diff --git a/config/common-paths.conf b/config/common-paths.conf
new file mode 100644
index 00000000..6a6c71ad
--- /dev/null
+++ b/config/common-paths.conf
@@ -0,0 +1,56 @@
+# Common
+#
+
+[INCLUDES]
+
+after = paths-overrides.local
+
+[DEFAULT]
+
+
+
+sshd_log = %(syslog_authpriv)s
+
+dropbear_log = %(syslog_authpriv)s
+
+
+# from /etc/audit/auditd.conf
+auditd_log = /var/log/audit/audit.log
+
+
+nginx_error_log = /var/log/nginx/error.log
+
+nginx_access_log = /var/log/nginx/access.log
+
+
+lighttpd_error_log = /var/log/lighttpd/error.log
+
+# http://www.hardened-php.net/suhosin/configuration.html#suhosin.log.syslog.facility
+# syslog_user is the default. Lighttpd also hooks errors into its log.
+
+suhosin_log = %(syslog_user)s %(lighttpd_error_log)s
+
+# defaults to ftp or local2 if ftp doesn't exist
+proftpd_log = %(syslog_ftp)s
+
+# http://svnweb.freebsd.org/ports/head/ftp/proftpd/files/patch-src_proftpd.8.in?view=markup
+# defaults to ftp but can be overwritten.
+pureftpd_log = %(syslog_ftp)s
+
+# ftp, daemon and then local7 are tried at configure time however it is overwriteable at configure time
+#
+wuftpd_log = %(syslog_ftp)s
+
+# syslog_enable defaults to no. so it defaults to vsftpd_log_file setting of /var/log/vsftpd.log
+# No distro seems to set it to syslog by default
+# If syslog set it defaults to ftp facility if exists at compile time otherwise falls back to daemonlog.
+vsftpd_log = /var/log/vsftpd.log
+
+# Technically syslog_facility in main.cf can overwrite but no-one sane does this.
+postfix_log = %(syslog_mail_warn)s
+
+dovecot_log = %(syslog_mail_warn)s
+
+# Seems to be set at compile time only to LOG_LOCAL0 (src/const.h) at Notice level
+solidpop3d_log = %(syslog_local0)s
+
diff --git a/config/debian-paths.conf b/config/debian-paths.conf
new file mode 100644
index 00000000..e2236823
--- /dev/null
+++ b/config/debian-paths.conf
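Review bot: Every `%(...)s` reference in this file except `lighttpd_error_log` (`syslog_authpriv`, `syslog_user`, `syslog_ftp`, `syslog_mail_warn`, `syslog_local0`) is left undefined here, so the file only resolves when the including distro file supplies all five, and nothing states that contract. Add a header comment listing the `syslog_*` names a `*-paths.conf` file must define; the freebsd and osx files added in this same commit each omit some of them, which is exactly the case such a comment would have caught. `suhosin_log` also places two paths on a single line whereas the existing multi-path `logpath` values in jail.conf use one path per line, so confirm the reader splits on whitespace and say so next to it.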
@@ -0,0 +1,39 @@
+# Debian
+
+[INCLUDES]
+
+before = common-paths.conf
+
+after = paths-overrides.local
+
+
+[DEFAULT]
+
+syslog_mail = /var/log/mail.log
+
+syslog_mail_warn = /var/log/mail.warn
+
+syslog_authpriv = /var/log/auth.log
+
+# syslog_auth = /var/log/auth.log
+#
+syslog_user = /var/log/user.log
+
+syslog_ftp = /var/log/syslog
+
+syslog_daemon = /var/log/daemon.log
+
+syslog_local0 = /var/log/messages
+
+
+apache_error_log = /var/log/apache2/*error.log
+
+apache_access_log = /var/log/apache2/*access.log
+
+
+# was in debian squeezy but not in wheezy
+# /etc/proftpd/proftpd.conf (SystemLog)
+proftpd_log = /var/log/proftpd/proftpd.log
+
+
+
diff --git a/config/fedora-paths.conf b/config/fedora-paths.conf
new file mode 100644
index 00000000..cad2c106
--- /dev/null
+++ b/config/fedora-paths.conf
@@ -0,0 +1,34 @@
+# Fedora
+
+[INCLUDES]
+
+before = common-paths.conf
+
+after = paths-overrides.local
+
+
+[DEFAULT]
+
+syslog_mail = /var/log/maillog
+
+syslog_mail_warn = /var/log/maillog
+
+syslog_authpriv = /var/log/secure
+
+syslog_user = /var/log/messages
+
+syslog_ftp = /var/log/messages
+
+syslog_daemon = /var/log/messages
+
+syslog_local0 = /var/log/messages
+
+
+apache_error_log = /var/log/httpd/*error_log
+
+apache_access_log = /var/log/httpd/*access_log
+
+# /etc/proftpd/proftpd.conf (ExtendedLog for Anonymous)
+# proftpd_log = /var/log/proftpd/auth.log
+# Tested and it worked out in /var/log/messages so assuming syslog_ftp for now.
+
diff --git a/config/freebsd-paths.conf b/config/freebsd-paths.conf
new file mode 100644
index 00000000..ee636a04
--- /dev/null
+++ b/config/freebsd-paths.conf
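Review bot: `proftpd_log = /var/log/proftpd/proftpd.log` overrides the `%(syslog_ftp)s` default from common-paths.conf with a file that the comment directly above says is absent on wheezy, so a proftpd jail on wheezy is pointed at a path that does not exist instead of at `/var/log/syslog`. Either keep both candidates (`proftpd_log = /var/log/proftpd/proftpd.log %(syslog_ftp)s`, if the space-separated form `suhosin_log` uses is supported by the reader) or move the squeeze-specific path into the override file. `# syslog_auth = /var/log/auth.log` followed by a bare `#` is dead configuration; drop it or say why it is kept.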
@@ -0,0 +1,46 @@
+# FreeBSD
+
+[INCLUDES]
+
+before = common-paths.conf
+
+after = paths-overrides.local
+
+
+[DEFAULT]
+
+# http://www.freebsd.org/doc/handbook/configtuning-syslog.html
+#
+syslog_mail = /var/log/maillog
+
+syslog_mail_warn = /var/log/maillog
+
+syslog_authpriv = /var/log/auth.log
+
+# note - is only ftp.info - if notice /var/log/messages may be needed
+syslog_ftp = /var/log/xferlog
+
+syslog_daemon = /var/log/messages
+
+syslog_local0 = /var/log/messages
+
+# Linux things
+# we fake to avoid parse error in startups
+
+auditd_log = /dev/null
+
+# http://svnweb.freebsd.org/ports/head/www/apache24/files/patch-docs__conf__extra__httpd-ssl.conf.in?view=markup
+# http://svnweb.freebsd.org/ports/head/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in?view=markup
+# http://svnweb.freebsd.org/ports/head/www/apache24/files/patch-config.layout
+# http://svnweb.freebsd.org/ports/head/www/apache22/files/patch-config.layout
+
+apache_error_log = /usr/local/www/logs/*error[_.]log
+
+apache_access_log = /usr/local/www/logs/*access[_.]log
+
+# http://svnweb.freebsd.org/ports/head/www/nginx/Makefile?view=markup
+
+nginx_error_log = /var/log/nginx-error.log
+
+nginx_access_log = /var/log/nginx-access.log
+
diff --git a/config/jail.conf b/config/jail.conf
index f96a959a..fb064a0e 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -30,6 +30,12 @@ # Comments: use '#' for comment lines and ';' (following a space) for inline comments + +[INCLUDES] + +#before = disto-paths.conf +before = debian-paths.conf + # The DEFAULT allows a global definition of the options. They can be overridden # in each jail afterwards.
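Review bot: `syslog_user` is never defined in this file, yet common-paths.conf resolves `suhosin_log` through `%(syslog_user)s`; the `auditd_log = /dev/null` entry above exists, per its own comment, to avoid a startup parse error from an unresolved name, so the same failure seems likely for that variable on FreeBSD. Define it alongside the others, e.g. `syslog_user = /var/log/messages` (the file already used for `syslog_daemon`) or `/dev/null` as done for `auditd_log`. The Linux paths inherited for `lighttpd_error_log` and `vsftpd_log` are not reviewed for FreeBSD either; a one-line comment saying they were checked, or overrides, would close that gap.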
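Review bot: `before = debian-paths.conf` hardwires the Debian layout into the shipped jail.conf, so on every other platform the new `%(sshd_log)s`-style values resolve to Debian paths (for example `/var/log/auth.log` rather than the `/var/log/secure` that fedora-paths.conf defines) unless the user edits this file, and the commit adds fedora, freebsd and osx variants without telling the reader how to select one. Expand the comment, e.g. `# Set to the *-paths.conf matching your platform (debian, fedora, freebsd, osx)`, and fix the typo in `#before = disto-paths.conf` (`distro`). If `before` cannot be overridden from a local file, state that here as well, since it decides whether this line must be edited in place.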
@@ -192,27 +198,27 @@ action = %(action_)s [sshd] port = ssh -logpath = /var/log/auth.log - /var/log/sshd.log +logpath = %(sshd_log)s + [sshd-ddos] # This jail corresponds to the standard configuration in Fail2ban. # The mail-whois action send a notification e-mail with a whois request # in the body. port = ssh -logpath = /var/log/auth.log - /var/log/sshd.log +logpath = %(sshd_log)s + [dropbear] port = ssh -logpath = /var/log/dropbear +logpath = %(dropbear_log)s [selinux-ssh] port = ssh -logpath = /var/log/audit/audit.log +logpath = %(auditd_log)s maxretry = 5 @@ -224,7 +230,7 @@ filter = sshd action = hostsdeny[daemon_list=sshd] sendmail-whois[name=SSH, dest=you@example.com] ignoreregex = for myuser from -logpath = /var/log/sshd.log +logpath = %(sshd_log)s # Here we use blackhole routes for not requiring any additional kernel support @@ -234,7 +240,7 @@ logpath = /var/log/sshd.log filter = sshd action = route -logpath = /var/log/sshd.log +logpath = %(sshd_log)s # Here we use a combination of Netfilter/Iptables and IPsets @@ -246,21 +252,21 @@ logpath = /var/log/sshd.log filter = sshd action = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp] -logpath = /var/log/sshd.log +logpath = %(sshd_log)s [sshd-iptables-ipset6] filter = sshd action = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600] -logpath = /var/log/sshd.log +logpath = %(sshd_log)s [sshd-apf] filter = sshd action = apf[name=SSH] -logpath = /var/log/secure +logpath = %(sshd_log)s maxretry = 5 @@ -273,7 +279,7 @@ maxretry = 5 filter = sshd action = ipfw[localhost=192.168.0.1] sendmail-whois[name="SSH,IPFW", dest=you@example.com] -logpath = /var/log/auth.log +logpath = %(sshd_log)s # bsd-ipfw is ipfw used by BSD. It uses ipfw tables. 
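Review bot: The `[sshd]` and `[sshd-ddos]` jails lose `/var/log/sshd.log`: the removed `logpath` listed both `/var/log/auth.log` and `/var/log/sshd.log`, while `sshd_log` in common-paths.conf is only `%(syslog_authpriv)s`, so a host whose sshd writes to its own file is no longer covered by default and those jails will not see any failed logins there. If that path was kept for such setups, add it to the variable (`sshd_log = %(syslog_authpriv)s /var/log/sshd.log`, provided multiple paths on one line are supported) or record the dropped coverage in the commit message. The remaining sshd-based jails in the following hunks on this line previously watched `/var/log/sshd.log` or `/var/log/secure` alone and are narrowed the same way.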
@@ -286,14 +292,14 @@ logpath = /var/log/auth.log filter = sshd action = bsd-ipfw[port=ssh,table=1] -logpath = /var/log/auth.log +logpath = %(sshd_log)s [sshd-pf] # PF is a BSD based firewall filter = sshd action = pf -logpath = /var/log/sshd.log +logpath = %(sshd_log)s maxretry= 5 @@ -302,14 +308,14 @@ maxretry= 5 filter = sshd action = osx-ipfw -logpath = /var/log/secure.log +logpath = %(sshd_log)s [osx-sshd-afctl] filter = sshd action = osx-afctl[bantime=600] -logpath = /var/log/secure.log +logpath = %(sshd_log)s maxretry = 5 # @@ -319,15 +325,14 @@ maxretry = 5 [apache-auth] port = http,https -logpath = /var/log/apache*/*error.log +logpath = %(apache_error_log)s [apache-badbots] # Ban hosts which agent identifies spammer robots crawling the web # for email addresses. The mail outputs are buffered. port = http,https -logpath = /var/log/apache*/*access.log - /var/www/*/logs/access_log +logpath = %(apache_access_log)s bantime = 172800 maxretry = 1 @@ -335,45 +340,42 @@ maxretry = 1 [apache-noscript] port = http,https -logpath = /var/log/apache*/*error.log +logpath = %(apache_error_log)s maxretry = 6 [apache-overflows] port = http,https -logpath = /var/log/apache*/*error.log - /var/www/*/logs/error_log +logpath = %(apache_error_log)s maxretry = 2 [apache-nohome] port = http,https -logpath = /var/log/apache*/*error.log - /var/www/*/logs/error_log +logpath = %(apache_error_log)s maxretry = 2 [apache-botsearch] port = http,https -logpath = /var/log/apache*/*error.log +logpath = %(apache_error_log)s maxretry = 2 [apache-modsecurity] port = http,https -logpath = /var/log/apache*/*error.log - /var/www/*/logs/error_log +logpath = %(apache_error_log)s maxretry = 2 [nginx-http-auth] ports = http,https -logpath = /var/log/nginx/error.log +logpath = %(nginx_error_log)s # Ban attackers that try to use PHP's URL-fopen() functionality 
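Review bot: `[apache-badbots]`, `[apache-overflows]`, `[apache-nohome]` and `[apache-modsecurity]` previously also watched `/var/www/*/logs/access_log` or `/var/www/*/logs/error_log`, and the `apache_access_log`/`apache_error_log` values in the new distro files name only `/var/log/apache2/*` or `/var/log/httpd/*`, so per-site logs under `/var/www` silently drop out of the default coverage. If that is intended, say so in the commit; otherwise append the vhost glob to the variable in the distro files (`apache_error_log = /var/log/apache2/*error.log /var/www/*/logs/error_log`, relying on the space-separated form used elsewhere in this commit). The second hunk on this line (`@@ -335,45 +340,42 @@`) has the same regression for the remaining three apache jails.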
@@ -383,20 +385,20 @@ logpath = /var/log/nginx/error.log [php-url-fopen] port = http,https -logpath = /var/www/*/logs/access_log +logpath = %(nginx_access_log)s %(apache_access_log)s [suhosin] port = http,https -logpath = /var/log/lighttpd/error.log +logpath = %(suhosin_log)s [lighttpd-auth] # Same as above for Apache's mod_auth # It catches wrong authentifications port = http,https -logpath = /var/log/lighttpd/error.log +logpath = %(lighttpd_error_log)s # @@ -483,27 +485,27 @@ logpath = /var/log/3proxy.log [proftpd] port = ftp,ftp-data,ftps,ftps-data -logpath = /var/log/proftpd/proftpd.log +logpath = %(proftpd_log)s [pure-ftpd] port = ftp,ftp-data,ftps,ftps-data -logpath = /var/log/auth.log +logpath = %(pureftpd_log)s maxretry = 6 [gssftpd] port = ftp,ftp-data,ftps,ftps-data -logpath = /var/log/daemon.log +logpath = %(syslog_daemon)s maxretry = 6 [wuftpd] port = ftp,ftp-data,ftps,ftps-data -logpath = /var/log/daemon.log +logpath = %(wuftpd_log)s maxretry = 6 @@ -513,7 +515,7 @@ maxretry = 6 # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats port = ftp,ftp-data,ftps,ftps-data -logpath = /var/log/vsftpd.log +logpath = %(vsftpd_log)s # Do not ban anybody. Just report information about the remote host. @@ -522,7 +524,7 @@ logpath = /var/log/vsftpd.log filter = vsftpd action = sendmail-whois[name=VSFTPD, dest=you@example.com] -logpath = /var/log/vsftpd.log +logpath = %(vsftpd_log)s maxretry = 5 bantime = 1800 @@ -532,7 +534,7 @@ bantime = 1800 filter = vsftpd port = ftp,ftp-data,ftps,ftps-data -logpath = /var/log/syslog +logpath = %(syslog_ftp)s maxretry = 5 bantime = 1800 
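Review bot: `logpath = %(nginx_access_log)s %(apache_access_log)s` in `[php-url-fopen]` puts two paths on one line, whereas every pre-existing multi-path `logpath` in this file (see the removed `/var/log/auth.log` / `/var/log/sshd.log` pair earlier in the diff) used one path per line; if the reader splits only on newlines this becomes a single non-existent path and the jail fails to load. Either split it over two lines like the existing values or confirm and document, next to `suhosin_log` in common-paths.conf, that whitespace-separated paths are accepted. `[gssftpd]` is also the only jail in this hunk that interpolates the raw `syslog_daemon` rather than a dedicated `*_log` name like `wuftpd_log`, so a distro file cannot redirect it without moving the daemon log for every other consumer; a `gssftpd_log = %(syslog_daemon)s` entry in common-paths.conf would keep the scheme uniform.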
@@ -550,25 +552,25 @@ logpath = /root/path/to/assp/logs/maillog.txt [courier-smtp] port = smtp,465,submission -logpath = /var/log/mail.log +logpath = %(syslog_mail)s [postfix] port = smtp,465,submission -logpath = /var/log/mail.log +logpath = %(postfix_log)s [sendmail-auth] port = submission,465,smtp -logpath = /var/log/mail.log +logpath = %(syslog_mail)s [sendmail-reject] port = smtp -logpath = /var/log/mail.log +logpath = %(syslog_mail)s [qmail-rbl] @@ -585,13 +587,13 @@ logpath = /service/qmail/log/main/current filter = postfix action = hostsdeny[file=/not/a/standard/path/hosts.deny] sendmail[name=Postfix, dest=you@example.com] -logpath = /var/log/postfix.log +logpath = %(postfix_log)s bantime = 300 [sendmail-spam] -logpath = /var/log/mail.log +logpath = %(syslog_mail_warn)s # dovecot defaults to logging to the mail syslog facility @@ -599,26 +601,26 @@ logpath = /var/log/mail.log [dovecot] port = pop3,pop3s,imap,imaps,submission,465,sieve -logpath = /var/log/mail.log +logpath = %(syslog_mail_warn)s [dovecot-auth] filter = dovecot port = pop3,pop3s,imap,imaps,submission,465,sieve -logpath = /var/log/secure +logpath = %(dovecot_log)s [sieve] port = smtp,465,submission -logpath = /var/log/mail*log +logpath = %(dovecot_log)s [solid-pop3d] port = pop3,pop3s -logpath = /var/log/mail.log +logpath = %(solidpop3d_log)s [exim] @@ -644,7 +646,7 @@ logpath = /opt/kerio/mailserver/store/logs/security.log [courier-auth] port = smtp,465,submission,imap3,imaps,pop3,pop3s -logpath = /var/log/mail.log +logpath = %(syslog_mail)s [postfix-sasl] @@ -653,7 +655,7 @@ port = smtp,465,submission,imap3,imaps,pop3,pop3s # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. -logpath = /var/log/mail.log +logpath = %(postfix_log)s [perdition] 
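Review bot: `[dovecot]`, `[dovecot-auth]` (via `dovecot_log`) and `[sendmail-spam]` move from `/var/log/mail.log` to `%(syslog_mail_warn)s`, which on Debian and OSX is a different file (`/var/log/mail.warn`) that, by its name, presumably carries only warning-level and higher messages; unless these daemons log their failed logins at that level — which I cannot tell from the diff — the jails stop seeing them, while `[courier-smtp]` and `[sendmail-auth]` in the same hunk keep `%(syslog_mail)s`. The `[postfix-sasl]` comment justifies mail.warn for postfix specifically, so please confirm the level for dovecot and sendmail and record it above `dovecot_log` in common-paths.conf the way `postfix_log` is annotated. On Fedora both variables resolve to `/var/log/maillog`, so a regression would only surface on Debian and OSX.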
@@ -671,13 +673,13 @@ logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log [cyrus-imap] port = imap3,imaps -logpath = /var/log/mail*log +logpath = %(syslog_mail)s [uwimap-auth] port = imap3,imaps -logpath = /var/log/mail*log +logpath = %(syslog_mail)s #
@@ -783,7 +785,7 @@ maxretry = 5 port = 3306 filter = mysqld-auth -logpath = /var/log/daemon.log +logpath = %(syslog_daemon)s maxretry = 5
diff --git a/config/osx-paths.conf b/config/osx-paths.conf
new file mode 100644
index 00000000..cbe17151
--- /dev/null
+++ b/config/osx-paths.conf
@@ -0,0 +1,27 @@
+# OSX
+#
+
+[INCLUDES]
+
+before = common-paths.conf
+
+after = paths-overrides.local
+
+
+[DEFAULT]
+
+syslog_mail = /var/log/mail.log
+
+syslog_mail_warn = /var/log/mail.warn
+
+syslog_authpriv = /var/log/secure.log
+#syslog_auth =
+
+#syslog_user =
+
+#syslog_ftp =
+
+#syslog_daemon =
+
+#syslog_local0 =
+
diff --git a/fail2ban/client/jailsreader.py b/fail2ban/client/jailsreader.py
index 17e2ac22..047749b3 100644
--- a/fail2ban/client/jailsreader.py
+++ b/fail2ban/client/jailsreader.py
@@ -67,6 +67,8 @@ class JailsReader(ConfigReader): # Get the options of all jails. parse_status = True for sec in sections: + if sec == 'INCLUDES': + continue jail = JailReader(sec, basedir=self.getBaseDir(), force_enable=self.__force_enable) jail.read()
diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py
index 471a328b..48261d11 100644
--- a/fail2ban/tests/clientreadertestcase.py
+++ b/fail2ban/tests/clientreadertestcase.py
@@ -435,7 +435,8 @@ class JailsReaderTest(LogCaptureTestCase): # All jails must have filter and action set # TODO: evolve into a parametric test for jail in jails.sections(): - + if jail == 'INCLUDES': + continue filterName = jails.get(jail, 'filter') allFilters.add(filterName) self.assertTrue(len(filterName))
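Review bot: `syslog_user`, `syslog_ftp`, `syslog_daemon` and `syslog_local0` are left as commented-out stubs, but common-paths.conf interpolates them in `suhosin_log`, `proftpd_log`, `pureftpd_log`, `wuftpd_log` and `solidpop3d_log`, and jail.conf uses `%(syslog_daemon)s` directly for `[gssftpd]` and the mysqld-auth jail; freebsd-paths.conf's comment on `auditd_log` says an unresolved name is a startup parse error, so this file looks unusable as committed. Give each of the four a value (the OSX system log, or `/dev/null` as freebsd-paths.conf does for `auditd_log`) rather than a bare `#name =`. Note also that `apache_error_log`/`apache_access_log` are not defined here at all and `auditd_log` inherits the Linux `/var/log/audit/audit.log`, both of which freebsd-paths.conf handles explicitly.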
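Review bot: The `INCLUDES` literal is introduced here and again in clientreadertestcase.py with no comment explaining why a section is skipped, so a reader of `JailsReader.read` has to already know that `[INCLUDES]` is a directive consumed by the config loader rather than a jail definition. Add `# [INCLUDES] holds the before/after include directives, not a jail` above the check, and consider a single module-level constant that the test can reference so the two spellings cannot drift. The enclosing `for sec in sections:` loop continues past the hunk, so whatever follows `jail.read()` is not visible here.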