From 82506f0586d5e3365c74dbb3d51d2ab31bede2a0 Mon Sep 17 00:00:00 2001
From: sebres
Date: Mon, 14 Nov 2022 18:51:06 +0100
Subject: [PATCH 1/8] filter.d/selinux-ssh.conf, filter.d/selinux-common.conf: fixes #3405 (new format with GS and additional parameters, e. g. grantors)
---
 config/filter.d/selinux-common.conf | 2 +-
 config/filter.d/selinux-ssh.conf | 4 +++-
 fail2ban/tests/files/logs/selinux-ssh | 3 +++
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/config/filter.d/selinux-common.conf b/config/filter.d/selinux-common.conf
index b3e0ae4f..ad4a77f5 100644
--- a/config/filter.d/selinux-common.conf
+++ b/config/filter.d/selinux-common.conf
@@ -14,7 +14,7 @@
 [Definition]
-failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$
+failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'(?:\x1D|$)
 ignoreregex =
diff --git a/config/filter.d/selinux-ssh.conf b/config/filter.d/selinux-ssh.conf
index 6955094f..e5793c0a 100644
--- a/config/filter.d/selinux-ssh.conf
+++ b/config/filter.d/selinux-ssh.conf
@@ -15,7 +15,9 @@ _subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023
 _exe =/usr/sbin/sshd
 _terminal = ssh
-_msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr= terminal=%(_terminal)s res=failed
+_anygrp = (?!acct=|exe=|addr=|terminal=|res=)\w+=(?:".*"|\S*)
+
+_msg = (?:%(_anygrp)s )*acct=(?:"[^"]+"|\S+) exe="%(_exe)s" (?:%(_anygrp)s )*addr= terminal=%(_terminal)s res=failed
 # DEV Notes:
 #
diff --git a/fail2ban/tests/files/logs/selinux-ssh b/fail2ban/tests/files/logs/selinux-ssh
index f9e1b828..6ba552fe 100644
--- a/fail2ban/tests/files/logs/selinux-ssh
+++ b/fail2ban/tests/files/logs/selinux-ssh
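Review bot: The new `(?:\x1D|$)` terminator on the `failregex` line is opaque without a comment: nothing in the filter says what the 0x1D byte is or why everything after it is deliberately left unvalidated. A comment above `failregex`, e.g. `# a record may be followed by a GS (\x1D) and the extra fields the newer audit log format appends (e. g. UID="root" AUID="unset"); those are not matched`, would document it in place, and the test record added to fail2ban/tests/files/logs/selinux-ssh in this commit is the example to point at. Presumably the `\x1D` is passed through the INI value unchanged and interpreted by the regex engine, which is what makes a raw control byte in the config file unnecessary; worth a word in the same comment.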
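Review bot: `_anygrp` is introduced on the added line without saying what it stands for, and its negative lookahead is the only hint that it covers the fields the filter does not match by name. A one-line comment above it, `# any other "name=value" field (e. g. op=, grantors=, hostname=) that a record may carry before acct= or before addr=`, would make the two `(?:%(_anygrp)s )*` repetitions in `_msg` readable; the new test record shows `op=PAM:authentication grantors=?` in exactly that position. Separately, the quoted branch `".*"` is greedy across quote characters, so a single `_anygrp` can swallow the rest of the line up to its last quote before the engine backtracks through the repetition; a later commit in this series narrows it to `"[^"]+"`.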
@@ -27,3 +27,6 @@ type=USER_AUTH msg=audit(1383116263.000:603): pid=12887 uid=0 auid=4294967295 se
 # failJSON: { "time": "2013-10-30T07:54:08", "match": false , "host": "192.168.3.100" }
 type=USER_LOGIN msg=audit(1383116048.000:595): pid=12354 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="dan" exe="/usr/sbin/sshd" hostname=? addr=192.168.3.100 terminal=ssh res=failed'
+
+# failJSON: { "time": "2022-11-14T00:11:11", "match": true , "host": "192.0.2.111" }
+type=USER_AUTH msg=audit(1668381071.000:373474): pid=173582 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=192.0.2.111 addr=192.0.2.111 terminal=ssh res=failed'UID="root" AUID="unset"
From cbb097a2b35260c516ede8620efa4e8317d9ce1c Mon Sep 17 00:00:00 2001
From: sebres
Date: Mon, 14 Nov 2022 18:56:01 +0100
Subject: [PATCH 2/8] small amend (non capturing group)
---
 config/filter.d/selinux-common.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/filter.d/selinux-common.conf b/config/filter.d/selinux-common.conf
index ad4a77f5..dc9616d2 100644
--- a/config/filter.d/selinux-common.conf
+++ b/config/filter.d/selinux-common.conf
@@ -14,7 +14,7 @@
 [Definition]
-failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'(?:\x1D|$)
+failregex = ^type=%(_type)s msg=audit\(:\d+\): (?:user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'(?:\x1D|$)
 ignoreregex =
From ae5fe2e0032b8055a6a3c707f4cabfdd283f4245 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Tue, 15 Nov 2022 14:29:59 +0100
Subject: [PATCH 3/8] amend to #3405, eliminate catch-all
---
 config/filter.d/selinux-ssh.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/filter.d/selinux-ssh.conf b/config/filter.d/selinux-ssh.conf
index e5793c0a..0e38eb11 100644
--- a/config/filter.d/selinux-ssh.conf
+++ b/config/filter.d/selinux-ssh.conf
@@ -15,7 +15,7 @@ _subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023
 _exe =/usr/sbin/sshd
 _terminal = ssh
-_anygrp = (?!acct=|exe=|addr=|terminal=|res=)\w+=(?:".*"|\S*)
+_anygrp = (?!acct=|exe=|addr=|terminal=|res=)\w+=(?:"[^"]+"|\S*)
 _msg = (?:%(_anygrp)s )*acct=(?:"[^"]+"|\S+) exe="%(_exe)s" (?:%(_anygrp)s )*addr= terminal=%(_terminal)s res=failed
From 05c162ef102026450244b41a6806e1137f340aba Mon Sep 17 00:00:00 2001
From: Andrey Alekseenko
Date: Sat, 14 Apr 2018 17:01:36 +0300
Subject: [PATCH 4/8] Create filter for Dante SOCKS server
---
 config/filter.d/dante.conf | 16 ++++++++++++++++
 config/jail.conf | 5 +++++
 fail2ban/tests/files/logs/dante | 4 ++++
 3 files changed, 25 insertions(+)
 create mode 100644 config/filter.d/dante.conf
 create mode 100644 fail2ban/tests/files/logs/dante
diff --git a/config/filter.d/dante.conf b/config/filter.d/dante.conf
new file mode 100644
index 00000000..b597d461
--- /dev/null
+++ b/config/filter.d/dante.conf
@@ -0,0 +1,16 @@
+# Fail2Ban filter for dante
+#
+# Make sure you have "log: error" set in your "client pass" directive
+#
+
+[INCLUDES]
+before = common.conf
+
+[Definition]
+_daemon = danted
+
+failregex = ^%(__prefix_line)sinfo: block\(1\): tcp/accept \]: \.\d+ [\d.]+: error after reading \d+ bytes in \d+ seconds: (could not access user "\w+"'s records in the system password file: no system error|system password authentication failed for user "\w+")$
+
+[Init]
+journalmatch = _SYSTEMD_UNIT=danted.service
+
diff --git a/config/jail.conf b/config/jail.conf
index fe8db527..f4990e09 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -978,3 +978,8 @@ banaction = %(banaction_allports)s
 [monitorix]
 port = 8080
 logpath = /var/log/monitorix-httpd
+
+[dante]
+port = 1080
+logpath = %(syslog_daemon)s
+
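Review bot: As rendered here the new `failregex` cannot match the test lines added in the same commit: `tcp/accept \]: \.\d+` requires a dot right after `]: `, while the log shows `]: 1.2.3.4.50550`, and `addr= terminal=` in the selinux-ssh `_msg` of the first commit and `user "[^"]+"` in the sixth have the same kind of gap. That looks like angle-bracket tags (`<HOST>`, `<F-USER>`) dropped by this page's rendering rather than a defect in the commits (the `From:` headers are missing their `<e-mail>` part the same way), so verify the regex against the repository file before reusing it from here. What is a defect in this commit's regex is `"\w+"` for the account name: a failed login for an account containing `.`, `-` or `@` does not match and is never counted, and `"[^"]+"`, which a later commit in the series switches to, covers those. `journalmatch = _SYSTEMD_UNIT=danted.service` could additionally pin the process as the sshd filter does, `journalmatch = _SYSTEMD_UNIT=danted.service + _COMM=danted`, given `_daemon = danted` on the line above.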
diff --git a/fail2ban/tests/files/logs/dante b/fail2ban/tests/files/logs/dante
new file mode 100644
index 00000000..a7f08eb2
--- /dev/null
+++ b/fail2ban/tests/files/logs/dante
@@ -0,0 +1,4 @@
+# failJSON: { "time": "2005-04-14T15:35:03", "match": true , "host": "1.2.3.4" }
+Apr 14 15:35:03 vps111111 danted[17969]: info: block(1): tcp/accept ]: 1.2.3.4.50550 0.0.0.0.1080: error after reading 35 bytes in 0 seconds: could not access user "roooooooot"'s records in the system password file: no system error
+# failJSON: { "time": "2005-04-14T15:44:26", "match": true , "host": "1.2.3.4" }
+Apr 14 15:44:26 vps111111 danted[1846]: info: block(1): tcp/accept ]: 1.2.3.4.57178 0.0.0.0.1080: error after reading 18 bytes in 0 seconds: system password authentication failed for user "aland"
From df91b047d2104e0dd26636d2cea33b480538c919 Mon Sep 17 00:00:00 2001
From: Andrey Alekseenko
Date: Mon, 13 Aug 2018 20:22:37 +0300
Subject: [PATCH 5/8] Dante SOCKS server: handle "1 byte/second" case
Thanks to @Loriowar and @sebres for pointing it out
---
 config/filter.d/dante.conf | 2 +-
 fail2ban/tests/files/logs/dante | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/config/filter.d/dante.conf b/config/filter.d/dante.conf
index b597d461..d95f96b4 100644
--- a/config/filter.d/dante.conf
+++ b/config/filter.d/dante.conf
@@ -9,7 +9,7 @@ before = common.conf
 [Definition]
 _daemon = danted
-failregex = ^%(__prefix_line)sinfo: block\(1\): tcp/accept \]: \.\d+ [\d.]+: error after reading \d+ bytes in \d+ seconds: (could not access user "\w+"'s records in the system password file: no system error|system password authentication failed for user "\w+")$
+failregex = ^%(__prefix_line)sinfo: block\(1\): tcp/accept \]: \.\d+ [\d.]+: error after reading \d+ bytes? in \d+ seconds?: (could not access user "\w+"'s records in the system password file: no system error|system password authentication failed for user "\w+")$
 [Init]
 journalmatch = _SYSTEMD_UNIT=danted.service
diff --git a/fail2ban/tests/files/logs/dante b/fail2ban/tests/files/logs/dante
index a7f08eb2..80d6744f 100644
--- a/fail2ban/tests/files/logs/dante
+++ b/fail2ban/tests/files/logs/dante
@@ -2,3 +2,5 @@
 Apr 14 15:35:03 vps111111 danted[17969]: info: block(1): tcp/accept ]: 1.2.3.4.50550 0.0.0.0.1080: error after reading 35 bytes in 0 seconds: could not access user "roooooooot"'s records in the system password file: no system error
 # failJSON: { "time": "2005-04-14T15:44:26", "match": true , "host": "1.2.3.4" }
 Apr 14 15:44:26 vps111111 danted[1846]: info: block(1): tcp/accept ]: 1.2.3.4.57178 0.0.0.0.1080: error after reading 18 bytes in 0 seconds: system password authentication failed for user "aland"
+# failJSON: { "time": "2005-04-14T15:44:26", "match": true , "host": "1.2.3.4" }
+Apr 14 15:44:26 vps111111 danted[1846]: info: block(1): tcp/accept ]: 1.2.3.4.57178 0.0.0.0.1080: error after reading 1 byte in 1 second: system password authentication failed for user "aland"
From 996553f33015547fd2872564bc212ed974b87620 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Fri, 18 Nov 2022 12:31:11 +0100
Subject: [PATCH 6/8] review, simplify regex and capture user name
---
 config/filter.d/dante.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/filter.d/dante.conf b/config/filter.d/dante.conf
index d95f96b4..986f1946 100644
--- a/config/filter.d/dante.conf
+++ b/config/filter.d/dante.conf
@@ -9,7 +9,7 @@ before = common.conf
 [Definition]
 _daemon = danted
-failregex = ^%(__prefix_line)sinfo: block\(1\): tcp/accept \]: \.\d+ [\d.]+: error after reading \d+ bytes? in \d+ seconds?: (could not access user "\w+"'s records in the system password file: no system error|system password authentication failed for user "\w+")$
+failregex = ^%(__prefix_line)sinfo: block\(1\): tcp/accept \]: \.\d+ [\d.]+: error after reading \d+ bytes? in \d+ seconds?: (could not access |system password authentication failed for )user "[^"]+"
 [Init]
 journalmatch = _SYSTEMD_UNIT=danted.service
From efbbcb41ea51db6722a3ed78767579c98dc2cd0a Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Fri, 18 Nov 2022 12:32:15 +0100
Subject: [PATCH 7/8] non capturing group
---
 config/filter.d/dante.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/filter.d/dante.conf b/config/filter.d/dante.conf
index 986f1946..e3f6f7b2 100644
--- a/config/filter.d/dante.conf
+++ b/config/filter.d/dante.conf
@@ -9,7 +9,7 @@ before = common.conf
 [Definition]
 _daemon = danted
-failregex = ^%(__prefix_line)sinfo: block\(1\): tcp/accept \]: \.\d+ [\d.]+: error after reading \d+ bytes? in \d+ seconds?: (could not access |system password authentication failed for )user "[^"]+"
+failregex = ^%(__prefix_line)sinfo: block\(1\): tcp/accept \]: \.\d+ [\d.]+: error after reading \d+ bytes? in \d+ seconds?: (?:could not access |system password authentication failed for )user "[^"]+"
 [Init]
 journalmatch = _SYSTEMD_UNIT=danted.service
From 432e7e1e93936f09e349e80d94254e5f43d0cc8a Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Mon, 28 Nov 2022 13:21:15 +0100
Subject: [PATCH 8/8] no warning if no config value but default (debug message now) closes #3420
---
 fail2ban/client/configreader.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py
index 1b5a56a2..c7f965ce 100644
--- a/fail2ban/client/configreader.py
+++ b/fail2ban/client/configreader.py
@@ -277,7 +277,7 @@ class ConfigReaderUnshared(SafeConfigParserWithIncludes):
 # TODO: validate error handling here.
 except NoOptionError:
 if not optvalue is None:
-logSys.warning("'%s' not defined in '%s'. Using default one: %r"
+logSys.debug("'%s' not defined in '%s'. Using default one: %r"
 % (optname, sec, optvalue))
 values[optname] = optvalue
 # elif logSys.getEffectiveLevel() <= logLevel:
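Review bot: The changed line still builds its message eagerly with the `%` operator on the unchanged continuation line `% (optname, sec, optvalue))`, and now that the record is emitted at debug level that formatting work is done for output that is almost always discarded; `logSys.debug("'%s' not defined in '%s'. Using default one: %r", optname, sec, optvalue)` lets the logger defer it until the level is actually enabled. On the adjacent context line, `if not optvalue is None:` reads better as `if optvalue is not None:`. The `except NoOptionError:` branch belongs to a method whose start and end lie outside the hunk.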