diff --git a/CMakeLists.txt b/CMakeLists.txt
index f3e56cf..dbd9b38 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -71,7 +71,6 @@ add_subdirectory(src)
 add_subdirectory(t)
 set_property(DIRECTORY "t" PROPERTY COMPILE_FLAGS "-g;-ggdb;-Wall;-Wextra;-pedantic;-O0")
-install(DIRECTORY "filters" DESTINATION "${CMAKE_INSTALL_DATAROOTDIR}/${CNAME}")
 file(GLOB_RECURSE CONFIGS "*.conf.in")
 foreach(CONFIG ${CONFIGS})
 string(REPLACE ".conf.in" ".conf" GENERATED ${CONFIG})
diff --git a/debian/control b/debian/control
index 3728ca2..fdc76b9 100644
--- a/debian/control
+++ b/debian/control
@@ -10,7 +10,7 @@ Vcs-Browser: https://github.com/AdUser/f2b
 Package: f2b
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}
+Depends: ${shlibs:Depends}, ${misc:Depends}, f2b-filters
 Description: lightweight automatic anti-bot turret for your public serivces
 Features:
 .
diff --git a/debian/f2b.dirs b/debian/f2b.dirs
index 9872d88..8143dd6 100644
--- a/debian/f2b.dirs
+++ b/debian/f2b.dirs
@@ -1 +1,2 @@
+usr/share/f2b/filters
 var/lib/f2b
diff --git a/filters/README.txt b/filters/README.txt
new file mode 100644
index 0000000..6752296
--- /dev/null
+++ b/filters/README.txt
@@ -0,0 +1,2 @@
+- Where have all filters gone?
+- Now it located in their own repository, for convinient maintenance
diff --git a/filters/asterisk.preg b/filters/asterisk.preg
deleted file mode 100644
index f2ccd44..0000000
--- a/filters/asterisk.preg
+++ /dev/null
@@ -1,4 +0,0 @@
-SECURITY.* SecurityEvent="FailedACL".*RemoteAddress="IPV[46]/[TU][CD]P//[0-9]+"
-SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress="IPV[46]/[TU][CD]P//[0-9+]+"
-SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress="IPV[46]/[TU][CD]P//[0-9]+"
-SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress="IPV[46]/[TU][CD]P//[0-9]+"
diff --git a/filters/coturn.preg b/filters/coturn.preg
deleted file mode 100644
index 54c9ef7..0000000
--- a/filters/coturn.preg
+++ /dev/null
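Review bot: The `f2b-filters` added to `Depends:` in the debian/control hunk carries no version relationship, while the files this commit moves out (the deleted filters/*.preg and *.pcre hunks, with their `# set: defscore=N` directives) are parsed by the daemon, so a filters package built for a different parser revision is installable without any dpkg complaint. Once the separate package exists, pin the relationship, e.g. `Depends: ${shlibs:Depends}, ${misc:Depends}, f2b-filters (>= <FIRST-COMPATIBLE-VERSION>)`, and raise it whenever the filter syntax changes. The `usr/share/f2b/filters` entry added in debian/f2b.dirs presumably makes the daemon's filter directory exist even when f2b-filters is missing or empty; if the daemon starts normally on an empty directory it runs with no detection rules at all, which is a fail-open worth stating in filters/README.txt or the package description so operators verify the directory is populated. The README hunk also names no repository for the new filters home, which is the one piece of information a source builder needs now that the CMakeLists install rule is gone.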
@@ -1,2 +0,0 @@
-# set: defscore=5
-closed \(2nd stage\), user <> .* remote :[0-9]+, reason: allocation watchdog determined stale session state
diff --git a/filters/dovecot.preg b/filters/dovecot.preg
deleted file mode 100644
index 0d0c71f..0000000
--- a/filters/dovecot.preg
+++ /dev/null
@@ -1,6 +0,0 @@
-pop3-login: Aborted login \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=
-imap-login: Aborted login \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=
-pop3-login: Disconnected \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=
-imap-login: Disconnected \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=
-# set: defscore=5
-submission-login: Client has quit the connection \(tried to use disallowed plaintext auth\): .* rip=
diff --git a/filters/exim.pcre b/filters/exim.pcre
deleted file mode 100644
index 98fcbea..0000000
--- a/filters/exim.pcre
+++ /dev/null
@@ -1,10 +0,0 @@
-# set: defscore=10
-SMTP protocol synchronization error \(input sent without waiting for greeting\): rejected connection from .*\[\]
-SMTP protocol synchronization error \(next input sent too soon: pipelining was not advertised\): rejected .*\[\]
-rejected [HE][EH]HLO from \[\]: syntactically invalid argument
-\[\] .* host is listed in .+
-\[\] .* relay not permitted
-\[\] .* rejected after DATA: This message was detected as possible malware
-# set: defscore=5
-\[\] .* too many connections from that IP address
-\[\] .* temporarily rejected RCPT \<\S+\>: lowest numbered MX record points to local host
diff --git a/filters/gitea.preg b/filters/gitea.preg
deleted file mode 100644
index 7b3be5b..0000000
--- a/filters/gitea.preg
+++ /dev/null
@@ -1,3 +0,0 @@
-Failed authentication attempt for [[:print:]]+ from
-Failed authentication attempt from
-invalid credentials from
diff --git a/filters/named.preg b/filters/named.preg
deleted file mode 100644
index d568699..0000000
--- a/filters/named.preg
+++ /dev/null
@@ -1,7 +0,0 @@
-# set: defscore=10
-#[0-9]+ .* query \(cache\) '[0-9.]+.in-addr.arpa/(PTR|SOA)/IN' denied
-# requests to '.' or top-level domains
-#[0-9]+ .* query \(cache\) '[a-z.]+/ANY/IN' denied
-#[0-9]+ .* query \(cache\) '[a-z.]+/A/IN' denied
-# set: defscore=1
-#[0-9]+ .* query \(cache\) '[0-9a-z.-]+/RRSIG/IN' denied
diff --git a/filters/nginx-bots.pcre b/filters/nginx-bots.pcre
deleted file mode 100644
index b457284..0000000
--- a/filters/nginx-bots.pcre
+++ /dev/null
@@ -1,32 +0,0 @@
-# set: defscore=15
-# h4x0rs
- .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/(shell|cmd|x)\.(php|cgi)
- .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/w00tw00t
- .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+Ringing\.at\.your\.dorbell
- .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/.*(wget|curl)(\\x|%)20https?://
- .* "(GET|HEAD|POST) .*/bin/(ba|c|z)?sh( |\\x20|%20)-c
- .* "(\\x[0-9a-z]{2,6})+" 400
-# set: defscore=10
-# phpmyadmin and variations
- .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+(php|sqlite)-?(manager)?
- .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+(php|pg|sql)-?my-?admin
- .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+pma[0-9]*
- .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+((my|pg)(sql)?|db|msd?)-?(admin|dumper|dump|manager)
-# set: defscore=5
-# open proxy search
- .* "(GET|HEAD|POST) https?://[a-z-\.]+proxyradar\.com
- .* "CONNECT [a-z-\.]*proxyradar\.com
- .* "CONNECT [a-z-\.]*proxytest\.zmap\.io
- .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+testproxy\.php
-# set: defscore=2
-# search bots
- .* "(GET|HEAD|POST) .* "python-(requests|urllib)/[0-9\.]+
- .* "(GET|HEAD|POST) .* "AhrefsBot/[0-9a-z\.]+
- .* "(GET|HEAD|POST) .* "DotBot/[0-9a-z\.]+
- .* "(GET|HEAD|POST) .* "MauiBot
- .* "(GET|HEAD|POST) .* SiteExplorer/[0-9a-z\.]+
- .* "(GET|HEAD|POST) .* MJ12bot
- .* "(GET|HEAD|POST) .* WebIndex
-# shit-coded php cms
- .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/.*/wp-login.php
- .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+(joomla|cms)/administrator
diff --git a/filters/postfix.preg b/filters/postfix.preg
deleted file mode 100644
index 22b7abb..0000000
--- a/filters/postfix.preg
+++ /dev/null
@@ -1,11 +0,0 @@
-# set: defscore=10
-NOQUEUE: reject: RCPT from [[:print:]]+\[\]: 450 4\.7\.1 Client host rejected
-NOQUEUE: reject: RCPT from [[:print:]]+\[\]: 454 4\.7\.1 Service unavailable; Client host \[[[:print:]]+\] blocked
-NOQUEUE: reject: RCPT from [[:print:]]+\[\]: 454 4\.7\.1 <[[:print:]]+>: Relay access denied
-NOQUEUE: reject: RCPT from [[:print:]]+\[\]: 554 5\.7\.1 <[[:print:]]+>: Relay access denied
-NOQUEUE: reject: RCPT from [[:print:]]+\[\]: 550 5\.1\.1 <[[:print:]]+>: Recipient address rejected: undeliverable address
-warning: [[:print:]]+\[\]: SASL [A-Z0-9-]+ authentication failed
-# set: defscore=5
-NOQUEUE: reject: RCPT from [[:print:]]+\[\]: 450 4\.7\.1 <[[:print:]]+>: Helo command rejected: Host not found
-NOQUEUE: reject: RCPT from [[:print:]]+\[\]: 504 5\.5\.2 <[[:print:]]+>: Helo command rejected: need fully-qualified hostname
-lost connection after AUTH from [[:print:]]+\[\]
diff --git a/filters/proftpd.preg b/filters/proftpd.preg
deleted file mode 100644
index 4aff490..0000000
--- a/filters/proftpd.preg
+++ /dev/null
@@ -1,9 +0,0 @@
-# set: defscore=30
-\(.*\[\]\): SECURITY VIOLATION: Root login attempted
-\(.*\[\]\): SECURITY VIOLATION: Passive connection from .* rejected
-# set: defscore=15
-\(.*\[\]\): USER .*: no such user found
-\(.*\[\]\): USER .* \(Login failed\): Incorrect password
-# set: defscore=1
-\(.*\[\]\): FTP session opened
-\(.*\[\]\): crypt\(3\) failed
diff --git a/filters/ssh.preg b/filters/ssh.preg
deleted file mode 100644
index e675875..0000000
--- a/filters/ssh.preg
+++ /dev/null
@@ -1,17 +0,0 @@
-# set: defscore=15
-User [[:print:]]+ from not allowed because listed in DenyUsers
-User [[:print:]]+ from not allowed because a group is listed in DenyGroups
-# set: defscore=10
-User [[:print:]]+ from not allowed because not listed in AllowUsers
-User [[:print:]]+ from not allowed because not in any group
-User [[:print:]]+ from not allowed because none of user's groups are listed in AllowGroups
-[Aa]uthentication failure for .* from ( via [[:print:]]*)?
-[Aa]uthentication error for .* from ( via [[:print:]]*)?
-Failed password for .* from
-# set: defscore=5
-User not known to the underlying authentication module for .* from
-Invalid user [[:print:]]+ from
-# set: defscore=3
-refused connect from [[:print:]]+ \(\)
-Did not receive identification string from
-Connection closed by ( port [0-9]+)? \[preauth\]