Commit graph

1043 commits

Author SHA1 Message Date
Sergey G. Brester
f7aaaf50b8
filter.d/exim.conf: colon must be outside of F-RCPT group 2025-04-27 23:00:09 +02:00
sebres
c76e90fbb1 * Merge pull request #3940 from exim-pr-mode-more
`filter.d/exim.conf` - fewer REs by default, introduces mode `more`
2025-04-02 15:11:38 +02:00
Sergey G. Brester
6104444bb4
improve regex (anchored from left, no catch-alls, <ADDR> for IP, etc) 2025-04-01 17:28:58 +02:00
Rajib Sharia
c7f7bc55bb
Create vaultwarden.conf
Filter for unsuccessful Vaultwarden authentication attempts
2025-04-01 20:36:53 +08:00
sebres
ee421dfbd6 filter.d/apache-noscript.conf - consider new log-format with "AH02811: stderr from /...";
closes gh-3900
2025-03-28 22:52:51 +01:00
sebres
8ae6eaf39a filter.d/postfix.conf - default _daemon in prefix-line is loosened - can match everything starting with word postfix, like postfix-example.com/smtpd;
closes gh-3297
2025-03-10 22:35:26 +01:00
Sergey G. Brester
c035428535
Merge pull request #3954 from luckylittle/feature/systemd-journal-vsftpd
`filter.d/vsftpd.conf` - fixed regex (if failures generated by systemd-journal)
2025-03-04 14:20:01 +01:00
sebres
94fe9cf4a8 more fixes, capture user names, more tests...
since line 7 matches successfully now (it was disabled in gh-358 because of obsolete format), it is marked as match:true (line can be removed later if unneeded)
2025-03-04 14:13:07 +01:00
sebres
1e06ab68b4 fixed filter (new regex is unneeded), tests format of failures produced by system journal 2025-03-04 13:47:59 +01:00
Sergey G. Brester
13a74feaad
2nd RE unneeded, fix single RE - bypass everything before open parenthesis 2025-03-04 13:02:50 +01:00
Lucian Maly
6e3bfd800c
Added author 2025-03-04 12:26:14 +11:00
Lucian Maly
9d7646e6c0
Added author 2025-03-04 12:25:27 +11:00
Lucian Maly
fd1d0d25a8
Added regex for systemd-journal matches of lighttpd-auth 2025-03-04 12:20:24 +11:00
Lucian Maly
65d473fc8e
Added regex for systemd-journal matches of vsftpd 2025-03-04 11:43:38 +11:00
Sergey G. Brester
c88967df2d
filter.d/exim.conf - introduces mode more (several rules moved from mode normal to more), because:
- they have basically nothing with authentication;
- they can cause false positives (e. g. someone sends several mails from google mailing server to wrong recipients and if they would cause "rejected RCPT - Unknown user", the google host gets banned);
- to avoid occasional ban of legitimate servers one'd need to create large white-list for `ignoreip` or construct complex `ignorecommands` to exclude all legitimate servers of big players (like google, microsoft, GMX, etc);
2025-02-13 21:30:04 +01:00
sebres
882e6d5e00 filter.d/exim.conf - mode aggressive extended to catch dropped by ACL failures, e.g. "ACL: Country is banned"
2025-02-10 17:30:07 +01:00
Sergey G. Brester
6fb3532c45
Merge pull request #3931 from brianjmurrell/patch-2
`from '[^']*'` is not always present …
2025-01-30 14:06:00 +01:00
sebres
b55c20594e paths-common.conf: changed default mysql_log path (default logpath of mysqld-auth jail without maintainer overrides); adjusted comments (log_error_verbosity = 3 instead of log-warnings = 2)
closes gh-3932
2025-01-30 14:00:43 +01:00
sebres
d2c60a168f combine several regexes to single RE 2025-01-30 01:13:49 +01:00
sebres
e1fc569291 normalize jail (defaults, etc); added missing tests for all REs; common prefix for failregex, no catch-alls, etc 2025-01-30 01:13:48 +01:00
Philipp Burndorfer
88385eb6c1 New openvpn jail. 2025-01-30 01:13:46 +01:00
Brian J. Murrell
325613a8f8
from '[^']*' is not always present …
In the message from asterisk.

Signed-off-by: Brian J. Murrell <brian@interlinx.bc.ca>
2025-01-28 13:09:29 -05:00
sebres
a796cc9b91 filter.d/dropbear.conf: failregex extended to match different format of "Exit before auth" message;
closes gh-3791
2024-12-27 16:43:33 +01:00
MichaIng
eb8b44370a
Make Dropbear regex more compatible and simpler
Dropbear uses `strftime` `"%b %d %H:%M:%S"` to print its timestamps, hence we know the day and time format, but the month could be localized. We hence allow any 3 word characters for it, and additionally simplify the day and time pattern into a single group.

Signed-off-by: MichaIng <micha@dietpi.com>
2024-12-27 14:00:36 +07:00
MichaIng
dd9f359f5c
Fix Dropbear filter when logging to STDOUT
Since Debian Bookworm, the distribution ships Dropbear with a native systemd service instead of the default upstream init.d service, and accordingly uses the `-F` and `-E` flags, to run it in foreground and have it logging to STDOUT instead of syslog.

As usual, timestamps and also the PID are now included by the log message emitted by Dropbear, in addition to the systemd journal log prefix.

The Dropbear filter hence does not match anymore. This commit adds the PID and timestamp as optional pattern between prefix and fail log text, to support Dropbear on Debian Bookworm and newer (and likely new versions of other distros) without breaking the old pattern when running Dropbear without `-E` flag.

Additionally, for performance reasons, this commit adds a `journalmatch` entry, matching Debian's and Fedora's `dropbear.service` with `dropbear` executable/identifier, the most likely match for a Dropbear systemd service.

Signed-off-by: MichaIng <micha@dietpi.com>
2024-12-27 13:59:35 +07:00
sebres
89b5f3bb1e filter.d/sshd.conf: ddos and aggressive modes, regex extended for timeout before authentication (optional connection from part);
closes gh-3907
2024-12-26 14:24:15 +01:00
sebres
91c27d0600 filter.d/freeswitch.conf: bypass some new info in prefix before [WARNING] (changed default _pref_line);
closes gh-3143
2024-12-04 16:56:23 +01:00
sebres
54c0effceb filter.d/sshd.conf: amend to #3747/#3812 (new ssh version would log with _COMM=sshd-session) 2024-08-11 12:10:12 +02:00
sebres
c769046a1f Revert "filterd./sshd.conf: fixed journalmatch (sshd.service seems to be renamed to ssh.service)" - it'd patched in debian branch.
This reverts commit 6fce23e7ba.
2024-08-11 11:55:39 +02:00
sebres
8e0a2366f0 Fixes unmatched tag (caused unmatched brace); review: combined to single regex, simple case without injection attempts faster, <HOST> replaced with <ADDR> (faster and less vulnerable on complex cases, since it doesn't match text as hostname) etc. 2024-08-10 13:20:18 +02:00
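Added example (not fail2ban's own code and not part of this commit log) illustrating the filter-hardening principles recurring in the commits above: anchoring the regex from the left, avoiding catch-alls, preferring `<ADDR>` (IP only) over `<HOST>` (which also matches hostname-shaped text), and the injection concern named in 8e0a2366f0 (a log field an attacker controls, such as the user name, imitating the tail of a log line). Assumptions: the `HOST`/`ADDR` patterns below are simplified stand-ins for fail2ban's tags, not its real definitions; the sshd-style log lines are constructed and already stripped of the date/prefix part that fail2ban handles separately; `ban_candidate` and the post-validation with `ipaddress` are this example's additions, not fail2ban behaviour.

```python
import ipaddress
import re

# Simplified stand-ins for fail2ban's <HOST> and <ADDR> tags.
# Assumption: these approximate, and do NOT reproduce, fail2ban's real definitions.
HOST = r"(?P<host>[\w\-.:]*\w)"     # hostnames *or* addresses (like <HOST>)
ADDR = (                            # IPv4 or IPv6 only (like <ADDR>), no hostnames
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}"
    r"|[0-9a-fA-F:]*:[0-9a-fA-F:.]*)"
)

# "Before": unanchored, lazy catch-all before the address, hostname-capable capture.
LOOSE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>.*?) from " + HOST
)

# "After": anchored at both ends, address-only capture, fixed trailer. The user
# name is attacker-controlled free text, so the trailing anchor is what forces the
# engine to settle on the *last* "from <ip> port N" (the real peer) rather than
# text an attacker embedded in the user name.
HARDENED = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>.*) from "
    + ADDR
    + r" port \d+(?: ssh\d*)?\s*$"
)

# Constructed sshd-style message parts (date/prefix assumed already stripped).
LOG_LINES = [
    "Failed password for invalid user admin from 192.0.2.7 port 22 ssh2",
    # attacker-chosen user name that imitates the end of a log line
    "Failed password for invalid user admin from 198.51.100.5 port 22 ssh2"
    " from 192.0.2.7 port 22 ssh2",
    # hostname-shaped text where an address belongs
    "Failed password for invalid user bob from not-an-ip.example port 22 ssh2",
    "Failed password for root from ::ffff:203.0.113.9 port 40122 ssh2",
    "Failed password for root from 2001:db8::10 port 22 ssh2",
    # IPv4-shaped but not a valid address
    "Failed password for root from 999.1.1.1 port 22 ssh2",
]


def extract(pattern, line):
    """Raw text captured by the <host> group, or None if the filter does not match."""
    m = pattern.search(line)
    return m.group("host") if m else None


def ban_candidate(line):
    """Hardened extraction plus post-validation: a normalized IP string or None."""
    raw = extract(HARDENED, line)
    if raw is None:
        return None
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:                # e.g. 999.1.1.1 slipped through \d{1,3}
        return None
    mapped = getattr(ip, "ipv4_mapped", None)   # ::ffff:a.b.c.d -> a.b.c.d
    return str(mapped or ip)


def compare(lines=LOG_LINES):
    """(loose capture, hardened ban candidate) for each line."""
    return [(extract(LOOSE, ln), ban_candidate(ln)) for ln in lines]


if __name__ == "__main__":
    for line, (loose, hard) in zip(LOG_LINES, compare()):
        print(f"{line}\n  loose    -> {loose!r}\n  hardened -> {hard!r}")
```

On the injected line the loose pattern yields the spoofed 198.51.100.5 (a ban of an address the attacker chose), while the hardened one yields the real peer 192.0.2.7; on the hostname-shaped line the loose pattern "captures" `not-an-ip.example` and the hardened one declines to match at all, which is the `<ADDR>` property the commit relies on. The `ipaddress` post-check is cheap insurance against the `\d{1,3}` class and malformed IPv6 fragments reaching the ban action.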
Maksim Usmanov | Maks
35afe20ea0
Roundcube 1.4 change log format
From roundcube 1.4 log change format -> e92d8e31a3/program/lib/Roundcube/rcube_imap.php (L194)
2024-08-09 22:53:45 +02:00
sebres
9a558589d7 review (anchoring RE, etc) 2024-07-30 19:16:40 +02:00
Jose
83f2d59eee match numbers 2024-07-30 19:05:56 +02:00
Jose
07a7da8d8e Remove greedy catch-all before HOST 2024-07-30 19:05:55 +02:00
Jose
ca45671db2 Add support to Proxmox Web GUI 2024-07-30 19:04:00 +02:00
sebres
93810fff75 consider CONNECT and other rejected commands as a valid _pref;
closes gh-3800
2024-07-26 19:25:36 +02:00
Sergey G. Brester
50ff131a0f
filter.d/sshd.conf: ungroup (unneeded for _daemon) 2024-07-03 19:35:28 +02:00
Fabian Dellwing
2fed408c05 Adjust sshd filter for OpenSSH 9.8 new daemon name 2024-07-02 08:51:51 +02:00
sebres
59c5e78ce9 filter.d/apache-overflows.conf - consider AH10244: invalid URI path;
closes gh-3778
2024-06-28 12:50:14 +02:00
sebres
a7f3a04b0e filter.d/recidive.conf - restore possibility to set jail name in the filter, _jailname is positive now (but by default it uses now negative lookahead to exclude recidive jail);
closes gh-3769
2024-06-21 13:24:46 +02:00
Sergey G. Brester
6fce23e7ba
filterd./sshd.conf: fixed journalmatch (sshd.service seems to be renamed to ssh.service)
closes gh-3747
2024-06-10 01:40:59 +02:00
sebres
2c13cba73d loosening for denied suffix (would match no matter which reason in parenthesis);
add coverage for denied with "(allow-query-cache did not match)"
2024-03-25 16:35:20 +01:00
Rudimar Remontti
fd7657f9a9 Update named-refused.conf 2024-03-25 16:35:16 +01:00
sebres
1ec9237e53 bypass additional pid in prefix (may be logged by syslog-ng, gh-3060); matches protocol error with authentication mechanism not supported 2024-03-25 15:52:06 +01:00
sebres
c80908837f filter.d/exim.conf:
- messages are prefiltered by `prefregex` now
  - filter can bypass additional timestamp that may be logged via systemd-journal (gh-3060)
2024-03-25 15:31:23 +01:00
Vladimir Varlamov
8da0a99cde pid part may contain full hostname 2024-03-22 22:38:33 +03:00
Vladimir Varlamov
806a27cb4f final <HOST> to <ADDR> conversion 2024-03-22 22:38:33 +03:00
sebres
e605415f61 simplify fields-group a bit (everything up to 4 chars long but H), so it'll be faster (no multiple branches) as well as would theoretically accept future enhancements of logged fields. 2024-03-22 16:47:54 +01:00
sebres
c22a83933b let's use <ADDR> instead of <HOST> - only IPs expected, since host-name bypassed before it (directly after H=) 2024-03-22 16:35:46 +01:00
Vladimir Varlamov
df94ec4c52 filter.d/exim.conf: rewrite host line regex for all varied exim's log_selector states
Depending on Exim's log_selector settings, log lines may contain additional information about the connection. And also the line itself with the address of the remote host can vary greatly. But fortunately, all states can be found in the Exim code itself and taken into account. Makes it easier to add new regexps.
Closes #3263
2024-03-22 00:16:41 +03:00