mirror of https://github.com/fail2ban/fail2ban
Merge pull request #562 from grooverdan/jail.conf-complete_and_correct
ENH: Jail.conf now has all filters and TST: a mechanism to test this is trueepull/542/merge
commit
755af0a51e
|
@ -43,7 +43,11 @@ class JailReader(ConfigReader):
|
|||
self.__filter = None
|
||||
self.__force_enable = force_enable
|
||||
self.__actions = list()
|
||||
self.__opts = None
|
||||
|
||||
def getRawOptions(self):
|
||||
return self.__opts
|
||||
|
||||
def setName(self, value):
|
||||
self.__name = value
|
||||
|
||||
|
|
|
@ -45,6 +45,9 @@ class JailsReader(ConfigReader):
|
|||
self.__jails = list()
|
||||
self.__force_enable = force_enable
|
||||
|
||||
def getJails(self):
|
||||
return self.__jails
|
||||
|
||||
def read(self):
|
||||
return ConfigReader.read(self, "jail")
|
||||
|
||||
|
|
167
config/jail.conf
167
config/jail.conf
|
@ -75,6 +75,22 @@ usedns = warn
|
|||
# The mail-whois action send a notification e-mail with a whois request
|
||||
# in the body.
|
||||
|
||||
[pam-generic]
|
||||
|
||||
enabled = false
|
||||
filter = pam-generic
|
||||
action = iptables-allports[name=pam,protocol=all]
|
||||
logpath = /var/log/secure
|
||||
|
||||
|
||||
[xinetd-fail]
|
||||
|
||||
enabled = false
|
||||
filter = xinetd-fail
|
||||
action = iptables-allports[name=xinetd,protocol=all]
|
||||
logpath = /var/log/daemon*log
|
||||
|
||||
|
||||
[ssh-iptables]
|
||||
|
||||
enabled = false
|
||||
|
@ -84,6 +100,25 @@ action = iptables[name=SSH, port=ssh, protocol=tcp]
|
|||
logpath = /var/log/sshd.log
|
||||
maxretry = 5
|
||||
|
||||
|
||||
[ssh-ddos]
|
||||
|
||||
enabled = false
|
||||
filter = sshd-ddos
|
||||
action = iptables[name=SSHDDOS, port=ssh, protocol=tcp]
|
||||
logpath = /var/log/sshd.log
|
||||
maxretry = 2
|
||||
|
||||
|
||||
[dropbear]
|
||||
|
||||
enabled = false
|
||||
filter = dropbear
|
||||
action = iptables[name=dropbear, port=ssh, protocol=tcp]
|
||||
logpath = /var/log/messages
|
||||
maxretry = 5
|
||||
|
||||
|
||||
[proftpd-iptables]
|
||||
|
||||
enabled = false
|
||||
|
@ -94,6 +129,35 @@ logpath = /var/log/proftpd/proftpd.log
|
|||
maxretry = 6
|
||||
|
||||
|
||||
[gssftpd-iptables]
|
||||
|
||||
enabled = false
|
||||
filter = gssftpd
|
||||
action = iptables[name=GSSFTPd, port=ftp, protocol=tcp]
|
||||
sendmail-whois[name=GSSFTPd, dest=you@example.com]
|
||||
logpath = /var/log/daemon.log
|
||||
maxretry = 6
|
||||
|
||||
|
||||
[pure-ftpd]
|
||||
|
||||
enabled = false
|
||||
filter = pure-ftpd
|
||||
action = iptables[name=pureftpd, port=ftp, protocol=tcp]
|
||||
logpath = /var/log/pureftpd.log
|
||||
maxretry = 6
|
||||
|
||||
|
||||
[wuftpd]
|
||||
|
||||
enabled = false
|
||||
filter = wuftpd
|
||||
action = iptables[name=wuftpd, port=ftp, protocol=tcp]
|
||||
logpath = /var/log/daemon.log
|
||||
maxretry = 6
|
||||
|
||||
|
||||
|
||||
# This jail forces the backend to "polling".
|
||||
[sasl-iptables]
|
||||
|
||||
|
@ -197,7 +261,26 @@ logpath = /var/log/apache*/*error.log
|
|||
maxretry = 2
|
||||
|
||||
|
||||
[nginx-http-auth]
|
||||
[apache-overflows]
|
||||
|
||||
enabled = false
|
||||
filter = apache-overflows
|
||||
action = iptables-multiport[name=apache-overflows,port="80,443"]
|
||||
logpath = /var/log/apache*/*error.log
|
||||
/home/www/myhomepage/error.log
|
||||
maxretry = 2
|
||||
|
||||
|
||||
[apache-nohome]
|
||||
|
||||
enabled = false
|
||||
filter = apache-nohome
|
||||
action = iptables-multiport[name=apache-nohome,port="80,443"]
|
||||
logpath = /var/log/apache*/*error.log
|
||||
/home/www/myhomepage/error.log
|
||||
maxretry = 2
|
||||
|
||||
|
||||
[nginx-http-auth]
|
||||
|
||||
enabled = false
|
||||
|
@ -206,6 +289,14 @@ action = iptables-multiport[name=nginx-http-auth,port="80,443"]
|
|||
logpath = /var/log/nginx/error.log
|
||||
|
||||
|
||||
[squid]
|
||||
|
||||
enabled = false
|
||||
filter = squid
|
||||
action = iptables-multiport[name=squid,port="80,443,8080"]
|
||||
logpath = /var/log/squid/access.log
|
||||
|
||||
|
||||
# The hosts.deny path can be defined with the "file" argument if it is
|
||||
# not in /etc.
|
||||
[postfix-tcpwrapper]
|
||||
|
@ -218,6 +309,46 @@ logpath = /var/log/postfix.log
|
|||
bantime = 300
|
||||
|
||||
|
||||
[cyrus-imap]
|
||||
|
||||
enabled = false
|
||||
filter = cyrus-imap
|
||||
action = iptables-multiport[name=cyrus-imap,port="143,993"]
|
||||
logpath = /var/log/mail*log
|
||||
|
||||
|
||||
[courierlogin]
|
||||
|
||||
enabled = false
|
||||
filter = courierlogin
|
||||
action = iptables-multiport[name=courierlogin,port="25,110,143,465,587,993,995"]
|
||||
logpath = /var/log/mail*log
|
||||
|
||||
|
||||
[couriersmtp]
|
||||
|
||||
enabled = false
|
||||
filter = couriersmtp
|
||||
action = iptables-multiport[name=couriersmtp,port="25,465,587"]
|
||||
logpath = /var/log/mail*log
|
||||
|
||||
|
||||
[qmail-rbl]
|
||||
|
||||
enabled = false
|
||||
filter = qmail
|
||||
action = iptables-multiport[name=qmail-rbl,port="25,465,587"]
|
||||
logpath = /service/qmail/log/main/current
|
||||
|
||||
|
||||
[sieve]
|
||||
|
||||
enabled = false
|
||||
filter = sieve
|
||||
action = iptables-multiport[name=sieve,port="25,465,587"]
|
||||
logpath = /var/log/mail*log
|
||||
|
||||
|
||||
# Do not ban anybody. Just report information about the remote host.
|
||||
# A notification is sent at most every 600 seconds (bantime).
|
||||
[vsftpd-notification]
|
||||
|
@ -303,6 +434,25 @@ action = ipfw
|
|||
maxretry = 5
|
||||
|
||||
|
||||
[horde]
|
||||
|
||||
enabled = false
|
||||
filter = horde
|
||||
logpath = /var/log/horde/horde.log
|
||||
action = iptables-multiport[name=horde, port="http,https"]
|
||||
maxretry = 5
|
||||
|
||||
|
||||
# Ban attackers that try to use PHP's URL-fopen() functionality
|
||||
# through GET/POST variables. - Experimental, with more than a year
|
||||
# of usage in production environments.
|
||||
[php-url-fopen]
|
||||
|
||||
enabled = false
|
||||
action = iptables-multiport[name=php-url-open, port="http,https"]
|
||||
filter = php-url-fopen
|
||||
logpath = /var/www/*/logs/access_log
|
||||
maxretry = 1
|
||||
# Ban attackers that try to use PHP's URL-fopen() functionality
|
||||
# through GET/POST variables. - Experimental, with more than a year
|
||||
# of usage in production environments.
|
||||
|
@ -380,6 +530,15 @@ logpath = /var/log/named/security.log
|
|||
ignoreip = 168.192.0.1
|
||||
|
||||
|
||||
[nsd]
|
||||
|
||||
enabled = false
|
||||
filter = nsd
|
||||
action = iptables-multiport[name=nsd-tcp, port="domain", protocol=tcp]
|
||||
iptables-multiport[name=nsd-udp, port="domain", protocol=udp]
|
||||
logpath = /var/log/nsd.log
|
||||
|
||||
|
||||
[asterisk]
|
||||
|
||||
enabled = false
|
||||
|
@ -573,9 +732,9 @@ logpath = /var/log/mail.log
|
|||
|
||||
|
||||
[selinux-ssh]
|
||||
enabled = false
|
||||
filter = selinux-ssh
|
||||
action = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
|
||||
enabled = false
|
||||
filter = selinux-ssh
|
||||
action = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
|
||||
logpath = /var/log/audit/audit.log
|
||||
maxretry = 5
|
||||
|
||||
|
|
|
@ -21,7 +21,7 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko"
|
|||
__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko"
|
||||
__license__ = "GPL"
|
||||
|
||||
import os, tempfile, shutil, unittest
|
||||
import os, glob, tempfile, shutil, unittest
|
||||
|
||||
from client.configreader import ConfigReader
|
||||
from client.jailreader import JailReader
|
||||
|
@ -251,6 +251,7 @@ class JailsReaderTest(LogCaptureTestCase):
|
|||
comm_commands = jails.convert()
|
||||
# by default None of the jails is enabled and we get no
|
||||
# commands to communicate to the server
|
||||
self.maxDiff = None
|
||||
self.assertEqual(comm_commands, [])
|
||||
|
||||
# We should not "read" some bogus jail
|
||||
|
@ -260,6 +261,20 @@ class JailsReaderTest(LogCaptureTestCase):
|
|||
# and there should be no side-effects
|
||||
self.assertEqual(jails.convert(), old_comm_commands)
|
||||
|
||||
def testReadSockJailConfComplete(self):
|
||||
jails = JailsReader(basedir='config', force_enable=True)
|
||||
self.assertTrue(jails.read()) # opens fine
|
||||
self.assertTrue(jails.getOptions()) # reads fine
|
||||
# grab all filter names
|
||||
filters = set(os.path.splitext(os.path.split(a)[1])[0]
|
||||
for a in glob.glob(os.path.join('config', 'filter.d', '*.conf'))
|
||||
if not a.endswith('common.conf'))
|
||||
filters_jail = set(jail.getRawOptions()['filter'] for jail in jails.getJails())
|
||||
self.maxDiff = None
|
||||
self.assertTrue(filters.issubset(filters_jail),
|
||||
"More filters exists than are referenced in stock jail.conf %r" % filters.difference(filters_jail))
|
||||
self.assertTrue(filters_jail.issubset(filters),
|
||||
"Stock jail.conf references non-existent filters %r" % filters_jail.difference(filters))
|
||||
|
||||
def testReadStockJailConfForceEnabled(self):
|
||||
# more of a smoke test to make sure that no obvious surprises
|
||||
|
|
Loading…
Reference in New Issue