committing changes in /etc after apt run

Package changes:
-adduser 3.116 all
+adduser 3.117 all
-apt 1.6~alpha3 armhf
-apt-listchanges 3.14 all
-apt-utils 1.6~alpha3 armhf
-aptitude 0.8.9-1 armhf
-aptitude-common 0.8.9-1 all
-avahi-daemon 0.7-3 armhf
-base-files 10+rpi1 armhf
+apt 1.6~beta1 armhf
+apt-listchanges 3.16 all
+apt-utils 1.6~beta1 armhf
+aptitude 0.8.10-6 armhf
+aptitude-common 0.8.10-6 all
+avahi-daemon 0.7-3.1+b1 armhf
+base-files 10.1+rpi1 armhf
-bash 4.4-5 armhf
-bash-completion 1:2.1-4.3 all
-bind9 1:9.10.3.dfsg.P4-12.6 armhf
-bind9-host 1:9.10.3.dfsg.P4-12.6 armhf
-bind9utils 1:9.10.3.dfsg.P4-12.6 armhf
-binutils 2.29.1-6+rpi1 armhf
-binutils-arm-linux-gnueabihf 2.29.1-6+rpi1 armhf
-binutils-common 2.29.1-6+rpi1 armhf
+bash 4.4.18-1.1 armhf
+bash-completion 1:2.7-1 all
+bind9 1:9.11.2.P1-1 armhf
+bind9-host 1:9.11.2.P1-1 armhf
+bind9utils 1:9.11.2.P1-1 armhf
+binutils 2.30-7+rpi1 armhf
+binutils-arm-linux-gnueabihf 2.30-7+rpi1 armhf
+binutils-common 2.30-7+rpi1 armhf
-bluez 5.47-1 armhf
-bluez-firmware 1.2-3+rpi2 all
-bridge-utils 1.5-14 armhf
+bluez 5.47-1+b3 armhf
+bluez-firmware 1.2-3+rpt4.1 all
+bridge-utils 1.5-15 armhf
-bsdmainutils 9.0.14 armhf
-bsdutils 1:2.30.2-0.1 armhf
+bsdmainutils 11.1.2 armhf
+bsdutils 1:2.31.1-0.4 armhf
-certbot 0.19.0-1 all
+certbot 0.21.1-1 all
-console-setup 1.170 all
-console-setup-linux 1.170 all
-coreutils 8.26-3 armhf
-cpio 2.11+dfsg-6 armhf
+console-setup 1.178 all
+console-setup-linux 1.178 all
+coreutils 8.28-1 armhf
+cpio 2.12+dfsg-6 armhf
-cpp-6 6.4.0-6 armhf
-cpp-7 7.2.0-12 armhf
+cpp-6 6.4.0-12+rpi1 armhf
+cpp-7 7.3.0-5 armhf
-curl 7.56.1-1 armhf
-dash 0.5.8-2.5 armhf
-dbus 1.12.0-1 armhf
-dc 1.06.95-9 armhf
-debconf 1.5.64 all
-debconf-i18n 1.5.64 all
-debconf-utils 1.5.64 all
-debianutils 4.8.2 armhf
+curl 7.58.0-2 armhf
+dash 0.5.8-2.10 armhf
+dbus 1.12.6-2 armhf
+dc 1.07.1-1 armhf
+debconf 1.5.66 all
+debconf-i18n 1.5.66 all
+debconf-utils 1.5.66 all
+debianutils 4.8.4 armhf
-dhcpcd5 1:6.11.5-1+rpt2 armhf
+dhcpcd5 1:6.11.5-1+rpt4 armhf
-dirmngr 2.2.1-5 armhf
+dirmngr 2.2.5-1 armhf
-dmsetup 2:1.02.142-1 armhf
-dnsutils 1:9.10.3.dfsg.P4-12.6 armhf
+dmsetup 2:1.02.145-4.1 armhf
+dnsutils 1:9.11.2.P1-1 armhf
-dpkg 1.19.0.4 armhf
-dpkg-dev 1.19.0.4 all
-e2fslibs 1.43.7-1 armhf
-e2fsprogs 1.43.7-1 armhf
-e2fsprogs-l10n 1.43.7-1 all
+dpkg 1.19.0.5 armhf
+dpkg-dev 1.19.0.5 all
+e2fslibs 1.44.0-1 armhf
+e2fsprogs 1.44.0-1 armhf
+e2fsprogs-l10n 1.44.0-1 all
-elinks 0.12~pre6-12+b1 armhf
-elinks-data 0.12~pre6-12 all
-etckeeper 1.18.5-1 all
-exim4-base 4.89-7 armhf
-exim4-config 4.89-7 all
-exim4-daemon-light 4.89-7 armhf
-eyed3 0.8-1 all
-fail2ban 0.9.7-2 all
+elinks 0.12~pre6-13 armhf
+elinks-data 0.12~pre6-13 all
+etckeeper 1.18.7-1 all
+exim4-base 4.90.1-1 armhf
+exim4-config 4.90.1-1 all
+exim4-daemon-light 4.90.1-1 armhf
+eyed3 0.8.4-2 all
+fail2ban 0.10.2-1 all
-fakeroot 1.22-1 armhf
-fbset 2.1-29 armhf
-fdisk 2.30.2-0.1 armhf
-file 1:5.32-1 armhf
-findutils 4.6.0+git+20170729-2 armhf
-firmware-atheros 1:20161130-3+rpi2 all
-firmware-brcm80211 1:20161130-3+rpi2 all
-firmware-libertas 1:20161130-3+rpi2 all
-firmware-misc-nonfree 1:20161130-3+rpi2 all
-firmware-realtek 1:20161130-3+rpi2 all
-fontconfig-config 2.12.3-0.2 all
+fakeroot 1.22-2 armhf
+fbset 2.1-30 armhf
+fdisk 2.31.1-0.4 armhf
+file 1:5.32-2 armhf
+findutils 4.6.0+git+20170828-2 armhf
+firmware-atheros 1:20161130-3+rpt3 all
+firmware-brcm80211 1:20161130-3+rpt3 all
+firmware-libertas 1:20161130-3+rpt3 all
+firmware-misc-nonfree 1:20161130-3+rpt3 all
+firmware-realtek 1:20161130-3+rpt3 all
+fontconfig-config 2.12.6-0.1 all
-g++-7 7.2.0-12 armhf
-gawk 1:4.1.4+dfsg-1 armhf
+g++-7 7.3.0-5 armhf
+gawk 1:4.1.4+dfsg-1+b1 armhf
-gcc-4.9-base 4.9.3-14 armhf
-gcc-5-base 5.4.1-4 armhf
-gcc-6 6.4.0-6 armhf
-gcc-6-base 6.4.0-6 armhf
-gcc-7 7.2.0-12 armhf
-gcc-7-base 7.2.0-12 armhf
-gdb 7.12-6 armhf
-geoip-database 20170928-1 all
+gcc-4.9-base 4.9.4-2+rpi1 armhf
+gcc-5-base 5.5.0-8 armhf
+gcc-6 6.4.0-12+rpi1 armhf
+gcc-6-base 6.4.0-12+rpi1 armhf
+gcc-7 7.3.0-5 armhf
+gcc-7-base 7.3.0-5 armhf
+gcc-8-base 8-20180218-1+rpi1 armhf
+gdb 7.12-6+b1 armhf
+geoip-database 20180215-1 all
-gir1.2-glib-2.0 1.54.1-2 armhf
-git 1:2.14.2-1 armhf
-git-man 1:2.14.2-1 all
-gnupg 2.2.1-5 armhf
-gnupg-agent 2.2.1-5 all
-gnupg-l10n 2.2.1-5 all
-gnupg-utils 2.2.1-5 armhf
-gpg 2.2.1-5 armhf
-gpg-agent 2.2.1-5 armhf
-gpg-wks-client 2.2.1-5 armhf
-gpg-wks-server 2.2.1-5 armhf
-gpgconf 2.2.1-5 armhf
-gpgsm 2.2.1-5 armhf
-gpgv 2.2.1-5 armhf
+gir1.2-glib-2.0 1.54.1-4 armhf
+git 1:2.16.2-1 armhf
+git-man 1:2.16.2-1 all
+gnupg 2.2.5-1 armhf
+gnupg-agent 2.2.5-1 all
+gnupg-l10n 2.2.5-1 all
+gnupg-utils 2.2.5-1 armhf
+gpg 2.2.5-1 armhf
+gpg-agent 2.2.5-1 armhf
+gpg-wks-client 2.2.5-1 armhf
+gpg-wks-server 2.2.5-1 armhf
+gpgconf 2.2.5-1 armhf
+gpgsm 2.2.5-1 armhf
+gpgv 2.2.5-1 armhf
-groff-base 1.22.3-9 armhf
+groff-base 1.22.3-10 armhf
-hostname 3.18 armhf
-htop 2.0.2-1 armhf
-i2c-tools 3.1.2-3+b1 armhf
-id3tool 1.2a-7 armhf
-id3v2 0.1.12-3 armhf
-ifupdown 0.8.29 armhf
-info 6.5.0.dfsg.1-1 armhf
+hostname 3.20 armhf
+htop 2.1.0-3 armhf
+i2c-tools 4.0-2 armhf
+id3tool 1.2a-8 armhf
+id3v2 0.1.12+dfsg-1 armhf
+ifupdown 0.8.31 armhf
+info 6.5.0.dfsg.1-2 armhf
-install-info 6.5.0.dfsg.1-1 armhf
+install-info 6.5.0.dfsg.1-2 armhf
-iproute2 4.9.0-2 armhf
-iptables 1.6.1-2+b1 armhf
+iproute2 4.15.0-2 armhf
+iptables 1.6.2-1 armhf
-isc-dhcp-client 4.3.5-3 armhf
-isc-dhcp-common 4.3.5-3+b1 armhf
-isc-dhcp-server 4.3.5-3 armhf
-iso-codes 3.76-1 all
-iw 4.9-0.1 armhf
+isc-dhcp-client 4.3.5-3.1 armhf
+isc-dhcp-common 4.3.5-3.1 armhf
+isc-dhcp-server 4.3.5-3.1 armhf
+iso-codes 3.79-1 all
+iw 4.14-0.1 armhf
-keyboard-configuration 1.170 all
-keyutils 1.5.9-9 armhf
-klibc-utils 2.0.4-9+rpi1 armhf
-kmod 24-1 armhf
-less 481-2.1 armhf
+keyboard-configuration 1.178 all
+keyutils 1.5.9-9.2 armhf
+klibc-utils 2.0.4-11+rpi1 armhf
+kmod 25-1 armhf
+less 487-0.1 armhf
-libalgorithm-diff-xs-perl 0.04-4+b3 armhf
+libalgorithm-diff-xs-perl 0.04-5 armhf
-libapparmor1 2.11.1-2 armhf
-libapt-inst2.0 1.6~alpha3 armhf
-libapt-pkg5.0 1.6~alpha3 armhf
-libasan3 6.4.0-6 armhf
-libasan4 7.2.0-12 armhf
+libapparmor1 2.12-3 armhf
+libapt-inst2.0 1.6~beta1 armhf
+libapt-pkg5.0 1.6~beta1 armhf
+libargon2-0 0~20161029-1.1 armhf
+libasan3 6.4.0-12+rpi1 armhf
+libasan4 7.3.0-5 armhf
-libassuan0 2.4.3-3 armhf
-libatomic1 7.2.0-12 armhf
+libassuan0 2.5.1-2 armhf
+libatomic1 8-20180218-1+rpi1 armhf
-libaudit-common 1:2.8.1-1 all
-libaudit1 1:2.8.1-1 armhf
+libaudit-common 1:2.8.2-1 all
+libaudit1 1:2.8.2-1 armhf
-libavahi-common-data 0.7-3 armhf
-libavahi-common3 0.7-3 armhf
-libavahi-core7 0.7-3 armhf
-libbabeltrace-ctf1 1.5.3-4 all
-libbabeltrace1 1.5.3-4 armhf
+libavahi-common-data 0.7-3.1+b1 armhf
+libavahi-common3 0.7-3.1+b1 armhf
+libavahi-core7 0.7-3.1+b1 armhf
+libbabeltrace-ctf1 1.5.4-1 all
+libbabeltrace1 1.5.4-1 armhf
-libbinutils 2.29.1-6+rpi1 armhf
+libbind9-160 1:9.11.2.P1-1 armhf
+libbinutils 2.30-7+rpi1 armhf
-libblkid1 2.30.2-0.1 armhf
-libboost-filesystem1.62.0 1.62.0+dfsg-4+b2 armhf
+libblkid1 2.31.1-0.4 armhf
+libboost-filesystem1.62.0 1.62.0+dfsg-5 armhf
-libboost-iostreams1.62.0 1.62.0+dfsg-4+b2 armhf
-libboost-system1.62.0 1.62.0+dfsg-4+b2 armhf
-libbsd0 0.8.6-2 armhf
+libboost-iostreams1.62.0 1.62.0+dfsg-5 armhf
+libboost-system1.62.0 1.62.0+dfsg-5 armhf
+libbsd0 0.8.7-1 armhf
-libc-bin 2.24-17 armhf
-libc-dev-bin 2.24-17 armhf
-libc-l10n 2.24-17 all
-libc6 2.24-17 armhf
-libc6-dbg 2.24-17 armhf
-libc6-dev 2.24-17 armhf
+libc-bin 2.27-1+rpi1 armhf
+libc-dev-bin 2.27-1+rpi1 armhf
+libc-l10n 2.27-1+rpi1 all
+libc6 2.27-1+rpi1 armhf
+libc6-dbg 2.27-1+rpi1 armhf
+libc6-dev 2.27-1+rpi1 armhf
-libcap2 1:2.25-1.1 armhf
-libcap2-bin 1:2.25-1.1 armhf
-libcc1-0 7.2.0-12 armhf
-libcilkrts5 7.2.0-12 armhf
-libcomerr2 1.43.7-1 armhf
+libcap2 1:2.25-1.2 armhf
+libcap2-bin 1:2.25-1.2 armhf
+libcc1-0 8-20180218-1+rpi1 armhf
+libcilkrts5 7.3.0-5 armhf
+libcom-err2 1.44.0-1 armhf
+libcomerr2 1.44.0-1 armhf
+libcryptsetup12 2:2.0.1-1 armhf
-libcurl3 7.56.1-1 armhf
-libcurl3-gnutls 7.56.1-1 armhf
-libcwidget3v5 0.5.17-6 armhf
+libcurl3 7.58.0-2 armhf
+libcurl3-gnutls 7.58.0-2 armhf
+libcwidget3v5 0.5.17-7 armhf
-libdbus-1-3 1.12.0-1 armhf
-libdbus-glib-1-2 0.108-2 armhf
-libdebconfclient0 0.232 armhf
-libdevmapper1.02.1 2:1.02.142-1 armhf
+libdbus-1-3 1.12.6-2 armhf
+libdbus-glib-1-2 0.110-2 armhf
+libdebconfclient0 0.241 armhf
+libdevmapper1.02.1 2:1.02.145-4.1 armhf
+libdns-export169 1:9.11.2.P1-1 armhf
-libdpkg-perl 1.19.0.4 all
-libdrm-common 2.4.85-1+rpi1 all
-libdrm2 2.4.85-1+rpi1 armhf
-libdw1 0.170-0.1 armhf
+libdns169 1:9.11.2.P1-1 armhf
+libdpkg-perl 1.19.0.5 all
+libdrm-common 2.4.90-1+rpi1 all
+libdrm2 2.4.90-1+rpi1 armhf
+libdw1 0.170-0.3 armhf
-libelf1 0.170-0.1 armhf
+libelf1 0.170-0.3 armhf
-libexpat1 2.2.3-1 armhf
-libexpat1-dev 2.2.3-1 armhf
-libfakeroot 1.22-1 armhf
-libfastjson4 0.99.7-1 armhf
-libfdisk1 2.30.2-0.1 armhf
-libffi6 3.2.1-6 armhf
-libfftw3-single3 3.3.6p2-2 armhf
+libexpat1 2.2.5-3 armhf
+libexpat1-dev 2.2.5-3 armhf
+libext2fs2 1.44.0-1 armhf
+libfakeroot 1.22-2 armhf
+libfastjson4 0.99.8-2 armhf
+libfdisk1 2.31.1-0.4 armhf
+libffi6 3.2.1-8 armhf
+libfftw3-single3 3.3.7-1 armhf
-libfontconfig1 2.12.3-0.2 armhf
-libfreetype6 2.8.1-0.1 armhf
-libfreetype6-dev 2.8.1-0.1 armhf
+libfontconfig1 2.12.6-0.1 armhf
+libfreetype6 2.8.1-2 armhf
+libfreetype6-dev 2.8.1-2 armhf
-libgcc-6-dev 6.4.0-6 armhf
-libgcc-7-dev 7.2.0-12 armhf
-libgcc1 1:7.2.0-12 armhf
-libgcrypt20 1.7.9-1 armhf
+libgcc-6-dev 6.4.0-12+rpi1 armhf
+libgcc-7-dev 7.3.0-5 armhf
+libgcc1 1:8-20180218-1+rpi1 armhf
+libgcrypt20 1.8.1-4 armhf
+libgdbm-compat4 1.14.1-4 armhf
-libgeoip1 1.6.11-2 armhf
-libgfortran4 7.2.0-12 armhf
-libgirepository-1.0-1 1.54.1-2 armhf
-libglib2.0-0 2.54.1-1 armhf
-libglib2.0-data 2.54.1-1 all
-libgmp10 2:6.1.2+dfsg-1.1 armhf
-libgnutls30 3.5.16-1 armhf
-libgomp1 7.2.0-12 armhf
-libgpg-error0 1.27-4 armhf
-libgpm2 1.20.4-6.2 armhf
-libgssapi-krb5-2 1.15.2-2 armhf
-libhogweed4 3.3-2 armhf
+libgdbm5 1.14.1-4 armhf
+libgeoip1 1.6.12-1 armhf
+libgfortran4 7.3.0-5 armhf
+libgirepository-1.0-1 1.54.1-4 armhf
+libglib2.0-0 2.54.3-2 armhf
+libglib2.0-data 2.54.3-2 all
+libgmp10 2:6.1.2+dfsg-3 armhf
+libgnutls30 3.5.18-1 armhf
+libgomp1 8-20180218-1+rpi1 armhf
+libgpg-error0 1.27-6 armhf
+libgpm2 1.20.7-5 armhf
+libgssapi-krb5-2 1.16-2 armhf
+libhogweed4 3.4-1 armhf
-libhtml-tree-perl 5.03-2 all
-libhttp-cookies-perl 6.01-1 all
+libhtml-tree-perl 5.07-1 all
+libhttp-cookies-perl 6.04-1 all
-libhttp-message-perl 6.13-1 all
+libhttp-message-perl 6.14-1 all
+libi2c0 4.0-2 armhf
-libidn11 1.33-2 armhf
-libidn2-0 2.0.2-5 armhf
+libidn11 1.33-2.1 armhf
+libidn2-0 2.0.4-1.1 armhf
-libio-socket-ssl-perl 2.052-1 all
-libip4tc0 1.6.1-2+b1 armhf
-libip6tc0 1.6.1-2+b1 armhf
-libiptc0 1.6.1-2+b1 armhf
+libio-socket-ssl-perl 2.056-1 all
+libip4tc0 1.6.2-1 armhf
+libip6tc0 1.6.2-1 armhf
+libiptc0 1.6.2-1 armhf
+libirs-export160 1:9.11.2.P1-1 armhf
+libirs160 1:9.11.2.P1-1 armhf
+libisc-export166 1:9.11.2.P1-1 armhf
+libisc166 1:9.11.2.P1-1 armhf
+libisccc160 1:9.11.2.P1-1 armhf
+libisccfg-export160 1:9.11.2.P1-1 armhf
+libisccfg160 1:9.11.2.P1-1 armhf
-libjim0.77 0.77-2 armhf
-libjpeg62-turbo 1:1.5.2-2 armhf
+libjim0.77 0.77+dfsg0-2 armhf
+libjpeg62-turbo 1:1.5.2-2+b1 armhf
-libjs-sphinxdoc 1.6.5-2 all
+libjs-sphinxdoc 1.6.7-1 all
-libk5crypto3 1.15.2-2 armhf
-libkeyutils1 1.5.9-9 armhf
-libklibc 2.0.4-9+rpi1 armhf
-libkmod2 24-1 armhf
-libkrb5-3 1.15.2-2 armhf
-libkrb5support0 1.15.2-2 armhf
+libjson-c3 0.12.1-1.3 armhf
+libk5crypto3 1.16-2 armhf
+libkeyutils1 1.5.9-9.2 armhf
+libklibc 2.0.4-11+rpi1 armhf
+libkmod2 25-1 armhf
+libkrb5-3 1.16-2 armhf
+libkrb5support0 1.16-2 armhf
+liblmdb0 0.9.21-1 armhf
-liblockfile-bin 1.14-1 armhf
-liblockfile1 1.14-1 armhf
-liblogging-stdlog0 1.0.6-1 armhf
+liblockfile-bin 1.14-1.1 armhf
+liblockfile1 1.14-1.1 armhf
+liblogging-stdlog0 1.0.6-3 armhf
+liblwres160 1:9.11.2.P1-1 armhf
-libmagic-mgc 1:5.32-1 armhf
-libmagic1 1:5.32-1 armhf
+libmagic-mgc 1:5.32-2 armhf
+libmagic1 1:5.32-2 armhf
-libmount1 2.30.2-0.1 armhf
-libmpc3 1.0.3-2 armhf
+libmount1 2.31.1-0.4 armhf
+libmpc3 1.1.0-1 armhf
+libmpfr6 4.0.0-7 armhf
-libncurses5 6.0+20170902-1 armhf
-libncursesw5 6.0+20170902-1 armhf
+libncurses5 6.1-1 armhf
+libncursesw5 6.1-1 armhf
-libnet-ssleay-perl 1.80-1+b1 armhf
+libnet-ssleay-perl 1.84-1 armhf
-libnettle6 3.3-2 armhf
-libnewt0.52 0.52.20-1+b1 armhf
+libnettle6 3.4-1 armhf
+libnewt0.52 0.52.20-3 armhf
-libnghttp2-14 1.27.0-1 armhf
-libnginx-mod-http-auth-pam 1.13.6-2 armhf
-libnginx-mod-http-dav-ext 1.13.6-2 armhf
-libnginx-mod-http-echo 1.13.6-2 armhf
-libnginx-mod-http-geoip 1.13.6-2 armhf
-libnginx-mod-http-image-filter 1.13.6-2 armhf
-libnginx-mod-http-subs-filter 1.13.6-2 armhf
-libnginx-mod-http-upstream-fair 1.13.6-2 armhf
-libnginx-mod-http-xslt-filter 1.13.6-2 armhf
-libnginx-mod-mail 1.13.6-2 armhf
-libnginx-mod-stream 1.13.6-2 armhf
-libnih-dbus1 1.0.3-8 armhf
-libnih1 1.0.3-8 armhf
+libnghttp2-14 1.31.0-1 armhf
+libnginx-mod-http-auth-pam 1.13.9-1 armhf
+libnginx-mod-http-dav-ext 1.13.9-1 armhf
+libnginx-mod-http-echo 1.13.9-1 armhf
+libnginx-mod-http-geoip 1.13.9-1 armhf
+libnginx-mod-http-image-filter 1.13.9-1 armhf
+libnginx-mod-http-subs-filter 1.13.9-1 armhf
+libnginx-mod-http-upstream-fair 1.13.9-1 armhf
+libnginx-mod-http-xslt-filter 1.13.9-1 armhf
+libnginx-mod-mail 1.13.9-1 armhf
+libnginx-mod-stream 1.13.9-1 armhf
+libnih-dbus1 1.0.3-10+b9 armhf
+libnih1 1.0.3-10+b9 armhf
-libnpth0 1.5-2 armhf
+libnpth0 1.5-3 armhf
+libnss-systemd 237-3+b1 armhf
-libpam-modules 1.1.8-3.6+rpi1 armhf
-libpam-modules-bin 1.1.8-3.6+rpi1 armhf
-libpam-runtime 1.1.8-3.6+rpi1 all
-libpam-systemd 235-2 armhf
-libpam0g 1.1.8-3.6+rpi1 armhf
-libparted2 3.2-18 armhf
-libpcap0.8 1.8.1-5 armhf
-libpcre2-8-0 10.22-3 armhf
-libpcre3 2:8.39-4 armhf
-libpcsclite1 1.8.22-1 armhf
-libperl5.26 5.26.1-2 armhf
-libpipeline1 1.4.2-1 armhf
-libplymouth4 0.9.3-1 armhf
+libpam-modules 1.1.8-3.7 armhf
+libpam-modules-bin 1.1.8-3.7 armhf
+libpam-runtime 1.1.8-3.7 all
+libpam-systemd 237-3+b1 armhf
+libpam0g 1.1.8-3.7 armhf
+libparted2 3.2-20 armhf
+libpcap0.8 1.8.1-6 armhf
+libpcre2-8-0 10.31-3 armhf
+libpcre3 2:8.39-9 armhf
+libpcsclite1 1.8.23-1 armhf
+libperl5.26 5.26.1-5 armhf
+libpipeline1 1.5.0-1 armhf
+libplymouth4 0.9.3-2 armhf
-libprocps6 2:3.3.12-3 armhf
-libpsl5 0.18.0-4 armhf
-libpython-stdlib 2.7.14-1 armhf
-libpython2.7-minimal 2.7.14-2 armhf
-libpython2.7-stdlib 2.7.14-2 armhf
-libpython3-dev 3.6.3-2 armhf
-libpython3-stdlib 3.6.3-2 armhf
+libprocps6 2:3.3.12-4 armhf
+libpsl5 0.19.1-5 armhf
+libpython-stdlib 2.7.14-4 armhf
+libpython2.7-minimal 2.7.14-6 armhf
+libpython2.7-stdlib 2.7.14-6 armhf
+libpython3-dev 3.6.4-1 armhf
+libpython3-stdlib 3.6.4-1 armhf
-libpython3.6 3.6.3-1 armhf
-libpython3.6-dev 3.6.3-1 armhf
-libpython3.6-minimal 3.6.3-1 armhf
-libpython3.6-stdlib 3.6.3-1 armhf
-libraspberrypi-bin 1.20170811-1 armhf
-libraspberrypi-dev 1.20170811-1 armhf
-libraspberrypi-doc 1.20170811-1 armhf
-libraspberrypi0 1.20170811-1 armhf
+libpython3.6 3.6.4-4 armhf
+libpython3.6-dev 3.6.4-4 armhf
+libpython3.6-minimal 3.6.4-4 armhf
+libpython3.6-stdlib 3.6.4-4 armhf
+libraspberrypi-bin 1.20180313-1 armhf
+libraspberrypi-dev 1.20180313-1 armhf
+libraspberrypi-doc 1.20180313-1 armhf
+libraspberrypi0 1.20180313-1 armhf
-libruby2.3 2.3.3-1+deb9u1+rpi1 armhf
-libsamplerate0 0.1.9-1 armhf
+libruby2.3 2.3.6-2+rpi1 armhf
+libruby2.5 2.5.0-6+rpi1 armhf
+libsamplerate0 0.1.9-2 armhf
-libsigsegv2 2.11-1 armhf
-libslang2 2.3.1a-1 armhf
-libsmartcols1 2.30.2-0.1 armhf
-libsqlite3-0 3.20.1-2 armhf
-libss2 1.43.7-1 armhf
+libsigsegv2 2.12-1 armhf
+libslang2 2.3.2-1 armhf
+libsmartcols1 2.31.1-0.4 armhf
+libsqlite3-0 3.22.0-1 armhf
+libss2 1.44.0-1 armhf
-libssl1.0.2 1.0.2l-2 armhf
+libssl1.0.2 1.0.2n-1 armhf
-libstdc++-7-dev 7.2.0-12 armhf
-libstdc++6 7.2.0-12 armhf
+libstdc++-7-dev 7.3.0-5 armhf
+libstdc++6 8-20180218-1+rpi1 armhf
-libsystemd0 235-2 armhf
+libsystemd0 237-3+b1 armhf
-libtasn1-6 4.12-2.1 armhf
-libtcl8.6 8.6.7+dfsg-1 armhf
+libtasn1-6 4.13-2 armhf
+libtcl8.6 8.6.8+dfsg-3 armhf
-libtiff5 4.0.8-6 armhf
+libtiff5 4.0.9-4 armhf
-libtinfo5 6.0+20170902-1 armhf
+libtinfo5 6.1-1 armhf
-libtry-tiny-perl 0.28-1 all
-libubsan0 7.2.0-12 armhf
+libtry-tiny-perl 0.30-1 all
+libubsan0 7.3.0-5 armhf
-libudev1 235-2 armhf
+libudev1 237-3+b1 armhf
-libunistring2 0.9.7-2 armhf
-liburi-perl 1.72-2 all
+libunistring2 0.9.8-1 armhf
+liburi-perl 1.73-1 all
-libuuid1 2.30.2-0.1 armhf
-libv4l-0 1.12.5-1 armhf
-libv4l2rds0 1.12.5-1 armhf
-libv4lconvert0 1.12.5-1 armhf
-libwbclient0 2:4.7.0+dfsg-2 armhf
-libwebp6 0.6.0-3 armhf
+libuuid1 2.31.1-0.4 armhf
+libv4l-0 1.14.2-1 armhf
+libv4l2rds0 1.14.2-1 armhf
+libv4lconvert0 1.14.2-1 armhf
+libwbclient0 2:4.7.4+dfsg-2 armhf
+libwebp6 0.6.1-2 armhf
-libwww-perl 6.27-1 all
+libwww-perl 6.31-1 all
-libxcb1 1.12-1 armhf
+libxcb1 1.13-1 armhf
-libxml2 2.9.4+dfsg1-5 armhf
+libxml2 2.9.4+dfsg1-6.1 armhf
-libxslt1.1 1.1.29-2.2 armhf
-libxtables12 1.6.1-2+b1 armhf
+libxslt1.1 1.1.29-5 armhf
+libxtables12 1.6.2-1 armhf
-linux-libc-dev 4.9.51-1+rpi3+b1 armhf
-locales 2.24-17 all
+linux-libc-dev 4.15.4-1+rpi1 armhf
+locales 2.27-1+rpi1 all
-man-db 2.7.6.1-2 armhf
-manpages 4.13-3 all
-manpages-dev 4.13-3 all
+man-db 2.8.2-1 armhf
+manpages 4.15-1 all
+manpages-dev 4.15-1 all
-mount 2.30.2-0.1 armhf
+mount 2.31.1-0.4 armhf
-multiarch-support 2.24-17 armhf
+multiarch-support 2.27-1+rpi1 armhf
-nano 2.8.7-1 armhf
+nano 2.9.3-2 armhf
-ncurses-base 6.0+20170902-1 all
-ncurses-bin 6.0+20170902-1 armhf
-ncurses-term 6.0+20170902-1 all
+ncurses-base 6.1-1 all
+ncurses-bin 6.1-1 armhf
+ncurses-term 6.1-1 all
-net-tools 1.60+git20161116.90da8a0-1 armhf
+net-tools 1.60+git20161116.90da8a0-2 armhf
-netcat-openbsd 1.178-3 armhf
+netcat-openbsd 1.187-1 armhf
-nfs-common 1:1.3.4-2.1+b1 armhf
-nginx 1.13.6-2 all
-nginx-common 1.13.6-2 all
-nginx-full 1.13.6-2 armhf
+nfs-common 1:1.3.4-2.2 armhf
+nginx-common 1.13.9-1 all
-openssh-client 1:7.6p1-2 armhf
-openssh-server 1:7.6p1-2 armhf
-openssh-sftp-server 1:7.6p1-2 armhf
+openssh-client 1:7.6p1-4 armhf
+openssh-server 1:7.6p1-4 armhf
+openssh-sftp-server 1:7.6p1-4 armhf
-parted 3.2-18 armhf
+parted 3.2-20 armhf
-patch 2.7.5-1 armhf
+patch 2.7.6-1 armhf
-perl 5.26.1-2 armhf
-perl-base 5.26.1-2 armhf
-perl-modules-5.26 5.26.1-2 all
+perl 5.26.1-5 armhf
+perl-base 5.26.1-5 armhf
+perl-modules-5.26 5.26.1-5 all
-pi-bluetooth 0.1.6 armhf
-pinentry-curses 1.0.0-3 armhf
+pi-bluetooth 0.1.7 all
+pinentry-curses 1.1.0-1 armhf
-plymouth 0.9.3-1 armhf
+plymouth 0.9.3-2 armhf
-procps 2:3.3.12-3 armhf
+procps 2:3.3.12-4 armhf
-python 2.7.14-1 armhf
-python-acme 0.19.0-1 all
+python 2.7.14-4 armhf
+python-acme 0.21.1-1 all
-python-asn1crypto 0.22.0-1 all
+python-asn1crypto 0.24.0-1 all
-python-certbot 0.19.0-1 all
-python-certifi 2017.7.27.1-2 all
-python-cffi-backend 1.9.1-2+b1 armhf
+python-certifi 2018.1.18-2 all
+python-cffi-backend 1.11.5-1 armhf
-python-cryptography 1.9-1 armhf
-python-enum34 1.1.6-1 all
-python-eyed3 0.8-1 all
-python-funcsigs 1.0.2-3 all
+python-cryptography 2.1.4-1 armhf
+python-enum34 1.1.6-2 all
+python-eyed3 0.8.4-2 all
+python-funcsigs 1.0.2-4 all
-python-idna 2.5-1 all
+python-idna 2.6-1 all
+python-josepy 1.0.1-1 all
-python-minimal 2.7.14-1 armhf
+python-magic 2:0.4.15-1 all
+python-minimal 2.7.14-4 armhf
-python-newt 0.52.20-1+b1 armhf
-python-openssl 16.2.0-1 all
+python-newt 0.52.20-3 armhf
+python-openssl 17.5.0-1 all
-python-pbr 3.1.1-2 all
-python-pip-whl 9.0.1-2+rpt1 all
-python-pkg-resources 36.6.0-1 all
+python-pbr 3.1.1-4 all
+python-pip-whl 9.0.1-2+rpt2 all
+python-pkg-resources 38.5.2-1 all
-python-requests 2.18.1-1 all
+python-requests 2.18.4-2 all
-python-setuptools 36.6.0-1 all
-python-six 1.11.0-1 all
-python-tz 2017.2-2 all
-python-urllib3 1.21.1-1 all
+python-setuptools 38.5.2-1 all
+python-six 1.11.0-2 all
+python-tz 2018.3-2 all
+python-urllib3 1.22-1 all
-python2.7 2.7.14-2 armhf
-python2.7-minimal 2.7.14-2 armhf
-python3 3.6.3-2 armhf
+python2.7 2.7.14-6 armhf
+python2.7-minimal 2.7.14-6 armhf
+python3 3.6.4-1 armhf
+python3-acme 0.21.1-1 all
-python3-asn1crypto 0.22.0-1 all
-python3-cffi-backend 1.9.1-2+b1 armhf
-python3-crypto 2.6.1-7+b1 armhf
-python3-cryptography 1.9-1 armhf
-python3-dbus 1.2.4-1+b1 armhf
-python3-debconf 1.5.64 all
-python3-dev 3.6.3-2 armhf
-python3-gi 3.24.1-3+rpi1 armhf
-python3-idna 2.5-1 all
-python3-keyring 10.4.0-1 all
-python3-keyrings.alt 2.2-2 all
-python3-minimal 3.6.3-2 armhf
-python3-pip 9.0.1-2+rpt1 all
-python3-pkg-resources 36.6.0-1 all
+python3-asn1crypto 0.24.0-1 all
+python3-certbot 0.21.1-1 all
+python3-certifi 2018.1.18-2 all
+python3-cffi-backend 1.11.5-1 armhf
+python3-chardet 3.0.4-1 all
+python3-configargparse 0.11.0-1 all
+python3-configobj 5.0.6-2 all
+python3-crypto 2.6.1-8 armhf
+python3-cryptography 2.1.4-1 armhf
+python3-dbus 1.2.6-1 armhf
+python3-debconf 1.5.66 all
+python3-dev 3.6.4-1 armhf
+python3-distutils 3.6.4-4 all
+python3-eyed3 0.8.4-2 all
+python3-future 0.15.2-4 all
+python3-gi 3.26.1-2 armhf
+python3-idna 2.6-1 all
+python3-josepy 1.0.1-1 all
+python3-keyring 10.6.0-1 all
+python3-keyrings.alt 3.0-1 all
+python3-lib2to3 3.6.4-4 all
+python3-magic 2:0.4.15-1 all
+python3-minimal 3.6.4-1 armhf
+python3-mock 2.0.0-3 all
+python3-openssl 17.5.0-1 all
+python3-parsedatetime 2.4-2 all
+python3-pbr 3.1.1-4 all
+python3-pip 9.0.1-2+rpt2 all
+python3-pkg-resources 38.5.2-1 all
+python3-requests 2.18.4-2 all
+python3-rfc3339 1.0-4 all
-python3-setuptools 36.6.0-1 all
-python3-six 1.11.0-1 all
+python3-setuptools 38.5.2-1 all
+python3-six 1.11.0-2 all
-python3-wheel 0.29.0-2 all
+python3-tz 2018.3-2 all
+python3-urllib3 1.22-1 all
+python3-wheel 0.30.0-0.2 all
+python3-zope.component 4.3.0-1 all
+python3-zope.event 4.2.0-1 all
+python3-zope.hookable 4.0.4-4+b2 armhf
+python3-zope.interface 4.3.2-1+b1 armhf
-python3.6 3.6.3-1 armhf
-python3.6-dev 3.6.3-1 armhf
-python3.6-minimal 3.6.3-1 armhf
-rake 12.0.0-1 all
-raspberrypi-bootloader 1.20170811-1 armhf
-raspberrypi-kernel 1.20170811-1 armhf
+python3.6 3.6.4-4 armhf
+python3.6-dev 3.6.4-4 armhf
+python3.6-minimal 3.6.4-4 armhf
+rake 12.3.0-1 all
+raspberrypi-bootloader 1.20180313-1 armhf
+raspberrypi-kernel 1.20180313-1 armhf
-raspberrypi-sys-mods 20170717 armhf
+raspberrypi-sys-mods 20180315 armhf
-raspi-config 20170926 all
+raspi-config 20180228 all
+rfkill 2.31.1-0.4 armhf
-rsync 3.1.2-2 armhf
-rsyslog 8.29.0-2 armhf
-ruby 1:2.3.3 armhf
+rsync 3.1.2-2.1 armhf
+rsyslog 8.33.1-1 armhf
+ruby 1:2.5.0 armhf
-ruby2.3 2.3.3-1+deb9u1+rpi1 armhf
+ruby2.3 2.3.6-2+rpi1 armhf
+ruby2.5 2.5.0-6+rpi1 armhf
-samba-common 2:4.7.0+dfsg-2 all
+samba-common 2:4.7.4+dfsg-2 all
-sed 4.4-1 armhf
+sed 4.4-2 armhf
-sensible-utils 0.0.10 all
+sensible-utils 0.0.11 all
-ssh 1:7.6p1-2 all
-strace 4.19-1 armhf
-sudo 1.8.21p2-2 armhf
-systemd 235-2 armhf
-systemd-sysv 235-2 armhf
+ssh 1:7.6p1-4 all
+strace 4.21-1 armhf
+sudo 1.8.21p2-3 armhf
+systemd 237-3+b1 armhf
+systemd-sysv 237-3+b1 armhf
-tasksel 3.42 all
-tasksel-data 3.42 all
+tasksel 3.43 all
+tasksel-data 3.43 all
-tmux 2.6-1 armhf
+tmux 2.6-3 armhf
-tzdata 2017c-1 all
-ucf 3.0036 all
-udev 235-2 armhf
+tzdata 2018c-1 all
+ucf 3.0038 all
+udev 237-3+b1 armhf
-usb-modeswitch 2.5.1+repack0-1+b1 armhf
-usb-modeswitch-data 20170806-1 all
+usb-modeswitch 2.5.2+repack0-2 armhf
+usb-modeswitch-data 20170806-2 all
-util-linux 2.30.2-0.1 armhf
-v4l-utils 1.12.5-1 armhf
+util-linux 2.31.1-0.4 armhf
+v4l-utils 1.14.2-1 armhf
-vim-common 2:8.0.1144-1 all
-vim-nox 2:8.0.1144-1 armhf
-vim-runtime 2:8.0.1144-1 all
-vim-tiny 2:8.0.1144-1 armhf
-vnstat 1.15-2 armhf
-wget 1.19.2-1 armhf
-whiptail 0.52.20-1+b1 armhf
-whois 5.2.18 armhf
+vim-common 2:8.0.1453-1 all
+vim-nox 2:8.0.1453-1 armhf
+vim-runtime 2:8.0.1453-1 all
+vim-tiny 2:8.0.1453-1 armhf
+vnstat 1.17-1 armhf
+wget 1.19.4-1 armhf
+whiptail 0.52.20-3 armhf
+whois 5.3.0 armhf
-wpasupplicant 2:2.4-1.1 armhf
-xauth 1:1.0.9-1 armhf
-xdg-user-dirs 0.15-3 armhf
-xkb-data 2.19-1.1 all
+wpasupplicant 2:2.6-15 armhf
+xauth 1:1.0.10-1 armhf
+xdg-user-dirs 0.16-1 armhf
+xkb-data 2.23.1-1 all
-xxd 2:8.0.1144-1 armhf
+xxd 2:8.0.1453-1 armhf
-zsh 5.4.2-1 armhf
-zsh-common 5.4.2-1 all
+zsh 5.4.2-3 armhf
+zsh-common 5.4.2-3 all
remotes/origin/may2018
Joshua Dye 7 years ago
parent bc08959028
commit 2dd500797c

@ -30,6 +30,7 @@ mkdir -p './kernel/install.d'
mkdir -p './letsencrypt/renewal-hooks/deploy'
mkdir -p './letsencrypt/renewal-hooks/post'
mkdir -p './letsencrypt/renewal-hooks/pre'
mkdir -p './monit/conf-available'
mkdir -p './network/interfaces.d'
mkdir -p './nginx/conf.d'
mkdir -p './nginx/modules-available'
@ -61,7 +62,9 @@ maybe chmod 0644 'apache2/conf-available/javascript-common.conf'
maybe chmod 0755 'apparmor.d'
maybe chmod 0755 'apparmor.d/force-complain'
maybe chmod 0755 'apparmor.d/local'
maybe chmod 0644 'apparmor.d/local/usr.bin.man'
maybe chmod 0644 'apparmor.d/local/usr.sbin.named'
maybe chmod 0644 'apparmor.d/usr.bin.man'
maybe chmod 0644 'apparmor.d/usr.sbin.named'
maybe chmod 0755 'apt'
maybe chmod 0755 'apt/apt.conf.d'
@ -468,6 +471,7 @@ maybe chmod 0640 'exim4/passwd.client'
maybe chmod 0644 'exim4/update-exim4.conf.conf'
maybe chmod 0755 'fail2ban'
maybe chmod 0755 'fail2ban/action.d'
maybe chmod 0644 'fail2ban/action.d/abuseipdb.conf'
maybe chmod 0644 'fail2ban/action.d/apf.conf'
maybe chmod 0644 'fail2ban/action.d/badips.conf'
maybe chmod 0644 'fail2ban/action.d/badips.py'
@ -478,11 +482,13 @@ maybe chmod 0644 'fail2ban/action.d/complain.conf'
maybe chmod 0644 'fail2ban/action.d/dshield.conf'
maybe chmod 0644 'fail2ban/action.d/dummy.conf'
maybe chmod 0644 'fail2ban/action.d/firewallcmd-allports.conf'
maybe chmod 0644 'fail2ban/action.d/firewallcmd-common.conf'
maybe chmod 0644 'fail2ban/action.d/firewallcmd-ipset.conf'
maybe chmod 0644 'fail2ban/action.d/firewallcmd-multiport.conf'
maybe chmod 0644 'fail2ban/action.d/firewallcmd-new.conf'
maybe chmod 0644 'fail2ban/action.d/firewallcmd-rich-logging.conf'
maybe chmod 0644 'fail2ban/action.d/firewallcmd-rich-rules.conf'
maybe chmod 0644 'fail2ban/action.d/helpers-common.conf'
maybe chmod 0644 'fail2ban/action.d/hostsdeny.conf'
maybe chmod 0644 'fail2ban/action.d/ipfilter.conf'
maybe chmod 0644 'fail2ban/action.d/ipfw.conf'
@ -506,6 +512,7 @@ maybe chmod 0644 'fail2ban/action.d/netscaler.conf'
maybe chmod 0644 'fail2ban/action.d/nftables-allports.conf'
maybe chmod 0644 'fail2ban/action.d/nftables-common.conf'
maybe chmod 0644 'fail2ban/action.d/nftables-multiport.conf'
maybe chmod 0644 'fail2ban/action.d/nginx-block-map.conf'
maybe chmod 0644 'fail2ban/action.d/npf.conf'
maybe chmod 0644 'fail2ban/action.d/nsupdate.conf'
maybe chmod 0644 'fail2ban/action.d/osx-afctl.conf'
@ -586,6 +593,7 @@ maybe chmod 0644 'fail2ban/filter.d/oracleims.conf'
maybe chmod 0644 'fail2ban/filter.d/pam-generic.conf'
maybe chmod 0644 'fail2ban/filter.d/perdition.conf'
maybe chmod 0644 'fail2ban/filter.d/php-url-fopen.conf'
maybe chmod 0644 'fail2ban/filter.d/phpmyadmin-syslog.conf'
maybe chmod 0644 'fail2ban/filter.d/portsentry.conf'
maybe chmod 0644 'fail2ban/filter.d/postfix-rbl.conf'
maybe chmod 0644 'fail2ban/filter.d/postfix-sasl.conf'
@ -617,9 +625,11 @@ maybe chmod 0644 'fail2ban/filter.d/vsftpd.conf'
maybe chmod 0644 'fail2ban/filter.d/webmin-auth.conf'
maybe chmod 0644 'fail2ban/filter.d/wuftpd.conf'
maybe chmod 0644 'fail2ban/filter.d/xinetd-fail.conf'
maybe chmod 0644 'fail2ban/filter.d/zoneminder.conf'
maybe chmod 0644 'fail2ban/jail.conf'
maybe chmod 0755 'fail2ban/jail.d'
maybe chmod 0644 'fail2ban/jail.d/defaults-debian.conf'
maybe chmod 0644 'fail2ban/paths-arch.conf'
maybe chmod 0644 'fail2ban/paths-common.conf'
maybe chmod 0644 'fail2ban/paths-debian.conf'
maybe chmod 0644 'fail2ban/paths-opensuse.conf'
@ -746,6 +756,7 @@ maybe chmod 0755 'initramfs-tools/scripts/panic'
maybe chmod 0644 'initramfs-tools/update-initramfs.conf'
maybe chmod 0644 'inputrc'
maybe chmod 0755 'insserv.conf.d'
maybe chmod 0644 'insserv.conf.d/bind9'
maybe chmod 0644 'insserv.conf.d/rpcbind'
maybe chmod 0755 'iproute2'
maybe chmod 0644 'iproute2/bpf_pinning'
@ -754,6 +765,8 @@ maybe chmod 0644 'iproute2/group'
maybe chmod 0644 'iproute2/nl_protos'
maybe chmod 0644 'iproute2/rt_dsfield'
maybe chmod 0644 'iproute2/rt_protos'
maybe chmod 0755 'iproute2/rt_protos.d'
maybe chmod 0644 'iproute2/rt_protos.d/README'
maybe chmod 0644 'iproute2/rt_realms'
maybe chmod 0644 'iproute2/rt_scopes'
maybe chmod 0644 'iproute2/rt_tables'
@ -846,6 +859,7 @@ maybe chmod 0644 'letsencrypt/archive/wifi2.natalieandjoshua.com/fullchain1.pem'
maybe chmod 0644 'letsencrypt/archive/wifi2.natalieandjoshua.com/fullchain2.pem'
maybe chmod 0644 'letsencrypt/archive/wifi2.natalieandjoshua.com/privkey1.pem'
maybe chmod 0644 'letsencrypt/archive/wifi2.natalieandjoshua.com/privkey2.pem'
maybe chmod 0644 'letsencrypt/cli.ini'
maybe chmod 0755 'letsencrypt/csr'
maybe chmod 0644 'letsencrypt/csr/0000_csr-certbot.pem'
maybe chmod 0644 'letsencrypt/csr/0001_csr-certbot.pem'
@ -925,6 +939,7 @@ maybe chmod 0755 'logrotate.d'
maybe chmod 0644 'logrotate.d/alternatives'
maybe chmod 0644 'logrotate.d/apt'
maybe chmod 0644 'logrotate.d/aptitude'
maybe chmod 0644 'logrotate.d/certbot'
maybe chmod 0644 'logrotate.d/dpkg'
maybe chmod 0644 'logrotate.d/exim4-base'
maybe chmod 0644 'logrotate.d/exim4-paniclog'
@ -949,6 +964,7 @@ maybe chmod 0644 'modprobe.d/raspi-blacklist.conf'
maybe chmod 0644 'modules'
maybe chmod 0755 'modules-load.d'
maybe chmod 0755 'monit'
maybe chmod 0755 'monit/conf-available'
maybe chmod 0755 'monit/monitrc.d'
maybe chmod 0644 'monit/monitrc.d/fail2ban'
maybe chmod 0644 'motd'
@ -1045,6 +1061,7 @@ maybe chmod 0755 'profile.d'
maybe chmod 0644 'profile.d/Z97-byobu.sh'
maybe chmod 0644 'profile.d/bash_completion.sh'
maybe chmod 0644 'profile.d/sshpwd.sh'
maybe chmod 0644 'profile.d/wifi-country.sh'
maybe chmod 0644 'protocols'
maybe chmod 0755 'python'
maybe chmod 0644 'python/debian_config'
@ -1144,6 +1161,7 @@ maybe chmod 0644 'sysctl.conf'
maybe chmod 0755 'sysctl.d'
maybe chmod 0644 'sysctl.d/98-rpi.conf'
maybe chmod 0644 'sysctl.d/README.sysctl'
maybe chmod 0644 'sysctl.d/protect-links.conf'
maybe chmod 0755 'systemd'
maybe chmod 0644 'systemd/journald.conf'
maybe chmod 0644 'systemd/logind.conf'

@ -0,0 +1,83 @@
# vim:syntax=apparmor
#include <tunables/global>
/usr/bin/man {
#include <abstractions/base>
# Use a special profile when man calls anything groff-related. We only
# include the programs that actually parse input data in a non-trivial
# way, not wrappers such as groff and nroff, since the latter would need a
# broader profile.
/usr/bin/eqn rmCx -> &man_groff,
/usr/bin/grap rmCx -> &man_groff,
/usr/bin/pic rmCx -> &man_groff,
/usr/bin/preconv rmCx -> &man_groff,
/usr/bin/refer rmCx -> &man_groff,
/usr/bin/tbl rmCx -> &man_groff,
/usr/bin/troff rmCx -> &man_groff,
/usr/bin/vgrind rmCx -> &man_groff,
# Similarly, use a special profile when man calls decompressors and other
# simple filters.
/bin/bzip2 rmCx -> &man_filter,
/bin/gzip rmCx -> &man_filter,
/usr/bin/col rmCx -> &man_filter,
/usr/bin/compress rmCx -> &man_filter,
/usr/bin/iconv rmCx -> &man_filter,
/usr/bin/lzip.lzip rmCx -> &man_filter,
/usr/bin/tr rmCx -> &man_filter,
/usr/bin/xz rmCx -> &man_filter,
# Allow basically anything in terms of file system access, subject to DAC.
# The purpose of this profile isn't to confine man itself (that might be
# nice in the future, but is tricky since it's quite configurable), but to
# confine the processes it calls that parse untrusted data.
/** mrixwlk,
capability setuid,
capability setgid,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.bin.man>
}
profile man_groff {
#include <abstractions/base>
# Recent kernels revalidate open FDs, and there are often some still
# open on TTYs. This is temporary until man learns to close irrelevant
# open FDs before execve.
#include <abstractions/consoles>
# man always runs its groff pipeline with the input file open on stdin,
# so we can skip <abstractions/user-manpages>.
/usr/bin/eqn rm,
/usr/bin/grap rm,
/usr/bin/pic rm,
/usr/bin/preconv rm,
/usr/bin/refer rm,
/usr/bin/tbl rm,
/usr/bin/troff rm,
/usr/bin/vgrind rm,
/etc/groff/** r,
/usr/lib/groff/site-tmac/** r,
/usr/share/groff/** r,
}
profile man_filter {
#include <abstractions/base>
# Recent kernels revalidate open FDs, and there are often some still
# open on TTYs. This is temporary until man learns to close irrelevant
# open FDs before execve.
#include <abstractions/consoles>
/bin/bzip2 rm,
/bin/gzip rm,
/usr/bin/col rm,
/usr/bin/compress rm,
/usr/bin/iconv rm,
/usr/bin/lzip.lzip rm,
/usr/bin/tr rm,
/usr/bin/xz rm,
}

@ -35,6 +35,9 @@
# dnscvsutil package
/var/lib/dnscvsutil/compiled/** rw,
# Allow changing worker thread names
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
@{PROC}/net/if_inet6 r,
@{PROC}/*/net/if_inet6 r,
@{PROC}/sys/net/ipv4/ip_local_port_range r,

@ -24,6 +24,7 @@ APT
"linux-backports-modules-.*";
# tools
"linux-tools";
"linux-cloud-tools";
};
Never-MarkAuto-Sections

@ -1,28 +1,30 @@
// DO NOT EDIT! File autogenerated by /etc/kernel/postinst.d/apt-auto-removal
APT::NeverAutoRemove
{
"^linux-image-4\.9\.0-3-amd64$";
"^linux-image-4\.9\.41-v7\+$";
"^linux-headers-4\.9\.0-3-amd64$";
"^linux-image-4\.9\.80-v7\+$";
"^linux-headers-4\.9\.41-v7\+$";
"^linux-image-extra-4\.9\.0-3-amd64$";
"^linux-headers-4\.9\.80-v7\+$";
"^linux-image-extra-4\.9\.41-v7\+$";
"^linux-signed-image-4\.9\.0-3-amd64$";
"^linux-image-extra-4\.9\.80-v7\+$";
"^linux-signed-image-4\.9\.41-v7\+$";
"^kfreebsd-image-4\.9\.0-3-amd64$";
"^linux-signed-image-4\.9\.80-v7\+$";
"^kfreebsd-image-4\.9\.41-v7\+$";
"^kfreebsd-headers-4\.9\.0-3-amd64$";
"^kfreebsd-image-4\.9\.80-v7\+$";
"^kfreebsd-headers-4\.9\.41-v7\+$";
"^gnumach-image-4\.9\.0-3-amd64$";
"^kfreebsd-headers-4\.9\.80-v7\+$";
"^gnumach-image-4\.9\.41-v7\+$";
"^.*-modules-4\.9\.0-3-amd64$";
"^gnumach-image-4\.9\.80-v7\+$";
"^.*-modules-4\.9\.41-v7\+$";
"^.*-kernel-4\.9\.0-3-amd64$";
"^.*-modules-4\.9\.80-v7\+$";
"^.*-kernel-4\.9\.41-v7\+$";
"^linux-backports-modules-.*-4\.9\.0-3-amd64$";
"^.*-kernel-4\.9\.80-v7\+$";
"^linux-backports-modules-.*-4\.9\.41-v7\+$";
"^linux-tools-4\.9\.0-3-amd64$";
"^linux-backports-modules-.*-4\.9\.80-v7\+$";
"^linux-tools-4\.9\.41-v7\+$";
"^linux-tools-4\.9\.80-v7\+$";
"^linux-cloud-tools-4\.9\.41-v7\+$";
"^linux-cloud-tools-4\.9\.80-v7\+$";
};
/* Debug information:
# dpkg list:
@ -30,13 +32,13 @@ APT::NeverAutoRemove
# list of different kernel versions:
# Installing kernel: (4.9.41-v7+)
# Running kernel: ignored (4.9.0-3-amd64)
# Installing kernel: (4.9.80-v7+)
# Running kernel: ignored (4.9.41-v7+)
# Last kernel:
# Previous kernel:
# Kernel versions list to keep:
# Kernel packages (version part) to protect:
4\.9\.0-3-amd64
4\.9\.41-v7\+
4\.9\.80-v7\+
*/

@ -16,7 +16,10 @@ if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
fi
# set a fancy prompt (non-color, overwrite the one in /etc/profile)
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
# but only if not SUDOing and have SUDO_PS1 set; then assume smart user.
if ! [ -n "${SUDO_USER}" -a -n "${SUDO_PS1}" ]; then
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
# Commented out, don't overwrite xterm -T "title" -n "icontitle" by default.
# If this is an xterm set the title to user@host:dir

@ -108,7 +108,7 @@ _fail2ban () {
;;
logtarget)
if [[ "$cmd" == "set" ]];then
COMPREPLY=( $( compgen -W "STDOUT STDERR SYSLOG" -- "$cur" ) )
COMPREPLY=( $( compgen -W "STDOUT STDERR SYSLOG SYSOUT" -- "$cur" ) )
_filedir # And files
fi
return 0

@ -19,9 +19,9 @@ check_power()
# 255 (false) Power status could not be determined
# Desktop systems always return 255 it seems
if which on_ac_power >/dev/null 2>&1; then
on_ac_power
POWER=$?
if [ $POWER -eq 1 ]; then
if on_ac_power; then
:
elif [ $? -eq 1 ]; then
return 1
fi
fi

@ -25,11 +25,9 @@
<policy context="default">
<deny own="fi.epitest.hostap.WPASupplicant"/>
<deny send_destination="fi.epitest.hostap.WPASupplicant"/>
<deny send_interface="fi.epitest.hostap.WPASupplicant"/>
<deny own="fi.w1.wpa_supplicant1"/>
<deny send_destination="fi.w1.wpa_supplicant1"/>
<deny send_interface="fi.w1.wpa_supplicant1"/>
<deny receive_sender="fi.w1.wpa_supplicant1" receive_type="signal"/>
</policy>
</busconfig>

@ -32,11 +32,11 @@ DARCS_COMMIT_OPTIONS="-a"
#AVOID_COMMIT_BEFORE_INSTALL=1
# The high-level package manager that's being used.
# (apt, pacman, pacman-g2, yum, dnf, zypper etc)
# (apt, pacman, pacman-g2, yum, dnf, zypper, apk etc)
HIGHLEVEL_PACKAGE_MANAGER=apt
# The low-level package manager that's being used.
# (dpkg, rpm, pacman, pacmatic, pacman-g2, etc)
# (dpkg, rpm, pacman, pacmatic, pacman-g2, apk etc)
LOWLEVEL_PACKAGE_MANAGER=dpkg
# To push each commit to a remote, put the name of the remote here.

@ -21,5 +21,7 @@ else
pacmatic -Q
elif [ "$LOWLEVEL_PACKAGE_MANAGER" = pkgng ]; then
pkg info -E "*"
elif [ "$LOWLEVEL_PACKAGE_MANAGER" = apk ]; then
apk info -v | sort
fi
fi

@ -2,7 +2,7 @@
set -e
exclude_internal () {
egrep -v '(^|/)(.git|.hg|.bzr|_darcs)/'
egrep -v '(^|/)(\.git|\.hg|\.bzr|_darcs)/'
}
if [ "$VCS" = bzr ] || [ "$VCS" = darcs ]; then

@ -1,6 +1,10 @@
#!/bin/sh
set -e
# Make sure sort always sorts in same order.
LANG=C
export LANG
filter_ignore() {
case "$VCS" in
darcs) ignorefile=.darcsignore ;;
@ -16,7 +20,11 @@ filter_ignore() {
;;
git)
(git ls-files -oi --exclude-standard; git ls-files -oi --exclude-standard --directory) | sort | uniq > "$listfile" || true
if [ -s "$listfile" ]; then
sed 's/^\.\///' | grep -xFvf "$listfile"
else
cat -
fi
;;
esac
rm -f "$listfile"
@ -51,6 +59,7 @@ generate_metadata() {
# Keep the sort order the same at all times.
LC_COLLATE=C
export LC_COLLATE
unset LC_ALL
if [ "$VCS" = git ] || [ "$VCS" = hg ]; then
# These version control systems do not track directories,
@ -70,7 +79,15 @@ generate_metadata() {
# Store things that don't have the default user or group.
# Store all file modes, in case the user has an unusual umask.
find $NOVCS \( -type f -or -type d \) -print | filter_ignore | sort | perl -ne '
find $NOVCS \( -type f -or -type d \) -print | filter_ignore | sort | maybe_chmod_chown
# We don't handle xattrs.
# Maybe check for getfattr/setfattr and use them if they're available?
}
maybe_chmod_chown() {
if [ "$(which perl 2>/dev/null)" != "" ]; then
perl -ne '
BEGIN { $q=chr(39) }
sub uidname {
my $want=shift;
@ -104,9 +121,27 @@ generate_metadata() {
}
printf "maybe chmod %04o %s\n", $mode & 07777, $_;
'
# We don't handle xattrs.
# Maybe check for getfattr/setfattr and use them if they're available?
return $?
else
# fallback if perl isn't present
euid=$(id -u)
egid=$(id -g)
q="'"
while read x; do
stat=$(stat -c "%f:%u:%g:%a:%U:%G" $x)
IFS=":" read mode uid gid perm uname gname <<EOF
$stat
EOF
x=$q$(echo $x | sed "s/$q/$q\"$q\"$q/")$q
if [ $uid -ne $euid ]; then
echo maybe chown "'$uname'" $x
fi
if [ $gid -ne $egid ]; then
echo maybe chgrp "'$gname'" $x
fi
echo maybe chmod 0$perm $x
done
fi
}
if [ "$VCS" = git ] || [ "$VCS" = hg ] || [ "$VCS" = bzr ] || [ "$VCS" = darcs ]; then

@ -99,6 +99,10 @@ writefile () {
ignore "*.pacorig"
ignore "*.pacsave"
nl
elif [ "$LOWLEVEL_PACKAGE_MANAGER" = "apk" ]; then
comment "new versions of conffiles, stored by apk"
ignore "*.apk-new"
nl
fi
comment "old versions of files"

@ -0,0 +1,105 @@
# Fail2ban configuration file
#
# Action to report IP address to abuseipdb.com
# You must sign up to obtain an API key from abuseipdb.com.
#
# NOTE: These reports may include sensitive Info.
# If you want cleaner reports that ensure no user data see the helper script at the below website.
#
# IMPORTANT:
#
# Reporting an IP of abuse is a serious complaint. Make sure that it is
# serious. Fail2ban developers and network owners recommend you only use this
# action for:
# * The recidive where the IP has been banned multiple times
# * Where maxretry has been set quite high, beyond the normal user typing
# password incorrectly.
# * For filters that have a low likelihood of receiving human errors
#
# This action relies on a api_key being added to the above action conf,
# and the appropriate categories set.
#
# Example, for ssh bruteforce (in section [sshd] of `jail.local`):
# action = %(known/action)s
# %(action_abuseipdb)s[abuseipdb_apikey="my-api-key", abuseipdb_category="18,22"]
#
# See below for catagories.
#
# Original Ref: https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban
# Added to fail2ban by Andrew James Collett (ajcollett)
## abuseIPDB Catagories, `the abuseipdb_category` MUST be set in the jail.conf action call.
# Example, for ssh bruteforce: action = %(action_abuseipdb)s[abuseipdb_category="18,22"]
# ID Title Description
# 3 Fraud Orders
# 4 DDoS Attack
# 9 Open Proxy
# 10 Web Spam
# 11 Email Spam
# 14 Port Scan
# 18 Brute-Force
# 19 Bad Web Bot
# 20 Exploited Host
# 21 Web App Attack
# 22 SSH Secure Shell (SSH) abuse. Use this category in combination with more specific categories.
# 23 IoT Targeted
# See https://abuseipdb.com/categories for more descriptions
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart =
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
#
# ** IMPORTANT! **
#
# By default, this posts directly to AbuseIPDB's API, unfortunately
# this results in a lot of backslashes/escapes appearing in the
# reports. This also may include info like your hostname.
# If you have your own web server with PHP available, you can
# use my (Shaun's) helper PHP script by commenting out the first #actionban
# line below, uncommenting the second one, and pointing the URL at
# wherever you install the helper script. For the PHP helper script, see
# <https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban>
#
# --ciphers ecdhe_ecdsa_aes_256_sha is used to workaround a
# "NSS error -12286" from curl as it attempts to connect using
# SSLv3. See https://www.centos.org/forums/viewtopic.php?t=52732
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = curl --fail --ciphers ecdhe_ecdsa_aes_256_sha --data 'key=<abuseipdb_apikey>' --data-urlencode 'comment=<matches>' --data 'ip=<ip>' --data 'category=<abuseipdb_category>' "https://www.abuseipdb.com/report/json"
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban =
[Init]
# Option: abuseipdb_apikey
# Notes Your API key from abuseipdb.com
# Values: STRING Default: None
# Register for abuseipdb [https://www.abuseipdb.com], get api key and set below.
# You will need to set the catagory in the action call.
abuseipdb_apikey =

@ -34,7 +34,7 @@ else:
from fail2ban.server.actions import ActionBase
class BadIPsAction(ActionBase):
class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable
"""Fail2Ban action which reports bans to badips.com, and also
blacklist bad IPs listed on badips.com by using another action's
ban method.
@ -105,6 +105,16 @@ class BadIPsAction(ActionBase):
# Used later for threading.Timer for updating badips
self._timer = None
@staticmethod
def isAvailable(timeout=1):
try:
response = urlopen(Request("/".join([BadIPsAction._badips]),
headers={'User-Agent': "Fail2Ban"}), timeout=timeout)
return True, ''
except Exception as e: # pragma: no cover
return False, e
def getCategories(self, incParents=False):
"""Get badips.com categories.

@ -14,7 +14,7 @@
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = ipfw show | fgrep -q 'table(<table>)' || ( ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e <br> else exit b }'; num=$?; ipfw -q add $num <blocktype> <block> from table\(<table>\) to me <port>; echo $num > "<startstatefile>" )
actionstart = ipfw show | fgrep -c -m 1 -s 'table(<table>)' > /dev/null 2>&1 || ( ipfw show | awk 'BEGIN { b = <lowest_rule_num> } { if ($1 < b) {} else if ($1 == b) { b = $1 + 1 } else { e = b } } END { if (e) exit e <br> else exit b }'; num=$?; ipfw -q add $num <blocktype> <block> from table\(<table>\) to me <port>; echo $num > "<startstatefile>" )
# Option: actionstop
@ -81,3 +81,11 @@ block = ip
# Values: STRING
#
blocktype = unreach port
# Option: lowest_rule_num
# Notes: When fail2ban starts with action and there is no rule for the given table yet
# then fail2ban will start looking for an empty slot starting with this rule number.
# Values: NUM
lowest_rule_num = 111

@ -40,7 +40,12 @@ actioncheck =
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=ban' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'
# API v1
#actionban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=ban' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'
# API v4
actionban = curl -s -o /dev/null -X POST -H 'X-Auth-Email: <cfuser>' -H 'X-Auth-Key: <cftoken>' \
-H 'Content-Type: application/json' -d '{ "mode": "block", "configuration": { "target": "ip", "value": "<ip>" } }' \
https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -50,7 +55,12 @@ actionban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=nul' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'
# API v1
#actionunban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=nul' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'
# API v4
actionunban = curl -s -o /dev/null -X DELETE -H 'X-Auth-Email: <cfuser>' -H 'X-Auth-Key: <cftoken>' \
https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules/$(curl -s -X GET -H 'X-Auth-Email: <cfuser>' -H 'X-Auth-Key: <cftoken>' \
'https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules?mode=block&configuration_target=ip&configuration_value=<ip>&page=1&per_page=1' | cut -d'"' -f6)
[Init]

@ -28,8 +28,18 @@
#
[INCLUDES]
before = helpers-common.conf
[Definition]
# Used in test cases for coverage internal transformations
debug = 0
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
@ -54,10 +64,18 @@ actioncheck =
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = oifs=${IFS}; IFS=.;SEP_IP=( <ip> ); set -- ${SEP_IP}; ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs}
actionban = oifs=${IFS};
RESOLVER_ADDR="%(addr_resolver)s"
if [ "<debug>" -gt 0 ]; then echo "try to resolve $RESOLVER_ADDR"; fi
ADDRESSES=$(dig +short -t txt -q $RESOLVER_ADDR | tr -d '"')
IFS=,; ADDRESSES=$(echo $ADDRESSES)
IFS=${oifs}
IP=<ip>
if [ ! -z "$ADDRESSES" ]; then
(printf %%b "<message>\n"; date '+Note: Local timezone is %%z (%%Z)'; grep -E '(^|[^0-9])<ip>([^0-9]|$)' <logpath>) | <mailcmd> "Abuse from <ip>" <mailargs> ${ADDRESSES//,/\" \"}
( printf %%b "<message>\n"; date '+Note: Local timezone is %%z (%%Z)';
printf %%b "\nLines containing failures of <ip> (max <grepmax>)\n";
%(_grep_logs)s;
) | <mailcmd> "Abuse from <ip>" <mailargs> $ADDRESSES
fi
# Option: actionunban
@ -68,7 +86,12 @@ actionban = oifs=${IFS}; IFS=.;SEP_IP=( <ip> ); set -- ${SEP_IP}; ADDRESSES=$(di
#
actionunban =
[Init]
# Server as resolver used in dig command
#
addr_resolver = <ip-rev>abuse-contacts.abusix.org
# Default message used for abuse content
#
message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a abusix.com is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)\n\n This mail was generated by Fail2Ban.\nThe recipient address of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information which we pass out, derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email (info@abusix.com). Information about the Abuse Contact Database can be found here: https://abusix.com/global-reporting/abuse-contact-db\nabusix.com is neither responsible nor liable for the content or accuracy of this message.\n
# Path to the log files which contain relevant lines for the abuser IP
@ -92,3 +115,7 @@ mailcmd = mail -s
#
mailargs =
# Number of log lines to include in the email
#
#grepmax = 1000
#grepopts = -m <grepmax>

@ -28,6 +28,9 @@
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD

@ -10,14 +10,23 @@
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = touch /var/run/fail2ban/fail2ban.dummy
printf %%b "<init>\n" >> /var/run/fail2ban/fail2ban.dummy
actionstart = if [ ! -z '<target>' ]; then touch <target>; fi;
printf %%b "<init>\n" <to_target>
echo "%(debug)s started"
# Option: actionflush
# Notes.: command executed once to flush (clear) all IPS, by shutdown (resp. by stop of the jail or this action)
# Values: CMD
#
actionflush = printf %%b "-*\n" <to_target>
echo "%(debug)s clear all"
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = rm -f /var/run/fail2ban/fail2ban.dummy
actionstop = if [ ! -z '<target>' ]; then rm -f <target>; fi;
echo "%(debug)s stopped"
# Option: actioncheck
# Notes.: command executed once before each actionban command
@ -31,7 +40,8 @@ actioncheck =
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "+<ip>\n" >> /var/run/fail2ban/fail2ban.dummy
actionban = printf %%b "+<ip>\n" <to_target>
echo "%(debug)s banned <ip> (family: <family>)"
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -39,9 +49,15 @@ actionban = printf %%b "+<ip>\n" >> /var/run/fail2ban/fail2ban.dummy
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = printf %%b "-<ip>\n" >> /var/run/fail2ban/fail2ban.dummy
actionunban = printf %%b "-<ip>\n" <to_target>
echo "%(debug)s unbanned <ip> (family: <family>)"
debug = [<name>] <actname> <target> --
[Init]
init = 123
target = /var/run/fail2ban/fail2ban.dummy
to_target = >> <target>

@ -6,34 +6,26 @@
[INCLUDES]
before = iptables-common.conf
before = firewallcmd-common.conf
[Definition]
actionstart = firewall-cmd --direct --add-chain ipv4 filter f2b-<name>
firewall-cmd --direct --add-rule ipv4 filter f2b-<name> 1000 -j RETURN
firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -j f2b-<name>
actionstart = firewall-cmd --direct --add-chain <family> filter f2b-<name>
firewall-cmd --direct --add-rule <family> filter f2b-<name> 1000 -j RETURN
firewall-cmd --direct --add-rule <family> filter <chain> 0 -j f2b-<name>
actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -j f2b-<name>
firewall-cmd --direct --remove-rules ipv4 filter f2b-<name>
firewall-cmd --direct --remove-chain ipv4 filter f2b-<name>
actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -j f2b-<name>
firewall-cmd --direct --remove-rules <family> filter f2b-<name>
firewall-cmd --direct --remove-chain <family> filter f2b-<name>
# Example actioncheck: firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-recidive$'
actioncheck = firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-<name>$'
actioncheck = firewall-cmd --direct --get-chains <family> filter | sed -e 's, ,\n,g' | grep -q '^f2b-<name>$'
actionban = firewall-cmd --direct --add-rule ipv4 filter f2b-<name> 0 -s <ip> -j <blocktype>
actionban = firewall-cmd --direct --add-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
actionunban = firewall-cmd --direct --remove-rule ipv4 filter f2b-<name> 0 -s <ip> -j <blocktype>
[Init]
# Default name of the chain
#
name = default
chain = INPUT_direct
actionunban = firewall-cmd --direct --remove-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
# DEV NOTES:
#

@ -0,0 +1,76 @@
# Fail2Ban configuration file
#
# Author: Donald Yandt
#
[Init]
# Option: name
# Notes Default name of the chain
# Values: STRING
name = default
# Option port
# Notes Can also use port numbers separated by a comma and in rich-rules comma and/or space.
# Value STRING Default: 1:65535
port = 1:65535
# Option: protocol
# Notes [ tcp | udp | icmp | all ]
# Values: STRING Default: tcp
protocol = tcp
# Option: family(ipv4)
# Notes specifies the socket address family type
# Values: STRING
family = ipv4
# Option: chain
# Notes specifies the firewalld chain to which the Fail2Ban rules should be
# added
# Values: STRING Default: INPUT_direct
chain = INPUT_direct
# Option: zone
# Notes use command firewall-cmd --get-active-zones to see a list of all active zones. See firewalld man pages for more information on zones
# Values: STRING Default: public
zone = public
# Option: service
# Notes use command firewall-cmd --get-services to see a list of services available
# Examples services: amanda-client amanda-k5-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps
# freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kadmin kerberos
# kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s
# postgresql privoxy proxy-dhcp puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp squid ssh synergy
# telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
# Values: STRING Default: ssh
service = ssh
# Option: rejecttype (ipv4)
# Notes See iptables/firewalld man pages for ipv4 reject types.
# Values: STRING
rejecttype = icmp-port-unreachable
# Option: blocktype (ipv4/ipv6)
# Notes See iptables/firewalld man pages for jump targets. Common values are REJECT,
# REJECT --reject-with icmp-port-unreachable, DROP
# Values: STRING
blocktype = REJECT --reject-with <rejecttype>
# Option: rich-blocktype (ipv4/ipv6)
# Notes See firewalld man pages for jump targets. Common values are reject,
# reject type="icmp-port-unreachable", drop
# Values: STRING
rich-blocktype = reject type='<rejecttype>'
[Init?family=inet6]
# Option: family(ipv6)
# Notes specifies the socket address family type
# Values: STRING
family = ipv6
# Option: rejecttype (ipv6)
# Note: See iptables/firewalld man pages for ipv6 reject types.
# Values: STRING
rejecttype = icmp6-port-unreachable

@ -14,20 +14,22 @@
[INCLUDES]
before = iptables-common.conf
before = firewallcmd-common.conf
[Definition]
actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
actionstart = ipset create <ipmset> hash:ip timeout <bantime><familyopt>
firewall-cmd --direct --add-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
ipset flush fail2ban-<name>
ipset destroy fail2ban-<name>
actionflush = ipset flush <ipmset>
actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist
actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
<actionflush>
ipset destroy <ipmset>
actionunban = ipset del fail2ban-<name> <ip> -exist
actionban = ipset add <ipmset> <ip> timeout <bantime> -exist
actionunban = ipset del <ipmset> <ip> -exist
[Init]
@ -44,6 +46,31 @@ chain = INPUT_direct
bantime = 600
# Option: actiontype
# Notes.: defines additions to the blocking rule
# Values: leave empty to block all attempts from the host
# Default: Value of the multiport
actiontype = <multiport>
# Option: allports
# Notes.: default addition to block all ports
# Usage.: use in jail config: banaction = firewallcmd-ipset[actiontype=<allports>]
# for all protocols: banaction = firewallcmd-ipset[actiontype=""]
allports = -p <protocol>
# Option: multiport
# Notes.: addition to block access only to specific ports
# Usage.: use in jail config: banaction = firewallcmd-ipset[actiontype=<multiport>]
multiport = -p <protocol> -m multiport --dports <port>
ipmset = f2b-<name>
familyopt =
[Init?family=inet6]
ipmset = f2b-<name>6
familyopt = <sp>family inet6
# DEV NOTES:
#

@ -5,59 +5,22 @@
[INCLUDES]
before = iptables-common.conf
before = firewallcmd-common.conf
[Definition]
actionstart = firewall-cmd --direct --add-chain ipv4 filter f2b-<name>
firewall-cmd --direct --add-rule ipv4 filter f2b-<name> 1000 -j RETURN
firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
actionstart = firewall-cmd --direct --add-chain <family> filter f2b-<name>
firewall-cmd --direct --add-rule <family> filter f2b-<name> 1000 -j RETURN
firewall-cmd --direct --add-rule <family> filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
firewall-cmd --direct --remove-rules ipv4 filter f2b-<name>
firewall-cmd --direct --remove-chain ipv4 filter f2b-<name>
actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
firewall-cmd --direct --remove-rules <family> filter f2b-<name>
firewall-cmd --direct --remove-chain <family> filter f2b-<name>
# Example actioncheck: firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-apache-modsecurity$'
actioncheck = firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-<name>$'
actioncheck = firewall-cmd --direct --get-chains <family> filter | sed -e 's, ,\n,g' | grep -q '^f2b-<name>$'
actionban = firewall-cmd --direct --add-rule ipv4 filter f2b-<name> 0 -s <ip> -j <blocktype>
actionunban = firewall-cmd --direct --remove-rule ipv4 filter f2b-<name> 0 -s <ip> -j <blocktype>
[Init]
# Default name of the chain
name = default
chain = INPUT_direct
# Could also use port numbers separated by a comma.
port = 1:65535
# Option: protocol
# Values: [ tcp | udp | icmp | all ]
protocol = tcp
# DEV NOTES:
#
# Author: Donald Yandt
# Uses "FirewallD" instead of the "iptables daemon".
#
#
# Output:
# actionstart:
# $ firewall-cmd --direct --add-chain ipv4 filter f2b-apache-modsecurity
# success
# $ firewall-cmd --direct --add-rule ipv4 filter f2b-apache-modsecurity 1000 -j RETURN
# success
# $ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -m state --state NEW -p tcp -m multiport --dports 80,443 -j f2b-apache-modsecurity
# success
# actioncheck:
# $ firewall-cmd --direct --get-chains ipv4 filter f2b-apache-modsecurity | sed -e 's, ,\n,g' | grep -q '^f2b-apache-modsecurity$'
# f2b-apache-modsecurity
actionban = firewall-cmd --direct --add-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
actionunban = firewall-cmd --direct --remove-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>

@ -4,32 +4,23 @@
[INCLUDES]
before = iptables-common.conf
before = firewallcmd-common.conf
[Definition]
actionstart = firewall-cmd --direct --add-chain ipv4 filter f2b-<name>
firewall-cmd --direct --add-rule ipv4 filter f2b-<name> 1000 -j RETURN
firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
actionstart = firewall-cmd --direct --add-chain <family> filter f2b-<name>
firewall-cmd --direct --add-rule <family> filter f2b-<name> 1000 -j RETURN
firewall-cmd --direct --add-rule <family> filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
firewall-cmd --direct --remove-rules ipv4 filter f2b-<name>
firewall-cmd --direct --remove-chain ipv4 filter f2b-<name>
actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
firewall-cmd --direct --remove-rules <family> filter f2b-<name>
firewall-cmd --direct --remove-chain <family> filter f2b-<name>
actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q 'f2b-<name>$'
actioncheck = firewall-cmd --direct --get-chains <family> filter | sed -e 's, ,\n,g' | grep -q 'f2b-<name>$'
actionban = firewall-cmd --direct --add-rule ipv4 filter f2b-<name> 0 -s <ip> -j <blocktype>
actionban = firewall-cmd --direct --add-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
actionunban = firewall-cmd --direct --remove-rule ipv4 filter f2b-<name> 0 -s <ip> -j <blocktype>
[Init]
# Option: chain
# Notes specifies the iptables chain to which the fail2ban rules should be
# added
# Values: [ STRING ]
#
chain = INPUT_direct
actionunban = firewall-cmd --direct --remove-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
# DEV NOTES:
#

@ -15,6 +15,10 @@
# firewall-cmd [--zone=<zone>] --list-all
# firewall-cmd [--zone=zone] --query-rich-rule='rule'
[INCLUDES]
before = firewallcmd-common.conf
[Definition]
actionstart =
@ -26,40 +30,22 @@ actioncheck =
# you can also use zones and/or service names.
#
# zone example:
# firewall-cmd --zone=<zone> --add-rich-rule="rule family='ipv4' source address='<ip>' port port='<port>' protocol='<protocol>' log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <blocktype>"
# firewall-cmd --zone=<zone> --add-rich-rule="rule family='<family>' source address='<ip>' port port='<port>' protocol='<protocol>' log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <rich-blocktype>"
#
# service name example:
# firewall-cmd --zone=<zone> --add-rich-rule="rule family='ipv4' source address='<ip>' service name='<service>' log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <blocktype>"
# firewall-cmd --zone=<zone> --add-rich-rule="rule family='<family>' source address='<ip>' service name='<service>' log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <rich-blocktype>"
#
# Because rich rules can only handle single or a range of ports we must split ports and execute the command for each port. Ports can be single and ranges separated by a comma or space for an example: http, https, 22-60, 18 smtp
actionban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='<ip>' port port='$p' protocol='<protocol>' log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <blocktype>"; done
actionban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='<family>' source address='<ip>' port port='$p' protocol='<protocol>' log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <rich-blocktype>"; done
actionunban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='<ip>' port port='$p' protocol='<protocol>' log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <blocktype>"; done
actionunban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='<family>' source address='<ip>' port port='$p' protocol='<protocol>' log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <rich-blocktype>"; done
[Init]
name = default
# log levels are "emerg", "alert", "crit", "error", "warning", "notice", "info" or "debug"
level = info
# log rate per minute
rate = 1
zone = public
# use command firewall-cmd --get-services to see a list of services available
#
# Examples:
#
# amanda-client amanda-k5-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps
# freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kadmin kerberos
# kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s
# postgresql privoxy proxy-dhcp puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp squid ssh synergy
# telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
service = ssh
# reject types: 'icmp-net-unreachable', 'icmp-host-unreachable', 'icmp-port-unreachable', 'icmp-proto-unreachable',
# 'icmp-net-prohibited', 'icmp-host-prohibited', 'icmp-admin-prohibited' or 'tcp-reset'
blocktype = reject type='icmp-port-unreachable'

@ -13,6 +13,10 @@
# firewall-cmd [--zone=<zone>] --list-all
# firewall-cmd [--zone=zone] --query-rich-rule='rule'
[INCLUDES]
before = firewallcmd-common.conf
[Definition]
actionstart =
@ -24,34 +28,15 @@ actioncheck =
#you can also use zones and/or service names.
#
# zone example:
# firewall-cmd --zone=<zone> --add-rich-rule="rule family='ipv4' source address='<ip>' port port='<port>' protocol='<protocol>' <blocktype>"
# firewall-cmd --zone=<zone> --add-rich-rule="rule family='ipv4' source address='<ip>' port port='<port>' protocol='<protocol>' <rich-blocktype>"
#
# service name example:
# firewall-cmd --zone=<zone> --add-rich-rule="rule family='ipv4' source address='<ip>' service name='<service>' <blocktype>"
# firewall-cmd --zone=<zone> --add-rich-rule="rule family='ipv4' source address='<ip>' service name='<service>' <rich-blocktype>"
#
# Because rich rules can only handle single or a range of ports we must split ports and execute the command for each port. Ports can be single and ranges separated by a comma or space for an example: http, https, 22-60, 18 smtp
actionban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='<ip>' port port='$p' protocol='<protocol>' <blocktype>"; done
actionunban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='<ip>' port port='$p' protocol='<protocol>' <blocktype>"; done
[Init]
name = default
zone = public
# use command firewall-cmd --get-services to see a list of services available
#
# Examples:
#
# amanda-client amanda-k5-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps
# freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kadmin kerberos
# kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s
# postgresql privoxy proxy-dhcp puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp squid ssh synergy
# telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
actionban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='<family>' source address='<ip>' port port='$p' protocol='<protocol>' <rich-blocktype>"; done
service = ssh
actionunban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='<family>' source address='<ip>' port port='$p' protocol='<protocol>' <rich-blocktype>"; done
# reject types: 'icmp-net-unreachable', 'icmp-host-unreachable', 'icmp-port-unreachable', 'icmp-proto-unreachable',
# 'icmp-net-prohibited', 'icmp-host-prohibited', 'icmp-admin-prohibited' or 'tcp-reset'
blocktype = reject type='icmp-port-unreachable'

@ -0,0 +1,16 @@
[DEFAULT]
# Usage:
# _grep_logs_args = 'test'
# (printf %%b "Log-excerpt contains 'test':\n"; %(_grep_logs)s; printf %%b "Log-excerpt contains 'test':\n") | mail ...
#
_grep_logs = logpath="<logpath>"; grep <grepopts> -E %(_grep_logs_args)s $logpath | <greplimit>
_grep_logs_args = "(^|[^0-9a-fA-F:])$(echo '<ip>' | sed 's/\./\\./g')([^0-9a-fA-F:]|$)"
# Used for actions, that should not by executed if ticket was restored:
_bypass_if_restored = if [ '<restored>' = '1' ]; then exit 0; fi;
[Init]
greplimit = tail -n <grepmax>
grepmax = 1000
grepopts = -m <grepmax>

@ -31,8 +31,7 @@ actioncheck =
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = IP=<ip> &&
printf %%b "<daemon_list>: $IP\n" >> <file>
actionban = IP=<ip> && printf %%b "<daemon_list>: $IP\n" >> <file>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -40,7 +39,7 @@ actionban = IP=<ip> &&
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = echo "/^<daemon_list>: <ip>$/<br>d<br>w<br>q" | ed <file>
actionunban = IP=$(echo <ip> | sed 's/\./\\./g') && sed -i "/^<daemon_list>: $IP$/d" <file>
[Init]

@ -26,7 +26,7 @@ actionstart = <iptables> -N f2b-<name>
# Values: CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -j f2b-<name>
<iptables> -F f2b-<name>
<actionflush>
<iptables> -X f2b-<name>
# Option: actioncheck

@ -6,6 +6,9 @@
# used in all iptables based actions by default.
#
# The user can override the defaults in iptables-common.local
#
# Modified: Alexander Koeppe <format_c@online.de>, Serg G. Brester <serg.brester@sebres.de>
# made config file IPv6 capable (see new section Init?family=inet6)
[INCLUDES]
@ -13,6 +16,15 @@ after = iptables-blocktype.local
iptables-common.local
# iptables-blocktype.local is obsolete
[Definition]
# Option: actionflush
# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
# Values: CMD
#
actionflush = <iptables> -F f2b-<name>
[Init]
# Option: chain
@ -62,3 +74,19 @@ lockingopt = -w
# Notes.: Actual command to be executed, including common to all calls options
# Values: STRING
iptables = iptables <lockingopt>
[Init?family=inet6]
# Option: blocktype (ipv6)
# Note: This is what the action does with rules. This can be any jump target
# as per the iptables man page (section 8). Common values are DROP
# REJECT, REJECT --reject-with icmp6-port-unreachable
# Values: STRING
blocktype = REJECT --reject-with icmp6-port-unreachable
# Option: iptables (ipv6)
# Notes.: Actual command to be executed, including common to all calls options
# Values: STRING
iptables = ip6tables <lockingopt>

@ -30,12 +30,19 @@ before = iptables-common.conf
actionstart = ipset --create f2b-<name> iphash
<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
# Option: actionflush
# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
# Values: CMD
#
actionflush = ipset --flush f2b-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
ipset --flush f2b-<name>
<actionflush>
ipset --destroy f2b-<name>
# Option: actionban

@ -12,6 +12,9 @@
#
# If you are running on an older kernel you make need to patch in external
# modules which probably won't be protocol version 6.
#
# Modified: Alexander Koeppe <format_c@online.de>, Serg G. Brester <serg.brester@sebres.de>
# made config file IPv6 capable (see new section Init?family=inet6)
[INCLUDES]
@ -23,16 +26,22 @@ before = iptables-common.conf
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = ipset create f2b-<name> hash:ip timeout <bantime>
<iptables> -I <chain> -m set --match-set f2b-<name> src -j <blocktype>
actionstart = ipset create <ipmset> hash:ip timeout <bantime><familyopt>
<iptables> -I <chain> -m set --match-set <ipmset> src -j <blocktype>
# Option: actionflush
# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
# Values: CMD
#
actionflush = ipset flush <ipmset>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = <iptables> -D <chain> -m set --match-set f2b-<name> src -j <blocktype>
ipset flush f2b-<name>
ipset destroy f2b-<name>
actionstop = <iptables> -D <chain> -m set --match-set <ipmset> src -j <blocktype>
<actionflush>
ipset destroy <ipmset>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@ -40,7 +49,7 @@ actionstop = <iptables> -D <chain> -m set --match-set f2b-<name> src -j <blockty
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = ipset add f2b-<name> <ip> timeout <bantime> -exist
actionban = ipset add <ipmset> <ip> timeout <bantime> -exist
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -48,7 +57,7 @@ actionban = ipset add f2b-<name> <ip> timeout <bantime> -exist
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = ipset del f2b-<name> <ip> -exist
actionunban = ipset del <ipmset> <ip> -exist
[Init]
@ -57,3 +66,12 @@ actionunban = ipset del f2b-<name> <ip> -exist
# Values: [ NUM ] Default: 600
#
bantime = 600
ipmset = f2b-<name>
familyopt =
[Init?family=inet6]
ipmset = f2b-<name>6
familyopt = <sp>family inet6

@ -12,6 +12,9 @@
#
# If you are running on an older kernel you make need to patch in external
# modules.
#
# Modified: Alexander Koeppe <format_c@online.de>, Serg G. Brester <serg.brester@sebres.de>
# made config file IPv6 capable (see new section Init?family=inet6)
[INCLUDES]
@ -23,16 +26,22 @@ before = iptables-common.conf
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = ipset create f2b-<name> hash:ip timeout <bantime>
<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
actionstart = ipset create <ipmset> hash:ip timeout <bantime><familyopt>
<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set <ipmset> src -j <blocktype>
# Option: actionflush
# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
# Values: CMD
#
actionflush = ipset flush <ipmset>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
ipset flush f2b-<name>
ipset destroy f2b-<name>
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set <ipmset> src -j <blocktype>
<actionflush>
ipset destroy <ipmset>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@ -40,7 +49,7 @@ actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -m
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = ipset add f2b-<name> <ip> timeout <bantime> -exist
actionban = ipset add <ipmset> <ip> timeout <bantime> -exist
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -48,7 +57,7 @@ actionban = ipset add f2b-<name> <ip> timeout <bantime> -exist
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = ipset del f2b-<name> <ip> -exist
actionunban = ipset del <ipmset> <ip> -exist
[Init]
@ -57,3 +66,12 @@ actionunban = ipset del f2b-<name> <ip> -exist
# Values: [ NUM ] Default: 600
#
bantime = 600
ipmset = f2b-<name>
familyopt =
[Init?family=inet6]
ipmset = f2b-<name>6
familyopt = <sp>family inet6

@ -26,13 +26,19 @@ actionstart = <iptables> -N f2b-<name>
<iptables> -I f2b-<name>-log -j LOG --log-prefix "$(expr f2b-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
<iptables> -A f2b-<name>-log -j <blocktype>
# Option: actionflush
# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
# Values: CMD
#
actionflush = <iptables> -F f2b-<name>
<iptables> -F f2b-<name>-log
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
<iptables> -F f2b-<name>
<iptables> -F f2b-<name>-log
<actionflush>
<iptables> -X f2b-<name>
<iptables> -X f2b-<name>-log

@ -23,7 +23,7 @@ actionstart = <iptables> -N f2b-<name>
# Values: CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
<iptables> -F f2b-<name>
<actionflush>
<iptables> -X f2b-<name>
# Option: actioncheck

@ -25,7 +25,7 @@ actionstart = <iptables> -N f2b-<name>
# Values: CMD
#
actionstop = <iptables> -D <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
<iptables> -F f2b-<name>
<actionflush>
<iptables> -X f2b-<name>
# Option: actioncheck

@ -2,7 +2,8 @@
#
# Author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
#
#
# Modified: Alexander Koeppe <format_c@online.de>, Serg G. Brester <serg.brester@sebres.de>
# made config file IPv6 capable
[INCLUDES]
@ -22,30 +23,36 @@ before = iptables-common.conf
# iptables-persistent package).
#
# Explanation of the rule below:
# Check if any packets coming from an IP on the f2b-<name>
# Check if any packets coming from an IP on the <iptname>
# list have been seen in the last 3600 seconds. If yes, update the
# timestamp for this IP and drop the packet. If not, let the packet
# through.
#
# Fail2ban inserts blacklisted hosts into the f2b-<name> list
# Fail2ban inserts blacklisted hosts into the <iptname> list
# and removes them from the list after some time, according to its
# own rules. The 3600 second timeout is independent and acts as a
# safeguard in case the fail2ban process dies unexpectedly. The
# shorter of the two timeouts actually matters.
actionstart = if [ `id -u` -eq 0 ];then <iptables> -I <chain> -m recent --update --seconds 3600 --name f2b-<name> -j <blocktype>;fi
actionstart = if [ `id -u` -eq 0 ];then <iptables> -I <chain> -m recent --update --seconds 3600 --name <iptname> -j <blocktype>;fi
# Option: actionflush
#
# [TODO] Flushing is currently not implemented for xt_recent
#
actionflush =
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = echo / > /proc/net/xt_recent/f2b-<name>
if [ `id -u` -eq 0 ];then <iptables> -D <chain> -m recent --update --seconds 3600 --name f2b-<name> -j <blocktype>;fi
actionstop = echo / > /proc/net/xt_recent/<iptname>
if [ `id -u` -eq 0 ];then <iptables> -D <chain> -m recent --update --seconds 3600 --name <iptname> -j <blocktype>;fi
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = test -e /proc/net/xt_recent/f2b-<name>
actioncheck = test -e /proc/net/xt_recent/<iptname>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@ -53,7 +60,7 @@ actioncheck = test -e /proc/net/xt_recent/f2b-<name>
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = echo +<ip> > /proc/net/xt_recent/f2b-<name>
actionban = echo +<ip> > /proc/net/xt_recent/<iptname>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -61,7 +68,12 @@ actionban = echo +<ip> > /proc/net/xt_recent/f2b-<name>
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = echo -<ip> > /proc/net/xt_recent/f2b-<name>
actionunban = echo -<ip> > /proc/net/xt_recent/<iptname>
[Init]
iptname = f2b-<name>
[Init?family=inet6]
iptname = f2b-<name>6

@ -23,7 +23,7 @@ actionstart = <iptables> -N f2b-<name>
# Values: CMD
#
actionstop = <iptables> -D <chain> -p <protocol> --dport <port> -j f2b-<name>
<iptables> -F f2b-<name>
<actionflush>
<iptables> -X f2b-<name>
# Option: actioncheck

@ -6,6 +6,9 @@
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
@ -14,7 +17,7 @@ actionstart = printf %%b "Hi,\n
The jail <name> has been started successfully.\n
Output will be buffered until <lines> lines are available.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
@ -25,13 +28,13 @@ actionstop = if [ -f <tmpfile> ]; then
These hosts have been banned by Fail2Ban.\n
`cat <tmpfile>`
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from `uname -n`" <dest>
Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
rm <tmpfile>
fi
printf %%b "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command

@ -7,9 +7,13 @@
[INCLUDES]
before = mail-whois-common.conf
helpers-common.conf
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
@ -17,7 +21,7 @@ before = mail-whois-common.conf
actionstart = printf %%b "Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
Fail2Ban" | <mailcmd> "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
@ -26,7 +30,7 @@ actionstart = printf %%b "Hi,\n
actionstop = printf %%b "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
Fail2Ban" | <mailcmd> "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
@ -40,15 +44,19 @@ actioncheck =
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "Hi,\n
_ban_mail_content = ( printf %%b "Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
Here is more information about <ip> :\n
`%(_whois_command)s`\n\n
Lines containing IP:<ip> in <logpath>\n
`grep -E <grepopts> '(^|[^0-9])<ip>([^0-9]|$)' <logpath>`\n\n
Here is more information about <ip> :\n"
%(_whois_command)s;
printf %%b "\nLines containing failures of <ip> (max <grepmax>)\n";
%(_grep_logs)s;
printf %%b "\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
Fail2Ban" )
actionban = %(_ban_mail_content)s | <mailcmd> "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -60,6 +68,12 @@ actionunban =
[Init]
# Option: mailcmd
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
# Values: CMD
#
mailcmd = mail -s
# Default name of the chain
#
name = default
@ -74,4 +88,5 @@ logpath = /dev/null
# Number of log lines to include in the email
#
grepopts = -m 1000
#grepmax = 1000
#grepopts = -m <grepmax>

@ -10,6 +10,9 @@ before = mail-whois-common.conf
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
@ -17,7 +20,7 @@ before = mail-whois-common.conf
actionstart = printf %%b "Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
@ -26,7 +29,7 @@ actionstart = printf %%b "Hi,\n
actionstop = printf %%b "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
@ -46,7 +49,7 @@ actionban = printf %%b "Hi,\n
Here is more information about <ip> :\n
`%(_whois_command)s`\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the

@ -6,6 +6,9 @@
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
@ -13,7 +16,7 @@
actionstart = printf %%b "Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
Fail2Ban"|mail -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
@ -22,7 +25,7 @@ actionstart = printf %%b "Hi,\n
actionstop = printf %%b "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
@ -40,7 +43,7 @@ actionban = printf %%b "Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the

@ -17,6 +17,6 @@ before = nftables-common.conf
# Notes.: additional expressions for nftables filter rule
# Values: nftables expressions
#
nftables_mode = ip protocol <protocol>
nftables_mode = meta l4proto <protocol>
[Init]

@ -28,11 +28,11 @@ nftables_mode = <protocol> dport \{ <port> \}
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = <nftables> add set <nftables_family> <nftables_table> f2b-<name> \{ type <nftables_type>\; \}
<nftables> insert rule <nftables_family> <nftables_table> <chain> %(nftables_mode)s ip saddr @f2b-<name> <blocktype>
actionstart = <nftables> add set <nftables_family> <nftables_table> <set_name> \{ type <nftables_type>\; \}
<nftables> insert rule <nftables_family> <nftables_table> <chain> %(nftables_mode)s <address_family> saddr @<set_name> <blocktype>
_nft_list = <nftables> --handle --numeric list chain <nftables_family> <nftables_table> <chain>
_nft_get_handle_id = grep -m1 'ip saddr @f2b-<name> <blocktype> # handle' | grep -oe ' handle [0-9]*'
_nft_get_handle_id = grep -m1 '<address_family> saddr @<set_name> <blocktype> # handle' | grep -oe ' handle [0-9]*'
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
@ -40,13 +40,13 @@ _nft_get_handle_id = grep -m1 'ip saddr @f2b-<name> <blocktype> # handle' | grep
#
actionstop = HANDLE_ID=$(%(_nft_list)s | %(_nft_get_handle_id)s)
<nftables> delete rule <nftables_family> <nftables_table> <chain> $HANDLE_ID
<nftables> delete set <nftables_family> <nftables_table> f2b-<name>
<nftables> delete set <nftables_family> <nftables_table> <set_name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = <nftables> list chain <nftables_family> <nftables_table> <chain> | grep -q '@f2b-<name>[ \t]'
actioncheck = <nftables> list chain <nftables_family> <nftables_table> <chain> | grep -q '@<set_name>[ \t]'
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@ -54,7 +54,7 @@ actioncheck = <nftables> list chain <nftables_family> <nftables_table> <chain> |
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = <nftables> add element <nftables_family> <nftables_table> f2b-<name> \{ <ip> \}
actionban = <nftables> add element <nftables_family> <nftables_table> <set_name> \{ <ip> \}
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -62,7 +62,7 @@ actionban = <nftables> add element <nftables_family> <nftables_table> f2b-<name>
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = <nftables> delete element <nftables_family> <nftables_table> f2b-<name> \{ <ip> \}
actionunban = <nftables> delete element <nftables_family> <nftables_table> <set_name> \{ <ip> \}
[Init]
@ -117,3 +117,19 @@ blocktype = reject
# Notes.: Actual command to be executed, including common to all calls options
# Values: STRING
nftables = nft
# Option: set_name
# Notes.: The name of the nft set used to store banned addresses
# Values: STRING
set_name = f2b-<name>
# Option: address_family
# Notes.: The family of the banned addresses
# Values: [ ip | ip6 ]
address_family = ip
[Init?family=inet6]
nftables_type = ipv6_addr
set_name = f2b-<name>6
address_family = ip6

@ -0,0 +1,108 @@
# Fail2Ban configuration file for black-listing via nginx
#
# Author: Serg G. Brester (aka sebres)
#
# To use 'nginx-block-map' action you should define some special blocks in your nginx configuration,
# and use it hereafter in your locations (to notify fail2ban by failure, resp. nginx by ban).
#
# Example (argument "token_id" resp. cookie "session_id" used here as unique identifier for user):
#
# http {
# ...
# # maps to check user is blacklisted (banned in f2b):
# #map $arg_token_id $blck_lst_tok { include blacklisted-tokens.map; }
# map $cookie_session_id $blck_lst_ses { include blacklisted-sessions.map; }
# ...
# # special log-format to notify fail2ban about failures:
# log_format f2b_session_errors '$msec failure "$cookie_session_id" - $remote_addr - $remote_user '
# ;# '"$request" $status $bytes_sent '
# # '"$http_referer" "$http_user_agent"';
#
# # location checking blacklisted values:
# location ... {
# # check banned sessionid:
# if ($blck_lst_ses != "") {
# try_files "" @f2b-banned;
# }
# ...
# # notify fail2ban about a failure inside nginx:
# error_page 401 = @notify-f2b;
# ...
# }
# ...
# # location for return with "403 Forbidden" if banned:
# location @f2b-banned {
# default_type text/html;
# return 403 "<br/><center>
# <b style=\"color:red; font-size:18pt; border:2pt solid black; padding:5pt;\">
# You are banned!</b></center>";
# }
# ...
# # location to notify fail2ban about a failure inside nginx:
# location @notify-f2b {
# access_log /var/log/nginx/f2b-auth-errors.log f2b_session_errors;
# }
# }
# ...
#
# Note that quote-character (and possibly other special characters) are not allowed currently as session-id.
# Thus please add any session-id validation rule in your locations (or in the corresponding backend-service),
# like in example below:
#
# location ... {
# if ($cookie_session_id !~ "^[\w\-]+$") {
# return 403 "Wrong session-id"
# }
# ...
# }
#
# The parameters for jail corresponding log-format (f2b_session_errors):
#
# [nginx-blck-lst]
# filter =
# datepattern = ^Epoch
# failregex = ^ failure "<F-ID>[^"]+</F-ID>" - <ADDR>
# usedns = no
#
# The same log-file can be used for IP-related jail (additionally to session-related, to ban very bad IPs):
#
# [nginx-blck-ip]
# maxretry = 100
# filter =
# datepattern = ^Epoch
# failregex = ^ failure "[^"]+" - <ADDR>
# usedns = no
#
[Definition]
# path to configuration of nginx (used to target nginx-instance in multi-instance system,
# and as path for the blacklisted map):
srv_cfg_path = /etc/nginx/
# cmd-line arguments to supply to test/reload nginx:
#srv_cmd = nginx -c %(srv_cfg_path)s/nginx.conf
srv_cmd = nginx
# first test configuration is correct, hereafter send reload signal:
blck_lst_reload = %(srv_cmd)s -qt; if [ $? -eq 0 ]; then
%(srv_cmd)s -s reload; if [ $? -ne 0 ]; then echo 'reload failed.'; fi;
fi;
# map-file for nginx, can be redefined using `action = nginx-block-map[blck_lst_file="/path/file.map"]`:
blck_lst_file = %(srv_cfg_path)s/blacklisted-sessions.map
# Action definition:
actionstart_on_demand = false
actionstart = touch '%(blck_lst_file)s'
actionflush = truncate -s 0 '%(blck_lst_file)s'; %(blck_lst_reload)s
actionstop = %(actionflush)s
actioncheck =
actionban = echo "\\\\<fid> 1;" >> '%(blck_lst_file)s'; %(blck_lst_reload)s
actionunban = id=$(echo "<fid>" | sed -e 's/[]\/$*.^|[]/\\&/g'); sed -i "/$id 1;/d" %(blck_lst_file)s; %(blck_lst_reload)s

@ -3,6 +3,7 @@
# OpenBSD pf ban/unban
#
# Author: Nick Hilliard <nick@foobar.org>
# Modified by: Alexander Koeppe making PF work seamless and with IPv4 and IPv6
#
#
@ -12,23 +13,49 @@
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
# we don't enable PF automatically, as it will be enabled elsewhere
actionstart =
# we don't enable PF automatically; to enable run pfctl -e
# or add `pf_enable="YES"` to /etc/rc.conf (tested on FreeBSD)
# also, these rulesets are loaded into (nested) anchors
# to enable them, add as wildcard:
# anchor "f2b/*"
# or using jail names:
# anchor f2b {
# anchor name1
# anchor name2
# ...
# }
# to your main pf ruleset, where "namei" are the names of the jails
# which invoke this action
actionstart = echo "table <<tablename>-<name>> persist counters" | <pfctl> -f-
port="<port>"; if [ "$port" != "" ] && case "$port" in \{*) false;; esac; then port="{$port}"; fi
echo "<block> proto <protocol> from <<tablename>-<name>> to <actiontype>" | <pfctl> -f-
# Option: start_on_demand - to start action on demand
# Example: `action=pf[actionstart_on_demand=true]`
actionstart_on_demand = false
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
# we don't disable PF automatically either
actionstop =
# we only disable PF rules we've installed prior
actionstop = <pfctl> -sr 2>/dev/null | grep -v <tablename>-<name> | <pfctl> -f-
%(actionflush)s
<pfctl> -t <tablename>-<name> -T kill
# Option: actionflush
# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
# Values: CMD
#
actionflush = <pfctl> -t <tablename>-<name> -T flush
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
actioncheck = <pfctl> -sr | grep -q <tablename>-<name>
# Option: actionban
@ -39,7 +66,7 @@ actioncheck =
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = /sbin/pfctl -t <tablename> -T add <ip>/32
actionban = <pfctl> -t <tablename>-<name> -T add <ip>
# Option: actionunban
@ -51,12 +78,47 @@ actionban = /sbin/pfctl -t <tablename> -T add <ip>/32
# Values: CMD
#
# note -r option used to remove matching rule
actionunban = /sbin/pfctl -t <tablename> -T delete <ip>/32
actionunban = <pfctl> -t <tablename>-<name> -T delete <ip>
# Option: pfctl
#
# Use anchor as jailname to manipulate affected rulesets only.
# If more parameter expected it can be extended with `pf[pfctl="<known/pfctl> ..."]`
#
pfctl = pfctl -a f2b/<name>
[Init]
# Option: tablename
# Notes.: The pf table name.
# Values: [ STRING ]
#
tablename = fail2ban
tablename = f2b
# Option: block
#
# The action you want pf to take.
# Probably, you want "block quick", but adjust as needed.
block = block quick
# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | ipv6-icmp ] Default: tcp
#
protocol = tcp
# Option: actiontype
# Notes.: defines additions to the blocking rule
# Values: leave empty to block all attempts from the host
# Default: Value of the multiport
actiontype = <multiport>
# Option: allports
# Notes.: default addition to block all ports
# Usage.: use in jail config: "banaction = pf[actiontype=<allports>]"
allports = any
# Option: multiport
# Notes.: addition to block access only to specific ports
# Usage.: use in jail config: "banaction = pf[actiontype=<multiport>]"
multiport = any port $port

@ -10,11 +10,14 @@ before = sendmail-common.conf
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on <fq-hostname>
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
@ -28,7 +31,7 @@ actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
# Values: CMD
#
actionstop = if [ -f <tmpfile> ]; then
printf %%b "Subject: [Fail2Ban] <name>: summary from `uname -n`
printf %%b "Subject: [Fail2Ban] <name>: summary from <fq-hostname>
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
@ -38,7 +41,7 @@ actionstop = if [ -f <tmpfile> ]; then
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
rm <tmpfile>
fi
printf %%b "Subject: [Fail2Ban] <name>: stopped on `uname -n`
printf %%b "Subject: [Fail2Ban] <name>: stopped on <fq-hostname>
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
@ -61,7 +64,7 @@ actioncheck =
actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
LINE=$( wc -l <tmpfile> | awk '{ print $1 }' )
if [ $LINE -ge <lines> ]; then
printf %%b "Subject: [Fail2Ban] <name>: summary from `uname -n`
printf %%b "Subject: [Fail2Ban] <name>: summary from <fq-hostname>
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n

@ -14,7 +14,7 @@ after = sendmail-common.local
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on <fq-hostname>
Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n
@ -27,7 +27,7 @@ actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on `uname -n`
actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on <fq-hostname>
Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n

@ -7,9 +7,13 @@
[INCLUDES]
before = sendmail-common.conf
helpers-common.conf
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionban
# Notes.: Command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
@ -19,7 +23,7 @@ before = sendmail-common.conf
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
actionban = ( printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n
@ -32,11 +36,12 @@ actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
http://whois.domaintools.com/<ip>\n\n
Country:`geoiplookup -f /usr/share/GeoIP/GeoIP.dat "<ip>" | cut -d':' -f2-`
AS:`geoiplookup -f /usr/share/GeoIP/GeoIPASNum.dat "<ip>" | cut -d':' -f2-`
hostname: `host -t A <ip> 2>&1`\n\n
Lines containing IP:<ip> in <logpath>\n
`grep -E <grepopts> '(^|[^0-9])<ip>([^0-9]|$)' <logpath>`\n\n
hostname: <ip-host>\n\n
Lines containing failures of <ip>\n";
%(_grep_logs)s;
printf %%b "\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
Fail2Ban" ) | /usr/sbin/sendmail -f <sender> <dest>
[Init]
@ -50,4 +55,5 @@ logpath = /dev/null
# Number of log lines to include in the email
#
grepopts = -m 1000
#grepmax = 1000
#grepopts = -m <grepmax>

@ -10,13 +10,16 @@ before = sendmail-common.conf
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n

@ -10,13 +10,16 @@ before = sendmail-common.conf
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n

@ -7,16 +7,20 @@
[INCLUDES]
before = sendmail-common.conf
helpers-common.conf
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
actionban = ( printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n
@ -25,10 +29,11 @@ actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
<failures> attempts against <name>.\n\n
Here is more information about <ip> :\n
`/usr/bin/whois <ip> || echo missing whois program`\n\n
Lines containing IP:<ip> in <logpath>\n
`grep -E <grepopts> '(^|[^0-9])<ip>([^0-9]|$)' <logpath>`\n\n
Lines containing failures of <ip>\n";
%(_grep_logs)s;
printf %%b "\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
Fail2Ban" ) | /usr/sbin/sendmail -f <sender> <dest>
[Init]
@ -42,4 +47,5 @@ logpath = /dev/null
# Number of log lines to include in the email
#
grepopts = -m 1000
#grepmax = 1000
#grepopts = -m <grepmax>

@ -10,13 +10,16 @@ before = sendmail-common.conf
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n

@ -10,13 +10,16 @@ before = sendmail-common.conf
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n

@ -10,13 +10,16 @@ before = sendmail-common.conf
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n

@ -40,7 +40,7 @@ actioncheck =
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = shorewall <blocktype> <ip>
actionban = shorewall<family> <blocktype> <ip>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -48,12 +48,26 @@ actionban = shorewall <blocktype> <ip>
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = shorewall allow <ip>
actionunban = shorewall<family> allow <ip>
[Init]
# Option: family
# Note: Control which version of command is executed
# Values: Empty or 6 in case of IPv6
family =
# Option: blocktype
# Note: This is what the action does with rules.
# See man page of shorewall for options that include drop, logdrop, reject, or logreject
# Values: STRING
blocktype = reject
[Init?family=inet6]
# Option: family
# Note: Control which version of command is executed
# Values: Empty or 6 in case of IPv6
family = 6

@ -123,9 +123,12 @@ class SMTPAction(ActionBase):
self.message_values = CallingMap(
jailname = self._jail.name,
hostname = socket.gethostname,
bantime = self._jail.actions.getBanTime,
bantime = lambda: self._jail.actions.getBanTime(),
)
# bypass ban/unban for restored tickets
self.norestored = 1
def _sendMessage(self, subject, text):
"""Sends message based on arguments and instance's properties.
@ -211,6 +214,8 @@ class SMTPAction(ActionBase):
Dictionary which includes information in relation to
the ban.
"""
if aInfo.get('restored'):
return
aInfo.update(self.message_values)
message = "".join([
messages['ban']['head'],

@ -22,7 +22,7 @@
# Login-Attack, Malware-Attack, Fraud (Phishing, etc.), Info DNSBL
#
# For details see:
# https://github.com/abusix/xarf-specification
# https://github.com/xarf/xarf-specification
# http://www.x-arf.org/schemata.html
#
# Author: Daniel Black
@ -32,6 +32,9 @@
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
actionstart =
actionstop =
@ -43,14 +46,14 @@ actionban = oifs=${IFS}; IFS=.;SEP_IP=( <ip> ); set -- ${SEP_IP}; ADDRESSES=$(di
FROM=<sender>
SERVICE=<service>
FAILURES=<failures>
REPORTID=<time>@`uname -n`
REPORTID=<time>@<fq-hostname>
TLP=<tlp>
PORT=<port>
DATE=`LC_ALL=C date --date=@<time> +"%%a, %%d %%h %%Y %%T %%z"`
if [ ! -z "$ADDRESSES" ]; then
(printf -- %%b "<header>\n<message>\n<report>\n";
(printf -- %%b "<header>\n<message>\n<report>\n\n";
date '+Note: Local timezone is %%z (%%Z)';
printf -- %%b "<ipmatches>\n\n<footer>") | <mailcmd> <mailargs> ${ADDRESSES//,/\" \"}
printf -- %%b "\n<ipmatches>\n\n<footer>") | <mailcmd> <mailargs> ${ADDRESSES//,/\" \"}
fi
actionunban =
@ -116,7 +119,7 @@ logpath = /dev/null
# Option: sender
# Notes.: This is the sender that is included in the XARF report
sender = fail2ban@`uname -n`
sender = fail2ban@<fq-hostname>
# Option: port
# Notes.: This is the port number that received the login-attack

@ -30,7 +30,7 @@ loglevel = INFO
# using logrotate -- also adjust or disable rotation in the
# corresponding configuration file
# (e.g. /etc/logrotate.d/fail2ban on Debian systems)
# Values: [ STDOUT | STDERR | SYSLOG | FILE ] Default: STDERR
# Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | FILE ] Default: STDERR
#
logtarget = /var/log/fail2ban.log
@ -66,4 +66,4 @@ dbfile = /var/lib/fail2ban/fail2ban.sqlite3
# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
# Values: [ SECONDS ] Default: 86400 (24hours)
dbpurgeage = 86400
dbpurgeage = 1d

@ -9,6 +9,8 @@ failregex = ^\s[+-]\d{4} \S+ \d{3}0[1-9] \S+ <HOST>:\d+ [\d.]+:\d+ \d+ \d+ \d+\s
ignoreregex =
datepattern = {^LN-BEG}
# DEV Notes:
# http://www.3proxy.ru/howtoe.asp#ERRORS indicates that 01-09 are
# all authentication problems (%E field)

@ -9,20 +9,21 @@ before = apache-common.conf
[Definition]
prefregex = ^%(_apache_error_client)s (?:AH\d+: )?<F-CONTENT>.+</F-CONTENT>$
failregex = ^%(_apache_error_client)s (AH(01797|01630): )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$
^%(_apache_error_client)s (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$
^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*(, referer: \S+)?\s*$
^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*?: password mismatch: \S*(, referer: \S+)?\s*$
^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*?' in realm `.+' (not found|denied by provider): \S*(, referer: \S+)?\s*$
^%(_apache_error_client)s (AH01631: )?user .*?: authorization failure for "\S*":(, referer: \S+)?\s*$
^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+(, referer: \S+)?\s*$
^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*?' but expected `.+'(, referer: \S+)?\s*$
^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*?' received: \S*(, referer: \S+)?\s*$
^%(_apache_error_client)s (AH01793: )?invalid qop `.*?' received: \S*(, referer: \S+)?\s*$
^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .*? received - user attempted time travel(, referer: \S+)?\s*$
# auth_type = ((?:Digest|Basic): )?
auth_type = ([A-Z]\w+: )?
failregex = ^client (?:denied by server configuration|used wrong authentication scheme)\b
^user <F-USER>(?:\S*|.*?)</F-USER> (?:auth(?:oriz|entic)ation failure|not found|denied by provider)\b
^Authorization of user <F-USER>(?:\S*|.*?)</F-USER> to access .*? failed\b
^%(auth_type)suser <F-USER>(?:\S*|.*?)</F-USER>: password mismatch\b
^%(auth_type)suser `<F-USER>(?:[^']*|.*?)</F-USER>' in realm `.+' (not found|denied by provider)\b
^%(auth_type)sinvalid nonce .* received - length is not\b
^%(auth_type)srealm mismatch - got `(?:[^']*|.*?)' but expected\b
^%(auth_type)sunknown algorithm `(?:[^']*|.*?)' received\b
^invalid qop `(?:[^']*|.*?)' received\b
^%(auth_type)sinvalid nonce .*? received - user attempted time travel\b
ignoreregex =
@ -43,14 +44,17 @@ ignoreregex =
# all of these expressions. Lots of submodules like mod_authz_* return back to mod_authz_core
# to return the actual failure.
#
# Note that URI can contain spaces.
#
# See also: http://wiki.apache.org/httpd/ListOfErrors
# Expressions that don't have tests and aren't common.
# more be added with https://issues.apache.org/bugzilla/show_bug.cgi?id=55284
# ^%(_apache_error_client)s (AH01778: )?user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
# ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$
# ^%(_apache_error_client)s (AH02486: )?realm mismatch - got `.*' but no realm specified\s*$
# ^user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
# ^user .*: one-time-nonce mismatch - sending new nonce\s*$
# ^realm mismatch - got `(?:[^']*|.*?)' but no realm specified\s*$
#
# referer is always in error log messages if it exists added as per the log_error_core function in server/log.c
# Because url/referer are foreign input, short form of regex used if long enough to idetify failure.
#
# Author: Cyril Jaquier
# Major edits by Daniel Black
# Major edits by Daniel Black and Ben Rubson.
# Rewritten for v.0.10 by Sergey Brester (sebres).

@ -7,13 +7,16 @@
[Definition]
badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider
badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider|(?:Mozilla/\d+\.\d+ )?Jorgee
badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 \+http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots&#44; \+http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00
failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
ignoreregex =
datepattern = ^[^\[]*\[({DATE})
{^LN-BEG}
# DEV Notes:
# List of bad bots fetched from http://www.user-agents.org
# Generated on Thu Nov 7 14:23:35 PST 2013 by files/gen_badbots.

@ -3,7 +3,7 @@
# This filter is aimed at blocking specific URLs that don't exist. This
# could be a set of URLs places in a Disallow: directive in robots.txt or
# just some web services that don't exist caused bots are searching for
# exploitable content. This filter is designed to have a low false postitive
# exploitable content. This filter is designed to have a low false positive
# rate due.
#
# An alternative to this is the apache-noscript filter which blocks all
@ -23,13 +23,12 @@ before = apache-common.conf
[Definition]
failregex = ^%(_apache_error_client)s ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): <webroot><block>(, referer: \S+)?\s*$
^%(_apache_error_client)s script '<webroot><block>' not found or unable to stat(, referer: \S+)?\s*$
ignoreregex =
prefregex = ^%(_apache_error_client)s (?:AH\d+: )?<F-CONTENT>.+</F-CONTENT>$
failregex = ^(?:File does not exist|script not found or unable to stat): <webroot><block>(, referer: \S+)?\s*$
^script '<webroot><block>' not found or unable to stat(, referer: \S+)?\s*$
[Init]
ignoreregex =
# Webroot represents the webroot on which all other files are based
webroot = /var/www/

@ -3,12 +3,33 @@
[INCLUDES]
before = common.conf
# Load customizations if any available
after = apache-common.local
[DEFAULT]
_apache_error_client = \[\] \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\]
# Apache logging mode:
# all - universal prefix (logfile, syslog)
# logfile - logfile only
# syslog - syslog only
# Use `filter = apache-auth[logging=syslog]` to get more precise regex if apache logs into syslog (ErrorLog syslog).
# Use `filter = apache-auth[logging=all]` to get universal regex matches both logging variants.
logging = logfile
# Apache logging prefixes (date-pattern prefix, server, process etc.):
apache-prefix-syslog = %(__prefix_line)s
apache-prefix-logfile = \[\]\s
apache-prefix-all = (?:%(apache-prefix-logfile)s|%(apache-prefix-syslog)s)?
# Setting for __prefix_line (only `logging=syslog`):
_daemon = (?:apache\d*|httpd(?:/\w+)?)
apache-prefix = <apache-prefix-<logging>>
_apache_error_client = <apache-prefix>\[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\]
datepattern = {^LN-BEG}
# Common prefix for [error] apache messages which also would include <HOST>
# Depending on the version it could be

@ -6,6 +6,8 @@ failregex = ^<HOST> .*Googlebot.*$
ignoreregex =
datepattern = ^[^\[]*\[({DATE})
{^LN-BEG}
# DEV Notes:
#

@ -8,12 +8,16 @@ before = apache-common.conf
[Definition]
failregex = ^%(_apache_error_client)s ((AH0013[456]: )?Invalid (method|URI) in request .*( - possible attempt to establish SSL connection on non-SSL port)?|(AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string: .*|AH00566: request failed: invalid characters in URI)(, referer: \S+)?$
failregex = ^%(_apache_error_client)s (?:(?:AH0013[456]: )?Invalid (method|URI) in request\b|(?:AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string:|(?:AH00566: )?request failed: invalid characters in URI\b)
ignoreregex =
# DEV Notes:
#
# [sebres] Because this apache-log could contain very long URLs (and/or referrer),
# the parsing of it anchored way may be very vulnerable (at least as regards
# the system resources, see gh-1790). Thus rewritten without end-anchor ($).
#
# fgrep -r 'URI too long' httpd-2.*
# httpd-2.2.25/server/protocol.c: "request failed: URI too long (longer than %d)", r->server->limit_req_line);
# httpd-2.4.4/server/protocol.c: "request failed: URI too long (longer than %d)",

@ -3,16 +3,15 @@
#
# The knocking request must have a referer.
[INCLUDES]
before = apache-common.conf
[Definition]
failregex = ^<HOST> - \w+ \[\] "GET <knocking_url> HTTP/1\.[01]" 200 \d+ ".*" "[^-].*"$
ignoreregex =
datepattern = ^[^\[]*\[({DATE})
{^LN-BEG}
[Init]
knocking_url = /knocking/

@ -9,8 +9,10 @@ before = apache-common.conf
[Definition]
failregex = ^%(_apache_error_client)s (AH01215: )?/bin/(ba)?sh: warning: HTTP_.*?: ignoring function definition attempt(, referer: \S+)?\s*$
^%(_apache_error_client)s (AH01215: )?/bin/(ba)?sh: error importing function definition for `HTTP_.*?'(, referer: \S+)?\s*$
prefregex = ^%(_apache_error_client)s (AH01215: )?/bin/([bd]a)?sh: <F-CONTENT>.+</F-CONTENT>$
failregex = ^warning: HTTP_[^:]+: ignoring function definition attempt(, referer: \S+)?\s*$
^error importing function definition for `HTTP_[^']+'(, referer: \S+)?\s*$
ignoreregex =
@ -23,4 +25,4 @@ ignoreregex =
# [Thu Sep 25 09:27:18.813902 2014] [cgi:error] [pid 16860] [client 89.207.132.76:59635] AH01215: /bin/bash: warning: HTTP_TEST: ignoring function definition attempt
# [Thu Sep 25 09:29:56.141832 2014] [cgi:error] [pid 16864] [client 162.247.73.206:41273] AH01215: /bin/bash: error importing function definition for `HTTP_TEST'
#
# Author: Eugene Hopkinson (riot@riot.so)
# Author: Eugene Hopkinson (e.hopkinson@gmail.com)

@ -20,6 +20,9 @@ failregex = ^(:? \[SSL-out\])? <HOST> max sender authentication errors \(\d{,3}\
ignoreregex =
datepattern = {^LN-BEG}%%b-%%d-%%Exy %%H:%%M:%%S
{^LN-BEG}
# DEV Notes:
# V1 Examples matches:
# Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);

@ -11,26 +11,30 @@ before = common.conf
_daemon = asterisk
__pid_re = (?:\[\d+\])
__pid_re = (?:\s*\[\d+\])
iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}
# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?
failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
^%(__prefix_line)s%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
^%(__prefix_line)s%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
^%(__prefix_line)s%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
^%(__prefix_line)s%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
^%(__prefix_line)s%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
^%(__prefix_line)s%(log_prefix)s hacking attempt detected '<HOST>'$
^%(__prefix_line)s%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from <HOST>"$
^%(__prefix_line)s%(log_prefix)s Request (?:'[^']*' )?from '[^']*' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$
prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$
failregex = ^Registration from '[^']*' failed for '<HOST>(:\d+)?' - (?:Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
^Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
^(?:Host )?<HOST> (?:failed (?:to authenticate\b|MD5 authentication\b)|tried to authenticate with nonexistent user\b)
^No registration for peer '[^']*' \(from <HOST>\)$
^hacking attempt detected '<HOST>'$
^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$
^"Rejecting unknown SIP connection from <HOST>"$
^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$
# FreePBX (todo: make optional in v.0.10):
# ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from <HOST>$
ignoreregex =
datepattern = {^LN-BEG}
# Author: Xavier Devlamynck / Daniel Black
#

@ -5,7 +5,7 @@
# Block is the actual non-found directories to block
block = \/?(<webmail>|<phpmyadmin>|<wordpress>|cgi-bin|mysqladmin)[^,]*
# These are just convient definitions that assist the blocking of stuff that
# These are just convenient definitions that assist the blocking of stuff that
# isn't installed
webmail = roundcube|(ext)?mail|horde|(v-?)?webmail

@ -61,4 +61,7 @@ __prefix_line = %(__date_ambit)s?\s*(?:%(__bsd_syslog_verbose)s\s+)?(?:%(__hostn
# pam_ldap
__pam_auth = pam_unix
# standardly all formats using prefix have line-begin anchored date:
datepattern = {^LN-BEG}
# Author: Yaroslav Halchenko

@ -8,8 +8,6 @@ failregex = ^: Bad Rcon: "rcon \d+ "\S+" sv_contact ".*?"" from "<HOST>:\d+"$
ignoreregex =
[Init]
datepattern = ^L %%d/%%m/%%Y - %%H:%%M:%%S

@ -11,9 +11,11 @@ before = common.conf
_daemon = (?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)?
failregex = ^%(__prefix_line)sLOGIN FAILED, user=.*, ip=\[<HOST>\]$
failregex = ^%(__prefix_line)sLOGIN FAILED, (?:user|method)=.*, ip=\[<HOST>\]$
ignoreregex =
datepattern = {^LN-BEG}
# Author: Christoph Haas
# Modified by: Cyril Jaquier

@ -12,8 +12,10 @@ before = common.conf
_daemon = courieresmtpd
failregex = ^%(__prefix_line)serror,relay=<HOST>,.*: 550 User (<.*> )?unknown\.?$
^%(__prefix_line)serror,relay=<HOST>,msg="535 Authentication failed\.",cmd:( AUTH \S+)?( [0-9a-zA-Z\+/=]+)?(?: \S+)$
prefregex = ^%(__prefix_line)serror,relay=<HOST>,<F-CONTENT>.+</F-CONTENT>$
failregex = ^[^:]*: 550 User (<.*> )?unknown\.?$
^msg="535 Authentication failed\.",cmd:( AUTH \S+)?( [0-9a-zA-Z\+/=]+)?(?: \S+)$
ignoreregex =

@ -13,7 +13,6 @@ failregex = ^: \'<HOST>\' \d{1,3} failed login attempt(s)?. \s*
ignoreregex =
[Init]
datepattern = ^%%Y:%%m:%%d-%%H:%%M:%%S
#

@ -7,25 +7,39 @@ before = common.conf
[Definition]
_daemon = (auth|dovecot(-auth)?|auth-worker)
_auth_worker = (?:dovecot: )?auth(?:-worker)?
_daemon = (?:dovecot(?:-auth)?|auth)
failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap)-login: )?(?:Info: )?<F-CONTENT>.+</F-CONTENT>$
ignoreregex =
failregex = ^authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$
^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$
^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials)\s*$
<mdre-<mode>>
mdre-aggressive = ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
mdre-normal =
[Init]
# Parameter `mode` - `normal` or `aggressive`.
# Aggressive mode can be used to match log-entries like:
# 'no auth attempts', 'disconnected before auth was ready', 'client didn't finish SASL auth'.
# Note it may produce lots of false positives on misconfigured MTAs.
# Ex.:
# filter = dovecot[mode=aggressive]
mode = normal
ignoreregex =
journalmatch = _SYSTEMD_UNIT=dovecot.service
datepattern = {^LN-BEG}TAI64N
{^LN-BEG}
# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
# * Removed the 'no auth attempts' log lines from the matches because produces
# lots of false positives on misconfigured MTAs making regexp unusable
#
# Author: Martin Waschbuesch
# Daniel Black (rewrote with begin and end anchors)

@ -23,9 +23,11 @@ before = common.conf
_daemon = dropbear
failregex = ^%(__prefix_line)s[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
^%(__prefix_line)s[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
^%(__prefix_line)s[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
prefregex = ^%(__prefix_line)s<F-CONTENT>(?:[Ll]ogin|[Bb]ad|[Ee]xit).+</F-CONTENT>$
failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
^[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
ignoreregex =

@ -16,8 +16,8 @@
# searched for other failures. This tag can be used multiple times.
# Values: TEXT
#
failregex = ^=INFO REPORT==== ===\nI\(<0\.\d+\.0>:ejabberd_c2s:\d+\) : \([^)]+\) Failed authentication for .+ from IP <HOST> \({{(?:\d+,){3}\d+},\d+}\)$
^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:wait_for_feature_request:\d+ \([^\)]+\) Failed authentication for \S+ from IP <HOST>$
failregex = ^=INFO REPORT==== ===\nI\(<0\.\d+\.0>:ejabberd_c2s:\d+\) : \([^)]+\) Failed authentication for \S+ from (?:IP )?<HOST>(?: \({{(?:\d+,){3}\d+},\d+}\))?$
^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:\w+:\d+ \([^\)]+\) Failed (?:c2s \w+ )?authentication for \S+ from (?:IP )?(?:::FFFF:)?<HOST>(?:: |$)
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
@ -25,8 +25,6 @@ failregex = ^=INFO REPORT==== ===\nI\(<0\.\d+\.0>:ejabberd_c2s:\d+\) : \([^)]+\
#
ignoreregex =
[Init]
# "maxlines" is number of log lines to buffer for multi-line regex searches
maxlines = 2
@ -35,3 +33,8 @@ maxlines = 2
# Values: TEXT
#
journalmatch =
#datepattern = ^(?:=[^=]+={3,} )?({DATE})
# explicit time format using prefix =...==== and no date in second string begins with I(...)...
datepattern = ^(?:=[^=]+={3,} )?(%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?)
^I\(()**

@ -13,14 +13,32 @@ before = exim-common.conf
[Definition]
# Fre-filter via "prefregex" is currently inactive because of too different failure syntax in exim-log (testing needed):
#prefregex = ^%(pid)s <F-CONTENT>\b(?:\w+ authenticator failed|([\w\-]+ )?SMTP (?:(?:call|connection) from|protocol(?: synchronization)? error)|no MAIL in|(?:%(host_info_pre)s\[[^\]]+\]%(host_info_suf)s(?:sender verify fail|rejected RCPT|dropped|AUTH command))).+</F-CONTENT>$
failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
^%(pid)s \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$
^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
^%(pid)s SMTP call from \S+ %(host_info)sdropped: too many nonmail commands \(last was "\S+"\)\s*$
^%(pid)s SMTP protocol error in "AUTH \S*(?: \S*)?" %(host_info)sAUTH command used when not advertised\s*$
^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S+s(?: C=\S*)?\s*$
^%(pid)s SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?" %(host_info)sAUTH command used when not advertised\s*$
^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S*s(?: C=\S*)?\s*$
^%(pid)s (?:[\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$
<mdre-<mode>>
mdre-aggressive = ^%(pid)s no host name found for IP address <HOST>$
^%(pid)s no IP address found for host \S+ \(during SMTP connection from \[<HOST>\]\)$
mdre-normal =
# Parameter `mode` - `normal` or `aggressive`.
# Aggressive mode can be used to match flood and ddos-similar log-entries like:
# 'no host found for IP', 'no IP found for host'.
# Note this is not an authentication failures, so it may produce lots of false
# positives on misconfigured MTAs.
# Ex.:
# filter = exim[mode=aggressive]
mode = normal
ignoreregex =

@ -8,13 +8,26 @@
# IP addresses on your LAN.
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$
_daemon = freeswitch
# Prefix contains common prefix line (server, daemon, etc.) and 2 datetimes if used systemd backend
_pref_line = ^%(__prefix_line)s(?:\d+-\d+-\d+ \d+:\d+:\d+\.\d+)?
failregex = %(_pref_line)s \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$
%(_pref_line)s \[WARNING\] sofia_reg\.c:\d+ Can't find user \[[^@]+@[^\]]+\] from <HOST>$
ignoreregex =
datepattern = {^LN-BEG}
# Author: Rupa SChomaker, soapee01, Daniel Black
# https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban
# Thanks to Jim on mailing list of samples and guidance

@ -25,8 +25,11 @@ _daemon = Froxlor
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)s\[Login Action <HOST>\] Unknown user \S* tried to login.$
^%(__prefix_line)s\[Login Action <HOST>\] User \S* tried to login with wrong password.$
prefregex = ^%(__prefix_line)s\[Login Action <HOST>\] <F-CONTENT>.+</F-CONTENT>$
failregex = ^Unknown user \S* tried to login.$
^User \S* tried to login with wrong password.$
# Option: ignoreregex

@ -17,6 +17,9 @@ failregex = ^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" fa
#
ignoreregex =
[Init]
# "maxlines" is number of log lines to buffer for multi-line regex searches
maxlines = 2
datepattern = ^%%b %%d, %%ExY %%I:%%M:%%S %%p
^WARNING:()**
{^LN-BEG}

@ -28,7 +28,7 @@ _daemon = haproxy
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)s<HOST>.*<NOSRV> -1/-1/-1/-1/\+*\d* 401
failregex = ^%(__prefix_line)s<HOST>(?::\d+)?\s+.*<NOSRV> -1/-1/-1/-1/\+*\d* 401
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.

@ -5,31 +5,34 @@
# presence of host and cut commands
#
import sys
from fail2ban.server.ipdns import DNSUtils, IPAddr
def process_args(argv):
if len(argv) != 2:
sys.stderr.write("Please provide a single IP as an argument. Got: %s\n"
raise ValueError("Please provide a single IP as an argument. Got: %s\n"
% (argv[1:]))
sys.exit(2)
ip = argv[1]
from fail2ban.server.filter import DNSUtils
if not DNSUtils.isValidIP(ip):
sys.stderr.write("Argument must be a single valid IP. Got: %s\n"
if not IPAddr(ip).isValid:
raise ValueError("Argument must be a single valid IP. Got: %s\n"
% ip)
sys.exit(3)
return ip
google_ips = None
def is_googlebot(ip):
import re
from fail2ban.server.filter import DNSUtils
host = DNSUtils.ipToName(ip)
if not host or not re.match('.*\.google(bot)?\.com$', host):
sys.exit(1)
return False
host_ips = DNSUtils.dnsToIp(host)
sys.exit(0 if ip in host_ips else 1)
return (ip in host_ips)
if __name__ == '__main__':
is_googlebot(process_args(sys.argv))
if __name__ == '__main__': # pragma: no cover
try:
ret = is_googlebot(process_args(sys.argv))
except ValueError as e:
sys.stderr.write(str(e))
sys.exit(2)
sys.exit(0 if ret else 1)

@ -3,18 +3,22 @@
[Definition]
failregex = ^ SMTP Spam attack detected from <HOST>,
^ IP address <HOST> found in DNS blacklist \S+, mail from \S+ to \S+$
^ IP address <HOST> found in DNS blacklist
^ Relay attempt from IP address <HOST>
^ Attempt to deliver to unknown recipient \S+, from \S+, IP address <HOST>$
^ Failed SMTP login from <HOST>
^ SMTP: User \S+ doesn't exist. Attempt from IP address <HOST>
^ Client with IP address <HOST> has no reverse DNS entry, connection rejected before SMTP greeting$
^ Administration login into Web Administration from <HOST> failed: IP address not allowed$
^ Message from IP address <HOST>, sender \S+ rejected: sender domain does not exist$
ignoreregex =
[Init]
datepattern = ^\[%%d/%%b/%%Y %%H:%%M:%%S\]
# DEV NOTES:
#
# Author: A.P. Lawrence
# Updated by: M. Bischoff <https://github.com/herrbischoff>
#
# Based off: http://aplawrence.com/Kerio/fail2ban.html

@ -3,7 +3,7 @@
[Definition]
failregex = ^: \(http_auth\.c\.\d+\) (password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: <HOST>\s*$
failregex = ^: \((?:http|mod)_auth\.c\.\d+\) (?:password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: <HOST>\s*$
ignoreregex =

@ -13,7 +13,7 @@ before = common.conf
_daemon = monit
# Regexp for previous (accessing monit httpd) and new (access denied) versions
failregex = ^\[[A-Z]+\s+\]\s*error\s*:\s*Warning:\s+Client '<HOST>' supplied (?:unknown user '[^']+'|wrong password for user '[^']*') accessing monit httpd$
failregex = ^\[\s*\]\s*error\s*:\s*Warning:\s+Client '<HOST>' supplied (?:unknown user '[^']+'|wrong password for user '[^']*') accessing monit httpd$
^%(__prefix_line)s\w+: access denied -- client <HOST>: (?:unknown user '[^']+'|wrong password for user '[^']*'|empty password)$
# Ignore login with empty user (first connect, no user specified)

@ -15,13 +15,16 @@ _daemon = murmurd
# variable in your server config file (murmur.ini / mumble-server.ini).
_usernameregex = [^>]+
_prefix = <W>[\n\s]*(\.\d{3})?\s+\d+ => <\d+:%(_usernameregex)s\(-1\)> Rejected connection from <HOST>:\d+:
_prefix = \s+\d+ => <\d+:%(_usernameregex)s\(-1\)> Rejected connection from <HOST>:\d+:
failregex = ^%(_prefix)s Invalid server password$
^%(_prefix)s Wrong certificate or password for existing user$
prefregex = ^%(_prefix)s <F-CONTENT>.+</F-CONTENT>$
failregex = ^Invalid server password$
^Wrong certificate or password for existing user$
ignoreregex =
datepattern = ^<W>{DATE}
# DEV Notes:
#

@ -34,9 +34,11 @@ __daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)
# this can be optional (for instance if we match named native log files)
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
failregex = ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$
^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
prefregex = ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>$
failregex = ^(view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
^zone transfer '\S+/AXFR/\w+' denied\s*$
^bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
ignoreregex =

@ -13,6 +13,9 @@ failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$
ignoreregex =
datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
^[^\[]*\[({DATE})
{^LN-BEG}
# DEV Notes:
# Based on apache-botsearch filter

@ -4,10 +4,12 @@
[Definition]
failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$
failregex = ^ \[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
ignoreregex =
datepattern = {^LN-BEG}
# DEV NOTES:
# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files
# Extensive search of all nginx auth failures not done yet.

@ -36,10 +36,11 @@ ngx_limit_req_zones = [^"]+
# Use following full expression if you should range limit request to specified
# servers, requests, referrers etc. only :
#
# failregex = ^\s*\[error\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$
# failregex = ^\s*\[[a-z]+\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$
# Shortly, much faster and stable version of regexp:
failregex = ^\s*\[error\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: <HOST>
failregex = ^\s*\[[a-z]+\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: <HOST>,
ignoreregex =
datepattern = {^LN-BEG}

@ -26,3 +26,6 @@ failregex = ^%(__prefix_line)sinfo: ratelimit block .* query <HOST> TYPE255$
^%(__prefix_line)sinfo: .* <HOST> refused, no acl matches\.$
ignoreregex =
datepattern = {^LN-BEG}Epoch
{^LN-BEG}

@ -9,7 +9,6 @@
[Definition]
failregex = ^<HOST>\s+-\s+-\s+\[\]\s+"[A-Z]+ .*" 401 \d+\s*$
[Init]
datepattern = %%d/%%b[^/]*/%%Y:%%H:%%M:%%S %%z

@ -52,10 +52,12 @@ before = common.conf
# Note that you MUST have LOG_FORMAT=4 for this to work!
#
failregex = ^.*tr="[A-Z]+\|[0-9.]+\|\d+\|<HOST>\|\d+" ap="[^"]*" mi="Bad password" us="[^"]*" di="535 5.7.8 Bad username or password( \(Authentication failed\))?\."/>$
failregex = tr="[A-Z]+\|[0-9.]+\|\d+\|<HOST>\|\d+" ap="[^"]*" mi="Bad password" us="[^"]*" di="535 5.7.8 Bad username or password( \(Authentication failed\))?\."/>$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
datepattern = ^<co ts="{DATE}"\s+

@ -16,7 +16,12 @@ _ttys_re=\S*
__pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:?
_daemon = \S+
failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
prefregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s <F-CONTENT>.+</F-CONTENT>$
failregex = ^ruser=<F-USER>\S*</F-USER> rhost=<HOST>\s*$
^ruser= rhost=<HOST>\s+user=<F-USER>\S*</F-USER>\s*$
^ruser= rhost=<HOST>\s+user=<F-USER>.*?</F-USER>\s*$
^ruser=<F-USER>.*?</F-USER> rhost=<HOST>\s*$
ignoreregex =

Some files were not shown because too many files have changed in this diff Show More

Loading…
Cancel
Save