From 5aec43ae352cb17e03924fce6c26d2b6fbdddfd6 Mon Sep 17 00:00:00 2001
From: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
Date: Fri, 28 Aug 2009 22:26:17 +0000
Subject: [PATCH] Added a "ban ip" command to fail2ban-client (manual IP
 banning for a certain jail). Added two new jails: lighttpd-fastcgi and
 php-url-fopen. Fixed release date for 0.8.3 (was ??/??). Added "beta" version
 0.8.4 with new items (see above).

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@734 a942ae1a-1317-0410-a47c-b1dcaea8d605
---
 ChangeLog                             |  8 ++++++--
 common/protocol.py                    |  1 +
 config/filter.d/lighttpd-fastcgi.conf | 18 +++++++++++++++++
 config/filter.d/php-url-fopen.conf    | 23 ++++++++++++++++++++++
 config/jail.conf                      | 28 +++++++++++++++++++++++++++
 server/filter.py                      | 11 +++++++++++
 server/server.py                      |  3 +++
 server/transmitter.py                 |  3 +++
 8 files changed, 93 insertions(+), 2 deletions(-)
 create mode 100644 config/filter.d/lighttpd-fastcgi.conf
 create mode 100644 config/filter.d/php-url-fopen.conf

diff --git a/ChangeLog b/ChangeLog
index 5baa7a88..c8ce79cd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -12,9 +12,13 @@ ver. 0.9.0 (2009/??/??) - alpha
 - Added new prefix remover.
 - Added ISO 8601 date/time format.
 - Removed deprecated mail*.conf actions.
-- Added fail2ban-client command to manually ban a given IP for a given jail
 
-ver. 0.8.3 (2008/??/??) - stable
+ver. 0.8.4 (2009/??/??) - beta
+----------
+- Added "banip" command to fail2ban-client. Manually ban a given IP for a given jail.
+- Added jails lighttpd-fastci and php-url-fopen
+
+ver. 0.8.3 (2008/07/18) - stable
 ----------
 - Process failtickets as long as failmanager is not empty.
 - Added "pam-generic" filter and more configuration fixes.
diff --git a/common/protocol.py b/common/protocol.py
index fa9f8b54..7e80edfd 100644
--- a/common/protocol.py
+++ b/common/protocol.py
@@ -59,6 +59,7 @@ protocol = [
 ["set <JAIL> delignoreregex <INDEX>", "removes the regular expression at <INDEX> for ignoreregex"], 
 ["set <JAIL> findtime <TIME>", "sets the number of seconds <TIME> for which the filter will look back for <JAIL>"], 
 ["set <JAIL> bantime <TIME>", "sets the number of seconds <TIME> a host will be banned for <JAIL>"], 
+["set <JAIL> banip <IP>", "manually Ban <IP> for <JAIL>"], 
 ["set <JAIL> maxretry <RETRY>", "sets the number of failures <RETRY> before banning the host for <JAIL>"], 
 ["set <JAIL> addaction <ACT>", "adds a new action named <NAME> for <JAIL>"], 
 ["set <JAIL> delaction <ACT>", "removes the action <NAME> from <JAIL>"], 
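Review bot: The help text `manually Ban <IP> for <JAIL>` on the new banip entry breaks the lowercase, verb-first phrasing every neighbouring entry uses (`sets the number ...`, `removes the ...`, `adds a new ...`). Suggest `["set <JAIL> banip <IP>", "manually bans <IP> for <JAIL>"],` so the generated client help reads consistently. The protocol list continues on both sides of the hunk.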
diff --git a/config/filter.d/lighttpd-fastcgi.conf b/config/filter.d/lighttpd-fastcgi.conf
new file mode 100644
index 00000000..1c6e3fce
--- /dev/null
+++ b/config/filter.d/lighttpd-fastcgi.conf
@@ -0,0 +1,18 @@
+# Fail2Ban configuration file
+#
+# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match ALERTS as notified by lighttpd's FastCGI Module
+# Values:  TEXT
+#
+failregex = .*ALERT\ -\ .*attacker\ \'<HOST>\'
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 
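Review bot: The `failregex` expects `ALERT - ` with an ASCII hyphen, but the sample lighttpd message quoted for this jail in config/jail.conf in the same patch reads `ALERT –` with a non-ASCII dash; if real error.log lines look like that sample the pattern never matches and the jail silently bans nothing, so it should be checked against an actual log line before shipping. The leading `.*` is redundant for a searched pattern and the backslash-escaped spaces and quotes add nothing, so `failregex = ALERT - .*attacker '<HOST>'` matches the same lines and is easier to audit. The `Notes.:` comment should quote the full message it targets, as the php-url-fopen filter does, so the pattern can be re-verified when lighttpd changes its wording.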
diff --git a/config/filter.d/php-url-fopen.conf b/config/filter.d/php-url-fopen.conf
new file mode 100644
index 00000000..68927e06
--- /dev/null
+++ b/config/filter.d/php-url-fopen.conf
@@ -0,0 +1,23 @@
+# Fail2Ban configuration file
+#
+# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
+# Version 2
+# fixes the failregex so REFERERS that contain =http:// don't get blocked
+# (mentioned by "fasuto" (no real email provided... blog comment) in this entry:
+# http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match this kind of request:
+#
+# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
+#
+failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 
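Review bot: The header says version 2 stops Referer values containing `=http://` from matching, but the `Notes.:` block never says how; the trailing ` HTTP\/.*$` is what confines the hit to the request line, and that intent belongs next to the pattern, e.g. `# the ' HTTP/' suffix keeps the match inside the request line, so a Referer field alone cannot trigger it`. The pattern recognises only a literal `http://` scheme, so a `https://` value in the query string is not caught; if that scope is deliberate, state it in the Notes, otherwise `\=https?\:\/\/` widens it at no cost. The example request on the comment line above `failregex` also contains a real-looking client IP and hostname; a documentation example is better served by a reserved address such as 192.0.2.1.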
diff --git a/config/jail.conf b/config/jail.conf
index 57bc9839..1fc8c4aa 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -152,6 +152,34 @@ action   = shorewall
            sendmail[name=Postfix, dest=you@mail.com]
 logpath  = /var/log/apache2/error_log
 
+# Ban attackers that try to use PHP's URL-fopen() functionality
+# through GET/POST variables. - Experimental, with more than a year
+# of usage in production environments.
+
+[php-url-fopen]
+
+enabled = false
+port    = http,https
+filter  = php-url-fopen
+logpath = /var/www/*/logs/access_log
+maxretry = 1
+
+# A simple PHP-fastcgi jail which works with lighttpd.
+# If you run a lighttpd server, then you probably will
+# find these kinds of messages in your error_log:
+# ALERT – tried to register forbidden variable ‘GLOBALS’
+# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
+# This jail would block the IP 1.2.3.4.
+
+[lighttpd-fastcgi]
+
+enabled = true
+port    = http,https
+filter  = lighttpd-fastcgi
+# adapt the following two items as needed
+logpath = /var/log/lighttpd/error.log
+maxretry = 2
+
 # This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
 # option is overridden in this jail. Moreover, the action "mail-whois" defines
 # the variable "name" which contains a comma using "". The characters '' are
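Review bot: `[lighttpd-fastcgi]` ships with `enabled = true`, unlike `[php-url-fopen]` directly above it and, as far as the rest of this file follows the usual opt-in convention, every other jail; on a host without lighttpd the jail would start against a `logpath` that does not exist, and (to be confirmed against the 0.8 filter start-up code) a missing log file can keep the jail from coming up at all, so `enabled = false` is the safer default. `maxretry = 1` for `[php-url-fopen]` means a single matching request bans the client, and legitimate applications do pass full URLs in query parameters (redirect or return-URL values), so the comment marked "Experimental" should spell out that false-positive trade-off rather than only the production-usage claim. The `ALERT –` line in the lighttpd-fastcgi comment uses a non-ASCII dash that the new filter's regex does not match; if it was pasted from a real log, the filter needs the same character, and if not, the comment should use the plain hyphen the filter expects.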
diff --git a/server/filter.py b/server/filter.py
index 42fb110d..d9a265a1 100644
--- a/server/filter.py
+++ b/server/filter.py
@@ -179,6 +179,17 @@ class Filter(JailThread):
 	def run(self):
 		raise Exception("run() is abstract")
 	
+	##
+	# Ban an IP - http://blogs.buanzo.com.ar/2009/04/fail2ban-patch-ban-ip-address-manually.html
+	# Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
+	#
+	# to enable banip fail2ban-client BAN command
+	
+	def addBannedIP(self, ip):
+		unixTime = time.time()
+		self.failManager.addFailure(FailTicket(ip, unixTime))
+		return ip
+	
 	##
 	# Add an IP/DNS to the ignore list.
 	#
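Review bot: `addBannedIP` queues exactly one `FailTicket`, but unless `FailManager.addFailure` bans unconditionally (which, from the 0.8 code as I read it, it does not — the ban fires only when the failure count reaches maxretry), a manual ban on any jail with `maxretry > 1` merely records a single pending failure and nothing is banned; queuing one ticket per allowed retry, via the `getMaxRetry` counterpart of the `setMaxRetry` the filter already forwards, makes the command work regardless of the jail's setting. The `ip` argument arrives verbatim from the client socket through the transmitter.py hunk and ends up substituted into the jail's ban action, so it should be checked with this file's `DNSUtils.isValidIP` (defined further down, outside the hunk) before a ticket is created; the transmitter already returns a caught exception to the client as an error. The new `##` header is a blog link and author line separated from the `def` by a blank line, whereas the surrounding methods use a contiguous `##` block stating the contract; a one-line contract such as `# Manually ban an IP by queuing failures on the fail manager; returns the IP.` fits the file's style better. The class continues on both sides of the hunk.
```python
	def addBannedIP(self, ip):
		if not DNSUtils.isValidIP(ip):
			raise ValueError("not a valid IP address: %s" % ip)
		unixTime = time.time()
		# queue one failure per allowed retry: the fail manager only bans
		# once the count reaches maxretry, so a single ticket would stay
		# below the threshold on any jail with maxretry > 1
		for _ in range(self.failManager.getMaxRetry()):
			self.failManager.addFailure(FailTicket(ip, unixTime))
		return ip
```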
diff --git a/server/server.py b/server/server.py
index 973bfbfc..0938e2f7 100644
--- a/server/server.py
+++ b/server/server.py
@@ -222,6 +222,9 @@ class Server:
 	def setBanTime(self, name, value):
 		self.__jails.getAction(name).setBanTime(value)
 	
+	def setBanIP(self, name, value):
+		return self.__jails.getFilter(name).addBannedIP(value)
+		
 	def getBanTime(self, name):
 		return self.__jails.getAction(name).getBanTime()
 	
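Review bot: The line after `return self.__jails.getFilter(name).addBannedIP(value)` is whitespace-only (two tabs) where the neighbouring methods separate themselves with a bare blank line; it should be emptied. `setBanIP` also does not set anything, yet its `set` prefix next to `setBanTime`/`getBanTime` suggests a persistent property with a getter that does not exist; since the name is already wired into transmitter.py, a short comment on the method, `# one-shot: queues a manual ban on the jail's filter; no getter counterpart`, would spare the next reader the search. The class continues on both sides of the hunk.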
diff --git a/server/transmitter.py b/server/transmitter.py
index 40a79137..cb9d668d 100644
--- a/server/transmitter.py
+++ b/server/transmitter.py
@@ -164,6 +164,9 @@ class Transmitter:
 			value = command[2]
 			self.__server.setBanTime(name, int(value))
 			return self.__server.getBanTime(name)
+		elif command[1] == "banip":
+			value = command[2]
+			return self.__server.setBanIP(name,value)
 		elif command[1] == "addaction":
 			value = command[2]
 			self.__server.addAction(name, value)
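Review bot: `self.__server.setBanIP(name,value)` drops the space after the comma that every other call in this dispatch uses (`setBanTime(name, int(value))`); `return self.__server.setBanIP(name, value)`. The `bantime` branch coerces its argument with `int(value)`, whereas the new `banip` branch forwards `command[2]` untouched from the client socket; the validation point is raised on the server/filter.py hunk, where `addBannedIP` receives the value. The command dispatch continues on both sides of the hunk.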