Merge: opensolaris docs/fixes, no 'sed -i' in hostsdeny, sshd regex tuneups

Origin: from https://github.com/jamesstout/fail2ban

* 'OpenSolaris' of https://github.com/jamesstout/fail2ban:
  ENH: Removed unused log line
  BF: fail2ban.local needs section headers
  ENH: Use .local config files for logtarget and jail
  ENH+TST: ssh failure messages for OpenSolaris and OS X
  ENH: fail message matching for OpenSolaris and OS X
  ENH: extra daemon info regex
  ENH: actionunban back to a sed command
  Readme for config on Solaris
  create socket/pid dir if needed
  Extra patterns for Solaris
  change sed to perl for Solaris

Conflicts:
	config/filter.d/sshd.conf

README.Solaris

@@ -0,0 +1,141 @@
+# vim:tw=80:ft=txt
+
+README FOR SOLARIS INSTALLATIONS
+
+By Roy Sigurd Karlsbakk <roy@karlsbakk.net>
+
+ABOUT
+
+This readme is meant for those wanting to install fail2ban on Solaris 10,
+OpenSolaris, OpenIndiana etc. To some degree it may as well be useful for
+users of older Solaris versions and Nexenta, but don't rely on it.
+
+READ ME FIRST
+
+If I use the term Solaris, I am talking about any Solaris dialect, that is, the
+official Sun/Oracle ones or derivates. If I describe an OS as
+"OpenSolaris-based", it means it's either OpenSolaris, OpenIndiana or one of the
+other, but /not/ the Nexenta family, since this only uses the OpenSolaris/
+IllumOS kernel and not the userland. If I say Solaris 10, I mean Solaris 10 and
+perhaps, if you're lucky and have some good gods on your side, it may also apply
+to Solaris 9 or even 8 and hopefully in the new Solaris 11 whenever that may be
+released. Quoted lines of code, settings et cetera are indented with two spaces.
+This does _not_ mean you should use that indentation, especially in config files
+where they can be harmful. Optional settings are prefixed with OPT: while
+required settings are prefixed with REQ:. If no prefix is found, regard it as a
+required setting.
+
+INSTALLATION ON SOLARIS
+
+The installation is straight forward on Solaris as well as on linux/bsd/etc.
+./setup.py install installs the general packages in /usr/bin on OpenSolaris-
+based distros or (at least on this box) under /usr/sfw/bin on Solaris 10. In
+the files/ directory you will find the file solaris-fail2ban.xml containing the
+Solaris service. To install this, run the following command as root (or with
+sudo):
+
+  svccfg import files/solaris-fail2ban.xml
+
+This should normally without giving an error. If you get an error, deal with it,
+and please post any relevant info (or fixes?) to the fail2ban mailing list.
+Next install the service handler - copy the script in and allow it to be executed:
+
+  cp files/solaris-svc-fail2ban /lib/svc/method/svc-fail2ban
+  chmod +x /lib/svc/method/svc-fail2ban
+
+CONFIGURE SYSLOG
+
+For some reason, a default Solaris installation does not log ssh login attempts,
+and since fail2ban works by monitoring logs, enabling this logging is rather
+important for it to work. To enable this, edit /etc/syslog.conf and add a line
+at the end:
+
+  auth.info					/var/adm/auth.log
+
+Save the file and exit, and run
+
+  touch /var/adm/auth.log
+
+The Solaris system logger will _not_ create a non-existing file. Now, restart
+the system logger.
+
+  svcadm restart system-log
+
+Try to ssh into localhost with ssh asdf@localhost and enter an invalid password.
+Make sure this is logged in the above file. When done, you may configure
+fail2ban.
+
+FAIL2BAN CONFIGURATION
+
+OPT: Create /etc/fail2ban/fail2ban.local containing:
+
+# Fail2Ban main configuration file
+#
+# Comments: use '#' for comment lines and ';' for inline comments
+#
+# Changes:  in most of the cases you should not modify this
+#           file, but provide customizations in fail2ban.local file, e.g.:
+#
+# [Definition]
+# loglevel = 4
+#
+[Definition]
+
+# Option:  logtarget
+# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
+#          Only one log target can be specified.
+#          If you change logtarget from the default value and you are
+#          using logrotate -- also adjust or disable rotation in the
+#          corresponding configuration file
+#          (e.g. /etc/logrotate.d/fail2ban on Debian systems)
+# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
+#
+logtarget = /var/adm/fail2ban.log
+
+
+REQ: Create /etc/fail2ban/jail.local containing:
+
+[ssh-tcpwrapper]
+
+enabled     = true
+filter      = sshd
+action      = hostsdeny
+              sendmail-whois[name=SSH, dest=you@example.com]
+ignoreregex = for myuser from
+logpath     = /var/adm/auth.log
+
+Set the sendmail dest address to something useful or drop the line to stop it spamming you.
+Set 'myuser' to your username to avoid banning yourself or drop it.
+
+START (OR RESTART) FAIL2BAN
+
+Enable the fail2ban service with
+
+  svcadm enable fail2ban
+
+When done, check that all services are running well
+
+  svcs -xv
+
+GOTCHAS AND FIXMES
+
+* It seems the installation may be starting fail2ban automatically. If this is
+  done, fail2ban will not start, but no errors will be returned from svcs
+  (above). Check if it's running with 'ps -ef | grep fail2ban' and manually kill
+  the PID if it is. Re-enable fail2ban and try again
+
+    svcadm disable fail2ban
+    svcadm enable fail2ban
+
+* If svcs -xv says that fail2ban failed to start or svcs says it's in maintenance mode
+  chcek /var/svc/log/network-fail2ban:default.log for clues. 
+  Check permissions on /var/adm, /var/adm/auth.log /var/adm/fail2ban.log and /var/run/fail2ban
+  You may need to:
+
+  sudo mkdir /var/run/fail2ban
+
+* Fail2ban adds lines like these to /etc/hosts.deny:
+
+    ALL: 1.2.3.4
+
+  wouldn't it be better to just block sshd?

config/action.d/hostsdeny.conf

@@ -39,7 +39,7 @@ actionban = IP=<ip> &&
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionunban = IP=<ip> && sed -i.old /ALL:\ $IP/d <file>
+actionunban = IP=<ip> && sed  /ALL:\ $IP/d <file> > <file>.new && mv <file>.new <file>
 
 [Init]
 

config/filter.d/common.conf

@@ -27,6 +27,10 @@ __pid_re = (?:\[\d+\])
 # EXAMPLES: pam_rhosts_auth, [sshd], pop(pam_unix)
 __daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?
 
+# extra daemon info
+# EXAMPLE: [ID 800047 auth.info]
+__daemon_extra_re = (?:\[ID \d+ \S+\])
+
 # Combinations of daemon name and PID
 # EXAMPLES: sshd[31607], pop(pam_unix)[4920]
 __daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
@@ -42,5 +46,5 @@ __hostname = \S+
 #
 #       [hostname] [vserver tag] daemon_id spaces
 # this can be optional (for instance if we match named native log files)
-__prefix_line = \s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*
+__prefix_line = \s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s%(__daemon_extra_re)s?\s*
 

config/filter.d/sshd.conf

@@ -22,7 +22,7 @@ _daemon = sshd
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = ^%(__prefix_line)s(?:error: PAM: )?[A|a]uthentication (?:failure|error) for .* from <HOST>\s*$
+failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>\s*$
             ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
             ^%(__prefix_line)sFailed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
             ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$

files/solaris-svc-fail2ban

@@ -17,8 +17,26 @@ fi
 
 ENV="/usr/bin/env -i LANG=C PATH=/usr/local/bin:/usr/bin:/bin:/opt/sfw/bin:/usr/sfw/bin"
 
+# get socket/pid conf and check dir exists
+# sock and pid default dirs are currently the same
+# mkdir if it doesn't exist
+SOCK_FILE=$(sed "/^\#/d" "$F2B_CONF" | grep "socket"  | tail -1 | cut -d "=" -f2-)
+SOCK_DIR=$(dirname $SOCK_FILE)
+if [ -n "$SOCK_DIR" ]; then
+	if [ ! -d "$SOCK_DIR" ]; then
+		mkdir "$SOCK_DIR" || exit 1
+	fi
+fi
+
 case $1 in
 	start)
+		# remove any lingering sockets
+		# don't quote the var for the -e test
+		if [ -n "$SOCK_FILE" ]; then
+			if [ -e $SOCK_FILE ]; then
+				rm -f $SOCK_FILE || exit 1
+			fi
+		fi
 		[ -f /etc/fail2ban.conf ] || touch /etc/fail2ban.conf
 		echo "Starting fail2ban-server with $F2B_CONF"
 		eval $ENV /usr/local/bin/fail2ban-client start &

testcases/files/logs/sshd

@@ -13,7 +13,6 @@ Jan  5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM ::ffff:1.2.3.4
 #4
 Jul 20 14:42:11 localhost sshd[22708]: Invalid user ftp from 211.114.51.213
 
-
 #5 new filter introduced after looking at 44087D8C.9090407@bluewin.ch
 Mar  3 00:17:22 [sshd] User root from 210.188.220.49 not allowed because not listed in AllowUsers
 Feb 25 14:34:11 belka sshd[31607]: User root from ferrari.inescn.pt not allowed because not listed in AllowUsers
@@ -29,5 +28,21 @@ Oct 15 19:51:35 server sshd[7592]: Address 1.2.3.4 maps to 1234.bbbbbb.com, but
 #8 DenyUsers https://github.com/fail2ban/fail2ban/issues/47
 Apr 16 22:01:15 al-ribat sshd[5154]: User root from 46.45.128.3 not allowed because listed in DenyUsers
 
-# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648020
-Nov  8 11:19:38 bar sshd[25427]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.6
+#9 OpenSolaris patch - pull https://github.com/fail2ban/fail2ban/pull/182
+Mar 29 05:59:23 dusky sshd[20878]: [ID 800047 auth.info] Failed keyboard-interactive for <invalid username> from 205.186.180.55 port 42742 ssh2
+Mar 29 05:20:09 dusky sshd[19558]: [ID 800047 auth.info] Failed keyboard-interactive for james from 205.186.180.30 port 54520 ssh2
+
+#10 OSX syslog error
+Apr 29 14:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from dusky via 192.168.1.201
+Apr 29 17:16:20 Jamess-iMac.local sshd[62312]: error: PAM: authentication error for james from n29.c07.mtsvc.net via 192.168.1.201
+Apr 29 20:11:08 Jamess-iMac.local sshd[63814]: [ID 800047 auth.info] Failed keyboard-interactive for <invalid username> from 205.186.180.35 port 42742 ssh2
+Apr 29 20:12:08 Jamess-iMac.local sshd[63814]: [ID 800047 auth.info] Failed keyboard-interactive for james from 205.186.180.22 port 54520 ssh2
+Apr 29 20:13:08 Jamess-iMac.local sshd[63814]: Failed keyboard-interactive for james from 205.186.180.42 port 54520 ssh2
+Apr 29 20:14:08 Jamess-iMac.local sshd[63814]: Failed keyboard-interactive for <invalid username> from 205.186.180.44 port 42742 ssh2
+Apr 30 01:42:12 Jamess-iMac.local sshd[2554]: Failed keyboard-interactive/pam for invalid user jamedds from 205.186.180.77 port 33723 ssh2
+Apr 29 12:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication failure for james from 205.186.180.88 via 192.168.1.201
+Apr 29 13:53:38 Jamess-iMac.local sshd[47831]: error: PAM: Authentication failure for james from 205.186.180.99 via 192.168.1.201
+Apr 29 15:53:38 Jamess-iMac.local sshd[47831]: error: PAM: Authentication error for james from 205.186.180.100 via 192.168.1.201
+Apr 29 16:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.101 via 192.168.1.201
+Apr 29 17:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.102
+Apr 29 18:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.103