From: <yar...@us...> - 2011-09-24 02:28:51
|
Revision: 784 http://fail2ban.svn.sourceforge.net/fail2ban/?rev=784&view=rev Author: yarikoptic Date: 2011-09-24 02:28:45 +0000 (Sat, 24 Sep 2011) Log Message: ----------- BF: Lock server's executeCmd to prevent racing among iptables calls (Closes: #554162) Many kudos go to Michael Saavedra for the solution and the patch. Modified Paths: -------------- branches/FAIL2BAN-0_8/server/action.py Modified: branches/FAIL2BAN-0_8/server/action.py =================================================================== --- branches/FAIL2BAN-0_8/server/action.py 2011-08-07 02:41:08 UTC (rev 783) +++ branches/FAIL2BAN-0_8/server/action.py 2011-09-24 02:28:45 UTC (rev 784) @@ -25,11 +25,15 @@ __license__ = "GPL" import logging, os +import threading #from subprocess import call # Gets the instance of the logger. logSys = logging.getLogger("fail2ban.actions.action") +# Create a lock for running system commands +_cmd_lock = threading.Lock() + ## # Execute commands. # 
@@ -301,17 +305,21 @@ #@staticmethod def executeCmd(realCmd): logSys.debug(realCmd) - try: - # The following line gives deadlock with multiple jails - #retcode = call(realCmd, shell=True) - retcode = os.system(realCmd) - if retcode == 0: - logSys.debug("%s returned successfully" % realCmd) - return True - else: - logSys.error("%s returned %x" % (realCmd, retcode)) - except OSError, e: - logSys.error("%s failed with %s" % (realCmd, e)) + _cmd_lock.acquire() + try: # Try wrapped within another try needed for python version < 2.5 + try: + # The following line gives deadlock with multiple jails + #retcode = call(realCmd, shell=True) + retcode = os.system(realCmd) + if retcode == 0: + logSys.debug("%s returned successfully" % realCmd) + return True + else: + logSys.error("%s returned %x" % (realCmd, retcode)) + except OSError, e: + logSys.error("%s failed with %s" % (realCmd, e)) + finally: + _cmd_lock.release() return False executeCmd = staticmethod(executeCmd) This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
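Review bot: In executeCmd, _cmd_lock is held for the whole os.system(realCmd) call and is shared by every action command that goes through this method, not only the iptables ones named in the log message. A slow or hanging command in one jail will therefore hold up ban and unban commands in all other jails. The comment at the lock's definition ("Create a lock for running system commands") should state that this serialization is deliberate and exists to stop concurrent iptables calls from racing. The older remark "The following line gives deadlock with multiple jails" next to the commented-out call() is worth re-checking now that commands are serialized. The non-zero return path still falls through to "return False" after the finally block, which is correct but easy to misread with the added nesting.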
From: Craig S. <jac...@gm...> - 2011-08-15 23:32:11
|
Here's a conf for squid. Just thought I'd share. -- - Jackie *"Craig"* Sparks - *"Focus on Solutions not Problems"* Email0: Jac...@gm... http://chunkhost.com/r/getachunk - Support my VPS host sign up now http://www.sparkscomm.com http://sparkscomm.com/wordpress/resume http://www.facebook.com/profile.php?ref=profile&id=100000140654932 https://www.scriptlance.com/cgi-bin/freelancers/feedback.cgi?p=rwtskraps http://twitter.com/#!/skraps_foo http://skraps.pastebin.com |
From: <yar...@us...> - 2011-08-07 02:41:15
|
Revision: 783 http://fail2ban.svn.sourceforge.net/fail2ban/?rev=783&view=rev Author: yarikoptic Date: 2011-08-07 02:41:08 +0000 (Sun, 07 Aug 2011) Log Message: ----------- BF: Allow for trailing spaces in sasl logs Modified Paths: -------------- branches/FAIL2BAN-0_8/config/filter.d/sasl.conf Modified: branches/FAIL2BAN-0_8/config/filter.d/sasl.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/sasl.conf 2011-07-29 02:31:38 UTC (rev 782) +++ branches/FAIL2BAN-0_8/config/filter.d/sasl.conf 2011-08-07 02:41:08 UTC (rev 783) @@ -14,7 +14,7 @@ # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # -failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?$ +failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
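Review bot: On the changed failregex line, the space inside the class "[ A-Za-z0-9+/]*" (already present on the removed line) now overlaps with the new trailing "\s*". With "\s*$" in place, trailing whitespace is handled whether or not the optional ": ..." group is present, so the space can be dropped from the class and the group goes back to matching only base64 characters. A sample log line with the trailing space in the filter's comments would document why the "\s*" is there.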
From: <yar...@us...> - 2011-07-29 02:31:45
|
Revision: 782 http://fail2ban.svn.sourceforge.net/fail2ban/?rev=782&view=rev Author: yarikoptic Date: 2011-07-29 02:31:38 +0000 (Fri, 29 Jul 2011) Log Message: ----------- Create tag FAIL2BAN-0_8_5 Added Paths: ----------- tags/FAIL2BAN-0_8_5/ This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <yar...@us...> - 2011-07-29 02:31:10
|
Revision: 781 http://fail2ban.svn.sourceforge.net/fail2ban/?rev=781&view=rev Author: yarikoptic Date: 2011-07-29 02:31:01 +0000 (Fri, 29 Jul 2011) Log Message: ----------- for 0.8.5 release -- changelog + version Modified Paths: -------------- branches/FAIL2BAN-0_8/ChangeLog branches/FAIL2BAN-0_8/README branches/FAIL2BAN-0_8/common/version.py Modified: branches/FAIL2BAN-0_8/ChangeLog =================================================================== --- branches/FAIL2BAN-0_8/ChangeLog 2011-07-29 02:08:31 UTC (rev 780) +++ branches/FAIL2BAN-0_8/ChangeLog 2011-07-29 02:31:01 UTC (rev 781) 
@@ -4,9 +4,47 @@ |_| \__,_|_|_/___|_.__/\__,_|_||_| ================================================================================ -Fail2Ban (version 0.8.4) 2009/09/07 +Fail2Ban (version 0.8.5) 2011/07/28 ================================================================================ +ver. 0.8.5 (2011/07/28) - stable +---------- +- Fix: use addfailregex instead of failregex while processing per-jail + "failregex" parameter (Fixed Debian bug #635830, LP: #635036). Thanks to + Marat Khayrullin for the patch and Daniel T Chen for forwarding to + Debian. +- Fix: use os.path.join to generate full path - fixes includes in configs + given local filename (5 weeks ago) [yarikoptic] +- Fix: allowed for trailing spaces in proftpd logs +- Fix: escaped () in pure-ftpd filter. Thanks to Teodor +- Fix: allowed space in the trailing of failregex for sasl.conf: + see http://bugs.debian.org/573314 +- Fix: use /var/run/fail2ban instead of /tmp for temp files in actions: + see http://bugs.debian.org/544232 +- Fix: Tai64N stores time in GMT, needed to convert to local time before + returning +- Fix: disabled named-refused-udp jail entirely with a big fat warning +- Fix: added time module. Bug reported in buanzo's blog: + see http://blogs.buanzo.com.ar/2009/04/fail2ban-patch-ban-ip-address-manually.html +- Fix: Patch to make log file descriptors cloexec to stop leaking file + descriptors on fork/exec. Thanks to Jonathan Underwood: + see https://bugzilla.redhat.com/show_bug.cgi?id=230191#c24 +- Enhancement: added author for dovecot filter and pruned unneeded space + in the regexp +- Enhancement: proftpd filter -- if login failed -- count regardless of the + reason for failure +- Enhancement: added <chain> to action.d/iptables*. 
Thanks to Matthijs Kooijman: + see http://bugs.debian.org/515599 +- Enhancement: added filter.d/dovecot.conf from Martin Waschbuesch +- Enhancement: made filter.d/apache-overflows.conf catch more: + see http://bugs.debian.org/574182 +- Enhancement: added dropbear filter from Francis Russell and Zak B. Elep: + see http://bugs.debian.org/546913 +- Enhancement: changed default ignoreip to ignore entire loopback zone (/8): + see http://bugs.debian.org/598200 +- Minor: spell-checked jail.conf. Thanks to Christoph Anton Mitterer +- Few minor cosmetic changes + ver. 0.8.4 (2009/09/07) - stable ---------- - Check the inode number for rotation in addition to checking the first line of Modified: branches/FAIL2BAN-0_8/README =================================================================== --- branches/FAIL2BAN-0_8/README 2011-07-29 02:08:31 UTC (rev 780) +++ branches/FAIL2BAN-0_8/README 2011-07-29 02:31:01 UTC (rev 781) @@ -4,7 +4,7 @@ |_| \__,_|_|_/___|_.__/\__,_|_||_| ================================================================================ -Fail2Ban (version 0.8.4) 2009/09/07 +Fail2Ban (version 0.8.5) 2011/07/26 ================================================================================ Fail2Ban scans log files like /var/log/pwdfail and bans IP that makes too many Modified: branches/FAIL2BAN-0_8/common/version.py =================================================================== --- branches/FAIL2BAN-0_8/common/version.py 2011-07-29 02:08:31 UTC (rev 780) +++ branches/FAIL2BAN-0_8/common/version.py 2011-07-29 02:31:01 UTC (rev 781) @@ -21,7 +21,7 @@ __author__ = "Cyril Jaquier" __version__ = "$Revision$" __date__ = "$Date$" -__copyright__ = "Copyright (c) 2004 Cyril Jaquier" +__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011 Yaroslav Halchenko" __license__ = "GPL" -version = "0.8.4-SVN" +version = "0.8.5" This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
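Review bot: The release date differs between files: the ChangeLog header and entry say "2011/07/28" while the README header says "Fail2Ban (version 0.8.5) 2011/07/26". Pick one date and use it in both. In the ChangeLog entry, the os.path.join item ends with "(5 weeks ago) [yarikoptic]", which looks like pasted log output and will be wrong as soon as the release ages; drop it or replace it with the credit in the style of the other items.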
From: <yar...@us...> - 2011-07-29 02:08:37
|
Revision: 780 http://fail2ban.svn.sourceforge.net/fail2ban/?rev=780&view=rev Author: yarikoptic Date: 2011-07-29 02:08:31 +0000 (Fri, 29 Jul 2011) Log Message: ----------- BF: use addfailregex instead of failregex while processing per-jail "failregex" parameter (Closes: #635830) (LP: #635036) patch from Marat Khayrullin received in Ubuntu BTS. Otherwise custom per-jail failregex forbidded fail2ban from starting Modified Paths: -------------- branches/FAIL2BAN-0_8/client/jailreader.py Modified: branches/FAIL2BAN-0_8/client/jailreader.py =================================================================== --- branches/FAIL2BAN-0_8/client/jailreader.py 2011-06-27 03:40:16 UTC (rev 779) +++ branches/FAIL2BAN-0_8/client/jailreader.py 2011-07-29 02:08:31 UTC (rev 780) @@ -120,7 +120,7 @@ elif opt == "bantime": stream.append(["set", self.__name, "bantime", self.__opts[opt]]) elif opt == "failregex": - stream.append(["set", self.__name, "failregex", self.__opts[opt]]) + stream.append(["set", self.__name, "addfailregex", self.__opts[opt]]) elif opt == "ignoreregex": for regex in self.__opts[opt].split('\n'): # Do not send a command if the rule is empty. This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
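Review bot: In the "failregex" branch the whole option value is sent as a single "addfailregex" command, while the "ignoreregex" branch immediately below splits on '\n' and skips empty rules. A per-jail failregex with several lines would go to the server as one string containing newlines. Suggest handling it the same way as ignoreregex: split on '\n' and send one "addfailregex" per non-empty rule.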
From: <yar...@us...> - 2011-06-27 03:40:22
|
Revision: 779 http://fail2ban.svn.sourceforge.net/fail2ban/?rev=779&view=rev Author: yarikoptic Date: 2011-06-27 03:40:16 +0000 (Mon, 27 Jun 2011) Log Message: ----------- BF: use os.path.join to generate full path - fixes includes in configs given local filename Modified Paths: -------------- branches/FAIL2BAN-0_8/client/configparserinc.py Modified: branches/FAIL2BAN-0_8/client/configparserinc.py =================================================================== --- branches/FAIL2BAN-0_8/client/configparserinc.py 2011-06-27 03:40:08 UTC (rev 778) +++ branches/FAIL2BAN-0_8/client/configparserinc.py 2011-06-27 03:40:16 UTC (rev 779) @@ -86,7 +86,7 @@ if os.path.isabs(newResource): r = newResource else: - r = "%s/%s" % (resourceDir, newResource) + r = os.path.join(resourceDir, newResource) if r in seen: continue s = seen + [resource] This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
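Review bot: After "r = os.path.join(resourceDir, newResource)" the result is compared as a plain string in "if r in seen", so the same file reached through different relative spellings is not recognised as already included. Normalising r (for example with os.path.normpath or os.path.abspath) before the membership test would make the include-loop guard reliable, and it also makes it easier to see when a relative include resolves outside resourceDir.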
From: <yar...@us...> - 2011-06-27 03:40:14
|
Revision: 778 http://fail2ban.svn.sourceforge.net/fail2ban/?rev=778&view=rev Author: yarikoptic Date: 2011-06-27 03:40:08 +0000 (Mon, 27 Jun 2011) Log Message: ----------- very minor -- uniform indentation in example Modified Paths: -------------- branches/FAIL2BAN-0_8/client/configparserinc.py Modified: branches/FAIL2BAN-0_8/client/configparserinc.py =================================================================== --- branches/FAIL2BAN-0_8/client/configparserinc.py 2011-05-07 03:16:40 UTC (rev 777) +++ branches/FAIL2BAN-0_8/client/configparserinc.py 2011-06-27 03:40:08 UTC (rev 778) @@ -43,7 +43,7 @@ [INCLUDES] before = 1.conf - 3.conf + 3.conf after = 1.conf @@ -54,8 +54,8 @@ the tree. I wasn't sure what would be the right way to implement generic (aka c++ - template) so we could base at any *configparser class... so I will - leave it for the future + template) so we could base at any *configparser class... so I will + leave it for the future """ This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <yar...@us...> - 2011-05-07 03:16:47
|
Revision: 777 http://fail2ban.svn.sourceforge.net/fail2ban/?rev=777&view=rev Author: yarikoptic Date: 2011-05-07 03:16:40 +0000 (Sat, 07 May 2011) Log Message: ----------- BF: use standard/reserved example.com instead of mail.com Adapted from fail2ban-0.8.4-examplemail.patch in Fedora: http://sophie.zarb.org/sources/fail2ban/fail2ban-0.8.4-examplemail.patch Modified Paths: -------------- branches/FAIL2BAN-0_8/config/jail.conf branches/FAIL2BAN-0_8/files/nagios/check_fail2ban Property Changed: ---------------- branches/FAIL2BAN-0_8/files/nagios/check_fail2ban Modified: branches/FAIL2BAN-0_8/config/jail.conf =================================================================== --- branches/FAIL2BAN-0_8/config/jail.conf 2011-03-23 21:38:26 UTC (rev 776) +++ branches/FAIL2BAN-0_8/config/jail.conf 2011-05-07 03:16:40 UTC (rev 777) @@ -45,7 +45,7 @@ enabled = false filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] - sendmail-whois[name=SSH, dest=yo...@ma..., sender=fai...@ma...] + sendmail-whois[name=SSH, dest=yo...@ex..., sender=fai...@ex...] logpath = /var/log/sshd.log maxretry = 5 @@ -54,7 +54,7 @@ enabled = false filter = proftpd action = iptables[name=ProFTPD, port=ftp, protocol=tcp] - sendmail-whois[name=ProFTPD, dest=yo...@ma...] + sendmail-whois[name=ProFTPD, dest=yo...@ex...] logpath = /var/log/proftpd/proftpd.log maxretry = 6 @@ -66,7 +66,7 @@ filter = sasl backend = polling action = iptables[name=sasl, port=smtp, protocol=tcp] - sendmail-whois[name=sasl, dest=yo...@ma...] + sendmail-whois[name=sasl, dest=yo...@ex...] logpath = /var/log/mail.log # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is @@ -77,7 +77,7 @@ enabled = false filter = sshd action = hostsdeny - sendmail-whois[name=SSH, dest=yo...@ma...] + sendmail-whois[name=SSH, dest=yo...@ex...] ignoreregex = for myuser from logpath = /var/log/sshd.log 
@@ -101,7 +101,7 @@ enabled = false filter = postfix action = hostsdeny[file=/not/a/standard/path/hosts.deny] - sendmail[name=Postfix, dest=yo...@ma...] + sendmail[name=Postfix, dest=yo...@ex...] logpath = /var/log/postfix.log bantime = 300 @@ -112,7 +112,7 @@ enabled = false filter = vsftpd -action = sendmail-whois[name=VSFTPD, dest=yo...@ma...] +action = sendmail-whois[name=VSFTPD, dest=yo...@ex...] logpath = /var/log/vsftpd.log maxretry = 5 bantime = 1800 @@ -124,7 +124,7 @@ enabled = false filter = vsftpd action = iptables[name=VSFTPD, port=ftp, protocol=tcp] - sendmail-whois[name=VSFTPD, dest=yo...@ma...] + sendmail-whois[name=VSFTPD, dest=yo...@ex...] logpath = /var/log/vsftpd.log maxretry = 5 bantime = 1800 @@ -137,7 +137,7 @@ enabled = false filter = apache-badbots action = iptables-multiport[name=BadBots, port="http,https"] - sendmail-buffered[name=BadBots, lines=5, dest=yo...@ma...] + sendmail-buffered[name=BadBots, lines=5, dest=yo...@ex...] logpath = /var/www/*/logs/access_log bantime = 172800 maxretry = 1 @@ -149,7 +149,7 @@ enabled = false filter = apache-noscript action = shorewall - sendmail[name=Postfix, dest=yo...@ma...] + sendmail[name=Postfix, dest=yo...@ex...] logpath = /var/log/apache2/error_log # Ban attackers that try to use PHP's URL-fopen() functionality @@ -190,7 +190,7 @@ enabled = false filter = sshd action = ipfw[localhost=192.168.0.1] - sendmail-whois[name="SSH,IPFW", dest=yo...@ma...] + sendmail-whois[name="SSH,IPFW", dest=yo...@ex...] logpath = /var/log/auth.log ignoreip = 168.192.0.1 @@ -224,7 +224,7 @@ # enabled = false # filter = named-refused # action = iptables-multiport[name=Named, port="domain,953", protocol=udp] -# sendmail-whois[name=Named, dest=yo...@ma...] +# sendmail-whois[name=Named, dest=yo...@ex...] # logpath = /var/log/named/security.log # ignoreip = 168.192.0.1 
@@ -235,7 +235,7 @@ enabled = false filter = named-refused action = iptables-multiport[name=Named, port="domain,953", protocol=tcp] - sendmail-whois[name=Named, dest=yo...@ma...] + sendmail-whois[name=Named, dest=yo...@ex...] logpath = /var/log/named/security.log ignoreip = 168.192.0.1 Modified: branches/FAIL2BAN-0_8/files/nagios/check_fail2ban =================================================================== --- branches/FAIL2BAN-0_8/files/nagios/check_fail2ban 2011-03-23 21:38:26 UTC (rev 776) +++ branches/FAIL2BAN-0_8/files/nagios/check_fail2ban 2011-05-07 03:16:40 UTC (rev 777) @@ -99,7 +99,7 @@ # put a txt file on your server and describe how to fix the issue, this # could be attached to the mail. ###################################################################### -# mutt -s "FAIL2BAN NOT WORKING" yo...@em... < /home/f2ban.txt +# mutt -s "FAIL2BAN NOT WORKING" yo...@ex... < /home/f2ban.txt exitstatus=$STATE_CRITICAL fi Property changes on: branches/FAIL2BAN-0_8/files/nagios/check_fail2ban ___________________________________________________________________ Added: svn:executable + * This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
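Review bot: In the jail.conf hunks at -190, -224 and -235 the context lines carry "ignoreip = 168.192.0.1", while the ipfw action two lines above uses "localhost=192.168.0.1". The ignoreip value looks like a transposition and, as written, whitelists an address outside the private range; since this commit is already cleaning up example values in the same jails, it is a good place to correct it. Also, the log message says mail.com was replaced, but the address in files/nagios/check_fail2ban used a different domain, and the svn:executable property is added without being mentioned; both deserve a word in the log message.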
From: <yar...@us...> - 2011-03-23 21:38:32
|
Revision: 776 http://fail2ban.svn.sourceforge.net/fail2ban/?rev=776&view=rev Author: yarikoptic Date: 2011-03-23 21:38:26 +0000 (Wed, 23 Mar 2011) Log Message: ----------- ENH: Adding author for dovecot filter and prunning unneeded space in the regexp Modified Paths: -------------- branches/FAIL2BAN-0_8/config/filter.d/dovecot.conf Modified: branches/FAIL2BAN-0_8/config/filter.d/dovecot.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/dovecot.conf 2011-03-23 20:37:19 UTC (rev 775) +++ branches/FAIL2BAN-0_8/config/filter.d/dovecot.conf 2011-03-23 21:38:26 UTC (rev 776) @@ -1,6 +1,6 @@ # Fail2Ban configuration file for dovcot # -# Author: +# Author: Martin Waschbuesch # # $Revision: $ # @@ -14,7 +14,7 @@ # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # -failregex = .*(?: pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.* +failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.* # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
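Review bot: On the failregex line, the host is captured with "rip=(?P<host>\S*)," which also accepts an empty string and any run of non-space characters, so a line with nothing usable after "rip=" still counts as a match. The other filters use the "<HOST>" tag documented in the comment block above; "rip=<HOST>," would restrict the capture to a hostname or address. The header comment in the first hunk also still reads "dovcot" and can be fixed while the Author line is being filled in.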
From: <yar...@us...> - 2011-03-23 20:37:25
|
Revision: 775 http://fail2ban.svn.sourceforge.net/fail2ban/?rev=775&view=rev Author: yarikoptic Date: 2011-03-23 20:37:19 +0000 (Wed, 23 Mar 2011) Log Message: ----------- BF: proftpd filter -- if login failed -- count regardless of the reason for failure Modified Paths: -------------- branches/FAIL2BAN-0_8/config/filter.d/proftpd.conf Modified: branches/FAIL2BAN-0_8/config/filter.d/proftpd.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/proftpd.conf 2011-03-23 20:37:10 UTC (rev 774) +++ branches/FAIL2BAN-0_8/config/filter.d/proftpd.conf 2011-03-23 20:37:19 UTC (rev 775) @@ -15,7 +15,7 @@ # Values: TEXT # failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+ *$ - \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\. *$ + \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): .*$ \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\. *$ \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$ This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
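Review bot: The changed line now ends in "\(Login failed\): .*$", so any text after the colon counts toward maxretry, including failure reasons that are not password guesses. That is what the log message asks for, but the filter file should say so: a short comment listing the reasons seen in practice, or at least noting that every "Login failed" reason is counted, lets an administrator judge the false-positive risk before enabling the jail. The trailing "$" after ".*" adds nothing and can be dropped.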
From: <yar...@us...> - 2011-03-23 20:37:16
|
Revision: 774 http://fail2ban.svn.sourceforge.net/fail2ban/?rev=774&view=rev Author: yarikoptic Date: 2011-03-23 20:37:10 +0000 (Wed, 23 Mar 2011) Log Message: ----------- BF: Allow for trailing spaces in proftpd logs See http://bugs.debian.org/507986 Modified Paths: -------------- branches/FAIL2BAN-0_8/config/filter.d/proftpd.conf Modified: branches/FAIL2BAN-0_8/config/filter.d/proftpd.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/proftpd.conf 2011-03-23 20:37:00 UTC (rev 773) +++ branches/FAIL2BAN-0_8/config/filter.d/proftpd.conf 2011-03-23 20:37:10 UTC (rev 774) @@ -14,10 +14,10 @@ # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # -failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$ - \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$ - \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$ - \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$ +failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+ *$ + \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\. *$ + \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\. *$ + \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
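Review bot: The four failregex lines use " *$", which tolerates only space characters, while the sasl and pure-ftpd filters use "\s*$" for the same purpose. If a log line ends in a tab or a carriage return these patterns still fail to match. Suggest "\s*$" here as well so trailing whitespace is handled the same way across filters.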
From: <yar...@us...> - 2011-03-23 20:37:06
|
Revision: 773 http://fail2ban.svn.sourceforge.net/fail2ban/?rev=773&view=rev Author: yarikoptic Date: 2011-03-23 20:37:00 +0000 (Wed, 23 Mar 2011) Log Message: ----------- BF: escaping () in pure-ftpd filter. Thanks Teodor See http://bugs.debian.org/544744 Modified Paths: -------------- branches/FAIL2BAN-0_8/config/filter.d/pure-ftpd.conf Modified: branches/FAIL2BAN-0_8/config/filter.d/pure-ftpd.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/pure-ftpd.conf 2011-03-23 20:36:50 UTC (rev 772) +++ branches/FAIL2BAN-0_8/config/filter.d/pure-ftpd.conf 2011-03-23 20:37:00 UTC (rev 773) @@ -19,7 +19,7 @@ # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # -failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$ +failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
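Review bot: Besides escaping the parentheses, the new failregex line also changes the ending from "\]$" to "\]\s*$", which the log message does not mention. Please note the trailing-whitespace change in the log message or ChangeLog, since it alters what the filter matches independently of the escaping fix. A sample pure-ftpd log line in the comments would show that the literal "(user@host)" form is what is being matched.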
From: <yar...@us...> - 2011-03-23 20:36:56
|
Revision: 772 http://fail2ban.svn.sourceforge.net/fail2ban/?rev=772&view=rev Author: yarikoptic Date: 2011-03-23 20:36:50 +0000 (Wed, 23 Mar 2011) Log Message: ----------- BF: allow space in the trailing of failregex for sasl.conf: see http://bugs.debian.org/573314 Modified Paths: -------------- branches/FAIL2BAN-0_8/config/filter.d/sasl.conf Modified: branches/FAIL2BAN-0_8/config/filter.d/sasl.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/sasl.conf 2011-03-23 20:36:41 UTC (rev 771) +++ branches/FAIL2BAN-0_8/config/filter.d/sasl.conf 2011-03-23 20:36:50 UTC (rev 772) @@ -14,7 +14,7 @@ # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # -failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$ +failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
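Review bot: The log message says the aim is to allow a trailing space, but the change adds the space inside the class "[ A-Za-z0-9+/]*", which permits spaces anywhere in the text after "authentication failed: ", and does nothing for a trailing space when the optional group is absent. Putting "\s*" after the group, directly before "$", expresses the stated intent and leaves the class matching base64 characters only.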
From: <yar...@us...> - 2011-03-23 20:36:47
|
Revision: 771 http://fail2ban.svn.sourceforge.net/fail2ban/?rev=771&view=rev Author: yarikoptic Date: 2011-03-23 20:36:41 +0000 (Wed, 23 Mar 2011) Log Message: ----------- ENH: add <chain> to action.d/iptables*. Thanks Matthijs Kooijman: see http://bugs.debian.org/515599 Modified Paths: -------------- branches/FAIL2BAN-0_8/config/action.d/iptables-allports.conf branches/FAIL2BAN-0_8/config/action.d/iptables-multiport-log.conf branches/FAIL2BAN-0_8/config/action.d/iptables-multiport.conf branches/FAIL2BAN-0_8/config/action.d/iptables-new.conf branches/FAIL2BAN-0_8/config/action.d/iptables.conf Modified: branches/FAIL2BAN-0_8/config/action.d/iptables-allports.conf =================================================================== --- branches/FAIL2BAN-0_8/config/action.d/iptables-allports.conf 2011-03-23 20:36:28 UTC (rev 770) +++ branches/FAIL2BAN-0_8/config/action.d/iptables-allports.conf 2011-03-23 20:36:41 UTC (rev 771) @@ -15,13 +15,13 @@ # actionstart = iptables -N fail2ban-<name> iptables -A fail2ban-<name> -j RETURN - iptables -I INPUT -p <protocol> -j fail2ban-<name> + iptables -I <chain> -p <protocol> -j fail2ban-<name> # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p <protocol> -j fail2ban-<name> +actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name> iptables -F fail2ban-<name> iptables -X fail2ban-<name> @@ -29,7 +29,7 @@ # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name> +actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name> # Option: actionban # Notes.: command executed when banning an IP. Take care that the 
@@ -63,3 +63,8 @@ # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT Modified: branches/FAIL2BAN-0_8/config/action.d/iptables-multiport-log.conf =================================================================== --- branches/FAIL2BAN-0_8/config/action.d/iptables-multiport-log.conf 2011-03-23 20:36:28 UTC (rev 770) +++ branches/FAIL2BAN-0_8/config/action.d/iptables-multiport-log.conf 2011-03-23 20:36:41 UTC (rev 771) @@ -5,7 +5,7 @@ # # make "fail2ban-<name>" chain to match drop IP # make "fail2ban-<name>-log" chain to log and drop -# insert a jump to fail2ban-<name> from -I INPUT if proto/port match +# insert a jump to fail2ban-<name> from -I <chain> if proto/port match # # $Revision$ # @@ -18,7 +18,7 @@ # actionstart = iptables -N fail2ban-<name> iptables -A fail2ban-<name> -j RETURN - iptables -I INPUT 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name> + iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name> iptables -N fail2ban-<name>-log iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2 iptables -A fail2ban-<name>-log -j DROP @@ -27,7 +27,7 @@ # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name> +actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name> iptables -F fail2ban-<name> iptables -F fail2ban-<name>-log iptables -X fail2ban-<name> 
@@ -76,3 +76,9 @@ # Values: [ tcp | udp | icmp | all ] Default: tcp # protocol = tcp + +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT Modified: branches/FAIL2BAN-0_8/config/action.d/iptables-multiport.conf =================================================================== --- branches/FAIL2BAN-0_8/config/action.d/iptables-multiport.conf 2011-03-23 20:36:28 UTC (rev 770) +++ branches/FAIL2BAN-0_8/config/action.d/iptables-multiport.conf 2011-03-23 20:36:41 UTC (rev 771) @@ -13,13 +13,13 @@ # actionstart = iptables -N fail2ban-<name> iptables -A fail2ban-<name> -j RETURN - iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name> + iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name> # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name> +actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name> iptables -F fail2ban-<name> iptables -X fail2ban-<name> @@ -27,7 +27,7 @@ # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name> +actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name> # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -67,3 +67,8 @@ # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT Modified: branches/FAIL2BAN-0_8/config/action.d/iptables-new.conf =================================================================== --- branches/FAIL2BAN-0_8/config/action.d/iptables-new.conf 2011-03-23 20:36:28 UTC (rev 770) +++ branches/FAIL2BAN-0_8/config/action.d/iptables-new.conf 2011-03-23 20:36:41 UTC (rev 771) 
@@ -15,13 +15,13 @@ # actionstart = iptables -N fail2ban-<name> iptables -A fail2ban-<name> -j RETURN - iptables -I INPUT -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name> + iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name> # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name> +actionstop = iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name> iptables -F fail2ban-<name> iptables -X fail2ban-<name> @@ -29,7 +29,7 @@ # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name> +actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name> # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -69,3 +69,8 @@ # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT Modified: branches/FAIL2BAN-0_8/config/action.d/iptables.conf =================================================================== --- branches/FAIL2BAN-0_8/config/action.d/iptables.conf 2011-03-23 20:36:28 UTC (rev 770) +++ branches/FAIL2BAN-0_8/config/action.d/iptables.conf 2011-03-23 20:36:41 UTC (rev 771) @@ -13,13 +13,13 @@ # actionstart = iptables -N fail2ban-<name> iptables -A fail2ban-<name> -j RETURN - iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name> + iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name> # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name> +actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name> iptables -F fail2ban-<name> iptables -X fail2ban-<name> 
@@ -27,7 +27,7 @@ # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name> +actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name> # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -67,3 +67,8 @@ # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
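Review bot: The `chain` option block appended to each action file documents the default but not the precondition: `actionstart` runs `iptables -I <chain> ...`, which fails if the named chain does not exist, so the Notes should say that any chain other than a built-in one has to be created before Fail2Ban starts. The comment also reads `# Notes specifies` where the other option blocks in these files use `# Notes.:`. In iptables-multiport-log.conf the hunks shown here change `actionstart` and `actionstop` but none touches `actioncheck`, unlike the other three files; worth confirming that its check does not still reference INPUT.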
From: <yar...@us...> - 2011-03-23 20:36:34
Revision: 770 http://fail2ban.svn.sourceforge.net/fail2ban/?rev=770&view=rev Author: yarikoptic Date: 2011-03-23 20:36:28 +0000 (Wed, 23 Mar 2011) Log Message: ----------- NF: Adding found on a drive filter.d/dovecot.conf Added Paths: ----------- branches/FAIL2BAN-0_8/config/filter.d/dovecot.conf Added: branches/FAIL2BAN-0_8/config/filter.d/dovecot.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/dovecot.conf (rev 0) +++ branches/FAIL2BAN-0_8/config/filter.d/dovecot.conf 2011-03-23 20:36:28 UTC (rev 770) @@ -0,0 +1,23 @@ +# Fail2Ban configuration file for dovcot +# +# Author: +# +# $Revision: $ +# + +[Definition] + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "<HOST>" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) +# Values: TEXT +# +failregex = .*(?: pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.* + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
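Review bot: The `failregex` in the new dovecot.conf captures the address with a hand-written `rip=(?P<host>\S*),` although the Notes directly above describe the `<HOST>` tag; `\S*` accepts an empty or arbitrary non-space string as the host, so `rip=<HOST>,` would be stricter and consistent with the other filters. The pattern also starts and ends with `.*`, so anchoring it on the `pop3-login`/`imap-login` prefix would narrow what a line must contain to count as a failure. Smaller points: the header comment says "dovcot" and the `Author:` field is empty.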
From: <yar...@us...> - 2011-03-23 20:36:24
Revision: 769 http://fail2ban.svn.sourceforge.net/fail2ban/?rev=769&view=rev Author: yarikoptic Date: 2011-03-23 20:36:17 +0000 (Wed, 23 Mar 2011) Log Message: ----------- ENH: make filter.d/apache-overflows.conf catch more: see http://bugs.debian.org/574182 Modified Paths: -------------- branches/FAIL2BAN-0_8/config/filter.d/apache-overflows.conf Modified: branches/FAIL2BAN-0_8/config/filter.d/apache-overflows.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/apache-overflows.conf 2011-03-23 20:36:08 UTC (rev 768) +++ branches/FAIL2BAN-0_8/config/filter.d/apache-overflows.conf 2011-03-23 20:36:17 UTC (rev 769) @@ -11,7 +11,7 @@ # Notes.: Regexp to catch Apache overflow attempts. # Values: TEXT # -failregex = [[]client <HOST>[]] (Invalid method in request|request failed: URI too long|erroneous characters after protocol string) +failregex = [[]client <HOST>[]] (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string) # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
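Review bot: The alternation added to `failregex`, `(method|URI)`, is a capturing group although nothing reads its value; `(?:method|URI)` would express the intent without the extra capture. A sample log line for the new "Invalid URI in request" case, in the commit message or the file's comments, would make the change easy to verify against the referenced bug.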
From: <yar...@us...> - 2011-03-23 20:36:14
Revision: 768 http://fail2ban.svn.sourceforge.net/fail2ban/?rev=768&view=rev Author: yarikoptic Date: 2011-03-23 20:36:08 +0000 (Wed, 23 Mar 2011) Log Message: ----------- ENH: dropbear filter: see http://bugs.debian.org/546913 Added Paths: ----------- branches/FAIL2BAN-0_8/config/filter.d/dropbear.conf Added: branches/FAIL2BAN-0_8/config/filter.d/dropbear.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/dropbear.conf (rev 0) +++ branches/FAIL2BAN-0_8/config/filter.d/dropbear.conf 2011-03-23 20:36:08 UTC (rev 768) 
@@ -0,0 +1,52 @@ +# Fail2Ban configuration file +# +# Author: Francis Russell +# Zak B. Elep +# +# $Revision$ +# +# More information: http://bugs.debian.org/546913 + +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + + +[Definition] + +_daemon = dropbear + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "<HOST>" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P<host>\S+) +# Values: TEXT + +# These match the unmodified dropbear messages. It isn't possible to +# match the source of the 'exit before auth' messages from dropbear. +# +failregex = ^%(__prefix_line)slogin attempt for nonexistent user ('.*' )?from <HOST>:.*\s*$ + ^%(__prefix_line)sbad password attempt for .+ from <HOST>:.*\s*$ + +# The only line we need to match with the modified dropbear. + +# NOTE: The failregex below is ONLY intended to work with a patched +# version of Dropbear as described here: +# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches +# +# The standard Dropbear output doesn't provide enough information to +# ban all types of attack. The Dropbear patch adds IP address +# information to the 'exit before auth' message which is always +# produced for any form of non-successful login. It is that message +# which this file matches. + +# failregex = ^%(__prefix_line)sexit before auth from <HOST>.*\s*$ + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
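Review bot: In both active `failregex` lines of dropbear.conf the user name field is matched with an unbounded wildcard (`('.*' )?` and `for .+ from <HOST>:`), and that field is supplied by the connecting client, so which `from <HOST>:` is captured depends on greedy backtracking rather than on the pattern itself. A comment stating that the last `from <HOST>:` on the line is the one the daemon wrote, or sample log lines with a user name containing " from ", would document that assumption. The Notes also describe `<HOST>` as an alias for `(?P<host>\S+)`, while the dovecot.conf added in rev 770 gives a different expansion; the two descriptions should agree.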