Merge pull request #591 from grooverdan/master_to_0.9

MRG: Master to 0.9 2014-01-19
pull/573/merge
Daniel Black 2014-01-18 20:12:11 -08:00
commit 79da66df5d
11 changed files with 74 additions and 22 deletions


@ -7,7 +7,6 @@
Fail2Ban (version 0.9.0a2) 2014/??/?? Fail2Ban (version 0.9.0a2) 2014/??/??
================================================================================ ================================================================================
ver. 0.9.0 (2014/??/??) - alpha ver. 0.9.0 (2014/??/??) - alpha
---------- ----------
@ -76,21 +75,21 @@ configuration before relying on it.
same jail -- use actname option to disambiguate. same jail -- use actname option to disambiguate.
* Add honeypot email address to exim-spam filter as argument * Add honeypot email address to exim-spam filter as argument
ver. 0.8.12 (2013/12/XX) - things-can-only-get-better ver. 0.8.12 (2014/01/XX) - things-can-only-get-better
-----------
- IMPORTANT incompatible changes: - IMPORTANT incompatible changes:
- Rename firewall-cmd-direct-new to firewallcmd-new to fit within jail name
name length. As per gh-395
- mysqld-syslog-iptables jailname was too long. Renamed to mysqld-syslog.
Part of gh-447.
- Fixes: - Fixes:
- Rename firewall-cmd-direct-new to firewall-cmd-new to fit within jail name
name length. As per gh-395
- allow for ",milliseconds" in the custom date format of proftpd.log - allow for ",milliseconds" in the custom date format of proftpd.log
- allow for ", referer ..." in apache-* filter for apache error logs. - allow for ", referer ..." in apache-* filter for apache error logs.
- allow for spaces at the beginning of kernel messages. Closes gh-448 - allow for spaces at the beginning of kernel messages. Closes gh-448
- recidive jail to block all protocols. Closes gh-440. Thanks Ioan Indreias - recidive jail to block all protocols. Closes gh-440. Thanks Ioan Indreias
- smtps not a IANA standard and has been removed from Arch. Replaced with - smtps not a IANA standard and has been removed from Arch. Replaced with
465. Thanks Stefan. Closes gh-447 465. Thanks Stefan. Closes gh-447
- mysqld-syslog-iptables rule was too long. Part of gh-447.
- add 'flushlogs' command to allow logrotation without clobbering logtarget - add 'flushlogs' command to allow logrotation without clobbering logtarget
settings. Closes gh-458, Debian bug #697333, Redhat bug #891798. settings. Closes gh-458, Debian bug #697333, Redhat bug #891798.
- complain action - ensure where not matching other IPs in log sample. - complain action - ensure where not matching other IPs in log sample.
@ -102,18 +101,19 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better
send. This ensures that all data is sent before closing the connection. send. This ensures that all data is sent before closing the connection.
- Removed unnecessary reference to as yet undeclared $jail_name when checking - Removed unnecessary reference to as yet undeclared $jail_name when checking
a specific jail in nagios script. a specific jail in nagios script.
- Filter dovecot reordered session and TLS items in regex with wider scope
for session characters. Thanks Ivo Truxa. Closes gh-586
- A single bad failregex or command syntax in configuration files won't stop
fail2ban from starting. Thanks Tomasz Ciolek. Closes gh-585.
- Enhancements: - Enhancements:
- added firewallcmd-ipset action
- long names on jails documented based on iptables limit of 30 less - long names on jails documented based on iptables limit of 30 less
len("fail2ban-"). len("fail2ban-").
- remove indentation of name and loglevel while logging to SYSLOG to - remove indentation of name and loglevel while logging to SYSLOG to
resolve syslog(-ng) parsing problems. Closes Debian bug #730202. resolve syslog(-ng) parsing problems. Closes Debian bug #730202.
- added squid filter. Thanks Roman Gelfand.
- updated check_fail2ban to return performance data for all jails. - updated check_fail2ban to return performance data for all jails.
- filter apache-noscript now includes php cgi scripts. - filter apache-noscript now includes php cgi scripts.
Thanks dani. Closes gh-503 Thanks dani. Closes gh-503
- added ufw action. Thanks Guilhem Lettron. lp-#701522
- exim-spam filter to match spamassassin log entry for option SAdevnull. - exim-spam filter to match spamassassin log entry for option SAdevnull.
Thanks Ivo Truxa. Closes gh-533 Thanks Ivo Truxa. Closes gh-533
- filter.d/nsd.conf -- also amended Unix date template to match nsd format - filter.d/nsd.conf -- also amended Unix date template to match nsd format
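Review bot: the new entry "A single bad failregex or command syntax in configuration files won't stop fail2ban from starting" (Closes gh-585) should say how such a failure is surfaced, since a jail whose regex was rejected keeps running without it: the only visible change in this PR is that fail2ban-client logs "NOK: ..." and continues, so a sentence like "the error is logged and fail2ban-client exits non-zero" would tell operators what to check after a start.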
@ -128,7 +128,7 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better
- New Features: - New Features:
- filter.d/solid-pop3d -- added thanks to Jacques Lav!gnotte on mailinglist. - filter.d/solid-pop3d -- added thanks to Jacques Lav!gnotte on mailinglist.
- Add filter for apache-modsecurity - Add filter for apache-modsecurity.
- filter.d/nsd.conf -- also amended Unix date template to match nsd format - filter.d/nsd.conf -- also amended Unix date template to match nsd format
- Added openwebmail filter thanks Ivo Truxa. Closes gh-543 - Added openwebmail filter thanks Ivo Truxa. Closes gh-543
- Added filter for freeswitch. Thanks Jim and editors and authors of - Added filter for freeswitch. Thanks Jim and editors and authors of
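Review bot: "filter.d/nsd.conf -- also amended Unix date template to match nsd format" now appears twice, once under Enhancements (the last context line of the previous hunk) and again here under New Features; keep one of them.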
@ -136,6 +136,15 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better
- Added groupoffice filter thanks to logs from Merijn Schering. - Added groupoffice filter thanks to logs from Merijn Schering.
Closes gh-566 Closes gh-566
- Added filter for horde - Added filter for horde
- Added filter for squid. Thanks Roman Gelfand.
- Added filter for ejabberd-auth.
- Added filter.d/openwebmail filter thanks Ivo Truxa. Closes gh-543
- Added filter.d/groupoffice filter thanks to logs from Merijn Schering.
Closes gh-566
- Added action.d/badips. Thanks to Amy for making a nice API.
- Added firewallcmd-ipset action.
- Added ufw action. Thanks Guilhem Lettron. lp-#701522
- Added blocklist_de action.
ver. 0.8.11 (2013/11/13) - loves-unittests-and-tight-DoS-free-filter-regexes ver. 0.8.11 (2013/11/13) - loves-unittests-and-tight-DoS-free-filter-regexes
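Review bot: two of the added New Features lines duplicate entries that are already in this section: "Added filter.d/openwebmail filter thanks Ivo Truxa. Closes gh-543" repeats "Added openwebmail filter thanks Ivo Truxa. Closes gh-543" a few lines up, and "Added filter.d/groupoffice filter thanks to logs from Merijn Schering. Closes gh-566" repeats the groupoffice entry at the top of the hunk. Drop the duplicates so the 0.8.12 notes do not list the same filter twice.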


@ -173,6 +173,7 @@ config/filter.d/common.conf
config/filter.d/apache-auth.conf config/filter.d/apache-auth.conf
config/filter.d/apache-badbots.conf config/filter.d/apache-badbots.conf
config/filter.d/apache-botsearch.conf config/filter.d/apache-botsearch.conf
config/filter.d/apache-modsecurity.conf
config/filter.d/apache-nohome.conf config/filter.d/apache-nohome.conf
config/filter.d/apache-noscript.conf config/filter.d/apache-noscript.conf
config/filter.d/apache-overflows.conf config/filter.d/apache-overflows.conf
@ -181,11 +182,15 @@ config/filter.d/counter-strike.conf
config/filter.d/courier-auth.conf config/filter.d/courier-auth.conf
config/filter.d/courier-smtp.conf config/filter.d/courier-smtp.conf
config/filter.d/cyrus-imap.conf config/filter.d/cyrus-imap.conf
config/filter.d/ejabberd-auth.conf
config/filter.d/exim.conf config/filter.d/exim.conf
config/filter.d/freeswitch.conf
config/filter.d/gssftpd.conf config/filter.d/gssftpd.conf
config/filter.d/kerio.conf config/filter.d/kerio.conf
config/filter.d/horde.conf
config/filter.d/suhosin.conf config/filter.d/suhosin.conf
config/filter.d/named-refused.conf config/filter.d/named-refused.conf
config/filter.d/nsd.conf
config/filter.d/openwebmail.conf config/filter.d/openwebmail.conf
config/filter.d/pam-generic.conf config/filter.d/pam-generic.conf
config/filter.d/php-url-fopen.conf config/filter.d/php-url-fopen.conf
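Review bot: "config/filter.d/ejabberd-auth.conf" is added here, but the header of the action.d hunk below ("@ -231,9 +237,11 @@ config/filter.d/ejabberd-auth.conf") shows the same path already present further down in MANIFEST, so this is a duplicate entry; remove one. Also, "config/filter.d/horde.conf" lands between kerio.conf and suhosin.conf rather than in alphabetical position, which makes later duplicates like this one harder to spot.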
@ -199,6 +204,7 @@ config/filter.d/pure-ftpd.conf
config/filter.d/qmail.conf config/filter.d/qmail.conf
config/filter.d/sieve.conf config/filter.d/sieve.conf
config/filter.d/solid-pop3d.conf config/filter.d/solid-pop3d.conf
config/filter.d/squid.conf
config/filter.d/sshd.conf config/filter.d/sshd.conf
config/filter.d/sshd-ddos.conf config/filter.d/sshd-ddos.conf
config/filter.d/stunnel.conf config/filter.d/stunnel.conf
@ -231,9 +237,11 @@ config/filter.d/ejabberd-auth.conf
config/filter.d/guacamole.conf config/filter.d/guacamole.conf
config/filter.d/sendmail-spam.conf config/filter.d/sendmail-spam.conf
config/action.d/apf.conf config/action.d/apf.conf
config/action.d/blocklist_de.conf
config/action.d/osx-afctl.conf config/action.d/osx-afctl.conf
config/action.d/osx-ipfw.conf config/action.d/osx-ipfw.conf
config/action.d/sendmail-common.conf config/action.d/sendmail-common.conf
config/action.d/badips.conf
config/action.d/bsd-ipfw.conf config/action.d/bsd-ipfw.conf
config/action.d/dummy.conf config/action.d/dummy.conf
config/action.d/firewallcmd-new.conf config/action.d/firewallcmd-new.conf
@ -268,6 +276,7 @@ config/action.d/sendmail-whois-lines.conf
config/action.d/shorewall.conf config/action.d/shorewall.conf
config/action.d/xarf-login-attack.conf config/action.d/xarf-login-attack.conf
config/action.d/ufw.conf config/action.d/ufw.conf
config/fail2ban.conf
doc/run-rootless.txt doc/run-rootless.txt
man/fail2ban-client.1 man/fail2ban-client.1
man/fail2ban.1 man/fail2ban.1

THANKS

@ -12,6 +12,7 @@ ache
ag4ve (Shawn) ag4ve (Shawn)
Alasdair D. Campbell Alasdair D. Campbell
Amir Caspi Amir Caspi
Amy
Andrey G. Grozin Andrey G. Grozin
Andy Fragen Andy Fragen
Arturo 'Buanzo' Busleiman Arturo 'Buanzo' Busleiman
@ -85,6 +86,7 @@ TESTOVIK
Tom Pike Tom Pike
Tomas Pihl Tomas Pihl
Tony Lawrence Tony Lawrence
Tomasz Ciolek
Tyler Tyler
Vaclav Misek Vaclav Misek
Vincent Deffontaines Vincent Deffontaines
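Review bot: "Tomasz Ciolek" is inserted after "Tony Lawrence"; the list is alphabetical, so it belongs between "Tomas Pihl" and "Tony Lawrence".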


@ -137,6 +137,7 @@ class Fail2banClient:
def __processCmd(self, cmd, showRet = True): def __processCmd(self, cmd, showRet = True):
beautifier = Beautifier() beautifier = Beautifier()
ret = True
for c in cmd: for c in cmd:
beautifier.setInputCmd(c) beautifier.setInputCmd(c)
try: try:
@ -147,10 +148,10 @@ class Fail2banClient:
if showRet: if showRet:
print beautifier.beautify(ret[1]) print beautifier.beautify(ret[1])
else: else:
ret = False
logSys.error("NOK: " + `ret[1].args`) logSys.error("NOK: " + `ret[1].args`)
if showRet: if showRet:
print beautifier.beautifyError(ret[1]) print beautifier.beautifyError(ret[1])
return False
except socket.error: except socket.error:
if showRet: if showRet:
logSys.error("Unable to contact server. Is it running?") logSys.error("Unable to contact server. Is it running?")
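Review bot: the new "ret = False" in the else branch is placed before "logSys.error("NOK: " + `ret[1].args`)" and "print beautifier.beautifyError(ret[1])", which still index ret as the server response tuple, so the first NOK response will raise a TypeError instead of being reported. The same name is also reused as the overall status flag initialised to True before the loop, so on the next iteration it is overwritten by the next response and the accumulated False is lost. Use a separate flag (for example "ok = True" before the loop, "ok = False" after the error has been logged and printed, and return that flag at the end) instead of reusing ret.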
@ -159,7 +160,7 @@ class Fail2banClient:
if showRet: if showRet:
logSys.error(e) logSys.error(e)
return False return False
return True return ret
## ##
# Process a command line. # Process a command line.
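Review bot: "return ret" at the end of __processCmd will return whatever the last loop iteration assigned to ret, which in the visible code is the server's response tuple rather than a boolean, so callers checking the result for False will see a truthy value even when an earlier command failed. Return the dedicated status flag suggested for the previous hunk here.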


@ -0,0 +1,19 @@
# Fail2ban reporting to badips.com
#
# Note: This reports and IP only and does not actually ban traffic. Use
# another action in the same jail if you want bans to occur.
#
# Set the category to the appropriate value before use.
#
# To get see register and optional key to get personalised graphs see:
# http://www.badips.com/blog/personalized-statistics-track-the-attackers-of-all-your-servers-with-one-key
[Definition]
actionban = curl --fail --user-agent "fail2ban v0.8.12" http://www.badips.com/add/<category>/<ip>
[Init]
# Option: category
# Notes.: Values are from the list here: http://www.badips.com/get/categories
category =
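Review bot: "category" has no default and is not validated, so a jail that uses this action without setting it will run "curl ... http://www.badips.com/add//<ip>" on every ban, which silently reports to a non-existent category; either document a required value more prominently or make the actioncheck/actionstart fail when it is empty. The header comments also need a pass: "This reports and IP only" should read "an IP", and "To get see register and optional key to get personalised graphs see:" is garbled. Since the report is sent over plain http, consider noting that the submitted IPs are visible on the wire and that the user-agent string "fail2ban v0.8.12" is hardcoded rather than derived from the running version.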


@ -10,7 +10,7 @@ before = common.conf
_daemon = (auth|dovecot(-auth)?|auth-worker) _daemon = (auth|dovecot(-auth)?|auth-worker)
failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$ failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$ ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?(, session=<\S+>)?\s*$
^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$ ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
ignoreregex = ignoreregex =
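Review bot: moving the TLS group before the session group changes which log lines match: the old regex accepted "..., session=<id>, TLS..." and the new one only accepts "..., TLS..., session=<id>", so any Dovecot version that emits session before TLS stops being caught by this filter. If both orders occur in the wild, keep both optional groups in either order rather than swapping them. Widening the session id from "<\w+>" to "<\S+>" is needed for ids containing "/" and "+" as in the new test samples, but "<[^>]+>" is the tighter class and avoids backtracking from end of line to find the closing ">".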


@ -42,3 +42,9 @@ Jul 02 13:49:32 hostname dovecot[442]: dovecot: auth(default): pam(account@MYSER
# failJSON: { "time": "2005-04-19T05:22:20", "match": true , "host": "80.255.3.104" } # failJSON: { "time": "2005-04-19T05:22:20", "match": true , "host": "80.255.3.104" }
Apr 19 05:22:20 vm5 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=informix rhost=80.255.3.104 Apr 19 05:22:20 vm5 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=informix rhost=80.255.3.104
# failJSON: { "time": "2005-01-13T20:51:05", "match": true , "host": "1.2.3.4" }
Jan 13 20:51:05 valhalla dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts in 178 secs): user=<ivo>, method=PLAIN, rip=1.2.3.4, lip=1.1.2.2, session=<6brQWt/vCADDhP/+>
# failJSON: { "time": "2005-01-14T15:54:30", "match": true , "host": "1.2.3.4" }
Jan 14 15:54:30 valhalla dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<ivo>, method=PLAIN, rip=1.2.3.4, lip=1.1.2.2, TLS: Disconnected, session=<q454Xu/vMwBZApgg>
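Review bot: both added samples are pop3-login lines with the new "TLS: Disconnected, session=<...>" order; a sample with "session=<...>" before "TLS" (the order the previous regex expected) would show whether the reorder in filter.d/dovecot.conf regresses existing logs, and an imap-login sample would exercise the other branch of the "(pop3|imap)-login" alternation.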


@ -1,12 +1,12 @@
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.40.4. .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2.
.TH FAIL2BAN-CLIENT "1" "November 2013" "fail2ban-client v0.8.11" "User Commands" .TH FAIL2BAN-CLIENT "1" "January 2014" "fail2ban-client v0.8.12" "User Commands"
.SH NAME .SH NAME
fail2ban-client \- configure and control the server fail2ban-client \- configure and control the server
.SH SYNOPSIS .SH SYNOPSIS
.B fail2ban-client .B fail2ban-client
[\fIOPTIONS\fR] \fI<COMMAND>\fR [\fIOPTIONS\fR] \fI<COMMAND>\fR
.SH DESCRIPTION .SH DESCRIPTION
Fail2Ban v0.8.11 reads log file that contains password failure report Fail2Ban v0.8.12 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules. and bans the corresponding IP addresses using firewall rules.
.SH OPTIONS .SH OPTIONS
.TP .TP
@ -82,6 +82,10 @@ file
.TP .TP
\fBget logtarget\fR \fBget logtarget\fR
gets logging target gets logging target
.TP
\fBflushlogs\fR
flushes the logtarget if a file
and reopens it. For log rotation.
.IP .IP
JAIL CONTROL JAIL CONTROL
.TP .TP


@ -1,5 +1,5 @@
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.40.4. .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2.
.TH FAIL2BAN-REGEX "1" "November 2013" "fail2ban-regex 0.8.11" "User Commands" .TH FAIL2BAN-REGEX "1" "January 2014" "fail2ban-regex 0.8.12" "User Commands"
.SH NAME .SH NAME
fail2ban-regex \- test Fail2ban "failregex" option fail2ban-regex \- test Fail2ban "failregex" option
.SH SYNOPSIS .SH SYNOPSIS
@ -16,7 +16,7 @@ string
a string representing a log line a string representing a log line
.TP .TP
filename filename
path to a log file (/var/log/auth.log) path to a log file (\fI/var/log/auth.log\fP)
.SS "REGEX:" .SS "REGEX:"
.TP .TP
string string


@ -1,12 +1,12 @@
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.40.4. .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2.
.TH FAIL2BAN-SERVER "1" "November 2013" "fail2ban-server v0.8.11" "User Commands" .TH FAIL2BAN-SERVER "1" "January 2014" "fail2ban-server v0.8.12" "User Commands"
.SH NAME .SH NAME
fail2ban-server \- start the server fail2ban-server \- start the server
.SH SYNOPSIS .SH SYNOPSIS
.B fail2ban-server .B fail2ban-server
[\fIOPTIONS\fR] [\fIOPTIONS\fR]
.SH DESCRIPTION .SH DESCRIPTION
Fail2Ban v0.8.11 reads log file that contains password failure report Fail2Ban v0.8.12 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules. and bans the corresponding IP addresses using firewall rules.
.PP .PP
Only use this command for debugging purpose. Start the server with Only use this command for debugging purpose. Start the server with


@ -130,6 +130,8 @@ name of the filter -- filename of the filter in /etc/fail2ban/filter.d/ without
.TP .TP
.B logpath .B logpath
filename(s) of the log files to be monitored. Globs -- paths containing * and ? or [0-9] -- can be used however only the files that exist at start up matching this glob pattern will be considered. filename(s) of the log files to be monitored. Globs -- paths containing * and ? or [0-9] -- can be used however only the files that exist at start up matching this glob pattern will be considered.
Ensure syslog or the program that generates the log file isn't configured to compress repeated log messages to "\fI*last message repeated 5 time*s\fR" otherwise it will fail to detect. This is called \fIRepeatedMsgReduction\fR in rsyslog and should be \fIOff\fR.
.TP .TP
.B action .B action
action(s) from \fI/etc/fail2ban/action.d/\fR without the \fI.conf\fR/\fI.local\fR extension. Arguments can be passed to actions to override the default values from the [Init] section in the action file. Arguments are specified by [name=value,name2=value]. Values can also be quoted. More that one action can be specified (in separate lines). action(s) from \fI/etc/fail2ban/action.d/\fR without the \fI.conf\fR/\fI.local\fR extension. Arguments can be passed to actions to override the default values from the [Init] section in the action file. Arguments are specified by [name=value,name2=value]. Values can also be quoted. More that one action can be specified (in separate lines).
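Review bot: in the added logpath sentence the quoted message "\fI*last message repeated 5 time*s\fR" carries stray asterisks inside the italic markup; the message syslog emits is "last message repeated 5 times", so write it as "\fIlast message repeated 5 times\fR". In rsyslog.conf the directive is written "$RepeatedMsgReduction" with the leading "$", which is worth showing since the whole point of the note is that an operator can search for it; the security reason (a burst of identical failures collapses into one line and never reaches maxretry) is stated and is the right thing to document here.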