Merge remote-tracking branch 'remotes/upstream/master' into ban-time-incr

pull/716/head
sebres 2014-09-16 13:53:15 +02:00
commit 930678cc0e
10 changed files with 90 additions and 16 deletions


@ -29,6 +29,7 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
provides defaults for the chain, port, protocol and name tags provides defaults for the chain, port, protocol and name tags
- Fixes: - Fixes:
* UTF-8 fixes in pure-ftp thanks to Johannes Weberhofer. Closes gh-806.
* systemd backend error on bad utf-8 in python3 * systemd backend error on bad utf-8 in python3
* badips.py action error when logging HTTP error raised with badips request * badips.py action error when logging HTTP error raised with badips request
* fail2ban-regex failed to work in python3 due to space/tab mix * fail2ban-regex failed to work in python3 due to space/tab mix
@ -61,12 +62,17 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
* cyrus-imap -- also catch also failed logins via secured (imaps/pop3s). * cyrus-imap -- also catch also failed logins via secured (imaps/pop3s).
Regression was introduced while strengthening failregex in 0.8.11 (bd175f) Regression was introduced while strengthening failregex in 0.8.11 (bd175f)
Debian bug #755173 Debian bug #755173
* postfix-sasl -- added journalmatch. Thanks Luc Maisonobe * postfix-sasl - added journalmatch. Thanks Luc Maisonobe
* postfix* - match with a new daemon string (postfix/submission/smtpd).
Closes gh-804 . Thanks Paul Traina
* apache - added filter for AH01630 client denied by server configuration.
- New features: - New features:
- Added - New filters:
- monit filter. Thanks Jason H Martin - monit Thanks Jason H Martin
- directadmin filter. Thanks niorg - directadmin Thanks niorg
- New actions:
- symbiosis-blacklist-allports for Bytemark symbiosis firewall
- fail2ban-client can fetch the running server version - fail2ban-client can fetch the running server version
- Added Cloudflare API action - Added Cloudflare API action

4
THANKS

@ -44,10 +44,11 @@ Hank Leininger
Hanno 'Rince' Wagner Hanno 'Rince' Wagner
Helmut Grohne Helmut Grohne
Iain Lea Iain Lea
Ioan Indreias
Ivo Truxa Ivo Truxa
John Thoe John Thoe
Jacques Lav!gnotte Jacques Lav!gnotte
Ioan Indreias Johannes Weberhofer
Jason H Martin Jason H Martin
Jisoo Park Jisoo Park
Joel M Snyder Joel M Snyder
@ -80,6 +81,7 @@ Mika (mkl)
Nick Munger Nick Munger
onorua onorua
Paul Marrapese Paul Marrapese
Paul Traina
Noel Butler Noel Butler
Patrick Börjesson Patrick Börjesson
Pressy Pressy


@ -0,0 +1,52 @@
# Fail2Ban configuration file for Bytemark Symbiosis firewall
#
# Author: Yaroslav Halchenko
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart =
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain>
# Option: actionban
# Notes.: command executed when banning an IP.
# Values: CMD
#
actionban = echo 'all' >| /etc/symbiosis/firewall/blacklist.d/<ip>.auto
iptables -I <chain> 1 -s <ip> -j <blocktype>
# Option: actionunban
# Notes.: command executed when unbanning an IP.
# Values: CMD
#
actionunban = rm -f /etc/symbiosis/firewall/blacklist.d/<ip>.auto
iptables -D <chain> -s <ip> -j <blocktype> || :
[Init]
# Option: chain
# Notes specifies the iptables chain to which the fail2ban rules should be
# added to. blacklist is a chain initiated by symbiosis firewall.
# Values: STRING Default: blacklist
chain = blacklist
# Option: blocktype
# Note: This is to match default symbiosis firewall type for blacklisted IPs
# Values: STRING
blocktype = DROP
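Review bot: The option comment `# Notes specifies the iptables chain to which the fail2ban rules should be` in `[Init]` drops the `# Notes.:` prefix every other option block in this file uses, and `blocktype` has no `Default:` line where `chain` does; suggest `# Notes.: specifies the iptables chain to which the fail2ban rules should be` and `# Values: STRING Default: DROP`. More important for an operator, `actionban` writes `<ip>.auto` into `/etc/symbiosis/firewall/blacklist.d/` and nothing in the file says that directory must exist and be writable by the fail2ban server; `actionstart` is empty, so the prerequisite is never checked, and if the `echo` fails the `iptables -I` on the next line still runs (I am inferring that the two lines execute as one shell script). A comment above `actionban` such as `# Notes.: requires /etc/symbiosis/firewall/blacklist.d/ to exist and be writable by the fail2ban server` would state the assumption, or `actioncheck = iptables -n -L <chain> && test -d /etc/symbiosis/firewall/blacklist.d` would verify it before each ban.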


@ -10,7 +10,7 @@ before = apache-common.conf
[Definition] [Definition]
failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$ failregex = ^%(_apache_error_client)s (AH(01797|01630): )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$ ^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$
^%(_apache_error_client)s (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$ ^%(_apache_error_client)s (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$
^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*(, referer: \S+)?\s*$ ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*(, referer: \S+)?\s*$


@ -7,10 +7,12 @@ before = common.conf
[Definition] [Definition]
_daemon = postfix/smtpd _daemon = postfix/(submission/)?smtp(d|s)
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$ failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
ignoreregex =
[Init] [Init]
journalmatch = _SYSTEMD_UNIT=postfix.service journalmatch = _SYSTEMD_UNIT=postfix.service
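Review bot: The new `_daemon = postfix/(submission/)?smtp(d|s)` admits a bare `postfix/smtps` daemon name, but when Postfix runs smtpd under a differently named master.cf service it logs `postfix/<service>/smtpd` — the sample added to the postfix-sasl test log on this page (`postfix/submission/smtpd[11538]`) shows that form — so an `smtps` service would appear as `postfix/smtps/smtpd` and still not match, while the `smtps` alternative matches no log line I can see. If the intent is to cover the smtps service, `_daemon = postfix/(submission/|smtps/)?smtpd` expresses it; the identical pattern is introduced in postfix.conf in the next file section and would need the same change. I am inferring the naming rule from the one sample, so this is worth checking against a real smtps log line before changing.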


@ -10,7 +10,7 @@ before = common.conf
[Definition] [Definition]
_daemon = postfix/smtpd _daemon = postfix/(submission/)?smtp(d|s)
failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$ failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$ ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$


@ -15,7 +15,7 @@ before = common.conf
_daemon = pure-ftpd _daemon = pure-ftpd
# Error message specified in multiple languages # Error message specified in multiple languages
__errmsg = (?:<EFBFBD>ϥΪ<EFBFBD>\[.*\]<5D><><EFBFBD>ҥ<EFBFBD><D2A5><EFBFBD>|ʹ<><CAB9><EFBFBD><EFBFBD>\[.*\]<5D><>֤ʧ<D6A4><CAA7>|\[.*\] kullan<61>c<EFBFBD>s<EFBFBD> i<>in giri<72> hatal<61>|<7C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> \[.*\]|Godkjennelse mislyktes for \[.*\]|Beh<65>righetskontroll misslyckas f<>r anv<6E>ndare \[.*\]|Autentifikacia uzivatela zlyhala \[.*\]|Autentificare esuata pentru utilizatorul \[.*\]|Autentica<63><61>o falhou para usu<73>rio \[.*\]|Autentyfikacja nie powiod<6F>a si<73> dla u<>ytkownika \[.*\]|Autorisatie faalde voor gebruiker \[.*\]|\[.*\] <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>|Autenticazione falita per l'utente \[.*\]|Azonos<6F>t<EFBFBD>s sikertelen \[.*\] felhaszn<7A>l<EFBFBD>nak|\[.*\] c'est un batard, il connait pas son code|Erreur d'authentification pour l'utilisateur \[.*\]|Autentificaci<63>n fallida para el usuario \[.*\]|Authentication failed for user \[.*\]|Authentifizierung fehlgeschlagen f<>r Benutzer \[.*\].|Godkendelse mislykkedes for \[.*\]|Autentifikace u<>ivatele selhala \[.*\]) __errmsg = (?:Godkendelse mislykkedes for \[.*\]|Authentifizierung fehlgeschlagen für Benutzer \[.*\].|Authentication failed for user \[.*\]|Autentificación fallida para el usuario \[.*\]|\[.*\] c'est un batard, il connait pas son code|Erreur d'authentification pour l'utilisateur \[.*\]|Azonosítás sikertelen \[.*\] felhasználónak|Autenticazione falita per l'utente \[.*\]|Autorisatie faalde voor gebruiker \[.*\]|Godkjennelse mislyktes for \[.*\]|\[.*\] kullanýcýsý için giriþ hatalý|Autenticação falhou para usuário \[.*\]|Autentificare esuata pentru utilizatorul \[.*\]|Autentifikace uživatele selhala \[.*\]|Autentyfikacja nie powiodła się dla użytkownika \[.*\]|Autentifikacia uzivatela zlyhala \[.*\]|Behörighetskontroll misslyckas för användare 
\[.*\]|Авторизация не удалась пользователю \[.*\]|\[.*\] 嶸盪 檣隸 褒ぬ|妏蚚氪\[.*\]桄痐囮啖|使用者\[.*\]驗證失敗)
failregex = ^%(__prefix_line)s\(.+?@<HOST>\) \[WARNING\] %(__errmsg)s\s*$ failregex = ^%(__prefix_line)s\(.+?@<HOST>\) \[WARNING\] %(__errmsg)s\s*$
@ -24,7 +24,13 @@ ignoreregex =
# Author: Cyril Jaquier # Author: Cyril Jaquier
# Modified: Yaroslav Halchenko for pure-ftpd # Modified: Yaroslav Halchenko for pure-ftpd
# Documentation thanks to Blake on http://www.fail2ban.org/wiki/index.php?title=Fail2ban:Community_Portal # Documentation thanks to Blake on http://www.fail2ban.org/wiki/index.php?title=Fail2ban:Community_Portal
# UTF-8 editing and mechanism thanks to Johannes Weberhofer
# #
# Only logs to syslog though facility can be changed configuration file/command line # Only logs to syslog though facility can be changed configuration file/command line
# #
# fgrep -r MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src # To get messages in the right encoding:
# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[defhint]* | grep -Po '".?"' | recode latin1..utf-8 | tr -d '"' > messages
# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[pr][to] | grep -Po '".?"' | recode latin1..utf-8 | tr -d '"' >> messages
# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[cps][slkv] | grep -Po '".?"' | recode latin2..utf-8 | tr -d '"' >> messages
# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_ru | grep -Po '".?"' | recode KOI8-R..utf-8 | tr -d '"' >> messages
# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[kz] | grep -Po '".*?"' | tr -d '"' | recode big5..utf-8 >> messages
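Review bot: Recoding `__errmsg` to UTF-8 means the localized alternatives now match only when the pure-ftpd log lines themselves are UTF-8; a server whose message catalogue is still emitted in the latin1, latin2, KOI8-R or big5 encodings the `recode` recipe converts from will silently stop matching those messages, leaving only the English alternative effective (inferred from the recipe lines in this hunk, not from a log sample). Since the ChangeLog entry presents this as a fix, the assumption deserves a line above `__errmsg`, e.g. `# NOTE: the localized messages below are UTF-8; logs written in a legacy single-byte or big5 locale will not match them`. The recipe comments also omit the locale precondition for the ru and kz/zh catalogues that the commands themselves encode, so a one-line summary of which encoding each catalogue family was converted from would help the next person regenerating this list.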


@ -414,7 +414,7 @@ logpath = /var/log/monit
[webmin-auth] [webmin-auth]
port = 10000 port = 10000
logpath = /var/log/auth.log logpath = %(syslog_authpriv)s
# #
@ -467,7 +467,7 @@ maxretry = 6
[vsftpd] [vsftpd]
# or overwrite it in jails.local to be # or overwrite it in jails.local to be
# logpath = /var/log/auth.log # logpath = %(syslog_authpriv)s
# if you want to rely on PAM failed login attempts # if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats # vsftpd's failregex should match both of those formats
port = ftp,ftp-data,ftps,ftps-data port = ftp,ftp-data,ftps,ftps-data
@ -577,7 +577,7 @@ logpath = %(postfix_log)s
[perdition] [perdition]
port = imap3,imaps,pop3,pop3s port = imap3,imaps,pop3,pop3s
logpath = /var/log/maillog logpath = %(syslog_mail)s
[squirrelmail] [squirrelmail]
@ -701,13 +701,13 @@ maxretry = 5
[pam-generic] [pam-generic]
# pam-generic filter can be customized to monitor specific subset of 'tty's # pam-generic filter can be customized to monitor specific subset of 'tty's
banaction = iptables-allports banaction = iptables-allports
logpath = /var/log/auth.log logpath = %(syslog_authpriv)s
[xinetd-fail] [xinetd-fail]
banaction = iptables-multiport-log banaction = iptables-multiport-log
logpath = /var/log/daemon.log logpath = %(syslog_daemon)s
maxretry = 2 maxretry = 2
@ -737,7 +737,7 @@ action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp
[nagios] [nagios]
enabled = false enabled = false
logpath = /var/log/messages ; nrpe.cfg may define a different log_facility logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility
maxretry = 1 maxretry = 1
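Review bot: The replaced `logpath` values in `[webmin-auth]`, `[perdition]`, `[pam-generic]`, `[xinetd-fail]` and `[nagios]` now depend on `syslog_authpriv`, `syslog_mail` and `syslog_daemon` resolving from `[DEFAULT]`; none of those names is defined in the hunks shown, and under configparser interpolation an undefined one raises when the jail is read instead of falling back to the old literal path. This is presumably supplied by the `paths-*.conf` include outside this page, so I would confirm every shipped paths file defines all three and add near the first use a comment such as `# syslog_authpriv, syslog_daemon and syslog_mail are defined by the paths-* file selected in [INCLUDES]`. The `[nagios]` line keeps an inline `; nrpe.cfg may define a different log_facility` comment after the value; that predates this change but relies on the parser stripping inline `;` comments, so moving it to its own line above `logpath` would be safer.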


@ -19,6 +19,9 @@
# failJSON: { "time": "2013-07-20T21:34:49", "match": true , "host": "127.0.0.1" } # failJSON: { "time": "2013-07-20T21:34:49", "match": true , "host": "127.0.0.1" }
[Sat Jul 20 21:34:49.453232 2013] [access_compat:error] [pid 17512:tid 140123104306944] [client 127.0.0.1:51380] AH01797: client denied by server configuration: /var/www/html/noentry/cant_get_me.html [Sat Jul 20 21:34:49.453232 2013] [access_compat:error] [pid 17512:tid 140123104306944] [client 127.0.0.1:51380] AH01797: client denied by server configuration: /var/www/html/noentry/cant_get_me.html
# failJSON: { "time": "2014-09-14T21:44:43", "match": true , "host": "192.3.9.178" }
[Sun Sep 14 21:44:43.008606 2014] [authz_core:error] [pid 10691] [client 192.3.9.178:44271] AH01630: client denied by server configuration: /var/www/html/noentry/cant_get_me.html
# wget --http-user='' --http-password='' http://localhost/basic/file/cant_get_me.html -O /dev/null # wget --http-user='' --http-password='' http://localhost/basic/file/cant_get_me.html -O /dev/null
# failJSON: { "time": "2013-07-17T23:14:37", "match": true , "host": "127.0.0.1" } # failJSON: { "time": "2013-07-17T23:14:37", "match": true , "host": "127.0.0.1" }
[Wed Jul 17 23:14:37 2013] [error] [client 127.0.0.1] user not found: /basic/anon/cant_get_me.html [Wed Jul 17 23:14:37 2013] [error] [client 127.0.0.1] user not found: /basic/anon/cant_get_me.html


@ -5,3 +5,6 @@ Dec 2 22:24:22 hel postfix/smtpd[7676]: warning: 114-44-142-233.dynamic.hinet.n
# failJSON: { "time": "2005-03-10T13:33:30", "match": true , "host": "1.1.1.1" } # failJSON: { "time": "2005-03-10T13:33:30", "match": true , "host": "1.1.1.1" }
Mar 10 13:33:30 gandalf postfix/smtpd[3937]: warning: HOSTNAME[1.1.1.1]: SASL LOGIN authentication failed: authentication failure Mar 10 13:33:30 gandalf postfix/smtpd[3937]: warning: HOSTNAME[1.1.1.1]: SASL LOGIN authentication failed: authentication failure
#3 Example from postfix post-debian changes to rename to add "submission" to syslog name
# failJSON: { "time": "2004-09-06T00:44:56", "match": true , "host": "82.221.106.233" }
Sep 6 00:44:56 trianon postfix/submission/smtpd[11538]: warning: unknown[82.221.106.233]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
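Review bot: The comment introducing the new sample, `#3 Example from postfix post-debian changes to rename to add "submission" to syslog name`, is hard to parse and does not follow the `# failJSON:` comment style of the lines above it; suggest `# 3. Debian's postfix master.cf runs smtpd as the "submission" service, so it logs as postfix/submission/smtpd`. This is the only sample exercising the new `(submission/)?` alternative in the filter, so if the `smtps` form is also meant to be covered a matching log line for it would give that branch a test too.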