diff --git a/ChangeLog b/ChangeLog index 82b9bdd4..f0161b74 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,15 +10,23 @@ Fail2Ban (version 0.9.2.dev) 2014/xx/xx ver. 0.9.2 (2014/xx/xx) - increment ban time ---------- -- New features: - - increment ban time (+ observer) functionality introduced. +- Fixes: + * $ typo in jail.conf. Thanks Skibbi. Debian bug #767255 + * grep'ing for IP in *mail-whois-lines.conf should now match also + at the begginning and EOL. Thanks Dean Lee + * jail.conf + - php-url-fopen: separate logpath entries by newline + * purge database will be executed now (within observer). + * database functionality extended with bad ips. + * restoring currently banned ip after service restart fixed + (now < timeofban + bantime), ignore old log failures (already banned) + +- New Features: + * increment ban time (+ observer) functionality introduced. Thanks Serg G. Brester (sebres) -- Fixes: - - purge database will be executed now (within observer). - - database functionality extended with bad ips. - - restoring currently banned ip after service restart fixed - (now < timeofban + bantime), ignore old log failures (already banned) +- Enhancements: + * Enable multiport for firewallcmd-new action. Closes gh-834 ver. 0.9.1 (2014/10/29) - better, faster, stronger ---------- diff --git a/config/action.d/firewallcmd-new.conf b/config/action.d/firewallcmd-new.conf index 9754e3f3..ac72a68a 100644 --- a/config/action.d/firewallcmd-new.conf +++ b/config/action.d/firewallcmd-new.conf 
@@ -10,9 +10,9 @@ before = iptables-common.conf actionstart = firewall-cmd --direct --add-chain ipv4 filter f2b- firewall-cmd --direct --add-rule ipv4 filter f2b- 1000 -j RETURN - firewall-cmd --direct --add-rule ipv4 filter 0 -m state --state NEW -p --dport -j f2b- + firewall-cmd --direct --add-rule ipv4 filter 0 -m state --state NEW -p -m multiport --dports -j f2b- -actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -m state --state NEW -p --dport -j f2b- +actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -m state --state NEW -p -m multiport --dports -j f2b- firewall-cmd --direct --remove-rules ipv4 filter f2b- firewall-cmd --direct --remove-chain ipv4 filter f2b- @@ -43,7 +43,7 @@ chain = INPUT_direct # success # $ firewall-cmd --direct --add-rule ipv4 filter fail2ban-name 1000 -j RETURN # success -# $ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -m state --state NEW -p tcp --dport 22 -j fail2ban-name +# $ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -m state --state NEW -p tcp -m multiport --dports 22 -j fail2ban-name # success # $ firewall-cmd --direct --get-chains ipv4 filter # fail2ban-name diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf index aa7d0950..5f760ac8 100644 --- a/config/action.d/mail-whois-lines.conf +++ b/config/action.d/mail-whois-lines.conf @@ -42,7 +42,7 @@ actionban = printf %%b "Hi,\n Here is more information about :\n `whois || echo missing whois program`\n\n Lines containing IP: in \n - `grep '[^0-9][^0-9]' `\n\n + `grep -E '(^|[^0-9])([^0-9]|$)' `\n\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] : banned from `uname -n`" diff --git a/config/action.d/sendmail-whois-lines.conf b/config/action.d/sendmail-whois-lines.conf index 270373e7..4169e82a 100644 --- a/config/action.d/sendmail-whois-lines.conf +++ b/config/action.d/sendmail-whois-lines.conf 
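Review bot: The new `-m multiport --dports` match in actionstart and actionstop accepts at most 15 ports per rule (a port range counts as two), so a jail whose port list exceeds that fails at actionstart with nothing in this file explaining why; a comment above actionstart, `# multiport accepts at most 15 ports per rule (a port range counts as two)`, would save the next reader a trip to the iptables manual. The stop rule stays identical to the start rule apart from add/remove, which is what `--direct --remove-rule` needs to find it. The example in the commented hunk further down was updated to match and needs nothing more.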
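Review bot: The banned address is interpolated into the `grep -E` pattern verbatim (the placeholder between the two groups appears to have been stripped in this rendering), so its unescaped dots still match any character and `1.2.3.4` also selects a line containing `1x2y3z4`; the new `(^|[^0-9])` and `([^0-9]|$)` anchors fix the boundary problem the ChangeLog describes but not this one. If exact matching is wanted the dots need escaping before interpolation; otherwise a comment next to actionban, `# dots in the address are not escaped: the grep is a superset of exact hits`, makes the residual looseness explicit. The same pattern is introduced in config/action.d/sendmail-whois-lines.conf in the next hunk, so whatever is decided applies there too.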
@@ -26,7 +26,7 @@ actionban = printf %%b "Subject: [Fail2Ban] : banned from `uname -n` Here is more information about :\n `/usr/bin/whois || echo missing whois program`\n\n Lines containing IP: in \n - `grep '[^0-9][^0-9]' `\n\n + `grep -E '(^|[^0-9])([^0-9]|$)' `\n\n Regards,\n Fail2Ban" | /usr/sbin/sendmail -f diff --git a/config/filter.d/named-refused.conf b/config/filter.d/named-refused.conf index 15eeedc4..eec3d667 100644 --- a/config/filter.d/named-refused.conf +++ b/config/filter.d/named-refused.conf @@ -38,6 +38,8 @@ failregex = ^%(__line_prefix)s( error:)?\s*client #\S+( \([\S.]+\))?: (vie ^%(__line_prefix)s( error:)?\s*client #\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$ ^%(__line_prefix)s( error:)?\s*client #\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$ +ignoreregex = + # DEV Notes: # Trying to generalize the # structure which is general to capture general patterns in log diff --git a/config/filter.d/recidive.conf b/config/filter.d/recidive.conf index b38735ad..e2501cf6 100644 --- a/config/filter.d/recidive.conf +++ b/config/filter.d/recidive.conf @@ -29,6 +29,8 @@ _jailname = recidive failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+\s*$ +ignoreregex = + [Init] journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5 diff --git a/config/jail.conf b/config/jail.conf index 6255d7f1..70dcfd1c 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -324,7 +324,7 @@ maxretry = 2 [apache-shellshock] port = http,https -logpath = $(apache_error_log)s +logpath = %(apache_error_log)s maxretry = 1 [nginx-http-auth] @@ -340,7 +340,8 @@ logpath = %(nginx_error_log)s [php-url-fopen] port = http,https -logpath = %(nginx_access_log)s %(apache_access_log)s +logpath = %(nginx_access_log)s + %(apache_access_log)s [suhosin] diff --git a/fail2ban/server/actions.py b/fail2ban/server/actions.py index 8f7a0652..f4a833ca 100644 
--- a/fail2ban/server/actions.py
+++ b/fail2ban/server/actions.py
@@ -246,8 +246,8 @@ class Actions(JailThread, Mapping):
 			logSys.debug(self._jail.name + ": action terminated")
 		return True
 
-	def __getBansMerged(self, mi, idx):
-		"""Helper for lamda to get bans merged once
+	def __getBansMerged(self, mi, overalljails=False):
+		"""Gets bans merged once, a helper for lambda(s), prevents stop of executing action by any exception inside.
 
 		This function never returns None for ainfo lambdas - always a ticket (merged or single one)
 		and prevents any errors through merging (to guarantee ban actions will be executed).
@@ -256,26 +256,27 @@ class Actions(JailThread, Mapping):
 		Parameters
 		----------
 		mi : dict
-			initial for lambda should contains {ip, ticket}
-		idx : str
-			key to get a merged bans :
-			'all' - bans merged for all jails
-			'jail' - bans merged for current jail only
+			merge info, initial for lambda should contains {ip, ticket}
+		overalljails : bool
+			switch to get a merged bans :
+			False - (default) bans merged for current jail only
+			True - bans merged for all jails of current ip address
 
 		Returns
 		-------
 		BanTicket
 			merged or self ticket only
 		"""
+		idx = 'all' if overalljails else 'jail'
 		if idx in mi:
 			return mi[idx] if mi[idx] is not None else mi['ticket']
 		try:
 			jail=self._jail
 			ip=mi['ip']
 			mi[idx] = None
-			if overalljails:
+			if overalljails:
 				mi[idx] = jail.database.getBansMerged(ip=ip)
-			elif idx == 'jail':
+			else:
 				mi[idx] = jail.database.getBansMerged(ip=ip, jail=jail)
 		except Exception as e:
 			logSys.error(
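Review bot: `mi[idx] = None` is written before the database call so that a failing merge leaves None cached and every later lambda for the same ticket takes the early `return mi[idx] if mi[idx] is not None else mi['ticket']` path instead of querying the database again; that intent is not stated anywhere, and a comment at the assignment, `# cache None before the lookup: if the merge fails, later calls return mi['ticket'] instead of retrying`, would keep someone from moving it after the call. The docstring's new parameter text still says "should contains"; `should contain` reads better. The except branch continues outside the hunk.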
@@ -312,11 +313,12 @@ class Actions(JailThread, Mapping): btime = bTicket.getBanTime(self.__banManager.getBanTime()) # retarded merge info via twice lambdas : once for merge, once for matches/failures: if self._jail.database is not None: - mi4ip = lambda idx, self=self, mi={'ip':ip, 'ticket':bTicket}: self.__getBansMerged(mi, idx) - aInfo["ipmatches"] = lambda: "\n".join(mi4ip('all').getMatches()) - aInfo["ipjailmatches"] = lambda: "\n".join(mi4ip('jail').getMatches()) - aInfo["ipfailures"] = lambda: mi4ip('all').getAttempt() - aInfo["ipjailfailures"] = lambda: mi4ip('jail').getAttempt() + mi4ip = lambda overalljails=False, self=self, \ + mi={'ip':ip, 'ticket':bTicket}: self.__getBansMerged(mi, overalljails) + aInfo["ipmatches"] = lambda: "\n".join(mi4ip(True).getMatches()) + aInfo["ipjailmatches"] = lambda: "\n".join(mi4ip().getMatches()) + aInfo["ipfailures"] = lambda: mi4ip(True).getAttempt() + aInfo["ipjailfailures"] = lambda: mi4ip().getAttempt() if btime != -1: bendtime = aInfo["time"] + btime diff --git a/fail2ban/server/filtersystemd.py b/fail2ban/server/filtersystemd.py index ce89d65a..3a42f61c 100644 --- a/fail2ban/server/filtersystemd.py +++ b/fail2ban/server/filtersystemd.py @@ -167,9 +167,10 @@ class FilterSystemd(JournalFilter): # pragma: systemd no cover logelements.append(logentry['_HOSTNAME']) if logentry.get('SYSLOG_IDENTIFIER'): logelements.append(logentry['SYSLOG_IDENTIFIER']) - if logentry.get('SYSLOG_PID') or logentry.get('_PID'): - logelements[-1] += ("[%i]" % logentry.get( - 'SYSLOG_PID', logentry['_PID'])) + if logentry.get('SYSLOG_PID'): + logelements[-1] += ("[%i]" % logentry['SYSLOG_PID']) + elif logentry.get('_PID'): + logelements[-1] += ("[%i]" % logentry['_PID']) logelements[-1] += ":" elif logentry.get('_COMM'): logelements.append(logentry['_COMM']) diff --git a/fail2ban/tests/databasetestcase.py b/fail2ban/tests/databasetestcase.py index 869e9e8f..48f8b3b3 100644 --- a/fail2ban/tests/databasetestcase.py 
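Review bot: The `mi4ip` lambda at the top of the new block is split across two lines with a backslash, and its `self=self, mi={...}` defaults double as the per-ban cache shared by the four aInfo lambdas; that is hard to read as a lambda and is what a small local function expresses without the continuation or default-argument tricks: `mi = {'ip': ip, 'ticket': bTicket}` / `def mi4ip(overalljails=False):` / `return self.__getBansMerged(mi, overalljails)`. Behaviour is identical since the dict is still built once per ban and shared. The enclosing method starts and ends outside the hunk.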
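Review bot: Both new branches format the PID with `%i`, which raises TypeError if the journal reader hands the field back as a string rather than an int; whether python-systemd converts SYSLOG_PID and _PID to int is not visible here, so if that is not guaranteed `"[%s]"` is the type-agnostic choice. The if/elif split also avoids the unconditional `logentry['_PID']` lookup of the old line, which is worth a one-line comment so it is not folded back: `# prefer the syslog-supplied PID; fall back to the journal's own, never index _PID blindly`. The enclosing method starts and ends outside the hunk.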
+++ b/fail2ban/tests/databasetestcase.py @@ -323,5 +323,3 @@ class DatabaseTest(LogCaptureTestCase): self.db.purge() # Should leave jail as ban present self.assertEqual(len(self.db.getJailNames()), 1) self.assertEqual(len(self.db.getBans(jail=self.jail)), 1) - - diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py index c0ca6bee..f467f5e8 100644 --- a/fail2ban/tests/servertestcase.py +++ b/fail2ban/tests/servertestcase.py @@ -816,14 +816,6 @@ class _BadThread(JailThread): class LoggingTests(LogCaptureTestCase): - def setUp(self): - """Call before every test case.""" - LogCaptureTestCase.setUp(self) - - def tearDown(self): - """Call after every test case.""" - LogCaptureTestCase.tearDown(self) - def testGetF2BLogger(self): testLogSys = getLogger("fail2ban.some.string.with.name") self.assertEqual(testLogSys.parent.name, "fail2ban") @@ -833,10 +825,12 @@ class LoggingTests(LogCaptureTestCase): prev_exchook = sys.__excepthook__ x = [] sys.__excepthook__ = lambda *args: x.append(args) - badThread = _BadThread() - badThread.start() - badThread.join() - self.assertTrue(self._is_logged("Unhandled exception")) - sys.__excepthook__ = prev_exchook + try: + badThread = _BadThread() + badThread.start() + badThread.join() + self.assertTrue(self._is_logged("Unhandled exception")) + finally: + sys.__excepthook__ = prev_exchook self.assertEqual(len(x), 1) self.assertEqual(x[0][0], RuntimeError)