Commit Graph

1399 Commits (ed22ddbbbb3e81117f8d4dcffcc6c5c89b56463b)

Author SHA1 Message Date
sebres 5561423be3 filter.d/sshd.conf: fixed failregex format - some parts are optional, new ddos more precise rule (Connection reset by with host entry);
closes gh-1719
2017-03-15 18:01:20 +01:00
Viktor Szépe d79267c424 Updated xarf-specification repo URL in xarf action 2017-03-14 20:47:31 +01:00
sebres 0c1707afda filter.d/sshd.conf:
- optional parameter `mode` rewritten: normal (default), ddos, extra or aggressive (combines all), see sshd for regex details);

test cases reformatted (since "filterOptions", we don't need multiple test log-files anymore);
2017-03-10 22:09:11 +01:00
sebres 7e442c5b27 filter.d/sendmail-reject.conf:
- rewritten using `prefregex` and used MLFID-related multi-line parsing (by using tag `<F-MLFID>` instead of buffering with `maxlines`);
- optional parameter `mode` introduced: normal (default), extra or aggressive (see sendmail-reject for regex details);

test cases extended
2017-03-10 21:44:19 +01:00
sebres 52ed6597b2 Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2017-03-09 16:27:14 +01:00
sebres 8768776d68 filter.d/cyrus-imap.conf: fixed `failregex` - accept entries without login-info resp. hostname before IP address 2017-03-09 16:13:45 +01:00
Serg G. Brester d042981954 Merge pull request #1655 from ajcollett/0.10
Added config for AbuseIPDB
2017-03-09 15:15:26 +01:00
Serg G. Brester b1f5ac9484 Update abuseipdb.conf 2017-03-09 13:33:11 +01:00
Serg G. Brester 62fa02241f Update jail.conf 2017-03-09 13:31:40 +01:00
sebres 6a2c95da95 `action.d/sendmail-geoip-lines.conf` fixed using new tag `<ip-host>` (dns-cache and without external command execution);
changelog updated;
2017-03-08 16:51:08 +01:00
sebres d2a3d093c6 rewritten CallingMap: performance optimized, immutable, self-referencing, template possibility (used in new ActionInfo objects);
new ActionInfo handling: saves content between actions, without interim copying (save original on demand, recoverable via reset);
test cases extended
2017-02-24 11:54:24 +01:00
sebres 35efca5941 Better multi-line handling introduced: single-line parsing with caching of needed failure information to process in further lines.
Many times faster and fewer CPU-hungry because of parsing with `maxlines=1`, so without line buffering (scrolling of the buffer-window).
Combination of tags `<F-MLFID>` and `<F-NOFAIL>` can be used now to process multi-line logs using single-line expressions:
- tag `<F-MLFID>`: used to identify resp. store failure info for groups of log-lines with the same identifier (e. g. combined failure-info for the same conn-id by `<F-MLFID>(?:conn-id)</F-MLFID>`, see sshd.conf for example)
- tag `<F-NOFAIL>`: used as mark for no-failure (helper to accumulate common failure-info);
filter.d/sshd.conf: [sshd], [sshd-ddos], [sshd-aggressive] optimized with pre-filtering using new option `prefregex` and new multi-line handling.
2017-02-22 22:19:43 +01:00
sebres 22afdbd536 Several filters optimized with pre-filtering using new option `prefregex` 2017-02-21 15:54:59 +01:00
sebres 4ff8d051f4 Introduced new filter option `prefregex` for pre-filtering using single regular expression;
Some filters extended with user name;
[filter.d/pam-generic.conf]: grave fix injection on user name to host fixed;
test-cases in testSampleRegexsFactory can now check the captured groups (using additionally fields in failJSON structure)
2017-02-20 16:54:17 +01:00
Serg G. Brester 2fa18a74c4 Merge branch 'master' into master 2017-02-17 09:06:09 +01:00
sebres 4bf09bf297 provides new tag `<ip-rev>` for PTR reversed representation of IP address;
[action.d/complain.conf] fixed using this new tag;
2017-02-16 13:38:20 +01:00
Serg G. Brester 7f63809afb Merge branch '0.10' into patch-1 2017-02-15 20:33:36 +01:00
Christoph Theis 861ce4177c #1689: Make lowest rule number in action.d/bsd-ipfw.conf configurable 2017-02-14 18:31:42 +01:00
Felix Yan 68d829c1dd
Add a path configuration for Arch Linux 2017-02-14 18:43:01 +08:00
Jan Grewe 58c68b75f0 Remove double-quotes from email addresses 2017-02-08 14:16:13 +01:00
Jan Grewe 1bcf0de7c1 Update complain.conf 2017-02-07 21:39:46 +01:00
Filippo Tessarotto 607568f5da Postfix RBL: 554 & SMTP 2017-02-07 15:26:06 +01:00
Jan Grewe 901eeff53d Make Abusix lookup compatible with Dash 2017-02-06 22:04:36 +01:00
sebres 1823571e0f Merge branch 'ssh-filter-new-regexp' into 0.10 2017-01-23 08:58:43 +01:00
sebres 9d06f0ee40 sshd-amend: optional space after port part 2017-01-23 08:56:47 +01:00
sebres e8a1556562 Merge remote-tracking branch 'master' into 0.10
# Conflicts:
#	fail2ban/tests/samplestestcase.py
2017-01-21 16:59:41 +01:00
sebres 54a8c681ce suhosin.conf: removed greedy match 2017-01-21 16:26:07 +01:00
sebres 8aa9516d50 sshd.conf: fixed expression "received disconnect ... auth fail" - optional space after port part (gh-1652) 2017-01-21 16:18:03 +01:00
sebres 3276bd6d54 sshd: additionally aggressive filter rules - no matching cipher resp. no matching key exchange method (gh-1545, gh-1117) 2017-01-21 15:57:05 +01:00
sebres 628789f9a9 sshd: conditional parameter "mode" for sshd jail (normal, ddos, aggressive)
filter sshd-ddos and new filter sshd-aggressive are both derivation of sshd-filter
2017-01-21 15:54:49 +01:00
sebres dd373dba9f test all config-regexp, that contains greedy catch-all before <HOST>, that is hard-anchored at end or precise sub expression after <HOST>;
new ssh rule(s) added:
- Connection reset by peer (multi-line rule during authorization process);
- No supported authentication methods available;
Single line and multi-line expression optimized, added optional prefixes and suffix (logged from several ssh versions);
closes gh-864
2017-01-21 15:53:48 +01:00
Christian Brandlehner a4d8426401 Support for IBM Domino SMTP task (#1603)
filter.d/domino-smtp.conf
2017-01-20 08:44:20 +01:00
Serg G. Brester 40f294e6bf Merge pull request #1663 from jjeziorny/netscaler-action
Introduced citrix netscaler action
2017-01-19 16:25:23 +01:00
Juliano Jeziorny 1fe554dd25 Introduced Citrix Netscaler action 2017-01-19 14:30:25 +01:00
Christoph Theis 6187431629 #1667: Wrong paths for apache and nginx under FreeBSD 2017-01-17 11:48:25 +01:00
sebres 74a6afadd5 Mail-actions switched to use new option "norestored" instead of checking of variable `restored` during shell execution (prevents executing of such actions at all). 2017-01-16 09:40:48 +01:00
sebres ee3c787cc6 Recognize restored (from database) tickets after restart (tell action restored state of the ticket);
Prevent executing of several actions (e.g. mail, send-mail etc) on restart (bans were already notified).
Test cases extended (smtp and by restart in ServerReloadTest).
Closes gh-1141
Closes gh-921
2017-01-13 19:06:17 +01:00
sebres 7019640eb3 Merge branch 'fix-gh-1658' into 0.10 2017-01-10 12:59:51 +01:00
sebres a9523aefbb sshd.conf: fixed non-anchored part of regex (misleading match of colon inside IPv6 address instead of `: ` in the reason-part by missing space). 2017-01-10 12:58:44 +01:00
sebres c9f32f75e6 Merge branch '0.9-fix-regex-using-journal' into 0.10-fix-regex-using-journal (merge point against 0.9 after back-porting gh-1660 from 0.10) 2017-01-10 11:25:41 +01:00
Andrew James Collett 3991f51f30 Update jail.conf
Sigh, added a space back that I somehow missed in Vim, despite it being a rebase...
2017-01-08 09:45:35 +02:00
Andrew James Collett 10d61e0779 Fixed the spaces again 2017-01-08 09:42:15 +02:00
Andrew James Collett b35391e768 Update jail.conf
Fixing spacing
2017-01-08 09:30:00 +02:00
Andrew James Collett 1c41390f7c Restructured the way the catagories work.
Jail.conf is cleaner and abuseipdb.conf is more flexible.
2017-01-08 09:26:11 +02:00
Andrew James Collett 55e107310f Added config for AbuseIPDB, ony tested on Ubuntu 16.04 2017-01-07 14:24:54 +02:00
Viktor Szépe 81c1810f10 Introduce Cloudflare API v4
In the cloudflare action everyone is suggested to use API v4.
And I don't dare to contribute any actual change.
2016-12-31 21:30:57 +01:00
benrubson cc311b56f3 Apache URIs can contain spaces 2016-12-23 22:57:24 +01:00
roedie 3adc16d266 Shorewall IPv6 suggested changes.
Change files as suggested by sebres.
2016-12-12 20:53:58 +01:00
Yaroslav Halchenko 31a1560eaa minor typos (thanks Vincent Lefevre, Debian #847785) 2016-12-11 15:13:11 -05:00
roedie 6e18508a07 Add shorewall IPv6 support
Small patch which allow fail2ban to use shorewall for IPv6 bans.
2016-12-11 20:44:54 +01:00
sebres 45f1d811c9 Merge branch 'alex1702-1586' 2016-11-28 18:54:02 +01:00
sebres 67c14afd8e ChangeLog entry added + jail.conf review 2016-11-28 18:51:23 +01:00
sebres 425170cef3 code review, makes the test cases workable, added dev-notes 2016-11-28 18:39:07 +01:00
sebres 931eab84b5 `filter.d/apache-modsecurity.conf`
- fixed for newer version (one space, closes gh-1626)
reviewed and optimized:
  - non-greedy catch-all replaced for safer match
  - unneeded catch-all anchoring removed
  - non-capturing groups
2016-11-28 11:28:27 +01:00
sebres 40cbe96352 Merge remote-tracking branch 0.10 into _0.10/fix-datedetector-grave-fix-v2 2016-11-28 11:03:11 +01:00
sebres 5678d08a79 filter.d/dovecot.conf update:
- fixes failregex, that ignores failures through some irrelevant info (closes #1623);
- ignores whole additionally irrelevant info in anchored regex before fixed failure data `\((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\)`
- review, IPv6 compatibility fix, non-capturing groups
2016-11-26 16:50:37 +01:00
sebres a2af19c9f0 fixed several actions, that could not work with jails using multiple logpath; additionally repaired execution in default shell (bad substitution by `${x//...}` executing in `/bin/sh`);
added helper "action.d/helpers-common.conf", and `_grep_logs` part-command for actions needed grep logs from multiple log-files
test cases: executing of some complex actions covered
2016-11-25 19:27:26 +01:00
Serg G. Brester 4f5389fee5 Update jail.conf 2016-11-24 19:30:10 +01:00
Johannes Weberhofer f46ada023e Use Fedora's backend-settings for openSUSE
Those settings are ok for newer openSUSE versions
2016-11-22 09:03:54 +01:00
sebres b5433f48b7 amend after code review of merge gh-1581 2016-11-11 11:09:46 +01:00
sebres bee6e7376b Merge branch 'aclindsa:master' 2016-11-11 10:58:40 +01:00
sebres ea4c1f6356 Merge branch 'master' into 0.10 2016-11-11 10:29:45 +01:00
sebres dab5f56609 Merge branch 'fix-gh-1477' 2016-11-11 10:17:07 +01:00
Alex 8ac28e5dcb Make changes and add test file 2016-11-10 13:09:32 +01:00
Alex 8c40766511 Add Mongodb-auth filter and jail 2016-11-10 12:48:24 +01:00
sebres faee5f1fdc better caching (thereby better performance), better recognition of similar regex 2016-10-17 11:20:30 +02:00
sebres ae7297e16b more precise date template handling (WARNING: this commit creates possible incompatibilities):
- datedetector rewritten more strict as earlier;
  - default templates can be specified exacter using prefix/suffix syntax (via `datepattern`);
  - more as one date pattern can be specified using option `datepattern` now (new-line separated);
  - some default options like `datepattern` can be specified directly in section `[Definition]`, that avoids contrary usage of unnecessarily `[Init]` section, because of performance (each extra section costs time);
  - option `datepattern` can be specified in jail also (jails without filters);
  - if first group specified, only this will be cut out from search log-line (e. g.: `^date:[({DATE})]` will cut out only datetime match pattern, and leaves `date:[] failure ip...` for searching in filter);
  - faster match and fewer searching of appropriate templates (DateDetector.matchTime calls rarer DateTemplate.matchDate now);
  - standard filters extended with exact prefixed or anchored date templates;

template cache introduced (in opposition to default template cache, holds custom templates cached by pattern for possible common usage of same template/regex);
2016-10-17 11:20:27 +02:00
sebres ab0ac2111c added possibility to specify more precise default date pattern:
- `datepattern = {^LN-BEG}` - only line-begin anchored default patterns
     (matches date only at begin of line, or with max distance up to 2 non-alphanumeric characters from line-begin);
  - `datepattern = {*WD-BEG}` - only word-begin anchored default patterns;
  - `datepattern = ^prefix{DATE}suffix` - exact specified default patterns (using prefix and suffix);
common filter configs gets a more precise, line-begin anchored (datepattern = {^LN-BEG}) resp. custom anchoring default date-patterns;
2016-10-17 11:18:30 +02:00
sebres a7d9de8c52 [temp commit] 1st try to optimize datedetector/datetemplate functionality (fix ambiguous resp. misleading date detection if several formats used in log resp. by format switch after restart of some services):
* Misleading date patterns defined more precisely (using extended syntax %E[mdHMS]
  for exact two-digit match)
* `filter.d/freeswitch.conf`
    - Optional prefixes (server, daemon, dual time) if systemd daemon logs used (gh-1548)
    - User part rewritten to accept IPv6 resp. domain after "@" (gh-1548)
2016-10-17 11:16:20 +02:00
Aaron Lindsay 7805f9972d filter.d/sshd.conf: Match 'Invalid user' with 'port \d*' 2016-10-15 15:52:19 -04:00
sebres 84c3eb3e0e filter.d/sendmail-reject.conf: double space (should be by missing dns-host only)
Closes #1578
2016-10-15 14:53:45 +02:00
sebres c809c3e61e Merge branch 'master' into 0.10 2016-10-13 19:01:13 +02:00
Nils d08db22b92 Create npf.conf for the NPF packet filter
This file adds support for the NPF packet filter, available on NetBSD since version 6.0
2016-10-13 18:50:54 +02:00
sebres fa8184d4cc fixes deprecated DNSUtils.IsValidIP in fakegooglebot ignore command + test covered now;
Closes #1559
2016-10-05 15:01:33 +02:00
sebres ee1727ecca Merge pull request #1563 from niklasf/fix-lazy-ipv6-regex (and sebres/fix-lazy-ipv6-regex) into 0.10 2016-09-30 13:34:54 +02:00
sebres 9bf8985e2a nginx-limit-req.conf: more precise failregex (word-boundary if `<HOST>` should be non-greedy for some reasons) 2016-09-30 12:33:43 +02:00
Serg G. Brester ba9a88977f Merge pull request #1562 from sebres/_0.10/fix-stability-and-speed
0.10/fix stability and speed optimization
2016-09-30 12:14:51 +02:00
sebres 8b0f6c5413 badips test cases check availability of badips service (and skip this tests if it not available) 2016-09-30 12:03:27 +02:00
sebres 310d4e224d Merge branch master (0.9) into 0.10 2016-09-29 19:46:11 +02:00
sebres 9fb167b5e1 filter.d/vsftpd.conf: optional reason message after FAIL LOGIN, closes #1543 2016-09-09 09:20:15 +02:00
sebres c0e0cfb39d Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2016-09-01 16:23:13 +02:00
sebres 4a1d720344 filter.d/asterisk.conf: another part ` chan_sip.c:28468 handle_request_register:` in log prefix 2016-08-22 14:10:50 +02:00
sebres 2c54f90469 sshd-filter: better universal regexp, that matches more complex different injects, using conditional expressions (on username and auth-info section), see new test cases also. 2016-08-19 10:19:12 +02:00
sebres a544c5abac sshd-filter: recognized "Failed publickey for" now (gh-1477) + improved regexp (not anchored now to recognize all "Failed anything for ... from <HOST>"
ChangeLog entry added
2016-08-18 21:38:55 +02:00
sebres d71a525a85 Merge branch 'master' into 0.10 (resolve conflicts and cleaning tree points after back-porting gh-1508 0.10 -> 0.9) 2016-08-12 18:51:56 +02:00
sebres 38d53a72fd introduces new command "fail2ban-python", as automatically created symlink to python executable, where fail2ban currently installed (resp. its modules are located);
fixed pythonic filters and test scripts (running via "fail2ban-python" now);
fixed test case "testSetupInstallRoot" not for default python (also using direct call, out of virtualenv);

# Conflicts:
#	config/filter.d/ignorecommands/apache-fakegooglebot
#	fail2ban/tests/files/config/apache-auth/digest.py
#	fail2ban/tests/files/ignorecommand.py
#	fail2ban/tests/misctestcase.py
2016-08-12 17:58:37 +02:00
sebres 77f451c4a3 introduces new command "fail2ban-python", as automatically created symlink to python executable, where fail2ban currently installed (resp. its modules are located);
fixed pythonic filters and test scripts (running via "fail2ban-python" now);
fixed test case "testSetupInstallRoot" not for default python (also using direct call, out of virtualenv);
2016-08-11 18:34:18 +02:00
maksyms 9ddbd642f7 Accept no space after "failed:" (#1501)
yoh: Squashed to ease cherry-picking into 0.9

* accept no space after "failed:"

fix issue #1497

* accept no space after "failed:"

* Update postfix-sasl

* Update postfix-sasl

* Update postfix-sasl
2016-08-08 17:09:47 -04:00
maksyms 04427adb95 Accept no space after "failed:" (#1501)
yoh: Squashed to ease cherry-picking into 0.9

* accept no space after "failed:"

fix issue #1497

* accept no space after "failed:"

* Update postfix-sasl

* Update postfix-sasl

* Update postfix-sasl
2016-08-08 17:07:55 -04:00
sebres c52aaa8b78 ASSP failregex minor fixes 2016-08-08 19:06:28 +02:00
sebres 70658d7a19 Merge pull request #1494 from rhardy613/master (branch 'sebres:pr-1494') 2016-08-08 18:49:32 +02:00
rhardy613 8265e3f0f9 Fix comments
For some reasons the comment changes weren't pickup in the last commit.
This fixes it.
2016-08-05 23:25:15 -04:00
rhardy613 66fe5a77ce Fix ASSP filter to work with both ASSP V1 and V2
ASSP V1 development stopped at the end of 2014 and it is now deprecated.
All users were urged to upgrade to ASSP V2 which is still actively
developed.
fail2ban 0.9.5 (and trunk) still have code which only understands ASSP
V1 logs.
This means the filter ignores brute force attacks against ASSP. This fix
adds V2 support.
2016-08-05 23:18:51 -04:00
rhardy613 890a3dcbb9 Fix ASSP filter to work with current release of ASSP
ASSP V1 development stopped at the end of 2014 and it is now deprecated.
All users were urged to upgrade to ASSP V2 which is still actively
developed. For some reason fail2ban 0.9.5 (and trunk) still have code
which only understands ASSP V1 logs. This means the filter ignores brute
force attacks against ASSP.
Now updated with anchored patterns tested against 6 months of log data.
2016-08-05 17:26:47 -04:00
Yaroslav Halchenko c0994b0c6c DOC: minor typo (thanks John Bernard) Closes #1496 2016-08-04 10:23:05 -04:00
sebres 0eea362aa0 Merge branch 'master' into 0.10 2016-08-01 15:10:52 +02:00
rhardy613 f73746d846 Fix ASSP filter to work with current release of ASSP
ASSP V1 development stopped at the end of 2014 and it is now deprecated.
All users were urged to upgrade to ASSP V2 which is still actively
developed. For some reason fail2ban 0.9.5 (and trunk) still have code
which only understands ASSP V1 logs. This means the filter ignores brute
force attacks against ASSP.
2016-07-31 13:50:52 -04:00
Yaroslav Halchenko 28a0605f69 Merge pull request #1478 from gips0n/master
adding openldap slapd filter
2016-07-14 08:30:42 -04:00
Andrii Melnyk 7433b353ee another variant of regex 2016-07-14 10:19:21 +03:00
Andrii Melnyk 7c5828dd2a add trailing anchor to failregex 2016-07-13 21:09:42 +03:00
sebres 683f8fc56c Merge branch 'master' into 0.10 2016-07-13 19:41:46 +02:00
Andrii Melnyk 48c094f612 improved failregex according to @sebres recomendations 2016-07-08 13:45:10 +03:00
sebres f5f204ca7c Improved changes of gh-1458:
`[^']*` after callid was wrong, changed to `[^\)]*`;
  regexp anchored at the end;
  almost the same regex grouped to one;

Closes #1458
2016-07-08 11:45:25 +02:00
nturcksin 72a157b8f2 Improve PJSIP log support for asterisk 13+ with different callID (Squash gh-1458)
Change the asterisk pjsip filter to don't take the callId part
Add optional part between "Request" and "from"
Listed all log message from asterisk
2016-07-08 11:45:22 +02:00
Andrii Melnyk dcb69b0242 * add `__prefix_line` to regex
* fix time in log file
2016-07-08 05:29:51 +03:00
Andrii Melnyk b2e3affaa0 adding openldap slapd filter 2016-07-08 04:50:57 +03:00
Yaroslav Halchenko 593b1210c0 Merge master (commit '0.9.4-79-gaf8b650') into 0.10
* commit '0.9.4-79-gaf8b650':
  badip timeout option introduced, set to 30 seconds in our test cases (#1463)
  DOC: changelog for recent exim filters tune up
  Asterisk pjsip (#1456)
  BF: finalize that sample log line for exim4
  RF: for consistency use (?:XXX)? instead of (?:|XXX)
  ENH: use non-capturing regex groups in exim-common and exim filters
  ENH: exim filters -- make more use of %(host_info)s which in turn made more flexible
  BF: make :port and I=[ip]:port optional for a "AUTH command used when not advertised"
2016-06-19 20:06:16 -04:00
Serg G. Brester af8b650a37 badip timeout option introduced, set to 30 seconds in our test cases (#1463)
cherry-picked from 0.10 (little bit modified in test_badips.py, because no --fast option in test cases)
2016-06-13 12:56:53 +02:00
sebres e39126f630 badip timeout option introduced, set to 30 seconds in our test cases 2016-06-10 13:15:46 +02:00
Yaroslav Halchenko 636a93f58b Merge pull request #1438 from yarikoptic/bf-exim
exim filters -- make wider use of host_info helper str susbstitution + fix for #1430
2016-06-07 21:35:52 -04:00
Ludovic Gasc f85fb45b29 Asterisk pjsip (#1456)
* Improve PJSIP log support for Asterisk 13+

* Update changelog: filter.d/asterisk.conf - fix security log support for PJSIP and Asterisk 13+

* Change pjsip regexp with sebres observation, thanks to @nturcksin
2016-06-07 11:40:35 +02:00
sebres 39366e703a Merge branch 'master' into 0.10
# Conflicts:
#	fail2ban/server/filter.py
2016-05-31 18:06:18 +02:00
Yaroslav Halchenko 6434661480 RF: for consistency use (?:XXX)? instead of (?:|XXX) 2016-05-30 12:12:53 -04:00
Yaroslav Halchenko 48a8324662 ENH: use non-capturing regex groups in exim-common and exim filters 2016-05-30 11:02:12 -04:00
sebres 8ec4e1189e use raw host (don't use textToIp) if usedns exactly `raw`, because `usedns = no` should ignore no ip failures 2016-05-30 15:34:21 +02:00
Serg G. Brester b6700f3e52 Merge pull request #1433 from yarikoptic/bf-0.10-pf-prevbeh
BF: maintain previous default beh for pf -- default ban type is multiport
2016-05-23 15:20:57 +02:00
Yaroslav Halchenko 9bb869b8d4 ENH: courier-smtp -- allow for trailing username (no spaces) in the logline
Closes #1440
2016-05-21 22:17:09 -04:00
Yaroslav Halchenko 8b8cf2a660 ENH: exim filters -- make more use of %(host_info)s which in turn made more flexible 2016-05-21 10:29:09 -04:00
Yaroslav Halchenko 743a531eb5 BF: make :port and I=[ip]:port optional for a "AUTH command used when not advertised"
Closes #1430
2016-05-21 10:29:01 -04:00
sebres f62266659f Merge branch 'master' into '0.10' 2016-05-21 13:48:00 +02:00
sebres 52377984cd back to mandatory space, ungrouping of sub parameters in `__prefix_line` + small code review; 2016-05-19 17:57:48 +02:00
sebres 0fdc56546f Fixed misunderstanding of port in (ban)action: port will be always specified in jail config ([DEFAULT] or jail) 2016-05-19 17:45:41 +02:00
Yaroslav Halchenko 1ebc3facb1 BF: maintain previous default beh for pf -- ban a port (ssh) only 2016-05-19 17:14:33 +02:00
sebres 4cdca8c258 amend-merge for pull request #1429 from sebres/0.10-freebsd-fix-pf
actiontype for PF action (all- and multi port)
2016-05-19 14:52:10 +02:00
sebres 4d51c591c1 pf.conf: warranted consistently echoing for the pf actiontype if actiontype or multiport tags will be customized; 2016-05-19 14:50:41 +02:00
Serg G. Brester 01d9a41ba1 Merge pull request #1429 from koeppea/0.10-freebsd-fix-pf
actiontype for PF action (all- and multi port)
2016-05-18 11:12:31 +02:00
Alexander Koeppe b5e031f3c3 some documentation for multiport use in pf.conf 2016-05-17 21:32:21 +02:00
sebres 1e7fd26f5f rename `actionoptions` to `actiontype` in pf-action (multiport) + fixed test cases 2016-05-17 20:51:12 +02:00
sebres 25af11215b test case for generic common moved to `./fail2ban/tests/config/filter.d/zzz-generic-example.conf` to prevent shipping it with fail2ban installations 2016-05-17 20:08:46 +02:00
Alexander Koeppe e74047ae49 revert to common config for PF covering multi and allports 2016-05-17 18:19:40 +02:00
Alexander Koeppe 3e1328c83b split PF config files between all- and multi port 2016-05-17 18:19:27 +02:00
sebres cb4f9be8b2 the date brackets removed from filters using `__prefix_line`, because `__prefix_line` already contains the date ambit; 2016-05-17 11:55:02 +02:00
sebres de813acf51 extends generic `__prefix_line` with optional brackets for the date ambit (gh-1421), added new parameter `__date_ambit` + test case added; 2016-05-17 11:54:43 +02:00
Alexander Koeppe 975608dfb6 no hardcoded python interpreter path 2016-05-15 21:08:32 +02:00
sebres 0c44ecfc77 action.d/firewallcmd-ipset.conf: different name of the match set's for IPv4/IPv6, using conditional <ipmset>, analog to the iptables-ipset;
test cases for 3 firewallcmd extended;
2016-05-14 15:01:35 +02:00
TorontoMedia ffebde68e0 Update firewallcmd-multiport.conf 2016-05-13 22:38:36 -04:00
TorontoMedia 07de83e04a Update firewallcmd-common.conf 2016-05-13 22:38:10 -04:00
TorontoMedia 810d5996b5 Update firewallcmd-rich-logging.conf 2016-05-13 22:10:25 -04:00
TorontoMedia 7e54cee8d6 updated firewallcmd actions 2016-05-13 21:36:27 -04:00
sebres 3e49522b7a fixes unexpected extra regex-space in generic `__prefix_line` (gh-1405, misleadingly committed in d2a9537568);
all optional spaces normalized in generic include `common.conf` + test cases are extended (using new example pseudo-filter and test log `zzz-generic-example`);
2016-05-13 20:26:37 +02:00
sebres bdc2d07946 fix suhosin_log in common paths - log files should be separated using "\n":
prevents to throw an error "File option must be 'head' or 'tail'", if jail suhosin will be enabled.
2016-05-11 18:49:04 +02:00
sebres 504e5ba6f2 actions support IPv6 now:
- introduced "conditional" sections, see for example `[Init?family=inet6]`;
  - iptables-common and other iptables config(s) made IPv6 capable;
  - several small code optimizations;
* all test cases passed (py3.x compatible);
2016-05-11 16:54:28 +02:00
sebres 75028585c0 test cases extended for verifying ipv4/ipv6, normalized pf-action with test case 2016-05-11 16:54:25 +02:00
Alexander Koeppe ed2f3ef77d improve PF action and make IPv6 aware 2016-05-11 16:54:22 +02:00
sebres 25d6cf8dd2 fix suhosin_log in common paths - log files should be separated using "\n":
prevents to throw an error "File option must be 'head' or 'tail'", if jail suhosin will be enabled.
2016-05-11 16:54:11 +02:00
sebres 8cb4a3f59e move DNTUtils, IPAddr related code to dedicated source file ipdns.py (also resolves some cyclic import references) 2016-05-09 17:06:25 +02:00
Alexander Koeppe db9f3f738f add ip6-loopback to default ignoreip statement 2016-05-09 15:32:42 +02:00
sebres 05f38285f1 Merge remote-tracking branch 'remotes/gh-upstream/master' into f2b-perfom-prepare-716 2016-05-02 15:40:05 +02:00
jungle-boogie d889918f19 update doc url
direct to confluence page. no code changes.
2016-04-24 21:35:18 -07:00
Yaroslav Halchenko aa303acfd6 Merge pull request #1381 from theDogOfPavlov/patch-3
Tightened up exim regexes to catch rDNS entries
2016-04-23 18:27:38 -04:00
Alexandre Perrin 7712310d2d Be more backward compatible on matching postfix/smtps/smtpd
Support trailing smtps also and not only smtpd.

suggested by @sebres
2016-04-14 13:54:58 +02:00
Alexandre Perrin 1a299409e5 Fix postfix/smtps/smtpd matching. 2016-04-14 12:10:58 +02:00
theDogOfPavlov 1eb51b1bc2 Tightened up regexes to catch rDNS entries 2016-04-01 18:07:01 +01:00
Yaroslav Halchenko db2dd070ad Merge pull request #1356 from opoplawski/bug-1354
Fedora use mariadb by default, fix log path
2016-03-31 22:11:10 -04:00
Serg G. Brester b9b7ecbf6b Merge pull request #1357 from sebres/monit-new-fltr
monit filter fixup for the new version (gh-1355)
2016-03-26 11:39:26 +01:00
TorontoMedia 3d239215cd Two new firewalld actions with rich rules for firewalld-0.3.1+ (gh-1367)
closes #1367
2016-03-25 17:28:30 +01:00
sebres ac27c9cb96 Merge branch 'patch-2' (gh-1371) 2016-03-25 17:05:23 +01:00
Serg G. Brester 0effe76971 Merge pull request #1370 from theDogOfPavlov/patch-1
Added regex for LDAP authentication failures
2016-03-25 15:30:39 +01:00
jblachly e9202fa0b2 Placed failure (illumos) at end of regex 2016-03-24 00:43:15 -04:00
theDogOfPavlov fe1475be95 Additional exim regexes to cover common attacks... 2016-03-21 05:59:59 +00:00
theDogOfPavlov cf2aa9c1c0 Added regex for LDAP authentication failures 2016-03-21 05:53:23 +00:00
jblachly 25c2334bc8 SmartOS PAM Authentication failed (not failURE)
SmartOS (and likely other Illumos platforms) enter log entries for failed sshd logins of the form:
`Authentication failed for USER from HOST`
The current sshd.conf regex matches `failure` -- add to this a match for `failed` to support Illumos
2016-03-16 13:52:01 -04:00
Johannes Weberhofer bd25a43417 define journalmatch setting for pure-ftps 2016-03-11 18:19:53 +01:00
Orion Poplawski f3f813a925 - mysqld does not log login attempts to the journal.
- Add /var/log/mysqld.log to mysql_log
2016-03-09 13:52:50 -07:00
sebres 37c9075fad fixed monit filter: failregex find now both previous and new versions:
- failregex of previous monit version merged as single expression;
- extended failregex with new monit "access denied" version;
2016-03-09 20:06:14 +01:00
Orion Poplawski dfc65018da Fedora use mariadb by default, fix log path 2016-03-09 11:36:06 -07:00
sebres d7e7b52013 Merge remote-tracking branch 'remotes/gh-upstream/master' into f2b-perfom-prepare-716 2016-03-07 19:11:36 +01:00
Yaroslav Halchenko 385b50e4a9 Merge pull request #1343 from denics/master
adding wp-admin to bot search
2016-03-07 10:23:37 -05:00
Denix ed0e572bfc added wp-admin
bot are very annoying and I am getting a lot of checks on wp-admin. This should calm them.
2016-03-02 16:52:03 +01:00
Yaroslav Halchenko 6ffbc1ffad ENH: revert back to having detailed suffix anchored at the end for mysqld-auto.conf
As discussed in https://github.com/fail2ban/fail2ban/pull/1333#discussion_r54100127
2016-02-28 12:07:46 -05:00
Yaroslav Halchenko 3e31145c33 Merge pull request #1331 from whyscream/postfix-multi-instance-support
Add support for matching postfix multi-instance daemon names by default
2016-02-28 12:00:24 -05:00
sebres 667785b608 mysqld: failregex fixed (accepts different log level, more secure expression now);
closes #1332
2016-02-24 17:17:51 +01:00
Tom Hendrikx 6c606cf98f Add support for matching postfix multi-instance daemon names by default 2016-02-23 20:23:04 +01:00
Yaroslav Halchenko 905c87ca4a Merge pull request #1310 from yarikoptic/pr-1288
NF: HAProxy HTTP Auth filter
2016-02-11 08:35:48 -05:00
sebres d8e81eb417 regexp rewritten (few vulnerable as previous) + test case added 2016-02-08 12:01:25 +01:00
3eBoP 257b7049d8 Update asterisk filter: changed regex for "Call from ...". Sometimes extension can have a plus symbol (+) because they can be phone number.
Closes #1309
2016-02-08 11:51:37 +01:00
Pierre GINDRAUD b5a07741c8 Add new regex into postfix filter. The new regexp is able to detect bad formatted SMTP EHLO command 2016-02-08 11:11:59 +01:00
Yaroslav Halchenko 3f437b32db Merge remote-tracking branch 'pr/1288/head'
* pr/1288/head:
  Update haproxy-http-auth.conf
  Added HAProxy HTTP Auth filter

 Conflicts:
	config/jail.conf - resolved + removed unnecessary filter/enabled (defaults should be as good)
2016-01-28 08:51:45 -05:00
Yaroslav Halchenko 377ea32441 Merge pull request #1295 from obounaim/master
The sender option is ignored by some actions
2016-01-28 08:48:22 -05:00
Serg G. Brester fe14c8fa05 Merge pull request #1292 from albel727/master
Add nftables actions
2016-01-24 23:55:50 +01:00
Jordan Moeser d7b46509d8 Update haproxy-http-auth.conf
Updated failregex to be more strict
2016-01-12 08:37:33 +10:00
local 40c0bed82c action_mw, action_mwl, action_cf_mwl ignore the "sender" option when sending a notification email.
This commit adds "sender="%(sender)s"" to the three actions to correct this issue.
2016-01-10 00:05:03 +01:00
Yaroslav Halchenko 5d0d96a5cb Merge pull request #1286 from yarikoptic/enh-jail
ENH: harmonize jail.conf + 1 more test that passed bantime is non-degenerate and int
2016-01-08 08:51:08 -05:00
Alexander Belykh 985e8938a4 Refactor nftables actionstop into smaller parts 2016-01-06 17:39:54 +06:00
Alexander Belykh 9779eeb986 Add nftables_type/family/table parameters 2016-01-06 17:33:14 +06:00
Alexander Belykh 260c30535d Escape curly braces in nftables actions 2016-01-06 17:13:30 +06:00
Alexander Belykh 1983e15580 Add empty line between parameters in nftables-common.conf 2016-01-06 16:55:29 +06:00
Alexander Belykh f7f91a8bd4 Refactor common code out of nftables-multiport/allports.conf 2016-01-05 19:03:47 +06:00
sebres 69f5623f83 code simplifying (remove duplication): agent will be always supplied as parameter from jail.conf 2016-01-04 09:30:32 +01:00
Alexander Belykh 618e97bce8 Add nftables actions 2016-01-04 01:36:28 +06:00
sebres ac31121432 amend to fix fail2ban-version: correct user-agent for badips.py "Fail2Ban/ver", changeable within jail/config now; 2015-12-31 02:32:17 +01:00
Jordan Moeser e133762a28 Added HAProxy HTTP Auth filter 2015-12-31 11:16:23 +10:00
sebres cf334421bd Provides fail2ban version to jail (as interpolation variable during parse of jail.conf);
BF: use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc. (closes #1271, closes #1272)
2015-12-31 01:38:25 +01:00
Yaroslav Halchenko 28c9832293 RF: harmonize jail.conf (no explicit enabled=false in jails, match filter name for screesharingd, etc) 2015-12-29 19:43:52 -05:00
Yaroslav Halchenko 69aa1feac0 Merge "Mac OS Screen Sharing filter" PR 1232
* pr/1232/head:
  removed system.log
  Removed old svn revision comment
  removed false matches
  Removed includes comment for screensharing jail
  Now using a literal logpath for screensharing jail
  Fixed blatant typo in regex
  clarified comments on sample log format
  Fixed name (again?)
  Made screensharing jail off by default
  Changed regex prequel
  added entry for new screensharingd filter
  name change & new sample data
  Added json metadata
  Sample log for test case
  Replaced .* with literal
  Update jail.conf
  Added new path variable for system.log
  Added in settings for screensharingd filter
  Created file

Conflicts:
	ChangeLog - moved to New Features
	config/jail.conf  - kept at the end
2015-12-29 19:36:59 -05:00
sebres d22b2498d4 normalizing time config entries: use time abbreviation (str2seconds) for all time options such 'dbpurgeage', 'bantime', 'findtime', ex.: default '1d' instead '86400';
code review and test case extended;
2015-12-29 12:49:10 +01:00
Yaroslav Halchenko 26dd6d7425 Merge pull request #1258 from aleksandrs-ledovskis/feature/postfix-domain-not-found-failregex
Add 'Sender address rejected: Domain not found' Postfix failregex
2015-12-18 09:23:54 -05:00
Ross Brown 8d12dba245 Merge remote-tracking branch 'upstream/master' 2015-12-17 18:01:17 +00:00
Ross Brown ead2d509dc Updated 'murmur' filter to use new double-anchored regex based on @yarikoptic's suggestions. 2015-12-17 17:45:24 +00:00
Yaroslav Halchenko 5d6cead996 ENH: sshd filter -- match new "maximum auth attempts exceeded" (Closes #1269) 2015-12-13 23:21:04 -05:00