mirror of https://github.com/fail2ban/fail2ban
Merge commit 'upstream/0.8.4+svn20110323' into debian
* commit 'upstream/0.8.4+svn20110323': (37 commits) BF: proftpd filter -- if login failed -- count regardless of the reason for failure BF: Allow for trailing spaces in proftpd logs BF: escaping () in pure-ftpd filter. Thanks Teodor BF: allow space in the trailing of failregex for sasl.conf: see http://bugs.debian.org/573314 ENH: add <chain> to action.d/iptables*. Thanks Matthijs Kooijman: see http://bugs.debian.org/515599 NF: Adding found on a drive filter.d/dovecot.conf ENH: make filter.d/apache-overflows.conf catch more: see http://bugs.debian.org/574182 ENH: dropbear filter: see http://bugs.debian.org/546913 BF: Use /var/run/fail2ban instead of /tmp for temp files in actions: see http://bugs.debian.org/544232 spellcheck jail.conf. Thanks Christoph Anton Mitterer default ignoreip to ignore entire loopback zone (/8): see http://bugs.debian.org/598200 Tai64N stores time in GMT, we need to convert to local time before returning debug entry for lines ignored due to falling below findtime (v2) disabling entirely named-refused-udp jail with a big fat warning added time module. bug reported in buanzo's blog at http://blogs.buanzo.com.ar/2009/04/fail2ban-patch-ban-ip-address-manually.html - Patch to make log file descriptors cloexec to stop leaking file descriptors on fork/exec. Thanks to Jonathan Underwood. https://bugzilla.redhat.com/show_bug.cgi?id=230191#c24 - Changed to SVN version. - Release 0.8.4. - Oups... Forgot the ChangeLog... - Check the inode number for rotation in addition to checking the first line of the file. Thanks to Jonathan Kamens. - Red Hat Bugzilla - Bug 503852 - SF.net Bug #2800279. ...pull/3/head
commit
898fab7758
|
@ -24,4 +24,4 @@ __date__ = "$Date: 2009-09-07 21:13:45 +0200 (Mon, 07 Sep 2009) $"
|
|||
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
|
||||
__license__ = "GPL"
|
||||
|
||||
version = "0.8.4"
|
||||
version = "0.8.4-SVN"
|
||||
|
|
|
@ -206,5 +206,5 @@ dest = reports@dshield.org
|
|||
# Notes.: Base name of temporary files used for buffering
|
||||
# Values: [ STRING ] Default: /tmp/fail2ban-dshield
|
||||
#
|
||||
tmpfile = /tmp/fail2ban-dshield
|
||||
tmpfile = /var/run/fail2ban/tmp-dshield
|
||||
|
||||
|
|
|
@ -15,13 +15,13 @@
|
|||
#
|
||||
actionstart = iptables -N fail2ban-<name>
|
||||
iptables -A fail2ban-<name> -j RETURN
|
||||
iptables -I INPUT -p <protocol> -j fail2ban-<name>
|
||||
iptables -I <chain> -p <protocol> -j fail2ban-<name>
|
||||
|
||||
# Option: actionstop
|
||||
# Notes.: command executed once at the end of Fail2Ban
|
||||
# Values: CMD
|
||||
#
|
||||
actionstop = iptables -D INPUT -p <protocol> -j fail2ban-<name>
|
||||
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
|
||||
iptables -F fail2ban-<name>
|
||||
iptables -X fail2ban-<name>
|
||||
|
||||
|
@ -29,7 +29,7 @@ actionstop = iptables -D INPUT -p <protocol> -j fail2ban-<name>
|
|||
# Notes.: command executed once before each actionban command
|
||||
# Values: CMD
|
||||
#
|
||||
actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
|
||||
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
|
||||
|
||||
# Option: actionban
|
||||
# Notes.: command executed when banning an IP. Take care that the
|
||||
|
@ -63,3 +63,8 @@ name = default
|
|||
#
|
||||
protocol = tcp
|
||||
|
||||
# Option: chain
|
||||
# Notes specifies the iptables chain to which the fail2ban rules should be
|
||||
# added
|
||||
# Values: STRING Default: INPUT
|
||||
chain = INPUT
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
#
|
||||
# make "fail2ban-<name>" chain to match drop IP
|
||||
# make "fail2ban-<name>-log" chain to log and drop
|
||||
# insert a jump to fail2ban-<name> from -I INPUT if proto/port match
|
||||
# insert a jump to fail2ban-<name> from -I <chain> if proto/port match
|
||||
#
|
||||
# $Revision: 668 $
|
||||
#
|
||||
|
@ -18,7 +18,7 @@
|
|||
#
|
||||
actionstart = iptables -N fail2ban-<name>
|
||||
iptables -A fail2ban-<name> -j RETURN
|
||||
iptables -I INPUT 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
|
||||
iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
|
||||
iptables -N fail2ban-<name>-log
|
||||
iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
|
||||
iptables -A fail2ban-<name>-log -j DROP
|
||||
|
@ -27,7 +27,7 @@ actionstart = iptables -N fail2ban-<name>
|
|||
# Notes.: command executed once at the end of Fail2Ban
|
||||
# Values: CMD
|
||||
#
|
||||
actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
|
||||
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
|
||||
iptables -F fail2ban-<name>
|
||||
iptables -F fail2ban-<name>-log
|
||||
iptables -X fail2ban-<name>
|
||||
|
@ -76,3 +76,9 @@ port = ssh
|
|||
# Values: [ tcp | udp | icmp | all ] Default: tcp
|
||||
#
|
||||
protocol = tcp
|
||||
|
||||
# Option: chain
|
||||
# Notes specifies the iptables chain to which the fail2ban rules should be
|
||||
# added
|
||||
# Values: STRING Default: INPUT
|
||||
chain = INPUT
|
||||
|
|
|
@ -13,13 +13,13 @@
|
|||
#
|
||||
actionstart = iptables -N fail2ban-<name>
|
||||
iptables -A fail2ban-<name> -j RETURN
|
||||
iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
|
||||
iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
|
||||
|
||||
# Option: actionstop
|
||||
# Notes.: command executed once at the end of Fail2Ban
|
||||
# Values: CMD
|
||||
#
|
||||
actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
|
||||
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
|
||||
iptables -F fail2ban-<name>
|
||||
iptables -X fail2ban-<name>
|
||||
|
||||
|
@ -27,7 +27,7 @@ actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fai
|
|||
# Notes.: command executed once before each actionban command
|
||||
# Values: CMD
|
||||
#
|
||||
actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
|
||||
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
|
||||
|
||||
# Option: actionban
|
||||
# Notes.: command executed when banning an IP. Take care that the
|
||||
|
@ -67,3 +67,8 @@ port = ssh
|
|||
#
|
||||
protocol = tcp
|
||||
|
||||
# Option: chain
|
||||
# Notes specifies the iptables chain to which the fail2ban rules should be
|
||||
# added
|
||||
# Values: STRING Default: INPUT
|
||||
chain = INPUT
|
||||
|
|
|
@ -15,13 +15,13 @@
|
|||
#
|
||||
actionstart = iptables -N fail2ban-<name>
|
||||
iptables -A fail2ban-<name> -j RETURN
|
||||
iptables -I INPUT -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
|
||||
iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
|
||||
|
||||
# Option: actionstop
|
||||
# Notes.: command executed once at the end of Fail2Ban
|
||||
# Values: CMD
|
||||
#
|
||||
actionstop = iptables -D INPUT -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
|
||||
actionstop = iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
|
||||
iptables -F fail2ban-<name>
|
||||
iptables -X fail2ban-<name>
|
||||
|
||||
|
@ -29,7 +29,7 @@ actionstop = iptables -D INPUT -m state --state NEW -p <protocol> --dport <port>
|
|||
# Notes.: command executed once before each actionban command
|
||||
# Values: CMD
|
||||
#
|
||||
actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
|
||||
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
|
||||
|
||||
# Option: actionban
|
||||
# Notes.: command executed when banning an IP. Take care that the
|
||||
|
@ -69,3 +69,8 @@ port = ssh
|
|||
#
|
||||
protocol = tcp
|
||||
|
||||
# Option: chain
|
||||
# Notes specifies the iptables chain to which the fail2ban rules should be
|
||||
# added
|
||||
# Values: STRING Default: INPUT
|
||||
chain = INPUT
|
||||
|
|
|
@ -13,13 +13,13 @@
|
|||
#
|
||||
actionstart = iptables -N fail2ban-<name>
|
||||
iptables -A fail2ban-<name> -j RETURN
|
||||
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
|
||||
iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
|
||||
|
||||
# Option: actionstop
|
||||
# Notes.: command executed once at the end of Fail2Ban
|
||||
# Values: CMD
|
||||
#
|
||||
actionstop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
|
||||
actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
|
||||
iptables -F fail2ban-<name>
|
||||
iptables -X fail2ban-<name>
|
||||
|
||||
|
@ -27,7 +27,7 @@ actionstop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
|
|||
# Notes.: command executed once before each actionban command
|
||||
# Values: CMD
|
||||
#
|
||||
actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
|
||||
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
|
||||
|
||||
# Option: actionban
|
||||
# Notes.: command executed when banning an IP. Take care that the
|
||||
|
@ -67,3 +67,8 @@ port = ssh
|
|||
#
|
||||
protocol = tcp
|
||||
|
||||
# Option: chain
|
||||
# Notes specifies the iptables chain to which the fail2ban rules should be
|
||||
# added
|
||||
# Values: STRING Default: INPUT
|
||||
chain = INPUT
|
||||
|
|
|
@ -81,7 +81,7 @@ lines = 5
|
|||
|
||||
# Default temporary file
|
||||
#
|
||||
tmpfile = /tmp/fail2ban-mail.txt
|
||||
tmpfile = /var/run/fail2ban/tmp-mail.txt
|
||||
|
||||
# Destination/Addressee of the mail
|
||||
#
|
||||
|
|
|
@ -141,4 +141,4 @@ mnwurl = http://mynetwatchman.com/insertwebreport.asp
|
|||
# Notes.: Base name of temporary files
|
||||
# Values: [ STRING ] Default: /tmp/fail2ban-mynetwatchman
|
||||
#
|
||||
tmpfile = /tmp/fail2ban-mynetwatchman
|
||||
tmpfile = /var/run/fail2ban/tmp-mynetwatchman
|
||||
|
|
|
@ -101,5 +101,5 @@ lines = 5
|
|||
|
||||
# Default temporary file
|
||||
#
|
||||
tmpfile = /tmp/fail2ban-mail.txt
|
||||
tmpfile = /var/run/fail2ban/tmp-mail.txt
|
||||
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
# Notes.: Regexp to catch Apache overflow attempts.
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = [[]client <HOST>[]] (Invalid method in request|request failed: URI too long|erroneous characters after protocol string)
|
||||
failregex = [[]client <HOST>[]] (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string)
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
|
|
|
@ -0,0 +1,23 @@
|
|||
# Fail2Ban configuration file for dovcot
|
||||
#
|
||||
# Author:
|
||||
#
|
||||
# $Revision: $
|
||||
#
|
||||
|
||||
[Definition]
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = .*(?: pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
|
@ -0,0 +1,52 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# Author: Francis Russell
|
||||
# Zak B. Elep
|
||||
#
|
||||
# $Revision$
|
||||
#
|
||||
# More information: http://bugs.debian.org/546913
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
# Read common prefixes. If any customizations available -- read them from
|
||||
# common.local
|
||||
before = common.conf
|
||||
|
||||
|
||||
[Definition]
|
||||
|
||||
_daemon = dropbear
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
||||
# Values: TEXT
|
||||
|
||||
# These match the unmodified dropbear messages. It isn't possible to
|
||||
# match the source of the 'exit before auth' messages from dropbear.
|
||||
#
|
||||
failregex = ^%(__prefix_line)slogin attempt for nonexistent user ('.*' )?from <HOST>:.*\s*$
|
||||
^%(__prefix_line)sbad password attempt for .+ from <HOST>:.*\s*$
|
||||
|
||||
# The only line we need to match with the modified dropbear.
|
||||
|
||||
# NOTE: The failregex below is ONLY intended to work with a patched
|
||||
# version of Dropbear as described here:
|
||||
# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
|
||||
#
|
||||
# The standard Dropbear output doesn't provide enough information to
|
||||
# ban all types of attack. The Dropbear patch adds IP address
|
||||
# information to the 'exit before auth' message which is always
|
||||
# produced for any form of non-successful login. It is that message
|
||||
# which this file matches.
|
||||
|
||||
# failregex = ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
|
@ -14,10 +14,10 @@
|
|||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
|
||||
\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
|
||||
\(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
|
||||
\(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$
|
||||
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+ *$
|
||||
\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): .*$
|
||||
\(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\. *$
|
||||
\(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
|
|
|
@ -19,7 +19,7 @@ __errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'ut
|
|||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$
|
||||
failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
|
|
|
@ -14,7 +14,7 @@
|
|||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
|
||||
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
# $Revision: 747 $
|
||||
#
|
||||
|
||||
# The DEFAULT allows a global definition of the options. They can be override
|
||||
# The DEFAULT allows a global definition of the options. They can be overridden
|
||||
# in each jail afterwards.
|
||||
|
||||
[DEFAULT]
|
||||
|
@ -13,7 +13,7 @@
|
|||
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
|
||||
# ban a host which matches an address in this list. Several addresses can be
|
||||
# defined using space separator.
|
||||
ignoreip = 127.0.0.1
|
||||
ignoreip = 127.0.0.1/8
|
||||
|
||||
# "bantime" is the number of seconds that a host is banned.
|
||||
bantime = 600
|
||||
|
@ -211,14 +211,22 @@ ignoreip = 168.192.0.1
|
|||
# in your named.conf to provide proper logging.
|
||||
# This jail blocks UDP traffic for DNS requests.
|
||||
|
||||
[named-refused-udp]
|
||||
|
||||
enabled = false
|
||||
filter = named-refused
|
||||
action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
|
||||
sendmail-whois[name=Named, dest=you@mail.com]
|
||||
logpath = /var/log/named/security.log
|
||||
ignoreip = 168.192.0.1
|
||||
# !!! WARNING !!!
|
||||
# Since UDP is connection-less protocol, spoofing of IP and imitation
|
||||
# of illegal actions is way too simple. Thus enabling of this filter
|
||||
# might provide an easy way for implementing a DoS against a chosen
|
||||
# victim. See
|
||||
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
|
||||
# Please DO NOT USE this jail unless you know what you are doing.
|
||||
#
|
||||
# [named-refused-udp]
|
||||
#
|
||||
# enabled = false
|
||||
# filter = named-refused
|
||||
# action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
|
||||
# sendmail-whois[name=Named, dest=you@mail.com]
|
||||
# logpath = /var/log/named/security.log
|
||||
# ignoreip = 168.192.0.1
|
||||
|
||||
# This jail blocks TCP traffic for DNS requests.
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# -*- coding: utf8 -*-
|
||||
# -*- coding: utf-8 -*-
|
||||
# This file is part of Fail2Ban.
|
||||
#
|
||||
# Fail2Ban is free software; you can redistribute it and/or modify
|
||||
|
@ -168,7 +168,8 @@ class DateTai64n(DateTemplate):
|
|||
# extract part of format which represents seconds since epoch
|
||||
value = dateMatch.group()
|
||||
seconds_since_epoch = value[2:17]
|
||||
date = list(time.gmtime(int(seconds_since_epoch, 16)))
|
||||
# convert seconds from HEX into local time stamp
|
||||
date = list(time.localtime(int(seconds_since_epoch, 16)))
|
||||
return date
|
||||
|
||||
|
||||
|
|
|
@ -31,7 +31,7 @@ from datedetector import DateDetector
|
|||
from mytime import MyTime
|
||||
from failregex import FailRegex, Regex, RegexException
|
||||
|
||||
import logging, re, os
|
||||
import logging, re, os, fcntl, time
|
||||
|
||||
# Gets the instance of the logger.
|
||||
logSys = logging.getLogger("fail2ban.filter")
|
||||
|
@ -268,7 +268,11 @@ class Filter(JailThread):
|
|||
for element in self.processLine(line):
|
||||
ip = element[0]
|
||||
unixTime = element[1]
|
||||
logSys.debug("Processing line with time:%s and ip:%s"
|
||||
% (unixTime, ip))
|
||||
if unixTime < MyTime.time() - self.getFindTime():
|
||||
logSys.debug("Ignore line since time %s < %s - %s"
|
||||
% (unixTime, MyTime.time(), self.getFindTime()))
|
||||
break
|
||||
if self.inIgnoreIPList(ip):
|
||||
logSys.debug("Ignore %s" % ip)
|
||||
|
@ -469,6 +473,9 @@ class FileContainer:
|
|||
|
||||
def open(self):
|
||||
self.__handler = open(self.__filename)
|
||||
# Set the file descriptor to be FD_CLOEXEC
|
||||
fd = self.__handler.fileno()
|
||||
fcntl.fcntl(fd, fcntl.F_SETFD, fd | fcntl.FD_CLOEXEC)
|
||||
firstLine = self.__handler.readline()
|
||||
# Computes the MD5 of the first line.
|
||||
myHash = md5.new(firstLine).digest()
|
||||
|
|
Loading…
Reference in New Issue