d8d71c5a22
action.d/helpers-common.conf: grep arguments are rewritten - using options `-wF` to match only whole words and fixed string (not as pattern)
2019-05-10 16:17:13 +02:00
fa727586ff
Fix grep pattern to deal with Apache's error log
...
Apache's error log appends the port to the IP address, other logs don't.
2019-05-10 16:04:27 +02:00
23d2281e57
action.d/nginx-block-map.conf: small fix with better RE-rule for removal of ID (token/session) via sed (anchored now)
2019-05-02 15:22:45 +02:00
b318eb7e33
closes gh-2408: prevent execution of action `abuseipdb` for restored tickets
2019-04-29 10:45:37 +02:00
422a2de7fe
updated
2019-04-24 21:35:19 +02:00
a581bf3f08
Fixed filter for Apache mod_security
2019-04-24 21:35:17 +02:00
5d6a84ba78
Updated to correct logging option
2019-04-24 21:35:15 +02:00
25f1aa334e
fail2ban.conf: move default settings into DEFAULT section (to be more similar to jail.conf, Definition section overwrites the options, so it is backwards compatible)
2019-04-18 20:53:11 +02:00
0386df0042
introduced new options: `dbmaxmatches` (fail2ban.conf) and `maxmatches` (jail.conf);
...
setting `maxmatches` and `dbmaxmatches` to 0 saves memory usage and database size (closes gh-2118).
2019-04-18 20:31:39 +02:00
28c1da33dc
Merge pull request #2387 from sebres/logtype-option-journal
...
New backend-related option `logtype` (`journal` or `file`)
2019-04-18 13:27:42 +02:00
6c7093c66d
minor amend, refolding branches (SP|SA -> S[PA])
2019-04-04 02:28:50 +02:00
ffd5d0db78
Update sendmail-reject.conf
...
On some distros (e.g., CentOS 7), sendmail default config labels port 465 as TLSMTA and port 587 as MSA. Update failregex to reflect. Relevant loglines included in 9e1fa4ff73
2019-03-29 17:39:27 -06:00
ced9828d04
filter.d/sendmail-reject.conf: fixed gh-2385 for some systems (e. g. CentOS): if only identifier set to `sm-mta` (no unit `sendmail`) for some messages.
2019-03-29 14:24:06 +01:00
ec681a3363
backend `systemd` sets `logtype` to `journal` automatically;
...
sshd-journal: new test covering sshd journal logging format (matches short prefix-line simulating output of formatJournalEntry);
samplestestcase-factory extended with new option `fileOptions` to set common filter/test options for whole test-file
2019-03-29 14:24:00 +01:00
e268bf97d4
introduces new configuration parameter "logtype" (default "file" for file-backends, and "journal" for journal-backends);
...
common.conf: differentiate "__prefix_line" for file/journal logtype's (speedup and fix parsing of systemd-journal);
samplestestcase.py: extends testSampleRegexsFactory to allow coverage of journal logtype;
closes gh-2383: asterisk can log timestamp if logs into systemd-journal (regex extended with optional part matching this)
2019-03-29 14:23:57 +01:00
e8401a7e65
action.d/xarf-login-attack.conf: fixes gh-2372, correction for split of addresses, interpolation is shell-independent now, etc;
...
extended with option `boundary`, additionally dynamic boundary part is used (is not so predictable as it was previously);
2019-03-16 00:05:06 +01:00
741cf8fb0e
Merge branch 'master-0.9' into 0.10
2019-03-12 16:58:08 +01:00
1a9527e6a4
fixed catch-all on user (and simplifying)
2019-03-12 16:53:36 +01:00
a7f3ba87f6
filter.d/sogo-auth.conf: fixes gh-2289 - matching auth-failures when behind a proxy;
...
(broken by commit 72b06479a5
2019-03-12 16:50:04 +01:00
3c70fe298a
closes gh-969: introduces new section `[Thread]` and option `stacksize` to configure default stack-size of the threads running in fail2ban. Example:
...
```ini
[Thread]
stacksize = 32
```
2019-02-24 16:45:14 +01:00
5126068099
loglevel and shortloglevel combined to single parameter loglevel, below an example logging summary with NOTICE and rest with DEBUG log-levels:
...
action = badips.py[... , loglevel="debug, notice"]
2019-02-22 14:05:19 +01:00
689938ee99
Add a shortloglevel badips.py option
2019-02-22 13:32:46 +01:00
140243328f
coverage: try to avoid sporadic "coverage decreased" in CI
2019-02-22 13:20:40 +01:00
d3f6d6ffdd
Merge pull request #2286 from crazy-max/0.10
...
New filter `traefik-auth`
2019-02-21 22:27:04 +01:00
dcede9b3f1
comment rewritten (belongs to the filter)
2019-02-21 22:26:28 +01:00
d84fb8a4b1
regex rewritten (more secure now, resolves catch-all vulni)
2019-02-21 22:19:04 +01:00
9ed35c423a
Merge branch '0.9' into 0.10 (gh-2317)
2019-02-21 20:13:54 +01:00
e651bc7866
amend to #1622 : jail-reader supports now multi-line option for multi-line action parameter:
...
logpath = a.log
b.log
c.log
action = ban[...]
= log[logpath="%(logpath)s"]
closes gh-2341, ultimate fix for gh-976
2019-02-11 11:54:58 +01:00
a13fdcf4f7
closes gh-2314: extended regex for mysql 8.0.13 if used logging with details (e. g. log-error-verbosity = 3, so log output has few additional words enclosed in brackets after "[Note]").
2019-01-07 01:34:12 +01:00
6b4404b1bc
Fix asterisk filter not catching attackers when port is logged ( Fixes #2316 )
2019-01-03 23:55:42 +01:00
7cdabdd7ae
Update traefik-auth failregex
2018-12-14 19:06:09 +01:00
a51f82770b
New filter `traefik-auth`
2018-11-24 22:44:44 +01:00
555b29e8e6
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2018-11-21 13:05:42 +01:00
1c1d2cc435
introduces new failregex-flag tag `<F-MLFGAINED>` signaled that the access to service was gained (ATM used similar to <F-NOFAIL>, but does not added to matches);
...
filter.d/sshd.conf: extended with new rules:
- Disconnecting ...: Change of username or service not allowed
- Disconnected from ... [preauth] (extra/aggressive mode only)
2018-11-19 21:19:57 +01:00
0df221b54b
"be" instead of "me" in shorewall.conf
2018-11-15 14:34:51 -05:00
1752c19b6f
Merge pull request #2205 from benrubson/patch-1
...
Add loglevel option to badips.py
2018-10-02 13:12:03 +02:00
65676baf8c
fixed py3 incompatibility (for some reasons this file seems to be excluded from 2to3), anyway not needed, because int-type is already checked in str2LogLevel
2018-10-02 13:00:20 +02:00
4b751c84c3
badips.py: Rewrite new bool option "log" as "loglevel" and revert default to log-level (DEBUG).
2018-10-02 12:32:15 +02:00
58b510a5be
filter.d/domino-smtp.conf:
...
- recognizes failures logged using another format (something like session-id, IP enclosed in square brackets);
- failregex extended to catch connections rejected for policy reasons (gh-2228);
2018-09-21 14:14:00 +02:00
d01fe9d22a
action.d/*.conf: correct comments for actionstart/actionstop
2018-09-12 16:01:57 +02:00
9d7c0e00c1
Also log number of IPs removed/added
2018-09-08 09:28:42 +02:00
70e53b55c5
Typo
2018-08-19 22:39:18 +02:00
ec4c4b12c1
Add yes/no log option to badips.py
2018-08-19 22:35:09 +02:00
ee207d8c31
Merge pull request #2151 from benrubson/merge
...
Apache SNI error / misredirect attempts rules are combined in one regex
2018-08-14 14:56:49 +02:00
77b35b8db7
Improvement
2018-08-14 14:07:32 +02:00
e2a255d104
fixed typo in comments by "ignoreself" parameter
2018-08-14 11:11:19 +02:00
e995d5a0b6
filter.d/freeswitch.conf: provide mode parameter, allows to avoid matching of messages like `auth challenge (REGISTER)` (see gh-2163) (currently `extra` as default to be backwards-compatible), see comments in filter how to set it to mode `normal`.
2018-08-03 11:42:15 +02:00
bc2dbacc9a
filter.d/freeswitch.conf: provide compatibility for log-format from gh-2193:
...
- extended with new default date-pattern `^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)?` to cover
`YYYY-mm-dd HH:MM::SS.ms` as well as `mm-dd HH:MM::SS.ms` (so year is optional);
- more optional arguments in log-line (so accept [WARN] as well as [WARNING] and optional [SOFIA] hereafter);
2018-08-03 11:22:30 +02:00
22d37cdce2
sshd: fixed failregex for ddos (resp. aggressive) mode, to cover "authenticating user" case in log-message:
...
Connection closed by authenticating user root 192.0.2.10 ... [preauth]
tests extended (also with few injection tries).
closes gh-2185.
2018-07-18 15:31:04 +02:00
8fe07e29ad
filter.d/dovecot.conf: failregex enhancement to catch disconnected with "proxy dest auth failed";
...
closes gh-2184
2018-07-17 15:06:42 +02:00
sebres