* Only block new connects by using a new action iptables-new instead of

iptables (Closes: #350746) * Updated README.Debian to reflect transition over to 0.7 branch and to comment on 350746
2006-11-11 00:10:10 +00:00 · 2006-11-11 00:10:10 +00:00 · 24ada3c63e
parent 5cc9bc9ce6
commit 24ada3c63e
4 changed files with 133 additions and 27 deletions
--- a/debian/README.Debian
+++ b/debian/README.Debian
@ -1,43 +1,44 @@
-fail2ban for Debian
+fail2ban (>=0.7.0) for Debian
-------------------
+-----------------------------
-This package is ~95% identical to the upstream version. Few features
+This package is ~99% identical to the upstream version. Few features
 could have been added but not yet propagated into upstream version and
-some modifications might be Debian-specific (logsys logging
+some modifications might be Debian-specific. Debian specific jail.conf
-format). And although due to tight collaboration with upstream author
+file is shipped. Original upstream file is available from
-most of the Debian modifications penetrate into the next upstream, few
+/usr/share/doc/fail2ban/examples/jail.conf
 features present in Debian release were rejected by the upstream
 author (-e option for instance).
 Currently, the major difference with upstream: python libraries are
 placed under /usr/share/fail2ban instead of /usr/lib/fail2ban to
 comply with policy regarding architecture independent resources.
-Also the main config file /etc/fail2ban.conf is a copy of
+Upgrade from 0.6 versions:
-/usr/share/doc/examples/fail2ban.conf.iptables. There are config files
+-------------------------
-for banning via shorewall or hosts.deny are provided BUT they might
+
-miss additional sections present in fail2ban.conf. Please copy them
+* New Config Files Format:
-taking care about added sections. Those files will be obsolete in the
+
-next release which would handle split configuration files.
+If you had introduced your own sections in /etc/fail2ban.conf, you
 would need manually to convert them into a new format. At minimum you
 need to create /etc/fail2ban/filter.d/NAME.local (leave .conf files
 for me and upstream please to avoid any conflicts -- introduce your
 changes in .local) with failregex in [Definition] section. And provide
 appropriate jail definition in /etc/fail2ban/jail.local
 Default behavior:
 -----------------
 * Enabled Sections:
 Only handling of ssh files is enabled by default. If you want to use
 fail2ban with apache, please enable apache section manually in
-/etc/fail2ban.conf or enable section using command line parameter -e
+/etc/fail2ban/jail.local by including next lines:
-in /etc/default/fail2ban to avoid conflicts during upgrade of the
+
-config file.
+[apache]
 enabled = true
 NOTE: -e command line parameter is non existant in 0.7.x
 N.B. '-e' command line parameter is present solely in Debian release
 of fail2ban, thus it will not work if you decided to proceed with
 vanilla upstream.
 * Multiport banning:
 Comment for the wishlist #373592.
 Default iptables rules for banning use --dport statement which allows to
 ban just a single port. For multiport banning you would need to adjust iptables
 rules to use multiport module ( -m multiport --dports %(port)s ). If you would
@ -46,6 +47,21 @@ don't have --dport %(port)s statement at all (can be redefined on per-section
 basis as well)
 Such option is not enabled by default since multiport module might not be
 compiled for some hand compiled kernels.
 * Blocking of NEW connections only
 Comment for the wishlist #350746.
 It might be benefitial in some cases to ban only new connections. For
 that just use iptables-new action instead of default iptables:
 /etc/fail2ban/jail.local:
 [DEFAULT]
 action = iptables-new[name=%(__name__)s, port=%(port)s]
 or override action within interesting for you section
 Troubleshooting:
 ---------------
@ -61,6 +77,8 @@ just a single group (?P<host>...)
 [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330827
 You might benefit from using fail2ban-regex to construct and debug
 your failregex statements.
 * "Interpolations" in the config file:
@ -127,4 +145,4 @@ had enough of failed logins within "findtime" will be banned for
 "bantime" since [re]start moment, not since the last failed login
 time.
- -- Yaroslav O. Halchenko <debian@onerussian.com>, Sun, 19 Mar 2006 00:27:22 -0500
+ -- Yaroslav O. Halchenko <debian@onerussian.com>, Fri, 10 Nov 2006 18:19:48 -0500
--- a/debian/changelog
+++ b/debian/changelog
@ -1,8 +1,12 @@
 fail2ban (0.7.4-3~1) unstable; urgency=low
  * Reincarnated logrotate configuration (Closes: #397878)
  * Only block new connects by using a new action iptables-new instead of
    iptables (Closes: #350746)
  * Updated README.Debian to reflect transition over to 0.7 branch and to
    comment on 350746
- -- Yaroslav Halchenko <debian@onerussian.com>  Fri, 10 Nov 2006 10:53:39 -0500
+ -- Yaroslav Halchenko <debian@onerussian.com>  Fri, 10 Nov 2006 18:02:54 -0500
 fail2ban (0.7.4-2) unstable; urgency=low
--- a/debian/patches/00_iptables_NEW.dpatch
+++ b/debian/patches/00_iptables_NEW.dpatch
@ -0,0 +1,83 @@
 #! /bin/sh /usr/share/dpatch/dpatch-run
 ## 00_iptables_NEW.dpatch by Yaroslav Halchenko <debian@onerussian.com>
 ##
 ## All lines beginning with `## DP:' are a description of the patch.
 ## DP: No description.
@DPATCH@
 diff -urNad fail2ban-0.7.4~/config/action.d/iptables-new.conf fail2ban-0.7.4/config/action.d/iptables-new.conf
 --- fail2ban-0.7.4~/config/action.d/iptables-new.conf	1969-12-31 19:00:00.000000000 -0500
 +++ fail2ban-0.7.4/config/action.d/iptables-new.conf	2006-11-10 18:01:27.000000000 -0500
@@ -0,0 +1,72 @@
 +# Fail2Ban configuration file
 +#
 +# Author: Cyril Jaquier
 +# Copied from iptables.conf and modified by Yaroslav Halchenko 
 +#  to fullfill the needs of bugreporter dbts#350746.
 +#
 +# $Revision: 394 $
 +#
 +
 +[Definition]
 +
 +# Option:  fwstart
 +# Notes.:  command executed once at the start of Fail2Ban.
 +# Values:  CMD
 +#
 +actionstart = iptables -N fail2ban-<name>
 +              iptables -A fail2ban-<name> -j RETURN
 +              iptables -I INPUT -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
 +
 +# Option:  fwend
 +# Notes.:  command executed once at the end of Fail2Ban
 +# Values:  CMD
 +#
 +actionstop = iptables -D INPUT -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
 +             iptables -F fail2ban-<name>
 +             iptables -X fail2ban-<name>
 +
 +# Option:  fwcheck
 +# Notes.:  command executed once before each fwban command
 +# Values:  CMD
 +#
 +actioncheck = iptables -L INPUT | grep -q fail2ban-<name>
 +
 +# Option:  fwban
 +# Notes.:  command executed when banning an IP. Take care that the
 +#          command is executed with Fail2Ban user rights.
 +# Tags:    <ip>  IP address
 +#          <failures>  number of failures
 +#          <failtime>  unix timestamp of the last failure
 +#          <bantime>  unix timestamp of the ban time
 +# Values:  CMD
 +#
 +actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 +
 +# Option:  fwunban
 +# Notes.:  command executed when unbanning an IP. Take care that the
 +#          command is executed with Fail2Ban user rights.
 +# Tags:    <ip>  IP address
 +#          <bantime>  unix timestamp of the ban time
 +#          <unbantime>  unix timestamp of the unban time
 +# Values:  CMD
 +#
 +actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
 +
 +[Init]
 +
 +# Defaut name of the chain
 +#
 +name = default
 +
 +# Option:  port
 +# Notes.:  specifies port to monitor
 +# Values:  [ NUM | STRING ]  Default:
 +#
 +port = ssh
 +
 +# Option:  protocol
 +# Notes.:  internally used by config reader for interpolations.
 +# Values:  [ tcp | udp | icmp | all ] Default: tcp
 +#
 +protocol = tcp
 +
--- a/debian/patches/00list
+++ b/debian/patches/00list
@ -1,4 +1,5 @@
 X00_rigid_python24
 00_share_insteadof_lib
 00_iptables_NEW
 10_dbts_manpages
 10_wuftpd_section