github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity
3,740 Commits
32 Branches
229 Tags
18 MiB
Commit Graph

955 Commits (d8469b39732ccf970f2819211e13c3bab414330b)

Author SHA1 Message Date
Yaroslav Halchenko 9a8b449086 DOC: some typos, fixes from Vincent Lefevre 2014-01-06 23:38:52 -05:00
Daniel Black 9e390d6549 ENH: jail.conf for exim-honeypot 2014-01-07 11:53:20 +11:00
Daniel Black 809581ae99 ENH: jail.conf for apache-botsearch 2014-01-07 11:52:21 +11:00
Daniel Black ed9ed6d0cb TST/ENH: fix test case for ReadStockJailFilterComplete and add missing jails 2014-01-07 11:27:54 +11:00
Daniel Black 10fa5e3439 BF: fix jails for gssftpd and qmail 2014-01-07 10:49:11 +11:00
Daniel Black 549f64e86c BF: remove imap2 - not an IANA and probably not used 2014-01-07 10:25:29 +11:00
Daniel Black 320861b7dc Merge branch 'more-jails-0.9' into master_to_0.9 2014-01-07 10:24:27 +11:00
Daniel Black 76468942f9 MRG: complete merge from master 2014-01-07 10:24:23 +11:00
Daniel Black fa6a183e94 BF: typos in jail.conf corrected 2014-01-07 09:49:27 +11:00
Daniel Black a31c76f126 ENH: jail cleanup and fill in missing for 0.9 2014-01-07 09:34:39 +11:00
Daniel Black 755af0a51e Merge pull request #562 from grooverdan/jail.conf-complete_and_correct 
ENH: Jail.conf now has all filters and TST: a mechanism to test this is truee
 2014-01-06 12:08:45 -08:00
Daniel Black 90fdf5fc21 ENH: jail.conf entry for groupoffice 2014-01-07 06:55:38 +11:00
Daniel Black ab3ded2205 Merge pull request #549 from kwirk/python-actions 
ENH: Python actions
 2014-01-06 02:58:45 -08:00
Daniel Black 50eab4df81 ENH: add filter groupoffice. Closes gh-566 2014-01-06 21:56:22 +11:00
Daniel Black f137c7b107 BF: stunnel doesnt need datepattern as its inbuilt 2014-01-06 09:53:54 +11:00
Daniel Black 1687505995 BF: Fix datepattern 2014-01-06 09:06:05 +11:00
Steven Hiscocks 6c301ae210 Merge pull request #563 from grooverdan/gh-289-ssh 
BF: add expression for ssh filter for code 3: SSH2_DISCONNECT_KEY_EXCHAN...
 2014-01-05 09:55:05 -08:00
Daniel Black 03aba92238 ENH: add kerio filter 2014-01-05 23:41:49 +11:00
Daniel Black 1c5787174f BF: escape . in stunnel filter 2014-01-05 23:25:49 +11:00
Daniel Black a8e0498389 BF: add expression for ssh filter for code 3: SSH2_DISCONNECT_KEY_EXCHANGE_FAILED. closes gh-289 2014-01-05 21:26:26 +11:00
Daniel Black a9f804e443 ENH: complete stock jail.conf to contain all filters 2014-01-05 21:03:16 +11:00
Daniel Black 6ce2ba2895 ENH: additional phpmyadmin tips from Tom on http://www.fail2ban.org/wiki/index.php?title=Fail2ban:Community_Portal. Block is now a prefix of a path 2014-01-05 11:48:35 +11:00
Daniel Black c37ee4cc52 DOC: filter.d/vsftpd doco from wiki 2014-01-05 11:30:56 +11:00
Daniel Black 6602937ee1 DOC: filter.d./pure-ftpd doco from wiki 2014-01-05 11:24:20 +11:00
Steven Hiscocks 69a850d226 DOC: Update docstrings for smtp.py action 2014-01-04 22:46:57 +00:00
Steven Hiscocks 6e63f0ea5a RF: Change Jails and Actions to Mapping types 2014-01-04 16:57:08 +00:00
Daniel Black d7666c8942 DOC: bit more on how to use freeswitch 2014-01-04 12:39:48 +11:00
Daniel Black 23f0b854da MRG: merge in freeswitch 2014-01-04 12:24:40 +11:00
Daniel Black 69b3a1cf64 BF: catchin DEBUG messages will result in duplicates 2014-01-04 12:10:51 +11:00
Daniel Black 05b159c74b Merge pull request #464 from grooverdan/increase-jail-name-length 
ENH: Actions to have f2b- as prefix instead of fail2ban- as per #462
 2014-01-03 14:48:56 -08:00
Daniel Black 3d1a1afca4 MRG: to more recent 0.9 2014-01-04 09:31:05 +11:00
Daniel Black 5fe75436cc DOC: DEV NOTES before author names 2014-01-04 08:53:45 +11:00
Daniel Black 477f30665a DOC: ignoreip for internal ips on freeswitch 2014-01-04 08:31:42 +11:00
Daniel Black 36533de6bc ENH: more filter expressions for freeswitch. Anchored existing one at end too 2014-01-04 08:21:22 +11:00
Daniel Black d1faae3b3b BF: port not used in jail definition for freeswitch 2014-01-04 08:01:42 +11:00
Daniel Black 938ef689de DOC: dev notes on stunnel 2014-01-04 07:55:26 +11:00
Steven Hiscocks 80d6f74ee8 RF: Refactor actions further, include removing server proxy interface 
This allows direct setting of action properties and calling of methods
from the fail2ban-client if so required.
 2014-01-03 17:04:49 +00:00
Daniel Black 7c09a61ca5 ENH: add apache-botsearch. Closes gh-544 2014-01-03 23:12:58 +11:00
Daniel Black b8536490ef ENH: filter for stunnel from fail2ban wiki 2014-01-03 19:32:29 +11:00
Daniel Black a0c2de3e4d DOC: document incompatiblity between APF and iptables-* actions. Closes gh-510 2014-01-03 16:51:38 +11:00
Daniel Black 04d28fd2e1 ENH: add filter freeswitch - as raised on mailing list 2014-01-03 13:00:37 +11:00
Daniel Black 117d3b0466 MRG: horde filter from master 2014-01-03 10:34:59 +11:00
Daniel Black 83f3aeb308 ENH: filter for horde 2014-01-02 23:12:36 +11:00
Steven Hiscocks 98bf511443 BF: Incorrect number of arguments in smtp.py action connect log 2014-01-01 23:50:44 +00:00
Steven Hiscocks 5b2b59d752 ENH: python actions use initOpts as **kwargs 
Adds an easy way to handle case where mandatory arguments are missed, or
not valid arguments are passed
 2014-01-01 23:18:11 +00:00
Steven Hiscocks 6ef911185d ENH: Add matches to smtp.py action 2014-01-01 12:27:49 +00:00
Daniel Black 55688395fb DOC: doco for exim-spam 2014-01-01 22:56:08 +11:00
Daniel Black 9c7bb3b97e ENH: exim-spam to take honeypot email address as argument. Closes #541 2014-01-01 22:45:13 +11:00
Daniel Black 391b5fc883 MRG: from master again 2014-01-01 2014-01-01 19:28:38 +11:00
Steven Hiscocks f37c90cdba ENH: Python based actions 
Python actions are imported from action.d config folder, which have .py
file extension. This imports and creates an instance of the Action class
(Action can be a variable that points to a class of another name).
fail2ban.server.action.ActionBase is a base class which can be inherited
from or as a minimum has a subclass hook which is used to ensure any
imported actions implements the methods required.
All calls to the execAction are also wrapped in a try except such that
any errors won't cripple the jail.
Action is renamed CommandAction, to clearly distinguish it from other
actions.

Include is an example smtp.py python action for sending emails via smtp.
This is work in progress, as looking to add the <matches> and whois
elements, and also SSL/TLS support.
 2013-12-31 18:54:34 +00:00
Daniel Black e8710b679d ENH: stronger regex for failregex 2013-12-31 08:22:52 +11:00
Daniel Black 856407379b ENH: add filter openwebmail. Closes gh-543. 2013-12-31 08:09:00 +11:00
Daniel Black ccb64e68b4 DOC: for exim-spam to say how to enable the log lines for the latest regex 2013-12-29 21:53:26 +00:00
Daniel Black b5f5ddf123 ENH: end anchor for exim-spam 2013-12-29 20:56:25 +00:00
Daniel Black d727ba639a ENH: exim-spam to include spamassassin log entry. Closes gh-533 2013-12-29 20:16:37 +00:00
Daniel Black c074773805 ENH: apache modsecurity from 0.9 branch 2013-12-29 07:06:13 +00:00
Daniel Black be382dae4d MRG: ufw changelog conflicts 2013-12-29 05:45:06 +00:00
Daniel Black 1f6ece2a40 Merge pull request #490 from grooverdan/firewallcmd-ipset 
ENH: add firewallcmd-ipset
 2013-12-28 21:43:49 -08:00
Daniel Black ea2a13946e TST: more test of filters 2013-12-29 05:29:59 +00:00
Daniel Black c9cfdca396 ENH: add filter for apache-modsecurity 2013-12-28 22:28:11 +00:00
Daniel Black ddac79c15c TST: include blank ignorecommand in jail.conf to indicate default value and to raise test coverage 2013-12-25 11:01:31 +00:00
bes.internal ebd89ec077 New ignorecommand that is added to the ignoreip list from output of an external program 
ignorecommand update man and fix protocol help

ENH: run ignore command only after internal list has been examined. Change interface on ignorecommand to take IP as environment variable and return true if it is to be banned

ENH: ignore IP command to take tagged command

DOC: man pages for ingorecommand

TST: add test cases for ignorecommand
 2013-12-24 23:55:35 +03:00
Daniel Black 382d68f0fe DOC: perfork model for apache log format 2013-12-23 09:09:48 +00:00
Daniel Black 1b7df1181f BF: apache-2.4 log format fix. Closes gh-516 2013-12-23 08:28:40 +00:00
Yaroslav Halchenko 7af58b9984 Merge branch 'apache-noscripts' of https://github.com/grooverdan/fail2ban 
* 'apache-noscripts' of https://github.com/grooverdan/fail2ban:
  ENH: apache-noscript now matched php-cgi scripts. Closes gh-503

Conflicts:
	ChangeLog -- two new entries collided,  Reformatted the merged one a bit
 2013-12-22 22:28:57 -05:00
Daniel Black a9b7d33c51 ENH: apache-noscript now matched php-cgi scripts. Closes gh-503 2013-12-19 10:01:24 +00:00
Daniel Black a1a219189f Merge pull request #493 from grooverdan/xarf-ipmatch 
ENH: use ipmatches for action xarf-login-attack
 2013-12-19 01:28:49 -08:00
Daniel Black ed2f46759c MRG: restore accidently deleted pam comment in jail.conf 2013-12-19 09:21:12 +00:00
Daniel Black 44a0981495 MRG: fix recidive filter 2013-12-19 09:18:18 +00:00
Steven Hiscocks d22716ab63 ENH: Add nsd filter and amend DateEpoch to match date format 2013-12-18 22:31:54 +00:00
Daniel Black 7c0efc8ec8 MRG: merge so far - flushLogs not working yet 2013-12-16 15:08:34 +00:00
Daniel Black 4eedf9d4e1 ENH: use ipmatches for action xarf-login-attack 2013-12-15 23:49:38 +00:00
Daniel Black a398c51d6c ENH: simplify actioncheck on firewallcmd-new a little more 2013-12-15 22:36:47 +00:00
Daniel Black 772def1095 Merge pull request #491 from kwirk/ipmatches 
ENH: Add <ipmatches> and <ipjailmatches> tags + sendmail implementations
 2013-12-15 14:29:02 -08:00
Steven Hiscocks 40007abc1d ENH: Refactor and add database matches and failures for sendmail actions 2013-12-15 21:41:43 +00:00
Steven Hiscocks 2deb76e3f9 Merge pull request #492 from grooverdan/abusix-disclaimer 
ENH: full abusix disclaimer in action xarf-login-attack
 2013-12-14 13:35:43 -08:00
Daniel Black 1c6c011154 EHH missed trailing . 2013-12-14 21:22:46 +00:00
Daniel Black 868a4ea470 ENH: full abusix disclaimer in action xarf-login-attack 2013-12-14 21:18:20 +00:00
Daniel Black 9fe0a69852 ENH: add firewallcmd-ipset 2013-12-14 09:06:01 +00:00
Daniel Black 4ffc57e14f ENH: simplify firewallcmd-new actioncheck and provide output samples 2013-12-14 07:11:29 +00:00
Daniel Black ed816afbcd ENH: add badips action 2013-12-14 01:41:28 +00:00
Daniel Black 1ff52dfe4d DOC: document ufw a bit more. Change insertpos default to 1 to allow it to work if the user run ufw enable 2013-12-14 00:40:47 +00:00
Daniel Black f35345ecaa ENH: add ufw action based off Guilhem Lettron's work in lp-#701522. Closes gh-455 2013-12-14 00:34:12 +00:00
Daniel Black 13ccebe78f BF: fix actioncheck in firewallcmd 2013-12-13 23:40:51 +00:00
Steven Hiscocks 0bcff771b8 ENH: Add <ipmatches> and <ipjailmatches> tags 
Example use filter also added for sendmail-whois with ipmatches rather
than grepped lines
 2013-12-13 22:40:11 +00:00
Steven Hiscocks 2c3dbc8046 BF: In 0.9 recidive bans come from fail2ban.server.actions 
Also changed journalmatch to limit to WARNING priority to avoid the
recidive + DEBUG combo issue
 2013-12-13 21:55:43 +00:00
Steven Hiscocks b7d1579c9d MRG: branch 'kwirk/database' into 0.9 - gh-480 
Conflicts:
	fail2ban/tests/utils.py
        - Another test suite added in separate commit e09b700
 2013-12-13 17:15:19 +00:00
Steven Hiscocks e18af48e34 ENH: Database now optional, by setting dbfile to "None" 2013-12-10 21:16:36 +00:00
Daniel Black 9d532828fc BF: multiple _ separated values according to http://wiki.squid-cache.org/SquidFaq/SquidLogs#Squid_result_codes. Thanks Steven 2013-12-11 07:44:41 +11:00
Daniel Black 66374913ec ENH: add squid filter 2013-12-10 21:24:37 +11:00
Daniel Black db4c21acde BF/DOC: fix filename in documentation for filter.d/proftpd 2013-12-09 14:46:01 +11:00
Daniel Black e8eab11615 DOC: proftp - turn off ReverseDNS 2013-12-09 14:45:09 +11:00
Daniel Black f385439a41 MRG: ChangeLog merge 2013-12-09 09:28:42 +11:00
Daniel Black 36917d7517 BF: action.d/complain - match IP at beginning and end of lines 2013-12-09 09:21:55 +11:00
Steven Hiscocks d8c7bca9b0 BF: Fix dbpurgeage default value, and change default dbfile extension 2013-12-08 11:35:12 +00:00
Steven Hiscocks bbadef847b ENH: Add fail2ban persistent data storage 2013-12-07 23:23:28 +00:00
Daniel Black 135c759dbb Merge pull request #477 from kwirk/blocklist.de 
ENH: Added blocklist.de reporting API action
 2013-12-06 16:16:39 -08:00
Steven Hiscocks 630dd91dcd BF: Add [Init] section to blocklist.de action 2013-12-07 00:09:31 +00:00
Steven Hiscocks b3c173795e ENH: blocklist.de action error on HTTP response code 4xx 2013-12-06 08:22:21 +00:00
Daniel Black 51f2619878 Merge pull request #473 from grooverdan/whois-missing 
ENH: Whois missing in actions? Include output to say so
 2013-12-05 12:44:35 -08:00
Daniel Black e07ba41870 Merge pull request #463 from grooverdan/firewall-cmd-direct-new-length-too-long 
BF: firewall-cmd-direct-new was too long. Thanks Joel.
 2013-12-05 12:42:55 -08:00
Steven Hiscocks a19b33cc72 ENH: blocklist.de action added fail2ban version as user agent 2013-12-05 18:12:15 +00:00
Steven Hiscocks f742ed0e4b DOC: when to use blocklist.de reporting 
Taken from commit 1846056606
 2013-12-05 18:06:53 +00:00
Steven Hiscocks e810ec009d ENH: Added blocklist.de reporting API action 2013-12-05 08:22:20 +00:00
Daniel Black 4dc51e5def BF: put notice in email if whois program could not provide more information. Closes gh-471 2013-12-04 22:43:06 +11:00
Daniel Black 97d7f46bb7 DOC: correct grammar - s/Here are more information/Here is more information/ 2013-12-04 22:40:48 +11:00
Daniel Black 8aead9ab79 BF: escape quotes when splitting addresses for xarf 2013-12-04 08:19:05 +11:00
Daniel Black 1846056606 DOC: when to use xarf messages to network owner 2013-12-03 20:40:42 +11:00
Daniel Black 8c37d2e4de ENH: remove dependency on querycontacts 2013-12-03 20:34:21 +11:00
Daniel Black bfd435091d ENH: jail examples for xarf-login-attack 2013-12-01 20:29:43 +11:00
Daniel Black dd356c3cef BF: fixed for sendmail and tested the MTA aspects of this action 2013-12-01 19:08:28 +11:00
Daniel Black 9df5f4eec8 BF: remove debugging tee command on xarf-login-attack 2013-12-01 17:53:34 +11:00
Daniel Black d015f7f4fc BF/ENH: fixed so xarf-login-attack works 2013-12-01 17:49:35 +11:00
Daniel Black 0495aa098e BF: grep matches on <ip> shouldn't include other IPs 2013-11-30 18:01:45 +11:00
Daniel Black 95845b7b65 BF: complain action could match too many IP addresses 2013-11-30 17:47:10 +11:00
Daniel Black 5cc7173fd4 ENH: add xarf email sender for login-attack type 2013-11-30 14:16:26 +11:00
Yaroslav Halchenko 3a5983ab0b Merge branch 'bf/syslog-format' of https://github.com/yarikoptic/fail2ban 
* 'bf/syslog-format' of https://github.com/yarikoptic/fail2ban:
  Changelog entries for the last changes
  ENH: added optional [PID] matching in recidive.conf
  ENH: reintroducing levelnameinto syslog msgs, time stamp and indentation in non-syslog msgs
  BF/ENH: include [PID] into logging msgs, remove indentation from syslog messages

Conflicts:
	ChangeLog
 2013-11-29 19:58:56 -05:00
Daniel Black f7504d5b64 MRG: conflict in THANKS 2013-11-30 10:39:19 +11:00
Daniel Black 56b6bf7d25 ENH: reduce firewalld-cmd-new -> firewallcmd-new 2013-11-30 10:30:29 +11:00
Daniel Black 04438cd1a1 BF/ENH: mysql jail - rename to mysql-syslog to be consistent with 0.8.13. Add port to syslog defination. Document mysql configuration required for mysql jails 2013-11-30 10:00:59 +11:00
Daniel Black 3f4d179612 BF: smtps not an IANA port - from #447 2013-11-30 09:52:32 +11:00
Daniel Black fe9e077acf BF: correct spelling of port for solid-pop3 jail in jail.conf 2013-11-30 09:51:30 +11:00
Daniel Black 86a0a5962a BF: revert to fail2ban- prefix as f2b- was intended for 0.9 2013-11-30 08:05:20 +11:00
Yaroslav Halchenko 25e967f23b Merge branch 'mysqld-syslog-iptables-name-too-long' of https://github.com/grooverdan/fail2ban 
* 'mysqld-syslog-iptables-name-too-long' of https://github.com/grooverdan/fail2ban:
  BF: jail name mysqld-syslog-iptables too long. removed -iptables. Thanks Stefan (#447)

Conflicts:
	ChangeLog
 2013-11-29 10:02:31 -05:00
Daniel Black b9b2ddf996 BF: smtps not IANA standard. Closes #447 2013-11-29 21:47:53 +11:00
Daniel Black cade746307 BF: jail name mysqld-syslog-iptables too long. removed -iptables. Thanks Stefan (#447) 2013-11-29 21:45:11 +11:00
Daniel Black 9e53892708 BF: did remove instead of move 2013-11-29 19:26:24 +11:00
Daniel Black af4feb0c92 Actions to have f2b- as prefix instead of fail2ban- as per #462 2013-11-29 19:08:38 +11:00
Daniel Black fb666b69ff BF: firewall-cmd-direct-new was too long. Thanks Joel. 2013-11-28 23:35:05 +11:00
Daniel Black 227f27ce6b ENH: added multiline filter for sshd filter 2013-11-25 14:55:41 +11:00
Daniel Black f80fa7d7a0 Merge pull request #456 from grooverdan/apffix 
BF: add init section with name for action.d/apf. Closes #398
 2013-11-24 13:48:46 -08:00
Daniel Black 13223c33f5 MRG: recidive-protocol-all 2013-11-25 08:22:09 +11:00
Daniel Black dc154c792e BF: add init section with name for action.d/apf. Closes #398 2013-11-25 08:08:20 +11:00
Yaroslav Halchenko a26d4f42b7 ENH: added optional [PID] matching in recidive.conf 2013-11-24 10:21:02 -05:00
Daniel Black 9a82bc3c61 BF: kernel messages can have space. Thanks ag4ve(shawn). Closes #448 2013-11-24 18:21:02 +11:00
Daniel Black 98eacdf333 MRG/BF: merge from master. Fix bugs in iso8601 2013-11-24 16:36:06 +11:00
Yaroslav Halchenko 629e9ae445 Merge pull request #443 from grooverdan/apache-authfix 
BF: apache filters using error log weren't matched when referer existed ...
 2013-11-18 15:53:39 -08:00
Daniel Black 284f811c91 BF: apache filters using error log weren't matched when referer existed in HTTP header 2013-11-19 10:27:55 +11:00
Daniel Black 1ea68b2d0c DOC: filter.d/solid-pop3d - document lack of PAM support. Thanks to Jacques for the log messages 2013-11-18 09:44:26 +11:00
Daniel Black 0eea0a35db ENH: filter.d/solid-pop3d - added log messages and regexes 2013-11-18 08:58:23 +11:00
Daniel Black dab2ddb9da ENH: recidive jail to block all protocols. Closes #440 2013-11-18 07:57:16 +11:00
Daniel Black b3b9ea4559 ENH: jail for solid-pop3d 2013-11-18 07:42:45 +11:00
Daniel Black 88eff70774 ENH: filter.d/solid-pop3d added 2013-11-16 09:43:15 +11:00
Daniel Black 1ac7b53cad MRG: merge from master 2013-11-13 09:16:45 +11:00
Daniel Black 286d78e13c Merge pull request #430 from grooverdan/apache-overflows 
ENH: Apache overflows - httpd-2.4 message IDs + samples
 2013-11-12 12:46:52 -08:00
Daniel Black 50ca16e50e Merge pull request #431 from grooverdan/apache-noscript 
ENH: apache-2.4 message IDs for filter apache-noscript
 2013-11-12 12:46:09 -08:00
Daniel Black 947c6ff9cc Merge pull request #433 from grooverdan/asterisk 
BF/ENH: asterisk connection ID is a hex not decimal number. Add "Rejecting unknown SIP connection from " regex thanks to Jonathan Lanning
 2013-11-12 12:45:52 -08:00
Daniel Black 38503a5848 Merge pull request #434 from grooverdan/dos-resistant-dropbear 
ENH: DoS resistant dropbear filter
 2013-11-12 12:45:12 -08:00
Daniel Black 62b1f98dff Merge pull request #435 from grooverdan/dos-resistant-exim 
BF: exim filter to be DoS resistant
 2013-11-12 12:44:53 -08:00
Daniel Black be60518218 BF/ENH: DoS resistant roundcube-auth with test cases and more variation in IMAP error given 2013-11-12 18:57:01 +11:00
Daniel Black 52972164a2 BF: exim filter to be DoS resistant 2013-11-12 18:13:35 +11:00
Daniel Black c272573fe3 ENH: DoS resistant dropbear filter 2013-11-12 18:06:16 +11:00
Daniel Black eb9663eb4f BF/ENH: asterisk connection ID is a hex not decimal number. Add "Rejecting unknown SIP connection from <HOST>" regex thanks to Jonathan Lanning 2013-11-12 09:22:41 +11:00
Daniel Black 648d48c355 ENH: apache-2.4 message IDs for filter apache-noscript 2013-11-11 10:49:11 +11:00
Daniel Black a4718eb644 ENH: apache-overflow filter to have HTTP-2.4 message IDs and test samples 2013-11-11 10:38:02 +11:00
Daniel Black 87516eb92b ENH: apache-overflows - more detail on "request failed: URI too long (longer than %d)" with test case 2013-11-11 09:46:40 +11:00
Daniel Black c5021b55f6 Merge pull request #427 from yarikoptic/bf/nginx-regex-injection 
BF: anchor introduced nginx-http-auth at the end
 2013-11-08 17:23:03 -08:00
Yaroslav Halchenko ccd26578ec Merge pull request #425 from grooverdan/asterisk-simplify 
ENH: condense asterisk regexs for speed
 2013-11-08 14:42:35 -08:00
Yaroslav Halchenko ac061155f0 BF: anchor introduced nginx-http-auth at the end 
needed since request probably could be not a correct HTTP statement but continue with
all those to match till the end and then injected ", client: VICTIM, server..." thus allowing
injection.  We better anchor at the end then
 2013-11-08 14:40:52 -08:00
Yaroslav Halchenko ea8fce6308 Merge pull request #426 from yarikoptic/bf/openssh6.3-regex-injection 
openssh 6.3 regex injection vectors:  inject into ruser and/or exploiting pre-specified limits set for user provided data
 2013-11-08 14:35:18 -08:00
Yaroslav Halchenko bf245f9640 DOC: adding DEV Notes for for non-greedy matchin within sshd.conf 2013-11-08 14:34:31 -08:00
Daniel Black d6bbe03861 Merge pull request #424 from grooverdan/nginx-auth 
ENH: add filter.d/nginx-http-auth. Partially forfils #405
 2013-11-08 14:24:02 -08:00
Yaroslav Halchenko 750e0c1e3d BF: disallow exploiting of non-greedy .* in previous fix by providing too long rhost -- do not impose length limits for user-provided input 
since daemon might eventually change reported length and we would need to adjust anyways.  So limiting
in length does not provide additional security but allows for a possible injection vector
 2013-11-08 10:10:33 -08:00
Yaroslav Halchenko abb012ae5c BF: fixing injection for OpenSSH 6.3 -- making .* before <HOST> non-greedy 2013-11-08 10:00:37 -08:00
Daniel Black a8a1310098 ENH: sendmail-spam - loose regex on email and domain bits so more likely to match. Added dev notes and author attribution/blame 2013-11-08 10:54:10 +11:00
Daniel Black d7560d4041 ENH: condense asterisk regexs for speed 2013-11-08 10:24:50 +11:00
Daniel Black ab9d921162 BF: missed action in nginx-http-auth 2013-11-08 10:09:19 +11:00
Daniel Black a148d35d70 ENH: add filter.d/nginx-http-auth. Partially forfills #405 2013-11-08 10:06:40 +11:00
Yaroslav Halchenko 4522308354 ENH: regenerated config/filter.d/apache-badbots.conf 2013-11-07 14:26:18 -08:00
Daniel Black cb982ef921 ENH: multiline filter for sendmail-spam. Closes gh-418 2013-11-08 08:55:45 +11:00
Daniel Black 0730db9b2b Merge pull request #416 from grooverdan/debian-bug-665925-wuftpd-pam 
BF:  wuftpd pam filter fix (Debian bug 665925)
 2013-11-05 18:39:01 -08:00
Daniel Black e55b24c533 BF: fix dovecot filter for newer failure message. Closes Debian bug #709324 2013-11-06 12:51:21 +11:00
Daniel Black 8b54523316 BF: fix to filter.d/wuftp to support pam authentication - Debian bug #665925 2013-11-06 12:13:37 +11:00
Daniel Black ac1f45d18c Merge pull request #412 from grooverdan/firewalld 
ENH: enhance firewall-cmd to use firewall-0.8.3's --remove-rules
 2013-11-05 16:46:18 -08:00
Daniel Black 87f68d7564 firewalld-0.3.8 release that support --remove-rules out so documenting this. 2013-11-06 11:37:56 +11:00
Daniel Black ee1edfbf0c BF: remove duplication definition secion in webmin-auth 2013-11-04 17:54:36 +11:00
Daniel Black 60006bd70f BF: remove duplication definition secion in webmin-auth 2013-11-04 17:51:41 +11:00
Daniel Black 47d35c9d80 MRG: 0.8.11 to 0.9 
Epnoc of selinux is now true UTC

Merge multiline support and date detection in filter
 2013-11-02 15:59:05 +11:00
Daniel Black b5c10488c1 Merge pull request #409 from grooverdan/filter-doco 
DOC: in filters, put user relevant doc at top, and developer info at bot...
 2013-10-30 15:11:46 -07:00
Daniel Black 5eddd5d12d DOC: document required firewalld version as > 0.3.7.1 2013-10-31 09:10:59 +11:00
Daniel Black 27d257d5a6 Merge pull request #408 from grooverdan/dropbear 
BF: filter.d/dropbear
 2013-10-30 14:43:07 -07:00
Daniel Black 8ac6081555 ENH: fix to use upstream --remove-rules 
https://fedorahosted.org/firewalld/ticket/10
 2013-10-31 01:23:00 +11:00
Daniel Black 93de46ac72 BF: maxretry=5 for ssh as per DEVELOP. align = in jail.conf 2013-10-31 00:52:47 +11:00
Daniel Black c3f9c9aa60 BF: filter.d/dropbear 
Add PAM failures which is in dropbear-2013.60 in srv-authpam.c

Patch
http://www.unchartedbackwaters.co.uk/files/dropbear/dropbear-0.52.patch
obviously has exit with lower case e so adjust regex for both.

svr-authpasswd.c in 2013.60 (at bottom) for second regex ends after the
IP so the regex was altered.

.*\s* can be compressed to .*
 2013-10-31 00:21:30 +11:00
Daniel Black 89fd792dfb DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-31 00:02:59 +11:00
Daniel Black de9977441a DOC: move named and mysql instructions into the filters from jail.conf 2013-10-30 21:12:16 +11:00
Daniel Black 7ab909d056 DOC: space out jail.conf consistantly 2013-10-30 20:34:06 +11:00
Daniel Black 95f3f38682 MRG: merge ChangeLog and jail.conf 2013-10-30 20:19:41 +11:00
Daniel Black e3150044fd BF: fix selinux 
TST: ignore *common.conf files in test cases as these are included
BF: Remove USER_LOGIN from selinux-ssh as its a duplicate message
ENH: add sample jail.conf
 2013-10-30 20:05:49 +11:00
Daniel Black 0f85aef609 Merge pull request #407 from grooverdan/dovecot-jail 
ENH: Dovecot jail
 2013-10-29 15:15:19 -07:00
Daniel Black a991adb83f ENH: add submission, smtps and sieve to blocked ports since this also typically rely on dovecot auth 2013-10-29 14:33:45 +11:00
Daniel Black 8412303131 ENH: dovecot jail examples 2013-10-29 10:17:45 +11:00
Daniel Black cde389cadc ENH: additional tweek to dovecot regex based on http://chrisgilligan.com/portfolio/fail2ban-regex/ 2013-10-29 10:15:54 +11:00
Daniel Black 0c14707201 ENH: add dovecot jail 2013-10-26 10:01:04 +11:00
Daniel Black d451c2a231 FIX: vsftp improvements from Rich Mellor on mailing list 2013-10-26 09:51:25 +11:00
Daniel Black b61fe0f12d Merge pull request #378 from grooverdan/sasl 
ENH: filter.d/postfix-sasl - anchor regex at start and rename from filter.d/sasl
 2013-10-22 04:51:24 -07:00
Daniel Black 4ecc063bd0 ENH: rename filter.d/sasl -> filter.d/postfix-sasl 2013-10-22 22:40:29 +11:00
Daniel Black c2b76d1fd0 Merge pull request #397 from yarikoptic/_enh/unify_default_strings 
DOC: enh/unify "Default:" strings
 2013-10-22 04:36:41 -07:00
Daniel Black b4cbf82912 DOC: remove Default: on action firewall-cmd-direct-new 2013-10-15 08:34:42 +11:00
Yaroslav Halchenko 4149c7495d Options in actions to be specified in jails have no "Default"s besides those specified in the files -- thus removing from comments 2013-10-14 16:29:16 -04:00
Yaroslav Halchenko d12eb2526a Fixing up default values in fail2ban.conf + unifying formatting 2013-10-14 16:28:19 -04:00
Daniel Black f1bb08aa6a ENH: base blocktype off iptables-blocktype.conf for firewall-cmd-direct-new.conf like other iptables based actions 2013-10-14 23:06:38 +11:00
Daniel Black 12f7ea7ec4 DOC: remove excessive comments from firewall-cmd-direct-new 2013-10-14 22:39:38 +11:00
Daniel Black 0d8d1ae26c ENH: new action.d/firewall-cmd-direct-new.conf from Redhat Bugzilla #979622 2013-10-14 22:36:01 +11:00
Daniel Black 123ad1cc9c MRG: Merge branch 'asterisk-common-jail' 2013-10-14 22:29:56 +11:00
Daniel Black 8421007f32 MRG: merge man/jail.conf.5 entries 2013-10-14 22:28:34 +11:00
Daniel Black ef62d0d4c1 Merge pull request #391 from grooverdan/jail-mysql-doc 
ENH: mysql syslog jail.conf base
 2013-10-14 04:25:49 -07:00
Daniel Black e417a2112c Merge pull request #386 from grooverdan/qmail 
ENH: filter.d/qmail - anchor at start. Add another regex
 2013-10-14 04:24:32 -07:00
Daniel Black e227568c3b Merge pull request #384 from grooverdan/dovecot-325 
ENH: added to dovecot filter. closes gh-325
 2013-10-14 04:23:03 -07:00
Daniel Black 0022cca786 Merge pull request #385 from grooverdan/ipset 
ENH/BF: Ipset  - add iptables-ipset-proto6-allports / use blocktype on iptables-ipset-proto6*
 2013-10-14 04:21:52 -07:00
Daniel Black 8fe542ca9f DOC: reintroduce comment on comments 2013-10-11 06:48:31 +11:00
Daniel Black 6b6169178f ENH: mysql syslog jail.conf base 2013-10-10 10:00:20 +11:00
Daniel Black ee58696531 DOC: try to encourage jail.local jail.d/*.local a lot more 2013-10-10 09:56:52 +11:00
Daniel Black 6ef33981e3 ENH: new asterisk jail to replace asterisk-(tcp|udp) (now that gh-37 is fixed) 2013-10-10 09:41:05 +11:00
Daniel Black 6b519d54db ENH: filter.d/recidive - replace ignore regex with a negative lookahead assertion 2013-10-10 07:13:37 +11:00
Daniel Black 351eb5ec8f ENH: filter.d/qmail - anchor at start. Add another regex for http://www.tjsi.com/rblsmtpd/faq/ patch to rblsmtpd 2013-10-09 16:44:48 +11:00
Daniel Black eb59a57b7f ENH: tighten pam_unix expression for dovecot 2013-10-09 14:54:36 +11:00
Daniel Black 864d2f41b9 ENH: auth-worker as per of _daemon definition for dovecot 2013-10-09 14:52:17 +11:00
Daniel Black 2d1bd54439 Merge pull request #379 from grooverdan/webmin 
ENH: filter.d/webmin anchor at start and use syslog
 2013-10-08 20:13:14 -07:00
Yaroslav Halchenko 500968874e Merge pull request #381 from grooverdan/suhosin 
ENH: filter.d/suhosin - anchor regex at start
 2013-10-08 19:49:51 -07:00
Yaroslav Halchenko a7b1b802e0 Merge pull request #382 from grooverdan/vsftpd 
Vsftpd
 2013-10-08 19:47:38 -07:00
Yaroslav Halchenko f0b91fcede Merge pull request #380 from grooverdan/sogo 
ENH: filter.d/sogo-auth - anchor regex at start
 2013-10-08 19:41:55 -07:00
Daniel Black df313649a4 ENH: escape . in recidive filter 2013-10-09 12:32:06 +11:00
Daniel Black 1a5e17f2a3 BF: use blocktype for iptables-ipset-proto6* 2013-10-09 11:59:16 +11:00
Daniel Black dcb845f17c ENH: add iptables-ipset-proto6-allports for blocking all ports 2013-10-09 11:57:35 +11:00
Daniel Black 2a1d629d88 BF: webmin -> webmin-auth 2013-10-09 11:08:44 +11:00
Daniel Black ab457acc4d BF: fix name in action for uwimap-auth 2013-10-09 11:06:38 +11:00
Daniel Black 0beea03914 ENH: jail.conf example for webmin 2013-10-09 11:05:50 +11:00
Daniel Black d60f470096 ENH: added to dovecot filter. closes gh-325 2013-10-09 10:09:06 +11:00
Daniel Black 5a2623f0df ENH: reorder osx-ipfw jail defination to near the other ssh examples 2013-10-09 09:26:36 +11:00
Daniel Black 359210f224 ENH: filter.d/squirrelmail added 2013-10-08 20:37:33 +11:00
Daniel Black 46386412a4 ENH: filter.d/vsftpd - pam regex as syslog and anchored at start 2013-10-05 20:02:40 +10:00
Daniel Black 1519712972 ENH: filter.d/vsftpd anchor internal regex at start 2013-10-05 20:02:21 +10:00
Daniel Black 9637c27873 ENH: filter.d/suhosin - anchor regex at start 2013-10-05 19:39:39 +10:00
Daniel Black 13bcc9aa84 ENH: filter.d/sogo-auth - anchor regex at start 2013-10-05 19:27:07 +10:00
Daniel Black b64bf3fa7b ENH: filter.d/webmin anchor at start and use syslog 2013-10-05 19:18:44 +10:00
Daniel Black f4c7c8f4b3 ENH: sasl - anchor regex at start 2013-10-05 18:59:41 +10:00
Daniel Black 23dd734aa9 Merge pull request #366 from grooverdan/dovecot 
ENH: dovecot regex to match failure reported by Bob Cohen on mailing lis...
 2013-10-01 15:50:39 -07:00
Daniel Black f998e01590 Merge pull request #359 from grooverdan/pureftpd 
ENH: Pureftpd syslog prefixing and filter achoring
 2013-10-01 15:14:33 -07:00
Daniel Black ba8183b116 Merge pull request #372 from grooverdan/uw-imap 
ENH: filter.d/uwimap-auth added. Closes #18
 2013-10-01 15:13:11 -07:00
Daniel Black 262616f7a7 ENH: filter.d/uwimap-auth - failure of an admin override to regex 2013-10-01 22:32:57 +10:00
Daniel Black 9211179d30 ENH: filter.d/uwimap-auth - add "disabled" to regex 2013-10-01 22:10:33 +10:00
Daniel Black 4649cf9608 ENH: separate selinux and selinux-ssh 2013-10-01 20:21:45 +10:00
Daniel Black 791183b639 ENH: filter.d/uwimap-auth - add SYSTEM BREAK-IN ATTEMPT 2013-10-01 10:10:53 +10:00
Daniel Black a1eaa5f755 ENH: filter.d/selinxu added. Closes #296 2013-10-01 09:59:15 +10:00
Daniel Black 778f09debe DOC/ENH: __md5hex regex defination to common.conf. Document debian bug # 2013-10-01 09:03:33 +10:00
Daniel Black b3b62d65bf ENH: filter.d/uwimap-auth added. Closes #18 2013-09-29 18:06:27 +10:00
Daniel Black f2ae20a3b8 BF: filter.d/sshd group on md5hex and () for serial needed to be escaped 2013-09-29 17:44:45 +10:00
Daniel Black 1eeb6e94bd BF: fix regex for openssh-6.3 2013-09-29 17:28:33 +10:00
Daniel Black e12d389c65 MRG/DOC: jail.conf resolution, ChangeLog fixes 2013-09-29 08:21:13 +10:00
Daniel Black 74434694dc BF: more duplicate jail.conf entries - 3proxy exim{,-spam}, perdition 2013-09-28 21:38:15 +10:00
Daniel Black 5cf25a63df BF: remove duplicate ssh-pf in jail.conf 2013-09-28 21:31:45 +10:00
Mark McKinstry b6bf26c9f2 dont' need to set a default name 2013-09-25 18:37:22 -04:00
Mark McKinstry 4187e87b69 don't enabel ssh-apf jail by default 2013-09-25 18:35:09 -04:00
Mark McKinstry f9f4d2728f add an example jail for apf action and ssh filter 2013-09-25 17:59:37 -04:00
Mark McKinstry 2668adc896 Merge branch 'master' of github.com:fail2ban/fail2ban 2013-09-25 17:54:38 -04:00
Mark McKinstry 1af4543aca ability to name the jail that banned the IP with apf 2013-09-25 17:52:34 -04:00
Mark McKinstry dd9ee4c39a quotes around the comment put in apf's deny_hosts.rules file 2013-09-25 17:51:25 -04:00
Mark McKinstry e64493c328 use human readable/longer options when banning and un-banning IPs with apf 2013-09-25 16:44:10 -04:00
Mark McKinstry c692912a82 don't hardcode absolute path for apf firewall 2013-09-25 16:38:45 -04:00
Mark McKinstry 66aff43d68 remove un-needed '$' line 2013-09-25 16:37:58 -04:00
Daniel Black 9805d39b60 MRG: merge date changes to support timezones 2013-09-20 18:22:32 +10:00
Daniel Black 8c2a5612ed DOC: resolve ChangeLog conflicts 2013-09-19 19:38:28 +10:00
Daniel Black 2a805452c6 DOC: resolve ChangeLog conflicts 2013-09-19 19:28:39 +10:00
Daniel Black 8e9fab9b3c Merge branch 'master' of https://github.com/fail2ban/fail2ban 2013-09-19 19:25:47 +10:00
Daniel Black 3be7dcd701 DOC: resolve ChangeLog conflicts 2013-09-19 19:23:02 +10:00
Daniel Black 89e0520675 ENH: dovecot regex to match failure reported by Bob Cohen on mailing list 2013-09-19 08:25:50 +10:00
Daniel Black c3ee03b9ba BF: fix daemon name typo for filter proftpd 2013-09-18 07:32:26 +10:00
Daniel Black 39ca8837eb TST: pureftpd - syslog therefore use syslog prefixes in filter 2013-09-17 22:24:56 +10:00
Daniel Black 30bb1a77a3 ENH: added syslog prefix to pam-generic filter. Disable regex match for pre 2006 (< 0.99.2.0) versions on linux-pam 2013-09-17 10:50:46 +10:00
Daniel Black ee497ff1cb ENH: filter mysqld-auth can be a is a syslog based service so anchor it using syslog prefix 2013-09-17 07:57:19 +10:00
Daniel Black 13ec9d58c0 ENH: filter gssftpd is a syslog based service so anchor it using syslog prefix 2013-09-17 07:25:23 +10:00
Daniel Black 673cc4d77f ENH: anchor at end of recidive filter 2013-09-16 18:43:56 +10:00
Daniel Black 504111b0b1 ENH: filter.d/recidive - anchor regex at start and support f2b SYSLOG target 2013-09-16 01:22:42 +10:00
Beau Raines 060bd45295 ENH - Added server name to subject line in email notifications 
This is useful when fail2ban is running on multiple servers and
keeping the notifictions separate and knowing which machine is "under
attack".
 2013-09-08 15:21:58 -07:00
Daniel Black 8c1b828423 BF: capture of microseconds no longer needed. Closes gh-341 2013-09-09 03:41:12 +10:00
Daniel Black d0098b0213 ENH: add timezone offest and subsecond support to Datedetector 2013-09-09 03:37:59 +10:00
Daniel Black 1f1a56174f MRG: merge from master 2013-09-08 21:02:35 +10:00
Daniel Black ad291d7e38 Merge pull request #346 from grooverdan/bsd-ipfw-default-unreach-port 
BF: action.d/bsd-ipfw - use blocktype instead of unused action for icmp ...
 2013-09-04 16:18:19 -07:00
Daniel Black e5f1a7f050 Merge pull request #344 from grooverdan/osx 
ENH: OSX ipfw based on Andy Fragen's work
 2013-09-04 16:16:16 -07:00
Daniel Black 4face1f3e7 MRG: resolve conficts in action.d/osx-ipfw design 2013-09-05 09:07:10 +10:00
Andy Fragen d258a51a23 after some research it looks like setting to unreachable better than deny 2013-09-04 11:28:03 -07:00
Andy Fragen fe557e5900 more specific actionunban 2013-09-01 13:09:51 -07:00
Andy Fragen a4884f82cd add mods from grooverdan and fix actionunban 
actionunban still not working in grooverdan's mod. I made this one grep both <ip> and <port>. It should be more specific if the same <ip> is banned on multiple ports.
 2013-08-31 08:39:19 -07:00
Daniel Black 6b0e2289d4 Merge pull request #335 from grooverdan/gh-333-bind 
ENH: filter.d/named-refused.conf - BIND 9.9.3 regex changes. Closes gh-333
 2013-08-30 21:34:22 -07:00
Daniel Black f2bcf84893 BF: action.d/bsd-ipfw - use blocktype instead of unused action for icmp rejecting blocked packets 2013-08-31 11:40:04 +10:00
Daniel Black 749f215089 ENH: port optional 2013-08-31 11:07:15 +10:00
Daniel Black 8b22fa15b5 BF: reverted to simplier random rulenum. If your machine is handling 1000s of block the addition complexity isnt what you want 2013-08-31 11:03:01 +10:00
Daniel Black b31799a322 ENH: add action.d/osx-afctl anonymously contributed on f2b wiki 2013-08-31 10:51:04 +10:00
Daniel Black 808aa1a792 ENH: added jail.conf example. closes gh-340 2013-08-31 09:39:21 +10:00
Daniel Black 5741348f45 ENH: more options and ruggedness to prevent unintensional consequences 2013-08-31 09:38:18 +10:00
Daniel Black 52bd0f86a8 Merge branch 'osx-ipfw' of https://github.com/afragen/fail2ban into osx 2013-08-31 09:09:04 +10:00
Daniel Black 7cc3e8a8c0 BF: Invert expression on actionstop in bsd-ipfw.conf to ensure exit status 0 on success. Closes gh-343 2013-08-31 08:59:02 +10:00
Daniel Black 15f2f38972 ENH: anchor regex at start 2013-08-28 12:32:40 +10:00
Daniel Black d5684a0834 BF: filter.d/routecube-auth - time offset can be positive or negative 2013-08-28 11:57:38 +10:00
Daniel Black a401d11644 ENH: add regex for bad zone transfer request/ TST: add test for bind-9.9 zone transfer denied 2013-08-28 00:53:08 +10:00
Andy Fragen ef504c869f added osx specific ipfw action with random rulenum 2013-08-26 16:06:23 -07:00
Yaroslav Halchenko 265a85ec1f RF: do not catch for now "invalid nonce \S* received - hash is not \S*" -- imho needs more analysis 2013-08-26 09:48:56 -04:00
Daniel Black b8e7d0b867 ENH: further tighten lighttpd basic auth regex 2013-08-26 08:51:40 +10:00
Daniel Black a7ebb84a7d ENH: tighted up lighttpd regex 2013-08-26 08:42:45 +10:00