Add PAM failures which is in dropbear-2013.60 in srv-authpam.c
Patch
http://www.unchartedbackwaters.co.uk/files/dropbear/dropbear-0.52.patch
obviously has exit with lower case e so adjust regex for both.
svr-authpasswd.c in 2013.60 (at bottom) for second regex ends after the
IP so the regex was altered.
.*\s* can be compressed to .*
TST: ignore *common.conf files in test cases as these are included
BF: Remove USER_LOGIN from selinux-ssh as its a duplicate message
ENH: add sample jail.conf
actionunban still not working in grooverdan's mod. I made this one grep both <ip> and <port>. It should be more specific if the same <ip> is banned on multiple ports.
suhosin is hardened php implmentation, which will log the alerts (as
seen in samples) to stderr, which is picked up by fastcgi webserver
(e.g. lighttpd, apache, nginx)
I also used non-greedy .*? for the login portion since not sure if space could
be there and trying to minimize possibility of reacting on injected "from
<HOST>" somewhere within the trailing .*
* 'dovecot' of https://github.com/grooverdan/fail2ban:
ENH: remove non-capturing groups for readibility
BF: fix dovecot filter for when no TLS is enabled on pop/imap
Conflicts:
ChangeLog -- changelog entries. Also untabified few other spots
* commit '0.8.10-31-g1ab0f0f': (24 commits)
BF/ENH: Incorrect authentication data doesn't need tailier so that's optional. Also gained log entry for Unrouteable address
ENH: readibility thanks to Yaroslav
DOC: Changelog for fail2ban-regex RF
DOC: Changelog for asterisk hardening
ENH: fail2ban-regex -- add specification of loglevels to enable
RF: reworked -regex cmdline tool to use optparse, some unification and enhancement of outputs
ENH: 'heavydebug' level == 5 for even more debugging in tricky cases
ENH: asterisk -- use \S instead of [^:] + prefix failregex with ^\[
BF: missed a space
BF: [SSL-out] is optional in assp
ENH: regex hardening on assp
ENH: anchor a bit mor. Use \d and \w where possible. Escape a literal .
TST: attempts at injection with username=rhost=1.2.3.4 have no user= logged in dovecot-1.2.15
ENH: proftpd chan accept usernames with spaces
ENH: injection of fail data into USER field
ENH: dovecot regexs rewritten and extra failures
ENH: proftp regex hardening and log messages
ENH/BF: exim improvements with sample
BF: fix to proxy port in 3proxy example
ENH: sample log + more specific regex
...
Conflicts: -- it was a messy merge/resolution.
ChangeLog
bin/fail2ban-regex
fail2ban-testcases
fail2ban/server/filter.py
* '3proxy' of https://github.com/grooverdan/fail2ban:
BF: fix to proxy port in 3proxy example
ENH: sample log + more specific regex
BF: authentication errors end in 01-09 but the beginning part indicates the service as per https://github.com/fail2ban/fail2ban/issues/246#issuecomment-19327955 thanks to ykimon
BF: need to anchor the start to avoid another repeat of DoS injection like Apache
ENH: stricter regex thanks to Steven Hiscocks (kwirk)
DOC: credits
Conflicts:
ChangeLog
* 'exim' of https://github.com/grooverdan/fail2ban:
BF/ENH: Incorrect authentication data doesn't need tailier so that's optional. Also gained log entry for Unrouteable address
ENH: readibility thanks to Yaroslav
ENH/BF: exim improvements with sample
Conflicts:
ChangeLog
* 'proftpd' of https://github.com/grooverdan/fail2ban:
ENH: proftpd chan accept usernames with spaces
ENH: injection of fail data into USER field
ENH: proftp regex hardening and log messages
Conflicts:
ChangeLog
* 'dovecot' of https://github.com/grooverdan/fail2ban:
TST: attempts at injection with username=rhost=1.2.3.4 have no user= logged in dovecot-1.2.15
ENH: dovecot regexs rewritten and extra failures
Conflicts:
ChangeLog -- merged entries
* 'assp' of https://github.com/grooverdan/fail2ban:
BF: missed a space
BF: [SSL-out] is optional in assp
ENH: regex hardening on assp
Conflicts:
ChangeLog -- merged the two entries into 1
* commit '0.8.10-1-g460e09a':
it was not the end of the world and we should continue
DOC: add information on where to report vulnerabilities + pointer to HOWTO_Seek_Help
Changes for 0.8.10 release (changelog, version, etc)
BF: anchor apache- filters. Close#248
DOC: credits for gh-244
Filter Asterisk: Add sample log entry to testcase.
Filter Asterisk: Add AUTH_UNKNOWN_DOMAIN error to list
ENH: purge a few more .*
DOC: credits
DOC: how to do filter enhancements
TST: normalize logs to use example.com and 1.2.3.4 as IP
ENH/BF: constrain regex. Fix ACL error regex
ENH: port optional
Update asterisk
Update asterisk.conf
Conflicts:
ChangeLog
DEVELOP
README.md
fail2ban/version.py
* commit '0.8.9-13-g39d32e0':
Changelog for previous PR
DOC: Changelog entry fro preceeding merge from Terence
TST: Fix fail2ban.conf reader test for unreliable dictionary order
failregex when roundcube log driver is set to 'syslog'
fixed failregex line for roundcube 0.9+
TST: test all stock jails to have actions and correctly specifying blocktype
CFG: assure actions for all the jails
BF: blocktype must be defined within [Init] -- adding [Init] section. Close#232
ENH: since it seems the default is to use file based logging, $syslog is in Should-{Start|Stop} like Debian https://github.com/fail2ban/fail2ban/blob/debian/debian/fail2ban.init
ENH: opensuse script from opensuse: https://build.opensuse.org/package/view_file?expand=1&file=fail2ban.init&package=fail2ban&project=openSUSE%3AFactory
Conflicts:
ChangeLog
config/jail.conf
testcases/clientreadertestcase.py -- had to "git show XXX | patch -p2" under tests/ 2 commits: 8a57ffd7a4db4b
# Only works only if log driver: is set to 'syslog'. this is becoz fail2ban fails to 'read' the line due to the
brackets around the date timestamp on logline when log driver is set to file
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEABECAAYFAlGRBZ8ACgkQjRFFY3XAJMhqzwCgvUsrv6cSjo1d8YCQUA8Na0Kk
44QAoKk7X2sqFM+wvj2vK3stsHa/80qm
=iBfR
-----END PGP SIGNATURE-----
Merge tag '0.8.9' into 0.9 (quite a bit of conflicts "resolved")
Release 0.8.9
* tag '0.8.9':
BF: add missing files to MANIFEST (I think we shoult not rely on sdist anyways -- 'git tag' tarballs are more thorough ;) )
All the (version) updates for the release of 0.8.9
BF: (travis) relax the test for needed to be presented installed directories -- allow new
BF: (travis) if tests ran under coverage -- there is a traceback parts to report (thus > would be present)
ENH: also print the failing traceback line in case of failure
ENH: include explicit list of new files which should not be there upon "install --root"
ENH: now we know that logging handlers closing was still buggy in 2.6.2
ENH: issue a warning if jail name is longer than 19 symbols (Close#222)
DOC: inline commends with ';' are in effect only if ';' follows as space
BF: Fix for filterpoll incorrectly checking for jailless state
ENH: strengthen detection of working pyinotify
ENH: use the same python executable for setup.py test
ENH: actually tune up TraceBack to determine "unittest" portions of the stack across all python releases
TST: Some primarily smoke tests for tests utils
TST: cover few more lines in fail2banreader.py
ENH: basic test for setup.py itself (when applicable, should greatly improve coverage ;) )
ENH: consistent operation of formatExceptionInfo + unittest for it
ENH: point to the status of master branch on travis
Conflicts:
ChangeLog
MANIFEST
README.md
fail2ban/version.py -- all of the above obvious version changes
below files primarily needed just a bit of help in resolution
config/jail.conf
fail2ban/server/filterpoll.py
fail2ban/server/server.py
fail2ban/tests/servertestcase.py
and following were more difficult -- git wasn't able to track renames/moves of the code
fail2ban-testcases -- needed to introduce those changes to tests/utils.py
testcases/clientreadertestcase.py -- manually applied patch from master
testcases/utils.py -- manually applied patch from master
* master: (51 commits)
ENH: Use real (resolving) example.com instead of test.example.com
DOC: Slight tune ups to ChangeLog -- we must release!
Changelog entries for the latest merges
BF: add bash-completion to MANIFEST
DOC: ChangeLog for default action type change
ENH: consolidate where blocktype is defined for iptables rules
BF: default type to unreachable
ENH: separate out regex and escape a .
ENH: logs/sshd -- have ":" after [daemon] (other uses are uncommon)
ENH: logs/sshd -- use example.com as the resolved hostname in sample log lines
ENH: filter.d/sshd.conf -- allow for trailing "via IP" in logs
DOC: Drop sudo from bash-completion
DOC: Added bash-completion script
ENH: add blocktype to all relevant actions. Also default the rejection to a ICMP reject rather than a drop
ENH: Removed unused log line
ENH: logrotate file
BF: missed MANIFEST include
BF: missed MANIFEST include
BF: missed MANIFEST include
ENH: some form of logrotate based on what distros are doing
...
Conflicts:
ChangeLog
MANIFEST
client/actionreader.py
config/jail.conf
fail2ban/server/datedetector.py
fail2ban/tests/datedetectortestcase.py
* 'bsd_logs' of https://github.com/grooverdan/fail2ban:
ENH: separate out regex and escape a .
BF: missed MANIFEST include
DOC: credits for bsd log
DOC: bsd syslog files thanks to Nick Hilliard
BF: change common.conf to handle formats of syslog -v and syslog -vv in BSD
Conflicts:
config/filter.d/common.conf
Origin: from https://github.com/jamesstout/fail2ban
* 'OpenSolaris' of https://github.com/jamesstout/fail2ban:
ENH: Removed unused log line
BF: fail2ban.local needs section headers
ENH: Use .local config files for logtarget and jail
ENH+TST: ssh failure messages for OpenSolaris and OS X
ENH: fail message matching for OpenSolaris and OS X
ENH: extra daemon info regex
ENH: actionunban back to a sed command
Readme for config on Solaris
create socket/pid dir if needed
Extra patterns for Solaris
change sed to perl for Solaris
Conflicts:
config/filter.d/sshd.conf
Origin: https://github.com/lenrico/fail2ban
Squashing was done via rebase -i 1524b076d6
to eliminate massive assp sample log file originally added
fixed test date thx to steven
tight control of the filter for ASSP
as yaroslav wishes
as daniel desires
changed from DateASSPlike class to DateStrptime
fixed little things
added new date format support for ASSP SMTP Proxy
* master:
ENH: "is None" instead of "== None" + tune ups in headers
BF: log error only if there were missed config files that couldn't be read
DOC: missing cinfo tags are ok. Log error for self referencing definitions
DOC: s/defination/definition/g learn to spell
Changelog entry for the previous commit and some untabify
BF: pyinotify backend should also handle IN_MOVED_TO events
ENH: remove stats of config files and use results of SafeConfigParserWithIncludes.read to facilitate meaningful error messages
DOC: credits for gh-70 fix
BF: ensure dates in email are in the C locale. Thanks iGeorgeX
DOC: ChangeLog for recursive tag substition
ENH: allow recursive tag substitution in action files.
DOC: document <br> tag
DOC: ChangeLog for named-refused entry
ENH: Account for views in named filter. By Romain Riviere in gentoo bug #259458
DOC: release documentation and distributor contacts
DOC: changelog entry for enhanced ssh filter
BF: Rename mentioning of README to README.md (Fixes#187)
updated README.md to hyperlink, add travis and coversall
Moving README into a markup README.md for github's goodnesses
Conflicts:
DEVELOP
README.md
fail2ban/client/configreader.py
fail2ban/server/datedetector.py
- OpenSolaris keyboard message matched by new regex 3
- Removed Bye Bye regex per
https://github.com/fail2ban/fail2ban/issues/175#issuecomment-16538036
- PAM auth failure or error and first char case-insensitive, can also
have chars after the hostname. e.g.
Apr 29 16:53:38 Jamess-iMac.local sshd[47831]: error: PAM:
authentication error for james from 205.186.180.101 via 192.168.1.201
for matching log lines like:
Mar 29 05:20:09 dusky sshd[19558]: [ID 800047 auth.info] Failed
keyboard-interactive for james from 205.186.180.30 port 54520 ssh2
this matches [ID 800047 auth.info]
This reverts commit 47a62b6072.
Enabling any jail by default should be a prerogative of particular
distributions (thanks Fabian Wenk for the discussion)
Conflicts:
config/jail.conf
* 0.9: (45 commits)
Beef up changelog for 0.9
ENH: make fail2ban-regex aware of possible maxlines in the filter config file
BF+TST: Correctly reset time in tearDownMyTime
ENH: Reimplement warning suppression of setup.py test --quiet
ENH: Renamed OptionConfigReader to DefinitionInitConfigReader
ENH: Rename splitAction to extractOptions in jailreader
ENH: Use os.path.join for filter/action config readers
BF: Remove warnings handler which breaks setup.py python2<2.7 and python3<3.2
ENH: For python3.2+ use ConfigPaser which replaces SafeConfigParser
TST: Change depreciated unittest assertEquals method to assertEqual
TST: Ensure files are closed in tests to remove ResourceWarnings
BF: Change logging instance logSys `warn` method to `warning`
ENH: use os.path.join for consistency -- add "Contributors" to authors
RF: setup.py now imports version number again
DOC: tune up formatting (spaces) and prelude for the changelog entry
TST+RF: Add ability to execute test from setup.py with setuptools
TST: Move test gathering to function is test utils
TST: Move test TZ changes to setUp and tearDown methods
ENH: Remove redundant `maxlines` option from jail reader
TST: Add test for FilterReader [Init] `maxlines` override
...
Conflicts:
config/jail.conf
* commit '0.8.8-212-gf6f30f1': (24 commits)
DOC: tune up formatting (spaces) and prelude for the changelog entry
DOC: more ChangeLog entries all the way back to 0.8.8
DOC: move new actions and filters to New Features in ChangeLog
DOC: tomcat and Guacmole are next release
DOC: credit man page edits
DOC: developers please rebase and use a single commit
DOC: post release ChangeLog entry
DOC: ChangeLog - current HEAD back to ce3ab34
DOC: begining of ChangeLog
DOC: version/date of release
DOC: ChangeLog versions and dates for Releasing
DOC: guidance for pull requests
BF: filter.d/sshd "Did not receive identification string" relates to an exploit so document this in sshd-ddos.conf but leave it out of authentication based blocks in sshd.conf
DOC: a plugin to thanks for the community support
Add After, PIDFile, and change WantedBy to multi-user.target in fail2ban.server
DOC: slight tune ups to README (we are no longer compatible with python 2.3 ;) )
ENH: more openssh fail messages from openssh source code (CVS 20121205)
Add systemd unit file and tmpfiles.d configuration files
BF: do not rely on scripts being under /usr -- might differ eg on Fedora -- rely on import of common.version (Closes gh-112)
RF: move exceptions used by both client and server into common/exceptions.py
...
Conflicts:
ChangeLog
README
* master:
DOC: initiated changelog (but not juice left to actually fill it up ;-))
TST: test all valid loglevels in server testcases
TST: Add tag replace and escape test for actions
ENH: Minor change to action for consistency of execStart/Stop
TST: Coverage for coveralls.io should only be run on success
TST: no cover additions to server, primarily daemon creation
DOC: thanks @kwirk for spotting the typos in exception message
FD_CLOEXEC support
Typo in default pidfile in fail2ban.conf
Conflicts:
.travis.yml -- after_success
ChangeLog -- added perspective changelog for 0.8.9
fail2ban/server/asyncserver.py -- imports
fail2ban/server/server.py -- no pragma (if I got it right ;-) )
* 'py3' of https://github.com/kwirk/fail2ban: (38 commits)
DOC: Add python3 to requirements
ENH: Clarify use of bytes in csocket and asyncserver for python3
DOC: Revert dnsToIp error change, seperate log message for socket.error
TST: Tweak python3 open statement to resolve python2.5 SyntaxError
TST: Revert changes for filter testcase open statement
DOC: Revert setup.py messages to use print statement
Add *.bak files generated by 2to3 to gitignore
TST: Fix up fail2ban python3 scripts
TST: Fix issues in tests which assumed dictionary's order
ENH: setup.py now automatically runs 2to3 for python3.x
TST: Remove Travis CI unsupported versions of python from Travis config
add fail2ban-2to3 to MANIFEST file
ENH: Add python3 versions to Travis CI config
BF: Handle expected errors for python3.{0,1} when changing log target
Minor tweaks to fail2ban-regex for encoding
Added ability to set log file encoding with fail2ban-regex
Add ability to set log encoding for jail
Move handling of unicode decoding to FileContainer readline
Fix incorrect exit code from fail2ban-2to3
Remove redundant reassignment of variable
...
Conflicts:
fail2ban/tests/servertestcase.py -- both branches added a new unittest at the same point
* 'Support_for_mysql_log_example' of https://github.com/arto-p/fail2ban:
Added testcase for MySQL date format to testcases/datedetectortestcase.py and example of MySQL log file.
Added support for MySQL logfiles
Conflicts:
testcases/datedetectortestcase.py -- conflictde with other added test cases
* pr/117/head:
An example of failed logins against sogo
Update sogo-auth.conf
Update config/filter.d/sogo-auth.conf
Create sogo-auth.conf
Update config/jail.conf
* 'master' of git://github.com/fail2ban/fail2ban:
add blocking type
add example jail.conf for blocking through blackhole routes for ssh
add support for blocking through blackhole routes
Do not trigger sshd bans on pam_unix authentication failures, this will trigger on successful logins on systems that use non-pam_unix authentication (sssd, ldap, etc.).