github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch '0.10' into 0.11

pull/1976/merge
sebres 2017-11-06 18:57:53 +01:00
parent 12419b75f2 7e756da2b9
commit 70b933f405
9 changed files with 46 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ChangeLog
View File

@ -39,6 +39,10 @@ ver. 0.11.0-dev-0 (2017/??/??) - development nightly edition
ports are enclosed in curly braces `{ }` in the `jail.local` etc. This may cause a double-brackets now. ports are enclosed in curly braces `{ }` in the `jail.local` etc. This may cause a double-brackets now.
### Fixes ### Fixes
* jail.conf: port `imap3` replaced with `imap` everywhere, since imap3 is not a standard port and old rarely
(if ever) used and can missing on some systems (e. g. debian stretch), see gh-1942.
* config/paths-common.conf: added missing initial values (and small normalization in config/paths-*.conf)
in order to avoid errors while interpolating (e. g. starting with systemd-backend), see gh-1955.
* action.d/pf.conf: * action.d/pf.conf:
- fixed syntax error in achnor definition (documentation, see gh-1919); - fixed syntax error in achnor definition (documentation, see gh-1919);
- enclose ports in braces for multiport jails (see gh-1925); - enclose ports in braces for multiport jails (see gh-1925);

21
config/jail.conf
View File

@ -227,10 +227,11 @@ action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
# Report block via blocklist.de fail2ban reporting service API # Report block via blocklist.de fail2ban reporting service API
# #
# See the IMPORTANT note in action.d/blocklist_de.conf for when to # See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
# use this action. Create a file jail.d/blocklist_de.local containing # Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
# [Init] # `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
# blocklist_de_apikey = {api key from registration] # in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in
# corresponding jail.d/my-jail.local file).
# #
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"] action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
@ -659,7 +660,7 @@ logpath = /opt/kerio/mailserver/store/logs/security.log
[courier-auth] [courier-auth]
port = smtp,465,submission,imap3,imaps,pop3,pop3s port = smtp,465,submission,imap,imaps,pop3,pop3s
logpath = %(syslog_mail)s logpath = %(syslog_mail)s
backend = %(syslog_backend)s backend = %(syslog_backend)s
@ -667,7 +668,7 @@ backend = %(syslog_backend)s
[postfix-sasl] [postfix-sasl]
filter = postfix[mode=auth] filter = postfix[mode=auth]
port = smtp,465,submission,imap3,imaps,pop3,pop3s port = smtp,465,submission,imap,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are # You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the # running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize. # "warn" level but overall at the smaller filesize.
@ -677,27 +678,27 @@ backend = %(postfix_backend)s
[perdition] [perdition]
port = imap3,imaps,pop3,pop3s port = imap,imaps,pop3,pop3s
logpath = %(syslog_mail)s logpath = %(syslog_mail)s
backend = %(syslog_backend)s backend = %(syslog_backend)s
[squirrelmail] [squirrelmail]
port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
[cyrus-imap] [cyrus-imap]
port = imap3,imaps port = imap,imaps
logpath = %(syslog_mail)s logpath = %(syslog_mail)s
backend = %(syslog_backend)s backend = %(syslog_backend)s
[uwimap-auth] [uwimap-auth]
port = imap3,imaps port = imap,imaps
logpath = %(syslog_mail)s logpath = %(syslog_mail)s
backend = %(syslog_backend)s backend = %(syslog_backend)s

33
config/paths-common.conf
View File

@ -9,21 +9,36 @@ after = paths-overrides.local
default_backend = %(default/backend)s default_backend = %(default/backend)s
# Initial common values (to overwrite in path-<distribution>.conf)...
# There is no sensible generic defaults for syslog log targets, thus
# leaving them empty here (resp. set to mostly used variant) in order
# to avoid errors while parsing/interpolating configs.
#
# Note systemd-backend does not need the logpath at all.
#
syslog_local0 = /var/log/messages
syslog_authpriv = /var/log/auth.log
syslog_daemon = %(syslog_local0)s
syslog_ftp = %(syslog_local0)s
syslog_mail =
syslog_mail_warn =
syslog_user = %(syslog_local0)s
# Set the default syslog backend target to default_backend
syslog_backend = %(default_backend)s
# Default values for several jails:
sshd_log = %(syslog_authpriv)s sshd_log = %(syslog_authpriv)s
sshd_backend = %(default_backend)s sshd_backend = %(default_backend)s
dropbear_log = %(syslog_authpriv)s dropbear_log = %(syslog_authpriv)s
dropbear_backend = %(default_backend)s dropbear_backend = %(default_backend)s
# There is no sensible generic defaults for syslog log targets, thus apache_error_log = /var/log/apache2/*error.log
# leaving them empty here so that no errors while parsing/interpolating configs
syslog_daemon = apache_access_log = /var/log/apache2/*access.log
syslog_ftp =
syslog_local0 =
syslog_mail_warn =
syslog_user =
# Set the default syslog backend target to default_backend
syslog_backend = %(default_backend)s
# from /etc/audit/auditd.conf # from /etc/audit/auditd.conf
auditd_log = /var/log/audit/audit.log auditd_log = /var/log/audit/audit.log

11
config/paths-debian.conf
View File

@ -15,23 +15,12 @@ syslog_mail = /var/log/mail.log
# syslog_mail_warn = /var/log/mail.warn # syslog_mail_warn = /var/log/mail.warn
syslog_mail_warn = %(syslog_mail)s syslog_mail_warn = %(syslog_mail)s
syslog_authpriv = /var/log/auth.log
# syslog_auth = /var/log/auth.log
#
syslog_user = /var/log/user.log syslog_user = /var/log/user.log
syslog_ftp = /var/log/syslog syslog_ftp = /var/log/syslog
syslog_daemon = /var/log/daemon.log syslog_daemon = /var/log/daemon.log
syslog_local0 = /var/log/messages
apache_error_log = /var/log/apache2/*error.log
apache_access_log = /var/log/apache2/*access.log
exim_main_log = /var/log/exim4/mainlog exim_main_log = /var/log/exim4/mainlog
# was in debian squeezy but not in wheezy # was in debian squeezy but not in wheezy

9
config/paths-fedora.conf
View File

@ -15,15 +15,6 @@ syslog_mail_warn = /var/log/maillog
syslog_authpriv = /var/log/secure syslog_authpriv = /var/log/secure
syslog_user = /var/log/messages
syslog_ftp = /var/log/messages
syslog_daemon = /var/log/messages
syslog_local0 = /var/log/messages
apache_error_log = /var/log/httpd/*error_log apache_error_log = /var/log/httpd/*error_log
apache_access_log = /var/log/httpd/*access_log apache_access_log = /var/log/httpd/*access_log

9
config/paths-freebsd.conf
View File

@ -15,19 +15,10 @@ syslog_mail = /var/log/maillog
syslog_mail_warn = /var/log/maillog syslog_mail_warn = /var/log/maillog
syslog_authpriv = /var/log/auth.log
# note - is only ftp.info - if notice /var/log/messages may be needed # note - is only ftp.info - if notice /var/log/messages may be needed
syslog_ftp = /var/log/xferlog syslog_ftp = /var/log/xferlog
syslog_daemon = /var/log/messages
syslog_local0 = /var/log/messages
# Linux things # Linux things
# we fake to avoid parse error in startups
auditd_log = /dev/null
# http://svnweb.freebsd.org/ports/head/www/apache24/files/patch-docs__conf__extra__httpd-ssl.conf.in?view=markup # http://svnweb.freebsd.org/ports/head/www/apache24/files/patch-docs__conf__extra__httpd-ssl.conf.in?view=markup
# http://svnweb.freebsd.org/ports/head/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in?view=markup # http://svnweb.freebsd.org/ports/head/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in?view=markup

12
config/paths-opensuse.conf
View File

@ -9,24 +9,12 @@ after = paths-overrides.local
[DEFAULT] [DEFAULT]
syslog_local0 = /var/log/messages
syslog_mail = /var/log/mail syslog_mail = /var/log/mail
syslog_mail_warn = %(syslog_mail)s syslog_mail_warn = %(syslog_mail)s
syslog_authpriv = %(syslog_local0)s syslog_authpriv = %(syslog_local0)s
syslog_user = %(syslog_local0)s
syslog_ftp = %(syslog_local0)s
syslog_daemon = %(syslog_local0)s
apache_error_log = /var/log/apache2/*error_log
apache_access_log = /var/log/apache2/*access_log
pureftpd_log = %(syslog_local0)s pureftpd_log = %(syslog_local0)s
exim_main_log = /var/log/exim/main.log exim_main_log = /var/log/exim/main.log

8
config/paths-osx.conf
View File

@ -17,11 +17,11 @@ syslog_mail_warn = /var/log/mail.warn
syslog_authpriv = /var/log/secure.log syslog_authpriv = /var/log/secure.log
#syslog_auth = #syslog_auth =
#syslog_user = syslog_user =
#syslog_ftp = syslog_ftp =
#syslog_daemon = syslog_daemon =
#syslog_local0 = syslog_local0 =

3
files/gentoo-initd
View File

@ -18,6 +18,9 @@
# Author: Sireyessire, Cyril Jaquier # Author: Sireyessire, Cyril Jaquier
# #
description="Daemon to ban hosts that cause multiple authentication errors"
description_reload="reload configuration"
description_showlog="show fail2ban logs"
extra_started_commands="reload showlog" extra_started_commands="reload showlog"
FAIL2BAN="/usr/bin/fail2ban-client ${FAIL2BAN_OPTIONS}" FAIL2BAN="/usr/bin/fail2ban-client ${FAIL2BAN_OPTIONS}"