* move filters to their own repository

1 year ago · 751fc7fada
14 changed files with 4 additions and 103 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -71,7 +71,6 @@ add_subdirectory(src)
 add_subdirectory(t)
 set_property(DIRECTORY "t" PROPERTY COMPILE_FLAGS "-g;-ggdb;-Wall;-Wextra;-pedantic;-O0")

-install(DIRECTORY "filters"  DESTINATION "${CMAKE_INSTALL_DATAROOTDIR}/${CNAME}")
 file(GLOB_RECURSE CONFIGS "*.conf.in")
 foreach(CONFIG ${CONFIGS})
  string(REPLACE ".conf.in" ".conf" GENERATED ${CONFIG})
--- a/debian/control
+++ b/debian/control
@ -10,7 +10,7 @@ Vcs-Browser: https://github.com/AdUser/f2b

 Package: f2b
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}
+Depends: ${shlibs:Depends}, ${misc:Depends}, f2b-filters
 Description: lightweight automatic anti-bot turret for your public serivces
 Features:
 .
--- a/debian/f2b.dirs
+++ b/debian/f2b.dirs
@ -1 +1,2 @@
+usr/share/f2b/filters
 var/lib/f2b
--- a/filters/README.txt
+++ b/filters/README.txt
@ -0,0 +1,2 @@
+- Where have all filters gone?
+- Now it located in their own repository, for convinient maintenance
--- a/filters/asterisk.preg
+++ b/filters/asterisk.preg
@ -1,4 +0,0 @@
-SECURITY.* SecurityEvent="FailedACL".*RemoteAddress="IPV[46]/[TU][CD]P/<HOST>/[0-9]+"
-SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress="IPV[46]/[TU][CD]P/<HOST>/[0-9+]+"
-SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress="IPV[46]/[TU][CD]P/<HOST>/[0-9]+"
-SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress="IPV[46]/[TU][CD]P/<HOST>/[0-9]+"
--- a/filters/coturn.preg
+++ b/filters/coturn.preg
@ -1,2 +0,0 @@
-# set: defscore=5
-closed \(2nd stage\), user <> .* remote <HOST>:[0-9]+, reason: allocation watchdog determined stale session state
--- a/filters/dovecot.preg
+++ b/filters/dovecot.preg
@ -1,6 +0,0 @@
-pop3-login: Aborted login \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=<HOST>
-imap-login: Aborted login \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=<HOST>
-pop3-login: Disconnected \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=<HOST>
-imap-login: Disconnected \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=<HOST>
-# set: defscore=5
-submission-login: Client has quit the connection \(tried to use disallowed plaintext auth\): .* rip=<HOST>
--- a/filters/exim.pcre
+++ b/filters/exim.pcre
@ -1,10 +0,0 @@
-# set: defscore=10
-SMTP protocol synchronization error \(input sent without waiting for greeting\): rejected connection from .*\[<HOST>\]
-SMTP protocol synchronization error \(next input sent too soon: pipelining was not advertised\): rejected .*\[<HOST>\]
-rejected [HE][EH]HLO from \[<HOST>\]: syntactically invalid argument
-\[<HOST>\] .* host is listed in .+
-\[<HOST>\] .* relay not permitted
-\[<HOST>\] .* rejected after DATA: This message was detected as possible malware
-# set: defscore=5
-\[<HOST>\] .* too many connections from that IP address
-\[<HOST>\] .* temporarily rejected RCPT \<\S+\>: lowest numbered MX record points to local host
--- a/filters/gitea.preg
+++ b/filters/gitea.preg
@ -1,3 +0,0 @@
-Failed authentication attempt for [[:print:]]+ from <HOST>
-Failed authentication attempt from <HOST>
-invalid credentials from <HOST>
--- a/filters/named.preg
+++ b/filters/named.preg
@ -1,7 +0,0 @@
-# set: defscore=10
-<HOST>#[0-9]+ .* query \(cache\) '[0-9.]+.in-addr.arpa/(PTR|SOA)/IN' denied
-# requests to '.' or top-level domains
-<HOST>#[0-9]+ .* query \(cache\) '[a-z.]+/ANY/IN' denied
-<HOST>#[0-9]+ .* query \(cache\) '[a-z.]+/A/IN' denied
-# set: defscore=1
-<HOST>#[0-9]+ .* query \(cache\) '[0-9a-z.-]+/RRSIG/IN' denied
--- a/filters/nginx-bots.pcre
+++ b/filters/nginx-bots.pcre
@ -1,32 +0,0 @@
-# set: defscore=15
-# h4x0rs
-<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/(shell|cmd|x)\.(php|cgi)
-<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/w00tw00t
-<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+Ringing\.at\.your\.dorbell
-<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/.*(wget|curl)(\\x|%)20https?://
-<HOST> .* "(GET|HEAD|POST) .*/bin/(ba|c|z)?sh( |\\x20|%20)-c
-<HOST> .* "(\\x[0-9a-z]{2,6})+" 400
-# set: defscore=10
-# phpmyadmin and variations
-<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+(php|sqlite)-?(manager)?
-<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+(php|pg|sql)-?my-?admin
-<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+pma[0-9]*
-<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+((my|pg)(sql)?|db|msd?)-?(admin|dumper|dump|manager)
-# set: defscore=5
-# open proxy search
-<HOST> .* "(GET|HEAD|POST) https?://[a-z-\.]+proxyradar\.com
-<HOST> .* "CONNECT [a-z-\.]*proxyradar\.com
-<HOST> .* "CONNECT [a-z-\.]*proxytest\.zmap\.io
-<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+testproxy\.php
-# set: defscore=2
-# search bots
-<HOST> .* "(GET|HEAD|POST) .* "python-(requests|urllib)/[0-9\.]+
-<HOST> .* "(GET|HEAD|POST) .* "AhrefsBot/[0-9a-z\.]+
-<HOST> .* "(GET|HEAD|POST) .* "DotBot/[0-9a-z\.]+
-<HOST> .* "(GET|HEAD|POST) .* "MauiBot
-<HOST> .* "(GET|HEAD|POST) .* SiteExplorer/[0-9a-z\.]+
-<HOST> .* "(GET|HEAD|POST) .* MJ12bot
-<HOST> .* "(GET|HEAD|POST) .* WebIndex
-# shit-coded php cms
-<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/.*/wp-login.php
-<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+(joomla|cms)/administrator
--- a/filters/postfix.preg
+++ b/filters/postfix.preg
@ -1,11 +0,0 @@
-# set: defscore=10
-NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 450 4\.7\.1 Client host rejected
-NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 454 4\.7\.1 Service unavailable; Client host \[[[:print:]]+\] blocked
-NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 454 4\.7\.1 <[[:print:]]+>: Relay access denied
-NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 554 5\.7\.1 <[[:print:]]+>: Relay access denied
-NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 550 5\.1\.1 <[[:print:]]+>: Recipient address rejected: undeliverable address
-warning: [[:print:]]+\[<HOST>\]: SASL [A-Z0-9-]+ authentication failed
-# set: defscore=5
-NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 450 4\.7\.1 <[[:print:]]+>: Helo command rejected: Host not found
-NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 504 5\.5\.2 <[[:print:]]+>: Helo command rejected: need fully-qualified hostname
-lost connection after AUTH from [[:print:]]+\[<HOST>\]
--- a/filters/proftpd.preg
+++ b/filters/proftpd.preg
@ -1,9 +0,0 @@
-# set: defscore=30
-\(.*\[<HOST>\]\): SECURITY VIOLATION: Root login attempted
-\(.*\[<HOST>\]\): SECURITY VIOLATION: Passive connection from .* rejected
-# set: defscore=15
-\(.*\[<HOST>\]\): USER .*: no such user found
-\(.*\[<HOST>\]\): USER .* \(Login failed\): Incorrect password
-# set: defscore=1
-\(.*\[<HOST>\]\): FTP session opened
-\(.*\[<HOST>\]\): crypt\(3\) failed
--- a/filters/ssh.preg
+++ b/filters/ssh.preg
@ -1,17 +0,0 @@
-# set: defscore=15
-User [[:print:]]+ from <HOST> not allowed because listed in DenyUsers
-User [[:print:]]+ from <HOST> not allowed because a group is listed in DenyGroups
-# set: defscore=10
-User [[:print:]]+ from <HOST> not allowed because not listed in AllowUsers
-User [[:print:]]+ from <HOST> not allowed because not in any group
-User [[:print:]]+ from <HOST> not allowed because none of user's groups are listed in AllowGroups
-[Aa]uthentication failure for .* from <HOST>( via [[:print:]]*)?
-[Aa]uthentication error for .* from <HOST>( via [[:print:]]*)?
-Failed password for .* from <HOST>
-# set: defscore=5
-User not known to the underlying authentication module for .* from <HOST>
-Invalid user [[:print:]]+ from <HOST>
-# set: defscore=3
-refused connect from [[:print:]]+ \(<HOST>\)
-Did not receive identification string from <HOST>
-Connection closed by <HOST>( port [0-9]+)? \[preauth\]