From 04cd3f5bd5424d537b2a61fd340db4227b4fec2d Mon Sep 17 00:00:00 2001
From: Cyril Jaquier <cyril.jaquier@fail2ban.org>
Date: Mon, 8 Jan 2007 21:40:37 +0000
Subject: [PATCH] - Added new filters/actions. Thanks to Yaroslav Halchenko

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@520 a942ae1a-1317-0410-a47c-b1dcaea8d605
---
 CHANGELOG                               |  1 +
 MANIFEST                                |  4 ++
 config/action.d/iptables-multiport.conf | 69 +++++++++++++++++++++++
 config/action.d/iptables-new.conf       | 71 +++++++++++++++++++++++
 config/action.d/mail-whois-lines.conf   | 75 +++++++++++++++++++++++++
 config/filter.d/vsftpd.conf             |  1 +
 config/filter.d/wuftpd.conf             | 14 +++++
 7 files changed, 235 insertions(+)
 create mode 100644 config/action.d/iptables-multiport.conf
 create mode 100644 config/action.d/iptables-new.conf
 create mode 100644 config/action.d/mail-whois-lines.conf
 create mode 100644 config/filter.d/wuftpd.conf

diff --git a/CHANGELOG b/CHANGELOG
index bd9e6631..ac8ed752 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -13,6 +13,7 @@ ver. 0.7.7 (2007/??/??)
 - Added a wonderful visual effect when waiting on the server
 - fail2ban-client returns an error code if configuration is
   not valid
+- Added new filters/actions. Thanks to Yaroslav Halchenko
 
 ver. 0.7.6 (2007/01/04) - beta
 ----------
diff --git a/MANIFEST b/MANIFEST
index 57911033..2a71efd5 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -70,9 +70,13 @@ config/filter.d/courierlogin.conf
 config/filter.d/sshd.conf
 config/filter.d/proftpd.conf
 config/filter.d/sasl.conf
+config/filter.d/wuftpd.conf
 config/action.d/iptables.conf
+config/action.d/iptables-multiport.conf
+config/action.d/iptables-new.conf
 config/action.d/ipfw.conf
 config/action.d/mail-whois.conf
+config/action.d/mail-whois-lines.conf
 config/action.d/mail.conf
 config/action.d/hostsdeny.conf
 config/action.d/shorewall.conf
diff --git a/config/action.d/iptables-multiport.conf b/config/action.d/iptables-multiport.conf
new file mode 100644
index 00000000..f881a782
--- /dev/null
+++ b/config/action.d/iptables-multiport.conf
@@ -0,0 +1,69 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Modified by Yaroslav Halchenko for multiport banning
+# $Revision$
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = iptables -N fail2ban-<name>
+              iptables -A fail2ban-<name> -j RETURN
+              iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+
+# Option:  actionend
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+             iptables -F fail2ban-<name>
+             iptables -X fail2ban-<name>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+
+[Init]
+
+# Defaut name of the chain
+#
+name = default
+
+# Option:  port
+# Notes.:  specifies port to monitor
+# Values:  [ NUM | STRING ]  Default:
+#
+port = ssh
+
+# Option:  protocol
+# Notes.:  internally used by config reader for interpolations.
+# Values:  [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
diff --git a/config/action.d/iptables-new.conf b/config/action.d/iptables-new.conf
new file mode 100644
index 00000000..ef9571c5
--- /dev/null
+++ b/config/action.d/iptables-new.conf
@@ -0,0 +1,71 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Copied from iptables.conf and modified by Yaroslav Halchenko 
+#  to fullfill the needs of bugreporter dbts#350746.
+#
+# $Revision$
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = iptables -N fail2ban-<name>
+              iptables -A fail2ban-<name> -j RETURN
+              iptables -I INPUT -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+
+# Option:  actionend
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = iptables -D INPUT -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+             iptables -F fail2ban-<name>
+             iptables -X fail2ban-<name>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+
+[Init]
+
+# Defaut name of the chain
+#
+name = default
+
+# Option:  port
+# Notes.:  specifies port to monitor
+# Values:  [ NUM | STRING ]  Default:
+#
+port = ssh
+
+# Option:  protocol
+# Notes.:  internally used by config reader for interpolations.
+# Values:  [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
new file mode 100644
index 00000000..c4bb9784
--- /dev/null
+++ b/config/action.d/mail-whois-lines.conf
@@ -0,0 +1,75 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Modified-By: Yaroslav Halchenko to include grepping on IP over log files
+# $Revision$
+#
+
+[Definition]
+
+# Option:  fwstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = echo -en "Hi,\n
+              The jail <name> has been started successfuly.\n
+              Regards,\n
+              Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
+
+# Option:  fwend
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = echo -en "Hi,\n
+             The jail <name> has been stopped.\n
+             Regards,\n
+             Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
+
+# Option:  fwcheck
+# Notes.:  command executed once before each fwban command
+# Values:  CMD
+#
+actioncheck = 
+
+# Option:  fwban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <failtime>  unix timestamp of the last failure
+#          <bantime>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionban = echo -en "Hi,\n
+            The IP <ip> has just been banned by Fail2Ban after
+            <failures> attempts against <name>.\n\n
+            Here are more information about <ip>:\n
+            `whois <ip>`\n\n
+            Lines containing IP:<ip> in <logpath>\n
+            `grep '\<<ip>\>' <logpath>`\n\n
+            Regards,\n
+            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip>" <dest>
+
+# Option:  fwunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <bantime>  unix timestamp of the ban time
+#          <unbantime>  unix timestamp of the unban time
+# Values:  CMD
+#
+actionunban = 
+
+[Init]
+
+# Defaut name of the chain
+#
+name = default
+
+# Destinataire of the mail
+#
+dest = root
+
+# Path to the log files which contain relevant lines for the abuser IP
+#
+logpath = /dev/null
diff --git a/config/filter.d/vsftpd.conf b/config/filter.d/vsftpd.conf
index 4955fcfc..19c5d496 100644
--- a/config/filter.d/vsftpd.conf
+++ b/config/filter.d/vsftpd.conf
@@ -15,6 +15,7 @@
 # Values: TEXT
 #
 failregex = vsftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
+            \[.+\] FAIL LOGIN: Client "<HOST>"$
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
diff --git a/config/filter.d/wuftpd.conf b/config/filter.d/wuftpd.conf
new file mode 100644
index 00000000..e7981e1e
--- /dev/null
+++ b/config/filter.d/wuftpd.conf
@@ -0,0 +1,14 @@
+# Fail2Ban configuration file for wuftpd
+#
+# Author: Yaroslav Halchenko
+#
+# $Revision:  $
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile.
+# Values: TEXT
+#
+failregex = wu-ftpd\[\d+\]:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>