* Added Suggests on mailx and relevant comments in README.Debian about

invoking mail actions (closes: #396668) * Removed obsolete entries in TODO and README * README.Debian describes a bit issue of interpolations vs parameters passed from jail.{conf,local} into an action or a filter definition (closes: #398739) * Initial version of postfix filter (closes: #377711)
2006-12-07 04:07:59 +00:00 · 2006-12-07 04:07:59 +00:00 · 3a738497f8
parent ff491e48fa
commit 3a738497f8
4 changed files with 92 additions and 27 deletions
--- a/debian/README.Debian
+++ b/debian/README.Debian
@ -36,8 +36,47 @@ enabled = true
 NOTE: -e command line parameter is non existant in 0.7.x
-* Multiport banning:
+* Interpolations vs actions/filters parameters:
-Comment for the wishlist #373592.
+For details see #398739.
 Summary: every pair of .conf and then .local (if exists) files read
 separately from the others, so interpolations cannot penetrate from
 (for instance) jail.* into actions.d/iptables.conf. To overcome this,
 you are welcome to create/use any parameter which can be substituted
 in actions/filters [Definition] section, whenever it is also defined
 in the [Init] section of that file and used in place of necessary
 placement as <parameter>. Parameters can be specified in the
 definitions within jail.{conf,local}. For instance 1 lengthy example,
 where fwchain is both used as interpolation (in jail.local) and
 parameter (in iptables-flex.local).
 ==> /etc/fail2ban/jail.local <==
 [DEFAULT]
 action = iptables-flex[name=%(__name__)s, port=%(port)s, fwchain=%(fwchain)s, post_start_commands=%(post_start_commands)s, pre_end_commands=%(pre_end_commands)s]
 fwchain = INPUT
 [ssh]
 fwchain = ssh-tarpit
 ==> /etc/fail2ban/action.d/iptables-flex.local <==
 [Definition]
 actionstart = iptables -N fail2ban-<name>
               iptables -I <fwchain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
               iptables -I <fwchain> -j <whitelist>
 actionstop  = iptables -D <fwchain> -j <whitelist>
               iptables -D <fwchain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
               iptables -F fail2ban-<name>
               iptables -X fail2ban-<name>
 actioncheck = iptables -L <fwchain> | grep -q fail2ban-<name>
 actionban   = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
 [Init]
 whitelist = ssh-whitelist
 fwchain = INPUT
 name = default
 port = ssh
 protocol = tcp
 * Multiport banning: Comment for the wishlist #373592.
 Default iptables rules for banning use --dport statement which allows to
 ban just a single port. For multiport banning you would need to adjust iptables
@ -69,16 +108,14 @@ Troubleshooting:
 To resolve the security bug #330827 [1] failregex expressions must
 provide a named group (?P<host>...) as a placeholder of the abuser's
-host. The naming of the group was introduced to capture possible
+host. Alternative tag (since 0.7.5) can be "<HOST>". The naming of the
-future generalizations of failregex to provide even more
+group was introduced to capture possible future generalizations of
-information. At a current point, all named groups are considered as
+failregex to provide even more information.
 possible locations of the host addresses, but usually you should need
 just a single group (?P<host>...)
 [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330827
-You might benefit from using fail2ban-regex to construct and debug
+You might benefit from using fail2ban-regex command shipped along to
-your failregex statements.
+construct and debug your failregex statements.
 * "Interpolations" in the config file:
@ -89,21 +126,17 @@ might benefit from updating config file and adding appropriate
 information for the new sections.
 N.B. If you have some nice additional sections defined, I would really
-appreciate if you share them with me, so they could be eventually
+appreciate if you share them with me or upstream author, so they could
-included in the fail2ban package for general use by the rest of the
+be eventually included in the fail2ban package for general use by the
-community.
+rest of the community.
 * Mailing:
-As it was reported (bug #329722) you might need to provide a full
+Since actions.d/mail*.conf commands rely on presence of "mail"
-e-mail address in fail2ban.conf option MAIL:from to make your mail
+command, mailx package (or another package providing mailx
-server accept that email. I've added @localhost to both MAIL:from and
+functionality such as mailutils) is required if those actions are
-MAIL:to in the default configuration shipped with Debian. It seems to
+activated in jail.{conf,local}.
 work nicely now
 See TODO.Debian for more details, as well as the Debian Bug Tracking
 system.
 * Dirty exit:
@ -145,4 +178,25 @@ had enough of failed logins within "findtime" will be banned for
 "bantime" since [re]start moment, not since the last failed login
 time.
- -- Yaroslav O. Halchenko <debian@onerussian.com>, Fri, 10 Nov 2006 18:19:48 -0500
+
 * Syslog entries can be 'forged' by a regular user
 From
 http://fail2ban.sourceforge.net/wiki/index.php/FAQ_english#What_do_I_have_to_consider_when_using_Fail2ban
 Especially on systems wich provide ssh/CGI/PHP services to unknown
 users it is possible to block other users from ssh and probably other
 access as a unprivileged user may issue:
 logger -p auth.warning -t 'sshd[123]' 'Illegal user user1 from 1.2.3.4'
 N.B. chmod o-x /usr/bin/logger should provide at least obfuscation
 solution
 Or the malicious user may write via PHP's openlog()/syslog() to syslog.
 P.S. Anyone is welcome to recommend proper security solution to this
 issue, such as an alternative to sysklogd which allows better control
 over users logging to specific facilities (such as AUTH)
 -- Yaroslav O. Halchenko <debian@onerussian.com>, Wed,  6 Dec 2006 22:56:20 -0500
--- a/debian/TODO
+++ b/debian/TODO
@ -1,7 +1,6 @@
 * Collect more sections for other log files
-* Compose a filter for logwatch (almost done -- testing, submission)
+* Find proper answer to "Syslog entries can be 'forged' by a regular
-* In the next release split file configuration will be implemented,
+   user" mentioned in README.Debian
-   that is why no split files is enabled for current release 
+
-   (as of v0.6.1   Sun Mar 19 00:18:08 EST 2006)
+ -- Yaroslav O. Halchenko <debian@onerussian.com>  Wed,  6 Dec 2006 22:14:26 -0500
 -- Yaroslav O. Halchenko <debian@onerussian.com>, Sun Jan 15 15:18:13 2006
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,15 @@
 fail2ban (0.7.4-5) unstable; urgency=low
  * Added Suggests on mailx and relevant comments in README.Debian about
    invoking mail actions (closes: #396668)
  * Removed obsolete entries in TODO and README
  * README.Debian describes a bit issue of interpolations vs parameters
    passed from jail.{conf,local} into an action or a filter definition
    (closes: #398739)
  * Initial version of postfix filter (closes: #377711)
 -- Yaroslav O. Halchenko <debian@onerussian.com>  Wed,  6 Dec 2006 22:14:26 -0500
 fail2ban (0.7.4-4) unstable; urgency=low
  * Added debian/backports to contain patches necessary for backporting. It
--- a/debian/control
+++ b/debian/control
@ -11,7 +11,7 @@ Standards-Version: 3.7.2
 Package: fail2ban
 Architecture: all
 Depends: ${python:Depends}, iptables, lsb-base (>=2.0-7)
-Suggests: python-gamin
+Suggests: python-gamin, mailx
 XB-Python-Version: ${python:Versions}
 Description: bans IPs that cause multiple authentication errors
 Monitors log files (e.g. /var/log/auth.log,