Merge pull request #562 from grooverdan/jail.conf-complete_and_correct

ENH: Jail.conf now has all filters and TST: a mechanism to test this is truee
11 years ago · 755af0a51e
parent 614f43effb c700910155
commit 755af0a51e
4 changed files with 186 additions and 5 deletions
--- a/client/jailreader.py
+++ b/client/jailreader.py
@ -43,7 +43,11 @@ class JailReader(ConfigReader):
 		self.__filter = None
 		self.__force_enable = force_enable
 		self.__actions = list()
+		self.__opts = None
 	
+	def getRawOptions(self):
+		return self.__opts
+
 	def setName(self, value):
 		self.__name = value
 	
--- a/client/jailsreader.py
+++ b/client/jailsreader.py
@ -45,6 +45,9 @@ class JailsReader(ConfigReader):
 		self.__jails = list()
 		self.__force_enable = force_enable

+	def getJails(self):
+		return self.__jails
+
 	def read(self):
 		return ConfigReader.read(self, "jail")

--- a/config/jail.conf
+++ b/config/jail.conf
@ -75,6 +75,22 @@ usedns = warn
 # The mail-whois action send a notification e-mail with a whois request
 # in the body.

+[pam-generic]
+
+enabled = false
+filter  = pam-generic
+action  = iptables-allports[name=pam,protocol=all]
+logpath = /var/log/secure
+
+
+[xinetd-fail]
+
+enabled = false
+filter  = xinetd-fail
+action  = iptables-allports[name=xinetd,protocol=all]
+logpath = /var/log/daemon*log
+
+
 [ssh-iptables]

 enabled  = false
@ -84,6 +100,25 @@ action   = iptables[name=SSH, port=ssh, protocol=tcp]
 logpath  = /var/log/sshd.log
 maxretry = 5

+
+[ssh-ddos]
+
+enabled  = false
+filter   = sshd-ddos
+action   = iptables[name=SSHDDOS, port=ssh, protocol=tcp]
+logpath  = /var/log/sshd.log
+maxretry = 2
+
+
+[dropbear]
+
+enabled  = false
+filter   = dropbear
+action   = iptables[name=dropbear, port=ssh, protocol=tcp]
+logpath  = /var/log/messages
+maxretry = 5
+
+
 [proftpd-iptables]

 enabled  = false
@ -94,6 +129,35 @@ logpath  = /var/log/proftpd/proftpd.log
 maxretry = 6


+[gssftpd-iptables]
+
+enabled  = false
+filter   = gssftpd
+action   = iptables[name=GSSFTPd, port=ftp, protocol=tcp]
+           sendmail-whois[name=GSSFTPd, dest=you@example.com]
+logpath  = /var/log/daemon.log
+maxretry = 6
+
+
+[pure-ftpd]
+
+enabled  = false
+filter   = pure-ftpd
+action   = iptables[name=pureftpd, port=ftp, protocol=tcp]
+logpath  = /var/log/pureftpd.log
+maxretry = 6
+
+
+[wuftpd]
+
+enabled  = false
+filter   = wuftpd
+action   = iptables[name=wuftpd, port=ftp, protocol=tcp]
+logpath  = /var/log/daemon.log
+maxretry = 6
+
+
+
 # This jail forces the backend to "polling".
 [sasl-iptables]

@ -197,7 +261,26 @@ logpath  = /var/log/apache*/*error.log
 maxretry = 2


-[nginx-http-auth]
+[apache-overflows]
+
+enabled  = false
+filter	 = apache-overflows
+action   = iptables-multiport[name=apache-overflows,port="80,443"]
+logpath  = /var/log/apache*/*error.log
+           /home/www/myhomepage/error.log
+maxretry = 2
+
+
+[apache-nohome]
+
+enabled  = false
+filter	 = apache-nohome
+action   = iptables-multiport[name=apache-nohome,port="80,443"]
+logpath  = /var/log/apache*/*error.log
+           /home/www/myhomepage/error.log
+maxretry = 2
+
+
 [nginx-http-auth]

 enabled = false
@ -206,6 +289,14 @@ action  = iptables-multiport[name=nginx-http-auth,port="80,443"]
 logpath = /var/log/nginx/error.log


+[squid]
+
+enabled = false
+filter  = squid
+action  = iptables-multiport[name=squid,port="80,443,8080"]
+logpath = /var/log/squid/access.log
+
+
 # The hosts.deny path can be defined with the "file" argument if it is
 # not in /etc.
 [postfix-tcpwrapper]
@ -218,6 +309,46 @@ logpath  = /var/log/postfix.log
 bantime  = 300


+[cyrus-imap]
+
+enabled = false
+filter  = cyrus-imap
+action  = iptables-multiport[name=cyrus-imap,port="143,993"]
+logpath = /var/log/mail*log
+
+
+[courierlogin]
+
+enabled = false
+filter  = courierlogin
+action  = iptables-multiport[name=courierlogin,port="25,110,143,465,587,993,995"]
+logpath = /var/log/mail*log
+
+
+[couriersmtp]
+
+enabled = false
+filter  = couriersmtp
+action  = iptables-multiport[name=couriersmtp,port="25,465,587"]
+logpath = /var/log/mail*log
+
+
+[qmail-rbl]
+
+enabled = false
+filter  = qmail
+action  = iptables-multiport[name=qmail-rbl,port="25,465,587"]
+logpath = /service/qmail/log/main/current
+
+
+[sieve]
+
+enabled = false
+filter  = sieve
+action  = iptables-multiport[name=sieve,port="25,465,587"]
+logpath = /var/log/mail*log
+
+
 # Do not ban anybody. Just report information about the remote host.
 # A notification is sent at most every 600 seconds (bantime).
 [vsftpd-notification]
@ -303,6 +434,25 @@ action   = ipfw
 maxretry = 5


+[horde]
+
+enabled  = false
+filter   = horde
+logpath  = /var/log/horde/horde.log
+action   = iptables-multiport[name=horde, port="http,https"]
+maxretry = 5
+
+
+# Ban attackers that try to use PHP's URL-fopen() functionality
+# through GET/POST variables. - Experimental, with more than a year
+# of usage in production environments.
+[php-url-fopen]
+
+enabled  = false
+action   = iptables-multiport[name=php-url-open, port="http,https"]
+filter   = php-url-fopen
+logpath  = /var/www/*/logs/access_log
+maxretry = 1
 # Ban attackers that try to use PHP's URL-fopen() functionality
 # through GET/POST variables. - Experimental, with more than a year
 # of usage in production environments.
@ -380,6 +530,15 @@ logpath  = /var/log/named/security.log
 ignoreip = 168.192.0.1


+[nsd]
+
+enabled = false
+filter  = nsd
+action  = iptables-multiport[name=nsd-tcp, port="domain", protocol=tcp]
+          iptables-multiport[name=nsd-udp, port="domain", protocol=udp]
+logpath = /var/log/nsd.log
+
+
 [asterisk]

 enabled  = false
@ -573,9 +732,9 @@ logpath = /var/log/mail.log


 [selinux-ssh]
-enabled = false
-filter  = selinux-ssh
-action  = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
+enabled  = false
+filter   = selinux-ssh
+action   = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
 logpath  = /var/log/audit/audit.log
 maxretry = 5

--- a/testcases/clientreadertestcase.py
+++ b/testcases/clientreadertestcase.py
@ -21,7 +21,7 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko"
 __license__ = "GPL"

-import os, tempfile, shutil, unittest
+import os, glob, tempfile, shutil, unittest

 from client.configreader import ConfigReader
 from client.jailreader import JailReader
@ -251,6 +251,7 @@ class JailsReaderTest(LogCaptureTestCase):
 		comm_commands = jails.convert()
 		# by default None of the jails is enabled and we get no
 		# commands to communicate to the server
+		self.maxDiff = None
 		self.assertEqual(comm_commands, [])

 		# We should not "read" some bogus jail
@ -260,6 +261,20 @@ class JailsReaderTest(LogCaptureTestCase):
 		# and there should be no side-effects
 		self.assertEqual(jails.convert(), old_comm_commands)

+	def testReadSockJailConfComplete(self):
+		jails = JailsReader(basedir='config', force_enable=True)
+		self.assertTrue(jails.read())		  # opens fine
+		self.assertTrue(jails.getOptions())	  # reads fine
+		# grab all filter names
+		filters = set(os.path.splitext(os.path.split(a)[1])[0]
+			for a in glob.glob(os.path.join('config', 'filter.d', '*.conf'))
+				if not a.endswith('common.conf'))
+		filters_jail = set(jail.getRawOptions()['filter'] for jail in jails.getJails())
+		self.maxDiff = None
+		self.assertTrue(filters.issubset(filters_jail),
+			"More filters exists than are referenced in stock jail.conf %r" % filters.difference(filters_jail))
+		self.assertTrue(filters_jail.issubset(filters),
+			"Stock jail.conf references non-existent filters %r" % filters_jail.difference(filters))

 	def testReadStockJailConfForceEnabled(self):
 		# more of a smoke test to make sure that no obvious surprises