Merge pull request #634 from grooverdan/jail-prune

ENH: purge excessive jail variations
2014-03-12 11:31:45 +11:00 · 2014-03-12 11:31:45 +11:00 · 79dab54619
parent 721b1473f0 50d938e0bf
commit 79dab54619
7 changed files with 51 additions and 224 deletions
--- a/config/common-paths.conf
+++ b/config/common-paths.conf
@ -54,3 +54,4 @@ dovecot_log = %(syslog_mail_warn)s
 # Seems to be set at compile time only to LOG_LOCAL0 (src/const.h) at Notice level
 solidpop3d_log = %(syslog_local0)s

+mysql_log = %(syslog_daemon)s
--- a/config/fedora-paths.conf
+++ b/config/fedora-paths.conf
@ -32,3 +32,4 @@ apache_access_log = /var/log/httpd/*access_log
 # proftpd_log = /var/log/proftpd/auth.log
 # Tested and it worked out in /var/log/messages so assuming syslog_ftp for now.

+mysql_log = /var/lib/mysql/mysqld.log
--- a/config/filter.d/sendmail-reject.conf
+++ b/config/filter.d/sendmail-reject.conf
@ -19,16 +19,32 @@ before = common.conf

 [Definition]

-_daemon = (?:sm-(mta|acceptingconnections))
+_daemon = (?:(sm-(mta|acceptingconnections)|sendmail))

 failregex = ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[<HOST>\]( \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\])|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$
            ^%(__prefix_line)sruleset=check_relay, arg1=(?P<dom>\S+), arg2=<HOST>, relay=((?P=dom) )?\[(\d+\.){3}\d+\]( \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
            ^%(__prefix_line)s\w{14}: rejecting commands from  (\S+ )?\[<HOST>\] due to pre-greeting traffic after \d+ seconds$
            ^%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]: ((?i)expn|vrfy) \S+ \[rejected\]$
+            ^(?P<__prefix>%(__prefix_line)s\w+: )<[^@]+@[^>]+>\.\.\. No such user here<SKIPLINES>(?P=__prefix)from=<[^@]+@[^>]+>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[<HOST>\]$


 ignoreregex =

-# DEV Notes:
+
+[Init]
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 10
+
+# DEV NOTES:
+# 
+# Regarding the last multiline regex:
+#
+# There can be a nunber of non-related lines between the first and second part
+# of this regex maxlines of 10 is quite generious. Only one of the 
+# "No such user" lines needs to be matched before the line with the HOST.
+#
+# Note the capture __prefix, includes both the __prefix_lines (which includes
+# the sendmail PID), but also the \w+ which the the sendmail assigned mail ID.
 #
 # Author: Daniel Black and Fabian Wenk
--- a/config/filter.d/sendmail-spam.conf
+++ b/config/filter.d/sendmail-spam.conf
@ -1,30 +0,0 @@
-# Fail2ban filter for sendmail spam
-#
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# common.local
-before = common.conf
-
-[Definition]
-
-_daemon = sendmail
-
-failregex = ^(?P<__prefix>%(__prefix_line)s\w+: )<[^@]+@[^>]+>\.\.\. No such user here<SKIPLINES>(?P=__prefix)from=<[^@]+@[^>]+>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[<HOST>\]$
-
-[Init]
-
-# "maxlines" is number of log lines to buffer for multi-line regex searches
-maxlines = 10
-
-# DEV NOTES:
-# 
-# There can be a nunber of non-related lines between the first and second part
-# of this regex maxlines of 10 is quite generious. Only one of the 
-# "No such user" lines needs to be matched before the line with the HOST.
-#
-# Note the capture __prefix, includes both the __prefix_lines (which includes
-# the sendmail PID), but also the \w+ which the the sendmail assigned mail ID.
-#
-# Author: Daniel Black
--- a/config/jail.conf
+++ b/config/jail.conf
@ -222,102 +222,6 @@ logpath  = %(auditd_log)s
 maxretry = 5


-# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
-# used to avoid banning the user "myuser".
-[ssh-tcpwrapper]
-
-filter      = sshd
-action      = hostsdeny[daemon_list=sshd]
-              sendmail-whois[name=SSH, dest=you@example.com]
-ignoreregex = for myuser from
-logpath     = %(sshd_log)s
-
-
-# Here we use blackhole routes for not requiring any additional kernel support
-# to store large volumes of banned IPs
-
-[sshd-route]
-
-filter = sshd
-action = route
-logpath = %(sshd_log)s
-
-
-# Here we use a combination of Netfilter/Iptables and IPsets
-# for storing large volumes of banned IPs
-#
-# IPset comes in two versions. See ipset -V for which one to use
-# requires the ipset package and kernel support.
-[sshd-iptables-ipset4]
-
-filter   = sshd
-action   = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
-logpath  = %(sshd_log)s
-
-
-[sshd-iptables-ipset6]
-
-filter   = sshd
-action   = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
-logpath  = %(sshd_log)s
-
-
-[sshd-apf]
-
-filter  = sshd
-action  = apf[name=SSH]
-logpath = %(sshd_log)s
-maxretry = 5
-
-
-# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
-# option is overridden in this jail. Moreover, the action "mail-whois" defines
-# the variable "name" which contains a comma using "". The characters '' are
-# valid too.
-[sshd-ipfw]
-
-filter   = sshd
-action   = ipfw[localhost=192.168.0.1]
-           sendmail-whois[name="SSH,IPFW", dest=you@example.com]
-logpath  = %(sshd_log)s
-
-
-# bsd-ipfw is ipfw used by BSD. It uses ipfw tables.
-# table number must be unique.
-#
-# This will create a deny rule for that table ONLY if a rule
-# for the table doesn't ready exist.
-#
-[sshd-bsd-ipfw]
-
-filter   = sshd
-action   = bsd-ipfw[port=ssh,table=1]
-logpath  = %(sshd_log)s
-
-
-[sshd-pf]
-# PF is a BSD based firewall
-filter  = sshd
-action  = pf
-logpath = %(sshd_log)s
-maxretry= 5
-
-
-# ipfw for osx (less capabilities that BSD)
-[osx-sshd-ipfw]
-
-filter = sshd
-action = osx-ipfw
-logpath = %(sshd_log)s
-
-
-[osx-sshd-afctl]
-
-filter   = sshd
-action   = osx-afctl[bantime=600]
-logpath  = %(sshd_log)s
-maxretry = 5
-
 #
 # HTTP servers
 #
@ -518,26 +422,6 @@ port     = ftp,ftp-data,ftps,ftps-data
 logpath  = %(vsftpd_log)s


-# Do not ban anybody. Just report information about the remote host.
-# A notification is sent at most every 600 seconds (bantime).
-[vsftpd-notification]
-
-filter   = vsftpd
-action   = sendmail-whois[name=VSFTPD, dest=you@example.com]
-logpath  = %(vsftpd_log)s
-maxretry = 5
-bantime  = 1800
-
-
-# Same as above but with banning the IP address.
-[vsftpd-iptables]
-
-filter   = vsftpd
-port     = ftp,ftp-data,ftps,ftps-data
-logpath  = %(syslog_ftp)s
-maxretry = 5
-bantime  = 1800
-
 #
 # Mail servers
 #
@ -580,33 +464,10 @@ port    = smtp,465,submission
 logpath = /service/qmail/log/main/current


-# The hosts.deny path can be defined with the "file" argument if it is
-# not in /etc.
-[postfix-tcpwrapper]
-
-filter   = postfix
-action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
-           sendmail[name=Postfix, dest=you@example.com]
-logpath  = %(postfix_log)s
-bantime  = 300
-
-
-[sendmail-spam]
-
-logpath  = %(syslog_mail_warn)s
-
-
 # dovecot defaults to logging to the mail syslog facility
 # but can be set by syslog_facility in the dovecot configuration.
 [dovecot]

-port    = pop3,pop3s,imap,imaps,submission,465,sieve
-logpath = %(syslog_mail_warn)s
-
-
-[dovecot-auth]
-
-filter  = dovecot
 port    = pop3,pop3s,imap,imaps,submission,465,sieve
 logpath = %(dovecot_log)s

@ -628,12 +489,15 @@ logpath = %(solidpop3d_log)s
 port   = smtp,465,submission
 logpath = /var/log/exim/mainlog

+
 [exim-spam]
+
 port   = smtp,465,submission
 logpath = /var/log/exim/mainlog


 [kerio]
+
 port    = imap,smtp,imaps,465
 logpath = /opt/kerio/mailserver/store/logs/security.log

@ -746,46 +610,21 @@ logpath  = /var/log/freeswitch.log
 maxretry = 10


-#  Historical support (before https://github.com/fail2ban/fail2ban/issues/37 was fixed )
-#  use [asterisk] for new jails
-[asterisk-tcp]
-
-filter   = asterisk
-port     = 5060,5061
-logpath  = /var/log/asterisk/messages
-maxretry = 10
-
-
-#  Historical support (before https://github.com/fail2ban/fail2ban/issues/37 was fixed )
-#  use [asterisk] for new jails
-[asterisk-udp]
-
-filter   = asterisk
-port     = 5060,5061
-protocol = udp
-logpath  = /var/log/asterisk/messages
-maxretry = 10
-
-
 # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
 # equivalent section:
-# log-error=/var/log/mysqld.log
 # log-warning = 2
+#
+# for syslog (daemon facility)
+# [mysqld_safe]
+# syslog
+#
+# for own logfile
+# [mysqld]
+# log-error=/var/log/mysqld.log
 [mysqld-auth]

 port     = 3306
-logpath  = /var/log/mysqld.log
-maxretry = 5
-
-
-# This requires my.cnf to contain (check the mysql version supports this)
-# [mysqld_safe]
-# syslog
-[mysqld-syslog]
-
-port     = 3306
-filter   = mysqld-auth
-logpath  = %(syslog_daemon)s
+logpath  = %(mysql_log)s
 maxretry = 5


--- a/fail2ban/tests/files/logs/sendmail-reject
+++ b/fail2ban/tests/files/logs/sendmail-reject
@ -65,3 +65,22 @@ Feb 13 01:16:50 batman sm-mta[25815]: s1D0GoSs025815: [217.193.142.180]: vrfy in
 # failJSON: { "time": "2005-02-22T14:02:44", "match": true , "host": "24.73.201.194" }
 Feb 22 14:02:44 batman sm-mta[4030]: s1MD2hsd004030: rrcs-24-73-201-194.se.biz.rr.com [24.73.201.194]: VRFY root [rejected]

+
+# failJSON: { "match": false }
+Nov  3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: <arhipov@domain.com>... No such user here
+# failJSON: { "match": false }
+Nov  3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: <anatoliy@domain.com>... No such user here
+# failJSON: { "match": false }
+Nov  3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: <artem@domain.com>... No such user here
+# failJSON: { "match": false }
+Nov  3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: <anto@domain.com>... No such user here
+# failJSON: { "match": false }
+Nov  3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: <anton@domain.com>... No such user here
+# failJSON: { "time": "2004-11-03T11:35:30", "match": true , "host": "95.32.23.163" }
+Nov  3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: from=<davaojk25@domain.com>, size=0, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=163.23.32.95.dsl-dynamic.vsi.ru [95.32.23.163]
+
+# failJSON: { "match": false }
+Nov  3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: <anton@domain.com>... No such user here
+# Different mail ID shouldn't match
+# failJSON: { "match": false }
+Nov  3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026255: from=<davaojk25@domain.com>, size=0, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=163.23.32.95.dsl-dynamic.vsi.ru [95.32.23.163]
--- a/fail2ban/tests/files/logs/sendmail-spam
+++ b/fail2ban/tests/files/logs/sendmail-spam
@ -1,19 +0,0 @@
-
-# failJSON: { "match": false }
-Nov  3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: <arhipov@domain.com>... No such user here
-# failJSON: { "match": false }
-Nov  3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: <anatoliy@domain.com>... No such user here
-# failJSON: { "match": false }
-Nov  3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: <artem@domain.com>... No such user here
-# failJSON: { "match": false }
-Nov  3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: <anto@domain.com>... No such user here
-# failJSON: { "match": false }
-Nov  3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: <anton@domain.com>... No such user here
-# failJSON: { "time": "2004-11-03T11:35:30", "match": true , "host": "95.32.23.163" }
-Nov  3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: from=<davaojk25@domain.com>, size=0, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=163.23.32.95.dsl-dynamic.vsi.ru [95.32.23.163]
-
-# failJSON: { "match": false }
-Nov  3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026254: <anton@domain.com>... No such user here
-# Different mail ID shouldn't match
-# failJSON: { "match": false }
-Nov  3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026255: from=<davaojk25@domain.com>, size=0, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=163.23.32.95.dsl-dynamic.vsi.ru [95.32.23.163]