github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Release 0.8.10 -- wanna-be-secure, addresses possible DoS with apache- filters 

-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.12 (GNU/Linux)
 
 iEYEABECAAYFAlG4rtUACgkQjRFFY3XAJMhs/wCgsckW7ZfzhhQ2qGK+ZPiovg25
 b9oAn3Yno88518YaISGbPqMhHMfrncU+
 =LQh1
 -----END PGP SIGNATURE-----

Merge tag '0.8.10' into debian

Release 0.8.10 -- wanna-be-secure, addresses possible DoS with apache- filters

* tag '0.8.10': (25 commits)
  DOC: add information on where to report vulnerabilities + pointer to HOWTO_Seek_Help
  Changes for 0.8.10 release (changelog, version, etc)
  BF: anchor apache- filters.  Close #248
  DOC: credits for gh-244
  Filter Asterisk: Add sample log entry to testcase.
  Filter Asterisk: Add AUTH_UNKNOWN_DOMAIN error to list
  ENH: purge a few more .*
  DOC: credits
  DOC: how to do filter enhancements
  TST: normalize logs to use example.com and 1.2.3.4 as IP
  ENH/BF: constrain regex. Fix ACL error regex
  ENH: port optional
  Changelog for previous PR
  DOC: Changelog entry fro preceeding merge from Terence
  TST: Fix fail2ban.conf reader test for unreliable dictionary order
  failregex when roundcube log driver is set to 'syslog'
  fixed failregex line for roundcube 0.9+
  TST: test all stock jails to have actions and correctly specifying blocktype
  CFG: assure actions for all the jails
  BF: blocktype must be defined within [Init] -- adding [Init] section.  Close #232
  ...
pull/808/head
Yaroslav Halchenko 2013-06-12 13:25:15 -04:00
parent 8811f4c5a8 921d9a8e4b
commit 3ed3c3af3d
24 changed files with 279 additions and 137 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
ChangeLog
View File

@ -4,9 +4,36 @@
|_| \__,_|_|_/___|_.__/\__,_|_||_| |_| \__,_|_|_/___|_.__/\__,_|_||_|
================================================================================ ================================================================================
Fail2Ban (version 0.8.9) 2013/05/13 Fail2Ban (version 0.8.10) 2013/06/12
================================================================================ ================================================================================
ver. 0.8.10 (2013/06/12) - wanna-be-secure
-----------
Primarily bugfix and enhancements release, triggered by "bugs" in
apache- filters. If you are relying on listed below apache- filters,
upgrade asap and seek your distributions to patch their fail2ban
distribution with [6ccd5781].
- Fixes: Yaroslav Halchenko
* [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor
failregex at the beginning (and where applicable at the end).
Addresses a possible DoS. Closes gh-248
* action.d/{route,shorewall}.conf - blocktype must be defined
within [Init]. Closes gh-232
- Enhancements
Yaroslav Halchenko
* jail.conf -- assure all jails have actions and remove unused
ports specifications
Terence Namusonge
* config/filter.d/roundcube-auth.conf -- support roundcube 0.9+
Daniel Black
* files/suse-initd -- update to the copy from stock SUSE
silviogarbes & Daniel Black
* Updates to asterisk filter. Closes gh-227/gh-230.
Carlos Alberto Lopez Perez
* Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh-244.
ver. 0.8.9 (2013/05/13) - wanna-be-stable ver. 0.8.9 (2013/05/13) - wanna-be-stable
---------- ----------

16
DEVELOP
View File

@ -34,9 +34,19 @@ When submitting pull requests on GitHub we ask you to:
* Include a change to the relevant section of the ChangeLog; and * Include a change to the relevant section of the ChangeLog; and
* Include yourself in THANKS if not already there. * Include yourself in THANKS if not already there.
Testing Filters
======= =======
* Include sample logs with 1.2.3.4 used for IP addresses and
example.com/example.org used for DNS names
* Ensure ./fail2ban-regex testcases/files/logs/{samplelog} config/filter.d/{filter}.conf
has matches for EVERY regex
* Ensure regexs end with a $ and are restrictive as possible. E.g. not .* if
[0-9]+ is sufficient
Code Testing
============
Existing tests can be run by executing `fail2ban-testcases`. This has options Existing tests can be run by executing `fail2ban-testcases`. This has options
like --log-level that will probably be useful. `fail2ban-testcases --help` for like --log-level that will probably be useful. `fail2ban-testcases --help` for
full options. full options.
@ -338,8 +348,10 @@ Post Release
Add the following to the top of the ChangeLog Add the following to the top of the ChangeLog
ver. 0.8.9 (2013/XX/XXX) - wanna-be-stable ver. 0.8.11 (2013/XX/XXX) - wanna-be-stable
- Fixes - Fixes
- New Features - New Features
- Enhancements - Enhancements
and adjust common/version.py to carry .dev suffix to signal
a version under development.

15
README.md
View File

@ -2,9 +2,9 @@
/ _|__ _(_) |_ ) |__ __ _ _ _ / _|__ _(_) |_ ) |__ __ _ _ _
| _/ _` | | |/ /| '_ \/ _` | ' \ | _/ _` | | |/ /| '_ \/ _` | ' \
|_| \__,_|_|_/___|_.__/\__,_|_||_| |_| \__,_|_|_/___|_.__/\__,_|_||_|
v0.8.9 2013/05/13 v0.8.10 2013/06/12
## Fail2Ban: ban hosts that cause multiple authentication errors ## Fail2Ban: ban hosts that cause multiple authentication errors
Fail2Ban scans log files like /var/log/pwdfail and bans IP that makes too many Fail2Ban scans log files like /var/log/pwdfail and bans IP that makes too many
password failures. It updates firewall rules to reject the IP address. These password failures. It updates firewall rules to reject the IP address. These
@ -30,8 +30,8 @@ Optional:
To install, just do: To install, just do:
tar xvfj fail2ban-0.8.9.tar.bz2 tar xvfj fail2ban-0.8.10.tar.bz2
cd fail2ban-0.8.9 cd fail2ban-0.8.10
python setup.py install python setup.py install
This will install Fail2Ban into /usr/share/fail2ban. The executable scripts are This will install Fail2Ban into /usr/share/fail2ban. The executable scripts are
@ -63,9 +63,14 @@ Code status:
Contact: Contact:
-------- --------
### You found a severe security vulnerability in Fail2Ban?
email details to fail2ban-vulnerabilities at lists dot sourceforge dot net .
### You need some new features, you found bugs? ### You need some new features, you found bugs?
visit [Issues](https://github.com/fail2ban/fail2ban/issues) visit [Issues](https://github.com/fail2ban/fail2ban/issues)
and if your issue is not yet known -- file a bug report. and if your issue is not yet known -- file a bug report. See
[Fail2Ban wiki](http://www.fail2ban.org/wiki/index.php/HOWTO_Seek_Help)
on further instructions.
### You would like to troubleshoot or discuss? ### You would like to troubleshoot or discuss?
join the [mailing list](https://lists.sourceforge.net/lists/listinfo/fail2ban-users) join the [mailing list](https://lists.sourceforge.net/lists/listinfo/fail2ban-users)

2
THANKS
View File

@ -9,6 +9,7 @@ Andrey G. Grozin
Arturo 'Buanzo' Busleiman Arturo 'Buanzo' Busleiman
Axel Thimm Axel Thimm
Bill Heaton Bill Heaton
Carlos Alberto Lopez Perez
Christian Rauch Christian Rauch
Christoph Haas Christoph Haas
Christos Psonis Christos Psonis
@ -39,6 +40,7 @@ René Berber
Robert Edeker Robert Edeker
Russell Odom Russell Odom
Sireyessire Sireyessire
silviogarbes
Stephen Gildea Stephen Gildea
Steven Hiscocks Steven Hiscocks
Tom Pike Tom Pike

2
common/version.py
View File

@ -24,4 +24,4 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko" __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko"
__license__ = "GPL" __license__ = "GPL"
version = "0.8.9" version = "0.8.10"

2
config/action.d/route.conf
View File

@ -18,6 +18,8 @@
actionban = ip route add <blocktype> <ip> actionban = ip route add <blocktype> <ip>
actionunban = ip route del <blocktype> <ip> actionunban = ip route del <blocktype> <ip>
[Init]
# Option: blocktype # Option: blocktype
# Note: Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages. # Note: Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages.
# Values: STRING # Values: STRING

2
config/action.d/shorewall.conf
View File

@ -48,6 +48,8 @@ actionban = shorewall <blocktype> <ip>
# #
actionunban = shorewall allow <ip> actionunban = shorewall allow <ip>
[Init]
# Option: blocktype # Option: blocktype
# Note: This is what the action does with rules. # Note: This is what the action does with rules.
# See man page of shorewall for options that include drop, logdrop, reject, or logreject # See man page of shorewall for options that include drop, logdrop, reject, or logreject

10
config/filter.d/apache-auth.conf
View File

@ -4,6 +4,12 @@
# #
# #
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = apache-common.conf
[Definition] [Definition]
# Option: failregex # Option: failregex
@ -13,9 +19,7 @@
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = [[]client <HOST>[]] user .* authentication failure failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$
[[]client <HOST>[]] user .* not found
[[]client <HOST>[]] user .* password mismatch
# Option: ignoreregex # Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored. # Notes.: regex to ignore. If this regex matches, the line is ignored.

17
config/filter.d/apache-common.conf Normal file
View File

@ -0,0 +1,17 @@
# Generic configuration items (to be used as interpolations) in other
# apache filters
#
# Author: Yaroslav Halchenko
#
#
[INCLUDES]
# Load customizations if any available
after = apache-common.local
[DEFAULT]
# Common prefix for [error] apache messages which also would include <HOST>
_apache_error_client = \[[^]]+\] \[error\] \[client <HOST>\]

8
config/filter.d/apache-nohome.conf
View File

@ -4,6 +4,12 @@
# #
# #
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = apache-common.conf
[Definition] [Definition]
# Option: failregex # Option: failregex
@ -13,7 +19,7 @@
# per-domain log files. # per-domain log files.
# Values: TEXT # Values: TEXT
# #
failregex = [[]client <HOST>[]] File does not exist: .*/~.* failregex = ^%(_apache_error_client)s File does not exist: .*/~.*
# Option: ignoreregex # Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored. # Notes.: regex to ignore. If this regex matches, the line is ignored.

10
config/filter.d/apache-noscript.conf
View File

@ -4,6 +4,12 @@
# #
# #
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = apache-common.conf
[Definition] [Definition]
# Option: failregex # Option: failregex
@ -13,8 +19,8 @@
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl) failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$
[[]client <HOST>[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat *$ ^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$
# Option: ignoreregex # Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored. # Notes.: regex to ignore. If this regex matches, the line is ignored.

8
config/filter.d/apache-overflows.conf
View File

@ -4,13 +4,19 @@
# #
# #
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = apache-common.conf
[Definition] [Definition]
# Option: failregex # Option: failregex
# Notes.: Regexp to catch Apache overflow attempts. # Notes.: Regexp to catch Apache overflow attempts.
# Values: TEXT # Values: TEXT
# #
failregex = [[]client <HOST>[]] (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string) failregex = ^%(_apache_error_client)s (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string)
# Option: ignoreregex # Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored. # Notes.: regex to ignore. If this regex matches, the line is ignored.

25
config/filter.d/asterisk.conf
View File

@ -20,19 +20,24 @@ before = common.conf
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT # Values: TEXT
# #
failregex = NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - Wrong password$ failregex = NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Wrong password$
NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - No matching peer found$ NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - No matching peer found$
NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch$ NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Username/auth name mismatch$
NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL$ NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Device does not match ACL$
NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register$ NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Peer is not supposed to register$
NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - ACL error (permit/deny)$ NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - ACL error \(permit/deny\)$
NOTICE%(__pid_re)s <HOST> failed to authenticate as '.*'$ NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Not a local domain$
NOTICE%(__pid_re)s .*: No registration for peer '.*' \(from <HOST>\)$ NOTICE%(__pid_re)s\[[^:]+\] [^:]+: Call from '[^']*' \(<HOST>:[0-9]+\) to extension '[0-9]+' rejected because extension not found in context 'default'.$
NOTICE%(__pid_re)s .*: Host <HOST> failed MD5 authentication for '.*' (.*)$ NOTICE%(__pid_re)s [^:]+: Host <HOST> failed to authenticate as '[^']*'$
NOTICE%(__pid_re)s .*: Failed to authenticate user .*@<HOST>.*$ NOTICE%(__pid_re)s [^:]+: No registration for peer '[^']*' \(from <HOST>\)$
NOTICE%(__pid_re)s [^:]+: Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
NOTICE%(__pid_re)s [^:]+: Failed to authenticate user [^@]+@<HOST>\S*$
SECURITY%(__pid_re)s [^:]+: SecurityEvent="InvalidAccountID",EventTV="[0-9-]+",Severity="[a-zA-Z]+",Service="[a-zA-Z]+",EventVersion="[0-9]+",AccountID="[0-9]+",SessionID="0x[0-9a-f]+",LocalAddress="IPV[46]/(UD|TC)P/[0-9a-fA-F:.]+/[0-9]+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/[0-9]+"$
# Option: ignoreregex # Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored. # Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT # Values: TEXT
# #
ignoreregex = ignoreregex =

4
config/filter.d/roundcube-auth.conf
View File

@ -1,6 +1,6 @@
# Fail2Ban configuration file for roundcube web server # Fail2Ban configuration file for roundcube web server
# #
# Author: Teodor Micu & Yaroslav Halchenko # Author: Teodor Micu & Yaroslav Halchenko & terence namusonge
# #
# #
@ -13,7 +13,7 @@
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = FAILED login for .*. from <HOST>\s*$ failregex = (FAILED login|Login failed) for .* from <HOST>\s*$
# Option: ignoreregex # Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored. # Notes.: regex to ignore. If this regex matches, the line is ignored.

8
config/jail.conf
View File

@ -239,10 +239,8 @@ logpath = /var/log/roundcube/userlogins
enabled = false enabled = false
filter = sogo-auth filter = sogo-auth
port = http, https
# without proxy this would be: # without proxy this would be:
# port = 20000 # port = 20000
action = iptables[name=SOGo, port="http,https"] action = iptables[name=SOGo, port="http,https"]
logpath = /var/log/sogo/sogo.log logpath = /var/log/sogo/sogo.log
@ -253,7 +251,7 @@ logpath = /var/log/sogo/sogo.log
[php-url-fopen] [php-url-fopen]
enabled = false enabled = false
port = http,https action = iptables[name=php-url-open, port="http,https"]
filter = php-url-fopen filter = php-url-fopen
logpath = /var/www/*/logs/access_log logpath = /var/www/*/logs/access_log
maxretry = 1 maxretry = 1
@ -268,8 +266,8 @@ maxretry = 1
[lighttpd-fastcgi] [lighttpd-fastcgi]
enabled = false enabled = false
port = http,https
filter = lighttpd-fastcgi filter = lighttpd-fastcgi
action = iptables[name=lighttpd-fastcgi, port="http,https"]
# adapt the following two items as needed # adapt the following two items as needed
logpath = /var/log/lighttpd/error.log logpath = /var/log/lighttpd/error.log
maxretry = 2 maxretry = 2
@ -280,8 +278,8 @@ maxretry = 2
[lighttpd-auth] [lighttpd-auth]
enabled = false enabled = false
port = http,https
filter = lighttpd-auth filter = lighttpd-auth
action = iptables[name=lighttpd-auth, port="http,https"]
# adapt the following two items as needed # adapt the following two items as needed
logpath = /var/log/lighttpd/error.log logpath = /var/log/lighttpd/error.log
maxretry = 2 maxretry = 2

181
files/suse-initd Executable file → Normal file
View File

@ -1,103 +1,114 @@
#!/bin/sh #!/bin/sh
# #
# /etc/init.d/fail2ban
# and its symbolic link
# /usr/sbin/rcfail2ban
#
### BEGIN INIT INFO ### BEGIN INIT INFO
# Provides: fail2ban # Provides: fail2ban
# Required-Start: $syslog $remote_fs sendmail # Required-Start: $remote_fs $local_fs
# Required-Stop: $syslog $remote_fs # Should-Start: $syslog $time $network iptables
# Should-Stop: $time ypbind sendmail # Required-Stop: $remote_fs $local_fs
# Should-Stop: $syslog $time $network iptables
# Default-Start: 3 5 # Default-Start: 3 5
# Default-Stop: 0 1 2 6 # Default-Stop: 0 1 2 6
# Description: startup Fail2Ban # Pidfile: /var/run/fail2ban/fail2ban.pid
# Short-Description: Bans IPs with too many authentication failures
# Description: Start fail2ban to scan logfiles and ban IP addresses
# which make too many logfiles failures, and/or sent e-mails about
### END INIT INFO ### END INIT INFO
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/sbin:/usr/bin:/bin
FAIL2BAN_BIN=/usr/local/bin/fail2ban-client
FAIL2BAN_SERVER=/usr/local/bin/fail2ban-server
FAIL2BAN_SOCKET=/var/run/fail2ban/fail2ban.sock
test -x $FAIL2BAN_BIN || { echo "$FAIL2BAN_BIN not installed";
if [ "$1" = "stop" ]; then exit 0;
else exit 5; fi; }
# Check for existence of needed config file and read it # Check for missing binaries (stale symlinks should not happen)
FAIL2BAN_CONFIG=/etc/fail2ban/fail2ban.conf FAIL2BAN_CLI=/usr/bin/fail2ban-client
test -r $FAIL2BAN_CONFIG || { echo "$FAIL2BAN_CONFIG not existing"; test -x $FAIL2BAN_CLI || { echo "$FAIL2BAN_CLI not installed";
if [ "$1" = "stop" ]; then exit 0; if [ "$1" = "stop" ]; then exit 0;
else exit 6; fi; } else exit 5; fi; }
FAIL2BAN_SRV=/usr/bin/fail2ban-server
test -x $FAIL2BAN_SRV || { echo "$FAIL2BAN_SRV not installed";
if [ "$1" = "stop" ]; then exit 0;
else exit 5; fi; }
FAIL2BAN_CONFIG="/etc/sysconfig/fail2ban"
FAIL2BAN_SOCKET_DIR="/var/run/fail2ban"
FAIL2BAN_SOCKET="$FAIL2BAN_SOCKET_DIR/fail2ban.sock"
FAIL2BAN_PID="$FAIL2BAN_SOCKET_DIR/fail2ban.pid"
if [ -e $FAIL2BAN_CONFIG ]; then
. $FAIL2BAN_CONFIG
fi
. /etc/rc.status . /etc/rc.status
# Reset status of this service
rc_reset rc_reset
case "$1" in case "$1" in
start) start)
echo -n "Starting Fail2Ban " echo -n "Starting fail2ban "
# a cleanup workaround, since /etc/init.d/boot.local removes only.
# regular files, and not sockets
if test -e $FAIL2BAN_SOCKET; then
if ! lsof -n $FAIL2BAN_SOCKET &>/dev/null; then
rm $FAIL2BAN_SOCKET
fi
fi
/sbin/startproc $FAIL2BAN_BIN start &>/dev/null
rc_status -v
;;
stop)
echo -n "Shutting down Fail2ban "
/sbin/startproc $FAIL2BAN_BIN -q stop
rc_status -v
;;
try-restart|condrestart)
if test "$1" = "condrestart"; then
echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
fi
$0 status
if test $? = 0; then
$0 restart
else
rc_reset # Not running is not a failure.
fi
rc_status
;;
restart)
$0 stop
echo -n "-wait a minute "
i=60
while [ -e $FAIL2BAN_SOCKET ] && [ $i -gt 0 ]; do
sleep 1
i=$[$i-1]
echo -n "."
done
echo "."
$0 start
# Remember status and be quiet if [ ! -d $FAIL2BAN_SOCKET_DIR ]; then
rc_status mkdir -p $FAIL2BAN_SOCKET_DIR
;; fi
force-reload)
echo -n "Reload service Fail2ban " if [ -e $FAIL2BAN_SOCKET ]; then
/sbin/startproc $FAIL2BAN_BIN -q reload if ! lsof -n $FAIL2BAN_SOCKET &>/dev/null; then
rc_status -v rm $FAIL2BAN_SOCKET
;; fi
reload) fi
echo -n "Reload service Fail2ban " $FAIL2BAN_CLI -x -q $FAIL2BAN_OPTIONS start &>/dev/null 2>&1
/sbin/startproc $FAIL2BAN_BIN -q reload
rc_status -v rc_status -v
;; ;;
stop)
echo -n "Shutting down fail2ban "
## Stop daemon with built-in functionality 'stop'
/sbin/startproc -w $FAIL2BAN_CLI -q stop > /dev/null 2>&1
if [ -f $FAIL2BAN_SOCKET ]
then
echo "$FAIL2BAN_SOCKET not removed .. removing .."
rm $FAIL2BAN_SOCKET
fi
if [ -f $FAIL2BAN_PID ]
then
echo "$FAIL2BAN_PID not removed .. removing .."
rm $FAIL2BAN_PID
fi
rc_status -v
;;
try-restart|condrestart)
$0 status
if test $? = 0; then
$0 restart
else
rc_reset # Not running is not a failure.
fi
rc_status
;;
restart)
$0 stop
i=60
while [ -e $FAIL2BAN_SOCKET ] && [ $i -gt 0 ]; do
sleep 1
i=$[$i-1]
echo -n "."
done
$0 start
rc_status
;;
reload|force-reload)
echo -n "Reload service Fail2ban "
/sbin/startproc $FAIL2BAN_CLI -q reload > /dev/null 2>&1
rc_status -v
;;
status) status)
echo -n "Checking for service Fail2ban " echo -n "Checking for service fail2ban "
/sbin/checkproc $FAIL2BAN_SERVER /sbin/checkproc $FAIL2BAN_SRV
rc_status -v
;; rc_status -v
probe) ;;
test /etc/fail2ban/fail2ban.conf -nt /var/run/fail2ban.pid && echo reload
;;
*) *)
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}" echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
exit 1 exit 1
;; ;;
esac esac
rc_exit rc_exit

6
man/fail2ban-client.1
View File

@ -1,12 +1,12 @@
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.40.10. .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2.
.TH FAIL2BAN-CLIENT "1" "May 2013" "fail2ban-client v0.8.9" "User Commands" .TH FAIL2BAN-CLIENT "1" "June 2013" "fail2ban-client v0.8.10" "User Commands"
.SH NAME .SH NAME
fail2ban-client \- configure and control the server fail2ban-client \- configure and control the server
.SH SYNOPSIS .SH SYNOPSIS
.B fail2ban-client .B fail2ban-client
[\fIOPTIONS\fR] \fI<COMMAND>\fR [\fIOPTIONS\fR] \fI<COMMAND>\fR
.SH DESCRIPTION .SH DESCRIPTION
Fail2Ban v0.8.9 reads log file that contains password failure report Fail2Ban v0.8.10 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules. and bans the corresponding IP addresses using firewall rules.
.SH OPTIONS .SH OPTIONS
.TP .TP

8
man/fail2ban-regex.1
View File

@ -1,12 +1,12 @@
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.40.10. .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2.
.TH FAIL2BAN-REGEX "1" "May 2013" "fail2ban-regex v0.8.9" "User Commands" .TH FAIL2BAN-REGEX "1" "June 2013" "fail2ban-regex v0.8.10" "User Commands"
.SH NAME .SH NAME
fail2ban-regex \- test Fail2ban "failregex" option fail2ban-regex \- test Fail2ban "failregex" option
.SH SYNOPSIS .SH SYNOPSIS
.B fail2ban-regex .B fail2ban-regex
[\fIOPTIONS\fR] \fI<LOG> <REGEX> \fR[\fIIGNOREREGEX\fR] [\fIOPTIONS\fR] \fI<LOG> <REGEX> \fR[\fIIGNOREREGEX\fR]
.SH DESCRIPTION .SH DESCRIPTION
Fail2Ban v0.8.9 reads log file that contains password failure report Fail2Ban v0.8.10 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules. and bans the corresponding IP addresses using firewall rules.
.PP .PP
This tools can test regular expressions for "fail2ban". This tools can test regular expressions for "fail2ban".
@ -26,7 +26,7 @@ verbose output
a string representing a log line a string representing a log line
.TP .TP
\fBfilename\fR \fBfilename\fR
path to a log file (/var/log/auth.log) path to a log file (\fI/var/log/auth.log\fP)
.SH REGEX .SH REGEX
.TP .TP
\fBstring\fR \fBstring\fR

6
man/fail2ban-server.1
View File

@ -1,12 +1,12 @@
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.40.10. .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2.
.TH FAIL2BAN-SERVER "1" "May 2013" "fail2ban-server v0.8.9" "User Commands" .TH FAIL2BAN-SERVER "1" "June 2013" "fail2ban-server v0.8.10" "User Commands"
.SH NAME .SH NAME
fail2ban-server \- start the server fail2ban-server \- start the server
.SH SYNOPSIS .SH SYNOPSIS
.B fail2ban-server .B fail2ban-server
[\fIOPTIONS\fR] [\fIOPTIONS\fR]
.SH DESCRIPTION .SH DESCRIPTION
Fail2Ban v0.8.9 reads log file that contains password failure report Fail2Ban v0.8.10 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules. and bans the corresponding IP addresses using firewall rules.
.PP .PP
Only use this command for debugging purpose. Start the server with Only use this command for debugging purpose. Start the server with

34
testcases/clientreadertestcase.py
View File

@ -144,10 +144,38 @@ class JailsReaderTest(unittest.TestCase):
# and warn on useDNS # and warn on useDNS
self.assertTrue(['set', j, 'usedns', 'warn'] in comm_commands) self.assertTrue(['set', j, 'usedns', 'warn'] in comm_commands)
self.assertTrue(['start', j] in comm_commands) self.assertTrue(['start', j] in comm_commands)
# last commands should be the 'start' commands # last commands should be the 'start' commands
self.assertEqual(comm_commands[-1][0], 'start') self.assertEqual(comm_commands[-1][0], 'start')
# TODO: make sure that all of the jails have actions assigned,
# otherwise it makes little to no sense for j in jails._JailsReader__jails:
actions = j._JailReader__actions
jail_name = j.getName()
# make sure that all of the jails have actions assigned,
# otherwise it makes little to no sense
self.assertTrue(len(actions),
msg="No actions found for jail %s" % jail_name)
# Test for presence of blocktype (in relation to gh-232)
for action in actions:
commands = action.convert()
file_ = action.getFile()
if '<blocktype>' in str(commands):
# Verify that it is among cInfo
self.assertTrue('blocktype' in action._ActionReader__cInfo)
# Verify that we have a call to set it up
blocktype_present = False
target_command = [ 'set', jail_name, 'setcinfo', file_, 'blocktype' ]
for command in commands:
if (len(command) > 5 and
command[:5] == target_command):
blocktype_present = True
continue
self.assertTrue(
blocktype_present,
msg="Found no %s command among %s"
% (target_command, str(commands)) )
def testConfigurator(self): def testConfigurator(self):
configurator = Configurator() configurator = Configurator()
@ -165,7 +193,7 @@ class JailsReaderTest(unittest.TestCase):
commands = configurator.getConfigStream() commands = configurator.getConfigStream()
# and there is logging information left to be passed into the # and there is logging information left to be passed into the
# server # server
self.assertEqual(commands, self.assertEqual(sorted(commands),
[['set', 'loglevel', 3], [['set', 'loglevel', 3],
['set', 'logtarget', '/var/log/fail2ban.log']]) ['set', 'logtarget', '/var/log/fail2ban.log']])

5
testcases/files/logs/apache-auth Normal file
View File

@ -0,0 +1,5 @@
# Should not match -- DoS vector https://vndh.net/note:fail2ban-089-denial-service
[Sat Jun 01 02:17:42 2013] [error] [client 192.168.33.1] File does not exist: /srv/http/site/[client 192.168.0.1] user root not found
# should match
[Sat Jun 01 02:17:42 2013] [error] [client 192.168.0.2] user root not found

1
testcases/files/logs/apache-noscript Normal file
View File

@ -0,0 +1 @@
[Sun Jun 09 07:57:47 2013] [error] [client 192.0.43.10] script '/usr/lib/cgi-bin/gitweb.cgiwp-login.php' not found or unable to stat

16
testcases/files/logs/asterisk
View File

@ -1,11 +1,15 @@
# Sample log files for asterisk # Sample log files for asterisk
[2012-02-13 17:21:54] NOTICE[1638] chan_sip.c: Registration from '<sip:301@asclepios.eyepea.be>' failed for '1.2.3.4' - Wrong password [2012-02-13 17:21:54] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - Wrong password
[2012-02-13 17:18:22] NOTICE[1638] chan_sip.c: Registration from '<sip:301@asclepios.eyepea.be>' failed for '1.2.3.4' - No matching peer found [2012-02-13 17:18:22] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - No matching peer found
[2012-02-13 17:21:21] NOTICE[1638] chan_sip.c: Registration from '<sip:301@asclepios.eyepea.be>' failed for '1.2.3.4' - Username/auth name mismatch [2012-02-13 17:21:21] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - Username/auth name mismatch
[2012-02-13 17:32:01] NOTICE[1638] chan_sip.c: Registration from '<sip:301@asclepios.eyepea.be>' failed for '1.2.3.4' - Device does not match ACL [2012-02-13 17:32:01] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - Device does not match ACL
[2012-02-13 17:34:10] NOTICE[1638] chan_sip.c: Registration from '<sip:301@asclepios.eyepea.be>' failed for '1.2.3.4' - Peer is not supposed to register [2012-02-13 17:34:10] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - Peer is not supposed to register
[2012-02-13 17:36:23] NOTICE[1638] chan_sip.c: Registration from '<sip:301@asclepios.eyepea.be>' failed for '1.2.3.4' - ACL error (permit/deny) [2012-02-13 17:36:23] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - ACL error (permit/deny)
[2012-02-13 17:53:59] NOTICE[1638] chan_iax2.c: Host 1.2.3.4 failed to authenticate as 'Fail2ban' [2012-02-13 17:53:59] NOTICE[1638] chan_iax2.c: Host 1.2.3.4 failed to authenticate as 'Fail2ban'
[2012-02-13 17:39:20] NOTICE[1638] chan_iax2.c: No registration for peer 'Fail2ban' (from 1.2.3.4) [2012-02-13 17:39:20] NOTICE[1638] chan_iax2.c: No registration for peer 'Fail2ban' (from 1.2.3.4)
[2012-02-13 17:44:26] NOTICE[1638] chan_iax2.c: Host 1.2.3.4 failed MD5 authentication for 'Fail2ban' (e7df7cd2ca07f4f1ab415d457a6e1c13 != 53ac4bc41ee4ec77888ed4aa50677247) [2012-02-13 17:44:26] NOTICE[1638] chan_iax2.c: Host 1.2.3.4 failed MD5 authentication for 'Fail2ban' (e7df7cd2ca07f4f1ab415d457a6e1c13 != 53ac4bc41ee4ec77888ed4aa50677247)
[2012-02-13 17:37:07] NOTICE[1638] chan_sip.c: Failed to authenticate user "Fail2ban" <sip:301@1.2.3.4>;tag=1r698745234 [2012-02-13 17:37:07] NOTICE[1638] chan_sip.c: Failed to authenticate user "Fail2ban" <sip:301@1.2.3.4>;tag=1r698745234
[2013-02-05 23:44:42] NOTICE[436][C-00000fa9] chan_sip.c: Call from '' (1.2.3.4:10836) to extension '0972598285108' rejected because extension not found in context 'default'.
[2013-03-26 15:47:54] NOTICE[1237] chan_sip.c: Registration from '"100"sip:100@1.2.3.4' failed for '1.2.3.4:23930' - No matching peer found
[2013-05-13 07:10:53] SECURITY[1204] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1368439853-500975",Severity="Error",Service="SIP",EventVersion="1",AccountID="00972599580679",SessionID="0x7f8ecc0421f8",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/1.2.3.4/5070"
[2013-06-10 18:15:03] NOTICE[2723] chan_sip.c: Registration from '"100"<sip:100@192.168.0.2:5060>' failed for '1.2.3.4' - Not a local domain

1
testcases/files/logs/roundcube-auth
View File

@ -1 +1,2 @@
[22-Jan-2013 22:28:21 +0200]: FAILED login for user1 from 192.0.43.10 [22-Jan-2013 22:28:21 +0200]: FAILED login for user1 from 192.0.43.10
May 26 07:12:40 hamster roundcube: IMAP Error: Login failed for sales@example.com from 10.1.1.47