github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

* (NOT RELEASED YET) New upstream release. 

Patches absorbed upstream:
    00_daemon_pids.dpatch
    00_iptables_allports.dpatch
    00_vsftp_filter_spaces.dpatch
    00_resolve_all_names.dpatch
    00_HOST_ignoreregex.dpatch
   Patches which needed some tune-up:
    00_ssh_strong_re.dpatch
    00_mail-whois-lines.dpatch
    00_named_refused.dpatch
pull/3/head
Yaroslav Halchenko 2007-08-15 02:17:44 +00:00
parent e10a8616b4
commit 0012f9ff92
10 changed files with 19 additions and 297 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
debian/changelog vendored
View File

@ -1,6 +1,16 @@
fail2ban (0.8.1-1) UNRELEASED; urgency=low fail2ban (0.8.1-1) UNRELEASED; urgency=low
* (NOT RELEASED YET) New upstream release * (NOT RELEASED YET) New upstream release.
Patches absorbed upstream:
00_daemon_pids.dpatch
00_iptables_allports.dpatch
00_vsftp_filter_spaces.dpatch
00_resolve_all_names.dpatch
00_HOST_ignoreregex.dpatch
Patches which needed some tune-up:
00_ssh_strong_re.dpatch
00_mail-whois-lines.dpatch
00_named_refused.dpatch
-- Yaroslav Halchenko <debian@onerussian.com> Tue, 14 Aug 2007 19:12:53 -0400 -- Yaroslav Halchenko <debian@onerussian.com> Tue, 14 Aug 2007 19:12:53 -0400

34
debian/patches/00_HOST_ignoreregex.dpatch vendored
View File

@ -1,34 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 00_HOST_ignoreregex.dpatch by Yaroslav Halchenko <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad trunk~/server/failregex.py trunk/server/failregex.py
--- trunk~/server/failregex.py 2007-05-05 21:30:22.000000000 -0400
+++ trunk/server/failregex.py 2007-06-19 23:00:45.000000000 -0400
@@ -40,9 +40,7 @@
# avoid construction of invalid object.
# @param value the regular expression
- def __init__(self, value):
- # Replace "<HOST>" with default regular expression for host.
- regex = value.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>\S+)")
+ def __init__(self, regex):
# Initializes the parent.
Regex.__init__(self, regex)
# Check for group "host"
diff -urNad trunk~/server/regex.py trunk/server/regex.py
--- trunk~/server/regex.py 2007-05-05 21:30:22.000000000 -0400
+++ trunk/server/regex.py 2007-06-19 23:00:21.000000000 -0400
@@ -42,6 +42,9 @@
def __init__(self, regex):
self._matchCache = None
+ # Perform shortcuts expansions
+ # Replace "<HOST>" with default regular expression for host.
+ regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>\S+)")
if regex.lstrip() == '':
raise RegexException("Cannot add empty regex")
try:

52
debian/patches/00_daemon_pids.dpatch vendored
View File

@ -1,52 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 00_daemon_pids.dpatch by Yaroslav Halchenko <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Optional PID entry which might not be present due to configuration. Also failregex for wu-ftpd got hardened with $ at the end.
@DPATCH@
diff -urNad trunk~/config/filter.d/pure-ftpd.conf trunk/config/filter.d/pure-ftpd.conf
--- trunk~/config/filter.d/pure-ftpd.conf 2007-05-05 21:30:21.000000000 -0400
+++ trunk/config/filter.d/pure-ftpd.conf 2007-06-19 23:08:40.000000000 -0400
@@ -19,7 +19,7 @@
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
-failregex = pure-ftpd: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$
+failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
diff -urNad trunk~/config/filter.d/sshd-ddos.conf trunk/config/filter.d/sshd-ddos.conf
--- trunk~/config/filter.d/sshd-ddos.conf 2007-05-05 21:30:21.000000000 -0400
+++ trunk/config/filter.d/sshd-ddos.conf 2007-06-19 23:09:56.000000000 -0400
@@ -14,7 +14,7 @@
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
-failregex = sshd\[\S*\]: Did not receive identification string from <HOST>
+failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
diff -urNad trunk~/config/filter.d/vsftpd.conf trunk/config/filter.d/vsftpd.conf
--- trunk~/config/filter.d/vsftpd.conf 2007-05-05 21:30:21.000000000 -0400
+++ trunk/config/filter.d/vsftpd.conf 2007-06-19 23:10:26.000000000 -0400
@@ -14,7 +14,7 @@
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
-failregex = vsftpd: .* authentication failure; .* rhost=<HOST>$
+failregex = vsftpd(?:\[\d+\])?: .* authentication failure; .* rhost=<HOST>$
\[.+\] FAIL LOGIN: Client "<HOST>"$
# Option: ignoreregex
diff -urNad trunk~/config/filter.d/wuftpd.conf trunk/config/filter.d/wuftpd.conf
--- trunk~/config/filter.d/wuftpd.conf 2007-05-05 21:30:21.000000000 -0400
+++ trunk/config/filter.d/wuftpd.conf 2007-06-19 23:11:59.000000000 -0400
@@ -11,4 +11,4 @@
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
-failregex = wu-ftpd\[\d+\]:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>
+failregex = wu-ftpd(?:\[\d+\])?:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>$

82
debian/patches/00_iptables_allports.dpatch vendored
View File

@ -1,82 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 00_iptables_allports.dpatch by Yaroslav Halchenko <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad trunk~/config/action.d/iptables-allports.conf trunk/config/action.d/iptables-allports.conf
--- trunk~/config/action.d/iptables-allports.conf 1969-12-31 19:00:00.000000000 -0500
+++ trunk/config/action.d/iptables-allports.conf 2007-06-25 12:49:34.000000000 -0400
@@ -0,0 +1,71 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
+# made active on all ports from original iptables.conf
+#
+# $Revision: $
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = iptables -N fail2ban-<name>
+ iptables -A fail2ban-<name> -j RETURN
+ iptables -I INPUT -p <protocol> -j fail2ban-<name>
+
+# Option: actionend
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = iptables -D INPUT -p <protocol> -j fail2ban-<name>
+ iptables -F fail2ban-<name>
+ iptables -X fail2ban-<name>
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# <failures> number of failures
+# <time> unix timestamp of the ban time
+# Values: CMD
+#
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# <failures> number of failures
+# <time> unix timestamp of the ban time
+# Values: CMD
+#
+actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+
+[Init]
+
+# Defaut name of the chain
+#
+name = default
+
+# Option: port
+# Notes.: specifies port to monitor
+# Values: [ NUM | STRING ] Default:
+#
+port = ssh
+
+# Option: protocol
+# Notes.: internally used by config reader for interpolations.
+# Values: [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+

14
debian/patches/00_mail-whois-lines.dpatch vendored
View File

@ -6,16 +6,10 @@
## DP: abuser IP over the log files ## DP: abuser IP over the log files
@DPATCH@ @DPATCH@
diff -urNad fail2ban-0.7.7~/config/action.d/mail-whois-lines.conf fail2ban-0.7.7/config/action.d/mail-whois-lines.conf diff -urNad trunk~/config/action.d/mail-whois-lines.conf trunk/config/action.d/mail-whois-lines.conf
--- fail2ban-0.7.7~/config/action.d/mail-whois-lines.conf 2007-01-08 16:40:40.000000000 -0500 --- trunk~/config/action.d/mail-whois-lines.conf 2007-08-14 19:12:48.000000000 -0400
+++ fail2ban-0.7.7/config/action.d/mail-whois-lines.conf 2007-02-08 22:07:12.000000000 -0500 +++ trunk/config/action.d/mail-whois-lines.conf 2007-08-14 19:24:17.000000000 -0400
@@ -2,12 +2,12 @@ @@ -7,7 +7,7 @@
#
# Author: Cyril Jaquier
# Modified-By: Yaroslav Halchenko to include grepping on IP over log files
-# $Revision: 520 $
+# $Revision: 254 $
#
[Definition] [Definition]

40
debian/patches/00_named_refused.dpatch vendored
View File

@ -5,47 +5,9 @@
## DP: No description. ## DP: No description.
@DPATCH@ @DPATCH@
diff -urNad trunk~/config/filter.d/named-refused.conf trunk/config/filter.d/named-refused.conf
--- trunk~/config/filter.d/named-refused.conf 1969-12-31 19:00:00.000000000 -0500
+++ trunk/config/filter.d/named-refused.conf 2007-07-29 22:31:22.000000000 -0400
@@ -0,0 +1,34 @@
+# Fail2Ban configuration file for named (bind9). Trying to generalize the
+# structure which is general to capture general patterns in log
+# lines to cover different configurations/distributions
+#
+# Author: Yaroslav Halchenko
+#
+# $Revision: $
+#
+
+[Definition]
+
+# if you want to catch only login erros from specific daemons, use smth like
+#_named_rcodes=(?:REFUSED|SERVFAIL)
+# To catch all REFUSED queries only
+_named_rcodes=REFUSED
+_daemon=named
+
+#
+# Shortcuts for easier comprehension of the failregex
+__pid_re=(?:\[\d+\])
+__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
+__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
+# hostname daemon_id spaces
+# this can be optional (for instance if we match named native log files)
+__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile.
+# Values: TEXT
+#
+failregex = %(__line_prefix)sunexpected RCODE \(%(_named_rcodes)s\) resolving '.*': <HOST>#\S+$
+ %(__line_prefix)sclient <HOST>#\S+: query(?: \(cache\))? '.*' denied\s*$
+
+
diff -urNad trunk~/config/filter.d/named-refused.examples trunk/config/filter.d/named-refused.examples diff -urNad trunk~/config/filter.d/named-refused.examples trunk/config/filter.d/named-refused.examples
--- trunk~/config/filter.d/named-refused.examples 1969-12-31 19:00:00.000000000 -0500 --- trunk~/config/filter.d/named-refused.examples 1969-12-31 19:00:00.000000000 -0500
+++ trunk/config/filter.d/named-refused.examples 2007-07-29 22:30:29.000000000 -0400 +++ trunk/config/filter.d/named-refused.examples 2007-08-14 19:44:13.000000000 -0400
@@ -0,0 +1,13 @@ @@ -0,0 +1,13 @@
+Jul 15 18:42:00 raid5 named[3888]: unexpected RCODE (SERVFAIL) resolving 'skira.de/NS/IN': 216.14.208.5#53 +Jul 15 18:42:00 raid5 named[3888]: unexpected RCODE (SERVFAIL) resolving 'skira.de/NS/IN': 216.14.208.5#53
+Jul 15 18:42:01 raid5 named[3888]: unexpected RCODE (SERVFAIL) resolving 'skira.de/NS/IN': 216.14.208.4#53 +Jul 15 18:42:01 raid5 named[3888]: unexpected RCODE (SERVFAIL) resolving 'skira.de/NS/IN': 216.14.208.4#53

30
debian/patches/00_resolve_all_names.dpatch vendored
View File

@ -1,30 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 00_resolve_all_names.dpatch by Yaroslav Halchenko <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad trunk~/server/filter.py trunk/server/filter.py
--- trunk~/server/filter.py 2007-04-18 16:44:07.000000000 -0400
+++ trunk/server/filter.py 2007-08-06 14:20:11.000000000 -0400
@@ -538,11 +538,14 @@
ipList.append(plainIPStr)
if not ipList:
# Try to get IP from possible DNS
- dns = DNSUtils.textToDns(text)
- if not dns == None:
- ip = DNSUtils.dnsToIp(dns.group(0))
- for e in ip:
- ipList.append(e)
+ # yoh: this way would not work for reported
+ # hosts with only top part of the address
+ # Since we have now <HOST> it is safe and
+ # efficient to simply try to resolve it
+ # dns = DNSUtils.textToDns(text)
+ ip = DNSUtils.dnsToIp(text)
+ for e in ip:
+ ipList.append(e)
return ipList
@staticmethod

25
debian/patches/00_ssh_strong_re.dpatch vendored
View File

@ -5,28 +5,9 @@
## DP: No description. ## DP: No description.
@DPATCH@ @DPATCH@
diff -urNad fail2ban-0.8.0~/config/filter.d/sshd.conf fail2ban-0.8.0/config/filter.d/sshd.conf diff -urNad trunk~/config/filter.d/sshd.examples trunk/config/filter.d/sshd.examples
--- fail2ban-0.8.0~/config/filter.d/sshd.conf 2007-02-22 15:52:37.000000000 -0500 --- trunk~/config/filter.d/sshd.examples 1969-12-31 19:00:00.000000000 -0500
+++ fail2ban-0.8.0/config/filter.d/sshd.conf 2007-07-29 13:14:50.000000000 -0400 +++ trunk/config/filter.d/sshd.examples 2007-08-14 19:40:23.000000000 -0400
@@ -14,10 +14,11 @@
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
-failregex = Authentication failure for .* from <HOST>
- Failed [-/\w]+ for .* from <HOST>
- ROOT LOGIN REFUSED .* FROM <HOST>
- [iI](?:llegal|nvalid) user .* from <HOST>
+failregex = (?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
+ Failed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
+ ROOT LOGIN REFUSED.* FROM <HOST>\s*$
+ [iI](?:llegal|nvalid) user .* from <HOST>\s*$
+ User \S+ from <HOST> not allowed because not listed in AllowUsers$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
diff -urNad fail2ban-0.8.0~/config/filter.d/sshd.examples fail2ban-0.8.0/config/filter.d/sshd.examples
--- fail2ban-0.8.0~/config/filter.d/sshd.examples 1969-12-31 19:00:00.000000000 -0500
+++ fail2ban-0.8.0/config/filter.d/sshd.examples 2007-07-29 13:14:22.000000000 -0400
@@ -0,0 +1,19 @@ @@ -0,0 +1,19 @@
+#1 +#1
+Jun 21 16:47:48 digital-mlhhyiqscv sshd[13709]: error: PAM: Authentication failure for myhlj1374 from 192.030.0.6 +Jun 21 16:47:48 digital-mlhhyiqscv sshd[13709]: error: PAM: Authentication failure for myhlj1374 from 192.030.0.6

21
debian/patches/00_vsftp_filter_spaces.dpatch vendored
View File

@ -1,21 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 00_vsftp_filter_spaces.dpatch by Yaroslav Halchenko <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad trunk~/config/filter.d/vsftpd.conf trunk/config/filter.d/vsftpd.conf
--- trunk~/config/filter.d/vsftpd.conf 2007-01-29 15:51:45.000000000 -0500
+++ trunk/config/filter.d/vsftpd.conf 2007-08-03 21:55:00.000000000 -0400
@@ -14,8 +14,8 @@
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
-failregex = vsftpd: .* authentication failure; .* rhost=<HOST>$
- \[.+\] FAIL LOGIN: Client "<HOST>"$
+failregex = vsftpd: .* authentication failure; .* rhost=<HOST>\s*$
+ \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.

6
debian/patches/00list vendored
View File

@ -1,12 +1,6 @@
00_mail-whois-lines 00_mail-whois-lines
00_vsftp_filter_spaces
00_var_run_socket 00_var_run_socket
00_HOST_ignoreregex
00_daemon_pids
00_resolve_all_names
10_dbts_manpages 10_dbts_manpages
00_iptables_allports
00_ssh_strong_re 00_ssh_strong_re
00_pam_generic 00_pam_generic
00_named_refused 00_named_refused
00_named_logtimeformat