Merge commit '0.8.8-212-gf6f30f1' into 0.9

* commit '0.8.8-212-gf6f30f1': (24 commits)
  DOC: tune up formatting (spaces) and prelude for the changelog entry
  DOC: more ChangeLog entries all the way back to 0.8.8
  DOC: move new actions and filters to New Features in ChangeLog
  DOC: tomcat and Guacamole are next release
  DOC: credit man page edits
  DOC: developers please rebase and use a single commit
  DOC: post release ChangeLog entry
  DOC: ChangeLog - current HEAD back to ce3ab34
  DOC: beginning of ChangeLog
  DOC: version/date of release
  DOC: ChangeLog versions and dates for Releasing
  DOC: guidance for pull requests
  BF:  filter.d/sshd "Did not receive identification string" relates to an exploit so document this in sshd-ddos.conf but leave it out of authentication based blocks in sshd.conf
  DOC: a plugin to thanks for the community support
  Add After, PIDFile, and change WantedBy to multi-user.target in fail2ban.server
  DOC: slight tune ups to README (we are no longer compatible with python 2.3 ;) )
  ENH: more openssh fail messages from openssh source code (CVS 20121205)
  Add systemd unit file and tmpfiles.d configuration files
  BF: do not rely on scripts being under /usr -- might differ eg on Fedora -- rely on import of common.version (Closes gh-112)
  RF: move exceptions used by both client and server into common/exceptions.py
  ...

Conflicts:
	ChangeLog
	README
pull/185/head
Yaroslav Halchenko 2013-04-22 09:55:27 -04:00
commit 698c74d9ed
7 changed files with 158 additions and 28 deletions


@ -21,35 +21,113 @@ Will carry all fixes in 0.8.x series and new features and enhancements
ver. 0.8.9 (2013/04/XXX) - wanna-be-stable
----------
This release incorporates 144 (XXX) non-merge commits from 14
contributors (sorted by number of commits): Yaroslav Halchenko, Daniel
Black, Steven Hiscocks, ArndRa, hamilton5, pigsyn, Erwan Ben Souiden,
Michael Gebetsroither, Orion Poplawski, Artur Penttinen, sebres,
Nicolas Collignon, Pascal Borreli, blotus:
Although primarily a bugfix release, it incorporates many new
enhancements, few new features, but more importantly -- quite extended
tests battery with current 94% coverage. This release incorporates
more than a 100 of non-merge commits from 14 contributors (sorted by
number of commits): Yaroslav Halchenko, Daniel Black, Steven Hiscocks,
ArndRa, hamilton5, pigsyn, Erwan Ben Souiden, Michael Gebetsroither,
Orion Poplawski, Artur Penttinen, sebres, Nicolas Collignon, Pascal
Borreli, blotus:
- Fixes:
Yaroslav Halchenko
* [6f4dad46] Documentation python-2.4 is the minimium version.
* [1eb23cf8] do not rely on scripts being under /usr -- might differ eg on
Fedora. Closes gh-112. Thanks to Camusensei for the bug report.
* [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for
insight. Closes gh-103.
* [ab044b75] delay check for the existence of config directory until read.
* [3b4084d4] fixing up for handling of TAI64N timestamps.
* [154aa38e] do not shutdown logging until all jails stop.
Orion Poplawski
* [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking
newly created directories.
Nicolas Collignon
* [39667ff6] Avoid leaking file descriptors. Closes gh-167.
Sergey Brester
* [b6bb2f88 and d17b4153] invalid date recognition, irregular because of
sorting template list.
Steven Hiscocks
* [7a442f07] When changing log target with python2.{4,5} handle KeyError.
Closes gh-147, gh-148.
* [b6a68f51] Fix delaction on server side. Closes gh-124.
Daniel Black
* [f0610c01] Allow more that a one word command when changing and Action via
the fail2ban-client. Closes gh-134.
blotus
* [96eb8986] ' and " should also be escaped in action tags Closes gh-109
- New features:
Yaroslav Halchenko
* [9ba27353] Add support for jail.d/{confilefile} and fail2ban.d/{configfile}
to provide additional flexibility to system adminstrators. Thanks to
beilber for the idea. Closes gh-114.
* [3ce53e87] Add exim filter.
Erwan Ben Souiden
* [d7d5228] add nagios integration documentation and script to ensure
fail2ban is running. Closes gh-166.
Artur Penttinen
* [29d0df5] Add mysqld filter. Closes gh-152.
ArndRaphael Brandes
* [bba3fd8] Add Sogo filter. Closes gh-117.
Michael Gebetsriother
* [f9b78ba] Add action route to block at routing level.
Teodor Micu & Yaroslav Halchenko
* [5f2d383] Add roundcube auth filter. Closes Debian bug #699442.
Daniel Black
* [be06b1b] Add action for iptables-ipsets. Closes gh-102.
Soulard Morgan
* [f336d9f] Add filter for webmin. Closes gh-99.
- Enhancements:
Steven Hiscocks
* [3d6791f] Ensure restart of Actions after a check fails occurs
consistently. Closes gh-172.
* [MANY] Improvements to test cases, travis, and code coverage (coveralls).
* [b36835f] Add get cinfo to fail2ban-client. Closes gh-124.
* [ce3ab34] Added ability to specify PID file.
Orion Poplawski
* [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile.
Closes gh-142.
Yaroslav Halchenko
* [MANY] Lots of improvements to log messages, man pages and test cases.
* [91d5736] Postfix filter improvements - empty helo, from and rcpt to.
Closes gh-126. Bug report by Michael Heuberger.
* [40c5a2d] adding more of diagnostic messages into -client while starting
the daemon.
Daniel Black
* [3aeb1a9] Add jail.conf manual page. Closes gh-143.
* [MANY] man page edits.
* [7cd6dab] Added help command to fail2ban-client.
* [c8c7b0b,23bbc60] Better logging of log file read errors.
* [3665e6d] Added code coverage to development process.
Pascal Borreli
* [a2b29b4] Fixed lots of typos in config files and documentation.
hamilton5
* [7ede1e8] Update dovecot filter config.
Special Kudos also go to Fabian Wenk, Arturo 'Buanzo' Busleiman, Tom
Hendrikx and other TBN heroes supporting users on fail2ban-users
mailing list and IRC.
ver. 0.8.8 (2012/12/06) - stable
----------
- Fixes:
Alan Jenkins
* [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid
banning due to misconfigured DNS. Close gh-64
banning due to misconfigured DNS. Closes gh-64
Yaroslav Halchenko
* [83109bc] IMPORTANT: escape the content of <matches> (if used in
custom action files) since its value could contain arbitrary
symbols. Thanks for discovery go to the NBS System security
team
* [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Close gh-83
* [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Closes gh-83
* [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3
* [37a2e59] store IP as a base, non-unicode str to avoid spurious messages
in the console. Close gh-91
in the console. Closes gh-91
- New features:
David Engeset
* [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching
the log file to take 'banip' or 'unbanip' in effect. Close gh-81, gh-86
the log file to take 'banip' or 'unbanip' in effect. Closes gh-81, gh-86
Yaroslav Halchenko
- Enhancements:
* [2d66f31] replaced uninformative "Invalid command" message with warning log
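Review bot: The 0.8.9 entry still carries release placeholders and spelling slips that will ship in the ChangeLog: the header date `2013/04/XXX`, `minimium` in [6f4dad46], `{confilefile}` beside `{configfile}` and `adminstrators` in [9ba27353], and `Michael Gebetsriother` under New features, which does not match `Michael Gebetsroither` in the contributor list of the same entry. The prelude is visible in two wordings (`144 (XXX) non-merge commits` and `more than a 100 of non-merge commits`); since ChangeLog is listed under Conflicts, confirm that only the intended one survives the merge. If [96eb8986] (escaping of ' and " in action tags) is a follow-up to the [83109bc] `<matches>` escaping fix that 0.8.8 marks IMPORTANT, it deserves the same marking so administrators with custom action files notice it.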

DEVELOP

@ -21,6 +21,19 @@ would like to add to Fail2Ban, the best way to do so it to use the GitHub Pull
Request feature. You can find more details on the Fail2Ban wiki
(http://www.fail2ban.org/wiki/index.php/Get_Involved)
Pull Requests
=============
When submitting pull requests on GitHub we ask you to:
* Clearly describe the problem you're solving;
* Don't introduce regressions that will make it hard for systems adminstrators
to update;
* If adding a major feature rebase your changes on master and get to a single commit;
* Include test cases (see below);
* Include sample logs (if relevant);
* Include a change to the relevant section of the ChangeLog; and
* Include yourself in THANKS if not already there.
Testing
=======
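Review bot: The new Pull Requests list does not read through from its lead-in `we ask you to:` at the items `Don't introduce regressions ...` and `If adding a major feature rebase your changes ...`, and `adminstrators` is misspelled in the former. Suggest rewording those two items to match the others (for example "Avoid introducing regressions that make it hard for system administrators to update") and saying what counts as a "major feature", since that is the condition that triggers the rebase-to-a-single-commit request.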
@ -257,6 +270,10 @@ Releasing
git shortlog -sn 0.8.8.. | sed -e 's,^[ 0-9\t]*,,g' | tr '\n' '\|' | sed -e 's:|:, :g'
Ensure the top of the ChangeLog has the right version and current date.
Ensure the top entry of the ChangeLog has the right version and current date.
# Update man pages
(cd man ; ./generate-man )
@ -280,3 +297,13 @@ Releasing
# Email users and development list of release
TODO notifying distributors etc.
Post Release:
Add the following to the top of the ChangeLog
ver. 0.8.9 (2013/XX/XXX) - wanna-be-stable
- Fixes
- New Features
- Enhancements
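Review bot: The Post Release template hardcodes `ver. 0.8.9 (2013/XX/XXX) - wanna-be-stable`, so it will be stale as soon as 0.8.9 is released and the next person following these steps copies the wrong version and year. Use a neutral placeholder for version and date, and match the section names to the ones the ChangeLog uses (`- Fixes:`, `- New features:`, `- Enhancements:`, with the trailing colon and lower-case "features") so pasted templates stay consistent with existing entries.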

README

@ -13,13 +13,13 @@ rules can be defined by the user. Fail2Ban can read multiple log files such as
sshd or Apache web server ones.
This README is a quick introduction to Fail2ban. More documentation, FAQ, HOWTOs
are available on the project website: http://www.fail2ban.org
are available in fail2ban(1) manpage and on the website http://www.fail2ban.org
Installation:
-------------
Required:
>=python-2.3 or >=python-3.0 (http://www.python.org)
>=python-2.4 or >=python-3.0 (http://www.python.org)
Optional:
pyinotify:
@ -38,42 +38,43 @@ To install, just do:
This will install Fail2Ban into /usr/share/fail2ban. The executable scripts are
placed into /usr/bin.
It is possible that Fail2ban is already packaged for your distribution. In this
case, you should use it.
It is possible that Fail2ban is already packaged for your distribution. In
this case, you should use it.
Fail2Ban should be correctly installed now. Just type:
> fail2ban-client -h
to see if everything is alright. You should always use fail2ban-client and never
call fail2ban-server directly.
to see if everything is alright. You should always use fail2ban-client and
never call fail2ban-server directly.
Configuration:
--------------
You can configure Fail2Ban using the files in /etc/fail2ban. It is
possible to configure the server using commands sent to it by
fail2ban-client. The available commands are described in the
fail2ban-client(1) manpage. Also see fail2ban(1) manpage for further
references and find even more documentation on the website:
http://www.fail2ban.org
You can configure Fail2Ban using the files in /etc/fail2ban. It is possible to
configure the server using commands sent to it by fail2ban-client. The
available commands are described in the fail2ban-client(1) manpage. Also see
fail2ban(1) manpage for further references and find even more documentation on
the website: http://www.fail2ban.org
Contact:
--------
Website: http://www.fail2ban.org
You need some new features, you found bugs: visit
https://github.com/fail2ban/fail2ban/issues
You need some new features, you found bugs?
visit https://github.com/fail2ban/fail2ban/issues
and if your issue is not yet known -- file a bug report.
If you would like to troubleshoot or discuss: join the mailing list
You would like to troubleshoot or discuss?
join the mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
If you just appreciate this program: send kudos to the original author
(Cyril Jaquier: <cyril.jaquier@fail2ban.org>) or the mailing list
You just appreciate this program:
send kudos to the original author (Cyril Jaquier <cyril.jaquier@fail2ban.org>)
or better to the mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
since Fail2Ban is "community-driven" for years now.
Thanks:
-------
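Review bot: Most of this hunk is re-wrapping only: the "already packaged for your distribution", "to see if everything is alright" and Configuration paragraphs each appear twice with identical wording and different line breaks, which adds noise to a README that is already listed under Conflicts for this merge. In the Contact section the three entries are punctuated inconsistently (`...you found bugs?`, `...troubleshoot or discuss?`, but `You just appreciate this program:`); pick one form for all three and keep the re-wrap out of the content change.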


@ -2,6 +2,13 @@
#
# Author: Yaroslav Halchenko
#
# The regex here also relates to a exploit:
#
# http://www.securityfocus.com/bid/17958/exploit
# The example code here shows the pushing of the exploit straight after
# reading the server version. This is where the client version string normally
# pushed. As such the server will read this unparsible information as
# "Did not receive identification string".
[INCLUDES]
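Review bot: The added header comment explains only the exploit case, so a reader cannot tell from the file why the "Did not receive identification string" pattern lives here rather than in sshd.conf; the commit subject gives the reason (it is kept out of the authentication-based blocks) and that sentence belongs in the comment. The same message is logged for any client that connects and sends no valid identification string, so it is worth saying that a match here is not an authentication failure. Wording fixes while there: `a exploit` should be `an exploit`, `unparsible` should be `unparsable`, and `This is where the client version string normally pushed` is missing "is".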


@ -25,12 +25,14 @@ _daemon = sshd
#
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
^%(__prefix_line)sFailed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
# Option: ignoreregex
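Review bot: The `Failed \S+ for .* from <HOST>` pattern, shown beside the narrower `Failed (?:password|publickey) for ...`, counts every authentication method sshd can name in that message as a failure toward a ban, and no sample log lines or test cases for it are visible in this commit. The same goes for the new DenyGroups and AllowGroups patterns. DEVELOP in this same commit asks contributors to include test cases and sample logs, so please add one sample line per new or widened regex, and one line that must not match, so a later change to the greedy `.*` or `.+` before `from <HOST>` cannot silently change which address is captured.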


@ -0,0 +1 @@
D /var/run/fail2ban 0755 root root -
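Review bot: The type on this line is `D`, not `d`; per tmpfiles.d(5), `D` additionally empties the directory when systemd-tmpfiles is run with --remove, and the unit file added in this same commit keeps `PIDFile=/var/run/fail2ban/fail2ban.pid` in that directory. If the intent is only to create the directory at boot, `d /var/run/fail2ban 0755 root root -` is sufficient; if the cleanup is intended, say so in a comment line above the entry.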

files/fail2ban.service Normal file

@ -0,0 +1,14 @@
[Unit]
Description=Fail2ban Service
After=syslog.target network.target
[Service]
Type=forking
ExecStart=/usr/bin/fail2ban-client -x start
ExecStop=/usr/bin/fail2ban-client stop
ExecReload=/usr/bin/fail2ban-client reload
PIDFile=/var/run/fail2ban/fail2ban.pid
Restart=always
[Install]
WantedBy=multi-user.target
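Review bot: `Restart=always` in [Service] restarts the server after a clean exit as well, and the README in this same commit tells users to always go through fail2ban-client, so an administrator who runs `fail2ban-client stop` by hand will see the service come straight back. `Restart=on-failure` fits the stated usage better. Separately, `After=syslog.target network.target` does not order the unit after whichever service loads the host firewall rules; please confirm whether bans applied at start can be lost when that rule set is loaded later, and add the ordering or a comment explaining why it is not needed.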