daily autocommit
This commit is contained in:
@@ -1,47 +0,0 @@
|
||||
# Fail2Ban filter Dovecot authentication and pop3/imap server
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
before = common.conf
|
||||
|
||||
[Definition]
|
||||
|
||||
_auth_worker = (?:dovecot: )?auth(?:-worker)?
|
||||
_daemon = (?:dovecot(?:-auth)?|auth)
|
||||
|
||||
prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?<F-CONTENT>.+</F-CONTENT>$
|
||||
|
||||
failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
|
||||
^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
|
||||
^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$
|
||||
^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials|Password mismatch)
|
||||
<mdre-<mode>>
|
||||
|
||||
mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
|
||||
|
||||
mdre-normal =
|
||||
|
||||
# Parameter `mode` - `normal` or `aggressive`.
|
||||
# Aggressive mode can be used to match log-entries like:
|
||||
# 'no auth attempts', 'disconnected before auth was ready', 'client didn't finish SASL auth'.
|
||||
# Note it may produce lots of false positives on misconfigured MTAs.
|
||||
# Ex.:
|
||||
# filter = dovecot[mode=aggressive]
|
||||
mode = normal
|
||||
|
||||
ignoreregex =
|
||||
|
||||
journalmatch = _SYSTEMD_UNIT=dovecot.service
|
||||
|
||||
datepattern = {^LN-BEG}TAI64N
|
||||
{^LN-BEG}
|
||||
|
||||
# DEV Notes:
|
||||
# * the first regex is essentially a copy of pam-generic.conf
|
||||
# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
|
||||
#
|
||||
# Author: Martin Waschbuesch
|
||||
# Daniel Black (rewrote with begin and end anchors)
|
||||
# Martin O'Neal (added LDAP authentication failure regex)
|
||||
# Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)
|
||||
@@ -1,26 +0,0 @@
|
||||
# Fail2Ban filter Dovecot authentication and pop3/imap server
|
||||
#
|
||||
# based on filter dovecot.conf from fail2ban-0.8.13
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
before = common.conf
|
||||
|
||||
[Definition]
|
||||
|
||||
_daemon = (auth|dovecot(-auth)?|auth-worker)
|
||||
|
||||
failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
|
||||
^%(__prefix_line)s(pop3|imap|managesieve)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity|: Too many invalid commands\.)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
|
||||
^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
|
||||
|
||||
ignoreregex =
|
||||
|
||||
# DEV Notes:
|
||||
# * the first regex is essentially a copy of pam-generic.conf
|
||||
# * Probably doesn't do dovecot sql/ldap backends properly
|
||||
# * Removed the 'no auth attempts' log lines from the matches because produces
|
||||
# lots of false positives on misconfigured MTAs making regexp unuseable
|
||||
#
|
||||
# Author: Martin Waschbuesch
|
||||
# Daniel Black (rewrote with begin and end anchors)
|
||||
@@ -1,38 +0,0 @@
|
||||
#!/usr/bin/env fail2ban-python
|
||||
# Inspired by https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/
|
||||
#
|
||||
# Written in Python to reuse built-in Python batteries and not depend on
|
||||
# presence of host and cut commands
|
||||
#
|
||||
import sys
|
||||
from fail2ban.server.ipdns import DNSUtils, IPAddr
|
||||
|
||||
def process_args(argv):
|
||||
if len(argv) != 2:
|
||||
raise ValueError("Please provide a single IP as an argument. Got: %s\n"
|
||||
% (argv[1:]))
|
||||
ip = argv[1]
|
||||
|
||||
if not IPAddr(ip).isValid:
|
||||
raise ValueError("Argument must be a single valid IP. Got: %s\n"
|
||||
% ip)
|
||||
return ip
|
||||
|
||||
google_ips = None
|
||||
|
||||
def is_googlebot(ip):
|
||||
import re
|
||||
|
||||
host = DNSUtils.ipToName(ip)
|
||||
if not host or not re.match(r'.*\.google(bot)?\.com$', host):
|
||||
return False
|
||||
host_ips = DNSUtils.dnsToIp(host)
|
||||
return (ip in host_ips)
|
||||
|
||||
if __name__ == '__main__': # pragma: no cover
|
||||
try:
|
||||
ret = is_googlebot(process_args(sys.argv))
|
||||
except ValueError as e:
|
||||
sys.stderr.write(str(e))
|
||||
sys.exit(2)
|
||||
sys.exit(0 if ret else 1)
|
||||
@@ -1,50 +0,0 @@
|
||||
# Fail2Ban filter file for named (bind9).
|
||||
#
|
||||
|
||||
# This filter blocks attacks against named (bind9) however it requires special
|
||||
# configuration on bind.
|
||||
#
|
||||
# By default, logging is off with bind9 installation.
|
||||
#
|
||||
# You will need something like this in your named.conf to provide proper logging.
|
||||
#
|
||||
# logging {
|
||||
# channel security_file {
|
||||
# file "/var/log/named/security.log" versions 3 size 30m;
|
||||
# severity dynamic;
|
||||
# print-time yes;
|
||||
# };
|
||||
# category security {
|
||||
# security_file;
|
||||
# };
|
||||
# };
|
||||
|
||||
[Definition]
|
||||
|
||||
# Daemon name
|
||||
_daemon=named
|
||||
|
||||
# Shortcuts for easier comprehension of the failregex
|
||||
|
||||
__pid_re=(?:\[\d+\])
|
||||
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
|
||||
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
|
||||
|
||||
# hostname daemon_id spaces
|
||||
# this can be optional (for instance if we match named native log files)
|
||||
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
|
||||
|
||||
prefregex = ^%(__line_prefix)s(?: error:)?\s*client(?: @\S*)? <HOST>#\S+(?: \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>\s(?:denied|\(NOTAUTH\))\s*$
|
||||
|
||||
failregex = ^(?:view (?:internal|external): )?query(?: \(cache\))?
|
||||
^zone transfer
|
||||
^bad zone transfer request: '\S+/IN': non-authoritative zone
|
||||
|
||||
ignoreregex =
|
||||
|
||||
# DEV Notes:
|
||||
# Trying to generalize the
|
||||
# structure which is general to capture general patterns in log
|
||||
# lines to cover different configurations/distributions
|
||||
#
|
||||
# Author: Yaroslav Halchenko
|
||||
@@ -1,52 +0,0 @@
|
||||
# Fail2Ban filter file for named (bind9).
|
||||
#
|
||||
|
||||
# This filter blocks attacks against named (bind9) however it requires special
|
||||
# configuration on bind.
|
||||
#
|
||||
# By default, logging is off with bind9 installation.
|
||||
#
|
||||
# You will need something like this in your named.conf to provide proper logging.
|
||||
#
|
||||
# logging {
|
||||
# channel security_file {
|
||||
# file "/var/log/named/security.log" versions 3 size 30m;
|
||||
# severity dynamic;
|
||||
# print-time yes;
|
||||
# };
|
||||
# category security {
|
||||
# security_file;
|
||||
# };
|
||||
# };
|
||||
|
||||
[Definition]
|
||||
|
||||
# Daemon name
|
||||
_daemon=named
|
||||
|
||||
# Shortcuts for easier comprehension of the failregex
|
||||
|
||||
__pid_re=(?:\[\d+\])
|
||||
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
|
||||
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
|
||||
|
||||
# hostname daemon_id spaces
|
||||
# this can be optional (for instance if we match named native log files)
|
||||
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
|
||||
|
||||
prefregex = ^%(__line_prefix)s( error:)?\s*client \@\S+ <HOST>#\S+( \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>$
|
||||
|
||||
failregex = ^(view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
|
||||
^zone transfer '\S+/AXFR/\w+' denied\s*$
|
||||
^bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
|
||||
|
||||
ignoreregex =
|
||||
|
||||
# DEV Notes:
|
||||
# Trying to generalize the
|
||||
# structure which is general to capture general patterns in log
|
||||
# lines to cover different configurations/distributions
|
||||
#
|
||||
# (\.\d+)? is a really ugly catch of the microseconds not captured in the date detector
|
||||
#
|
||||
# Author: Yaroslav Halchenko
|
||||
@@ -1,23 +0,0 @@
|
||||
#
|
||||
# Fail2Ban filter to match web requests for selected URLs that don't exist
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
# Load regexes for filtering
|
||||
before = botsearch-common.conf
|
||||
|
||||
[Definition]
|
||||
|
||||
failregex = ^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: <HOST>, server\: \S*\, request: \"(GET|POST|HEAD) \/.*\"
|
||||
|
||||
ignoreregex =
|
||||
|
||||
datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
|
||||
^[^\[]*\[({DATE})
|
||||
{^LN-BEG}
|
||||
|
||||
# DEV Notes:
|
||||
# Based on apache-botsearch filter
|
||||
#
|
||||
# Author: Frantisek Sumsal
|
||||
@@ -1,39 +0,0 @@
|
||||
# Fail2Ban filter for repeat bans
|
||||
#
|
||||
# This filter monitors the fail2ban log file, and enables you to add long
|
||||
# time bans for ip addresses that get banned by fail2ban multiple times.
|
||||
#
|
||||
# Reasons to use this: block very persistent attackers for a longer time,
|
||||
# stop receiving email notifications about the same attacker over and
|
||||
# over again.
|
||||
#
|
||||
# This jail is only useful if you set the 'findtime' and 'bantime' parameters
|
||||
# in jail.conf to a higher value than the other jails. Also, this jail has its
|
||||
# drawbacks, namely in that it works only with iptables, or if you use a
|
||||
# different blocking mechanism for this jail versus others (e.g. hostsdeny
|
||||
# for most jails, and shorewall for this one).
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
# Read common prefixes. If any customizations available -- read them from
|
||||
# common.local
|
||||
before = common.conf
|
||||
|
||||
[Definition]
|
||||
|
||||
_daemon = fail2ban\.actions\s*
|
||||
|
||||
# The name of the jail that this filter is used for. In jail.conf, name the
|
||||
# jail using this filter 'recidive', or change this line!
|
||||
_jailname = recidive
|
||||
|
||||
failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
|
||||
|
||||
#ignoreregex =
|
||||
ignoreregex = \[recidive.*\]\s+Ban\s+<HOST>
|
||||
|
||||
[Init]
|
||||
|
||||
journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5
|
||||
|
||||
# Author: Tom Hendrikx, modifications by Amir Caspi
|
||||
Reference in New Issue
Block a user