From 28f5d7b980a7f256b9e8640a5eca471e658c136c Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Wed, 1 May 2013 00:15:46 +1000 Subject: [PATCH 01/25] ENH: opensuse script from opensuse: https://build.opensuse.org/package/view_file?expand=1&file=fail2ban.init&package=fail2ban&project=openSUSE%3AFactory --- files/suse-initd | 181 +++++++++++++++++++++++++---------------------- 1 file changed, 96 insertions(+), 85 deletions(-) mode change 100755 => 100644 files/suse-initd diff --git a/files/suse-initd b/files/suse-initd old mode 100755 new mode 100644 index 1dec63e2..b53fa540 --- a/files/suse-initd +++ b/files/suse-initd 
@@ -1,103 +1,114 @@ #!/bin/sh # -# /etc/init.d/fail2ban -# and its symbolic link -# /usr/sbin/rcfail2ban -# ### BEGIN INIT INFO # Provides: fail2ban -# Required-Start: $syslog $remote_fs sendmail -# Required-Stop: $syslog $remote_fs -# Should-Stop: $time ypbind sendmail +# Required-Start: $syslog $remote_fs $local_fs +# Should-Start: $time $network iptables +# Required-Stop: $syslog $remote_fs $local_fs +# Should-Stop: $time $network iptables # Default-Start: 3 5 # Default-Stop: 0 1 2 6 -# Description: startup Fail2Ban +# Pidfile: /var/run/fail2ban/fail2ban.pid +# Short-Description: Bans IPs with too many authentication failures +# Description: Start fail2ban to scan logfiles and ban IP addresses +# which make too many logfiles failures, and/or sent e-mails about ### END INIT INFO -PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/sbin:/usr/bin:/bin -FAIL2BAN_BIN=/usr/local/bin/fail2ban-client -FAIL2BAN_SERVER=/usr/local/bin/fail2ban-server -FAIL2BAN_SOCKET=/var/run/fail2ban/fail2ban.sock -test -x $FAIL2BAN_BIN || { echo "$FAIL2BAN_BIN not installed"; - if [ "$1" = "stop" ]; then exit 0; - else exit 5; fi; } -# Check for existence of needed config file and read it -FAIL2BAN_CONFIG=/etc/fail2ban/fail2ban.conf -test -r $FAIL2BAN_CONFIG || { echo "$FAIL2BAN_CONFIG not existing"; - if [ "$1" = "stop" ]; then exit 0; - else exit 6; fi; } +# Check for missing binaries (stale symlinks should not happen) +FAIL2BAN_CLI=/usr/bin/fail2ban-client +test -x $FAIL2BAN_CLI || { echo "$FAIL2BAN_CLI not installed"; + if [ "$1" = "stop" ]; then exit 0; + else exit 5; fi; } +FAIL2BAN_SRV=/usr/bin/fail2ban-server +test -x $FAIL2BAN_SRV || { echo "$FAIL2BAN_SRV not installed"; + if [ "$1" = "stop" ]; then exit 0; + else exit 5; fi; } + +FAIL2BAN_CONFIG="/etc/sysconfig/fail2ban" +FAIL2BAN_SOCKET_DIR="/var/run/fail2ban" +FAIL2BAN_SOCKET="$FAIL2BAN_SOCKET_DIR/fail2ban.sock" +FAIL2BAN_PID="$FAIL2BAN_SOCKET_DIR/fail2ban.pid" + +if [ -e $FAIL2BAN_CONFIG ]; then + . 
$FAIL2BAN_CONFIG +fi . /etc/rc.status - -# Reset status of this service rc_reset case "$1" in start) - echo -n "Starting Fail2Ban " - # a cleanup workaround, since /etc/init.d/boot.local removes only. - # regular files, and not sockets - if test -e $FAIL2BAN_SOCKET; then - if ! lsof -n $FAIL2BAN_SOCKET &>/dev/null; then - rm $FAIL2BAN_SOCKET - fi - fi - /sbin/startproc $FAIL2BAN_BIN start &>/dev/null - rc_status -v - ;; - stop) - echo -n "Shutting down Fail2ban " - /sbin/startproc $FAIL2BAN_BIN -q stop - rc_status -v - ;; - try-restart|condrestart) - if test "$1" = "condrestart"; then - echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}" - fi - $0 status - if test $? = 0; then - $0 restart - else - rc_reset # Not running is not a failure. - fi - rc_status - ;; - restart) - $0 stop - echo -n "-wait a minute " - i=60 - while [ -e $FAIL2BAN_SOCKET ] && [ $i -gt 0 ]; do - sleep 1 - i=$[$i-1] - echo -n "." - done - echo "." - $0 start + echo -n "Starting fail2ban " - # Remember status and be quiet - rc_status - ;; - force-reload) - echo -n "Reload service Fail2ban " - /sbin/startproc $FAIL2BAN_BIN -q reload - rc_status -v - ;; - reload) - echo -n "Reload service Fail2ban " - /sbin/startproc $FAIL2BAN_BIN -q reload - rc_status -v - ;; + if [ ! -d $FAIL2BAN_SOCKET_DIR ]; then + mkdir -p $FAIL2BAN_SOCKET_DIR + fi + + if [ -e $FAIL2BAN_SOCKET ]; then + if ! lsof -n $FAIL2BAN_SOCKET &>/dev/null; then + rm $FAIL2BAN_SOCKET + fi + fi + $FAIL2BAN_CLI -x -q $FAIL2BAN_OPTIONS start &>/dev/null 2>&1 + + rc_status -v + ;; + stop) + echo -n "Shutting down fail2ban " + ## Stop daemon with built-in functionality 'stop' + /sbin/startproc -w $FAIL2BAN_CLI -q stop > /dev/null 2>&1 + + if [ -f $FAIL2BAN_SOCKET ] + then + echo "$FAIL2BAN_SOCKET not removed .. removing .." + rm $FAIL2BAN_SOCKET + fi + if [ -f $FAIL2BAN_PID ] + then + echo "$FAIL2BAN_PID not removed .. removing .." 
+ rm $FAIL2BAN_PID + fi + + + rc_status -v + ;; + try-restart|condrestart) + $0 status + if test $? = 0; then + $0 restart + else + rc_reset # Not running is not a failure. + fi + rc_status + ;; + restart) + $0 stop + i=60 + while [ -e $FAIL2BAN_SOCKET ] && [ $i -gt 0 ]; do + sleep 1 + i=$[$i-1] + echo -n "." + done + $0 start + + rc_status + ;; + reload|force-reload) + echo -n "Reload service Fail2ban " + /sbin/startproc $FAIL2BAN_CLI -q reload > /dev/null 2>&1 + + rc_status -v + ;; status) - echo -n "Checking for service Fail2ban " - /sbin/checkproc $FAIL2BAN_SERVER - rc_status -v - ;; - probe) - test /etc/fail2ban/fail2ban.conf -nt /var/run/fail2ban.pid && echo reload - ;; + echo -n "Checking for service fail2ban " + /sbin/checkproc $FAIL2BAN_SRV + + rc_status -v + ;; *) - echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}" - exit 1 - ;; + echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}" + exit 1 + ;; esac -rc_exit \ No newline at end of file +rc_exit + From 13c154198fc3941e8f318c6c8d602df09d2cfbb2 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Fri, 3 May 2013 16:56:30 +1000 Subject: [PATCH 02/25] ENH: since it seems the default is to use file based logging, $syslog is in Should-{Start|Stop} like Debian https://github.com/fail2ban/fail2ban/blob/debian/debian/fail2ban.init --- files/suse-initd | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/files/suse-initd b/files/suse-initd index b53fa540..09c25687 100644 --- a/files/suse-initd +++ b/files/suse-initd 
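Review bot: `$FAIL2BAN_CLI -x -q $FAIL2BAN_OPTIONS start &>/dev/null 2>&1` in the new `start` branch relies on the bash-only `&>` under a `#!/bin/sh` shebang; a POSIX sh reads it as `… &` followed by a null command redirected to /dev/null, which backgrounds the client and leaves `rc_status -v` reporting the redirect's status rather than the start's, so `> /dev/null 2>&1` (the form the `stop` and `reload` branches already use) is the safe spelling — the `lsof -n $FAIL2BAN_SOCKET &>/dev/null` test and `i=$[$i-1]` in `restart` carry the same bashism. In `stop`, `[ -f $FAIL2BAN_SOCKET ]` is false for a unix socket, so the 'not removed .. removing ..' cleanup can never run; `[ -S $FAIL2BAN_SOCKET ]` (or `-e`, as `start` uses) tests the right thing. The usage line still lists `probe` although this hunk drops the `probe)` arm. On openSUSE /bin/sh is probably bash, in which case only the last two points bite in practice, but the script is no longer portable to dash-style shells.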
@@ -2,10 +2,10 @@ # ### BEGIN INIT INFO # Provides: fail2ban -# Required-Start: $syslog $remote_fs $local_fs -# Should-Start: $time $network iptables -# Required-Stop: $syslog $remote_fs $local_fs -# Should-Stop: $time $network iptables +# Required-Start: $remote_fs $local_fs +# Should-Start: $syslog $time $network iptables +# Required-Stop: $remote_fs $local_fs +# Should-Stop: $syslog $time $network iptables # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # Pidfile: /var/run/fail2ban/fail2ban.pid From 725d666ee69735e65d85597b5de70eff7faf805e Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Mon, 13 May 2013 12:56:21 -0400 Subject: [PATCH 03/25] Getting ready for further development --- ChangeLog | 10 +++++++++- DEVELOP | 4 +++- common/version.py | 2 +- 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index e3ed79a7..6f98cc11 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,9 +4,17 @@ |_| \__,_|_|_/___|_.__/\__,_|_||_| ================================================================================ -Fail2Ban (version 0.8.9) 2013/05/13 +Fail2Ban (version 0.8.9.dev) 2013/??/?? ================================================================================ +ver. 0.8.10 (2013/XX/XXX) - NOT-YET-RELEASED +----------- + +- Fixes +- New Features +- Enhancements + + ver. 0.8.9 (2013/05/13) - wanna-be-stable ---------- diff --git a/DEVELOP b/DEVELOP index 6ccb162e..f067a865 100644 --- a/DEVELOP +++ b/DEVELOP @@ -338,8 +338,10 @@ Post Release Add the following to the top of the ChangeLog -ver. 0.8.9 (2013/XX/XXX) - wanna-be-stable +ver. 0.8.11 (2013/XX/XXX) - wanna-be-stable - Fixes - New Features - Enhancements +and adjust common/version.py to carry .dev suffix to signal +a version under development. diff --git a/common/version.py b/common/version.py index e6f948cd..86c45760 100644 --- a/common/version.py +++ b/common/version.py 
@@ -24,4 +24,4 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko" __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko" __license__ = "GPL" -version = "0.8.9" +version = "0.8.9.dev" From 5c8fb68a2cd803a820bc624ac47bf8462fb5cd4d Mon Sep 17 00:00:00 2001 From: silviogarbes Date: Tue, 14 May 2013 08:04:11 -0300 Subject: [PATCH 04/25] Update asterisk.conf MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Para ficar compatível com asterisk 11 --- config/filter.d/asterisk.conf | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf index 9ed69804..8ae67ff8 100644 --- a/config/filter.d/asterisk.conf +++ b/config/filter.d/asterisk.conf 
@@ -20,19 +20,23 @@ before = common.conf # (?:::f{4,6}:)?(?P\S+) # Values: TEXT # -failregex = NOTICE%(__pid_re)s .*: Registration from '.*' failed for '' - Wrong password$ - NOTICE%(__pid_re)s .*: Registration from '.*' failed for '' - No matching peer found$ - NOTICE%(__pid_re)s .*: Registration from '.*' failed for '' - Username/auth name mismatch$ - NOTICE%(__pid_re)s .*: Registration from '.*' failed for '' - Device does not match ACL$ - NOTICE%(__pid_re)s .*: Registration from '.*' failed for '' - Peer is not supposed to register$ - NOTICE%(__pid_re)s .*: Registration from '.*' failed for '' - ACL error (permit/deny)$ +failregex = NOTICE%(__pid_re)s .*: Registration from '.*' failed for ':.*' - Wrong password$ + NOTICE%(__pid_re)s .*: Registration from '.*' failed for ':.*' - No matching peer found$ + NOTICE%(__pid_re)s .*: Registration from '.*' failed for ':.*' - Username/auth name mismatch$ + NOTICE%(__pid_re)s .*: Registration from '.*' failed for ':.*' - Device does not match ACL$ + NOTICE%(__pid_re)s .*: Registration from '.*' failed for ':.*' - Peer is not supposed to register$ + NOTICE%(__pid_re)s .*: Registration from '.*' failed for ':.*' - ACL error (permit/deny)$ + NOTICE%(__pid_re)s.* .*: Call from '.*' \(:.*\) to extension '.*' rejected because extension not found in context 'default'.$ NOTICE%(__pid_re)s failed to authenticate as '.*'$ NOTICE%(__pid_re)s .*: No registration for peer '.*' \(from \)$ NOTICE%(__pid_re)s .*: Host failed MD5 authentication for '.*' (.*)$ NOTICE%(__pid_re)s .*: Failed to authenticate user .*@.*$ + SECURITY%(__pid_re)s .*: SecurityEvent="InvalidAccountID",EventTV=".*",Severity=".*",Service=".*",EventVersion=".*",AccountID=".*",SessionID=".*",LocalAddress=".*",RemoteAddress=".*/.*//.*"$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = + + From 52fa5f19b0d82bd0614db49460496bf7aa949371 Mon Sep 17 00:00:00 2001 
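Review bot: The new Call-from line ends in `'default'.$`, where the unescaped `.` matches any character instead of the literal full stop that closes the Asterisk message; `'default'\.$` is the intended anchor. The same line is carried forward unchanged by the asterisk.conf hunks of PATCH 15/25 and PATCH 19/25, so fixing it here avoids three fix-ups. The `<HOST>` token appears to have been stripped throughout this rendering (the alternatives read `failed for ':.*'`), so I assume it is present in the real file and the `:.*` port suffix sits after it.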
From: silviogarbes Date: Tue, 14 May 2013 12:58:43 -0300 Subject: [PATCH 05/25] Update asterisk --- testcases/files/logs/asterisk | 3 +++ 1 file changed, 3 insertions(+) diff --git a/testcases/files/logs/asterisk b/testcases/files/logs/asterisk index 4715f608..21cc8826 100644 --- a/testcases/files/logs/asterisk +++ b/testcases/files/logs/asterisk @@ -9,3 +9,6 @@ [2012-02-13 17:39:20] NOTICE[1638] chan_iax2.c: No registration for peer 'Fail2ban' (from 1.2.3.4) [2012-02-13 17:44:26] NOTICE[1638] chan_iax2.c: Host 1.2.3.4 failed MD5 authentication for 'Fail2ban' (e7df7cd2ca07f4f1ab415d457a6e1c13 != 53ac4bc41ee4ec77888ed4aa50677247) [2012-02-13 17:37:07] NOTICE[1638] chan_sip.c: Failed to authenticate user "Fail2ban" ;tag=1r698745234 +[2013-02-05 23:44:42] NOTICE[436][C-00000fa9] chan_sip.c: Call from '' (176.58.76.57:10836) to extension '0972598285108' rejected because extension not found in context 'default'. +[2013-03-26 15:47:54] NOTICE[1237] chan_sip.c: Registration from '"100"sip:100@200.251.240.30' failed for '193.238.16.99:23930' - No matching peer found +[2013-05-13 07:10:53] SECURITY[1204] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1368439853-500975",Severity="Error",Service="SIP",EventVersion="1",AccountID="00972599580679",SessionID="0x7f8ecc0421f8",LocalAddress="IPV4/UDP/200.251.240.30/5060",RemoteAddress="IPV4/UDP/82.205.8.77/5070" From 89e06bba15df7b56804134b5649564254bcc0843 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Fri, 24 May 2013 11:15:46 -0400 Subject: [PATCH 06/25] BF: blocktype must be defined within [Init] -- adding [Init] section. Close #232 --- ChangeLog | 5 ++++- config/action.d/route.conf | 2 ++ config/action.d/shorewall.conf | 2 ++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 6f98cc11..90a57f75 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -10,7 +10,10 @@ Fail2Ban (version 0.8.9.dev) 2013/??/?? ver. 0.8.10 (2013/XX/XXX) - NOT-YET-RELEASED ----------- -- Fixes +- Fixes: + Yaroslav Halchenko + * action.d/{route,shorewall}.conf - blocktype must be defined + within [Init]. Closes gh-232 - New Features - Enhancements diff --git a/config/action.d/route.conf b/config/action.d/route.conf index bb4ec8e1..123245e5 100644 --- a/config/action.d/route.conf +++ b/config/action.d/route.conf @@ -18,6 +18,8 @@ actionban = ip route add actionunban = ip route del +[Init] + # Option: blocktype # Note: Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages. # Values: STRING diff --git a/config/action.d/shorewall.conf b/config/action.d/shorewall.conf index b165c701..81ac0518 100644 --- a/config/action.d/shorewall.conf +++ b/config/action.d/shorewall.conf @@ -48,6 +48,8 @@ actionban = shorewall # actionunban = shorewall allow +[Init] + # Option: blocktype # Note: This is what the action does with rules. # See man page of shorewall for options that include drop, logdrop, reject, or logreject From d2b1c73b92edf385908c270a0ca0e7418c12235d Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Fri, 24 May 2013 14:33:08 -0400 Subject: [PATCH 07/25] CFG: assure actions for all the jails --- ChangeLog | 4 +++- config/jail.conf | 8 +++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 90a57f75..a0eda6dd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,7 +16,9 @@ ver. 0.8.10 (2013/XX/XXX) - NOT-YET-RELEASED within [Init]. Closes gh-232 - New Features - Enhancements - + Yaroslav Halchenko + * jail.conf -- assure all jails have actions and remove unused + ports specifications ver. 0.8.9 (2013/05/13) - wanna-be-stable ---------- diff --git a/config/jail.conf b/config/jail.conf index ec5b32ef..d3a23920 100644 --- a/config/jail.conf +++ b/config/jail.conf 
@@ -239,10 +239,8 @@ logpath = /var/log/roundcube/userlogins enabled = false filter = sogo-auth -port = http, https # without proxy this would be: # port = 20000 - action = iptables[name=SOGo, port="http,https"] logpath = /var/log/sogo/sogo.log @@ -253,7 +251,7 @@ logpath = /var/log/sogo/sogo.log [php-url-fopen] enabled = false -port = http,https +action = iptables[name=php-url-open, port="http,https"] filter = php-url-fopen logpath = /var/www/*/logs/access_log maxretry = 1 @@ -268,8 +266,8 @@ maxretry = 1 [lighttpd-fastcgi] enabled = false -port = http,https filter = lighttpd-fastcgi +action = iptables[name=lighttpd-fastcgi, port="http,https"] # adapt the following two items as needed logpath = /var/log/lighttpd/error.log maxretry = 2 @@ -280,8 +278,8 @@ maxretry = 2 [lighttpd-auth] enabled = false -port = http,https filter = lighttpd-auth +action = iptables[name=lighttpd-auth, port="http,https"] # adapt the following two items as needed logpath = /var/log/lighttpd/error.log maxretry = 2 From 8a57ffd2fb40aa4c4f28b58967d3af440e854933 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Fri, 24 May 2013 14:33:48 -0400 Subject: [PATCH 08/25] TST: test all stock jails to have actions and correctly specifying blocktype --- testcases/clientreadertestcase.py | 32 +++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/testcases/clientreadertestcase.py b/testcases/clientreadertestcase.py index faa8dcd6..dbaa8ec2 100644 --- a/testcases/clientreadertestcase.py +++ b/testcases/clientreadertestcase.py 
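Review bot: `action = iptables[name=php-url-open, port="http,https"]` names the chain after `php-url-open` while the jail is `php-url-fopen`; the other two lines this commit adds use the jail name, so this looks like a typo that will also yield a misleading `fail2ban-php-url-open` chain. More importantly, if the stock `iptables` action still expands `port` into a single `--dport <port>`, iptables rejects the comma-separated `http,https` and the jail starts without a working ban rule — the pre-existing sogo-auth context line has the same shape; `iptables-multiport[...]` is the action built for port lists. Suggested line: `action = iptables-multiport[name=php-url-fopen, port="http,https"]`, and likewise for the lighttpd-fastcgi and lighttpd-auth additions. Only the jail.conf hunks are in view, so the `--dport` assumption should be checked against action.d/iptables.conf.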
@@ -144,10 +144,38 @@ class JailsReaderTest(unittest.TestCase): # and warn on useDNS self.assertTrue(['set', j, 'usedns', 'warn'] in comm_commands) self.assertTrue(['start', j] in comm_commands) + # last commands should be the 'start' commands self.assertEqual(comm_commands[-1][0], 'start') - # TODO: make sure that all of the jails have actions assigned, - # otherwise it makes little to no sense + + for j in jails._JailsReader__jails: + actions = j._JailReader__actions + jail_name = j.getName() + # make sure that all of the jails have actions assigned, + # otherwise it makes little to no sense + self.assertTrue(len(actions), + msg="No actions found for jail %s" % jail_name) + + # Test for presence of blocktype (in relation to gh-232) + for action in actions: + commands = action.convert() + file_ = action.getFile() + if '' in str(commands): + # Verify that it is among cInfo + self.assertTrue('blocktype' in action._ActionReader__cInfo) + # Verify that we have a call to set it up + blocktype_present = False + target_command = [ 'set', jail_name, 'setcinfo', file_, 'blocktype' ] + for command in commands: + if (len(command) > 5 and + command[:5] == target_command): + blocktype_present = True + continue + self.assertTrue( + blocktype_present, + msg="Found no %s command among %s" + % (target_command, str(commands)) ) + def testConfigurator(self): configurator = Configurator() From 244a96f9b3fb58867f073957714cf4d464cde80a Mon Sep 17 00:00:00 2001 From: Terence Namusonge Date: Sat, 25 May 2013 19:26:13 +0200 Subject: [PATCH 09/25] fixed failregex line for roundcube 0.9+ # Only works only if log driver: is set to 'syslog'. this is becoz fail2ban fails to 'read' the line due to the brackets around the date timestamp on logline when log driver is set to file --- config/filter.d/roundcube-auth.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/filter.d/roundcube-auth.conf b/config/filter.d/roundcube-auth.conf index 41766e31..7b153f44 100644 
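Review bot: The `continue` right after `blocktype_present = True` is a no-op at the end of the loop body; `break` is what the search intends, and it also stops re-scanning the rest of `commands`. The guard `if '' in str(commands):` as rendered here is vacuously true — I assume the `<blocktype>` placeholder was dropped by the page rendering and the real condition is `if '<blocktype>' in str(commands):`; worth confirming, because with an empty string every action would be required to carry a blocktype setcinfo. The new block also reaches through name-mangled privates (`jails._JailsReader__jails`, `j._JailReader__actions`, `action._ActionReader__cInfo`), which ties the test to the readers' private layout; a small accessor on the readers would be less brittle. The enclosing test method starts before this hunk.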
--- a/config/filter.d/roundcube-auth.conf +++ b/config/filter.d/roundcube-auth.conf @@ -1,6 +1,6 @@ # Fail2Ban configuration file for roundcube web server # -# Author: Teodor Micu & Yaroslav Halchenko +# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge # # @@ -13,7 +13,7 @@ # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # -failregex = FAILED login for .*. from \s*$ +failregex = (FAILED login|Login failed) for .* from \s*$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. From 098c88a67b8db83beaac6d9820e20ee109e3e6d0 Mon Sep 17 00:00:00 2001 From: Terence Namusonge Date: Sun, 26 May 2013 07:46:29 +0200 Subject: [PATCH 10/25] failregex when roundcube log driver is set to 'syslog' --- testcases/files/logs/roundcube-auth | 1 + 1 file changed, 1 insertion(+) diff --git a/testcases/files/logs/roundcube-auth b/testcases/files/logs/roundcube-auth index d16f7266..04e0faf5 100644 --- a/testcases/files/logs/roundcube-auth +++ b/testcases/files/logs/roundcube-auth @@ -1 +1,2 @@ [22-Jan-2013 22:28:21 +0200]: FAILED login for user1 from 192.0.43.10 +May 26 07:12:40 hamster roundcube: IMAP Error: Login failed for sales@example.com from 10.1.1.47 From 7a4db4b4b9cd40671f3d444a45c7382c8fc3d637 Mon Sep 17 00:00:00 2001 From: Steven Hiscocks Date: Sun, 26 May 2013 14:29:59 +0100 Subject: [PATCH 11/25] TST: Fix fail2ban.conf reader test for unreliable dictionary order --- testcases/clientreadertestcase.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testcases/clientreadertestcase.py b/testcases/clientreadertestcase.py index dbaa8ec2..a8c60bf8 100644 --- a/testcases/clientreadertestcase.py +++ b/testcases/clientreadertestcase.py 
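Review bot: `failregex = (FAILED login|Login failed) for .* from \s*$` keeps an unbounded `.*` for the user field, which is text the unauthenticated client chose; following the DEVELOP guideline added later in this series (PATCH 17/25, "as restrictive as possible"), a non-greedy `.*?` or `\S+` keeps the match anchored on the host that follows, and the alternation does not need to capture, so `(?:FAILED login|Login failed) for .*? from <HOST>\s*$` is the safer shape. The `<HOST>` token is evidently stripped in this rendering (the line reads `from \s*$`), so I am assuming it is present in the actual file. The commit message's remark that the bracketed file-driver timestamp is not parsed is a date-detection matter rather than something this regex can address.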
@@ -193,7 +193,7 @@ class JailsReaderTest(unittest.TestCase): commands = configurator.getConfigStream() # and there is logging information left to be passed into the # server - self.assertEqual(commands, + self.assertEqual(sorted(commands), [['set', 'loglevel', 3], ['set', 'logtarget', '/var/log/fail2ban.log']]) From 567cd353a14c55b66ad8a6afd18758c3d6431901 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Wed, 29 May 2013 09:41:20 -0400 Subject: [PATCH 12/25] DOC: Changelog entry fro preceeding merge from Terence --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index a0eda6dd..f68fdded 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,8 @@ ver. 0.8.10 (2013/XX/XXX) - NOT-YET-RELEASED Yaroslav Halchenko * jail.conf -- assure all jails have actions and remove unused ports specifications + Terence Namusonge + * config/filter.d/roundcube-auth.conf -- support roundcube 0.9+ ver. 0.8.9 (2013/05/13) - wanna-be-stable ---------- From 39d32e0352922b21c8d7ba3a95a71ea65ebe07c1 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Wed, 29 May 2013 09:56:15 -0400 Subject: [PATCH 13/25] Changelog for previous PR --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index f68fdded..69b87b06 100644 --- a/ChangeLog +++ b/ChangeLog @@ -21,6 +21,8 @@ ver. 0.8.10 (2013/XX/XXX) - NOT-YET-RELEASED ports specifications Terence Namusonge * config/filter.d/roundcube-auth.conf -- support roundcube 0.9+ + Daniel Black + * files/suse-initd -- update to the copy from stock SUSE ver. 0.8.9 (2013/05/13) - wanna-be-stable ---------- From 0f7b6093365e2f5dc8f2cf5e18660ea218358087 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Thu, 30 May 2013 09:43:39 +1000 Subject: [PATCH 14/25] ENH: port optional --- config/filter.d/asterisk.conf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf index 8ae67ff8..8ff1dbbf 100644 
--- a/config/filter.d/asterisk.conf +++ b/config/filter.d/asterisk.conf @@ -20,12 +20,12 @@ before = common.conf # (?:::f{4,6}:)?(?P\S+) # Values: TEXT # -failregex = NOTICE%(__pid_re)s .*: Registration from '.*' failed for ':.*' - Wrong password$ - NOTICE%(__pid_re)s .*: Registration from '.*' failed for ':.*' - No matching peer found$ - NOTICE%(__pid_re)s .*: Registration from '.*' failed for ':.*' - Username/auth name mismatch$ - NOTICE%(__pid_re)s .*: Registration from '.*' failed for ':.*' - Device does not match ACL$ - NOTICE%(__pid_re)s .*: Registration from '.*' failed for ':.*' - Peer is not supposed to register$ - NOTICE%(__pid_re)s .*: Registration from '.*' failed for ':.*' - ACL error (permit/deny)$ +failregex = NOTICE%(__pid_re)s .*: Registration from '.*' failed for '(:[0-9]+)?' - Wrong password$ + NOTICE%(__pid_re)s .*: Registration from '.*' failed for '(:[0-9]+)?' - No matching peer found$ + NOTICE%(__pid_re)s .*: Registration from '.*' failed for '(:[0-9]+)?' - Username/auth name mismatch$ + NOTICE%(__pid_re)s .*: Registration from '.*' failed for '(:[0-9]+)?' - Device does not match ACL$ + NOTICE%(__pid_re)s .*: Registration from '.*' failed for '(:[0-9]+)?' - Peer is not supposed to register$ + NOTICE%(__pid_re)s .*: Registration from '.*' failed for '(:[0-9]+)?' - ACL error (permit/deny)$ NOTICE%(__pid_re)s.* .*: Call from '.*' \(:.*\) to extension '.*' rejected because extension not found in context 'default'.$ NOTICE%(__pid_re)s failed to authenticate as '.*'$ NOTICE%(__pid_re)s .*: No registration for peer '.*' \(from \)$ From 4cf402d60e42003d7bb1c10e22eb99ebb57d0f71 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Thu, 30 May 2013 10:15:58 +1000 Subject: [PATCH 15/25] ENH/BF: constrain regex. Fix ACL error regex --- config/filter.d/asterisk.conf | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf index 8ff1dbbf..f177f53c 100644 
--- a/config/filter.d/asterisk.conf +++ b/config/filter.d/asterisk.conf 
@@ -20,18 +20,18 @@ before = common.conf # (?:::f{4,6}:)?(?P\S+) # Values: TEXT # -failregex = NOTICE%(__pid_re)s .*: Registration from '.*' failed for '(:[0-9]+)?' - Wrong password$ - NOTICE%(__pid_re)s .*: Registration from '.*' failed for '(:[0-9]+)?' - No matching peer found$ - NOTICE%(__pid_re)s .*: Registration from '.*' failed for '(:[0-9]+)?' - Username/auth name mismatch$ - NOTICE%(__pid_re)s .*: Registration from '.*' failed for '(:[0-9]+)?' - Device does not match ACL$ - NOTICE%(__pid_re)s .*: Registration from '.*' failed for '(:[0-9]+)?' - Peer is not supposed to register$ - NOTICE%(__pid_re)s .*: Registration from '.*' failed for '(:[0-9]+)?' - ACL error (permit/deny)$ - NOTICE%(__pid_re)s.* .*: Call from '.*' \(:.*\) to extension '.*' rejected because extension not found in context 'default'.$ - NOTICE%(__pid_re)s failed to authenticate as '.*'$ - NOTICE%(__pid_re)s .*: No registration for peer '.*' \(from \)$ - NOTICE%(__pid_re)s .*: Host failed MD5 authentication for '.*' (.*)$ - NOTICE%(__pid_re)s .*: Failed to authenticate user .*@.*$ - SECURITY%(__pid_re)s .*: SecurityEvent="InvalidAccountID",EventTV=".*",Severity=".*",Service=".*",EventVersion=".*",AccountID=".*",SessionID=".*",LocalAddress=".*",RemoteAddress=".*/.*//.*"$ +failregex = NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - Wrong password$ + NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - No matching peer found$ + NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - Username/auth name mismatch$ + NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - Device does not match ACL$ + NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - Peer is not supposed to register$ + NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' 
- ACL error \(permit/deny\)$ + NOTICE%(__pid_re)s\[[^:]+\] [^:]+: Call from '[^']*' \(:.*\) to extension '[0-9]+' rejected because extension not found in context 'default'.$ + NOTICE%(__pid_re)s [^:]+: Host failed to authenticate as '[^']*'$ + NOTICE%(__pid_re)s [^:]+: No registration for peer '[^']*' \(from \)$ + NOTICE%(__pid_re)s [^:]+: Host failed MD5 authentication for '[^']*' \([^)]+\)$ + NOTICE%(__pid_re)s [^:]+: Failed to authenticate user [^@]+@.*$ + SECURITY%(__pid_re)s [^:]+: SecurityEvent="InvalidAccountID",EventTV="[0-9-]+",Severity="[a-zA-Z]+",Service="[a-zA-Z]+",EventVersion="[0-9]+",AccountID="[0-9]+",SessionID="0x[0-9a-f]+",LocalAddress="IPV[46]/(UD|TC)P/[0-9a-fA-F:.]+/[0-9]+",RemoteAddress="IPV[46]/(UD|TC)P//[0-9]+"$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. From 916b5a7c234abe70599ddb889055ccc7c97c3c16 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Thu, 30 May 2013 10:24:48 +1000 Subject: [PATCH 16/25] TST: normalize logs to use example.com and 1.2.3.4 as IP --- testcases/files/logs/asterisk | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/testcases/files/logs/asterisk b/testcases/files/logs/asterisk index 21cc8826..667eee02 100644 --- a/testcases/files/logs/asterisk +++ b/testcases/files/logs/asterisk 
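Review bot: The rewritten SECURITY line now demands `AccountID="[0-9]+"`, so an InvalidAccountID event whose account ID is an alphanumeric SIP username no longer matches and that source is never banned; the only sample in testcases/files/logs/asterisk carries a numeric ID, so fail2ban-regex will not show the gap. `AccountID="[^"]+"` keeps the field bounded without dropping those events. `Severity="[a-zA-Z]+"` and `Service="[a-zA-Z]+"` look fine, since those values are presumably Asterisk's own fixed vocabularies rather than caller-supplied — worth confirming against the Asterisk security-log documentation.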
@@ -1,14 +1,14 @@ # Sample log files for asterisk -[2012-02-13 17:21:54] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - Wrong password -[2012-02-13 17:18:22] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - No matching peer found -[2012-02-13 17:21:21] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - Username/auth name mismatch -[2012-02-13 17:32:01] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - Device does not match ACL -[2012-02-13 17:34:10] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - Peer is not supposed to register -[2012-02-13 17:36:23] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - ACL error (permit/deny) +[2012-02-13 17:21:54] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - Wrong password +[2012-02-13 17:18:22] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - No matching peer found +[2012-02-13 17:21:21] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - Username/auth name mismatch +[2012-02-13 17:32:01] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - Device does not match ACL +[2012-02-13 17:34:10] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - Peer is not supposed to register +[2012-02-13 17:36:23] NOTICE[1638] chan_sip.c: Registration from '' failed for '1.2.3.4' - ACL error (permit/deny) [2012-02-13 17:53:59] NOTICE[1638] chan_iax2.c: Host 1.2.3.4 failed to authenticate as 'Fail2ban' [2012-02-13 17:39:20] NOTICE[1638] chan_iax2.c: No registration for peer 'Fail2ban' (from 1.2.3.4) [2012-02-13 17:44:26] NOTICE[1638] chan_iax2.c: Host 1.2.3.4 failed MD5 authentication for 'Fail2ban' (e7df7cd2ca07f4f1ab415d457a6e1c13 != 53ac4bc41ee4ec77888ed4aa50677247) [2012-02-13 17:37:07] NOTICE[1638] chan_sip.c: Failed to authenticate user "Fail2ban" ;tag=1r698745234 -[2013-02-05 23:44:42] NOTICE[436][C-00000fa9] chan_sip.c: Call from '' 
(176.58.76.57:10836) to extension '0972598285108' rejected because extension not found in context 'default'. -[2013-03-26 15:47:54] NOTICE[1237] chan_sip.c: Registration from '"100"sip:100@200.251.240.30' failed for '193.238.16.99:23930' - No matching peer found -[2013-05-13 07:10:53] SECURITY[1204] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1368439853-500975",Severity="Error",Service="SIP",EventVersion="1",AccountID="00972599580679",SessionID="0x7f8ecc0421f8",LocalAddress="IPV4/UDP/200.251.240.30/5060",RemoteAddress="IPV4/UDP/82.205.8.77/5070" +[2013-02-05 23:44:42] NOTICE[436][C-00000fa9] chan_sip.c: Call from '' (1.2.3.4:10836) to extension '0972598285108' rejected because extension not found in context 'default'. +[2013-03-26 15:47:54] NOTICE[1237] chan_sip.c: Registration from '"100"sip:100@1.2.3.4' failed for '1.2.3.4:23930' - No matching peer found +[2013-05-13 07:10:53] SECURITY[1204] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1368439853-500975",Severity="Error",Service="SIP",EventVersion="1",AccountID="00972599580679",SessionID="0x7f8ecc0421f8",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/1.2.3.4/5070" From e54498f6fe15e0016cbc6c195817e6cc817e7147 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Thu, 30 May 2013 10:25:03 +1000 Subject: [PATCH 17/25] DOC: how to do filter enhancements --- DEVELOP | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/DEVELOP b/DEVELOP index f067a865..00b7d6d5 100644 --- a/DEVELOP +++ b/DEVELOP 
@@ -34,9 +34,19 @@ When submitting pull requests on GitHub we ask you to:
 * Include a change to the relevant section of the ChangeLog; and
 * Include yourself in THANKS if not already there.
-Testing
+Filters
 =======
+* Include sample logs with 1.2.3.4 used for IP addresses and
+ example.com/example.org used for DNS names
+* Ensure ./fail2ban-regex testcases/files/logs/{samplelog} config/filter.d/{filter}.conf
+ has matches for EVERY regex
+* Ensure regexs end with a $ and are restrictive as possible. E.g. not .* if
+ [0-9]+ is sufficient
+
+Code Testing
+============
+
 Existing tests can be run by executing `fail2ban-testcases`. This has options like --log-level that will probably be useful. `fail2ban-testcases --help` for full options.
From 28fc14d01080a2cd86baf6d9479fc5e4e7ce7585 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Thu, 30 May 2013 10:27:30 +1000
Subject: [PATCH 18/25] DOC: credits
---
 ChangeLog | 2 ++
 THANKS | 1 +
 2 files changed, 3 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 69b87b06..5366135c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -23,6 +23,8 @@ ver. 0.8.10 (2013/XX/XXX) - NOT-YET-RELEASED
 * config/filter.d/roundcube-auth.conf -- support roundcube 0.9+
 Daniel Black
 * files/suse-initd -- update to the copy from stock SUSE
+ silviogarbes
+ * Updates to asterisk filter closes gh-227/gh-230.
 ver. 0.8.9 (2013/05/13) - wanna-be-stable
 ----------
diff --git a/THANKS b/THANKS
index 9545d43a..0b74ba81 100644
--- a/THANKS
+++ b/THANKS
@@ -39,6 +39,7 @@ René Berber
 Robert Edeker
 Russell Odom
 Sireyessire
+silviogarbes
 Stephen Gildea
 Steven Hiscocks
 Tom Pike
From 05c88bd85d73ab15997dcd119bfc30c5f4a26065 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Thu, 30 May 2013 11:34:04 +1000
Subject: [PATCH 19/25] ENH: purge a few more .*
---
 config/filter.d/asterisk.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf
index f177f53c..589a188c 100644
--- a/config/filter.d/asterisk.conf
+++ b/config/filter.d/asterisk.conf
@@ -26,11 +26,11 @@ failregex = NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - Device does not match ACL$
 NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - Peer is not supposed to register$
 NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - ACL error \(permit/deny\)$
- NOTICE%(__pid_re)s\[[^:]+\] [^:]+: Call from '[^']*' \(:.*\) to extension '[0-9]+' rejected because extension not found in context 'default'.$
+ NOTICE%(__pid_re)s\[[^:]+\] [^:]+: Call from '[^']*' \(:[0-9]+\) to extension '[0-9]+' rejected because extension not found in context 'default'.$
 NOTICE%(__pid_re)s [^:]+: Host failed to authenticate as '[^']*'$
 NOTICE%(__pid_re)s [^:]+: No registration for peer '[^']*' \(from \)$
 NOTICE%(__pid_re)s [^:]+: Host failed MD5 authentication for '[^']*' \([^)]+\)$
- NOTICE%(__pid_re)s [^:]+: Failed to authenticate user [^@]+@.*$
+ NOTICE%(__pid_re)s [^:]+: Failed to authenticate user [^@]+@\S*$
 SECURITY%(__pid_re)s [^:]+: SecurityEvent="InvalidAccountID",EventTV="[0-9-]+",Severity="[a-zA-Z]+",Service="[a-zA-Z]+",EventVersion="[0-9]+",AccountID="[0-9]+",SessionID="0x[0-9a-f]+",LocalAddress="IPV[46]/(UD|TC)P/[0-9a-fA-F:.]+/[0-9]+",RemoteAddress="IPV[46]/(UD|TC)P//[0-9]+"$
 # Option: ignoreregex
From 47b063b022d45013bfbff4c23d4e01ccee16c4c1 Mon Sep 17 00:00:00 2001
From: Carlos Alberto Lopez Perez
Date: Mon, 10 Jun 2013 19:41:13 +0200
Subject: [PATCH 20/25] Filter Asterisk: Add AUTH_UNKNOWN_DOMAIN error to list
* I have been seeing bruteforcing attempts where asterisk fails with AUTH_UNKNOWN_DOMAIN (Not a local domain)
---
 config/filter.d/asterisk.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf
index 589a188c..c1b3dcab 100644
--- a/config/filter.d/asterisk.conf
+++ b/config/filter.d/asterisk.conf
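Review bot: The `.` before `$` in `context 'default'.$` on the rewritten `Call from` line is an unescaped regex metacharacter, so it matches any single character rather than the literal full stop; `'default'\.$` pins it. None of the asterisk entries in this hunk is anchored at the start of the line, although the `Registration from '[^']*'` and `Call from '[^']*'` fields carry peer-supplied text, and this same series later anchors the apache filters at `^` precisely so that a match cannot begin inside such a field; prefixing each entry with `^` would bring the asterisk filter in line, and the `Not a local domain` entry added in the following hunk has the same shape. The `<HOST>` tokens appear to have been dropped from this rendering (the patterns read `failed for '(:[0-9]+)?'`), so the above assumes they are present in the real file.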
@@ -26,6 +26,7 @@ failregex = NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - Device does not match ACL$
 NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - Peer is not supposed to register$
 NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - ACL error \(permit/deny\)$
+ NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '(:[0-9]+)?' - Not a local domain$
 NOTICE%(__pid_re)s\[[^:]+\] [^:]+: Call from '[^']*' \(:[0-9]+\) to extension '[0-9]+' rejected because extension not found in context 'default'.$
 NOTICE%(__pid_re)s [^:]+: Host failed to authenticate as '[^']*'$
 NOTICE%(__pid_re)s [^:]+: No registration for peer '[^']*' \(from \)$
From 7248ef4564d3ad3b8c24ac17b4caa666c79f2122 Mon Sep 17 00:00:00 2001
From: Carlos Alberto Lopez Perez
Date: Tue, 11 Jun 2013 02:08:26 +0200
Subject: [PATCH 21/25] Filter Asterisk: Add sample log entry to testcase.
* Sample log entry for AUTH_UNKNOWN_DOMAIN (Not a local domain)
---
 testcases/files/logs/asterisk | 1 +
 1 file changed, 1 insertion(+)
diff --git a/testcases/files/logs/asterisk b/testcases/files/logs/asterisk
index 667eee02..45b69304 100644
--- a/testcases/files/logs/asterisk
+++ b/testcases/files/logs/asterisk
@@ -12,3 +12,4 @@
 [2013-02-05 23:44:42] NOTICE[436][C-00000fa9] chan_sip.c: Call from '' (1.2.3.4:10836) to extension '0972598285108' rejected because extension not found in context 'default'.
 [2013-03-26 15:47:54] NOTICE[1237] chan_sip.c: Registration from '"100"sip:100@1.2.3.4' failed for '1.2.3.4:23930' - No matching peer found
 [2013-05-13 07:10:53] SECURITY[1204] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1368439853-500975",Severity="Error",Service="SIP",EventVersion="1",AccountID="00972599580679",SessionID="0x7f8ecc0421f8",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/1.2.3.4/5070"
+[2013-06-10 18:15:03] NOTICE[2723] chan_sip.c: Registration from '"100"' failed for '1.2.3.4' - Not a local domain
From 4787777cee3c68868345ebfd721d26a0095e5aff Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Tue, 11 Jun 2013 10:30:56 +1000
Subject: [PATCH 22/25] DOC: credits for gh-244
---
 ChangeLog | 2 ++
 THANKS | 1 +
 2 files changed, 3 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 5366135c..e58bce06 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -25,6 +25,8 @@ ver. 0.8.10 (2013/XX/XXX) - NOT-YET-RELEASED
 * files/suse-initd -- update to the copy from stock SUSE
 silviogarbes
 * Updates to asterisk filter closes gh-227/gh-230.
+ Carlos Alberto Lopez Perez
+ * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN - gh-244.
 ver. 0.8.9 (2013/05/13) - wanna-be-stable
 ----------
diff --git a/THANKS b/THANKS
index 0b74ba81..ba33b766 100644
--- a/THANKS
+++ b/THANKS
@@ -9,6 +9,7 @@ Andrey G. Grozin
 Arturo 'Buanzo' Busleiman
 Axel Thimm
 Bill Heaton
+Carlos Alberto Lopez Perez
 Christian Rauch
 Christoph Haas
 Christos Psonis
From 6ccd57813cca617561fc67d2771361f30642eef7 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Tue, 11 Jun 2013 14:56:25 -0400
Subject: [PATCH 23/25] BF: anchor apache- filters. Close #248
See https://vndh.net/note:fail2ban-089-denial-service for more information
---
 config/filter.d/apache-auth.conf | 10 +++++++---
 config/filter.d/apache-common.conf | 17 +++++++++++++++++
 config/filter.d/apache-nohome.conf | 8 +++++++-
 config/filter.d/apache-noscript.conf | 10 ++++++++--
 config/filter.d/apache-overflows.conf | 8 +++++++-
 testcases/files/logs/apache-auth | 5 +++++
 testcases/files/logs/apache-noscript | 1 +
 7 files changed, 52 insertions(+), 7 deletions(-)
 create mode 100644 config/filter.d/apache-common.conf
 create mode 100644 testcases/files/logs/apache-auth
 create mode 100644 testcases/files/logs/apache-noscript
diff --git a/config/filter.d/apache-auth.conf b/config/filter.d/apache-auth.conf
index 66f6a1d6..ae3232f2 100644
--- a/config/filter.d/apache-auth.conf
+++ b/config/filter.d/apache-auth.conf
@@ -4,6 +4,12 @@
 #
 #
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 # Option: failregex
@@ -13,9 +19,7 @@
 # (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
-failregex = [[]client []] user .* authentication failure
- [[]client []] user .* not found
- [[]client []] user .* password mismatch
+failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
diff --git a/config/filter.d/apache-common.conf b/config/filter.d/apache-common.conf
new file mode 100644
index 00000000..c3829e2f
--- /dev/null
+++ b/config/filter.d/apache-common.conf
@@ -0,0 +1,17 @@
+# Generic configuration items (to be used as interpolations) in other
+# apache filters
+#
+# Author: Yaroslav Halchenko
+#
+#
+
+[INCLUDES]
+
+# Load customizations if any available
+after = apache-common.local
+
+
+[DEFAULT]
+
+# Common prefix for [error] apache messages which also would include
+_apache_error_client = \[[^]]+\] \[error\] \[client \]
diff --git a/config/filter.d/apache-nohome.conf b/config/filter.d/apache-nohome.conf
index 6e738c68..1347b10d 100644
--- a/config/filter.d/apache-nohome.conf
+++ b/config/filter.d/apache-nohome.conf
@@ -4,6 +4,12 @@
 #
 #
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 # Option: failregex
@@ -13,7 +19,7 @@
 # per-domain log files.
 # Values: TEXT
 #
-failregex = [[]client []] File does not exist: .*/~.*
+failregex = ^%(_apache_error_client)s File does not exist: .*/~.*
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
diff --git a/config/filter.d/apache-noscript.conf b/config/filter.d/apache-noscript.conf
index 5b48cb32..295e1b9f 100644
--- a/config/filter.d/apache-noscript.conf
+++ b/config/filter.d/apache-noscript.conf
@@ -4,6 +4,12 @@
 #
 #
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 # Option: failregex
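Review bot: The comment above `_apache_error_client` ends mid-sentence (`which also would include`); if the `<HOST>` token was lost in this rendering that is fine, otherwise it should read `# Common prefix for [error] apache messages which also would include <HOST>`. A why-comment on the bracket class would also help, because the point of this whole commit is easy to undo from `apache-common.local`: `# [^]]+ rather than .* on purpose: the prefix must not be able to skip ahead to a later [client ...] embedded in the request path`. Without that note a local override that relaxes the prefix silently reintroduces the gh-248 issue even though every filter in this commit keeps its `^` anchor.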
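Review bot: The rewritten apache-nohome `failregex` keeps a trailing `.*` in `File does not exist: .*/~.*`, which adds nothing under a search and leaves this the one pattern in the commit without an explicit end, while apache-auth and apache-noscript gained `\s*$`; `File does not exist: .*/~\S*$` (or simply dropping the final `.*`) would make the filters consistent with the "restrictive as possible" guidance this series adds to DEVELOP. apache-overflows is left open-ended as well, presumably because the message there is followed by the offending request text; if so, a short comment on that line saying why it has no `$` would save the next reader from "fixing" it.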
@@ -13,8 +19,8 @@
 # (?:::f{4,6}:)?(?P[\w\-.^_]+)
 # Values: TEXT
 #
-failregex = [[]client []] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)
- [[]client []] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat *$
+failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$
+ ^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
diff --git a/config/filter.d/apache-overflows.conf b/config/filter.d/apache-overflows.conf
index e25b79a4..1cf08db7 100644
--- a/config/filter.d/apache-overflows.conf
+++ b/config/filter.d/apache-overflows.conf
@@ -4,13 +4,19 @@
 #
 #
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 # Option: failregex
 # Notes.: Regexp to catch Apache overflow attempts.
 # Values: TEXT
 #
-failregex = [[]client []] (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string)
+failregex = ^%(_apache_error_client)s (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string)
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
diff --git a/testcases/files/logs/apache-auth b/testcases/files/logs/apache-auth
new file mode 100644
index 00000000..cf0f6d30
--- /dev/null
+++ b/testcases/files/logs/apache-auth
@@ -0,0 +1,5 @@
+# Should not match -- DoS vector https://vndh.net/note:fail2ban-089-denial-service
+[Sat Jun 01 02:17:42 2013] [error] [client 192.168.33.1] File does not exist: /srv/http/site/[client 192.168.0.1] user root not found
+
+# should match
+[Sat Jun 01 02:17:42 2013] [error] [client 192.168.0.2] user root not found
diff --git a/testcases/files/logs/apache-noscript b/testcases/files/logs/apache-noscript
new file mode 100644
index 00000000..5d5d35ff
--- /dev/null
+++ b/testcases/files/logs/apache-noscript
@@ -0,0 +1 @@
+[Sun Jun 09 07:57:47 2013] [error] [client 192.0.43.10] script '/usr/lib/cgi-bin/gitweb.cgiwp-login.php' not found or unable to stat
From 728b5e8bf4d268bc09d31d83e9f319746cec10a5 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Tue, 11 Jun 2013 14:57:15 -0400
Subject: [PATCH 24/25] Changes for 0.8.10 release (changelog, version, etc)
---
 ChangeLog | 24 +++++++++++++++---------
 README.md | 8 ++++----
 common/version.py | 2 +-
 man/fail2ban-client.1 | 6 +++---
 man/fail2ban-regex.1 | 8 ++++----
 man/fail2ban-server.1 | 6 +++---
 6 files changed, 30 insertions(+), 24 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index e58bce06..5e592bd7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,17 +4,23 @@
 |_| \__,_|_|_/___|_.__/\__,_|_||_|
 ================================================================================
-Fail2Ban (version 0.8.9.dev) 2013/??/??
+Fail2Ban (version 0.8.10) 2013/06/11
 ================================================================================
-ver. 0.8.10 (2013/XX/XXX) - NOT-YET-RELEASED
+ver. 0.8.10 (2013/06/11) - wanna-be-secure
 -----------
-- Fixes:
- Yaroslav Halchenko
+Primarily bugfix and enhancements release, triggered by "bugs" in
+apache- filters. If you are relying on listed below apache- filters,
+upgrade asap and seek your distributions to patch their fail2ban
+distribution with [6ccd5781].
+
+- Fixes: Yaroslav Halchenko
+ * [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor
+ failregex at the beginning (and where applicable at the end).
+ Addresses a possible DoS. Closes gh-248
 * action.d/{route,shorewall}.conf - blocktype must be defined within [Init].
 Closes gh-232
-- New Features
 - Enhancements
 Yaroslav Halchenko
 * jail.conf -- assure all jails have actions and remove unused
@@ -23,10 +29,10 @@ ver. 0.8.10 (2013/XX/XXX) - NOT-YET-RELEASED
 * config/filter.d/roundcube-auth.conf -- support roundcube 0.9+
 Daniel Black
 * files/suse-initd -- update to the copy from stock SUSE
- silviogarbes
- * Updates to asterisk filter closes gh-227/gh-230.
- Carlos Alberto Lopez Perez
- * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN - gh-244.
+ silviogarbes & Daniel Black
+ * Updates to asterisk filter. Closes gh-227/gh-230.
+ Carlos Alberto Lopez Perez
+ * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh-244.
 ver. 0.8.9 (2013/05/13) - wanna-be-stable
 ----------
diff --git a/README.md b/README.md
index 91deaf19..dc6bf49f 100644
--- a/README.md
+++ b/README.md
@@ -2,9 +2,9 @@
 / _|__ _(_) |_ ) |__ __ _ _ _ | _/ _` | | |/ /| '_ \/ _` | ' \ |_| \__,_|_|_/___|_.__/\__,_|_||_|
- v0.8.9 2013/05/13
+ v0.8.10 2013/06/11
-## Fail2Ban: ban hosts that cause multiple authentication errors
+## Fail2Ban: ban hosts that cause multiple authentication errors
 Fail2Ban scans log files like /var/log/pwdfail and bans IP that makes too many password failures. It updates firewall rules to reject the IP address. These
@@ -30,8 +30,8 @@ Optional:
 To install, just do:
- tar xvfj fail2ban-0.8.9.tar.bz2
- cd fail2ban-0.8.9
+ tar xvfj fail2ban-0.8.10.tar.bz2
+ cd fail2ban-0.8.10
 python setup.py install
 This will install Fail2Ban into /usr/share/fail2ban. The executable scripts are
diff --git a/common/version.py b/common/version.py
index 86c45760..fe99f95e 100644
--- a/common/version.py
+++ b/common/version.py
@@ -24,4 +24,4 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko"
 __license__ = "GPL"
-version = "0.8.9.dev"
+version = "0.8.10"
diff --git a/man/fail2ban-client.1 b/man/fail2ban-client.1
index d7d620bc..a6eb461e 100644
--- a/man/fail2ban-client.1
+++ b/man/fail2ban-client.1
@@ -1,12 +1,12 @@ -.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.40.10. -.TH FAIL2BAN-CLIENT "1" "May 2013" "fail2ban-client v0.8.9" "User Commands" +.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2. +.TH FAIL2BAN-CLIENT "1" "June 2013" "fail2ban-client v0.8.10" "User Commands" .SH NAME fail2ban-client \- configure and control the server .SH SYNOPSIS .B fail2ban-client [\fIOPTIONS\fR] \fI\fR .SH DESCRIPTION -Fail2Ban v0.8.9 reads log file that contains password failure report +Fail2Ban v0.8.10 reads log file that contains password failure report and bans the corresponding IP addresses using firewall rules. .SH OPTIONS .TP diff --git a/man/fail2ban-regex.1 b/man/fail2ban-regex.1 index a42d96d5..379cd761 100644 --- a/man/fail2ban-regex.1 +++ b/man/fail2ban-regex.1 @@ -1,12 +1,12 @@ -.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.40.10. -.TH FAIL2BAN-REGEX "1" "May 2013" "fail2ban-regex v0.8.9" "User Commands" +.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2. +.TH FAIL2BAN-REGEX "1" "June 2013" "fail2ban-regex v0.8.10" "User Commands" .SH NAME fail2ban-regex \- test Fail2ban "failregex" option .SH SYNOPSIS .B fail2ban-regex [\fIOPTIONS\fR] \fI \fR[\fIIGNOREREGEX\fR] .SH DESCRIPTION -Fail2Ban v0.8.9 reads log file that contains password failure report +Fail2Ban v0.8.10 reads log file that contains password failure report and bans the corresponding IP addresses using firewall rules. .PP This tools can test regular expressions for "fail2ban". @@ -26,7 +26,7 @@ verbose output a string representing a log line .TP \fBfilename\fR -path to a log file (/var/log/auth.log) +path to a log file (\fI/var/log/auth.log\fP) .SH REGEX .TP \fBstring\fR diff --git a/man/fail2ban-server.1 b/man/fail2ban-server.1 index 43e9d6d4..3851db91 100644 --- a/man/fail2ban-server.1 +++ b/man/fail2ban-server.1 
@@ -1,12 +1,12 @@ -.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.40.10. -.TH FAIL2BAN-SERVER "1" "May 2013" "fail2ban-server v0.8.9" "User Commands" +.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2. +.TH FAIL2BAN-SERVER "1" "June 2013" "fail2ban-server v0.8.10" "User Commands" .SH NAME fail2ban-server \- start the server .SH SYNOPSIS .B fail2ban-server [\fIOPTIONS\fR] .SH DESCRIPTION -Fail2Ban v0.8.9 reads log file that contains password failure report +Fail2Ban v0.8.10 reads log file that contains password failure report and bans the corresponding IP addresses using firewall rules. .PP Only use this command for debugging purpose. Start the server with From 921d9a8e4b507ca08744056fc798c7864a78e114 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Wed, 12 Jun 2013 13:20:00 -0400 Subject: [PATCH 25/25] DOC: add information on where to report vulnerabilities + pointer to HOWTO_Seek_Help originally following command was used to add header to all config files: sed -ie '/# Author/ i\# Please report vulnerabilities to fail2ban-vulnerabilities at lists dot sourceforge dot net\n# and see http://www.fail2ban.org/wiki/index.php/HOWTO_Seek_Help for generic bug-reports.\n#' action.d/* filter.d/* but it would be overkill ATM causing havoc in user-tuned configs -- postponed for now Also adjusted the release date for today (by mistake in 1 commit ... sorry) --- ChangeLog | 4 ++-- README.md | 9 +++++++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5e592bd7..230ee10d 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -4,10 +4,10 @@
 |_| \__,_|_|_/___|_.__/\__,_|_||_|
 ================================================================================
-Fail2Ban (version 0.8.10) 2013/06/11
+Fail2Ban (version 0.8.10) 2013/06/12
 ================================================================================
-ver. 0.8.10 (2013/06/11) - wanna-be-secure
+ver. 0.8.10 (2013/06/12) - wanna-be-secure
 -----------
 Primarily bugfix and enhancements release, triggered by "bugs" in
diff --git a/README.md b/README.md
index dc6bf49f..05e92fd6 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 / _|__ _(_) |_ ) |__ __ _ _ _ | _/ _` | | |/ /| '_ \/ _` | ' \ |_| \__,_|_|_/___|_.__/\__,_|_||_|
- v0.8.10 2013/06/11
+ v0.8.10 2013/06/12
 ## Fail2Ban: ban hosts that cause multiple authentication errors
@@ -63,9 +63,14 @@ Code status:
 Contact:
 --------
+### You found a severe security vulnerability in Fail2Ban?
+email details to fail2ban-vulnerabilities at lists dot sourceforge dot net .
+
 ### You need some new features, you found bugs?
 visit [Issues](https://github.com/fail2ban/fail2ban/issues)
-and if your issue is not yet known -- file a bug report.
+and if your issue is not yet known -- file a bug report. See
+[Fail2Ban wiki](http://www.fail2ban.org/wiki/index.php/HOWTO_Seek_Help)
+on further instructions.
 ### You would like to troubleshoot or discuss?
 join the [mailing list](https://lists.sourceforge.net/lists/listinfo/fail2ban-users)