Merge pull request #562 from grooverdan/jail.conf-complete_and_correct

ENH: Jail.conf now has all filters and TST: a mechanism to test this is truee
pull/542/merge
Daniel Black 11 years ago
commit 755af0a51e

@ -43,6 +43,10 @@ class JailReader(ConfigReader):
self.__filter = None
self.__force_enable = force_enable
self.__actions = list()
self.__opts = None
def getRawOptions(self):
return self.__opts
def setName(self, value):
self.__name = value

@ -45,6 +45,9 @@ class JailsReader(ConfigReader):
self.__jails = list()
self.__force_enable = force_enable
def getJails(self):
return self.__jails
def read(self):
return ConfigReader.read(self, "jail")

@ -75,6 +75,22 @@ usedns = warn
# The mail-whois action send a notification e-mail with a whois request
# in the body.
[pam-generic]
enabled = false
filter = pam-generic
action = iptables-allports[name=pam,protocol=all]
logpath = /var/log/secure
[xinetd-fail]
enabled = false
filter = xinetd-fail
action = iptables-allports[name=xinetd,protocol=all]
logpath = /var/log/daemon*log
[ssh-iptables]
enabled = false
@ -84,6 +100,25 @@ action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/sshd.log
maxretry = 5
[ssh-ddos]
enabled = false
filter = sshd-ddos
action = iptables[name=SSHDDOS, port=ssh, protocol=tcp]
logpath = /var/log/sshd.log
maxretry = 2
[dropbear]
enabled = false
filter = dropbear
action = iptables[name=dropbear, port=ssh, protocol=tcp]
logpath = /var/log/messages
maxretry = 5
[proftpd-iptables]
enabled = false
@ -94,6 +129,35 @@ logpath = /var/log/proftpd/proftpd.log
maxretry = 6
[gssftpd-iptables]
enabled = false
filter = gssftpd
action = iptables[name=GSSFTPd, port=ftp, protocol=tcp]
sendmail-whois[name=GSSFTPd, dest=you@example.com]
logpath = /var/log/daemon.log
maxretry = 6
[pure-ftpd]
enabled = false
filter = pure-ftpd
action = iptables[name=pureftpd, port=ftp, protocol=tcp]
logpath = /var/log/pureftpd.log
maxretry = 6
[wuftpd]
enabled = false
filter = wuftpd
action = iptables[name=wuftpd, port=ftp, protocol=tcp]
logpath = /var/log/daemon.log
maxretry = 6
# This jail forces the backend to "polling".
[sasl-iptables]
@ -197,7 +261,26 @@ logpath = /var/log/apache*/*error.log
maxretry = 2
[nginx-http-auth]
[apache-overflows]
enabled = false
filter = apache-overflows
action = iptables-multiport[name=apache-overflows,port="80,443"]
logpath = /var/log/apache*/*error.log
/home/www/myhomepage/error.log
maxretry = 2
[apache-nohome]
enabled = false
filter = apache-nohome
action = iptables-multiport[name=apache-nohome,port="80,443"]
logpath = /var/log/apache*/*error.log
/home/www/myhomepage/error.log
maxretry = 2
[nginx-http-auth]
enabled = false
@ -206,6 +289,14 @@ action = iptables-multiport[name=nginx-http-auth,port="80,443"]
logpath = /var/log/nginx/error.log
[squid]
enabled = false
filter = squid
action = iptables-multiport[name=squid,port="80,443,8080"]
logpath = /var/log/squid/access.log
# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.
[postfix-tcpwrapper]
@ -218,6 +309,46 @@ logpath = /var/log/postfix.log
bantime = 300
[cyrus-imap]
enabled = false
filter = cyrus-imap
action = iptables-multiport[name=cyrus-imap,port="143,993"]
logpath = /var/log/mail*log
[courierlogin]
enabled = false
filter = courierlogin
action = iptables-multiport[name=courierlogin,port="25,110,143,465,587,993,995"]
logpath = /var/log/mail*log
[couriersmtp]
enabled = false
filter = couriersmtp
action = iptables-multiport[name=couriersmtp,port="25,465,587"]
logpath = /var/log/mail*log
[qmail-rbl]
enabled = false
filter = qmail
action = iptables-multiport[name=qmail-rbl,port="25,465,587"]
logpath = /service/qmail/log/main/current
[sieve]
enabled = false
filter = sieve
action = iptables-multiport[name=sieve,port="25,465,587"]
logpath = /var/log/mail*log
# Do not ban anybody. Just report information about the remote host.
# A notification is sent at most every 600 seconds (bantime).
[vsftpd-notification]
@ -303,6 +434,25 @@ action = ipfw
maxretry = 5
[horde]
enabled = false
filter = horde
logpath = /var/log/horde/horde.log
action = iptables-multiport[name=horde, port="http,https"]
maxretry = 5
# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.
[php-url-fopen]
enabled = false
action = iptables-multiport[name=php-url-open, port="http,https"]
filter = php-url-fopen
logpath = /var/www/*/logs/access_log
maxretry = 1
# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.
@ -380,6 +530,15 @@ logpath = /var/log/named/security.log
ignoreip = 168.192.0.1
[nsd]
enabled = false
filter = nsd
action = iptables-multiport[name=nsd-tcp, port="domain", protocol=tcp]
iptables-multiport[name=nsd-udp, port="domain", protocol=udp]
logpath = /var/log/nsd.log
[asterisk]
enabled = false
@ -573,9 +732,9 @@ logpath = /var/log/mail.log
[selinux-ssh]
enabled = false
filter = selinux-ssh
action = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
enabled = false
filter = selinux-ssh
action = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
logpath = /var/log/audit/audit.log
maxretry = 5

@ -21,7 +21,7 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko"
__license__ = "GPL"
import os, tempfile, shutil, unittest
import os, glob, tempfile, shutil, unittest
from client.configreader import ConfigReader
from client.jailreader import JailReader
@ -251,6 +251,7 @@ class JailsReaderTest(LogCaptureTestCase):
comm_commands = jails.convert()
# by default None of the jails is enabled and we get no
# commands to communicate to the server
self.maxDiff = None
self.assertEqual(comm_commands, [])
# We should not "read" some bogus jail
@ -260,6 +261,20 @@ class JailsReaderTest(LogCaptureTestCase):
# and there should be no side-effects
self.assertEqual(jails.convert(), old_comm_commands)
def testReadSockJailConfComplete(self):
jails = JailsReader(basedir='config', force_enable=True)
self.assertTrue(jails.read()) # opens fine
self.assertTrue(jails.getOptions()) # reads fine
# grab all filter names
filters = set(os.path.splitext(os.path.split(a)[1])[0]
for a in glob.glob(os.path.join('config', 'filter.d', '*.conf'))
if not a.endswith('common.conf'))
filters_jail = set(jail.getRawOptions()['filter'] for jail in jails.getJails())
self.maxDiff = None
self.assertTrue(filters.issubset(filters_jail),
"More filters exists than are referenced in stock jail.conf %r" % filters.difference(filters_jail))
self.assertTrue(filters_jail.issubset(filters),
"Stock jail.conf references non-existent filters %r" % filters_jail.difference(filters))
def testReadStockJailConfForceEnabled(self):
# more of a smoke test to make sure that no obvious surprises

Loading…
Cancel
Save