github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

MRG: 0.8.11 to 0.9 

Epnoc of selinux is now true UTC

Merge multiline support and date detection in filter
pull/413/head
Daniel Black 2013-11-02 15:59:05 +11:00
parent 5a2623f0df a9fe3d5df9
commit 47d35c9d80
107 changed files with 2196 additions and 1047 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

92
ChangeLog
View File

@ -47,8 +47,31 @@ code-review and minor additions from Yaroslav Halchenko.
Some filters have been change as required to capture these elements in the
right timezone correctly.
ver. 0.8.11 (2013/XX/XXX) - loves-unittests
-----------
ver. 0.8.11 (2013/11/XXX) - loves-unittests and tight, DoS free, filter regexes
In light of CVE-2013-2178 that triggered our last release we have put a
significant effort into tightening all of the regexs of our filters to avoid
another similar vulnerability. All filters have been updated and some to
include more failure regexs supporting previously unbanned failures and
support for newer application versions too. There are test cases for most log
cases of failures now.
As usual if you have other examples that demonstrate that a filter is
insufficient please give us an example log line on the github issue tracker
http://github.com/fail2ban/fail2ban/issues and NOT on a random blog in some
obscure corner of the Internet.
During the tightening of the regexs to avoid DoS vulnerabilities there is the
possibility that we have inadvertently, despite our best intentions,
incorrectly allowed a failure to continue. We will fix this as quickly as
humanly possible.
IMPORTANT incompatible changes:
Filter name changes:
* 'lighttpd-fastcgi' filter has been renamed to 'suhosin'
* 'sasl' has been renamed to 'postfix-sasl'
These will require changing in jail.{conf,local} if using these filters.
Exim filter has been split into an spam and a relay/auth filter.
- Fixes:
Daniel Black & Marcel Dopita
@ -66,15 +89,36 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
- All backends, possible race condition: do not read from a file
initially reported empty. Originally could have lead to
accounting for detected log lines multiple times.
- Do not crash if executing a command in fail2ban-client interactive
mode has failed (e.g. due to incorrect syntax). Closes gh-353
Daniel Black & Мернов Георгий
* filter.d/dovecot.conf -- Fix when no TLS enabled - line doesn't end in ,
Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий
* filter.d/exim.conf -- regex hardening and extra failure examples in
sample logs
* filter.d/named-refused.conf - BIND 9.9.3 regex changes
Daniel Black & Sebastian Arcus
* filter.d/asterisk -- more regexes
Daniel Black
* action.d/hostsdeny -- NOTE: new dependancy 'ed'. Switched to use 'ed' across
all platforms to ensure permissions are the same before and after a ban -
closes gh-266. hostsdeny supports daemon_list now too.
* action.d/bsd-ipfw - action option unsed. Change blocktype to port unreach
instead of deny for consistancy.
* filter.d/roundcube-auth - timezone offset can be positive or negative
* action.d/bsd-ipfw - action option unsed. Fixed to blocktype for
consistency. default to port unreach instead of deny
* filter.d/dropbear - fix regexs to match standard dropbear and the patched
http://www.unchartedbackwaters.co.uk/files/dropbear/dropbear-0.52.patch
and add PAM is it in dropbear-2013.60 source code.
* filter.d/{asterisk,assp,dovecot,proftpd}.conf -- regex hardening
and extra failure examples in sample logs
* filter.d/apache-auth - added expressions for mod_authz, mod_auth and
mod_auth_digest failures.
* filter.d/recidive -- support f2b syslog target and anchor regex at start
* filter.d/mysqld-auth.conf - mysql can use syslog
* filter.d/sshd - regex enhancements to support openssh-6.3. Closes Debian
bug #722970
Rolf Fokkens
* action.d/dshield.conf and complain.conf -- reorder mailx arguments.
https://bugzilla.redhat.com/show_bug.cgi?id=998020
@ -85,33 +129,53 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
* files/redhat-initd - rewritten to use stock init.d functions thus
avoiding problems with getpid. Also $network and iptables moved
to Should- rc init fields
Rick Mellor
* filter.d/vsftp - fix capture with tty=ftp
- New Features:
Edgar Hoch
* action.d/firewall-cmd-direct-new.conf - action for firewalld
from https://bugzilla.redhat.com/show_bug.cgi?id=979622
Andy Fragen and Daniel Black
* filter.d/osx-ipfw.conf - ipfw action for OSX based on random rule
* filter.d/osx-ipfw.conf - ipfw action for OSX based on random rule
numbers.
Anonymous:
* action.d/osx-afctl - an action based on afctl for osx
Daniel Black & ykimon
* filter.d/3proxy.conf -- filter added
* fail2ban-regex - now generates http://www.debuggex.com urls for debugging
regular expressions with the -D parameter.
Daniel Black
* filter.d/exim-spam.conf -- a splitout of exim's spam regexes
with additions for greater control over filtering spam.
* add date expression for apache-2.4 - milliseconds
Christophe Carles & Daniel Black
* filter.d/perdition.conf -- filter added
Mark McKinstry
* action.d/apf.conf - add action for Advanced Policy Firewall (apf)
Amir Caspi and kjohnsonecl
* filter.d/uwimap-auth - filter for uwimap-auth IMAP/POP server
Steven Hiscocks and Daniel Black
* filter.d/selinux-{common,ssh} -- add SELinux date and ssh filter
- Enhancements:
François Boulogne and Frédéric
* filter.d/lighttpd - auth regexs for lighttpd-1.4.31
Daniel Black
* filter.d/{asterisk,assp,dovecot,proftpd}.conf -- regex hardening
and extra failure examples in sample logs
* filter.d/apache-auth - added expressions for mod_authz, mod_auth and
mod_auth_digest failures.
Daniel Black & Georgiy Mernov & ftoppi & Мернов Георгий
* filter.d/exim.conf -- regex hardening and extra failure examples in
sample logs
* filter.d/named-refused.conf - BIND 9.9.3 regex changes
Daniel Black & Sebastian Arcus
* filter.d/asterisk -- more regexes
* reorder parsing of jail.conf, jail.d/*.conf, jail.local, jail.d/*.local
and likewise for fail2ban.{conf|local|d/*.conf|d/*.local}. Closes gh-392
* jail.conf now has asterisk jail - no need for asterisk-tcp and
asterisk-udp. Users should replace existing jails with asterisk to
reduce duplicate parsing of the asterisk log file.
* filter.d/{suhosin,pam-generic,gssftpd,sogo-auth,webmin}- regex anchor at
start
* filter.d/vsftpd - anchored regex at start. disable old pam format regex
* filter.d/pam-generic - added syslog prefix. Disabled support for
linux-pam before version 0.99.2.0 (2005)
* filter.d/postfix-sasl - renamed from sasl, anchor at start and base on
syslog
* filter.d/qmail - rewrote regex to anchor at start. Added regex for
another "in the wild" patch to rblsmtp.
Yaroslav Halchenko
* fail2ban-regex -- refactored to provide more details (missing and
ignored lines, control over logging, etc) while maintaining look&feel
@ -132,8 +196,6 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
* filter/named-refused - added refused on zone transfer
* filter.d/{courier{login,smtp},proftpd,sieve,wuftpd,xinetd} - General
regex impovements
* IMPORTANT: 'lighttpd-fastcgi' filter has been renamed to 'suhosin', which
will require changing in jail.{conf,local} if using this filter.
Zurd
* filter.d/postfix - add filter for VRFY failures. closes gh-322.
Orion Poplawski

455
DEVELOP
View File

@ -1,6 +1,6 @@
__ _ _ ___ _
/ _|__ _(_) |_ ) |__ __ _ _ _
| _/ _` | | |/ /| '_ \/ _` | ' \
__ _ _ ___ _
/ _|__ _(_) |_ ) |__ __ _ _ _
| _/ _` | | |/ /| '_ \/ _` | ' \
|_| \__,_|_|_/___|_.__/\__,_|_||_|
================================================================================
@ -26,7 +26,7 @@ Pull Requests
When submitting pull requests on GitHub we ask you to:
* Clearly describe the problem you're solving;
* Don't introduce regressions that will make it hard for systems adminstrators
* Don't introduce regressions that will make it hard for systems administrators
to update;
* If adding a major feature rebase your changes on master and get to a single commit;
* Include test cases (see below);
@ -37,49 +37,307 @@ When submitting pull requests on GitHub we ask you to:
Filters
=======
* Include sample logs with 1.2.3.4 used for IP addresses and
example.com/example.org used for DNS names
* Ensure sample log is provided in testcases/files/logs/ with same name as the
filter. Each log line should include match meta data for time & IP above
every line (see other sample log files for examples)
* Ensure regexs start with a ^ and are restrictive as possible. E.g. not .* if
\d+ is sufficient
* Use the functionality of regexs http://docs.python.org/2/library/re.html
* Take a look at the source code of the application. You may see optional or
extra log messages, or parts there of, that need to form part of your regex.
Filters are tricky. They need to:
* work with a variety of the versions of the software that generates the logs;
* work with the range of logging configuration options available in the
software;
* work with multiple operating systems;
* not make assumptions about the log format in excess of the software
(e.g. do not assume a username doesn't contain spaces and use \S+ unless
you've checked the source code);
* account for how future versions of the software will log messages
(e.g. guess what would happen to the log message if different authentication
types are added);
* not be susceptible to DoS vulnerabilities (see Filter Security below); and
* match intended log lines only.
If you only have a basic knowledge of regular repressions read
http://docs.python.org/2/library/re.html first.
Please follow the steps from Filter Test Cases to Developing Filter Regular
Expressions and submit a GitHub pull request (PR) afterwards. If you get stuck,
you can push your unfinished changes and still submit a PR -- describe
what you have done, what is the hurdle, and we'll attempt to help (PR
will be automagically updated with future commits you would push to
complete it).
Filter test cases
-----------------
Purpose:
Start by finding the log messages that the application generates related to
some form of authentication failure. If you are adding to an existing filter
think about whether the log messages are of a similar importance and purpose
to the existing filter. If you were a user of Fail2Ban, and did a package
update of Fail2Ban that started matching new log messages, would anything
unexpected happen? Would the bantime/findtime for the jail be appropriate for
the new log messages? If it doesn't, perhaps it needs to be in a separate
filter definition, for example like exim filter aims at authentication failures
and exim-spam at log messages related to spam.
Even if it is a new filter you may consider separating the log messages into
different filters based on purpose.
Cause:
Are some of the log lines a result of the same action? For example, is a PAM
failure log message, followed by an application specific failure message the
result of the same user/script action? If you add regular expressions for
both you would end up with two failures for a single action.
Therefore, select the most appropriate log message and document the other log
message) with a test case not to match it and a description as to why you chose
one over another.
With the selected log lines consider what action has caused those log
messages and whether they could have been generated by accident? Could
the log message be occurring due to the first step towards the application
asking for authentication? Could the log messages occur often? If some of
these are true make a note of this in the jail.conf example that you provide.
Samples:
It is important to include log file samples so any future change in the regular
expression will still work with the log lines you have identified.
The sample log messages are provided in a file under testcases/files/logs/
named identically as the corresponding filter (but without .conf extension).
Each log line should be preceded by a line with failJSON metadata (so the logs
lines are tested in the test suite) directly above the log line. If there is
any specific information about the log message, such as version or an
application configuration option that is needed for the message to occur,
include this in a comment (line beginning with #) above the failJSON metadata.
Log samples should include only one, definitely not more than 3, examples of
log messages of the same form. If log messages are different in different
versions of the application log messages that show this are encouraged.
Also attempt to inject an IP into the application (e.g. by specifying
it as a username) so that Fail2Ban possibly detects the IP
from user input rather than the true origin. See the Filter Security section
and the top example in testcases/files/logs/apache-auth as to how to do this.
One you have discovered that this is possible, correct the regex so it doesn't
match and provide this as a test case with "match": false (see failJSON below).
If the mechanism to create the log message isn't obvious provide a
configuration and/or sample scripts testcases/files/config/{filtername} and
reference these in the comments above the log line.
FailJSON metadata:
A failJSON metadata is a comment immediately above the log message. It will
look like:
# failJSON: { "time": "2013-06-10T10:10:59", "match": true , "host": "93.184.216.119" }
Time should match the time of the log message. It is in a specific format of
Year-Month-Day'T'Hour:minute:Second. If your log message does not include a
year, like the example below, the year should be listed as 2005, if before Sun
Aug 14 10am UTC, and 2004 if afterwards. Here is an example failJSON
line preceding a sample log line:
# failJSON: { "time": "2005-03-24T15:25:51", "match": true , "host": "198.51.100.87" }
Mar 24 15:25:51 buffalo1 dropbear[4092]: bad password attempt for 'root' from 198.51.100.87:5543
The "host" in failJSON should contain the IP or domain that should be blocked.
For long lines that you do not want to be matched (e.g. from log injection
attacks) and any log lines to be excluded (see "Cause" section above), set
"match": false in the failJSON and describe the reason in the comment above.
After developing regexes, the following command will test all failJSON metadata
against the log lines in all sample log files
./fail2ban-testcases testSampleRegex
Developing Filter Regular Expressions
-------------------------------------
Date/Time:
At the moment, Fail2Ban depends on log lines to have time stamps. That is why
before starting to develop failregex, check if your log line format known to
Fail2Ban. Copy the time component from the log line and append an IP address to
test with following command:
./fail2ban-regex "2013-09-19 02:46:12 1.2.3.4" "<HOST>"
Output of such command should contain something like:
Date template hits:
|- [# of hits] date format
| [1] Year-Month-Day Hour:Minute:Second
Ensure that the template description matches time/date elements in your log line
time stamp. If there is no matched format then date template needs to be added
to server/datedetector.py. Ensure that a new template is added in the order
that more specific matches occur first and that there is no confusion between a
Day and a Month.
Filter file:
The filter is specified in a config/filter.d/{filtername}.conf file. Filter file
can have sections INCLUDES (optional) and Definition as follows:
[INCLUDES]
before = common.conf
after = filtername.local
[Definition]
failregex = ....
ignoreregex = ....
This is also documented in the man page jail.conf (section 5). Other definitions
can be added to make failregex's more readable and maintainable to be used
through string Interpolations (see http://docs.python.org/2.7/library/configparser.html)
General rules:
Use "before" if you need to include a common set of rules, like syslog or if
there is a common set of regexes for multiple filters.
Use "after" if you wish to allow the user to overwrite a set of customisations
of the current filter. This file doesn't need to exist.
Try to avoid using ignoreregex mainly for performance reasons. The case when you
would use it is if in trying to avoid using it, you end up with an unreadable
failregex.
Syslog:
If your application logs to syslog you can take advantage of log line prefix
definitions present in common.conf. So as a base use:
[INCLUDES]
before = common.conf
[Definition]
_daemon = app
failregex = ^%(__prefix_line)s
In this example common.conf defines __prefix_line which also contains the
_daemon name (in syslog terms the service) you have just specified. _daemon
can also be a regex.
For example, to capture following line _daemon should be set to "dovecot"
Dec 12 11:19:11 dunnart dovecot: pop3-login: Aborted login (tried to use disabled plaintext auth): rip=190.210.136.21, lip=113.212.99.193
and then ^%(__prefix_line)s would match "Dec 12 11:19:11 dunnart dovecot:
". Note it matches the trailing space(s) as well.
Substitutions (AKA string interpolations):
We have used string interpolations in above examples. They are useful for
making the regexes more readable, reuse generic patterns in multiple failregex
lines, and also to refer definition of regex parts to specific filters or even
to the user. General principle is that value of a _name variable replaces
occurrences of %(_name)s within the same section or anywhere in the config file
if defined in [DEFAULT] section.
Regular Expressions:
Regular expressions (failregex, ignoreregex) assume that the date/time has been
removed from the log line (this is just how fail2ban works internally ATM).
If the format is like '<date...> error 1.2.3.4 is evil' then you need to match
the < at the start so regex should be similar to '^<> <HOST> is evil$' using
<HOST> where the IP/domain name appears in the log line.
The following general rules apply to regular expressions:
* ensure regexes start with a ^ and are as restrictive as possible. E.g. do not
use .* if \d+ is sufficient;
* use functionality of Python regexes defined in the standard Python re library
http://docs.python.org/2/library/re.html;
* make regular expressions readable (as much as possible). E.g.
(?:...) represents a non-capturing regex but (...) is more readable, thus
preferred.
If you have only a basic knowledge of regular repressions we advise to read
http://docs.python.org/2/library/re.html first. It doesn't take long and would
remind you e.g. which characters you need to escape and which you don't.
Developing/testing a regex:
You can develop a regex in a file or using command line depending on your
preference. You can also use samples you have already created in the test cases
or test them one at a time.
The general tool for testing Fail2Ban regexes is fail2ban-regex. To see how to
use it run:
./fail2ban-regex --help
Take note of -l heavydebug / -l debug and -v as they might be very useful.
TIP: Take a look at the source code of the application you are developing
failregex for. You may see optional or extra log messages, or parts there
of, that need to form part of your regex. It may also reveal how some
parts are constrained and different formats depending on configuration or
less common usages.
TIP: For looking through source code - http://sourcecodebrowser.com/ . It has
call graphs and can browse different versions.
TIP: Some applications log spaces at the end. If you are not sure add \s*$ as
the end part of the regex.
If your regex is not matching, http://www.debuggex.com/?flavor=python can help
to tune it:
* use regex from the ./fail2ban-regex output (to ensure all substitutions are
done) and replace <HOST> with (?&.ipv4). Make sure that regex type set to
Python;
* for the test data put your log output with the time removed;
- when you have fixed the regex put it back into your filter file.
Please spread the good word about debuggex - Serge Toarca is kindly continuing
its free availability to Open Source developers.
Finishing up:
If you've added a new filter, add a new entry in config/jail.conf. The theory
here is that a user will create a jail.local with [filtername]\nenable=true to
enable your jail.
So more specifically in the [filter] section in jail.conf:
* ensure that you have "enabled = false" (users will enable as needed);
* use "filter =" set to your filter name;
* use a typical action to disable ports associated with the application;
* set "logpath" to the usual location of application log file;
* if the default findtime or bantime isn't appropriate to the filter, specify
more appropriate choices (possibly with a brief comment line).
Submit github pull request (See "Pull Requests" above) for
github.com/fail2ban/fail2ban containing your great work.
Filter Security
---------------
Poor filter regular expressions are suseptable to DoS attacks.
Poor filter regular expressions are susceptible to DoS attacks.
When a remote user has the ability to introduce text that will match the
filter regex, such that the inserted text matches the <HOST> part, they have the
When a remote user has the ability to introduce text that would match filter's
failregex, while matching inserted text to the <HOST> part, they have the
ability to deny any host they choose.
So the <HOST> part must be anchored on text generated by the application, and not
the user, to a sufficient extent that the user cannot insert the entire text.
So the <HOST> part must be anchored on text generated by the application, and
not the user, to a extent sufficient to prevent user inserting the entire text
matching this or any other failregex.
Filters are matched against the log line with their date removed.
Ideally filter regex should anchor to the beginning and end of the log line
however as more applications log at the beginning than the end, achoring the
Ideally filter regex should anchor at the beginning and at the end of log line.
However as more applications log at the beginning than the end, anchoring the
beginning is more important. If the log file used by the application is shared
with other applications, like system logs, ensure the other application that
use that log file do not log user generated text at the beginning of the line,
or, if they do, ensure the regexs of the filter are sufficient to mitigate the
risk of insertion.
with other applications, like system logs, ensure the other application that use
that log file do not log user generated text at the beginning of the line, or,
if they do, ensure the regexes of the filter are sufficient to mitigate the risk
of insertion.
When creating a regex that extends back to the begining remember the date part
has been removed within fail2ban so theres no need to match that. If the format
is like '<date...> error 1.2.3.4 is evil' then you will need to match the < at
the start so here the regex would start like '^<> <HOST> is evil$'.
Some applications log spaces at the end. If you're not sure add \s*$ as the
end part of the regex.
Examples of poor filters
------------------------
@ -96,13 +354,13 @@ We make a failregex
Now think evil. The user does the command 'blah from 1.2.3.44'
The program diliently logs:
The program diligently logs:
Apr-07-13 07:08:36 Invalid command blah from 1.2.3.44 from 1.2.3.4
And fail2ban matches 1.2.3.44 as the IP that it ban. A DoS attack was successful.
The fix here is that the command can be anything so .* is approprate.
The fix here is that the command can be anything so .* is appropriate.
^Invalid command .* from <HOST>
@ -121,10 +379,10 @@ banned.
2. Filter regex can match other user injected data
From the apache vulnerability CVE-2013-2178
From the Apache vulnerability CVE-2013-2178
( original ref: https://vndh.net/note:fail2ban-089-denial-service ).
An example bad regex for apache:
An example bad regex for Apache:
failregex = [[]client <HOST>[]] user .* not found
@ -140,10 +398,10 @@ Now the log line will be:
As this log line doesn't match other expressions hence it matches the above
regex and blocks 192.168.33.1 as a denial of service from the HTTP requester.
3. Applicaiton generates two identical log messages with different meanings
3. Application generates two identical log messages with different meanings
If the application generates the following two messages under different
circmstances:
circumstances:
client <IP>: authentication failed
client <USER>: authentication failed
@ -179,7 +437,7 @@ coverage run bin/fail2ban-testcases
coverage html
Then look at htmlcov/index.html and see how much coverage your test cases
exert over the codebase. Full coverage is a good thing however it may not be
exert over the code base. Full coverage is a good thing however it may not be
complete. Try to ensure tests cover as many independent paths through the
code.
@ -270,7 +528,7 @@ Design
Fail2Ban was initially developed with Python 2.3 (IIRC). It should
still be compatible with Python 2.4 and such compatibility assurance
makes code ... old-fashioned in many places (RF-Note). In 0.7 the
design went through major refactoring into client/server,
design went through major re-factoring into client/server,
a-thread-per-jail design which made it a bit difficult to follow.
Below you can find a sketchy description of the main components of the
system to orient yourself better.
@ -381,7 +639,7 @@ one way or another provide
except FailManagerEmpty:
self.failManager.cleanup(MyTime.time())
thus channeling "ban tickets" from their failManager to the
thus channelling "ban tickets" from their failManager to the
corresponding jail.
action.py
@ -411,6 +669,61 @@ Releasing
* https://bugzilla.redhat.com/buglist.cgi?query_format=advanced&bug_status=NEW&bug_status=ASSIGNED&component=fail2ban&classification=Red%20Hat&classification=Fedora
* http://www.freebsd.org/cgi/query-pr-summary.cgi?text=fail2ban
# Make sure the tests pass
./fail2ban-testcases-all
# Ensure the version is correct
in:
* ./common/version.py
* top of ChangeLog
* README.md
# Ensure the MANIFEST is complete
Run:
python setup.py sdist
Look for errors like:
'testcases/files/logs/mysqld.log' not a regular file -- skipping
Which indicates that testcases/files/logs/mysqld.log has been moved or is a directory
tar -C /tmp -jxf dist/fail2ban-0.9.0.tar.bz2
# clean up current direcory
diff -rul --exclude \*.pyc . /tmp/fail2ban-0.9.0/
# Only differences should be files that you don't want distributed.
# Ensure the tests work from the tarball
cd /tmp/fail2ban-0.9.0/ && ./fail2ban-testcases-all
# Add/finalize the corresponding entry in the ChangeLog
To generate a list of committers use e.g.
git shortlog -sn 0.8.10.. | sed -e 's,^[ 0-9\t]*,,g' | tr '\n' '\|' | sed -e 's:|:, :g'
Ensure the top of the ChangeLog has the right version and current date.
Ensure the top entry of the ChangeLog has the right version and current date.
# Update man pages
(cd man ; ./generate-man )
git commit -m 'DOC/ENH: update man pages for release' man/*
# Prepare source and rpm binary distributions
python setup.py sdist
python setup.py bdist_rpm
python setup.py upload
# Provide a release sample to distributors
* Debian: Yaroslav Halchenko <debian@onerussian.com>
@ -425,41 +738,31 @@ Releasing
https://build.opensuse.org/package/users?package=fail2ban&project=openSUSE%3AFactory
* Mac Ports: @Malbrouck on github (gh-49)
https://trac.macports.org/browser/trunk/dports/security/fail2ban/Portfile
An potentially to the fail2ban-users directory.
# Wait for feedback from distributors
# Ensure the version is correct in ./common/version.py
# Prepare a release notice https://github.com/fail2ban/fail2ban/releases/new
# Add/finalize the corresponding entry in the ChangeLog
Upload the source/binaries from the dist directory and tag the release using the URL
To generate a list of committers use e.g.
git shortlog -sn 0.8.8.. | sed -e 's,^[ 0-9\t]*,,g' | tr '\n' '\|' | sed -e 's:|:, :g'
Ensure the top of the ChangeLog has the right version and current date.
Ensure the top entry of the ChangeLog has the right version and current date.
# Update man pages
(cd man ; ./generate-man )
git commit -m 'update man pages for release' man/*
# Make sure the tests pass
./fail2ban-testcases-all
# Prepare/upload source and rpm binary distributions
python setup.py check
python setup.py sdist
python setup.py bdist_rpm
python setup.py upload
# Upload source/binaries to sourceforge http://sourceforge.net/projects/fail2ban/
# Run the following and update the wiki with output:
python -c 'import fail2ban.protocol; fail2ban.protocol.printWiki()'
page: http://www.fail2ban.org/wiki/index.php/Commands
* Update:
http://www.fail2ban.org/wiki/index.php/Downloads
http://www.fail2ban.org/wiki/index.php/ChangeLog
http://www.fail2ban.org/wiki/index.php/Requirements (Check requirement)
http://www.fail2ban.org/wiki/index.php/Main_Page (Add to News)
http://www.fail2ban.org/wiki/index.php/Features
* See if any filters are upgraded:
http://www.fail2ban.org/wiki/index.php/Special:AllPages
# Email users and development list of release
# notify distributors
@ -469,15 +772,17 @@ Post Release
Add the following to the top of the ChangeLog
ver. 0.8.12 (2013/XX/XXX) - wanna-be-released
ver. 0.9.1 (2014/XX/XXX) - wanna-be-released
-----------
- Fixes:
- New Features:
- Enhancements:
Alter the git shortlog command in the previous section to refer to the just
released version.
and adjust common/version.py to carry .dev suffix to signal
a version under development.

30
MANIFEST
View File

@ -91,6 +91,14 @@ fail2ban/exceptions.py
fail2ban/helpers.py
fail2ban/version.py
fail2ban/protocol.py
fail2ban-client
fail2ban-server
fail2ban-testcases
fail2ban-regex
fail2ban-testcases-all
setup.py
setup.cfg
kill-server
config/jail.conf
config/filter.d/common.conf
config/filter.d/apache-auth.conf
@ -111,7 +119,7 @@ config/filter.d/pure-ftpd.conf
config/filter.d/qmail.conf
config/filter.d/pam-generic.conf
config/filter.d/php-url-fopen.conf
config/filter.d/sasl.conf
config/filter.d/postfix-sasl.conf
config/filter.d/sieve.conf
config/filter.d/sshd.conf
config/filter.d/sshd-ddos.conf
@ -126,10 +134,24 @@ config/filter.d/lighttpd-auth.conf
config/filter.d/recidive.conf
config/filter.d/roundcube-auth.conf
config/filter.d/assp.conf
config/filter.d/mysqld-auth.conf
config/filter.d/sogo-auth.conf
config/filter.d/mysqld-auth.conf
config/filter.d/selinux-common.conf
config/filter.d/selinux-ssh.conf
config/filter.d/3proxy.conf
config/filter.d/apache-common.conf
config/filter.d/exim-common.conf
config/filter.d/exim-spam.conf
config/filter.d/perdition.conf
config/filter.d/uwimap-auth.conf
config/action.d/apf.conf
config/action.d/osx-afctl.conf
config/action.d/osx-ipfw.conf
config/action.d/sendmail-common.conf
config/action.d/bsd-ipfw.conf
config/action.d/dummy.conf
config/action.d/firewall-cmd-direct-new.conf
config/action.d/iptables-ipset-proto6-allports.conf
config/action.d/iptables-blocktype.conf
config/action.d/iptables-ipset-proto4.conf
config/action.d/iptables-ipset-proto6.conf
@ -157,6 +179,7 @@ config/action.d/sendmail-whois.conf
config/action.d/sendmail-whois-lines.conf
config/action.d/shorewall.conf
config/fail2ban.conf
doc/run-rootless.txt
man/fail2ban-client.1
man/fail2ban.1
man/jail.conf.5
@ -178,9 +201,8 @@ files/cacti/fail2ban_stats.sh
files/cacti/cacti_host_template_fail2ban.xml
files/cacti/README
files/nagios/check_fail2ban
files/nagios/f2ban.txt
files/nagios/README
files/bash-completion
files/fail2ban-tmpfiles.conf
files/fail2ban.service
files/ipmasq-ZZZzzz_fail2ban.rul
files/nagios/README

4
README.md
View File

@ -31,8 +31,8 @@ Optional:
To install, just do:
tar xvfj fail2ban-0.8.10.tar.bz2
cd fail2ban-0.8.10
tar xvfj fail2ban-0.8.11.tar.bz2
cd fail2ban-0.8.11
python setup.py install
This will install Fail2Ban into /usr/share/fail2ban. The executable scripts are

20
THANKS
View File

@ -1,21 +1,26 @@
Fail2Ban is an open source project with many contributions from its
users community. Below is an alphabetically sorted partial list of the
contributors to the project. If you have been left off, please let us
know (preferably send a pull request on github with the "fix") and you
will be added
Fail2Ban is an open source project which was conceived and originally
developed by Cyril Jaquier until 2010. Since then Fail2Ban grew into
a community-driven project with many contributions from its users.
Below is an alphabetically sorted partial list of the contributors to
the project. If you have been left off, please let us know
(preferably send a pull request on github with the "fix") and you will
be added
Adrien Clerc
ache
Amir Caspi
Andrey G. Grozin
Andy Fragen
Arturo 'Buanzo' Busleiman
Axel Thimm
Beau Raines
Bill Heaton
Carlos Alberto Lopez Perez
Christian Rauch
Christophe Carles
Christoph Haas
Christos Psonis
Cyril Jaquier
Daniel B. Cid
Daniel Black
David Nutter
@ -34,16 +39,19 @@ Joël Bertrand
JP Espinosa
Justin Shore
Kévin Drapel
kjohnsonecl
kojiro
Manuel Arostegui Ramirez
Marcel Dopita
Mark Edgington
Mark McKinstry
Markus Hoffmann
Marvin Rouge
mEDI
Мернов Георгий
Michael C. Haller
Michael Hanselmann
NickMunger
Nick Munger
Patrick Börjesson
Raphaël Marichez
René Berber

10
bin/fail2ban-client
View File

@ -147,8 +147,9 @@ class Fail2banClient:
if showRet:
print beautifier.beautify(ret[1])
else:
logSys.debug("NOK: " + `ret[1].args`)
print beautifier.beautifyError(ret[1])
logSys.error("NOK: " + `ret[1].args`)
if showRet:
print beautifier.beautifyError(ret[1])
return False
except socket.error:
if showRet:
@ -375,7 +376,10 @@ class Fail2banClient:
if cmd == "help":
self.dispUsage()
elif not cmd == "":
self.__processCommand(shlex.split(cmd))
try:
self.__processCommand(shlex.split(cmd))
except Exception, e:
logSys.error(e)
except (EOFError, KeyboardInterrupt):
print
return True

62
bin/fail2ban-regex
View File

@ -23,15 +23,13 @@ and bans the corresponding IP addresses using firewall rules.
This tools can test regular expressions for "fail2ban".
Report bugs to https://github.com/fail2ban/fail2ban/issues
"""
__author__ = "Cyril Jaquier, Yaroslav Halchenko"
__copyright__ = "Copyright (c) 2004-2008 Cyril Jaquier, 2012-2013 Yaroslav Halchenko"
__license__ = "GPL"
import getopt, sys, time, logging, os, locale, shlex
import getopt, sys, time, logging, os, locale, shlex, urllib
from optparse import OptionParser, Option
from ConfigParser import NoOptionError, NoSectionError, MissingSectionHeaderError
@ -51,6 +49,12 @@ from fail2ban.tests.utils import FormatterWithTraceBack
# Gets the instance of the logger.
logSys = logging.getLogger("fail2ban")
def debuggexURL(sample, regex):
q = urllib.urlencode({ 're': regex.replace('<HOST>', '(?&.ipv4)'),
'str': sample,
'flavor': 'python' })
return 'http://www.debuggex.com/?' + q
def shortstr(s, l=53):
"""Return shortened string
"""
@ -103,6 +107,15 @@ REGEX:
IGNOREREGEX:
string a string representing an 'ignoreregex'
filename path to a filter file (filter.d/sshd.conf)
Copyright (c) 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors
Copyright of modifications held by their respective authors.
Licensed under the GNU General Public License v2 (GPL).
Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>.
Many contributions by Yaroslav O. Halchenko and Steven Hiscocks.
Report bugs to https://github.com/fail2ban/fail2ban/issues
""",
version="%prog " + version)
@ -116,14 +129,15 @@ IGNOREREGEX:
Option("-m", "--journalmatch",
help="journalctl style matches overriding filter file. "
"\"systemd-journal\" only"),
Option("-v", "--verbose", action='store_true',
help="Be verbose in output"),
Option('-l', "--log-level", type="choice",
dest="log_level",
choices=('heavydebug', 'debug', 'info', 'warning', 'error', 'fatal'),
default=None,
help="Log level for the Fail2Ban logger to use"),
Option("-v", "--verbose", action='store_true',
help="Be verbose in output"),
Option("-D", "--debuggex", action='store_true',
help="Produce debuggex.com urls for debugging there"),
Option("--print-all-missed", action='store_true',
help="Either to print all missed lines"),
Option("--print-all-ignored", action='store_true',
@ -132,7 +146,6 @@ IGNOREREGEX:
help="Enrich log-messages with compressed tracebacks"),
Option("--full-traceback", action='store_true',
help="Either to make the tracebacks full, not compressed (as by default)"),
])
return p
@ -171,7 +184,9 @@ class LineStats(object):
def __init__(self):
self.tested = self.matched = 0
self.missed_lines = []
self.missed_lines_timeextracted = []
self.ignored_lines = []
self.ignored_lines_timeextracted = []
def __str__(self):
return "%(tested)d lines, %(ignored)d ignored, %(matched)d matched, %(missed)d missed" % self
@ -195,6 +210,7 @@ class Fail2banRegex(object):
def __init__(self, opts):
self._verbose = opts.verbose
self._debuggex = opts.debuggex
self._print_all_missed = opts.print_all_missed
self._print_all_ignored = opts.print_all_ignored
self._maxlines_set = False # so we allow to override maxlines in cmdline
@ -306,7 +322,7 @@ class Fail2banRegex(object):
orgLineBuffer = self._filter._Filter__lineBuffer
fullBuffer = len(orgLineBuffer) >= self._filter.getMaxLines()
try:
ret = self._filter.processLine(line, checkAllRegex=True)
line, ret = self._filter.processLine(line, checkAllRegex=True)
for match in ret:
# Append True/False flag depending if line was matched by
# more than one regex
@ -318,13 +334,13 @@ class Fail2banRegex(object):
print e
return False
except IndexError:
print "Sorry, but no <host> found in regex"
print "Sorry, but no <HOST> found in regex"
return False
for bufLine in orgLineBuffer[int(fullBuffer):]:
if bufLine not in self._filter._Filter__lineBuffer:
if self.removeMissedLine(bufLine):
self._line_stats.matched += 1
return len(ret) > 0
return line, ret
def removeMissedLine(self, line):
"""Remove `line` from missed lines, by comparing without time match"""
@ -350,27 +366,49 @@ class Fail2banRegex(object):
# skip comment and empty lines
continue
is_ignored = fail2banRegex.testIgnoreRegex(line)
line_datetimestripped, ret = fail2banRegex.testRegex(line)
if is_ignored:
self._line_stats.ignored_lines.append(line)
self._line_stats.ignored_lines_timeextracted.append(line_datetimestripped)
if fail2banRegex.testRegex(line):
if len(ret) > 0:
assert(not is_ignored)
self._line_stats.matched += 1
else:
if not is_ignored:
self._line_stats.missed_lines.append(line)
self._line_stats.missed_lines_timeextracted.append(line_datetimestripped)
self._line_stats.tested += 1
if line_no % 10 == 0:
self._filter.dateDetector.sortTemplate()
def printLines(self, ltype):
lstats = self._line_stats
assert(len(lstats.missed_lines) == lstats.tested - (lstats.matched + lstats.ignored))
l = lstats[ltype + '_lines']
if len(l):
header = "%s line(s):" % (ltype.capitalize(),)
if len(l) < 20 or getattr(self, '_print_all_' + ltype):
if self._debuggex:
if ltype == 'missed':
regexlist = self._failregex
else:
regexlist = self._ignoreregex
l = lstats[ltype + '_lines_timeextracted']
lines = len(l)*len(regexlist)
if lines < 20 or getattr(self, '_print_all_' + ltype):
ans = [[]]
for arg in [l, regexlist]:
ans = [ x + [y] for x in ans for y in arg ]
b = map(lambda a: a[0] + ' | ' + a[1].getFailRegex() + ' | ' + debuggexURL(a[0], a[1].getFailRegex()), ans)
pprint_list([x.rstrip() for x in b], header)
else:
print "%s: too many to print. Use --print-all-%s " \
"to print all %d lines" % (header, ltype, lines)
elif len(l) < 20 or getattr(self, '_print_all_' + ltype):
pprint_list([x.rstrip() for x in l], header)
else:
print "%s: too many to print. Use --print-all-%s " \

43
config/action.d/apf.conf Normal file
View File

@ -0,0 +1,43 @@
# Fail2Ban configuration file
#
# Author: Mark McKinstry
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart =
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = apf --deny <ip> "banned by Fail2Ban <name>"
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = apf --remove <ip>

4
config/action.d/complain.conf
View File

@ -78,7 +78,7 @@ logpath = /dev/null
# Option: mailcmd
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
# Values: CMD Default: mail -s
# Values: CMD
#
mailcmd = mail -s
@ -89,7 +89,7 @@ mailcmd = mail -s
# Appear to come from a different address - the '--' indicates
# arguments to be passed to Sendmail:
# -- -f me@example.com
# Values: [ STRING ] Default: (empty)
# Values: [ STRING ]
#
mailargs =

22
config/action.d/dshield.conf
View File

@ -106,7 +106,7 @@ actionunban = if [ -f <tmpfile>.first ]; then
# Option: port
# Notes.: The target port for the attack (numerical). MUST be provided in the
# jail config, as it cannot be detected here.
# Values: [ NUM ] Default: ???
# Values: [ NUM ]
#
port = ???
@ -114,7 +114,7 @@ port = ???
# Notes.: Your DShield user ID. Should be provided either in the jail config or
# in a .local file.
# Register at https://secure.dshield.org/register.html
# Values: [ NUM ] Default: 0
# Values: [ NUM ]
#
userid = 0
@ -137,7 +137,7 @@ protocol = tcp
# Notes.: How many lines to buffer before making a report. Regardless of this,
# reports are sent a minimum of <minreportinterval> apart, or if the
# buffer contains an event over <maxbufferage> old, or on shutdown
# Values: [ NUM ] Default: 50
# Values: [ NUM ]
#
lines = 50
@ -145,7 +145,7 @@ lines = 50
# Notes.: Minimum period (in seconds) that must elapse before we submit another
# batch of reports. DShield request a minimum of 1 hour (3600 secs)
# between reports.
# Values: [ NUM ] Default: 3600
# Values: [ NUM ]
#
minreportinterval = 3600
@ -154,27 +154,27 @@ minreportinterval = 3600
# submit the batch, even if we haven't reached <lines> yet. Note that
# this is only checked on each ban/unban, and that we always send
# anything in the buffer on shutdown. Must be greater than
# Values: [ NUM ] Default: 21600 (6 hours)
# Values: [ NUM ]
#
maxbufferage = 21600
# Option: srcport
# Notes.: The source port of the attack. You're unlikely to have this info, so
# you can leave the default
# Values: [ NUM ] Default: ???
# Values: [ NUM ]
#
srcport = ???
# Option: tcpflags
# Notes.: TCP flags on attack. You're unlikely to have this info, so you can
# leave empty
# Values: [ STRING ] Default: (empty)
# Values: [ STRING ]
#
tcpflags =
# Option: mailcmd
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
# Values: CMD Default: mail -s
# Values: CMD
#
mailcmd = mail -s
@ -186,19 +186,19 @@ mailcmd = mail -s
# the one configured at DShield - the '--' indicates arguments to be
# passed to Sendmail):
# -- -f me@example.com
# Values: [ STRING ] Default: (empty)
# Values: [ STRING ]
#
mailargs =
# Option: dest
# Notes.: Destination e-mail address for reports
# Values: [ STRING ] Default: reports@dshield.org
# Values: [ STRING ]
#
dest = reports@dshield.org
# Option: tmpfile
# Notes.: Base name of temporary files used for buffering
# Values: [ STRING ] Default: /var/run/fail2ban/tmp-dshield
# Values: [ STRING ]
#
tmpfile = /var/run/fail2ban/tmp-dshield

58
config/action.d/firewall-cmd-direct-new.conf Normal file
View File

@ -0,0 +1,58 @@
# Fail2Ban configuration file
#
# Author: Edgar Hoch
# Copied from iptables-new.conf and modified for use with firewalld by Edgar Hoch.
# It uses "firewall-cmd" instead of "iptables".
# firewall-cmd is based on the command of version firewalld-0.3.4-1.fc19.
[INCLUDES]
before = iptables-blocktype.conf
[Definition]
actionstart = firewall-cmd --direct --add-chain ipv4 filter fail2ban-<name>
firewall-cmd --direct --add-rule ipv4 filter fail2ban-<name> 1000 -j RETURN
firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
# The following rule does not work, because firewalld keeps its own database of firewall rules.
# firewall-cmd --direct --passthrough ipv4 -F fail2ban-<name>
# The better rule would be the following, but firewall-cmd has not implemented this command with firewalld-0.3.3-2.fc19 .
# firewall-cmd --direct --flush-chain ipv4 filter fail2ban-<name>
# The following is a workaround using a loop to implement the --flush-chain command.
# https://fedorahosted.org/firewalld/ticket/10
actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
( IFS='|' ; for r in $( firewall-cmd --direct --get-rules ipv4 filter fail2ban-<name> | tr '\n' '|' ) ; do eval firewall-cmd --direct --remove-rule ipv4 filter fail2ban-<name> $r ; done )
firewall-cmd --direct --remove-chain ipv4 filter fail2ban-<name>
actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q 'fail2ban-<name>[ \t]'
actionban = firewall-cmd --direct --add-rule ipv4 filter fail2ban-<name> 0 -s <ip> -j <blocktype>
actionunban = firewall-cmd --direct --remove-rule ipv4 filter fail2ban-<name> 0 -s <ip> -j <blocktype>
[Init]
# Default name of the chain
#
name = default
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ]
#
port = ssh
# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ]
#
protocol = tcp
# Option: chain
# Notes specifies the iptables chain to which the fail2ban rules should be
# added
# Values: [ STRING ]
#
chain = INPUT_direct

9
config/action.d/iptables-ipset-proto4.conf
View File

@ -11,12 +11,11 @@
# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
#
# If you are running on an older kernel you make need to patch in external
# modules.
# modules. Debian squeeze can do this with:
# apt-get install xtables-addons-source
# module-assistant auto-install xtables-addons
#
# On Debian machines this can be done with:
#
# apt-get install ipset xtables-addons-source
# module-assistant auto-install xtables-addons
# Debian wheezy and above uses protocol 6
[INCLUDES]

64
config/action.d/iptables-ipset-proto6-allports.conf Normal file
View File

@ -0,0 +1,64 @@
# Fail2Ban configuration file
#
# Author: Daniel Black
#
# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
# Use ipset -V to see the protocol and version. Version 4 should use
# iptables-ipset-proto4.conf.
#
# This requires the program ipset which is normally in package called ipset.
#
# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
#
# If you are running on an older kernel you make need to patch in external
# modules which probably won't be protocol version 6.
[INCLUDES]
before = iptables-blocktype.conf
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
iptables -I INPUT -m set --match-set fail2ban-<name> src -j <blocktype>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D INPUT -m set --match-set fail2ban-<name> src -j <blocktype>
ipset flush fail2ban-<name>
ipset destroy fail2ban-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = ipset del fail2ban-<name> <ip> -exist
[Init]
# Default name of the ipset
#
name = default
# Option: bantime
# Notes: specifies the bantime in seconds (handled internally rather than by fail2ban)
# Values: [ NUM ] Default: 600
bantime = 600

9
config/action.d/iptables-ipset-proto6.conf
View File

@ -12,11 +12,6 @@
#
# If you are running on an older kernel you make need to patch in external
# modules.
#
# On Debian machines this can be done with:
#
# apt-get install ipset xtables-addons-source
# module-assistant auto-install xtables-addons
[INCLUDES]
@ -30,13 +25,13 @@ before = iptables-blocktype.conf
# Values: CMD
#
actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j DROP
iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j DROP
actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
ipset flush fail2ban-<name>
ipset destroy fail2ban-<name>

6
config/action.d/mail-buffered.conf
View File

@ -14,7 +14,7 @@ actionstart = printf %%b "Hi,\n
The jail <name> has been started successfully.\n
Output will be buffered until <lines> lines are available.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
@ -25,13 +25,13 @@ actionstop = if [ -f <tmpfile> ]; then
These hosts have been banned by Fail2Ban.\n
`cat <tmpfile>`
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest>
Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary from `uname -n`" <dest>
rm <tmpfile>
fi
printf %%b "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command

6
config/action.d/mail-whois-lines.conf
View File

@ -13,7 +13,7 @@
actionstart = printf %%b "Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
@ -22,7 +22,7 @@ actionstart = printf %%b "Hi,\n
actionstop = printf %%b "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
@ -44,7 +44,7 @@ actionban = printf %%b "Hi,\n
Lines containing IP:<ip> in <logpath>\n
`grep '\<<ip>\>' <logpath>`\n\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip>" <dest>
Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the

6
config/action.d/mail-whois.conf
View File

@ -13,7 +13,7 @@
actionstart = printf %%b "Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
@ -22,7 +22,7 @@ actionstart = printf %%b "Hi,\n
actionstop = printf %%b "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
@ -42,7 +42,7 @@ actionban = printf %%b "Hi,\n
Here are more information about <ip>:\n
`whois <ip>`\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip>" <dest>
Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the

6
config/action.d/mail.conf
View File

@ -13,7 +13,7 @@
actionstart = printf %%b "Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
Fail2Ban"|mail -s "[Fail2Ban] <name>: started on `uname -n`" <dest>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
@ -22,7 +22,7 @@ actionstart = printf %%b "Hi,\n
actionstop = printf %%b "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped on `uname -n`" <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
@ -40,7 +40,7 @@ actionban = printf %%b "Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip>" <dest>
Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the

16
config/action.d/osx-afctl.conf Normal file
View File

@ -0,0 +1,16 @@
# Fail2Ban configuration file for using afctl on Mac OS X Server 10.5
#
# Anonymous author
# http://www.fail2ban.org/wiki/index.php?title=HOWTO_Mac_OS_X_Server_(10.5)&diff=prev&oldid=4081
#
# Ref: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/afctl.8.html
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = /usr/libexec/afctl -a <ip> -t <bantime>
actionunban = /usr/libexec/afctl -r <ip>
[Init]
bantime = 2880

2
config/action.d/pf.conf
View File

@ -56,7 +56,7 @@ actionunban = /sbin/pfctl -t <tablename> -T delete <ip>/32
[Init]
# Option: tablename
# Notes.: The pf table name.
# Values: [ STRING ] Default: fail2ban
# Values: [ STRING ]
#
tablename = fail2ban

8
config/action.d/sendmail-buffered.conf
View File

@ -14,7 +14,7 @@ before = sendmail-common.conf
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
@ -28,7 +28,7 @@ actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
# Values: CMD
#
actionstop = if [ -f <tmpfile> ]; then
printf %%b "Subject: [Fail2Ban] <name>: summary
printf %%b "Subject: [Fail2Ban] <name>: summary from `uname -n`
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
@ -38,7 +38,7 @@ actionstop = if [ -f <tmpfile> ]; then
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
rm <tmpfile>
fi
printf %%b "Subject: [Fail2Ban] <name>: stopped
printf %%b "Subject: [Fail2Ban] <name>: stopped on `uname -n`
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
@ -61,7 +61,7 @@ actioncheck =
actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
LINE=$( wc -l <tmpfile> | awk '{ print $1 }' )
if [ $LINE -ge <lines> ]; then
printf %%b "Subject: [Fail2Ban] <name>: summary
printf %%b "Subject: [Fail2Ban] <name>: summary from `uname -n`
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n

6
config/action.d/sendmail-whois-lines.conf
View File

@ -14,7 +14,7 @@ before = sendmail-common.conf
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
From: <sendername> <<sender>>
To: <dest>\n
@ -27,7 +27,7 @@ actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped
actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on `uname -n`
Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
From: <sendername> <<sender>>
To: <dest>\n
@ -48,7 +48,7 @@ actioncheck =
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
From: <sendername> <<sender>>
To: <dest>\n

6
config/action.d/sendmail-whois.conf
View File

@ -14,7 +14,7 @@ before = sendmail-common.conf
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
From: <sendername> <<sender>>
To: <dest>\n
@ -27,7 +27,7 @@ actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped
actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on `uname -n`
Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
From: <sendername> <<sender>>
To: <dest>\n
@ -48,7 +48,7 @@ actioncheck =
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
From: <sendername> <<sender>>
To: <dest>\n

6
config/action.d/sendmail.conf
View File

@ -14,7 +14,7 @@ before = sendmail-common.conf
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
From: <sendername> <<sender>>
To: <dest>\n
@ -27,7 +27,7 @@ actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped
actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on `uname -n`
Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
From: <sendername> <<sender>>
To: <dest>\n
@ -48,7 +48,7 @@ actioncheck =
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
From: <sendername> <<sender>>
To: <dest>\n

34
config/fail2ban.conf
View File

@ -11,24 +11,24 @@
[Definition]
# Option: loglevel
# Notes.: Set the log level output.
# 1 = ERROR
# 2 = WARN
# 3 = INFO
# 4 = DEBUG
# Values: NUM Default: 3
# Option: loglevel
# Notes.: Set the log level output.
# 1 = ERROR
# 2 = WARN
# 3 = INFO
# 4 = DEBUG
# Values: [ NUM ] Default: 1
#
loglevel = 3
# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
# Only one log target can be specified.
# If you change logtarget from the default value and you are
# using logrotate -- also adjust or disable rotation in the
# corresponding configuration file
# (e.g. /etc/logrotate.d/fail2ban on Debian systems)
# Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log
# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
# Only one log target can be specified.
# If you change logtarget from the default value and you are
# using logrotate -- also adjust or disable rotation in the
# corresponding configuration file
# (e.g. /etc/logrotate.d/fail2ban on Debian systems)
# Values: [ STDOUT | STDERR | SYSLOG | FILE ] Default: STDERR
#
logtarget = /var/log/fail2ban.log
@ -36,14 +36,14 @@ logtarget = /var/log/fail2ban.log
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
# not remove this file when Fail2ban runs. It will not be possible to
# communicate with the server afterwards.
# Values: FILE Default: /var/run/fail2ban/fail2ban.sock
# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock
# Option: pidfile
# Notes.: Set the PID file. This is used to store the process ID of the
# fail2ban server.
# Values: FILE Default: /var/run/fail2ban/fail2ban.pid
# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.pid
#
pidfile = /var/run/fail2ban/fail2ban.pid

20
config/filter.d/3proxy.conf
View File

@ -1,18 +1,18 @@
# Fail2Ban configuration file
# Fail2Ban filter for 3proxy
#
# Author: Daniel Black
#
# Requested by ykimon in https://github.com/fail2ban/fail2ban/issues/246
#
[Definition]
# Option: failregex
# Notes.: http://www.3proxy.ru/howtoe.asp#ERRORS indicates that 01-09 are
# all authentication problems (%E field)
# Log format is: "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
# Values: TEXT
#
failregex = ^\s[+-]\d{4} \S+ \d{3}0[1-9] \S+ <HOST>:\d+ [\d.]+:\d+ \d+ \d+ \d+\s
ignoreregex =
# DEV Notes:
# http://www.3proxy.ru/howtoe.asp#ERRORS indicates that 01-09 are
# all authentication problems (%E field)
# Log format is: "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
#
# Requested by ykimon in https://github.com/fail2ban/fail2ban/issues/246
# Author: Daniel Black

48
config/filter.d/apache-auth.conf
View File

@ -1,17 +1,33 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# Fail2Ban apache-auth filter
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
# apache-common.local
before = apache-common.conf
[Definition]
failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*\s*$
^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$
^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$
^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*\s*$
^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$
^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*' in realm `.+' (not found|denied by provider): \S*\s*$
^%(_apache_error_client)s (AH01631: )?user .*: authorization failure for "\S*":\s*$
^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+\s*$
^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*' but expected `.+'\s*$
^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*' received: \S*\s*$
^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*$
^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .* received - user attempted time travel\s*$
ignoreregex =
# DEV Notes:
#
# This filter matches the authorization failures of Apache. It takes the log messages
# from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or
# HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR.
@ -34,23 +50,5 @@ before = apache-common.conf
# ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$
# ^%(_apache_error_client)s (AH02486: )?realm mismatch - got `.*' but no realm specified\s*$
#
failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*\s*$
^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$
^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$
^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*\s*$
^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$
^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*' in realm `.+' (not found|denied by provider): \S*\s*$
^%(_apache_error_client)s (AH01631: )?user .*: authorization failure for "\S*":\s*$
^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+\s*$
^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*' but expected `.+'\s*$
^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*' received: \S*\s*$
^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*$
^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .* received - user attempted time travel\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Cyril Jaquier
# Major edits by Daniel Black

26
config/filter.d/apache-badbots.conf
View File

@ -1,27 +1,21 @@
# Fail2Ban configuration file
#
# List of bad bots fetched from http://www.user-agents.org
# Generated on Sun Feb 11 01:09:15 EST 2007 by ./badbots.sh
#
# Author: Yaroslav Halchenko
#
#
# Regexp to catch known spambots and software alike. Please verify
# that it is your intent to block IPs which were driven by
# above mentioned bots.
[Definition]
badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider
badbots = atSpider/1\.0|autoemailspider|China Local Browse 2\.6|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|MVAClient|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|sogou spider|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|WebVulnCrawl\.blogspot\.com/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00
# Option: failregex
# Notes.: Regexp to catch known spambots and software alike. Please verify
# that it is your intent to block IPs which were driven by
# above mentioned bots.
# Values: TEXT
#
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# DEV Notes:
# List of bad bots fetched from http://www.user-agents.org
# Generated on Sun Feb 11 01:09:15 EST 2007 by ./badbots.sh
#
# Author: Yaroslav Halchenko

13
config/filter.d/apache-common.conf
View File

@ -1,21 +1,20 @@
# Generic configuration items (to be used as interpolations) in other
# apache filters
#
# Author: Yaroslav Halchenko
#
#
# apache filters.
[INCLUDES]
# Load customizations if any available
after = apache-common.local
[DEFAULT]
_apache_error_client = \[\] \[(error|\S+:\S+)\]( \[pid \d+:\S+ \d+\])? \[client <HOST>(:\d{1,5})?\]
# Common prefix for [error] apache messages which also would include <HOST>
# Depending on the version it could be
# 2.2: [Sat Jun 01 11:23:08 2013] [error] [client 1.2.3.4]
# 2.4: [Thu Jun 27 11:55:44.569531 2013] [core:info] [pid 4101:tid 2992634688] [client 1.2.3.4:46652]
#
# Reference: https://github.com/fail2ban/fail2ban/issues/268
_apache_error_client = \[\] \[(error|\S+:\S+)\]( \[pid \d+:\S+ \d+\])? \[client <HOST>(:\d{1,5})?\]
#
# Author: Yaroslav Halchenko

26
config/filter.d/apache-nohome.conf
View File

@ -1,28 +1,20 @@
# Fail2Ban configuration file
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# Fail2Ban filter to web requests for home directories on Apache servers
#
# Regex to match failures to find a home directory on a server, which
# became popular last days. Most often attacker just uses IP instead of
# domain name -- so expect to see them in generic error.log if you have
# per-domain log files.
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
# overwrite with apache-common.local if _apache_error_client is incorrect.
before = apache-common.conf
[Definition]
# Option: failregex
# Notes.: regex to match failures to find a home directory on a server, which
# became popular last days. Most often attacker just uses IP instead of
# domain name -- so expect to see them in generic error.log if you have
# per-domain log files.
# Values: TEXT
#
failregex = ^%(_apache_error_client)s (AH00128: )?File does not exist: .*/~.*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Yaroslav O. Halchenko <debian@onerussian.com>

21
config/filter.d/apache-noscript.conf
View File

@ -1,29 +1,18 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Fail2Ban filter to block web requests for scripts (on non scripted websites)
#
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
# overwrite with apache-common.local if _apache_error_client is incorrect.
before = apache-common.conf
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$
^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Cyril Jaquier

18
config/filter.d/apache-overflows.conf
View File

@ -1,25 +1,15 @@
# Fail2Ban configuration file
#
# Author: Tim Connors
#
# Fail2Ban filter to block web requests on a long or suspicious nature
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
# overwrite with apache-common.local if _apache_error_client is incorrect.
before = apache-common.conf
[Definition]
# Option: failregex
# Notes.: Regexp to catch Apache overflow attempts.
# Values: TEXT
#
failregex = ^%(_apache_error_client)s (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string)
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Tim Connors

27
config/filter.d/assp.conf
View File

@ -1,33 +1,24 @@
# Fail2Ban configuration file
# for Anti-Spam SMTP Proxy Server also known as ASSP
# Fail2Ban filter for Anti-Spam SMTP Proxy Server also known as ASSP
#
# Honmepage: http://www.magicvillage.de/~Fritz_Borgstedt/assp/0003D91C-8000001C/
# ProjektSite: http://sourceforge.net/projects/assp/?source=directory
#
# Author: Enrico Labedzki (enrico.labedzki@deiwos.de)
#
[Definition]
# Option: failregex
# Notes.: regex to match the SMTP failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# Examples: Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
# Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
# Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded
__assp_actions = (?:dropping|refusing)
failregex = ^(:? \[SSL-out\])? <HOST> max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: \w+;$
^(?: \[SSL-out\])? <HOST> SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$
^ Blocking <HOST> - too much AUTH errors \(\d{,3}\);$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# DEV Notes:
#
# Examples: Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
# Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
# Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded
#
# Author: Enrico Labedzki (enrico.labedzki@deiwos.de)

24
config/filter.d/asterisk.conf
View File

@ -1,22 +1,11 @@
# Fail2Ban configuration file
# Fail2Ban filter for asterisk authentication failures
#
# Author: Xavier Devlamynck
#
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
__pid_re = (?:\[\d+\])
# All Asterisk log messages begin like this:
log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[\S+\d*\])? \S+:\d*
failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - Wrong password$
@ -34,10 +23,7 @@ failregex = ^%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?'
^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d+",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Xavier Devlamynck

8
config/filter.d/common.conf
View File

@ -1,9 +1,6 @@
# Generic configuration items (to be used as interpolations) in other
# filters or actions configurations
#
# Author: Yaroslav Halchenko
#
#
[INCLUDES]
@ -41,12 +38,14 @@ __kernel_prefix = kernel: \[\d+\.\d+\]
__hostname = \S+
# A MD5 hex
# EXAMPLES: 07:06:27:55:b0:e3:0c:3c:5a:28:2d:7c:7e:4c:77:5f
__md5hex = (?:[\da-f]{2}:){15}[\da-f]{2}
# bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or
# <auth.info> appearing before the host as per testcases/files/logs/bsd/*.
__bsd_syslog_verbose = (<[^.]+\.[^.]+>)
#
# Common line prefixes (beginnings) which could be used in filters
#
# [bsdverbose]? [hostname] [vserver tag] daemon_id spaces
@ -54,3 +53,4 @@ __bsd_syslog_verbose = (<[^.]+\.[^.]+>)
# This can be optional (for instance if we match named native log files)
__prefix_line = \s*%(__bsd_syslog_verbose)s?\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s%(__daemon_extra_re)s?\s*
# Author: Yaroslav Halchenko

21
config/filter.d/courier-auth.conf
View File

@ -1,8 +1,4 @@
# Fail2Ban configuration file
#
# Author: Christoph Haas
# Modified by: Cyril Jaquier
#
# Fail2Ban filter for courier authentication failures
#
[INCLUDES]
@ -11,22 +7,13 @@
# common.local
before = common.conf
[Definition]
_daemon = (?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)?
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)sLOGIN FAILED, user=.*, ip=\[<HOST>\]$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Christoph Haas
# Modified by: Cyril Jaquier

18
config/filter.d/courier-smtp.conf
View File

@ -1,6 +1,4 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Fail2Ban filter to block relay attempts though a Courier smtp server
#
#
@ -10,22 +8,12 @@
# common.local
before = common.conf
[Definition]
_daemon = courieresmtpd
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)serror,relay=<HOST>,.*: 550 User unknown\.$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Cyril Jaquier

17
config/filter.d/cyrus-imap.conf
View File

@ -1,6 +1,5 @@
# Fail2Ban configuration file
# Fail2Ban filter for authentication failures on Cyrus imap server
#
# Author: Jan Wagner <waja@cyconet.org>
#
#
@ -10,22 +9,12 @@
# common.local
before = common.conf
[Definition]
_daemon = (?:cyrus/)?(?:imapd?|pop3d?)
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ .*?\[?SASL\(-13\): authentication failure: .*\]?$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Jan Wagner <waja@cyconet.org>

29
config/filter.d/dovecot.conf
View File

@ -1,7 +1,5 @@
# Fail2Ban configuration file for dovecot
# Fail2Ban filter Dovecot authentication and pop3/imap server
#
# Author: Martin Waschbuesch
# Daniel Black (rewrote with begin and end anchors)
[INCLUDES]
@ -9,26 +7,21 @@ before = common.conf
[Definition]
_daemon = dovecot(-auth)?
_daemon = (auth|dovecot(-auth)?|auth-worker)
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# first regex is essentially a copy of pam-generic.conf
# Values: TEXT
#
failregex = ^%(__prefix_line)s(pam_unix(\(\S+\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use disabled \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
[Init]
# Option: journalmatch
# Notes.: systemd journalctl style match filter for journal based backends
# Values: TEXT
#
journalmatch = _SYSTEMD_UNIT=dovecot.service
# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly
#
# Author: Martin Waschbuesch
# Daniel Black (rewrote with begin and end anchors)

59
config/filter.d/dropbear.conf
View File

@ -1,8 +1,15 @@
# Fail2Ban configuration file
# Fail2Ban filter for dropbear
#
# Author: Francis Russell
# Zak B. Elep
# NOTE: The regex below is ONLY intended to work with a patched
# version of Dropbear as described here:
# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
# ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
#
# The standard Dropbear output doesn't provide enough information to
# ban all types of attack. The Dropbear patch adds IP address
# information to the 'exit before auth' message which is always
# produced for any form of non-successful login. It is that message
# which this file matches.
#
# More information: http://bugs.debian.org/546913
@ -12,41 +19,23 @@
# common.local
before = common.conf
[Definition]
_daemon = dropbear
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
failregex = ^%(__prefix_line)s[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:.*$
^%(__prefix_line)s[Bb]ad (PAM )?password attempt for .+ from <HOST>.*$
^%(__prefix_line)s[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
# These match the unmodified dropbear messages. It isn't possible to
# match the source of the 'exit before auth' messages from dropbear.
#
failregex = ^%(__prefix_line)s(L|l)ogin attempt for nonexistent user ('.*' )?from <HOST>:.*\s*$
^%(__prefix_line)s(B|b)ad password attempt for .+ from <HOST>:.*\s*$
^%(__prefix_line)sExit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
# The only line we need to match with the modified dropbear.
# NOTE: The failregex below is ONLY intended to work with a patched
# version of Dropbear as described here:
# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
#
# The standard Dropbear output doesn't provide enough information to
# ban all types of attack. The Dropbear patch adds IP address
# information to the 'exit before auth' message which is always
# produced for any form of non-successful login. It is that message
# which this file matches.
# failregex = ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# DEV Notes:
#
# The first two regexs here match the unmodified dropbear messages. It isn't
# possible to match the source of the 'exit before auth' messages from dropbear
# as they don't include the "from <HOST>" bit.
#
# The second last failregex line we need to match with the modified dropbear.
#
# Author: Francis Russell
# Zak B. Elep

11
config/filter.d/exim-common.conf
View File

@ -1,17 +1,18 @@
# Fail2Ban configuration file for exim
#
# Author: Daniel Black
# Fail2Ban filter file for common exim expressions
#
# This is to be used by other exim filters
[INCLUDES]
# Load customizations if any available
#
after = exim-common.local
[Definition]
# From exim source code: ./src/receive.c:add_host_info_for_log
host_info = H=([\w.-]+ )?(\(\S+\) )?\[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?(U=\S+ )?(P=e?smtp )?
pid = ( \[\d+\])?
# DEV Notes:
# From exim source code: ./src/receive.c:add_host_info_for_log
#
# Author: Daniel Black

21
config/filter.d/exim-spam.conf
View File

@ -1,9 +1,5 @@
# Fail2Ban configuration file
# Fail2Ban filter for exim the spam rejection messages
#
# Author: Cyril Jaquier
# Daniel Black (rewrote with strong regexs)
#
[INCLUDES]
@ -11,19 +7,16 @@
# exim-common.local
before = exim-common.conf
[Definition]
# Option: failregex
# Notes.: This includes the spam rejection messages of exim.
# Note the %(host_info) defination contains a <HOST> match
failregex = ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$
^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: .*dnsbl.*\s*$
^%(pid)s \S+ %(host_info)sF=(<>|[^@]+@\S+) rejected after DATA: This message contains a virus \(\S+\)\.\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# DEV Notes:
# The %(host_info) defination contains a <HOST> match
#
# Author: Cyril Jaquier
# Daniel Black (rewrote with strong regexs)

22
config/filter.d/exim.conf
View File

@ -1,7 +1,7 @@
# Fail2Ban configuration file
# Fail2Ban filter for exim
#
# Author: Cyril Jaquier
# Daniel Black (rewrote with strong regexs)
# This includes the rejection messages of exim. For spam and filter
# related bans use the exim-spam.conf
#
@ -11,22 +11,18 @@
# exim-common.local
before = exim-common.conf
[Definition]
# Option: failregex
# Notes.: This includes the rejection messages of exim. For spam and filter
# related bans use the exim-spam.conf
# Note the %(host_info) defination contains a <HOST> match
failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
^%(pid)s (plain|login) authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
^%(pid)s SMTP protocol synchronization error \(.*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# DEV Notes:
# The %(host_info) defination contains a <HOST> match
#
# Author: Cyril Jaquier
# Daniel Black (rewrote with strong regexs)

23
config/filter.d/gssftpd.conf
View File

@ -1,19 +1,18 @@
# Fail2Ban configuration file for wuftpd
#
# Author: Kevin Zembower (copied from wsftpd.conf)
# Fail2Ban filter file for gssftp
#
# Note: gssftp is part of the krb5-appl-servers in Fedora
#
[INCLUDES]
before = common.conf
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = ftpd(?:\[\d+\])?:\s+repeated login failures from <HOST> \(\S+\)$
_daemon = ftpd
failregex = ^%(__prefix_line)srepeated login failures from <HOST> \(\S+\)$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Kevin Zembower
# Edited: Daniel Black - syslog based daemon

14
config/filter.d/lighttpd-auth.conf
View File

@ -1,18 +1,10 @@
# Fail2Ban configuration file
#
# Author: Francois Boulogne <fboulogne@april.org>
# Fail2Ban filter to match wrong passwords as notified by lighttpd's auth Module
#
[Definition]
# Option: failregex
# Notes.: regex to match wrong passwords as notified by lighttpd's auth Module
# Values: TEXT
#
failregex = ^: \(http_auth\.c\.\d+\) (password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: <HOST>\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Francois Boulogne <fboulogne@april.org>

35
config/filter.d/mysqld-auth.conf
View File

@ -1,8 +1,11 @@
# Fail2Ban configuration file for unsuccesfull MySQL authentication attempts
# Fail2Ban filter for unsuccesfull MySQL authentication attempts
#
# Authors: Artur Penttinen
# Yaroslav O. Halchenko
#
# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld]:
# log-error=/var/log/mysqld.log
# log-warning = 2
#
# If using mysql syslog [mysql_safe] has syslog in /etc/my.cnf
[INCLUDES]
@ -10,22 +13,20 @@
# common.local
before = common.conf
[Definition]
#_daemon = mysqld
_daemon = mysqld
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
# 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
failregex = Access denied for user '\w+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
failregex = ^%(__prefix_line)s(\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[Warning\] Access denied for user '\w+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# DEV Notes:
#
# Technically __prefix_line can equate to an empty string hence it can support
# syslog and non-syslog at once.
# Example:
# 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
#
# Authors: Artur Penttinen
# Yaroslav O. Halchenko

32
config/filter.d/named-refused.conf
View File

@ -1,28 +1,46 @@
# Fail2Ban configuration file for named (bind9). Trying to generalize the
# structure which is general to capture general patterns in log
# lines to cover different configurations/distributions
# Fail2Ban filter file for named (bind9).
#
# Author: Yaroslav Halchenko
# This filter blocks attacks against named (bind9) however it requires special
# configuration on bind.
#
# By default, logging is off with bind9 installation.
#
# You will need something like this in your named.conf to provide proper logging.
#
# logging {
# channel security_file {
# file "/var/log/named/security.log" versions 3 size 30m;
# severity dynamic;
# print-time yes;
# };
# category security {
# security_file;
# };
# };
[Definition]
#
# Daemon name
_daemon=named
#
# Shortcuts for easier comprehension of the failregex
__pid_re=(?:\[\d+\])
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
# hostname daemon_id spaces
# this can be optional (for instance if we match named native log files)
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
failregex = ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$
^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
# DEV Notes:
# Trying to generalize the
# structure which is general to capture general patterns in log
# lines to cover different configurations/distributions
#
# Author: Yaroslav Halchenko

35
config/filter.d/pam-generic.conf
View File

@ -1,30 +1,29 @@
# Fail2Ban configuration file for generic PAM authentication errors
#
# Author: Yaroslav Halchenko
#
#
[INCLUDES]
before = common.conf
[Definition]
# if you want to catch only login erros from specific daemons, use smth like
# if you want to catch only login errors from specific daemons, use something like
#_ttys_re=(?:ssh|pure-ftpd|ftp)
# To catch all failed logins
#
# Default: catch all failed logins
_ttys_re=\S*
#
# Shortcuts for easier comprehension of the failregex
__pid_re=(?:\[\d+\])
__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
__pam_combs_re=(?:%(__pid_re)s?:\s+%(__pam_re)s|%(__pam_re)s%(__pid_re)s?:)
_daemon = \S+
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = \s\S+ \S+%(__pam_combs_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# DEV Notes:
#
# for linux-pam before 0.99.2.0 (late 2005) (removed before 0.8.11 release)
# _daemon = \S*\(?pam_unix\)?
# failregex = ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
#
# Author: Yaroslav Halchenko

8
config/filter.d/perdition.conf
View File

@ -1,6 +1,4 @@
# Fail2Ban configuration file
#
# Author: Christophe Carles and Daniel Black
# Fail2Ban filter for perdition
#
#
@ -14,3 +12,7 @@ _daemon=perdition.\S+
failregex = ^%(__prefix_line)sAuth: <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+ client-secure=\S+ authorisation_id=NONE authentication_id=".+" server="\S+" protocol=\S+ server-secure=\S+ status="failed: (local authentication failure|Re-Authentication Failure)"$
^%(__prefix_line)sFatal Error reading authentication information from client <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+: Exiting child$
ignoreregex =
# Author: Christophe Carles and Daniel Black

31
config/filter.d/php-url-fopen.conf
View File

@ -1,23 +1,20 @@
# Fail2Ban configuration file
# Fail2Ban filter for URLs with a URL as a script parameters
# which can be an indication of a fopen url php injection
#
# Example of web requests in Apache access log:
# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
ignoreregex =
# DEV Notes:
#
# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
# Version 2
# fixes the failregex so REFERERS that contain =http:// don't get blocked
# (mentioned by "fasuto" (no real email provided... blog comment) in this entry:
# http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489
#
[Definition]
# Option: failregex
# Notes.: regex to match this kind of request:
#
# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
#
failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>

14
config/filter.d/postfix-sasl.conf Normal file
View File

@ -0,0 +1,14 @@
# Fail2Ban filter for postfix authentication failures
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix/smtpd
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
# Author: Yaroslav Halchenko

22
config/filter.d/postfix.conf
View File

@ -1,6 +1,4 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Fail2Ban filter for selected Postfix SMTP rejections
#
#
@ -10,32 +8,18 @@
# common.local
before = common.conf
[Definition]
_daemon = postfix/smtpd
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
[Init]
# Option: journalmatch
# Notes.: systemd journalctl style match filter for journal based backends
# Values: TEXT
#
journalmatch = _SYSTEMD_UNIT=postfix.service
# Author: Cyril Jaquier

26
config/filter.d/proftpd.conf
View File

@ -1,36 +1,22 @@
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
# Daniel Black - hardening of regex
# Fail2Ban fitler for the Proftpd FTP daemon
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_deamon = proftpd
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
_daemon = proftpd
__suffix_failed_login = (User not authorized for login|No such user found|Incorrect password|Password expired|Account disabled|Invalid shell: '\S+'|User in \S+|Limit (access|configuration) denies login|Not a UserAlias|maximum login length exceeded).?
failregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$
^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ USER .* \(Login failed\): %(__suffix_failed_login)s\s*$
^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: .* login attempted\. *$
^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Yaroslav Halchenko
# Daniel Black - hardening of regex

25
config/filter.d/pure-ftpd.conf
View File

@ -1,28 +1,19 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav Halchenko for pure-ftpd
# Fail2Ban filter for pureftp
#
#
#
[INCLUDES]
before = common.conf
[Definition]
# Error message specified in multiple languages
__errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'utilisateur)
#
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$
failregex = ^%(__prefix_line)s\(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Cyril Jaquier
# Modified: Yaroslav Halchenko for pure-ftpd

37
config/filter.d/qmail.conf
View File

@ -1,22 +1,31 @@
# Fail2Ban configuration file
# Fail2Ban filters for qmail RBL patches/fake proxies
#
# Author: Cyril Jaquier
# the default djb RBL implementation doesn't log any rejections
# so is useless with this filter.
#
# One patch is here:
#
# http://www.tjsi.com/rblsmtpd/faq/ patch to rblsmtpd
[INCLUDES]
before = common.conf
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = (?:[\d,.]+[\d,.] rblsmtpd: |421 badiprbl: ip )<HOST>
_daemon = (?:qmail|rblsmtpd)
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
failregex = ^%(__prefix_line)s\d+\.\d+ rblsmtpd: <HOST> pid \d+ \S+ 4\d\d \S+\s*$
^%(__prefix_line)s\d+\.\d+ qmail-smtpd: 4\d\d badiprbl: ip <HOST> rbl: \S+\s*$
^%(__prefix_line)s\S+ blocked <HOST> \S+ -\s*$
ignoreregex =
# DEV Notes:
#
ignoreregex =
# These seem to be for two or 3 different patches to qmail or rblsmtpd
# so you'll probably only ever see one of these regex's that match.
#
# ref: https://github.com/fail2ban/fail2ban/pull/386
#
# Author: Daniel Black

36
config/filter.d/recidive.conf
View File

@ -1,9 +1,8 @@
# Fail2Ban configuration file
# Fail2Ban filter for repeat bans
#
# Author: Tom Hendrikx, modifications by Amir Caspi
#
# This filter monitors the fail2ban log file, and enables you to add long
# time bans for ip addresses that get banned by fail2ban multiple times.
#
# Reasons to use this: block very persistent attackers for a longer time,
# stop receiving email notifications about the same attacker over and
# over again.
@ -13,34 +12,25 @@
# drawbacks, namely in that it works only with iptables, or if you use a
# different blocking mechanism for this jail versus others (e.g. hostsdeny
# for most jails, and shorewall for this one).
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = fail2ban\.actions
# The name of the jail that this filter is used for. In jail.conf, name the
# jail using this filter 'recidive', or change this line!
_jailname = recidive
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = fail2ban.actions:\s+WARNING\s+\[(?:.*)\]\s+Ban\s+<HOST>
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
# Ignore our own bans, to keep our counts exact.
ignoreregex = fail2ban.actions:\s+WARNING\s+\[%(_jailname)s\]\s+Ban\s+<HOST>
failregex = ^(%(__prefix_line)s|,\d{3} fail2ban.actions:\s+)WARNING\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
[Init]
# Option: journalmatch
# Notes.: systemd journalctl style match filter for journal based backends
# Values: TEXT
#
journalmatch = _SYSTEMD_UNIT=fail2ban.service
# Author: Tom Hendrikx, modifications by Amir Caspi

14
config/filter.d/roundcube-auth.conf
View File

@ -1,6 +1,5 @@
# Fail2Ban configuration file for roundcube web server
#
# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge
#
#
@ -10,17 +9,8 @@ before = common.conf
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^\s*(\[\])?(%(__hostname)s roundcube: IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. AUTHENTICATE .*)?\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge

22
config/filter.d/sasl.conf
View File

@ -1,22 +0,0 @@
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

21
config/filter.d/selinux-common.conf Normal file
View File

@ -0,0 +1,21 @@
# Fail2Ban configuration file for generic SELinux audit messages
#
# This file is not intended to be used directly, and should be included into a
# filter file which would define following variables. See selinux-ssh.conf as
# and example.
#
# _type
# _uid
# _auid
# _subj
# _msg
#
# Also one of these variables must include <HOST>.
[Definition]
failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$
ignoreregex =
# Author: Daniel Black

25
config/filter.d/selinux-ssh.conf Normal file
View File

@ -0,0 +1,25 @@
# Fail2Ban configuration file for SELinux ssh authentication errors
#
[INCLUDES]
after = selinux-common.conf
[Definition]
_type = USER_(ERR|AUTH)
_uid = 0
_auid = \d+
_subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023
_exe =/usr/sbin/sshd
_terminal = ssh
_msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr=<HOST> terminal=%(_terminal)s res=failed
# DEV Notes:
#
# Note: USER_LOGIN is ignored as this is the duplicate messsage
# ssh logs after 3 USER_AUTH failures.
#
# Author: Daniel Black

18
config/filter.d/sieve.conf
View File

@ -1,7 +1,4 @@
# Fail2Ban configuration file
#
# Author: Jan Wagner <waja@cyconet.org>
#
# Fail2Ban filter for sieve authentication failures
#
[INCLUDES]
@ -10,21 +7,12 @@
# common.local
before = common.conf
[Definition]
_deamon = (?:cyrus/)?(?:tim)?sieved?
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching.
# Values: TEXT
#
failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ authentication failure$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Jan Wagner <waja@cyconet.org>

25
config/filter.d/sogo-auth.conf
View File

@ -1,20 +1,17 @@
# /etc/fail2ban/filter.d/sogo-auth.conf
#
# Fail2Ban configuration file
# By Arnd Brandes
# SOGo
# Fail2ban filter for SOGo authentcation
#
# Log file usually in /var/log/sogo/sogo.log
[Definition]
# Option: failregex
# Filter Ban in /var/log/sogo/sogo.log
# Note: the error log may contain multiple hosts, whereas the first one
# is the client and all others are poxys. We match the first one, only
failregex = Login from '<HOST>' for user '.*' might not have worked( - password policy: \d* grace: -?\d* expire: -?\d* bound: -?\d*)?\s*$
failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '<HOST>' for user '.*' might not have worked( - password policy: \d* grace: -?\d* expire: -?\d* bound: -?\d*)?\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
#
# DEV Notes:
#
# The error log may contain multiple hosts, whereas the first one
# is the client and all others are poxys. We match the first one, only
#
# Author: Arnd Brandes

21
config/filter.d/sshd-ddos.conf
View File

@ -1,6 +1,4 @@
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
# Fail2Ban ssh filter for at attempted exploit
#
# The regex here also relates to a exploit:
#
@ -20,25 +18,12 @@ before = common.conf
_daemon = sshd
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)sDid not receive identification string from <HOST>\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
[Init]
# Option: journalmatch
# Notes.: systemd journalctl style match filter for journal based backend
# Values: TEXT
#
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
# Author: Yaroslav Halchenko

29
config/filter.d/sshd.conf
View File

@ -1,7 +1,4 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# Fail2Ban filter for openssh
#
[INCLUDES]
@ -10,24 +7,13 @@
# common.local
before = common.conf
[Definition]
_daemon = sshd
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Multiline regexs should use tag "<SKIPLINES>" to separate lines.
# This allows lines between the matching lines to continue to be
# searched for other failures. This tag can be used multiple times.
# Values: TEXT
#
failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
^%(__prefix_line)sFailed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
^%(__prefix_line)sFailed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .{0,100}|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".{0,100}", client host ".{0,100}")?))?\s*$
^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
@ -38,10 +24,6 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|erro
^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: Bye Bye \[preauth\]$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
[Init]
@ -49,8 +31,7 @@ ignoreregex =
# "maxlines" is number of log lines to buffer for multi-line regex searches
maxlines = 10
# Option: journalmatch
# Notes.: systemd journalctl style match filter for journal based backend
# Values: TEXT
#
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black

31
config/filter.d/suhosin.conf
View File

@ -1,19 +1,28 @@
# Fail2Ban configuration file
# Fail2Ban filter for suhosian PHP hardening
#
# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
# This occurs with lighttpd or directly from the plugin
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
# Option: failregex
# Notes.: regex to match ALERTS as notified by lighttpd's FastCGI Module
# Values: TEXT
_daemon = (?:lighttpd|suhosin)
_lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s)
failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .* \(attacker '<HOST>', file '.*'(?:, line \d+)?\)$
ignoreregex =
# DEV Notes:
#
# https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161
failregex = ALERT - .* \(attacker '<HOST>', file '.*'(?:, line \d+)?\)$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>

17
config/filter.d/uwimap-auth.conf Normal file
View File

@ -0,0 +1,17 @@
# Fail2Ban filter for uwimap
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = (?:ipop3d|imapd)
failregex = ^%(__prefix_line)sLogin (?:failed|excessive login failures|disabled|SYSTEM BREAK-IN ATTEMPT) user=\S* auth=\S* host=.*\[<HOST>\]\s*$
^%(__prefix_line)sFailed .* override of user=.* host=.*\[<HOST>\]\s*$
ignoreregex =
# Author: Amir Caspi

29
config/filter.d/vsftpd.conf
View File

@ -1,23 +1,18 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# Fail2Ban filter for vsftp
#
[INCLUDES]
before = common.conf
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
\[.+\] FAIL LOGIN: Client "<HOST>"\s*$
__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
_daemon = vsftpd
failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
^ \[pid \d+\] \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Cyril Jaquier

39
config/filter.d/webmin-auth.conf
View File

@ -1,27 +1,24 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Rule by : Delvit Guillaume
#
# Fail2Ban filter for webmin
#
[INCLUDES]
before = common.conf
[Definition]
# patern : webmin[15673]: Non-existent login as toto from 86.0.6.217
_daemon = webmin
[Definition]
failregex = ^%(__prefix_line)sNon-existent login as .+ from <HOST>\s*$
^%(__prefix_line)sInvalid login as .+ from <HOST>\s*$
ignoreregex =
# DEV Notes:
#
# pattern : webmin[15673]: Non-existent login as toto from 86.0.6.217
# webmin[29544]: Invalid login as root from 86.0.6.217
#
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = webmin.* Non-existent login as .+ from <HOST>\s*$
webmin.* Invalid login as .+ from <HOST>\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Rule Author: Delvit Guillaume

12
config/filter.d/wuftpd.conf
View File

@ -1,7 +1,5 @@
# Fail2Ban configuration file for wuftpd
#
# Author: Yaroslav Halchenko
#
#
[INCLUDES]
@ -14,14 +12,8 @@ before = common.conf
_daemon = wu-ftpd
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = ^%(__prefix_line)sfailed login from \S+ \[<HOST>\]\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# Author: Yaroslav Halchenko

29
config/filter.d/xinetd-fail.conf
View File

@ -1,6 +1,6 @@
# Fail2Ban configuration file
# Fail2Ban filter for xinetd failures
#
# Author: Guido Bozzetto
# Cfr.: /var/log/(daemon\.|sys)log
#
#
@ -10,29 +10,18 @@
# common.local
before = common.conf
[Definition]
_daemon = xinetd
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
# Cfr.: /var/log/(daemon\.|sys)log
# libwrap => tcp wrappers: hosts.(allow|deny)
# address => xinetd: deny_from|only_from
# load => xinetd: max_load (temporary problem)
#
failregex = ^%(__prefix_line)sFAIL: \S+ address from=<HOST>$
^%(__prefix_line)sFAIL: \S+ libwrap from=<HOST>$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# DEV Notes:
#
# libwrap => tcp wrappers: hosts.(allow|deny)
# address => xinetd: deny_from|only_from
#
# Author: Guido Bozzetto

202
config/jail.conf
View File

@ -1,14 +1,23 @@
# Fail2Ban jail specifications file
# Fail2Ban jail base specification file
#
# WARNING: heavily refactored in 0.9.0 release. Please review and
# customize settings for your setup.
#
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in jail.local file,
# or separate .conf files under jail.d/ directory, e.g.:
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwitten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
#
# [DEFAULT]
# bantime = 3600
#
@ -17,6 +26,10 @@
#
# See jail.conf(5) man page for more information
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
@ -156,7 +169,9 @@ logpath = /var/log/auth.log
/var/log/sshd.log
[sshd-ddos]
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
port = ssh
logpath = /var/log/auth.log
/var/log/sshd.log
@ -168,27 +183,17 @@ filter = sshd
logpath = /var/log/dropbear
# Generic filter for PAM. Has to be used with action which bans all
# ports such as iptables-allports, shorewall
[pam-generic]
[selinux-ssh]
# pam-generic filter can be customized to monitor specific subset of 'tty's
banaction = iptables-allports
logpath = /var/log/auth.log
port = ssh
logpath = /var/log/audit/audit.log
maxretry = 5
[xinetd-fail]
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2
# .. custom jails
# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".
[sshd-tcpwrapper]
[ssh-tcpwrapper]
filter = sshd
action = hostsdeny[daemon_list=sshd]
@ -196,6 +201,7 @@ action = hostsdeny[daemon_list=sshd]
ignoreregex = for myuser from
logpath = /var/log/sshd.log
# Here we use blackhole routes for not requiring any additional kernel support
# to store large volumes of banned IPs
@ -205,6 +211,7 @@ filter = sshd
action = route
logpath = /var/log/sshd.log
# Here we use a combination of Netfilter/Iptables and IPsets
# for storing large volumes of banned IPs
#
@ -216,12 +223,22 @@ filter = sshd
action = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/sshd.log
[sshd-iptables-ipset6]
filter = sshd
action = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
logpath = /var/log/sshd.log
[sshd-apf]
filter = sshd
action = apf[name=SSH]
logpath = /var/log/secure
maxretry = 5
# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
@ -233,34 +250,42 @@ action = ipfw[localhost=192.168.0.1]
sendmail-whois[name="SSH,IPFW", dest=you@example.com]
logpath = /var/log/auth.log
# bsd-ipfw is ipfw used by BSD. It uses ipfw tables.
# table number must be unique.
#
# This will create a deny rule for that table ONLY if a rule
# for the table doesn't ready exist.
#
[ssh-bsd-ipfw]
[sshd-bsd-ipfw]
filter = sshd
action = bsd-ipfw[port=ssh,table=1]
logpath = /var/log/auth.log
# PF is a BSD based firewall
[ssh-pf]
[sshd-pf]
filter = sshd
action = pf
logpath = /var/log/sshd.log
maxretry= 5
# ipfw for osx (less capabilities that BSD)
[osx-ssh-ipfw]
enabled = false
# ipfw for osx (less capabilities that BSD)
[osx-sshd-ipfw]
filter = sshd
action = osx-ipfw
logpath = /var/log/secure.log
[osx-sshd-afctl]
filter = sshd
action = osx-afctl[bantime=600]
logpath = /var/log/secure.log
maxretry = 5
#
# HTTP servers
#
@ -315,20 +340,37 @@ logpath = /var/log/lighttpd/error.log
port = http,https
logpath = /var/log/lighttpd/error.log
[roundcube-auth]
port = http,https
logpath = /var/log/roundcube/userlogins
[sogo-auth]
# Monitor SOGo groupware server
port = http,https
# without proxy this would be:
# port = 20000
logpath = /var/log/sogo/sogo.log
[guacamole]
port = http,https
logpath = /var/log/tomcat*/catalina.out
[webmin-auth]
port = 10000
logpath = /var/log/auth.log
# ... custom jails
# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.
[apache-tcpwrapper]
filter = apache-auth
@ -338,7 +380,6 @@ maxretry = 6
[3proxy]
filter = 3proxy
port = 3128
logpath = /var/log/3proxy.log
@ -367,9 +408,9 @@ logpath = /var/log/vsftpd.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
# Do not ban anybody. Just report information about the remote host.
# A notification is sent at most every 600 seconds (bantime).
[vsftpd-notification]
filter = vsftpd
@ -379,11 +420,14 @@ maxretry = 5
bantime = 1800
[wuftpd]
# Same as above but with banning the IP address.
[vsftpd-iptables]
filter = vsftpd
port = ftp,ftp-data,ftps,ftps-data
logpath = /var/log/syslog
maxretry = 6
maxretry = 5
bantime = 1800
#
# Mail servers
@ -395,18 +439,18 @@ maxretry = 6
port = smtp,ssmtp,submission
logpath = /root/path/to/assp/logs/maillog.txt
[courier-smtp]
port = smtp,ssmtp,submission
logpath = /var/log/mail.log
[postfix]
port = smtp,ssmtp,submission
logpath = /var/log/mail.log
# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.
[postfix-tcpwrapper]
@ -416,13 +460,29 @@ action = hostsdeny[file=/not/a/standard/path/hosts.deny]
logpath = /var/log/postfix.log
bantime = 300
# dovecot defaults to logging to the mail syslog facility
# but can be set by syslog_facility in the dovecot configuration.
[dovecot]
port = pop3,pop3s,imap,imaps,submission,smtps,sieve
logpath = /var/log/mail.log
[dovecot-auth]
filter = dovecot
port = pop3,pop3s,imap,imaps,submission,smtps,sieve
logpath = /var/log/secure
[exim]
port = smtp,ssmtp,submission
logpath = /var/log/exim/mainlog
[exim-spam]
[exim-spam]
port = smtp,ssmtp,submission
logpath = /var/log/exim/mainlog
@ -438,7 +498,7 @@ port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
logpath = /var/log/mail.log
[sasl]
[postfix-sasl]
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
@ -446,10 +506,6 @@ port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
# "warn" level but overall at the smaller filesize.
logpath = /var/log/mail.log
[dovecot]
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
logpath = /var/log/mail.log
[perdition]
@ -460,22 +516,6 @@ logpath = /var/log/maillog
# DNS servers
#
# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
# channel security_file {
# file "/var/log/named/security.log" versions 3 size 30m;
# severity dynamic;
# print-time yes;
# };
# category security {
# security_file;
# };
# };
#
# in your named.conf to provide proper logging.
# This jail blocks UDP traffic for DNS requests.
# !!! WARNING !!!
# Since UDP is connection-less protocol, spoofing of IP and imitation
@ -485,6 +525,8 @@ logpath = /var/log/maillog
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing.
#
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks UDP traffic for DNS requests.
# [named-refused-udp]
#
# filter = named-refused
@ -492,6 +534,7 @@ logpath = /var/log/maillog
# protocol = udp
# logpath = /var/log/named/security.log
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks TCP traffic for DNS requests.
[named-refused]
@ -506,12 +549,32 @@ logpath = /var/log/named/security.log
[asterisk]
port = 5060,5061
logpath = /var/log/asterisk/messages
maxretry = 10
# Astrix requires both tcp and udp
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/messages
maxretry = 10
# Historical support (before https://github.com/fail2ban/fail2ban/issues/37 was fixed )
# use [asterisk] for new jails
[asterisk-tcp]
filter = asterisk
port = 5060,5061
logpath = /var/log/asterisk/messages
maxretry = 10
# Historical support (before https://github.com/fail2ban/fail2ban/issues/37 was fixed )
# use [asterisk] for new jails
[asterisk-udp]
filter = asterisk
port = 5060,5061
protocol = udp
logpath = /var/log/asterisk/messages
maxretry = 10
# To log wrong MySQL access attempts add to /etc/my.cnf:
# log-error=/var/log/mysqld.log
@ -520,11 +583,15 @@ action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp",
port = 3306
logpath = /var/log/mysqld.log
maxretry = 5
[guacamole]
port = http,https
logpath = /var/log/tomcat*/catalina.out
[mysqld-syslog-iptables]
filter = mysqld-auth
logpath = /var/log/daemon.log
maxretry = 5
# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
@ -534,9 +601,24 @@ logpath = /var/log/tomcat*/catalina.out
[recidive]
logpath = /var/log/fail2ban.log
action = iptables-allports[name=recidive]
sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
port = all
protocol = all
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 5
# Generic filter for PAM. Has to be used with action which bans all
# ports such as iptables-allports, shorewall
[pam-generic]
# pam-generic filter can be customized to monitor specific subset of 'tty's
banaction = iptables-allports
logpath = /var/log/auth.log
[xinetd-fail]
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2

13
fail2ban/client/configreader.py
View File

@ -54,16 +54,19 @@ class ConfigReader(SafeConfigParserWithIncludes):
% self._basedir)
basename = os.path.join(self._basedir, filename)
logSys.debug("Reading configs for %s under %s " % (basename, self._basedir))
config_files = [ basename + ".conf",
basename + ".local" ]
# choose only existing ones
config_files = filter(os.path.exists, config_files)
config_files = [ basename + ".conf" ]
# possible further customizations under a .conf.d directory
config_dir = basename + '.d'
config_files += sorted(glob.glob('%s/*.conf' % config_dir))
config_files.append(basename + ".local")
config_files += sorted(glob.glob('%s/*.local' % config_dir))
# choose only existing ones
config_files = filter(os.path.exists, config_files)
if len(config_files):
# at least one config exists and accessible
logSys.debug("Reading config files: " + ', '.join(config_files))

22
fail2ban/client/jailreader.py
View File

@ -24,7 +24,7 @@ __author__ = "Cyril Jaquier"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"
import logging, re, glob
import logging, re, glob, os.path
from configreader import ConfigReader
from filterreader import FilterReader
@ -63,7 +63,23 @@ class JailReader(ConfigReader):
def isEnabled(self):
return self.__force_enable or self.__opts["enabled"]
@staticmethod
def _glob(path):
"""Given a path for glob return list of files to be passed to server.
Dangling symlinks are warned about and not returned
"""
pathList = []
for p in glob.glob(path):
if not os.path.exists(p):
logSys.warning("File %s doesn't even exist, thus cannot be monitored" % p)
elif not os.path.lexists(p):
logSys.warning("File %s is a dangling link, thus cannot be monitored" % p)
else:
pathList.append(p)
return pathList
def getOptions(self):
opts = [["bool", "enabled", "false"],
["string", "logpath", "/var/log/messages"],
@ -131,7 +147,7 @@ class JailReader(ConfigReader):
self.__opts.get('backend', None) != "systemd":
found_files = 0
for path in self.__opts[opt].split("\n"):
pathList = glob.glob(path)
pathList = JailReader._glob(path)
if len(pathList) == 0:
logSys.error("No file(s) found for glob %s" % path)
for p in pathList:

18
fail2ban/helpers.py
View File

@ -17,24 +17,12 @@
# along with Fail2Ban; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
__author__ = "Cyril Jaquier, Arturo 'Buanzo' Busleiman"
__copyright__ = "Copyright (c) 2009 Cyril Jaquier"
__author__ = "Cyril Jaquier, Arturo 'Buanzo' Busleiman, Yaroslav Halchenko"
__license__ = "GPL"
def formatExceptionInfo():
""" Author: Arturo 'Buanzo' Busleiman """
""" Consistently format exception information """
import sys
cla, exc = sys.exc_info()[:2]
excName = cla.__name__
try:
excArgs = exc.__dict__["args"]
# Assure that we always return a string, without unneeded
# 'decorations' with python <= 2.5 where args would be a tuple
if isinstance(excArgs, tuple) and len(excArgs) == 1:
excArgs = excArgs[0]
excArgs = str(excArgs)
except KeyError:
# And always provide a string output
excArgs = str(exc)
return (excName, excArgs)
return (cla.__name__, str(exc))

4
fail2ban/server/action.py
View File

@ -381,6 +381,10 @@ class Action:
#@staticmethod
def executeCmd(realCmd, timeout=60):
logSys.debug(realCmd)
if not realCmd:
logSys.debug("Nothing to do")
return True
_cmd_lock.acquire()
try: # Try wrapped within another try needed for python version < 2.5
stdout = tempfile.TemporaryFile(suffix=".stdout", prefix="fai2ban_")

4
fail2ban/server/datedetector.py
View File

@ -72,6 +72,8 @@ class DateDetector:
self.appendTemplate("%d/%m/%y %H:%M:%S")
# Apache format [31/Oct/2006:09:22:55 -0000]
self.appendTemplate("%d/%b/%Y:%H:%M:%S %z")
# [31/Oct/2006:09:22:55]
self.appendTemplate("%d/%b/%Y:%H:%M:%S")
# CPanel 05/20/2008:01:57:39
self.appendTemplate("%m/%d/%Y:%H:%M:%S")
# custom for syslog-ng 2006.12.21 06:43:20
@ -80,6 +82,8 @@ class DateDetector:
self.appendTemplate("%d-%b-%Y %H:%M:%S.%f")
# roundcube 26-Jul-2007 15:20:52 +0200
self.appendTemplate("%d-%b-%Y %H:%M:%S %z")
# 26-Jul-2007 15:20:52
self.appendTemplate("%d-%b-%Y %H:%M:%S")
# 17-07-2008 17:23:25
self.appendTemplate("%d-%m-%Y %H:%M:%S")
# 01-27-2012 16:22:44.252

3
fail2ban/server/datetemplate.py
View File

@ -82,8 +82,7 @@ class DateEpoch(DateTemplate):
def __init__(self):
DateTemplate.__init__(self)
# We already know the format for TAI64N
self.setRegex("^\d{10}(\.\d{6})?")
self.setRegex("(?:^|(?P<selinux>(?<=audit\()))\d{10}(?:\.\d{3,6})?(?(selinux)(?=:\d+\)))")
def getDate(self, line):
dateMatch = self.matchDate(line)

52
fail2ban/server/filter.py
View File

@ -73,7 +73,7 @@ class Filter(JailThread):
## Line buffer
self.__lineBuffer = []
## Store last time stamp, applicable for multi-line
self.__lastTimeLine = ""
self.__lastTimeText = ""
self.__lastDate = None
self.dateDetector = DateDetector()
@ -361,15 +361,27 @@ class Filter(JailThread):
def processLine(self, line, returnRawHost=False, checkAllRegex=False):
"""Split the time portion from log msg and return findFailures on them
"""
line = line.rstrip('\r\n')
l = line.rstrip('\r\n')
logSys.log(7, "Working on line %r", line)
return self.findFailure(line, returnRawHost, checkAllRegex)
timeMatch = self.dateDetector.matchTime(l)
if timeMatch:
# Lets split into time part and log part of the line
timeText = timeMatch.group()
# Lets leave the beginning in as well, so if there is no
# anchore at the beginning of the time regexp, we don't
# at least allow injection. Should be harmless otherwise
logLine = l[:timeMatch.start()] + l[timeMatch.end():]
else:
timeText = None
logLine = l
return logLine, self.findFailure(timeText, logLine, returnRawHost, checkAllRegex)
def processLineAndAdd(self, line):
"""Processes the line for failures and populates failManager
"""
for element in self.processLine(line):
for element in self.processLine(line)[1]:
failregex = element[0]
ip = element[1]
unixTime = element[2]
@ -407,7 +419,7 @@ class Filter(JailThread):
# to find the logging time.
# @return a dict with IP and timestamp.
def findFailure(self, logLine,
def findFailure(self, timeText, logLine,
returnRawHost=False, checkAllRegex=False):
failList = list()
@ -417,22 +429,24 @@ class Filter(JailThread):
logSys.log(7, "Matched ignoreregex and was \"%s\" ignored", logLine)
return failList
dateTimeMatch = self.dateDetector.getTime(logLine)
if dateTimeMatch is not None:
# Lets split into time part and log part of the line
date = dateTimeMatch[0]
timeMatch = dateTimeMatch[1]
if timeText:
timeLine = timeMatch.group()
self.__lastTimeLine = timeLine
self.__lastDate = date
# Lets leave the beginning in as well, so if there is no
# anchore at the beginning of the time regexp, we don't
# at least allow injection. Should be harmless otherwise
logLine = logLine[:timeMatch.start()] + logLine[timeMatch.end():]
dateTimeMatch = self.dateDetector.getTime(timeText)
if dateTimeMatch is None:
logSys.error("findFailure failed to parse timeText: " + timeText)
date = self.__lastDate
else:
# Lets split into time part and log part of the line
date = dateTimeMatch[0]
timeMatch = dateTimeMatch[1]
self.__lastTimeText = timeText
self.__lastDate = date
else:
timeLine = self.__lastTimeLine or logLine
timeText = self.__lastTimeText or logLine
date = self.__lastDate
self.__lineBuffer = (self.__lineBuffer + [logLine])[-self.__lineBufferSize:]
@ -461,7 +475,7 @@ class Filter(JailThread):
"file a detailed issue on"
" https://github.com/fail2ban/fail2ban/issues "
"in order to get support for this format."
% (logLine, timeLine))
% (logLine, timeText))
else:
self.__lineBuffer = failRegex.getUnmatchedLines()
try:

13
fail2ban/server/iso8601.py
View File

@ -115,7 +115,7 @@ def parse_date(datestring):
default.
"""
if not isinstance(datestring, basestring):
raise ParseError("Expecting a string %r" % datestring)
raise ValueError("Expecting a string %r" % datestring)
m = ISO8601_REGEX.match(datestring)
if not m:
raise ParseError("Unable to parse date string %r" % datestring)
@ -125,6 +125,11 @@ def parse_date(datestring):
groups["fraction"] = 0
else:
groups["fraction"] = int(float("0.%s" % groups["fraction"]) * 1e6)
return datetime(int(groups["year"]), int(groups["month"]), int(groups["day"]),
int(groups["hour"]), int(groups["minute"]), int(groups["second"]),
int(groups["fraction"]), tz)
try:
return datetime(int(groups["year"]), int(groups["month"]), int(groups["day"]),
int(groups["hour"]), int(groups["minute"]), int(groups["second"]),
int(groups["fraction"]), tz)
except Exception, e:
raise ParseError("Failed to create a valid datetime record due to: %s"
% e)

50
fail2ban/tests/actiontestcase.py
View File

@ -59,6 +59,11 @@ class ExecuteAction(unittest.TestCase):
def _is_logged(self, s):
return s in self._log.getvalue()
def testNameChange(self):
self.assertEqual(self.__action.getName(), "Test")
self.__action.setName("Tricky Test")
self.assertEqual(self.__action.getName(), "Tricky Test")
def testSubstituteRecursiveTags(self):
aInfo = {
'HOST': "192.0.2.0",
@ -102,9 +107,15 @@ class ExecuteAction(unittest.TestCase):
def testExecuteActionBan(self):
self.__action.setActionStart("touch /tmp/fail2ban.test")
self.assertEqual(self.__action.getActionStart(), "touch /tmp/fail2ban.test")
self.__action.setActionStop("rm -f /tmp/fail2ban.test")
self.assertEqual(self.__action.getActionStop(), 'rm -f /tmp/fail2ban.test')
self.__action.setActionBan("echo -n")
self.assertEqual(self.__action.getActionBan(), 'echo -n')
self.__action.setActionCheck("[ -e /tmp/fail2ban.test ]")
self.assertEqual(self.__action.getActionCheck(), '[ -e /tmp/fail2ban.test ]')
self.__action.setActionUnban("true")
self.assertEqual(self.__action.getActionUnban(), 'true')
self.assertFalse(self._is_logged('returned'))
# no action was actually executed yet
@ -113,6 +124,45 @@ class ExecuteAction(unittest.TestCase):
self.assertTrue(self._is_logged('Invariant check failed'))
self.assertTrue(self._is_logged('returned successfully'))
def testExecuteActionEmptyUnban(self):
self.__action.setActionUnban("")
self.assertTrue(self.__action.execActionUnban(None))
self.assertTrue(self._is_logged('Nothing to do'))
def testExecuteActionStartCtags(self):
self.__action.setCInfo("HOST","192.0.2.0")
self.__action.setActionStart("touch /tmp/fail2ban.test.<HOST>")
self.__action.setActionStop("rm -f /tmp/fail2ban.test.<HOST>")
self.__action.setActionCheck("[ -e /tmp/fail2ban.test.192.0.2.0 ]")
self.assertTrue(self.__action.execActionStart())
def testExecuteActionCheckRestoreEnvironment(self):
self.__action.setActionStart("")
self.__action.setActionStop("rm -f /tmp/fail2ban.test")
self.__action.setActionBan("rm /tmp/fail2ban.test")
self.__action.setActionCheck("[ -e /tmp/fail2ban.test ]")
self.assertFalse(self.__action.execActionBan(None))
self.assertTrue(self._is_logged('Unable to restore environment'))
def testExecuteActionChangeCtags(self):
self.__action.setCInfo("ROST","192.0.2.0")
self.assertEqual(self.__action.getCInfo("ROST"),"192.0.2.0")
self.__action.delCInfo("ROST")
self.assertRaises(KeyError, self.__action.getCInfo, "ROST")
def testExecuteActionUnbanAinfo(self):
aInfo = {
'ABC': "123",
}
self.__action.setActionBan("touch /tmp/fail2ban.test.123")
self.__action.setActionUnban("rm /tmp/fail2ban.test.<ABC>")
self.assertTrue(self.__action.execActionBan(None))
self.assertTrue(self.__action.execActionUnban(aInfo))
def testExecuteActionStartEmpty(self):
self.__action.setActionStart("")
self.assertTrue(self.__action.execActionStart())
self.assertTrue(self._is_logged('Nothing to do'))
def testExecuteIncorrectCmd(self):
Action.executeCmd('/bin/ls >/dev/null\nbogusXXX now 2>/dev/null')

18
fail2ban/tests/clientreadertestcase.py
View File

@ -88,25 +88,25 @@ option = %s
self.assertEqual(self._getoption(), 1)
self._write("c.conf", "2") # overwrite
self.assertEqual(self._getoption(), 2)
self._write("c.local", "3") # add override in .local
self.assertEqual(self._getoption(), 3)
self._write("c.d/98.conf", "998") # add 1st override in .d/
self.assertEqual(self._getoption(), 998)
self._write("c.d/90.conf", "990") # add previously sorted override in .d/
self.assertEqual(self._getoption(), 998) # should stay the same
self._write("c.d/99.conf", "999") # now override in a way without sorting we possibly get a failure
self.assertEqual(self._getoption(), 999)
self._write("c.local", "3") # add override in .local
self.assertEqual(self._getoption(), 3)
self._write("c.d/1.local", "4") # add override in .local
self.assertEqual(self._getoption(), 4)
self._remove("c.d/1.local")
self._remove("c.local")
self.assertEqual(self._getoption(), 999)
self._remove("c.d/99.conf")
self.assertEqual(self._getoption(), 998)
self._remove("c.d/98.conf")
self.assertEqual(self._getoption(), 990)
self._remove("c.d/90.conf")
self.assertEqual(self._getoption(), 3)
self._remove("c.conf") # we allow to stay without .conf
self.assertEqual(self._getoption(), 3)
self._write("c.conf", "1")
self._remove("c.local")
self.assertEqual(self._getoption(), 1)
self.assertEqual(self._getoption(), 2)
def testInterpolations(self):
self.assertFalse(self.c.read('i')) # nothing is there yet
@ -252,7 +252,7 @@ class JailsReaderTest(unittest.TestCase):
# and it must be readable as a Filter
filterReader = FilterReader(filterName, jail, {})
filterReader.setBaseDir(CONFIG_DIR)
self.assertTrue(filterReader.read()) # opens fine
self.assertTrue(filterReader.read(),"Failed to read filter:" + filterName) # opens fine
filterReader.getOptions({}) # reads fine
# test if filter has failregex set

83
fail2ban/tests/datedetectortestcase.py
View File

@ -69,39 +69,52 @@ class DateDetectorTest(unittest.TestCase):
date = [2005, 1, 23, 21, 59, 59, 6, 23, -1]
dateUnix = 1106513999.0
for sdate in (
"Jan 23 21:59:59",
"Sun Jan 23 21:59:59.011 2005",
"Sun Jan 23 21:59:59 2005",
"Sun Jan 23 21:59:59",
"2005/01/23 21:59:59",
"2005.01.23 21:59:59",
"23/01/2005 21:59:59",
"23/01/05 21:59:59",
"23/Jan/2005:21:59:59 +0100",
"01/23/2005:21:59:59",
"2005-01-23 21:59:59",
"23-Jan-2005 21:59:59.02",
"23-Jan-2005 21:59:59 +0100",
"23-01-2005 21:59:59",
"01-23-2005 21:59:59.252", # reported on f2b, causes Feb29 fix to break
"@4000000041f4104f00000000", # TAI64N
"2005-01-23T20:59:59.252Z", #ISO 8601
"2005-01-23T15:59:59-05:00", #ISO 8601 with TZ
"<01/23/05@21:59:59>",
"050123 21:59:59", # MySQL
"Jan 23, 2005 9:59:59 PM", # Apache Tomcat
"Jan-23-05 21:59:59", # ASSP like
for anchored, sdate in (
(False, "Jan 23 21:59:59"),
(False, "Sun Jan 23 21:59:59 2005"),
(False, "Sun Jan 23 21:59:59"),
(False, "2005/01/23 21:59:59"),
(False, "2005.01.23 21:59:59"),
(False, "23/01/2005 21:59:59"),
(False, "23/01/05 21:59:59"),
(False, "23/Jan/2005:21:59:59"),
(False, "23/Jan/2005:21:59:59 +0100"),
(False, "01/23/2005:21:59:59"),
(False, "2005-01-23 21:59:59"),
(False, "23-Jan-2005 21:59:59"),
(False, "23-Jan-2005 21:59:59.02"),
(False, "23-Jan-2005 21:59:59 +0100"),
(False, "23-01-2005 21:59:59"),
(False, "01-23-2005 21:59:59.252"), # reported on f2b, causes Feb29 fix to break
(False, "@4000000041f4104f00000000"), # TAI64N
(False, "2005-01-23T20:59:59.252Z"), #ISO 8601
(False, "2005-01-23T15:59:59-05:00"), #ISO 8601 with TZ
(True, "<01/23/05@21:59:59>"),
(True, "050123 21:59:59"), # MySQL
(True, "Jan-23-05 21:59:59"), # ASSP like
(False, "Jan 23, 2005 9:59:59 PM"), # Apache Tomcat
(True, "1106513999"), # Regular epoch
(True, "1106513999.000"), # Regular epoch with millisec
(False, "audit(1106513999.000:987)"), # SELinux
):
log = sdate + "[sshd] error: PAM: Authentication failure"
# exclude
for should_match, prefix in ((True, ""),
(not anchored, "bogus-prefix ")):
ldate = prefix + sdate # logged date
log = ldate + "[sshd] error: PAM: Authentication failure"
# exclude
# yoh: on [:6] see in above test
logtime = self.__datedetector.getTime(log)
self.assertNotEqual(logtime, None, "getTime retrieved nothing: failure for %s" % sdate)
( logUnix, logMatch ) = logtime
self.assertEqual(logUnix, dateUnix, "getTime comparison failure for %s: \"%s\" is not \"%s\"" % (sdate, logUnix, dateUnix))
self.assertEqual(logMatch.group(), sdate)
# yoh: on [:6] see in above test
logtime = self.__datedetector.getTime(log)
if should_match:
self.assertNotEqual(logtime, None, "getTime retrieved nothing: failure for %s, anchored: %r, log: %s" % ( sdate, anchored, log))
( logUnix, logMatch ) = logtime
self.assertEqual(logUnix, dateUnix, "getTime comparison failure for %s: \"%s\" is not \"%s\"" % (sdate, logUnix, dateUnix))
if sdate.startswith('audit('):
# yes, special case, the group only matches the number
sdate = '1106513999.000'
self.assertEqual(logMatch.group(), sdate)
else:
self.assertEqual(logtime, None, "getTime should have not matched for %r Got: %s" % (ldate, logtime))
def testStableSortTemplate(self):
old_names = [x.getName() for x in self.__datedetector.getTemplates()]
@ -177,6 +190,14 @@ class DateDetectorTest(unittest.TestCase):
print("WARNING: The following date templates overlap:")
pprint.pprint(overlapedTemplates)
def testDateTemplate(self):
t = DateTemplate()
t.setRegex('^a{3,5}b?c*$')
self.assertEqual(t.getRegex(), '^a{3,5}b?c*$')
self.assertRaises(Exception, t.getDate, '')
self.assertEqual(t.matchDate('aaaac').group(), 'aaaac')
# def testDefaultTempate(self):
# self.__datedetector.setDefaultRegex("^\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}")
# self.__datedetector.setDefaultPattern("%b %d %H:%M:%S")

59
fail2ban/tests/dummyjail.py Normal file
View File

@ -0,0 +1,59 @@
# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
# vi: set ft=python sts=4 ts=4 sw=4 noet :
# This file is part of Fail2Ban.
#
# Fail2Ban is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Fail2Ban is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Fail2Ban; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
# Fail2Ban developers
__copyright__ = "Copyright (c) 2012 Yaroslav Halchenko"
__license__ = "GPL"
from threading import Lock
class DummyJail(object):
"""A simple 'jail' to suck in all the tickets generated by Filter's
"""
def __init__(self):
self.lock = Lock()
self.queue = []
def __len__(self):
try:
self.lock.acquire()
return len(self.queue)
finally:
self.lock.release()
def putFailTicket(self, ticket):
try:
self.lock.acquire()
self.queue.append(ticket)
finally:
self.lock.release()
def getFailTicket(self):
try:
self.lock.acquire()
try:
return self.queue.pop()
except IndexError:
return False
finally:
self.lock.release()
def getName(self):
return "DummyJail #%s with %d tickets" % (id(self), len(self))

12
fail2ban/tests/failmanagertestcase.py
View File

@ -54,9 +54,19 @@ class AddFailure(unittest.TestCase):
def tearDown(self):
"""Call after every test case."""
def testAdd(self):
def testFailManagerAdd(self):
self.assertEqual(self.__failManager.size(), 3)
self.assertEqual(self.__failManager.getFailTotal(), 13)
self.__failManager.setFailTotal(0)
self.assertEqual(self.__failManager.getFailTotal(), 0)
self.__failManager.setFailTotal(13)
def testFailManagerMaxTime(self):
self.assertEqual(self.__failManager.getMaxTime(), 600)
self.__failManager.setMaxTime(13)
self.assertEqual(self.__failManager.getMaxTime(), 13)
self.__failManager.setMaxTime(600)
def _testDel(self):
self.__failManager.delFailure('193.168.0.128')
self.__failManager.delFailure('111.111.1.111')

10
fail2ban/tests/files/logs/dovecot
View File

@ -29,3 +29,13 @@ Jun 23 00:52:43 vhost1-ua dovecot: pop3-login: Disconnected: Inactivity (auth fa
Jul 02 13:49:31 hostname dovecot[442]: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=<test>, method=PLAIN, rip=192.51.100.13, lip=203.0.113.17, session=<YADINsQCDs5BH8Pg>
# failJSON: { "time": "2005-07-02T13:49:32", "match": true , "host": "192.51.100.13" }
Jul 02 13:49:32 hostname dovecot[442]: pop3-login: Disconnected (no auth attempts in 58 secs): user=<>, rip=192.51.100.13, lip=203.0.113.17, session=<LgDINsQCkttVIMPg>
# failJSON: { "time": "2005-07-02T13:49:32", "match": true , "host": "200.76.17.206" }
Jul 02 13:49:32 hostname dovecot[442]: dovecot: auth(default): pam(account@MYSERVERNAME.com,200.76.17.206): pam_authenticate() failed: User not known to the underlying authentication module: 2 Time(s)
# failJSON: { "time": "2013-08-11T03:56:40", "match": true , "host": "1.2.3.4" }
2013-08-11 03:56:40 auth-worker(default): Info: pam(username,1.2.3.4): pam_authenticate() failed: Authentication failure (password mismatch?)
# failJSON: { "time": "2005-04-19T05:22:20", "match": true , "host": "80.255.3.104" }
Apr 19 05:22:20 vm5 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=informix rhost=80.255.3.104

5
fail2ban/tests/files/logs/mysqld-auth
View File

@ -10,3 +10,8 @@
130324 19:01:39 [Warning] Access denied for user 'root'@'61.147.108.35' (using password: NO)
# failJSON: { "time": "2013-03-24T19:01:40", "match": true , "host": "61.147.108.35" }
130324 19:01:40 [Warning] Access denied for user 'root'@'61.147.108.35' (using password: YES)
# failJSON: { "time": "2004-09-16T21:30:26", "match": true , "host": "74.207.241.159" }
Sep 16 21:30:26 catinthehat mysqld: 130916 21:30:26 [Warning] Access denied for user 'hacker'@'74.207.241.159' (using password: YES)
# failJSON: { "time": "2004-09-16T21:30:32", "match": true , "host": "74.207.241.159" }
Sep 16 21:30:32 catinthehat mysqld: 130916 21:30:32 [Warning] Access denied for user 'hacker'@'74.207.241.159' (using password: NO)

13
fail2ban/tests/files/logs/pam-generic
View File

@ -6,9 +6,12 @@ May 12 09:47:54 vaio sshd[16004]: (pam_unix) authentication failure; logname= ui
May 12 09:48:03 vaio sshd[16021]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71-13-115-12.static.mdsn.wi.charter.com
# failJSON: { "time": "2005-05-15T18:02:12", "match": true , "host": "66.232.129.62" }
May 15 18:02:12 localhost proftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=66.232.129.62 user=mark
# failJSON: { "time": "2004-11-25T17:12:13", "match": true , "host": "192.168.10.3" }
# linux-pam messages before commit f0f9c4479303b5a9c37667cf07f58426dc081676 (release 0.99.2.0 ) - nolonger supported
# failJSON: { "time": "2004-11-25T17:12:13", "match": false }
Nov 25 17:12:13 webmail pop(pam_unix)[4920]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.10.3 user=mailuser
# failJSON: { "time": "2005-07-19T18:11:26", "match": true , "host": "www3.google.com" }
Jul 19 18:11:26 srv2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www3.google.com
# failJSON: { "time": "2005-07-19T18:11:26", "match": true , "host": "www3.google.com" }
Jul 19 18:11:26 srv2 vsftpd: pam_unix: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www3.google.com
# failJSON: { "time": "2005-07-19T18:11:26", "match": true , "host": "www.google.com" }
Jul 19 18:11:26 srv2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www.google.com
# failJSON: { "time": "2005-07-19T18:11:26", "match": true , "host": "www.google.com" }
Jul 19 18:11:26 srv2 vsftpd: pam_unix: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www.google.com

0
fail2ban/tests/files/logs/sasl → fail2ban/tests/files/logs/postfix-sasl
View File

2
fail2ban/tests/files/logs/pure-ftpd
View File

@ -1,4 +1,2 @@
# failJSON: { "time": "2005-01-31T16:54:07", "match": true , "host": "24.79.92.194" }
Jan 31 16:54:07 desktop pure-ftpd: (?@24.79.92.194) [WARNING] Authentication failed for user [Administrator]
# failJSON: { "time": "2004-11-05T18:54:02", "match": true , "host": "server202181210195.ixlink.net" }
Nov 5 18:54:02 pure-ftpd: (?@server202181210195.ixlink.net) [WARNING] Authentication failed for user [Administrator]

6
fail2ban/tests/files/logs/qmail
View File

@ -2,3 +2,9 @@
Sep 6 07:33:33 sd6 qmail: 1157520813.485077 rblsmtpd: 198.51.100.77 pid 19597 sbl-xbl.spamhaus.org: 451 http://www.spamhaus.org/query/bl?ip=198.51.100.77
# failJSON: { "time": "2004-09-06T07:18:29", "match": true , "host": "198.51.100.54" }
Sep 6 07:18:29 sd6 qmail: 1157519909.633171 qmail-smtpd: 421 badiprbl: ip 198.51.100.54 rbl: example.com
# http://www.tjsi.com/rblsmtpd/faq/
# failJSON: { "time": "2005-06-30T15:13:33", "match": true , "host": "193.111.120.47" }
Jun 30 15:13:33 ns1 rblsmtpd: relays.ordb.org blocked 193.111.120.47 ordb-test.null.dk -
# failJSON: { "time": "2005-06-30T15:13:55", "match": true , "host": "192.203.178.107" }
Jun 30 15:13:55 ns1 rblsmtpd: relays.osirusoft.com blocked 192.203.178.107 sbl.crynwr.com -

4
fail2ban/tests/files/logs/recidive
View File

@ -4,3 +4,7 @@
2006-02-13 16:07:31,183 fail2ban.actions: WARNING [sendmail] Unban 1.2.3.4
# failJSON: { "match": false }
2006-02-13 15:52:30,388 fail2ban.actions: WARNING [recidive] Ban 1.2.3.4
# syslog example
# failJSON: { "time": "2004-09-16T00:44:55", "match": true , "host": "10.0.0.7" }
Sep 16 00:44:55 spaceman fail2ban.actions: WARNING [jail] Ban 10.0.0.7

29
fail2ban/tests/files/logs/selinux-ssh Normal file
View File

@ -0,0 +1,29 @@
# failJSON: { "time": "2013-07-09T01:45:16", "match": false , "host": "173.242.116.187" }
type=USER_LOGIN msg=audit(1373330716.415:4063): user pid=11998 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=173.242.116.187 terminal=ssh res=failed'
# failJSON: { "time": "2013-07-09T01:45:17", "match": false , "host": "173.242.116.187" }
type=USER_LOGIN msg=audit(1373330717.000:4068): user pid=12000 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=173.242.116.187 terminal=ssh res=failed'
# failJSON: { "time": "2013-07-09T01:45:17", "match": true , "host": "173.242.116.187" }
type=USER_ERR msg=audit(1373330717.000:4070): user pid=12000 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident acct="?" exe="/usr/sbin/sshd" hostname=173.242.116.187 addr=173.242.116.187 terminal=ssh res=failed'
# failJSON: { "time": "2013-07-09T01:45:17", "match": false , "host": "173.242.116.187" }
type=USER_LOGIN msg=audit(1373330717.000:4073): user pid=12000 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=173.242.116.187 terminal=ssh res=failed'
# failJSON: { "time": "2013-06-30T01:02:08", "match": false , "host": "113.240.248.18" }
type=USER_LOGIN msg=audit(1372546928.000:52008): user pid=21569 uid=0 auid=0 ses=76 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="sshd" exe="/usr/sbin/sshd" hostname=? addr=113.240.248.18 terminal=ssh res=failed'
# failJSON: { "time": "2013-06-30T02:58:20", "match": true , "host": "113.240.248.18" }
type=USER_ERR msg=audit(1372557500.000:61747): user pid=23684 uid=0 auid=0 ses=76 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident acct="?" exe="/usr/sbin/sshd" hostname=113.240.248.18 addr=113.240.248.18 terminal=ssh res=failed'
# failJSON: { "time": "2013-06-30T03:58:20", "match": false , "host": "113.240.248.18" }
type=USER_LOGIN msg=audit(1372557500.000:61750): user pid=23684 uid=0 auid=0 ses=76 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=113.240.248.18 terminal=ssh res=failed'
# failJSON: { "time": "2013-07-06T17:48:00", "match": true , "host": "194.228.20.113" }
type=USER_AUTH msg=audit(1373129280.000:9): user pid=1277 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="root" exe="/usr/sbin/sshd" hostname=? addr=194.228.20.113 terminal=ssh res=failed'
# failJSON: { "time": "2013-10-30T07:57:43", "match": true , "host": "192.168.3.100" }
type=USER_AUTH msg=audit(1383116263.000:603): pid=12887 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="dan" exe="/usr/sbin/sshd" hostname=? addr=192.168.3.100 terminal=ssh res=failed'
# failJSON: { "time": "2013-10-30T07:54:08", "match": false , "host": "192.168.3.100" }
type=USER_LOGIN msg=audit(1383116048.000:595): pid=12354 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="dan" exe="/usr/sbin/sshd" hostname=? addr=192.168.3.100 terminal=ssh res=failed'

9
fail2ban/tests/files/logs/sshd
View File

@ -99,3 +99,12 @@ May 27 00:16:33 host sshd[2364]: User root not allowed because account is locked
May 27 00:16:33 host sshd[2364]: input_userauth_request: invalid user root [preauth]
# failJSON: { "time": "2005-05-27T00:16:33", "match": true , "host": "198.51.100.76" }
May 27 00:16:33 host sshd[2364]: Received disconnect from 198.51.100.76: 11: Bye Bye [preauth]
# failJSON: { "time": "2004-09-29T16:28:02", "match": true , "host": "127.0.0.1" }
Sep 29 16:28:02 spaceman sshd[16699]: Failed password for dan from 127.0.0.1 port 45416 ssh1
# failJSON: { "time": "2004-09-29T17:15:02", "match": true , "host": "127.0.0.1" }
Sep 29 17:15:02 spaceman sshd[12946]: Failed hostbased for dan from 127.0.0.1 port 45785 ssh2: RSA 8c:e3:aa:0f:64:51:02:f7:14:79:89:3f:65:84:7c:30, client user "dan", client host "localhost.localdomain"
# failJSON: { "time": "2004-09-29T17:15:02", "match": true , "host": "127.0.0.1" }
Sep 29 17:15:02 spaceman sshd[12946]: Failed hostbased for dan from 127.0.0.1 port 45785 ssh2: DSA 01:c0:79:41:91:31:9a:7d:95:23:91:ac:b1:6d:59:81, client user "dan", client host "localhost.localdomain"

22
fail2ban/tests/files/logs/uwimap-auth Normal file
View File

@ -0,0 +1,22 @@
# failJSON: { "time": "2005-07-03T20:56:53", "match": true , "host": "81.169.154.112" }
Jul 3 20:56:53 Linux2 imapd[666]: Login failed user=lizdy auth=lizdy host=h2066373.stratoserver.net [81.169.154.112]
# failJSON: { "time": "2005-07-29T18:30:19", "match": true , "host": "198.52.115.74" }
Jul 29 18:30:19 Linux2 ipop3d[25745]: Login failed user=info auth=info host=74-115-52-198-dedicated.multacom.com [198.52.115.74]
# http://lists.freebsd.org/pipermail/freebsd-questions/2005-January/072073.html
# failJSON: { "time": "2005-01-14T20:28:07", "match": true , "host": "198.52.115.74" }
Jan 14 20:28:07 grog imapd[19343]: Login excessive login failures user=user auth=user host=74-115-52-198-dedicated.multacom.com [198.52.115.74]
#http://us.generation-nt.com/answer/uw-imapd-doesnt-authenticate-users-help-194297331.html
# failJSON: { "time": "2005-04-08T16:32:01", "match": true , "host": "198.52.115.74" }
Apr 8 16:32:01 abdon imapd[29087]: Login excessive login failures user=brada auth=brada host=xxxxxx [198.52.115.74]
# http://www.howtoforge.com/forums/showthread.php?t=3786
# failJSON: { "time": "2005-04-08T16:32:01", "match": true , "host": "127.0.0.1" }
Apr 8 16:32:01 abdon imapd[21172]: Login disabled user=test auth=test host=localhost.localdomain [127.0.0.1]
# http://mailman2.u.washington.edu/pipermail/imap-uw/2008-February/001889.html
# failJSON: { "time": "2005-02-23T12:36:01", "match": true , "host": "127.0.55.22" }
Feb 23 12:36:01 r2 imapd[3473]: Failed uwmaster override of user=pro1 host=r22.j.de [127.0.55.22]

6
fail2ban/tests/files/logs/vsftpd
View File

@ -1,10 +1,14 @@
#1 PAM based
# failJSON: { "time": "2004-10-11T01:06:47", "match": true , "host": "209.67.1.67" }
Oct 11 01:06:47 ServerJV vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=209.67.1.67
# failJSON: { "time": "2005-02-06T12:02:29", "match": true , "host": "64.168.103.1" }
# Pam pre 0.99.2.0 - https://github.com/fail2ban/fail2ban/pull/358
# failJSON: { "time": "2005-02-06T12:02:29", "match": false , "host": "64.168.103.1" }
Feb 6 12:02:29 server vsftpd(pam_unix)[15522]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=64.168.103.1 user=user1
#2 Internal
# failJSON: { "time": "2007-01-19T12:20:33", "match": true , "host": "64.106.46.98" }
Fri Jan 19 12:20:33 2007 [pid 27202] [anonymous] FAIL LOGIN: Client "64.106.46.98"
# failJSON: { "time": "2004-10-23T21:15:42", "match": true , "host": "58.254.172.161" }
Oct 23 21:15:42 vps vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=58.254.172.161

4
fail2ban/tests/files/logs/webmin-auth
View File

@ -7,3 +7,7 @@ Dec 13 08:15:18 sb1 webmin[25875]: Invalid login as root from 89.2.49.230
#2 User does not exists
# failJSON: { "time": "2004-12-12T23:14:19", "match": true , "host": "188.40.105.142" }
Dec 12 23:14:19 sb1 webmin[22134]: Non-existent login as robert from 188.40.105.142
# failJSON: { "time": "2004-09-25T10:38:11", "match": true , "host": "14.200.251.155" }
Sep 25 10:38:11 platypus webmin[27249]: Non-existent login as admin@goodeyedeer.com.au from 14.200.251.155

31
fail2ban/tests/filtertestcase.py
View File

@ -357,36 +357,7 @@ class LogFileMonitor(unittest.TestCase):
from threading import Lock
class DummyJail(object):
"""A simple 'jail' to suck in all the tickets generated by Filter's
"""
def __init__(self):
self.lock = Lock()
self.queue = []
def __len__(self):
try:
self.lock.acquire()
return len(self.queue)
finally:
self.lock.release()
def putFailTicket(self, ticket):
try:
self.lock.acquire()
self.queue.append(ticket)
finally:
self.lock.release()
def getFailTicket(self):
try:
self.lock.acquire()
return self.queue.pop()
finally:
self.lock.release()
def getName(self):
return "DummyJail #%s with %d tickets" % (id(self), len(self))
from dummyjail import DummyJail
def get_monitor_failures_testcase(Filter_):
"""Generator of TestCase's for different filters/backends

26
fail2ban/tests/misctestcase.py
View File

@ -169,3 +169,29 @@ class TestsUtilsTest(unittest.TestCase):
# in this case compressed and not should be the same (?)
self.assertTrue(pindex > 10) # we should have some traceback
self.assertEqual(s[:pindex], s[pindex+1:pindex*2 + 1])
from fail2ban.server import iso8601
import datetime
class CustomDateFormatsTest(unittest.TestCase):
def testIso8601(self):
date = iso8601.parse_date("2007-01-25T12:00:00Z")
self.assertEqual(
date,
datetime.datetime(2007, 1, 25, 12, 0, tzinfo=iso8601.Utc()))
self.assertRaises(ValueError, iso8601.parse_date, None)
self.assertRaises(ValueError, iso8601.parse_date, date)
self.assertRaises(iso8601.ParseError, iso8601.parse_date, "")
self.assertRaises(iso8601.ParseError, iso8601.parse_date, "Z")
self.assertRaises(iso8601.ParseError,
iso8601.parse_date, "2007-01-01T120:00:00Z")
self.assertRaises(iso8601.ParseError,
iso8601.parse_date, "2007-13-01T12:00:00Z")
def testTimeZone(self):
# Just verify consistent operation and improve coverage ;)
self.assertEqual(iso8601.parse_timezone(None), iso8601.UTC)
self.assertEqual(iso8601.parse_timezone('Z'), iso8601.UTC)

14
fail2ban/tests/samplestestcase.py
View File

@ -104,7 +104,7 @@ def testSampleRegexsFactory(name):
faildata = {}
ret = self.filter.processLine(
line, returnRawHost=True, checkAllRegex=True)
line, returnRawHost=True, checkAllRegex=True)[1]
if not ret:
# Check line is flagged as none match
self.assertFalse(faildata.get('match', True),
@ -123,12 +123,18 @@ def testSampleRegexsFactory(name):
self.assertEqual(host, faildata.get("host", None))
t = faildata.get("time", None)
jsonTimeLocal = datetime.datetime.strptime(t, "%Y-%m-%dT%H:%M:%S")
try:
jsonTimeLocal = datetime.datetime.strptime(t, "%Y-%m-%dT%H:%M:%S")
except ValueError:
jsonTimeLocal = datetime.datetime.strptime(t, "%Y-%m-%dT%H:%M:%S.%f")
jsonTime = time.mktime(jsonTimeLocal.utctimetuple())
jsonTime += jsonTimeLocal.microsecond / 1000000
self.assertEqual(fail2banTime, jsonTime,
"UTC Time mismatch fail2ban %s (%s) != failJson %s (%s) (diff %i seconds) on: %s:%i %r:" %
"UTC Time mismatch fail2ban %s (%s) != failJson %s (%s) (diff %.3f seconds) on: %s:%i %r:" %
(fail2banTime, time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(fail2banTime)),
jsonTime, time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(jsonTime)),
fail2banTime - jsonTime, logFile.filename(), logFile.filelineno(), line ) )
@ -144,7 +150,7 @@ def testSampleRegexsFactory(name):
return testFilter
for filter_ in os.listdir(os.path.join(CONFIG_DIR, "filter.d")):
for filter_ in filter(lambda x: not x.endswith('common.conf'), os.listdir(os.path.join(CONFIG_DIR, "filter.d"))):
filterName = filter_.rpartition(".")[0]
setattr(
FilterSamplesRegex,

11
fail2ban/tests/servertestcase.py
View File

@ -324,12 +324,23 @@ class Transmitter(TransmitterBase):
self.transm.proceed(["set", self.jailName, "dellogpath", value]),
(0, []))
def testJailLogPathInvalidFile(self):
# Invalid file
value = "this_file_shouldn't_exist"
result = self.transm.proceed(
["set", self.jailName, "addlogpath", value])
self.assertTrue(isinstance(result[1], IOError))
def testJailLogPathBrokenSymlink(self):
# Broken symlink
name = tempfile.mktemp(prefix='tmp_fail2ban_broken_symlink')
sname = name + '.slink'
os.symlink(name, sname)
result = self.transm.proceed(
["set", self.jailName, "addlogpath", sname])
self.assertTrue(isinstance(result[1], IOError))
os.unlink(sname)
def testJailIgnoreIP(self):
self.jailAddDelTest(
"ignoreip",

Some files were not shown because too many files have changed in this diff Show More