test cases) for apache-auth (httpd-2.4.4)
2013-07-20 22:21:08 +10:00
Daniel Black
bdcde678d1
TST: fix year
2013-07-20 15:15:02 +10:00
Daniel Black
fcf79b475f
ENH: new filter perdition.conf
2013-07-19 20:14:53 +10:00
Steven Hiscocks
a012b54117
TST: Add additional postfix filter sample
2013-07-18 22:17:31 +01:00
Steven Hiscocks
2a3a627322
TST: Add sample for sieve regex
2013-07-18 22:17:14 +01:00
Daniel Black
fa85be2eea
DOC/TST: fix configuration path for apache-auth test cases
2013-07-18 08:37:05 +10:00
Daniel Black
8ce9c78474
TST: apache-auth digest logs
2013-07-18 00:36:17 +10:00
Daniel Black
4eca2c0bd5
TST: apache-auth client denied by server configuration
2013-07-17 23:24:19 +10:00
Daniel Black
e0292913eb
ENH/TST: filter, testcase and log entry for apache-auth authorization scheme mod_authz_owner
2013-07-17 23:05:04 +10:00
Daniel Black
40cc336cd5
TST: testcases and logs for apache-auth basic
2013-07-17 22:46:04 +10:00
Yaroslav Halchenko
f6a8a04cf3
ENH: roundcube-auth - adopt for current format with trailing error message. thanks @kwirk for the review/feedback
...
I also used non-greedy .*? for the login portion since not sure if space could
be there and trying to minimize possibility of reacting on injected "from
<HOST>" somewhere within the trailing .*
2013-07-16 15:07:32 -04:00
Steven Hiscocks
4855cae487
Merge branch 'sample-log-meta-data'
...
Conflicts:
testcases/files/logs/dovecot
2013-07-14 18:29:36 +01:00
Steven Hiscocks
728399c39e
Merge pull request #281 from kwirk/dovecot-filter
...
ENH: dovecot filter additions for session, time value and blank user
2013-07-14 05:18:04 -07:00
Steven Hiscocks
40f67c64b8
TST: Test sample logs' entries are matched by filter regexs
2013-07-13 23:03:01 +01:00
Daniel Black
1bb427cc14
TST: remove dup test log entry
2013-07-12 09:09:24 +10:00
Daniel Black
6ce41a611d
BF: fix filter on apache-auth. Closes #286
2013-07-11 22:13:51 +10:00
Daniel Black
5412d7336f
DOC: ChangeLog confict
2013-07-09 08:23:44 +10:00
Daniel Black
619603fe05
BF: match asterisk InvalidPassword correctly
2013-07-07 17:48:20 +10:00
Steven Hiscocks
bfa2b9dec3
ENH: dovecot filter additions for session, time value and blank user
2013-07-05 18:36:02 +01:00
Daniel Black
d6dece4900
ENH: Split log and provide jail examples
2013-07-03 07:42:47 +10:00
Yaroslav Halchenko
e6ebcf6687
Merge branch 'dovecot' of https://github.com/grooverdan/fail2ban
...
* 'dovecot' of https://github.com/grooverdan/fail2ban :
ENH: remove non-capturing groups for readibility
BF: fix dovecot filter for when no TLS is enabled on pop/imap
Conflicts:
ChangeLog -- changelog entries. Also untabified few other spots
2013-07-02 10:12:51 -04:00
Yaroslav Halchenko
f0f237fa05
Merge pull request #269 from grooverdan/asterisk
...
ENH: filter.d/asterisk - consolidate log prefix regex and add a few fail messages
2013-07-02 07:04:10 -07:00
Daniel Black
4777cfd4e7
ENH: split out exim-spam into speparate filter
2013-07-02 20:03:16 +10:00
Daniel Black
c7d64c3c7f
TST: url reference fix
2013-07-01 21:58:03 +10:00
Daniel Black
ca996ace5e
ENH: remove temporary failures from local_scan in line with comments in gh-258
2013-07-01 21:56:02 +10:00
Daniel Black
72f9e6a51e
ENH/TST: more samples and rejection types for sender verify fail and rejected RCPT
2013-07-01 21:50:35 +10:00
Daniel Black
3b76fc79f9
BF: fix dovecot filter for when no TLS is enabled on pop/imap
2013-07-01 21:12:51 +10:00
Yaroslav Halchenko
1b170b2aef
BF: support apache 2.4 more detailed error log format. Close #268
2013-06-28 09:49:36 -04:00
Yaroslav Halchenko
6d331bcbea
BF: make colon after [daemon] optional. Close #267
2013-06-27 11:44:47 -04:00
Daniel Black
fa7a105483
ENH: filter.d/asterisk - consolidate log prefix regex and add a few fail messages
2013-06-27 09:16:14 +10:00
Daniel Black
b8cfda68b8
ENH: new exim filter regexs. Also note a begining PID in this format. Thanks to ftoppi for the log entries
2013-06-16 00:19:37 +10:00
Daniel Black
d441d61a1e
TST/ENH: Improve regex around exim
...
rejected by local_scan now has test cases.
Unrouteable address error messages now normalised after looking into
exim code.
2013-06-15 12:34:16 +10:00
Yaroslav Halchenko
9d4b613ee4
Merge branch '3proxy' of https://github.com/grooverdan/fail2ban
...
* '3proxy' of https://github.com/grooverdan/fail2ban :
BF: fix to proxy port in 3proxy example
ENH: sample log + more specific regex
BF: authentication errors end in 01-09 but the beginning part indicates the service as per https://github.com/fail2ban/fail2ban/issues/246#issuecomment-19327955 thanks to ykimon
BF: need to anchor the start to avoid another repeat of DoS injection like Apache
ENH: stricter regex thanks to Steven Hiscocks (kwirk)
DOC: credits
Conflicts:
ChangeLog
2013-06-14 12:32:51 -04:00
Yaroslav Halchenko
173fe48e77
Merge branch 'exim' of https://github.com/grooverdan/fail2ban
...
* 'exim' of https://github.com/grooverdan/fail2ban :
BF/ENH: Incorrect authentication data doesn't need tailier so that's optional. Also gained log entry for Unrouteable address
ENH: readibility thanks to Yaroslav
ENH/BF: exim improvements with sample
Conflicts:
ChangeLog
2013-06-14 12:28:07 -04:00
Yaroslav Halchenko
ec629ab4e8
Merge branch 'proftpd' of https://github.com/grooverdan/fail2ban
...
* 'proftpd' of https://github.com/grooverdan/fail2ban :
ENH: proftpd chan accept usernames with spaces
ENH: injection of fail data into USER field
ENH: proftp regex hardening and log messages
Conflicts:
ChangeLog
2013-06-14 12:16:59 -04:00
Daniel Black
8cc13b5b40
BF/ENH: Incorrect authentication data doesn't need tailier so that's optional. Also gained log entry for Unrouteable address
2013-06-14 18:12:53 +10:00
Daniel Black
e8b6acfa65
TST: attempts at injection with username=rhost=1.2.3.4 have no user= logged in dovecot-1.2.15
2013-06-14 00:53:03 +10:00
Daniel Black
2e2ec5d1f5
ENH: injection of fail data into USER field
2013-06-14 00:17:41 +10:00
Daniel Black
dbe7ffe050
ENH: dovecot regexs rewritten and extra failures
2013-06-13 23:52:15 +10:00
Daniel Black
4c67a269bf
ENH: proftp regex hardening and log messages
2013-06-13 22:11:05 +10:00
Daniel Black
3e3802512a
ENH/BF: exim improvements with sample
2013-06-13 17:44:18 +10:00
Daniel Black
9dbaec0894
ENH: sample log + more specific regex
2013-06-13 10:23:14 +10:00
Yaroslav Halchenko
6ccd57813c
BF: anchor apache- filters. Close #248
...
See https://vndh.net/note:fail2ban-089-denial-service for more information
2013-06-11 19:19:25 -04:00
Daniel Black
16d63434ef
DOC: credits
2013-06-11 23:56:09 +10:00
Carlos Alberto Lopez Perez
7248ef4564
Filter Asterisk: Add sample log entry to testcase.
...
* Sample log entry for AUTH_UNKNOWN_DOMAIN (Not a local domain)
2013-06-11 02:13:37 +02:00
Daniel Black
916b5a7c23
TST: normalize logs to use example.com and 1.2.3.4 as IP
2013-05-30 10:24:48 +10:00
Daniel Black
eceede175a
Merge branch 'patch-4' of https://github.com/silviogarbes/fail2ban into asterisk-227
2013-05-30 09:37:00 +10:00
Terence Namusonge
098c88a67b
failregex when roundcube log driver is set to 'syslog'
2013-05-26 07:46:29 +02:00
silviogarbes
52fa5f19b0
Update asterisk
2013-05-14 12:58:43 -03:00
Yaroslav Halchenko
571cadd80c
ENH: Use real (resolving) example.com instead of test.example.com
2013-05-08 10:30:38 -04:00
Yaroslav Halchenko
976a65bb89
Merge branch 'bsd_logs' of https://github.com/grooverdan/fail2ban
...
* 'bsd_logs' of https://github.com/grooverdan/fail2ban :
ENH: separate out regex and escape a .
BF: missed MANIFEST include
DOC: credits for bsd log
DOC: bsd syslog files thanks to Nick Hilliard
BF: change common.conf to handle formats of syslog -v and syslog -vv in BSD
Conflicts:
config/filter.d/common.conf
2013-05-08 10:30:04 -04:00
Yaroslav Halchenko
5e1d8b07e8
ENH: logs/sshd -- have ":" after [daemon] (other uses are uncommon)
...
See https://github.com/fail2ban/fail2ban/issues/216\#issuecomment-17535577
for the analysis
2013-05-07 12:30:05 -04:00
Yaroslav Halchenko
ffcac2ccee
ENH: logs/sshd -- use example.com as the resolved hostname in sample log lines
2013-05-07 12:26:13 -04:00
Yaroslav Halchenko
2143cdff39
Merge: opensolaris docs/fixes, no 'sed -i' in hostsdeny, sshd regex tuneups
...
Origin: from https://github.com/jamesstout/fail2ban
* 'OpenSolaris' of https://github.com/jamesstout/fail2ban :
ENH: Removed unused log line
BF: fail2ban.local needs section headers
ENH: Use .local config files for logtarget and jail
ENH+TST: ssh failure messages for OpenSolaris and OS X
ENH: fail message matching for OpenSolaris and OS X
ENH: extra daemon info regex
ENH: actionunban back to a sed command
Readme for config on Solaris
create socket/pid dir if needed
Extra patterns for Solaris
change sed to perl for Solaris
Conflicts:
config/filter.d/sshd.conf
2013-05-06 11:11:12 -04:00
jamesstout
932bd102fe
ENH: Removed unused log line
...
removed #9 per
https://github.com/fail2ban/fail2ban/pull/182#discussion_r4068885
2013-05-04 18:38:05 +08:00
Daniel Black
cde7108033
DOC: bsd syslog files thanks to Nick Hilliard
2013-05-03 16:12:19 +10:00
Enrico Labedzki
24a8d07c20
added new date format support for ASSP SMTP Proxy
2013-05-03 00:56:46 -04:00
jamesstout
018913db6a
ENH+TST: ssh failure messages for OpenSolaris and OS X
2013-04-30 04:24:56 +08:00
Daniel Black
0ac8746d05
ENH: Account for views in named filter. By Romain Riviere in gentoo bug #259458
2013-04-28 11:03:44 +10:00
Yaroslav Halchenko
ffaa9697ee
Adjusting previous PR (MySQL logs) according to my comments
2013-04-09 18:00:40 -04:00
Yaroslav Halchenko
3e6be243bf
Merge branch 'Support_for_mysql_log_example' of https://github.com/arto-p/fail2ban
...
* 'Support_for_mysql_log_example' of https://github.com/arto-p/fail2ban :
Added testcase for MySQL date format to testcases/datedetectortestcase.py and example of MySQL log file.
Added support for MySQL logfiles
Conflicts:
testcases/datedetectortestcase.py -- conflictde with other added test cases
2013-04-09 17:55:14 -04:00
Yaroslav Halchenko
72b06479a5
ENH: Slight tune ups for fresh SOGo filter + comment into the sample log file
2013-03-27 11:09:54 -04:00
Yaroslav Halchenko
105306e1a8
Merge remote-tracking branch 'pr/117/head' -- SOGo filters
...
* pr/117/head:
An example of failed logins against sogo
Update sogo-auth.conf
Update config/filter.d/sogo-auth.conf
Create sogo-auth.conf
Update config/jail.conf
2013-03-27 11:09:35 -04:00
Yaroslav Halchenko
91d5736c12
ENH: postfix filter -- react also on (450 4.7.1) with empty from/to. fixes #126
2013-03-26 09:40:04 -04:00
Artur Penttinen
edc0eb2a9c
Added testcase for MySQL date format to testcases/datedetectortestcase.py
...
and example of MySQL log file.
2013-03-25 16:00:07 +02:00
ArndRa
ebb6e5f4eb
An example of failed logins against sogo
2013-03-25 09:11:51 +01:00
Yaroslav Halchenko
5f2d3832f7
NF: roundcube-auth filter (to close Debian #699442 , needing debian/jail.conf section)
2013-01-31 14:41:34 -05:00
Yaroslav Halchenko
9a39292813
ENH: Added login authenticator failed regexp for exim filter
2013-01-04 15:23:05 -05:00