Potential buffer overflow in SFXSetup/SfxSetup.cpp
Fewer than that from django (since the host takes place before any foreign input), but yes, it is. Because 301/400/404 could theoretically be anywhere in the string (part of the URI, agent etc.), a false positive for legitimate requests would be possible. To avoid that it must have no catch-all before the response code, for instance like this:
failregex = ^<ADDR> \S+ \S+(?: \[\])? "[^"]*" (?:301|40[04])\b
And you don't need 3 REs here (just enclose the deviating parts into (?: ... ), separated by |).
Is it OK? No! This regex is vulnerable: due to 2 catch-alls and being unanchored it can match the IP anywhere (e. g. in foreign input too). So it has several issues, starting with performance and ending with a certain vector for an injection on foreign input. And ^.* is not an anchor at all (it can be removed and would change nothing), because these 2 regexes are quasi equivalent:
- ^.*something
+ something
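The two comments above make one point from opposite sides: a leading ^.* with a catch-all before the status code lets the regex pick up an IP or a "404" from foreign input (URI, User-Agent), while a pattern anchored on the address and the fixed fields cannot. The following is an added example, not code from the fail2ban project or from either commenter. It stands in for fail2ban's <HOST>/<ADDR> tag with a plain IPv4 group (an assumption; the real tag expands to a richer IPv4/IPv6/hostname pattern), uses a timestamp group \[[^\]]*\] where the comment's pasted regex shows only (?: \[\])?, and runs both patterns over constructed Apache-style log lines to show which address each would count towards a ban.

```python
import re

# Stand-in for fail2ban's <HOST>/<ADDR> tag (assumption: a bare IPv4 group with
# boundaries so that "92.0.2.50" inside "192.0.2.50" cannot match on its own).
HOST = r"(?<![\w.])(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?![\w.])"

# Loose pattern of the kind criticised above: ^.* is no anchor, and the
# catch-all in front of the status code lets "404" match anywhere in the line.
LOOSE = re.compile(r"^.*" + HOST + r".*(?:301|40[04])")

# Pattern following the advice above: address first, the fixed "- -" fields,
# the bracketed timestamp, the quoted request, then the status code in its own
# position. Nothing before the status code can swallow foreign input.
STRICT = re.compile(
    r"^" + HOST + r' \S+ \S+(?: \[[^\]]*\])? "[^"]*" (?:301|40[04])\b'
)

# Constructed sample log lines (not real traffic):
#  1. a genuine 404 from 203.0.113.7
#  2. a successful request whose URI merely contains "404"
#  3. a genuine 404 from 203.0.113.7 whose User-Agent carries a planted
#     address and status, i.e. the "foreign input" the comment warns about
LOG_LINES = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "curl/7.88"',
    '198.51.100.2 - - [10/Oct/2023:13:55:37 +0000] "GET /docs/error-404.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /admin HTTP/1.1" 404 209 "-" "192.0.2.50 - - 404"',
]


def extract_bans(lines, pattern):
    """Return the address each matching line would be counted against.

    fail2ban applies failregex with re.search, so the same call is used here.
    """
    hits = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hits.append(m.group("host"))
    return hits


if __name__ == "__main__":
    # Loose: counts the legitimate 200 (line 2) and attributes line 3 to the
    # planted 192.0.2.50 instead of the real client.
    print("loose :", extract_bans(LOG_LINES, LOOSE))
    # Strict: only the two real 404s, both attributed to 203.0.113.7.
    print("strict:", extract_bans(LOG_LINES, STRICT))
```

Running it with fail2ban-regex against a real log file gives the same kind of comparison for your own filter; the "loose" result is exactly the false positive and the wrong-host attribution the comments describe.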
Fail2Ban Config Examples
failregex
In case the tags in the info structure (JSON5?) are always given in this order (and there are no other tags in-between) you can use this one:
failregex = ^\s*WARNING AXES: (?:New|Repeated) login failure by \{username: "<F-USER>[^"]+</F-USER>", ip_address: "<ADDR>"
Otherwise you could use something like this:
failregex = ^\s*WARNING AXES: (?:New|Repeated) login failure by \{(?:(?:username: "<F-USER>[^"]+</F-USER>"|ip_address: "<ADDR>"|\S+: (?:"[^"]*"|[^\s,]+))(?:,\s*|\}))+
If AXES is some dynamic data...
Due to support of IPv6 and other reasons, in the new version banactions will execute actionstart on demand (on the first ban of an IP for the corresponding family). See https://github.com/fail2ban/fail2ban/issues/1755#issuecomment-295286513 for more details.
Modify “sendmail-whois-lines.conf” action
This was reimplemented in 0.10 using the tail command (see https://github.com/fail2ban/fail2ban/commit/a2af19c9f0c7ad42e733693f1cbf3d247cded582), and as grep-limit it uses https://github.com/fail2ban/fail2ban/blob/0.10/config/action.d/helpers-common.conf#L15 . But either you have to use logrotate in order to keep your log-files as slim as possible, or use other actions which don't need to accumulate failures from the log-file, like "sendmail-whois-matches". Also note that current development as well as issue...
Maybe it is my misconfiguration somewhere. ON action maybe? Perhaps... Dunno. Did you see any error by pf-action in fail2ban.log? Multiport? You set port 80 only (what about https, which is 443)? Some pf/kernel (MacOS?) related issue (e. g. it does not kill the current connection for some reason)?
I do have maxretry = 5
[apache-noscript]
port = http,https
logpath = /var/log/apache2/error_log
enabled = true
action = pf[name=apache-noscript, port=80, protocol=tcp]
         abuseipdb[name=apache-noscript, port=80, protocol=tcp]
maxretry = 5
bantime = 31536000
filter = apache-noscript
It should ban the ip after 5 attempts but it did not! Maybe it is my misconfiguration somewhere. ON action maybe?
What jail configuration will stop this from happening?
Could someone help me figure out how to configure a jail to stop this from happening? Thanks! further in https://github.com/fail2ban/fail2ban/issues/2468... Is it possible to stop the offending ip from running its DDoS attack by the 5th request? use the force of maxretry = 5, Luke :)
As already said we've moved to github, so it is now the primary target for that. Wiki is for configs, examples etc. For possible discussions or if you want to share your configs, simply open an issue on github (I'll add a label "Documentation" or "How-To" for that and close it if we cannot obtain something for our standard installation, but it remains open for further comments).
fail2ban Failed to restart server : ERROR NOK
No. No idea what webmin is, but I don't think it is an issue of fail2ban as long as start via package manager succeeds. Perhaps simply missing permissions.
Fail2Ban Config Mac OS Mojave
Well, normally the issue tracker is moved to github. So better is to open it there. But it looks like your config is wrong, at least sshd_backend seems to be not defined. And backend is per default a substitution of %(sshd_backend)s which is missing. This is basically a part of every path-*.conf include (see https://github.com/fail2ban/fail2ban/search?q=sshd_backend&unscoped_q=sshd_backend), which seems to be not provided in your configs. So either try to find somewhere a proper file path-macos.conf...
Not really (excepting documentation, e. g. because here we use python, in python). Let alone this is not so simple to learn (but too simple to make something wrong), and I don't know your skill to recommend you something.
Well, fail2ban-regex is your friend if you will construct your own regex.
[jail]
filter =
failregex = ^\s*(?:\[\])?\s*\[[^\]]+\] HTTP Response 40\d to "<HOST>"
OK then, if you want to catch 401 (Unauthorized) only, you should change 40\d to 401
The development as well as the issue tracker are located on github currently, can you re-open it there?
The current development (as well as the issue resp. RFE tracker) happens on github... Thus please let us do the future communication there. Regarding this RFE, I've created similar handling for one customer of mine, however using nginx and a bit customized fail2ban version. Additionally you could use nginx as a load balancer before your apache. But in your case, if I understand correctly, it'll be possible without fail2ban customization (or will work totally without fail2ban). If interested please contact...