CERBERUS/fail2ban
1
0
Fork 0
mirror of https://github.com/fail2ban/fail2ban.git synced 2026-05-14 06:56:47 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
6114 commits 34 branches 230 tags 18 MiB
Commit graph

1994 commits

Author SHA1 Message Date
Sergey G. Brester
f7aaaf50b8
filter.d/exim.conf: colon must be outside of F-RCPT group 2025-04-27 23:00:09 +02:00
Sergey G. Brester
52d239483d
typo 2025-04-16 17:18:36 +02:00
sebres
cbe14c70c5 iptables.conf rewritten to affect all derivative actions (multiple chains are also supported by iptables-ipset etc); 
iptables-xt_recent-echo.conf adjusted to be compatible to new syntax of inherited iptables.conf;
test coverage fixed to new handling
 2025-04-16 16:56:46 +02:00
Arnaud
37f72f88ef Reverting chains to chain in order to preserve backward compatibilityu 
backing to the option named "chain", using "iteredchain" a new variable to iterate over.
 2025-04-16 16:06:29 +02:00
Arnaud
139151ec81 Update iptables.conf - allow bans to be efective on multiple chains at the same time 
This patch allows the ban to be applied on the INPUT and the FORWARD chain at the time. May be useful at least on routing devices and on docker hosting machines.
 2025-04-16 16:06:28 +02:00
sebres
c76e90fbb1 * Merge pull request #3940 from exim-pr-mode-more 
`filter.d/exim.conf` - fewer REs by default, introduces mode `more`
 2025-04-02 15:11:38 +02:00
Sergey G. Brester
6104444bb4
improve regex (anchored from left, no catch-alls, <ADDR> for IP, etc) 2025-04-01 17:28:58 +02:00
Rajib Sharia
cf9135983c
Update jail.conf 
Added jail for vaultwarden
 2025-04-01 20:40:15 +08:00
Rajib Sharia
c7f7bc55bb
Create vaultwarden.conf 
Filter for unsuccessful Vaultwarden authentication attempts
 2025-04-01 20:36:53 +08:00
sebres
ee421dfbd6 filter.d/apache-noscript.conf - consider new log-format with "AH02811: stderr from /..."; 
closes gh-3900
 2025-03-28 22:52:51 +01:00
sebres
8ae6eaf39a filter.d/postfix.conf - default _daemon in prefix-line is loosened - can match everything starting with word postfix, like postfix-example.com/smtpd; 
closes gh-3297
 2025-03-10 22:35:26 +01:00
Sergey G. Brester
c035428535
Merge pull request #3954 from luckylittle/feature/systemd-journal-vsftpd 
`filter.d/vsftpd.conf` - fixed regex (if failures generated by systemd-journal)
 2025-03-04 14:20:01 +01:00
sebres
94fe9cf4a8 more fixes, capture user names, more tests... 
since line 7 matches successfully now (it was disabled in gh-358 because of obsolete format), it is marked as match:true (line can be removed later if unneeded)
 2025-03-04 14:13:07 +01:00
sebres
1e06ab68b4 fixed filter (new regex is unneeded), tests format of failures produced by system journal 2025-03-04 13:47:59 +01:00
Sergey G. Brester
13a74feaad
2nd RE unneeded, fix single RE - bypass everything before open parenthesis 2025-03-04 13:02:50 +01:00
Lucian Maly
6e3bfd800c
Added author 2025-03-04 12:26:14 +11:00
Lucian Maly
9d7646e6c0
Added author 2025-03-04 12:25:27 +11:00
Lucian Maly
fd1d0d25a8
Added regex for systemd-journal matches of lighttpd-auth 2025-03-04 12:20:24 +11:00
Lucian Maly
65d473fc8e
Added regex for systemd-journal matches of vsftpd 2025-03-04 11:43:38 +11:00
Sergey G. Brester
c9b5e845ba
action.d/cloudflare-token.conf: fixes actionunban retrieving of CF-ID from IP: 
force adding parameters to URL as query string (add `-G` to curl);
closes gh-3952
 2025-03-01 20:19:35 +01:00
Sergey G. Brester
e5199aee92
action.d/ufw.conf: update comment: 
fix syntax in example, because `dst` as command parameter doesn't have precedence over or-expression, so second `sport` would ignore `dst` and kill any connection for https regardless the IP
 2025-03-01 00:23:55 +01:00
Sergey G. Brester
c88967df2d
filter.d/exim.conf - introduces mode more (several rules moved from mode normal to more), because: 
- they have basically nothing with authentication;
- they can cause false positives (e. g. someone sends several mails from google mailing server to wrong recipients and if they would cause "rejected RCPT - Unknown user", the google host gets banned;
- to avoid occasional ban of legitimate servers one'd need create large white-list for `ignoreip` or construct complex `ignorecommands` to exclude all legitimate servers of big players (like google, microsoft, GMX, etc);
 2025-02-13 21:30:04 +01:00
sebres
882e6d5e00 filter.d/exim.conf - mode aggressive extended to catch dropped by ACL failures, e.g. "ACL: Country is banned" 2025-02-10 17:30:07 +01:00
Sergey G. Brester
6fb3532c45
Merge pull request #3931 from brianjmurrell/patch-2 
`from '[^']*'` is not always present …
 2025-01-30 14:06:00 +01:00
sebres
b55c20594e paths-common.conf: changed default mysql_log path (default logpath of mysqld-auth jail without maintainer overrides); adjusted comments (log_error_verbosity = 3 instead of log-warnings = 2) 
closes gh-3932
 2025-01-30 14:00:43 +01:00
Brian J. Murrell
b8ab346257
Merge branch 'fail2ban:master' into patch-2 2025-01-29 19:36:54 -05:00
sebres
d2c60a168f combine several regexes to single RE 2025-01-30 01:13:49 +01:00
sebres
e1fc569291 normalize jail (defaults, etc); added missing tests for all REs; common prefix for failregex, no catch-alls, etc 2025-01-30 01:13:48 +01:00
Philipp Burndorfer
88385eb6c1 New openvpn jail. 2025-01-30 01:13:46 +01:00
sebres
155a0855f2 silence codespell 2025-01-29 21:59:35 +01:00
Brian J. Murrell
325613a8f8
from '[^']*' is not always present … 
In the message from asterisk.

Signed-off-by: Brian J. Murrell <brian@interlinx.bc.ca>
 2025-01-28 13:09:29 -05:00
sebres
a796cc9b91 filter.d/dropbear.conf: failregex extended to match different format of "Exit before auth" message; 
closes gh-3791
 2024-12-27 16:43:33 +01:00
MichaIng
eb8b44370a
Make Dropbear regex more compatible and simpler 
Dropbear uses `strftime` `"%b %d %H:%M:%S` to print its timestamps, hence we know the day and time format, but the month could be localized. We hence allow any 3 word characters for it, and additionally simplify the day and time pattern into a single group.

Signed-off-by: MichaIng <micha@dietpi.com>
 2024-12-27 14:00:36 +07:00
MichaIng
dd9f359f5c
Fix Dropbear filter when logging to STDOUT 
Since Debian Bookworm, the distribution ships Dropbear with a native systemd service instead of the default upstream init.d service, and accordingly uses the `-F` and `-E` flags, to run it in foreground and have it logging to STDOUT instead of syslog.

As usual, timestamps and also the PID are now included by the log message emitted by Dropbear, in addition to the systemd journal log prefix.

The Dropbear filter hence does not match anymore. This commit adds the PID and timestamp as optional pattern between prefix and fail log text, to support Dropbear on Debian Bookworm and newer (and likely new versions of other distros) without breaking the old pattern when running Dropbear without `-E` flag.

Additionally, for performance reasons, this commit adds a `journalmatch` entry, matching Debian's and Fedora's `dropbear.service` with `dropbear` executable/identifier, the most likely match for a Dropbear systemd service.

Signed-off-by: MichaIng <micha@dietpi.com>
 2024-12-27 13:59:35 +07:00
sebres
89b5f3bb1e filter.d/sshd.conf: ddos and aggressive modes, regex extended for timeout before authentication (optional connection from part); 
closes gh-3907
 2024-12-26 14:24:15 +01:00
Sergey G. Brester
51358e1587
Merge pull request #3636 from szepeviktor/typos 
Fix more typos
 2024-12-21 19:31:54 +01:00
sebres
91c27d0600 filter.d/freeswitch.conf: bypass some new info in prefix before [WARNING] (changed default _pref_line); 
closes gh-3143
 2024-12-04 16:56:23 +01:00
sebres
eb4731d8b1 action.d/*-ipset.conf: workaround sporadic failures by stop if destroying ipset too fast (sleep a bit in error case and repeat); 
closes gh-3624
 2024-11-07 19:28:53 +01:00
Sergey G. Brester
89970d2e3e
Merge pull request #1351 from AntagonistHQ/csf 
add support for the CSF firewall
 2024-09-29 10:01:58 +02:00
Sergey G. Brester
363c0d5fd0
nftables.conf: fixed comment (since 7f1b578af4, gh-488 actioncheck would be never invoked in regular case) 2024-09-07 13:15:45 +02:00
thomas-333
44bd87951e
Update apprise.conf 
Correct typo. "as" should read "has"
 2024-09-02 10:17:10 +01:00
sebres
54c0effceb filter.d/sshd.conf: amend to #3747/#3812 (new ssh version would log with _COMM=sshd-session) 2024-08-11 12:10:12 +02:00
sebres
c769046a1f Revert "filterd./sshd.conf: fixed journalmatch (sshd.service seems to be renamed to ssh.service)" - it'd patched in debian branch. 
This reverts commit 6fce23e7ba.
 2024-08-11 11:55:39 +02:00
sebres
8e0a2366f0 Fixes unmatched tag (caused unmatched brace); review: combined to single regex, simple case without injection attempts faster, <HOST> replaced with <ADDR> (faster and fewer vulnerable on complex cases, since doesn't match text as hostname) etc. 2024-08-10 13:20:18 +02:00
Maksim Usmanov | Maks
35afe20ea0
Roundcube 1.4 change log format 
From roundcube 1.4 log change format -> e92d8e31a3/program/lib/Roundcube/rcube_imap.php (L194)
 2024-08-09 22:53:45 +02:00
sebres
d4663e8941 action.d/firewallcmd-rich-*.conf: fixed incorrect quoting, disabling port variable expansion by substitution of rich rule; closes gh-3815 2024-08-07 22:43:42 +02:00
sebres
9a558589d7 review (anchoring RE, etc) 2024-07-30 19:16:40 +02:00
Jose
db8c943a7b Add jail to jail.conf as requested by test-suite 'More filters exists than are referenced in stock jail.conf set(['proxmox']) 2024-07-30 19:11:02 +02:00
Jose
83f2d59eee match numbers 2024-07-30 19:05:56 +02:00
Jose
07a7da8d8e Remove greedy catch-all before HOST 2024-07-30 19:05:55 +02:00