Commit graph

2043 commits

Author SHA1 Message Date
sebres
eb7ed973ef filter.d/nginx-http-auth.conf: modes fallback and aggressive extended to match more SSL failures, see gh-4142 (amend to gh-2881) 2026-02-12 13:53:57 +01:00
Sergey G. Brester
3bead7c011
Update comments in action
jail.conf shall be unmodified (jails are ideally in jail.local or jail.d/*.conf)
2026-02-02 03:04:25 +01:00
Chris Caron
05f6ad4fcc small fix to url for Apprise doc source 2026-02-01 20:52:06 -05:00
Sergey G. Brester
025adbf485
fixes apprise action configuration examples 2026-02-02 02:37:26 +01:00
Chris Caron
1a802bee93 further feedback from PR 2026-02-01 20:18:07 -05:00
Chris Caron
36e28359ed fixed spelling 2026-02-01 19:51:26 -05:00
Chris Caron
8a8afefd70 applied updates based on PR feedback 2026-02-01 19:45:44 -05:00
Chris Caron
6cdb5738ec improved apprise fail2ban integration (support tagging) 2026-01-28 21:49:42 -05:00
sebres
8506e4a41d action.d/nftables.conf - fixed for SELinux without execmem permission, rewrite capturing with grep -P using grep -E or sed;
(PCRE-JIT by `grep -P` may cause SELinux denial for execmem), closes gh-4137
2026-01-23 21:23:58 +01:00
Sergey G. Brester
45453826a3
small amend with missing newline 2025-12-07 01:18:04 +01:00
Sergey G. Brester
2f0e05a0d7
Merge branch 'master' into master 2025-12-07 01:14:39 +01:00
sebres
ef65652671 filter.d/apache-badbots.conf, filter.d/apache-fakegooglebot.conf - regexs fixed to match lines with vhost in accesslog;
closes gh-1594
2025-11-28 22:27:06 +01:00
sebres
bfafd12c59 filter.d/apache-badbots.conf, filter.d/apache-fakegooglebot.conf - rewrite apache access-log REs more strict (remove catch-alls) 2025-11-28 22:16:23 +01:00
sebres
13563fd09b combine both REs to single RE, no prefregex needed here 2025-09-24 16:23:05 +02:00
sebres
a9401233dd code review, make it backwards compatible to logging type=1 (as suggested in https://github.com/fail2ban/fail2ban/issues/2926#issuecomment-774780120); use by default type=2 2025-09-24 16:09:42 +02:00
para-do-x
abdd0d4b25 Update jail.conf for froxlor-auth
Changed logpath to syslog_user for froxlor-auth
2025-09-24 15:59:18 +02:00
para-do-x
897b21a4c5 Update froxlor-auth.conf
updated the regex to the new logging situation for froxlor.
2025-09-24 15:59:17 +02:00
sebres
65668b8ed8 filter.d/postfix.conf - modes ddos and aggressive extended to match rate limit exceeded for connection or message delivery request rates;
closes gh-3265;
closes gh-4073;
2025-09-23 12:18:45 +02:00
sebres
2856092709 filter.d/postfix.conf - use common prefix instead of NOQUEUE for all modes, outside of mdpr-<mode> in prefregex (amend to gh-4072) 2025-09-18 15:01:05 +02:00
Ulrich Müller
0fee8dbe92 filter.d/postfix.conf: Add optional "NOQUEUE:" to mdpr-ddos
The current regex doesn't match the following log entry, seen with
Postfix 3.10.2:

Sep 17 18:19:20 mxhost postfix/smtpd[12345]: NOQUEUE: lost connection after CONNECT from unknown[192.0.2.25]
Sep 17 18:19:20 mxhost postfix/smtpd[12345]: disconnect from unknown[192.0.2.25] commands=0/0
2025-09-18 08:23:45 +02:00
Sergey G. Brester
6c47bf6461
Merge pull request #4068 from billfor/xarf
fix `dig` to filter out warnings and prevent them from being injected as emails
2025-09-15 17:23:32 +02:00
sebres
9534bdac37 filter.d/nginx-http-auth.conf: filter rewritten and extended:
- with `prefregex` to capture content of error only (bypass common prefix and suffix, like server, request, host, referrer);
  - to match PAM authentication failures (gh-4071)
2025-09-15 16:14:22 +02:00
Sergey G. Brester
85cfb81782
let's see an error (with debug messages) in debug case 2025-09-10 20:04:10 +02:00
bill
3d23a44bb1 fix dig to filter out warnings from email address capture 2025-09-10 13:27:30 -04:00
sebres
26b91862fc introduces a parameter mta_dname (default \S+) to allow more complex REs to match custom MTA daemon names (e.g. with spaces etc) 2025-09-02 19:41:40 +02:00
sebres
13876e93ad fixes the inconsistency with F-MLFID ("ID" matched by (?:\w{14,20}: )? is optional in message); simplify PR 2025-09-02 19:11:04 +02:00
bill
9e72e78f34 filter.d/sendmail-reject.conf: support BSD log format. match user unknown messages. add aggressive mode for lost input channel and relaying denied messages 2025-09-01 22:34:53 -04:00
sebres
c26fda9dbb filter.d/dovecot.conf: new matches in aggressive mode:
- new variant for `no auth attempts in X secs` with `Login aborted` and `(no_auth_attempts)`;
- covered `disconnected during TLS handshake` with `no application protocol` and `no shared cipher`.
2025-08-23 20:16:40 +02:00
Sergey G. Brester
77ba28bae1
Merge pull request #3291 from ttyS4/patch-1
nftables.conf - add support for cidr notation and address ranges
2025-08-08 10:23:08 +02:00
Sergey G. Brester
eb80b895d1
provides flags interval as addr_options now 2025-08-08 10:10:40 +02:00
Bill
6120a731d9
update nginx limit-req filter again (#4048)
amend to #4047 - removes unused ngx_limit_con_zones parameter.
2025-08-04 21:16:26 +02:00
Sergey G. Brester
e16e982a45
Merge pull request #4047 from billfor/nginx
Update nginx-limit-req filter (extended to ban hosts failed by limit connection in ngx_http_limit_conn_module);
closes gh-3674
2025-08-04 11:34:35 +02:00
Sergey G. Brester
e6516fd2b3
combine 2 REs to single regex
closes gh-3674
2025-08-04 11:24:51 +02:00
bill
0a91bf69a5 add filter for delayed requests and connection limiting 2025-08-04 00:27:45 -04:00
sebres
d86a7aecca amend to #3979: removed mistaken double pipes in group matches 2025-07-31 17:38:28 +02:00
sebres
ff3eca1d61 * Merge pull request #3527 from vafgoettlich/master
(partial merge, only postfix-backend)
2025-07-24 11:17:05 +02:00
sebres
0b255a8723 Merge pull request #3527 from vafgoettlich/master
(partial merge, only postfix-backend)
2025-07-24 11:14:03 +02:00
Sergey G. Brester
6d3bfa8781
revert RE back, but relive the end-anchor a bit (ignore any text without single quote, so also preventing false match by injection on foreign data) 2025-07-20 15:04:15 +02:00
177ac
e97df4672a filter.d/asterisk: fix regex to match "No matching endpoint found" with retry info 2025-07-20 18:05:35 +09:00
sebres
b710d5b6c7 filter.d/sendmail-reject.conf - also recognize "Domain of sender address ... does not resolve";
closes gh-4035
2025-07-13 01:03:53 +02:00
Sergey G. Brester
8a4f373617
integrate new RE in already existing (combine new and old format) 2025-06-15 18:07:43 +02:00
Nic Boet
04ff4c060c Dovecot 2.4 filter support
Dovecot 2.4 release is a major upgrade
Logger event structure has changed, all messages are now
prefixed with:

        "Login aborted: " <reason> "auth failed"

Maintain 2.3 support as many folks have yet to migrate,
community edition is still receiving critical security patches

Dovecot 2.4.1
Python 3.12.10

Signed-off-by: Nic Boet <nic@boet.cc>
2025-06-13 16:44:57 -05:00
pzl
a5d7127109
construct smtp.py email wrap long lines
RFC 5322 2.1.1 requires <=998 chars per line.
If matches are included, and are very long lines,
the email will be rejected. Constructing the mail
as a message instead of a subpart (mimetext) fixes this
2025-05-20 14:55:03 -04:00
Sergey G. Brester
f7aaaf50b8
filter.d/exim.conf: colon must be outside of F-RCPT group 2025-04-27 23:00:09 +02:00
Sergey G. Brester
52d239483d
typo 2025-04-16 17:18:36 +02:00
sebres
cbe14c70c5 iptables.conf rewritten to affect all derivative actions (multiple chains are also supported by iptables-ipset etc);
iptables-xt_recent-echo.conf adjusted to be compatible to new syntax of inherited iptables.conf;
test coverage fixed to new handling
2025-04-16 16:56:46 +02:00
Arnaud
37f72f88ef Reverting chains to chain in order to preserve backward compatibility
backing to the option named "chain", using "iteredchain" a new variable to iterate over.
2025-04-16 16:06:29 +02:00
Arnaud
139151ec81 Update iptables.conf - allow bans to be effective on multiple chains at the same time
This patch allows the ban to be applied on the INPUT and the FORWARD chain at the time. May be useful at least on routing devices and on docker hosting machines.
2025-04-16 16:06:28 +02:00
sebres
c76e90fbb1 * Merge pull request #3940 from exim-pr-mode-more
`filter.d/exim.conf` - fewer REs by default, introduces mode `more`
2025-04-02 15:11:38 +02:00
Sergey G. Brester
6104444bb4
improve regex (anchored from left, no catch-alls, <ADDR> for IP, etc) 2025-04-01 17:28:58 +02:00