Added a "ban ip" command to fail2ban-client (manual IP banning for a certain jail).

Added two new jails: lighttpd-fastcgi and php-url-fopen.
Fixed release date for 0.8.3 (was ??/??).
Added "beta" version 0.8.4 which new items (see above).


git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@734 a942ae1a-1317-0410-a47c-b1dcaea8d605

ChangeLog

@@ -12,9 +12,13 @@ ver. 0.9.0 (2009/??/??) - alpha
 - Added new prefix remover.
 - Added ISO 8601 date/time format.
 - Removed deprecated mail*.conf actions.
-- Added fail2ban-client command to manually ban a given IP for a given jail
 
-ver. 0.8.3 (2008/??/??) - stable
+ver. 0.8.4 (2009/??/??) - beta
+----------
+- Added "banip" command to fail2ban-client. Manually ban a given IP for a given jail.
+- Added jails lighttpd-fastci and php-url-fopen
+
+ver. 0.8.3 (2008/07/18) - stable
 ----------
 - Process failtickets as long as failmanager is not empty.
 - Added "pam-generic" filter and more configuration fixes.

common/protocol.py

@@ -59,6 +59,7 @@ protocol = [
 ["set <JAIL> delignoreregex <INDEX>", "removes the regular expression at <INDEX> for ignoreregex"], 
 ["set <JAIL> findtime <TIME>", "sets the number of seconds <TIME> for which the filter will look back for <JAIL>"], 
 ["set <JAIL> bantime <TIME>", "sets the number of seconds <TIME> a host will be banned for <JAIL>"], 
+["set <JAIL> banip <IP>", "manually Ban <IP> for <JAIL>"], 
 ["set <JAIL> maxretry <RETRY>", "sets the number of failures <RETRY> before banning the host for <JAIL>"], 
 ["set <JAIL> addaction <ACT>", "adds a new action named <NAME> for <JAIL>"], 
 ["set <JAIL> delaction <ACT>", "removes the action <NAME> from <JAIL>"], 

config/filter.d/lighttpd-fastcgi.conf

@@ -0,0 +1,18 @@
+# Fail2Ban configuration file
+#
+# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match ALERTS as notified by lighttpd's FastCGI Module
+# Values:  TEXT
+#
+failregex = .*ALERT\ -\ .*attacker\ \'<HOST>\'
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 

config/filter.d/php-url-fopen.conf

@@ -0,0 +1,23 @@
+# Fail2Ban configuration file
+#
+# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
+# Version 2
+# fixes the failregex so REFERERS that contain =http:// don't get blocked
+# (mentioned by "fasuto" (no real email provided... blog comment) in this entry:
+# http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match this kind of request:
+#
+# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
+#
+failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 

config/jail.conf

@@ -152,6 +152,34 @@ action   = shorewall
            sendmail[name=Postfix, dest=you@mail.com]
 logpath  = /var/log/apache2/error_log
 
+# Ban attackers that try to use PHP's URL-fopen() functionality
+# through GET/POST variables. - Experimental, with more than a year
+# of usage in production environments.
+
+[php-url-fopen]
+
+enabled = false
+port    = http,https
+filter  = php-url-fopen
+logpath = /var/www/*/logs/access_log
+maxretry = 1
+
+# A simple PHP-fastcgi jail which works with lighttpd.
+# If you run a lighttpd server, then you probably will
+# find these kinds of messages in your error_log:
+# ALERT – tried to register forbidden variable ‘GLOBALS’
+# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
+# This jail would block the IP 1.2.3.4.
+
+[lighttpd-fastcgi]
+
+enabled = true
+port    = http,https
+filter  = lighttpd-fastcgi
+# adapt the following two items as needed
+logpath = /var/log/lighttpd/error.log
+maxretry = 2
+
 # This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
 # option is overridden in this jail. Moreover, the action "mail-whois" defines
 # the variable "name" which contains a comma using "". The characters '' are

server/filter.py

@@ -179,6 +179,17 @@ class Filter(JailThread):
 	def run(self):
 		raise Exception("run() is abstract")
 	
+	##
+	# Ban an IP - http://blogs.buanzo.com.ar/2009/04/fail2ban-patch-ban-ip-address-manually.html
+	# Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
+	#
+	# to enable banip fail2ban-client BAN command
+	
+	def addBannedIP(self, ip):
+		unixTime = time.time()
+		self.failManager.addFailure(FailTicket(ip, unixTime))
+		return ip
+	
 	##
 	# Add an IP/DNS to the ignore list.
 	#

server/server.py

@@ -222,6 +222,9 @@ class Server:
 	def setBanTime(self, name, value):
 		self.__jails.getAction(name).setBanTime(value)
 	
+	def setBanIP(self, name, value):
+		return self.__jails.getFilter(name).addBannedIP(value)
+		
 	def getBanTime(self, name):
 		return self.__jails.getAction(name).getBanTime()
 	

server/transmitter.py

@@ -164,6 +164,9 @@ class Transmitter:
 			value = command[2]
 			self.__server.setBanTime(name, int(value))
 			return self.__server.getBanTime(name)
+		elif command[1] == "banip":
+			value = command[2]
+			return self.__server.setBanIP(name,value)
 		elif command[1] == "addaction":
 			value = command[2]
 			self.__server.addAction(name, value)