github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity
2,603 Commits
33 Branches
229 Tags
18 MiB
Commit Graph

434 Commits (f04bae13667da0dd6f8edd4ec8e71c6327e653f9)

Author SHA1 Message Date
Daniel Black 77fda9498c ENH: pull asterisk filter change to support syslog from 0.9 branch 2014-03-14 23:15:46 +11:00
Daniel Black 853bed8e4f ENH: more sendmail-reject filter items thanks to fab23 2014-03-02 14:04:27 +11:00
Daniel Black c10cc20928 ENH: rename sendmail-spam to sendmail-reject 2014-02-28 08:41:04 +11:00
Daniel Black d34569fb8d BF: email address as arg1 in sendmail filters 2014-02-27 11:38:23 +11:00
Daniel Black 72c84fe9b0 ENH: wider regex for RBL and sendmail-spam 2014-02-27 10:02:34 +11:00
Daniel Black 3d776afbb0 ENH: add filter for sendmail-{auth,spam}. Closes gh-20 2014-02-26 19:16:49 +11:00
Steven Hiscocks 9928f1df96 ENH: Allow 255.255.255.0 style mask for ignoreip 2014-02-19 17:51:08 +00:00
Ivo Truxa f6ccd8878d date fix 
sorry, need to get some glasses
 2014-02-03 23:27:19 +01:00
Ivo Truxa 110b8e6905 ENH: Nagios filter 
Sample log entry from /var/log/messages for a denied access to the nrpe2 (Nagios Remote Plugin Executor) daemon
 2014-02-03 21:39:52 +01:00
Daniel Black 273b2f45a3 MRG: remove the "no auth attempts" as per aseques gh-600 2014-01-29 20:43:51 +11:00
Daniel Black 9b614ce486 ENH: dovecot filter enhancements 2014-01-29 20:27:45 +11:00
Joan 9c6aab37d6 As suggested by @grooverdan, grouping the tests and making them false to avoid accidentally reenabling them in the future 2014-01-29 08:32:14 +01:00
Joan aaa86cd10f As suggested by @grooverdan, grouping the tests and making them false to avoid accidentally reenabling them in the future 2014-01-29 08:31:29 +01:00
Joan 08171ba52f Removed the -no auth attempts- from the triggers because of lots of FP 2014-01-28 12:44:46 +01:00
Daniel Black 657da2041c BF: dovecot filters, session characters and order of session/tls in log messages 2014-01-15 08:02:47 +11:00
Ivo Truxa 4765bc757c BF Dovecot auth failures 
I am sorry, I installed the Win GIT, but still did not learn how to work with it, so am posting here again. This time, I'll avoid posting two pull requests, so please fix the dovecot.filter for me, if you don't mind.

This current filter does not match authentication errors in my Dovecot logs (two different lines attached). First of all the session string is at the end (after the optional TLS string), and not before it as it is now in the filter. I don't see it anywhere in the other logs here in the opposite order, hence I assume it is the rule for all installations. And then, the session ID can include also other characters than those matched by \w+ (i.e. the slash and the plus signs in my case), hence it needs to be \S+ instead. Personally, I'd do the regex much less restrictive than it is, but if I follow the current logics, the following form works:

<pre>^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use disabled \S+ auth)\):( user=&lt;\S*&gt;,)?( method=\S+,)? rip=&lt;HO
ST&gt;, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?(, session=&lt;\S+&gt;)?\s*$</pre>
 2014-01-14 17:59:40 +01:00
Daniel Black 01e5ae1234 Merge pull request #584 from grooverdan/exim-auth 
ENH: Exim auth
 2014-01-13 02:20:47 -08:00
Daniel Black 353b84a648 Merge branch 'patch-4' of https://github.com/truxoft/fail2ban into exim-auth 2014-01-13 19:25:46 +11:00
Ivo Truxa 9f107403e8 Update exim 
When using Dovecot authentication for Exim, which is relatively common, the current regex for catching authentication failures needs a small tweak. The current plain|login options are too limiting and will only work in the cases when only the Exim's rudimentary built-in authentication is used. There can be not only the dovecot_login shown in this log example, but also dovecot_plain, ntlm, cram, cyrus, md5, and plenty of others. In fact many admins may opt for their own authentication labels, when setting up Exim. For this reason the regex should catch any label. I suggest modifying the regex in the following way:

<pre>^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$</pre>
 2014-01-13 01:18:09 +01:00
Daniel Black 6b0e6b9bca ENH: add improper command pipelining postfix filter 2014-01-13 06:59:59 +11:00
Tomas Pihl b52a4441fd Support ACL-events without AccountID. Typically happens when a registration 
from an unknown domain is performed.

Add credits
 2014-01-12 01:28:55 +01:00
Daniel Black 928f566d19 Merge pull request #576 from kwirk/ejabberd-filter 
ENH: ejabberd filter
 2014-01-09 14:52:18 -08:00
Steven Hiscocks 128112d51c ENH: ejabberd filter 2014-01-09 22:47:17 +00:00
Daniel Black cd5aab5ff1 TST: for tag substition, multiple on same line 2014-01-10 09:20:56 +11:00
Daniel Black 755af0a51e Merge pull request #562 from grooverdan/jail.conf-complete_and_correct 
ENH: Jail.conf now has all filters and TST: a mechanism to test this is truee
 2014-01-06 12:08:45 -08:00
Daniel Black 50eab4df81 ENH: add filter groupoffice. Closes gh-566 2014-01-06 21:56:22 +11:00
Daniel Black a8e0498389 BF: add expression for ssh filter for code 3: SSH2_DISCONNECT_KEY_EXCHANGE_FAILED. closes gh-289 2014-01-05 21:26:26 +11:00
Daniel Black c700910155 TST: ensure stock jail has all filters 2014-01-05 21:06:30 +11:00
Daniel Black 23f0b854da MRG: merge in freeswitch 2014-01-04 12:24:40 +11:00
Daniel Black 69b3a1cf64 BF: catchin DEBUG messages will result in duplicates 2014-01-04 12:10:51 +11:00
Daniel Black 36533de6bc ENH: more filter expressions for freeswitch. Anchored existing one at end too 2014-01-04 08:21:22 +11:00
Daniel Black 04d28fd2e1 ENH: add filter freeswitch - as raised on mailing list 2014-01-03 13:00:37 +11:00
Daniel Black 83f3aeb308 ENH: filter for horde 2014-01-02 23:12:36 +11:00
Daniel Black e2faa312c1 TST: test case for horde 2014-01-02 23:11:39 +11:00
Daniel Black 856407379b ENH: add filter openwebmail. Closes gh-543. 2013-12-31 08:09:00 +11:00
Daniel Black 3d79e1612b MRG: test cases on exim-spam 2013-12-29 21:38:00 +00:00
Ivo Truxa d2658e063c Update exim-spam 
An example with no valid FROM email address and host without reverse DNS record
 2013-12-29 22:33:08 +01:00
Ivo Truxa bb88cfaddb Update exim-spam 
attached sample Exim log line to demonstrate a silently tossed message as described at https://github.com/fail2ban/fail2ban/issues/533
 2013-12-29 18:53:04 +01:00
Daniel Black 6666f41ee6 ENH: apache modsecurity filter 2013-12-29 06:59:47 +00:00
Yaroslav Halchenko c6a7bc2221 BF(2.4): remove use of "with" for python 2.4 for now (since we list it as supported) 2013-12-27 01:54:54 -05:00
Yaroslav Halchenko 952de51cf1 ENH: per original discussion, and changes which followed, better not to ignore absent failregex -- all filters (but included common) should have it 2013-12-27 01:47:15 -05:00
Yaroslav Halchenko 4e165c9692 ENH: FilterReader - use the set methods (improve coverage), test getters, use os.path.join 2013-12-27 01:43:23 -05:00
Yaroslav Halchenko 0141a6dbe7 TST: add few more rudimentary tests for Regex to complete its coverage 2013-12-27 01:29:02 -05:00
bes.internal 55d76ac373 TST: add test for IgnoreCommand at server 2013-12-25 00:58:00 +03:00
bes.internal ebd89ec077 New ignorecommand that is added to the ignoreip list from output of an external program 
ignorecommand update man and fix protocol help

ENH: run ignore command only after internal list has been examined. Change interface on ignorecommand to take IP as environment variable and return true if it is to be banned

ENH: ignore IP command to take tagged command

DOC: man pages for ingorecommand

TST: add test cases for ignorecommand
 2013-12-24 23:55:35 +03:00
Daniel Black 1b7df1181f BF: apache-2.4 log format fix. Closes gh-516 2013-12-23 08:28:40 +00:00
Yaroslav Halchenko 7af58b9984 Merge branch 'apache-noscripts' of https://github.com/grooverdan/fail2ban 
* 'apache-noscripts' of https://github.com/grooverdan/fail2ban:
  ENH: apache-noscript now matched php-cgi scripts. Closes gh-503

Conflicts:
	ChangeLog -- two new entries collided,  Reformatted the merged one a bit
 2013-12-22 22:28:57 -05:00
Daniel Black 7a9252bd0e TST BF: local defination 2013-12-22 12:08:10 +00:00
Daniel Black 2a67ef519c TST: missing logpath raises IOError 2013-12-22 08:43:57 +00:00
Daniel Black 2d688a5a03 TST: improve polling test case to ensure isModified only returns True once (file static) 2013-12-22 07:47:24 +00:00