diff --git a/debian/README.Debian b/debian/README.Debian index 2bac1680..072af3cf 100644 --- a/debian/README.Debian +++ b/debian/README.Debian 
@@ -36,8 +36,47 @@ enabled = true NOTE: -e command line parameter is non existant in 0.7.x -* Multiport banning: -Comment for the wishlist #373592. +* Interpolations vs actions/filters parameters: +For details see #398739. + +Summary: every pair of .conf and then .local (if exists) files read +separately from the others, so interpolations cannot penetrate from +(for instance) jail.* into actions.d/iptables.conf. To overcome this, +you are welcome to create/use any parameter which can be substituted +in actions/filters [Definition] section, whenever it is also defined +in the [Init] section of that file and used in place of necessary +placement as . Parameters can be specified in the +definitions within jail.{conf,local}. For instance 1 lengthy example, +where fwchain is both used as interpolation (in jail.local) and +parameter (in iptables-flex.local). + +==> /etc/fail2ban/jail.local <== +[DEFAULT] +action = iptables-flex[name=%(__name__)s, port=%(port)s, fwchain=%(fwchain)s, post_start_commands=%(post_start_commands)s, pre_end_commands=%(pre_end_commands)s] +fwchain = INPUT +[ssh] +fwchain = ssh-tarpit +==> /etc/fail2ban/action.d/iptables-flex.local <== +[Definition] +actionstart = iptables -N fail2ban- + iptables -I -m state --state NEW -p --dport -j fail2ban- + iptables -I -j +actionstop = iptables -D -j + iptables -D -m state --state NEW -p --dport -j fail2ban- + iptables -F fail2ban- + iptables -X fail2ban- +actioncheck = iptables -L | grep -q fail2ban- +actionban = iptables -I fail2ban- 1 -s -j DROP +actionunban = iptables -D fail2ban- -s -j DROP +[Init] +whitelist = ssh-whitelist +fwchain = INPUT +name = default +port = ssh +protocol = tcp + + +* Multiport banning: Comment for the wishlist #373592. Default iptables rules for banning use --dport statement which allows to ban just a single port. For multiport banning you would need to adjust iptables 
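Review bot: the action definition in this hunk has lost its tag placeholders, so the example cannot work as printed: `iptables -N fail2ban-`, `iptables -I -m state --state NEW -p --dport -j fail2ban-` and `actionban = iptables -I fail2ban- 1 -s -j DROP` carry no chain, protocol, port, name or address token after the flags, and the paragraph above has the same hole ("used in place of necessary placement as ."). If the angle-bracket tags (`<name>`, `<fwchain>`, `<protocol>`, `<port>`, `<ip>`) were eaten by the viewer, fine, but check the committed README.Debian still has them, since a reader copying this block into action.d/iptables-flex.local gets rules that insert nothing. Two smaller points on the same block: `actioncheck = iptables -L | grep -q fail2ban-` runs without `-n`, so every check reverse-resolves every address in every chain; `iptables -n -L` restricted to the chain of interest is much cheaper. And the `[ssh]` override `fwchain = ssh-tarpit` presumes that chain already exists, because `actionstart` only creates the `fail2ban-` chain; say so, or the `-I ... -j fail2ban-` insert fails at jail start.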
@@ -69,16 +108,14 @@ Troubleshooting: To resolve the security bug #330827 [1] failregex expressions must provide a named group (?P...) as a placeholder of the abuser's -host. The naming of the group was introduced to capture possible -future generalizations of failregex to provide even more -information. At a current point, all named groups are considered as -possible locations of the host addresses, but usually you should need -just a single group (?P...) +host. Alternative tag (since 0.7.5) can be "". The naming of the +group was introduced to capture possible future generalizations of +failregex to provide even more information. [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330827 -You might benefit from using fail2ban-regex to construct and debug -your failregex statements. +You might benefit from using fail2ban-regex command shipped along to +construct and debug your failregex statements. * "Interpolations" in the config file: 
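Review bot: the regex placeholders are missing from this hunk: `(?P...)` should show the group name (`(?P<host>...)`) and `Alternative tag (since 0.7.5) can be ""` has an empty string where the tag belongs, so a reader cannot tell what to put in failregex. Separately, this upload is 0.7.4-5 (see debian/changelog), so documenting a "since 0.7.5" tag in README.Debian points users of the shipped version at something that will not match; either mark it as not available in this package or hold the sentence until 0.7.5 is packaged. Nit: "fail2ban-regex command shipped along to construct" reads better as "the fail2ban-regex command shipped with the package, to construct".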
@@ -89,21 +126,17 @@ might benefit from updating config file and adding appropriate information for the new sections. N.B. If you have some nice additional sections defined, I would really -appreciate if you share them with me, so they could be eventually -included in the fail2ban package for general use by the rest of the -community. +appreciate if you share them with me or upstream author, so they could +be eventually included in the fail2ban package for general use by the +rest of the community. * Mailing: -As it was reported (bug #329722) you might need to provide a full -e-mail address in fail2ban.conf option MAIL:from to make your mail -server accept that email. I've added @localhost to both MAIL:from and -MAIL:to in the default configuration shipped with Debian. It seems to -work nicely now - -See TODO.Debian for more details, as well as the Debian Bug Tracking -system. +Since actions.d/mail*.conf commands rely on presence of "mail" +command, mailx package (or another package providing mailx +functionality such as mailutils) is required if those actions are +activated in jail.{conf,local}. * Dirty exit: 
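Review bot: `actions.d/mail*.conf` in the new Mailing paragraph does not match the directory used elsewhere in this same README (`/etc/fail2ban/action.d/iptables-flex.local`; the interpolations section also writes `actions.d/iptables.conf`); use `action.d` throughout so users can find the files. The removed `@localhost` sentence was the only place that documented the MAIL:from/MAIL:to default added for bug #329722; if that default no longer applies to the 0.7 mail actions, one line saying so would keep the bug reference from vanishing silently. Dropping "See TODO.Debian for more details" is consistent with the TODO trim in this commit.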
@@ -145,4 +178,25 @@ had enough of failed logins within "findtime" will be banned for "bantime" since [re]start moment, not since the last failed login time. - -- Yaroslav O. Halchenko , Fri, 10 Nov 2006 18:19:48 -0500 + +* Syslog entries can be 'forged' by a regular user + +From +http://fail2ban.sourceforge.net/wiki/index.php/FAQ_english#What_do_I_have_to_consider_when_using_Fail2ban + +Especially on systems wich provide ssh/CGI/PHP services to unknown +users it is possible to block other users from ssh and probably other +access as a unprivileged user may issue: + +logger -p auth.warning -t 'sshd[123]' 'Illegal user user1 from 1.2.3.4' + +N.B. chmod o-x /usr/bin/logger should provide at least obfuscation +solution + +Or the malicious user may write via PHP's openlog()/syslog() to syslog. + +P.S. Anyone is welcome to recommend proper security solution to this +issue, such as an alternative to sysklogd which allows better control +over users logging to specific facilities (such as AUTH) + + -- Yaroslav O. Halchenko , Wed, 6 Dec 2006 22:56:20 -0500 diff --git a/debian/TODO b/debian/TODO index cd9eff97..1dc1e13d 100644 --- a/debian/TODO +++ b/debian/TODO @@ -1,7 +1,6 @@ * Collect more sections for other log files -* Compose a filter for logwatch (almost done -- testing, submission) -* In the next release split file configuration will be implemented, - that is why no split files is enabled for current release - (as of v0.6.1 Sun Mar 19 00:18:08 EST 2006) +* Find proper answer to "Syslog entries can be 'forged' by a regular + user" mentioned in README.Debian + + -- Yaroslav O. Halchenko Wed, 6 Dec 2006 22:14:26 -0500 - -- Yaroslav O. Halchenko , Sun Jan 15 15:18:13 2006 diff --git a/debian/changelog b/debian/changelog index f93580cd..1d858aed 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,15 @@ +fail2ban (0.7.4-5) unstable; urgency=low + + * Added Suggests on mailx and relevant comments in README.Debian about + invoking mail actions (closes: #396668) + * Removed obsolete entries in TODO and README + * README.Debian describes a bit issue of interpolations vs parameters + passed from jail.{conf,local} into an action or a filter definition + (closes: #398739) + * Initial version of postfix filter (closes: #377711) + + -- Yaroslav O. Halchenko Wed, 6 Dec 2006 22:14:26 -0500 + fail2ban (0.7.4-4) unstable; urgency=low * Added debian/backports to contain patches necessary for backporting. It diff --git a/debian/control b/debian/control index 27319430..86dfefbc 100644 --- a/debian/control +++ b/debian/control @@ -11,7 +11,7 @@ Standards-Version: 3.7.2 Package: fail2ban Architecture: all Depends: ${python:Depends}, iptables, lsb-base (>=2.0-7) -Suggests: python-gamin +Suggests: python-gamin, mailx XB-Python-Version: ${python:Versions} Description: bans IPs that cause multiple authentication errors Monitors log files (e.g. /var/log/auth.log,
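Review bot: in the README.Debian "Syslog entries can be 'forged'" hunk, `chmod o-x /usr/bin/logger` is offered as "at least obfuscation", but the following sentence shows it is not even that: PHP's openlog()/syslog(), or any program calling syslog(3) on /dev/log, writes the same forged `sshd[123]` line without touching /usr/bin/logger. State plainly that there is no local-user mitigation at the syslog level with sysklogd and that the exposure is a denial of service against whichever address the attacker names in the forged line. The one control that does bound the damage and is already in jail.{conf,local} is `ignoreip`: addresses listed there are never banned even when a forged line matches, so recommend listing the admin's own networks. Typos in the added text: "wich" -> "which", "as a unprivileged user" -> "as an unprivileged user".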
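Review bot: `Initial version of postfix filter (closes: #377711)` in the changelog hunk is not backed by anything in this diff; no filter.d/postfix.conf or jail.{conf,local} entry is added, so either the filter lands in a separate commit and the entry belongs with it, or the closes is premature. Minor: the README.Debian signature is stamped 22:56:20 while TODO and this changelog say 22:14:26; harmless, but worth lining up on the final edit.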
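Review bot: `Suggests: mailx` in the control hunk is weaker than what the new README text promises ("required if those actions are activated"). With Suggests, a user who enables a mail action gets a failing action at run time rather than a dependency pulled in at install time; if the mail actions stay off by default that is defensible, but consider Recommends, and if mailutils does not Provide mailx on the targeted releases, write `mailx | mailutils` so apt can satisfy it either way, matching the alternative the README names.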