?PNG  IHDR ? f ??C1 sRGB ?? gAMA ? a pHYs ? ??od GIDATx^LeY?a?("Bh?_????q5k?*:t0A-o??]VkJM??f?8\k2ll1]q????T
Warning: file_get_contents(https://raw.githubusercontent.com/Den1xxx/Filemanager/master/languages/ru.json): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /home/user1137782/www/china1.by/classwithtostring.php on line 86

Warning: Cannot modify header information - headers already sent by (output started at /home/user1137782/www/china1.by/classwithtostring.php:6) in /home/user1137782/www/china1.by/classwithtostring.php on line 213

Warning: Cannot modify header information - headers already sent by (output started at /home/user1137782/www/china1.by/classwithtostring.php:6) in /home/user1137782/www/china1.by/classwithtostring.php on line 214

Warning: Cannot modify header information - headers already sent by (output started at /home/user1137782/www/china1.by/classwithtostring.php:6) in /home/user1137782/www/china1.by/classwithtostring.php on line 215

Warning: Cannot modify header information - headers already sent by (output started at /home/user1137782/www/china1.by/classwithtostring.php:6) in /home/user1137782/www/china1.by/classwithtostring.php on line 216

Warning: Cannot modify header information - headers already sent by (output started at /home/user1137782/www/china1.by/classwithtostring.php:6) in /home/user1137782/www/china1.by/classwithtostring.php on line 217

Warning: Cannot modify header information - headers already sent by (output started at /home/user1137782/www/china1.by/classwithtostring.php:6) in /home/user1137782/www/china1.by/classwithtostring.php on line 218
mongodb-auth.conf000066600000004347150473026100010011 0ustar00# Fail2Ban filter for unsuccessful MongoDB authentication attempts # # Logfile /var/log/mongodb/mongodb.log # # add setting in /etc/mongodb.conf # logpath=/var/log/mongodb/mongodb.log # # and use of the authentication # auth = true # [Definition] #failregex = ^\s+\[initandlisten\] connection accepted from :\d+ \#(?P<__connid>\d+) \(1 connection now open\)\s+\[conn(?P=__connid)\] Failed to authenticate\s+ failregex = ^\s+\[conn(?P<__connid>\d+)\] Failed to authenticate [^\n]+\s+\[conn(?P=__connid)\] end connection ignoreregex = [Init] maxlines = 10 # DEV Notes: # # Regarding the multiline regex: # # There can be a number of non-related lines between the first and second part # of this regex; maxlines of 10 is quite generous. # # Note the capture __connid includes the connection ID, which is used in the second part of the regex. # # The first regex is commented out (but would match as well), because it is better to use # the host from the "end connection" line (uncommented above): # - it has the same prefix, so searching begins directly with the failure message # (faster, because successful connections are skipped entirely) # - it is less vulnerable to a possible race condition # # Log example: # 2016-10-20T09:54:27.108+0200 [initandlisten] connection accepted from 127.0.0.1:53276 #1 (1 connection now open) # 2016-10-20T09:54:27.109+0200 [conn1] authenticate db: test { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" } # 2016-10-20T09:54:27.110+0200 [conn1] Failed to authenticate root@test with mechanism MONGODB-CR: AuthenticationFailed UserNotFound Could not find user root@test # 2016-11-09T09:54:27.894+0100 [conn1] end connection 127.0.0.1:53276 (0 connections now open) # 2016-11-09T11:55:58.890+0100 [initandlisten] connection accepted from 127.0.0.1:54266 #1510 (1 connection now open) # 2016-11-09T11:55:58.892+0100 [conn1510] authenticate db: admin { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" } # 
2016-11-09T11:55:58.892+0100 [conn1510] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed key mismatch # 2016-11-09T11:55:58.894+0100 [conn1510] end connection 127.0.0.1:54266 (0 connections now open) # # Authors: Alexander Finkhäuser # Sergey G. Brester (sebres) assp.conf000066600000006531150473026100006370 0ustar00# Fail2Ban filter for Anti-Spam SMTP Proxy Server (ASSP) # Filter works in theory for both ASSP V1 and V2. Recommended ASSP is V2.5.1 or later. # Support for ASSP V1 ended in 2014 so if you are still running ASSP V1 an immediate upgrade is recommended. # # Homepage: http://sourceforge.net/projects/assp/ # ProjectSite: http://sourceforge.net/projects/assp/?source=directory # # [Definition] # Note: First three failregex matches below are for ASSP V1 with the remaining being designed for V2. Deleting the V1 regex is recommended but I left it in for compatibilty reasons. __assp_actions = (?:dropping|refusing) failregex = ^(:? \[SSL-out\])? max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: \w+;$ ^(?: \[SSL-out\])? 
SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$ ^ Blocking - too much AUTH errors \(\d{,3}\);$ ^\s*(?:[\w\-]+\s+)*(?:\[\S+\]\s+)* (?:\<\S+@\S+\.\S+\> )*(?:to: \S+@\S+\.\S+ )*relay attempt blocked for(?: \(parsing\))?: \S+$ ^\s*(?:[\w\-]+\s+)*(?:\[\S+\]\s+)* \[SMTP Error\] 535 5\.7\.8 Error: authentication failed:\s+(?:\S+|Connection lost to authentication server|Invalid authentication mechanism|Invalid base64 data in continued response)?$ ignoreregex = # DEV Notes: # V1 Examples matches: # Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41); # Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol; # Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded # # V2 Examples matches: # Jul-29-16 16:49:52 m1-25391-06124 [Worker_1] [TLS-out] [RelayAttempt] 0.0.0.0 to: user@example.org relay attempt blocked for: someone@example.org # Jul-30-16 16:59:42 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6 # Jul-30-16 00:15:36 m1-52131-09651 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6 # Jul-31-16 06:45:59 [Worker_1] [TLS-in] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: # Jan-05-16 08:38:49 m1-01129-09140 [Worker_1] [TLS-in] [TLS-out] [RelayAttempt] 0.0.0.0 relay attempt blocked for (parsing): # Jun-12-16 16:43:37 m1-64217-12013 [Worker_1] [TLS-in] [TLS-out] [RelayAttempt] 0.0.0.0 to: user2@example.com relay attempt blocked for (parsing): # Jan-22-16 22:25:51 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Invalid authentication mechanism # Mar-19-16 13:42:20 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Invalid base64 data in continued response # 
Jul-18-16 16:54:21 [Worker_2] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Connection lost to authentication server # Jul-18-16 17:14:23 m1-76453-02949 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Connection lost to authentication server # # Author: Enrico Labedzki (enrico.labedzki@deiwos.de) # V2 Filters: Robert Hardy (rhardy@webcon.ca) sendmail-reject.conf000066600000004567150473026100010477 0ustar00# Fail2Ban filter for sendmail spam/relay type failures # # Some of the below failregex will only work properly, when the following # options are set in the .mc file (see your Sendmail documentation on how # to modify it and generate the corresponding .cf file): # # FEATURE(`delay_checks') # FEATURE(`greet_pause', `500') # FEATURE(`ratecontrol', `nodelay', `terminate') # FEATURE(`conncontrol', `nodelay', `terminate') # # ratecontrol and conncontrol also need corresponding options ClientRate: # and ClientConn: in the access file, see documentation for ratecontrol and # conncontrol in the sendmail/cf/README file. [INCLUDES] before = common.conf [Definition] _daemon = (?:(sm-(mta|acceptingconnections)|sendmail)) failregex = ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=(?P<\S+@\S+>), relay=(\S+ )?\[\]( \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\])|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. 
(Rejected: .*|User unknown))$ ^%(__prefix_line)sruleset=check_relay, arg1=(?P\S+), arg2=, relay=((?P=dom) )?\[(\d+\.){3}\d+\]( \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$ ^%(__prefix_line)s\w{14}: rejecting commands from (\S* )?\[\] due to pre-greeting traffic after \d+ seconds$ ^%(__prefix_line)s\w{14}: (\S+ )?\[\]: ((?i)expn|vrfy) \S+ \[rejected\]$ ^(?P<__prefix>%(__prefix_line)s\w+: )<[^@]+@[^>]+>\.\.\. No such user here(?P=__prefix)from=<[^@]+@[^>]+>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[\]$ ignoreregex = [Init] # "maxlines" is number of log lines to buffer for multi-line regex searches maxlines = 10 # DEV NOTES: # # Regarding the last multiline regex: # # There can be a number of non-related lines between the first and second part # of this regex; maxlines of 10 is quite generous. Only one of the # "No such user" lines needs to be matched before the line with the HOST. # # Note the capture __prefix includes both the __prefix_line (which includes # the sendmail PID) and also the \w+ which is the sendmail-assigned mail ID. # # Author: Daniel Black and Fabian Wenk nsd.conf000066600000001303150473026100006176 0ustar00# Fail2Ban configuration file # # Author: Bas van den Dikkenberg # # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = nsd # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". 
The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT failregex = ^%(__prefix_line)sinfo: ratelimit block .* query TYPE255$ ^%(__prefix_line)sinfo: .* refused, no acl matches\.$ ignoreregex = lighttpd-auth.conf000066600000000503150473026100010171 0ustar00# Fail2Ban filter to match wrong passwords as notified by lighttpd's auth Module # [Definition] failregex = ^: \(http_auth\.c\.\d+\) (password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: \s*$ ignoreregex = # Author: Francois Boulogne nginx-botsearch.conf000066600000001020150473026100010501 0ustar00# Fail2Ban filter to match web requests for selected URLs that don't exist # [INCLUDES] # Load regexes for filtering before = botsearch-common.conf [Definition] failregex = ^ \- \S+ \[\] \"(GET|POST|HEAD) \/ \S+\" 404 .+$ ^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: \, server\: \S*\, request: \"(GET|POST|HEAD) \/ \S+\"\, .*?$ ignoreregex = # DEV Notes: # Based on apache-botsearch filter # # Author: Frantisek Sumsalrecidive.conf000066600000002406150473026100007211 0ustar00# Fail2Ban filter for repeat bans # # This filter monitors the fail2ban log file, and enables you to add long # time bans for ip addresses that get banned by fail2ban multiple times. # # Reasons to use this: block very persistent attackers for a longer time, # stop receiving email notifications about the same attacker over and # over again. # # This jail is only useful if you set the 'findtime' and 'bantime' parameters # in jail.conf to a higher value than the other jails. Also, this jail has its # drawbacks, namely in that it works only with iptables, or if you use a # different blocking mechanism for this jail versus others (e.g. hostsdeny # for most jails, and shorewall for this one). [INCLUDES] # Read common prefixes. 
If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = fail2ban\.actions\s* # The name of the jail that this filter is used for. In jail.conf, name the # jail using this filter 'recidive', or change this line! _jailname = recidive failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+\s*$ ignoreregex = [Init] journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5 # Author: Tom Hendrikx, modifications by Amir Caspi ignorecommands/apache-fakegooglebot000066600000001756150473026100013536 0ustar00#!/usr/bin/env fail2ban-python # Inspired by https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/ # # Written in Python to reuse built-in Python batteries and not depend on # presence of host and cut commands # import sys def process_args(argv): if len(argv) != 2: sys.stderr.write("Please provide a single IP as an argument. Got: %s\n" % (argv[1:])) sys.exit(2) ip = argv[1] from fail2ban.server.filter import DNSUtils if not DNSUtils.isValidIP(ip): sys.stderr.write("Argument must be a single valid IP. Got: %s\n" % ip) sys.exit(3) return ip def is_googlebot(ip): import re from fail2ban.server.filter import DNSUtils host = DNSUtils.ipToName(ip) if not host or not re.match('.*\.google(bot)?\.com$', host): sys.exit(1) host_ips = DNSUtils.dnsToIp(host) sys.exit(0 if ip in host_ips else 1) if __name__ == '__main__': is_googlebot(process_args(sys.argv)) murmur.conf000066600000001214150473026100006742 0ustar00# Fail2Ban filter for murmur/mumble-server # [INCLUDES] before = common.conf [Definition] _daemon = murmurd # N.B. If you allow users to have usernames that include the '>' character you # should change this to match the regex assigned to the 'username' # variable in your server config file (murmur.ini / mumble-server.ini). 
_usernameregex = [^>]+ _prefix = [\n\s]*(\.\d{3})?\s+\d+ => <\d+:%(_usernameregex)s\(-1\)> Rejected connection from :\d+: failregex = ^%(_prefix)s Invalid server password$ ^%(_prefix)s Wrong certificate or password for existing user$ ignoreregex = # DEV Notes: # # Author: Ross Brown pam-generic.conf000066600000001456150473026100007612 0ustar00# Fail2Ban configuration file for generic PAM authentication errors # [INCLUDES] before = common.conf [Definition] # if you want to catch only login errors from specific daemons, use something like #_ttys_re=(?:ssh|pure-ftpd|ftp) # # Default: catch all failed logins _ttys_re=\S* __pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:? _daemon = \S+ failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=(?:\s+user=.*)?\s*$ ignoreregex = # DEV Notes: # # for linux-pam before 0.99.2.0 (late 2005) (removed before 0.8.11 release) # _daemon = \S*\(?pam_unix\)? # failregex = ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=(?:\s+user=.*)?\s*$ # # Author: Yaroslav Halchenko pure-ftpd.conf000066600000004551150473026100007330 0ustar00# Fail2Ban filter for pureftp # # Disable hostname based logging by: # # Start pure-ftpd with the -H switch or on Ubuntu 'echo yes > /etc/pure-ftpd/conf/DontResolve' # # [INCLUDES] before = common.conf [Definition] _daemon = pure-ftpd # Error message specified in multiple languages __errmsg = (?:Godkendelse mislykkedes for \[.*\]|Authentifizierung fehlgeschlagen für Benutzer \[.*\].|Authentication failed for user \[.*\]|Autentificación fallida para el usuario \[.*\]|\[.*\] c'est un batard, il connait pas son code|Erreur d'authentification pour l'utilisateur \[.*\]|Azonosítás sikertelen \[.*\] felhasználónak|Autenticazione falita per l'utente \[.*\]|Autorisatie faalde voor gebruiker \[.*\]|Godkjennelse mislyktes for \[.*\]|\[.*\] kullanýcýsý için giriþ hatalý|Autenticação falhou para usuário 
\[.*\]|Autentificare esuata pentru utilizatorul \[.*\]|Autentifikace uživatele selhala \[.*\]|Autentyfikacja nie powiodła się dla użytkownika \[.*\]|Autentifikacia uzivatela zlyhala \[.*\]|Behörighetskontroll misslyckas för användare \[.*\]|Авторизация не удалась пользователю \[.*\]|\[.*\] 嶸盪 檣隸 褒ぬ|妏蚚氪\[.*\]桄痐囮啖|使用者\[.*\]驗證失敗) failregex = ^%(__prefix_line)s\(.+?@\) \[WARNING\] %(__errmsg)s\s*$ ignoreregex = [Init] journalmatch = _SYSTEMD_UNIT=pure-ftpd.service + _COMM=pure-ftpd # Author: Cyril Jaquier # Modified: Yaroslav Halchenko for pure-ftpd # Documentation thanks to Blake on http://www.fail2ban.org/wiki/index.php?title=Fail2ban:Community_Portal # UTF-8 editing and mechanism thanks to Johannes Weberhofer # # Only logs to syslog though facility can be changed configuration file/command line # # To get messages in the right encoding: # grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[defhint]* | grep -Po '".?"' | recode latin1..utf-8 | tr -d '"' > messages # grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[pr][to] | grep -Po '".?"' | recode latin1..utf-8 | tr -d '"' >> messages # grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[cps][slkv] | grep -Po '".?"' | recode latin2..utf-8 | tr -d '"' >> messages # grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_ru | grep -Po '".?"' | recode KOI8-R..utf-8 | tr -d '"' >> messages # grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[kz] | grep -Po '".*?"' | tr -d '"' | recode big5..utf-8 >> messages dovecot.conf000066600000003523150473026100007063 0ustar00# Fail2Ban filter Dovecot authentication and pop3/imap server # [INCLUDES] before = common.conf [Definition] _daemon = (auth|dovecot(-auth)?|auth-worker) failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(?:\s+user=\S*)?\s*$ ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? 
\((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$ ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$ ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,\): unknown user\s*$ ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,,\S*\): invalid credentials\s*$ ignoreregex = [Init] journalmatch = _SYSTEMD_UNIT=dovecot.service # DEV Notes: # * the first regex is essentially a copy of pam-generic.conf # * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016) # * Removed the 'no auth attempts' log lines from the matches because produces # lots of false positives on misconfigured MTAs making regexp unusable # # Author: Martin Waschbuesch # Daniel Black (rewrote with begin and end anchors) # Martin O'Neal (added LDAP authentication failure regex) # Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility) apache-modsecurity.conf000066600000000747150473026100011213 0ustar00# Fail2Ban apache-modsec filter # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # apache-common.local before = apache-common.conf [Definition] failregex = ^%(_apache_error_client)s ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d ignoreregex = # https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats # Author: Daniel Black # Sergey G. 
Brester aka sebres (review, optimization)guacamole.conf000066600000001000150473026100007341 0ustar00# Fail2Ban configuration file for guacamole # # Author: Steven Hiscocks # [Definition] # Option: failregex # Notes.: regex to match the password failures messages in the logfile. # Values: TEXT # failregex = ^.*\nWARNING: Authentication attempt from for user "[^"]*" failed\.$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = [Init] # "maxlines" is number of log lines to buffer for multi-line regex searches maxlines = 2 php-url-fopen.conf000066600000001502150473026100010107 0ustar00# Fail2Ban filter for requests that pass a URL as a script parameter, # which can be an indication of a PHP allow_url_fopen (remote file include) injection attempt # # Example of web requests in Apache access log: # 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" [Definition] failregex = ^ -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$ ignoreregex = # DEV Notes: # # Version 2 # fixes the failregex so REFERERS that contain =http:// don't get blocked # (mentioned by "fasuto" (no real email provided... blog comment) in this entry: # http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489 # # Note: the chained .* wildcards in failregex backtrack heavily on long non-matching # request lines (which are attacker-controlled), so keep the regex anchored and do not loosen it further. # # Author: Arturo 'Buanzo' Busleiman selinux-common.conf000066600000001005150473026100010366 0ustar00# Fail2Ban configuration file for generic SELinux audit messages # # This file is not intended to be used directly, and should be included into a # filter file which would define the following variables. See selinux-ssh.conf as # an example. # # _type # _uid # _auid # _subj # _msg # # Also one of these variables must include <HOST>. 
[Definition] failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$ ignoreregex = # Author: Daniel Black courier-auth.conf000066600000000611150473026100010022 0ustar00# Fail2Ban filter for courier authentication failures # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = (?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)? failregex = ^%(__prefix_line)sLOGIN FAILED, user=.*, ip=\[\]$ ignoreregex = # Author: Christoph Haas # Modified by: Cyril Jaquier sogo-auth.conf000066600000000730150473026100007323 0ustar00# Fail2ban filter for SOGo authentication # # Log file usually in /var/log/sogo/sogo.log [Definition] failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '' for user '.*' might not have worked( - password policy: \d* grace: -?\d* expire: -?\d* bound: -?\d*)?\s*$ ignoreregex = # # DEV Notes: # # The error log may contain multiple hosts, where the first one # is the client and all others are proxies. We match the first one only. # # Author: Arnd Brandes drupal-auth.conf000066600000001055150473026100007644 0ustar00# Fail2Ban filter to block repeated failed login attempts to Drupal site(s) # # # Drupal must be set up to use Syslog, which defaults to the following format: # # !base_url|!timestamp|!type|!ip|!request_uri|!referer|!uid|!link|!message # # [INCLUDES] before = common.conf [Definition] failregex = ^%(__prefix_line)s(https?:\/\/)([\da-z\.-]+)\.([a-z\.]{2,6})(\/[\w\.-]+)*\|\d{10}\|user\|\|.+\|.+\|\d\|.*\|Login attempt failed for .+\.$ ignoreregex = # DEV Notes: # # https://www.drupal.org/documentation/modules/syslog # # Author: Lee Clemens freeswitch.conf000066600000001703150473026100007561 0ustar00# Fail2Ban configuration file # # Enable "log-auth-failures" on each Sofia profile to monitor # # -- this requires a high enough loglevel on your logs to save these messages. 
# # In the fail2ban jail.local file for this filter set ignoreip to the internal # IP addresses on your LAN. # [Definition] failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip $ ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from $ ignoreregex = # Author: Rupa SChomaker, soapee01, Daniel Black # https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban # Thanks to Jim on the mailing list for samples and guidance # # No need to match the following. It's a duplicate of the SIP auth regex. # ^\.\d+ \[DEBUG\] sofia\.c:\d+ IP Rejected by acl "\S+"\. Falling back to Digest auth\.$ haproxy-http-auth.conf000066600000002206150473026100011023 0ustar00# Fail2Ban filter configuration file to match failed login attempts to # HAProxy HTTP Authentication protected servers. # # PLEASE NOTE - When a user first hits the HTTP Auth a 401 is returned by the server # which prompts their browser to ask for login details. # This initial 401 is logged by HAProxy. # In other words, even successful logins will have at least 1 fail regex match. # Please keep this in mind when setting findtime and maxretry for jails. # # Author: Jordan Moeser # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = haproxy # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # failregex = ^%(__prefix_line)s.* -1/-1/-1/-1/\+*\d* 401 # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. 
# Values: TEXT # ignoreregex = uwimap-auth.conf000066600000000566150473026100007665 0ustar00# Fail2Ban filter for uwimap # [INCLUDES] before = common.conf [Definition] _daemon = (?:ipop3d|imapd) failregex = ^%(__prefix_line)sLogin (?:failed|excessive login failures|disabled|SYSTEM BREAK-IN ATTEMPT) user=\S* auth=\S* host=.*\[\]\s*$ ^%(__prefix_line)sFailed .* override of user=.* host=.*\[\]\s*$ ignoreregex = # Author: Amir Caspi common.conf000066600000003507150473026100006712 0ustar00# Generic configuration items (to be used as interpolations) in other # filters or actions configurations # [INCLUDES] # Load customizations if any available after = common.local [DEFAULT] # Daemon definition is to be specialized (if needed) in .conf file _daemon = \S* # # Shortcuts for easier comprehension of the failregex # # PID. # EXAMPLES: [123] __pid_re = (?:\[\d+\]) # Daemon name (with optional source_file:line or whatever) # EXAMPLES: pam_rhosts_auth, [sshd], pop(pam_unix) __daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:? # extra daemon info # EXAMPLE: [ID 800047 auth.info] __daemon_extra_re = \[ID \d+ \S+\] # Combinations of daemon name and PID # EXAMPLES: sshd[31607], pop(pam_unix)[4920] __daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:?) # Some messages have a kernel prefix with a timestamp # EXAMPLES: kernel: [769570.846956] __kernel_prefix = kernel: \[ *\d+\.\d+\] __hostname = \S+ # A MD5 hex # EXAMPLES: 07:06:27:55:b0:e3:0c:3c:5a:28:2d:7c:7e:4c:77:5f __md5hex = (?:[\da-f]{2}:){15}[\da-f]{2} # bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or # appearing before the host as per testcases/files/logs/bsd/*. __bsd_syslog_verbose = <[^.]+\.[^.]+> __vserver = @vserver_\S+ __date_ambit = (?:\[\]) # Common line prefixes (beginnings) which could be used in filters # # [bsdverbose]? 
[hostname] [vserver tag] daemon_id spaces # # This can be optional (for instance if we match named native log files) __prefix_line = %(__date_ambit)s?\s*(?:%(__bsd_syslog_verbose)s\s+)?(?:%(__hostname)s\s+)?(?:%(__kernel_prefix)s\s+)?(?:%(__vserver)s\s+)?(?:%(__daemon_combs_re)s\s+)?(?:%(__daemon_extra_re)s\s+)? # PAM authentication mechanism check for failures, e.g.: pam_unix, pam_sss, # pam_ldap __pam_auth = pam_unix # Author: Yaroslav Halchenko sshd.conf000066600000006130150473026100006356 0ustar00# Fail2Ban filter for openssh # # If you want to protect OpenSSH from being bruteforced by password # authentication then get public key authentication working before disabling # PasswordAuthentication in sshd_config. # # # "Connection from port \d+" requires LogLevel VERBOSE in sshd_config # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = sshd failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error|failed) for .* from ( via \S+)?\s*$ ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from \s*$ ^%(__prefix_line)sFailed \S+ for (?Pinvalid user )?(?P(?P\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from (?: port \d+)?(?: ssh\d*)?(?(cond_user):|(?:(?:(?! from ).)*)$) ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? 
from (?: port \d+)?\s*$ ^%(__prefix_line)sUser .+ from not allowed because not listed in AllowUsers\s*$ ^%(__prefix_line)sUser .+ from not allowed because listed in DenyUsers\s*$ ^%(__prefix_line)sUser .+ from not allowed because not in any group\s*$ ^%(__prefix_line)srefused connect from \S+ \(\)\s*$ ^%(__prefix_line)s(?:error: )?Received disconnect from : 3: .*: Auth fail(?: \[preauth\])?$ ^%(__prefix_line)sUser .+ from not allowed because a group is listed in DenyGroups\s*$ ^%(__prefix_line)sUser .+ from not allowed because none of user's groups are listed in AllowGroups\s*$ ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked(?P=__prefix)(?:error: )?Received disconnect from : 11: .+ \[preauth\]$ ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\](?P=__prefix)(?:error: )?Connection closed by \[preauth\]$ ^(?P<__prefix>%(__prefix_line)s)Connection from port \d+(?: on \S+ port \d+)?(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$ ^%(__prefix_line)s(error: )?maximum authentication attempts exceeded for .* from (?: port \d*)?(?: ssh\d*)? \[preauth\]$ ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=\s.*$ ignoreregex = [Init] # "maxlines" is number of log lines to buffer for multi-line regex searches maxlines = 10 journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd # DEV Notes: # # "Failed \S+ for .*? from ..." failregex uses non-greedy catch-all because # it is coming before use of which is not hard-anchored at the end as well, # and later catch-all's could contain user-provided input, which need to be greedily # matched away first. # # Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black exim.conf000066600000003422150473026100006360 0ustar00# Fail2Ban filter for exim # # This includes the rejection messages of exim. 
For spam and filter # related bans use the exim-spam.conf # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # exim-common.local before = exim-common.conf [Definition] failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$ ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$ ^%(pid)s %(host_info)sF=(?:<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user)\s*$ ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$ ^%(pid)s SMTP call from \S+ %(host_info)sdropped: too many nonmail commands \(last was "\S+"\)\s*$ ^%(pid)s SMTP protocol error in "AUTH \S*(?: \S*)?" %(host_info)sAUTH command used when not advertised\s*$ ^%(pid)s no MAIL in SMTP connection from (?:\S* )?(?:\(\S*\) )?%(host_info)sD=\d+s(?: C=\S*)?\s*$ ^%(pid)s \S+ SMTP connection from (?:\S* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$ ignoreregex = # DEV Notes: # The %(host_info) definition contains a match # # SMTP protocol synchronization error \([^)]*\) <- This needs to be non-greedy # to avoid capturing beyond ")" and so avoid a DoS injection vulnerability, as input= is # user-injectable data. 
# # Author: Cyril Jaquier # Daniel Black (rewrote with strong regexs) # Martin O'Neal (added additional regexs to detect authentication failures, protocol errors, and drops) kerio.conf000066600000000742150473026100006531 0ustar00# Fail2ban filter for kerio [Definition] failregex = ^ SMTP Spam attack detected from , ^ IP address found in DNS blacklist \S+, mail from \S+ to \S+$ ^ Relay attempt from IP address ^ Attempt to deliver to unknown recipient \S+, from \S+, IP address $ ignoreregex = [Init] datepattern = ^\[%%d/%%b/%%Y %%H:%%M:%%S\] # DEV NOTES: # # Author: A.P. Lawrence # # Based off: http://aplawrence.com/Kerio/fail2ban.html apache-badbots.conf000066600000005271150473026100010257 0ustar00# Fail2Ban configuration file # # Regexp to catch known spambots and software alike. Please verify # that it is your intent to block IPs which were driven by # above mentioned bots. [Definition] badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 \+http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; 
scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots, \+http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00 failregex = ^ -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$ ignoreregex = # DEV Notes: # List of bad bots fetched from http://www.user-agents.org # Generated on Thu Nov 7 14:23:35 PST 2013 by files/gen_badbots. # # Author: Yaroslav Halchenko vsftpd.conf000066600000001175150473026100006727 0ustar00# Fail2Ban filter for vsftp # # Configure VSFTP for "dual_log_enable=YES", and have fail2ban watch # /var/log/vsftpd.log instead of /var/log/secure. vsftpd.log file shows the # incoming ip address rather than domain names. [INCLUDES] before = common.conf [Definition] __pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:? _daemon = vsftpd failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? 
ruser=\S* rhost=(?:\s+user=.*)?\s*$ ^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client ""(?:\s*$|,) ignoreregex = # Author: Cyril Jaquier # Documentation from fail2ban wiki postfix.conf000066600000002411150473026100007107 0ustar00# Fail2Ban filter for selected Postfix SMTP rejections # # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds] failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 554 5\.7\.1 .*$ ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$ ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$ ^%(__prefix_line)sNOQUEUE: reject: EHLO from \S+\[\]: 504 5\.5\.2 <\S+>: Helo command rejected: need fully-qualified hostname; ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[\]: 550 5\.1\.1 .*$ ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 450 4\.1\.8 <\S*>: Sender address rejected: Domain not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$ ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[\]:?$ ignoreregex = [Init] journalmatch = _SYSTEMD_UNIT=postfix.service # Author: Cyril Jaquier suhosin.conf000066600000001205150473026100007103 0ustar00# Fail2Ban filter for suhosian PHP hardening # # This occurs with lighttpd or directly from the plugin # [INCLUDES] # Read common prefixes. 
If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = (?:lighttpd|suhosin) _lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s) failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .* \(attacker '', file '.*'(?:, line \d+)?\)$ ignoreregex = # DEV Notes: # # https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161 # # Author: Arturo 'Buanzo' Busleiman oracleims.conf000066600000003561150473026100007400 0ustar00# Fail2Ban configuration file # for Oracle IMS with XML logging # # Author: Joel Snyder/jms@opus1.com/2014-June-01 # # [INCLUDES] # Read common prefixes. # If any customizations available -- read them from # common.local before = common.conf [Definition] # Option: failregex # Notes.: regex to match the password failures messages # in the logfile. The host must be matched by a # group named "host". The tag "" can # be used for standard IP/hostname matching and is # only an alias for # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # # # CONFIGURATION REQUIREMENTS FOR ORACLE IMS v6 and ABOVE: # # In OPTION.DAT you must have LOG_FORMAT=4 and # bit 5 of LOG_CONNECTION must be set. # # Many of these sub-fields are optional and can be turned on and off # by the system manager. We need the "tr" field # (transport information (present if bit 5 of LOG_CONNECTION is # set and transport information is available)). # "di" should be there by default if you have LOG_FORMAT=4. # Do not use "mi" as this is not included by default. # # Typical line IF YOU ARE USING TAGGING ! ! ! is: # # Format is generally documented in the PORT_ACCESS mapping # at http://docs.oracle.com/cd/E19563-01/819-4428/bgaur/index.html # # All that would be on one line. # Note that you MUST have LOG_FORMAT=4 for this to work! 
# failregex = ^.*tr="[A-Z]+\|[0-9.]+\|\d+\|\|\d+" ap="[^"]*" mi="Bad password" us="[^"]*" di="535 5.7.8 Bad username or password( \(Authentication failed\))?\."/>$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = horde.conf000066600000000624150473026100006520 0ustar00# fail2ban filter configuration for horde [Definition] failregex = ^ HORDE \[error\] \[(horde|imp)\] FAILED LOGIN for \S+ \[\](\(forwarded for \[\S+\]\))? to (Horde|{[^}]+}) \[(pid \d+ )?on line \d+ of \S+\]$ ignoreregex = # DEV NOTES: # https://github.com/horde/horde/blob/master/imp/lib/Auth.php#L132 # https://github.com/horde/horde/blob/master/horde/login.php # # Author: Daniel Black slapd.conf000066600000001302150473026100006514 0ustar00# slapd (Stand-alone LDAP Daemon) openldap daemon filter # # Detecting invalid credentials: error code 49 # http://www.openldap.org/doc/admin24/appendix-ldap-result-codes.html#invalidCredentials (49) [INCLUDES] # Read common prefixes. 
If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = slapd failregex = ^(?P<__prefix>%(__prefix_line)s)conn=(?P<_conn_>\d+) fd=\d+ ACCEPT from IP=:\d{1,5} \(IP=\S+\)\s*(?P=__prefix)conn=(?P=_conn_) op=\d+ RESULT(?:\s(?!err)\S+=\S*)* err=49 text=[\w\s]*$ ignoreregex = [Init] # "maxlines" is number of log lines to buffer for multi-line regex searches maxlines = 20 # Author: Andrii Melnyk squirrelmail.conf000066600000000307150473026100010126 0ustar00 [Definition] failregex = ^ \[LOGIN_ERROR\].*from : Unknown user or password incorrect\.$ ignoreregex = [Init] datepattern = ^%%m/%%d/%%Y %%H:%%M:%%S # DEV NOTES: # # Author: Daniel Black sendmail-auth.conf000066600000000512150473026100010146 0ustar00# Fail2Ban filter for sendmail authentication failures # [INCLUDES] before = common.conf [Definition] _daemon = (?:sm-(mta|acceptingconnections)) failregex = ^%(__prefix_line)s\w{14}: (\S+ )?\[\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$ ignoreregex = # DEV Notes: # # Author: Daniel Black apache-shellshock.conf000066600000001766150473026100011005 0ustar00# Fail2Ban filter to block web requests containing custom headers attempting to exploit the shellshock bug # # [INCLUDES] # overwrite with apache-common.local if _apache_error_client is incorrect. 
before = apache-common.conf [Definition] failregex = ^%(_apache_error_client)s (AH01215: )?/bin/(ba)?sh: warning: HTTP_.*?: ignoring function definition attempt(, referer: \S+)?\s*$ ^%(_apache_error_client)s (AH01215: )?/bin/(ba)?sh: error importing function definition for `HTTP_.*?'(, referer: \S+)?\s*$ ignoreregex = # DEV Notes: # # https://wiki.apache.org/httpd/ListOfErrors for apache error IDs # # example log lines: # [Thu Sep 25 09:27:18.813902 2014] [cgi:error] [pid 16860] [client 89.207.132.76:59635] AH01215: /bin/bash: warning: HTTP_TEST: ignoring function definition attempt # [Thu Sep 25 09:29:56.141832 2014] [cgi:error] [pid 16864] [client 162.247.73.206:41273] AH01215: /bin/bash: error importing function definition for `HTTP_TEST' # # Author: Eugene Hopkinson (riot@riot.so) directadmin.conf000066600000000531150473026100007677 0ustar00# Fail2Ban configuration file for Directadmin # # # [INCLUDES] before = common.conf [Definition] failregex = ^: \'\' \d{1,3} failed login attempt(s)?. \s* ignoreregex = [Init] datepattern = ^%%Y:%%m:%%d-%%H:%%M:%%S # # Requires Directadmin v1.45.3 or higher. http://www.directadmin.com/features.php?id=1590 # # Author: Cyril Roos apache-noscript.conf000066600000002243150473026100010476 0ustar00# Fail2Ban filter to block web requests for scripts (on non scripted websites) # # This matches many types of scripts that don't exist. This could generate a # lot of false positive matches in cases like wikis and forums where users # not affiliated with the website can insert links to missing files/scripts into # pages and cause non-malicious browsers of the site to trigger against this # filter. # # If you'd like to match specific URLs that don't exist see the # apache-botsearch filter. # [INCLUDES] # overwrite with apache-common.local if _apache_error_client is incorrect. 
before = apache-common.conf [Definition] failregex = ^%(_apache_error_client)s ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): /\S*(php([45]|[.-]cgi)?|\.asp|\.exe|\.pl)(, referer: \S+)?\s*$ ^%(_apache_error_client)s script '/\S*(php([45]|[.-]cgi)?|\.asp|\.exe|\.pl)\S*' not found or unable to stat(, referer: \S+)?\s*$ ignoreregex = # DEV Notes: # # https://wiki.apache.org/httpd/ListOfErrors for apache error IDs # # Second regex, script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$ is in httpd-2.2 # # Author: Cyril Jaquier asterisk.conf000066600000004613150473026100007246 0ustar00# Fail2Ban filter for asterisk authentication failures # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = asterisk __pid_re = (?:\[\d+\]) iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4} # All Asterisk log messages begin like this: log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)? failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed for '(:\d+)?' 
- (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$ ^%(__prefix_line)s%(log_prefix)s Call from '[^']*' \(:\d+\) to extension '[^']*' rejected because extension not found in context ^%(__prefix_line)s%(log_prefix)s Host failed to authenticate as '[^']*'$ ^%(__prefix_line)s%(log_prefix)s No registration for peer '[^']*' \(from \)$ ^%(__prefix_line)s%(log_prefix)s Host failed MD5 authentication for '[^']*' \([^)]+\)$ ^%(__prefix_line)s%(log_prefix)s Failed to authenticate (user|device) [^@]+@\S*$ ^%(__prefix_line)s%(log_prefix)s hacking attempt detected ''$ ^%(__prefix_line)s%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)//\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$ ^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from "$ ^%(__prefix_line)s%(log_prefix)s Request (?:'[^']*' )?from '[^']*' failed for '(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$ ignoreregex = # Author: Xavier Devlamynck / Daniel Black # # General log format - main/logger.c:ast_log # Address format - ast_sockaddr_stringify # # First regex: channels/chan_sip.c # # main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog solid-pop3d.conf000066600000002106150473026100007551 0ustar00# Fail2Ban filter for unsuccessful solid-pop3 authentication attempts # # Doesn't currently provide PAM support as PAM log messages don't include rhost as # remote IP. 
# [INCLUDES] before = common.conf [Definition] _daemon = solid-pop3d failregex = ^%(__prefix_line)sauthentication failed: (no such user|can't map user name): .*? - $ ^%(__prefix_line)s(APOP )?authentication failed for (mapped )?user .*? - $ ^%(__prefix_line)sroot login not allowed - $ ^%(__prefix_line)scan't find APOP secret for user .*? - $ ignoreregex = # DEV Notes: # # solid-pop3d needs to be compiled with --enable-logextend to support # IP addresses in log messages. # # solid-pop3d-0.15/src/main.c contains all authentication errors # except for PAM authentication messages ( src/authenticate.c ) # # A pam authentication failure message (note no IP for rhost). # Nov 17 23:17:50 emf1pt2-2-35-70 solid-pop3d[17176]: pam_unix(solid-pop3d:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=jacques # # Authors: Daniel Black sieve.conf000066600000000563150473026100006534 0ustar00# Fail2Ban filter for sieve authentication failures # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = (?:cyrus/)?(?:tim)?sieved? 
failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[\] \S+ authentication failure$ ignoreregex = # Author: Jan Wagner postfix-sasl.conf000066600000000742150473026100010054 0ustar00# Fail2Ban filter for postfix authentication failures # [INCLUDES] before = common.conf [Definition] _daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds] failregex = ^%(__prefix_line)swarning: [-._\w]+\[\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$ ignoreregex = authentication failed: Connection lost to authentication server$ [Init] journalmatch = _SYSTEMD_UNIT=postfix.service # Author: Yaroslav Halchenko groupoffice.conf000066600000000354150473026100007727 0ustar00# Fail2Ban filter for Group-Office # # Enable logging with: # $config['info_log']='/home/groupoffice/log/info.log'; # [Definition] failregex = ^\[\]LOGIN FAILED for user: "\S+" from IP: $ ignoreregex = # Author: Daniel Black roundcube-auth.conf000066600000002527150473026100010350 0ustar00# Fail2Ban configuration file for roundcube web server # # By default failed logins are printed to 'errors'. The first regex matches those # The second regex matches those printed to 'userlogins' # The userlogins log file can be enabled by setting $config['log_logins'] = true; in config.inc.php # # The logpath in your jail can be updated to userlogins if you wish # [INCLUDES] before = common.conf [Definition] failregex = ^\s*(\[\])?(%(__hostname)s\s*(roundcube:)?\s*(<[\w]+>)? IMAP Error)?: (FAILED login|Login failed) for .*? from (\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$ ^\[\]:\s*(<[\w]+>)? Failed login for [\w\-\.\+]+(@[\w\-\.\+]+\.[a-zA-Z]{2,6})? from in session \w+( \(error: \d\))?$ ignoreregex = # DEV Notes: # # Source: https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_imap.php#L180 # # Part after comes straight from IMAP server up until the " in ....." # Earlier versions didn't log the IMAP response hence optional. 
# # DoS resistance: # # Assume that the user can inject "from " into the imap response # somehow. Write test cases around this to ensure that the combination of # arbitrary user input and IMAP response doesn't inject the wrong IP for # fail2ban # # Author: Teodor Micu & Yaroslav Halchenko & terence namusonge & Daniel Black & Lee Clemens postfix-rbl.conf000066600000000706150473026100007671 0ustar00# Fail2Ban filter for Postfix's RBL based Blocked hosts # # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = postfix(-\w+)?/smtpd failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 454 4\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$ ignoreregex = # Author: Lee Clemens monit.conf000066600000001405150473026100006543 0ustar00# Fail2Ban filter for monit.conf, looks for failed access attempts # # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = monit # Regexp for previous (accessing monit httpd) and new (access denied) versions failregex = ^\[[A-Z]+\s+\]\s*error\s*:\s*Warning:\s+Client '' supplied (?:unknown user '[^']+'|wrong password for user '[^']*') accessing monit httpd$ ^%(__prefix_line)s\w+: access denied -- client : (?:unknown user '[^']+'|wrong password for user '[^']*'|empty password)$ # Ignore login with empty user (first connect, no user specified) # ignoreregex = %(__prefix_line)s\w+: access denied -- client : (?:unknown user '') ignoreregex = xinetd-fail.conf000066600000000767150473026100007633 0ustar00# Fail2Ban filter for xinetd failures # # Cfr.: /var/log/(daemon\.|sys)log # # [INCLUDES] # Read common prefixes. 
If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = xinetd failregex = ^%(__prefix_line)sFAIL: \S+ address from=$ ^%(__prefix_line)sFAIL: \S+ libwrap from=$ ignoreregex = # DEV Notes: # # libwrap => tcp wrappers: hosts.(allow|deny) # address => xinetd: deny_from|only_from # # Author: Guido Bozzetto apache-botsearch.conf000066600000002371150473026100010611 0ustar00# Fail2Ban filter to match web requests for selected URLs that don't exist # # This filter is aimed at blocking specific URLs that don't exist. This # could be a set of URLs placed in a Disallow: directive in robots.txt or # just some web services that don't exist, because bots are searching for # exploitable content. This filter is designed to have a low false positive # rate. # # An alternative to this is the apache-noscript filter which blocks all # types of scripts that don't exist. # # # This is normally a predefined list of exploitable or valuable web services # that are hidden or aren't actually installed. # [INCLUDES] # overwrite with apache-common.local if _apache_error_client is incorrect. # Load regexes for filtering from botsearch-common.conf before = apache-common.conf botsearch-common.conf [Definition] failregex = ^%(_apache_error_client)s ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): (, referer: \S+)?\s*$ ^%(_apache_error_client)s script '' not found or unable to stat(, referer: \S+)?\s*$ ignoreregex = [Init] # Webroot represents the webroot on which all other files are based webroot = /var/www/ # DEV Notes: # # Author: Daniel Blacknamed-refused.conf000066600000003072150473026100010136 0ustar00# Fail2Ban filter file for named (bind9). # # This filter blocks attacks against named (bind9) however it requires special # configuration on bind. # # By default, logging is off with bind9 installation. # # You will need something like this in your named.conf to provide proper logging. 
# # logging { # channel security_file { # file "/var/log/named/security.log" versions 3 size 30m; # severity dynamic; # print-time yes; # }; # category security { # security_file; # }; # }; [Definition] # Daemon name _daemon=named # Shortcuts for easier comprehension of the failregex __pid_re=(?:\[\d+\]) __daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:? __daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:) # hostname daemon_id spaces # this can be optional (for instance if we match named native log files) __line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)? failregex = ^%(__line_prefix)s( error:)?\s*client #\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$ ^%(__line_prefix)s( error:)?\s*client #\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$ ^%(__line_prefix)s( error:)?\s*client #\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$ ignoreregex = # DEV Notes: # Trying to generalize the # structure which is general to capture general patterns in log # lines to cover different configurations/distributions # # Author: Yaroslav Halchenko apache-fakegooglebot.conf000066600000000414150473026100011443 0ustar00# Fail2Ban filter for fake Googlebot User Agents [Definition] failregex = ^ .*Googlebot.*$ ignoreregex = # DEV Notes: # # Author: Lee Clemens # Thanks: Johannes B. Ullrich, Ph.D. # Reference: https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/ wuftpd.conf000066600000001010150473026100006716 0ustar00# Fail2Ban configuration file for wuftpd # # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = wu-ftpd __pam_re=\(?%(__pam_auth)s(?:\(wu-ftpd:auth\))?\)?:? failregex = ^%(__prefix_line)sfailed login from \S+ \[\]\s*$ ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? 
ruser=\S* rhost=(?:\s+user=.*)?\s*$ ignoreregex = # Author: Yaroslav Halchenko tine20.conf000066600000001465150473026100006524 0ustar00# Fail2Ban filter for Tine 2.0 authentication # # Enable logging with: # $config['info_log']='/var/log/tine20/tine20.log'; # [Definition] failregex = ^[\da-f]{5,} [\da-f]{5,} (-- none --|.*?)( \d+(\.\d+)?(h|m|s|ms)){0,2} - WARN \(\d+\): Tinebase_Controller::login::\d+ Login with username .*? from failed \(-[13]\)!$ ignoreregex = # Author: Mika (mkl) from Tine20.org forum: https://www.tine20.org/forum/viewtopic.php?f=2&t=15688&p=54766 # Editor: Daniel Black # Advisor: Lars Kneschke # # Usernames can contain spaces. # # Authentication: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Controller.php#l105 # Logger: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Log/Formatter.php # formatMicrotimeDiff: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Helper.php#l276 webmin-auth.conf000066600000000674150473026100007644 0ustar00# Fail2Ban filter for webmin # [INCLUDES] before = common.conf [Definition] _daemon = webmin failregex = ^%(__prefix_line)sNon-existent login as .+ from \s*$ ^%(__prefix_line)sInvalid login as .+ from \s*$ ignoreregex = # DEV Notes: # # pattern : webmin[15673]: Non-existent login as toto from 86.0.6.217 # webmin[29544]: Invalid login as root from 86.0.6.217 # # Rule Author: Delvit Guillaume apache-nohome.conf000066600000001124150473026100010117 0ustar00# Fail2Ban filter for web requests for home directories on Apache servers # # Regex to match failures to find a home directory on a server, which # has become popular recently. Most often the attacker just uses an IP instead of a # domain name -- so expect to see them in the generic error.log if you have # per-domain log files. [INCLUDES] # overwrite with apache-common.local if _apache_error_client is incorrect. 
before = apache-common.conf [Definition] failregex = ^%(_apache_error_client)s (AH00128: )?File does not exist: .*/~.* ignoreregex = # Author: Yaroslav O. Halchenko apache-common.conf000066600000001455150473026100010131 0ustar00# Generic configuration items (to be used as interpolations) in other # apache filters. [INCLUDES] # Load customizations if any available after = apache-common.local [DEFAULT] _apache_error_client = \[\] \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client (:\d{1,5})?\] # Common prefix for [error] apache messages which also would include # Depending on the version it could be # 2.2: [Sat Jun 01 11:23:08 2013] [error] [client 1.2.3.4] # 2.4: [Thu Jun 27 11:55:44.569531 2013] [core:info] [pid 4101:tid 2992634688] [client 1.2.3.4:46652] # 2.4 (perfork): [Mon Dec 23 07:49:01.981912 2013] [:error] [pid 3790] [client 204.232.202.107:46301] script '/var/www/timthumb.php' not found or unable to # # Reference: https://github.com/fail2ban/fail2ban/issues/268 # # Author: Yaroslav Halchenko portsentry.conf000066600000000274150473026100007651 0ustar00# Fail2Ban filter for failure attempts in Counter Strike-1.6 # # [Definition] failregex = \/ Port\: [0-9]+ (TCP|UDP) Blocked$ ignoreregex = # Author: Pacop screensharingd.conf000066600000001465150473026100010422 0ustar00# Fail2Ban configuration file # # Author: Simon Brown # # Filter for Mac OS X Screen Sharing service [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = screensharingd # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # failregex = ^%(__prefix_line)sAuthentication: FAILED :: User Name: .+ :: Viewer Address: :: Type: DH$ # Option: ignoreregex # Notes.: regex to ignore. 
If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = apache-auth.conf000066600000006251150473026100007601 0ustar00# Fail2Ban apache-auth filter # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # apache-common.local before = apache-common.conf [Definition] failregex = ^%(_apache_error_client)s (AH(01797|01630): )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$ ^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$ ^%(_apache_error_client)s (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$ ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*(, referer: \S+)?\s*$ ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$ ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*?: password mismatch: \S*(, referer: \S+)?\s*$ ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*?' in realm `.+' (not found|denied by provider): \S*(, referer: \S+)?\s*$ ^%(_apache_error_client)s (AH01631: )?user .*?: authorization failure for "\S*":(, referer: \S+)?\s*$ ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+(, referer: \S+)?\s*$ ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*?' but expected `.+'(, referer: \S+)?\s*$ ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*?' received: \S*(, referer: \S+)?\s*$ ^%(_apache_error_client)s (AH01793: )?invalid qop `.*?' received: \S*(, referer: \S+)?\s*$ ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .*? received - user attempted time travel(, referer: \S+)?\s*$ ignoreregex = # DEV Notes: # # This filter matches the authorization failures of Apache. 
It takes the log messages # from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or # HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR. # # An unauthorized response 401 is the first step for a browser to instigate authentication # however apache doesn't log this as an error. Only subsequent errors are logged in the # error log. # # Source: # # By searching the code in http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/* # for ap_log_rerror(APLOG_MARK, APLOG_ERR and examining resulting return code should get # all of these expressions. Lots of submodules like mod_authz_* return back to mod_authz_core # to return the actual failure. # # See also: http://wiki.apache.org/httpd/ListOfErrors # Expressions that don't have tests and aren't common. # more be added with https://issues.apache.org/bugzilla/show_bug.cgi?id=55284 # ^%(_apache_error_client)s (AH01778: )?user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$ # ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$ # ^%(_apache_error_client)s (AH02486: )?realm mismatch - got `.*' but no realm specified\s*$ # # referer is always in error log messages if it exists added as per the log_error_core function in server/log.c # # Author: Cyril Jaquier # Major edits by Daniel Black apache-pass.conf000066600000000532150473026100007602 0ustar00# Fail2Ban Apache pass filter # This filter is for access.log, NOT for error.log # # The knocking request must have a referer. 
[INCLUDES] before = apache-common.conf [Definition] failregex = ^ - \w+ \[\] "GET HTTP/1\.[01]" 200 \d+ ".*" "[^-].*"$ ignoreregex = [Init] knocking_url = /knocking/ # Author: Viktor Szépe perdition.conf000066600000001070150473026100007410 0ustar00# Fail2Ban filter for perdition # # [INCLUDES] before = common.conf [Definition] _daemon=perdition.\S+ failregex = ^%(__prefix_line)sAuth: :\d+->(\d{1,3}\.){3}\d{1,3}:\d+ client-secure=\S+ authorisation_id=NONE authentication_id=".+" server="\S+" protocol=\S+ server-secure=\S+ status="failed: (local authentication failure|Re-Authentication Failure)"$ ^%(__prefix_line)sFatal Error reading authentication information from client :\d+->(\d{1,3}\.){3}\d{1,3}:\d+: Exiting child$ ignoreregex = # Author: Christophe Carles and Daniel Black courier-smtp.conf000066600000000752150473026100010052 0ustar00# Fail2Ban filter to block relay attempts through a Courier smtp server # # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = courieresmtpd failregex = ^%(__prefix_line)serror,relay=,.*: 550 User (<.*> )?unknown\.?$ ^%(__prefix_line)serror,relay=,msg="535 Authentication failed\.",cmd:( AUTH \S+)?( [0-9a-zA-Z\+/=]+)?(?: \S+)$ ignoreregex = # Author: Cyril Jaquier dropbear.conf000066600000003240150473026100007212 0ustar00# Fail2Ban filter for dropbear # # NOTE: The regex below is ONLY intended to work with a patched # version of Dropbear as described here: # http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches # ^%(__prefix_line)sexit before auth from .*\s*$ # # The standard Dropbear output doesn't provide enough information to # ban all types of attack. The Dropbear patch adds IP address # information to the 'exit before auth' message which is always # produced for any form of non-successful login. It is that message # which this file matches. # # More information: http://bugs.debian.org/546913 [INCLUDES] # Read common prefixes. 
If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = dropbear failregex = ^%(__prefix_line)s[Ll]ogin attempt for nonexistent user ('.*' )?from :\d+$ ^%(__prefix_line)s[Bb]ad (PAM )?password attempt for .+ from (:\d+)?$ ^%(__prefix_line)s[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from :\d+\s*$ ignoreregex = # DEV Notes: # # The first two regexes here match the unmodified dropbear messages. It isn't # possible to match the source of the 'exit before auth' messages from dropbear # as they don't include the "from " bit. # # The second last failregex line we need to match with the modified dropbear. # # For the second regex the following apply: # # http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c # http://svn.dd-wrt.com/changeset/16642#file64 # # http://svn.dd-wrt.com/changeset/16642/src/router/dropbear/svr-authpasswd.c # # Author: Francis Russell # Zak B. Elep mysqld-auth.conf000066600000001573150473026100007673 0ustar00# Fail2Ban filter for unsuccessful MySQL authentication attempts # # # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld]: # log-error=/var/log/mysqld.log # log-warning = 2 # # If using mysql syslog [mysql_safe] has syslog in /etc/my.cnf [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = mysqld failregex = ^%(__prefix_line)s(?:\d+ |\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[\w+\] Access denied for user '[^']+'@'' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$ ignoreregex = # DEV Notes: # # Technically __prefix_line can equate to an empty string hence it can support # syslog and non-syslog at once. # Example: # 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES) # # Authors: Artur Penttinen # Yaroslav O. 
Halchenko selinux-ssh.conf000066600000001072150473026100007677 0ustar00# Fail2Ban configuration file for SELinux ssh authentication errors # [INCLUDES] after = selinux-common.conf [Definition] _type = USER_(ERR|AUTH) _uid = 0 _auid = \d+ _subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023 _exe =/usr/sbin/sshd _terminal = ssh _msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr= terminal=%(_terminal)s res=failed # DEV Notes: # # Note: USER_LOGIN is ignored as this is the duplicate message # ssh logs after 3 USER_AUTH failures. # # Author: Daniel Black apache-overflows.conf000066600000003720150473026100010664 0ustar00# Fail2Ban filter to block web requests of a long or suspicious nature # [INCLUDES] # overwrite with apache-common.local if _apache_error_client is incorrect. before = apache-common.conf [Definition] failregex = ^%(_apache_error_client)s ((AH0013[456]: )?Invalid (method|URI) in request .*( - possible attempt to establish SSL connection on non-SSL port)?|(AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string: .*|AH00566: request failed: invalid characters in URI)(, referer: \S+)?$ ignoreregex = # DEV Notes: # # fgrep -r 'URI too long' httpd-2.* # httpd-2.2.25/server/protocol.c: "request failed: URI too long (longer than %d)", r->server->limit_req_line); # httpd-2.4.4/server/protocol.c: "request failed: URI too long (longer than %d)", # # fgrep -r 'in request' ../httpd-2.* | fgrep Invalid # httpd-2.2.25/server/core.c: "Invalid URI in request %s", r->the_request); # httpd-2.2.25/server/core.c: "Invalid method in request %s", r->the_request); # httpd-2.2.25/docs/manual/rewrite/flags.html.fr:avertissements 'Invalid URI in request'. 
# httpd-2.4.4/server/core.c: "Invalid URI in request %s", r->the_request); # httpd-2.4.4/server/core.c: "Invalid method in request %s - possible attempt to establish SSL connection on non-SSL port", r->the_request); # httpd-2.4.4/server/core.c: "Invalid method in request %s", r->the_request); # # fgrep -r 'invalid characters in URI' httpd-2.* # httpd-2.4.4/server/protocol.c: "request failed: invalid characters in URI"); # # http://svn.apache.org/viewvc/httpd/httpd/trunk/server/core.c?r1=739382&r2=739620&pathrev=739620 # ...possible attempt to establish SSL connection on non-SSL port # # https://wiki.apache.org/httpd/ListOfErrors # Author: Tim Connors proftpd.conf000066600000002300150473026100007066 0ustar00# Fail2Ban filter for the Proftpd FTP daemon # # Set "UseReverseDNS off" in proftpd.conf to avoid the need for DNS. # See: http://www.proftpd.org/docs/howto/DNS.html # When the default locale for your system is not en_US.UTF-8, # on Debian-based systems be sure to add this to /etc/default/proftpd # export LC_TIME="en_US.UTF-8" [INCLUDES] before = common.conf [Definition] _daemon = proftpd __suffix_failed_login = (User not authorized for login|No such user found|Incorrect password|Password expired|Account disabled|Invalid shell: '\S+'|User in \S+|Limit (access|configuration) denies login|Not a UserAlias|maximum login length exceeded).? failregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$ ^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ USER .* \(Login failed\): %(__suffix_failed_login)s\s*$ ^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ SECURITY VIOLATION: .* login attempted\. 
*$ ^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$ ignoreregex = # Author: Yaroslav Halchenko # Daniel Black - hardening of regex botsearch-common.conf000066600000001010150473026100010645 0ustar00# Generic configuration file for -botsearch filters [Init] # Block is the actual non-found directories to block block = \/?(|||cgi-bin|mysqladmin)[^,]* # These are just convenient definitions that assist the blocking of stuff that # isn't installed webmail = roundcube|(ext)?mail|horde|(v-?)?webmail phpmyadmin = (typo3/|xampp/|admin/|)(pma|(php)?[Mm]y[Aa]dmin) wordpress = wp-(login|signup|admin)\.php # DEV Notes: # Taken from apache-botsearch filter # # Author: Frantisek Sumsal cyrus-imap.conf000066600000000673150473026100007514 0ustar00# Fail2Ban filter for authentication failures on Cyrus imap server # # # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = (?:cyrus/)?(?:imap(d|s)?|pop3(d|s)?) failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[\] \S+ .*?\[?SASL\(-13\): (authentication failure|user not found): .*\]?$ ignoreregex = # Author: Jan Wagner exim-spam.conf000066600000004156150473026100007323 0ustar00# Fail2Ban filter for exim's spam rejection messages # # Honeypot traps are very useful for fighting spam. You just activate an email # address on your domain that you do not intend to use at all, and that normal # people are unlikely to use when contacting you. It may be something that # spammers often test. You can also hide the address on a web page to be picked # by spam spiders. Or simply parse your mail logs for an invalid address # already being frequently targeted by spammers. Enable the address and # redirect it to the blackhole. In Exim's alias file, you would add the # following line (assuming the address is honeypot@yourdomain.com): # # honeypot: :blackhole: # # For the SA: Action: silently tossed message... 
to be logged, exim's SAdevnull option needs to be used. # # To use this filter, jail.local should contain, in the right jail: # # filter = exim-spam[honeypot=honeypot@yourdomain.com] # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # exim-common.local before = exim-common.conf [Definition] failregex = ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$ ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: .*dnsbl.*\s*$ ^%(pid)s \S+ %(host_info)sF=(<>|[^@]+@\S+) rejected after DATA: This message contains a virus \(\S+\)\.\s*$ ^%(pid)s \S+ SA: Action: flagged as Spam but accepted: score=\d+\.\d+ required=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=\S+ \[\]\) for $ ^%(pid)s \S+ SA: Action: silently tossed message: score=\d+\.\d+ required=\d+\.\d+ trigger=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=(\S+ )?\[\]\) for \S+$ ignoreregex = [Init] # Option: honeypot # Notes.: honeypot is an email address that isn't published anywhere that a # legitimate email sender would send email to. # Values: email address honeypot = trap@example.com # DEV Notes: # The %(host_info) definition contains a match # # Author: Cyril Jaquier # Daniel Black (rewrote with strong regexes) froxlor-auth.conf000066600000002271150473026100010051 0ustar00# Fail2Ban configuration file to block repeated failed login attempts to Froxlor installation(s) # # Froxlor needs to log to Syslog User (e.g. /var/log/user.log) with one of the following messages # Froxlor: [Login Action ] Unknown user '' tried to login. # Froxlor: [Login Action ] User '' tried to login with wrong password. # # Author: Joern Muehlencord # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = Froxlor # Option: failregex # Notes.: regex to match the password failure messages in the logfile. 
The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # failregex = ^%(__prefix_line)s\[Login Action \] Unknown user \S* tried to login.$ ^%(__prefix_line)s\[Login Action \] User \S* tried to login with wrong password.$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = stunnel.conf000066600000000553150473026100007110 0ustar00# Fail2ban filter for stunnel [Definition] failregex = ^ LOG\d\[\d+:\d+\]:\ SSL_accept from :\d+ : (?P[\dA-F]+): error:(?P=CODE):SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate$ ignoreregex = # DEV NOTES: # # Author: Daniel Black # # Based off: http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#stunnel4 nginx-limit-req.conf000066600000002623150473026100010444 0ustar00# Fail2ban filter configuration for nginx :: limit_req # used to ban hosts that were rejected by nginx's request-rate limiting (limit_req) # # Author: Serg G. Brester (sebres) # # To use the 'nginx-limit-req' filter you should have `ngx_http_limit_req_module` # and define `limit_req` and `limit_req_zone` as described in the nginx documentation # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html # # Example: # # http { # ... # limit_req_zone $binary_remote_addr zone=lr_zone:10m rate=1r/s; # ... # # http, server, or location: # location ... { # limit_req zone=lr_zone burst=1 nodelay; # ... # } # ... # } # ... # [Definition] # Specify the following expression to define exact zones, if you want to ban IPs limited # from the specified zones only. # Example: # # ngx_limit_req_zones = lr_zone|lr_zone2 # ngx_limit_req_zones = [^"]+ # Use the following full expression if you need to restrict matching to specified # servers, requests, referrers etc. 
only : # # failregex = ^\s*\[error\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: , server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$ # Shortly, much faster and stable version of regexp: failregex = ^\s*\[error\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: ignoreregex = openhab.conf000066600000000713150473026100007032 0ustar00# Openhab brute force auth filter: /etc/fail2ban/filter.d/openhab.conf: # # Block IPs trying to auth openhab by web or rest api # # Matches e.g. # 12.34.33.22 - - [26/sept./2015:18:04:43 +0200] "GET /openhab.app HTTP/1.1" 401 1382 # 175.18.15.10 - - [02/sept./2015:00:11:31 +0200] "GET /rest/bindings HTTP/1.1" 401 1384 [Definition] failregex = ^\s+-\s+-\s+\[\]\s+"[A-Z]+ .*" 401 \d+\s*$ [Init] datepattern = %%d/%%b[^/]*/%%Y:%%H:%%M:%%S %%z nagios.conf000066600000000620150473026100006673 0ustar00# Fail2Ban filter for Nagios Remote Plugin Executor (nrpe2) # Detecting unauthorized access to the nrpe2 daemon # typically logged in /var/log/messages syslog # [INCLUDES] # Read syslog common prefixes before = common.conf [Definition] _daemon = nrpe failregex = ^%(__prefix_line)sHost is not allowed to talk to us!\s*$ ignoreregex = # DEV Notes: # # Author: Ivo Truxa - 2014/02/03 squid.conf000066600000000316150473026100006542 0ustar00# Fail2Ban filter for Squid attempted proxy bypasses # # [Definition] failregex = ^\s+\d\s\s+[A-Z_]+_DENIED/403 .*$ ^\s+\d\s\s+NONE/405 .*$ ignoreregex = # Author: Daniel Black gssftpd.conf000066600000000502150473026100007064 0ustar00# Fail2Ban filter file for gssftp # # Note: gssftp is part of the krb5-appl-servers in Fedora # [INCLUDES] before = common.conf [Definition] _daemon = ftpd failregex = ^%(__prefix_line)srepeated login failures from \(\S+\)$ ignoreregex = # Author: Kevin Zembower # Edited: Daniel Black - syslog based daemon nginx-http-auth.conf000066600000000672150473026100010461 
0ustar00# fail2ban filter configuration for nginx [Definition] failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: , server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$ ignoreregex = # DEV NOTES: # Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files # Extensive search of all nginx auth failures not done yet. # # Author: Daniel Black openwebmail.conf000066600000000757150473026100007730 0ustar00# Fail2Ban filter for Openwebmail # banning hosts with authentication errors in /var/log/openwebmail.log # OpenWebMail http://openwebmail.org # [Definition] failregex = ^ - \[\d+\] \(\) (?P\S+) - login error - (no such user - loginname=(?P=USER)|auth_unix.pl, ret -4, Password incorrect)$ ^ - \[\d+\] \(\) (?P\S+) - userinfo error - auth_unix.pl, ret -4, User (?P=USER) doesn't exist$ ignoreregex = # DEV Notes: # # Author: Ivo Truxa (c) 2013 truXoft.com exim-common.conf000066600000000647150473026100007654 0ustar00# Fail2Ban filter file for common exim expressions # # This is to be used by other exim filters [INCLUDES] # Load customizations if any available after = exim-common.local [Definition] host_info = (?:H=([\w.-]+ )?(?:\(\S+\) )?)?\[\](?::\d+)? (?:I=\[\S+\](:\d+)? )?(?:U=\S+ )?(?:P=e?smtp )? pid = (?: \[\d+\])? # DEV Notes: # From exim source code: ./src/receive.c:add_host_info_for_log # # Author: Daniel Black qmail.conf000066600000001433150473026100006521 0ustar00# Fail2Ban filters for qmail RBL patches/fake proxies # # the default djb RBL implementation doesn't log any rejections # so is useless with this filter. 
# # One patch is here: # # http://www.tjsi.com/rblsmtpd/faq/ patch to rblsmtpd [INCLUDES] before = common.conf [Definition] _daemon = (?:qmail|rblsmtpd) failregex = ^%(__prefix_line)s\d+\.\d+ rblsmtpd: pid \d+ \S+ 4\d\d \S+\s*$ ^%(__prefix_line)s\d+\.\d+ qmail-smtpd: 4\d\d badiprbl: ip rbl: \S+\s*$ ^%(__prefix_line)s\S+ blocked \S+ -\s*$ ignoreregex = # DEV Notes: # # These seem to be for two or 3 different patches to qmail or rblsmtpd # so you'll probably only ever see one of these regex's that match. # # ref: https://github.com/fail2ban/fail2ban/pull/386 # # Author: Daniel Black ejabberd-auth.conf000066600000002402150473026100010110 0ustar00# Fail2Ban configuration file # # Author: Steven Hiscocks # # [Definition] # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Multiline regexs should use tag "" to separate lines. # This allows lines between the matching lines to continue to be # searched for other failures. This tag can be used multiple times. # Values: TEXT # failregex = ^=INFO REPORT==== ===\nI\(<0\.\d+\.0>:ejabberd_c2s:\d+\) : \([^)]+\) Failed authentication for .+ from IP \({{(?:\d+,){3}\d+},\d+}\)$ ^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:wait_for_feature_request:\d+ \([^\)]+\) Failed authentication for \S+ from IP $ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. 
# Values: TEXT # ignoreregex = [Init] # "maxlines" is the number of log lines to buffer for multi-line regex searches maxlines = 2 # Option: journalmatch # Notes.: systemd journalctl style match filter for journal based backend # Values: TEXT # journalmatch = sshd-ddos.conf000066600000001371150473026100007307 0ustar00# Fail2Ban ssh filter for an attempted exploit # # The regex here also relates to an exploit: # # http://www.securityfocus.com/bid/17958/exploit # The example code here shows the pushing of the exploit straight after # reading the server version. This is where the client version string is normally # pushed. As such the server will read this unparsable information as # "Did not receive identification string". [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = sshd failregex = ^%(__prefix_line)sDid not receive identification string from \s*$ ignoreregex = [Init] journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd # Author: Yaroslav Halchenko counter-strike.conf000066600000000374150473026100010377 0ustar00# Fail2Ban filter for failure attempts in Counter Strike-1.6 # # [Definition] failregex = ^: Bad Rcon: "rcon \d+ "\S+" sv_contact ".*?"" from ":\d+"$ ignoreregex = [Init] datepattern = ^L %%d/%%m/%%Y - %%H:%%M:%%S # Author: Daniel Black 3proxy.conf000066600000000672150473026100006666 0ustar00# Fail2Ban filter for 3proxy # # [Definition] failregex = ^\s[+-]\d{4} \S+ \d{3}0[1-9] \S+ :\d+ [\d.]+:\d+ \d+ \d+ \d+\s ignoreregex = # DEV Notes: # http://www.3proxy.ru/howtoe.asp#ERRORS indicates that 01-09 are # all authentication problems (%E field) # Log format is: "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T" # # Requested by ykimon in https://github.com/fail2ban/fail2ban/issues/246 # Author: Daniel Black