Merge branch 'upstream-0.8' into upstream

* upstream-0.8: spellcheck jail.conf. Thanks Christoph Anton Mitterer default ignoreip to ignore entire loopback zone (/8): see http://bugs.debian.org/598200 Tai64N stores time in GMT, we need to convert to local time before returning debug entry for lines ignored due to falling below findtime (v2) disabling entirely named-refused-udp jail with a big fat warning added time module. bug reported in buanzo's blog at http://blogs.buanzo.com.ar/2009/04/fail2ban-patch-ban-ip-address-manually.html
2011-03-23 13:36:22 -04:00 · 2011-03-23 13:36:22 -04:00 · 2394a465fa
parent 1b8a52fa48 7b54c7b33b
commit 2394a465fa
3 changed files with 26 additions and 13 deletions
--- a/config/jail.conf
+++ b/config/jail.conf
@ -5,7 +5,7 @@
 # $Revision: 747 $
 #

-# The DEFAULT allows a global definition of the options. They can be override
+# The DEFAULT allows a global definition of the options. They can be overridden
 # in each jail afterwards.

 [DEFAULT]
@ -13,7 +13,7 @@
 # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
 # ban a host which matches an address in this list. Several addresses can be
 # defined using space separator.
-ignoreip = 127.0.0.1
+ignoreip = 127.0.0.1/8

 # "bantime" is the number of seconds that a host is banned.
 bantime  = 600
@ -211,14 +211,22 @@ ignoreip = 168.192.0.1
 # in your named.conf to provide proper logging.
 # This jail blocks UDP traffic for DNS requests.

-[named-refused-udp]
-
-enabled  = false
-filter   = named-refused
-action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
-           sendmail-whois[name=Named, dest=you@mail.com]
-logpath  = /var/log/named/security.log
-ignoreip = 168.192.0.1
+# !!! WARNING !!!
+#   Since UDP is connection-less protocol, spoofing of IP and imitation
+#   of illegal actions is way too simple.  Thus enabling of this filter
+#   might provide an easy way for implementing a DoS against a chosen
+#   victim. See
+#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
+#   Please DO NOT USE this jail unless you know what you are doing.
+#
+# [named-refused-udp]
+#
+# enabled  = false
+# filter   = named-refused
+# action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
+#            sendmail-whois[name=Named, dest=you@mail.com]
+# logpath  = /var/log/named/security.log
+# ignoreip = 168.192.0.1

 # This jail blocks TCP traffic for DNS requests.

--- a/server/datetemplate.py
+++ b/server/datetemplate.py
@ -1,4 +1,4 @@
-# -*- coding: utf8 -*-
+# -*- coding: utf-8 -*-
 # This file is part of Fail2Ban.
 #
 # Fail2Ban is free software; you can redistribute it and/or modify
@ -168,7 +168,8 @@ class DateTai64n(DateTemplate):
 			# extract part of format which represents seconds since epoch
 			value = dateMatch.group()
 			seconds_since_epoch = value[2:17]
-			date = list(time.gmtime(int(seconds_since_epoch, 16)))
+			# convert seconds from HEX into local time stamp
+			date = list(time.localtime(int(seconds_since_epoch, 16)))
 		return date


--- a/server/filter.py
+++ b/server/filter.py
@ -31,7 +31,7 @@ from datedetector import DateDetector
 from mytime import MyTime
 from failregex import FailRegex, Regex, RegexException

-import logging, re, os, fcntl
+import logging, re, os, fcntl, time

 # Gets the instance of the logger.
 logSys = logging.getLogger("fail2ban.filter")
@ -268,7 +268,11 @@ class Filter(JailThread):
 		for element in self.processLine(line):
 			ip = element[0]
 			unixTime = element[1]
+			logSys.debug("Processing line with time:%s and ip:%s"
+						 % (unixTime, ip))
 			if unixTime < MyTime.time() - self.getFindTime():
+				logSys.debug("Ignore line since time %s < %s - %s"
+							 % (unixTime, MyTime.time(), self.getFindTime()))
 				break
 			if self.inIgnoreIPList(ip):
 				logSys.debug("Ignore %s" % ip)