diff --git a/ChangeLog b/ChangeLog
index 0d7b9bda..29b45051 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -473,6 +473,7 @@ releases.
- fixed failregex AMI Asterisk authentification failed (see gh-1302)
- removed invalid (vulnerable) regex blocking IPs using forign data (from header "from") thus not the IP-address that really originates the request (see gh-1927)
+ - fixed failregex for the SQL-injection attempts with single-quotes in connect-string (see gh-2011)
* filter.d/dovecot.conf:
- fixed failregex, see gh-1879 (partially cherry-picked from gh-1880)
- extended to match pam_authenticate failures with "Permission denied" (gh-1897)
@@ -486,6 +487,7 @@ releases.
### Enhancements
* action.d/cloudflare.conf - Cloudflare API v4 implementation (gh-1651)
+* action.d/firewallcmd-ipset.conf - new parameter `actiontype`, provides `allports` capability (gh-1167)
* filter.d/kerio.conf - filter extended with new rules (see gh-1455)
* filter.d/phpmyadmin-syslog.conf - new filter for phpMyAdmin using syslog for auth logging
* filter.d/zoneminder.conf - new filter for ZoneMinder (gh-1376)
diff --git a/config/action.d/firewallcmd-ipset.conf b/config/action.d/firewallcmd-ipset.conf
index e99f32f1..a1065224 100644
--- a/config/action.d/firewallcmd-ipset.conf
+++ b/config/action.d/firewallcmd-ipset.conf
@@ -19,11 +19,11 @@ before = firewallcmd-common.conf
[Definition]
actionstart = ipset create hash:ip timeout
- firewall-cmd --direct --add-rule filter 0 -p -m multiport --dports -m set --match-set src -j
+ firewall-cmd --direct --add-rule filter 0 -m set --match-set src -j
actionflush = ipset flush
-actionstop = firewall-cmd --direct --remove-rule filter 0 -p -m multiport --dports -m set --match-set src -j
+actionstop = firewall-cmd --direct --remove-rule filter 0 -m set --match-set src -j
ipset destroy
@@ -48,6 +48,23 @@ chain = INPUT_direct
default-timeout = 600
+# Option: actiontype
+# Notes.: defines additions to the blocking rule
+# Values: leave empty to block all attempts from the host
+# Default: Value of the multiport
+actiontype =
+# Option: allports
+# Notes.: default addition to block all ports
+# Usage.: use in jail config: banaction = firewallcmd-ipset[actiontype=]
+ for all protocols: banaction = firewallcmd-ipset[actiontype=""]
+allports = -p
+# Option: multiport
+# Notes.: addition to block access only to specific ports
+# Usage.: use in jail config: banaction = firewallcmd-ipset[actiontype=]
+multiport = -p -m multiport --dports
ipmset = f2b-
familyopt =
diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf
index fa5ce487..337e9573 100644
--- a/config/filter.d/asterisk.conf
+++ b/config/filter.d/asterisk.conf
@@ -27,7 +27,7 @@ failregex = ^Registration from '[^']*' failed for '(:\d+)?' - (?:Wrong pas
^hacking attempt detected ''$
^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/(UDP|TCP|WS)//\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$
^"Rejecting unknown SIP connection from "$
- ^Request (?:'[^']*' )?from '[^']*' failed for '(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$
+ ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$
# FreePBX (todo: make optional in v.0.10):
# ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from $
diff --git a/fail2ban/tests/files/logs/asterisk b/fail2ban/tests/files/logs/asterisk
index 837011e0..0955cfe7 100644
--- a/fail2ban/tests/files/logs/asterisk
+++ b/fail2ban/tests/files/logs/asterisk
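Review bot: The second `Usage.:` line of the new `allports` option, `+ for all protocols: banaction = firewallcmd-ipset[actiontype=""]`, shows no leading `#` in this rendering; if the file really reads that way (and it is not an artifact of how the diff was captured), a ConfigParser-style reader is likely to take the indented text as a continuation of the preceding option value rather than as a comment, and the value of `actiontype` would silently become multi-line. It should read `#         for all protocols: banaction = firewallcmd-ipset[actiontype=""]`. Separately, the `Values:` line says `leave empty to block all attempts from the host` while `allports` still carries a `-p` protocol match, so I would state on the `Values:` line that `allports` keeps the protocol restriction and only `actiontype=""` removes it as well — the `Usage.:` line implies this but does not say it.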
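Review bot: The new `from '(?:[^']*|.*?)' failed for '…'` alternation, like the `[^']*` it replaces, binds the host to the first `' failed for '` from which the rest of the pattern can be satisfied, and both the From field before it and the `(callid: …)` field after it are attacker-supplied SIP header values, so a From header containing `' failed for '203.0.113.9:1' (callid: ` yields a match with the embedded address as the host because `[^\)]*` then swallows the genuine `failed for` up to the real closing parenthesis. This is the same class the gh-1927 ChangeLog entry in this diff describes (banning an address taken from foreign data in the From header), so the line deserves a comment such as `# NOTE: the from-field and callid are remote-controlled; do not let text embedded in them steer the host match`. If a tighter pattern is wanted, replacing `(?:[^']*|.*?)` with `(?:(?!' failed for ').)*` and `[^\)]*` with `(?:(?!' failed for ')[^\)])*` refuses to step across an injected `' failed for '` in either field, so the crafted line no longer matches at all (evasion instead of a spoofed ban), which I believe is the safer failure mode but should be checked against the fixture lines. The host tag between `failed for '` and `(?::\d+)?` is stripped in this rendering, so I cannot see how strict the host grammar is, and the failregex value this line belongs to starts before the hunk.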
@@ -80,9 +80,10 @@ Nov 4 18:30:40 localhost asterisk[32229]: NOTICE[32257]: chan_sip.c:23417 in han
[2016-05-23 10:18:16] NOTICE[19388] res_pjsip/pjsip_distributor.c: Request from '"1000" ' failed for '1.2.3.4:48336' (callid: 276666022) - Failed to authenticate
# failJSON: { "time": "2016-05-23T10:18:16", "match": true , "host": "1.2.3.4" }
[2016-05-23 10:18:16] NOTICE[19388] res_pjsip/pjsip_distributor.c: Request from '"1000" ' failed for '1.2.3.4:48336' (callid: 276666022) - Error to authenticate
-# Failed authentication with pjsip on Asterisk 13+
# failJSON: { "time": "2016-06-08T23:40:26", "match": true , "host": "2.3.4.5" }
[2016-06-08 23:40:26] NOTICE[32497] res_pjsip/pjsip_distributor.c: Request from '"317" ' failed for '2.3.4.5:5089' (callid: 206f178f-896564cb-57573f49@1.2.3.4) - No matching endpoint found
+# failJSON: { "time": "2017-12-14T22:18:00", "match": true , "host": "1.2.3.4" }
+[2017-12-14 22:18:00] NOTICE[1943] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '' failed for '1.2.3.4:43678' (callid: UmOkE9yQPGOsF3Az24YTRe..) - No matching endpoint found
# failJSON: { "time": "2016-06-09T00:01:02", "match": true , "host": "192.0.2.1" }
[2016-06-09 00:01:02] NOTICE [22382] manager.c: 192.0.2.1 failed to authenticate as 'admin'
diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py
index e2df7bb3..aab62fde 100644
--- a/fail2ban/tests/servertestcase.py
+++ b/fail2ban/tests/servertestcase.py
@@ -1666,7 +1666,7 @@ class ServerConfigReaderTests(LogCaptureTestCase):
r"`firewall-cmd --direct --remove-rule ipv6 filter f2b-j-w-fwcmd-ap 0 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`",
),
}),
- # firewallcmd-ipset --
+ # firewallcmd-ipset (multiport) --
('j-w-fwcmd-ipset', 'firewallcmd-ipset[name=%(__name__)s, bantime="10m", default-timeout=0, port="http", protocol="tcp", chain=""]', {
'ip4': (' f2b-j-w-fwcmd-ipset ',), 'ip6': (' f2b-j-w-fwcmd-ipset6 ',),
'ip4-start': (
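Review bot: The new 2017-12-14 fixture only pins the positive case (a From field containing quotes still yields `"host": "1.2.3.4"`); there is no fixture for a From or callid field that itself contains `' failed for '<other address>' (callid: ` text, so the suite does not establish which address the failregex attributes such a line to, and that is the case that matters for a ban filter fed by remote-controlled headers. I would add `# failJSON: { "time": "2017-12-14T22:18:01", "match": true , "host": "1.2.3.4" }` followed by a line of the form `[2017-12-14 22:18:01] NOTICE[1943] res_pjsip/pjsip_distributor.c: Request 'INVITE' from 'x' failed for '203.0.113.9:1' (callid: q' failed for '1.2.3.4:43678' (callid: abc) - No matching endpoint found` (or the same line with `"match": false` if the intent is to not ban at all), so that whatever the regex does with embedded text is a deliberate, tested decision. The `<sip:…>` parts of the From fields appear stripped in this rendering, so the exact shape of the existing positive lines cannot be confirmed from here.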
@@ -1704,6 +1704,44 @@ class ServerConfigReaderTests(LogCaptureTestCase):
r"`ipset del f2b-j-w-fwcmd-ipset6 2001:db8:: -exist`",
),
}),
+ # firewallcmd-ipset (allports) --
+ ('j-w-fwcmd-ipset-ap', 'firewallcmd-ipset[name=%(__name__)s, bantime="10m", actiontype=, protocol="tcp", chain=""]', {
+ 'ip4': (' f2b-j-w-fwcmd-ipset-ap ',), 'ip6': (' f2b-j-w-fwcmd-ipset-ap6 ',),
+ 'ip4-start': (
+ "`ipset create f2b-j-w-fwcmd-ipset-ap hash:ip timeout 600`",
+ "`firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m set --match-set f2b-j-w-fwcmd-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`",
+ ),
+ 'ip6-start': (
+ "`ipset create f2b-j-w-fwcmd-ipset-ap6 hash:ip timeout 600 family inet6`",
+ "`firewall-cmd --direct --add-rule ipv6 filter INPUT_direct 0 -p tcp -m set --match-set f2b-j-w-fwcmd-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`",
+ ),
+ 'flush': (
+ "`ipset flush f2b-j-w-fwcmd-ipset-ap`",
+ "`ipset flush f2b-j-w-fwcmd-ipset-ap6`",
+ ),
+ 'stop': (
+ "`firewall-cmd --direct --remove-rule ipv4 filter INPUT_direct 0 -p tcp -m set --match-set f2b-j-w-fwcmd-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`",
+ "`ipset flush f2b-j-w-fwcmd-ipset-ap`",
+ "`ipset destroy f2b-j-w-fwcmd-ipset-ap`",
+ "`firewall-cmd --direct --remove-rule ipv6 filter INPUT_direct 0 -p tcp -m set --match-set f2b-j-w-fwcmd-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`",
+ "`ipset flush f2b-j-w-fwcmd-ipset-ap6`",
+ "`ipset destroy f2b-j-w-fwcmd-ipset-ap6`",
+ ),
+ 'ip4-check': (),
+ 'ip6-check': (),
+ 'ip4-ban': (
+ r"`ipset add f2b-j-w-fwcmd-ipset-ap 192.0.2.1 timeout 600 -exist`",
+ ),
+ 'ip4-unban': (
+ r"`ipset del f2b-j-w-fwcmd-ipset-ap 192.0.2.1 -exist`",
+ ),
+ 'ip6-ban': (
+ r"`ipset add f2b-j-w-fwcmd-ipset-ap6 2001:db8:: timeout 600 -exist`",
+ ),
+ 'ip6-unban': (
+ r"`ipset del f2b-j-w-fwcmd-ipset-ap6 2001:db8:: -exist`",
+ ),
+ }),
)
server = TestServer()
transm = server._Server__transm
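Review bot: There is no test entry for `actiontype=""`, the all-protocols usage the new conf documents, so the expansion of an empty `actiontype` — a direct rule with neither `-p` nor a multiport match, plus whatever whitespace the empty substitution leaves between `0` and `-m set` — is untested even though it is the most permissive configuration of this action and the one most worth pinning; the new `j-w-fwcmd-ipset-ap` entry only covers the `-p tcp -m set --match-set …` form. I would add a third entry identical to this one except for `actiontype=""` (for example named `j-w-fwcmd-ipset-all`), with every `--add-rule`/`--remove-rule` expectation reading `… 0 -m set --match-set f2b-j-w-fwcmd-ipset-all src -j REJECT …` and the ipset names adjusted accordingly. The value after `actiontype=` in the new jail string is not visible in this rendering; the expected `-p tcp` is consistent with it being the `allports` placeholder, but I could not confirm that from the hunk. The test table this tuple belongs to starts before the hunk.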