fafefc0293
Add Jorgee Vulnerability Scanner protect
...
Details for Jorgee Vulnerability Scanner: https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30164
2017-09-05 10:56:43 +02:00
4163f32968
small review, prefix replaced with `%(_apache_error_client)s` from apache-common.conf include
2017-09-04 11:48:01 +02:00
ac95449bbb
changed zoneminder regex as per Sebres and yarikoptic recommendations
2017-09-04 11:37:09 +02:00
5c3a666380
fixed incomplete regex after adding anchors
2017-09-04 11:37:03 +02:00
3d45fd2713
implemented yarikoptic's suggestions in fail2ban pull request #1376
2017-09-04 11:37:00 +02:00
08878d22dd
added zoneminder.conf filter
2017-09-04 11:36:50 +02:00
c312962029
filter.d/dovecot.conf: partially cherry-pick to 0.9 PR #1880 from sebres/0.10-fix-dovecot-regex ( d926e11a5c)
...
fixed failregex (without new mode aggressive)
2017-09-01 10:57:41 +02:00
4c1abe1cbf
phpmyadmin-syslog: removed excess file, fixed test, updated failregex
2017-08-23 16:56:18 +03:00
5b4bc2aafd
Added filter for phpMyAdmin+syslog (>=4.7.0). Closes #1713
2017-08-22 18:20:01 +03:00
af25a9d203
Merge pull request #1566 from opoplawski/journalmatch
...
Add sendmail journalmatch options
2017-08-09 16:14:10 +02:00
84f552881c
Add sendmail journalmatch options
2017-08-09 16:03:34 +02:00
5c538fb658
Recognize "unknown user" for additional auth-methods (pam, passwd-file, ldap, sql, etc); simplifying regular expressions (put "unknown user" and "invalid credentials" together as one regex).
2017-08-07 18:04:09 +02:00
a5b62a7f36
failregex extended and simplified (partially ported from gh-1409).
2017-07-18 16:34:22 +02:00
098abae4e6
Remove greedy catch-all before `<HOST>`, make regex more universal, fewer prone to errors (should avoid future changes, if some optional parameters coming again before/after `RemoteAddress`) + non-captured groups now.
...
Test for possible injection (5.6.7.8 in session-id) already available, line 59 (thus already covered).
2017-07-18 16:09:53 +02:00
4c0c7b97c0
Update asterisk.conf to new log message
...
I got an issue like this:
[2016-05-15 22:53:00] SECURITY[26428] res_security_log.c: SecurityEvent="FailedACL",EventTV="2016-05-15T22:53:00.203+0300",Severity="Error",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7fb580001518",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/78.129.227.4/62389",SessionTV="1970-01-01T03:00:00.000+0300"
# [sebres] rebased to current master and resolving conflicts.
2017-07-18 15:40:32 +02:00
a1d0633e69
filter.d/asterisk.conf - fixed failregex AMI Asterisk authentification failed (see gh-1302):
...
- optional space between NOTICE and pid;
- optional part "Host " before IP-address;
2017-07-03 12:57:28 +02:00
6110ba9cc3
filter.d/proftpd.conf: added option `journalmatch` for systemd backend (closes gh-1613)
2017-06-30 18:00:01 +02:00
2b358bc1a4
filter.d/apache-overflows.conf: rewritten without end-anchor ($), because apache-log could contain very long URLs (and/or referrer), the parsing of it anchored way may be very vulnerable (at least as regards the system resources, see gh-1790).
2017-06-15 11:16:19 +02:00
b93e47b12f
dovecot: Match also when user field is empty
...
Commit 5678d08
2017-05-31 15:54:30 +02:00
228d25c548
Update Kerio Connect filter ( #1455 )
...
* Update Kerio Connect filter
Fixed regex for some log entries that did not get recognized and some additional error formats are added.
* Add missing colon, GitHub address
* Add filter tests
* Add missing test
2017-05-30 20:27:44 +02:00
ff1c6718da
Postfix RBL: 554 & SMTP
...
Cherry-pick of 607568f5da
2017-05-15 14:42:37 +02:00
0600d51511
filter.d/exim.conf: added new reason for "rejected RCPT" regex: Unrouteable address
2017-05-07 14:02:38 +02:00
c546f85207
filter.d/exim.conf: cherry-picked from 0.10, match complex time like `D=2m42s` (closes gh-1766)
2017-05-07 13:02:32 +02:00
3161bcf78b
filter.d/exim.conf: optional part `(...)` after host-name before `[IP]`, normalized over whole config file.
...
# Conflicts:
# config/filter.d/exim.conf
2017-04-24 19:21:26 +02:00
52c1950371
Update mysqld-auth.conf
...
small typo, closes gh-1725 (Thx @seth-reeser)
2017-03-24 19:03:17 +01:00
8768776d68
filter.d/cyrus-imap.conf: fixed `failregex` - accept entries without login-info resp. hostname before IP address
2017-03-09 16:13:45 +01:00
9d06f0ee40
sshd-amend: optional space after port part
2017-01-23 08:56:47 +01:00
54a8c681ce
suhosin.conf: removed greedy match
2017-01-21 16:26:07 +01:00
8aa9516d50
sshd.conf: fixed expression "received disconnect ... auth fail" - optional space after port part (gh-1652)
2017-01-21 16:18:03 +01:00
3276bd6d54
sshd: additionally aggressive filter rules - no matching cipher resp. no matching key exchange method (gh-1545, gh-1117)
2017-01-21 15:57:05 +01:00
628789f9a9
sshd: conditional parameter "mode" for sshd jail (normal, ddos, aggressive)
...
filter sshd-ddos and new filter sshd-aggressive are both derivation of sshd-filter
2017-01-21 15:54:49 +01:00
dd373dba9f
test all config-regexp, that contains greedy catch-all before <HOST>, that is hard-anchored at end or precise sub expression after <HOST>;
...
new ssh rule(s) added:
- Connection reset by peer (multi-line rule during authorization process);
- No supported authentication methods available;
Single line and multi-line expression optimized, added optional prefixes and suffix (logged from several ssh versions);
closes gh-864
2017-01-21 15:53:48 +01:00
a4d8426401
Support for IBM Domino SMTP task ( #1603 )
...
filter.d/domino-smtp.conf
2017-01-20 08:44:20 +01:00
a9523aefbb
sshd.conf: fixed non-anchored part of regex (misleading match of colon inside IPv6 address instead of `: ` in the reason-part by missing space).
2017-01-10 12:58:44 +01:00
31a1560eaa
minor typos (thanks Vincent Lefevre, Debian #847785 )
2016-12-11 15:13:11 -05:00
45f1d811c9
Merge branch 'alex1702-1586'
2016-11-28 18:54:02 +01:00
425170cef3
code review, makes the test cases workable, added dev-notes
2016-11-28 18:39:07 +01:00
931eab84b5
`filter.d/apache-modsecurity.conf`
...
- fixed for newer version (one space, closes gh-1626)
reviewed and optimized:
- non-greedy catch-all replaced for safer match
- unneeded catch-all anchoring removed
- non-capturing groups
2016-11-28 11:28:27 +01:00
5678d08a79
filter.d/dovecot.conf update:
...
- fixes failregex, that ignores failures through some irrelevant info (closes #1623 );
- ignores whole additionally irrelevant info in anchored regex before fixed failure data `\((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\)`
- review, IPv6 compatibility fix, non-capturing groups
2016-11-26 16:50:37 +01:00
b5433f48b7
amend after code review of merge gh-1581
2016-11-11 11:09:46 +01:00
bee6e7376b
Merge branch 'aclindsa:master'
2016-11-11 10:58:40 +01:00
dab5f56609
Merge branch 'fix-gh-1477'
2016-11-11 10:17:07 +01:00
8ac28e5dcb
Make changes and add test file
2016-11-10 13:09:32 +01:00
8c40766511
Add Mongodb-auth filter and jail
2016-11-10 12:48:24 +01:00
7805f9972d
filter.d/sshd.conf: Match 'Invalid user' with 'port \d*'
2016-10-15 15:52:19 -04:00
84c3eb3e0e
filter.d/sendmail-reject.conf: double space (should be by missing dns-host only)
...
Closes #1578
2016-10-15 14:53:45 +02:00
9fb167b5e1
filter.d/vsftpd.conf: optional reason message after FAIL LOGIN, closes #1543
2016-09-09 09:20:15 +02:00
4a1d720344
filter.d/asterisk.conf: another part ` chan_sip.c:28468 handle_request_register:` in log prefix
2016-08-22 14:10:50 +02:00
2c54f90469
sshd-filter: better universal regexp, that matches more complex different injects, using conditional expressions (on username and auth-info section), see new test cases also.
2016-08-19 10:19:12 +02:00
a544c5abac
sshd-filter: recognized "Failed publickey for" now (gh-1477) + improved regexp (not anchored now to recognize all "Failed anything for ... from <HOST>"
...
ChangeLog entry added
2016-08-18 21:38:55 +02:00
Vladimir Chumak