From 8f792f52fbbb92c0ac2ede441b9f5b986114b88d Mon Sep 17 00:00:00 2001
From: Lee Clemens
Date: Mon, 27 Apr 2015 13:10:27 -0400
Subject: [PATCH 1/4] Add drupal-auth filter and jail

---
 ChangeLog | 1 +
 config/filter.d/drupal-auth.conf | 26 ++++++++++++++++++++++++++
 config/jail.conf | 5 +++++
 fail2ban/tests/files/logs/drupal-auth | 7 +++++++
 4 files changed, 39 insertions(+)
 create mode 100644 config/filter.d/drupal-auth.conf
 create mode 100644 fail2ban/tests/files/logs/drupal-auth

diff --git a/ChangeLog b/ChangeLog
index 97d2b08d..02eac37a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -50,6 +50,7 @@ ver. 0.9.2 (2014/XX/XXX) - wanna-be-released
 - postfix-rbl Thanks Lee Clemens
 - apache-fakegooglebot.conf Thanks Lee Clemens
 - nginx-botsearch Thanks Frantisek Sumsal
+ - drupal-auth Thanks Lee Clemens
 - New recursive embedded substitution feature added:
 - `<HOST>` becomes `` for PREF=`IPV4`;
 - `<HOST>` becomes `1.2.3.4` for PREF=`IPV4` and IPV4HOST=`1.2.3.4`;
diff --git a/config/filter.d/drupal-auth.conf b/config/filter.d/drupal-auth.conf
new file mode 100644
index 00000000..b60abe3e
--- /dev/null
+++ b/config/filter.d/drupal-auth.conf
@@ -0,0 +1,26 @@
+# Fail2Ban filter to block repeated failed login attempts to Drupal site(s)
+#
+#
+# Drupal must be setup to use Syslog, which defaults to the following format:
+#
+# !base_url|!timestamp|!type|!ip|!request_uri|!referer|!uid|!link|!message
+#
+#
+
+[INCLUDES]
+
+before = common.conf
+
+
+[Definition]
+
+failregex = ^%(__prefix_line)s(https?:\/\/)([\da-z\.-]+)\.([a-z\.]{2,6})(\/[\w\.-]+)*\|\d{10}\|user\|\|.+\|.+\|\d\|.*\|Login attempt failed for .+\.$
+
+ignoreregex =
+
+
+# DEV Notes:
+#
+# https://www.drupal.org/documentation/modules/syslog
+#
+# Author: Lee Clemens
diff --git a/config/jail.conf b/config/jail.conf
index c7946660..732aeab9 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -385,6 +385,11 @@ maxretry = 5
 
 #
 #
+[drupal-auth]
+
+port = http,https
+logpath = %(syslog_daemon)s
+
 [guacamole]
 
 port = http,https
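Review bot: The failregex in drupal-auth.conf hard-codes the shape of Drupal's `!base_url` column — `([\da-z\.-]+)\.([a-z\.]{2,6})` only matches a lowercase hostname with a 2–6 letter TLD and no port, so a site served as, say, `https://intranet:8443` (constructed example), from an IP literal, or under a longer gTLD never matches and its failed logins are never counted, with nothing in the log to show why; `\d{10}` for the timestamp and a single `\d` for `!uid` are similarly narrower than the field. Because the banned address comes from Drupal's own `!ip` column and the line is anchored at both ends, the base_url can be matched loosely, and `[^|]*` per column keeps the client-supplied `!request_uri`/`!referer` fields from being spanned by a greedy `.+`: `failregex = ^%(__prefix_line)shttps?:\/\/[^|]+\|\d+\|user\|<HOST>\|[^|]*\|[^|]*\|\d+\|[^|]*\|Login attempt failed for .+\.$`. The `<HOST>` tag between `user\|` and the following `\|` is stripped in this rendering but is where the address is captured, as the test log's `"host": "1.2.3.4"` expectation confirms. The header comment should also say that the filter depends on Drupal's default, configurable syslog log format and on the messages landing in the file the jail reads, since `__prefix_line` otherwise never matches.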
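Review bot: `logpath = %(syslog_daemon)s` in the new `[drupal-auth]` jail assumes Drupal's messages reach the daemon facility log, but as far as I recall Drupal's syslog module defaults to the LOG_LOCAL0 facility and lets the administrator pick another, in which case the jail reads a file that never contains the lines and silently bans nothing. A comment above the section would make the prerequisite visible before the jail is enabled, e.g. `# requires Drupal's syslog module to log to the daemon facility; adjust logpath to match the configured facility`. The section follows the neighbouring `[guacamole]` convention of relying on the default `filter = %(__name__)s`, which is consistent with the rest of jail.conf.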
diff --git a/fail2ban/tests/files/logs/drupal-auth b/fail2ban/tests/files/logs/drupal-auth
new file mode 100644
index 00000000..5e7194d9
--- /dev/null
+++ b/fail2ban/tests/files/logs/drupal-auth
@@ -0,0 +1,7 @@
+# failJSON: { "time": "2005-04-26T13:15:25", "match": true , "host": "1.2.3.4" }
+Apr 26 13:15:25 webserver example.com: https://example.com|1430068525|user|1.2.3.4|https://example.com/?q=user|https://example.com/?q=user|0||Login attempt failed for drupaladmin.
+# failJSON: { "time": "2005-04-26T13:15:25", "match": true , "host": "1.2.3.4" }
+Apr 26 13:15:25 webserver example.com: https://example.com/subdir|1430068525|user|1.2.3.4|https://example.com/subdir/user|https://example.com/subdir/user|0||Login attempt failed for drupaladmin.
+
+# failJSON: { "time": "2005-04-26T13:19:08", "match": false , "host": "1.2.3.4" }
+Apr 26 13:19:08 webserver example.com: https://example.com|1430068748|user|1.2.3.4|https://example.com/user|https://example.com/user|1||Session opened for drupaladmin.

From 7ae0ef24082a118b7addcfb9907281b24ff1081c Mon Sep 17 00:00:00 2001
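Review bot: The three samples only exercise a lowercase `example.com` base URL with uid `0` or `1`, so the filter's narrow base_url, `\d{10}` and single-digit `!uid` patterns are never challenged; adding a positive sample with a port or an IP-literal base URL (e.g. `https://localhost:8080|...`, constructed), and one where the client-controlled `!referer` column contains a `|`, would show whether the match and the extracted host survive such input. The `"match": false` line for `Session opened` is a good negative case, and the expected `"host": "1.2.3.4"` confirms the address is taken from Drupal's `!ip` column rather than from the referer, which is the right source. A comment at the top of the file stating which Drupal syslog identity and format the lines were captured with would help whoever regenerates the samples.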
From: Aaron Brice
Date: Fri, 24 Apr 2015 17:19:31 -0700
Subject: [PATCH 2/4] Fix actions in ufw.conf

On Ubuntu 15.04 the ufw action was not working.
- With empty , receiving errors:
2015-04-24 16:28:35,204 fail2ban.filter [8527]: INFO [sshd] Found 43.255.190.157
2015-04-24 16:28:35,695 fail2ban.actions [8527]: NOTICE [sshd] Ban 43.255.190.157
2015-04-24 16:28:35,802 fail2ban.action [8527]: ERROR [ -n "" ] && app="app " -- stdout: b''
2015-04-24 16:28:35,803 fail2ban.action [8527]: ERROR [ -n "" ] && app="app " -- stderr: b''
2015-04-24 16:28:35,803 fail2ban.action [8527]: ERROR [ -n "" ] && app="app " -- returned 1
- With action = ufw[application=OpenSSH], it was silently not doing anything (no errors after "Ban x.x.x.x", but no IP addresses in ufw status).
Re-arranged the bash commands on two lines, and it works with or without .
---
 ChangeLog | 1 +
 THANKS | 1 +
 config/action.d/ufw.conf | 6 ++++--
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 02eac37a..dcc516f9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,6 +11,7 @@ ver. 0.9.2 (2014/XX/XXX) - wanna-be-released
 -----------
 
 - Fixes:
+ * Fix ufw action commands
 * infinite busy loop on _escapedTags match in substituteRecursiveTags gh-907.
 Thanks TonyThompson
 * port[s] typo in jail.conf/nginx-http-auth gh-913. Thanks Frederik Wagner (fnerdwq)
diff --git a/THANKS b/THANKS
index 5482b21d..5ae86a3c 100644
--- a/THANKS
+++ b/THANKS
@@ -6,6 +6,7 @@ the project. If you have been left off, please let us know (preferably send a
 pull request on github with the "fix") and you will be added
 
 
+Aaron Brice
 Adam Tkac
 Adrien Clerc
 ache
diff --git a/config/action.d/ufw.conf b/config/action.d/ufw.conf
index 04b8b32c..d2f731f2 100644
--- a/config/action.d/ufw.conf
+++ b/config/action.d/ufw.conf
@@ -13,9 +13,11 @@ actionstop =
 
 actioncheck =
 
-actionban = [ -n "" ] && app="app " ; ufw insert from to $app
+actionban = [ -n "" ] && app="app "
+ ufw insert from to $app
 
-actionunban = [ -n "" ] && app="app " ; ufw delete from to $app
+actionunban = [ -n "" ] && app="app "
+ ufw delete from to $app
 
 [Init]
 # Option: insertpos

From c0e1333fe6c0e9b3632bc9c13137f90b48817e52 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Tue, 28 Apr 2015 23:51:00 -0400
Subject: [PATCH 3/4] BF: if no /dev/log on Linux -- don't expect setting syslog to work

---
 fail2ban/tests/servertestcase.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py
index b851c54b..fd43bd24 100644
--- a/fail2ban/tests/servertestcase.py
+++ b/fail2ban/tests/servertestcase.py
@@ -802,7 +802,7 @@ class TransmitterLogging(TransmitterBase):
 outValue=Exception('Failed to change log target'),
 repr_=True # Exceptions are not comparable apparently
 )
-}[platform.system() in ('Linux',)]
+}[platform.system() in ('Linux',) and os.path.exists('/dev/log')]
 )
 
 def testLogLevel(self):

From acc4c2d10409b061474b94933162a2adaad322c7 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Tue, 28 Apr 2015 23:52:48 -0400
Subject: [PATCH 4/4] Hope for release tomorrow

---
 ChangeLog | 2 +-
 README.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index e122e62d..8a81399b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,7 +6,7 @@ Fail2Ban: Changelog
 ===================
 
 
-ver. 0.9.2 (2015/04/26) - better-quick-now-than-later
+ver. 0.9.2 (2015/04/29) - better-quick-now-than-later
 ----------
 
 - Fixes:
diff --git a/README.md b/README.md
index d45c58d9..92dedd8c 100644
--- a/README.md
+++ b/README.md
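Review bot: The two-line `actionban`/`actionunban` form works only because fail2ban presumably hands the whole multi-line value to a single shell and reports the status of the last command, so a false `[ -n "" ]` on the first line no longer becomes the action's result; nothing in ufw.conf records this, and re-joining the lines with `;` — exactly the form being removed — would bring back the `returned 1` failure quoted in the commit message. A comment above `actionban` would pin the reason down: `# keep the application test on its own line: joined with ";" an empty application makes the test's non-zero status the action's exit status`, with the same note, or a pointer to it, above `actionunban`. As far as the surrounding lines show, `$app` is left unquoted on purpose so that `app OpenSSH` splits into two ufw arguments; a short comment saying so would stop a later "quote all variables" cleanup from breaking the application form.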
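Review bot: `os.path.exists('/dev/log')` in servertestcase.py is true for any filesystem entry of that name, not only the Unix-domain socket syslog listens on; `stat.S_ISSOCK(os.stat('/dev/log').st_mode)` would be the precise test, though for choosing the expected outcome of a test the existence check is probably adequate. The combined predicate now sits inside a dict subscript inside a call, which is hard to scan; binding it first, `has_syslog = platform.system() in ('Linux',) and os.path.exists('/dev/log')` and indexing with `}[has_syslog]`, would make the intent readable and give the choice a name. This assumes `os` is already imported in servertestcase.py — the hunk does not show the import block. The enclosing test method starts and ends outside the hunk.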
@@ -2,7 +2,7 @@
 / _|__ _(_) |_ ) |__ __ _ _ _
 | _/ _` | | |/ /| '_ \/ _` | ' \
 |_| \__,_|_|_/___|_.__/\__,_|_||_|
- v0.9.2 2015/04/26
+ v0.9.2 2015/04/29
 
 ## Fail2Ban: ban hosts that cause multiple authentication errors