diff --git a/MANIFEST b/MANIFEST index 48c751a0e..c2df1e51f 100644 --- a/MANIFEST +++ b/MANIFEST @@ -393,8 +393,8 @@ files/fail2ban.service.in files/fail2ban-tmpfiles.conf files/fail2ban.upstart files/gen_badbots -files/gentoo-confd -files/gentoo-initd +files/fail2ban-openrc.conf +files/fail2ban-openrc.init.in files/ipmasq-ZZZzzz_fail2ban.rul files/logwatch/fail2ban files/logwatch/fail2ban-0.8.log diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf index e79422627..d5d189b06 100644 --- a/config/filter.d/sshd.conf +++ b/config/filter.d/sshd.conf @@ -68,15 +68,17 @@ cmnfailed = > mdre-normal = # used to differentiate "connection closed" with and without `[preauth]` (fail/nofail cases in ddos mode) -mdre-normal-other = ^(Connection closed|Disconnected) (?:by|from)%(__authng_user)s (?:%(__suff)s|\s*)$ +mdre-normal-other = ^(Connection (?:closed|reset)|Disconnected) (?:by|from)%(__authng_user)s (?:%(__suff)s|\s*)$ mdre-ddos = ^Did not receive identification string from - ^kex_exchange_identification: (?:[Cc]lient sent invalid protocol identifier|[Cc]onnection closed by remote host) + ^kex_exchange_identification: (?:read: )?(?:[Cc]lient sent invalid protocol identifier|[Cc]onnection (?:closed by remote host|reset by peer)) ^Bad protocol version identification '.*' from ^SSH: Server;Ltype: (?:Authname|Version|Kex);Remote: -\d+;[A-Z]\w+: ^Read from socket failed: Connection reset by peer -# same as mdre-normal-other, but as failure (without ) and [preauth] only: + ^banner exchange: Connection from <__on_port_opt>: invalid format +# same as mdre-normal-other, but as failure (without with [preauth] and with on no preauth phase as helper to identify address): mdre-ddos-other = ^(Connection (?:closed|reset)|Disconnected) (?:by|from)%(__authng_user)s %(__on_port_opt)s\s+\[preauth\]\s*$ + ^(Connection (?:closed|reset)|Disconnected) (?:by|from)%(__authng_user)s (?:%(__on_port_opt)s|\s*)$ mdre-extra = ^Received disconnect from %(__on_port_opt)s:\s*14: No(?: supported)? authentication methods available ^Unable to negotiate with %(__on_port_opt)s: no matching <__alg_match> found. diff --git a/fail2ban/server/server.py b/fail2ban/server/server.py index fcd04a4b0..3853bbc4c 100644 --- a/fail2ban/server/server.py +++ b/fail2ban/server/server.py @@ -391,7 +391,7 @@ class Server: if isinstance(filter_, FileFilter): return filter_.getLogPaths() else: # pragma: systemd no cover - logSys.info("Jail %s is not a FileFilter instance" % name) + logSys.debug("Jail %s is not a FileFilter instance" % name) return [] def addJournalMatch(self, name, match): # pragma: systemd no cover @@ -409,7 +409,7 @@ class Server: if isinstance(filter_, JournalFilter): return filter_.getJournalMatch() else: - logSys.info("Jail %s is not a JournalFilter instance" % name) + logSys.debug("Jail %s is not a JournalFilter instance" % name) return [] def setLogEncoding(self, name, encoding): diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd index 5d23f96f5..99c3756b8 100644 --- a/fail2ban/tests/files/logs/sshd +++ b/fail2ban/tests/files/logs/sshd @@ -315,6 +315,11 @@ Feb 17 17:40:17 sshd[19725]: error: kex_exchange_identification: client sent inv # failJSON: { "time": "2005-02-17T17:40:18", "match": true , "host": "192.0.2.10", "desc": "ddos: flood attack vector, gh-2850" } Feb 17 17:40:18 sshd[19725]: error: kex_exchange_identification: Connection closed by remote host +# failJSON: { "match": false } +Mar 1 18:59:33 hostname sshd[1189575]: error: kex_exchange_identification: banner line too long +# failJSON: { "time": "2005-03-01T18:59:33", "match": true , "host": "192.0.2.12", "desc": "ddos: port scanner, https payload on ssh port (banner exchange: invalid format, gh-3169)" } +Mar 1 18:59:33 hostname sshd[1189575]: banner exchange: Connection from 192.0.2.12 port 44105: invalid format + # failJSON: { "time": "2005-03-15T09:21:01", "match": true , "host": "192.0.2.212", "desc": "DDOS mode causes failure on close within preauth stage" } Mar 15 09:21:01 host sshd[2717]: Connection closed by 192.0.2.212 [preauth] # failJSON: { "time": "2005-03-15T09:21:02", "match": true , "host": "192.0.2.212", "desc": "DDOS mode causes failure on close within preauth stage" } @@ -328,6 +333,18 @@ Jun 6 04:17:04 host sshd[1189074]: Invalid user from 192.0.2.68 port 34916 # failJSON: { "time": "2005-06-06T04:17:09", "match": true , "host": "192.0.2.68", "dns": null, "user": "", "desc": "empty user, gh-2749" } Jun 6 04:17:09 host sshd[1189074]: Connection closed by invalid user 192.0.2.68 port 34916 [preauth] +# failJSON: { "match": false, "desc": "ddos-failure without IP, retarded, must be triggered with next (closed) message, gh-3086"} +Jun 7 04:10:35 host sshd[424228]: error: kex_exchange_identification: Connection closed by remote host +# failJSON: { "time": "2005-06-07T04:10:35", "match": true , "host": "192.0.2.15", "desc": "kex_exchange_identification: Connection closed, gh-3086" } +Jun 7 04:10:35 host sshd[424228]: Connection closed by 192.0.2.15 port 35352 + +# failJSON: { "match": false } +Jun 7 04:29:10 host sshd[649921]: Connection from 192.0.2.16 port 51280 on 192.0.2.16 port 22 rdomain "" +# failJSON: { "time": "2005-06-07T04:29:10", "match": true, "host": "192.0.2.16", "desc": "ddos-failure without IP, must be triggered here because it became known above, gh-3086"} +Jun 7 04:29:10 host sshd[649921]: error: kex_exchange_identification: read: Connection reset by peer +# failJSON: { "match": false, "desc": "Connection reset already triggered above (known IP, no-fail helper unused here)" } +Jun 7 04:29:10 host sshd[649921]: Connection reset by 192.0.2.16 port 51280 + # filterOptions: [{"mode": "extra"}, {"mode": "aggressive"}] # several other cases from gh-864: diff --git a/files/fail2ban-openrc.conf b/files/fail2ban-openrc.conf new file mode 100644 index 000000000..9454ef688 --- /dev/null +++ b/files/fail2ban-openrc.conf @@ -0,0 +1,2 @@ +# For available options, plase run "fail2ban-server --help". +#FAIL2BAN_OPTIONS="-x" diff --git a/files/fail2ban-openrc.init.in b/files/fail2ban-openrc.init.in new file mode 100755 index 000000000..2c56ee3a7 --- /dev/null +++ b/files/fail2ban-openrc.init.in @@ -0,0 +1,86 @@ +#!/sbin/openrc-run +# This file is part of Fail2Ban. +# +# Fail2Ban is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# Fail2Ban is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Fail2Ban; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# Author: Sireyessire, Cyril Jaquier +# + +description="Ban hosts that cause multiple authentication errors" +description_reload="reload configuration without dropping bans" +extra_started_commands="reload" + +# Can't (and shouldn't) be changed by the end-user. +# +# Note that @BINDIR@ is already supplied by the build system. Some +# day, it might be nice to have @RUNDIR@ supplied by the build system +# as well, so that we don't have to hard-code /run here. +FAIL2BAN_RUNDIR="/run/${RC_SVCNAME}" +FAIL2BAN_SOCKET="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.sock" + +# The fail2ban-client program is also capable of starting and stopping +# the server, but things are simpler if we let start-stop-daemon do it. +command="@BINDIR@/fail2ban-server" +pidfile="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.pid" + +# We force the pidfile/socket location in this service script because +# we're taking responsibility for ensuring that their parent directory +# exists and has the correct permissions (which we can't do if the +# user is allowed to change them). +command_args="${FAIL2BAN_OPTIONS} -p ${pidfile} -s ${FAIL2BAN_SOCKET}" +retry="30" + +depend() { + use logger + after iptables +} + +checkconfig() { + "${command}" ${command_args} --test +} + +start_pre() { + # If this isn't a restart, make sure that the user's config isn't + # busted before we try to start the daemon (this will produce + # better error messages than if we just try to start it blindly). + # + # If, on the other hand, this *is* a restart, then the stop_pre + # action will have ensured that the config is usable and we don't + # need to do that again. + if [ "${RC_CMD}" != "restart" ] ; then + checkconfig || return $? + fi + checkpath -d "${FAIL2BAN_RUNDIR}" +} + +stop_pre() { + # If this is a restart, check to make sure the user's config + # isn't busted before we stop the running daemon. + if [ "${RC_CMD}" = "restart" ] ; then + checkconfig || return $? + fi +} + +reload() { + # The fail2ban-client uses an undocumented protocol to tell + # the server to reload(), so we have to use it here rather + # than e.g. sending a signal to the server daemon. Note that + # the reload will fail (on the server side) if the new config + # is invalid; we therefore don't need to test it ourselves + # with checkconfig() before initiating the reload. + ebegin "Reloading ${RC_SVCNAME}" + "@BINDIR@/fail2ban-client" ${command_args} reload + eend $? "Failed to reload ${RC_SVCNAME}" +} diff --git a/files/gentoo-confd b/files/gentoo-confd deleted file mode 100644 index 00d19f8bb..000000000 --- a/files/gentoo-confd +++ /dev/null @@ -1,8 +0,0 @@ -# Config file for /etc/init.d/fail2ban -# -# For information on options, see "/usr/bin/fail2ban-client -h". - -FAIL2BAN_OPTIONS="" - -# Force execution of the server even if the socket already exists: -#FAIL2BAN_OPTIONS="-x" diff --git a/files/gentoo-initd b/files/gentoo-initd deleted file mode 100755 index 0fb157cda..000000000 --- a/files/gentoo-initd +++ /dev/null @@ -1,60 +0,0 @@ -#!/sbin/openrc-run -# This file is part of Fail2Ban. -# -# Fail2Ban is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# Fail2Ban is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with Fail2Ban; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -# -# Author: Sireyessire, Cyril Jaquier -# - -description="Daemon to ban hosts that cause multiple authentication errors" -description_reload="reload configuration" -description_showlog="show fail2ban logs" -extra_started_commands="reload showlog" - -FAIL2BAN="/usr/bin/fail2ban-client ${FAIL2BAN_OPTIONS}" - -depend() { - need net - need logger - after iptables -} - -start() { - ebegin "Starting fail2ban" - mkdir -p /var/run/fail2ban || return 1 - # remove stalled sock file after system crash - # bug 347477 - rm -f /var/run/fail2ban/fail2ban.sock || return 1 - start-stop-daemon --start --pidfile /var/run/fail2ban/fail2ban.pid \ - -- ${FAIL2BAN} start - eend $? "Failed to start fail2ban" -} - -stop() { - ebegin "Stopping fail2ban" - start-stop-daemon --stop --pidfile /var/run/fail2ban/fail2ban.pid --retry 30 \ - -- ${FAIL2BAN} stop - eend $? "Failed to stop fail2ban" -} - -reload() { - ebegin "Reloading fail2ban" - ${FAIL2BAN} reload - eend $? "Failed to reload fail2ban" -} - -showlog(){ - less /var/log/fail2ban.log -} diff --git a/setup.py b/setup.py index 98413273c..91f71cf23 100755 --- a/setup.py +++ b/setup.py @@ -89,24 +89,27 @@ class install_scripts_f2b(install_scripts): if install_dir.startswith(root): install_dir = install_dir[len(root):] except: # pragma: no cover - print('WARNING: Cannot find root-base option, check the bin-path to fail2ban-scripts in "fail2ban.service".') - print('Creating %s/fail2ban.service (from fail2ban.service.in): @BINDIR@ -> %s' % (buildroot, install_dir)) - with open(os.path.join(source_dir, 'files/fail2ban.service.in'), 'r') as fn: - lines = fn.readlines() - fn = None - if not dry_run: - fn = open(os.path.join(buildroot, 'fail2ban.service'), 'w') - try: - for ln in lines: - ln = re.sub(r'@BINDIR@', lambda v: install_dir, ln) - if dry_run: - sys.stdout.write(' | ' + ln) - continue - fn.write(ln) - finally: - if fn: fn.close() - if dry_run: - print(' `') + print('WARNING: Cannot find root-base option, check the bin-path to fail2ban-scripts in "fail2ban.service" and "fail2ban-openrc.init".') + + scripts = ['fail2ban.service', 'fail2ban-openrc.init'] + for script in scripts: + print('Creating %s/%s (from %s.in): @BINDIR@ -> %s' % (buildroot, script, script, install_dir)) + with open(os.path.join(source_dir, 'files/%s.in' % script), 'r') as fn: + lines = fn.readlines() + fn = None + if not dry_run: + fn = open(os.path.join(buildroot, script), 'w') + try: + for ln in lines: + ln = re.sub(r'@BINDIR@', lambda v: install_dir, ln) + if dry_run: + sys.stdout.write(' | ' + ln) + continue + fn.write(ln) + finally: + if fn: fn.close() + if dry_run: + print(' `') # Wrapper to specify fail2ban own options: