github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

* New upstream release, which incorporates fixes introduced in 3~pre 

non-released versions (which were suggested to the users to overcome
  problems reported in bug reports). In particular attention should be paid
  to upstream changelog entries

  - Several "failregex" and "ignoreregex" are now accepted.
    Creation of rules should be easier now.
  
    This is an alternative solution to 'multiple <HOST>' entries fix,
    which is not applied to this shipped version - pay cautios if upgrading
    from 0.7.5-3~pre?
 
  - Allow comma in action options. The value of the option must
    be escaped with " or '. 
    That allowed to implement requested ability to ban multiple ports
    at once (See 373592). README.Debian and jail.conf adjusted to reflect
    possible use of iptables-mport
  - Now Fail2ban goes in /usr/share/fail2ban instead of
    /usr/lib/fail2ban. This is more compliant with FHS.
    Patch 00_share_insteadof_lib no longer applied
* Refactored installed by debian package jail.conf:
  - Added option banaction which is to incorporate banning agent
    (usually some flavor of iptables rule), which can then be easily
    overriden globally or per section
  
  - Multiple actions are defined as action_* to serve as shortcuts
pull/3/head
Yaroslav Halchenko 2007-01-04 18:08:09 +00:00
parent e8ce484c05
commit 7fa686a7f2
7 changed files with 161 additions and 160 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
debian/changelog vendored
View File

@ -1,3 +1,38 @@
fail2ban (0.7.6-1~pre1) UNRELEASED; urgency=low
* New upstream release, which incorporates fixes introduced in 3~pre
non-released versions (which were suggested to the users to overcome
problems reported in bug reports). In particular attention should be paid
to upstream changelog entries
- Several "failregex" and "ignoreregex" are now accepted.
Creation of rules should be easier now.
This is an alternative solution to 'multiple <HOST>' entries fix,
which is not applied to this shipped version - pay cautios if upgrading
from 0.7.5-3~pre?
- Allow comma in action options. The value of the option must
be escaped with " or '.
That allowed to implement requested ability to ban multiple ports
at once (See 373592). README.Debian and jail.conf adjusted to reflect
possible use of iptables-mport
- Now Fail2ban goes in /usr/share/fail2ban instead of
/usr/lib/fail2ban. This is more compliant with FHS.
Patch 00_share_insteadof_lib no longer applied
* Refactored installed by debian package jail.conf:
- Added option banaction which is to incorporate banning agent
(usually some flavor of iptables rule), which can then be easily
overriden globally or per section
- Multiple actions are defined as action_* to serve as shortcuts
-- Yaroslav Halchenko <debian@onerussian.com> Thu, 4 Jan 2007 12:21:30 -0500
fail2ban (0.7.5-3~pre6) unstable; urgency=low fail2ban (0.7.5-3~pre6) unstable; urgency=low
* Fail2ban now bans vsftpd logins (corrected logfile path and failregex) * Fail2ban now bans vsftpd logins (corrected logfile path and failregex)

53
debian/jail.conf vendored
View File

@ -33,31 +33,48 @@ backend = polling
# jail.{conf,local} configuration files. # jail.{conf,local} configuration files.
destemail = root@localhost destemail = root@localhost
# Default action to take: ban only #
action = iptables[name=%(__name__)s, port=%(port)s] # ACTIONS
#
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, etc) It is used to define action_* variables. Can
# be overriden globally or per section within jail.local file
banaction = iptables
# The simplest action to take: ban only
action_i = %(banaction)s[name=%(__name__)s, port="%(port)s"]
# Following actions can be chosen as an alternatives to the above action. # Following actions can be chosen as an alternatives to the above action.
# To activate, just copy/paste+uncomment chosen 2 (excluding comments) lines
# into jail.local
# Default action to take: ban & send an e-mail with whois report # Action to take: ban & send an e-mail with whois report to the destemail.
# to the destemail. action_i_mw = %(banaction)s[name=%(__name__)s, port="%(port)s"]
# action = iptables[name=%(__name__)s, port=%(port)s] mail-whois[name=%(__name__)s, dest="%(destemail)s"]
# mail-whois[name=%(__name__)s, dest=%(destemail)s]
# Default action to take: ban & send an e-mail with whois report # Action to take: ban & send an e-mail with whois report
# and relevant log lines to the destemail. # and relevant log lines to the destemail.
# action = iptables[name=%(__name__)s, port=%(port)s] action_i_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s"]
# mail-whois-lines[name=%(__name__)s, dest=%(destemail)s, logpath=%(logpath)s] mail-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
# Next jails corresponds to the standard configuration in Fail2ban 0.6 # Choose default action. To change, just override value of 'action' with the
# which was shipped in Debian. Please enable any defined here jail by including # chosen action (e.g. action_i_mw, action_i_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section (e.g. ssh)
action = action_i
# #
# [SECTION_NAME] # JAILS
#
# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Please enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true # enabled = true
# #
# in /etc/fail2ban/jail.local. # in /etc/fail2ban/jail.local.
# #
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local
[ssh] [ssh]
@ -88,6 +105,14 @@ filter = apache-auth
logpath = /var/log/apache*/*access.log logpath = /var/log/apache*/*access.log
maxretry = 6 maxretry = 6
[apache-multiport]
enabled = false
banaction = iptables-multiport
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*access.log
maxretry = 6
[apache-noscript] [apache-noscript]

80
debian/patches/00_iptables-mports.dpatch vendored Executable file
View File

@ -0,0 +1,80 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 00_iptables-mports.dpatch by Yaroslav Halchenko <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad fail2ban-0.7.5~/config/action.d/iptables-multiport.conf fail2ban-0.7.5/config/action.d/iptables-multiport.conf
--- fail2ban-0.7.5~/config/action.d/iptables-multiport.conf 1969-12-31 19:00:00.000000000 -0500
+++ fail2ban-0.7.5/config/action.d/iptables-multiport.conf 2007-01-04 12:28:46.000000000 -0500
@@ -0,0 +1,69 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Modified by Yaroslav Halchenko for multiport banning
+# $Revision: 455 $
+#
+
+[Definition]
+
+# Option: fwstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = iptables -N fail2ban-<name>
+ iptables -A fail2ban-<name> -j RETURN
+ iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+
+# Option: fwend
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+ iptables -F fail2ban-<name>
+ iptables -X fail2ban-<name>
+
+# Option: fwcheck
+# Notes.: command executed once before each fwban command
+# Values: CMD
+#
+actioncheck = iptables -L INPUT | grep -q fail2ban-<name>
+
+# Option: fwban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# <failures> number of failures
+# <time> unix timestamp of the ban time
+# Values: CMD
+#
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+
+# Option: fwunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# <failures> number of failures
+# <time> unix timestamp of the ban time
+# Values: CMD
+#
+actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+
+[Init]
+
+# Defaut name of the chain
+#
+name = default
+
+# Option: port
+# Notes.: specifies port to monitor
+# Values: [ NUM | STRING ] Default:
+#
+port = ssh
+
+# Option: protocol
+# Notes.: internally used by config reader for interpolations.
+# Values: [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+

84
debian/patches/00_share_insteadof_lib.dpatch vendored
View File

@ -1,84 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 00_share_insteadof_lib.dpatch by Yaroslav Halchenko <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad fail2ban-0.7.5~/fail2ban-client fail2ban-0.7.5/fail2ban-client
--- fail2ban-0.7.5~/fail2ban-client 2006-12-07 20:59:15.000000000 -0500
+++ fail2ban-0.7.5/fail2ban-client 2006-12-07 20:59:15.000000000 -0500
@@ -30,7 +30,7 @@
# Inserts our own modules path first in the list
# fix for bug #343821
-sys.path.insert(1, "/usr/lib/fail2ban")
+sys.path.insert(1, "/usr/share/fail2ban")
# Now we can import our modules
from common.version import version
diff -urNad fail2ban-0.7.5~/fail2ban-regex fail2ban-0.7.5/fail2ban-regex
--- fail2ban-0.7.5~/fail2ban-regex 2006-11-16 15:59:47.000000000 -0500
+++ fail2ban-0.7.5/fail2ban-regex 2006-12-07 20:59:15.000000000 -0500
@@ -29,7 +29,7 @@
# Inserts our own modules path first in the list
# fix for bug #343821
-sys.path.insert(1, "/usr/lib/fail2ban")
+sys.path.insert(1, "/usr/share/fail2ban")
from common.version import version
from server.filter import Filter
diff -urNad fail2ban-0.7.5~/fail2ban-server fail2ban-0.7.5/fail2ban-server
--- fail2ban-0.7.5~/fail2ban-server 2006-12-07 20:59:15.000000000 -0500
+++ fail2ban-0.7.5/fail2ban-server 2006-12-07 20:59:15.000000000 -0500
@@ -29,7 +29,7 @@
# Inserts our own modules path first in the list
# fix for bug #343821
-sys.path.insert(1, "/usr/lib/fail2ban")
+sys.path.insert(1, "/usr/share/fail2ban")
from common.version import version
from server.server import Server
diff -urNad fail2ban-0.7.5~/fail2ban-testcases fail2ban-0.7.5/fail2ban-testcases
--- fail2ban-0.7.5~/fail2ban-testcases 2006-12-07 20:59:15.000000000 -0500
+++ fail2ban-0.7.5/fail2ban-testcases 2006-12-07 20:59:15.000000000 -0500
@@ -30,7 +30,7 @@
# Inserts our own modules path first in the list
# fix for bug #343821
-sys.path.insert(1, "/usr/lib/fail2ban")
+sys.path.insert(1, "/usr/share/fail2ban")
from common.version import version
from testcases import banmanagertestcase
diff -urNad fail2ban-0.7.5~/setup.cfg fail2ban-0.7.5/setup.cfg
--- fail2ban-0.7.5~/setup.cfg 2006-11-01 16:08:43.000000000 -0500
+++ fail2ban-0.7.5/setup.cfg 2006-12-07 20:59:15.000000000 -0500
@@ -1,5 +1,5 @@
[install]
-install-purelib=/usr/lib/fail2ban
+install-purelib=/usr/share/fail2ban
[sdist]
formats=bztar
diff -urNad fail2ban-0.7.5~/setup.py fail2ban-0.7.5/setup.py
--- fail2ban-0.7.5~/setup.py 2006-12-07 20:59:15.000000000 -0500
+++ fail2ban-0.7.5/setup.py 2006-12-07 21:10:02.000000000 -0500
@@ -84,13 +84,13 @@
[
"fail2ban.py"
],
- "/usr/lib/fail2ban/firewall/":
+ "/usr/share/fail2ban/firewall/":
[
"iptables.py",
"ipfwadm.py",
"ipfw.py"
],
- "/usr/lib/fail2ban/":
+ "/usr/share/fail2ban/":
[
"version.py",
"protocol.py"

4
debian/patches/00list vendored
View File

@ -1,8 +1,6 @@
00_share_insteadof_lib 00_iptables-mports
00_iptables_NEW 00_iptables_NEW
00_mail-whois-lines 00_mail-whois-lines
10_dbts_manpages 10_dbts_manpages
10_wuftpd_section 10_wuftpd_section
10_vsftpd_regex 10_vsftpd_regex
10_ssh-ddos_section
10_multiple_HOST_regexp

52
debian/patches/10_ssh-ddos_section.dpatch vendored
View File

@ -1,52 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 10_ssh-ddos_section.dpatch by Yaroslav Halchenko <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad fail2ban-0.7.4~/config/filter.d/sshd-ddos.conf fail2ban-0.7.4/config/filter.d/sshd-ddos.conf
--- fail2ban-0.7.4~/config/filter.d/sshd-ddos.conf 1969-12-31 19:00:00.000000000 -0500
+++ fail2ban-0.7.4/config/filter.d/sshd-ddos.conf 2006-12-26 21:59:03.000000000 -0500
@@ -0,0 +1,22 @@
+# Fail2Ban configuration file
+#
+# Author: Yaroslav Halchenko
+#
+# $Revision: 471 $
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "<HOST>" can
+# be used for standard IP/hostname matching.
+# Values: TEXT
+#
+failregex = sshd\[\S*\]: Did not receive identification string from <HOST>
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff -urNad fail2ban-0.7.4~/config/jail.conf fail2ban-0.7.4/config/jail.conf
--- fail2ban-0.7.4~/config/jail.conf 2006-10-19 16:13:01.000000000 -0400
+++ fail2ban-0.7.4/config/jail.conf 2006-12-26 22:00:03.000000000 -0500
@@ -33,6 +33,15 @@
logpath = /var/log/sshd.log
maxretry = 5
+[ssh-ddos-iptables]
+
+enabled = false
+filter = sshd-ddos
+action = iptables[name=SSH, port=ssh, protocol=tcp]
+ mail-whois[name=SSH, dest=yourmail@mail.com]
+logpath = /var/log/sshd.log
+maxretry = 5
+
[proftpd-iptables]
enabled = false

13
debian/patches/10_vsftpd_regex.dpatch vendored
View File

@ -5,15 +5,14 @@
## DP: No description. ## DP: No description.
@DPATCH@ @DPATCH@
diff -urNad fail2ban-0.7.5~/config/filter.d/vsftpd.conf fail2ban-0.7.5/config/filter.d/vsftpd.conf diff -urNad fail2ban-0.7.6~/config/filter.d/vsftpd.conf fail2ban-0.7.6/config/filter.d/vsftpd.conf
--- fail2ban-0.7.5~/config/filter.d/vsftpd.conf 2006-11-19 16:34:49.000000000 -0500 --- fail2ban-0.7.6~/config/filter.d/vsftpd.conf 2006-12-23 04:56:55.000000000 -0500
+++ fail2ban-0.7.5/config/filter.d/vsftpd.conf 2006-12-21 23:50:14.000000000 -0500 +++ fail2ban-0.7.6/config/filter.d/vsftpd.conf 2007-01-04 12:42:01.000000000 -0500
@@ -13,7 +13,7 @@ @@ -15,6 +15,7 @@
# be used for standard IP/hostname matching.
# Values: TEXT # Values: TEXT
# #
-failregex = vsftpd: \(pam_unix\) authentication failure; .* rhost=<HOST> failregex = vsftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
+failregex = (?:vsftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>|\[.+\] FAIL LOGIN: Client "<HOST>"$) + \[.+\] FAIL LOGIN: Client "<HOST>"$
# Option: ignoreregex # Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored. # Notes.: regex to ignore. If this regex matches, the line is ignored.