bb97e66627
Merge pull request #1882 from coderua/patch-1
...
Add Jorgee Vulnerability Scanner protect
2017-09-07 15:52:31 +02:00
2cd02b731b
filter.d/exim.conf: fixed failregex for case of `D=0s`
...
Closes gh-1886
2017-09-07 15:28:46 +02:00
4bc226a692
optimized regex
2017-09-05 10:59:16 +02:00
fafefc0293
Add Jorgee Vulnerability Scanner protect
...
Details for Jorgee Vulnerability Scanner: https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30164
2017-09-05 10:56:43 +02:00
4163f32968
small review, prefix replaced with `%(_apache_error_client)s` from apache-common.conf include
2017-09-04 11:48:01 +02:00
ac95449bbb
changed zoneminder regex as per Sebres and yarikoptic recommendations
2017-09-04 11:37:09 +02:00
7013729a1f
removed redundant options for zoneminder from jail.conf
2017-09-04 11:37:05 +02:00
5c3a666380
fixed incomplete regex after adding anchors
2017-09-04 11:37:03 +02:00
3d45fd2713
implemented yarikoptic's suggestions in fail2ban pull request #1376
2017-09-04 11:37:00 +02:00
08878d22dd
added zoneminder.conf filter
2017-09-04 11:36:50 +02:00
a90f6c4ae8
added zoneminder jail and filter
...
# Conflicts:
# config/jail.conf
2017-09-04 11:36:47 +02:00
c312962029
filter.d/dovecot.conf: partially cherry-pick to 0.9 PR #1880 from sebres/0.10-fix-dovecot-regex ( d926e11a5c)
...
fixed failregex (without new mode aggressive)
2017-09-01 10:57:41 +02:00
2cfc53c08e
remove capturing groups
2017-09-01 10:25:09 +02:00
9b8563f35e
- fixes regex for message `imap-login: Disconnected (auth failed, X attempts) ...` has to many variations on additional info after `<HOST>`,
...
leave it end-anchored because variable part `user=<[^>]*>` (before `<HOST>`) to avoid injecting, but can be safe rewritten using `[^>]*` in opposite to "greedy" `user=<[^>]*>`.
- introduces mode `aggressive` and extends regex for this mode to match:
* no auth attempts (previously removed in gh-601, because of lots of false positives on misconfigured MTAs)
* disconnected before auth was ready
* client didn't finish SASL auth
2017-09-01 09:56:21 +02:00
a287d0a05c
Merge pull request #1872 from kmzby/master
...
Added filter for phpMyAdmin+syslog
2017-08-25 12:22:58 +02:00
4c1abe1cbf
phpmyadmin-syslog: removed excess file, fixed test, updated failregex
2017-08-23 16:56:18 +03:00
d09304b897
phpmyadmin-syslog: added default jail config
2017-08-22 19:00:48 +03:00
5b4bc2aafd
Added filter for phpMyAdmin+syslog (>=4.7.0). Closes #1713
2017-08-22 18:20:01 +03:00
1d5fbb95ae
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2017-08-18 15:44:22 +02:00
b0e5efb631
bsd-ipfw.conf: sh-compliant redirect of stderr together with stdout
2017-08-18 15:26:09 +02:00
3be32adefb
Replace not posix-compliant grep option: fgrep with `-q` option can cause 141 exit code in some cases (see gh-1389).
2017-08-18 14:37:29 +02:00
f84e58e769
Tweaks to action.d/pf.conf
...
Document recent changes.
Add an option to customize the pf block rule (surely, what the user
really wants, here, is "block quick").
2017-08-18 13:31:34 +02:00
33874d6e53
action.d/pf.conf: anchored call arguments combined as `<pfctl>` parameter;
...
test cases fixed;
2017-08-16 17:51:07 +02:00
f6ccede2f1
Update pf.conf fixing #1863
...
Fix #1863
Introduce own PF anchors for fail2ban rules.
2017-08-16 17:51:05 +02:00
30219b54c4
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2017-08-09 16:38:29 +02:00
c0eb7752a8
Merge pull request #1651 from szepeviktor/patch-9
...
Introduce Cloudflare API v4
2017-08-09 16:28:52 +02:00
2ed8a38eca
Update cloudflare.conf
...
Switch to API v1 to API v4 per default
2017-08-09 16:27:53 +02:00
da7072d40e
Merge pull request #1846 from Chocobozzz/patch-3
...
Fix empty logfile.log in xarf login attack action
2017-08-09 16:21:47 +02:00
94b163936a
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
...
Removed init section (not needed in filter for 0.10).
# Conflicts:
# config/filter.d/sendmail-reject.conf
2017-08-09 16:16:31 +02:00
af25a9d203
Merge pull request #1566 from opoplawski/journalmatch
...
Add sendmail journalmatch options
2017-08-09 16:14:10 +02:00
84f552881c
Add sendmail journalmatch options
2017-08-09 16:03:34 +02:00
5b7375c614
Merge pull request #1638 from roedie/shorewall-ipv6
...
Add shorewall IPv6 support
2017-08-09 15:54:57 +02:00
e52f483557
Config reader's: introduced new syntax `%(section/option)s`, in opposite to extended interpolation of python 3 `${section:option}` work with all supported python version in fail2ban and this syntax is like our another features like `%(known/option)s`, etc.;
...
Variable `default_backend` switched to `%(default/backend)s`, so totally backwards compatible now, but now the setting of parameter `backend` in default section of `jail.local` can overwrite default backend also.
Test cases extended: test targeted section options "section/option" (default and cross sections options);
2017-08-08 20:21:44 +02:00
5ce8d4f741
fixes default backend handling (as default used value of `known/backend`, which can now be overridden in default section of jail.local);
...
introduces fallback for `known/option`: interpolate missing `known/option` as `option` from default section
2017-08-08 18:41:15 +02:00
2fe1479484
Merge branch '_0.9/gh-1849' into 0.10
2017-08-07 18:07:36 +02:00
5c538fb658
Recognize "unknown user" for additional auth-methods (pam, passwd-file, ldap, sql, etc); simplifying regular expressions (put "unknown user" and "invalid credentials" together as one regex).
2017-08-07 18:04:09 +02:00
0ef5b7c4d4
small amend to gh-1850: removed greedy catch-all at end.
2017-08-07 15:24:16 +02:00
daf57547c6
Parse ejabberd 17.06 output
...
E.g.:
2017-07-29 08:24:04.773 [info] <0.6668.0>@ejabberd_c2s:handle_auth_failure:433 (http_bind|ejabberd_bosh) Failed c2s PLAIN authentication for test@example.ch from ::FFFF:192.0.2.3: Invalid username or password
2017-07-29 19:58:06 +02:00
f4551d02c9
Fix empty logfile.log in xarf login attack action
...
Fix empty 3rd MIME part which contains the attack evidence (logfile.log).
2017-07-25 13:44:29 +02:00
1a562bed0f
Merge remote-tracking branch 'master' into 0.10
...
# Conflicts:
# config/filter.d/asterisk.conf
2017-07-19 08:57:23 +02:00
a5b62a7f36
failregex extended and simplified (partially ported from gh-1409).
2017-07-18 16:34:22 +02:00
098abae4e6
Remove greedy catch-all before `<HOST>`, make regex more universal, fewer prone to errors (should avoid future changes, if some optional parameters coming again before/after `RemoteAddress`) + non-captured groups now.
...
Test for possible injection (5.6.7.8 in session-id) already available, line 59 (thus already covered).
2017-07-18 16:09:53 +02:00
4c0c7b97c0
Update asterisk.conf to new log message
...
I got an issue like this:
[2016-05-15 22:53:00] SECURITY[26428] res_security_log.c: SecurityEvent="FailedACL",EventTV="2016-05-15T22:53:00.203+0300",Severity="Error",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7fb580001518",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/78.129.227.4/62389",SessionTV="1970-01-01T03:00:00.000+0300"
# [sebres] rebased to current master and resolving conflicts.
2017-07-18 15:40:32 +02:00
34cb55fd91
Merge pull request #1695 from benrubson/issue1693
...
Apache, detect syslog prefix
2017-07-14 02:05:23 +02:00
0e33125129
be more precise using common `__prefix_line` expression (set `_daemon` to recognize apache and httpd only)
2017-07-12 11:59:02 +02:00
b561af45ef
apache-common.conf: introduced parameter `logging` for possibility to match lines, if apache logs into syslog/systemd journal;
...
added test cases to cover `apache-auth[logging=syslog]`.
2017-07-12 11:45:44 +02:00
b662cf03ac
Apache, detect syslog prefix, simple example
2017-07-12 11:36:34 +02:00
6c030c5e10
Merge pull request #1717 from szepeviktor/patch-11
...
Updated xarf-specification repo URL in xarf action
2017-07-12 09:54:15 +02:00
7217ef5c9e
filter.d/ejabberd-auth.conf: fixed ejabberd filter - accept new log-format with `wait_for_sasl_response` instead of `wait_for_feature_request` + optional part "IP " (gh-993)
2017-07-11 15:25:51 +02:00
dae4988aea
filter.d/roundcube-auth.conf: fixes failregex not working with `X-Real-IP` or/and `X-Forwarded-For` (gh-1303)
2017-07-11 14:59:24 +02:00
e26cc5de45
restore backwards compatibility (jail postfix-sasl); changelog update
2017-07-11 11:57:48 +02:00
aa92b68d4a
filter.d/postfix.conf: normalized several postfix-filters using parameter `mode` (as discussed in gh-1813);
...
introduced parameter `mode`: more (default, combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
replacement for gh-1239, gh-1697, gh-1764; closes gh-1245, gh-1297.
2017-07-10 20:49:28 +02:00
d32a3913cf
postfix postscreen (resp. other RBL's compatibility fix) / gh-1764
2017-07-10 15:38:24 +02:00
57ea38c342
Update paths-debian.conf
...
Fixed mail.log path since in the default rsyslog configuration of debians the `mail.warn` is commented now (see `/etc/rsyslog.d/50-default.conf`: `#mail.warn -/var/log/mail.warn`).
Closes gh-1687
2017-07-05 19:57:30 +02:00
546cd55342
Merge branch 'master' into 0.10
2017-07-03 13:02:25 +02:00
a1d0633e69
filter.d/asterisk.conf - fixed failregex AMI Asterisk authentification failed (see gh-1302):
...
- optional space between NOTICE and pid;
- optional part "Host " before IP-address;
2017-07-03 12:57:28 +02:00
33fcf8d809
Merge branch 'master' into 0.10
2017-07-03 12:43:48 +02:00
1307e0a5b9
Merge pull request #1760 from szepeviktor/patch-12
...
Courier may complain about the method only
2017-07-03 12:00:36 +02:00
f27e053592
Update bsd-ipfw.conf
...
increased starting rule number (lowest_rule_num = 111)
2017-07-01 17:10:53 +02:00
001c0898d6
Merge branch 'master' into master
2017-06-30 18:07:38 +02:00
6110ba9cc3
filter.d/proftpd.conf: added option `journalmatch` for systemd backend (closes gh-1613)
2017-06-30 18:00:01 +02:00
37ca4f17c2
filter.d/roundcube-auth.conf: added missing entry `journalmatch` from original gh-1783.
2017-06-26 11:24:10 +02:00
986dd3107d
Merge branch '0.10' into patch-12
2017-06-19 18:37:28 +02:00
d3ae70beb6
filter.d/roundcube-auth.conf: Use the same filter-file and jail also when logging errors to journal instead to a local file.
...
Additionally fixes more complex injections on username.
2017-06-19 18:12:13 +02:00
691c080dc7
Added roundcube authentication filter, new jail and log-examples
2017-06-19 16:52:42 +02:00
3294840c2a
Merge pull request #1801 from jeaye/postfix-updates
...
filter.d/postfix.conf: update to the latest postfix logging format
2017-06-19 16:44:37 +02:00
efeca8fdeb
postfix.conf: removes unneeded end-anchoring like `.*$`, etc.
...
also removes several dynamic content at end, which are of no avail there.
Additionally normalizes optional part (mail-ID) after reason number.
2017-06-19 16:25:46 +02:00
dcdf677438
Merge remote-tracking branch 'master' into 0.10
2017-06-15 11:49:51 +02:00
2b358bc1a4
filter.d/apache-overflows.conf: rewritten without end-anchor ($), because apache-log could contain very long URLs (and/or referrer), the parsing of it anchored way may be very vulnerable (at least as regards the system resources, see gh-1790).
2017-06-15 11:16:19 +02:00
6f3d425c4d
Update postfix filters and tests
2017-06-12 18:56:19 -07:00
bbea73d79d
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2017-06-12 13:11:45 +02:00
d56554ecf3
Merge pull request #1688 from felixonmars/arch-config
...
Add a path configuration for Arch Linux
2017-06-06 10:55:13 +02:00
b93e47b12f
dovecot: Match also when user field is empty
...
Commit 5678d08
2017-05-31 15:54:30 +02:00
228d25c548
Update Kerio Connect filter ( #1455 )
...
* Update Kerio Connect filter
Fixed regex for some log entries that did not get recognized and some additional error formats are added.
* Add missing colon, GitHub address
* Add filter tests
* Add missing test
2017-05-30 20:27:44 +02:00
80cc47b75f
Update helpers-common.conf
...
fixed grep pattern: escape dot-char in search-IP and more restrictive boundaries (IPv6-capable)
2017-05-30 09:14:43 +02:00
5bb6be0163
IPv6 address may overlap
2017-05-30 02:05:38 +02:00
ff1c6718da
Postfix RBL: 554 & SMTP
...
Cherry-pick of 607568f5da
2017-05-15 14:42:37 +02:00
b13d9d4e22
Merge branch 'master' into 0.10
2017-05-07 21:29:12 +02:00
0600d51511
filter.d/exim.conf: added new reason for "rejected RCPT" regex: Unrouteable address
2017-05-07 14:02:38 +02:00
49e237209e
Merge branch 'master' into 0.10
2017-05-07 13:32:12 +02:00
c546f85207
filter.d/exim.conf: cherry-picked from 0.10, match complex time like `D=2m42s` (closes gh-1766)
2017-05-07 13:02:32 +02:00
ac256a822b
Make courier-auth regexp a non-captured group
2017-04-28 16:58:24 +02:00
4bb8a58dcf
Courier may complain about the method only
...
> Mar 30 22:29:18 szerver imapd-ssl: LOGIN FAILED, method=PLAIN, ip=[::ffff:1.2.3.4]
2017-04-28 15:49:59 +02:00
c3426ba5f6
Update botsearch-common.conf ( #1759 )
...
* Update botsearch-common.conf, apache-modsecurity.conf: typo and missing new-line
2017-04-26 20:14:39 +02:00
8839bcbb09
Merge remote-tracking branch master into 0.10
2017-04-25 10:07:19 +02:00
99344d28c8
Introduces new tags with hostname:
...
- `<fq-hostname>` - fully-qualified name of host (the same as `$(hostname -f)`)
- `<sh-hostname>` - short hostname (the same as `$(uname -n)`)
Execution of `uname -n` replaced in all mail actions with most interesting fully-qualified `<fq-hostname>`.
2017-04-24 21:17:55 +02:00
3161bcf78b
filter.d/exim.conf: optional part `(...)` after host-name before `[IP]`, normalized over whole config file.
...
# Conflicts:
# config/filter.d/exim.conf
2017-04-24 19:21:26 +02:00
507034c5be
filter.d/apache-auth.conf: joined some similar expressions
2017-04-24 15:32:44 +02:00
6dfd080e20
Update apache-auth.conf
...
remove forgotten referer, that may prevent failure recognition (belongs to gh-1645)
2017-04-21 11:17:13 +02:00
311f8fea83
Merge branch '0.10' into issue1644
2017-04-21 10:32:29 +02:00
bb79e7f413
Parameter not needed
...
The parameter '-s' causes an error as the <mailcmd> already has the parameter.
2017-04-11 11:13:58 -04:00
4f0f22702a
Update haproxy-http-auth.conf
...
little bit more precise expression
2017-04-11 09:11:08 +02:00
4fc6323ff0
haproxy-http-auth: avoid port number in IPv6 addresses
...
The solution taken is to consume the port number explicitely in
the regexp.
2017-04-07 13:59:22 +02:00
97e8b42d34
dummy action extended with more examples and test-covered now
2017-03-30 13:02:37 +02:00
d03872fbbf
bulk unban: add new command `actionflush` default for several iptables/iptables-ipset actions (and common include):
...
iptables-common
iptables
iptables-allports
iptables-multiport-log
iptables-multiport
iptables-new
iptables-ipset-proto4
iptables-ipset-proto6
iptables-ipset-proto6-allports
executing `actionflush` command covered for this actions now
2017-03-29 23:24:11 +02:00
8bf79fa483
implemented execution of `actionstart` on demand, if action depends on `family` (closes gh-1741);
...
new action parameter "actionstart_on_demand" (bool) can be set to prevent/allow starting action on demand (default retrieved automatically, if some conditional parameter `param?family=...` presents in action properties);
2017-03-29 17:44:15 +02:00
c82495353f
Update mysqld-auth.conf ( #1725 )
2017-03-24 19:03:20 +01:00
52c1950371
Update mysqld-auth.conf
...
small typo, closes gh-1725 (Thx @seth-reeser)
2017-03-24 19:03:17 +01:00
5e93bf9bd3
Introduced new option "ignoreself", specifies whether the local resp. own IP addresses should be ignored (default is true).
...
Fail2ban will not ban a host which matches such addresses.
Option "ignoreip" affects additionally to "ignoreself" and don't need to include the DNS resp. IPs of the host self.
2017-03-23 15:52:31 +01:00
f13fac5ae9
amend to 5561423be3b2d4636f5484183c3ad470fd326d06: fixed incorrect failure counting despite the `<F-NOFAIL>` marked regex;
...
extra: introduced new tag `<F-MLFFORGET>` as mark to forget current multi-line MLFID (e. g. connection closed);
Closes gh-1727
2017-03-21 00:15:57 +01:00
Serg G. Brester