From 743a531eb59a4f3704dda68557fb34481538e159 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Sat, 21 May 2016 10:08:54 -0400 Subject: [PATCH 1/8] BF: make :port and I=[ip]:port optional for a "AUTH command used when not advertised" Closes #1430 --- config/filter.d/exim.conf | 2 +- fail2ban/tests/files/logs/exim | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/config/filter.d/exim.conf b/config/filter.d/exim.conf index 4aadf15c..54ad20d8 100644 --- a/config/filter.d/exim.conf +++ b/config/filter.d/exim.conf @@ -18,7 +18,7 @@ failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user| ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$ ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$ ^%(pid)s SMTP call from \S+ \[\](:\d+)? (I=\[\S+\](:\d+)? )?dropped: too many nonmail commands \(last was "\S+"\)\s*$ - ^%(pid)s SMTP protocol error in "AUTH \S*(| \S*)" H=(|\S* )(|\(\S*\) )\[\]\:\d+ I=\[\S*\]\:\d+ AUTH command used when not advertised\s*$ + ^%(pid)s SMTP protocol error in "AUTH \S*(| \S*)" H=(|\S* )(|\(\S*\) )\[\](?:\:\d+)? (?:I=\[\S*\]\:\d+ )?AUTH command used when not advertised\s*$ ^%(pid)s no MAIL in SMTP connection from (|\S* )(|\(\S*\) )\[\]\:\d+ I=\[\S*\]\:\d+ D=\d+s(| C=\S*)\s*$ ^%(pid)s \S+ SMTP connection from (|\S* )(|\(\S*\) )\[\]\:\d+ I=\[\S*\]\:\d+ closed by DROP in ACL\s*$ diff --git a/fail2ban/tests/files/logs/exim b/fail2ban/tests/files/logs/exim index a3b287d4..4b3a7ff5 100644 --- a/fail2ban/tests/files/logs/exim +++ b/fail2ban/tests/files/logs/exim 
@@ -48,6 +48,8 @@ 2016-03-18 00:34:06 [7513] SMTP protocol error in "AUTH LOGIN" H=(ylmf-pc) [45.32.34.167]:60723 I=[172.89.0.6]:587 AUTH command used when not advertised # failJSON: { "time": "2016-03-19T18:40:44", "match": true , "host": "92.45.204.170" } 2016-03-19 18:40:44 [26221] SMTP protocol error in "AUTH LOGIN aW5mb0BtYW5iYXQub3Jn" H=([127.0.0.1]) [92.45.204.170]:14243 I=[172.89.0.6]:587 AUTH command used when not advertised +# failJSON: { "time": "2016-05-17T06:25:27", "match": true , "host": "69.10.61.61", "desc": "from gh-1430" } +2016-05-17 06:25:27 SMTP protocol error in "AUTH LOGIN" H=(ylmf-pc) [69.10.61.61] AUTH command used when not advertised # failJSON: { "time": "2016-03-21T06:38:05", "match": true , "host": "49.212.207.15" } 2016-03-21 06:38:05 [5718] no MAIL in SMTP connection from www3005.sakura.ne.jp [49.212.207.15]:28890 I=[172.89.0.6]:25 D=21s C=EHLO,STARTTLS # failJSON: { "time": "2016-03-21T06:57:36", "match": true , "host": "122.165.71.116" } From 8b8cf2a660b5727d2a864b61917d4279f80c1b60 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Sat, 21 May 2016 10:27:16 -0400 Subject: [PATCH 2/8] ENH: exim filters -- make more use of %(host_info)s which in turn made more flexible --- config/filter.d/exim-common.conf | 2 +- config/filter.d/exim.conf | 8 ++++---- fail2ban/tests/files/logs/exim | 2 ++ 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/config/filter.d/exim-common.conf b/config/filter.d/exim-common.conf index 1c0a0a20..8f9553fe 100644 --- a/config/filter.d/exim-common.conf +++ b/config/filter.d/exim-common.conf @@ -9,7 +9,7 @@ after = exim-common.local [Definition] -host_info = H=([\w.-]+ )?(\(\S+\) )?\[\](:\d+)? (I=\[\S+\]:\d+ )?(U=\S+ )?(P=e?smtp )? +host_info = (H=([\w.-]+ )?(\(\S+\) )?)?\[\](:\d+)? (I=\[\S+\](:\d+)? )?(U=\S+ )?(P=e?smtp )? pid = ( \[\d+\])? # DEV Notes: diff --git a/config/filter.d/exim.conf b/config/filter.d/exim.conf index 54ad20d8..517e3de7 100644 --- a/config/filter.d/exim.conf 
+++ b/config/filter.d/exim.conf @@ -17,10 +17,10 @@ failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user| ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[\](:\d+)?( I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$ ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$ ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$ - ^%(pid)s SMTP call from \S+ \[\](:\d+)? (I=\[\S+\](:\d+)? )?dropped: too many nonmail commands \(last was "\S+"\)\s*$ - ^%(pid)s SMTP protocol error in "AUTH \S*(| \S*)" H=(|\S* )(|\(\S*\) )\[\](?:\:\d+)? (?:I=\[\S*\]\:\d+ )?AUTH command used when not advertised\s*$ - ^%(pid)s no MAIL in SMTP connection from (|\S* )(|\(\S*\) )\[\]\:\d+ I=\[\S*\]\:\d+ D=\d+s(| C=\S*)\s*$ - ^%(pid)s \S+ SMTP connection from (|\S* )(|\(\S*\) )\[\]\:\d+ I=\[\S*\]\:\d+ closed by DROP in ACL\s*$ + ^%(pid)s SMTP call from \S+ %(host_info)sdropped: too many nonmail commands \(last was "\S+"\)\s*$ + ^%(pid)s SMTP protocol error in "AUTH \S*(| \S*)" %(host_info)sAUTH command used when not advertised\s*$ + ^%(pid)s no MAIL in SMTP connection from (|\S* )(|\(\S*\) )%(host_info)sD=\d+s(| C=\S*)\s*$ + ^%(pid)s \S+ SMTP connection from (|\S* )(|\(\S*\) )%(host_info)sclosed by DROP in ACL\s*$ ignoreregex = diff --git a/fail2ban/tests/files/logs/exim b/fail2ban/tests/files/logs/exim index 4b3a7ff5..9da5ff22 100644 --- a/fail2ban/tests/files/logs/exim +++ b/fail2ban/tests/files/logs/exim 
@@ -54,6 +54,8 @@ 2016-03-21 06:38:05 [5718] no MAIL in SMTP connection from www3005.sakura.ne.jp [49.212.207.15]:28890 I=[172.89.0.6]:25 D=21s C=EHLO,STARTTLS # failJSON: { "time": "2016-03-21T06:57:36", "match": true , "host": "122.165.71.116" } 2016-03-21 06:57:36 [5908] no MAIL in SMTP connection from [122.165.71.116]:2056 I=[172.89.0.6]:25 D=10s +# failJSON: { "time": "2016-03-21T06:57:36", "match": true , "host": "122.165.71.116" } +2016-03-21 06:57:36 [5908] no MAIL in SMTP connection from [122.165.71.116]:2056 I=[172.89.0.6]:25 D=10s # failJSON: { "time": "2016-03-21T04:07:49", "match": true , "host": "174.137.147.204" } 2016-03-21 04:07:49 [25874] 1ahr79-0006jK-G9 SMTP connection from (voyeur.webair.com) [174.137.147.204]:44884 I=[172.89.0.6]:25 closed by DROP in ACL # failJSON: { "time": "2016-03-21T04:33:13", "match": true , "host": "206.214.71.53" } From 48a8324662afdeed4016fd4630712331af66d610 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Mon, 30 May 2016 11:02:12 -0400 Subject: [PATCH 3/8] ENH: use non-capturing regex groups in exim-common and exim filters --- config/filter.d/exim-common.conf | 4 ++-- config/filter.d/exim.conf | 12 ++++++------ 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/config/filter.d/exim-common.conf b/config/filter.d/exim-common.conf index 8f9553fe..0e1b74fa 100644 --- a/config/filter.d/exim-common.conf +++ b/config/filter.d/exim-common.conf @@ -9,8 +9,8 @@ after = exim-common.local [Definition] -host_info = (H=([\w.-]+ )?(\(\S+\) )?)?\[\](:\d+)? (I=\[\S+\](:\d+)? )?(U=\S+ )?(P=e?smtp )? -pid = ( \[\d+\])? +host_info = (?:H=([\w.-]+ )?(?:\(\S+\) )?)?\[\](?::\d+)? (?:I=\[\S+\](:\d+)? )?(?:U=\S+ )?(?:P=e?smtp )? +pid = (?: \[\d+\])? # DEV Notes: # From exim source code: ./src/receive.c:add_host_info_for_log diff --git a/config/filter.d/exim.conf b/config/filter.d/exim.conf index 517e3de7..1ef74b01 100644 --- a/config/filter.d/exim.conf +++ b/config/filter.d/exim.conf 
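Review bot: Two groups in the new `host_info` line are still capturing, `([\w.-]+ )?` after `H=` and `(:\d+)?` inside the `I=` group, although this commit converts the rest to `(?:...)`. If only the host group is meant to capture, they should read `(?:[\w.-]+ )?` and `(?::\d+)?`. The same leftovers are on the authenticator line in this commit's exim.conf hunk (`@@ -14,13 +14,13 @@`): `(\S+ )?`, the `(:\d+)?` inside `I=`, and the `( \(set_id=.*\)|: \d+ Time\(s\))?` tail. Nothing visible here reads those groups by number, so this looks like a consistency fix rather than a behaviour change.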
@@ -14,13 +14,13 @@ before = exim-common.conf [Definition] failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$ - ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[\](:\d+)?( I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$ - ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$ - ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$ + ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$ + ^%(pid)s %(host_info)sF=(?:<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user)\s*$ + ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$ ^%(pid)s SMTP call from \S+ %(host_info)sdropped: too many nonmail commands \(last was "\S+"\)\s*$ - ^%(pid)s SMTP protocol error in "AUTH \S*(| \S*)" %(host_info)sAUTH command used when not advertised\s*$ - ^%(pid)s no MAIL in SMTP connection from (|\S* )(|\(\S*\) )%(host_info)sD=\d+s(| C=\S*)\s*$ - ^%(pid)s \S+ SMTP connection from (|\S* )(|\(\S*\) )%(host_info)sclosed by DROP in ACL\s*$ + ^%(pid)s SMTP protocol error in "AUTH \S*(?:| \S*)" %(host_info)sAUTH command used when not advertised\s*$ + ^%(pid)s no MAIL in SMTP connection from (?:|\S* )(?:|\(\S*\) )%(host_info)sD=\d+s(?:| C=\S*)\s*$ + ^%(pid)s \S+ SMTP connection from (?:|\S* )(?:|\(\S*\) )%(host_info)sclosed by DROP in ACL\s*$ ignoreregex = From 64346614804e91285bfb1fcbb407d0e1cdff618e Mon Sep 17 00:00:00 2001 
From: Yaroslav Halchenko Date: Mon, 30 May 2016 12:12:53 -0400 Subject: [PATCH 4/8] RF: for consistency use (?:XXX)? instead of (?:|XXX) --- config/filter.d/exim.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/filter.d/exim.conf b/config/filter.d/exim.conf index 1ef74b01..a1d699c0 100644 --- a/config/filter.d/exim.conf +++ b/config/filter.d/exim.conf @@ -18,9 +18,9 @@ failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user| ^%(pid)s %(host_info)sF=(?:<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user)\s*$ ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$ ^%(pid)s SMTP call from \S+ %(host_info)sdropped: too many nonmail commands \(last was "\S+"\)\s*$ - ^%(pid)s SMTP protocol error in "AUTH \S*(?:| \S*)" %(host_info)sAUTH command used when not advertised\s*$ - ^%(pid)s no MAIL in SMTP connection from (?:|\S* )(?:|\(\S*\) )%(host_info)sD=\d+s(?:| C=\S*)\s*$ - ^%(pid)s \S+ SMTP connection from (?:|\S* )(?:|\(\S*\) )%(host_info)sclosed by DROP in ACL\s*$ + ^%(pid)s SMTP protocol error in "AUTH \S*(?: \S*)?" %(host_info)sAUTH command used when not advertised\s*$ + ^%(pid)s no MAIL in SMTP connection from (?:\S* )?(?:\(\S*\) )?%(host_info)sD=\d+s(?: C=\S*)?\s*$ + ^%(pid)s \S+ SMTP connection from (?:\S* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$ ignoreregex = From ced6c8307b66e1959a8fd4262b561229cb9fef60 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Thu, 2 Jun 2016 20:56:28 -0400 Subject: [PATCH 5/8] BF: finalize that sample log line for exim4 was intended in 743a531eb59a4f3704dda68557fb34481538e159 to be an entry without a port after the [host] --- fail2ban/tests/files/logs/exim | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fail2ban/tests/files/logs/exim b/fail2ban/tests/files/logs/exim index 9da5ff22..9053bf8d 100644 
--- a/fail2ban/tests/files/logs/exim +++ b/fail2ban/tests/files/logs/exim @@ -55,7 +55,7 @@ # failJSON: { "time": "2016-03-21T06:57:36", "match": true , "host": "122.165.71.116" } 2016-03-21 06:57:36 [5908] no MAIL in SMTP connection from [122.165.71.116]:2056 I=[172.89.0.6]:25 D=10s # failJSON: { "time": "2016-03-21T06:57:36", "match": true , "host": "122.165.71.116" } -2016-03-21 06:57:36 [5908] no MAIL in SMTP connection from [122.165.71.116]:2056 I=[172.89.0.6]:25 D=10s +2016-03-21 06:57:36 [5908] no MAIL in SMTP connection from [122.165.71.116] I=[172.89.0.6]:25 D=10s # failJSON: { "time": "2016-03-21T04:07:49", "match": true , "host": "174.137.147.204" } 2016-03-21 04:07:49 [25874] 1ahr79-0006jK-G9 SMTP connection from (voyeur.webair.com) [174.137.147.204]:44884 I=[172.89.0.6]:25 closed by DROP in ACL # failJSON: { "time": "2016-03-21T04:33:13", "match": true , "host": "206.214.71.53" } From f85fb45b29768f687546ba25f805977cf00b6e43 Mon Sep 17 00:00:00 2001 From: Ludovic Gasc Date: Tue, 7 Jun 2016 11:40:35 +0200 Subject: [PATCH 6/8] Asterisk pjsip (#1456) * Improve PJSIP log support for Asterisk 13+ * Update changelog: filter.d/asterisk.conf - fix security log support for PJSIP and Asterisk 13+ * Change pjsip regexp with sebres observation, thanks to @nturcksin --- ChangeLog | 1 + config/filter.d/asterisk.conf | 1 + fail2ban/tests/files/logs/asterisk | 4 ++++ 3 files changed, 6 insertions(+) diff --git a/ChangeLog b/ChangeLog index 76719f16..21b8adfc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -25,6 +25,7 @@ ver. 0.9.5 (2016/XX/XXX) - wanna-be-released added new parameter `__date_ambit` * gentoo-initd fixed --pidfile bug: `--pidfile` is option of start-stop-daemon, not argument of fail2ban (see gh-1434) + * filter.d/asterisk.conf - fix security log support for PJSIP and Asterisk 13+ - New Features: * New Actions: diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf index 01063efa..f6ccdd4f 100644 --- a/config/filter.d/asterisk.conf 
+++ b/config/filter.d/asterisk.conf @@ -27,6 +27,7 @@ failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed fo ^%(__prefix_line)s%(log_prefix)s hacking attempt detected ''$ ^%(__prefix_line)s%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)//\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$ ^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from "$ + ^%(__prefix_line)s%(log_prefix)s Request from '[^']*' failed for '(?::\d+)?' \(callid: \w*\) - No matching endpoint found$ ignoreregex = diff --git a/fail2ban/tests/files/logs/asterisk b/fail2ban/tests/files/logs/asterisk index aa32a290..3f49beec 100644 --- a/fail2ban/tests/files/logs/asterisk +++ b/fail2ban/tests/files/logs/asterisk @@ -67,3 +67,7 @@ Nov 4 18:30:40 localhost asterisk[32229]: NOTICE[32257]: chan_sip.c:23417 in han [2016-01-28 10:34:31] NOTICE[3477][C-000003c3] chan_sip.c: Call from '' (1.2.3.4:10836) to extension '0+441772285407' rejected because extension not found in context 'default'. # failJSON: { "time": "2016-01-28T10:34:33", "match": true , "host": "1.2.3.4" } [2016-01-28 10:34:33] NOTICE[3477][C-000003c3] chan_sip.c: Call from '' (1.2.3.4:10836) to extension '' rejected because extension not found in context 'my-context'. + +# Failed authentication with pjsip on Asterisk 13+ +# failJSON: { "time": "2016-05-23T10:18:16", "match": true , "host": "1.2.3.4" } +[2016-05-23 10:18:16] NOTICE[19388] res_pjsip/pjsip_distributor.c: Request from '"1000" ' failed for '1.2.3.4:48336' (callid: 276666022) - No matching endpoint found \ No newline at end of file 
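Review bot: The call-id part of the added failregex, `\(callid: \w*\)`, accepts only word characters, but the Call-ID is chosen by the remote SIP client and often contains characters such as `-`, `.` or `@`. A rejected request with such a Call-ID would not match this line and would never be counted, so detection depends on the shape of a sender-controlled field. Consider `\(callid: [^)]*\)` and add a sample with a non-numeric call-id to fail2ban/tests/files/logs/asterisk, since the only sample added uses `276666022`. The `'[^']*'` before it has the same property for a From value containing a single quote, which may deserve a test line as well.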
From 11f7cf5ad82b26c59f5d62c35b38343264483980 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Tue, 7 Jun 2016 21:38:39 -0400 Subject: [PATCH 7/8] DOC: changelog for recent exim filters tune up --- ChangeLog | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 21b8adfc..3f985b20 100644 --- a/ChangeLog +++ b/ChangeLog @@ -30,6 +30,7 @@ ver. 0.9.5 (2016/XX/XXX) - wanna-be-released - New Features: * New Actions: - action.d/firewallcmd-rich-rules and action.d/firewallcmd-rich-logging (gh-1367) + - Enhancements: * Extreme speedup of all sqlite database operations (gh-1436), by using of following sqlite options: @@ -38,7 +39,9 @@ ver. 0.9.5 (2016/XX/XXX) - wanna-be-released - (temp_store = MEMORY) temporary tables and indices are kept in memory * journald journalmatch for pure-ftpd (gh-1362) * Add additional regex filter for dovecot ldap authentication failures (gh-1370) - * added additional regex filters for exim (gh-1371) + * filter.d/exim*conf + - added additional regexes (gh-1371) + - made port entry optional ver. 0.9.4 (2016/03/08) - for-you-ladies From af8b650a371da68d1a35d2ad326dfddc5a6af7f6 Mon Sep 17 00:00:00 2001 From: "Serg G. Brester" Date: Mon, 13 Jun 2016 12:56:53 +0200 Subject: [PATCH 8/8] badip timeout option introduced, set to 30 seconds in our test cases (#1463) cherry-picked from 0.10 (little bit modified in test_badips.py, because no --fast option in test cases) --- config/action.d/badips.py | 11 +++++++---- fail2ban/tests/action_d/test_badips.py | 1 + 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/config/action.d/badips.py b/config/action.d/badips.py index 025289ca..4bc879a1 100644 --- a/config/action.d/badips.py +++ b/config/action.d/badips.py 
@@ -80,14 +80,17 @@ class BadIPsAction(ActionBase): If invalid `category`, `score`, `banaction` or `updateperiod`. """ + TIMEOUT = 10 _badips = "http://www.badips.com" def _Request(self, url, **argv): return Request(url, headers={'User-Agent': self.agent}, **argv) def __init__(self, jail, name, category, score=3, age="24h", key=None, - banaction=None, bancategory=None, bankey=None, updateperiod=900, agent="Fail2Ban"): + banaction=None, bancategory=None, bankey=None, updateperiod=900, agent="Fail2Ban", + timeout=TIMEOUT): super(BadIPsAction, self).__init__(jail, name) + self.timeout = timeout self.agent = agent self.category = category self.score = score @@ -119,7 +122,7 @@ class BadIPsAction(ActionBase): """ try: response = urlopen( - self._Request("/".join([self._badips, "get", "categories"])), None, 3) + self._Request("/".join([self._badips, "get", "categories"])), timeout=self.timeout) except HTTPError as response: messages = json.loads(response.read().decode('utf-8')) self._logSys.error( @@ -173,7 +176,7 @@ class BadIPsAction(ActionBase): urlencode({'age': age})]) if key: url = "&".join([url, urlencode({'key': key})]) - response = urlopen(self._Request(url)) + response = urlopen(self._Request(url), timeout=self.timeout) except HTTPError as response: messages = json.loads(response.read().decode('utf-8')) self._logSys.error( @@ -358,7 +361,7 @@ class BadIPsAction(ActionBase): url = "/".join([self._badips, "add", self.category, aInfo['ip']]) if self.key: url = "?".join([url, urlencode({'key': self.key})]) - response = urlopen(self._Request(url)) + response = urlopen(self._Request(url), timeout=self.timeout) except HTTPError as response: messages = json.loads(response.read().decode('utf-8')) self._logSys.error( diff --git a/fail2ban/tests/action_d/test_badips.py b/fail2ban/tests/action_d/test_badips.py index a7f148b1..3f71b7a3 100644 --- a/fail2ban/tests/action_d/test_badips.py +++ b/fail2ban/tests/action_d/test_badips.py 
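Review bot: `self.timeout = timeout` in `__init__` stores the option unchecked, while the docstring context at the top of the hunk says invalid `category`, `score`, `banaction` or `updateperiod` values raise. If the value can reach the action from a jail configuration as a string (not visible here; the test passes the int `30`), `urlopen(..., timeout=self.timeout)` would receive a non-numeric timeout. Coercing once with `self.timeout = int(timeout)` would make that fail early and clearly. The class docstring begins outside this hunk and should gain a `timeout` entry stating the unit (seconds) and the default from `TIMEOUT = 10`.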
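Review bot: The `urlopen(self._Request(url), timeout=self.timeout)` calls in hunks `@@ -173,7 +176,7 @@` and `@@ -358,7 +361,7 @@` can now time out, but the only handler visible after them is `except HTTPError as response:`, which does not cover a timeout (`urlopen` reports it as `URLError` or `socket.timeout`). Unless a caller outside these hunks catches it, a slow badips.com response during a ban report would surface as an unhandled exception rather than the logged error the HTTP failure path produces. An extra clause after the existing one, for example `except (URLError, socket.timeout) as e:` followed by a `self._logSys.error(...)` call, would keep the behaviour uniform; whether `URLError` and `socket` are already imported in badips.py is not visible here. The categories request in `@@ -119,7 +122,7 @@` already had a 3-second timeout and has the same gap.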
@@ -37,6 +37,7 @@ if sys.version_info >= (2,7): self.jail.actions.add("badips", pythonModule, initOpts={ 'category': "ssh", 'banaction': "test", + 'timeout': 30, }) self.action = self.jail.actions["badips"]