sebres
5561423be3
filter.d/sshd.conf: fixed failregex format - some parts are optional, new ddos more precise rule (Connection reset by with host entry);
...
closes gh-1719
2017-03-15 18:01:20 +01:00
Viktor Szépe
d79267c424
Updated xarf-specification repo URL in xarf action
2017-03-14 20:47:31 +01:00
sebres
0c1707afda
filter.d/sshd.conf:
...
- optional parameter `mode` rewritten: normal (default), ddos, extra or aggressive (combines all), see sshd for regex details);
test cases reformatted (since "filterOptions", we don't need multiple test log-files anymore);
2017-03-10 22:09:11 +01:00
sebres
7e442c5b27
filter.d/sendmail-reject.conf:
...
- rewritten using `prefregex` and used MLFID-related multi-line parsing (by using tag `<F-MLFID>` instead of buffering with `maxlines`);
- optional parameter `mode` introduced: normal (default), extra or aggressive (see sendmail-reject for regex details);
test cases extended
2017-03-10 21:44:19 +01:00
sebres
52ed6597b2
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2017-03-09 16:27:14 +01:00
sebres
8768776d68
filter.d/cyrus-imap.conf: fixed `failregex` - accept entries without login-info resp. hostname before IP address
2017-03-09 16:13:45 +01:00
Serg G. Brester
d042981954
Merge pull request #1655 from ajcollett/0.10
...
Added config for AbuseIPDB
2017-03-09 15:15:26 +01:00
Serg G. Brester
b1f5ac9484
Update abuseipdb.conf
2017-03-09 13:33:11 +01:00
Serg G. Brester
62fa02241f
Update jail.conf
2017-03-09 13:31:40 +01:00
sebres
6a2c95da95
`action.d/sendmail-geoip-lines.conf` fixed using new tag `<ip-host>` (dns-cache and without external command execution);
...
changelog updated;
2017-03-08 16:51:08 +01:00
sebres
d2a3d093c6
rewritten CallingMap: performance optimized, immutable, self-referencing, template possibility (used in new ActionInfo objects);
...
new ActionInfo handling: saves content between actions, without interim copying (save original on demand, recoverable via reset);
test cases extended
2017-02-24 11:54:24 +01:00
sebres
35efca5941
Better multi-line handling introduced: single-line parsing with caching of needed failure information to process in further lines.
...
Many times faster and fewer CPU-hungry because of parsing with `maxlines=1`, so without line buffering (scrolling of the buffer-window).
Combination of tags `<F-MLFID>` and `<F-NOFAIL>` can be used now to process multi-line logs using single-line expressions:
- tag `<F-MLFID>`: used to identify resp. store failure info for groups of log-lines with the same identifier (e. g. combined failure-info for the same conn-id by `<F-MLFID>(?:conn-id)</F-MLFID>`, see sshd.conf for example)
- tag `<F-NOFAIL>`: used as mark for no-failure (helper to accumulate common failure-info);
filter.d/sshd.conf: [sshd], [sshd-ddos], [sshd-aggressive] optimized with pre-filtering using new option `prefregex` and new multi-line handling.
2017-02-22 22:19:43 +01:00
sebres
22afdbd536
Several filters optimized with pre-filtering using new option `prefregex`
2017-02-21 15:54:59 +01:00
sebres
4ff8d051f4
Introduced new filter option `prefregex` for pre-filtering using single regular expression;
...
Some filters extended with user name;
[filter.d/pam-generic.conf]: grave fix injection on user name to host fixed;
test-cases in testSampleRegexsFactory can now check the captured groups (using additionally fields in failJSON structure)
2017-02-20 16:54:17 +01:00
Serg G. Brester
2fa18a74c4
Merge branch 'master' into master
2017-02-17 09:06:09 +01:00
sebres
4bf09bf297
provides new tag `<ip-rev>` for PTR reversed representation of IP address;
...
[action.d/complain.conf] fixed using this new tag;
2017-02-16 13:38:20 +01:00
Serg G. Brester
7f63809afb
Merge branch '0.10' into patch-1
2017-02-15 20:33:36 +01:00
Christoph Theis
861ce4177c
#1689 : Make lowest rule number in action.d/bsd-ipfw.conf configurable
2017-02-14 18:31:42 +01:00
Felix Yan
68d829c1dd
Add a path configuration for Arch Linux
2017-02-14 18:43:01 +08:00
Jan Grewe
58c68b75f0
Remove double-quotes from email addresses
2017-02-08 14:16:13 +01:00
Jan Grewe
1bcf0de7c1
Update complain.conf
2017-02-07 21:39:46 +01:00
Filippo Tessarotto
607568f5da
Postfix RBL: 554 & SMTP
2017-02-07 15:26:06 +01:00
Jan Grewe
901eeff53d
Make Abusix lookup compatible with Dash
2017-02-06 22:04:36 +01:00
sebres
1823571e0f
Merge branch 'ssh-filter-new-regexp' into 0.10
2017-01-23 08:58:43 +01:00
sebres
9d06f0ee40
sshd-amend: optional space after port part
2017-01-23 08:56:47 +01:00
sebres
e8a1556562
Merge remote-tracking branch 'master' into 0.10
...
# Conflicts:
# fail2ban/tests/samplestestcase.py
2017-01-21 16:59:41 +01:00
sebres
54a8c681ce
suhosin.conf: removed greedy match
2017-01-21 16:26:07 +01:00
sebres
8aa9516d50
sshd.conf: fixed expression "received disconnect ... auth fail" - optional space after port part (gh-1652)
2017-01-21 16:18:03 +01:00
sebres
3276bd6d54
sshd: additionally aggressive filter rules - no matching cipher resp. no matching key exchange method (gh-1545, gh-1117)
2017-01-21 15:57:05 +01:00
sebres
628789f9a9
sshd: conditional parameter "mode" for sshd jail (normal, ddos, aggressive)
...
filter sshd-ddos and new filter sshd-aggressive are both derivation of sshd-filter
2017-01-21 15:54:49 +01:00
sebres
dd373dba9f
test all config-regexp, that contains greedy catch-all before <HOST>, that is hard-anchored at end or precise sub expression after <HOST>;
...
new ssh rule(s) added:
- Connection reset by peer (multi-line rule during authorization process);
- No supported authentication methods available;
Single line and multi-line expression optimized, added optional prefixes and suffix (logged from several ssh versions);
closes gh-864
2017-01-21 15:53:48 +01:00
Christian Brandlehner
a4d8426401
Support for IBM Domino SMTP task ( #1603 )
...
filter.d/domino-smtp.conf
2017-01-20 08:44:20 +01:00
Serg G. Brester
40f294e6bf
Merge pull request #1663 from jjeziorny/netscaler-action
...
Introduced citrix netscaler action
2017-01-19 16:25:23 +01:00
Juliano Jeziorny
1fe554dd25
Introduced Citrix Netscaler action
2017-01-19 14:30:25 +01:00
Christoph Theis
6187431629
#1667 : Wrong paths for apache and nginx under FreeBSD
2017-01-17 11:48:25 +01:00
sebres
74a6afadd5
Mail-actions switched to use new option "norestored" instead of checking of variable `restored` during shell execution (prevents executing of such actions at all).
2017-01-16 09:40:48 +01:00
sebres
ee3c787cc6
Recognize restored (from database) tickets after restart (tell action restored state of the ticket);
...
Prevent executing of several actions (e.g. mail, send-mail etc) on restart (bans were already notified).
Test cases extended (smtp and by restart in ServerReloadTest).
Closes gh-1141
Closes gh-921
2017-01-13 19:06:17 +01:00
sebres
7019640eb3
Merge branch 'fix-gh-1658' into 0.10
2017-01-10 12:59:51 +01:00
sebres
a9523aefbb
sshd.conf: fixed non-anchored part of regex (misleading match of colon inside IPv6 address instead of `: ` in the reason-part by missing space).
2017-01-10 12:58:44 +01:00
sebres
c9f32f75e6
Merge branch '0.9-fix-regex-using-journal' into 0.10-fix-regex-using-journal (merge point against 0.9 after back-porting gh-1660 from 0.10)
2017-01-10 11:25:41 +01:00
Andrew James Collett
3991f51f30
Update jail.conf
...
Sigh, added a space back that I somehow missed in Vim, despite it being a rebase...
2017-01-08 09:45:35 +02:00
Andrew James Collett
10d61e0779
Fixed the spaces again
2017-01-08 09:42:15 +02:00
Andrew James Collett
b35391e768
Update jail.conf
...
Fixing spacing
2017-01-08 09:30:00 +02:00
Andrew James Collett
1c41390f7c
Restructured the way the catagories work.
...
Jail.conf is cleaner and abuseipdb.conf is more flexible.
2017-01-08 09:26:11 +02:00
Andrew James Collett
55e107310f
Added config for AbuseIPDB, ony tested on Ubuntu 16.04
2017-01-07 14:24:54 +02:00
Viktor Szépe
81c1810f10
Introduce Cloudflare API v4
...
In the cloudflare action everyone is suggested to use API v4.
And I don't dare to contribute any actual change.
2016-12-31 21:30:57 +01:00
benrubson
cc311b56f3
Apache URIs can contain spaces
2016-12-23 22:57:24 +01:00
roedie
3adc16d266
Shorewall IPv6 suggested changes.
...
Change files as suggested by sebres.
2016-12-12 20:53:58 +01:00
Yaroslav Halchenko
31a1560eaa
minor typos (thanks Vincent Lefevre, Debian #847785 )
2016-12-11 15:13:11 -05:00
roedie
6e18508a07
Add shorewall IPv6 support
...
Small patch which allow fail2ban to use shorewall for IPv6 bans.
2016-12-11 20:44:54 +01:00
sebres
45f1d811c9
Merge branch 'alex1702-1586'
2016-11-28 18:54:02 +01:00
sebres
67c14afd8e
ChangeLog entry added + jail.conf review
2016-11-28 18:51:23 +01:00
sebres
425170cef3
code review, makes the test cases workable, added dev-notes
2016-11-28 18:39:07 +01:00
sebres
931eab84b5
`filter.d/apache-modsecurity.conf`
...
- fixed for newer version (one space, closes gh-1626)
reviewed and optimized:
- non-greedy catch-all replaced for safer match
- unneeded catch-all anchoring removed
- non-capturing groups
2016-11-28 11:28:27 +01:00
sebres
40cbe96352
Merge remote-tracking branch 0.10 into _0.10/fix-datedetector-grave-fix-v2
2016-11-28 11:03:11 +01:00
sebres
5678d08a79
filter.d/dovecot.conf update:
...
- fixes failregex, that ignores failures through some irrelevant info (closes #1623 );
- ignores whole additionally irrelevant info in anchored regex before fixed failure data `\((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\)`
- review, IPv6 compatibility fix, non-capturing groups
2016-11-26 16:50:37 +01:00
sebres
a2af19c9f0
fixed several actions, that could not work with jails using multiple logpath; additionally repaired execution in default shell (bad substitution by `${x//...}` executing in `/bin/sh`);
...
added helper "action.d/helpers-common.conf", and `_grep_logs` part-command for actions needed grep logs from multiple log-files
test cases: executing of some complex actions covered
2016-11-25 19:27:26 +01:00
Serg G. Brester
4f5389fee5
Update jail.conf
2016-11-24 19:30:10 +01:00
Johannes Weberhofer
f46ada023e
Use Fedora's backend-settings for openSUSE
...
Those settings are ok for newer openSUSE versions
2016-11-22 09:03:54 +01:00
sebres
b5433f48b7
amend after code review of merge gh-1581
2016-11-11 11:09:46 +01:00
sebres
bee6e7376b
Merge branch 'aclindsa:master'
2016-11-11 10:58:40 +01:00
sebres
ea4c1f6356
Merge branch 'master' into 0.10
2016-11-11 10:29:45 +01:00
sebres
dab5f56609
Merge branch 'fix-gh-1477'
2016-11-11 10:17:07 +01:00
Alex
8ac28e5dcb
Make changes and add test file
2016-11-10 13:09:32 +01:00
Alex
8c40766511
Add Mongodb-auth filter and jail
2016-11-10 12:48:24 +01:00
sebres
faee5f1fdc
better caching (thereby better performance), better recognition of similar regex
2016-10-17 11:20:30 +02:00
sebres
ae7297e16b
more precise date template handling (WARNING: this commit creates possible incompatibilities):
...
- datedetector rewritten more strict as earlier;
- default templates can be specified exacter using prefix/suffix syntax (via `datepattern`);
- more as one date pattern can be specified using option `datepattern` now (new-line separated);
- some default options like `datepattern` can be specified directly in section `[Definition]`, that avoids contrary usage of unnecessarily `[Init]` section, because of performance (each extra section costs time);
- option `datepattern` can be specified in jail also (jails without filters);
- if first group specified, only this will be cut out from search log-line (e. g.: `^date:[({DATE})]` will cut out only datetime match pattern, and leaves `date:[] failure ip...` for searching in filter);
- faster match and fewer searching of appropriate templates (DateDetector.matchTime calls rarer DateTemplate.matchDate now);
- standard filters extended with exact prefixed or anchored date templates;
template cache introduced (in opposition to default template cache, holds custom templates cached by pattern for possible common usage of same template/regex);
2016-10-17 11:20:27 +02:00
sebres
ab0ac2111c
added possibility to specify more precise default date pattern:
...
- `datepattern = {^LN-BEG}` - only line-begin anchored default patterns
(matches date only at begin of line, or with max distance up to 2 non-alphanumeric characters from line-begin);
- `datepattern = {*WD-BEG}` - only word-begin anchored default patterns;
- `datepattern = ^prefix{DATE}suffix` - exact specified default patterns (using prefix and suffix);
common filter configs gets a more precise, line-begin anchored (datepattern = {^LN-BEG}) resp. custom anchoring default date-patterns;
2016-10-17 11:18:30 +02:00
sebres
a7d9de8c52
[temp commit] 1st try to optimize datedetector/datetemplate functionality (fix ambiguous resp. misleading date detection if several formats used in log resp. by format switch after restart of some services):
...
* Misleading date patterns defined more precisely (using extended syntax %E[mdHMS]
for exact two-digit match)
* `filter.d/freeswitch.conf`
- Optional prefixes (server, daemon, dual time) if systemd daemon logs used (gh-1548)
- User part rewritten to accept IPv6 resp. domain after "@" (gh-1548)
2016-10-17 11:16:20 +02:00
Aaron Lindsay
7805f9972d
filter.d/sshd.conf: Match 'Invalid user' with 'port \d*'
2016-10-15 15:52:19 -04:00
sebres
84c3eb3e0e
filter.d/sendmail-reject.conf: double space (should be by missing dns-host only)
...
Closes #1578
2016-10-15 14:53:45 +02:00
sebres
c809c3e61e
Merge branch 'master' into 0.10
2016-10-13 19:01:13 +02:00
Nils
d08db22b92
Create npf.conf for the NPF packet filter
...
This file adds support for the NPF packet filter, available on NetBSD since version 6.0
2016-10-13 18:50:54 +02:00
sebres
fa8184d4cc
fixes deprecated DNSUtils.IsValidIP in fakegooglebot ignore command + test covered now;
...
Closes #1559
2016-10-05 15:01:33 +02:00
sebres
ee1727ecca
Merge pull request #1563 from niklasf/fix-lazy-ipv6-regex (and sebres/fix-lazy-ipv6-regex) into 0.10
2016-09-30 13:34:54 +02:00
sebres
9bf8985e2a
nginx-limit-req.conf: more precise failregex (word-boundary if `<HOST>` should be non-greedy for some reasons)
2016-09-30 12:33:43 +02:00
Serg G. Brester
ba9a88977f
Merge pull request #1562 from sebres/_0.10/fix-stability-and-speed
...
0.10/fix stability and speed optimization
2016-09-30 12:14:51 +02:00
sebres
8b0f6c5413
badips test cases check availability of badips service (and skip this tests if it not available)
2016-09-30 12:03:27 +02:00
sebres
310d4e224d
Merge branch master (0.9) into 0.10
2016-09-29 19:46:11 +02:00
sebres
9fb167b5e1
filter.d/vsftpd.conf: optional reason message after FAIL LOGIN, closes #1543
2016-09-09 09:20:15 +02:00
sebres
c0e0cfb39d
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2016-09-01 16:23:13 +02:00
sebres
4a1d720344
filter.d/asterisk.conf: another part ` chan_sip.c:28468 handle_request_register:` in log prefix
2016-08-22 14:10:50 +02:00
sebres
2c54f90469
sshd-filter: better universal regexp, that matches more complex different injects, using conditional expressions (on username and auth-info section), see new test cases also.
2016-08-19 10:19:12 +02:00
sebres
a544c5abac
sshd-filter: recognized "Failed publickey for" now (gh-1477) + improved regexp (not anchored now to recognize all "Failed anything for ... from <HOST>"
...
ChangeLog entry added
2016-08-18 21:38:55 +02:00
sebres
d71a525a85
Merge branch 'master' into 0.10 (resolve conflicts and cleaning tree points after back-porting gh-1508 0.10 -> 0.9)
2016-08-12 18:51:56 +02:00
sebres
38d53a72fd
introduces new command "fail2ban-python", as automatically created symlink to python executable, where fail2ban currently installed (resp. its modules are located);
...
fixed pythonic filters and test scripts (running via "fail2ban-python" now);
fixed test case "testSetupInstallRoot" not for default python (also using direct call, out of virtualenv);
# Conflicts:
# config/filter.d/ignorecommands/apache-fakegooglebot
# fail2ban/tests/files/config/apache-auth/digest.py
# fail2ban/tests/files/ignorecommand.py
# fail2ban/tests/misctestcase.py
2016-08-12 17:58:37 +02:00
sebres
77f451c4a3
introduces new command "fail2ban-python", as automatically created symlink to python executable, where fail2ban currently installed (resp. its modules are located);
...
fixed pythonic filters and test scripts (running via "fail2ban-python" now);
fixed test case "testSetupInstallRoot" not for default python (also using direct call, out of virtualenv);
2016-08-11 18:34:18 +02:00
maksyms
9ddbd642f7
Accept no space after "failed:" ( #1501 )
...
yoh: Squashed to ease cherry-picking into 0.9
* accept no space after "failed:"
fix issue #1497
* accept no space after "failed:"
* Update postfix-sasl
* Update postfix-sasl
* Update postfix-sasl
2016-08-08 17:09:47 -04:00
maksyms
04427adb95
Accept no space after "failed:" ( #1501 )
...
yoh: Squashed to ease cherry-picking into 0.9
* accept no space after "failed:"
fix issue #1497
* accept no space after "failed:"
* Update postfix-sasl
* Update postfix-sasl
* Update postfix-sasl
2016-08-08 17:07:55 -04:00
sebres
c52aaa8b78
ASSP failregex minor fixes
2016-08-08 19:06:28 +02:00
sebres
70658d7a19
Merge pull request #1494 from rhardy613/master (branch 'sebres:pr-1494')
2016-08-08 18:49:32 +02:00
rhardy613
8265e3f0f9
Fix comments
...
For some reasons the comment changes weren't pickup in the last commit.
This fixes it.
2016-08-05 23:25:15 -04:00
rhardy613
66fe5a77ce
Fix ASSP filter to work with both ASSP V1 and V2
...
ASSP V1 development stopped at the end of 2014 and it is now deprecated.
All users were urged to upgrade to ASSP V2 which is still actively
developed.
fail2ban 0.9.5 (and trunk) still have code which only understands ASSP
V1 logs.
This means the filter ignores brute force attacks against ASSP. This fix
adds V2 support.
2016-08-05 23:18:51 -04:00
rhardy613
890a3dcbb9
Fix ASSP filter to work with current release of ASSP
...
ASSP V1 development stopped at the end of 2014 and it is now deprecated.
All users were urged to upgrade to ASSP V2 which is still actively
developed. For some reason fail2ban 0.9.5 (and trunk) still have code
which only understands ASSP V1 logs. This means the filter ignores brute
force attacks against ASSP.
Now updated with anchored patterns tested against 6 months of log data.
2016-08-05 17:26:47 -04:00
Yaroslav Halchenko
c0994b0c6c
DOC: minor typo (thanks John Bernard) Closes #1496
2016-08-04 10:23:05 -04:00
sebres
0eea362aa0
Merge branch 'master' into 0.10
2016-08-01 15:10:52 +02:00
rhardy613
f73746d846
Fix ASSP filter to work with current release of ASSP
...
ASSP V1 development stopped at the end of 2014 and it is now deprecated.
All users were urged to upgrade to ASSP V2 which is still actively
developed. For some reason fail2ban 0.9.5 (and trunk) still have code
which only understands ASSP V1 logs. This means the filter ignores brute
force attacks against ASSP.
2016-07-31 13:50:52 -04:00
Yaroslav Halchenko
28a0605f69
Merge pull request #1478 from gips0n/master
...
adding openldap slapd filter
2016-07-14 08:30:42 -04:00
Andrii Melnyk
7433b353ee
another variant of regex
2016-07-14 10:19:21 +03:00
Andrii Melnyk
7c5828dd2a
add trailing anchor to failregex
2016-07-13 21:09:42 +03:00
sebres
683f8fc56c
Merge branch 'master' into 0.10
2016-07-13 19:41:46 +02:00
Andrii Melnyk
48c094f612
improved failregex according to @sebres recomendations
2016-07-08 13:45:10 +03:00
sebres
f5f204ca7c
Improved changes of gh-1458:
...
`[^']*` after callid was wrong, changed to `[^\)]*`;
regexp anchored at the end;
almost the same regex grouped to one;
Closes #1458
2016-07-08 11:45:25 +02:00
nturcksin
72a157b8f2
Improve PJSIP log support for asterisk 13+ with different callID (Squash gh-1458)
...
Change the asterisk pjsip filter to don't take the callId part
Add optional part between "Request" and "from"
Listed all log message from asterisk
2016-07-08 11:45:22 +02:00
Andrii Melnyk
dcb69b0242
* add `__prefix_line` to regex
...
* fix time in log file
2016-07-08 05:29:51 +03:00
Andrii Melnyk
b2e3affaa0
adding openldap slapd filter
2016-07-08 04:50:57 +03:00
Yaroslav Halchenko
593b1210c0
Merge master (commit '0.9.4-79-gaf8b650') into 0.10
...
* commit '0.9.4-79-gaf8b650':
badip timeout option introduced, set to 30 seconds in our test cases (#1463 )
DOC: changelog for recent exim filters tune up
Asterisk pjsip (#1456 )
BF: finalize that sample log line for exim4
RF: for consistency use (?:XXX)? instead of (?:|XXX)
ENH: use non-capturing regex groups in exim-common and exim filters
ENH: exim filters -- make more use of %(host_info)s which in turn made more flexible
BF: make :port and I=[ip]:port optional for a "AUTH command used when not advertised"
2016-06-19 20:06:16 -04:00
Serg G. Brester
af8b650a37
badip timeout option introduced, set to 30 seconds in our test cases ( #1463 )
...
cherry-picked from 0.10 (little bit modified in test_badips.py, because no --fast option in test cases)
2016-06-13 12:56:53 +02:00
sebres
e39126f630
badip timeout option introduced, set to 30 seconds in our test cases
2016-06-10 13:15:46 +02:00
Yaroslav Halchenko
636a93f58b
Merge pull request #1438 from yarikoptic/bf-exim
...
exim filters -- make wider use of host_info helper str susbstitution + fix for #1430
2016-06-07 21:35:52 -04:00
Ludovic Gasc
f85fb45b29
Asterisk pjsip ( #1456 )
...
* Improve PJSIP log support for Asterisk 13+
* Update changelog: filter.d/asterisk.conf - fix security log support for PJSIP and Asterisk 13+
* Change pjsip regexp with sebres observation, thanks to @nturcksin
2016-06-07 11:40:35 +02:00
sebres
39366e703a
Merge branch 'master' into 0.10
...
# Conflicts:
# fail2ban/server/filter.py
2016-05-31 18:06:18 +02:00
Yaroslav Halchenko
6434661480
RF: for consistency use (?:XXX)? instead of (?:|XXX)
2016-05-30 12:12:53 -04:00
Yaroslav Halchenko
48a8324662
ENH: use non-capturing regex groups in exim-common and exim filters
2016-05-30 11:02:12 -04:00
sebres
8ec4e1189e
use raw host (don't use textToIp) if usedns exactly `raw`, because `usedns = no` should ignore no ip failures
2016-05-30 15:34:21 +02:00
Serg G. Brester
b6700f3e52
Merge pull request #1433 from yarikoptic/bf-0.10-pf-prevbeh
...
BF: maintain previous default beh for pf -- default ban type is multiport
2016-05-23 15:20:57 +02:00
Yaroslav Halchenko
9bb869b8d4
ENH: courier-smtp -- allow for trailing username (no spaces) in the logline
...
Closes #1440
2016-05-21 22:17:09 -04:00
Yaroslav Halchenko
8b8cf2a660
ENH: exim filters -- make more use of %(host_info)s which in turn made more flexible
2016-05-21 10:29:09 -04:00
Yaroslav Halchenko
743a531eb5
BF: make :port and I=[ip]:port optional for a "AUTH command used when not advertised"
...
Closes #1430
2016-05-21 10:29:01 -04:00
sebres
f62266659f
Merge branch 'master' into '0.10'
2016-05-21 13:48:00 +02:00
sebres
52377984cd
back to mandatory space, ungrouping of sub parameters in `__prefix_line` + small code review;
2016-05-19 17:57:48 +02:00
sebres
0fdc56546f
Fixed misunderstanding of port in (ban)action: port will be always specified in jail config ([DEFAULT] or jail)
2016-05-19 17:45:41 +02:00
Yaroslav Halchenko
1ebc3facb1
BF: maintain previous default beh for pf -- ban a port (ssh) only
2016-05-19 17:14:33 +02:00
sebres
4cdca8c258
amend-merge for pull request #1429 from sebres/0.10-freebsd-fix-pf
...
actiontype for PF action (all- and multi port)
2016-05-19 14:52:10 +02:00
sebres
4d51c591c1
pf.conf: warranted consistently echoing for the pf actiontype if actiontype or multiport tags will be customized;
2016-05-19 14:50:41 +02:00
Serg G. Brester
01d9a41ba1
Merge pull request #1429 from koeppea/0.10-freebsd-fix-pf
...
actiontype for PF action (all- and multi port)
2016-05-18 11:12:31 +02:00
Alexander Koeppe
b5e031f3c3
some documentation for multiport use in pf.conf
2016-05-17 21:32:21 +02:00
sebres
1e7fd26f5f
rename `actionoptions` to `actiontype` in pf-action (multiport) + fixed test cases
2016-05-17 20:51:12 +02:00
sebres
25af11215b
test case for generic common moved to `./fail2ban/tests/config/filter.d/zzz-generic-example.conf` to prevent shipping it with fail2ban installations
2016-05-17 20:08:46 +02:00
Alexander Koeppe
e74047ae49
revert to common config for PF covering multi and allports
2016-05-17 18:19:40 +02:00
Alexander Koeppe
3e1328c83b
split PF config files between all- and multi port
2016-05-17 18:19:27 +02:00
sebres
cb4f9be8b2
the date brackets removed from filters using `__prefix_line`, because `__prefix_line` already contains the date ambit;
2016-05-17 11:55:02 +02:00
sebres
de813acf51
extends generic `__prefix_line` with optional brackets for the date ambit (gh-1421), added new parameter `__date_ambit` + test case added;
2016-05-17 11:54:43 +02:00
Alexander Koeppe
975608dfb6
no hardcoded python interpreter path
2016-05-15 21:08:32 +02:00
sebres
0c44ecfc77
action.d/firewallcmd-ipset.conf: different name of the match set's for IPv4/IPv6, using conditional <ipmset>, analog to the iptables-ipset;
...
test cases for 3 firewallcmd extended;
2016-05-14 15:01:35 +02:00
TorontoMedia
ffebde68e0
Update firewallcmd-multiport.conf
2016-05-13 22:38:36 -04:00
TorontoMedia
07de83e04a
Update firewallcmd-common.conf
2016-05-13 22:38:10 -04:00
TorontoMedia
810d5996b5
Update firewallcmd-rich-logging.conf
2016-05-13 22:10:25 -04:00
TorontoMedia
7e54cee8d6
updated firewallcmd actions
2016-05-13 21:36:27 -04:00
sebres
3e49522b7a
fixes unexpected extra regex-space in generic `__prefix_line` (gh-1405, misleadingly committed in d2a9537568
);
...
all optional spaces normalized in generic include `common.conf` + test cases are extended (using new example pseudo-filter and test log `zzz-generic-example`);
2016-05-13 20:26:37 +02:00
sebres
bdc2d07946
fix suhosin_log in common paths - log files should be separated using "\n":
...
prevents to throw an error "File option must be 'head' or 'tail'", if jail suhosin will be enabled.
2016-05-11 18:49:04 +02:00
sebres
504e5ba6f2
actions support IPv6 now:
...
- introduced "conditional" sections, see for example `[Init?family=inet6]`;
- iptables-common and other iptables config(s) made IPv6 capable;
- several small code optimizations;
* all test cases passed (py3.x compatible);
2016-05-11 16:54:28 +02:00
sebres
75028585c0
test cases extended for verifying ipv4/ipv6, normalized pf-action with test case
2016-05-11 16:54:25 +02:00
Alexander Koeppe
ed2f3ef77d
improve PF action and make IPv6 aware
2016-05-11 16:54:22 +02:00
sebres
25d6cf8dd2
fix suhosin_log in common paths - log files should be separated using "\n":
...
prevents to throw an error "File option must be 'head' or 'tail'", if jail suhosin will be enabled.
2016-05-11 16:54:11 +02:00
sebres
8cb4a3f59e
move DNTUtils, IPAddr related code to dedicated source file ipdns.py (also resolves some cyclic import references)
2016-05-09 17:06:25 +02:00
Alexander Koeppe
db9f3f738f
add ip6-loopback to default ignoreip statement
2016-05-09 15:32:42 +02:00
sebres
05f38285f1
Merge remote-tracking branch 'remotes/gh-upstream/master' into f2b-perfom-prepare-716
2016-05-02 15:40:05 +02:00
jungle-boogie
d889918f19
update doc url
...
direct to confluence page. no code changes.
2016-04-24 21:35:18 -07:00
Yaroslav Halchenko
aa303acfd6
Merge pull request #1381 from theDogOfPavlov/patch-3
...
Tightened up exim regexes to catch rDNS entries
2016-04-23 18:27:38 -04:00
Alexandre Perrin
7712310d2d
Be more backward compatible on matching postfix/smtps/smtpd
...
Support trailing smtps also and not only smtpd.
suggested by @sebres
2016-04-14 13:54:58 +02:00
Alexandre Perrin
1a299409e5
Fix postfix/smtps/smtpd matching.
2016-04-14 12:10:58 +02:00
theDogOfPavlov
1eb51b1bc2
Tightened up regexes to catch rDNS entries
2016-04-01 18:07:01 +01:00
Yaroslav Halchenko
db2dd070ad
Merge pull request #1356 from opoplawski/bug-1354
...
Fedora use mariadb by default, fix log path
2016-03-31 22:11:10 -04:00
Serg G. Brester
b9b7ecbf6b
Merge pull request #1357 from sebres/monit-new-fltr
...
monit filter fixup for the new version (gh-1355)
2016-03-26 11:39:26 +01:00
TorontoMedia
3d239215cd
Two new firewalld actions with rich rules for firewalld-0.3.1+ (gh-1367)
...
closes #1367
2016-03-25 17:28:30 +01:00
sebres
ac27c9cb96
Merge branch 'patch-2' (gh-1371)
2016-03-25 17:05:23 +01:00
Serg G. Brester
0effe76971
Merge pull request #1370 from theDogOfPavlov/patch-1
...
Added regex for LDAP authentication failures
2016-03-25 15:30:39 +01:00
jblachly
e9202fa0b2
Placed failure (illumos) at end of regex
2016-03-24 00:43:15 -04:00
theDogOfPavlov
fe1475be95
Additional exim regexes to cover common attacks...
2016-03-21 05:59:59 +00:00
theDogOfPavlov
cf2aa9c1c0
Added regex for LDAP authentication failures
2016-03-21 05:53:23 +00:00
jblachly
25c2334bc8
SmartOS PAM Authentication failed (not failURE)
...
SmartOS (and likely other Illumos platforms) enter log entries for failed sshd logins of the form:
`Authentication failed for USER from HOST`
The current sshd.conf regex matches `failure` -- add to this a match for `failed` to support Illumos
2016-03-16 13:52:01 -04:00
Johannes Weberhofer
bd25a43417
define journalmatch setting for pure-ftps
2016-03-11 18:19:53 +01:00
Orion Poplawski
f3f813a925
- mysqld does not log login attempts to the journal.
...
- Add /var/log/mysqld.log to mysql_log
2016-03-09 13:52:50 -07:00
sebres
37c9075fad
fixed monit filter: failregex find now both previous and new versions:
...
- failregex of previous monit version merged as single expression;
- extended failregex with new monit "access denied" version;
2016-03-09 20:06:14 +01:00
Orion Poplawski
dfc65018da
Fedora use mariadb by default, fix log path
2016-03-09 11:36:06 -07:00
sebres
d7e7b52013
Merge remote-tracking branch 'remotes/gh-upstream/master' into f2b-perfom-prepare-716
2016-03-07 19:11:36 +01:00
Yaroslav Halchenko
385b50e4a9
Merge pull request #1343 from denics/master
...
adding wp-admin to bot search
2016-03-07 10:23:37 -05:00
Denix
ed0e572bfc
added wp-admin
...
bot are very annoying and I am getting a lot of checks on wp-admin. This should calm them.
2016-03-02 16:52:03 +01:00
Yaroslav Halchenko
6ffbc1ffad
ENH: revert back to having detailed suffix anchored at the end for mysqld-auto.conf
...
As discussed in https://github.com/fail2ban/fail2ban/pull/1333#discussion_r54100127
2016-02-28 12:07:46 -05:00
Yaroslav Halchenko
3e31145c33
Merge pull request #1331 from whyscream/postfix-multi-instance-support
...
Add support for matching postfix multi-instance daemon names by default
2016-02-28 12:00:24 -05:00
sebres
667785b608
mysqld: failregex fixed (accepts different log level, more secure expression now);
...
closes #1332
2016-02-24 17:17:51 +01:00
Tom Hendrikx
6c606cf98f
Add support for matching postfix multi-instance daemon names by default
2016-02-23 20:23:04 +01:00
Yaroslav Halchenko
905c87ca4a
Merge pull request #1310 from yarikoptic/pr-1288
...
NF: HAProxy HTTP Auth filter
2016-02-11 08:35:48 -05:00
sebres
d8e81eb417
regexp rewritten (few vulnerable as previous) + test case added
2016-02-08 12:01:25 +01:00
3eBoP
257b7049d8
Update asterisk filter: changed regex for "Call from ...". Sometimes extension can have a plus symbol (+) because they can be phone number.
...
Closes #1309
2016-02-08 11:51:37 +01:00
Pierre GINDRAUD
b5a07741c8
Add new regex into postfix filter. The new regexp is able to detect bad formatted SMTP EHLO command
2016-02-08 11:11:59 +01:00
Yaroslav Halchenko
3f437b32db
Merge remote-tracking branch 'pr/1288/head'
...
* pr/1288/head:
Update haproxy-http-auth.conf
Added HAProxy HTTP Auth filter
Conflicts:
config/jail.conf - resolved + removed unnecessary filter/enabled (defaults should be as good)
2016-01-28 08:51:45 -05:00
Yaroslav Halchenko
377ea32441
Merge pull request #1295 from obounaim/master
...
The sender option is ignored by some actions
2016-01-28 08:48:22 -05:00
Serg G. Brester
fe14c8fa05
Merge pull request #1292 from albel727/master
...
Add nftables actions
2016-01-24 23:55:50 +01:00
Jordan Moeser
d7b46509d8
Update haproxy-http-auth.conf
...
Updated failregex to be more strict
2016-01-12 08:37:33 +10:00
local
40c0bed82c
action_mw, action_mwl, action_cf_mwl ignore the "sender" option when sending a notification email.
...
This commit adds "sender="%(sender)s"" to the three actions to correct this issue.
2016-01-10 00:05:03 +01:00
Yaroslav Halchenko
5d0d96a5cb
Merge pull request #1286 from yarikoptic/enh-jail
...
ENH: harmonize jail.conf + 1 more test that passed bantime is non-degenerate and int
2016-01-08 08:51:08 -05:00
Alexander Belykh
985e8938a4
Refactor nftables actionstop into smaller parts
2016-01-06 17:39:54 +06:00
Alexander Belykh
9779eeb986
Add nftables_type/family/table parameters
2016-01-06 17:33:14 +06:00
Alexander Belykh
260c30535d
Escape curly braces in nftables actions
2016-01-06 17:13:30 +06:00
Alexander Belykh
1983e15580
Add empty line between parameters in nftables-common.conf
2016-01-06 16:55:29 +06:00
Alexander Belykh
f7f91a8bd4
Refactor common code out of nftables-multiport/allports.conf
2016-01-05 19:03:47 +06:00
sebres
69f5623f83
code simplifying (remove duplication): agent will be always supplied as parameter from jail.conf
2016-01-04 09:30:32 +01:00
Alexander Belykh
618e97bce8
Add nftables actions
2016-01-04 01:36:28 +06:00
sebres
ac31121432
amend to fix fail2ban-version: correct user-agent for badips.py "Fail2Ban/ver", changeable within jail/config now;
2015-12-31 02:32:17 +01:00
Jordan Moeser
e133762a28
Added HAProxy HTTP Auth filter
2015-12-31 11:16:23 +10:00
sebres
cf334421bd
Provides fail2ban version to jail (as interpolation variable during parse of jail.conf);
...
BF: use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc. (closes #1271 , closes #1272 )
2015-12-31 01:38:25 +01:00
Yaroslav Halchenko
28c9832293
RF: harmonize jail.conf (no explicit enabled=false in jails, match filter name for screesharingd, etc)
2015-12-29 19:43:52 -05:00
Yaroslav Halchenko
69aa1feac0
Merge "Mac OS Screen Sharing filter" PR 1232
...
* pr/1232/head:
removed system.log
Removed old svn revision comment
removed false matches
Removed includes comment for screensharing jail
Now using a literal logpath for screensharing jail
Fixed blatant typo in regex
clarified comments on sample log format
Fixed name (again?)
Made screensharing jail off by default
Changed regex prequel
added entry for new screensharingd filter
name change & new sample data
Added json metadata
Sample log for test case
Replaced .* with literal
Update jail.conf
Added new path variable for system.log
Added in settings for screensharingd filter
Created file
Conflicts:
ChangeLog - moved to New Features
config/jail.conf - kept at the end
2015-12-29 19:36:59 -05:00
sebres
d22b2498d4
normalizing time config entries: use time abbreviation (str2seconds) for all time options such 'dbpurgeage', 'bantime', 'findtime', ex.: default '1d' instead '86400';
...
code review and test case extended;
2015-12-29 12:49:10 +01:00
Yaroslav Halchenko
26dd6d7425
Merge pull request #1258 from aleksandrs-ledovskis/feature/postfix-domain-not-found-failregex
...
Add 'Sender address rejected: Domain not found' Postfix failregex
2015-12-18 09:23:54 -05:00
Ross Brown
8d12dba245
Merge remote-tracking branch 'upstream/master'
2015-12-17 18:01:17 +00:00
Ross Brown
ead2d509dc
Updated 'murmur' filter to use new double-anchored regex based on @yarikoptic's suggestions.
2015-12-17 17:45:24 +00:00
Yaroslav Halchenko
5d6cead996
ENH: sshd filter -- match new "maximum auth attempts exceeded" ( Closes #1269 )
2015-12-13 23:21:04 -05:00