github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

decided to use "interpolations" in the config file to make it more readable

debian-releases/etch debian/0.6.0-3
Yaroslav Halchenko 2006-01-15 20:18:39 +00:00
parent a0dfb0f9e6
commit 55d7440fe1
4 changed files with 99 additions and 94 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

164
config/fail2ban.conf.default
View File

@ -111,6 +111,68 @@ reinittime = 10
# #
maxreinits = -1 maxreinits = -1
#
# NOTE: Interpolations
#
# fwstart, as well as fwend, fwcheck, fwban, fwunban, ise interpolations
# so %(__name__)s will be substituted by a name of each section
# (unless the option is overriden in a section).
# If you are going to use interpolations in your setup, please make
# sure that you specified options port and protocol (which also has
# an option in DEFAULT)
#
# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp
# Option: fwstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD Default:
#
fwstart = iptables -N fail2ban-%(__name__)s
iptables -A fail2ban-%(__name__)s -j RETURN
iptables -I INPUT -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s
# Option: fwend
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD Default:
#
fwend = iptables -D INPUT -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s
iptables -F fail2ban-%(__name__)s
iptables -X fail2ban-%(__name__)s
# Option: fwcheck
# Notes.: command executed once before each fwban command
# Values: CMD Default:
#
fwcheck = iptables -L INPUT | grep -q fail2ban-%(__name__)s
# Option: fwban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <failtime> unix timestamp of the last failure
# <bantime> unix timestamp of the ban time
# Values: CMD
# Default: iptables -I INPUT 1 -s <ip> -j DROP
#
fwban = iptables -I fail2ban-%(__name__)s 1 -s <ip> -j DROP
# Option: fwunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <bantime> unix timestamp of the ban time
# <unbantime> unix timestamp of the unban time
# Values: CMD
# Default: iptables -D INPUT -s <ip> -j DROP
#
fwunban = iptables -D fail2ban-%(__name__)s -s <ip> -j DROP
[MAIL] [MAIL]
# Option: enabled # Option: enabled
@ -188,57 +250,18 @@ message = Hi,<br>
# #
enabled = false enabled = false
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = http
# Option: logfile # Option: logfile
# Notes.: logfile to monitor. # Notes.: logfile to monitor.
# Values: FILE Default: /var/log/apache/access.log # Values: FILE Default: /var/log/apache/access.log
# #
logfile = /var/log/apache/access.log logfile = /var/log/apache/access.log
# Option: fwstart
# Notes.: command executed once at the start of Fail2Ban
# Values: CMD Default:
#
fwstart = iptables -N fail2ban-http
iptables -A fail2ban-http -j RETURN
iptables -I INPUT -p tcp --dport http -j fail2ban-http
# Option: fwend
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD Default:
#
fwend = iptables -D INPUT -p tcp --dport http -j fail2ban-http
iptables -F fail2ban-http
iptables -X fail2ban-http
# Option: fwcheck
# Notes.: command executed once before each fwban command
# Values: CMD Default:
#
fwcheck = iptables -L INPUT | grep -q fail2ban-http
# Option: fwban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <failtime> unix timestamp of the last failure
# <bantime> unix timestamp of the ban time
# Values: CMD
# Default: iptables -I INPUT 1 -s <ip> -j DROP
#
fwban = iptables -I fail2ban-http 1 -s <ip> -j DROP
# Option: fwunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <bantime> unix timestamp of the ban time
# <unbantime> unix timestamp of the unban time
# Values: CMD
# Default: iptables -D INPUT -s <ip> -j DROP
#
fwunban = iptables -D fail2ban-http -s <ip> -j DROP
# Option: timeregex # Option: timeregex
# Notes.: regex to match timestamp in Apache logfile. # Notes.: regex to match timestamp in Apache logfile.
# Values: [Wed Jan 05 15:08:01 2005] # Values: [Wed Jan 05 15:08:01 2005]
@ -267,57 +290,18 @@ failregex = [[]client (?P<host>\S*)[]] user .*(?:: authentication failure|not fo
# #
enabled = true enabled = true
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = ssh
# Option: logfile # Option: logfile
# Notes.: logfile to monitor. # Notes.: logfile to monitor.
# Values: FILE Default: /var/log/auth.log # Values: FILE Default: /var/log/auth.log
# #
logfile = /var/log/auth.log logfile = /var/log/auth.log
# Option: fwstart
# Notes.: command executed once at the start of Fail2Ban
# Values: CMD Default:
#
fwstart = iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-ssh
# Option: fwend
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD Default:
#
fwend = iptables -D INPUT -p tcp --dport ssh -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh
# Option: fwcheck
# Notes.: command executed once before each fwban command
# Values: CMD Default:
#
fwcheck = iptables -L INPUT | grep -q fail2ban-ssh
# Option: fwbanrule
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <failtime> unix timestamp of the last failure
# <bantime> unix timestamp of the ban time
# Values: CMD
# Default: iptables -I INPUT 1 -s <ip> -j DROP
#
fwban = iptables -I fail2ban-ssh 1 -s <ip> -j DROP
# Option: fwunbanrule
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <bantime> unix timestamp of the ban time
# <unbantime> unix timestamp of the unban time
# Values: CMD
# Default: iptables -D INPUT -s <ip> -j DROP
#
fwunban = iptables -D fail2ban-ssh -s <ip> -j DROP
# Option: timeregex # Option: timeregex
# Notes.: regex to match timestamp in SSH logfile. # Notes.: regex to match timestamp in SSH logfile.
# Values: [Mar 7 17:53:28] # Values: [Mar 7 17:53:28]

2
confreader/configreader.py
View File

@ -80,6 +80,8 @@ class ConfigReader:
v = self.configParser.get(sec, option[1]) v = self.configParser.get(sec, option[1])
values[option[1]] = v values[option[1]] = v
logSys.debug("%s: Accepted value %s=%s"%(
sec, option[1], `v`))
except NoOptionError: except NoOptionError:
logSys.warn("No '" + option[1] + "' defined in '" + sec + logSys.warn("No '" + option[1] + "' defined in '" + sec +
"'. Using default one: '" + `option[2]` + "'") "'. Using default one: '" + `option[2]` + "'")

15
debian/README.Debian vendored
View File

@ -34,6 +34,19 @@ just a single group (?P<host>...)
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330827 [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330827
"Interpolations" in the config file:
Since version 0.6.0-3 to reduce duplication, thus to improve
readability of the config file, interpolations provided by the module
ConfigParser are used. If you had custom sections defined before, you
might benefit from updating config file and adding appropriate
information for the new sections.
N.B. If you have some nice additional sections defined, I would really
appreciate if you share them with me, so they could be eventually
included in the fail2ban package for general use by the rest of the
community.
Mailing: Mailing:
As it was reported (bug #329722) you might need to provide a full As it was reported (bug #329722) you might need to provide a full
@ -60,4 +73,4 @@ had enough of failed logins within "findtime" will be banned for
"bantime" since [re]start moment, not since the last failed login "bantime" since [re]start moment, not since the last failed login
time. time.
-- Yaroslav O. Halchenko <debian@onerussian.com>, Sun Nov 20 21:44:56 2005 -- Yaroslav O. Halchenko <debian@onerussian.com>, Sun Jan 15 15:18:13 2006

6
debian/changelog vendored
View File

@ -1,6 +1,12 @@
fail2ban (0.6.0-3) unstable; urgency=low fail2ban (0.6.0-3) unstable; urgency=low
* ignoreip is now empty by default (closes: #347766) * ignoreip is now empty by default (closes: #347766)
* increased verbosity in verbose=2 mode: now prints options accepted
from the config file
* to make fail2ban.conf more compact, thus to improve its readability,
fail2ban.conf was converted to use "interpolations" provided by
ConfigParser class. fw{start,end,{,un}ban} options were moved into
DEFAULT section and required options (port, protocol) were added
-- Yaroslav Halchenko <debian@onerussian.com> Thu, 12 Jan 2006 18:32:14 -0500 -- Yaroslav Halchenko <debian@onerussian.com> Thu, 12 Jan 2006 18:32:14 -0500