Merge branch '0.11'

MANIFEST

@@ -393,8 +393,8 @@ files/fail2ban.service.in
 files/fail2ban-tmpfiles.conf
 files/fail2ban.upstart
 files/gen_badbots
-files/gentoo-confd
-files/gentoo-initd
+files/fail2ban-openrc.conf
+files/fail2ban-openrc.init.in
 files/ipmasq-ZZZzzz_fail2ban.rul
 files/logwatch/fail2ban
 files/logwatch/fail2ban-0.8.log

config/filter.d/sshd.conf

@@ -68,15 +68,17 @@ cmnfailed = <cmnfailed-<publickey>>
 
 mdre-normal =
 # used to differentiate "connection closed" with and without `[preauth]` (fail/nofail cases in ddos mode)
-mdre-normal-other = ^<F-NOFAIL><F-MLFFORGET>(Connection closed|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)%(__authng_user)s <HOST>(?:%(__suff)s|\s*)$
+mdre-normal-other = ^<F-NOFAIL><F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)%(__authng_user)s <HOST>(?:%(__suff)s|\s*)$
 
 mdre-ddos = ^Did not receive identification string from <HOST>
-            ^kex_exchange_identification: (?:[Cc]lient sent invalid protocol identifier|[Cc]onnection closed by remote host)
+            ^kex_exchange_identification: (?:read: )?(?:[Cc]lient sent invalid protocol identifier|[Cc]onnection (?:closed by remote host|reset by peer))
             ^Bad protocol version identification '.*' from <HOST>
             ^<F-NOFAIL>SSH: Server;Ltype:</F-NOFAIL> (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+:
             ^Read from socket failed: Connection <F-MLFFORGET>reset</F-MLFFORGET> by peer
-# same as mdre-normal-other, but as failure (without <F-NOFAIL>) and [preauth] only:
+            ^banner exchange: Connection from <HOST><__on_port_opt>: invalid format
+# same as mdre-normal-other, but as failure (without <F-NOFAIL> with [preauth] and with <F-NOFAIL> on no preauth phase as helper to identify address):
 mdre-ddos-other = ^<F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET> (?:by|from)%(__authng_user)s <HOST>%(__on_port_opt)s\s+\[preauth\]\s*$
+                  ^<F-NOFAIL><F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)%(__authng_user)s <HOST>(?:%(__on_port_opt)s|\s*)$
 
 mdre-extra = ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*14: No(?: supported)? authentication methods available
             ^Unable to negotiate with <HOST>%(__on_port_opt)s: no matching <__alg_match> found.

fail2ban/server/server.py

@@ -391,7 +391,7 @@ class Server:
 		if isinstance(filter_, FileFilter):
 			return filter_.getLogPaths()
 		else: # pragma: systemd no cover
-			logSys.info("Jail %s is not a FileFilter instance" % name)
+			logSys.debug("Jail %s is not a FileFilter instance" % name)
 			return []
 	
 	def addJournalMatch(self, name, match): # pragma: systemd no cover
@@ -409,7 +409,7 @@ class Server:
 		if isinstance(filter_, JournalFilter):
 			return filter_.getJournalMatch()
 		else:
-			logSys.info("Jail %s is not a JournalFilter instance" % name)
+			logSys.debug("Jail %s is not a JournalFilter instance" % name)
 			return []
 	
 	def setLogEncoding(self, name, encoding):

fail2ban/tests/files/logs/sshd

@@ -315,6 +315,11 @@ Feb 17 17:40:17 sshd[19725]: error: kex_exchange_identification: client sent inv
 # failJSON: { "time": "2005-02-17T17:40:18", "match": true , "host": "192.0.2.10", "desc": "ddos: flood attack vector, gh-2850" }
 Feb 17 17:40:18 sshd[19725]: error: kex_exchange_identification: Connection closed by remote host
 
+# failJSON: { "match": false }
+Mar  1 18:59:33 hostname sshd[1189575]: error: kex_exchange_identification: banner line too long
+# failJSON: { "time": "2005-03-01T18:59:33", "match": true , "host": "192.0.2.12", "desc": "ddos: port scanner, https payload on ssh port (banner exchange: invalid format, gh-3169)" }
+Mar  1 18:59:33 hostname sshd[1189575]: banner exchange: Connection from 192.0.2.12 port 44105: invalid format
+
 # failJSON: { "time": "2005-03-15T09:21:01", "match": true , "host": "192.0.2.212", "desc": "DDOS mode causes failure on close within preauth stage" }
 Mar 15 09:21:01 host sshd[2717]: Connection closed by 192.0.2.212 [preauth]
 # failJSON: { "time": "2005-03-15T09:21:02", "match": true , "host": "192.0.2.212", "desc": "DDOS mode causes failure on close within preauth stage" }
@@ -328,6 +333,18 @@ Jun  6 04:17:04 host sshd[1189074]: Invalid user  from 192.0.2.68 port 34916
 # failJSON: { "time": "2005-06-06T04:17:09", "match": true , "host": "192.0.2.68", "dns": null, "user": "", "desc": "empty user, gh-2749" }
 Jun  6 04:17:09 host sshd[1189074]: Connection closed by invalid user  192.0.2.68 port 34916 [preauth]
 
+# failJSON: { "match": false, "desc": "ddos-failure without IP, retarded, must be triggered with next (closed) message, gh-3086"}
+Jun  7 04:10:35 host sshd[424228]: error: kex_exchange_identification: Connection closed by remote host
+# failJSON: { "time": "2005-06-07T04:10:35", "match": true , "host": "192.0.2.15", "desc": "kex_exchange_identification: Connection closed, gh-3086" }
+Jun  7 04:10:35 host sshd[424228]: Connection closed by 192.0.2.15 port 35352
+
+# failJSON: { "match": false }
+Jun  7 04:29:10 host sshd[649921]: Connection from 192.0.2.16 port 51280 on 192.0.2.16 port 22 rdomain ""
+# failJSON: { "time": "2005-06-07T04:29:10", "match": true, "host": "192.0.2.16", "desc": "ddos-failure without IP, must be triggered here because it became known above, gh-3086"}
+Jun  7 04:29:10 host sshd[649921]: error: kex_exchange_identification: read: Connection reset by peer
+# failJSON: { "match": false, "desc": "Connection reset already triggered above (known IP, no-fail helper unused here)" }
+Jun  7 04:29:10 host sshd[649921]: Connection reset by 192.0.2.16 port 51280
+
 # filterOptions: [{"mode": "extra"}, {"mode": "aggressive"}]
 
 # several other cases from gh-864:

files/fail2ban-openrc.conf

@@ -0,0 +1,2 @@
+# For available options, plase run "fail2ban-server --help".
+#FAIL2BAN_OPTIONS="-x"

files/fail2ban-openrc.init.in

@@ -0,0 +1,86 @@
+#!/sbin/openrc-run
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# Author: Sireyessire, Cyril Jaquier
+#
+
+description="Ban hosts that cause multiple authentication errors"
+description_reload="reload configuration without dropping bans"
+extra_started_commands="reload"
+
+# Can't (and shouldn't) be changed by the end-user.
+#
+# Note that @BINDIR@ is already supplied by the build system. Some
+# day, it might be nice to have @RUNDIR@ supplied by the build system
+# as well, so that we don't have to hard-code /run here.
+FAIL2BAN_RUNDIR="/run/${RC_SVCNAME}"
+FAIL2BAN_SOCKET="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.sock"
+
+# The fail2ban-client program is also capable of starting and stopping
+# the server, but things are simpler if we let start-stop-daemon do it.
+command="@BINDIR@/fail2ban-server"
+pidfile="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.pid"
+
+# We force the pidfile/socket location in this service script because
+# we're taking responsibility for ensuring that their parent directory
+# exists and has the correct permissions (which we can't do if the
+# user is allowed to change them).
+command_args="${FAIL2BAN_OPTIONS} -p ${pidfile} -s ${FAIL2BAN_SOCKET}"
+retry="30"
+
+depend() {
+	use logger
+	after iptables
+}
+
+checkconfig() {
+    "${command}" ${command_args} --test
+}
+
+start_pre() {
+	# If this isn't a restart, make sure that the user's config isn't
+	# busted before we try to start the daemon (this will produce
+	# better error messages than if we just try to start it blindly).
+	#
+	# If, on the other hand, this *is* a restart, then the stop_pre
+	# action will have ensured that the config is usable and we don't
+	# need to do that again.
+	if [ "${RC_CMD}" != "restart" ] ; then
+		checkconfig || return $?
+	fi
+	checkpath -d "${FAIL2BAN_RUNDIR}"
+}
+
+stop_pre() {
+	# If this is a restart, check to make sure the user's config
+	# isn't busted before we stop the running daemon.
+	if [ "${RC_CMD}" = "restart" ] ; then
+		checkconfig || return $?
+	fi
+}
+
+reload() {
+	# The fail2ban-client uses an undocumented protocol to tell
+	# the server to reload(), so we have to use it here rather
+	# than e.g. sending a signal to the server daemon. Note that
+	# the reload will fail (on the server side) if the new config
+	# is invalid; we therefore don't need to test it ourselves
+	# with checkconfig() before initiating the reload.
+	ebegin "Reloading ${RC_SVCNAME}"
+	"@BINDIR@/fail2ban-client" ${command_args} reload
+	eend $? "Failed to reload ${RC_SVCNAME}"
+}

files/gentoo-confd

@@ -1,8 +0,0 @@
-# Config file for /etc/init.d/fail2ban
-#
-# For information on options, see "/usr/bin/fail2ban-client -h".
-
-FAIL2BAN_OPTIONS=""
-
-# Force execution of the server even if the socket already exists:
-#FAIL2BAN_OPTIONS="-x"

files/gentoo-initd

@@ -1,60 +0,0 @@
-#!/sbin/openrc-run
-# This file is part of Fail2Ban.
-#
-# Fail2Ban is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# Fail2Ban is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Fail2Ban; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-#
-# Author: Sireyessire, Cyril Jaquier
-#
-
-description="Daemon to ban hosts that cause multiple authentication errors"
-description_reload="reload configuration"
-description_showlog="show fail2ban logs"
-extra_started_commands="reload showlog"
-
-FAIL2BAN="/usr/bin/fail2ban-client ${FAIL2BAN_OPTIONS}"
-
-depend() {
-	need net
-	need logger
-	after iptables
-}
-
-start() {
-	ebegin "Starting fail2ban"
-	mkdir -p /var/run/fail2ban || return 1
-	# remove stalled sock file after system crash
-	# bug 347477
-	rm -f /var/run/fail2ban/fail2ban.sock || return 1
-	start-stop-daemon --start --pidfile /var/run/fail2ban/fail2ban.pid \
-	-- ${FAIL2BAN} start
-	eend $? "Failed to start fail2ban"
-}
-
-stop() {
-	ebegin "Stopping fail2ban"
-	start-stop-daemon --stop --pidfile /var/run/fail2ban/fail2ban.pid --retry 30 \
-	-- ${FAIL2BAN} stop
-	eend $? "Failed to stop fail2ban"
-}
-
-reload() {
-	ebegin "Reloading fail2ban"
-	${FAIL2BAN} reload
-	eend $? "Failed to reload fail2ban"
-}
-
-showlog(){
-	less /var/log/fail2ban.log
-}

setup.py

@@ -89,24 +89,27 @@ class install_scripts_f2b(install_scripts):
 			if install_dir.startswith(root):
 				install_dir = install_dir[len(root):]
 		except: # pragma: no cover
-			print('WARNING: Cannot find root-base option, check the bin-path to fail2ban-scripts in "fail2ban.service".')
-		print('Creating %s/fail2ban.service (from fail2ban.service.in): @BINDIR@ -> %s' % (buildroot, install_dir))
-		with open(os.path.join(source_dir, 'files/fail2ban.service.in'), 'r') as fn:
-			lines = fn.readlines()
-		fn = None
-		if not dry_run:
-			fn = open(os.path.join(buildroot, 'fail2ban.service'), 'w')
-		try:
-			for ln in lines:
-				ln = re.sub(r'@BINDIR@', lambda v: install_dir, ln)
-				if dry_run:
-					sys.stdout.write(' | ' + ln)
-					continue
-				fn.write(ln)
-		finally:
-			if fn: fn.close()
-		if dry_run:
-			print(' `')
+			print('WARNING: Cannot find root-base option, check the bin-path to fail2ban-scripts in "fail2ban.service" and "fail2ban-openrc.init".')
+
+		scripts = ['fail2ban.service', 'fail2ban-openrc.init']
+		for script in scripts:
+			print('Creating %s/%s (from %s.in): @BINDIR@ -> %s' % (buildroot, script, script, install_dir))
+			with open(os.path.join(source_dir, 'files/%s.in' % script), 'r') as fn:
+				lines = fn.readlines()
+			fn = None
+			if not dry_run:
+				fn = open(os.path.join(buildroot, script), 'w')
+			try:
+				for ln in lines:
+					ln = re.sub(r'@BINDIR@', lambda v: install_dir, ln)
+					if dry_run:
+						sys.stdout.write(' | ' + ln)
+						continue
+					fn.write(ln)
+			finally:
+				if fn: fn.close()
+			if dry_run:
+				print(' `')
 
 
 # Wrapper to specify fail2ban own options: