From 2ce0ffb97752f51199fb85f56167ecf7079a7a02 Mon Sep 17 00:00:00 2001
From: Louis Sautier
Date: Sun, 10 Sep 2017 21:37:03 +0200
Subject: [PATCH 1/5] Fix Gentoo init script's shebang

Use openrc-run instead of runscript.
https://github.com/OpenRC/openrc/commit/5d5856c193768d24f11d5f0533e48c39526aef5c
---
 ChangeLog          | 1 +
 files/gentoo-initd | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index c56ca6ec..5beae7ec 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -35,6 +35,7 @@ ver. 0.10.1-dev-1 (2016/??/??) - development edition
 -----------
 
 ### Fixes
+* fix Gentoo init script's shebang to use openrc-run instead of runscript
 * jail "pass2allow-ftp" supply blocktype and returntype parameters to the action (gh-1884)
 * avoid using "ANSI_X3.4-1968" as preferred encoding (if missing environment variables
   'LANGUAGE', 'LC_ALL', 'LC_CTYPE', and 'LANG', see gh-1587).
diff --git a/files/gentoo-initd b/files/gentoo-initd
index c4d8675c..d4e52bcb 100755
--- a/files/gentoo-initd
+++ b/files/gentoo-initd
@@ -1,4 +1,4 @@
-#!/sbin/runscript
+#!/sbin/openrc-run
 # This file is part of Fail2Ban.
 #
 # Fail2Ban is free software; you can redistribute it and/or modify
From 72ad904f584be4df44963c2b058a29d9f076d013 Mon Sep 17 00:00:00 2001
From: "Serg G. Brester"
Date: Mon, 11 Sep 2017 12:22:43 +0200
Subject: [PATCH 2/5] Update ChangeLog

---
 ChangeLog | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 5beae7ec..27be6498 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -35,7 +35,7 @@ ver. 0.10.1-dev-1 (2016/??/??) - development edition
 -----------
 
 ### Fixes
-* fix Gentoo init script's shebang to use openrc-run instead of runscript
+* fix Gentoo init script's shebang to use openrc-run instead of runscript (gh-1891)
 * jail "pass2allow-ftp" supply blocktype and returntype parameters to the action (gh-1884)
 * avoid using "ANSI_X3.4-1968" as preferred encoding (if missing environment variables
   'LANGUAGE', 'LC_ALL', 'LC_CTYPE', and 'LANG', see gh-1587).
From 152c9d27d598414ad5a3a5d0932e0310c5ecdc57 Mon Sep 17 00:00:00 2001
From: Louis Sautier
Date: Mon, 11 Sep 2017 23:22:01 +0200
Subject: [PATCH 3/5] Fix nftables actions for IPv6 addresses, fixes #1893

* add [Init?family=inet6] to nftables-common.conf and make nftable expressions more modular
* change "ip protocol" to "meta l4proto" in nftables-allports.conf since the former only works for IPv4
---
 ChangeLog                              |  1 +
 config/action.d/nftables-allports.conf |  2 +-
 config/action.d/nftables-common.conf   | 30 ++++++++++++++++++++------
 3 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 27be6498..e3c10de2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -35,6 +35,7 @@ ver. 0.10.1-dev-1 (2016/??/??) - development edition
 -----------
 
 ### Fixes
+* fix nftables actions for IPv6 addresses (gh-1893)
 * fix Gentoo init script's shebang to use openrc-run instead of runscript (gh-1891)
 * jail "pass2allow-ftp" supply blocktype and returntype parameters to the action (gh-1884)
 * avoid using "ANSI_X3.4-1968" as preferred encoding (if missing environment variables
diff --git a/config/action.d/nftables-allports.conf b/config/action.d/nftables-allports.conf
index afd0ca84..6c69da39 100644
--- a/config/action.d/nftables-allports.conf
+++ b/config/action.d/nftables-allports.conf
@@ -17,6 +17,6 @@ before = nftables-common.conf
 # Notes.: additional expressions for nftables filter rule
 # Values: nftables expressions
 #
-nftables_mode = ip protocol
+nftables_mode = meta l4proto
 
 [Init]
diff --git a/config/action.d/nftables-common.conf b/config/action.d/nftables-common.conf
index 80657c5c..83311087 100644
--- a/config/action.d/nftables-common.conf
+++ b/config/action.d/nftables-common.conf
@@ -28,11 +28,11 @@ nftables_mode = dport \{ \}
 # Notes.: command executed once at the start of Fail2Ban.
 # Values: CMD
 #
-actionstart = add set f2b- \{ type \; \}
-              insert rule %(nftables_mode)s ip saddr @f2b-
+actionstart = add set \{ type \; \}
+              insert rule %(nftables_mode)s saddr @
 
 _nft_list = --handle --numeric list chain
-_nft_get_handle_id = grep -m1 'ip saddr @f2b- # handle' | grep -oe ' handle [0-9]*'
+_nft_get_handle_id = grep -m1 ' saddr @ # handle' | grep -oe ' handle [0-9]*'
 
 # Option: actionstop
 # Notes.: command executed once at the end of Fail2Ban
@@ -40,13 +40,13 @@ _nft_get_handle_id = grep -m1 'ip saddr @f2b- # handle' | grep
 #
 actionstop = HANDLE_ID=$(%(_nft_list)s | %(_nft_get_handle_id)s)
              delete rule $HANDLE_ID
-             delete set f2b-
+             delete set
 
 # Option: actioncheck
 # Notes.: command executed once before each actionban command
 # Values: CMD
 #
-actioncheck = list chain | grep -q '@f2b-[ \t]'
+actioncheck = list chain | grep -q '@[ \t]'
 
 # Option: actionban
 # Notes.: command executed when banning an IP. Take care that the
@@ -54,7 +54,7 @@ actioncheck = list chain |
 # Tags: See jail.conf(5) man page
 # Values: CMD
 #
-actionban = add element f2b- \{ \}
+actionban = add element \{ \}
 
 # Option: actionunban
 # Notes.: command executed when unbanning an IP. Take care that the
@@ -62,7 +62,7 @@ actionban = add element f2b-
 # Tags: See jail.conf(5) man page
 # Values: CMD
 #
-actionunban = delete element f2b- \{ \}
+actionunban = delete element \{ \}
 
 [Init]
 
@@ -117,3 +117,19 @@ blocktype = reject
 # Notes.: Actual command to be executed, including common to all calls options
 # Values: STRING
 nftables = nft
+
+# Option: set_name
+# Notes.: The name of the nft set used to store banned addresses
+# Values: STRING
+set_name = f2b-
+
+# Option: address_family
+# Notes.: The family of the banned addresses
+# Values: [ ip | ip6 ]
+address_family = ip
+
+[Init?family=inet6]
+
+nftables_type = ipv6_addr
+set_name = f2b-6
+address_family = ip6
From 6149df521643151d87deb738a0b893821deaa411 Mon Sep 17 00:00:00 2001
From: "Serg G. Brester"
Date: Tue, 12 Sep 2017 09:27:16 +0200
Subject: [PATCH 4/5] Update ChangeLog

---
 ChangeLog | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index e3c10de2..4e1d0b55 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -35,7 +35,6 @@ ver. 0.10.1-dev-1 (2016/??/??) - development edition
 -----------
 
 ### Fixes
-* fix nftables actions for IPv6 addresses (gh-1893)
 * fix Gentoo init script's shebang to use openrc-run instead of runscript (gh-1891)
 * jail "pass2allow-ftp" supply blocktype and returntype parameters to the action (gh-1884)
 * avoid using "ANSI_X3.4-1968" as preferred encoding (if missing environment variables
@@ -55,6 +54,7 @@ ver. 0.10.1-dev-1 (2016/??/??) - development edition
   human readable representation (opposite to `-d`);
 
 ### Enhancements
+* nftables actions are IPv6-capable now (gh-1893)
 * filter.d/dovecot.conf: introduced mode `aggressive` for cases like "disconnected before auth was ready" (gh-1880)
From a2120a9de5ba6211e42aae24252e860a62d9d4fa Mon Sep 17 00:00:00 2001
From: sebres
Date: Mon, 2 Oct 2017 15:31:55 +0200
Subject: [PATCH 5/5] filter.d/postfix-*.conf - added optional port regex (closes gh-1902)

---
 ChangeLog                              |  1 +
 config/filter.d/postfix-rbl.conf       |  3 ++-
 config/filter.d/postfix-sasl.conf      |  3 ++-
 config/filter.d/postfix.conf           | 15 ++++++++-------
 fail2ban/tests/files/logs/postfix-sasl |  2 ++
 5 files changed, 15 insertions(+), 9 deletions(-)

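Review bot: The comment on the new `address_family` option presents `ip`/`ip6` as a free choice, but the `actionstart` lines earlier in this file take the set type from `nftables_type` and the rule's match family from `address_family` separately, so overriding `address_family` alone would presumably produce an `ip6 saddr` rule referencing a set still typed for IPv4; the `[Init?family=inet6]` block only works because it changes all three values together. Suggest saying so in the option comment, e.g. `# Notes.: The family of the banned addresses; must match nftables_type (ip -> ipv4_addr, ip6 -> ipv6_addr), see [Init?family=inet6]`. The `set_name` note could likewise mention that the IPv4 and IPv6 instances of a jail need distinct set names, which is why the override assigns a different one.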
diff --git a/ChangeLog b/ChangeLog
index ae7d51c3..1c4620d3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -29,6 +29,7 @@ releases.
 * filter.d/asterisk.conf - fixed failregex AMI Asterisk authentification failed (see gh-1302)
 * filter.d/dovecot.conf - fixed failregex, see gh-1879 (partially cherry-picked from gh-1880)
 * filter.d/exim.conf - fixed failregex for case of flood attempts with `D=0s` (gh-1887)
+* filter.d/postfix-*.conf - added optional port regex (gh-1902)
 
 ### New Features
 
diff --git a/config/filter.d/postfix-rbl.conf b/config/filter.d/postfix-rbl.conf
index 0a9078f0..10bd98d7 100644
--- a/config/filter.d/postfix-rbl.conf
+++ b/config/filter.d/postfix-rbl.conf
@@ -11,8 +11,9 @@ before = common.conf
 [Definition]
 
 _daemon = postfix(-\w+)?/smtpd
+_port = (?::\d+)?
 
-failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b
+failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b
 
 ignoreregex =
 
diff --git a/config/filter.d/postfix-sasl.conf b/config/filter.d/postfix-sasl.conf
index 1a24ca94..d354b74a 100644
--- a/config/filter.d/postfix-sasl.conf
+++ b/config/filter.d/postfix-sasl.conf
@@ -8,8 +8,9 @@ before = common.conf
 [Definition]
 
 _daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
+_port = (?::\d+)?
 
-failregex = ^%(__prefix_line)swarning: [-._\w]+\[\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
+failregex = ^%(__prefix_line)swarning: [-._\w]+\[\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
 
 ignoreregex = authentication failed: Connection lost to authentication server$
 
diff --git a/config/filter.d/postfix.conf b/config/filter.d/postfix.conf
index 3051409b..7255384e 100644
--- a/config/filter.d/postfix.conf
+++ b/config/filter.d/postfix.conf
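Review bot: The same `_port = (?::\d+)?` definition is added verbatim to postfix-rbl.conf and postfix-sasl.conf here, and again to postfix.conf in the following hunk, while every one of these filters already pulls in `common.conf` via the `before = common.conf` shown in the hunk headers; defining `_port` once there would keep the three copies from drifting apart. If the per-file copies are kept on purpose, a short comment on the new line would help the next reader, e.g. `# optional ":port" suffix after the client address (see the postfix-sasl test sample)`.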
@@ -11,14 +11,15 @@ before = common.conf
 [Definition]
 
 _daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
+_port = (?::\d+)?
 
-failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 554 5\.7\.1 .*$
-            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
-            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
-            ^%(__prefix_line)sNOQUEUE: reject: EHLO from \S+\[\]: 504 5\.5\.2 <\S+>: Helo command rejected: need fully-qualified hostname;
-            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[\]: 550 5\.1\.1 .*$
-            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 450 4\.1\.8 <\S*>: Sender address rejected: Domain not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
-            ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[\]:?$
+failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]%(_port)s: 554 5\.7\.1 .*$
+            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]%(_port)s: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
+            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]%(_port)s: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
+            ^%(__prefix_line)sNOQUEUE: reject: EHLO from \S+\[\]%(_port)s: 504 5\.5\.2 <\S+>: Helo command rejected: need fully-qualified hostname;
+            ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[\]%(_port)s: 550 5\.1\.1 .*$
+            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]%(_port)s: 450 4\.1\.8 <\S*>: Sender address rejected: Domain not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
+            ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[\]%(_port)s:?$
 
 ignoreregex =
 
diff --git a/fail2ban/tests/files/logs/postfix-sasl b/fail2ban/tests/files/logs/postfix-sasl
index cdcb5121..fef2076b 100644
--- a/fail2ban/tests/files/logs/postfix-sasl
+++ b/fail2ban/tests/files/logs/postfix-sasl
@@ -30,3 +30,5 @@ Apr 12 02:24:11 xxx postfix/smtps/smtpd[42]: warning: astra4139.startdedicated.d
 # failJSON: { "time": "2005-08-03T15:30:49", "match": true , "host": "98.191.84.74" }
 Aug 3 15:30:49 ksusha postfix/smtpd[17041]: warning: mail.foldsandwalker.com[98.191.84.74]: SASL Plain authentication failed:
+# failJSON: { "time": "2005-08-04T16:47:52", "match": true , "host": "192.0.2.237", "desc": "cover optional port after host" }
+Aug 4 16:47:52 mail3 postfix/smtpd[31152]: warning: unknown[192.0.2.237]:55729: SASL LOGIN authentication failed: authentication failure
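Review bot: The added regression sample covers the optional port only for postfix-sasl.conf; the diffstat of this patch lists no change to the postfix.conf or postfix-rbl.conf test logs, so the seven rewritten failregex lines in postfix.conf and the one in postfix-rbl.conf that now carry `%(_port)s` are exercised neither with nor without a port suffix. Suggest adding one `# failJSON` entry with a `[host]:port` client to each of those two fixtures, using a documentation-range address as this sample does, so the port-suffixed form is pinned for all three filters.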