mirror of https://github.com/fail2ban/fail2ban
MRG: merge ChangeLog and jail.conf
Daniel Black
commit
95f3f38682
|
|
@ -71,6 +71,8 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
|
||||||
* action.d/apf.conf - add action for Advanced Policy Firewall (apf)
|
* action.d/apf.conf - add action for Advanced Policy Firewall (apf)
|
||||||
Amir Caspi and kjohnsonecl
|
Amir Caspi and kjohnsonecl
|
||||||
* filter.d/uwimap-auth - filter for uwimap-auth IMAP/POP server
|
* filter.d/uwimap-auth - filter for uwimap-auth IMAP/POP server
|
||||||
|
Steven Hiscocks and Daniel Black
|
||||||
|
* filter.d/selinux-{common,ssh} -- add SELinux date and ssh filter
|
||||||
|
|
||||||
- Enhancements:
|
- Enhancements:
|
||||||
François Boulogne and Frédéric
|
François Boulogne and Frédéric
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,21 @@
|
||||||
|
# Fail2Ban configuration file for generic SELinux audit messages
|
||||||
|
#
|
||||||
|
# Author: Daniel Black
|
||||||
|
#
|
||||||
|
# This file is not intended to be used directly, and should be included into a
|
||||||
|
# filter file which would define following variables. See selinux-ssh.conf as
|
||||||
|
# and example.
|
||||||
|
#
|
||||||
|
# _type
|
||||||
|
# _uid
|
||||||
|
# _auid
|
||||||
|
# _subj
|
||||||
|
# _msg
|
||||||
|
#
|
||||||
|
# Also one of these variables must include <HOST>.
|
||||||
|
#
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
@ -0,0 +1,24 @@
|
||||||
|
# Fail2Ban configuration file for SELinux ssh authentication errors
|
||||||
|
#
|
||||||
|
# Author: Daniel Black
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Note: USER_LOGIN is ignored as this is the duplicate messsage
|
||||||
|
# ssh logs after 3 USER_AUTH failures.
|
||||||
|
#
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
after = selinux-common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_type = USER_(ERR|AUTH)
|
||||||
|
_uid = 0
|
||||||
|
_auid = \d+
|
||||||
|
_subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023
|
||||||
|
|
||||||
|
_exe =/usr/sbin/sshd
|
||||||
|
_terminal = ssh
|
||||||
|
|
||||||
|
_msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr=<HOST> terminal=%(_terminal)s res=failed
|
||||||
|
|
||||||
|
|
@ -485,3 +485,9 @@ enabled = false
|
||||||
filter = dovecot
|
filter = dovecot
|
||||||
action = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
|
action = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
|
||||||
logpath = /var/log/secure
|
logpath = /var/log/secure
|
||||||
|
|
||||||
|
[selinux-ssh]
|
||||||
|
enabled = false
|
||||||
|
filter = selinux-ssh
|
||||||
|
action = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
|
||||||
|
logpath = /var/log/audit/audit.log
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,29 @@
|
||||||
|
# failJSON: { "time": "2013-07-09T02:45:16", "match": false , "host": "173.242.116.187" }
|
||||||
|
type=USER_LOGIN msg=audit(1373330716.415:4063): user pid=11998 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=173.242.116.187 terminal=ssh res=failed'
|
||||||
|
|
||||||
|
# failJSON: { "time": "2013-07-09T02:45:17", "match": false , "host": "173.242.116.187" }
|
||||||
|
type=USER_LOGIN msg=audit(1373330717.441:4068): user pid=12000 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=173.242.116.187 terminal=ssh res=failed'
|
||||||
|
|
||||||
|
# failJSON: { "time": "2013-07-09T02:45:17", "match": true , "host": "173.242.116.187" }
|
||||||
|
type=USER_ERR msg=audit(1373330717.575:4070): user pid=12000 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident acct="?" exe="/usr/sbin/sshd" hostname=173.242.116.187 addr=173.242.116.187 terminal=ssh res=failed'
|
||||||
|
|
||||||
|
# failJSON: { "time": "2013-07-09T02:45:17", "match": false , "host": "173.242.116.187" }
|
||||||
|
type=USER_LOGIN msg=audit(1373330717.576:4073): user pid=12000 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=173.242.116.187 terminal=ssh res=failed'
|
||||||
|
|
||||||
|
# failJSON: { "time": "2013-06-30T01:02:08", "match": false , "host": "113.240.248.18" }
|
||||||
|
type=USER_LOGIN msg=audit(1372546928.726:52008): user pid=21569 uid=0 auid=0 ses=76 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="sshd" exe="/usr/sbin/sshd" hostname=? addr=113.240.248.18 terminal=ssh res=failed'
|
||||||
|
|
||||||
|
# failJSON: { "time": "2013-06-30T03:58:20", "match": true , "host": "113.240.248.18" }
|
||||||
|
type=USER_ERR msg=audit(1372557500.401:61747): user pid=23684 uid=0 auid=0 ses=76 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident acct="?" exe="/usr/sbin/sshd" hostname=113.240.248.18 addr=113.240.248.18 terminal=ssh res=failed'
|
||||||
|
|
||||||
|
# failJSON: { "time": "2013-06-30T03:58:20", "match": false , "host": "113.240.248.18" }
|
||||||
|
type=USER_LOGIN msg=audit(1372557500.402:61750): user pid=23684 uid=0 auid=0 ses=76 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=113.240.248.18 terminal=ssh res=failed'
|
||||||
|
|
||||||
|
# failJSON: { "time": "2013-07-06T18:48:00", "match": true , "host": "194.228.20.113" }
|
||||||
|
type=USER_AUTH msg=audit(1373129280.772:9): user pid=1277 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="root" exe="/usr/sbin/sshd" hostname=? addr=194.228.20.113 terminal=ssh res=failed'
|
||||||
|
|
||||||
|
# failJSON: { "time": "2013-10-30T07:57:43", "match": true , "host": "192.168.3.100" }
|
||||||
|
type=USER_AUTH msg=audit(1383116263.930:603): pid=12887 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="dan" exe="/usr/sbin/sshd" hostname=? addr=192.168.3.100 terminal=ssh res=failed'
|
||||||
|
|
||||||
|
# failJSON: { "time": "2013-10-30T07:54:08", "match": false , "host": "192.168.3.100" }
|
||||||
|
type=USER_LOGIN msg=audit(1383116048.450:595): pid=12354 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="dan" exe="/usr/sbin/sshd" hostname=? addr=192.168.3.100 terminal=ssh res=failed'
|
||||||
|
|
@ -23,6 +23,7 @@ __copyright__ = "Copyright (c) 2013 Steven Hiscocks"
|
||||||
__license__ = "GPL"
|
__license__ = "GPL"
|
||||||
|
|
||||||
import unittest, sys, os, fileinput, re, datetime, inspect
|
import unittest, sys, os, fileinput, re, datetime, inspect
|
||||||
|
from ConfigParser import InterpolationMissingOptionError
|
||||||
|
|
||||||
if sys.version_info >= (2, 6):
|
if sys.version_info >= (2, 6):
|
||||||
import json
|
import json
|
||||||
|
|
@ -131,7 +132,7 @@ def testSampleRegexsFactory(name):
|
||||||
|
|
||||||
return testFilter
|
return testFilter
|
||||||
|
|
||||||
for filter_ in os.listdir(os.path.join(CONFIG_DIR, "filter.d")):
|
for filter_ in filter(lambda x: not x.endswith('common.conf'), os.listdir(os.path.join(CONFIG_DIR, "filter.d"))):
|
||||||
filterName = filter_.rpartition(".")[0]
|
filterName = filter_.rpartition(".")[0]
|
||||||
setattr(
|
setattr(
|
||||||
FilterSamplesRegex,
|
FilterSamplesRegex,
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue