merged with upstream release 0.6.1

debian-releases/etch
Yaroslav Halchenko 2006-03-19 05:20:44 +00:00
parent 49e8d86983
commit 4fa0eba064
17 changed files with 965 additions and 115 deletions


@ -4,9 +4,41 @@
|_| \__,_|_|_/___|_.__/\__,_|_||_|
=============================================================
Fail2Ban (version 0.6.0) 2005/11/20
Fail2Ban (version 0.6.1) 2006/03/16
=============================================================
ver. 0.6.1 (2006/03/16) - stable
----------
- Added permanent banning. Set banTime to a negative value to
enable this feature (-1 is perfect). Thanks to Mannone
- Fixed locale bug. Thanks to Fernando José
- Fixed crash when time format does not match data
- Propagated patch from Debian to fix fail2ban search path
addition to the path search list: now it is added first.
Thanks to Nick Craig-Wood
- Added SMTP authentification for mail notification. Thanks
to Markus Hoffmann
- Removed debug mode as it is confusing for people
- Added parsing of timestamp in TAI64N format (#1275325).
Thanks to Mark Edgington
- Added patch #1382936 (Default formatted syslog logging).
Thanks to Patrick Börjesson
- Removed 192.168.0.0/16 from ignoreip. Attacks could also
come from the local network.
- Robust startup: if iptables module does not get fully
initialized after startup of fail2ban, fail2ban will do
"maxreinit" attempts to initialize its own firewall. It
will sleep between attempts for "polltime" number of
seconds (closes Debian: #334272). Thanks to Yaroslav
Halchenko
- Added "interpolations" in fail2ban.conf. This is provided
by the ConfigParser module. Old configuration files still
work. Thanks to Yaroslav Halchenko
- Added initial support for hosts.deny and shorewall. Need
more testing. Please test. Thanks to kojiro from Gentoo
forum for hosts.deny support
- Added support for vsftpd. Thanks to zugeschmiert
ver. 0.6.0 (2005/11/20) - stable
----------
- Propagated patches introduced by Debian maintainer
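Review bot: the 0.6.1 entry spells "authentification" in "Added SMTP authentification for mail notification", and the same misspelling is copied into the user/password option comments of all three configuration files in this commit; fix it here (it should be "authentication") before it spreads further. The permanent-ban line also names the option "banTime" while every config file spells it "bantime"; use the config spelling so a reader can grep for it.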


@ -1,6 +1,6 @@
Metadata-Version: 1.0
Name: fail2ban
Version: 0.6.0
Version: 0.6.1
Summary: Ban IPs that make too many password failure
Home-page: http://fail2ban.sourceforge.net
Author: Cyril Jaquier

README

@ -4,7 +4,7 @@
|_| \__,_|_|_/___|_.__/\__,_|_||_|
=============================================================
Fail2Ban (version 0.6.0) 2005/11/20
Fail2Ban (version 0.6.1) 2006/03/16
=============================================================
Fail2Ban scans log files like /var/log/pwdfail and bans IP
@ -58,12 +58,12 @@ Require: python-2.4 (http://www.python.org)
To install, just do:
> tar xvfj fail2ban-0.6.0.tar.bz2
> cd fail2ban-0.6.0
> tar xvfj fail2ban-0.6.1.tar.bz2
> cd fail2ban-0.6.1
> python setup.py install
This will install Fail2Ban into /usr/lib/fail2ban. The fail2ban
executable is placed into /usr/bin.
This will install Fail2Ban into /usr/lib/fail2ban. The
fail2ban executable is placed into /usr/bin.
Gentoo: ebuilds are available on the website.
Debian: Fail2Ban is in Debian unstable.
@ -74,8 +74,17 @@ Fail2Ban should now be correctly installed. Just type:
> fail2ban -h
to see if everything is alright. You can configure fail2ban
with a config file. Copy config/fail2ban.conf.default to
/etc/fail2ban.conf.
with a config file. Different kind of configuration files are
available:
iptables: copy config/fail2ban.conf.iptables to
/etc/fail2ban.conf
hosts.deny: copy config/fail2ban.conf.hostsdeny to
/etc/fail2ban.conf
shorewall: copy config/fail2ban.conf.shorewall to
/etc/fail2ban.conf
Do not forget to edit fail2ban.conf to meet your needs.
You can use the initd script available in config/. Copy
<dist>-initd to /etc/init.d/fail2ban. Gentoo users must copy
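Review bot: the new "hosts.deny: copy config/fail2ban.conf.hostsdeny" and "shorewall: copy config/fail2ban.conf.shorewall" choices are presented on equal footing with iptables, but the ChangeLog in this same commit describes them as initial support that "Need more testing. Please test."; carry that caveat into this paragraph so a reader picking a banning backend knows which one is exercised. It would also help to say what the chosen backend writes to (/etc/hosts.deny or the shorewall dynamic rules), since the fwban/fwunban comments in those files only warn that the command "is executed with Fail2Ban user rights".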
@ -96,7 +105,6 @@ the value stored in fail2ban.conf. Here are the command line
options:
-b start in background
-d start in debug mode
-c <FILE> read configuration file FILE
-p <FILE> create PID lock in FILE
-h display this help message
@ -124,7 +132,8 @@ Thanks:
Kévin Drapel, Marvin Rouge, Sireyessire, Robert Edeker,
Tom Pike, Iain Lea, Andrey G. Grozin, Yaroslav Halchenko,
Jonathan Kamens, Stephen Gildea
Jonathan Kamens, Stephen Gildea, Markus Hoffmann, Mark
Edgington, Patrick Börjesson, kojiro, zugeschmiert
License:
--------

TODO

@ -4,20 +4,92 @@
|_| \__,_|_|_/___|_.__/\__,_|_||_|
=============================================================
ToDo $Revision: 1.5 $
ToDo $Revision: 1.11 $
=============================================================
See Feature Request Tracking System at SourceForge.net
- improve installation process (better prefix support)
- install Fail2ban into /usr/share
- improve documentation and website for user
- use Doxygen
- use PyLint to check the code
- better configuration files
- add a check to see if the time of the log messages is
correctly detected (valid regexp)
- split configuration files in /etc/fail2ban/services.d
Example: /etc/fail2ban/services.d/apache
- template for common services in /etc/fail2ban/scripts.d
Example: /etc/fail2ban/scripts.d/apache
- use Gentoo Portage style for scripts.
- banning engines script in /etc/fail2ban/scripts.d
Example: /etc/fail2ban/scripts.d/iptables
Will be mostly bash scripting which is more "user
friendly".
- split configuration files in /etc/fail2ban/services.d
for log files
Example: /etc/fail2ban/services.d/apache
Mainly regular expressions.
- template for common regex in /etc/fail2ban/templates.d
Example: /etc/fail2ban/templates.d/date
Mainly regular expressions.
- remove debug mode (root check)
- better return values in function
- use more email.Utils in mail.py
- add gettext support. Is this really needed for a server
utility?
- send an email when fail2ban is running
- add multithreading. Python threading is not really
efficient. However, fail2ban could benefit of it. We could
use threads like this:
- one thread which check for host to unban.
- one thread per file to watch. This will allow things like
different polling time for each file.
<srv> is read-only (we only read log files) thus no locks
are required. However, <meth> is read-write and must take
care of concurrency in case of multithreading.
- add FAM/Gamin support. Should be quite efficient with
threading. Take care that handle_one_event() release the
Python lock.
- add a test framework. We could use unittest which is in
Python since 2.1. It should be possible to run all tests
automatically.
- add client/server using socket. Something similar to
gdesklets. DBUS seems to be designed for desktop use.
- fail2ban start -> start the daemon.
- fail2ban stop -> stop the daemon.
- fail2ban add <srv> <meth> -> add <srv> monitoring with
<meth> ban method (iptables, hosts.deny, etc).
- fail2ban del <srv> -> remove <srv> monitoring.
- fail2ban status <srv> -> query current fail2ban status.
Should return infos like a ban counter. Could be graph
with rrdtool.
- fail2ban pause <srv> -> suspend monitoring.
- fail2ban resume <srv> -> resume monitoring.
- fail2ban list -> list available services.
- fail2ban flush <srv> -> flush the <srv> ban list.
- remove PID file.
- remove most of the command lines options if possible.
- add the possibility to specify wildcard in log files.
Example: logfile = /var/log/apache2/access-*.log
Should we start one thread per file or just one thread per
serivce?
- autodetect date format in log file. Match the most popular
format and sort them using the hit ratio. Should avoid
user problem with regex and not have a big impact on perfs.
- restart automatically the daemon if an exception occurs.
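Review bot: the item "remove debug mode (root check)" is stale in this revision: the 0.6.1 ChangeLog in the same commit records "Removed debug mode as it is confusing for people" and the README drops the -d option, so either delete the line or reword it to cover only whatever root check remains. Small typos to fix while here: "serivce" in "one thread per serivce?", "benefit of it" (benefit from it), "perfs" (performance) and "infos".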


@ -0,0 +1,327 @@
# Fail2Ban configuration file
#
# $Revision: 1.2 $
#
# 2005.06.21 modified for readability Iain Lea iain@bricbrac.de
[DEFAULT]
# Option: background
# Notes.: start fail2ban as a daemon. Output is redirect to logfile.
# Values: [true | false] Default: false
#
background = false
# Option: logtargets
# Notes.: log targets. Space separated list of logging targets.
# Values: STDERR SYSLOG file Default: /var/log/fail2ban.log
#
logtargets = /var/log/fail2ban.log
# Option: syslog-target
# Notes.: where to find syslog facility if logtarget SYSLOG.
# Values: SOCKET HOST HOST:PORT Default: /dev/log
#
syslog-target = /dev/log
# Option: syslog-facility
# Notes.: which syslog facility to use if logtarget SYSLOG.
# Values: NUM Default: 1
#
syslog-facility = 1
# Option: pidlock
# Notes.: path of the PID lock file (must be able to write to file).
# Values: FILE Default: /var/run/fail2ban.pid
#
pidlock = /var/run/fail2ban.pid
# Option: maxfailures
# Notes.: number of failures before IP gets banned.
# Values: NUM Default: 5
#
maxfailures = 5
# Option: bantime
# Notes.: number of seconds an IP will be banned. If set to a negative
# value, IP will never be unbanned (permanent banning).
# Values: NUM Default: 600
#
bantime = 600
# Option: findtime
# Notes.: lifetime in seconds of a "failed" log entry.
# Values: NUM Default: 600
#
findtime = 600
# Option: ignoreip
# Notes.: space separated list of IP's to be ignored by fail2ban.
# You can use CIDR mask in order to specify a range.
# Example: ignoreip = 192.168.0.1/24 123.45.235.65
# Values: IP Default:
#
ignoreip =
# Option: cmdstart
# Notes.: command executed once at the start of Fail2Ban
# Values: CMD Default:
#
cmdstart =
# Option: cmdend
# Notes.: command executed once at the end of Fail2Ban.
# Values: CMD Default:
#
cmdend =
# Option: polltime
# Notes.: number of seconds fail2ban sleeps between iterations.
# Values: NUM Default: 1
#
polltime = 1
# Option: reinittime
# Notes.: minimal number of seconds between the re-initialization of
# firewalls due to external changes in their rules (see fwcheck)
# Values: NUM Default: 100
#
reinittime = 10
# Option: maxreinits
# Notes.: maximal number of re-initialization of firewalls due to external
# changes. -1 stays for infinite, so only reinittime is of importance
# Values: NUM Default: -1
#
maxreinits = -1
# NOTE: Interpolations
#
# fwstart, as well as fwend, fwcheck, fwban, fwunban, use interpolations
# so %(__name__)s will be substituted by a name of each section
# (unless the option is overriden in a section).
# If you are going to use interpolations in your setup, please make
# sure that you specified options port and protocol (which also has
# an option in DEFAULT).
#
# Option: hostsdeny
# Notes.: hosts.deny file path.
# Values: STR Default: /etc/hosts.deny
#
hostsdeny = /etc/hosts.deny
# Option: fwban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <failtime> unix timestamp of the last failure
# <bantime> unix timestamp of the ban time
# Values: CMD
# Default: iptables -I INPUT 1 -s <ip> -j DROP
#
fwban = IP=<ip> && echo "ALL: $IP" >> %(hostsdeny)s
# Option: fwunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <bantime> unix timestamp of the ban time
# <unbantime> unix timestamp of the unban time
# Values: CMD
# Default: iptables -D INPUT -s <ip> -j DROP
#
fwunban = IP=<ip> && sed -i.old s/ALL:\ $IP// %(hostsdeny)s
[MAIL]
# Option: enabled
# Notes.: enable mail notification when banning an IP address.
# Values: [true | false] Default: false
#
enabled = false
# Option: host
# Notes.: host running the mail server.
# Values: STR Default: localhost
#
host = localhost
# Option: port
# Notes.: port of the mail server.
# Values: INT Default: 25
#
port = 25
# Option: user
# Notes.: the username for smtp-server if authentification is required.
# if user is empty, no authentification is done.
# Values: STR Default:
#
user =
# Option: password
# Notes.: the smtp-user's password if authentification is required.
# Values: STR Default:
#
password =
# Option: from
# Notes.: e-mail address of the sender.
# Values: MAIL Default: fail2ban
#
from = fail2ban
# Option: to
# Notes.: e-mail addresses of the receiver. Addresses are space
# separated.
# Values: MAIL Default: root
#
to = root
# Option: localtime
# Notes.: report local time (including timezone) or GMT
# Values: [true | false] Default: false
#
localtime = true
# Option: subject
# Notes.: subject of the e-mail.
# Tags: <section> active section (eg ssh, apache, etc)
# <ip> IP address
# <failures> number of failures
# <failtime> unix timestamp of the last failure
# Values: TEXT Default: [Fail2Ban] <section>: Banned <ip>
#
subject = [Fail2Ban] <section>: Banned <ip>
# Option: message
# Notes.: message of the e-mail.
# Tags: <section> active section (eg ssh, apache, etc)
# <ip> IP address
# <failures> number of failures
# <failtime> unix timestamp of the last failure
# <br> new line
# Values: TEXT Default:
#
message = Hi,<br>
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <section>.<br>
Regards,<br>
Fail2Ban
# You can define a new section for each log file to check for
# password failure. Each section has to define the following
# options: logfile, fwban, fwunban, timeregex, timepattern,
# failregex.
[Apache]
# Option: enabled
# Notes.: enable monitoring for this section.
# Values: [true | false] Default: false
#
enabled = false
# Option: logfile
# Notes.: logfile to monitor.
# Values: FILE Default: /var/log/httpd/access_log
#
logfile = /var/log/httpd/access_log
# Option: timeregex
# Notes.: regex to match timestamp in Apache logfile. For TAI64N format,
# use timeregex = @[0-9a-f]{24}
# Values: [Wed Jan 05 15:08:01 2005]
# Default: \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
#
timeregex = \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
# Option: timepattern
# Notes.: format used in "timeregex" fields definition. Note that '%' must be
# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule).
# For TAI64N format, use timepattern = tai64n
# Values: TEXT Default: %%a %%b %%d %%H:%%M:%%S %%Y
#
timepattern = %%a %%b %%d %%H:%%M:%%S %%Y
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile.
# Values: TEXT Default: authentication failure|user .* not found
#
failregex = authentication failure|user .* not found
[VSFTPD]
# Option: enabled
# Notes.: enable monitoring for this section.
# Values: [true | false] Default: false
#
enabled = false
# Option: logfile
# Notes.: logfile to monitor.
# Values: FILE Default: /var/log/secure
#
logfile = /var/log/vsftpd.log
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = ftp
# Option: timeregex
# Notes.: regex to match timestamp in VSFTPD logfile.
# Values: [Mar 7 17:53:28]
# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
#
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
# Option: timepattern
# Notes.: format used in "timeregex" fields definition. Note that '%' must be
# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule)
# Values: TEXT Default: %%b %%d %%H:%%M:%%S
#
timepattern = %%b %%d %%H:%%M:%%S
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT Default: Authentication failure|Failed password|Invalid user
#
failregex = FAIL LOGIN
[SSH]
# Option: enabled
# Notes.: enable monitoring for this section.
# Values: [true | false] Default: true
#
enabled = true
# Option: logfile
# Notes.: logfile to monitor.
# Values: FILE Default: /var/log/secure
#
logfile = /var/log/secure
# Option: timeregex
# Notes.: regex to match timestamp in SSH logfile. For TAI64N format,
# use timeregex = @[0-9a-f]{24}
# Values: [Mar 7 17:53:28]
# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
#
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
# Option: timepattern
# Notes.: format used in "timeregex" fields definition. Note that '%' must be
# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule).
# For TAI64N format, use timepattern = tai64n
# Values: TEXT Default: %%b %%d %%H:%%M:%%S
#
timepattern = %%b %%d %%H:%%M:%%S
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT Default: Authentication failure|Failed password|Invalid user
#
failregex = Authentication failure|Failed password|Invalid user
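Review bot: the unban command "fwunban = IP=<ip> && sed -i.old s/ALL:\ $IP// %(hostsdeny)s" is not a safe removal. The dots in $IP are unescaped regex metacharacters and the expression is unanchored, so unbanning 10.0.0.1 also eats the prefix of an "ALL: 10.0.0.12" entry and leaves "2" on that line, while the entry that was meant to go is reduced to an empty line instead of being deleted. Anchor and delete the whole line (a "/^ALL: <ip>$/d" expression with the dots escaped), and say in the comment that "sed -i" rewrites /etc/hosts.deny through a temporary copy, which only works if the user Fail2Ban runs as (the comment above already warns the command runs "with Fail2Ban user rights") may replace that file. Several comments were also copied from the iptables file without being updated: "Default: 100" above "reinittime = 10", "Default: /var/log/secure" above "logfile = /var/log/vsftpd.log", the VSFTPD "Default: Authentication failure|Failed password|Invalid user" above "failregex = FAIL LOGIN", and the fwban/fwunban "Default: iptables ..." lines that no longer describe the hosts.deny commands. The [SSH] section is shipped with "enabled = true" on "logfile = /var/log/secure", whereas the iptables configuration in this same commit uses /var/log/auth.log; for a Debian package the auth.log path is the one that exists, so this file starts up watching a missing log. Finally, "password =" keeps the SMTP password in clear text in /etc/fail2ban.conf; the comment should state that the file must not be world-readable once "user" is set.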


@ -21,13 +21,6 @@ background = true
#
verbose = 1
# Option: debug
# Notes.: enable debug mode. No real commands gets executed but only
# reported, more verbose output, bypass root user test.
# Values: [true | false] Default: false
#
debug = false
# Option: logtargets
# Notes.: log targets. Space separated list of logging targets.
# Values: STDERR SYSLOG file Default: /var/log/fail2ban.log
@ -59,7 +52,8 @@ pidlock = /var/run/fail2ban.pid
maxfailures = 5
# Option: bantime
# Notes.: number of seconds an IP will be banned.
# Notes.: number of seconds an IP will be banned. If set to a negative
# value, IP will never be unbanned (permanent banning).
# Values: NUM Default: 600
#
bantime = 600
@ -74,22 +68,21 @@ findtime = 600
# Notes.: space separated list of IP's to be ignored by fail2ban.
# You can use CIDR mask in order to specify a range.
# Example: ignoreip = 192.168.0.1/24 123.45.235.65
# Values: IP Default:
# Values: IP Default:
#
ignoreip =
ignoreip =
# Option: cmdstart
# Notes.: command executed once at the start of Fail2Ban
# Values: CMD Default:
#
cmdstart =
cmdstart =
# Option: cmdend
# Notes.: command executed once at the end of Fail2Ban.
# Values: CMD Default:
#
cmdend =
cmdend =
# Option: polltime
# Notes.: number of seconds fail2ban sleeps between iterations.
@ -111,15 +104,14 @@ reinittime = 10
#
maxreinits = -1
#
# NOTE: Interpolations
#
# fwstart, as well as fwend, fwcheck, fwban, fwunban, ise interpolations
# so %(__name__)s will be substituted by a name of each section
# (unless the option is overriden in a section).
# If you are going to use interpolations in your setup, please make
# sure that you specified options port and protocol (which also has
# an option in DEFAULT)
# fwstart, as well as fwend, fwcheck, fwban, fwunban, use interpolations
# so %(__name__)s will be substituted by a name of each section
# (unless the option is overriden in a section).
# If you are going to use interpolations in your setup, please make
# sure that you specified options port and protocol (which also has
# an option in DEFAULT).
#
# Option: protocol
@ -173,7 +165,6 @@ fwban = iptables -I fail2ban-%(__name__)s 1 -s <ip> -j DROP
#
fwunban = iptables -D fail2ban-%(__name__)s -s <ip> -j DROP
[MAIL]
# Option: enabled
# Notes.: enable mail notification when banning an IP address.
@ -193,6 +184,19 @@ host = localhost
#
port = 25
# Option: user
# Notes.: the username for smtp-server if authentification is required.
# if user is empty, no authentification is done.
# Values: STR Default:
#
user =
# Option: password
# Notes.: the smtp-user's password if authentification is required.
# Values: STR Default:
#
password =
# Option: from
# Notes.: e-mail address of the sender.
# Values: MAIL Default: fail2ban
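Review bot: "authentification" in the new user and password comments should be "authentication", and since "password =" stores the SMTP password in clear text, the comment should add that /etc/fail2ban.conf must not be world-readable when "user" is non-empty.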
@ -250,20 +254,21 @@ message = Hi,<br>
#
enabled = false
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = http
# Option: logfile
# Notes.: logfile to monitor.
# Values: FILE Default: /var/log/apache/error.log
#
logfile = /var/log/apache/error.log
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = http
# Option: timeregex
# Notes.: regex to match timestamp in Apache error logfile.
# Notes.: regex to match timestamp in Apache logfile. For TAI64N format,
# use timeregex = @[0-9a-f]{24}
# Values: [Wed Jan 05 15:08:01 2005]
# Default: \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
#
@ -271,7 +276,8 @@ timeregex = \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
# Option: timepattern
# Notes.: format used in "timeregex" fields definition. Note that '%' must be
# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule)
# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule).
# For TAI64N format, use timepattern = tai64n
# Values: TEXT Default: %%a %%b %%d %%H:%%M:%%S %%Y
#
timepattern = %%a %%b %%d %%H:%%M:%%S %%Y
@ -289,18 +295,18 @@ failregex = [[]client (?P<host>\S*)[]] user .*(?:: authentication failure|not fo
#
enabled = false
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = http
# Option: logfile
# Notes.: logfile to monitor.
# Values: FILE Default: /var/log/apache/access.log
#
logfile = /var/log/apache/access.log
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = http
# Option: maxfailures
# Notes.: number of failures before IP gets banned.
# Values: NUM Default: 5
@ -327,6 +333,45 @@ timepattern = %%d/%%b/%%Y:%%H:%%M:%%S
#
failregex = ^(?P<host>\S*) -.*"GET .*(?:awstats\.pl\?configdir=|index2\.php\?_REQUEST\[option\].*)\|echo.*
[VSFTPD]
# Option: enabled
# Notes.: enable monitoring for this section.
# Values: [true | false] Default: false
#
enabled = false
# Option: logfile
# Notes.: logfile to monitor.
# Values: FILE Default: /var/log/secure
#
logfile = /var/log/vsftpd.log
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = ftp
# Option: timeregex
# Notes.: regex to match timestamp in VSFTPD logfile.
# Values: [Mar 7 17:53:28]
# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
#
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
# Option: timepattern
# Notes.: format used in "timeregex" fields definition. Note that '%' must be
# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule)
# Values: TEXT Default: %%b %%d %%H:%%M:%%S
#
timepattern = %%b %%d %%H:%%M:%%S
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT Default: Authentication failure|Failed password|Invalid user
#
failregex = FAIL LOGIN
[SSH]
# Option: enabled
# Notes.: enable monitoring for this section.
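Review bot: the new [VSFTPD] section carries comments copied from [SSH] that contradict its own values: "Default: /var/log/secure" sits above "logfile = /var/log/vsftpd.log" and "Default: Authentication failure|Failed password|Invalid user" above "failregex = FAIL LOGIN". Update the Default: lines. The Apache patterns in this file capture the client with a named "(?P<host>\S*)" group, whereas the bare "FAIL LOGIN" pattern captures nothing; either add the group or confirm in the comment that the offending address is still extracted from the rest of the line.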
@ -334,20 +379,21 @@ failregex = ^(?P<host>\S*) -.*"GET .*(?:awstats\.pl\?configdir=|index2\.php\?_RE
#
enabled = true
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = ssh
# Option: logfile
# Notes.: logfile to monitor.
# Values: FILE Default: /var/log/auth.log
#
logfile = /var/log/auth.log
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = ssh
# Option: timeregex
# Notes.: regex to match timestamp in SSH logfile.
# Notes.: regex to match timestamp in SSH logfile. For TAI64N format,
# use timeregex = @[0-9a-f]{24}
# Values: [Mar 7 17:53:28]
# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
#
@ -355,7 +401,8 @@ timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
# Option: timepattern
# Notes.: format used in "timeregex" fields definition. Note that '%' must be
# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule)
# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule).
# For TAI64N format, use timepattern = tai64n
# Values: TEXT Default: %%b %%d %%H:%%M:%%S
#
timepattern = %%b %%d %%H:%%M:%%S


@ -0,0 +1,314 @@
# Fail2Ban configuration file
#
# $Revision: 1.2 $
#
# 2005.06.21 modified for readability Iain Lea iain@bricbrac.de
[DEFAULT]
# Option: background
# Notes.: start fail2ban as a daemon. Output is redirect to logfile.
# Values: [true | false] Default: false
#
background = false
# Option: logtargets
# Notes.: log targets. Space separated list of logging targets.
# Values: STDERR SYSLOG file Default: /var/log/fail2ban.log
#
logtargets = /var/log/fail2ban.log
# Option: syslog-target
# Notes.: where to find syslog facility if logtarget SYSLOG.
# Values: SOCKET HOST HOST:PORT Default: /dev/log
#
syslog-target = /dev/log
# Option: syslog-facility
# Notes.: which syslog facility to use if logtarget SYSLOG.
# Values: NUM Default: 1
#
syslog-facility = 1
# Option: pidlock
# Notes.: path of the PID lock file (must be able to write to file).
# Values: FILE Default: /var/run/fail2ban.pid
#
pidlock = /var/run/fail2ban.pid
# Option: maxfailures
# Notes.: number of failures before IP gets banned.
# Values: NUM Default: 5
#
maxfailures = 5
# Option: bantime
# Notes.: number of seconds an IP will be banned. If set to a negative
# value, IP will never be unbanned (permanent banning).
# Values: NUM Default: 600
#
bantime = 600
# Option: findtime
# Notes.: lifetime in seconds of a "failed" log entry.
# Values: NUM Default: 600
#
findtime = 600
# Option: ignoreip
# Notes.: space separated list of IP's to be ignored by fail2ban.
# You can use CIDR mask in order to specify a range.
# Example: ignoreip = 192.168.0.1/24 123.45.235.65
# Values: IP Default:
#
ignoreip =
# Option: cmdstart
# Notes.: command executed once at the start of Fail2Ban
# Values: CMD Default:
#
cmdstart =
# Option: cmdend
# Notes.: command executed once at the end of Fail2Ban.
# Values: CMD Default:
#
cmdend =
# Option: polltime
# Notes.: number of seconds fail2ban sleeps between iterations.
# Values: NUM Default: 1
#
polltime = 1
# Option: reinittime
# Notes.: minimal number of seconds between the re-initialization of
# firewalls due to external changes in their rules (see fwcheck)
# Values: NUM Default: 100
#
reinittime = 10
# Option: maxreinits
# Notes.: maximal number of re-initialization of firewalls due to external
# changes. -1 stays for infinite, so only reinittime is of importance
# Values: NUM Default: -1
#
maxreinits = -1
# NOTE: Interpolations
#
# fwstart, as well as fwend, fwcheck, fwban, fwunban, use interpolations
# so %(__name__)s will be substituted by a name of each section
# (unless the option is overriden in a section).
# If you are going to use interpolations in your setup, please make
# sure that you specified options port and protocol (which also has
# an option in DEFAULT).
#
# Option: fwban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <failtime> unix timestamp of the last failure
# <bantime> unix timestamp of the ban time
# Values: CMD
# Default: iptables -I INPUT 1 -s <ip> -j DROP
#
fwban = shorewall drop <ip>
# Option: fwunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <bantime> unix timestamp of the ban time
# <unbantime> unix timestamp of the unban time
# Values: CMD
# Default: iptables -D INPUT -s <ip> -j DROP
#
fwunban = shorewall allow <ip>
[MAIL]
# Option: enabled
# Notes.: enable mail notification when banning an IP address.
# Values: [true | false] Default: false
#
enabled = false
# Option: host
# Notes.: host running the mail server.
# Values: STR Default: localhost
#
host = localhost
# Option: port
# Notes.: port of the mail server.
# Values: INT Default: 25
#
port = 25
# Option: user
# Notes.: the username for smtp-server if authentification is required.
# if user is empty, no authentification is done.
# Values: STR Default:
#
user =
# Option: password
# Notes.: the smtp-user's password if authentification is required.
# Values: STR Default:
#
password =
# Option: from
# Notes.: e-mail address of the sender.
# Values: MAIL Default: fail2ban
#
from = fail2ban
# Option: to
# Notes.: e-mail addresses of the receiver. Addresses are space
# separated.
# Values: MAIL Default: root
#
to = root
# Option: localtime
# Notes.: report local time (including timezone) or GMT
# Values: [true | false] Default: false
#
localtime = true
# Option: subject
# Notes.: subject of the e-mail.
# Tags: <section> active section (eg ssh, apache, etc)
# <ip> IP address
# <failures> number of failures
# <failtime> unix timestamp of the last failure
# Values: TEXT Default: [Fail2Ban] <section>: Banned <ip>
#
subject = [Fail2Ban] <section>: Banned <ip>
# Option: message
# Notes.: message of the e-mail.
# Tags: <section> active section (eg ssh, apache, etc)
# <ip> IP address
# <failures> number of failures
# <failtime> unix timestamp of the last failure
# <br> new line
# Values: TEXT Default:
#
message = Hi,<br>
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <section>.<br>
Regards,<br>
Fail2Ban
# You can define a new section for each log file to check for
# password failure. Each section has to define the following
# options: logfile, fwban, fwunban, timeregex, timepattern,
# failregex.
[Apache]
# Option: enabled
# Notes.: enable monitoring for this section.
# Values: [true | false] Default: false
#
enabled = false
# Option: logfile
# Notes.: logfile to monitor.
# Values: FILE Default: /var/log/httpd/access_log
#
logfile = /var/log/httpd/access_log
# Option: timeregex
# Notes.: regex to match timestamp in Apache logfile. For TAI64N format,
# use timeregex = @[0-9a-f]{24}
# Values: [Wed Jan 05 15:08:01 2005]
# Default: \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
#
timeregex = \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
# Option: timepattern
# Notes.: format used in "timeregex" fields definition. Note that '%' must be
# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule).
# For TAI64N format, use timepattern = tai64n
# Values: TEXT Default: %%a %%b %%d %%H:%%M:%%S %%Y
#
timepattern = %%a %%b %%d %%H:%%M:%%S %%Y
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile.
# Values: TEXT Default: authentication failure|user .* not found
#
failregex = authentication failure|user .* not found
[VSFTPD]
# Option: enabled
# Notes.: enable monitoring for this section.
# Values: [true | false] Default: false
#
enabled = false
# Option: logfile
# Notes.: logfile to monitor.
# Values: FILE Default: /var/log/secure
#
logfile = /var/log/vsftpd.log
# Option: timeregex
# Notes.: regex to match timestamp in VSFTPD logfile.
# Values: [Mar 7 17:53:28]
# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
#
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
# Option: timepattern
# Notes.: format used in "timeregex" fields definition. Note that '%' must be
# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule)
# Values: TEXT Default: %%b %%d %%H:%%M:%%S
#
timepattern = %%b %%d %%H:%%M:%%S
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT Default: Authentication failure|Failed password|Invalid user
#
failregex = FAIL LOGIN
[SSH]
# Option: enabled
# Notes.: enable monitoring for this section.
# Values: [true | false] Default: true
#
enabled = true
# Option: logfile
# Notes.: logfile to monitor.
# Values: FILE Default: /var/log/secure
#
logfile = /var/log/secure
# Option: timeregex
# Notes.: regex to match timestamp in SSH logfile. For TAI64N format,
# use timeregex = @[0-9a-f]{24}
# Values: [Mar 7 17:53:28]
# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
#
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
# Option: timepattern
# Notes.: format used in "timeregex" fields definition. Note that '%' must be
# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule).
# For TAI64N format, use timepattern = tai64n
# Values: TEXT Default: %%b %%d %%H:%%M:%%S
#
timepattern = %%b %%d %%H:%%M:%%S
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT Default: Authentication failure|Failed password|Invalid user
#
failregex = Authentication failure|Failed password|Invalid user
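Review bot: the same copy-and-paste problems as the hosts.deny file: "Default: iptables -I INPUT 1 -s <ip> -j DROP" and "Default: iptables -D INPUT -s <ip> -j DROP" sit above "fwban = shorewall drop <ip>" and "fwunban = shorewall allow <ip>", "Default: 100" above "reinittime = 10", the VSFTPD "Default: /var/log/secure" and failregex Default: comments do not match their values, and [SSH] is "enabled = true" on /var/log/secure while the iptables configuration in this commit uses /var/log/auth.log. The interpolation note asks the user to set "port and protocol", yet no section in this file defines them and the shorewall commands do not use them; drop the note or add the options. Since "shorewall drop"/"shorewall allow" change the firewall, the "Fail2Ban user rights" warning should say outright that these commands need root.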

debian/TODO vendored

@ -1,4 +1,7 @@
* Collect more sections for other log files
* Compose a filter for logwatch
* Compose a filter for logwatch (almost done -- testing, submission)
* In the next release split file configuration will be implemented,
that is why no split files is enabled for current release
(as of v0.6.1 Sun Mar 19 00:18:08 EST 2006)
-- debian@onerussian.com
-- Yaroslav O. Halchenko <debian@onerussian.com>, Sun Jan 15 15:18:13 2006

debian/changelog vendored

@ -1,3 +1,9 @@
fail2ban (0.6.1-0.1) unstable; urgency=low
* New upstream release
-- Yaroslav Halchenko <debian@onerussian.com> Sat, 18 Mar 2006 23:11:53 -0500
fail2ban (0.6.0-8) unstable; urgency=low
* Minor adjustments to reduce the deviation from the upstream code
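Review bot: "fail2ban (0.6.1-0.1)" breaks the -N revision sequence of the preceding "fail2ban (0.6.0-8)" entries signed by the same maintainer; unless this is deliberately a non-maintainer upload (the -0.N form is the convention for those), the new upstream release should be 0.6.1-1.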


@ -18,15 +18,22 @@
# Author: Cyril Jaquier
#
# $Revision: 1.5 $
# $Revision: 1.7 $
__author__ = "Cyril Jaquier"
__version__ = "$Revision: 1.5 $"
__date__ = "$Date: 2005/11/20 17:07:47 $"
__version__ = "$Revision: 1.7 $"
__date__ = "$Date: 2005/12/27 15:09:50 $"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"
import sys, traceback, logging
import sys, traceback, logging, locale
# Set the locale with the user's default setting
try:
locale.setlocale(locale.LC_ALL, '')
except Exception:
print "Unable to set locale to " + `locale.getdefaultlocale()`
sys.exit(-1)
# Inserts our own modules path first in the list
# fix for bug #343821
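Review bot: a failing setlocale() now aborts the whole daemon with sys.exit(-1) before any logging is configured, and the message goes to stdout via print; an unset or bogus LANG in an init script environment should not keep the ban daemon from starting. Catch locale.Error rather than Exception, write the message to sys.stderr, and fall back to locale.setlocale(locale.LC_ALL, 'C') instead of exiting.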
@ -42,8 +49,9 @@ logSys = logging.getLogger("fail2ban")
# Get PID lock file instance
pidLock = PIDLock()
# Start the application. Handle all the unhandled exceptions
# Handle all the unhandled exceptions
try:
# Start the application
fail2ban.main()
except SystemExit:
# We called sys.exit(). Nothing wrong so just pass


@ -15,13 +15,13 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
# Author: Cyril Jaquier
# Modified by: Yaroslav Halchenko (SYSLOG, findtime)
#
# $Revision: 1.21 $
# Modified by: Yaroslav Halchenko (SYSLOG, findtime, and oth)
#
# $Revision: 1.24 $
__author__ = "Cyril Jaquier"
__version__ = "$Revision: 1.21 $"
__date__ = "$Date: 2005/11/20 17:07:47 $"
__version__ = "$Revision: 1.24 $"
__date__ = "$Date: 2006/01/22 11:10:29 $"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"
@ -206,13 +206,14 @@ def main():
stdout.setFormatter(formatter)
conf["kill"] = False
conf["debug"] = False
conf["verbose"] = 0
conf["conffile"] = "/etc/fail2ban.conf"
# Reads the command line options.
try:
cmdOpts = 'hvVbdkc:t:f:i:r:p:e:'
cmdLongOpts = ['help', 'version']
cmdLongOpts = ['help','version']
optList, args = getopt.getopt(sys.argv[1:], cmdOpts, cmdLongOpts)
except getopt.GetoptError:
dispUsage()
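Review bot: `cmdLongOpts = ['help','version']` only drops the space after the comma that PEP 8 asks for; this is pure churn against the upstream code the Debian changelog says it is trying to stay close to, so revert it.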
@ -228,7 +229,7 @@ def main():
# Reads the config file and create a LogReader instance for
# each log file to check.
confReader = ConfigReader(conf["conffile"]);
confReader = ConfigReader(conf["conffile"])
confReader.openConf()
# Options
@ -264,7 +265,7 @@ def main():
# PID lock
pidLock.setPath(conf["pidlock"])
# Now we can kill properly a running instance if needed
if conf["kill"]:
pid = pidLock.exists()
@ -289,7 +290,7 @@ def main():
# Bug fix for #1234699
os.umask(0077)
for target in conf["logtargets"].split():
# target formatter
# target formatter
# By default global formatter is taken. Is different for SYSLOG
tformatter = formatter
if target == "STDERR":
@ -335,9 +336,7 @@ def main():
# Set formatter and add handler to logger
hdlr.setFormatter(tformatter)
logSys.addHandler(hdlr)
# Process some options
# Verbose level
if conf["verbose"]:
logSys.warn("Verbose level is "+`conf["verbose"]`)
@ -345,14 +344,14 @@ def main():
logSys.setLevel(logging.INFO)
elif conf["verbose"] > 1:
logSys.setLevel(logging.DEBUG)
# Set debug log level
if conf["debug"]:
logSys.setLevel(logging.DEBUG)
formatterstring = ('%(levelname)s: [%(filename)s (%(lineno)d)] ' +
if conf["verbose"] > 2:
formatterstring = ('%(levelname)s: [%(filename)s (%(lineno)d)] ' +
'%(message)s')
formatter = logging.Formatter("%(asctime)s " + formatterstring)
stdout.setFormatter(formatter)
formatter = logging.Formatter("%(asctime)s " + formatterstring)
stdout.setFormatter(formatter)
# Debug mode. Should only be used by developers
if conf["debug"]:
logSys.warn("DEBUG MODE: FIREWALL COMMANDS ARE _NOT_ EXECUTED BUT " +
"ONLY DISPLAYED IN THE LOG MESSAGES")
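Review bot: the new `if conf["verbose"] > 2` branch builds the filename/lineno formatter and sets it on `stdout` only, but the handlers for the configured log targets were created in the loop above with `tformatter = formatter` and added via logSys.addHandler(hdlr) before this point, so a file or SYSLOG target never sees the detailed format. Build the formatter before the target loop, or apply it to every handler that was added.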
@ -365,7 +364,7 @@ def main():
logSys.error("You must be root")
if not conf["debug"]:
sys.exit(-1)
# Checks that no instance of Fail2Ban is currently running.
pid = pidLock.exists()
if pid:
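Review bot: the debug mode is only half removed. The man page hunk below drops -d and the DEBUG MODE warning is gone, yet cmdOpts 'hvVbdkc:t:f:i:r:p:e:' still accepts 'd', conf["debug"] = False is still initialised, and this hunk still consults it (`if not conf["debug"]: sys.exit(-1)` after "You must be root"). If the getopt handling loop (not in this diff) still maps -d to conf["debug"], the root check remains bypassable with an undocumented flag. Drop 'd' from cmdOpts, remove conf["debug"], make the root check unconditional, and drop the `debug` argument still threaded through Firewall.runCheck/checkForUnBan below.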
@ -388,6 +387,8 @@ def main():
["int", "port", "25"],
["str", "from", "root"],
["str", "to", "root"],
["str", "user", ''],
["str", "password", ''],
["bool", "localtime", False],
["str", "subject", "[Fail2Ban] Banned <ip>"],
["str", "message", "Fail2Ban notification"])
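Review bot: "user" and "password" add an SMTP credential that is read from fail2ban.conf in the clear, with no documentation of that fact. Since the file is parsed as root, document in the [MAIL] section that it must be readable only by root (mode 0600) when a password is set, and make sure the value never reaches the debug logging that prints to/from a few lines below.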
@ -400,6 +401,8 @@ def main():
logSys.debug("Mail enabled")
mail = Mail(mailConf["host"], mailConf["port"])
mail.setFromAddr(mailConf["from"])
mail.setUser(mailConf["user"])
mail.setPassword(mailConf["password"])
mail.setToAddr(mailConf["to"])
mail.setLocalTimeFlag(mailConf["localtime"])
logSys.debug("to: " + mailConf["to"] + " from: " + mailConf["from"])
@ -458,10 +461,10 @@ def main():
element[1].addIgnoreIP(ip)
else:
logSys.warn(ip + " is not a valid IP address")
# Startup loop -- necessary to avoid crash if it takes time for iptables
# to startup
# To avoid introduction of new config options, reusing maxreinits and polltime
# to startup. To avoid introduction of new config options, reusing
# maxreinits and polltime.
reinits = 0
while True:
try:
@ -471,9 +474,10 @@ def main():
reinits += 1
logSys.warn(e)
if conf["maxreinits"] < 0 or (reinits < conf["maxreinits"]):
logSys.warn("#%d attempt to initialize the firewalls"%reinits)
logSys.warn("#%d attempt to initialize the firewalls" % reinits)
else:
logSys.error("Exiting: Too many attempts to initialize the firewall")
logSys.error("Exiting: Too many attempts to initialize the " +
"firewall")
killApp()
time.sleep(conf["polltime"])
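Review bot: in the else branch killApp() is followed by time.sleep(conf["polltime"]) and another loop iteration; if killApp() does not terminate the process synchronously the loop keeps retrying after the "Too many attempts" error. Add a break (or sys.exit) after killApp(), and document in fail2ban.conf that maxreinits < 0 retries forever, as the `conf["maxreinits"] < 0` test implies.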


@ -16,11 +16,11 @@
# Author: Cyril Jaquier
#
# $Revision: 1.9 $
# $Revision: 1.10 $
__author__ = "Cyril Jaquier"
__version__ = "$Revision: 1.9 $"
__date__ = "$Date: 2005/11/20 17:07:47 $"
__version__ = "$Revision: 1.10 $"
__date__ = "$Date: 2005/12/16 23:48:52 $"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"
@ -86,7 +86,11 @@ class Firewall:
ip = aInfo["ip"]
if not self.inBanList(ip):
crtTime = time.time()
logSys.warn("%s: Ban "%self.section + ip)
if self.banTime < 0:
banMsg = "Ban (permanent)"
else:
banMsg = "Ban (%d s)"%self.banTime
logSys.warn("%s: %s "%(self.section, banMsg) + ip)
self.banList[ip] = crtTime
aInfo["bantime"] = crtTime
self.runCheck(debug)
@ -138,8 +142,12 @@ class Firewall:
return None
def checkForUnBan(self, debug):
""" Check for IP to remove from ban list.
""" Check for IP to remove from ban list. If banTime is smaller than
zero, IP will be never removed.
"""
if self.banTime < 0:
# Permanent banning
return
banListTemp = self.banList.copy()
for element in banListTemp.iteritems():
btime = element[1]
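Review bot: docstring grammar: "IP will be never removed" should read "the IP will never be removed". More importantly, the early return means a permanent ban lives only in self.banList and in the running firewall: unless something outside this hunk re-adds entries on startup, a restart of fail2ban or a flush of the iptables chain drops every "permanent" ban, and banList grows without bound for the lifetime of the daemon. State both consequences in the banTime documentation in fail2ban.conf.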


@ -16,11 +16,11 @@
# Author: Cyril Jaquier
#
# $Revision: 1.14 $
# $Revision: 1.16 $
__author__ = "Cyril Jaquier"
__version__ = "$Revision: 1.14 $"
__date__ = "$Date: 2005/11/20 17:07:47 $"
__version__ = "$Revision: 1.16 $"
__date__ = "$Date: 2006/01/03 15:13:04 $"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"
@ -210,7 +210,18 @@ class LogReader:
Pattern should describe the date construction of
value.
"""
date = list(time.strptime(value, self.timepattern))
try:
# Check if the parsed value is in TAI64N format
if not self.timepattern.lower() == "tai64n":
date = list(time.strptime(value, self.timepattern))
else:
# extract part of format which represents seconds since epoch
seconds_since_epoch = value[2:17]
date = list(time.gmtime(int(seconds_since_epoch, 16)))
except ValueError, e:
logSys.error(e)
logSys.error("Please check the format and your locale settings.")
return None
if date[0] < 2000:
# There is probably no year field in the logs
date[0] = time.gmtime()[0]
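Review bot: `value[2:17]` is a magic slice. It works only because a TAI64N label is "@" followed by 16 hex digits of 2^62 + seconds (0x4000000000000000 + s) and 8 hex digits of nanoseconds, so skipping the "@4" drops exactly the 2^62 offset; say so in the comment instead of "extract part of format which represents seconds since epoch". Two caveats worth a comment too: the count is TAI seconds, ahead of UTC by the leap seconds accumulated since 1972 (23 s in 2006), and the nanosecond digits are discarded, both harmless at findtime granularity. Also confirm every caller of this method copes with the new `return None` on a parse error, since previously a bad line raised.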


@ -14,9 +14,6 @@ firewall rules to reject the IP address.
\fB\-b\fR
start in background
.TP
\fB\-d\fR
start in debug mode. Commands are NOT executed but only displayed
.TP
\fB\-c\fR \fIFILE\fR
read configuration file \fIFILE\fR
.TP


@ -18,11 +18,11 @@
# Author: Cyril Jaquier
#
# $Revision: 1.5 $
# $Revision: 1.6 $
__author__ = "Cyril Jaquier"
__version__ = "$Revision: 1.5 $"
__date__ = "$Date: 2005/11/20 17:07:47 $"
__version__ = "$Revision: 1.6 $"
__date__ = "$Date: 2006/01/22 11:08:42 $"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"
@ -78,5 +78,5 @@ if obsoleteFiles:
if argv[1] == "install":
print
print "Please do not forget to update your configuration file."
print "Use config/fail2ban.conf.default as example."
print "Use config/fail2ban.conf.* as example."
print
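Review bot: "Use config/fail2ban.conf.* as example." points at a glob, so a fresh installer does not know which of the config/fail2ban.conf.* files to copy; name the default file in the message and say that the others are per-backend variants.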


@ -16,11 +16,11 @@
# Author: Cyril Jaquier
#
# $Revision: 1.2 $
# $Revision: 1.3 $
__author__ = "Cyril Jaquier"
__version__ = "$Revision: 1.2 $"
__date__ = "$Date: 2005/11/20 17:07:47 $"
__version__ = "$Revision: 1.3 $"
__date__ = "$Date: 2006/01/03 15:13:41 $"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"
@ -44,6 +44,16 @@ class Mail:
""" Set from: address
"""
self.fromAddr = fromAddr
def setUser(self, user):
""" Set smtpuser
"""
self.user = user
def setPassword(self, password):
""" Set smtppassword
"""
self.password = password
def setToAddr(self, toAddr):
""" Set to: address
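Review bot: setUser/setPassword have no counterpart defaults in the constructor (not shown in this diff), so a caller that never invokes setUser() gets an AttributeError on self.user inside sendmail(); initialise self.user = '' and self.password = '' in __init__. Docstrings "Set smtpuser" / "Set smtppassword" should read "Set SMTP user name" / "Set SMTP password".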
@ -69,6 +79,8 @@ class Mail:
try:
server = smtplib.SMTP(self.host, self.port)
#server.set_debuglevel(1)
if not self.user == '':
server.login(self.user, self.password)
server.sendmail(self.fromAddr, self.toAddr, mail)
logSys.debug("Email sent to " + `self.toAddr`)
server.quit()
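Review bot: server.login() is issued on a plain smtplib.SMTP connection, so with AUTH PLAIN or LOGIN the password crosses the network in the clear. Call server.ehlo() and server.starttls() (then ehlo() again) before login when the server advertises STARTTLS, and make sure the SMTPAuthenticationError that login() raises on a bad password is handled by the surrounding try so a misconfigured credential is logged rather than aborting the ban notification.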


@ -16,12 +16,12 @@
# Author: Cyril Jaquier
#
# $Revision: 1.13 $
# $Revision: 1.15 $
__author__ = "Cyril Jaquier"
__version__ = "$Revision: 1.13 $"
__date__ = "$Date: 2005/11/20 17:07:47 $"
__version__ = "$Revision: 1.15 $"
__date__ = "$Date: 2006/03/15 23:07:12 $"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"
version = "0.6.0"
version = "0.6.1"