github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'master' into 0.10

pull/1824/head
sebres 2017-07-03 12:43:48 +02:00
parent 1307e0a5b9 9f55ed86df
commit 33fcf8d809
4 changed files with 19 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ChangeLog
View File

@ -325,6 +325,9 @@ releases.
### Fixes ### Fixes
* Fix for systemd-backend: fail2ban hits the ulimit (out of file descriptors), see gh-991. * Fix for systemd-backend: fail2ban hits the ulimit (out of file descriptors), see gh-991.
Partially back-ported from v.0.10. Partially back-ported from v.0.10.
* action.d/bsd-ipfw.conf
- Make the rule number, the action starts looking for a free slot to insert
the new rule, configurable (gh-1689)
* filter.d/apache-overflows.conf: * filter.d/apache-overflows.conf:
- Fixes resources greedy expression (see gh-1790); - Fixes resources greedy expression (see gh-1790);
- Rewritten without end-anchor ($), because of potential vulnerability on very long URLs. - Rewritten without end-anchor ($), because of potential vulnerability on very long URLs.

10
config/action.d/bsd-ipfw.conf
View File

@ -14,7 +14,7 @@
# Notes.: command executed once at the start of Fail2Ban. # Notes.: command executed once at the start of Fail2Ban.
# Values: CMD # Values: CMD
# #
actionstart = ipfw show | fgrep -q 'table(<table>)' || ( ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e <br> else exit b }'; num=$?; ipfw -q add $num <blocktype> <block> from table\(<table>\) to me <port>; echo $num > "<startstatefile>" ) actionstart = ipfw show | fgrep -q 'table(<table>)' || ( ipfw show | awk 'BEGIN { b = <lowest_rule_num> } { if ($1 < b) {} else if ($1 == b) { b = $1 + 1 } else { e = b } } END { if (e) exit e <br> else exit b }'; num=$?; ipfw -q add $num <blocktype> <block> from table\(<table>\) to me <port>; echo $num > "<startstatefile>" )
# Option: actionstop # Option: actionstop
@ -81,3 +81,11 @@ block = ip
# Values: STRING # Values: STRING
# #
blocktype = unreach port blocktype = unreach port
# Option: lowest_rule_num
# Notes: When fail2ban starts with action and there is no rule for the given table yet
# then fail2ban will start looking for an empty slot starting with this rule number.
# Values: NUM
lowest_rule_num = 111

3
config/filter.d/proftpd.conf
View File

@ -27,5 +27,8 @@ failregex = ^USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$
ignoreregex = ignoreregex =
[Init]
journalmatch = _SYSTEMD_UNIT=proftpd.service
# Author: Yaroslav Halchenko # Author: Yaroslav Halchenko
# Daniel Black - hardening of regex # Daniel Black - hardening of regex

9
fail2ban/tests/banmanagertestcase.py
View File

@ -198,13 +198,12 @@ class StatusExtendedCymruInfo(unittest.TestCase):
"country": ["nxdomain"], "country": ["nxdomain"],
"rir": ["nxdomain"]}) "rir": ["nxdomain"]})
# even for private IPs ASNs defined
# Since it outputs for all active tickets we would get previous results # Since it outputs for all active tickets we would get previous results
# and new ones # and new ones
ticket = BanTicket("10.0.0.0", 1167606000.0) ticket = BanTicket("8.0.0.0", 1167606000.0)
self.assertTrue(self.__banManager.addBanTicket(ticket)) self.assertTrue(self.__banManager.addBanTicket(ticket))
cymru_info = self._getBanListExtendedCymruInfo() cymru_info = self._getBanListExtendedCymruInfo()
self.assertDictEqual(dict((k, sorted(v)) for k, v in cymru_info.iteritems()), self.assertDictEqual(dict((k, sorted(v)) for k, v in cymru_info.iteritems()),
{"asn": sorted(["nxdomain", "4565",]), {"asn": sorted(["nxdomain", "3356",]),
"country": sorted(["nxdomain", "unknown"]), "country": sorted(["nxdomain", "US"]),
"rir": sorted(["nxdomain", "other"])}) "rir": sorted(["nxdomain", "arin"])})