From 3ec725a2ba50784ee3f17aa16e0e4eff63a89715 Mon Sep 17 00:00:00 2001 From: Simon Brown Date: Mon, 26 Oct 2015 17:35:38 -0700 Subject: [PATCH 01/42] Created file From https://github.com/beezwax/filemaker-fail2ban/blob/master/fail2ban/filter.d/screensharingd.conf --- config/filter.d/screensharingd.conf | 33 +++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 config/filter.d/screensharingd.conf diff --git a/config/filter.d/screensharingd.conf b/config/filter.d/screensharingd.conf new file mode 100644 index 00000000..c0b5d32c --- /dev/null +++ b/config/filter.d/screensharingd.conf @@ -0,0 +1,33 @@ +# Fail2Ban configuration file +# +# Author: Simon Brown +# +# $Revision: 1 $ +# +# Filter for Mac OS X Screen Sharing service + +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + + +[Definition] + +_daemon = screensharingd + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P[\w\-.^_]+) +# Values: TEXT +# +failregex = ^.+ screensharingd.+: Authentication: FAILED :: User Name: .+ :: Viewer Address: :: .*$ + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = From 80546c61642248445b5140bf5f156dca058cd858 Mon Sep 17 00:00:00 2001 From: Simon Brown Date: Mon, 26 Oct 2015 17:50:49 -0700 Subject: [PATCH 02/42] Added in settings for screensharingd filter --- config/jail.conf | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/config/jail.conf b/config/jail.conf index fd7f376e..e056ea3c 100644 --- a/config/jail.conf +++ b/config/jail.conf 
@@ -786,3 +786,10 @@ returntype = DROP bantime = 3600 maxretry = 1 findtime = 1 + +[screensharing] +# For Mac OS Screen Sharing Service +enabled = true +filter = screensharingd +logpath = %(system_log)s +maxretry = 4 From de14946542f0cbc8eece09329ca03418086c36da Mon Sep 17 00:00:00 2001 From: Simon Brown Date: Mon, 26 Oct 2015 18:02:07 -0700 Subject: [PATCH 03/42] Added new path variable for system.log Logging location for the majority of Mac OS daemons. --- config/paths-osx.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/paths-osx.conf b/config/paths-osx.conf index d1b99b38..4f4df632 100644 --- a/config/paths-osx.conf +++ b/config/paths-osx.conf @@ -25,3 +25,5 @@ syslog_authpriv = /var/log/secure.log #syslog_local0 = +# Default Mac OS log location for syslog output. +system_log = /var/log/system.log From d17d837b8c855091f7cca3231c8ac05c4963553b Mon Sep 17 00:00:00 2001 From: Simon Brown Date: Tue, 27 Oct 2015 10:28:07 -0700 Subject: [PATCH 04/42] Update jail.conf Added logencoding to screensharing jail to avoid encoding error messages in fail2ban log --- config/jail.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/config/jail.conf b/config/jail.conf index e056ea3c..2b9e9eaf 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -792,4 +792,5 @@ findtime = 1 enabled = true filter = screensharingd logpath = %(system_log)s +logencoding=utf-8 maxretry = 4 From 4c3f778b826248809273d1287271e599a1f0f64e Mon Sep 17 00:00:00 2001 From: Simon Brown Date: Tue, 27 Oct 2015 10:33:30 -0700 Subject: [PATCH 05/42] Replaced .* with literal Per Serg's suggestions. Possible I'm missing some auth attempt types, but I couldn't find anything where literal wasn't sufficient. --- config/filter.d/screensharingd.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/screensharingd.conf b/config/filter.d/screensharingd.conf index c0b5d32c..fc9f6aed 100644 --- a/config/filter.d/screensharingd.conf 
+++ b/config/filter.d/screensharingd.conf @@ -24,7 +24,7 @@ _daemon = screensharingd # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # -failregex = ^.+ screensharingd.+: Authentication: FAILED :: User Name: .+ :: Viewer Address: :: .*$ +failregex = ^.+ screensharingd.+: Authentication: FAILED :: User Name: .+ :: Viewer Address: :: Type: DH$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. From b3a18631e214ad970e87d2704e3d8027bb76359d Mon Sep 17 00:00:00 2001 From: Simon Brown Date: Tue, 27 Oct 2015 10:43:43 -0700 Subject: [PATCH 06/42] Sample log for test case --- fail2ban/tests/files/logs/screenshare | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 fail2ban/tests/files/logs/screenshare diff --git a/fail2ban/tests/files/logs/screenshare b/fail2ban/tests/files/logs/screenshare new file mode 100644 index 00000000..d3736f82 --- /dev/null +++ b/fail2ban/tests/files/logs/screenshare @@ -0,0 +1,5 @@ +Oct 27 09:24:46 test1.beezwax.net screensharingd[1170]: Authentication: SUCCEEDED :: User Name: simon :: Viewer Address: 192.168.5.247 :: Type: DH +Oct 27 09:25:41 test1.beezwax.net screensharingd[1170]: Authentication: FAILED :: User Name: sdfsdfs () mro :: Viewer Address: 192.168.5.247 :: Type: DH +Oct 27 09:25:49 test1.beezwax.net screensharingd[1170]: Authentication: FAILED :: User Name: sdfsdfs :: :: Viewer Address: 192.168.5.247 :: Type: DH +Oct 27 09:25:58 test1.beezwax.net screensharingd[1170]: Authentication: FAILED :: User Name: sdfsdfs _+ :: Viewer Address: 192.168.5.247 :: Type: DH +Oct 27 09:26:09 test1.beezwax.net screensharingd[1170]: Authentication: FAILED :: User Name: sdfsdfs @! s:: :: Viewer Address: 192.168.5.247 :: Type: DH From 3e4a77a5687550a47888720856d0b652cf6745d9 Mon Sep 17 00:00:00 2001 From: Simon Brown Date: Tue, 27 Oct 2015 12:31:51 -0700 Subject: [PATCH 07/42] Added json metadata --- fail2ban/tests/files/logs/screenshare | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) 
diff --git a/fail2ban/tests/files/logs/screenshare b/fail2ban/tests/files/logs/screenshare index d3736f82..73425b43 100644 --- a/fail2ban/tests/files/logs/screenshare +++ b/fail2ban/tests/files/logs/screenshare 
@@ -1,5 +1,14 @@ +# failJSON: { "time": "Oct 27 09:24:46", "match": false , "host": "192.168.5.247" } Oct 27 09:24:46 test1.beezwax.net screensharingd[1170]: Authentication: SUCCEEDED :: User Name: simon :: Viewer Address: 192.168.5.247 :: Type: DH +# failJSON: { "time": "Oct 27 09:25:41", "match": true , "host": "192.168.5.247" } Oct 27 09:25:41 test1.beezwax.net screensharingd[1170]: Authentication: FAILED :: User Name: sdfsdfs () mro :: Viewer Address: 192.168.5.247 :: Type: DH +# failJSON: { "time": "Oct 27 09:25:49", "match": true , "host": "192.168.5.247" } Oct 27 09:25:49 test1.beezwax.net screensharingd[1170]: Authentication: FAILED :: User Name: sdfsdfs :: :: Viewer Address: 192.168.5.247 :: Type: DH -Oct 27 09:25:58 test1.beezwax.net screensharingd[1170]: Authentication: FAILED :: User Name: sdfsdfs _+ :: Viewer Address: 192.168.5.247 :: Type: DH +# failJSON: { "time": "Oct 27 09:26:09", "match": true , "host": "192.168.5.247" } Oct 27 09:26:09 test1.beezwax.net screensharingd[1170]: Authentication: FAILED :: User Name: sdfsdfs @! 
s:: :: Viewer Address: 192.168.5.247 :: Type: DH +# failJSON: { "time": "Oct 27 09:23:20", "match": false , "host": "192.168.5.247" } +Oct 27 09:23:20 fm100 com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.pid.SecurityAgent.1156): Path not allowed in target domain: type = uid, path = /System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/SandboxedServiceRunner.xpc/Contents/MacOS/SandboxedServiceRunner error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/SecurityAgent.xpc +# failJSON: { "time": "Oct 27 09:23:20", "match": false , "host": "192.168.5.247" } +Oct 27 09:23:20 fm100.beezwax.net ManagedClient[1155]: MCXCCacheMCXRecordAndGraph(): vproc_swap_integer(NULL, VPROC_GSK_PERUSER_SUSPEND, &(uid=1027), NULL) failed +# failJSON: { "time": "Oct 27 12:26:44", "match": false , "host": "192.168.5.247" } +Oct 27 12:26:44 fm100.beezwax.net digest-service[3828]: digest-request: kdc failed with 36150275 proto=unknown From 6a5f10ee72eed02fb8aa66af6beb4c7e57fc6c97 Mon Sep 17 00:00:00 2001 From: Simon Brown Date: Tue, 27 Oct 2015 16:27:14 -0700 Subject: [PATCH 08/42] name change & new sample data changed name to match daemon, log samples with year --- fail2ban/tests/files/logs/screenshare | 14 -------------- fail2ban/tests/files/logs/screenshared | 18 ++++++++++++++++++ 2 files changed, 18 insertions(+), 14 deletions(-) delete mode 100644 fail2ban/tests/files/logs/screenshare create mode 100644 fail2ban/tests/files/logs/screenshared diff --git a/fail2ban/tests/files/logs/screenshare b/fail2ban/tests/files/logs/screenshare deleted file mode 100644 index 73425b43..00000000 --- a/fail2ban/tests/files/logs/screenshare +++ /dev/null 
@@ -1,14 +0,0 @@ -# failJSON: { "time": "Oct 27 09:24:46", "match": false , "host": "192.168.5.247" } -Oct 27 09:24:46 test1.beezwax.net screensharingd[1170]: Authentication: SUCCEEDED :: User Name: simon :: Viewer Address: 192.168.5.247 :: Type: DH -# failJSON: { "time": "Oct 27 09:25:41", "match": true , "host": "192.168.5.247" } -Oct 27 09:25:41 test1.beezwax.net screensharingd[1170]: Authentication: FAILED :: User Name: sdfsdfs () mro :: Viewer Address: 192.168.5.247 :: Type: DH -# failJSON: { "time": "Oct 27 09:25:49", "match": true , "host": "192.168.5.247" } -Oct 27 09:25:49 test1.beezwax.net screensharingd[1170]: Authentication: FAILED :: User Name: sdfsdfs :: :: Viewer Address: 192.168.5.247 :: Type: DH -# failJSON: { "time": "Oct 27 09:26:09", "match": true , "host": "192.168.5.247" } -Oct 27 09:26:09 test1.beezwax.net screensharingd[1170]: Authentication: FAILED :: User Name: sdfsdfs @! s:: :: Viewer Address: 192.168.5.247 :: Type: DH -# failJSON: { "time": "Oct 27 09:23:20", "match": false , "host": "192.168.5.247" } -Oct 27 09:23:20 fm100 com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.pid.SecurityAgent.1156): Path not allowed in target domain: type = uid, path = /System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/SandboxedServiceRunner.xpc/Contents/MacOS/SandboxedServiceRunner error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/SecurityAgent.xpc -# failJSON: { "time": "Oct 27 09:23:20", "match": false , "host": "192.168.5.247" } -Oct 27 09:23:20 fm100.beezwax.net ManagedClient[1155]: MCXCCacheMCXRecordAndGraph(): vproc_swap_integer(NULL, VPROC_GSK_PERUSER_SUSPEND, &(uid=1027), NULL) failed -# failJSON: { "time": "Oct 27 12:26:44", "match": false , "host": "192.168.5.247" } -Oct 27 12:26:44 fm100.beezwax.net digest-service[3828]: digest-request: kdc failed with 36150275 proto=unknown 
diff --git a/fail2ban/tests/files/logs/screenshared b/fail2ban/tests/files/logs/screenshared new file mode 100644 index 00000000..63e1dfb4 --- /dev/null +++ b/fail2ban/tests/files/logs/screenshared 
@@ -0,0 +1,18 @@ +# NOTE: dates here include years -- this is NOT the typical configuration for the system.log +# file on Mac OS. However, matches will not pass unless year is included. +# +# failJSON: { "match": false } +Oct 27 2015 09:24:46 test1.beezwax.net screensharingd[1170]: Authentication: SUCCEEDED :: User Name: simon :: Viewer Address: 192.168.5.247 :: Type: DH +# failJSON: { "match": false } +Oct 27 2015 09:23:20 test1 com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.pid.SecurityAgent.1156): Path not allowed in target domain: type = uid, path = /System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/SandboxedServiceRunner.xpc/Contents/MacOS/SandboxedServiceRunner error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/SecurityAgent.xpc +# failJSON: { "match": false } +Oct 27 2015 09:23:20 test1.beezwax.net ManagedClient[1155]: MCXCCacheMCXRecordAndGraph(): vproc_swap_integer(NULL, VPROC_GSK_PERUSER_SUSPEND, &(uid=1027), NULL) failed +# failJSON: { "match": false } +Oct 27 2015 12:26:44 test1.beezwax.net digest-service[3828]: digest-request: kdc failed with 36150275 proto=unknown +# +# failJSON: { "time": "2015-10-27T12:35:40", "match": true , "host": "192.168.5.247" } +Oct 27 2015 12:35:40 test1.beezwax.net screensharingd[1170]: Authentication: FAILED :: User Name: sdfsdfs () mro :: Viewer Address: 192.168.5.247 :: Type: DH +# failJSON: { "time": "2015-10-27T12:35:50", "match": true , "host": "192.168.5.247" } +Oct 27 2015 12:35:50 test1.beezwax.net screensharingd[1170]: Authentication: FAILED :: User Name: brown_s :: :: Viewer Address: 192.168.5.247 :: Type: DH +# failJSON: { "time": "2015-10-27T12:26:01", "match": true , "host": "192.168.5.247" } +Oct 27 2015 12:26:01 test1.beezwax.net screensharingd[1170]: Authentication: FAILED :: User Name: brown @! s:: :: Viewer Address: 192.168.5.247 :: Type: DH From 3dd1c305ce536d42fba397ac516abc3dd43d5f35 Mon Sep 17 00:00:00 2001 
From: Simon Brown Date: Tue, 27 Oct 2015 21:20:12 -0700 Subject: [PATCH 09/42] added entry for new screensharingd filter --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index 391eabc6..a6e53a02 100644 --- a/ChangeLog +++ b/ChangeLog @@ -39,6 +39,8 @@ ver. 0.9.4 (2015/XX/XXX) - wanna-be-released (gh-1226) * Added filter for openhab domotic software authentication failure with the rest api and web interface (gh-1223) + * Added filter for Mac OS screen sharing (VNC) daemon + ver. 0.9.3 (2015/08/01) - lets-all-stay-friends ---------- From 4b4d5a95b7af7aaca0c8bc9858bd78c6d3b75320 Mon Sep 17 00:00:00 2001 From: Simon Brown Date: Tue, 27 Oct 2015 21:30:20 -0700 Subject: [PATCH 10/42] Changed regex prequel Use standard prefix macro instead of literal daemon name. --- config/filter.d/screensharingd.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/screensharingd.conf b/config/filter.d/screensharingd.conf index fc9f6aed..fbaff542 100644 --- a/config/filter.d/screensharingd.conf +++ b/config/filter.d/screensharingd.conf @@ -24,7 +24,7 @@ _daemon = screensharingd # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # -failregex = ^.+ screensharingd.+: Authentication: FAILED :: User Name: .+ :: Viewer Address: :: Type: DH$ +failregex = ^%(__prefix_line)sAuthentication: Authentication: FAILED :: User Name: .+ :: Viewer Address: :: Type: DH$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. From acee68a9ee94a084576e91f74f226efb41b231d7 Mon Sep 17 00:00:00 2001 From: Simon Brown Date: Wed, 28 Oct 2015 15:11:11 -0700 Subject: [PATCH 11/42] Made screensharing jail off by default Also added note about requiring paths-osx.conf. --- config/jail.conf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/config/jail.conf b/config/jail.conf index 2b9e9eaf..65ffdef1 100644 --- a/config/jail.conf +++ b/config/jail.conf 
@@ -788,8 +788,9 @@ maxretry = 1 findtime = 1 [screensharing] -# For Mac OS Screen Sharing Service -enabled = true +# For Mac OS Screen Sharing Service (VNC) +# Requires the 'before' statement in the [INCLUDE] section to include paths-osx.conf +enabled = false filter = screensharingd logpath = %(system_log)s logencoding=utf-8 From c936d19805aae62fa71fb8087313b889713901be Mon Sep 17 00:00:00 2001 From: Simon Brown Date: Wed, 28 Oct 2015 15:30:31 -0700 Subject: [PATCH 12/42] Fixed name (again?) --- fail2ban/tests/files/logs/{screenshared => screensharingd} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename fail2ban/tests/files/logs/{screenshared => screensharingd} (100%) diff --git a/fail2ban/tests/files/logs/screenshared b/fail2ban/tests/files/logs/screensharingd similarity index 100% rename from fail2ban/tests/files/logs/screenshared rename to fail2ban/tests/files/logs/screensharingd From bed28eaa62b6c1737c2030ce2ced56dc5ef20316 Mon Sep 17 00:00:00 2001 From: Simon Brown Date: Wed, 28 Oct 2015 15:32:58 -0700 Subject: [PATCH 13/42] clarified comments on sample log format --- fail2ban/tests/files/logs/screensharingd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fail2ban/tests/files/logs/screensharingd b/fail2ban/tests/files/logs/screensharingd index 63e1dfb4..c43a5c41 100644 --- a/fail2ban/tests/files/logs/screensharingd +++ b/fail2ban/tests/files/logs/screensharingd @@ -1,5 +1,5 @@ -# NOTE: dates here include years -- this is NOT the typical configuration for the system.log -# file on Mac OS. However, matches will not pass unless year is included. +# NOTE: dates here include years -- this is not the typical configuration for the system.log +# file on Mac OS. However, without it the test routines will use 2004 as the year and matches will not pass. # # failJSON: { "match": false } Oct 27 2015 09:24:46 test1.beezwax.net screensharingd[1170]: Authentication: SUCCEEDED :: User Name: simon :: Viewer Address: 192.168.5.247 :: Type: DH 
From cabd46f069d7fc585b02c0ac88e7069af202e419 Mon Sep 17 00:00:00 2001 From: Simon Brown Date: Wed, 28 Oct 2015 20:58:25 -0700 Subject: [PATCH 14/42] Fixed blatant typo in regex However, still failing test, even though ```PYTHONPATH=. fail2ban-regex -v fail2ban/tests/files/logs/screensharingd /etc/fail2ban/filter.d/screensharingd.conf``` gives desired result --- config/filter.d/screensharingd.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/screensharingd.conf b/config/filter.d/screensharingd.conf index fbaff542..c5e3e858 100644 --- a/config/filter.d/screensharingd.conf +++ b/config/filter.d/screensharingd.conf @@ -24,7 +24,7 @@ _daemon = screensharingd # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # -failregex = ^%(__prefix_line)sAuthentication: Authentication: FAILED :: User Name: .+ :: Viewer Address: :: Type: DH$ +failregex = ^%(__prefix_line)sAuthentication: FAILED :: User Name: .+ :: Viewer Address: :: Type: DH$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. From 65bc5cf6ba08f64fc13c03f5c44d7911a7f0179f Mon Sep 17 00:00:00 2001 From: Simon Brown Date: Thu, 29 Oct 2015 09:03:01 -0700 Subject: [PATCH 15/42] Now using a literal logpath for screensharing jail --- config/jail.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/jail.conf b/config/jail.conf index 65ffdef1..7470039c 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -792,6 +792,6 @@ findtime = 1 # Requires the 'before' statement in the [INCLUDE] section to include paths-osx.conf enabled = false filter = screensharingd -logpath = %(system_log)s +logpath = /var/log/system.log logencoding=utf-8 maxretry = 4 From 5839a3bd80c73a5ff6a0f725d4453963505eb68a Mon Sep 17 00:00:00 2001 From: Simon Brown Date: Thu, 29 Oct 2015 16:07:54 -0700 Subject: [PATCH 16/42] Removed includes comment for screensharing jail --- config/jail.conf | 1 - 1 file changed, 1 deletion(-) 
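Review bot: The `User Name: .+` field in the new `failregex` is filled in by the remote client (the sample log added earlier in this series has user names containing `::`), and nothing in the filter header records why that is safe: the greedy `.+` together with the end-anchored literal tail `:: Type: DH$` makes the host group bind to the last `Viewer Address` field, so text embedded in a user name cannot supply the host. Loosening both at once (a non-greedy `.+?` plus a trailing `.*`) would lose that property, so it deserves a comment above the option, e.g. `# NOTE: 'User Name' is client-supplied and may contain '::'; keep the greedy .+ and the literal ':: Type: DH$' tail so the host is taken from the real 'Viewer Address' field.` The host pattern quoted in the header (`[\w\-.^_]+`) does not admit `:`, so an IPv6 viewer address would not match at all; if that is intended it is worth saying so in the same comment.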
diff --git a/config/jail.conf b/config/jail.conf index 7470039c..2aaea7ea 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -789,7 +789,6 @@ findtime = 1 [screensharing] # For Mac OS Screen Sharing Service (VNC) -# Requires the 'before' statement in the [INCLUDE] section to include paths-osx.conf enabled = false filter = screensharingd logpath = /var/log/system.log From d16ad805975afdade337dc052f88a198866efe3e Mon Sep 17 00:00:00 2001 From: Simon Brown Date: Mon, 2 Nov 2015 09:06:32 -0800 Subject: [PATCH 17/42] removed false matches For non-screensharingd related messages --- fail2ban/tests/files/logs/screensharingd | 6 ------ 1 file changed, 6 deletions(-) diff --git a/fail2ban/tests/files/logs/screensharingd b/fail2ban/tests/files/logs/screensharingd index c43a5c41..0ec0ebd6 100644 --- a/fail2ban/tests/files/logs/screensharingd +++ b/fail2ban/tests/files/logs/screensharingd 
@@ -3,12 +3,6 @@ # # failJSON: { "match": false } Oct 27 2015 09:24:46 test1.beezwax.net screensharingd[1170]: Authentication: SUCCEEDED :: User Name: simon :: Viewer Address: 192.168.5.247 :: Type: DH -# failJSON: { "match": false } -Oct 27 2015 09:23:20 test1 com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.pid.SecurityAgent.1156): Path not allowed in target domain: type = uid, path = /System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/SandboxedServiceRunner.xpc/Contents/MacOS/SandboxedServiceRunner error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/SecurityAgent.xpc -# failJSON: { "match": false } -Oct 27 2015 09:23:20 test1.beezwax.net ManagedClient[1155]: MCXCCacheMCXRecordAndGraph(): vproc_swap_integer(NULL, VPROC_GSK_PERUSER_SUSPEND, &(uid=1027), NULL) failed -# failJSON: { "match": false } -Oct 27 2015 12:26:44 test1.beezwax.net digest-service[3828]: digest-request: kdc failed with 36150275 proto=unknown # # failJSON: { "time": "2015-10-27T12:35:40", "match": true , "host": "192.168.5.247" } Oct 27 2015 12:35:40 test1.beezwax.net screensharingd[1170]: Authentication: FAILED :: User Name: sdfsdfs () mro :: Viewer Address: 192.168.5.247 :: Type: DH From 3e16f33dbe840d507b687517699072a5e100101c Mon Sep 17 00:00:00 2001 From: Simon Brown Date: Mon, 2 Nov 2015 09:08:47 -0800 Subject: [PATCH 18/42] Removed old svn revision comment --- config/filter.d/screensharingd.conf | 2 -- 1 file changed, 2 deletions(-) diff --git a/config/filter.d/screensharingd.conf b/config/filter.d/screensharingd.conf index c5e3e858..4cd76465 100644 --- a/config/filter.d/screensharingd.conf +++ b/config/filter.d/screensharingd.conf @@ -2,8 +2,6 @@ # # Author: Simon Brown # -# $Revision: 1 $ -# # Filter for Mac OS X Screen Sharing service [INCLUDES] From 69bb532db0c9c34bf7c68ba0ed7adb769206f58d Mon Sep 17 00:00:00 2001 
From: Simon Brown Date: Mon, 2 Nov 2015 09:26:45 -0800 Subject: [PATCH 19/42] removed system.log --- config/paths-osx.conf | 3 --- 1 file changed, 3 deletions(-) diff --git a/config/paths-osx.conf b/config/paths-osx.conf index 4f4df632..180923c0 100644 --- a/config/paths-osx.conf +++ b/config/paths-osx.conf @@ -24,6 +24,3 @@ syslog_authpriv = /var/log/secure.log #syslog_daemon = #syslog_local0 = - -# Default Mac OS log location for syslog output. -system_log = /var/log/system.log From dfaf82d68a39662e475b3a0403a64de04fda7e76 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Fri, 18 Dec 2015 09:23:12 -0500 Subject: [PATCH 20/42] Changelog entry for PartOf in .service fix --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index 90bcfcb3..74a88115 100644 --- a/ChangeLog +++ b/ChangeLog @@ -68,6 +68,9 @@ ver. 0.9.4 (2015/XX/XXX) - wanna-be-released * Performance improvements while monitoring large number of files (gh-1265). Use associative array (dict) for monitored log files to speed up lookup operations. Thanks @kshetragia + * Specified that fail2ban is PartOf iptables.service firewalld.service in + .service file -- would reload fail2ban if those services are restarted + ver. 0.9.3 (2015/08/01) - lets-all-stay-friends ---------- From 28c98322933f36d5ba4ea12ea638fb573b53dbc6 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Tue, 29 Dec 2015 19:43:52 -0500 Subject: [PATCH 21/42] RF: harmonize jail.conf (no explicit enabled=false in jails, match filter name for screesharingd, etc) --- config/jail.conf | 26 ++++++-------------------- 1 file changed, 6 insertions(+), 20 deletions(-) diff --git a/config/jail.conf b/config/jail.conf index 02543705..41a43e56 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -240,7 +240,6 @@ backend = %(dropbear_backend)s port = ssh logpath = %(auditd_log)s -maxretry = 5 # @@ -266,7 +265,6 @@ maxretry = 1 port = http,https logpath = %(apache_error_log)s -maxretry = 6 [apache-overflows] 
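Review bot: Dropping `maxretry = 6` in the hunk at `@@ -266,7 +265,6 @@` (an apache jail, judging by its `%(apache_error_log)s` logpath) changes that jail's effective threshold to whatever `[DEFAULT]` sets, which is not visible in this diff, so it is a behaviour change rather than the harmonisation the subject describes. The same applies to the `maxretry = 6` removals for pure-ftpd, gssftpd and wuftpd and to oracleims, and to the dropped `maxretry = 4` in the renamed `[screensharingd]` jail, in the later hunks of this commit. The `maxretry = 5` removals (the auditd-based ssh jail, tine20, mysqld, recidive) are only no-ops if the default is still 5. Either keep the non-default values or state the new effective thresholds in the commit message and ChangeLog so operators can see what changed.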
@@ -304,18 +302,21 @@ port = http,https logpath = %(apache_error_log)s maxretry = 2 + [apache-shellshock] port = http,https logpath = %(apache_error_log)s maxretry = 1 + [openhab-auth] filter = openhab action = iptables-allports[name=NoAuthFailures] logpath = /opt/openhab/logs/request.log + [nginx-http-auth] port = http,https @@ -335,6 +336,7 @@ port = http,https logpath = %(nginx_error_log)s maxretry = 2 + # Ban attackers that try to use PHP's URL-fopen() functionality # through GET/POST variables. - Experimental, with more than a year # of usage in production environments. @@ -399,7 +401,6 @@ logpath = /var/log/sogo/sogo.log logpath = /var/log/tine20/tine20.log port = http,https -maxretry = 5 # @@ -420,7 +421,6 @@ logpath = /var/log/tomcat*/catalina.out [monit] #Ban clients brute-forcing the monit gui login -filter = monit port = 2812 logpath = /var/log/monit @@ -473,7 +473,6 @@ backend = %(proftpd_backend)s port = ftp,ftp-data,ftps,ftps-data logpath = %(pureftpd_log)s backend = %(pureftpd_backend)s -maxretry = 6 [gssftpd] @@ -481,7 +480,6 @@ maxretry = 6 port = ftp,ftp-data,ftps,ftps-data logpath = %(syslog_daemon)s backend = %(syslog_backend)s -maxretry = 6 [wuftpd] @@ -489,7 +487,6 @@ maxretry = 6 port = ftp,ftp-data,ftps,ftps-data logpath = %(wuftpd_log)s backend = %(wuftpd_backend)s -maxretry = 6 [vsftpd] @@ -724,7 +721,6 @@ maxretry = 10 port = 3306 logpath = %(mysql_log)s backend = %(mysql_backend)s -maxretry = 5 # Jail for more extended banning of persistent abusers @@ -740,7 +736,6 @@ logpath = /var/log/fail2ban.log banaction = %(banaction_allports)s bantime = 604800 ; 1 week findtime = 86400 ; 1 day -maxretry = 5 # Generic filter for PAM. Has to be used with action which bans all 
@@ -786,7 +781,6 @@ action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp # nobody except your own Nagios server should ever probe nrpe [nagios] -enabled = false logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility backend = %(syslog_backend)s maxretry = 1 @@ -794,18 +788,14 @@ maxretry = 1 [oracleims] # see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above -enabled = false logpath = /opt/sun/comms/messaging64/log/mail.log_current -maxretry = 6 banaction = %(banaction_allports)s [directadmin] -enabled = false logpath = /var/log/directadmin/login.log port = 2222 [portsentry] -enabled = false logpath = /var/lib/portsentry/portsentry.history maxretry = 1 @@ -826,16 +816,12 @@ findtime = 1 [murmur] # AKA mumble-server port = 64738 -filter = murmur action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/mumble-server/mumble-server.log -[screensharing] +[screensharingd] # For Mac OS Screen Sharing Service (VNC) -enabled = false -filter = screensharingd logpath = /var/log/system.log -logencoding=utf-8 -maxretry = 4 +logencoding = utf-8 From b76aede40d4202bdf5b5c8908162429b30370e33 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Tue, 29 Dec 2015 19:56:45 -0500 Subject: [PATCH 22/42] ENH(TST): verify that passed bantime is non-0 and int --- fail2ban/tests/clientreadertestcase.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py index d19090be..e6860a47 100644 --- a/fail2ban/tests/clientreadertestcase.py +++ b/fail2ban/tests/clientreadertestcase.py 
@@ -594,6 +594,12 @@ class JailsReaderTest(LogCaptureTestCase): # by default we have lots of jails ;) self.assertTrue(len(comm_commands)) + # some common sanity checks for commands + for command in comm_commands: + if len(command) >= 3 and [command[0], command[2]] == ['set', 'bantime']: + self.assertTrue(isinstance(command[3], int)) + self.assertTrue(command[3] > 0) + # and we know even some of them by heart for j in ['sshd', 'recidive']: # by default we have 'auto' backend ATM From cf334421bdd287e4b5fe81344d50386f1f2d8f4a Mon Sep 17 00:00:00 2001 From: sebres Date: Wed, 30 Dec 2015 20:17:12 +0100 Subject: [PATCH 23/42] Provides fail2ban version to jail (as interpolation variable during parse of jail.conf); BF: use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc. (closes #1271, closes #1272) --- config/action.d/badips.conf | 2 +- config/action.d/blocklist_de.conf | 2 +- config/action.d/mynetwatchman.conf | 8 +++++-- config/jail.conf | 11 +++++++-- fail2ban/client/jailreader.py | 5 ++++ fail2ban/tests/clientreadertestcase.py | 32 +++++++++++++++++++++++++- 6 files changed, 53 insertions(+), 7 deletions(-) diff --git a/config/action.d/badips.conf b/config/action.d/badips.conf index 4a5c0f97..70b46546 100644 --- a/config/action.d/badips.conf +++ b/config/action.d/badips.conf @@ -10,7 +10,7 @@ [Definition] -actionban = curl --fail --user-agent "fail2ban v0.8.12" http://www.badips.com/add// +actionban = curl --fail --user-agent "" http://www.badips.com/add// [Init] diff --git a/config/action.d/blocklist_de.conf b/config/action.d/blocklist_de.conf index 6d520694..2f31d8b9 100644 --- a/config/action.d/blocklist_de.conf +++ b/config/action.d/blocklist_de.conf 
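Review bot: The new guard `len(command) >= 3` protects only `command[0]` and `command[2]`, yet both assertions read `command[3]`, so a three-element `set … bantime` command would raise IndexError instead of a test failure; the guard should be `if len(command) >= 4 and [command[0], command[2]] == ['set', 'bantime']:`. If the supported Python baseline allows it, `self.assertIsInstance(command[3], int)` and `self.assertGreater(command[3], 0)` would also give a clearer failure message than the two `assertTrue` calls. The enclosing test method begins outside this hunk.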
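Review bot: The rewritten `actionban` still submits the ban report to `http://www.badips.com/...` in clear text, while the `blocklist_de` action changed in this same commit talks to an `https://` endpoint; since each report discloses an address this host has just banned, the scheme should be `https://` if the service offers it. Worth adding above the option: `# Report is sent over plain HTTP; switch to https if badips.com supports it.` The user-agent value itself is quoted here, which is the form the mynetwatchman change in this commit should also use.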
@@ -54,7 +54,7 @@ actioncheck = # Tags: See jail.conf(5) man page # Values: CMD # -actionban = curl --fail --data-urlencode 'server=' --data 'apikey=' --data 'service=' --data 'ip=' --data-urlencode 'logs=' --data 'format=text' --user-agent "fail2ban v0.8.12" "https://www.blocklist.de/en/httpreports.html" +actionban = curl --fail --data-urlencode 'server=' --data 'apikey=' --data 'service=' --data 'ip=' --data-urlencode 'logs=' --data 'format=text' --user-agent "" "https://www.blocklist.de/en/httpreports.html" # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the diff --git a/config/action.d/mynetwatchman.conf b/config/action.d/mynetwatchman.conf index 5245a4e3..8f3edf9e 100644 --- a/config/action.d/mynetwatchman.conf +++ b/config/action.d/mynetwatchman.conf @@ -111,13 +111,17 @@ myip = `ip -4 addr show dev eth0 | grep inet | head -n 1 | sed -r 's/.*inet ([0- # protocol = tcp +# Option: agent +# Default: Fail2ban +agent = Fail2ban + # Option: getcmd # Notes.: A command to fetch a URL. Should output page to STDOUT # Values: CMD Default: wget # -getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 --read-timeout=60 --retry-connrefused --output-document=- --user-agent=Fail2Ban +getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 --read-timeout=60 --retry-connrefused --output-document=- --user-agent= # Alternative value: -# getcmd = curl --silent --show-error --retry 3 --connect-timeout 10 --max-time 60 --user-agent Fail2Ban +# getcmd = curl --silent --show-error --retry 3 --connect-timeout 10 --max-time 60 --user-agent # Option: srcport # Notes.: The source port of the attack. You're unlikely to have this info, so diff --git a/config/jail.conf b/config/jail.conf index 02543705..1d560288 100644 --- a/config/jail.conf +++ b/config/jail.conf 
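Review bot: In the mynetwatchman hunk the value appended to wget's `--user-agent=` is inserted unquoted (the tag itself does not survive in this rendering), so an `agent` value containing whitespace would split into extra wget arguments; the badips and blocklist_de actions in the same commit quote theirs, and `getcmd` should follow suit with `--user-agent="<agent>"` and the curl alternative with `--user-agent "<agent>"`. The new `agent` option also has no `# Notes.:`/`# Values:` lines like the surrounding options; `# Notes.: User-Agent string sent with the report; jail.conf passes fail2ban_agent here.` would match the file's style.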
@@ -146,6 +146,9 @@ chain = INPUT # Usually should be overridden in a particular jail port = 0:65535 +# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3 +fail2ban_agent = Fail2Ban/%(fail2ban_version)s + # # Action shortcuts. To be used to define action parameter @@ -187,7 +190,7 @@ action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] # [Init] # blocklist_de_apikey = {api key from registration] # -action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"] +action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"] # Report ban via badips.com, and use as blacklist # @@ -197,7 +200,11 @@ action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apik # NOTE: This action relies on banaction being present on start and therefore # should be last action defined for a jail. # -action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"] +action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"] +# +# Report ban via badips.com (uses action.d/badips.conf for reporting only) +# +action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"] # Choose default action. To change, just override value of 'action' with the # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local diff --git a/fail2ban/client/jailreader.py b/fail2ban/client/jailreader.py index 54ac59fa..56b8889c 100644 --- a/fail2ban/client/jailreader.py +++ b/fail2ban/client/jailreader.py @@ -32,6 +32,7 @@ import re from .configreader import ConfigReaderUnshared, ConfigReader from .filterreader import FilterReader from .actionreader import ActionReader +from ..version import version from ..helpers import getLogger from ..helpers import splitcommaspace 
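Review bot: `fail2ban_agent = Fail2Ban/%(fail2ban_version)s` interpolates a name that no `.conf` file in this diff defines; it is injected by the jail reader (see the jailreader.py change in this commit), so anything else that parses jail.conf, or an older client reading a newer config, will fail on this line. That dependency should be stated next to the definition, e.g. `# fail2ban_version is supplied by the jail reader at load time, not by any *.conf file`. The `%(name)s` → `%(__name__)s` correction in the `action_badips` line looks right but is unrelated to the user-agent change and would be easier to find in history as its own commit.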
@@ -108,6 +109,10 @@ class JailReader(ConfigReader): ["string", "filter", ""], ["string", "action", ""]] + # Before interpolation (substitution) add static options always available as default: + defsec = self._cfg.get_defaults() + defsec["fail2ban_version"] = version + # Read first options only needed for merge defaults ('known/...' from filter): self.__opts = ConfigReader.getOptions(self, self.__name, opts1st) if not self.__opts: diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py index d19090be..fcabc727 100644 --- a/fail2ban/tests/clientreadertestcase.py +++ b/fail2ban/tests/clientreadertestcase.py @@ -28,18 +28,20 @@ import re import shutil import tempfile import unittest -from ..client.configreader import ConfigReaderUnshared +from ..client.configreader import ConfigReader, ConfigReaderUnshared from ..client import configparserinc from ..client.jailreader import JailReader from ..client.filterreader import FilterReader from ..client.jailsreader import JailsReader from ..client.actionreader import ActionReader from ..client.configurator import Configurator +from ..version import version from .utils import LogCaptureTestCase TEST_FILES_DIR = os.path.join(os.path.dirname(__file__), "files") from .utils import CONFIG_DIR +CONFIG_DIR_TESTSHARE_CFG = {} STOCK = os.path.exists(os.path.join('config','fail2ban.conf')) 
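Review bot: `defsec["fail2ban_version"] = version` writes into whatever `get_defaults()` returns; the hunk relies on that being the parser's live defaults mapping rather than a copy, and it also unconditionally clobbers any `fail2ban_version` an administrator put in `[DEFAULT]`. If both are intended, the comment should say so, e.g. `# get_defaults() is the live DEFAULT mapping; fail2ban_version is always the real version and is not overridable from config`. Whether `get_defaults()` returns a live object is inferred from the test two hunks later passing; confirm in configreader. The enclosing `getOptions` method starts and ends outside the hunk.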
@@ -251,6 +253,34 @@ class JailReaderTest(LogCaptureTestCase): result = JailReader.extractOptions(option) self.assertEqual(expected, result) + def testVersionAgent(self): + jail = JailReader('blocklisttest', force_enable=True, basedir=CONFIG_DIR) + # emulate jail.read(), because such jail not exists: + ConfigReader.read(jail, "jail"); + sections = jail._cfg.get_sections() + sections['blocklisttest'] = dict((('__name__', 'blocklisttest'), + ('filter', ''), ('failregex', '^test $'), + ('sender', 'f2b-test@example.com'), ('blocklist_de_apikey', 'test-key'), + ('action', + '%(action_blocklist_de)s\n' + '%(action_badips_report)s\n' + '%(action_badips)s\n' + 'mynetwatchman[port=1234,protocol=udp,agent="%(fail2ban_agent)s"]' + ), + )) + # get options: + self.assertTrue(jail.getOptions()) + # convert and get stream + stream = jail.convert() + # get action and retrieve agent from it, compare with agent saved in version: + act = [o for o in stream if len(o) > 4 and (o[4] == 'agent' or o[4].endswith('badips.py'))] + useragent = 'Fail2Ban/%s' % version + self.assertEqual(len(act), 4) + self.assertEqual(act[0], ['set', 'blocklisttest', 'action', 'blocklist_de', 'agent', useragent]) + self.assertEqual(act[1], ['set', 'blocklisttest', 'action', 'badips', 'agent', useragent]) + self.assertEqual(eval(act[2][5]).get('agent', ''), useragent) + self.assertEqual(act[3], ['set', 'blocklisttest', 'action', 'mynetwatchman', 'agent', useragent]) + def testGlob(self): d = tempfile.mkdtemp(prefix="f2b-temp") # Generate few files From e133762a282e8059ad89b5130a3123ea6e0f526f Mon Sep 17 00:00:00 2001 
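Review bot: `eval(act[2][5])` evaluates a string produced by `jail.convert()` to recover the badips.py init options; the test owns its input so this is not a security issue, but `ast.literal_eval` expresses that only a literal dict is expected and fails loudly on anything else: `self.assertEqual(ast.literal_eval(act[2][5]).get('agent', ''), useragent)` with `import ast` among the module imports. The stray `;` after `ConfigReader.read(jail, "jail")` can go as well. That `act[2][5]` is the repr of the init dict is inferred from the `o[4].endswith('badips.py')` filter; confirm against the convert() output format.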
From: Jordan Moeser Date: Thu, 31 Dec 2015 11:16:23 +1000 Subject: [PATCH 24/42] Added HAProxy HTTP Auth filter --- ChangeLog | 2 ++ config/filter.d/haproxy-http-auth.conf | 37 +++++++++++++++++++++ config/jail.conf | 9 +++++ fail2ban/tests/files/logs/haproxy-http-auth | 4 +++ 4 files changed, 52 insertions(+) create mode 100644 config/filter.d/haproxy-http-auth.conf create mode 100644 fail2ban/tests/files/logs/haproxy-http-auth diff --git a/ChangeLog b/ChangeLog index 8b5344be..81575f62 100644 --- a/ChangeLog +++ b/ChangeLog @@ -44,6 +44,8 @@ ver. 0.9.4 (2015/XX/XXX) - wanna-be-released request processing rate (ngx_http_limit_req_module) - murmur - ban hosts that repeatedly attempt to connect to murmur/mumble-server with an invalid server password or certificate. + - haproxy-http-auth - filter to match failed HTTP Authentications against a + HAProxy server * New jails: - murmur - bans TCP and UDP from the bad host on the default murmur port. * sshd filter got new failregex to match "maximum authentication diff --git a/config/filter.d/haproxy-http-auth.conf b/config/filter.d/haproxy-http-auth.conf new file mode 100644 index 00000000..7c371dde --- /dev/null +++ b/config/filter.d/haproxy-http-auth.conf 
@@ -0,0 +1,37 @@ +# Fail2Ban filter configuration file to match failed login attempts to +# HAProxy HTTP Authentication protected servers. +# +# PLEASE NOTE - When a user first hits the HTTP Auth a 401 is returned by the server +# which prompts their browser to ask for login details. +# This initial 401 is logged by HAProxy. +# In other words, even successful logins will have at least 1 fail regex match. +# Please keep this in mind when setting findtime and maxretry for jails. +# +# Author: Jordan Moeser +# + +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + + +[Definition] + +_daemon = haproxy + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P[\w\-.^_]+) +# Values: TEXT +# +failregex = ^%(__prefix_line)s.*NOSRV.*401 + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = diff --git a/config/jail.conf b/config/jail.conf index 02543705..9788bd25 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -839,3 +839,12 @@ filter = screensharingd logpath = /var/log/system.log logencoding=utf-8 maxretry = 4 + +[haproxy-http-auth] +# HAProxy by default doesn't log to file you'll need to set it up to forward +# logs to a syslog server which would then write them to disk. +# See "haproxy-http-auth" filter for a brief cautionary note when setting +# maxretry and findtime. +enabled = false +filter = haproxy-http-auth +logpath = /var/log/haproxy.log diff --git a/fail2ban/tests/files/logs/haproxy-http-auth b/fail2ban/tests/files/logs/haproxy-http-auth new file mode 100644 index 00000000..298f1972 --- /dev/null +++ b/fail2ban/tests/files/logs/haproxy-http-auth 
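Review bot: `failregex = ^%(__prefix_line)s….*NOSRV.*401` accepts `401` anywhere after `NOSRV` — in the bytes field, a timer, or a request URI — and the fixture in the next file section shows the status code is a whitespace-delimited field, so the regex should pin it there (e.g. ` 401 ` or `\s401\s`) instead of a bare `401`. The header note about successful logins producing one 401 is useful; it should also say that, because of the `NOSRV` literal, only 401s HAProxy answered itself are matched, so a 401 returned by a backend does not count.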
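Review bot: The new `[haproxy-http-auth]` jail sets neither `maxretry` nor `findtime`, although the filter it references warns that every successful login already produces one matching 401; with the global defaults (outside this hunk) a few legitimate browser prompts from one NAT address may reach the ban threshold. Set an explicit value in the jail, e.g. `maxretry = 5` preceded by `# every auth prompt counts as one failure, see the filter header`, or at least restate the caveat here rather than only pointing to the filter file.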
@@ -0,0 +1,4 @@ +# failJSON: { "match": false } +Nov 14 22:45:27 test haproxy[760]: 192.168.33.1:58444 [14/Nov/2015:22:45:25.439] main app/app1 1939/0/1/0/1940 403 5168 - - ---- 3/3/0/0/0 0/0 "GET / HTTP/1.1" +# failJSON: { "time": "2004-11-14T22:45:11", "match": true , "host": "192.168.33.1" } +Nov 14 22:45:11 test haproxy[760]: 192.168.33.1:58430 [14/Nov/2015:22:45:11.608] main main/ -1/-1/-1/-1/0 401 248 - - PR-- 0/0/0/0/0 0/0 "GET / HTTP/1.1" From ac311214329c3e8100ba9b37091de01475dd522f Mon Sep 17 00:00:00 2001 From: sebres Date: Thu, 31 Dec 2015 02:30:25 +0100 Subject: [PATCH 25/42] amend to fix fail2ban-version: correct user-agent for badips.py "Fail2Ban/ver", changeable within jail/config now; --- config/action.d/badips.py | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/config/action.d/badips.py b/config/action.d/badips.py index 99e1866a..5248e994 100644 --- a/config/action.d/badips.py +++ b/config/action.d/badips.py @@ -21,7 +21,6 @@ import sys if sys.version_info < (2, 7): raise ImportError("badips.py action requires Python >= 2.7") import json -from functools import partial import threading import logging if sys.version_info >= (3, ): @@ -72,6 +71,9 @@ class BadIPsAction(ActionBase): updateperiod : int, optional Time in seconds between updating bad IPs blacklist. Default 900 (15 minutes) + agent : str, optional + User agent transmitted to server. + Default `Fail2Ban/ver.` Raises ------ 
@@ -80,13 +82,14 @@ class BadIPsAction(ActionBase): """ _badips = "http://www.badips.com" - _Request = partial( - Request, headers={'User-Agent': "Fail2Ban %s" % f2bVersion}) + def _Request(self, url, **argv): + return Request(url, headers={'User-Agent': self.agent}, **argv) def __init__(self, jail, name, category, score=3, age="24h", key=None, - banaction=None, bancategory=None, bankey=None, updateperiod=900): + banaction=None, bancategory=None, bankey=None, updateperiod=900, agent=None): super(BadIPsAction, self).__init__(jail, name) + self.agent = agent if agent is not None else ("Fail2Ban/%s" % f2bVersion) self.category = category self.score = score self.age = age From 618e97bce8a1ad359e191d84835f3400152acbed Mon Sep 17 00:00:00 2001 From: Alexander Belykh Date: Mon, 4 Jan 2016 01:36:28 +0600 Subject: [PATCH 26/42] Add nftables actions --- config/action.d/nftables-allports.conf | 52 +++++++++++++++++++++++++ config/action.d/nftables-common.conf | 50 ++++++++++++++++++++++++ config/action.d/nftables-multiport.conf | 51 ++++++++++++++++++++++++ 3 files changed, 153 insertions(+) create mode 100644 config/action.d/nftables-allports.conf create mode 100644 config/action.d/nftables-common.conf create mode 100644 config/action.d/nftables-multiport.conf diff --git a/config/action.d/nftables-allports.conf b/config/action.d/nftables-allports.conf new file mode 100644 index 00000000..34622f65 --- /dev/null +++ b/config/action.d/nftables-allports.conf 
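Review bot: The new `_Request` builds every request on the `_badips = "http://www.badips.com"` base visible as context, so the User-Agent it adds — and the reports plus the `key`/`bankey` values, if those are transmitted as parameters as their names suggest — travel in cleartext over HTTP. If the service supports TLS, `_badips = "https://www.badips.com"` is a one-line change; if it does not, a comment stating that the transport is plaintext tells operators what the key does and does not protect. The enclosing class continues outside the hunk.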
@@ -0,0 +1,52 @@ +# Fail2Ban configuration file +# +# Author: Cyril Jaquier +# Modified: Yaroslav O. Halchenko +# made active on all ports from original iptables.conf +# Modified: Alexander Belykh +# adapted for nftables +# + +[INCLUDES] + +before = nftables-common.conf + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = add set filter f2b- { type ipv4_addr\; } + insert rule filter ip protocol ip saddr @f2b- + +# Option: actionstop +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = HANDLE_ID=$( --handle --numeric list chain filter | grep -m1 'ip saddr @f2b- # handle' | grep -oe ' handle [0-9]*'); delete rule filter $HANDLE_ID + delete set filter f2b- +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = list chain filter | grep -q '@f2b-[ \t]' + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionban = add element filter f2b- { } + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = delete element filter f2b- { } + +[Init] + diff --git a/config/action.d/nftables-common.conf b/config/action.d/nftables-common.conf new file mode 100644 index 00000000..a0534d35 --- /dev/null +++ b/config/action.d/nftables-common.conf 
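Review bot: `actionstop` runs `delete rule filter … $HANDLE_ID` even when the `grep -m1 … | grep -oe ' handle [0-9]*'` pipeline finds no rule, so `HANDLE_ID` is empty and nft is presumably invoked with an incomplete `delete rule`, after which `delete set` is attempted against a set that may still be referenced. Guard it: `[ -n "$HANDLE_ID" ] && … delete rule filter … $HANDLE_ID`, keeping the nftables and chain tags as used elsewhere in the file. The set-name and chain tags appear stripped in this rendering, so the exact command text is inferred.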
@@ -0,0 +1,50 @@ +# Fail2Ban configuration file +# +# Author: Daniel Black +# Modified: Alexander Belykh +# adapted for nftables +# +# This is a included configuration file and includes the definitions for the nftables +# used in all nftables based actions by default. +# +# The user can override the defaults in nftables-common.local + +[INCLUDES] + +after = nftables-common.local + +[Init] + +# Option: chain +# Notes specifies the nftables chain to which the Fail2Ban rules should be +# added +# Values: STRING Default: input +chain = input + +# Default name of the filtering set +# +name = default + +# Option: port +# Notes.: specifies port to monitor +# Values: [ NUM | STRING ] Default: +# +port = ssh + +# Option: protocol +# Notes.: internally used by config reader for interpolations. +# Values: [ tcp | udp ] Default: tcp +# +protocol = tcp + +# Option: blocktype +# Note: This is what the action does with rules. This can be any jump target +# as per the nftables man page (section 8). Common values are drop +# reject, reject with icmp type host-unreachable +# Values: STRING +blocktype = reject + +# Option: nftables +# Notes.: Actual command to be executed, including common to all calls options +# Values: STRING +nftables = nft diff --git a/config/action.d/nftables-multiport.conf b/config/action.d/nftables-multiport.conf new file mode 100644 index 00000000..ad61bf63 --- /dev/null +++ b/config/action.d/nftables-multiport.conf 
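Review bot: Nothing in `nftables-common.conf` says that the `filter` table and the `chain` (`input` by default) must already exist — the actions only add a set and insert one rule into them — although the ChangeLog entry added later in this series states exactly that. Put it where operators will read it, above `chain = input`: `# The table and this chain must already exist; the actions only add a set and one rule to them.`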
@@ -0,0 +1,51 @@ +# Fail2Ban configuration file +# +# Author: Cyril Jaquier +# Modified by Yaroslav Halchenko for multiport banning +# Modified: Alexander Belykh +# adapted for nftables +# + +[INCLUDES] + +before = nftables-common.conf + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = add set filter f2b- { type ipv4_addr\; } + insert rule filter dport { } ip saddr @f2b- + +# Option: actionstop +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = HANDLE_ID=$( --handle --numeric list chain filter | grep -m1 'ip saddr @f2b- # handle' | grep -oe ' handle [0-9]*'); delete rule filter $HANDLE_ID + delete set filter f2b- +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = list chain filter | grep -q '@f2b-[ \t]' + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionban = add element filter f2b- { } + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = delete element filter f2b- { } + +[Init] + From 69f5623f83180dda4e9461f553fd676f029b3ba9 Mon Sep 17 00:00:00 2001 From: sebres Date: Mon, 4 Jan 2016 09:30:32 +0100 Subject: [PATCH 27/42] code simplifying (remove duplication): agent will be always supplied as parameter from jail.conf --- config/action.d/badips.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/config/action.d/badips.py b/config/action.d/badips.py index 5248e994..025289ca 100644 --- a/config/action.d/badips.py +++ b/config/action.d/badips.py 
@@ -32,7 +32,6 @@ else: from urllib import urlencode from fail2ban.server.actions import ActionBase -from fail2ban.version import version as f2bVersion class BadIPsAction(ActionBase): @@ -86,10 +85,10 @@ class BadIPsAction(ActionBase): return Request(url, headers={'User-Agent': self.agent}, **argv) def __init__(self, jail, name, category, score=3, age="24h", key=None, - banaction=None, bancategory=None, bankey=None, updateperiod=900, agent=None): + banaction=None, bancategory=None, bankey=None, updateperiod=900, agent="Fail2Ban"): super(BadIPsAction, self).__init__(jail, name) - self.agent = agent if agent is not None else ("Fail2Ban/%s" % f2bVersion) + self.agent = agent self.category = category self.score = score self.age = age From 25a09352e48a303d66d1e207e2e3b51b3d2e9793 Mon Sep 17 00:00:00 2001 From: sebres Date: Mon, 4 Jan 2016 14:46:43 +0100 Subject: [PATCH 28/42] + ChangeLog entry --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index 8b5344be..36c727fe 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,6 +28,7 @@ ver. 0.9.4 (2015/XX/XXX) - wanna-be-released for python version < 3.x (gh-1248) * Use postfix_log logpath for postfix-rbl jail * filters.d/postfix.conf - add 'Sender address rejected: Domain not found' failregex + * use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc (gh-1271) - New Features: * New interpolation feature for definition config readers - `` @@ -72,6 +73,8 @@ ver. 0.9.4 (2015/XX/XXX) - wanna-be-released operations. Thanks @kshetragia * Specified that fail2ban is PartOf iptables.service firewalld.service in .service file -- would reload fail2ban if those services are restarted + * Provides new default `fail2ban_version` and interpolation variable + `fail2ban_agent` in jail.conf ver. 0.9.3 (2015/08/01) - lets-all-stay-friends From f7f91a8bd45d83fa106c2c827e91d53d1e9b75dc Mon Sep 17 00:00:00 2001 
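Review bot: The default changed to `agent="Fail2Ban"`, but the docstring added two commits earlier still reads `Default `Fail2Ban/ver.``, so the documented and actual defaults now disagree. Update it to `Default "Fail2Ban"` and add that jail.conf normally passes `fail2ban_agent`, which is where the version suffix now comes from. The enclosing `__init__` continues outside the hunk.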
From: Alexander Belykh Date: Tue, 5 Jan 2016 19:03:47 +0600 Subject: [PATCH 29/42] Refactor common code out of nftables-multiport/allports.conf --- config/action.d/nftables-allports.conf | 38 +++----------------- config/action.d/nftables-common.conf | 46 +++++++++++++++++++++++++ config/action.d/nftables-multiport.conf | 41 ++++------------------ 3 files changed, 56 insertions(+), 69 deletions(-) diff --git a/config/action.d/nftables-allports.conf b/config/action.d/nftables-allports.conf index 34622f65..afd0ca84 100644 --- a/config/action.d/nftables-allports.conf +++ b/config/action.d/nftables-allports.conf @@ -13,40 +13,10 @@ before = nftables-common.conf [Definition] -# Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. -# Values: CMD +# Option: nftables_mode +# Notes.: additional expressions for nftables filter rule +# Values: nftables expressions # -actionstart = add set filter f2b- { type ipv4_addr\; } - insert rule filter ip protocol ip saddr @f2b- - -# Option: actionstop -# Notes.: command executed once at the end of Fail2Ban -# Values: CMD -# -actionstop = HANDLE_ID=$( --handle --numeric list chain filter | grep -m1 'ip saddr @f2b- # handle' | grep -oe ' handle [0-9]*'); delete rule filter $HANDLE_ID - delete set filter f2b- -# Option: actioncheck -# Notes.: command executed once before each actionban command -# Values: CMD -# -actioncheck = list chain filter | grep -q '@f2b-[ \t]' - -# Option: actionban -# Notes.: command executed when banning an IP. Take care that the -# command is executed with Fail2Ban user rights. -# Tags: See jail.conf(5) man page -# Values: CMD -# -actionban = add element filter f2b- { } - -# Option: actionunban -# Notes.: command executed when unbanning an IP. Take care that the -# command is executed with Fail2Ban user rights. -# Tags: See jail.conf(5) man page -# Values: CMD -# -actionunban = delete element filter f2b- { } +nftables_mode = ip protocol [Init] - 
diff --git a/config/action.d/nftables-common.conf b/config/action.d/nftables-common.conf index a0534d35..e65618ef 100644 --- a/config/action.d/nftables-common.conf +++ b/config/action.d/nftables-common.conf @@ -1,6 +1,9 @@ # Fail2Ban configuration file # # Author: Daniel Black +# Author: Cyril Jaquier +# Modified: Yaroslav O. Halchenko +# made active on all ports from original iptables.conf # Modified: Alexander Belykh # adapted for nftables # @@ -13,6 +16,49 @@ after = nftables-common.local +[Definition] + +# Option: nftables_mode +# Notes.: additional expressions for nftables filter rule +# Values: nftables expressions +# +nftables_mode = dport { } + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = add set filter f2b- { type ipv4_addr\; } + insert rule filter %(nftables_mode)s ip saddr @f2b- + +# Option: actionstop +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = HANDLE_ID=$( --handle --numeric list chain filter | grep -m1 'ip saddr @f2b- # handle' | grep -oe ' handle [0-9]*'); delete rule filter $HANDLE_ID + delete set filter f2b- +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = list chain filter | grep -q '@f2b-[ \t]' + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionban = add element filter f2b- { } + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = delete element filter f2b- { } + [Init] # Option: chain diff --git a/config/action.d/nftables-multiport.conf b/config/action.d/nftables-multiport.conf index ad61bf63..3c6455e2 100644 --- a/config/action.d/nftables-multiport.conf 
+++ b/config/action.d/nftables-multiport.conf @@ -1,7 +1,8 @@ # Fail2Ban configuration file # # Author: Cyril Jaquier -# Modified by Yaroslav Halchenko for multiport banning +# Modified: Yaroslav O. Halchenko +# made active on all ports from original iptables.conf # Modified: Alexander Belykh # adapted for nftables # @@ -12,40 +13,10 @@ before = nftables-common.conf [Definition] -# Option: actionstart -# Notes.: command executed once at the start of Fail2Ban. -# Values: CMD +# Option: nftables_mode +# Notes.: additional expressions for nftables filter rule +# Values: nftables expressions # -actionstart = add set filter f2b- { type ipv4_addr\; } - insert rule filter dport { } ip saddr @f2b- - -# Option: actionstop -# Notes.: command executed once at the end of Fail2Ban -# Values: CMD -# -actionstop = HANDLE_ID=$( --handle --numeric list chain filter | grep -m1 'ip saddr @f2b- # handle' | grep -oe ' handle [0-9]*'); delete rule filter $HANDLE_ID - delete set filter f2b- -# Option: actioncheck -# Notes.: command executed once before each actionban command -# Values: CMD -# -actioncheck = list chain filter | grep -q '@f2b-[ \t]' - -# Option: actionban -# Notes.: command executed when banning an IP. Take care that the -# command is executed with Fail2Ban user rights. -# Tags: See jail.conf(5) man page -# Values: CMD -# -actionban = add element filter f2b- { } - -# Option: actionunban -# Notes.: command executed when unbanning an IP. Take care that the -# command is executed with Fail2Ban user rights. -# Tags: See jail.conf(5) man page -# Values: CMD -# -actionunban = delete element filter f2b- { } +nftables_mode = dport { } [Init] - From cb2d70d7a8a47a8f42e6c2a443b27cc150d669ba Mon Sep 17 00:00:00 2001 From: Alexander Belykh Date: Tue, 5 Jan 2016 19:04:44 +0600 Subject: [PATCH 30/42] Add ChangeLog entry for new nftables actions --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index 8b5344be..6d42a837 100644 --- a/ChangeLog 
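Review bot: The header line replaced in `nftables-multiport.conf` now reads `made active on all ports from original iptables.conf`, which is the allports attribution pasted over the previous `for multiport banning` note, so this file now describes the wrong derivation. Restore `# Modified: Yaroslav O. Halchenko` / `#   for multiport banning` (or equivalent) here and keep the allports wording only in `nftables-allports.conf`.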
+++ b/ChangeLog @@ -37,6 +37,9 @@ ver. 0.9.4 (2015/XX/XXX) - wanna-be-released filter.d/*.local file. As extension to interpolation `%(known/parameter)s`, that does not works for filter and action init parameters + * New actions: + - nftables-multiport and nftables-allports - filtering using nftables + framework. Note: it requires a pre-existing chain for the filtering rule. * New filters: - openhab - domotic software authentication failure with the rest api and web interface (gh-1223) From 1983e155808f30eb0eb775061252e3dad1bd2b19 Mon Sep 17 00:00:00 2001 From: Alexander Belykh Date: Wed, 6 Jan 2016 16:55:29 +0600 Subject: [PATCH 31/42] Add empty line between parameters in nftables-common.conf --- config/action.d/nftables-common.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/config/action.d/nftables-common.conf b/config/action.d/nftables-common.conf index e65618ef..534eec2f 100644 --- a/config/action.d/nftables-common.conf +++ b/config/action.d/nftables-common.conf @@ -37,6 +37,7 @@ actionstart = add set filter f2b- { type ipv4_addr\; } # actionstop = HANDLE_ID=$( --handle --numeric list chain filter | grep -m1 'ip saddr @f2b- # handle' | grep -oe ' handle [0-9]*'); delete rule filter $HANDLE_ID delete set filter f2b- + # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD From 260c30535d71c5ee1d07f843536bd4e9f6163358 Mon Sep 17 00:00:00 2001 From: Alexander Belykh Date: Wed, 6 Jan 2016 17:13:30 +0600 Subject: [PATCH 32/42] Escape curly braces in nftables actions --- config/action.d/nftables-common.conf | 8 ++++---- config/action.d/nftables-multiport.conf | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/config/action.d/nftables-common.conf b/config/action.d/nftables-common.conf index 534eec2f..157f3c77 100644 --- a/config/action.d/nftables-common.conf +++ b/config/action.d/nftables-common.conf 
@@ -22,13 +22,13 @@ after = nftables-common.local # Notes.: additional expressions for nftables filter rule # Values: nftables expressions # -nftables_mode = dport { } +nftables_mode = dport \{ \} # Option: actionstart # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # -actionstart = add set filter f2b- { type ipv4_addr\; } +actionstart = add set filter f2b- \{ type ipv4_addr\; \} insert rule filter %(nftables_mode)s ip saddr @f2b- # Option: actionstop @@ -50,7 +50,7 @@ actioncheck = list chain filter | grep -q '@f2b-[ \t]' # Tags: See jail.conf(5) man page # Values: CMD # -actionban = add element filter f2b- { } +actionban = add element filter f2b- \{ \} # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -58,7 +58,7 @@ actionban = add element filter f2b- { } # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = delete element filter f2b- { } +actionunban = delete element filter f2b- \{ \} [Init] diff --git a/config/action.d/nftables-multiport.conf b/config/action.d/nftables-multiport.conf index 3c6455e2..d1afafb3 100644 --- a/config/action.d/nftables-multiport.conf +++ b/config/action.d/nftables-multiport.conf @@ -17,6 +17,6 @@ before = nftables-common.conf # Notes.: additional expressions for nftables filter rule # Values: nftables expressions # -nftables_mode = dport { } +nftables_mode = dport \{ \} [Init] From 9779eeb986e323608207f9790556d7b9ce6816f1 Mon Sep 17 00:00:00 2001 From: Alexander Belykh Date: Wed, 6 Jan 2016 17:33:14 +0600 Subject: [PATCH 33/42] Add nftables_type/family/table parameters --- config/action.d/nftables-common.conf | 32 ++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/config/action.d/nftables-common.conf b/config/action.d/nftables-common.conf index 157f3c77..26e35892 100644 --- a/config/action.d/nftables-common.conf +++ b/config/action.d/nftables-common.conf 
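Review bot: The `\{`/`\}` escaping in `nftables_mode`, `actionstart`, `actionban` and `actionunban` is unexplained in the file, so a later cleanup is likely to "simplify" it back to bare braces and silently break the nft commands. Add a comment above `nftables_mode`, e.g. `# braces are escaped so the interpolation/command layer passes them through to nft literally` — the exact reason is not visible in the patch, so word it to name whichever layer actually requires the escape.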
@@ -28,21 +28,21 @@ nftables_mode = dport \{ \} # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # -actionstart = add set filter f2b- \{ type ipv4_addr\; \} - insert rule filter %(nftables_mode)s ip saddr @f2b- +actionstart = add set f2b- \{ type \; \} + insert rule %(nftables_mode)s ip saddr @f2b- # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = HANDLE_ID=$( --handle --numeric list chain filter | grep -m1 'ip saddr @f2b- # handle' | grep -oe ' handle [0-9]*'); delete rule filter $HANDLE_ID - delete set filter f2b- +actionstop = HANDLE_ID=$( --handle --numeric list chain | grep -m1 'ip saddr @f2b- # handle' | grep -oe ' handle [0-9]*'); delete rule $HANDLE_ID + delete set f2b- # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = list chain filter | grep -q '@f2b-[ \t]' +actioncheck = list chain | grep -q '@f2b-[ \t]' # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -50,7 +50,7 @@ actioncheck = list chain filter | grep -q '@f2b-[ \t]' # Tags: See jail.conf(5) man page # Values: CMD # -actionban = add element filter f2b- \{ \} +actionban = add element f2b- \{ \} # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the 
@@ -58,10 +58,28 @@ actionban = add element filter f2b- \{ \} # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = delete element filter f2b- \{ \} +actionunban = delete element f2b- \{ \} [Init] +# Option: nftables_type +# Notes.: address type to work with +# Values: [ipv4_addr | ipv6_addr] Default: ipv4_addr +# +nftables_type = ipv4_addr + +# Option: nftables_family +# Notes.: address family to work in +# Values: [ip | ip6 | inet] Default: inet +# +nftables_family = inet + +# Option: nftables_table +# Notes.: table in the address family to work in +# Values: STRING Default: filter +# +nftables_table = filter + # Option: chain # Notes specifies the nftables chain to which the Fail2Ban rules should be # added From 985e8938a4a7aa4181851ad962cfe0c6a3a8fba3 Mon Sep 17 00:00:00 2001 From: Alexander Belykh Date: Wed, 6 Jan 2016 17:39:54 +0600 Subject: [PATCH 34/42] Refactor nftables actionstop into smaller parts --- config/action.d/nftables-common.conf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/config/action.d/nftables-common.conf b/config/action.d/nftables-common.conf index 26e35892..80657c5c 100644 --- a/config/action.d/nftables-common.conf +++ b/config/action.d/nftables-common.conf @@ -31,11 +31,15 @@ nftables_mode = dport \{ \} actionstart = add set f2b- \{ type \; \} insert rule %(nftables_mode)s ip saddr @f2b- +_nft_list = --handle --numeric list chain +_nft_get_handle_id = grep -m1 'ip saddr @f2b- # handle' | grep -oe ' handle [0-9]*' + # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = HANDLE_ID=$( --handle --numeric list chain | grep -m1 'ip saddr @f2b- # handle' | grep -oe ' handle [0-9]*'); delete rule $HANDLE_ID +actionstop = HANDLE_ID=$(%(_nft_list)s | %(_nft_get_handle_id)s) + delete rule $HANDLE_ID delete set f2b- # Option: actioncheck From 40c0bed82c649ad7731bbe33ba773a25e55a6163 Mon Sep 17 00:00:00 2001 
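Review bot: `nftables_type` documents `ipv6_addr` as a valid value and `nftables_family` allows `ip6`/`inet`, but the rule inserted by `actionstart` in the preceding hunk and the handle lookup both hard-code `ip saddr @f2b-…`, which selects IPv4 source addresses only, so an `ipv6_addr` set behind `ip saddr` cannot work. Either derive the selector from the type (e.g. an `nftables_saddr` option defaulting to `ip saddr`, set to `ip6 saddr` for the v6 case) or state in the `nftables_type` comment that `ipv6_addr` is not usable until the rule is parameterised.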
From: local Date: Sun, 10 Jan 2016 00:05:03 +0100 Subject: [PATCH 35/42] action_mw, action_mwl, action_cf_mwl ignore the "sender" option when sending a notification email. This commit adds "sender="%(sender)s"" to the three actions to correct this issue. --- config/jail.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/jail.conf b/config/jail.conf index 7560f582..2bf28f6d 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -164,12 +164,12 @@ action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s # ban & send an e-mail with whois report to the destemail. action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] + %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report and relevant log lines # to the destemail. action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] + %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] # See the IMPORTANT note in action.d/xarf-login-attack for when to use this action # 
@@ -181,7 +181,7 @@ action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(po # ban IP on CloudFlare & send an e-mail with whois report and relevant log lines # to the destemail. action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] - %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] + %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] # Report block via blocklist.de fail2ban reporting service API # From 58a8736e0f2e35eba89b3b236fbfafae84194821 Mon Sep 17 00:00:00 2001 From: local Date: Sun, 10 Jan 2016 00:10:05 +0100 Subject: [PATCH 36/42] Updating changelog. --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 36c727fe..2220097e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -29,6 +29,7 @@ ver. 0.9.4 (2015/XX/XXX) - wanna-be-released * Use postfix_log logpath for postfix-rbl jail * filters.d/postfix.conf - add 'Sender address rejected: Domain not found' failregex * use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc (gh-1271) + * Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl - New Features: * New interpolation feature for definition config readers - `` From d7b46509d86cbf7fce447a7439bcfcfc91801cc8 Mon Sep 17 00:00:00 2001 From: Jordan Moeser Date: Tue, 12 Jan 2016 08:37:33 +1000 Subject: [PATCH 37/42] Update haproxy-http-auth.conf Updated failregex to be more strict --- config/filter.d/haproxy-http-auth.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/haproxy-http-auth.conf b/config/filter.d/haproxy-http-auth.conf index 7c371dde..298ca292 100644 --- a/config/filter.d/haproxy-http-auth.conf +++ b/config/filter.d/haproxy-http-auth.conf 
@@ -28,7 +28,7 @@ _daemon = haproxy
 # (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
-failregex = ^%(__prefix_line)s.*NOSRV.*401
+failregex = ^%(__prefix_line)s.* -1/-1/-1/-1/\+*\d* 401
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
From 294a7790a9a32f98448e1e2a2d7a5cfdf741c35f Mon Sep 17 00:00:00 2001
From: Louis Sautier
Date: Thu, 28 Jan 2016 23:40:34 +0100
Subject: [PATCH 38/42] gentoo-initd: do not hide useful output
Gentoo applies a patch for this: https://bugs.gentoo.org/show_bug.cgi?id=536320
---
 files/gentoo-initd | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/files/gentoo-initd b/files/gentoo-initd
index 98c5edf9..e939b987 100755
--- a/files/gentoo-initd
+++ b/files/gentoo-initd
@@ -34,19 +34,19 @@ start() {
 # remove stalled sock file after system crash
 # bug 347477
 rm -f /var/run/fail2ban/fail2ban.sock || return 1
- ${FAIL2BAN} start &> /dev/null
+ ${FAIL2BAN} start
 eend $? "Failed to start fail2ban"
 }
 stop() {
 ebegin "Stopping fail2ban"
- ${FAIL2BAN} stop &> /dev/null
+ ${FAIL2BAN} stop
 eend $? "Failed to stop fail2ban"
 }
 reload() {
 ebegin "Reloading fail2ban"
- ${FAIL2BAN} reload > /dev/null
+ ${FAIL2BAN} reload
 eend $? "Failed to reload fail2ban"
 }
From 869d99dd377ff45efa5796bb3be2500e41f32dc3 Mon Sep 17 00:00:00 2001
From: Louis Sautier
Date: Thu, 28 Jan 2016 23:52:02 +0100
Subject: [PATCH 39/42] Remove compression and count from logrotate
Initially reported at https://bugs.gentoo.org/show_bug.cgi?id=549856
---
 ChangeLog | 2 ++
 files/fail2ban-logrotate | 4 +---
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 4460f94c..69245dc9 100644
--- a/ChangeLog
+++ b/ChangeLog
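Review bot: The timer pattern `-1/-1/-1/-1/\+*\d* 401` in the new failregex accepts an empty last field and any run of `+` signs, so the apparent intent (an optional `+` prefix followed by a number) is expressed more tightly as `failregex = ^%(__prefix_line)s.* -1/-1/-1/-1/\+?\d+ 401`. The expression is also still open-ended, so `401` only has to appear somewhere after that field rather than in the status position; if a following field is always present in this log format, a trailing constraint would close that gap. No sample line was added under `fail2ban/tests/files/logs/` for this filter, so the stricter expression has no regression test, unlike the postfix and asterisk filter changes later in this series.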
@@ -30,6 +30,8 @@ ver. 0.9.4 (2015/XX/XXX) - wanna-be-released
 * filters.d/postfix.conf - add 'Sender address rejected: Domain not found' failregex
 * use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc (gh-1271)
 * Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl
+ * Remove compression and rotation count from logrotate (inherit them from
+ the global logrotate config)
 - New Features:
 * New interpolation feature for definition config readers - ``
diff --git a/files/fail2ban-logrotate b/files/fail2ban-logrotate
index 8d94a8b3..13a94537 100644
--- a/files/fail2ban-logrotate
+++ b/files/fail2ban-logrotate
@@ -6,11 +6,9 @@
 # https://github.com/fail2ban/fail2ban/blob/debian/debian/fail2ban.logrotate
 /var/log/fail2ban.log {
- rotate 7
 missingok
 notifempty
- compress
 postrotate
- /usr/bin/fail2ban-client flushlogs 1>/dev/null || true
+ /usr/bin/fail2ban-client flushlogs >/dev/null || true
 endscript
 }
From b5a07741c82acdb9448584a0d39d3df09d28e162 Mon Sep 17 00:00:00 2001
From: Pierre GINDRAUD
Date: Mon, 8 Feb 2016 11:08:10 +0100
Subject: [PATCH 40/42] Add new regex into postfix filter.
The new regexp is able to detect bad formatted SMTP EHLO command
---
 ChangeLog | 1 +
 config/filter.d/postfix.conf | 1 +
 fail2ban/tests/files/logs/postfix | 3 +++
 3 files changed, 5 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 4460f94c..644a6d16 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -79,6 +79,7 @@ ver. 0.9.4 (2015/XX/XXX) - wanna-be-released
 .service file -- would reload fail2ban if those services are restarted
 * Provides new default `fail2ban_version` and interpolation variable
 `fail2ban_agent` in jail.conf
+ * Enhance filter 'postfix' to ban incoming SMTP client with no fqdn hostname
 ver. 0.9.3 (2015/08/01) - lets-all-stay-friends
diff --git a/config/filter.d/postfix.conf b/config/filter.d/postfix.conf
index f6a8578b..25141863 100644
--- a/config/filter.d/postfix.conf
+++ b/config/filter.d/postfix.conf
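Review bot: Removing `rotate 7` makes the retention of fail2ban.log depend on the global logrotate configuration supplying a count; where it does not, logrotate's built-in default is 0 and the previous log is deleted at rotation instead of kept, and this log is often the only record of what was banned and why when an incident is reviewed. If inheriting from the global config is the intent, it should be stated next to the block, e.g. `# rotation count and compression are inherited from the global logrotate config`, so a packager does not read the bare block as "no retention". The `1>/dev/null` to `>/dev/null` edit on the flushlogs line is equivalent and fine.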
@@ -15,6 +15,7 @@ _daemon = postfix/(submission/)?smtp(d|s) failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 554 5\.7\.1 .*$ ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$ ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$ + ^%(__prefix_line)sNOQUEUE: reject: EHLO from \S+\[\]: 504 5\.5\.2 <\S+>: Helo command rejected: need fully-qualified hostname; ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[\]: 550 5\.1\.1 .*$ ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 450 4\.1\.8 <\S*>: Sender address rejected: Domain not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$ ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[\]:?$ diff --git a/fail2ban/tests/files/logs/postfix b/fail2ban/tests/files/logs/postfix index 4934a29e..800c7f0c 100644 --- a/fail2ban/tests/files/logs/postfix +++ b/fail2ban/tests/files/logs/postfix @@ -26,3 +26,6 @@ Dec 21 21:17:29 xxx postfix/smtpd[7150]: NOQUEUE: reject: RCPT from badserver.ex # failJSON: { "time": "2004-11-22T22:33:44", "match": true , "host": "1.2.3.4" } Nov 22 22:33:44 xxx postfix/smtpd[11111]: NOQUEUE: reject: RCPT from 1-2-3-4.example.com[1.2.3.4]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo=<1-2-3-4.example.com> + +# failJSON: { "time": "2005-01-31T13:55:24", "match": true , "host": "78.107.251.238" } +Jan 31 13:55:24 xxx postfix/smtpd[3462]: NOQUEUE: reject: EHLO from s271272.static.corbina.ru[78.107.251.238]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; proto=SMTP helo= From 257b7049d859c45f514fd1d9c83eed85cdc48384 Mon Sep 17 00:00:00 2001 
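Review bot: The new EHLO rule is the only entry in this failregex that does not end with `$`; it stops at `need fully-qualified hostname;` while the added fixture line continues with `proto=SMTP helo=...`, so a tail mirroring the sibling rules, `; proto=E?SMTP helo=<\S*>$`, would keep the anchoring consistent (the fixture shows `proto=SMTP`, not the `proto=ESMTP` the other rules require, hence `E?`). The `<\S+>` before `: Helo command rejected` requires a non-empty bracketed HELO argument; in the fixture line as rendered here that field is not visible, which looks like an artefact of the page rendering rather than of the file, but it is worth confirming the fixture really exercises that part. The failregex list may continue past the hunk.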
From: 3eBoP Date: Thu, 28 Jan 2016 14:41:10 +0100 Subject: [PATCH 41/42] Update asterisk filter: changed regex for "Call from ...". Sometimes extension can have a plus symbol (+) because they can be phone number. Closes #1309 --- ChangeLog | 1 + config/filter.d/asterisk.conf | 2 +- fail2ban/tests/files/logs/asterisk | 8 ++++++++ 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 644a6d16..e128a91a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -30,6 +30,7 @@ ver. 0.9.4 (2015/XX/XXX) - wanna-be-released * filters.d/postfix.conf - add 'Sender address rejected: Domain not found' failregex * use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc (gh-1271) * Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl + * Changed filter.d/asterisk regex for "Call from ..." (few vulnerable now) - New Features: * New interpolation feature for definition config readers - `` diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf index b446c44e..6ce65c4f 100644 --- a/config/filter.d/asterisk.conf +++ b/config/filter.d/asterisk.conf 
@@ -19,7 +19,7 @@ iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4} log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)? failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$ - ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$ + ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(:\d+\) to extension '[\d+]+' rejected because extension not found in context 'default'\.$ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host failed to authenticate as '[^']*'$ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from \)$ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host failed MD5 authentication for '[^']*' \([^)]+\)$ diff --git a/fail2ban/tests/files/logs/asterisk b/fail2ban/tests/files/logs/asterisk index ab018ba9..57b53a02 100644 --- a/fail2ban/tests/files/logs/asterisk +++ b/fail2ban/tests/files/logs/asterisk 
@@ -59,3 +59,11 @@ Nov 4 18:30:40 localhost asterisk[32229]: NOTICE[32257]: chan_sip.c:23417 in han # match UTF-8 in SessionID # failJSON: { "time": "2015-05-25T07:52:36", "match": true, "host": "10.250.251.252" } [2015-05-25 07:52:36] SECURITY[6988] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2015-05-25T07:52:36.888+0300",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="70000180",SessionID="Негодяй",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/10.250.251.252/5061" + +# match phone numbers with + symbol +# failJSON: { "time": "2016-01-28T10:22:27", "match": true , "host": "1.2.3.4" } +[2016-01-28 10:22:27] NOTICE[3477][C-000003bb] chan_sip.c: Call from '' (1.2.3.4:10836) to extension '++441772285411' rejected because extension not found in context 'default'. +# failJSON: { "time": "2016-01-28T10:23:57", "match": true , "host": "1.2.3.4" } +[2016-01-28 10:23:57] NOTICE[3477][C-000003bc] chan_sip.c: Call from '' (1.2.3.4:10836) to extension '+441772285403' rejected because extension not found in context 'default'. +# failJSON: { "time": "2016-01-28T10:34:31", "match": true , "host": "1.2.3.4" } +[2016-01-28 10:34:31] NOTICE[3477][C-000003c3] chan_sip.c: Call from '' (1.2.3.4:10836) to extension '0+441772285407' rejected because extension not found in context 'default'. From d8e81eb417ae0e91b077c5c8b2fad26a9ff6de87 Mon Sep 17 00:00:00 2001 From: sebres Date: Mon, 8 Feb 2016 11:47:21 +0100 Subject: [PATCH 42/42] regexp rewritten (few vulnerable as previous) + test case added --- config/filter.d/asterisk.conf | 2 +- fail2ban/tests/files/logs/asterisk | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf index 6ce65c4f..3975fb29 100644 --- a/config/filter.d/asterisk.conf +++ b/config/filter.d/asterisk.conf 
@@ -19,7 +19,7 @@ iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4} log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)? failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$ - ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(:\d+\) to extension '[\d+]+' rejected because extension not found in context 'default'\.$ + ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(:\d+\) to extension '[^']*' rejected because extension not found in context ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host failed to authenticate as '[^']*'$ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from \)$ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host failed MD5 authentication for '[^']*' \([^)]+\)$ diff --git a/fail2ban/tests/files/logs/asterisk b/fail2ban/tests/files/logs/asterisk index 57b53a02..aa32a290 100644 --- a/fail2ban/tests/files/logs/asterisk +++ b/fail2ban/tests/files/logs/asterisk 
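Review bot: The rewritten `Call from` rule ends at `in context` with no end anchor, making it the only line in this failregex without `$`; `... rejected because extension not found in context '[^']*'\.$` would still match the `'my-context'` fixture added in the next hunk while keeping the closing quote and period anchored like the sibling rules. Since both the caller and the extension are now `[^']*`, the line accepts any quoted content there, which is what the `+`-prefixed and empty-extension fixtures cover. The failregex value continues outside the hunk.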
@@ -60,10 +60,10 @@ Nov 4 18:30:40 localhost asterisk[32229]: NOTICE[32257]: chan_sip.c:23417 in han # failJSON: { "time": "2015-05-25T07:52:36", "match": true, "host": "10.250.251.252" } [2015-05-25 07:52:36] SECURITY[6988] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2015-05-25T07:52:36.888+0300",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="70000180",SessionID="Негодяй",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/10.250.251.252/5061" -# match phone numbers with + symbol +# match phone numbers with + symbol (and without number, or other context) # failJSON: { "time": "2016-01-28T10:22:27", "match": true , "host": "1.2.3.4" } [2016-01-28 10:22:27] NOTICE[3477][C-000003bb] chan_sip.c: Call from '' (1.2.3.4:10836) to extension '++441772285411' rejected because extension not found in context 'default'. -# failJSON: { "time": "2016-01-28T10:23:57", "match": true , "host": "1.2.3.4" } -[2016-01-28 10:23:57] NOTICE[3477][C-000003bc] chan_sip.c: Call from '' (1.2.3.4:10836) to extension '+441772285403' rejected because extension not found in context 'default'. # failJSON: { "time": "2016-01-28T10:34:31", "match": true , "host": "1.2.3.4" } [2016-01-28 10:34:31] NOTICE[3477][C-000003c3] chan_sip.c: Call from '' (1.2.3.4:10836) to extension '0+441772285407' rejected because extension not found in context 'default'. +# failJSON: { "time": "2016-01-28T10:34:33", "match": true , "host": "1.2.3.4" } +[2016-01-28 10:34:33] NOTICE[3477][C-000003c3] chan_sip.c: Call from '' (1.2.3.4:10836) to extension '' rejected because extension not found in context 'my-context'.