mirror of
https://github.com/fail2ban/fail2ban.git
synced 2026-03-11 08:55:31 +00:00
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page
This commit is contained in:
parent
de9977441a
commit
89fd792dfb
43 changed files with 281 additions and 518 deletions
|
|
@ -1,18 +1,18 @@
|
|||
# Fail2Ban configuration file
|
||||
# Fail2Ban filter for 3proxy
|
||||
#
|
||||
# Author: Daniel Black
|
||||
#
|
||||
# Requested by ykimon in https://github.com/fail2ban/fail2ban/issues/246
|
||||
#
|
||||
|
||||
[Definition]
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: http://www.3proxy.ru/howtoe.asp#ERRORS indicates that 01-09 are
|
||||
# all authentication problems (%E field)
|
||||
# Log format is: "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
|
||||
# Values: TEXT
|
||||
#
|
||||
|
||||
failregex = ^\s[+-]\d{4} \S+ \d{3}0[1-9] \S+ <HOST>:\d+ [\d.]+:\d+ \d+ \d+ \d+\s
|
||||
|
||||
ignoreregex =
|
||||
|
||||
# DEV Notes:
|
||||
# http://www.3proxy.ru/howtoe.asp#ERRORS indicates that 01-09 are
|
||||
# all authentication problems (%E field)
|
||||
# Log format is: "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
|
||||
#
|
||||
# Requested by ykimon in https://github.com/fail2ban/fail2ban/issues/246
|
||||
# Author: Daniel Black
|
||||
|
|
|
|||
|
|
@ -1,17 +1,33 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# Author: Cyril Jaquier
|
||||
#
|
||||
# Fail2Ban apache-auth filter
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
# Read common prefixes. If any customizations available -- read them from
|
||||
# common.local
|
||||
# apache-common.local
|
||||
before = apache-common.conf
|
||||
|
||||
[Definition]
|
||||
|
||||
|
||||
failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*\s*$
|
||||
^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$
|
||||
^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$
|
||||
^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*\s*$
|
||||
^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
|
||||
^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$
|
||||
^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*' in realm `.+' (not found|denied by provider): \S*\s*$
|
||||
^%(_apache_error_client)s (AH01631: )?user .*: authorization failure for "\S*":\s*$
|
||||
^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+\s*$
|
||||
^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*' but expected `.+'\s*$
|
||||
^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*' received: \S*\s*$
|
||||
^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*$
|
||||
^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .* received - user attempted time travel\s*$
|
||||
|
||||
ignoreregex =
|
||||
|
||||
# DEV Notes:
|
||||
#
|
||||
# This filter matches the authorization failures of Apache. It takes the log messages
|
||||
# from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or
|
||||
# HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR.
|
||||
|
|
@ -34,23 +50,5 @@ before = apache-common.conf
|
|||
# ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$
|
||||
# ^%(_apache_error_client)s (AH02486: )?realm mismatch - got `.*' but no realm specified\s*$
|
||||
#
|
||||
failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*\s*$
|
||||
^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$
|
||||
^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$
|
||||
^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*\s*$
|
||||
^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
|
||||
^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$
|
||||
^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*' in realm `.+' (not found|denied by provider): \S*\s*$
|
||||
^%(_apache_error_client)s (AH01631: )?user .*: authorization failure for "\S*":\s*$
|
||||
^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+\s*$
|
||||
^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*' but expected `.+'\s*$
|
||||
^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*' received: \S*\s*$
|
||||
^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*$
|
||||
^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .* received - user attempted time travel\s*$
|
||||
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
# Author: Cyril Jaquier
|
||||
# Major edits by Daniel Black
|
||||
|
|
|
|||
|
|
@ -1,27 +1,21 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# List of bad bots fetched from http://www.user-agents.org
|
||||
# Generated on Sun Feb 11 01:09:15 EST 2007 by ./badbots.sh
|
||||
#
|
||||
# Author: Yaroslav Halchenko
|
||||
#
|
||||
#
|
||||
# Regexp to catch known spambots and software alike. Please verify
|
||||
# that it is your intent to block IPs which were driven by
|
||||
# above mentioned bots.
|
||||
|
||||
|
||||
[Definition]
|
||||
|
||||
badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider
|
||||
badbots = atSpider/1\.0|autoemailspider|China Local Browse 2\.6|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|MVAClient|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|sogou spider|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|WebVulnCrawl\.blogspot\.com/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: Regexp to catch known spambots and software alike. Please verify
|
||||
# that it is your intent to block IPs which were driven by
|
||||
# above mentioned bots.
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
# DEV Notes:
|
||||
# List of bad bots fetched from http://www.user-agents.org
|
||||
# Generated on Sun Feb 11 01:09:15 EST 2007 by ./badbots.sh
|
||||
#
|
||||
# Author: Yaroslav Halchenko
|
||||
|
|
|
|||
|
|
@ -1,21 +1,20 @@
|
|||
# Generic configuration items (to be used as interpolations) in other
|
||||
# apache filters
|
||||
#
|
||||
# Author: Yaroslav Halchenko
|
||||
#
|
||||
#
|
||||
# apache filters.
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
# Load customizations if any available
|
||||
after = apache-common.local
|
||||
|
||||
|
||||
[DEFAULT]
|
||||
|
||||
_apache_error_client = \[[^]]*\] \[(error|\S+:\S+)\]( \[pid \d+:\S+ \d+\])? \[client <HOST>(:\d{1,5})?\]
|
||||
|
||||
# Common prefix for [error] apache messages which also would include <HOST>
|
||||
# Depending on the version it could be
|
||||
# 2.2: [Sat Jun 01 11:23:08 2013] [error] [client 1.2.3.4]
|
||||
# 2.4: [Thu Jun 27 11:55:44.569531 2013] [core:info] [pid 4101:tid 2992634688] [client 1.2.3.4:46652]
|
||||
#
|
||||
# Reference: https://github.com/fail2ban/fail2ban/issues/268
|
||||
_apache_error_client = \[[^]]*\] \[(error|\S+:\S+)\]( \[pid \d+:\S+ \d+\])? \[client <HOST>(:\d{1,5})?\]
|
||||
#
|
||||
# Author: Yaroslav Halchenko
|
||||
|
|
|
|||
|
|
@ -1,28 +1,20 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
|
||||
#
|
||||
# Fail2Ban filter to web requests for home directories on Apache servers
|
||||
#
|
||||
# Regex to match failures to find a home directory on a server, which
|
||||
# became popular last days. Most often attacker just uses IP instead of
|
||||
# domain name -- so expect to see them in generic error.log if you have
|
||||
# per-domain log files.
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
# Read common prefixes. If any customizations available -- read them from
|
||||
# common.local
|
||||
# overwrite with apache-common.local if _apache_error_client is incorrect.
|
||||
before = apache-common.conf
|
||||
|
||||
[Definition]
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match failures to find a home directory on a server, which
|
||||
# became popular last days. Most often attacker just uses IP instead of
|
||||
# domain name -- so expect to see them in generic error.log if you have
|
||||
# per-domain log files.
|
||||
# Values: TEXT
|
||||
#
|
||||
|
||||
failregex = ^%(_apache_error_client)s (AH00128: )?File does not exist: .*/~.*
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
|
||||
|
|
|
|||
|
|
@ -1,29 +1,18 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# Author: Cyril Jaquier
|
||||
# Fail2Ban filter to block web requests for scripts (on non scripted websites)
|
||||
#
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
# Read common prefixes. If any customizations available -- read them from
|
||||
# common.local
|
||||
# overwrite with apache-common.local if _apache_error_client is incorrect.
|
||||
before = apache-common.conf
|
||||
|
||||
[Definition]
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match the password failure messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$
|
||||
^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
|
||||
# Author: Cyril Jaquier
|
||||
|
|
|
|||
|
|
@ -1,25 +1,15 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# Author: Tim Connors
|
||||
#
|
||||
# Fail2Ban filter to block web requests on a long or suspicious nature
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
# Read common prefixes. If any customizations available -- read them from
|
||||
# common.local
|
||||
# overwrite with apache-common.local if _apache_error_client is incorrect.
|
||||
before = apache-common.conf
|
||||
|
||||
[Definition]
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: Regexp to catch Apache overflow attempts.
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = ^%(_apache_error_client)s (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string)
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
# Author: Tim Connors
|
||||
|
|
|
|||
|
|
@ -1,33 +1,24 @@
|
|||
# Fail2Ban configuration file
|
||||
# for Anti-Spam SMTP Proxy Server also known as ASSP
|
||||
# Fail2Ban filter for Anti-Spam SMTP Proxy Server also known as ASSP
|
||||
#
|
||||
# Honmepage: http://www.magicvillage.de/~Fritz_Borgstedt/assp/0003D91C-8000001C/
|
||||
# ProjektSite: http://sourceforge.net/projects/assp/?source=directory
|
||||
#
|
||||
# Author: Enrico Labedzki (enrico.labedzki@deiwos.de)
|
||||
#
|
||||
|
||||
[Definition]
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match the SMTP failure messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
||||
# Values: TEXT
|
||||
#
|
||||
# Examples: Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
|
||||
# Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
|
||||
# Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded
|
||||
__assp_actions = (?:dropping|refusing)
|
||||
|
||||
failregex = ^(:? \[SSL-out\])? <HOST> max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: \w+;$
|
||||
^(?: \[SSL-out\])? <HOST> SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$
|
||||
^ Blocking <HOST> - too much AUTH errors \(\d{,3}\);$
|
||||
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
# DEV Notes:
|
||||
#
|
||||
# Examples: Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
|
||||
# Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
|
||||
# Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded
|
||||
#
|
||||
# Author: Enrico Labedzki (enrico.labedzki@deiwos.de)
|
||||
|
|
|
|||
|
|
@ -1,22 +1,11 @@
|
|||
# Fail2Ban configuration file
|
||||
# Fail2Ban filter for asterisk authentication failures
|
||||
#
|
||||
# Author: Xavier Devlamynck
|
||||
#
|
||||
#
|
||||
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
# Read common prefixes. If any customizations available -- read them from
|
||||
# common.local
|
||||
before = common.conf
|
||||
|
||||
[Definition]
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match the password failures messages in the logfile.
|
||||
# Values: TEXT
|
||||
#
|
||||
__pid_re = (?:\[\d+\])
|
||||
|
||||
# All Asterisk log messages begin like this:
|
||||
log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*
|
||||
|
||||
failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$
|
||||
|
|
@ -34,10 +23,7 @@ failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?'
|
|||
^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
|
||||
^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
|
||||
# Author: Xavier Devlamynck
|
||||
|
|
|
|||
|
|
@ -1,9 +1,6 @@
|
|||
# Generic configuration items (to be used as interpolations) in other
|
||||
# filters or actions configurations
|
||||
#
|
||||
# Author: Yaroslav Halchenko
|
||||
#
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
|
|
@ -49,7 +46,6 @@ __md5hex = (?:[\da-f]{2}:){15}[\da-f]{2}
|
|||
# <auth.info> appearing before the host as per testcases/files/logs/bsd/*.
|
||||
__bsd_syslog_verbose = (<[^.]+\.[^.]+>)
|
||||
|
||||
#
|
||||
# Common line prefixes (beginnings) which could be used in filters
|
||||
#
|
||||
# [bsdverbose]? [hostname] [vserver tag] daemon_id spaces
|
||||
|
|
@ -57,3 +53,4 @@ __bsd_syslog_verbose = (<[^.]+\.[^.]+>)
|
|||
# This can be optional (for instance if we match named native log files)
|
||||
__prefix_line = \s*%(__bsd_syslog_verbose)s?\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s%(__daemon_extra_re)s?\s*
|
||||
|
||||
# Author: Yaroslav Halchenko
|
||||
|
|
|
|||
|
|
@ -1,8 +1,4 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# Author: Christoph Haas
|
||||
# Modified by: Cyril Jaquier
|
||||
#
|
||||
# Fail2Ban filter for courier authentication failures
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
|
@ -11,22 +7,13 @@
|
|||
# common.local
|
||||
before = common.conf
|
||||
|
||||
|
||||
[Definition]
|
||||
|
||||
_daemon = (?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)?
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = ^%(__prefix_line)sLOGIN FAILED, user=.*, ip=\[<HOST>\]$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
# Author: Christoph Haas
|
||||
# Modified by: Cyril Jaquier
|
||||
|
|
|
|||
|
|
@ -1,6 +1,4 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# Author: Cyril Jaquier
|
||||
# Fail2Ban filter to block relay attempts though a Courier smtp server
|
||||
#
|
||||
#
|
||||
|
||||
|
|
@ -10,22 +8,12 @@
|
|||
# common.local
|
||||
before = common.conf
|
||||
|
||||
|
||||
[Definition]
|
||||
|
||||
_daemon = courieresmtpd
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = ^%(__prefix_line)serror,relay=<HOST>,.*: 550 User unknown\.$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
# Author: Cyril Jaquier
|
||||
|
|
|
|||
|
|
@ -1,6 +1,5 @@
|
|||
# Fail2Ban configuration file
|
||||
# Fail2Ban filter for authentication failures on Cyrus imap server
|
||||
#
|
||||
# Author: Jan Wagner <waja@cyconet.org>
|
||||
#
|
||||
#
|
||||
|
||||
|
|
@ -10,22 +9,12 @@
|
|||
# common.local
|
||||
before = common.conf
|
||||
|
||||
|
||||
[Definition]
|
||||
|
||||
_daemon = (?:cyrus/)?(?:imapd?|pop3d?)
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ .*?\[?SASL\(-13\): authentication failure: .*\]?$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
# Author: Jan Wagner <waja@cyconet.org>
|
||||
|
|
|
|||
|
|
@ -1,7 +1,5 @@
|
|||
# Fail2Ban configuration file for dovecot
|
||||
# Fail2Ban filter Dovecot authentication and pop3/imap server
|
||||
#
|
||||
# Author: Martin Waschbuesch
|
||||
# Daniel Black (rewrote with begin and end anchors)
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
|
|
@ -10,17 +8,16 @@ before = common.conf
|
|||
[Definition]
|
||||
|
||||
_daemon = (auth|dovecot(-auth)?|auth-worker)
|
||||
# Option: failregex
|
||||
# Notes.: regex to match the password failures messages in the logfile.
|
||||
# first regex is essentially a copy of pam-generic.conf
|
||||
# Values: TEXT
|
||||
#
|
||||
|
||||
failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
|
||||
^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use disabled \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
|
||||
^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
# DEV Notes:
|
||||
# * the first regex is essentially a copy of pam-generic.conf
|
||||
# * Probably doesn't do dovecot sql/ldap backends properly
|
||||
#
|
||||
# Author: Martin Waschbuesch
|
||||
# Daniel Black (rewrote with begin and end anchors)
|
||||
|
|
|
|||
|
|
@ -1,17 +1,18 @@
|
|||
# Fail2Ban configuration file for exim
|
||||
#
|
||||
# Author: Daniel Black
|
||||
# Fail2Ban filter file for common exim expressions
|
||||
#
|
||||
# This is to be used by other exim filters
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
# Load customizations if any available
|
||||
#
|
||||
after = exim-common.local
|
||||
|
||||
[Definition]
|
||||
|
||||
# From exim source code: ./src/receive.c:add_host_info_for_log
|
||||
host_info = H=([\w.-]+ )?(\(\S+\) )?\[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?(U=\S+ )?(P=e?smtp )?
|
||||
pid = ( \[\d+\])?
|
||||
|
||||
# DEV Notes:
|
||||
# From exim source code: ./src/receive.c:add_host_info_for_log
|
||||
#
|
||||
# Author: Daniel Black
|
||||
|
|
|
|||
|
|
@ -1,9 +1,5 @@
|
|||
# Fail2Ban configuration file
|
||||
# Fail2Ban filter for exim the spam rejection messages
|
||||
#
|
||||
# Author: Cyril Jaquier
|
||||
# Daniel Black (rewrote with strong regexs)
|
||||
#
|
||||
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
|
|
@ -11,19 +7,16 @@
|
|||
# exim-common.local
|
||||
before = exim-common.conf
|
||||
|
||||
|
||||
[Definition]
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: This includes the spam rejection messages of exim.
|
||||
# Note the %(host_info) defination contains a <HOST> match
|
||||
|
||||
failregex = ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$
|
||||
^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: .*dnsbl.*\s*$
|
||||
^%(pid)s \S+ %(host_info)sF=(<>|[^@]+@\S+) rejected after DATA: This message contains a virus \(\S+\)\.\s*$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
# DEV Notes:
|
||||
# The %(host_info) defination contains a <HOST> match
|
||||
#
|
||||
# Author: Cyril Jaquier
|
||||
# Daniel Black (rewrote with strong regexs)
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
# Fail2Ban configuration file
|
||||
# Fail2Ban filter for exim
|
||||
#
|
||||
# Author: Cyril Jaquier
|
||||
# Daniel Black (rewrote with strong regexs)
|
||||
# This includes the rejection messages of exim. For spam and filter
|
||||
# related bans use the exim-spam.conf
|
||||
#
|
||||
|
||||
|
||||
|
|
@ -11,22 +11,18 @@
|
|||
# exim-common.local
|
||||
before = exim-common.conf
|
||||
|
||||
|
||||
[Definition]
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: This includes the rejection messages of exim. For spam and filter
|
||||
# related bans use the exim-spam.conf
|
||||
# Note the %(host_info) defination contains a <HOST> match
|
||||
|
||||
failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
|
||||
^%(pid)s (plain|login) authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
|
||||
^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
|
||||
^%(pid)s SMTP protocol synchronization error \(.*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
|
||||
^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
# DEV Notes:
|
||||
# The %(host_info) defination contains a <HOST> match
|
||||
#
|
||||
# Author: Cyril Jaquier
|
||||
# Daniel Black (rewrote with strong regexs)
|
||||
|
|
|
|||
|
|
@ -1,7 +1,4 @@
|
|||
# Fail2Ban configuration file for gssftp
|
||||
#
|
||||
# Author: Kevin Zembower
|
||||
# Edited: Daniel Black - syslog based daemon
|
||||
# Fail2Ban filter file for gssftp
|
||||
#
|
||||
# Note: gssftp is part of the krb5-appl-servers in Fedora
|
||||
#
|
||||
|
|
@ -16,3 +13,6 @@ _daemon = ftpd
|
|||
failregex = ^%(__prefix_line)srepeated login failures from <HOST> \(\S+\)$
|
||||
|
||||
ignoreregex =
|
||||
|
||||
# Author: Kevin Zembower
|
||||
# Edited: Daniel Black - syslog based daemon
|
||||
|
|
|
|||
|
|
@ -1,18 +1,10 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# Author: Francois Boulogne <fboulogne@april.org>
|
||||
# Fail2Ban filter to match wrong passwords as notified by lighttpd's auth Module
|
||||
#
|
||||
|
||||
[Definition]
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match wrong passwords as notified by lighttpd's auth Module
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = ^: \(http_auth\.c\.\d+\) (password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: <HOST>\s*$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
# Author: Francois Boulogne <fboulogne@april.org>
|
||||
|
|
|
|||
|
|
@ -1,7 +1,5 @@
|
|||
# Fail2Ban configuration file for unsuccesfull MySQL authentication attempts
|
||||
# Fail2Ban filter for unsuccesfull MySQL authentication attempts
|
||||
#
|
||||
# Authors: Artur Penttinen
|
||||
# Yaroslav O. Halchenko
|
||||
#
|
||||
# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld]:
|
||||
# log-error=/var/log/mysqld.log
|
||||
|
|
@ -15,23 +13,20 @@
|
|||
# common.local
|
||||
before = common.conf
|
||||
|
||||
|
||||
[Definition]
|
||||
|
||||
_daemon = mysqld
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
# 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
|
||||
#
|
||||
failregex = ^%(__prefix_line)s(\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[Warning\] Access denied for user '\w+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
# DEV Notes:
|
||||
#
|
||||
# Technically __prefix_line can equate to an empty string hence it can support
|
||||
# syslog and non-syslog at once.
|
||||
# Example:
|
||||
# 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
|
||||
#
|
||||
# Authors: Artur Penttinen
|
||||
# Yaroslav O. Halchenko
|
||||
|
|
|
|||
|
|
@ -1,13 +1,12 @@
|
|||
# Fail2Ban configuration file for named (bind9). Trying to generalize the
|
||||
# structure which is general to capture general patterns in log
|
||||
# lines to cover different configurations/distributions
|
||||
# Fail2Ban filter file for named (bind9).
|
||||
#
|
||||
# Author: Yaroslav Halchenko
|
||||
|
||||
# This filter blocks attacks against named (bind9) however it requires special
|
||||
# configuration on bind.
|
||||
#
|
||||
# This filter blocks attacks against named (bind9).
|
||||
# By default, logging is off with bind9 installation.
|
||||
#
|
||||
# By default, logging is off
|
||||
# with bind9 installation. You will need something like this:
|
||||
# You will need something like this in your named.conf to provide proper logging.
|
||||
#
|
||||
# logging {
|
||||
# channel security_file {
|
||||
|
|
@ -19,29 +18,31 @@
|
|||
# security_file;
|
||||
# };
|
||||
# };
|
||||
#
|
||||
# in your named.conf to provide proper logging.
|
||||
|
||||
[Definition]
|
||||
|
||||
#
|
||||
# Daemon name
|
||||
_daemon=named
|
||||
|
||||
#
|
||||
# Shortcuts for easier comprehension of the failregex
|
||||
|
||||
__pid_re=(?:\[\d+\])
|
||||
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
|
||||
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
|
||||
|
||||
# hostname daemon_id spaces
|
||||
# this can be optional (for instance if we match named native log files)
|
||||
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
|
||||
|
||||
|
||||
# note - (\.\d+)? is a really ugly catch of the microseconds not captured in
|
||||
# in the date detector
|
||||
#
|
||||
failregex = ^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
|
||||
^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$
|
||||
^%(__line_prefix)s(\.\d+)?( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
|
||||
|
||||
# DEV Notes:
|
||||
# Trying to generalize the
|
||||
# structure which is general to capture general patterns in log
|
||||
# lines to cover different configurations/distributions
|
||||
#
|
||||
# (\.\d+)? is a really ugly catch of the microseconds not captured in the date detector
|
||||
#
|
||||
# Author: Yaroslav Halchenko
|
||||
|
|
|
|||
|
|
@ -1,35 +1,29 @@
|
|||
# Fail2Ban configuration file for generic PAM authentication errors
|
||||
#
|
||||
# Author: Yaroslav Halchenko
|
||||
#
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
before = common.conf
|
||||
|
||||
[Definition]
|
||||
|
||||
# if you want to catch only login erros from specific daemons, use smth like
|
||||
# if you want to catch only login errors from specific daemons, use something like
|
||||
#_ttys_re=(?:ssh|pure-ftpd|ftp)
|
||||
# To catch all failed logins
|
||||
#
|
||||
# Default: catch all failed logins
|
||||
_ttys_re=\S*
|
||||
|
||||
__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
|
||||
_daemon = \S+
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match the password failures messages in the logfile.
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
|
||||
|
||||
# for linux-pam before 0.99.2.0 (late 2005)
|
||||
ignoreregex =
|
||||
|
||||
# DEV Notes:
|
||||
#
|
||||
# for linux-pam before 0.99.2.0 (late 2005) (removed before 0.8.11 release)
|
||||
# _daemon = \S*\(?pam_unix\)?
|
||||
# failregex = ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
|
||||
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
# Author: Yaroslav Halchenko
|
||||
|
|
|
|||
|
|
@ -1,6 +1,4 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# Author: Christophe Carles and Daniel Black
|
||||
# Fail2Ban filter for perdition
|
||||
#
|
||||
#
|
||||
|
||||
|
|
@ -14,3 +12,7 @@ _daemon=perdition.\S+
|
|||
|
||||
failregex = ^%(__prefix_line)sAuth: <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+ client-secure=\S+ authorisation_id=NONE authentication_id=".+" server="\S+" protocol=\S+ server-secure=\S+ status="failed: (local authentication failure|Re-Authentication Failure)"$
|
||||
^%(__prefix_line)sFatal Error reading authentication information from client <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+: Exiting child$
|
||||
|
||||
ignoreregex =
|
||||
|
||||
# Author: Christophe Carles and Daniel Black
|
||||
|
|
|
|||
|
|
@ -1,23 +1,20 @@
|
|||
# Fail2Ban configuration file
|
||||
# Fail2Ban filter for URLs with a URL as a script parameters
|
||||
# which can be an indication of a fopen url php injection
|
||||
#
|
||||
# Example of web requests in Apache access log:
|
||||
# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
|
||||
|
||||
[Definition]
|
||||
|
||||
failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
|
||||
|
||||
ignoreregex =
|
||||
|
||||
# DEV Notes:
|
||||
#
|
||||
# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
|
||||
# Version 2
|
||||
# fixes the failregex so REFERERS that contain =http:// don't get blocked
|
||||
# (mentioned by "fasuto" (no real email provided... blog comment) in this entry:
|
||||
# http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489
|
||||
#
|
||||
|
||||
[Definition]
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match this kind of request:
|
||||
#
|
||||
# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
|
||||
#
|
||||
failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
|
||||
|
|
|
|||
|
|
@ -1,7 +1,4 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# Author: Yaroslav Halchenko
|
||||
#
|
||||
# Fail2Ban filter for postfix authentication failures
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
|
@ -14,3 +11,4 @@ _daemon = postfix/smtpd
|
|||
|
||||
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
|
||||
|
||||
# Author: Yaroslav Halchenko
|
||||
|
|
|
|||
|
|
@ -1,6 +1,4 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# Author: Cyril Jaquier
|
||||
# Fail2Ban filter for selected Postfix SMTP rejections
|
||||
#
|
||||
#
|
||||
|
||||
|
|
@ -10,24 +8,14 @@
|
|||
# common.local
|
||||
before = common.conf
|
||||
|
||||
|
||||
[Definition]
|
||||
|
||||
_daemon = postfix/smtpd
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
|
||||
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
|
||||
^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
# Author: Cyril Jaquier
|
||||
|
|
|
|||
|
|
@ -1,7 +1,4 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# Author: Yaroslav Halchenko
|
||||
# Daniel Black - hardening of regex
|
||||
# Fail2Ban fitler for the Proftpd FTP daemon
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
|
@ -20,3 +17,6 @@ failregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .*: no
|
|||
^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$
|
||||
|
||||
ignoreregex =
|
||||
|
||||
# Author: Yaroslav Halchenko
|
||||
# Daniel Black - hardening of regex
|
||||
|
|
|
|||
|
|
@ -1,7 +1,5 @@
|
|||
# Fail2Ban configuration file
|
||||
# Fail2Ban filter for pureftp
|
||||
#
|
||||
# Author: Cyril Jaquier
|
||||
# Modified: Yaroslav Halchenko for pure-ftpd
|
||||
#
|
||||
#
|
||||
[INCLUDES]
|
||||
|
|
@ -13,22 +11,9 @@ before = common.conf
|
|||
# Error message specified in multiple languages
|
||||
__errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)
|
||||
|
||||
#
|
||||
# Option: failregex
|
||||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
#
|
||||
_daemon = pure-ftpd
|
||||
|
||||
failregex = ^%(__prefix_line)s\(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
# Author: Cyril Jaquier
|
||||
# Modified: Yaroslav Halchenko for pure-ftpd
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
# Fail2Ban configuration file
|
||||
# Fail2Ban filters for qmail RBL patches/fake proxies
|
||||
#
|
||||
# Author: Daniel Black
|
||||
# the default djb RBL implementation doesn't log any rejections
|
||||
# so is useless with this filter.
|
||||
#
|
||||
# One patch is here:
|
||||
#
|
||||
# http://www.tjsi.com/rblsmtpd/faq/ patch to rblsmtpd
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
|
|
@ -12,11 +15,17 @@ before = common.conf
|
|||
|
||||
_daemon = (?:qmail|rblsmtpd)
|
||||
|
||||
#
|
||||
# These seem to be for two or 3 different patches to qmail or rblsmtpd
|
||||
# so you'll probably only ever see one of these.
|
||||
|
||||
failregex = ^%(__prefix_line)s\d+\.\d+ rblsmtpd: <HOST> pid \d+ \S+ 4\d\d \S+\s*$
|
||||
^%(__prefix_line)s\d+\.\d+ qmail-smtpd: 4\d\d badiprbl: ip <HOST> rbl: \S+\s*$
|
||||
^%(__prefix_line)s\S+ blocked <HOST> \S+ -\s*$
|
||||
|
||||
ignoreregex =
|
||||
|
||||
# DEV Notes:
|
||||
#
|
||||
# These seem to be for two or 3 different patches to qmail or rblsmtpd
|
||||
# so you'll probably only ever see one of these regex's that match.
|
||||
#
|
||||
# ref: https://github.com/fail2ban/fail2ban/pull/386
|
||||
#
|
||||
# Author: Daniel Black
|
||||
|
|
|
|||
|
|
@ -1,9 +1,8 @@
|
|||
# Fail2Ban configuration file
|
||||
# Fail2Ban filter for repeat bans
|
||||
#
|
||||
# Author: Tom Hendrikx, modifications by Amir Caspi
|
||||
#
|
||||
# This filter monitors the fail2ban log file, and enables you to add long
|
||||
# time bans for ip addresses that get banned by fail2ban multiple times.
|
||||
#
|
||||
# Reasons to use this: block very persistent attackers for a longer time,
|
||||
# stop receiving email notifications about the same attacker over and
|
||||
# over again.
|
||||
|
|
@ -13,8 +12,6 @@
|
|||
# drawbacks, namely in that it works only with iptables, or if you use a
|
||||
# different blocking mechanism for this jail versus others (e.g. hostsdeny
|
||||
# for most jails, and shorewall for this one).
|
||||
#
|
||||
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
|
|
@ -26,10 +23,10 @@ before = common.conf
|
|||
|
||||
_daemon = fail2ban\.actions
|
||||
|
||||
|
||||
# The name of the jail that this filter is used for. In jail.conf, name the
|
||||
# jail using this filter 'recidive', or change this line!
|
||||
_jailname = recidive
|
||||
|
||||
failregex = ^(%(__prefix_line)s|,\d{3} fail2ban.actions:\s+)WARNING\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
|
||||
|
||||
# Author: Tom Hendrikx, modifications by Amir Caspi
|
||||
|
|
|
|||
|
|
@ -1,6 +1,5 @@
|
|||
# Fail2Ban configuration file for roundcube web server
|
||||
#
|
||||
# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge
|
||||
#
|
||||
#
|
||||
|
||||
|
|
@ -10,17 +9,8 @@ before = common.conf
|
|||
|
||||
[Definition]
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match the password failure messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = ^\s*(\[(\s[+-][0-9]{4})?\])?(%(__hostname)s roundcube: IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. AUTHENTICATE .*)?\s*$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge
|
||||
|
|
|
|||
|
|
@ -1,7 +1,5 @@
|
|||
# Fail2Ban configuration file for generic SELinux audit messages
|
||||
#
|
||||
# Author: Daniel Black
|
||||
#
|
||||
# This file is not intended to be used directly, and should be included into a
|
||||
# filter file which would define following variables. See selinux-ssh.conf as
|
||||
# and example.
|
||||
|
|
@ -13,9 +11,11 @@
|
|||
# _msg
|
||||
#
|
||||
# Also one of these variables must include <HOST>.
|
||||
#
|
||||
|
||||
[Definition]
|
||||
|
||||
failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$
|
||||
|
||||
ignoreregex =
|
||||
|
||||
# Author: Daniel Black
|
||||
|
|
|
|||
|
|
@ -1,11 +1,6 @@
|
|||
# Fail2Ban configuration file for SELinux ssh authentication errors
|
||||
#
|
||||
# Author: Daniel Black
|
||||
#
|
||||
#
|
||||
# Note: USER_LOGIN is ignored as this is the duplicate messsage
|
||||
# ssh logs after 3 USER_AUTH failures.
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
after = selinux-common.conf
|
||||
|
|
@ -22,3 +17,9 @@ _terminal = ssh
|
|||
|
||||
_msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr=<HOST> terminal=%(_terminal)s res=failed
|
||||
|
||||
# DEV Notes:
|
||||
#
|
||||
# Note: USER_LOGIN is ignored as this is the duplicate messsage
|
||||
# ssh logs after 3 USER_AUTH failures.
|
||||
#
|
||||
# Author: Daniel Black
|
||||
|
|
|
|||
|
|
@ -1,7 +1,4 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# Author: Jan Wagner <waja@cyconet.org>
|
||||
#
|
||||
# Fail2Ban filter for sieve authentication failures
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
|
@ -10,21 +7,12 @@
|
|||
# common.local
|
||||
before = common.conf
|
||||
|
||||
|
||||
[Definition]
|
||||
|
||||
_deamon = (?:cyrus/)?(?:tim)?sieved?
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching.
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ authentication failure$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
# Author: Jan Wagner <waja@cyconet.org>
|
||||
|
|
|
|||
|
|
@ -1,20 +1,17 @@
|
|||
# /etc/fail2ban/filter.d/sogo-auth.conf
|
||||
#
|
||||
# Fail2Ban configuration file
|
||||
# By Arnd Brandes
|
||||
# SOGo
|
||||
# Fail2ban filter for SOGo authentcation
|
||||
#
|
||||
# Log file usually in /var/log/sogo/sogo.log
|
||||
|
||||
[Definition]
|
||||
# Option: failregex
|
||||
# Filter Ban in /var/log/sogo/sogo.log
|
||||
# Note: the error log may contain multiple hosts, whereas the first one
|
||||
# is the client and all others are poxys. We match the first one, only
|
||||
|
||||
failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '<HOST>' for user '.*' might not have worked( - password policy: \d* grace: -?\d* expire: -?\d* bound: -?\d*)?\s*$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
#
|
||||
# DEV Notes:
|
||||
#
|
||||
# The error log may contain multiple hosts, whereas the first one
|
||||
# is the client and all others are poxys. We match the first one, only
|
||||
#
|
||||
# Author: Arnd Brandes
|
||||
|
|
|
|||
|
|
@ -1,6 +1,4 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# Author: Yaroslav Halchenko
|
||||
# Fail2Ban ssh filter for at attempted exploit
|
||||
#
|
||||
# The regex here also relates to a exploit:
|
||||
#
|
||||
|
|
@ -20,17 +18,8 @@ before = common.conf
|
|||
|
||||
_daemon = sshd
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = ^%(__prefix_line)sDid not receive identification string from <HOST>\s*$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
# Author: Yaroslav Halchenko
|
||||
|
|
|
|||
|
|
@ -1,7 +1,4 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# Author: Cyril Jaquier
|
||||
#
|
||||
# Fail2Ban filter for openssh
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
|
@ -15,15 +12,6 @@ before = common.conf
|
|||
|
||||
_daemon = sshd
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
#
|
||||
|
||||
failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
|
||||
^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
|
||||
^%(__prefix_line)sFailed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .{0,100}|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".{0,100}", client host ".{0,100}")?))?\s*$
|
||||
|
|
@ -36,8 +24,6 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|erro
|
|||
^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
|
||||
^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# Fail2Ban configuration file
|
||||
# Fail2Ban filter for suhosian PHP hardening
|
||||
#
|
||||
# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
|
||||
# This occurs with lighttpd or directly from the plugin
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
|
@ -14,18 +14,15 @@ before = common.conf
|
|||
|
||||
_daemon = (?:lighttpd|suhosin)
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match ALERTS as notified by lighttpd's FastCGI Module
|
||||
# Values: TEXT
|
||||
#
|
||||
# https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161
|
||||
|
||||
_lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s)
|
||||
|
||||
failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .* \(attacker '<HOST>', file '.*'(?:, line \d+)?\)$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
# DEV Notes:
|
||||
#
|
||||
# https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161
|
||||
#
|
||||
# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
|
||||
|
|
|
|||
|
|
@ -1,7 +1,6 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# Author: Amir Caspi
|
||||
# Fail2Ban filter for uwimap
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
before = common.conf
|
||||
|
|
@ -14,3 +13,5 @@ failregex = ^%(__prefix_line)sLogin (?:failed|excessive login failures|disabled|
|
|||
^%(__prefix_line)sFailed .* override of user=.* host=.*\[<HOST>\]\s*$
|
||||
|
||||
ignoreregex =
|
||||
|
||||
# Author: Amir Caspi
|
||||
|
|
|
|||
|
|
@ -1,7 +1,4 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# Author: Cyril Jaquier
|
||||
#
|
||||
# Fail2Ban filter for vsftp
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
|
@ -13,18 +10,9 @@ before = common.conf
|
|||
__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
|
||||
_daemon = vsftpd
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
|
||||
^ \[pid \d+\] \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
# Author: Cyril Jaquier
|
||||
|
|
|
|||
|
|
@ -1,8 +1,4 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# Author: Cyril Jaquier
|
||||
# Rule by : Delvit Guillaume
|
||||
#
|
||||
# Fail2Ban filter for webmin
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
|
@ -15,10 +11,14 @@ _daemon = webmin
|
|||
|
||||
[Definition]
|
||||
|
||||
# patern : webmin[15673]: Non-existent login as toto from 86.0.6.217
|
||||
# webmin[29544]: Invalid login as root from 86.0.6.217
|
||||
#
|
||||
failregex = ^%(__prefix_line)sNon-existent login as .+ from <HOST>\s*$
|
||||
^%(__prefix_line)sInvalid login as .+ from <HOST>\s*$
|
||||
|
||||
ignoreregex =
|
||||
|
||||
# DEV Notes:
|
||||
#
|
||||
# pattern : webmin[15673]: Non-existent login as toto from 86.0.6.217
|
||||
# webmin[29544]: Invalid login as root from 86.0.6.217
|
||||
#
|
||||
# Rule Author: Delvit Guillaume
|
||||
|
|
|
|||
|
|
@ -1,7 +1,5 @@
|
|||
# Fail2Ban configuration file for wuftpd
|
||||
#
|
||||
# Author: Yaroslav Halchenko
|
||||
#
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
|
@ -14,14 +12,8 @@ before = common.conf
|
|||
|
||||
_daemon = wu-ftpd
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match the password failures messages in the logfile.
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = ^%(__prefix_line)sfailed login from \S+ \[<HOST>\]\s*$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
# Author: Yaroslav Halchenko
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# Fail2Ban configuration file
|
||||
# Fail2Ban filter for xinetd failures
|
||||
#
|
||||
# Author: Guido Bozzetto
|
||||
# Cfr.: /var/log/(daemon\.|sys)log
|
||||
#
|
||||
#
|
||||
|
||||
|
|
@ -10,29 +10,18 @@
|
|||
# common.local
|
||||
before = common.conf
|
||||
|
||||
|
||||
[Definition]
|
||||
|
||||
_daemon = xinetd
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
# Cfr.: /var/log/(daemon\.|sys)log
|
||||
# libwrap => tcp wrappers: hosts.(allow|deny)
|
||||
# address => xinetd: deny_from|only_from
|
||||
# load => xinetd: max_load (temporary problem)
|
||||
#
|
||||
|
||||
failregex = ^%(__prefix_line)sFAIL: \S+ address from=<HOST>$
|
||||
^%(__prefix_line)sFAIL: \S+ libwrap from=<HOST>$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
# DEV Notes:
|
||||
#
|
||||
# libwrap => tcp wrappers: hosts.(allow|deny)
|
||||
# address => xinetd: deny_from|only_from
|
||||
#
|
||||
# Author: Guido Bozzetto
|
||||
|
|
|
|||
Loading…
Reference in a new issue