Merge pull request #591 from grooverdan/master_to_0.9

MRG: Master to 0.9 2014-01-19
2014-01-18 20:12:11 -08:00 · 2014-01-18 20:12:11 -08:00 · 79da66df5d
parent 77aab8d97a a650178bd1
commit 79da66df5d
11 changed files with 74 additions and 22 deletions
--- a/29
+++ b/29
@ -7,7 +7,6 @@
 Fail2Ban (version 0.9.0a2)                                            2014/??/??
 ================================================================================

-
 ver. 0.9.0 (2014/??/??) - alpha
 ----------

@ -76,21 +75,21 @@ configuration before relying on it.
     same jail -- use actname option to disambiguate.
   * Add honeypot email address to exim-spam filter as argument

-ver. 0.8.12 (2013/12/XX) - things-can-only-get-better
-----------
+ver. 0.8.12 (2014/01/XX) - things-can-only-get-better

 - IMPORTANT incompatible changes:
+  - Rename firewall-cmd-direct-new to firewallcmd-new to fit within jail name
+    name length. As per gh-395
+  - mysqld-syslog-iptables jailname was too long. Renamed to mysqld-syslog.
+	  Part of gh-447.

 - Fixes:
-  - Rename firewall-cmd-direct-new to firewall-cmd-new to fit within jail name
-    name length. As per gh-395
  - allow for ",milliseconds" in the custom date format of proftpd.log
  - allow for ", referer ..." in apache-* filter for apache error logs.
  - allow for spaces at the beginning of kernel messages. Closes gh-448
  - recidive jail to block all protocols. Closes gh-440. Thanks Ioan Indreias
  - smtps not a IANA standard and has been removed from Arch. Replaced with
    465. Thanks Stefan. Closes gh-447
-  - mysqld-syslog-iptables rule was too long. Part of gh-447.
  - add 'flushlogs' command to allow logrotation without clobbering logtarget
    settings. Closes gh-458, Debian bug #697333, Redhat bug #891798.
  - complain action - ensure where not matching other IPs in log sample.
@ -102,18 +101,19 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better
 	  send. This ensures that all data is sent before closing the connection.
  - Removed unnecessary reference to as yet undeclared $jail_name when checking
    a specific jail in nagios script.
+  - Filter dovecot reordered session and TLS items in regex with wider scope
+    for session characters. Thanks Ivo Truxa. Closes gh-586
+  - A single bad failregex or command syntax in configuration files won't stop
+    fail2ban from starting. Thanks Tomasz Ciolek. Closes gh-585.

 - Enhancements:
-  - added firewallcmd-ipset action
  - long names on jails documented based on iptables limit of 30 less
    len("fail2ban-").
  - remove indentation of name and loglevel while logging to SYSLOG to
    resolve syslog(-ng) parsing problems. Closes Debian bug #730202.
-  - added squid filter. Thanks Roman Gelfand.
  - updated check_fail2ban to return performance data for all jails.
  - filter apache-noscript now includes php cgi scripts.
    Thanks dani. Closes gh-503
-  - added ufw action. Thanks Guilhem Lettron. lp-#701522
  - exim-spam filter to match spamassassin log entry for option SAdevnull.
    Thanks Ivo Truxa. Closes gh-533
  - filter.d/nsd.conf -- also amended Unix date template to match nsd format
@ -128,7 +128,7 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better
 - New Features:

  - filter.d/solid-pop3d -- added thanks to Jacques Lav!gnotte on mailinglist.
-  - Add filter for apache-modsecurity
+  - Add filter for apache-modsecurity.
  - filter.d/nsd.conf -- also amended Unix date template to match nsd format
  - Added openwebmail filter thanks Ivo Truxa. Closes gh-543
  - Added filter for freeswitch. Thanks Jim and editors and authors of 
@ -136,6 +136,15 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better
  - Added groupoffice filter thanks to logs from Merijn Schering.
    Closes gh-566
  - Added filter for horde
+  - Added filter for squid. Thanks Roman Gelfand.
+  - Added filter for ejabberd-auth.
+  - Added filter.d/openwebmail filter thanks Ivo Truxa. Closes gh-543
+  - Added filter.d/groupoffice filter thanks to logs from Merijn Schering.
+    Closes gh-566
+  - Added action.d/badips. Thanks to Amy for making a nice API.
+  - Added firewallcmd-ipset action.
+  - Added ufw action. Thanks Guilhem Lettron. lp-#701522
+  - Added blocklist_de action.


 ver. 0.8.11 (2013/11/13) - loves-unittests-and-tight-DoS-free-filter-regexes
--- a/9
+++ b/9
@ -173,6 +173,7 @@ config/filter.d/common.conf
 config/filter.d/apache-auth.conf
 config/filter.d/apache-badbots.conf
 config/filter.d/apache-botsearch.conf
+config/filter.d/apache-modsecurity.conf
 config/filter.d/apache-nohome.conf
 config/filter.d/apache-noscript.conf
 config/filter.d/apache-overflows.conf
@ -181,11 +182,15 @@ config/filter.d/counter-strike.conf
 config/filter.d/courier-auth.conf
 config/filter.d/courier-smtp.conf
 config/filter.d/cyrus-imap.conf
+config/filter.d/ejabberd-auth.conf
 config/filter.d/exim.conf
+config/filter.d/freeswitch.conf
 config/filter.d/gssftpd.conf
 config/filter.d/kerio.conf
+config/filter.d/horde.conf
 config/filter.d/suhosin.conf
 config/filter.d/named-refused.conf
+config/filter.d/nsd.conf
 config/filter.d/openwebmail.conf
 config/filter.d/pam-generic.conf
 config/filter.d/php-url-fopen.conf
@ -199,6 +204,7 @@ config/filter.d/pure-ftpd.conf
 config/filter.d/qmail.conf
 config/filter.d/sieve.conf
 config/filter.d/solid-pop3d.conf
+config/filter.d/squid.conf
 config/filter.d/sshd.conf
 config/filter.d/sshd-ddos.conf
 config/filter.d/stunnel.conf
@ -231,9 +237,11 @@ config/filter.d/ejabberd-auth.conf
 config/filter.d/guacamole.conf
 config/filter.d/sendmail-spam.conf
 config/action.d/apf.conf
+config/action.d/blocklist_de.conf
 config/action.d/osx-afctl.conf
 config/action.d/osx-ipfw.conf
 config/action.d/sendmail-common.conf
+config/action.d/badips.conf
 config/action.d/bsd-ipfw.conf
 config/action.d/dummy.conf
 config/action.d/firewallcmd-new.conf
@ -268,6 +276,7 @@ config/action.d/sendmail-whois-lines.conf
 config/action.d/shorewall.conf
 config/action.d/xarf-login-attack.conf
 config/action.d/ufw.conf
+config/fail2ban.conf
 doc/run-rootless.txt
 man/fail2ban-client.1
 man/fail2ban.1
--- a/2
+++ b/2
@ -12,6 +12,7 @@ ache
 ag4ve (Shawn)
 Alasdair D. Campbell
 Amir Caspi
+Amy
 Andrey G. Grozin
 Andy Fragen
 Arturo 'Buanzo' Busleiman
@ -85,6 +86,7 @@ TESTOVIK
 Tom Pike
 Tomas Pihl
 Tony Lawrence
+Tomasz Ciolek
 Tyler
 Vaclav Misek
 Vincent Deffontaines
--- a/bin/fail2ban-client
+++ b/bin/fail2ban-client
@ -137,6 +137,7 @@ class Fail2banClient:

 	def __processCmd(self, cmd, showRet = True):
 		beautifier = Beautifier()
+		ret = True
 		for c in cmd:
 			beautifier.setInputCmd(c)
 			try:
@ -147,10 +148,10 @@ class Fail2banClient:
 					if showRet:
 						print beautifier.beautify(ret[1])
 				else:
+					ret = False
 					logSys.error("NOK: " + `ret[1].args`)
 					if showRet:
 						print beautifier.beautifyError(ret[1])
-					return False
 			except socket.error:
 				if showRet:
 					logSys.error("Unable to contact server. Is it running?")
@ -159,7 +160,7 @@ class Fail2banClient:
 				if showRet:
 					logSys.error(e)
 				return False
-		return True
+		return ret

 	##
 	# Process a command line.
--- a/config/action.d/badips.conf
+++ b/config/action.d/badips.conf
@ -0,0 +1,19 @@
+# Fail2ban reporting to badips.com
+#
+# Note: This reports and IP only and does not actually ban traffic. Use 
+# another action in the same jail if you want bans to occur.
+#
+# Set the category to the appropriate value before use.
+#
+# To get see register and optional key to get personalised graphs see:
+# http://www.badips.com/blog/personalized-statistics-track-the-attackers-of-all-your-servers-with-one-key
+
+[Definition]
+
+actionban = curl --fail  --user-agent "fail2ban v0.8.12" http://www.badips.com/add/<category>/<ip>
+
+[Init]
+
+# Option: category
+# Notes.: Values are from the list here: http://www.badips.com/get/categories
+category = 
--- a/config/filter.d/dovecot.conf
+++ b/config/filter.d/dovecot.conf
@ -10,7 +10,7 @@ before = common.conf
 _daemon = (auth|dovecot(-auth)?|auth-worker)

 failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
-            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
+            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?(, session=<\S+>)?\s*$
            ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$

 ignoreregex = 
--- a/fail2ban/tests/files/logs/dovecot
+++ b/fail2ban/tests/files/logs/dovecot
@ -42,3 +42,9 @@ Jul 02 13:49:32 hostname dovecot[442]: dovecot: auth(default): pam(account@MYSER
 # failJSON: { "time": "2005-04-19T05:22:20", "match": true , "host": "80.255.3.104" }
 Apr 19 05:22:20 vm5 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=informix rhost=80.255.3.104

+
+# failJSON: { "time": "2005-01-13T20:51:05", "match": true , "host": "1.2.3.4" }
+Jan 13 20:51:05 valhalla dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts in 178 secs): user=<ivo>, method=PLAIN, rip=1.2.3.4, lip=1.1.2.2, session=<6brQWt/vCADDhP/+>
+# failJSON: { "time": "2005-01-14T15:54:30", "match": true , "host": "1.2.3.4" }
+Jan 14 15:54:30 valhalla dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<ivo>, method=PLAIN, rip=1.2.3.4, lip=1.1.2.2, TLS: Disconnected, session=<q454Xu/vMwBZApgg>
+
--- a/man/fail2ban-client.1
+++ b/man/fail2ban-client.1
@ -1,12 +1,12 @@
-.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.40.4.
-.TH FAIL2BAN-CLIENT "1" "November 2013" "fail2ban-client v0.8.11" "User Commands"
+.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.41.2.
+.TH FAIL2BAN-CLIENT "1" "January 2014" "fail2ban-client v0.8.12" "User Commands"
 .SH NAME
 fail2ban-client \- configure and control the server
 .SH SYNOPSIS
 .B fail2ban-client
 [\fIOPTIONS\fR] \fI<COMMAND>\fR
 .SH DESCRIPTION
-Fail2Ban v0.8.11 reads log file that contains password failure report
+Fail2Ban v0.8.12 reads log file that contains password failure report
 and bans the corresponding IP addresses using firewall rules.
 .SH OPTIONS
 .TP
@ -82,6 +82,10 @@ file
 .TP
 \fBget logtarget\fR
 gets logging target
+.TP
+\fBflushlogs\fR
+flushes the logtarget if a file
+and reopens it. For log rotation.
 .IP
 JAIL CONTROL
 .TP
--- a/man/fail2ban-regex.1
+++ b/man/fail2ban-regex.1
@ -1,5 +1,5 @@
-.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.40.4.
-.TH FAIL2BAN-REGEX "1" "November 2013" "fail2ban-regex 0.8.11" "User Commands"
+.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.41.2.
+.TH FAIL2BAN-REGEX "1" "January 2014" "fail2ban-regex 0.8.12" "User Commands"
 .SH NAME
 fail2ban-regex \- test Fail2ban "failregex" option
 .SH SYNOPSIS
@ -16,7 +16,7 @@ string
 a string representing a log line
 .TP
 filename
-path to a log file (/var/log/auth.log)
+path to a log file (\fI/var/log/auth.log\fP)
 .SS "REGEX:"
 .TP
 string
--- a/man/fail2ban-server.1
+++ b/man/fail2ban-server.1
@ -1,12 +1,12 @@
-.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.40.4.
-.TH FAIL2BAN-SERVER "1" "November 2013" "fail2ban-server v0.8.11" "User Commands"
+.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.41.2.
+.TH FAIL2BAN-SERVER "1" "January 2014" "fail2ban-server v0.8.12" "User Commands"
 .SH NAME
 fail2ban-server \- start the server
 .SH SYNOPSIS
 .B fail2ban-server
 [\fIOPTIONS\fR]
 .SH DESCRIPTION
-Fail2Ban v0.8.11 reads log file that contains password failure report
+Fail2Ban v0.8.12 reads log file that contains password failure report
 and bans the corresponding IP addresses using firewall rules.
 .PP
 Only use this command for debugging purpose. Start the server with
--- a/man/jail.conf.5
+++ b/man/jail.conf.5
@ -130,6 +130,8 @@ name of the filter -- filename of the filter in /etc/fail2ban/filter.d/ without
 .TP
 .B logpath
 filename(s) of the log files to be monitored. Globs -- paths containing * and ? or [0-9] -- can be used however only the files that exist at start up matching this glob pattern will be considered.
+
+Ensure syslog or the program that generates the log file isn't configured to compress repeated log messages to "\fI*last message repeated 5 time*s\fR" otherwise it will fail to detect. This is called \fIRepeatedMsgReduction\fR in rsyslog and should be \fIOff\fR.
 .TP
 .B action
 action(s) from \fI/etc/fail2ban/action.d/\fR without the \fI.conf\fR/\fI.local\fR extension. Arguments can be passed to actions to override the default values from the [Init] section in the action file. Arguments are specified by [name=value,name2=value]. Values can also be quoted. More that one action can be specified (in separate lines).