From 638bb665234e58245ef1f4802441fa76ec2f5f2b Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Wed, 23 Mar 2011 20:35:56 +0000 Subject: [PATCH 1/9] BF: Use /var/run/fail2ban instead of /tmp for temp files in actions: see http://bugs.debian.org/544232 It should be robust since /var/run/fail2ban is guaranteed to exist to carry the socket file, and it will be owned by root (or some other dedicated fail2ban user) thus avoiding possibility for the exploit git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@767 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- config/action.d/dshield.conf | 2 +- config/action.d/mail-buffered.conf | 2 +- config/action.d/mynetwatchman.conf | 2 +- config/action.d/sendmail-buffered.conf | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf index b80698b4..8549a550 100644 --- a/config/action.d/dshield.conf +++ b/config/action.d/dshield.conf @@ -206,5 +206,5 @@ dest = reports@dshield.org # Notes.: Base name of temporary files used for buffering # Values: [ STRING ] Default: /tmp/fail2ban-dshield # -tmpfile = /tmp/fail2ban-dshield +tmpfile = /var/run/fail2ban/tmp-dshield diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf index 8a33d0ea..6fd51d23 100644 --- a/config/action.d/mail-buffered.conf +++ b/config/action.d/mail-buffered.conf @@ -81,7 +81,7 @@ lines = 5 # Default temporary file # -tmpfile = /tmp/fail2ban-mail.txt +tmpfile = /var/run/fail2ban/tmp-mail.txt # Destination/Addressee of the mail # diff --git a/config/action.d/mynetwatchman.conf b/config/action.d/mynetwatchman.conf index 15b91b11..f0e55153 100644 --- a/config/action.d/mynetwatchman.conf +++ b/config/action.d/mynetwatchman.conf 
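Review bot: The `# Values: [ STRING ] Default: /tmp/fail2ban-dshield` context line directly above the changed key still documents the old location, so the comment and the default now disagree; update it to `# Values: [ STRING ] Default: /var/run/fail2ban/tmp-dshield` (the mynetwatchman hunk below carries the same stale `Default: /tmp/...` line). The move away from a predictable world-writable directory only removes the symlink/pre-creation risk described in the bug if /var/run/fail2ban is created with restrictive ownership and mode before any action runs, which the commit message assumes but the file does not state; a one-line comment recording that assumption would help whoever packages this. On hosts where /var/run is a tmpfs the buffer will not survive a reboot, which seems acceptable for a report buffer but is worth saying in the same comment.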
@@ -141,4 +141,4 @@ mnwurl = http://mynetwatchman.com/insertwebreport.asp # Notes.: Base name of temporary files # Values: [ STRING ] Default: /tmp/fail2ban-mynetwatchman # -tmpfile = /tmp/fail2ban-mynetwatchman +tmpfile = /var/run/fail2ban/tmp-mynetwatchman diff --git a/config/action.d/sendmail-buffered.conf b/config/action.d/sendmail-buffered.conf index de8166ad..25a23b78 100644 --- a/config/action.d/sendmail-buffered.conf +++ b/config/action.d/sendmail-buffered.conf @@ -101,5 +101,5 @@ lines = 5 # Default temporary file # -tmpfile = /tmp/fail2ban-mail.txt +tmpfile = /var/run/fail2ban/tmp-mail.txt From 0073ba38387f5e319551ec242dc7cb1e16c7ee20 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Wed, 23 Mar 2011 20:36:08 +0000 Subject: [PATCH 2/9] ENH: dropbear filter: see http://bugs.debian.org/546913 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@768 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- config/filter.d/dropbear.conf | 52 +++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 config/filter.d/dropbear.conf diff --git a/config/filter.d/dropbear.conf b/config/filter.d/dropbear.conf new file mode 100644 index 00000000..1309cc41 --- /dev/null +++ b/config/filter.d/dropbear.conf 
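Review bot: mail-buffered.conf and sendmail-buffered.conf now both default to the identical path `/var/run/fail2ban/tmp-mail.txt`, so if both actions run on one host, or one of them is used by several jails, they append to and remove each other's buffer exactly as they did with the old shared `/tmp/fail2ban-mail.txt`; the relocation does not address that. If these action files expose the per-jail name tag the way the iptables actions in this series do, a per-instance default such as `tmpfile = /var/run/fail2ban/tmp-mail-<name>.txt` would avoid the collision; at minimum the comment above the key should say the default is shared between the two actions and between jails. The `# Values: [ STRING ] Default: /tmp/fail2ban-mynetwatchman` line in the mynetwatchman hunk also still names the old location and should be updated alongside the value.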
@@ -0,0 +1,52 @@ +# Fail2Ban configuration file +# +# Author: Francis Russell +# Zak B. Elep +# +# $Revision$ +# +# More information: http://bugs.debian.org/546913 + +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + + +[Definition] + +_daemon = dropbear + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P\S+) +# Values: TEXT + +# These match the unmodified dropbear messages. It isn't possible to +# match the source of the 'exit before auth' messages from dropbear. +# +failregex = ^%(__prefix_line)slogin attempt for nonexistent user ('.*' )?from :.*\s*$ + ^%(__prefix_line)sbad password attempt for .+ from :.*\s*$ + +# The only line we need to match with the modified dropbear. + +# NOTE: The failregex below is ONLY intended to work with a patched +# version of Dropbear as described here: +# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches +# +# The standard Dropbear output doesn't provide enough information to +# ban all types of attack. The Dropbear patch adds IP address +# information to the 'exit before auth' message which is always +# produced for any form of non-successful login. It is that message +# which this file matches. + +# failregex = ^%(__prefix_line)sexit before auth from .*\s*$ + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = From 10faba516315478b86ed3ae19975897ebe577222 Mon Sep 17 00:00:00 2001 
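Review bot: Both active failregex lines end in `.*\s*$`, where `\s*$` can never consume anything the preceding `.*` has not already taken, so it is dead weight; pinning the tail to the port dropbear appends, `from <HOST>(:\d+)?\s*$`, would be both cheaper and stricter than arbitrary trailing text. The message text is also version dependent: if the dropbear build in use logs these with a capital letter (`Bad password attempt`, `Login attempt for nonexistent user`), neither line matches and the filter silently bans nothing, so `[Bb]ad` and `[Ll]ogin` would be safer. The text between `user` and `from` is the client-chosen user name, so keeping the `('.*' )?` group greedy matters: a tighter rewrite such as `('[^']*' )?` would let a name containing `' from 1.2.3.4:` shift the host capture onto an address the attacker chose, whereas the greedy form always latches onto the real `from host:port` tail. That property is worth a short comment next to the regex so a future tidy-up does not undo it.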
From: Yaroslav Halchenko Date: Wed, 23 Mar 2011 20:36:17 +0000 Subject: [PATCH 3/9] ENH: make filter.d/apache-overflows.conf catch more: see http://bugs.debian.org/574182 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@769 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- config/filter.d/apache-overflows.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/apache-overflows.conf b/config/filter.d/apache-overflows.conf index c615158f..4567f7da 100644 --- a/config/filter.d/apache-overflows.conf +++ b/config/filter.d/apache-overflows.conf @@ -11,7 +11,7 @@ # Notes.: Regexp to catch Apache overflow attempts. # Values: TEXT # -failregex = [[]client []] (Invalid method in request|request failed: URI too long|erroneous characters after protocol string) +failregex = [[]client []] (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string) # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. From 6558c03f8e138eaadcb2fa4b6bc93dad737a71fd Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Wed, 23 Mar 2011 20:36:28 +0000 Subject: [PATCH 4/9] NF: Adding found on a drive filter.d/dovecot.conf git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@770 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- config/filter.d/dovecot.conf | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 config/filter.d/dovecot.conf diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf new file mode 100644 index 00000000..5392d3a9 --- /dev/null +++ b/config/filter.d/dovecot.conf 
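Review bot: The `# Notes.: Regexp to catch Apache overflow attempts.` context line no longer describes the pattern, because `Invalid URI in request` appears to be what Apache logs for any unparsable request line rather than for an overflow; suggest `# Notes.: Regexp to catch Apache overflow attempts and malformed request lines.` Since that message is also produced by broken but harmless clients and mis-configured proxies, jails using this filter should keep a conservative `maxretry` rather than the aggressive setting a pure overflow signature would justify, and that trade-off belongs in the same comment. The alternation itself is fine and the pattern remains unanchored at the start, as it was before this change.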
@@ -0,0 +1,23 @@ +# Fail2Ban configuration file for dovcot +# +# Author: +# +# $Revision: $ +# + +[Definition] + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P[\w\-.^_]+) +# Values: TEXT +# +failregex = .*(?: pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P\S*),.* + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = From 3831fbf98b87fed2f5882e3190e10dfa0dd0e55c Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Wed, 23 Mar 2011 20:36:41 +0000 Subject: [PATCH 5/9] ENH: add to action.d/iptables*. Thanks Matthijs Kooijman: see http://bugs.debian.org/515599 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@771 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- config/action.d/iptables-allports.conf | 11 ++++++++--- config/action.d/iptables-multiport-log.conf | 12 +++++++++--- config/action.d/iptables-multiport.conf | 11 ++++++++--- config/action.d/iptables-new.conf | 11 ++++++++--- config/action.d/iptables.conf | 11 ++++++++--- 5 files changed, 41 insertions(+), 15 deletions(-) diff --git a/config/action.d/iptables-allports.conf b/config/action.d/iptables-allports.conf index 123bac69..1cc2daba 100644 --- a/config/action.d/iptables-allports.conf +++ b/config/action.d/iptables-allports.conf 
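Review bot: `rip=(?P<host>\S*)` accepts an empty host, so a line carrying `rip=,` would make fail2ban attempt to ban an empty string; change it to `rip=(?P<host>\S+),`. The leading `.*` and the two inner `.*` force a scan of every log line from column 0 for no matching benefit, and dropping the leading `.*` is equivalent for match purposes and cheaper. Unlike the dropbear filter added in this same series, the file does not include `common.conf`, its first line misspells the daemon (`dovcot`) and the `Author:` field is empty, all of which should be fixed before release. If dovecot's login lines place the client-chosen `user=` field before `rip=`, as they normally do, then the greedy `.*rip=` taking the last occurrence is what keeps the host capture honest, and a non-greedy rewrite there would be unsafe; a one-line comment saying so would protect that.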
@@ -15,13 +15,13 @@ # actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN - iptables -I INPUT -p -j fail2ban- + iptables -I -p -j fail2ban- # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p -j fail2ban- +actionstop = iptables -D -p -j fail2ban- iptables -F fail2ban- iptables -X fail2ban- @@ -29,7 +29,7 @@ actionstop = iptables -D INPUT -p -j fail2ban- # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban- +actioncheck = iptables -n -L | grep -q fail2ban- # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -63,3 +63,8 @@ name = default # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff --git a/config/action.d/iptables-multiport-log.conf b/config/action.d/iptables-multiport-log.conf index 3b4621db..9cdc4bab 100644 --- a/config/action.d/iptables-multiport-log.conf +++ b/config/action.d/iptables-multiport-log.conf @@ -5,7 +5,7 @@ # # make "fail2ban-" chain to match drop IP # make "fail2ban--log" chain to log and drop -# insert a jump to fail2ban- from -I INPUT if proto/port match +# insert a jump to fail2ban- from -I if proto/port match # # $Revision$ # @@ -18,7 +18,7 @@ # actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN - iptables -I INPUT 1 -p -m multiport --dports -j fail2ban- + iptables -I 1 -p -m multiport --dports -j fail2ban- iptables -N fail2ban--log iptables -I fail2ban--log -j LOG --log-prefix "$(expr fail2ban- : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2 iptables -A fail2ban--log -j DROP 
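Review bot: The new option block uses `# Notes specifies the iptables chain ...` while every other option in these files uses the `# Notes.:` marker (compare `# Notes.: command executed once at the end of Fail2Ban` in the same hunk range), so readers and tooling that key on that marker will not see it; change it to `# Notes.: specifies the iptables chain to which the fail2ban rules should be added`. The identical wording is repeated in all five files touched by this commit, so all five need the same correction. The chain value is expanded unquoted into the iptables command lines, which is acceptable for administrator-controlled configuration but means a chain name containing whitespace cannot be expressed; the comment could say the value must be a single token.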
@@ -27,7 +27,7 @@ actionstart = iptables -N fail2ban- # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p -m multiport --dports -j fail2ban- +actionstop = iptables -D -p -m multiport --dports -j fail2ban- iptables -F fail2ban- iptables -F fail2ban--log iptables -X fail2ban- @@ -76,3 +76,9 @@ port = ssh # Values: [ tcp | udp | icmp | all ] Default: tcp # protocol = tcp + +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff --git a/config/action.d/iptables-multiport.conf b/config/action.d/iptables-multiport.conf index fe3712d5..ad554f5c 100644 --- a/config/action.d/iptables-multiport.conf +++ b/config/action.d/iptables-multiport.conf @@ -13,13 +13,13 @@ # actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN - iptables -I INPUT -p -m multiport --dports -j fail2ban- + iptables -I -p -m multiport --dports -j fail2ban- # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p -m multiport --dports -j fail2ban- +actionstop = iptables -D -p -m multiport --dports -j fail2ban- iptables -F fail2ban- iptables -X fail2ban- @@ -27,7 +27,7 @@ actionstop = iptables -D INPUT -p -m multiport --dports -j fai # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban- +actioncheck = iptables -n -L | grep -q fail2ban- # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -67,3 +67,8 @@ port = ssh # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff --git a/config/action.d/iptables-new.conf b/config/action.d/iptables-new.conf index 373826c2..c249de2d 100644 --- a/config/action.d/iptables-new.conf 
+++ b/config/action.d/iptables-new.conf @@ -15,13 +15,13 @@ # actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN - iptables -I INPUT -m state --state NEW -p --dport -j fail2ban- + iptables -I -m state --state NEW -p --dport -j fail2ban- # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -m state --state NEW -p --dport -j fail2ban- +actionstop = iptables -D -m state --state NEW -p --dport -j fail2ban- iptables -F fail2ban- iptables -X fail2ban- @@ -29,7 +29,7 @@ actionstop = iptables -D INPUT -m state --state NEW -p --dport # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban- +actioncheck = iptables -n -L | grep -q fail2ban- # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -69,3 +69,8 @@ port = ssh # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff --git a/config/action.d/iptables.conf b/config/action.d/iptables.conf index daef9267..09cfb98b 100644 --- a/config/action.d/iptables.conf +++ b/config/action.d/iptables.conf @@ -13,13 +13,13 @@ # actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN - iptables -I INPUT -p --dport -j fail2ban- + iptables -I -p --dport -j fail2ban- # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p --dport -j fail2ban- +actionstop = iptables -D -p --dport -j fail2ban- iptables -F fail2ban- iptables -X fail2ban- 
@@ -27,7 +27,7 @@ actionstop = iptables -D INPUT -p --dport -j fail2ban- # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban- +actioncheck = iptables -n -L | grep -q fail2ban- # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -67,3 +67,8 @@ port = ssh # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT From 02e7dfb099ca0e417f6fc1d5c5d2ad88b7eb4b55 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Wed, 23 Mar 2011 20:36:50 +0000 Subject: [PATCH 6/9] BF: allow space in the trailing of failregex for sasl.conf: see http://bugs.debian.org/573314 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@772 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- config/filter.d/sasl.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/sasl.conf b/config/filter.d/sasl.conf index 5cd8a6d5..e316605f 100644 --- a/config/filter.d/sasl.conf +++ b/config/filter.d/sasl.conf @@ -14,7 +14,7 @@ # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # -failregex = (?i): warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$ +failregex = (?i): warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. From 1cb48bbc96455ff2a0c510552a8a4a13b32881f8 Mon Sep 17 00:00:00 2001 
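Review bot: The widened class `[ A-Za-z0-9+/]` still rejects any failure reason containing other punctuation, so a reason made only of words and spaces now matches, but one containing a colon, hyphen or period still fails the anchored `$` and the attempt is silently not counted. If such reasons occur in the Postfix/SASL deployments this targets, loosening the tail to `(: [ \w+/:.-]*={0,2})?\s*$` keeps the base64 case and tolerates them without opening the match to arbitrary text. Note also that the leading `(?i)` already makes the whole pattern case-insensitive, so `a-z` inside the class is redundant with `A-Z`.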
From: Yaroslav Halchenko Date: Wed, 23 Mar 2011 20:37:00 +0000 Subject: [PATCH 7/9] BF: escaping () in pure-ftpd filter. Thanks Teodor See http://bugs.debian.org/544744 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@773 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- config/filter.d/pure-ftpd.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/pure-ftpd.conf b/config/filter.d/pure-ftpd.conf index fbbfc2d1..345780dc 100644 --- a/config/filter.d/pure-ftpd.conf +++ b/config/filter.d/pure-ftpd.conf @@ -19,7 +19,7 @@ __errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'ut # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # -failregex = pure-ftpd(?:\[\d+\])?: (.+?@) \[WARNING\] %(__errmsg)s \[.+\]$ +failregex = pure-ftpd(?:\[\d+\])?: \(.+?@\) \[WARNING\] %(__errmsg)s \[.+\]\s*$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. From d4b89d8404485de0e47743752ae3a34e6b1cfa6d Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Wed, 23 Mar 2011 20:37:10 +0000 Subject: [PATCH 8/9] BF: Allow for trailing spaces in proftpd logs See http://bugs.debian.org/507986 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@774 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- config/filter.d/proftpd.conf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/config/filter.d/proftpd.conf b/config/filter.d/proftpd.conf index ec613b94..eb43a14d 100644 --- a/config/filter.d/proftpd.conf +++ b/config/filter.d/proftpd.conf 
@@ -14,10 +14,10 @@ # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # -failregex = \(\S+\[\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$ - \(\S+\[\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$ - \(\S+\[\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$ - \(\S+\[\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$ +failregex = \(\S+\[\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+ *$ + \(\S+\[\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\. *$ + \(\S+\[\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\. *$ + \(\S+\[\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. From eab9af9caa872ca0ebf080f07a1c359ee9ffa737 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Wed, 23 Mar 2011 20:37:19 +0000 Subject: [PATCH 9/9] BF: proftpd filter -- if login failed -- count regardless of the reason for failure git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@775 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- config/filter.d/proftpd.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/proftpd.conf b/config/filter.d/proftpd.conf index eb43a14d..55a15da9 100644 --- a/config/filter.d/proftpd.conf +++ b/config/filter.d/proftpd.conf @@ -15,7 +15,7 @@ # Values: TEXT # failregex = \(\S+\[\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+ *$ - \(\S+\[\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\. *$ + \(\S+\[\]\)[: -]+ USER \S+ \(Login failed\): .*$ \(\S+\[\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\. *$ \(\S+\[\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$
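Review bot: `\(Login failed\): .*$` now counts every proftpd login failure, including policy denials that a user holding correct credentials can trigger (proftpd reports reasons such as an invalid shell, an expired account or a Limit-based denial under the same `(Login failed)` prefix), so a legitimate user whose shell is not in /etc/shells can now get their own source address banned; that is the stated intent of the commit, but it changes the filter's meaning and should be documented in the file. Suggested comment above failregex: `# Every "(Login failed)" reason counts, not only bad passwords; policy denials (invalid shell, expired account, Limit) will also ban the source.` The trailing ` *$` added on the neighbouring lines is fine, and on this line `.*$` already subsumes it.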