Merge pull request #625 from grooverdan/distro-paths-gh-315

MRG: Distro paths

config/common-paths.conf

@@ -0,0 +1,56 @@
+# Common
+#
+
+[INCLUDES]
+
+after  = paths-overrides.local
+
+[DEFAULT]
+
+
+
+sshd_log = %(syslog_authpriv)s
+
+dropbear_log = %(syslog_authpriv)s
+
+
+# from /etc/audit/auditd.conf
+auditd_log = /var/log/audit/audit.log
+
+
+nginx_error_log = /var/log/nginx/error.log
+
+nginx_access_log = /var/log/nginx/access.log
+
+
+lighttpd_error_log = /var/log/lighttpd/error.log
+
+# http://www.hardened-php.net/suhosin/configuration.html#suhosin.log.syslog.facility
+# syslog_user is the default. Lighttpd also hooks errors into its log.
+
+suhosin_log = %(syslog_user)s %(lighttpd_error_log)s
+
+# defaults to ftp or local2 if ftp doesn't exist
+proftpd_log = %(syslog_ftp)s 
+
+# http://svnweb.freebsd.org/ports/head/ftp/proftpd/files/patch-src_proftpd.8.in?view=markup
+# defaults to ftp but can be overwritten.
+pureftpd_log = %(syslog_ftp)s
+
+# ftp, daemon and then local7 are tried at configure time however it is overwriteable at configure time
+#
+wuftpd_log = %(syslog_ftp)s
+
+# syslog_enable defaults to no. so it defaults to vsftpd_log_file setting of /var/log/vsftpd.log
+# No distro seems to set it to syslog by default
+# If syslog set it defaults to ftp facility if exists at compile time otherwise falls back to daemonlog.
+vsftpd_log = /var/log/vsftpd.log
+
+# Technically syslog_facility in main.cf can overwrite but no-one sane does this.
+postfix_log = %(syslog_mail_warn)s
+
+dovecot_log = %(syslog_mail_warn)s
+
+# Seems to be set at compile time only to LOG_LOCAL0 (src/const.h) at Notice level
+solidpop3d_log = %(syslog_local0)s
+

config/debian-paths.conf

@@ -0,0 +1,39 @@
+# Debian
+
+[INCLUDES]
+
+before = common-paths.conf
+
+after  = paths-overrides.local
+
+
+[DEFAULT]
+
+syslog_mail = /var/log/mail.log
+
+syslog_mail_warn = /var/log/mail.warn
+
+syslog_authpriv = /var/log/auth.log
+
+# syslog_auth = /var/log/auth.log
+#
+syslog_user  =  /var/log/user.log
+
+syslog_ftp = /var/log/syslog
+
+syslog_daemon =  /var/log/daemon.log
+
+syslog_local0 =  /var/log/messages
+
+
+apache_error_log = /var/log/apache2/*error.log
+
+apache_access_log = /var/log/apache2/*access.log
+
+
+# was in debian squeezy but not in wheezy
+# /etc/proftpd/proftpd.conf (SystemLog)
+proftpd_log = /var/log/proftpd/proftpd.log
+
+
+

config/fedora-paths.conf

@@ -0,0 +1,34 @@
+# Fedora
+
+[INCLUDES]
+
+before = common-paths.conf
+
+after  = paths-overrides.local
+
+
+[DEFAULT]
+
+syslog_mail = /var/log/maillog
+
+syslog_mail_warn = /var/log/maillog
+
+syslog_authpriv = /var/log/secure
+
+syslog_user =  /var/log/messages
+
+syslog_ftp  = /var/log/messages
+
+syslog_daemon  = /var/log/messages
+
+syslog_local0  = /var/log/messages
+
+
+apache_error_log = /var/log/httpd/*error_log
+
+apache_access_log = /var/log/httpd/*access_log
+
+# /etc/proftpd/proftpd.conf (ExtendedLog for Anonymous)
+# proftpd_log = /var/log/proftpd/auth.log
+# Tested and it worked out in /var/log/messages so assuming syslog_ftp for now.
+

config/freebsd-paths.conf

@@ -0,0 +1,46 @@
+# FreeBSD
+
+[INCLUDES]
+
+before = common-paths.conf
+
+after  = paths-overrides.local
+
+
+[DEFAULT]
+
+# http://www.freebsd.org/doc/handbook/configtuning-syslog.html
+#
+syslog_mail = /var/log/maillog
+
+syslog_mail_warn = /var/log/maillog
+
+syslog_authpriv = /var/log/auth.log
+
+# note - is only ftp.info - if notice /var/log/messages may be needed
+syslog_ftp = /var/log/xferlog
+
+syslog_daemon = /var/log/messages
+
+syslog_local0 = /var/log/messages
+
+# Linux things
+# we fake to avoid parse error in startups
+
+auditd_log = /dev/null
+
+# http://svnweb.freebsd.org/ports/head/www/apache24/files/patch-docs__conf__extra__httpd-ssl.conf.in?view=markup
+# http://svnweb.freebsd.org/ports/head/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in?view=markup
+# http://svnweb.freebsd.org/ports/head/www/apache24/files/patch-config.layout
+# http://svnweb.freebsd.org/ports/head/www/apache22/files/patch-config.layout
+
+apache_error_log = /usr/local/www/logs/*error[_.]log
+
+apache_access_log = /usr/local/www/logs/*access[_.]log
+
+# http://svnweb.freebsd.org/ports/head/www/nginx/Makefile?view=markup
+
+nginx_error_log = /var/log/nginx-error.log
+
+nginx_access_log = /var/log/nginx-access.log
+

config/jail.conf

@@ -30,6 +30,12 @@
 
 # Comments: use '#' for comment lines and ';' (following a space) for inline comments
 
+
+[INCLUDES]
+
+#before = disto-paths.conf
+before = debian-paths.conf
+
 # The DEFAULT allows a global definition of the options. They can be overridden
 # in each jail afterwards.
 
@@ -192,27 +198,27 @@ action = %(action_)s
 [sshd]
 
 port    = ssh
-logpath = /var/log/auth.log
-          /var/log/sshd.log
+logpath = %(sshd_log)s
+
 
 [sshd-ddos]
 # This jail corresponds to the standard configuration in Fail2ban.
 # The mail-whois action send a notification e-mail with a whois request
 # in the body.
 port    = ssh
-logpath = /var/log/auth.log
-          /var/log/sshd.log
+logpath = %(sshd_log)s
+
 
 [dropbear]
 
 port     = ssh
-logpath  = /var/log/dropbear
+logpath  = %(dropbear_log)s
 
 
 [selinux-ssh]
 
 port     = ssh
-logpath  = /var/log/audit/audit.log
+logpath  = %(auditd_log)s
 maxretry = 5
 
 
@@ -224,7 +230,7 @@ filter      = sshd
 action      = hostsdeny[daemon_list=sshd]
               sendmail-whois[name=SSH, dest=you@example.com]
 ignoreregex = for myuser from
-logpath     = /var/log/sshd.log
+logpath     = %(sshd_log)s
 
 
 # Here we use blackhole routes for not requiring any additional kernel support
@@ -234,7 +240,7 @@ logpath     = /var/log/sshd.log
 
 filter = sshd
 action = route
-logpath = /var/log/sshd.log
+logpath = %(sshd_log)s
 
 
 # Here we use a combination of Netfilter/Iptables and IPsets
@@ -246,21 +252,21 @@ logpath = /var/log/sshd.log
 
 filter   = sshd
 action   = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
-logpath  = /var/log/sshd.log
+logpath  = %(sshd_log)s
 
 
 [sshd-iptables-ipset6]
 
 filter   = sshd
 action   = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
-logpath  = /var/log/sshd.log
+logpath  = %(sshd_log)s
 
 
 [sshd-apf]
 
 filter  = sshd
 action  = apf[name=SSH]
-logpath = /var/log/secure
+logpath = %(sshd_log)s
 maxretry = 5
 
 
@@ -273,7 +279,7 @@ maxretry = 5
 filter   = sshd
 action   = ipfw[localhost=192.168.0.1]
            sendmail-whois[name="SSH,IPFW", dest=you@example.com]
-logpath  = /var/log/auth.log
+logpath  = %(sshd_log)s
 
 
 # bsd-ipfw is ipfw used by BSD. It uses ipfw tables.
@@ -286,14 +292,14 @@ logpath  = /var/log/auth.log
 
 filter   = sshd
 action   = bsd-ipfw[port=ssh,table=1]
-logpath  = /var/log/auth.log
+logpath  = %(sshd_log)s
 
 
 [sshd-pf]
 # PF is a BSD based firewall
 filter  = sshd
 action  = pf
-logpath = /var/log/sshd.log
+logpath = %(sshd_log)s
 maxretry= 5
 
 
@@ -302,14 +308,14 @@ maxretry= 5
 
 filter = sshd
 action = osx-ipfw
-logpath = /var/log/secure.log
+logpath = %(sshd_log)s
 
 
 [osx-sshd-afctl]
 
 filter   = sshd
 action   = osx-afctl[bantime=600]
-logpath  = /var/log/secure.log
+logpath  = %(sshd_log)s
 maxretry = 5
 
 #
@@ -319,15 +325,14 @@ maxretry = 5
 [apache-auth]
 
 port     = http,https
-logpath  = /var/log/apache*/*error.log
+logpath  = %(apache_error_log)s
 
 
 [apache-badbots]
 # Ban hosts which agent identifies spammer robots crawling the web
 # for email addresses. The mail outputs are buffered.
 port     = http,https
-logpath  = /var/log/apache*/*access.log
-          /var/www/*/logs/access_log
+logpath  = %(apache_access_log)s
 bantime  = 172800
 maxretry = 1
 
@@ -335,45 +340,42 @@ maxretry = 1
 [apache-noscript]
 
 port     = http,https
-logpath  = /var/log/apache*/*error.log
+logpath  = %(apache_error_log)s
 maxretry = 6
 
 
 [apache-overflows]
 
 port     = http,https
-logpath  = /var/log/apache*/*error.log
-          /var/www/*/logs/error_log
+logpath  = %(apache_error_log)s
 maxretry = 2
 
 
 [apache-nohome]
 
 port     = http,https
-logpath  = /var/log/apache*/*error.log
-          /var/www/*/logs/error_log
+logpath  = %(apache_error_log)s
 maxretry = 2
 
 
 [apache-botsearch]
 
 port     = http,https
-logpath  = /var/log/apache*/*error.log
+logpath  = %(apache_error_log)s
 maxretry = 2
 
 
 [apache-modsecurity]
 
 port     = http,https
-logpath  = /var/log/apache*/*error.log
-          /var/www/*/logs/error_log
+logpath  = %(apache_error_log)s
 maxretry = 2
 
 
 [nginx-http-auth]
 
 ports   = http,https
-logpath = /var/log/nginx/error.log
+logpath = %(nginx_error_log)s
 
 
 # Ban attackers that try to use PHP's URL-fopen() functionality
@@ -383,20 +385,20 @@ logpath = /var/log/nginx/error.log
 [php-url-fopen]
 
 port    = http,https
-logpath = /var/www/*/logs/access_log
+logpath = %(nginx_access_log)s %(apache_access_log)s
 
 
 [suhosin]
 
 port    = http,https
-logpath = /var/log/lighttpd/error.log
+logpath = %(suhosin_log)s
 
 
 [lighttpd-auth]
 # Same as above for Apache's mod_auth
 # It catches wrong authentifications
 port    = http,https
-logpath = /var/log/lighttpd/error.log
+logpath = %(lighttpd_error_log)s
 
 
 #
@@ -483,27 +485,27 @@ logpath = /var/log/3proxy.log
 [proftpd]
 
 port     = ftp,ftp-data,ftps,ftps-data
-logpath  = /var/log/proftpd/proftpd.log
+logpath  = %(proftpd_log)s
 
 
 [pure-ftpd]
 
 port     = ftp,ftp-data,ftps,ftps-data
-logpath  = /var/log/auth.log
+logpath  = %(pureftpd_log)s
 maxretry = 6
 
 
 [gssftpd]
 
 port     = ftp,ftp-data,ftps,ftps-data
-logpath  = /var/log/daemon.log
+logpath  = %(syslog_daemon)s
 maxretry = 6
 
 
 [wuftpd]
 
 port     = ftp,ftp-data,ftps,ftps-data
-logpath  = /var/log/daemon.log
+logpath  = %(wuftpd_log)s
 maxretry = 6
 
 
@@ -513,7 +515,7 @@ maxretry = 6
 # if you want to rely on PAM failed login attempts
 # vsftpd's failregex should match both of those formats
 port     = ftp,ftp-data,ftps,ftps-data
-logpath  = /var/log/vsftpd.log
+logpath  = %(vsftpd_log)s
 
 
 # Do not ban anybody. Just report information about the remote host.
@@ -522,7 +524,7 @@ logpath  = /var/log/vsftpd.log
 
 filter   = vsftpd
 action   = sendmail-whois[name=VSFTPD, dest=you@example.com]
-logpath  = /var/log/vsftpd.log
+logpath  = %(vsftpd_log)s
 maxretry = 5
 bantime  = 1800
 
@@ -532,7 +534,7 @@ bantime  = 1800
 
 filter   = vsftpd
 port     = ftp,ftp-data,ftps,ftps-data
-logpath  = /var/log/syslog
+logpath  = %(syslog_ftp)s
 maxretry = 5
 bantime  = 1800
 
@@ -550,25 +552,25 @@ logpath  = /root/path/to/assp/logs/maillog.txt
 [courier-smtp]
 
 port     = smtp,465,submission
-logpath  = /var/log/mail.log
+logpath  = %(syslog_mail)s
 
 
 [postfix]
 
 port     = smtp,465,submission
-logpath  = /var/log/mail.log
+logpath  = %(postfix_log)s
 
 
 [sendmail-auth]
 
 port    = submission,465,smtp
-logpath = /var/log/mail.log
+logpath = %(syslog_mail)s
 
 
 [sendmail-reject]
 
 port     = smtp
-logpath  = /var/log/mail.log
+logpath  = %(syslog_mail)s
 
 
 [qmail-rbl]
@@ -585,13 +587,13 @@ logpath = /service/qmail/log/main/current
 filter   = postfix
 action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
            sendmail[name=Postfix, dest=you@example.com]
-logpath  = /var/log/postfix.log
+logpath  = %(postfix_log)s
 bantime  = 300
 
 
 [sendmail-spam]
 
-logpath  = /var/log/mail.log
+logpath  = %(syslog_mail_warn)s
 
 
 # dovecot defaults to logging to the mail syslog facility
@@ -599,26 +601,26 @@ logpath  = /var/log/mail.log
 [dovecot]
 
 port    = pop3,pop3s,imap,imaps,submission,465,sieve
-logpath = /var/log/mail.log
+logpath = %(syslog_mail_warn)s
 
 
 [dovecot-auth]
 
 filter  = dovecot
 port    = pop3,pop3s,imap,imaps,submission,465,sieve
-logpath = /var/log/secure
+logpath = %(dovecot_log)s
 
 
 [sieve]
 
 port   = smtp,465,submission
-logpath = /var/log/mail*log
+logpath = %(dovecot_log)s
 
 
 [solid-pop3d]
 
 port    = pop3,pop3s
-logpath = /var/log/mail.log
+logpath = %(solidpop3d_log)s
 
 
 [exim]
@@ -644,7 +646,7 @@ logpath = /opt/kerio/mailserver/store/logs/security.log
 [courier-auth]
 
 port     = smtp,465,submission,imap3,imaps,pop3,pop3s
-logpath  = /var/log/mail.log
+logpath  = %(syslog_mail)s
 
 
 [postfix-sasl]
@@ -653,7 +655,7 @@ port     = smtp,465,submission,imap3,imaps,pop3,pop3s
 # You might consider monitoring /var/log/mail.warn instead if you are
 # running postfix since it would provide the same log lines at the
 # "warn" level but overall at the smaller filesize.
-logpath  = /var/log/mail.log
+logpath  = %(postfix_log)s
 
 
 [perdition]
@@ -671,13 +673,13 @@ logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
 [cyrus-imap]
 
 port   = imap3,imaps
-logpath = /var/log/mail*log
+logpath = %(syslog_mail)s
 
 
 [uwimap-auth]
 
 port   = imap3,imaps
-logpath = /var/log/mail*log
+logpath = %(syslog_mail)s
 
 
 #
@@ -783,7 +785,7 @@ maxretry = 5
 
 port     = 3306
 filter   = mysqld-auth
-logpath  = /var/log/daemon.log
+logpath  = %(syslog_daemon)s
 maxretry = 5
 
 

config/osx-paths.conf

@@ -0,0 +1,27 @@
+# OSX
+#
+
+[INCLUDES]
+
+before = common-paths.conf
+
+after  = paths-overrides.local
+
+
+[DEFAULT]
+
+syslog_mail = /var/log/mail.log
+
+syslog_mail_warn = /var/log/mail.warn
+
+syslog_authpriv = /var/log/secure.log
+#syslog_auth = 
+
+#syslog_user = 
+
+#syslog_ftp = 
+
+#syslog_daemon = 
+
+#syslog_local0 =
+

fail2ban/client/jailsreader.py

@@ -67,6 +67,8 @@ class JailsReader(ConfigReader):
 		# Get the options of all jails.
 		parse_status = True
 		for sec in sections:
+			if sec == 'INCLUDES':
+				continue
 			jail = JailReader(sec, basedir=self.getBaseDir(),
 							  force_enable=self.__force_enable)
 			jail.read()

fail2ban/tests/clientreadertestcase.py

@@ -435,7 +435,8 @@ class JailsReaderTest(LogCaptureTestCase):
 		# All jails must have filter and action set
 		# TODO: evolve into a parametric test
 		for jail in jails.sections():
-
+			if jail == 'INCLUDES':
+				continue
 			filterName = jails.get(jail, 'filter')
 			allFilters.add(filterName)
 			self.assertTrue(len(filterName))