ENH+BF: use %(__name__) by default for filter, defined enabled = false by DEFAULT

Now jail.conf is really neat.

BF: tests
pull/185/head
Yaroslav Halchenko 2013-04-22 22:23:23 -04:00
parent 8a0ac30bd9
commit 3ba540eca3
2 changed files with 33 additions and 81 deletions


@ -12,7 +12,7 @@
# [DEFAULT]
# bantime = 3600
#
# [ssh-iptables]
# [sshd]
# enabled = true
#
# See jail.conf(5) man page for more information
@ -71,22 +71,30 @@ usedns = warn
# auto: will use the system locale setting
logencoding = auto
# "enabled" enables the jails.
# By default all jails are disabled, and it should stay this way.
# Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# Allowed values: true, false
enabled = false
# "filter" defines the filter to use by the jail.
# By default jails have names matching their filter name
#
filter = %(__name__)s
#
# ACTIONS
#
#
# Some options used for actions
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
@ -101,17 +109,23 @@ chain = INPUT
#
# Action shortcuts. To be used to define action parameter
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
@ -129,23 +143,18 @@ action = %(action_)s
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
/var/log/sshd.log
port = ssh
logpath = /var/log/auth.log
/var/log/sshd.log
[sshd-ddos]
enabled = false
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
/var/log/sshd.log
port = ssh
logpath = /var/log/auth.log
/var/log/sshd.log
[dropbear]
enabled = false
port = ssh
filter = sshd
logpath = /var/log/dropbear
@ -156,9 +165,7 @@ logpath = /var/log/dropbear
[pam-generic]
enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
banaction = iptables-allports
# port actually must be irrelevant but lets leave it all for some possible uses
port = anyport
@ -166,8 +173,6 @@ logpath = /var/log/auth.log
[xinetd-fail]
enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
@ -180,7 +185,6 @@ maxretry = 2
[sshd-tcpwrapper]
enabled = false
filter = sshd
action = hostsdeny
sendmail-whois[name=SSH, dest=you@example.com]
@ -192,7 +196,6 @@ logpath = /var/log/sshd.log
[sshd-route]
enabled = false
filter = sshd
action = route
logpath = /var/log/sshd.log
@ -204,14 +207,12 @@ logpath = /var/log/sshd.log
# requires the ipset package and kernel support.
[sshd-iptables-ipset4]
enabled = false
filter = sshd
action = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/sshd.log
[sshd-iptables-ipset6]
enabled = false
filter = sshd
action = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
logpath = /var/log/sshd.log
@ -223,7 +224,6 @@ logpath = /var/log/sshd.log
[sshd-ipfw]
enabled = false
filter = sshd
action = ipfw[localhost=192.168.0.1]
sendmail-whois[name="SSH,IPFW", dest=you@example.com]
@ -237,9 +237,7 @@ ignoreip = 168.192.0.1
[apache-auth]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
# Ban hosts which agent identifies spammer robots crawling the web
@ -247,9 +245,7 @@ logpath = /var/log/apache*/*error.log
[apache-badbots]
enabled = false
port = http,https
filter = apache-badbots
logpath = /var/log/apache*/*access.log
/var/www/*/logs/access_log
bantime = 172800
@ -257,17 +253,13 @@ maxretry = 1
[apache-noscript]
enabled = false
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-overflows]
enabled = false
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2
@ -277,9 +269,7 @@ maxretry = 2
[php-url-fopen]
enabled = false
port = http,https
filter = php-url-fopen
logpath = /var/www/*/logs/access_log
# A simple PHP-fastcgi jail which works with lighttpd.
@ -290,9 +280,7 @@ logpath = /var/www/*/logs/access_log
[lighttpd-fastcgi]
enabled = false
port = http,https
filter = lighttpd-fastcgi
logpath = /var/log/lighttpd/error.log
# Same as above for mod_auth
@ -300,22 +288,16 @@ logpath = /var/log/lighttpd/error.log
[lighttpd-auth]
enabled = false
port = http,https
filter = lighttpd-auth
logpath = /var/log/lighttpd/error.log
[roundcube-auth]
enabled = false
port = http,https
filter = roundcube-auth
logpath = /var/log/roundcube/userlogins
[sogo-auth]
enabled = false
filter = sogo-auth
port = http,https
# without proxy this would be:
# port = 20000
@ -325,7 +307,6 @@ logpath = /var/log/sogo/sogo.log
[apache-tcpwrapper]
enabled = false
filter = apache-auth
action = hostsdeny
logpath = /var/log/apache*/*error.log
@ -339,24 +320,18 @@ maxretry = 6
[proftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
[pure-ftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = pure-ftpd
logpath = /var/log/auth.log
maxretry = 6
[vsftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
@ -368,7 +343,6 @@ logpath = /var/log/vsftpd.log
[vsftpd-notification]
enabled = false
filter = vsftpd
action = sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath = /var/log/vsftpd.log
@ -378,9 +352,7 @@ bantime = 1800
[wuftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = wuftpd
logpath = /var/log/syslog
maxretry = 6
@ -390,16 +362,12 @@ maxretry = 6
[couriersmtp]
enabled = false
port = smtp,ssmtp
filter = couriersmtp
logpath = /var/log/mail.log
[postfix]
enabled = false
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
# The hosts.deny path can be defined with the "file" argument if it is
@ -407,7 +375,6 @@ logpath = /var/log/mail.log
[postfix-tcpwrapper]
enabled = false
filter = postfix
action = hostsdeny[file=/not/a/standard/path/hosts.deny]
sendmail[name=Postfix, dest=you@example.com]
@ -421,7 +388,6 @@ bantime = 300
[courierauth]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log
@ -429,9 +395,7 @@ logpath = /var/log/mail.log
[sasl]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
@ -439,9 +403,7 @@ logpath = /var/log/mail.log
[dovecot]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log
#
@ -475,7 +437,6 @@ logpath = /var/log/mail.log
#
# [named-refused-udp]
#
# enabled = false
# filter = named-refused
# port = domain,953
# protocol = udp
@ -486,7 +447,6 @@ logpath = /var/log/mail.log
[named-refused]
enabled = false
filter = named-refused
port = domain,953
logpath = /var/log/named/security.log
@ -500,7 +460,6 @@ ignoreip = 168.192.0.1
# see https://github.com/fail2ban/fail2ban/issues/37
[asterisk-tcp]
enabled = false
filter = asterisk
port = 5060,5061
protocol = tcp
@ -509,7 +468,6 @@ maxretry = 10
[asterisk-udp]
enabled = false
filter = asterisk
port = 5060,5061
protocol = udp
@ -521,15 +479,11 @@ maxretry = 10
# log-warning = 2
[mysqld-auth]
enabled = false
filter = mysqld-auth
port = 3306
logpath = /var/log/mysqld.log
[guacamole]
enabled = false
filter = guacamole
port = http,https
logpath = /var/log/tomcat*/catalina.out
@ -540,8 +494,6 @@ logpath = /var/log/tomcat*/catalina.out
# an infinite loop constantly feeding itself with non-informative lines
[recidive]
enabled = false
filter = recidive
logpath = /var/log/fail2ban.log
action = iptables-allports[name=recidive]
sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
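Review bot: The `[sshd]` section at the start of the `@ -129,23 +143,18 @@` hunk still shows `enabled = true` directly under the header, while the new `[DEFAULT]` comment states that all jails are disabled by default and the updated test asserts `assertFalse(jail.isEnabled())` for `sshd`; the rendered page does not make it certain whether that line was removed or kept, but if it survives on the new side the test fails and the comment is untrue, so it should be dropped (letting `[DEFAULT]` supply `enabled = false`) or the test and comment adjusted. Separately, `filter = %(__name__)s` in `[DEFAULT]` means any jail without an explicit `filter` now requires `filter.d/<jailname>.conf` to exist, which is a silent behavioural change for jails people define in `jail.local` or `jail.d/` under a name that does not match a filter; I would say so next to the default, e.g. `# A jail named X uses filter.d/X.conf unless 'filter' is set explicitly;` / `# set it when the jail name and filter differ (see [dropbear], [sshd-tcpwrapper])`. The jails visible here whose name differs from their filter (`[dropbear]`, the `sshd-*` variants, `[apache-tcpwrapper]`, `[courierauth]`, `[postfix-tcpwrapper]`, `asterisk-*`) appear to keep their explicit `filter =` lines, which is correct, and that invariant is worth a sentence in the `[DEFAULT]` comment since a future cleanup that removes one of them would break the jail at load time.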


@ -112,11 +112,11 @@ class JailReaderTest(unittest.TestCase):
self.assertRaises(ValueError, jail.read)
def testStockSSHJail(self):
jail = JailReader('ssh-iptables', basedir=CONFIG_DIR) # we are running tests from root project dir atm
jail = JailReader('sshd', basedir=CONFIG_DIR) # we are running tests from root project dir atm
self.assertTrue(jail.read())
self.assertTrue(jail.getOptions())
self.assertFalse(jail.isEnabled())
self.assertEqual(jail.getName(), 'ssh-iptables')
self.assertEqual(jail.getName(), 'sshd')
def testSplitOption(self):
action = "mail-whois[name=SSH]"
@ -195,7 +195,7 @@ class JailsReaderTest(unittest.TestCase):
self.assertTrue(len(comm_commands))
# and we know even some of them by heart
for j in ['ssh-iptables', 'recidive']:
for j in ['sshd', 'recidive']:
# by default we have 'auto' backend ATM
self.assertTrue(['add', j, 'auto'] in comm_commands)
# and warn on useDNS