From a8f4d3a8b458355264db76570ad0546def09465f Mon Sep 17 00:00:00 2001 From: Cyril Jaquier Date: Tue, 22 Jul 2008 22:23:52 +0000 Subject: [PATCH 01/13] - Changed to SVN version. git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@705 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- ChangeLog | 5 ++++- README | 6 +++--- common/version.py | 2 +- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index c54efc49..a80e610a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,9 +4,12 @@ |_| \__,_|_|_/___|_.__/\__,_|_||_| ============================================================= -Fail2Ban (version 0.8.3) 2008/07/17 +Fail2Ban (version 0.8.4) 2008/??/?? ============================================================= +ver. 0.8.4 (2008/??/??) - stable +---------- + ver. 0.8.3 (2008/07/17) - stable ---------- - Process failtickets as long as failmanager is not empty. diff --git a/README b/README index d413aca7..43363ea8 100644 --- a/README +++ b/README @@ -4,7 +4,7 @@ |_| \__,_|_|_/___|_.__/\__,_|_||_| ============================================================= -Fail2Ban (version 0.8.3) 2008/07/17 +Fail2Ban (version 0.8.4) 2008/??/?? ============================================================= Fail2Ban scans log files like /var/log/pwdfail and bans IP @@ -28,8 +28,8 @@ Optional: To install, just do: -> tar xvfj fail2ban-0.8.3.tar.bz2 -> cd fail2ban-0.8.3 +> tar xvfj fail2ban-0.8.4.tar.bz2 +> cd fail2ban-0.8.4 > python setup.py install This will install Fail2Ban into /usr/share/fail2ban. The diff --git a/common/version.py b/common/version.py index 8da11b94..a2bb1b41 100644 --- a/common/version.py +++ b/common/version.py @@ -24,4 +24,4 @@ __date__ = "$Date$" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" -version = "0.8.3" +version = "0.8.3-SVN" From 155c4652a42b980003c2bbf23a466099d56c8d05 Mon Sep 17 00:00:00 2001 
From: Cyril Jaquier Date: Tue, 22 Jul 2008 22:29:57 +0000 Subject: [PATCH 02/13] - Merged patches from Debian package. Thanks to Yaroslav Halchenko. git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@706 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- ChangeLog | 2 ++ config/filter.d/sshd.conf | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index a80e610a..c748972e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,8 @@ Fail2Ban (version 0.8.4) 2008/??/?? ver. 0.8.4 (2008/??/??) - stable ---------- +- Merged patches from Debian package. Thanks to Yaroslav + Halchenko. ver. 0.8.3 (2008/07/17) - stable ---------- diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf index 9a7c851a..642f2bf7 100644 --- a/config/filter.d/sshd.conf +++ b/config/filter.d/sshd.conf @@ -24,7 +24,8 @@ _daemon = sshd # Values: TEXT # failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from \s*$ - ^%(__prefix_line)sFailed [-/\w]+ for .* from (?: port \d*)?(?: ssh\d*)?$ + ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from \s*$ + ^%(__prefix_line)sFailed (?:password|publickey) for .* from (?: port \d*)?(?: ssh\d*)?$ ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$ ^%(__prefix_line)sUser \S+ from not allowed because not listed in AllowUsers$ From 3615c8ec8194d9f44bfcd78fcfe881c521abe61d Mon Sep 17 00:00:00 2001 From: Cyril Jaquier Date: Tue, 12 Aug 2008 19:20:02 +0000 Subject: [PATCH 03/13] - Improved pattern. Thanks to Yaroslav Halchenko. git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@707 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- config/filter.d/apache-noscript.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/config/filter.d/apache-noscript.conf b/config/filter.d/apache-noscript.conf index 636dcd53..25dd62d3 100644 
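Review bot: The rewritten `Failed ... for` line in the sshd.conf hunk narrows the method alternation from `[-/\w]+` to `(?:password|publickey)`, so a failure logged with any other method name (sshd also emits forms such as `keyboard-interactive/pam`, which the old character class covered) no longer counts toward a ban. If the narrowing is deliberate, a comment above the line naming the excluded methods and the reason would stop the next reader from treating it as a regression; otherwise restoring `[-/\w]+` in place of `(?:password|publickey)` keeps the previous coverage. The added `User not known to the underlying authentication module` line is fine as written.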
--- a/config/filter.d/apache-noscript.conf +++ b/config/filter.d/apache-noscript.conf @@ -14,7 +14,8 @@ # (?:::f{4,6}:)?(?P\S+) # Values: TEXT # -failregex = [[]client []] (File does not exist|script not found or unable to stat): .*(\.php|\.asp|\.exe|\.pl) +failregex = [[]client []] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl) + [[]client []] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat *$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. From b26f9ca97ade568ceeac01e01fc39127525a4bdf Mon Sep 17 00:00:00 2001 From: Cyril Jaquier Date: Tue, 12 Aug 2008 20:51:55 +0000 Subject: [PATCH 04/13] - Use current day and month instead of Jan 1st if both are not available in the log. Thanks to Andreas Itzchak Rehberg. git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@708 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- ChangeLog | 2 ++ server/datetemplate.py | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/ChangeLog b/ChangeLog index c748972e..87b0e658 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,8 @@ ver. 0.8.4 (2008/??/??) - stable ---------- - Merged patches from Debian package. Thanks to Yaroslav Halchenko. +- Use current day and month instead of Jan 1st if both are + not available in the log. Thanks to Andreas Itzchak Rehberg ver. 0.8.3 (2008/07/17) - stable ---------- diff --git a/server/datetemplate.py b/server/datetemplate.py index 806e2823..f7f19f0d 100644 --- a/server/datetemplate.py +++ b/server/datetemplate.py @@ -146,6 +146,11 @@ class DateStrptime(DateTemplate): # that the log is not from this year but from the year before if time.mktime(date) > MyTime.time(): date[0] -= 1 + elif date[1] == 1 and date[2] == 1: + # If it is Jan 1st, it is either really Jan 1st or there + # is neither month nor day in the log. + date[1] = MyTime.gmtime()[1] + date[2] = MyTime.gmtime()[2] return date 
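Review bot: The new `elif` branch in datetemplate.py fills the missing month and day from `MyTime.gmtime()`, while the year check two lines above uses `time.mktime(date)`, which interprets `date` in local time; around midnight the UTC day can differ from the local day the log was written in, so a just-logged failure can receive the neighbouring day's date. If the log timestamps are local time (not visible from the hunk) and MyTime exposes a localtime counterpart, that would be the consistent source; otherwise document the choice, `# NOTE: day/month are filled in UTC; local-time logs can be off by one day near midnight`. Calling `MyTime.gmtime()` twice can also straddle midnight; bind it once, `now = MyTime.gmtime()`, `date[1] = now[1]`, `date[2] = now[2]`. The enclosing DateStrptime method continues outside the hunk.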
From e064ebba456f985989fc0b4b71f2b982bcc1c15f Mon Sep 17 00:00:00 2001 From: Cyril Jaquier Date: Tue, 12 Aug 2008 20:59:17 +0000 Subject: [PATCH 05/13] - Added date pattern for Hour:Minute:Second. Thanks to Andreas Itzchak Rehberg. git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@709 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- server/datedetector.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/server/datedetector.py b/server/datedetector.py index 794b385a..580c99e8 100644 --- a/server/datedetector.py +++ b/server/datedetector.py @@ -101,6 +101,12 @@ class DateDetector: template = DateISO8601() template.setName("ISO 8601") self.__templates.append(template) + # Only time information in the log + template = DateStrptime() + template.setName("Hour:Minute:Second") + template.setRegex("^\d{2}:\d{2}:\d{2}") + template.setPattern("%H:%M:%S") + self.__templates.append(template) finally: self.__lock.release() From 9e2a4a935aa27e9204de8c94e1af83b8c016cee8 Mon Sep 17 00:00:00 2001 From: Cyril Jaquier Date: Tue, 12 Aug 2008 21:42:21 +0000 Subject: [PATCH 06/13] - Added date template for Day-Month-Year Hour:Minute:Second. - Values as string are shown in capital in the description. git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@710 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- server/datedetector.py | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/server/datedetector.py b/server/datedetector.py index 580c99e8..0f18cf98 100644 --- a/server/datedetector.py +++ b/server/datedetector.py 
@@ -43,19 +43,19 @@ class DateDetector: try: # standard template = DateStrptime() - template.setName("Month Day Hour:Minute:Second") + template.setName("MONTH Day Hour:Minute:Second") template.setRegex("^\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}") template.setPattern("%b %d %H:%M:%S") self.__templates.append(template) # asctime template = DateStrptime() - template.setName("Weekday Month Day Hour:Minute:Second Year") + template.setName("WEEKDAY MONTH Day Hour:Minute:Second Year") template.setRegex("\S{3} \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4}") template.setPattern("%a %b %d %H:%M:%S %Y") self.__templates.append(template) # asctime without year template = DateStrptime() - template.setName("Weekday Month Day Hour:Minute:Second") + template.setName("WEEKDAY MONTH Day Hour:Minute:Second") template.setRegex("\S{3} \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}") template.setPattern("%a %b %d %H:%M:%S") self.__templates.append(template) @@ -73,7 +73,7 @@ class DateDetector: self.__templates.append(template) # Apache format [31/Oct/2006:09:22:55 -0000] template = DateStrptime() - template.setName("Day/Month/Year:Hour:Minute:Second") + template.setName("Day/MONTH/Year:Hour:Minute:Second") template.setRegex("\d{2}/\S{3}/\d{4}:\d{2}:\d{2}:\d{2}") template.setPattern("%d/%b/%Y:%H:%M:%S") self.__templates.append(template) 
@@ -85,10 +85,16 @@ class DateDetector: self.__templates.append(template) # named 26-Jul-2007 15:20:52.252 template = DateStrptime() - template.setName("Day-Month-Year Hour:Minute:Second[.Millisecond]") + template.setName("Day-MONTH-Year Hour:Minute:Second[.Millisecond]") template.setRegex("\d{2}-\S{3}-\d{4} \d{2}:\d{2}:\d{2}") template.setPattern("%d-%b-%Y %H:%M:%S") self.__templates.append(template) + # 17-07-2008 17:23:25 + template = DateStrptime() + template.setName("Day-Month-Year Hour:Minute:Second") + template.setRegex("\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}") + template.setPattern("%d-%m-%Y %H:%M:%S") + self.__templates.append(template) # TAI64N template = DateTai64n() template.setName("TAI64N") From 8db3e1f74a7fa69dffc6e380f99c64dbc99cc8dd Mon Sep 17 00:00:00 2001 From: Cyril Jaquier Date: Tue, 12 Aug 2008 22:05:13 +0000 Subject: [PATCH 07/13] - Removed "timeregex" and "timepattern" stuff that is not needed anymore. git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@711 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- client/filterreader.py | 10 ++-------- common/protocol.py | 2 -- 2 files changed, 2 insertions(+), 10 deletions(-) diff --git a/client/filterreader.py b/client/filterreader.py index 4bb36fda..4e546da2 100644 --- a/client/filterreader.py +++ b/client/filterreader.py 
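Review bot: The new `%d-%m-%Y` template accepts any `\d{2}-\d{2}-\d{4}` string, so a log written month-first (e.g. a constructed `08-12-2008`) is silently parsed with day and month swapped whenever the first field is 12 or less, and strptime rejects only the remaining cases. Since the field order is a convention the regex cannot verify, state it in the comment: `# 17-07-2008 17:23:25 (assumed day-month-year; a month-first log is misread for days 1-12)`. As a point of style, this and the neighbouring hunks write `\d` inside non-raw string literals; `r"\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}"` keeps the escapes unambiguous. The enclosing DateDetector method continues outside the hunk.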
@@ -53,20 +53,14 @@ class FilterReader(ConfigReader): return ConfigReader.read(self, "filter.d/" + self.__file) def getOptions(self, pOpts): - opts = [["string", "timeregex", None], - ["string", "timepattern", None], - ["string", "ignoreregex", ""], + opts = [["string", "ignoreregex", ""], ["string", "failregex", ""]] self.__opts = ConfigReader.getOptions(self, "Definition", opts, pOpts) def convert(self): stream = list() for opt in self.__opts: - if opt == "timeregex": - stream.append(["set", self.__name, "timeregex", self.__opts[opt]]) - elif opt == "timepattern": - stream.append(["set", self.__name, "timepattern", self.__opts[opt]]) - elif opt == "failregex": + if opt == "failregex": for regex in self.__opts[opt].split('\n'): # Do not send a command if the rule is empty. if regex != '': diff --git a/common/protocol.py b/common/protocol.py index fa9f8b54..d0fbae73 100644 --- a/common/protocol.py +++ b/common/protocol.py @@ -72,8 +72,6 @@ protocol = [ ['', "JAIL INFORMATION", ""], ["get logpath", "gets the list of the monitored files for "], ["get ignoreip", "gets the list of ignored IP addresses for "], -["get timeregex", "gets the regular expression used for the time detection for "], -["get timepattern", "gets the pattern used for the time detection for "], ["get failregex", "gets the list of regular expressions which matches the failures for "], ["get ignoreregex", "gets the list of regular expressions which matches patterns to ignore for "], ["get findtime", "gets the time for which the filter will look back for failures for "], From 6ee4843d111b273f3a0bb0fd7e37a973230b7be6 Mon Sep 17 00:00:00 2001 
From: Cyril Jaquier Date: Tue, 12 Aug 2008 22:40:07 +0000 Subject: [PATCH 08/13] - Try to match the regex even if the line does not contain a valid date/time. Described in Debian #491253. Thanks to Yaroslav Halchenko. git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@712 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- ChangeLog | 6 +++++- server/filter.py | 19 ++++++++++--------- 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index 87b0e658..f3e13719 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,7 +12,11 @@ ver. 0.8.4 (2008/??/??) - stable - Merged patches from Debian package. Thanks to Yaroslav Halchenko. - Use current day and month instead of Jan 1st if both are - not available in the log. Thanks to Andreas Itzchak Rehberg + not available in the log. Thanks to Andreas Itzchak + Rehberg. +- Try to match the regex even if the line does not contain a + valid date/time. Described in Debian #491253. Thanks to + Yaroslav Halchenko. ver. 0.8.3 (2008/07/17) - stable ---------- diff --git a/server/filter.py b/server/filter.py index f9901150..bf5d34f8 100644 --- a/server/filter.py +++ b/server/filter.py 
@@ -241,15 +241,16 @@ class Filter(JailThread):
 except UnicodeDecodeError:
 l = line
 timeMatch = self.dateDetector.matchTime(l)
- if not timeMatch:
- # There is no valid time in this line
- return []
- # Lets split into time part and log part of the line
- timeLine = timeMatch.group()
- # Lets leave the beginning in as well, so if there is no
- # anchore at the beginning of the time regexp, we don't
- # at least allow injection. Should be harmless otherwise
- logLine = l[:timeMatch.start()] + l[timeMatch.end():]
+ if timeMatch:
+ # Lets split into time part and log part of the line
+ timeLine = timeMatch.group()
+ # Lets leave the beginning in as well, so if there is no
+ # anchore at the beginning of the time regexp, we don't
+ # at least allow injection. Should be harmless otherwise
+ logLine = l[:timeMatch.start()] + l[timeMatch.end():]
+ else:
+ timeLine = l
+ logLine = l
 return self.findFailure(timeLine, logLine)

 def processLineAndAdd(self, line):
From 391a38a7a8f53f0cbfff153db3a52b9bccf8d7a5 Mon Sep 17 00:00:00 2001 From: Cyril Jaquier Date: Fri, 10 Oct 2008 16:00:10 +0000 Subject: [PATCH 09/13] - Added new regex. Thanks to Tobias Offermann. git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@713 a942ae1a-1317-0410-a47c-b1dcaea8d605
--- config/filter.d/sshd.conf | 1 + 1 file changed, 1 insertion(+)
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index 642f2bf7..2993b30f 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf 
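Review bot: The new `else` branch hands the whole line to `findFailure` as both `timeLine` and `logLine`, so a line with no recognisable timestamp is no longer dropped but is matched against the failure regexes, and whatever time `findFailure` derives from an unparseable `timeLine` (its body is outside the hunk; presumably the current time) becomes the failure time. Undated entries, including old ones re-read after a restart or a log rotation, are then counted as fresh failures and can contribute to a ban long after they occurred, and the retained comment about not "allowing injection" no longer describes this path, since nothing is stripped from `logLine`. I would say so on the branch, `# no timestamp found: match the whole line; the failure time then comes from findFailure, not from the log`, and confirm that findFailure's fallback is what the Debian #491253 report expected. The enclosing method starts outside the hunk.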
@@ -32,6 +32,7 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* fro ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=(?:\s+user=.*)?\s*$ ^%(__prefix_line)srefused connect from \S+ \(\)\s*$ ^%(__prefix_line)sAddress .* POSSIBLE BREAK-IN ATTEMPT\s*$ + ^%(__prefix_line)sUser \S+ from not allowed because none of user's groups are listed in AllowGroups$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. From f6d44e6bc832bf68abd4b3b286c2a48102262610 Mon Sep 17 00:00:00 2001 From: Cyril Jaquier Date: Fri, 10 Oct 2008 16:26:18 +0000 Subject: [PATCH 10/13] - Added new time format. No idea from where it comes... git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@714 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- server/datedetector.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/server/datedetector.py b/server/datedetector.py index 0f18cf98..e68e5bce 100644 --- a/server/datedetector.py +++ b/server/datedetector.py @@ -113,6 +113,12 @@ class DateDetector: template.setRegex("^\d{2}:\d{2}:\d{2}") template.setPattern("%H:%M:%S") self.__templates.append(template) + # <09/16/08@05:03:30> + template = DateStrptime() + template.setName("") + template.setRegex("^<\d{2}/\d{2}/\d{2}@\d{2}:\d{2}:\d{2}>") + template.setPattern("<%m/%d/%y@%H:%M:%S>") + self.__templates.append(template) finally: self.__lock.release() From bb8e6107955c3ac47f1982d0a42df8a2b116a47e Mon Sep 17 00:00:00 2001 
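Review bot: `template.setName("")` in the new `<09/16/08@05:03:30>` block of datedetector.py leaves this the only template without a name, while every neighbour passes a descriptive one (`"Hour:Minute:Second"` directly above); if the name surfaces in diagnostics (not visible here), this entry cannot be told apart from the others. Follow the existing convention, `template.setName("<Month/Day/Year@Hour:Minute:Second>")`. It is also worth noting in the comment that this pattern is month-first with a two-digit year (`%m/%d/%y`), the opposite field order from the `%d-%m-%Y` template added earlier in this series, so the two are not confused when a new format is added. The enclosing DateDetector method continues outside the hunk.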
From: Cyril Jaquier Date: Mon, 13 Oct 2008 14:37:25 +0000 Subject: [PATCH 11/13] - Added apache-nohome.conf. Thanks to Yaroslav Halchenko. git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@715 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- ChangeLog | 1 + MANIFEST | 1 + config/filter.d/apache-nohome.conf | 23 +++++++++++++++++++++++ 3 files changed, 25 insertions(+) create mode 100644 config/filter.d/apache-nohome.conf diff --git a/ChangeLog b/ChangeLog index f3e13719..86b6447b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17,6 +17,7 @@ ver. 0.8.4 (2008/??/??) - stable - Try to match the regex even if the line does not contain a valid date/time. Described in Debian #491253. Thanks to Yaroslav Halchenko. +- Added/improved filters and date formats. ver. 0.8.3 (2008/07/17) - stable ---------- diff --git a/MANIFEST b/MANIFEST index 11ed92af..f2bfa255 100644 --- a/MANIFEST +++ b/MANIFEST @@ -59,6 +59,7 @@ config/jail.conf config/filter.d/common.conf config/filter.d/apache-auth.conf config/filter.d/apache-badbots.conf +config/filter.d/apache-nohome.conf config/filter.d/apache-noscript.conf config/filter.d/apache-overflows.conf config/filter.d/courierlogin.conf diff --git a/config/filter.d/apache-nohome.conf b/config/filter.d/apache-nohome.conf new file mode 100644 index 00000000..2673c2f4 --- /dev/null +++ b/config/filter.d/apache-nohome.conf @@ -0,0 +1,23 @@ +# Fail2Ban configuration file +# +# Author: Yaroslav O. Halchenko +# +# $Revision: 569 $ +# + +[Definition] + +# Option: failregex +# Notes.: regex to match failures to find a home directory on a server, which +# became popular last days. Most often attacker just uses IP instead of +# domain name -- so expect to see them in generic error.log if you have +# per-domain log files. +# Values: TEXT +# +failregex = [[]client []] File does not exist: .*/~.* + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = 
From 622218271de1f7c94afcda7f592a6252b76e8846 Mon Sep 17 00:00:00 2001 From: Cyril Jaquier Date: Mon, 13 Oct 2008 14:38:41 +0000 Subject: [PATCH 12/13] - Added svn:keywords property. git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@716 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- config/filter.d/apache-nohome.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/apache-nohome.conf b/config/filter.d/apache-nohome.conf index 2673c2f4..b6a00005 100644 --- a/config/filter.d/apache-nohome.conf +++ b/config/filter.d/apache-nohome.conf @@ -2,7 +2,7 @@ # # Author: Yaroslav O. Halchenko # -# $Revision: 569 $ +# $Revision$ # [Definition] From 6cd56802bb78a44a2a3bc55e22c2990354100912 Mon Sep 17 00:00:00 2001 From: Cyril Jaquier Date: Mon, 13 Oct 2008 14:56:54 +0000 Subject: [PATCH 13/13] - Added actions to report abuse to ISP, DShield and myNetWatchman. Thanks to Russell Odom. git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@717 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- ChangeLog | 2 + MANIFEST | 3 + README | 3 +- config/action.d/complain.conf | 86 ++++++++++++ config/action.d/dshield.conf | 210 +++++++++++++++++++++++++++++ config/action.d/mynetwatchman.conf | 144 ++++++++++++++++++++ 6 files changed, 447 insertions(+), 1 deletion(-) create mode 100644 config/action.d/complain.conf create mode 100644 config/action.d/dshield.conf create mode 100644 config/action.d/mynetwatchman.conf diff --git a/ChangeLog b/ChangeLog index 86b6447b..c6a39d87 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,8 @@ ver. 0.8.4 (2008/??/??) - stable valid date/time. Described in Debian #491253. Thanks to Yaroslav Halchenko. - Added/improved filters and date formats. +- Added actions to report abuse to ISP, DShield and + myNetWatchman. Thanks to Russell Odom. ver. 0.8.3 (2008/07/17) - stable ---------- diff --git a/MANIFEST b/MANIFEST index f2bfa255..1ea7a621 100644 --- a/MANIFEST 
+++ b/MANIFEST @@ -79,6 +79,8 @@ config/filter.d/vsftpd.conf config/filter.d/webmin-auth.conf config/filter.d/wuftpd.conf config/filter.d/xinetd-fail.conf +config/action.d/complain.conf +config/action.d/dshield.conf config/action.d/hostsdeny.conf config/action.d/ipfw.conf config/action.d/iptables.conf @@ -90,6 +92,7 @@ config/action.d/mail.conf config/action.d/mail-buffered.conf config/action.d/mail-whois.conf config/action.d/mail-whois-lines.conf +config/action.d/mynetwatchman.conf config/action.d/sendmail.conf config/action.d/sendmail-buffered.conf config/action.d/sendmail-whois.conf diff --git a/README b/README index 43363ea8..1c1cbf66 100644 --- a/README +++ b/README @@ -76,7 +76,8 @@ René Berber, mEDI, Axel Thimm, Eric Gerbier, Christian Rauch, Michael C. Haller, Jonathan Underwood, Hanno 'Rince' Wagner, Daniel B. Cid, David Nutter, Raphaël Marichez, Guillaume Delvit, Vaclav Misek, Adrien Clerc, Michael Hanselmann, -Vincent Deffontaines, Bill Heaton and many others. +Vincent Deffontaines, Bill Heaton, Russell Odom and many +others. License: -------- diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf new file mode 100644 index 00000000..5e672475 --- /dev/null +++ b/config/action.d/complain.conf 
@@ -0,0 +1,86 @@ +# Fail2Ban configuration file +# +# Author: Russell Odom +# Sends a complaint e-mail to addresses listed in the whois record for an +# offending IP address. +# +# You should provide the in the jail config - lines from the log +# matching the given IP address will be provided in the complaint as evidence. +# +# Note that we will try to use e-mail addresses that are most likely to be abuse +# addresses (based on various keywords). If they aren't found we fall back on +# any other addresses found in the whois record, with a few exceptions. +# If no addresses are found, no e-mail is sent. +# +# $Revision$ +# + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = + +# Option: actionstop +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: IP address +# number of failures +# unix timestamp of the last failure +# unix timestamp of the ban time +# Values: CMD +# +actionban = ADDRESSES=`whois | perl -e 'while () { next if /^changed|@(ripe|apnic)\.net/io; $m += (/abuse|trouble:|report|spam|security/io?3:0); if (/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)/io) { while (s/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)//io) { if ($m) { $a{lc($1)}=$m } else { $b{lc($1)}=$m } } $m=0 } else { $m && --$m } } if (%%a) {print join(",",keys(%%a))} else {print join(",",keys(%%b))}'` + IP= + if [ ! -z "$ADDRESSES" ]; then + (printf %%b "\n"; date '+Note: Local timezone is %%z (%%Z)'; grep '' ) | "Abuse from " $ADDRESSES + fi + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. 
+# Tags: IP address +# unix timestamp of the ban time +# unix timestamp of the unban time +# Values: CMD +# +actionunban = + +[Init] +message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)\n + +# Path to the log files which contain relevant lines for the abuser IP +# +logpath = /dev/null + +# Option: mailcmd +# Notes.: Your system mail command. Is passed 2 args: subject and recipient +# Values: CMD Default: mail -s +# +mailcmd = mail -s + +# Option: mailargs +# Notes.: Additional arguments to mail command. e.g. for standard Unix mail: +# CC reports to another address: +# -c me@example.com +# Appear to come from a different address - the '--' indicates +# arguments to be passed to Sendmail: +# -- -f me@example.com +# Values: [ STRING ] Default: (empty) +# +mailargs = + diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf new file mode 100644 index 00000000..b80698b4 --- /dev/null +++ b/config/action.d/dshield.conf 
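Review bot: `actionban` in the new complain.conf interpolates the banned-address tag straight into a shell pipeline (`whois <ip> | perl ...`, `IP=<ip>`, and the evidence `grep '<ip>' <logpath>`; the angle-bracket tags are stripped in this rendering) without quoting, so the action relies entirely on the filter's host capture producing a bare address. Because the value ultimately comes from log content, quote it where the shell sees it, `whois "<ip>"` and `IP="<ip>"`, and make the evidence grep literal, `grep -F -- "<ip>" <logpath>`, since an unescaped dotted address is a regex in which each `.` also matches any character and pulls unrelated lines into the complaint. `$ADDRESSES` handed to `<mailcmd>` is a comma-joined list produced by the Perl filter, so leaving it unquoted is fine only while that stays true; a comment on the `ADDRESSES=` line saying so would help the next editor.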
@@ -0,0 +1,210 @@ +# Fail2Ban configuration file +# +# Author: Russell Odom +# Submits attack reports to DShield (http://www.dshield.org/) +# +# You MUST configure at least: +# (the port that's being attacked - use number not name). +# +# You SHOULD also provide: +# (your public IP address, if it's not the address of eth0) +# (your DShield userID, if you have one - recommended, but reports will +# be used anonymously if not) +# (the protocol in use - defaults to tcp) +# +# Best practice is to provide and in jail.conf like this: +# action = dshield[port=1234,protocol=tcp] +# +# ...and create "dshield.local" with contents something like this: +# [Init] +# myip = 10.0.0.1 +# userid = 12345 +# +# Other useful configuration values are (you can use for specifying +# a different sender address for the report e-mails, which should match what is +# configured at DShield), and // (to +# configure how often the buffer is flushed). +# +# $Revision$ + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = + +# Option: actionstop +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = if [ -f .buffer ]; then + cat .buffer | "FORMAT DSHIELD USERID TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" + date +%%s > .lastsent + fi + rm -f .buffer .first + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: IP address +# number of failures +#