diff --git a/client/jailreader.py b/client/jailreader.py index fb92d806..0750d25e 100644 --- a/client/jailreader.py +++ b/client/jailreader.py @@ -43,7 +43,11 @@ class JailReader(ConfigReader): self.__filter = None self.__force_enable = force_enable self.__actions = list() + self.__opts = None + def getRawOptions(self): + return self.__opts + def setName(self, value): self.__name = value diff --git a/client/jailsreader.py b/client/jailsreader.py index d32e6561..9c7c3dee 100644 --- a/client/jailsreader.py +++ b/client/jailsreader.py @@ -45,6 +45,9 @@ class JailsReader(ConfigReader): self.__jails = list() self.__force_enable = force_enable + def getJails(self): + return self.__jails + def read(self): return ConfigReader.read(self, "jail") diff --git a/config/jail.conf b/config/jail.conf index 6f9622c8..fc9a6c17 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -75,6 +75,22 @@ usedns = warn # The mail-whois action send a notification e-mail with a whois request # in the body. +[pam-generic] + +enabled = false +filter = pam-generic +action = iptables-allports[name=pam,protocol=all] +logpath = /var/log/secure + + +[xinetd-fail] + +enabled = false +filter = xinetd-fail +action = iptables-allports[name=xinetd,protocol=all] +logpath = /var/log/daemon*log + + [ssh-iptables] enabled = false @@ -84,6 +100,25 @@ action = iptables[name=SSH, port=ssh, protocol=tcp] logpath = /var/log/sshd.log maxretry = 5 + +[ssh-ddos] + +enabled = false +filter = sshd-ddos +action = iptables[name=SSHDDOS, port=ssh, protocol=tcp] +logpath = /var/log/sshd.log +maxretry = 2 + + +[dropbear] + +enabled = false +filter = dropbear +action = iptables[name=dropbear, port=ssh, protocol=tcp] +logpath = /var/log/messages +maxretry = 5 + + [proftpd-iptables] enabled = false @@ -94,6 +129,35 @@ logpath = /var/log/proftpd/proftpd.log maxretry = 6 +[gssftpd-iptables] + +enabled = false +filter = gssftpd +action = iptables[name=GSSFTPd, port=ftp, protocol=tcp] + sendmail-whois[name=GSSFTPd, dest=you@example.com] +logpath = /var/log/daemon.log +maxretry = 6 + + +[pure-ftpd] + +enabled = false +filter = pure-ftpd +action = iptables[name=pureftpd, port=ftp, protocol=tcp] +logpath = /var/log/pureftpd.log +maxretry = 6 + + +[wuftpd] + +enabled = false +filter = wuftpd +action = iptables[name=wuftpd, port=ftp, protocol=tcp] +logpath = /var/log/daemon.log +maxretry = 6 + + + # This jail forces the backend to "polling". [sasl-iptables] @@ -197,7 +261,26 @@ logpath = /var/log/apache*/*error.log maxretry = 2 -[nginx-http-auth] +[apache-overflows] + +enabled = false +filter = apache-overflows +action = iptables-multiport[name=apache-overflows,port="80,443"] +logpath = /var/log/apache*/*error.log + /home/www/myhomepage/error.log +maxretry = 2 + + +[apache-nohome] + +enabled = false +filter = apache-nohome +action = iptables-multiport[name=apache-nohome,port="80,443"] +logpath = /var/log/apache*/*error.log + /home/www/myhomepage/error.log +maxretry = 2 + + [nginx-http-auth] enabled = false @@ -206,6 +289,14 @@ action = iptables-multiport[name=nginx-http-auth,port="80,443"] logpath = /var/log/nginx/error.log +[squid] + +enabled = false +filter = squid +action = iptables-multiport[name=squid,port="80,443,8080"] +logpath = /var/log/squid/access.log + + # The hosts.deny path can be defined with the "file" argument if it is # not in /etc. [postfix-tcpwrapper] @@ -218,6 +309,46 @@ logpath = /var/log/postfix.log bantime = 300 +[cyrus-imap] + +enabled = false +filter = cyrus-imap +action = iptables-multiport[name=cyrus-imap,port="143,993"] +logpath = /var/log/mail*log + + +[courierlogin] + +enabled = false +filter = courierlogin +action = iptables-multiport[name=courierlogin,port="25,110,143,465,587,993,995"] +logpath = /var/log/mail*log + + +[couriersmtp] + +enabled = false +filter = couriersmtp +action = iptables-multiport[name=couriersmtp,port="25,465,587"] +logpath = /var/log/mail*log + + +[qmail-rbl] + +enabled = false +filter = qmail +action = iptables-multiport[name=qmail-rbl,port="25,465,587"] +logpath = /service/qmail/log/main/current + + +[sieve] + +enabled = false +filter = sieve +action = iptables-multiport[name=sieve,port="25,465,587"] +logpath = /var/log/mail*log + + # Do not ban anybody. Just report information about the remote host. # A notification is sent at most every 600 seconds (bantime). [vsftpd-notification] @@ -303,6 +434,25 @@ action = ipfw maxretry = 5 +[horde] + +enabled = false +filter = horde +logpath = /var/log/horde/horde.log +action = iptables-multiport[name=horde, port="http,https"] +maxretry = 5 + + +# Ban attackers that try to use PHP's URL-fopen() functionality +# through GET/POST variables. - Experimental, with more than a year +# of usage in production environments. +[php-url-fopen] + +enabled = false +action = iptables-multiport[name=php-url-open, port="http,https"] +filter = php-url-fopen +logpath = /var/www/*/logs/access_log +maxretry = 1 # Ban attackers that try to use PHP's URL-fopen() functionality # through GET/POST variables. - Experimental, with more than a year # of usage in production environments. @@ -380,6 +530,15 @@ logpath = /var/log/named/security.log ignoreip = 168.192.0.1 +[nsd] + +enabled = false +filter = nsd +action = iptables-multiport[name=nsd-tcp, port="domain", protocol=tcp] + iptables-multiport[name=nsd-udp, port="domain", protocol=udp] +logpath = /var/log/nsd.log + + [asterisk] enabled = false @@ -573,9 +732,9 @@ logpath = /var/log/mail.log [selinux-ssh] -enabled = false -filter = selinux-ssh -action = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp] +enabled = false +filter = selinux-ssh +action = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp] logpath = /var/log/audit/audit.log maxretry = 5 diff --git a/testcases/clientreadertestcase.py b/testcases/clientreadertestcase.py index 28387703..97f22dd4 100644 --- a/testcases/clientreadertestcase.py +++ b/testcases/clientreadertestcase.py @@ -21,7 +21,7 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko" __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko" __license__ = "GPL" -import os, tempfile, shutil, unittest +import os, glob, tempfile, shutil, unittest from client.configreader import ConfigReader from client.jailreader import JailReader @@ -251,6 +251,7 @@ class JailsReaderTest(LogCaptureTestCase): comm_commands = jails.convert() # by default None of the jails is enabled and we get no # commands to communicate to the server + self.maxDiff = None self.assertEqual(comm_commands, []) # We should not "read" some bogus jail @@ -260,6 +261,20 @@ class JailsReaderTest(LogCaptureTestCase): # and there should be no side-effects self.assertEqual(jails.convert(), old_comm_commands) + def testReadSockJailConfComplete(self): + jails = JailsReader(basedir='config', force_enable=True) + self.assertTrue(jails.read()) # opens fine + self.assertTrue(jails.getOptions()) # reads fine + # grab all filter names + filters = set(os.path.splitext(os.path.split(a)[1])[0] + for a in glob.glob(os.path.join('config', 'filter.d', '*.conf')) + if not a.endswith('common.conf')) + filters_jail = set(jail.getRawOptions()['filter'] for jail in jails.getJails()) + self.maxDiff = None + self.assertTrue(filters.issubset(filters_jail), + "More filters exists than are referenced in stock jail.conf %r" % filters.difference(filters_jail)) + self.assertTrue(filters_jail.issubset(filters), + "Stock jail.conf references non-existent filters %r" % filters_jail.difference(filters)) def testReadStockJailConfForceEnabled(self): # more of a smoke test to make sure that no obvious surprises