From 9fb167b5e11530df0383aac858a17fcaf638a6aa Mon Sep 17 00:00:00 2001 From: sebres Date: Fri, 9 Sep 2016 09:14:29 +0200 Subject: [PATCH 1/5] filter.d/vsftpd.conf: optional reason message after FAIL LOGIN, closes #1543 --- ChangeLog | 3 +++ config/filter.d/vsftpd.conf | 2 +- fail2ban/tests/files/logs/vsftpd | 3 +++ 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 5f97c9965..ff68bab8c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -32,6 +32,9 @@ releases. - Extended failregex and test cases to handle ASSP V1 and V2 (gh-1494) * `filter.d/postfix-sasl.conf` - Allow for having no trailing space after 'failed:' (gh-1497) +* `filter.d/vsftpd.conf` + - Optional reason part in message after FAIL LOGIN (gh-1543) + ### New Features diff --git a/config/filter.d/vsftpd.conf b/config/filter.d/vsftpd.conf index 930b0d7eb..2ecc44d34 100644 --- a/config/filter.d/vsftpd.conf +++ b/config/filter.d/vsftpd.conf @@ -14,7 +14,7 @@ __pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:? _daemon = vsftpd failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=(?:\s+user=.*)?\s*$ - ^ \[pid \d+\] \[.+\] FAIL LOGIN: Client ""\s*$ + ^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client ""(?:\s*$|,) ignoreregex = diff --git a/fail2ban/tests/files/logs/vsftpd b/fail2ban/tests/files/logs/vsftpd index bcd7f6114..3205fac35 100644 --- a/fail2ban/tests/files/logs/vsftpd +++ b/fail2ban/tests/files/logs/vsftpd 
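Review bot: In the vsftpd.conf hunk the new tail `(?:\s*$|,)` stops matching at the first comma, so the second failregex is no longer anchored to the end of the record whenever a reason follows. The bracketed field before `FAIL LOGIN` carries the login name supplied by the client, and the address this expression extracts is the one that gets banned, so the rest of the line should stay constrained; whether vsftpd escapes quotes or brackets in that name is not visible here. Consider keeping the anchor and spelling out the optional part, for example `(?:,\s*"[^"]*")?\s*$`, and adding a `"match": false` sample to the test log for a line with unexpected text after the comma. The quoted client field renders empty on this page, so the host tag itself cannot be checked from here.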
@@ -12,3 +12,6 @@ Fri Jan 19 12:20:33 2007 [pid 27202] [anonymous] FAIL LOGIN: Client "64.106.46.9 # failJSON: { "time": "2004-10-23T21:15:42", "match": true , "host": "58.254.172.161" } Oct 23 21:15:42 vps vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=58.254.172.161 + +# failJSON: { "time": "2016-09-08T00:39:49", "match": true , "host": "192.0.2.1" } +Thu Sep 8 00:39:49 2016 [pid 15019] [guest] FAIL LOGIN: Client "::ffff:192.0.2.1", "User is not in the allow user list." From 1071db2256e5a39e5b0cbbe3dc37434e378bbffb Mon Sep 17 00:00:00 2001 From: "Serg G. Brester" Date: Tue, 20 Sep 2016 00:00:26 +0200 Subject: [PATCH 2/5] filter.py: easy-fix to use sha1 instead of md5 if its usage prohibited by some systems following strict standards (like FIPS) closes gh-1540 --- fail2ban/server/filter.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/fail2ban/server/filter.py b/fail2ban/server/filter.py index b2031096c..459a47d0a 100644 --- a/fail2ban/server/filter.py +++ b/fail2ban/server/filter.py @@ -742,7 +742,12 @@ class FileFilter(Filter): try: import hashlib - md5sum = hashlib.md5 + try: + md5sum = hashlib.md5 + # try to use it (several standards like FIPS forbid it): + md5sum(' ').hexdigest() + except: # pragma: no cover + md5sum = hashlib.sha1 except ImportError: # pragma: no cover # hashlib was introduced in Python 2.5. For compatibility with those # elderly Pythons, import from md5 From 0f1d1a0d4d4943317b8b5d1457b29c93a7a37dc8 Mon Sep 17 00:00:00 2001 From: sebres Date: Wed, 21 Sep 2016 09:22:18 +0200 Subject: [PATCH 3/5] ChangeLog: FIPS compliant --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index ff68bab8c..c46e795ec 100644 --- a/ChangeLog +++ b/ChangeLog 
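Review bot: In the filter.py hunk the probe `md5sum(' ').hexdigest()` passes a text string, which hashlib rejects with TypeError on Python 3, and the bare `except:` turns that into a silent switch to SHA-1 on every such interpreter, not only where MD5 is blocked. Probe with bytes and catch only the error a restricted build is expected to raise, e.g. `md5sum(' '.encode()).hexdigest()` under `except ValueError:` (confirm the exception type on a FIPS-enabled host). A bare `except:` also swallows KeyboardInterrupt and SystemExit at import time. The name `md5sum` can now hold SHA-1, so a short comment noting that digest length and value differ between hosts would help if the digest is ever persisted or compared; the enclosing try/except ImportError continues past the end of the hunk.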
@@ -23,6 +23,7 @@ releases. * Fixed test case "testSetupInstallRoot" for not default python version (also using direct call, out of virtualenv); * Fixed ambiguous wrong recognized date pattern resp. its optional parts (see gh-1512); +* FIPS compliant, use sha1 instead of md5 if it not allowed (see gh-1540) * `filter.d/asterisk.conf` - Fixed to match different asterisk log prefix (source file: method:) * `filter.d/ignorecommands/apache-fakegooglebot` From a406c6eb3a20621e43e84cb644ff2c19873d629f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Viktor=20Sz=C3=A9pe?= Date: Thu, 22 Sep 2016 20:29:26 +0000 Subject: [PATCH 4/5] By the author: > Yes, scripting is not supported in path. https://bitbucket.org/tildeslash/monit/issues/372/webadmin-shows-only-the-first-part-of#comment-27946048 --- files/monit/fail2ban | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/monit/fail2ban b/files/monit/fail2ban index 8e6c94190..7873dbe06 100644 --- a/files/monit/fail2ban +++ b/files/monit/fail2ban @@ -1,7 +1,7 @@ check process fail2ban with pidfile /var/run/fail2ban/fail2ban.pid group services start program = "/etc/init.d/fail2ban force-start" - stop program = "/etc/init.d/fail2ban stop || :" + stop program = "/etc/init.d/fail2ban stop" if failed unixsocket /var/run/fail2ban/fail2ban.sock then restart if 5 restarts within 5 cycles then timeout From 8e3e333d54e4cef7332fdc4a8eea25bc1c2b30a5 Mon Sep 17 00:00:00 2001 From: "Serg G. Brester" Date: Tue, 27 Sep 2016 14:17:45 +0200 Subject: [PATCH 5/5] Update ChangeLog --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index c46e795ec..4f4c28639 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -24,6 +24,7 @@ releases. using direct call, out of virtualenv); * Fixed ambiguous wrong recognized date pattern resp. its optional parts (see gh-1512); * FIPS compliant, use sha1 instead of md5 if it not allowed (see gh-1540) +* Monit config: scripting is not supported in path (gh-1556) * `filter.d/asterisk.conf` - Fixed to match different asterisk log prefix (source file: method:) * `filter.d/ignorecommands/apache-fakegooglebot`