Merge branch '0.10' into 0.11

2017-10-18 19:03:08 +02:00 · 2017-10-18 19:03:08 +02:00 · 76f5e3659e
parent 93634dd822 0e66e3cc57
commit 76f5e3659e
11 changed files with 38 additions and 26 deletions
--- a/14
+++ b/14
@ -34,14 +34,21 @@ Incompatibility list (compared to v.0.9):
 ver. 0.11.0-dev-0 (2017/??/??) - development nightly edition
 -----------

+### Incompatibility list:
+* The configuration for multiport jails using banaction `pf` can be incompatible after upgrade, if
+  ports are enclosed in curly braces `{ }` in the `jail.local` etc. This may cause a double-brackets now.
+
 ### Fixes
+* action.d/pf.conf: 
+  - fixed syntax error in achnor definition (documentation, see gh-1919);
+  - enclose ports in braces for multiport jails (see gh-1925);

 ### New Features

 ### Enhancements


-ver. 0.10.1-dev-1 (2017/??/??) - development current edition
+ver. 0.10.1 (2017/10/12) - succeeded-before-friday-the-13th
 -----------

 ### Fixes
@ -429,7 +436,10 @@ releases.
    - Fixes resources greedy expression (see gh-1790);
    - Rewritten without end-anchor ($), because of potential vulnerability on very long URLs.
 * filter.d/apache-badbots.conf - extended to recognize Jorgee Vulnerability Scanner (gh-1882)
-* filter.d/asterisk.conf - fixed failregex AMI Asterisk authentification failed (see gh-1302)
+* filter.d/asterisk.conf
+    - fixed failregex AMI Asterisk authentification failed (see gh-1302)
+    - removed invalid (vulnerable) regex blocking IPs using forign data (from header "from")
+      thus not the IP-address that really originates the request (see gh-1927)
 * filter.d/dovecot.conf:
    - fixed failregex, see gh-1879 (partially cherry-picked from gh-1880)
    - extended to match pam_authenticate failures with "Permission denied" (gh-1897)
--- a/6
+++ b/6
@ -120,6 +120,7 @@ config/filter.d/openwebmail.conf
 config/filter.d/oracleims.conf
 config/filter.d/pam-generic.conf
 config/filter.d/perdition.conf
+config/filter.d/phpmyadmin-syslog.conf
 config/filter.d/php-url-fopen.conf
 config/filter.d/portsentry.conf
 config/filter.d/postfix.conf
@ -148,6 +149,7 @@ config/filter.d/vsftpd.conf
 config/filter.d/webmin-auth.conf
 config/filter.d/wuftpd.conf
 config/filter.d/xinetd-fail.conf
+config/filter.d/zoneminder.conf
 config/jail.conf
 config/paths-arch.conf
 config/paths-common.conf
@ -311,6 +313,7 @@ fail2ban/tests/files/logs/openwebmail
 fail2ban/tests/files/logs/oracleims
 fail2ban/tests/files/logs/pam-generic
 fail2ban/tests/files/logs/perdition
+fail2ban/tests/files/logs/phpmyadmin-syslog
 fail2ban/tests/files/logs/php-url-fopen
 fail2ban/tests/files/logs/portsentry
 fail2ban/tests/files/logs/postfix
@ -338,6 +341,7 @@ fail2ban/tests/files/logs/vsftpd
 fail2ban/tests/files/logs/webmin-auth
 fail2ban/tests/files/logs/wuftpd
 fail2ban/tests/files/logs/xinetd-fail
+fail2ban/tests/files/logs/zoneminder
 fail2ban/tests/files/logs/zzz-generic-example
 fail2ban/tests/files/logs/zzz-sshd-obsolete-multiline
 fail2ban/tests/files/testcase01a.log
@ -366,7 +370,7 @@ files/cacti/fail2ban_stats.sh
 files/cacti/README
 files/debian-initd
 files/fail2ban-logrotate
-files/fail2ban.service
+files/fail2ban.service.in
 files/fail2ban-tmpfiles.conf
 files/fail2ban.upstart
 files/gen_badbots
--- a/config/action.d/pf.conf
+++ b/config/action.d/pf.conf
@ -18,8 +18,8 @@
 # also, these rulesets are loaded into (nested) anchors
 # to enable them, add
 #     anchor f2b {
-#        name1
-#        name2
+#        anchor name1
+#        anchor name2
 #        ...
 #     }
 # to your main pf ruleset, where "namei" are the names of the jails
@ -110,5 +110,5 @@ allports = any
 # Option: multiport
 # Notes.: addition to block access only to specific ports
 # Usage.: use in jail config: "banaction = pf[actiontype=<multiport>]"
-multiport = any port <port>
+multiport = any port {<port>}

--- a/config/filter.d/apache-botsearch.conf
+++ b/config/filter.d/apache-botsearch.conf
@ -3,7 +3,7 @@
 # This filter is aimed at blocking specific URLs that don't exist. This
 # could be a set of URLs places in a Disallow: directive in robots.txt or
 # just some web services that don't exist caused bots are searching for
-# exploitable content. This filter is designed to have a low false postitive
+# exploitable content. This filter is designed to have a low false positive
 # rate due.
 #
 # An alternative to this is the apache-noscript filter which blocks all
@ -36,4 +36,4 @@ webroot = /var/www/

 # DEV Notes:
 #
-# Author: Daniel Black
+# Author: Daniel Black
--- a/config/filter.d/asterisk.conf
+++ b/config/filter.d/asterisk.conf
@ -24,7 +24,6 @@ failregex = ^Registration from '[^']*' failed for '<HOST>(:\d+)?' - (?:Wrong pas
            ^Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
            ^(?:Host )?<HOST> (?:failed (?:to authenticate\b|MD5 authentication\b)|tried to authenticate with nonexistent user\b)
            ^No registration for peer '[^']*' \(from <HOST>\)$
-            ^Failed to authenticate (?:user|device) [^@]+@<HOST>\S*$
            ^hacking attempt detected '<HOST>'$
            ^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$
            ^"Rejecting unknown SIP connection from <HOST>"$
--- a/fail2ban/tests/files/logs/asterisk
+++ b/fail2ban/tests/files/logs/asterisk
@ -1,6 +1,4 @@
 # Sample log files for asterisk 
-# failJSON: { "time": "2013-07-25T07:26:43", "match": true , "host": "1.2.3.4" }
-[2013-07-25 07:26:43] NOTICE[26015][C-000006b2] chan_sip.c: Failed to authenticate device 101<sip:101@1.2.3.4>;tag=deadbeef
 # failJSON: { "time": "2012-02-13T17:21:54", "match": true , "host": "1.2.3.4" }
 [2012-02-13 17:21:54] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - Wrong password
 # failJSON: { "time": "2012-02-13T17:18:22", "match": true , "host": "1.2.3.4" }
@ -19,8 +17,6 @@
 [2012-02-13 17:39:20] NOTICE[1638] chan_iax2.c: No registration for peer 'Fail2ban' (from 1.2.3.4)
 # failJSON: { "time": "2012-02-13T17:44:26", "match": true , "host": "1.2.3.4" }
 [2012-02-13 17:44:26] NOTICE[1638] chan_iax2.c: Host 1.2.3.4 failed MD5 authentication for 'Fail2ban' (e7df7cd2ca07f4f1ab415d457a6e1c13 != 53ac4bc41ee4ec77888ed4aa50677247)
-# failJSON: { "time": "2012-02-13T17:37:07", "match": true , "host": "1.2.3.4" }
-[2012-02-13 17:37:07] NOTICE[1638] chan_sip.c: Failed to authenticate user "Fail2ban" <sip:301@1.2.3.4>;tag=1r698745234
 # failJSON: { "time": "2013-02-05T23:44:42", "match": true , "host": "1.2.3.4" }
 [2013-02-05 23:44:42] NOTICE[436][C-00000fa9] chan_sip.c: Call from '' (1.2.3.4:10836) to extension '0972598285108' rejected because extension not found in context 'default'.
 # failJSON: { "time": "2013-03-26T15:47:54", "match": true , "host": "1.2.3.4" }
--- a/fail2ban/tests/servertestcase.py
+++ b/fail2ban/tests/servertestcase.py
@ -1524,7 +1524,7 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 					'ip4': (), 'ip6': (),
 					'start': (
 						'`echo "table <f2b-j-w-pf> persist counters" | pfctl -a f2b/j-w-pf -f-`',
-						'`echo "block quick proto tcp from <f2b-j-w-pf> to any port <port>" | pfctl -a f2b/j-w-pf -f-`',
+						'`echo "block quick proto tcp from <f2b-j-w-pf> to any port {<port>}" | pfctl -a f2b/j-w-pf -f-`',
 					),
 					'stop': (
 						'`pfctl -a f2b/j-w-pf -sr 2>/dev/null | grep -v f2b-j-w-pf | pfctl -a f2b/j-w-pf -f-`',
@ -1538,12 +1538,12 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 					'ip6-ban':   ("`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T add 2001:db8::`",),
 					'ip6-unban': ("`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T delete 2001:db8::`",),
 				}),
-				# pf multiport with custom port --
-				('j-w-pf-mp', 'pf[actiontype=<multiport>][name=%(__name__)s, port=http]', {
+				# pf multiport with custom ports --
+				('j-w-pf-mp', 'pf[actiontype=<multiport>][name=%(__name__)s, port="http,https"]', {
 					'ip4': (), 'ip6': (),
 					'start': (
 						'`echo "table <f2b-j-w-pf-mp> persist counters" | pfctl -a f2b/j-w-pf-mp -f-`',
-						'`echo "block quick proto tcp from <f2b-j-w-pf-mp> to any port http" | pfctl -a f2b/j-w-pf-mp -f-`',
+						'`echo "block quick proto tcp from <f2b-j-w-pf-mp> to any port {http,https}" | pfctl -a f2b/j-w-pf-mp -f-`',
 					),
 					'stop': (
 						'`pfctl -a f2b/j-w-pf-mp -sr 2>/dev/null | grep -v f2b-j-w-pf-mp | pfctl -a f2b/j-w-pf-mp -f-`',
--- a/man/fail2ban-client.1
+++ b/man/fail2ban-client.1
@ -1,12 +1,12 @@
 .\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.47.4.
-.TH FAIL2BAN-CLIENT "1" "August 2017" "fail2ban-client v0.10.0" "User Commands"
+.TH FAIL2BAN-CLIENT "1" "October 2017" "fail2ban-client v0.10.2.dev1" "User Commands"
 .SH NAME
 fail2ban-client \- configure and control the server
 .SH SYNOPSIS
 .B fail2ban-client
 [\fI\,OPTIONS\/\fR] \fI\,<COMMAND>\/\fR
 .SH DESCRIPTION
-Fail2Ban v0.10.0 reads log file that contains password failure report
+Fail2Ban v0.10.2.dev1 reads log file that contains password failure report
 and bans the corresponding IP addresses using firewall rules.
 .SH OPTIONS
 .TP
@ -29,6 +29,9 @@ logging level
 \fB\-d\fR
 dump configuration. For debugging
 .TP
+\fB\-\-dp\fR, \fB\-\-dump\-pretty\fR
+dump the configuration using more human readable representation
+.TP
 \fB\-t\fR, \fB\-\-test\fR
 test configuration (can be also specified with start parameters)
 .TP
--- a/man/fail2ban-regex.1
+++ b/man/fail2ban-regex.1
@ -1,5 +1,5 @@
 .\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.47.4.
-.TH FAIL2BAN-REGEX "1" "August 2017" "fail2ban-regex 0.10.0" "User Commands"
+.TH FAIL2BAN-REGEX "1" "October 2017" "fail2ban-regex 0.10.2.dev1" "User Commands"
 .SH NAME
 fail2ban-regex \- test Fail2ban "failregex" option
 .SH SYNOPSIS
--- a/man/fail2ban-server.1
+++ b/man/fail2ban-server.1
@ -1,12 +1,12 @@
 .\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.47.4.
-.TH FAIL2BAN-SERVER "1" "August 2017" "fail2ban-server v0.10.0" "User Commands"
+.TH FAIL2BAN-SERVER "1" "October 2017" "fail2ban-server v0.10.2.dev1" "User Commands"
 .SH NAME
 fail2ban-server \- start the server
 .SH SYNOPSIS
 .B fail2ban-server
 [\fI\,OPTIONS\/\fR]
 .SH DESCRIPTION
-Fail2Ban v0.10.0 reads log file that contains password failure report
+Fail2Ban v0.10.2.dev1 reads log file that contains password failure report
 and bans the corresponding IP addresses using firewall rules.
 .SH OPTIONS
 .TP
@ -23,15 +23,15 @@ pidfile path
 logging level
 .HP
 \fB\-\-logtarget\fR <FILE>|STDOUT|STDERR|SYSLOG
-logging target
-.br
-Note. If fail2ban running as systemd-service, for logging to the systemd-journal, the logtarget could be set to STDOUT
 .HP
 \fB\-\-syslogsocket\fR auto|<FILE>
 .TP
 \fB\-d\fR
 dump configuration. For debugging
 .TP
+\fB\-\-dp\fR, \fB\-\-dump\-pretty\fR
+dump the configuration using more human readable representation
+.TP
 \fB\-t\fR, \fB\-\-test\fR
 test configuration (can be also specified with start parameters)
 .TP
--- a/man/fail2ban-testcases.1
+++ b/man/fail2ban-testcases.1
@ -1,5 +1,5 @@
 .\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.47.4.
-.TH FAIL2BAN-TESTCASES "1" "August 2017" "fail2ban-testcases 0.10.0" "User Commands"
+.TH FAIL2BAN-TESTCASES "1" "October 2017" "fail2ban-testcases 0.10.2.dev1" "User Commands"
 .SH NAME
 fail2ban-testcases \- run Fail2Ban unit-tests
 .SH SYNOPSIS