diff --git a/ChangeLog b/ChangeLog
index cd1b4e96..322674e7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -39,6 +39,7 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
 * Fail2ban-regex - add print-all-matched option. Closes gh-652
 * Suppress fail2ban-client warnings for non-critical config options
 * Match non "Bye Bye" disconnect messages for sshd locked account regex
+ * Add tag to iptables-ipsets.
 ver. 0.9.0 (2014/03/14) - beta
 ----------
diff --git a/MANIFEST b/MANIFEST
index 7df49199..92edcca8 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -258,7 +258,7 @@ config/action.d/dummy.conf
 config/action.d/firewallcmd-new.conf
 config/action.d/firewallcmd-ipset.conf
 config/action.d/iptables-ipset-proto6-allports.conf
-config/action.d/iptables-blocktype.conf
+config/action.d/iptables-common.conf
 config/action.d/iptables-ipset-proto4.conf
 config/action.d/iptables-ipset-proto6.conf
 config/action.d/iptables-xt_recent-echo.conf
diff --git a/THANKS b/THANKS
index cd033d8e..5752c475 100644
--- a/THANKS
+++ b/THANKS
@@ -87,6 +87,7 @@ Robert Edeker
 Rolf Fokkens
 Roman Gelfand
 Russell Odom
+SATO Kentaro
 Sebastian Arcus
 Serg G. Brester
 Sireyessire
diff --git a/config/action.d/firewallcmd-ipset.conf b/config/action.d/firewallcmd-ipset.conf
index 03e30c3c..38b0f3d3 100644
--- a/config/action.d/firewallcmd-ipset.conf
+++ b/config/action.d/firewallcmd-ipset.conf
@@ -14,7 +14,7 @@
 [INCLUDES]
-before = iptables-blocktype.conf
+before = iptables-common.conf
 [Definition]
@@ -31,22 +31,6 @@ actionunban = ipset del fail2ban- -exist
 [Init]
-# Default name of the chain
-#
-name = default
-
-# Option: port
-# Notes.: specifies port to monitor
-# Values: [ NUM | STRING ]
-#
-port = ssh
-
-# Option: protocol
-# Notes.: internally used by config reader for interpolations.
-# Values: [ tcp | udp | icmp | all ]
-#
-protocol = tcp
-
 # Option: chain
 # Notes specifies the iptables chain to which the fail2ban rules should be
 # added
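Review bot: After this hunk firewallcmd-ipset.conf still carries its own `# Option: chain` block (the three trailing context lines; the `chain = INPUT` value itself sits just below the hunk), while `name`, `port` and `protocol` were moved out to iptables-common.conf, which now defines `chain = INPUT` too. Because the common file is pulled in via `before =`, the action-local value should take precedence, so the two copies can drift and a `chain` set in iptables-common.local would presumably not reach this action. Either drop the local block the way the other three options were dropped, or keep it with a comment such as `# Deliberately overrides the chain default from iptables-common.conf` so the precedence is visible. The `<name>`/`<ip>` interpolation tags appear to have been stripped from the trailer line in this rendering.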
diff --git a/config/action.d/firewallcmd-new.conf b/config/action.d/firewallcmd-new.conf
index 62887967..9754e3f3 100644
--- a/config/action.d/firewallcmd-new.conf
+++ b/config/action.d/firewallcmd-new.conf
@@ -4,7 +4,7 @@
 [INCLUDES]
-before = iptables-blocktype.conf
+before = iptables-common.conf
 [Definition]
@@ -24,22 +24,6 @@ actionunban = firewall-cmd --direct --remove-rule ipv4 filter f2b- 0 -s -s -j
 [Init]
-# Default name of the chain
-#
-name = default
-
-# Option: protocol
-# Notes.: internally used by config reader for interpolations.
-# Values: [ tcp | udp | icmp | all ] Default: tcp
-#
-protocol = tcp
-
-# Option: chain
-# Notes specifies the iptables chain to which the fail2ban rules should be
-# added
-# Values: STRING Default: INPUT
-chain = INPUT
diff --git a/config/action.d/iptables-blocktype.conf b/config/action.d/iptables-blocktype.conf
deleted file mode 100644
index c505e49c..00000000
--- a/config/action.d/iptables-blocktype.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Daniel Black
-#
-# This is a included configuration file and includes the defination for the blocktype
-# used in all iptables based actions by default.
-#
-# The user can override the default in iptables-blocktype.local
-
-[INCLUDES]
-
-after = iptables-blocktype.local
-
-[Init]
-
-# Option: blocktype
-# Note: This is what the action does with rules. This can be any jump target
-# as per the iptables man page (section 8). Common values are DROP
-# REJECT, REJECT --reject-with icmp-port-unreachable
-# Values: STRING
-blocktype = REJECT --reject-with icmp-port-unreachable
-
diff --git a/config/action.d/iptables-common.conf b/config/action.d/iptables-common.conf
new file mode 100644
index 00000000..c191c5a1
--- /dev/null
+++ b/config/action.d/iptables-common.conf
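Review bot: Removing the whole option block leaves `[Init]` as an empty trailing section in firewallcmd-new.conf, which parses fine but gives no hint that `chain`, `protocol` and `name` now come from iptables-common.conf, a file named after a different firewall front end. I would keep the header and add `# chain, protocol, name and blocktype are inherited from iptables-common.conf; override them here or in iptables-common.local`. The inherited `chain = INPUT` preserves the old default, but since this action drives firewalld's `--direct` interface it is worth a one-line note that users may want to point `chain` at the firewalld-managed direct chain instead of raw `INPUT` — I believe recent firewalld versions provide one, but confirm against the targeted firewalld release before documenting a name.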
@@ -0,0 +1,45 @@
+# Fail2Ban configuration file
+#
+# Author: Daniel Black
+#
+# This is a included configuration file and includes the definitions for the iptables
+# used in all iptables based actions by default.
+#
+# The user can override the defaults in iptables-common.local
+
+[INCLUDES]
+
+after = iptables-blocktype.local
+ iptables-common.local
+# iptables-blocktype.local is obsolete
+
+[Init]
+
+# Option: chain
+# Notes specifies the iptables chain to which the Fail2Ban rules should be
+# added
+# Values: STRING Default: INPUT
+chain = INPUT
+
+# Default name of the chain
+#
+name = default
+
+# Option: port
+# Notes.: specifies port to monitor
+# Values: [ NUM | STRING ] Default:
+#
+port = ssh
+
+# Option: protocol
+# Notes.: internally used by config reader for interpolations.
+# Values: [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
+# Option: blocktype
+# Note: This is what the action does with rules. This can be any jump target
+# as per the iptables man page (section 8). Common values are DROP
+# REJECT, REJECT --reject-with icmp-port-unreachable
+# Values: STRING
+blocktype = REJECT --reject-with icmp-port-unreachable
diff --git a/config/action.d/iptables-ipset-proto4.conf b/config/action.d/iptables-ipset-proto4.conf
index fc03c68c..c72b1a85 100644
--- a/config/action.d/iptables-ipset-proto4.conf
+++ b/config/action.d/iptables-ipset-proto4.conf
@@ -19,7 +19,7 @@
 [INCLUDES]
-before = iptables-blocktype.conf
+before = iptables-common.conf
 [Definition]
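Review bot: The option comments in the new file are incomplete exactly where an operator overriding them needs guidance: `# Values: [ NUM | STRING ] Default:` for `port` omits the value (should read `Default: ssh`), `blocktype` has no `Default:` line at all, and the header says "This is a included" (should be "an included"). The two-entry `after =` list also deserves a sentence on precedence, since both `iptables-blocktype.local` and `iptables-common.local` are still read: assuming the later include wins as for other fail2ban includes, a `blocktype` kept in the obsolete file is silently overridden when both exist, so I would replace `# iptables-blocktype.local is obsolete` with `# iptables-blocktype.local is obsolete; if both files exist, iptables-common.local takes precedence`. Finally, because `<chain>` and `<blocktype>` are now substituted unquoted into every `iptables` invocation of every including action, a note that these values must be a bare chain name and a plain jump target (never anything derived from untrusted input) would help anyone generating iptables-common.local from external configuration.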
@@ -28,13 +28,13 @@ before = iptables-blocktype.conf
 # Values: CMD
 #
 actionstart = ipset --create f2b- iphash
- iptables -I INPUT -p -m multiport --dports -m set --match-set f2b- src -j
+ iptables -I -p -m multiport --dports -m set --match-set f2b- src -j
 # Option: actionstop
 # Notes.: command executed once at the end of Fail2Ban
 # Values: CMD
 #
-actionstop = iptables -D INPUT -p -m multiport --dports -m set --match-set f2b- src -j
+actionstop = iptables -D -p -m multiport --dports -m set --match-set f2b- src -j
 ipset --flush f2b-
 ipset --destroy f2b-
@@ -56,18 +56,3 @@ actionunban = ipset --test f2b- && ipset --del f2b-
 [Init]
-# Default name of the ipset
-#
-name = default
-
-# Option: port
-# Notes.: specifies port to monitor
-# Values: [ NUM | STRING ] Default: ssh
-#
-port = ssh
-
-# Option: protocol
-# Notes.: internally used by config reader for interpolations.
-# Values: [ tcp | udp | icmp | all ] Default: tcp
-#
-protocol = tcp
diff --git a/config/action.d/iptables-ipset-proto6-allports.conf b/config/action.d/iptables-ipset-proto6-allports.conf
index 72fba9cd..aaeee461 100644
--- a/config/action.d/iptables-ipset-proto6-allports.conf
+++ b/config/action.d/iptables-ipset-proto6-allports.conf
@@ -15,8 +15,7 @@
 [INCLUDES]
-before = iptables-blocktype.conf
-
+before = iptables-common.conf
 [Definition]
@@ -25,13 +24,13 @@ before = iptables-blocktype.conf
 # Values: CMD
 #
 actionstart = ipset create f2b- hash:ip timeout
- iptables -I INPUT -m set --match-set f2b- src -j
+ iptables -I -m set --match-set f2b- src -j
 # Option: actionstop
 # Notes.: command executed once at the end of Fail2Ban
 # Values: CMD
 #
-actionstop = iptables -D INPUT -m set --match-set f2b- src -j
+actionstop = iptables -D -m set --match-set f2b- src -j
 ipset flush f2b-
 ipset destroy f2b-
@@ -53,12 +52,8 @@ actionunban = ipset del f2b- -exist
 [Init]
-# Default name of the ipset
-#
-name = default
-
 # Option: bantime
 # Notes: specifies the bantime in seconds (handled internally rather than by fail2ban)
 # Values: [ NUM ] Default: 600
-
+#
 bantime = 600
diff --git a/config/action.d/iptables-ipset-proto6.conf b/config/action.d/iptables-ipset-proto6.conf
index 5d848110..bd36c49e 100644
--- a/config/action.d/iptables-ipset-proto6.conf
+++ b/config/action.d/iptables-ipset-proto6.conf
@@ -15,8 +15,7 @@
 [INCLUDES]
-before = iptables-blocktype.conf
-
+before = iptables-common.conf
 [Definition]
@@ -25,13 +24,13 @@ before = iptables-blocktype.conf
 # Values: CMD
 #
 actionstart = ipset create f2b- hash:ip timeout
- iptables -I INPUT -p -m multiport --dports -m set --match-set f2b- src -j
+ iptables -I -p -m multiport --dports -m set --match-set f2b- src -j
 # Option: actionstop
 # Notes.: command executed once at the end of Fail2Ban
 # Values: CMD
 #
-actionstop = iptables -D INPUT -p -m multiport --dports -m set --match-set f2b- src -j
+actionstop = iptables -D -p -m multiport --dports -m set --match-set f2b- src -j
 ipset flush f2b-
 ipset destroy f2b-
@@ -53,24 +52,8 @@ actionunban = ipset del f2b- -exist
 [Init]
-# Default name of the ipset
-#
-name = default
-
-# Option: port
-# Notes.: specifies port to monitor
-# Values: [ NUM | STRING ] Default: ssh
-#
-port = ssh
-
-# Option: protocol
-# Notes.: internally used by config reader for interpolations.
-# Values: [ tcp | udp | icmp | all ] Default: tcp
-#
-protocol = tcp
-
 # Option: bantime
 # Notes: specifies the bantime in seconds (handled internally rather than by fail2ban)
 # Values: [ NUM ] Default: 600
-
+#
 bantime = 600
diff --git a/config/action.d/iptables-multiport-log.conf b/config/action.d/iptables-multiport-log.conf
index 5a611033..f4d80d6c 100644
--- a/config/action.d/iptables-multiport-log.conf
+++ b/config/action.d/iptables-multiport-log.conf
@@ -11,7 +11,7 @@
 [INCLUDES]
-before = iptables-blocktype.conf
+before = iptables-common.conf
 [Definition]
@@ -60,24 +60,3 @@ actionunban = iptables -D f2b- -s -j f2b--log
 [Init]
-# Default name of the chain
-#
-name = default
-
-# Option: port
-# Notes.: specifies port to monitor
-# Values: [ NUM | STRING ] Default:
-#
-port = ssh
-
-# Option: protocol
-# Notes.: internally used by config reader for interpolations.
-# Values: [ tcp | udp | icmp | all ] Default: tcp
-#
-protocol = tcp
-
-# Option: chain
-# Notes specifies the iptables chain to which the fail2ban rules should be
-# added
-# Values: STRING Default: INPUT
-chain = INPUT
diff --git a/config/action.d/iptables-multiport.conf b/config/action.d/iptables-multiport.conf
index ab3225bc..b70baf92 100644
--- a/config/action.d/iptables-multiport.conf
+++ b/config/action.d/iptables-multiport.conf
@@ -6,7 +6,7 @@
 [INCLUDES]
-before = iptables-blocktype.conf
+before = iptables-common.conf
 [Definition]
@@ -50,24 +50,3 @@ actionunban = iptables -D f2b- -s -j
 [Init]
-# Default name of the chain
-#
-name = default
-
-# Option: port
-# Notes.: specifies port to monitor
-# Values: [ NUM | STRING ] Default:
-#
-port = ssh
-
-# Option: protocol
-# Notes.: internally used by config reader for interpolations.
-# Values: [ tcp | udp | icmp | all ] Default: tcp
-#
-protocol = tcp
-
-# Option: chain
-# Notes specifies the iptables chain to which the fail2ban rules should be
-# added
-# Values: STRING Default: INPUT
-chain = INPUT
diff --git a/config/action.d/iptables-new.conf b/config/action.d/iptables-new.conf
index 9a4587b1..3c6657d9 100644
--- a/config/action.d/iptables-new.conf
+++ b/config/action.d/iptables-new.conf
@@ -8,8 +8,7 @@
 [INCLUDES]
-before = iptables-blocktype.conf
-
+before = iptables-common.conf
 [Definition]
@@ -53,24 +52,3 @@ actionunban = iptables -D f2b- -s -j [Init] -# Default name of the chain -# -name = default - -# Option: port -# Notes.: specifies port to monitor -# Values: [ NUM | STRING ] Default: -# -port = ssh - -# Option: protocol -# Notes.: internally used by config reader for interpolations. -# Values: [ tcp | udp | icmp | all ] Default: tcp -# -protocol = tcp - -# Option: chain -# Notes specifies the iptables chain to which the fail2ban rules should be -# added -# Values: STRING Default: INPUT -chain = INPUT diff --git a/config/action.d/iptables-xt_recent-echo.conf b/config/action.d/iptables-xt_recent-echo.conf index 5d309b56..1a72968f 100644 --- a/config/action.d/iptables-xt_recent-echo.conf +++ b/config/action.d/iptables-xt_recent-echo.conf @@ -6,8 +6,7 @@ [INCLUDES] -before = iptables-blocktype.conf - +before = iptables-common.conf [Definition] @@ -33,14 +32,14 @@ before = iptables-blocktype.conf # own rules. The 3600 second timeout is independent and acts as a # safeguard in case the fail2ban process dies unexpectedly. The # shorter of the two timeouts actually matters. -actionstart = if [ `id -u` -eq 0 ];then iptables -I INPUT -m recent --update --seconds 3600 --name f2b- -j ;fi +actionstart = if [ `id -u` -eq 0 ];then iptables -I -m recent --update --seconds 3600 --name f2b- -j ;fi # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # actionstop = echo / > /proc/net/xt_recent/f2b- - if [ `id -u` -eq 0 ];then iptables -D INPUT -m recent --update --seconds 3600 --name f2b- -j ;fi + if [ `id -u` -eq 0 ];then iptables -D -m recent --update --seconds 3600 --name f2b- -j ;fi # Option: actioncheck # Notes.: command executed once before each actionban command 
@@ -66,12 +65,3 @@ actionunban = echo - > /proc/net/xt_recent/f2b-
 [Init]
-# Default name of the chain
-#
-name = default
-
-# Option: protocol
-# Notes.: internally used by config reader for interpolations.
-# Values: [ tcp | udp | icmp | all ] Default: tcp
-#
-protocol = tcp
diff --git a/config/action.d/iptables.conf b/config/action.d/iptables.conf
index 5afe4bf1..a956fc55 100644
--- a/config/action.d/iptables.conf
+++ b/config/action.d/iptables.conf
@@ -6,7 +6,7 @@
 [INCLUDES]
-before = iptables-blocktype.conf
+before = iptables-common.conf
 [Definition]
@@ -50,24 +50,3 @@ actionunban = iptables -D f2b- -s -j
 [Init]
-# Default name of the chain
-#
-name = default
-
-# Option: port
-# Notes.: specifies port to monitor
-# Values: [ NUM | STRING ] Default:
-#
-port = ssh
-
-# Option: protocol
-# Notes.: internally used by config reader for interpolations.
-# Values: [ tcp | udp | icmp | all ] Default: tcp
-#
-protocol = tcp
-
-# Option: chain
-# Notes specifies the iptables chain to which the fail2ban rules should be
-# added
-# Values: STRING Default: INPUT
-chain = INPUT
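Review bot: Deleting the whole option block leaves `[Init]` as an empty trailing section in iptables.conf (and likewise in iptables-multiport.conf, iptables-multiport-log.conf, iptables-new.conf and iptables-xt_recent-echo.conf), which parses fine but gives a reader no hint where `chain`, `port`, `protocol` and `name` now come from. I would keep the header and add `# chain, port, protocol, name and blocktype are inherited from iptables-common.conf; override them here or in iptables-common.local`. That line also pins down the precedence, which this change makes non-obvious: a value set in this file's `[Init]` should win over iptables-common.local because the common file is pulled in via `before =` — worth confirming once and stating explicitly, since the iptables.conf template is the one most often copied into custom actions.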