ENH: framework for distro paths

config/common-paths.conf

@@ -0,0 +1,44 @@
+# Common
+#
+
+[INCLUDES]
+
+before = common-paths.conf
+
+after  = paths-overrides.local
+
+[DEFAULT]
+
+
+
+sshd_log = %(syslog_authpriv)s
+
+dropbear_log = %(syslog_authpriv)s
+
+
+# from /etc/audit/auditd.conf
+auditd_log = /var/log/audit/audit.log
+
+
+nginx_error_log = /var/log/nginx/error.log
+
+nginx_access_log = /var/log/nginx/access.log
+
+
+lighttpd_error_log = /var/log/lighttpd/error.log
+
+# http://www.hardened-php.net/suhosin/configuration.html#suhosin.log.syslog.facility
+# syslog_user is the default. Lighttpd also hooks errors into its log.
+
+suhosin_log = %(syslog_user)s %(lighttpd_error_log)s
+
+# defaults to ftp or local2 if ftp doesn't exist
+proftpd_log = %(syslog_ftp)s
+
+# http://svnweb.freebsd.org/ports/head/ftp/proftpd/files/patch-src_proftpd.8.in?view=markup
+# defaults to ftp but can be overwritten.
+pureftpd_log = %(syslog_ftp)s
+
+
+postfix_log = %(syslog_mail_warn)s
+

config/debian-paths.conf

@@ -0,0 +1,41 @@
+# Debian
+
+[INCLUDES]
+
+before = common-paths.conf
+
+after  = paths-overrides.local
+
+
+[DEFAULT]
+
+syslog_mail = /var/log/mail.log
+
+syslog_mail_warn = /var/log/mail.warn
+
+syslog_authpriv = /var/log/auth.log
+
+syslog_auth = /var/log/auth.log
+
+syslog_daemon =  /var/log/daemon.log
+
+
+syslog_user  =  /var/log/user.log
+
+syslog_ftp = /var/log/syslog
+
+
+apache_error_log = /var/log/apache2/*error.log
+
+apache_access_log = /var/log/apache2/*access.log
+
+
+lighttpd_error_log = /var/log/lighttpd/error.log
+
+
+# was in debian squeezy but not in wheezy
+# /etc/proftpd/proftpd.conf (SystemLog)
+proftpd_log =/var/log/proftpd/proftpd.log
+
+
+

config/fedora-paths.conf

@@ -0,0 +1,32 @@
+# Fedora
+
+
+[INCLUDES]
+
+before = common-paths.conf
+
+after  = paths-overrides.local
+
+[DEFAULT]
+
+syslog_mail = /var/log/maillog
+
+syslog_mail_warn = /var/log/mail.warn
+
+syslog_authpriv = /var/log/secure
+
+syslog_user =  /var/log/messages
+
+syslog_ftp  = /var/log/messages
+
+
+# Or should this be /etc/httpd/logs/.. since is the original symlink?
+
+apache_error_log = /var/log/httpd/error_log
+
+apache_access_log = /var/log/httpd/access_log
+
+# /etc/proftpd/proftpd.conf (ExtendedLog for Anonymous)
+# proftpd_log = /var/log/proftpd/auth.log
+# Tested and it worked out in /var/log/messages so assuming syslog_ftp for now.
+

config/freebsd-paths.conf

@@ -0,0 +1,40 @@
+# FreeBSD
+
+[INCLUDES]
+
+before = common-paths.conf
+
+after  = paths-overrides.local
+
+[DEFAULT]
+
+syslog_mail = /var/log/maillog
+
+syslog_mail_warn = /var/log/maillog
+
+syslog_authpriv = /var/log/auth.log
+
+
+syslog_ftp = ???
+
+# Linux things
+# we fake to avoid parse error in startups
+
+auditd_log = /dev/null
+
+# http://svnweb.freebsd.org/ports/head/www/apache24/files/patch-docs__conf__extra__httpd-ssl.conf.in?view=markup
+# http://svnweb.freebsd.org/ports/head/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in?view=markup
+# http://svnweb.freebsd.org/ports/head/www/apache24/files/patch-config.layout
+# http://svnweb.freebsd.org/ports/head/www/apache22/files/patch-config.layout
+
+apache_error_log = /usr/local/www/logs/*error[_.]log
+
+apache_access_log = /usr/local/www/logs/*access[_.]log
+
+# http://svnweb.freebsd.org/ports/head/www/nginx/Makefile?view=markup
+
+nginx_error_log = /var/log/nginx-error.log
+
+nginx_access_log = /var/log/nginx-access.log
+
+lighttpd_error_log = 

config/jail.conf

@@ -30,6 +30,12 @@
 
 # Comments: use '#' for comment lines and ';' (following a space) for inline comments
 
+
+[INCLUDES]
+
+#before = disto-paths.conf
+before = debian-paths.conf
+
 # The DEFAULT allows a global definition of the options. They can be overridden
 # in each jail afterwards.
 
@@ -192,27 +198,27 @@ action = %(action_)s
 [sshd]
 
 port    = ssh
-logpath = /var/log/auth.log
+logpath = %(sshd_log)s
-          /var/log/sshd.log
+
 
 [sshd-ddos]
 # This jail corresponds to the standard configuration in Fail2ban.
 # The mail-whois action send a notification e-mail with a whois request
 # in the body.
 port    = ssh
-logpath = /var/log/auth.log
+logpath = %(sshd_log)s
-          /var/log/sshd.log
+
 
 [dropbear]
 
 port     = ssh
-logpath  = /var/log/dropbear
+logpath  = %(dropbear_log)s
 
 
 [selinux-ssh]
 
 port     = ssh
-logpath  = /var/log/audit/audit.log
+logpath  = %(auditd_log)s
 maxretry = 5
 
 
@@ -224,7 +230,7 @@ filter      = sshd
 action      = hostsdeny[daemon_list=sshd]
               sendmail-whois[name=SSH, dest=you@example.com]
 ignoreregex = for myuser from
-logpath     = /var/log/sshd.log
+logpath     = %(sshd_log)s
 
 
 # Here we use blackhole routes for not requiring any additional kernel support
@@ -234,7 +240,7 @@ logpath     = /var/log/sshd.log
 
 filter = sshd
 action = route
-logpath = /var/log/sshd.log
+logpath = %(sshd_log)s
 
 
 # Here we use a combination of Netfilter/Iptables and IPsets
@@ -246,21 +252,21 @@ logpath = /var/log/sshd.log
 
 filter   = sshd
 action   = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
-logpath  = /var/log/sshd.log
+logpath  = %(sshd_log)s
 
 
 [sshd-iptables-ipset6]
 
 filter   = sshd
 action   = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
-logpath  = /var/log/sshd.log
+logpath  = %(sshd_log)s
 
 
 [sshd-apf]
 
 filter  = sshd
 action  = apf[name=SSH]
-logpath = /var/log/secure
+logpath = %(sshd_log)s
 maxretry = 5
 
 
@@ -273,7 +279,7 @@ maxretry = 5
 filter   = sshd
 action   = ipfw[localhost=192.168.0.1]
            sendmail-whois[name="SSH,IPFW", dest=you@example.com]
-logpath  = /var/log/auth.log
+logpath  = %(sshd_log)s
 
 
 # bsd-ipfw is ipfw used by BSD. It uses ipfw tables.
@@ -286,14 +292,14 @@ logpath  = /var/log/auth.log
 
 filter   = sshd
 action   = bsd-ipfw[port=ssh,table=1]
-logpath  = /var/log/auth.log
+logpath  = %(sshd_log)s
 
 
 [sshd-pf]
 # PF is a BSD based firewall
 filter  = sshd
 action  = pf
-logpath = /var/log/sshd.log
+logpath = %(sshd_log)s
 maxretry= 5
 
 
@@ -302,14 +308,14 @@ maxretry= 5
 
 filter = sshd
 action = osx-ipfw
-logpath = /var/log/secure.log
+logpath = %(sshd_log)s
 
 
 [osx-sshd-afctl]
 
 filter   = sshd
 action   = osx-afctl[bantime=600]
-logpath  = /var/log/secure.log
+logpath  = %(sshd_log)s
 maxretry = 5
 
 #
@@ -319,15 +325,14 @@ maxretry = 5
 [apache-auth]
 
 port     = http,https
-logpath  = /var/log/apache*/*error.log
+logpath  = %(apache_error_log)s
 
 
 [apache-badbots]
 # Ban hosts which agent identifies spammer robots crawling the web
 # for email addresses. The mail outputs are buffered.
 port     = http,https
-logpath  = /var/log/apache*/*access.log
+logpath  = %(apache_access_log)s
-          /var/www/*/logs/access_log
 bantime  = 172800
 maxretry = 1
 
@@ -335,45 +340,42 @@ maxretry = 1
 [apache-noscript]
 
 port     = http,https
-logpath  = /var/log/apache*/*error.log
+logpath  = %(apache_error_log)s
 maxretry = 6
 
 
 [apache-overflows]
 
 port     = http,https
-logpath  = /var/log/apache*/*error.log
+logpath  = %(apache_error_log)s
-          /var/www/*/logs/error_log
 maxretry = 2
 
 
 [apache-nohome]
 
 port     = http,https
-logpath  = /var/log/apache*/*error.log
+logpath  = %(apache_error_log)s
-          /var/www/*/logs/error_log
 maxretry = 2
 
 
 [apache-botsearch]
 
 port     = http,https
-logpath  = /var/log/apache*/*error.log
+logpath  = %(apache_error_log)s
 maxretry = 2
 
 
 [apache-modsecurity]
 
 port     = http,https
-logpath  = /var/log/apache*/*error.log
+logpath  = %(apache_error_log)s
-          /var/www/*/logs/error_log
 maxretry = 2
 
 
 [nginx-http-auth]
 
 ports   = http,https
-logpath = /var/log/nginx/error.log
+logpath = %(nginx_error_log)s
 
 
 # Ban attackers that try to use PHP's URL-fopen() functionality
@@ -383,20 +385,20 @@ logpath = /var/log/nginx/error.log
 [php-url-fopen]
 
 port    = http,https
-logpath = /var/www/*/logs/access_log
+logpath = %(nginx_access_log)s %(apache_access_log)s
 
 
 [suhosin]
 
 port    = http,https
-logpath = /var/log/lighttpd/error.log
+logpath = %(suhosin_log)s
 
 
 [lighttpd-auth]
 # Same as above for Apache's mod_auth
 # It catches wrong authentifications
 port    = http,https
-logpath = /var/log/lighttpd/error.log
+logpath = %(lighttpd_error_log)s
 
 
 #
@@ -483,7 +485,7 @@ logpath  = /var/log/proftpd/proftpd.log
 [pure-ftpd]
 
 port     = ftp,ftp-data,ftps,ftps-data
-logpath  = /var/log/auth.log
+logpath  = %(pureftpd_log)s
 maxretry = 6
 
 

config/osx-paths.conf

@@ -0,0 +1,24 @@
+# OSX
+#
+
+[INCLUDES]
+
+before = common-paths.conf
+
+after  = paths-overrides.local
+
+
+[DEFAULT]
+
+syslog_authpriv = /var/log/secure.log
+
+#syslog_auth = /var/log/auth.log
+
+
+
+
+
+syslog_mail = /var/log/mail.log
+
+syslog_mail_warn = /var/log/mail.warn
+

fail2ban/client/jailsreader.py

@@ -67,6 +67,8 @@ class JailsReader(ConfigReader):
 		# Get the options of all jails.
 		parse_status = True
 		for sec in sections:
+			if sec == 'INCLUDES':
+				continue
 			jail = JailReader(sec, basedir=self.getBaseDir(),
 							  force_enable=self.__force_enable)
 			jail.read()

fail2ban/tests/clientreadertestcase.py

@@ -435,7 +435,8 @@ class JailsReaderTest(LogCaptureTestCase):
 		# All jails must have filter and action set
 		# TODO: evolve into a parametric test
 		for jail in jails.sections():
-
+			if jail == 'INCLUDES':
+				continue
 			filterName = jails.get(jail, 'filter')
 			allFilters.add(filterName)
 			self.assertTrue(len(filterName))