ENH+BF: use %(__name__) by default for filter, defined enabled = false by DEFAULT

Now jail.conf is really neat.

BF: tests
pull/185/head
Yaroslav Halchenko 2013-04-22 22:23:23 -04:00
parent 8a0ac30bd9
commit 3ba540eca3
2 changed files with 33 additions and 81 deletions


@ -12,7 +12,7 @@
# [DEFAULT] # [DEFAULT]
# bantime = 3600 # bantime = 3600
# #
# [ssh-iptables] # [sshd]
# enabled = true # enabled = true
# #
# See jail.conf(5) man page for more information # See jail.conf(5) man page for more information
@ -71,22 +71,30 @@ usedns = warn
# auto: will use the system locale setting # auto: will use the system locale setting
logencoding = auto logencoding = auto
# "enabled" enables the jails.
# By default all jails are disabled, and it should stay this way.
# Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# Allowed values: true, false
enabled = false
# "filter" defines the filter to use by the jail.
# By default jails have names matching their filter name
#
filter = %(__name__)s
# #
# ACTIONS # ACTIONS
# #
# # Some options used for actions
# Destination email address used solely for the interpolations in # Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files. # jail.{conf,local} configuration files.
destemail = root@localhost destemail = root@localhost
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the # E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to # mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'. # revert to conventional 'mail'.
@ -101,17 +109,23 @@ chain = INPUT
# #
# Action shortcuts. To be used to define action parameter # Action shortcuts. To be used to define action parameter
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
# The simplest action to take: ban only # The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail. # ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines # ban & send an e-mail with whois report and relevant log lines
# to the destemail. # to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# Choose default action. To change, just override value of 'action' with the # Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
@ -129,23 +143,18 @@ action = %(action_)s
[sshd] [sshd]
enabled = true port = ssh
port = ssh logpath = /var/log/auth.log
filter = sshd /var/log/sshd.log
logpath = /var/log/auth.log
/var/log/sshd.log
[sshd-ddos] [sshd-ddos]
enabled = false port = ssh
port = ssh logpath = /var/log/auth.log
filter = sshd-ddos /var/log/sshd.log
logpath = /var/log/auth.log
/var/log/sshd.log
[dropbear] [dropbear]
enabled = false
port = ssh port = ssh
filter = sshd filter = sshd
logpath = /var/log/dropbear logpath = /var/log/dropbear
@ -156,9 +165,7 @@ logpath = /var/log/dropbear
[pam-generic] [pam-generic]
enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's # pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
banaction = iptables-allports banaction = iptables-allports
# port actually must be irrelevant but lets leave it all for some possible uses # port actually must be irrelevant but lets leave it all for some possible uses
port = anyport port = anyport
@ -166,8 +173,6 @@ logpath = /var/log/auth.log
[xinetd-fail] [xinetd-fail]
enabled = false
filter = xinetd-fail
port = all port = all
banaction = iptables-multiport-log banaction = iptables-multiport-log
logpath = /var/log/daemon.log logpath = /var/log/daemon.log
@ -180,7 +185,6 @@ maxretry = 2
[sshd-tcpwrapper] [sshd-tcpwrapper]
enabled = false
filter = sshd filter = sshd
action = hostsdeny action = hostsdeny
sendmail-whois[name=SSH, dest=you@example.com] sendmail-whois[name=SSH, dest=you@example.com]
@ -192,7 +196,6 @@ logpath = /var/log/sshd.log
[sshd-route] [sshd-route]
enabled = false
filter = sshd filter = sshd
action = route action = route
logpath = /var/log/sshd.log logpath = /var/log/sshd.log
@ -204,14 +207,12 @@ logpath = /var/log/sshd.log
# requires the ipset package and kernel support. # requires the ipset package and kernel support.
[sshd-iptables-ipset4] [sshd-iptables-ipset4]
enabled = false
filter = sshd filter = sshd
action = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp] action = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/sshd.log logpath = /var/log/sshd.log
[sshd-iptables-ipset6] [sshd-iptables-ipset6]
enabled = false
filter = sshd filter = sshd
action = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600] action = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
logpath = /var/log/sshd.log logpath = /var/log/sshd.log
@ -223,7 +224,6 @@ logpath = /var/log/sshd.log
[sshd-ipfw] [sshd-ipfw]
enabled = false
filter = sshd filter = sshd
action = ipfw[localhost=192.168.0.1] action = ipfw[localhost=192.168.0.1]
sendmail-whois[name="SSH,IPFW", dest=you@example.com] sendmail-whois[name="SSH,IPFW", dest=you@example.com]
@ -237,9 +237,7 @@ ignoreip = 168.192.0.1
[apache-auth] [apache-auth]
enabled = false
port = http,https port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log logpath = /var/log/apache*/*error.log
# Ban hosts which agent identifies spammer robots crawling the web # Ban hosts which agent identifies spammer robots crawling the web
@ -247,9 +245,7 @@ logpath = /var/log/apache*/*error.log
[apache-badbots] [apache-badbots]
enabled = false
port = http,https port = http,https
filter = apache-badbots
logpath = /var/log/apache*/*access.log logpath = /var/log/apache*/*access.log
/var/www/*/logs/access_log /var/www/*/logs/access_log
bantime = 172800 bantime = 172800
@ -257,17 +253,13 @@ maxretry = 1
[apache-noscript] [apache-noscript]
enabled = false
port = http,https port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log logpath = /var/log/apache*/*error.log
maxretry = 6 maxretry = 6
[apache-overflows] [apache-overflows]
enabled = false
port = http,https port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log logpath = /var/log/apache*/*error.log
maxretry = 2 maxretry = 2
@ -277,9 +269,7 @@ maxretry = 2
[php-url-fopen] [php-url-fopen]
enabled = false
port = http,https port = http,https
filter = php-url-fopen
logpath = /var/www/*/logs/access_log logpath = /var/www/*/logs/access_log
# A simple PHP-fastcgi jail which works with lighttpd. # A simple PHP-fastcgi jail which works with lighttpd.
@ -290,9 +280,7 @@ logpath = /var/www/*/logs/access_log
[lighttpd-fastcgi] [lighttpd-fastcgi]
enabled = false
port = http,https port = http,https
filter = lighttpd-fastcgi
logpath = /var/log/lighttpd/error.log logpath = /var/log/lighttpd/error.log
# Same as above for mod_auth # Same as above for mod_auth
@ -300,22 +288,16 @@ logpath = /var/log/lighttpd/error.log
[lighttpd-auth] [lighttpd-auth]
enabled = false
port = http,https port = http,https
filter = lighttpd-auth
logpath = /var/log/lighttpd/error.log logpath = /var/log/lighttpd/error.log
[roundcube-auth] [roundcube-auth]
enabled = false
port = http,https port = http,https
filter = roundcube-auth
logpath = /var/log/roundcube/userlogins logpath = /var/log/roundcube/userlogins
[sogo-auth] [sogo-auth]
enabled = false
filter = sogo-auth
port = http,https port = http,https
# without proxy this would be: # without proxy this would be:
# port = 20000 # port = 20000
@ -325,7 +307,6 @@ logpath = /var/log/sogo/sogo.log
[apache-tcpwrapper] [apache-tcpwrapper]
enabled = false
filter = apache-auth filter = apache-auth
action = hostsdeny action = hostsdeny
logpath = /var/log/apache*/*error.log logpath = /var/log/apache*/*error.log
@ -339,24 +320,18 @@ maxretry = 6
[proftpd] [proftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log logpath = /var/log/proftpd/proftpd.log
[pure-ftpd] [pure-ftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data port = ftp,ftp-data,ftps,ftps-data
filter = pure-ftpd
logpath = /var/log/auth.log logpath = /var/log/auth.log
maxretry = 6 maxretry = 6
[vsftpd] [vsftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log logpath = /var/log/vsftpd.log
# or overwrite it in jails.local to be # or overwrite it in jails.local to be
# logpath = /var/log/auth.log # logpath = /var/log/auth.log
@ -368,7 +343,6 @@ logpath = /var/log/vsftpd.log
[vsftpd-notification] [vsftpd-notification]
enabled = false
filter = vsftpd filter = vsftpd
action = sendmail-whois[name=VSFTPD, dest=you@example.com] action = sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath = /var/log/vsftpd.log logpath = /var/log/vsftpd.log
@ -378,9 +352,7 @@ bantime = 1800
[wuftpd] [wuftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data port = ftp,ftp-data,ftps,ftps-data
filter = wuftpd
logpath = /var/log/syslog logpath = /var/log/syslog
maxretry = 6 maxretry = 6
@ -390,16 +362,12 @@ maxretry = 6
[couriersmtp] [couriersmtp]
enabled = false
port = smtp,ssmtp port = smtp,ssmtp
filter = couriersmtp
logpath = /var/log/mail.log logpath = /var/log/mail.log
[postfix] [postfix]
enabled = false
port = smtp,ssmtp port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log logpath = /var/log/mail.log
# The hosts.deny path can be defined with the "file" argument if it is # The hosts.deny path can be defined with the "file" argument if it is
@ -407,7 +375,6 @@ logpath = /var/log/mail.log
[postfix-tcpwrapper] [postfix-tcpwrapper]
enabled = false
filter = postfix filter = postfix
action = hostsdeny[file=/not/a/standard/path/hosts.deny] action = hostsdeny[file=/not/a/standard/path/hosts.deny]
sendmail[name=Postfix, dest=you@example.com] sendmail[name=Postfix, dest=you@example.com]
@ -421,7 +388,6 @@ bantime = 300
[courierauth] [courierauth]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin filter = courierlogin
logpath = /var/log/mail.log logpath = /var/log/mail.log
@ -429,9 +395,7 @@ logpath = /var/log/mail.log
[sasl] [sasl]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
# You might consider monitoring /var/log/mail.warn instead if you are # You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the # running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize. # "warn" level but overall at the smaller filesize.
@ -439,9 +403,7 @@ logpath = /var/log/mail.log
[dovecot] [dovecot]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log logpath = /var/log/mail.log
# #
@ -475,7 +437,6 @@ logpath = /var/log/mail.log
# #
# [named-refused-udp] # [named-refused-udp]
# #
# enabled = false
# filter = named-refused # filter = named-refused
# port = domain,953 # port = domain,953
# protocol = udp # protocol = udp
@ -486,7 +447,6 @@ logpath = /var/log/mail.log
[named-refused] [named-refused]
enabled = false
filter = named-refused filter = named-refused
port = domain,953 port = domain,953
logpath = /var/log/named/security.log logpath = /var/log/named/security.log
@ -500,7 +460,6 @@ ignoreip = 168.192.0.1
# see https://github.com/fail2ban/fail2ban/issues/37 # see https://github.com/fail2ban/fail2ban/issues/37
[asterisk-tcp] [asterisk-tcp]
enabled = false
filter = asterisk filter = asterisk
port = 5060,5061 port = 5060,5061
protocol = tcp protocol = tcp
@ -509,7 +468,6 @@ maxretry = 10
[asterisk-udp] [asterisk-udp]
enabled = false
filter = asterisk filter = asterisk
port = 5060,5061 port = 5060,5061
protocol = udp protocol = udp
@ -521,15 +479,11 @@ maxretry = 10
# log-warning = 2 # log-warning = 2
[mysqld-auth] [mysqld-auth]
enabled = false
filter = mysqld-auth
port = 3306 port = 3306
logpath = /var/log/mysqld.log logpath = /var/log/mysqld.log
[guacamole] [guacamole]
enabled = false
filter = guacamole
port = http,https port = http,https
logpath = /var/log/tomcat*/catalina.out logpath = /var/log/tomcat*/catalina.out
@ -540,8 +494,6 @@ logpath = /var/log/tomcat*/catalina.out
# an infinite loop constantly feeding itself with non-informative lines # an infinite loop constantly feeding itself with non-informative lines
[recidive] [recidive]
enabled = false
filter = recidive
logpath = /var/log/fail2ban.log logpath = /var/log/fail2ban.log
action = iptables-allports[name=recidive] action = iptables-allports[name=recidive]
sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log] sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
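Review bot: The new `filter = %(__name__)s` default in the [DEFAULT] hunk (@ -71,22) relies on the implicit `__name__` key that Python 2's ConfigParser injects into every section; Python 3's configparser does not provide that key, so if the jail reader is ever moved to Python 3 this default would fail to interpolate for every jail that does not set `filter` explicitly, which is worth recording next to the key. The comment above `filter` should also state when an override is still required, e.g. `# Jails whose filter name differs from the section name (e.g. [dropbear] using sshd) must still set filter explicitly`. The `enabled` comment reads awkwardly; `# Enable only the jails relevant to your setup in your .local or jail.d/*.conf` is clearer. Inheriting `enabled = false` from [DEFAULT] is the right fail-closed direction, since a jail added in jail.local now only becomes active when the user opts in explicitly.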


@ -112,11 +112,11 @@ class JailReaderTest(unittest.TestCase):
self.assertRaises(ValueError, jail.read) self.assertRaises(ValueError, jail.read)
def testStockSSHJail(self): def testStockSSHJail(self):
jail = JailReader('ssh-iptables', basedir=CONFIG_DIR) # we are running tests from root project dir atm jail = JailReader('sshd', basedir=CONFIG_DIR) # we are running tests from root project dir atm
self.assertTrue(jail.read()) self.assertTrue(jail.read())
self.assertTrue(jail.getOptions()) self.assertTrue(jail.getOptions())
self.assertFalse(jail.isEnabled()) self.assertFalse(jail.isEnabled())
self.assertEqual(jail.getName(), 'ssh-iptables') self.assertEqual(jail.getName(), 'sshd')
def testSplitOption(self): def testSplitOption(self):
action = "mail-whois[name=SSH]" action = "mail-whois[name=SSH]"
@ -195,7 +195,7 @@ class JailsReaderTest(unittest.TestCase):
self.assertTrue(len(comm_commands)) self.assertTrue(len(comm_commands))
# and we know even some of them by heart # and we know even some of them by heart
for j in ['ssh-iptables', 'recidive']: for j in ['sshd', 'recidive']:
# by default we have 'auto' backend ATM # by default we have 'auto' backend ATM
self.assertTrue(['add', j, 'auto'] in comm_commands) self.assertTrue(['add', j, 'auto'] in comm_commands)
# and warn on useDNS # and warn on useDNS