github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'master' of https://github.com/fail2ban/fail2ban

pull/401/head
bes.internal 2013-10-22 18:31:19 +03:00
parent 7bbfe5c67c b61fe0f12d
commit 6eb57b7f49
10 changed files with 111 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog
View File

@ -49,6 +49,9 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
to Should- rc init fields
- New Features:
Edgar Hoch
* action.d/firewall-cmd-direct-new.conf - action for firewalld
from https://bugzilla.redhat.com/show_bug.cgi?id=979622
Andy Fragen and Daniel Black
* filter.d/osx-ipfw.conf - ipfw action for OSX based on random rule
numbers.
@ -86,6 +89,8 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
* filter.d/gssftpd - anchored regex at start
* filter.d/sogo-auth - anchor regex at start
* filter.d/mysqld-auth.conf - mysql can use syslog
* filter.d/postfix-sasl - renamed from sasl, anchor at start and base on
syslog
* fail2ban-regex - now generates http://www.debuggex.com urls for debugging
regular expressions with the -D parameter.
* filter.d/sshd - regex enhancements to support openssh-6.3. Closes Debian

4
config/action.d/complain.conf
View File

@ -78,7 +78,7 @@ logpath = /dev/null
# Option: mailcmd
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
# Values: CMD Default: mail -s
# Values: CMD
#
mailcmd = mail -s
@ -89,7 +89,7 @@ mailcmd = mail -s
# Appear to come from a different address - the '--' indicates
# arguments to be passed to Sendmail:
# -- -f me@example.com
# Values: [ STRING ] Default: (empty)
# Values: [ STRING ]
#
mailargs =

22
config/action.d/dshield.conf
View File

@ -106,7 +106,7 @@ actionunban = if [ -f <tmpfile>.first ]; then
# Option: port
# Notes.: The target port for the attack (numerical). MUST be provided in the
# jail config, as it cannot be detected here.
# Values: [ NUM ] Default: ???
# Values: [ NUM ]
#
port = ???
@ -114,7 +114,7 @@ port = ???
# Notes.: Your DShield user ID. Should be provided either in the jail config or
# in a .local file.
# Register at https://secure.dshield.org/register.html
# Values: [ NUM ] Default: 0
# Values: [ NUM ]
#
userid = 0
@ -137,7 +137,7 @@ protocol = tcp
# Notes.: How many lines to buffer before making a report. Regardless of this,
# reports are sent a minimum of <minreportinterval> apart, or if the
# buffer contains an event over <maxbufferage> old, or on shutdown
# Values: [ NUM ] Default: 50
# Values: [ NUM ]
#
lines = 50
@ -145,7 +145,7 @@ lines = 50
# Notes.: Minimum period (in seconds) that must elapse before we submit another
# batch of reports. DShield request a minimum of 1 hour (3600 secs)
# between reports.
# Values: [ NUM ] Default: 3600
# Values: [ NUM ]
#
minreportinterval = 3600
@ -154,27 +154,27 @@ minreportinterval = 3600
# submit the batch, even if we haven't reached <lines> yet. Note that
# this is only checked on each ban/unban, and that we always send
# anything in the buffer on shutdown. Must be greater than
# Values: [ NUM ] Default: 21600 (6 hours)
# Values: [ NUM ]
#
maxbufferage = 21600
# Option: srcport
# Notes.: The source port of the attack. You're unlikely to have this info, so
# you can leave the default
# Values: [ NUM ] Default: ???
# Values: [ NUM ]
#
srcport = ???
# Option: tcpflags
# Notes.: TCP flags on attack. You're unlikely to have this info, so you can
# leave empty
# Values: [ STRING ] Default: (empty)
# Values: [ STRING ]
#
tcpflags =
# Option: mailcmd
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
# Values: CMD Default: mail -s
# Values: CMD
#
mailcmd = mail -s
@ -186,19 +186,19 @@ mailcmd = mail -s
# the one configured at DShield - the '--' indicates arguments to be
# passed to Sendmail):
# -- -f me@example.com
# Values: [ STRING ] Default: (empty)
# Values: [ STRING ]
#
mailargs =
# Option: dest
# Notes.: Destination e-mail address for reports
# Values: [ STRING ] Default: reports@dshield.org
# Values: [ STRING ]
#
dest = reports@dshield.org
# Option: tmpfile
# Notes.: Base name of temporary files used for buffering
# Values: [ STRING ] Default: /var/run/fail2ban/tmp-dshield
# Values: [ STRING ]
#
tmpfile = /var/run/fail2ban/tmp-dshield

58
config/action.d/firewall-cmd-direct-new.conf Normal file
View File

@ -0,0 +1,58 @@
# Fail2Ban configuration file
#
# Author: Edgar Hoch
# Copied from iptables-new.conf and modified for use with firewalld by Edgar Hoch.
# It uses "firewall-cmd" instead of "iptables".
# firewall-cmd is based on the command of version firewalld-0.3.4-1.fc19.
[INCLUDES]
before = iptables-blocktype.conf
[Definition]
actionstart = firewall-cmd --direct --add-chain ipv4 filter fail2ban-<name>
firewall-cmd --direct --add-rule ipv4 filter fail2ban-<name> 1000 -j RETURN
firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
# The following rule does not work, because firewalld keeps its own database of firewall rules.
# firewall-cmd --direct --passthrough ipv4 -F fail2ban-<name>
# The better rule would be the following, but firewall-cmd has not implemented this command with firewalld-0.3.3-2.fc19 .
# firewall-cmd --direct --flush-chain ipv4 filter fail2ban-<name>
# The following is a workaround using a loop to implement the --flush-chain command.
# https://fedorahosted.org/firewalld/ticket/10
actionstop = firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
( IFS='|' ; for r in $( firewall-cmd --direct --get-rules ipv4 filter fail2ban-<name> | tr '\n' '|' ) ; do eval firewall-cmd --direct --remove-rule ipv4 filter fail2ban-<name> $r ; done )
firewall-cmd --direct --remove-chain ipv4 filter fail2ban-<name>
actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q 'fail2ban-<name>[ \t]'
actionban = firewall-cmd --direct --add-rule ipv4 filter fail2ban-<name> 0 -s <ip> -j <blocktype>
actionunban = firewall-cmd --direct --remove-rule ipv4 filter fail2ban-<name> 0 -s <ip> -j <blocktype>
[Init]
# Default name of the chain
#
name = default
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ]
#
port = ssh
# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ]
#
protocol = tcp
# Option: chain
# Notes specifies the iptables chain to which the fail2ban rules should be
# added
# Values: [ STRING ]
#
chain = INPUT_direct

2
config/action.d/pf.conf
View File

@ -56,7 +56,7 @@ actionunban = /sbin/pfctl -t <tablename> -T delete <ip>/32
[Init]
# Option: tablename
# Notes.: The pf table name.
# Values: [ STRING ] Default: fail2ban
# Values: [ STRING ]
#
tablename = fail2ban

34
config/fail2ban.conf
View File

@ -11,24 +11,24 @@
[Definition]
# Option: loglevel
# Notes.: Set the log level output.
# 1 = ERROR
# 2 = WARN
# 3 = INFO
# 4 = DEBUG
# Values: NUM Default: 3
# Option: loglevel
# Notes.: Set the log level output.
# 1 = ERROR
# 2 = WARN
# 3 = INFO
# 4 = DEBUG
# Values: [ NUM ] Default: 1
#
loglevel = 3
# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
# Only one log target can be specified.
# If you change logtarget from the default value and you are
# using logrotate -- also adjust or disable rotation in the
# corresponding configuration file
# (e.g. /etc/logrotate.d/fail2ban on Debian systems)
# Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log
# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
# Only one log target can be specified.
# If you change logtarget from the default value and you are
# using logrotate -- also adjust or disable rotation in the
# corresponding configuration file
# (e.g. /etc/logrotate.d/fail2ban on Debian systems)
# Values: [ STDOUT | STDERR | SYSLOG | FILE ] Default: STDERR
#
logtarget = /var/log/fail2ban.log
@ -36,14 +36,14 @@ logtarget = /var/log/fail2ban.log
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
# not remove this file when Fail2ban runs. It will not be possible to
# communicate with the server afterwards.
# Values: FILE Default: /var/run/fail2ban/fail2ban.sock
# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock
# Option: pidfile
# Notes.: Set the PID file. This is used to store the process ID of the
# fail2ban server.
# Values: FILE Default: /var/run/fail2ban/fail2ban.pid
# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.pid
#
pidfile = /var/run/fail2ban/fail2ban.pid

16
config/filter.d/postfix-sasl.conf Normal file
View File

@ -0,0 +1,16 @@
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix/smtpd
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

22
config/filter.d/sasl.conf
View File

@ -1,22 +0,0 @@
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

2
config/jail.conf
View File

@ -92,7 +92,7 @@ maxretry = 6
[sasl-iptables]
enabled = false
filter = sasl
filter = postfix-sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
sendmail-whois[name=sasl, dest=you@example.com]

0
testcases/files/logs/sasl → testcases/files/logs/postfix-sasl
View File