* Only block new connects by using a new action iptables-new instead of

iptables (Closes: #350746) * Updated README.Debian to reflect transition over to 0.7 branch and to comment on 350746
18 years ago · 24ada3c63e
parent 5cc9bc9ce6
commit 24ada3c63e
4 changed files with 133 additions and 27 deletions
--- a/debian/README.Debian
+++ b/debian/README.Debian
@ -1,51 +1,67 @@
-fail2ban for Debian
-------------------
+fail2ban (>=0.7.0) for Debian
+-----------------------------

-This package is ~95% identical to the upstream version. Few features
+This package is ~99% identical to the upstream version. Few features
 could have been added but not yet propagated into upstream version and
-some modifications might be Debian-specific (logsys logging
-format). And although due to tight collaboration with upstream author
-most of the Debian modifications penetrate into the next upstream, few
-features present in Debian release were rejected by the upstream
-author (-e option for instance).
+some modifications might be Debian-specific. Debian specific jail.conf
+file is shipped. Original upstream file is available from
+/usr/share/doc/fail2ban/examples/jail.conf

 Currently, the major difference with upstream: python libraries are
 placed under /usr/share/fail2ban instead of /usr/lib/fail2ban to
 comply with policy regarding architecture independent resources.

-Also the main config file /etc/fail2ban.conf is a copy of
-/usr/share/doc/examples/fail2ban.conf.iptables. There are config files
-for banning via shorewall or hosts.deny are provided BUT they might
-miss additional sections present in fail2ban.conf. Please copy them
-taking care about added sections. Those files will be obsolete in the
-next release which would handle split configuration files.
+Upgrade from 0.6 versions:
+-------------------------
+
+* New Config Files Format:
+
+If you had introduced your own sections in /etc/fail2ban.conf, you
+would need manually to convert them into a new format. At minimum you
+need to create /etc/fail2ban/filter.d/NAME.local (leave .conf files
+for me and upstream please to avoid any conflicts -- introduce your
+changes in .local) with failregex in [Definition] section. And provide
+appropriate jail definition in /etc/fail2ban/jail.local

-Default behavior:
-----------------

 * Enabled Sections:

 Only handling of ssh files is enabled by default. If you want to use
 fail2ban with apache, please enable apache section manually in
-/etc/fail2ban.conf or enable section using command line parameter -e
-in /etc/default/fail2ban to avoid conflicts during upgrade of the
-config file.
+/etc/fail2ban/jail.local by including next lines:
+
+[apache]
+enabled = true
+
+NOTE: -e command line parameter is non existant in 0.7.x

-N.B. '-e' command line parameter is present solely in Debian release
- of fail2ban, thus it will not work if you decided to proceed with
- vanilla upstream.

 * Multiport banning:
+Comment for the wishlist #373592.

-Comment for the wishlist #373592. 
 Default iptables rules for banning use --dport statement which allows to
 ban just a single port. For multiport banning you would need to adjust iptables
 rules to use multiport module ( -m multiport --dports %(port)s ). If you would
 like to ban all ports for that host, just redefine fwban/fwunban commands to
-don't have --dport %(port)s statement at all (can be redefined on per-section 
+don't have --dport %(port)s statement at all (can be redefined on per-section
 basis as well)
-Such option is not enabled by default since multiport module might not be 
+Such option is not enabled by default since multiport module might not be
 compiled for some hand compiled kernels.
+
+
+* Blocking of NEW connections only
+Comment for the wishlist #350746.
+
+It might be benefitial in some cases to ban only new connections. For
+that just use iptables-new action instead of default iptables:
+/etc/fail2ban/jail.local:
+
+[DEFAULT]
+action = iptables-new[name=%(__name__)s, port=%(port)s]
+
+or override action within interesting for you section
+
+
 Troubleshooting:
 ---------------

@ -61,6 +77,8 @@ just a single group (?P<host>...)

 [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330827

+You might benefit from using fail2ban-regex to construct and debug
+your failregex statements.

 * "Interpolations" in the config file:

@ -127,4 +145,4 @@ had enough of failed logins within "findtime" will be banned for
 "bantime" since [re]start moment, not since the last failed login
 time.

- -- Yaroslav O. Halchenko <debian@onerussian.com>, Sun, 19 Mar 2006 00:27:22 -0500
+ -- Yaroslav O. Halchenko <debian@onerussian.com>, Fri, 10 Nov 2006 18:19:48 -0500
--- a/debian/changelog
+++ b/debian/changelog
@ -1,8 +1,12 @@
 fail2ban (0.7.4-3~1) unstable; urgency=low

  * Reincarnated logrotate configuration (Closes: #397878)
+  * Only block new connects by using a new action iptables-new instead of
+    iptables (Closes: #350746)
+  * Updated README.Debian to reflect transition over to 0.7 branch and to
+    comment on 350746

- -- Yaroslav Halchenko <debian@onerussian.com>  Fri, 10 Nov 2006 10:53:39 -0500
+ -- Yaroslav Halchenko <debian@onerussian.com>  Fri, 10 Nov 2006 18:02:54 -0500

 fail2ban (0.7.4-2) unstable; urgency=low

--- a/debian/patches/00_iptables_NEW.dpatch
+++ b/debian/patches/00_iptables_NEW.dpatch
@ -0,0 +1,83 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 00_iptables_NEW.dpatch by Yaroslav Halchenko <debian@onerussian.com>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad fail2ban-0.7.4~/config/action.d/iptables-new.conf fail2ban-0.7.4/config/action.d/iptables-new.conf
+--- fail2ban-0.7.4~/config/action.d/iptables-new.conf	1969-12-31 19:00:00.000000000 -0500
+++ fail2ban-0.7.4/config/action.d/iptables-new.conf	2006-11-10 18:01:27.000000000 -0500
+@@ -0,0 +1,72 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Copied from iptables.conf and modified by Yaroslav Halchenko 
+#  to fullfill the needs of bugreporter dbts#350746.
+#
+# $Revision: 394 $
+#
+
+[Definition]
+
+# Option:  fwstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = iptables -N fail2ban-<name>
+              iptables -A fail2ban-<name> -j RETURN
+              iptables -I INPUT -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+
+# Option:  fwend
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = iptables -D INPUT -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+             iptables -F fail2ban-<name>
+             iptables -X fail2ban-<name>
+
+# Option:  fwcheck
+# Notes.:  command executed once before each fwban command
+# Values:  CMD
+#
+actioncheck = iptables -L INPUT | grep -q fail2ban-<name>
+
+# Option:  fwban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <failtime>  unix timestamp of the last failure
+#          <bantime>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+
+# Option:  fwunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <bantime>  unix timestamp of the ban time
+#          <unbantime>  unix timestamp of the unban time
+# Values:  CMD
+#
+actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+
+[Init]
+
+# Defaut name of the chain
+#
+name = default
+
+# Option:  port
+# Notes.:  specifies port to monitor
+# Values:  [ NUM | STRING ]  Default:
+#
+port = ssh
+
+# Option:  protocol
+# Notes.:  internally used by config reader for interpolations.
+# Values:  [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
--- a/debian/patches/00list
+++ b/debian/patches/00list
@ -1,4 +1,5 @@
 X00_rigid_python24
 00_share_insteadof_lib
+00_iptables_NEW
 10_dbts_manpages
 10_wuftpd_section