Browse Source

* move filters to their own repository

master
Alex 'AdUser' Z 2 years ago
parent
commit
751fc7fada
  1. 1
      CMakeLists.txt
  2. 2
      debian/control
  3. 1
      debian/f2b.dirs
  4. 2
      filters/README.txt
  5. 4
      filters/asterisk.preg
  6. 2
      filters/coturn.preg
  7. 6
      filters/dovecot.preg
  8. 10
      filters/exim.pcre
  9. 3
      filters/gitea.preg
  10. 7
      filters/named.preg
  11. 32
      filters/nginx-bots.pcre
  12. 11
      filters/postfix.preg
  13. 9
      filters/proftpd.preg
  14. 17
      filters/ssh.preg

1
CMakeLists.txt

@ -71,7 +71,6 @@ add_subdirectory(src)
add_subdirectory(t)
set_property(DIRECTORY "t" PROPERTY COMPILE_FLAGS "-g;-ggdb;-Wall;-Wextra;-pedantic;-O0")
install(DIRECTORY "filters" DESTINATION "${CMAKE_INSTALL_DATAROOTDIR}/${CNAME}")
file(GLOB_RECURSE CONFIGS "*.conf.in")
foreach(CONFIG ${CONFIGS})
string(REPLACE ".conf.in" ".conf" GENERATED ${CONFIG})

2
debian/control vendored

@ -10,7 +10,7 @@ Vcs-Browser: https://github.com/AdUser/f2b
Package: f2b
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Depends: ${shlibs:Depends}, ${misc:Depends}, f2b-filters
Description: lightweight automatic anti-bot turret for your public serivces
Features:
.

1
debian/f2b.dirs vendored

@ -1 +1,2 @@
usr/share/f2b/filters
var/lib/f2b

2
filters/README.txt

@ -0,0 +1,2 @@
- Where have all filters gone?
- Now it located in their own repository, for convinient maintenance

4
filters/asterisk.preg

@ -1,4 +0,0 @@
SECURITY.* SecurityEvent="FailedACL".*RemoteAddress="IPV[46]/[TU][CD]P/<HOST>/[0-9]+"
SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress="IPV[46]/[TU][CD]P/<HOST>/[0-9+]+"
SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress="IPV[46]/[TU][CD]P/<HOST>/[0-9]+"
SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress="IPV[46]/[TU][CD]P/<HOST>/[0-9]+"

2
filters/coturn.preg

@ -1,2 +0,0 @@
# set: defscore=5
closed \(2nd stage\), user <> .* remote <HOST>:[0-9]+, reason: allocation watchdog determined stale session state

6
filters/dovecot.preg

@ -1,6 +0,0 @@
pop3-login: Aborted login \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=<HOST>
imap-login: Aborted login \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=<HOST>
pop3-login: Disconnected \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=<HOST>
imap-login: Disconnected \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=<HOST>
# set: defscore=5
submission-login: Client has quit the connection \(tried to use disallowed plaintext auth\): .* rip=<HOST>

10
filters/exim.pcre

@ -1,10 +0,0 @@
# set: defscore=10
SMTP protocol synchronization error \(input sent without waiting for greeting\): rejected connection from .*\[<HOST>\]
SMTP protocol synchronization error \(next input sent too soon: pipelining was not advertised\): rejected .*\[<HOST>\]
rejected [HE][EH]HLO from \[<HOST>\]: syntactically invalid argument
\[<HOST>\] .* host is listed in .+
\[<HOST>\] .* relay not permitted
\[<HOST>\] .* rejected after DATA: This message was detected as possible malware
# set: defscore=5
\[<HOST>\] .* too many connections from that IP address
\[<HOST>\] .* temporarily rejected RCPT \<\S+\>: lowest numbered MX record points to local host

3
filters/gitea.preg

@ -1,3 +0,0 @@
Failed authentication attempt for [[:print:]]+ from <HOST>
Failed authentication attempt from <HOST>
invalid credentials from <HOST>

7
filters/named.preg

@ -1,7 +0,0 @@
# set: defscore=10
<HOST>#[0-9]+ .* query \(cache\) '[0-9.]+.in-addr.arpa/(PTR|SOA)/IN' denied
# requests to '.' or top-level domains
<HOST>#[0-9]+ .* query \(cache\) '[a-z.]+/ANY/IN' denied
<HOST>#[0-9]+ .* query \(cache\) '[a-z.]+/A/IN' denied
# set: defscore=1
<HOST>#[0-9]+ .* query \(cache\) '[0-9a-z.-]+/RRSIG/IN' denied

32
filters/nginx-bots.pcre

@ -1,32 +0,0 @@
# set: defscore=15
# h4x0rs
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/(shell|cmd|x)\.(php|cgi)
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/w00tw00t
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+Ringing\.at\.your\.dorbell
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/.*(wget|curl)(\\x|%)20https?://
<HOST> .* "(GET|HEAD|POST) .*/bin/(ba|c|z)?sh( |\\x20|%20)-c
<HOST> .* "(\\x[0-9a-z]{2,6})+" 400
# set: defscore=10
# phpmyadmin and variations
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+(php|sqlite)-?(manager)?
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+(php|pg|sql)-?my-?admin
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+pma[0-9]*
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+((my|pg)(sql)?|db|msd?)-?(admin|dumper|dump|manager)
# set: defscore=5
# open proxy search
<HOST> .* "(GET|HEAD|POST) https?://[a-z-\.]+proxyradar\.com
<HOST> .* "CONNECT [a-z-\.]*proxyradar\.com
<HOST> .* "CONNECT [a-z-\.]*proxytest\.zmap\.io
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+testproxy\.php
# set: defscore=2
# search bots
<HOST> .* "(GET|HEAD|POST) .* "python-(requests|urllib)/[0-9\.]+
<HOST> .* "(GET|HEAD|POST) .* "AhrefsBot/[0-9a-z\.]+
<HOST> .* "(GET|HEAD|POST) .* "DotBot/[0-9a-z\.]+
<HOST> .* "(GET|HEAD|POST) .* "MauiBot
<HOST> .* "(GET|HEAD|POST) .* SiteExplorer/[0-9a-z\.]+
<HOST> .* "(GET|HEAD|POST) .* MJ12bot
<HOST> .* "(GET|HEAD|POST) .* WebIndex
# shit-coded php cms
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/.*/wp-login.php
<HOST> .* "(GET|HEAD|POST) (https?://[0-9a-z.-]+)?(:[0-9]*)?/+(joomla|cms)/administrator

11
filters/postfix.preg

@ -1,11 +0,0 @@
# set: defscore=10
NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 450 4\.7\.1 Client host rejected
NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 454 4\.7\.1 Service unavailable; Client host \[[[:print:]]+\] blocked
NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 454 4\.7\.1 <[[:print:]]+>: Relay access denied
NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 554 5\.7\.1 <[[:print:]]+>: Relay access denied
NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 550 5\.1\.1 <[[:print:]]+>: Recipient address rejected: undeliverable address
warning: [[:print:]]+\[<HOST>\]: SASL [A-Z0-9-]+ authentication failed
# set: defscore=5
NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 450 4\.7\.1 <[[:print:]]+>: Helo command rejected: Host not found
NOQUEUE: reject: RCPT from [[:print:]]+\[<HOST>\]: 504 5\.5\.2 <[[:print:]]+>: Helo command rejected: need fully-qualified hostname
lost connection after AUTH from [[:print:]]+\[<HOST>\]

9
filters/proftpd.preg

@ -1,9 +0,0 @@
# set: defscore=30
\(.*\[<HOST>\]\): SECURITY VIOLATION: Root login attempted
\(.*\[<HOST>\]\): SECURITY VIOLATION: Passive connection from .* rejected
# set: defscore=15
\(.*\[<HOST>\]\): USER .*: no such user found
\(.*\[<HOST>\]\): USER .* \(Login failed\): Incorrect password
# set: defscore=1
\(.*\[<HOST>\]\): FTP session opened
\(.*\[<HOST>\]\): crypt\(3\) failed

17
filters/ssh.preg

@ -1,17 +0,0 @@
# set: defscore=15
User [[:print:]]+ from <HOST> not allowed because listed in DenyUsers
User [[:print:]]+ from <HOST> not allowed because a group is listed in DenyGroups
# set: defscore=10
User [[:print:]]+ from <HOST> not allowed because not listed in AllowUsers
User [[:print:]]+ from <HOST> not allowed because not in any group
User [[:print:]]+ from <HOST> not allowed because none of user's groups are listed in AllowGroups
[Aa]uthentication failure for .* from <HOST>( via [[:print:]]*)?
[Aa]uthentication error for .* from <HOST>( via [[:print:]]*)?
Failed password for .* from <HOST>
# set: defscore=5
User not known to the underlying authentication module for .* from <HOST>
Invalid user [[:print:]]+ from <HOST>
# set: defscore=3
refused connect from [[:print:]]+ \(<HOST>\)
Did not receive identification string from <HOST>
Connection closed by <HOST>( port [0-9]+)? \[preauth\]
Loading…
Cancel
Save