From 3ba540eca3a2274c0ef05389367e4e15f1fe706f Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Mon, 22 Apr 2013 22:23:23 -0400 Subject: [PATCH] ENH+BF: use %(__name__) by default for filter, defined enabled = false by DEFAULT Now jail.conf is really neat. BF: tests --- config/jail.conf | 108 +++++++------------------ fail2ban/tests/clientreadertestcase.py | 6 +- 2 files changed, 33 insertions(+), 81 deletions(-) diff --git a/config/jail.conf b/config/jail.conf index 651ac3b3..7a869b67 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -12,7 +12,7 @@ # [DEFAULT] # bantime = 3600 # -# [ssh-iptables] +# [sshd] # enabled = true # # See jail.conf(5) man page for more information @@ -71,22 +71,30 @@ usedns = warn # auto: will use the system locale setting logencoding = auto +# "enabled" enables the jails. +# By default all jails are disabled, and it should stay this way. +# Enable only relevant to your setup jails in your .local or jail.d/*.conf +# +# Allowed values: true, false +enabled = false + + +# "filter" defines the filter to use by the jail. +# By default jails have names matching their filter name +# +filter = %(__name__)s + # # ACTIONS # -# +# Some options used for actions + # Destination email address used solely for the interpolations in # jail.{conf,local} configuration files. destemail = root@localhost -# Default banning action (e.g. iptables, iptables-new, -# iptables-multiport, shorewall, etc) It is used to define -# action_* variables. Can be overridden globally or per -# section within jail.local file -banaction = iptables-multiport - # E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the # mailing. Change mta configuration parameter to mail if you want to # revert to conventional 'mail'. 
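Review bot: The comment above the new `filter = %(__name__)s` in the second hunk says "By default jails have names matching their filter name", but the rule a user actually needs is the converse: a jail whose name is not itself a filter name must still set `filter` explicitly, as [dropbear] does with `filter = sshd` later in this patch. Suggest extending the comment with `# Jails whose name differs from the filter they use (e.g. [dropbear] -> sshd) must set filter explicitly.` The `enabled` comment reads awkwardly as written; `# Enable only the jails relevant to your setup, in jail.local or jail.d/*.conf` says the same thing more plainly. Both settings are presumably added inside [DEFAULT] (the section header itself is outside the hunk), so the comment should say so to make the fallback obvious to someone reading a single jail section.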
@@ -101,17 +109,23 @@ chain = INPUT # # Action shortcuts. To be used to define action parameter +# Default banning action (e.g. iptables, iptables-new, +# iptables-multiport, shorewall, etc) It is used to define +# action_* variables. Can be overridden globally or per +# section within jail.local file +banaction = iptables-multiport + # The simplest action to take: ban only action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report to the destemail. action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] + %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report and relevant log lines # to the destemail. action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] + %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] # Choose default action. To change, just override value of 'action' with the # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local @@ -129,23 +143,18 @@ action = %(action_)s [sshd] -enabled = true -port = ssh -filter = sshd -logpath = /var/log/auth.log - /var/log/sshd.log +port = ssh +logpath = /var/log/auth.log + /var/log/sshd.log [sshd-ddos] -enabled = false -port = ssh -filter = sshd-ddos -logpath = /var/log/auth.log - /var/log/sshd.log +port = ssh +logpath = /var/log/auth.log + /var/log/sshd.log [dropbear] -enabled = false port = ssh filter = sshd logpath = /var/log/dropbear 
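Review bot: Removing `enabled = true` from [sshd] in the second hunk, together with the new `enabled = false` in DEFAULT, means the shipped configuration no longer enables any jail, whereas before this patch the sshd jail was active out of the box. That is the safer default, but it is a behaviour change for anyone relying on the stock file for SSH protection, and neither the commit message nor the file's header comment mentions it. Suggest saying it next to the header's enable example: `# No jail is enabled by default; enable the ones you need in jail.local (see the example above).` The `action_mw`/`action_mwl` continuation lines in the first hunk appear to change only in leading whitespace; a word about that in the commit message would spare the next reader from diffing them by eye.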
@@ -156,9 +165,7 @@ logpath = /var/log/dropbear [pam-generic] -enabled = false # pam-generic filter can be customized to monitor specific subset of 'tty's -filter = pam-generic banaction = iptables-allports # port actually must be irrelevant but lets leave it all for some possible uses port = anyport @@ -166,8 +173,6 @@ logpath = /var/log/auth.log [xinetd-fail] -enabled = false -filter = xinetd-fail port = all banaction = iptables-multiport-log logpath = /var/log/daemon.log @@ -180,7 +185,6 @@ maxretry = 2 [sshd-tcpwrapper] -enabled = false filter = sshd action = hostsdeny sendmail-whois[name=SSH, dest=you@example.com] @@ -192,7 +196,6 @@ logpath = /var/log/sshd.log [sshd-route] -enabled = false filter = sshd action = route logpath = /var/log/sshd.log @@ -204,14 +207,12 @@ logpath = /var/log/sshd.log # requires the ipset package and kernel support. [sshd-iptables-ipset4] -enabled = false filter = sshd action = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp] logpath = /var/log/sshd.log [sshd-iptables-ipset6] -enabled = false filter = sshd action = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600] logpath = /var/log/sshd.log @@ -223,7 +224,6 @@ logpath = /var/log/sshd.log [sshd-ipfw] -enabled = false filter = sshd action = ipfw[localhost=192.168.0.1] sendmail-whois[name="SSH,IPFW", dest=you@example.com] @@ -237,9 +237,7 @@ ignoreip = 168.192.0.1 [apache-auth] -enabled = false port = http,https -filter = apache-auth logpath = /var/log/apache*/*error.log # Ban hosts which agent identifies spammer robots crawling the web @@ -247,9 +245,7 @@ logpath = /var/log/apache*/*error.log [apache-badbots] -enabled = false port = http,https -filter = apache-badbots logpath = /var/log/apache*/*access.log /var/www/*/logs/access_log bantime = 172800 
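Review bot: In the [pam-generic] hunk the comment `# pam-generic filter can be customized to monitor specific subset of 'tty's` now sits directly above `banaction = iptables-allports`, because the `filter = pam-generic` line it described was removed, so it reads as though it explains the ban action. Either move the comment up under the section header or reword it so it stands alone, e.g. `# the pam-generic filter (selected via DEFAULT) can be customized to monitor a specific subset of 'tty's`. The same dangling-comment check applies to the [sasl] hunk later in this patch, where the filter line removed sits just above a comment about mail.warn, though there the comment refers to logpath and still reads correctly.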
@@ -257,17 +253,13 @@ maxretry = 1 [apache-noscript] -enabled = false port = http,https -filter = apache-noscript logpath = /var/log/apache*/*error.log maxretry = 6 [apache-overflows] -enabled = false port = http,https -filter = apache-overflows logpath = /var/log/apache*/*error.log maxretry = 2 @@ -277,9 +269,7 @@ maxretry = 2 [php-url-fopen] -enabled = false port = http,https -filter = php-url-fopen logpath = /var/www/*/logs/access_log # A simple PHP-fastcgi jail which works with lighttpd. @@ -290,9 +280,7 @@ logpath = /var/www/*/logs/access_log [lighttpd-fastcgi] -enabled = false port = http,https -filter = lighttpd-fastcgi logpath = /var/log/lighttpd/error.log # Same as above for mod_auth @@ -300,22 +288,16 @@ logpath = /var/log/lighttpd/error.log [lighttpd-auth] -enabled = false port = http,https -filter = lighttpd-auth logpath = /var/log/lighttpd/error.log [roundcube-auth] -enabled = false port = http,https -filter = roundcube-auth logpath = /var/log/roundcube/userlogins [sogo-auth] -enabled = false -filter = sogo-auth port = http,https # without proxy this would be: # port = 20000 @@ -325,7 +307,6 @@ logpath = /var/log/sogo/sogo.log [apache-tcpwrapper] -enabled = false filter = apache-auth action = hostsdeny logpath = /var/log/apache*/*error.log @@ -339,24 +320,18 @@ maxretry = 6 [proftpd] -enabled = false port = ftp,ftp-data,ftps,ftps-data -filter = proftpd logpath = /var/log/proftpd/proftpd.log [pure-ftpd] -enabled = false port = ftp,ftp-data,ftps,ftps-data -filter = pure-ftpd logpath = /var/log/auth.log maxretry = 6 [vsftpd] -enabled = false port = ftp,ftp-data,ftps,ftps-data -filter = vsftpd logpath = /var/log/vsftpd.log # or overwrite it in jails.local to be # logpath = /var/log/auth.log @@ -368,7 +343,6 @@ logpath = /var/log/vsftpd.log [vsftpd-notification] -enabled = false filter = vsftpd action = sendmail-whois[name=VSFTPD, dest=you@example.com] logpath = /var/log/vsftpd.log 
@@ -378,9 +352,7 @@ bantime = 1800 [wuftpd] -enabled = false port = ftp,ftp-data,ftps,ftps-data -filter = wuftpd logpath = /var/log/syslog maxretry = 6 @@ -390,16 +362,12 @@ maxretry = 6 [couriersmtp] -enabled = false port = smtp,ssmtp -filter = couriersmtp logpath = /var/log/mail.log [postfix] -enabled = false port = smtp,ssmtp -filter = postfix logpath = /var/log/mail.log # The hosts.deny path can be defined with the "file" argument if it is @@ -407,7 +375,6 @@ logpath = /var/log/mail.log [postfix-tcpwrapper] -enabled = false filter = postfix action = hostsdeny[file=/not/a/standard/path/hosts.deny] sendmail[name=Postfix, dest=you@example.com] @@ -421,7 +388,6 @@ bantime = 300 [courierauth] -enabled = false port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s filter = courierlogin logpath = /var/log/mail.log @@ -429,9 +395,7 @@ logpath = /var/log/mail.log [sasl] -enabled = false port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s -filter = sasl # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. @@ -439,9 +403,7 @@ logpath = /var/log/mail.log [dovecot] -enabled = false port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s -filter = dovecot logpath = /var/log/mail.log # @@ -475,7 +437,6 @@ logpath = /var/log/mail.log # # [named-refused-udp] # -# enabled = false # filter = named-refused # port = domain,953 # protocol = udp @@ -486,7 +447,6 @@ logpath = /var/log/mail.log [named-refused] -enabled = false filter = named-refused port = domain,953 logpath = /var/log/named/security.log @@ -500,7 +460,6 @@ ignoreip = 168.192.0.1 # see https://github.com/fail2ban/fail2ban/issues/37 [asterisk-tcp] -enabled = false filter = asterisk port = 5060,5061 protocol = tcp @@ -509,7 +468,6 @@ maxretry = 10 [asterisk-udp] -enabled = false filter = asterisk port = 5060,5061 protocol = udp 
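Review bot: The [named-refused] hunk keeps `filter = named-refused` even though the jail name now supplies exactly that value through the DEFAULT `filter = %(__name__)s`, while every other jail in this line with a matching name ([wuftpd], [couriersmtp], [postfix], [sasl], [dovecot]) has the line dropped. It is harmless, but it contradicts the commit's stated goal; either drop it or add a short comment that keeping it is deliberate. The commented-out [named-refused-udp] example correctly retains its `# filter = named-refused`, since that jail name differs from the filter.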
@@ -521,15 +479,11 @@ maxretry = 10 # log-warning = 2 [mysqld-auth] -enabled = false -filter = mysqld-auth port = 3306 logpath = /var/log/mysqld.log [guacamole] -enabled = false -filter = guacamole port = http,https logpath = /var/log/tomcat*/catalina.out @@ -540,8 +494,6 @@ logpath = /var/log/tomcat*/catalina.out # an infinite loop constantly feeding itself with non-informative lines [recidive] -enabled = false -filter = recidive logpath = /var/log/fail2ban.log action = iptables-allports[name=recidive] sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log] diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py index e55420d8..f049c208 100644 --- a/fail2ban/tests/clientreadertestcase.py +++ b/fail2ban/tests/clientreadertestcase.py @@ -112,11 +112,11 @@ class JailReaderTest(unittest.TestCase): self.assertRaises(ValueError, jail.read) def testStockSSHJail(self): - jail = JailReader('ssh-iptables', basedir=CONFIG_DIR) # we are running tests from root project dir atm + jail = JailReader('sshd', basedir=CONFIG_DIR) # we are running tests from root project dir atm self.assertTrue(jail.read()) self.assertTrue(jail.getOptions()) self.assertFalse(jail.isEnabled()) - self.assertEqual(jail.getName(), 'ssh-iptables') + self.assertEqual(jail.getName(), 'sshd') def testSplitOption(self): action = "mail-whois[name=SSH]" @@ -195,7 +195,7 @@ class JailsReaderTest(unittest.TestCase): self.assertTrue(len(comm_commands)) # and we know even some of them by heart - for j in ['ssh-iptables', 'recidive']: + for j in ['sshd', 'recidive']: # by default we have 'auto' backend ATM self.assertTrue(['add', j, 'auto'] in comm_commands) # and warn on useDNS
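Review bot: The updated testStockSSHJail still only asserts that `jail.isEnabled()` is false, which after this patch is satisfied by the DEFAULT fallback rather than by anything in the [sshd] section, so the new `filter = %(__name__)s` interpolation is not exercised by any test in this hunk. If JailReader exposes the resolved filter name through `getOptions()` (I cannot tell from this hunk), an assertion that it equals `'sshd'` would pin the new default. Likewise the JailsReaderTest loop over `['sshd', 'recidive']` could additionally assert that no stock jail reports enabled, which is the property the commit message advertises and the one most likely to regress silently when a jail section is edited. The enclosing test methods start outside the hunk, so the exact attribute names to check are not visible here.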