Commit graph

3494 commits

Author SHA1 Message Date
Daniel Black
273b2f45a3 MRG: remove the "no auth attempts" as per aseques gh-600 2014-01-29 20:43:51 +11:00
Daniel Black
9b614ce486 ENH: dovecot filter enhancements 2014-01-29 20:27:45 +11:00
Joan
9c6aab37d6 As suggested by @grooverdan, grouping the tests and making them false to avoid accidentally reenabling them in the future 2014-01-29 08:32:14 +01:00
Joan
aaa86cd10f As suggested by @grooverdan, grouping the tests and making them false to avoid accidentally reenabling them in the future 2014-01-29 08:31:29 +01:00
Joan
84617fa6da Fixed a failing case 2014-01-28 16:19:35 +01:00
Joan
08171ba52f Removed the -no auth attempts- from the triggers because of lots of FP 2014-01-28 12:44:46 +01:00
Steven Hiscocks
0f318c225e Merge pull request #599 from grooverdan/datecompression
ENH: more datetemplate compression
2014-01-27 13:20:01 -08:00
Daniel Black
a7456377b5 ENH: more datetemplate compression 2014-01-28 08:15:48 +11:00
Daniel Black
cc1a9cc45d BF: match up fail2ban-regex for datedetector/datetemplate changes 2014-01-28 06:59:01 +11:00
Daniel Black
a749a2780e Merge pull request #593 from grooverdan/tine
ENH: Tine20 filter
2014-01-26 18:50:42 -08:00
Daniel Black
7476ebabbd Merge pull request #596 from grooverdan/pureftpd
BF: Pureftpd
2014-01-26 16:52:53 -08:00
Daniel Black
ae98a1f70c Merge pull request #598 from kwirk/date-detector-template-rf
RF: Refactor date detector and date template elements
2014-01-26 16:51:43 -08:00
Steven Hiscocks
e7d4cf6296 TST: Fix dates in ISO8601 being converted back to local time. 2014-01-26 23:37:57 +00:00
Daniel Black
8b51d0c394 ENH: compress DateDetector templates more 2014-01-27 10:10:06 +11:00
Steven Hiscocks
f2ddb3e3d0 RF: Refactor date detector and date template elements
Changes include to use Python class properties, merge some date
patterns, and change ISO8601 date template to DatePatternRegex class.
2014-01-26 22:03:55 +00:00
Daniel Black
1a1e3bec86 ENH: framework for distro paths 2014-01-25 23:25:54 +11:00
Daniel Black
3c48e3f035 DOC: changelog for pure-ftpd filter fixes 2014-01-25 12:22:27 +11:00
Daniel Black
256c732bcd BF/ENH: filter pure-ftpd - re-add _daemon. Add translations
_daemon was accidently removed in
89fd792dfb

Added translations from source code
2014-01-25 12:19:46 +11:00
Daniel Black
1e1261ccb4 MRG: from master 2014-01-23 2014-01-23 17:45:18 +11:00
Daniel Black
ca57427080 BF: firewallcmd-ipset had non-working actioncheck 2014-01-23 17:41:13 +11:00
Daniel Black
c8ae064b79 ENH: tighten regex and change failJSON to support timezone. Closes gh-583 2014-01-22 22:16:03 +11:00
Daniel Black
36d38043ba DOC: thanks Lars for the filter base and log samples 2014-01-22 18:12:48 +11:00
Daniel Black
2063d96e59 MRG: import Lars' PR for tine20 2014-01-22 18:12:19 +11:00
Daniel Black
499b33f8a6 DOC: post release versioning 2014-01-22 08:37:51 +11:00
Daniel Black
819df889d8 Merge pull request #592 from kwirk/python-action-tests
TST+BF: Add tests for python actions, including test for smtp.py
2014-01-20 15:48:08 -08:00
Steven Hiscocks
0fb7921fb1 BF: Tweak python action tests and fix Deprecation Warning 2014-01-20 23:10:43 +00:00
Steven Hiscocks
8221c7ca71 TST+BF: Add tests for python actions, including test for smtp.py
Also fix bug when specifying multiple recipients for smtp.py action
2014-01-20 23:10:43 +00:00
Steven Hiscocks
a0f39255bc BF: Kerio log datepattern fix for recent datepattern full regex merge 2014-01-20 23:00:38 +00:00
Steven Hiscocks
4aa50684ab Merge pull request #581 from kwirk/datetemplate-regroupdict
ENH: Full regex for datepattern, utilising modified Python `_strptime`
2014-01-20 14:53:28 -08:00
Steven Hiscocks
e614a2f4a4 BF: Resolve Deprecation Warnings for python3
Mainly python imp -> importlib for python3.3+, and other minor tweaks
2014-01-20 22:46:17 +00:00
Daniel Black
33dd1733fb DOC: version and release date to 0.8.12 on 2014-01-22 2014-01-19 16:25:23 +11:00
Daniel Black
79da66df5d Merge pull request #591 from grooverdan/master_to_0.9
MRG: Master to 0.9 2014-01-19
2014-01-18 20:12:11 -08:00
Daniel Black
a650178bd1 MRG: merge from master 2014-01-19 2014-01-19 14:48:29 +11:00
Steven Hiscocks
77aab8d97a Merge pull request #590 from grooverdan/kerio
Kerio filter for #120 also fix fail2ban-regex for datepattern
2014-01-18 04:58:58 -08:00
Daniel Black
97c7d391a4 BF: remove duplicate implemenation of reading datepatterns in fail2ban-regex 2014-01-18 23:52:20 +11:00
Daniel Black
10edd994d1 DOC: ChangeLog for kerio filters 2014-01-18 23:21:44 +11:00
Daniel Black
263ac32730 ENH: test log samples for kerio thanks to
Tony Lawrence
2014-01-18 23:18:33 +11:00
Steven Hiscocks
0b4dd6272c Merge pull request #589 from grooverdan/one-bad-regex-gh-585
fault tolerance when pushing multiple configurations
2014-01-18 03:27:52 -08:00
Daniel Black
59b1e225e9 DOC/ENH: update man pages for release 2014-01-18 21:13:55 +11:00
Daniel Black
5ade6a13af DOC: ChangeLog dateing and normalisation 2014-01-18 21:00:24 +11:00
Daniel Black
058621f9bd ENH: continue with rest of fail2ban config even if errors. Closes gh-585 2014-01-18 20:16:38 +11:00
Daniel Black
2647461a3c DOC: ChangeLog. Note incompatible changes and group new filters and actions under New Features 2014-01-18 19:38:25 +11:00
Daniel Black
c6c75dd19e BF: complete MANIFEST 2014-01-18 19:28:21 +11:00
Daniel Black
224e795f4c DOC: note in man page about "last message repeated" syslog compression. Closes Debian bug #620364 2014-01-18 19:12:33 +11:00
Daniel Black
1452be4a3a Merge pull request #588 from grooverdan/badips
ENH: Badips action (reporting)
2014-01-17 23:10:29 -08:00
Daniel Black
f5d6f384f7 Merge pull request #587 from grooverdan/dovecot-586
BF: Dovecot filter fix
2014-01-17 23:10:06 -08:00
Daniel Black
93613e82f0 DOC: credits for action.d/badips 2014-01-15 09:40:18 +11:00
Daniel Black
f566cab766 Merge branch 'master' into badips 2014-01-15 09:37:11 +11:00
Daniel Black
657da2041c BF: dovecot filters, session characters and order of session/tls in log messages 2014-01-15 08:02:47 +11:00
Ivo Truxa
4765bc757c BF Dovecot auth failures
I am sorry, I installed the Win GIT, but still did not learn how to work with it, so am posting here again. This time, I'll avoid posting two pull requests, so please fix the dovecot.filter for me, if you don't mind.

This current filter does not match authentication errors in my Dovecot logs (two different lines attached). First of all the session string is at the end (after the optional TLS string), and not before it as it is now in the filter. I don't see it anywhere in the other logs here in the opposite order, hence I assume it is the rule for all installations. And then, the session ID can include also other characters than those matched by \w+ (i.e. the slash and the plus signs in my case), hence it needs to be \S+ instead. Personally, I'd do the regex much less restrictive than it is, but if I follow the current logics, the following form works:

<pre>^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use disabled \S+ auth)\):( user=&lt;\S*&gt;,)?( method=\S+,)? rip=&lt;HO
ST&gt;, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?(, session=&lt;\S+&gt;)?\s*$</pre>
2014-01-14 17:59:40 +01:00