* Added a filter pam_generic to catch any login errors.

* Added iptables-allports.
pull/3/head
Yaroslav Halchenko 2007-06-25 16:51:05 +00:00
parent bc0806d459
commit 2e55bc57c7
5 changed files with 142 additions and 0 deletions

2
debian/changelog vendored
View File

@ -4,6 +4,8 @@ fail2ban (0.8.0-3~pre1) unstable; urgency=low
Andrewartha. Andrewartha.
* Added optional regexp entry for process PID in some entries (closes: * Added optional regexp entry for process PID in some entries (closes:
#426050). Thanks Roderick Schertler. #426050). Thanks Roderick Schertler.
* Added a filter pam_generic to catch any login errors.
* Added iptables-allports.
-- Yaroslav Halchenko <debian@onerussian.com> Tue, 19 Jun 2007 23:04:02 -0400 -- Yaroslav Halchenko <debian@onerussian.com> Tue, 19 Jun 2007 23:04:02 -0400

10
debian/jail.conf vendored
View File

@ -87,6 +87,16 @@ filter = sshd
logpath = /var/log/auth.log logpath = /var/log/auth.log
maxretry = 6 maxretry = 6
# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]
enabled = false
filter = pam-generic
banaction = iptables-allports
logpath = /var/log/auth.log
maxretry = 6
[ssh-ddos] [ssh-ddos]

82
debian/patches/00_iptables_allports.dpatch vendored Executable file
View File

@ -0,0 +1,82 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 00_iptables_allports.dpatch by Yaroslav Halchenko <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad trunk~/config/action.d/iptables-allports.conf trunk/config/action.d/iptables-allports.conf
--- trunk~/config/action.d/iptables-allports.conf 1969-12-31 19:00:00.000000000 -0500
+++ trunk/config/action.d/iptables-allports.conf 2007-06-25 12:49:34.000000000 -0400
@@ -0,0 +1,71 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
+# made active on all ports from original iptables.conf
+#
+# $Revision: $
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = iptables -N fail2ban-<name>
+ iptables -A fail2ban-<name> -j RETURN
+ iptables -I INPUT -p <protocol> -j fail2ban-<name>
+
+# Option: actionend
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = iptables -D INPUT -p <protocol> -j fail2ban-<name>
+ iptables -F fail2ban-<name>
+ iptables -X fail2ban-<name>
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# <failures> number of failures
+# <time> unix timestamp of the ban time
+# Values: CMD
+#
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# <failures> number of failures
+# <time> unix timestamp of the ban time
+# Values: CMD
+#
+actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+
+[Init]
+
+# Defaut name of the chain
+#
+name = default
+
+# Option: port
+# Notes.: specifies port to monitor
+# Values: [ NUM | STRING ] Default:
+#
+port = ssh
+
+# Option: protocol
+# Notes.: internally used by config reader for interpolations.
+# Values: [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+

46
debian/patches/00_pam_generic.dpatch vendored Executable file
View File

@ -0,0 +1,46 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 00_pam_generic.dpatch by Yaroslav Halchenko <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Filter and examples for a filter generic for any login errors reported with pam_unix.so
@DPATCH@
diff -urNad trunk~/config/filter.d/pam-generic.conf trunk/config/filter.d/pam-generic.conf
--- trunk~/config/filter.d/pam-generic.conf 1969-12-31 19:00:00.000000000 -0500
+++ trunk/config/filter.d/pam-generic.conf 2007-06-25 12:41:38.000000000 -0400
@@ -0,0 +1,26 @@
+# Fail2Ban configuration file for wuftpd
+#
+# Author: Yaroslav Halchenko
+#
+# $Revision: $
+#
+
+[Definition]
+
+# if you want to catch only login erros from specific daemons, use smth like
+#_ttys_re=(?:ssh|pure-ftpd)
+# To catch all failed logins
+_ttys_re=\S*
+
+#
+# Shortcuts for easier comprehension of the failregex
+__pid_re=(?:\[\d+\])
+__pam_re=\(pam_unix\)
+__pam_combs_re=(?:%(__pid_re)s?:\s+%(__pam_re)s|%(__pam_re)s%(__pid_re)s?:)
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile.
+# Values: TEXT
+#
+failregex = \s\S+ \S+%(__pam_combs_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+
diff -urNad trunk~/config/filter.d/pam-generic.examples trunk/config/filter.d/pam-generic.examples
--- trunk~/config/filter.d/pam-generic.examples 1969-12-31 19:00:00.000000000 -0500
+++ trunk/config/filter.d/pam-generic.examples 2007-06-25 12:41:38.000000000 -0400
@@ -0,0 +1,5 @@
+Feb 7 15:10:42 example pure-ftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=sample-user rhost=192.168.1.1
+May 12 09:47:54 vaio sshd[16004]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71-13-115-12.static.mdsn.wi.charter.com user=root
+May 12 09:48:03 vaio sshd[16021]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71-13-115-12.static.mdsn.wi.charter.com
+May 15 18:02:12 localhost proftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=66.232.129.62 user=mark
+Nov 25 17:12:13 webmail pop(pam_unix)[4920]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.10.3 user=mailuser

View File

@ -2,3 +2,5 @@
00_HOST_ignoreregex 00_HOST_ignoreregex
00_daemon_pids 00_daemon_pids
10_dbts_manpages 10_dbts_manpages
00_iptables_allports
00_pam_generic