310d4e224d
Merge branch master (0.9) into 0.10
2016-09-29 19:46:11 +02:00
9fb167b5e1
filter.d/vsftpd.conf: optional reason message after FAIL LOGIN, closes #1543
2016-09-09 09:20:15 +02:00
c0e0cfb39d
Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10
2016-09-01 16:23:13 +02:00
4a1d720344
filter.d/asterisk.conf: another part ` chan_sip.c:28468 handle_request_register:` in log prefix
2016-08-22 14:10:50 +02:00
2c54f90469
sshd-filter: better universal regexp, that matches more complex different injects, using conditional expressions (on username and auth-info section), see new test cases also.
2016-08-19 10:19:12 +02:00
a544c5abac
sshd-filter: recognized "Failed publickey for" now (gh-1477) + improved regexp (not anchored now to recognize all "Failed anything for ... from <HOST>"
...
ChangeLog entry added
2016-08-18 21:38:55 +02:00
18ebd9ac21
Merge branches 0.10-full and 0.10
2016-08-17 18:00:25 +02:00
d71a525a85
Merge branch 'master' into 0.10 (resolve conflicts and cleaning tree points after back-porting gh-1508 0.10 -> 0.9)
2016-08-12 18:51:56 +02:00
38d53a72fd
introduces new command "fail2ban-python", as automatically created symlink to python executable, where fail2ban currently installed (resp. its modules are located);
...
fixed pythonic filters and test scripts (running via "fail2ban-python" now);
fixed test case "testSetupInstallRoot" not for default python (also using direct call, out of virtualenv);
# Conflicts:
# config/filter.d/ignorecommands/apache-fakegooglebot
# fail2ban/tests/files/config/apache-auth/digest.py
# fail2ban/tests/files/ignorecommand.py
# fail2ban/tests/misctestcase.py
2016-08-12 17:58:37 +02:00
77f451c4a3
introduces new command "fail2ban-python", as automatically created symlink to python executable, where fail2ban currently installed (resp. its modules are located);
...
fixed pythonic filters and test scripts (running via "fail2ban-python" now);
fixed test case "testSetupInstallRoot" not for default python (also using direct call, out of virtualenv);
2016-08-11 18:34:18 +02:00
9ddbd642f7
Accept no space after "failed:" ( #1501 )
...
yoh: Squashed to ease cherry-picking into 0.9
* accept no space after "failed:"
fix issue #1497
* accept no space after "failed:"
* Update postfix-sasl
* Update postfix-sasl
* Update postfix-sasl
2016-08-08 17:09:47 -04:00
04427adb95
Accept no space after "failed:" ( #1501 )
...
yoh: Squashed to ease cherry-picking into 0.9
* accept no space after "failed:"
fix issue #1497
* accept no space after "failed:"
* Update postfix-sasl
* Update postfix-sasl
* Update postfix-sasl
2016-08-08 17:07:55 -04:00
c52aaa8b78
ASSP failregex minor fixes
2016-08-08 19:06:28 +02:00
70658d7a19
Merge pull request #1494 from rhardy613/master (branch 'sebres:pr-1494')
2016-08-08 18:49:32 +02:00
8265e3f0f9
Fix comments
...
For some reasons the comment changes weren't pickup in the last commit.
This fixes it.
2016-08-05 23:25:15 -04:00
66fe5a77ce
Fix ASSP filter to work with both ASSP V1 and V2
...
ASSP V1 development stopped at the end of 2014 and it is now deprecated.
All users were urged to upgrade to ASSP V2 which is still actively
developed.
fail2ban 0.9.5 (and trunk) still have code which only understands ASSP
V1 logs.
This means the filter ignores brute force attacks against ASSP. This fix
adds V2 support.
2016-08-05 23:18:51 -04:00
890a3dcbb9
Fix ASSP filter to work with current release of ASSP
...
ASSP V1 development stopped at the end of 2014 and it is now deprecated.
All users were urged to upgrade to ASSP V2 which is still actively
developed. For some reason fail2ban 0.9.5 (and trunk) still have code
which only understands ASSP V1 logs. This means the filter ignores brute
force attacks against ASSP.
Now updated with anchored patterns tested against 6 months of log data.
2016-08-05 17:26:47 -04:00
c0994b0c6c
DOC: minor typo (thanks John Bernard) Closes #1496
2016-08-04 10:23:05 -04:00
0eea362aa0
Merge branch 'master' into 0.10
2016-08-01 15:10:52 +02:00
f73746d846
Fix ASSP filter to work with current release of ASSP
...
ASSP V1 development stopped at the end of 2014 and it is now deprecated.
All users were urged to upgrade to ASSP V2 which is still actively
developed. For some reason fail2ban 0.9.5 (and trunk) still have code
which only understands ASSP V1 logs. This means the filter ignores brute
force attacks against ASSP.
2016-07-31 13:50:52 -04:00
922213f3d9
Merge tag '0.10.0a1' into 0.10-full
2016-07-15 10:32:42 +02:00
28a0605f69
Merge pull request #1478 from gips0n/master
...
adding openldap slapd filter
2016-07-14 08:30:42 -04:00
7433b353ee
another variant of regex
2016-07-14 10:19:21 +03:00
7c5828dd2a
add trailing anchor to failregex
2016-07-13 21:09:42 +03:00
683f8fc56c
Merge branch 'master' into 0.10
2016-07-13 19:41:46 +02:00
48c094f612
improved failregex according to @sebres recomendations
2016-07-08 13:45:10 +03:00
f5f204ca7c
Improved changes of gh-1458:
...
`[^']*` after callid was wrong, changed to `[^\)]*`;
regexp anchored at the end;
almost the same regex grouped to one;
Closes #1458
2016-07-08 11:45:25 +02:00
72a157b8f2
Improve PJSIP log support for asterisk 13+ with different callID (Squash gh-1458)
...
Change the asterisk pjsip filter to don't take the callId part
Add optional part between "Request" and "from"
Listed all log message from asterisk
2016-07-08 11:45:22 +02:00
dcb69b0242
* add `__prefix_line` to regex
...
* fix time in log file
2016-07-08 05:29:51 +03:00
b2e3affaa0
adding openldap slapd filter
2016-07-08 04:50:57 +03:00
593b1210c0
Merge master (commit '0.9.4-79-gaf8b650') into 0.10
...
* commit '0.9.4-79-gaf8b650':
badip timeout option introduced, set to 30 seconds in our test cases (#1463 )
DOC: changelog for recent exim filters tune up
Asterisk pjsip (#1456 )
BF: finalize that sample log line for exim4
RF: for consistency use (?:XXX)? instead of (?:|XXX)
ENH: use non-capturing regex groups in exim-common and exim filters
ENH: exim filters -- make more use of %(host_info)s which in turn made more flexible
BF: make :port and I=[ip]:port optional for a "AUTH command used when not advertised"
2016-06-19 20:06:16 -04:00
af8b650a37
badip timeout option introduced, set to 30 seconds in our test cases ( #1463 )
...
cherry-picked from 0.10 (little bit modified in test_badips.py, because no --fast option in test cases)
2016-06-13 12:56:53 +02:00
334bfd50ff
Merge branch '0.10' into 0.10-full
2016-06-12 15:12:50 +02:00
e39126f630
badip timeout option introduced, set to 30 seconds in our test cases
2016-06-10 13:15:46 +02:00
12ff119841
Merge branch 'ban-time-incr' into 0.10-full
2016-06-09 22:50:31 +02:00
636a93f58b
Merge pull request #1438 from yarikoptic/bf-exim
...
exim filters -- make wider use of host_info helper str susbstitution + fix for #1430
2016-06-07 21:35:52 -04:00
f85fb45b29
Asterisk pjsip ( #1456 )
...
* Improve PJSIP log support for Asterisk 13+
* Update changelog: filter.d/asterisk.conf - fix security log support for PJSIP and Asterisk 13+
* Change pjsip regexp with sebres observation, thanks to @nturcksin
2016-06-07 11:40:35 +02:00
39366e703a
Merge branch 'master' into 0.10
...
# Conflicts:
# fail2ban/server/filter.py
2016-05-31 18:06:18 +02:00
6434661480
RF: for consistency use (?:XXX)? instead of (?:|XXX)
2016-05-30 12:12:53 -04:00
48a8324662
ENH: use non-capturing regex groups in exim-common and exim filters
2016-05-30 11:02:12 -04:00
8ec4e1189e
use raw host (don't use textToIp) if usedns exactly `raw`, because `usedns = no` should ignore no ip failures
2016-05-30 15:34:21 +02:00
b6700f3e52
Merge pull request #1433 from yarikoptic/bf-0.10-pf-prevbeh
...
BF: maintain previous default beh for pf -- default ban type is multiport
2016-05-23 15:20:57 +02:00
9bb869b8d4
ENH: courier-smtp -- allow for trailing username (no spaces) in the logline
...
Closes #1440
2016-05-21 22:17:09 -04:00
8b8cf2a660
ENH: exim filters -- make more use of %(host_info)s which in turn made more flexible
2016-05-21 10:29:09 -04:00
743a531eb5
BF: make :port and I=[ip]:port optional for a "AUTH command used when not advertised"
...
Closes #1430
2016-05-21 10:29:01 -04:00
f62266659f
Merge branch 'master' into '0.10'
2016-05-21 13:48:00 +02:00
52377984cd
back to mandatory space, ungrouping of sub parameters in `__prefix_line` + small code review;
2016-05-19 17:57:48 +02:00
0fdc56546f
Fixed misunderstanding of port in (ban)action: port will be always specified in jail config ([DEFAULT] or jail)
2016-05-19 17:45:41 +02:00
1ebc3facb1
BF: maintain previous default beh for pf -- ban a port (ssh) only
2016-05-19 17:14:33 +02:00
4cdca8c258
amend-merge for pull request #1429 from sebres/0.10-freebsd-fix-pf
...
actiontype for PF action (all- and multi port)
2016-05-19 14:52:10 +02:00
4d51c591c1
pf.conf: warranted consistently echoing for the pf actiontype if actiontype or multiport tags will be customized;
2016-05-19 14:50:41 +02:00
01d9a41ba1
Merge pull request #1429 from koeppea/0.10-freebsd-fix-pf
...
actiontype for PF action (all- and multi port)
2016-05-18 11:12:31 +02:00
b5e031f3c3
some documentation for multiport use in pf.conf
2016-05-17 21:32:21 +02:00
1e7fd26f5f
rename `actionoptions` to `actiontype` in pf-action (multiport) + fixed test cases
2016-05-17 20:51:12 +02:00
25af11215b
test case for generic common moved to `./fail2ban/tests/config/filter.d/zzz-generic-example.conf` to prevent shipping it with fail2ban installations
2016-05-17 20:08:46 +02:00
e74047ae49
revert to common config for PF covering multi and allports
2016-05-17 18:19:40 +02:00
3e1328c83b
split PF config files between all- and multi port
2016-05-17 18:19:27 +02:00
cb4f9be8b2
the date brackets removed from filters using `__prefix_line`, because `__prefix_line` already contains the date ambit;
2016-05-17 11:55:02 +02:00
de813acf51
extends generic `__prefix_line` with optional brackets for the date ambit (gh-1421), added new parameter `__date_ambit` + test case added;
2016-05-17 11:54:43 +02:00
975608dfb6
no hardcoded python interpreter path
2016-05-15 21:08:32 +02:00
0c44ecfc77
action.d/firewallcmd-ipset.conf: different name of the match set's for IPv4/IPv6, using conditional <ipmset>, analog to the iptables-ipset;
...
test cases for 3 firewallcmd extended;
2016-05-14 15:01:35 +02:00
ffebde68e0
Update firewallcmd-multiport.conf
2016-05-13 22:38:36 -04:00
07de83e04a
Update firewallcmd-common.conf
2016-05-13 22:38:10 -04:00
810d5996b5
Update firewallcmd-rich-logging.conf
2016-05-13 22:10:25 -04:00
7e54cee8d6
updated firewallcmd actions
2016-05-13 21:36:27 -04:00
3e49522b7a
fixes unexpected extra regex-space in generic `__prefix_line` (gh-1405, misleadingly committed in d2a9537568);
...
all optional spaces normalized in generic include `common.conf` + test cases are extended (using new example pseudo-filter and test log `zzz-generic-example`);
2016-05-13 20:26:37 +02:00
bdc2d07946
fix suhosin_log in common paths - log files should be separated using "\n":
...
prevents to throw an error "File option must be 'head' or 'tail'", if jail suhosin will be enabled.
2016-05-11 18:49:04 +02:00
504e5ba6f2
actions support IPv6 now:
...
- introduced "conditional" sections, see for example `[Init?family=inet6]`;
- iptables-common and other iptables config(s) made IPv6 capable;
- several small code optimizations;
* all test cases passed (py3.x compatible);
2016-05-11 16:54:28 +02:00
75028585c0
test cases extended for verifying ipv4/ipv6, normalized pf-action with test case
2016-05-11 16:54:25 +02:00
ed2f3ef77d
improve PF action and make IPv6 aware
2016-05-11 16:54:22 +02:00
25d6cf8dd2
fix suhosin_log in common paths - log files should be separated using "\n":
...
prevents to throw an error "File option must be 'head' or 'tail'", if jail suhosin will be enabled.
2016-05-11 16:54:11 +02:00
8cb4a3f59e
move DNTUtils, IPAddr related code to dedicated source file ipdns.py (also resolves some cyclic import references)
2016-05-09 17:06:25 +02:00
db9f3f738f
add ip6-loopback to default ignoreip statement
2016-05-09 15:32:42 +02:00
05f38285f1
Merge remote-tracking branch 'remotes/gh-upstream/master' into f2b-perfom-prepare-716
2016-05-02 15:40:05 +02:00
d889918f19
update doc url
...
direct to confluence page. no code changes.
2016-04-24 21:35:18 -07:00
aa303acfd6
Merge pull request #1381 from theDogOfPavlov/patch-3
...
Tightened up exim regexes to catch rDNS entries
2016-04-23 18:27:38 -04:00
7712310d2d
Be more backward compatible on matching postfix/smtps/smtpd
...
Support trailing smtps also and not only smtpd.
suggested by @sebres
2016-04-14 13:54:58 +02:00
1a299409e5
Fix postfix/smtps/smtpd matching.
2016-04-14 12:10:58 +02:00
1eb51b1bc2
Tightened up regexes to catch rDNS entries
2016-04-01 18:07:01 +01:00
db2dd070ad
Merge pull request #1356 from opoplawski/bug-1354
...
Fedora use mariadb by default, fix log path
2016-03-31 22:11:10 -04:00
b9b7ecbf6b
Merge pull request #1357 from sebres/monit-new-fltr
...
monit filter fixup for the new version (gh-1355)
2016-03-26 11:39:26 +01:00
3d239215cd
Two new firewalld actions with rich rules for firewalld-0.3.1+ (gh-1367)
...
closes #1367
2016-03-25 17:28:30 +01:00
ac27c9cb96
Merge branch 'patch-2' (gh-1371)
2016-03-25 17:05:23 +01:00
0effe76971
Merge pull request #1370 from theDogOfPavlov/patch-1
...
Added regex for LDAP authentication failures
2016-03-25 15:30:39 +01:00
e9202fa0b2
Placed failure (illumos) at end of regex
2016-03-24 00:43:15 -04:00
fe1475be95
Additional exim regexes to cover common attacks...
2016-03-21 05:59:59 +00:00
cf2aa9c1c0
Added regex for LDAP authentication failures
2016-03-21 05:53:23 +00:00
25c2334bc8
SmartOS PAM Authentication failed (not failURE)
...
SmartOS (and likely other Illumos platforms) enter log entries for failed sshd logins of the form:
`Authentication failed for USER from HOST`
The current sshd.conf regex matches `failure` -- add to this a match for `failed` to support Illumos
2016-03-16 13:52:01 -04:00
bd25a43417
define journalmatch setting for pure-ftps
2016-03-11 18:19:53 +01:00
f3f813a925
- mysqld does not log login attempts to the journal.
...
- Add /var/log/mysqld.log to mysql_log
2016-03-09 13:52:50 -07:00
37c9075fad
fixed monit filter: failregex find now both previous and new versions:
...
- failregex of previous monit version merged as single expression;
- extended failregex with new monit "access denied" version;
2016-03-09 20:06:14 +01:00
dfc65018da
Fedora use mariadb by default, fix log path
2016-03-09 11:36:06 -07:00
d7e7b52013
Merge remote-tracking branch 'remotes/gh-upstream/master' into f2b-perfom-prepare-716
2016-03-07 19:11:36 +01:00
385b50e4a9
Merge pull request #1343 from denics/master
...
adding wp-admin to bot search
2016-03-07 10:23:37 -05:00
bf0adc1fdf
Merge remote-tracking branch 'f2b-perfom-prepare-716-cs' into ban-time-incr (+ conflicts resolved)
2016-03-06 15:12:48 +01:00
ed0e572bfc
added wp-admin
...
bot are very annoying and I am getting a lot of checks on wp-admin. This should calm them.
2016-03-02 16:52:03 +01:00
6ffbc1ffad
ENH: revert back to having detailed suffix anchored at the end for mysqld-auto.conf
...
As discussed in https://github.com/fail2ban/fail2ban/pull/1333#discussion_r54100127
2016-02-28 12:07:46 -05:00
3e31145c33
Merge pull request #1331 from whyscream/postfix-multi-instance-support
...
Add support for matching postfix multi-instance daemon names by default
2016-02-28 12:00:24 -05:00
667785b608
mysqld: failregex fixed (accepts different log level, more secure expression now);
...
closes #1332
2016-02-24 17:17:51 +01:00
6c606cf98f
Add support for matching postfix multi-instance daemon names by default
2016-02-23 20:23:04 +01:00
sebres