diff --git a/ChangeLog b/ChangeLog index 0e67489a..beb99614 100644 --- a/ChangeLog +++ b/ChangeLog @@ -39,6 +39,10 @@ ver. 0.11.0-dev-0 (2017/??/??) - development nightly edition ports are enclosed in curly braces `{ }` in the `jail.local` etc. This may cause a double-brackets now. ### Fixes +* jail.conf: port `imap3` replaced with `imap` everywhere, since imap3 is not a standard port and old rarely + (if ever) used and can missing on some systems (e. g. debian stretch), see gh-1942. +* config/paths-common.conf: added missing initial values (and small normalization in config/paths-*.conf) + in order to avoid errors while interpolating (e. g. starting with systemd-backend), see gh-1955. * action.d/pf.conf: - fixed syntax error in achnor definition (documentation, see gh-1919); - enclose ports in braces for multiport jails (see gh-1925); diff --git a/config/jail.conf b/config/jail.conf index 007068cd..ce171424 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -227,10 +227,11 @@ action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] # Report block via blocklist.de fail2ban reporting service API # -# See the IMPORTANT note in action.d/blocklist_de.conf for when to -# use this action. Create a file jail.d/blocklist_de.local containing -# [Init] -# blocklist_de_apikey = {api key from registration] +# See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action. +# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation +# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey` +# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in +# corresponding jail.d/my-jail.local file). # action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"] 
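Review bot: The rewritten comment above `action_blocklist_de` points the reader to `jail.local` or a `jail.d/my-jail.local` file for `blocklist_de_apikey`, but it does not say that this value is a credential or that the file holding it should not be world-readable. I would add one line to the comment block, for example `# blocklist_de_apikey is a secret: keep the .local file that sets it owned by root and not world-readable.` The comment also leaves open what happens when the key is never set. No default for `blocklist_de_apikey` is visible in this hunk, so presumably interpolating `action_blocklist_de` fails in that case, and the comment should say so.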
@@ -659,7 +660,7 @@ logpath = /opt/kerio/mailserver/store/logs/security.log [courier-auth] -port = smtp,465,submission,imap3,imaps,pop3,pop3s +port = smtp,465,submission,imap,imaps,pop3,pop3s logpath = %(syslog_mail)s backend = %(syslog_backend)s @@ -667,7 +668,7 @@ backend = %(syslog_backend)s [postfix-sasl] filter = postfix[mode=auth] -port = smtp,465,submission,imap3,imaps,pop3,pop3s +port = smtp,465,submission,imap,imaps,pop3,pop3s # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. @@ -677,27 +678,27 @@ backend = %(postfix_backend)s [perdition] -port = imap3,imaps,pop3,pop3s +port = imap,imaps,pop3,pop3s logpath = %(syslog_mail)s backend = %(syslog_backend)s [squirrelmail] -port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks +port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log [cyrus-imap] -port = imap3,imaps +port = imap,imaps logpath = %(syslog_mail)s backend = %(syslog_backend)s [uwimap-auth] -port = imap3,imaps +port = imap,imaps logpath = %(syslog_mail)s backend = %(syslog_backend)s diff --git a/config/paths-common.conf b/config/paths-common.conf index 51323d6b..7383cafe 100644 --- a/config/paths-common.conf +++ b/config/paths-common.conf 
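Review bot: In `[squirrelmail]` the new list carries both `imap` and `imap2`, which in the usual services databases are two names for the same port (143/tcp, one an alias of the other). The entry is therefore redundant, and it keeps the kind of dependency on an optional service name that this commit removes for `imap3`. Dropping the alias gives `port = smtp,465,submission,imap,imaps,pop3,pop3s,http,https,socks`, which should be checked against the services files of the supported distributions before it is applied. The same substitution in `[courier-auth]`, `[postfix-sasl]`, `[perdition]`, `[cyrus-imap]` and `[uwimap-auth]` reads fine as written. Since the lists already mix in the numeric `465`, a short comment above these jails would help anyone overriding `port`: it should say that names are resolved on the host and that an unknown name may break the ban action, apparently the problem behind gh-1942.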
@@ -9,21 +9,36 @@ after = paths-overrides.local default_backend = %(default/backend)s +# Initial common values (to overwrite in path-.conf)... +# There is no sensible generic defaults for syslog log targets, thus +# leaving them empty here (resp. set to mostly used variant) in order +# to avoid errors while parsing/interpolating configs. +# +# Note systemd-backend does not need the logpath at all. +# +syslog_local0 = /var/log/messages + +syslog_authpriv = /var/log/auth.log +syslog_daemon = %(syslog_local0)s +syslog_ftp = %(syslog_local0)s +syslog_mail = +syslog_mail_warn = +syslog_user = %(syslog_local0)s + +# Set the default syslog backend target to default_backend +syslog_backend = %(default_backend)s + +# Default values for several jails: + sshd_log = %(syslog_authpriv)s sshd_backend = %(default_backend)s dropbear_log = %(syslog_authpriv)s dropbear_backend = %(default_backend)s -# There is no sensible generic defaults for syslog log targets, thus -# leaving them empty here so that no errors while parsing/interpolating configs -syslog_daemon = -syslog_ftp = -syslog_local0 = -syslog_mail_warn = -syslog_user = -# Set the default syslog backend target to default_backend -syslog_backend = %(default_backend)s +apache_error_log = /var/log/apache2/*error.log + +apache_access_log = /var/log/apache2/*access.log # from /etc/audit/auditd.conf auditd_log = /var/log/audit/audit.log diff --git a/config/paths-debian.conf b/config/paths-debian.conf index 1ca4d242..e096f972 100644 --- a/config/paths-debian.conf +++ b/config/paths-debian.conf 
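Review bot: The new common default `apache_error_log = /var/log/apache2/*error.log` (and the matching `*access.log`) is not the same as the values this commit deletes from paths-opensuse.conf, which were `/var/log/apache2/*error_log` and `/var/log/apache2/*access_log`, with an underscore. If Apache on openSUSE really writes `error_log` and `access_log`, as the removed lines suggest, the apache jails there would watch a glob that matches nothing and possibly stop detecting failures with no obvious error. I would keep the two overrides in paths-opensuse.conf: `apache_error_log = /var/log/apache2/*error_log` and `apache_access_log = /var/log/apache2/*access_log`. Separately, `syslog_mail =` and `syslog_mail_warn =` stay empty in this file, so the header comment could name them as keys that each distribution's paths file has to set for the mail jails.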
@@ -15,23 +15,12 @@ syslog_mail = /var/log/mail.log # syslog_mail_warn = /var/log/mail.warn syslog_mail_warn = %(syslog_mail)s -syslog_authpriv = /var/log/auth.log - -# syslog_auth = /var/log/auth.log -# syslog_user = /var/log/user.log syslog_ftp = /var/log/syslog syslog_daemon = /var/log/daemon.log -syslog_local0 = /var/log/messages - - -apache_error_log = /var/log/apache2/*error.log - -apache_access_log = /var/log/apache2/*access.log - exim_main_log = /var/log/exim4/mainlog # was in debian squeezy but not in wheezy diff --git a/config/paths-fedora.conf b/config/paths-fedora.conf index d13645b1..3d637e1f 100644 --- a/config/paths-fedora.conf +++ b/config/paths-fedora.conf @@ -15,15 +15,6 @@ syslog_mail_warn = /var/log/maillog syslog_authpriv = /var/log/secure -syslog_user = /var/log/messages - -syslog_ftp = /var/log/messages - -syslog_daemon = /var/log/messages - -syslog_local0 = /var/log/messages - - apache_error_log = /var/log/httpd/*error_log apache_access_log = /var/log/httpd/*access_log diff --git a/config/paths-freebsd.conf b/config/paths-freebsd.conf index 91b23636..550ee887 100644 --- a/config/paths-freebsd.conf +++ b/config/paths-freebsd.conf @@ -15,19 +15,10 @@ syslog_mail = /var/log/maillog syslog_mail_warn = /var/log/maillog -syslog_authpriv = /var/log/auth.log - # note - is only ftp.info - if notice /var/log/messages may be needed syslog_ftp = /var/log/xferlog -syslog_daemon = /var/log/messages - -syslog_local0 = /var/log/messages - # Linux things -# we fake to avoid parse error in startups - -auditd_log = /dev/null # http://svnweb.freebsd.org/ports/head/www/apache24/files/patch-docs__conf__extra__httpd-ssl.conf.in?view=markup # http://svnweb.freebsd.org/ports/head/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in?view=markup diff --git a/config/paths-opensuse.conf b/config/paths-opensuse.conf index 227a5e98..f1d70ce7 100644 --- a/config/paths-opensuse.conf +++ b/config/paths-opensuse.conf 
@@ -9,24 +9,12 @@ after = paths-overrides.local [DEFAULT] -syslog_local0 = /var/log/messages - syslog_mail = /var/log/mail syslog_mail_warn = %(syslog_mail)s syslog_authpriv = %(syslog_local0)s -syslog_user = %(syslog_local0)s - -syslog_ftp = %(syslog_local0)s - -syslog_daemon = %(syslog_local0)s - -apache_error_log = /var/log/apache2/*error_log - -apache_access_log = /var/log/apache2/*access_log - pureftpd_log = %(syslog_local0)s exim_main_log = /var/log/exim/main.log diff --git a/config/paths-osx.conf b/config/paths-osx.conf index d1b99b38..2fffd65a 100644 --- a/config/paths-osx.conf +++ b/config/paths-osx.conf @@ -17,11 +17,11 @@ syslog_mail_warn = /var/log/mail.warn syslog_authpriv = /var/log/secure.log #syslog_auth = -#syslog_user = +syslog_user = -#syslog_ftp = +syslog_ftp = -#syslog_daemon = +syslog_daemon = -#syslog_local0 = +syslog_local0 = diff --git a/files/gentoo-initd b/files/gentoo-initd index d4e52bcb..0fb157cd 100755 --- a/files/gentoo-initd +++ b/files/gentoo-initd @@ -18,6 +18,9 @@ # Author: Sireyessire, Cyril Jaquier # +description="Daemon to ban hosts that cause multiple authentication errors" +description_reload="reload configuration" +description_showlog="show fail2ban logs" extra_started_commands="reload showlog" FAIL2BAN="/usr/bin/fail2ban-client ${FAIL2BAN_OPTIONS}"