sebres
eb7ed973ef
filter.d/nginx-http-auth.conf: modes fallback and aggressive extended to match more SSL failures, see gh-4142 (amend to gh-2881)
2026-02-12 13:53:57 +01:00
Sergey G. Brester
3bead7c011
Update comments in action
...
jail.conf shall be unmodified (jails are ideally in jail.local or jail.d/*.conf)
2026-02-02 03:04:25 +01:00
Chris Caron
05f6ad4fcc
small fix to url for Apprise doc source
2026-02-01 20:52:06 -05:00
Sergey G. Brester
025adbf485
fixes apprise action configuration examples
2026-02-02 02:37:26 +01:00
Chris Caron
1a802bee93
further feedback from PR
2026-02-01 20:18:07 -05:00
Chris Caron
36e28359ed
fixed spelling
2026-02-01 19:51:26 -05:00
Chris Caron
8a8afefd70
applied updates based on PR feedback
2026-02-01 19:45:44 -05:00
Chris Caron
6cdb5738ec
improved apprise fail2ban integration (support tagging)
2026-01-28 21:49:42 -05:00
sebres
8506e4a41d
action.d/nftables.conf - fixed for SELinux without execmem permission, rewrite capturing with grep -P using grep -E or sed;
...
(PCRE-JIT by `grep -P` may cause SELinux denial for execmem), closes gh-4137
2026-01-23 21:23:58 +01:00
Sergey G. Brester
45453826a3
small amend with missing newline
2025-12-07 01:18:04 +01:00
Sergey G. Brester
2f0e05a0d7
Merge branch 'master' into master
2025-12-07 01:14:39 +01:00
sebres
ef65652671
filter.d/apache-badbots.conf, filter.d/apache-fakegooglebot.conf - regexes fixed to match lines with vhost in accesslog;
...
closes gh-1594
2025-11-28 22:27:06 +01:00
sebres
bfafd12c59
filter.d/apache-badbots.conf, filter.d/apache-fakegooglebot.conf - rewrite apache access-log REs more strict (remove catch-alls)
2025-11-28 22:16:23 +01:00
sebres
13563fd09b
combine both REs to single RE, no prefregex needed here
2025-09-24 16:23:05 +02:00
sebres
a9401233dd
code review, make it backwards compatible to logging type=1 (as suggested in https://github.com/fail2ban/fail2ban/issues/2926#issuecomment-774780120); use by default type=2
2025-09-24 16:09:42 +02:00
para-do-x
abdd0d4b25
Update jail.conf for froxlor-auth
...
Changed logpath to syslog_user for froxlor-auth
2025-09-24 15:59:18 +02:00
para-do-x
897b21a4c5
Update froxlor-auth.conf
...
updated the regex to the new logging situation for froxlor.
2025-09-24 15:59:17 +02:00
sebres
65668b8ed8
filter.d/postfix.conf - modes ddos and aggressive extended to match rate limit exceeded for connection or message delivery request rates;
...
closes gh-3265;
closes gh-4073;
2025-09-23 12:18:45 +02:00
sebres
2856092709
filter.d/postfix.conf - use common prefix instead of NOQUEUE for all modes, outside of mdpr-<mode> in prefregex (amend to gh-4072)
2025-09-18 15:01:05 +02:00
Ulrich Müller
0fee8dbe92
filter.d/postfix.conf: Add optional "NOQUEUE:" to mdpr-ddos
...
The current regex doesn't match the following log entry, seen with
Postfix 3.10.2:
Sep 17 18:19:20 mxhost postfix/smtpd[12345]: NOQUEUE: lost connection after CONNECT from unknown[192.0.2.25]
Sep 17 18:19:20 mxhost postfix/smtpd[12345]: disconnect from unknown[192.0.2.25] commands=0/0
2025-09-18 08:23:45 +02:00
Sergey G. Brester
6c47bf6461
Merge pull request #4068 from billfor/xarf
...
fix `dig` to filter out warnings and prevent them from being injected as emails
2025-09-15 17:23:32 +02:00
sebres
9534bdac37
filter.d/nginx-http-auth.conf: filter rewritten and extended:
...
- with `prefregex` to capture content of error only (bypass common prefix and suffix, like server, request, host, referrer);
- to match PAM authentication failures (gh-4071)
2025-09-15 16:14:22 +02:00
Sergey G. Brester
85cfb81782
let's see an error (with debug messages) in debug case
2025-09-10 20:04:10 +02:00
bill
3d23a44bb1
fix dig to filter out warnings from email address capture
2025-09-10 13:27:30 -04:00
sebres
26b91862fc
introduces a parameter mta_dname (default \S+) to allow more complex REs to match custom MTA daemon names (e.g. with spaces etc)
2025-09-02 19:41:40 +02:00
sebres
13876e93ad
fixes the inconsistency with F-MLFID ("ID" matched by (?:\w{14,20}: )? is optional in message); simplify PR
2025-09-02 19:11:04 +02:00
bill
9e72e78f34
filter.d/sendmail-reject.conf: support BSD log format. match user unknown messages. add aggressive mode for lost input channel and relaying denied messages
2025-09-01 22:34:53 -04:00
sebres
c26fda9dbb
filter.d/dovecot.conf: new matches in aggressive mode:
...
- new variant for `no auth attempts in X secs` with `Login aborted` and `(no_auth_attempts)`;
- covered `disconnected during TLS handshake` with `no application protocol` and `no shared cipher`.
2025-08-23 20:16:40 +02:00
Sergey G. Brester
77ba28bae1
Merge pull request #3291 from ttyS4/patch-1
...
nftables.conf - add support for cidr notation and address ranges
2025-08-08 10:23:08 +02:00
Sergey G. Brester
eb80b895d1
provides flags interval as addr_options now
2025-08-08 10:10:40 +02:00
Bill
6120a731d9
update nginx limit-req filter again (#4048)
...
amend to #4047 - removes unused ngx_limit_con_zones parameter.
2025-08-04 21:16:26 +02:00
Sergey G. Brester
e16e982a45
Merge pull request #4047 from billfor/nginx
...
Update nginx-limit-req filter (extended to ban hosts failed by limit connection in ngx_http_limit_conn_module);
closes gh-3674
2025-08-04 11:34:35 +02:00
Sergey G. Brester
e6516fd2b3
combine 2 REs to single regex
...
closes gh-3674
2025-08-04 11:24:51 +02:00
bill
0a91bf69a5
add filter for delayed requests and connection limiting
2025-08-04 00:27:45 -04:00
sebres
d86a7aecca
amend to #3979: removed mistaken double pipes in group matches
2025-07-31 17:38:28 +02:00
sebres
ff3eca1d61
* Merge pull request #3527 from vafgoettlich/master
...
(partial merge, only postfix-backend)
2025-07-24 11:17:05 +02:00
sebres
0b255a8723
Merge pull request #3527 from vafgoettlich/master
...
(partial merge, only postfix-backend)
2025-07-24 11:14:03 +02:00
Sergey G. Brester
6d3bfa8781
revert RE back, but relieve the end-anchor a bit (ignore any text without single quote, so also preventing false match by injection on foreign data)
2025-07-20 15:04:15 +02:00
177ac
e97df4672a
filter.d/asterisk: fix regex to match "No matching endpoint found" with retry info
2025-07-20 18:05:35 +09:00
sebres
b710d5b6c7
filter.d/sendmail-reject.conf - also recognize "Domain of sender address ... does not resolve";
...
closes gh-4035
2025-07-13 01:03:53 +02:00
Sergey G. Brester
8a4f373617
integrate new RE in already existing (combine new and old format)
2025-06-15 18:07:43 +02:00
Nic Boet
04ff4c060c
Dovecot 2.4 filter support
...
Dovecot 2.4 release is a major upgrade
Logger event structure has changed, all messages are now
prefixed with:
"Login aborted: " <reason> "auth failed"
Maintain 2.3 support as many folks have yet to migrate,
community edition is still receiving critical security patches
Dovecot 2.4.1
Python 3.12.10
Signed-off-by: Nic Boet <nic@boet.cc>
2025-06-13 16:44:57 -05:00
pzl
a5d7127109
construct smtp.py email wrap long lines
...
RFC 5322 2.1.1 requires <=998 chars per line.
If matches are included, and are very long lines,
the email will be rejected. Constructing the mail
as a message instead of a subpart (mimetext) fixes this
2025-05-20 14:55:03 -04:00
Sergey G. Brester
f7aaaf50b8
filter.d/exim.conf: colon must be outside of F-RCPT group
2025-04-27 23:00:09 +02:00
Sergey G. Brester
52d239483d
typo
2025-04-16 17:18:36 +02:00
sebres
cbe14c70c5
iptables.conf rewritten to affect all derivative actions (multiple chains are also supported by iptables-ipset etc);
...
iptables-xt_recent-echo.conf adjusted to be compatible to new syntax of inherited iptables.conf;
test coverage fixed to new handling
2025-04-16 16:56:46 +02:00
Arnaud
37f72f88ef
Reverting chains to chain in order to preserve backward compatibility
...
backing to the option named "chain", using "iteredchain" a new variable to iterate over.
2025-04-16 16:06:29 +02:00
Arnaud
139151ec81
Update iptables.conf - allow bans to be effective on multiple chains at the same time
...
This patch allows the ban to be applied on the INPUT and the FORWARD chain at the time. May be useful at least on routing devices and on docker hosting machines.
2025-04-16 16:06:28 +02:00
sebres
c76e90fbb1
* Merge pull request #3940 from exim-pr-mode-more
...
`filter.d/exim.conf` - fewer REs by default, introduces mode `more`
2025-04-02 15:11:38 +02:00
Sergey G. Brester
6104444bb4
improve regex (anchored from left, no catch-alls, <ADDR> for IP, etc)
2025-04-01 17:28:58 +02:00