Merge branch 'master' into 0.10

2017-07-03 12:43:48 +02:00 · 2017-07-03 12:43:48 +02:00 · 33fcf8d809
parent 1307e0a5b9 9f55ed86df
commit 33fcf8d809
4 changed files with 19 additions and 6 deletions
--- a/3
+++ b/3
@ -325,6 +325,9 @@ releases.
 ### Fixes
 * Fix for systemd-backend: fail2ban hits the ulimit (out of file descriptors), see gh-991.
  Partially back-ported from v.0.10.
+* action.d/bsd-ipfw.conf
+    - Make the rule number, the action starts looking for a free slot to insert
+      the new rule, configurable (gh-1689)
 * filter.d/apache-overflows.conf:
    - Fixes resources greedy expression (see gh-1790);
    - Rewritten without end-anchor ($), because of potential vulnerability on very long URLs.
--- a/config/action.d/bsd-ipfw.conf
+++ b/config/action.d/bsd-ipfw.conf
@ -14,7 +14,7 @@
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = ipfw show | fgrep -q 'table(<table>)' || ( ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e <br> else exit b }'; num=$?; ipfw -q add $num <blocktype> <block> from table\(<table>\) to me <port>; echo $num > "<startstatefile>" )
+actionstart = ipfw show | fgrep -q 'table(<table>)' || ( ipfw show | awk 'BEGIN { b = <lowest_rule_num> } { if ($1 < b) {} else if ($1 == b) { b = $1 + 1 } else { e = b } } END { if (e) exit e <br> else exit b }'; num=$?; ipfw -q add $num <blocktype> <block> from table\(<table>\) to me <port>; echo $num > "<startstatefile>" )


 # Option:  actionstop
@ -81,3 +81,11 @@ block = ip
 # Values:  STRING
 #
 blocktype = unreach port
+
+# Option:  lowest_rule_num
+# Notes:   When fail2ban starts with action and there is no rule for the given table yet
+#          then fail2ban will start looking for an empty slot starting with this rule number.
+# Values:  NUM
+lowest_rule_num = 111
+
+
--- a/config/filter.d/proftpd.conf
+++ b/config/filter.d/proftpd.conf
@ -27,5 +27,8 @@ failregex = ^USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$

 ignoreregex = 

+[Init]
+journalmatch = _SYSTEMD_UNIT=proftpd.service
+
 # Author: Yaroslav Halchenko
 #         Daniel Black - hardening of regex
--- a/fail2ban/tests/banmanagertestcase.py
+++ b/fail2ban/tests/banmanagertestcase.py
@ -198,13 +198,12 @@ class StatusExtendedCymruInfo(unittest.TestCase):
 						   "country": ["nxdomain"],
 						   "rir": ["nxdomain"]})

-		# even for private IPs ASNs defined
 		# Since it outputs for all active tickets we would get previous results
 		# and new ones
-		ticket = BanTicket("10.0.0.0", 1167606000.0)
+		ticket = BanTicket("8.0.0.0", 1167606000.0)
 		self.assertTrue(self.__banManager.addBanTicket(ticket))
 		cymru_info = self._getBanListExtendedCymruInfo()
 		self.assertDictEqual(dict((k, sorted(v)) for k, v in cymru_info.iteritems()),
-						  {"asn": sorted(["nxdomain", "4565",]),
-						   "country": sorted(["nxdomain", "unknown"]),
-						   "rir": sorted(["nxdomain", "other"])})
+						  {"asn": sorted(["nxdomain", "3356",]),
+						   "country": sorted(["nxdomain", "US"]),
+						   "rir": sorted(["nxdomain", "arin"])})