date in following log line (from nginx) will be wrong detected:
2012/10/11 02:37:17 [error] 18434#0: *947 user "test" was not found in "/www/...", client: 192.168.1.5, ...
sometimes it is [correct] - 2012/10/11 (%Y/%m/%d) = 1349919861.71
sometimes it is [invalid] - 12/10/11 (%d/%m/%y) = 1349915838.06
and older as now - 1800 seconds (therefore will be not found)
solution: regular expression fixed, cause date in log used always after non symbol (\W) character, so r"\d{2}/\d{2}/\d{2}" will be r"(?<!\w)\d{2}/\d{2}/\d{2}".
* 'master' of git://github.com/fail2ban/fail2ban:
add blocking type
add example jail.conf for blocking through blackhole routes for ssh
add support for blocking through blackhole routes
Merge is done with -X ours -- since I have implemented more generic handling
for config files, including now the ones under .d/ subdirectories.
* github_kwirk_fail2ban/upstream#24:
Fix up for warning/error for inaccessible config files
Warn if config file present but unreadable
Additional changes:
ENH: make basedir for Config's a kwarg to the constructor
ENH: improved analysis/reporting on presence/accessibility of config
files. Got carried away and forgot about existing work done by
Steven Hiscocks in the gh-115 -- will merge it in the next
commit for the fair ack of his work
Now for any X.conf configuration file we have following ways to
provide customizations
X.local -- read after .conf (kept for backward compatibility)
X.d/ -- directory to contain additional .conf files, sorted
alphabetically, e.g
X.d/01_enable.conf - to enable the jail
X.d/02_custom_port.conf - to change the port
X could be a 'jail' or 'fail2ban' or any other configuration file in
fail2ban.
Mention that all files still must contain the corresponding sections
(most of the time duplicating it across all of them).
This is also not ideal, since if there happens to be some systemwide common.version -- we are doomed
but otherwise, we cannot keep extending comparison check to /bin, /sbin whatelse
* gh-yarikoptic/master:
ENH: Added login authenticator failed regexp for exim filter
DOC: Mention that logrotate configuration needs to be adjusted if logtarget is changed (Closes: #697333)
sshd filter - avoid banning on pam failures since might be too early. Close gh-106
If desired to ban on pam -- enable pam-generic filter, possibly even tuning in pam-generic.local the value for caught ttys in case of more detailed control needed
Provided example was:
Jan 18 12:47:34 host sshd[23755]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=myuser
Jan 18 12:47:34 host sshd[23755]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.123.123 user=myuser
Jan 18 12:47:34 host sshd[23755]: Accepted password for myuser from 123.123.123.123 port 50615 ssh2
Do not trigger sshd bans on pam_unix authentication failures, this will trigger on successful logins on systems that use non-pam_unix authentication (sssd, ldap, etc.).
Yaroslav Halchenko