Merge branch '0.11'

2022-01-18 16:17:49 +01:00 · 2022-01-18 16:17:49 +01:00 · 970573d1cb
parent 095aeda840 35d73d9758
commit 970573d1cb
9 changed files with 135 additions and 93 deletions
--- a/4
+++ b/4
@ -393,8 +393,8 @@ files/fail2ban.service.in
 files/fail2ban-tmpfiles.conf
 files/fail2ban.upstart
 files/gen_badbots
-files/gentoo-confd
+files/fail2ban-openrc.conf
-files/gentoo-initd
+files/fail2ban-openrc.init.in
 files/ipmasq-ZZZzzz_fail2ban.rul
 files/logwatch/fail2ban
 files/logwatch/fail2ban-0.8.log
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@ -68,15 +68,17 @@ cmnfailed = <cmnfailed-<publickey>>
 mdre-normal =
 # used to differentiate "connection closed" with and without `[preauth]` (fail/nofail cases in ddos mode)
-mdre-normal-other = ^<F-NOFAIL><F-MLFFORGET>(Connection closed|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)%(__authng_user)s <HOST>(?:%(__suff)s|\s*)$
+mdre-normal-other = ^<F-NOFAIL><F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)%(__authng_user)s <HOST>(?:%(__suff)s|\s*)$
 mdre-ddos = ^Did not receive identification string from <HOST>
-            ^kex_exchange_identification: (?:[Cc]lient sent invalid protocol identifier|[Cc]onnection closed by remote host)
+            ^kex_exchange_identification: (?:read: )?(?:[Cc]lient sent invalid protocol identifier|[Cc]onnection (?:closed by remote host|reset by peer))
            ^Bad protocol version identification '.*' from <HOST>
            ^<F-NOFAIL>SSH: Server;Ltype:</F-NOFAIL> (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+:
            ^Read from socket failed: Connection <F-MLFFORGET>reset</F-MLFFORGET> by peer
-# same as mdre-normal-other, but as failure (without <F-NOFAIL>) and [preauth] only:
+            ^banner exchange: Connection from <HOST><__on_port_opt>: invalid format
 # same as mdre-normal-other, but as failure (without <F-NOFAIL> with [preauth] and with <F-NOFAIL> on no preauth phase as helper to identify address):
 mdre-ddos-other = ^<F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET> (?:by|from)%(__authng_user)s <HOST>%(__on_port_opt)s\s+\[preauth\]\s*$
                  ^<F-NOFAIL><F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)%(__authng_user)s <HOST>(?:%(__on_port_opt)s|\s*)$
 mdre-extra = ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*14: No(?: supported)? authentication methods available
            ^Unable to negotiate with <HOST>%(__on_port_opt)s: no matching <__alg_match> found.
--- a/fail2ban/server/server.py
+++ b/fail2ban/server/server.py
@ -391,7 +391,7 @@ class Server:
 		if isinstance(filter_, FileFilter):
 			return filter_.getLogPaths()
 		else: # pragma: systemd no cover
-			logSys.info("Jail %s is not a FileFilter instance" % name)
+			logSys.debug("Jail %s is not a FileFilter instance" % name)
 			return []
 	def addJournalMatch(self, name, match): # pragma: systemd no cover
@ -409,7 +409,7 @@ class Server:
 		if isinstance(filter_, JournalFilter):
 			return filter_.getJournalMatch()
 		else:
-			logSys.info("Jail %s is not a JournalFilter instance" % name)
+			logSys.debug("Jail %s is not a JournalFilter instance" % name)
 			return []
 	def setLogEncoding(self, name, encoding):
--- a/fail2ban/tests/files/logs/sshd
+++ b/fail2ban/tests/files/logs/sshd
@ -315,6 +315,11 @@ Feb 17 17:40:17 sshd[19725]: error: kex_exchange_identification: client sent inv
 # failJSON: { "time": "2005-02-17T17:40:18", "match": true , "host": "192.0.2.10", "desc": "ddos: flood attack vector, gh-2850" }
 Feb 17 17:40:18 sshd[19725]: error: kex_exchange_identification: Connection closed by remote host
 # failJSON: { "match": false }
 Mar  1 18:59:33 hostname sshd[1189575]: error: kex_exchange_identification: banner line too long
 # failJSON: { "time": "2005-03-01T18:59:33", "match": true , "host": "192.0.2.12", "desc": "ddos: port scanner, https payload on ssh port (banner exchange: invalid format, gh-3169)" }
 Mar  1 18:59:33 hostname sshd[1189575]: banner exchange: Connection from 192.0.2.12 port 44105: invalid format
 # failJSON: { "time": "2005-03-15T09:21:01", "match": true , "host": "192.0.2.212", "desc": "DDOS mode causes failure on close within preauth stage" }
 Mar 15 09:21:01 host sshd[2717]: Connection closed by 192.0.2.212 [preauth]
 # failJSON: { "time": "2005-03-15T09:21:02", "match": true , "host": "192.0.2.212", "desc": "DDOS mode causes failure on close within preauth stage" }
@ -328,6 +333,18 @@ Jun  6 04:17:04 host sshd[1189074]: Invalid user  from 192.0.2.68 port 34916
 # failJSON: { "time": "2005-06-06T04:17:09", "match": true , "host": "192.0.2.68", "dns": null, "user": "", "desc": "empty user, gh-2749" }
 Jun  6 04:17:09 host sshd[1189074]: Connection closed by invalid user  192.0.2.68 port 34916 [preauth]
 # failJSON: { "match": false, "desc": "ddos-failure without IP, retarded, must be triggered with next (closed) message, gh-3086"}
 Jun  7 04:10:35 host sshd[424228]: error: kex_exchange_identification: Connection closed by remote host
 # failJSON: { "time": "2005-06-07T04:10:35", "match": true , "host": "192.0.2.15", "desc": "kex_exchange_identification: Connection closed, gh-3086" }
 Jun  7 04:10:35 host sshd[424228]: Connection closed by 192.0.2.15 port 35352
 # failJSON: { "match": false }
 Jun  7 04:29:10 host sshd[649921]: Connection from 192.0.2.16 port 51280 on 192.0.2.16 port 22 rdomain ""
 # failJSON: { "time": "2005-06-07T04:29:10", "match": true, "host": "192.0.2.16", "desc": "ddos-failure without IP, must be triggered here because it became known above, gh-3086"}
 Jun  7 04:29:10 host sshd[649921]: error: kex_exchange_identification: read: Connection reset by peer
 # failJSON: { "match": false, "desc": "Connection reset already triggered above (known IP, no-fail helper unused here)" }
 Jun  7 04:29:10 host sshd[649921]: Connection reset by 192.0.2.16 port 51280
 # filterOptions: [{"mode": "extra"}, {"mode": "aggressive"}]
 # several other cases from gh-864:
--- a/files/fail2ban-openrc.conf
+++ b/files/fail2ban-openrc.conf
@ -0,0 +1,2 @@
 # For available options, plase run "fail2ban-server --help".
 #FAIL2BAN_OPTIONS="-x"
--- a/files/fail2ban-openrc.init.in
+++ b/files/fail2ban-openrc.init.in
@ -0,0 +1,86 @@
 #!/sbin/openrc-run
 # This file is part of Fail2Ban.
 #
 # Fail2Ban is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2 of the License, or
 # (at your option) any later version.
 #
 # Fail2Ban is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with Fail2Ban; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 #
 # Author: Sireyessire, Cyril Jaquier
 #
 description="Ban hosts that cause multiple authentication errors"
 description_reload="reload configuration without dropping bans"
 extra_started_commands="reload"
 # Can't (and shouldn't) be changed by the end-user.
 #
 # Note that @BINDIR@ is already supplied by the build system. Some
 # day, it might be nice to have @RUNDIR@ supplied by the build system
 # as well, so that we don't have to hard-code /run here.
 FAIL2BAN_RUNDIR="/run/${RC_SVCNAME}"
 FAIL2BAN_SOCKET="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.sock"
 # The fail2ban-client program is also capable of starting and stopping
 # the server, but things are simpler if we let start-stop-daemon do it.
 command="@BINDIR@/fail2ban-server"
 pidfile="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.pid"
 # We force the pidfile/socket location in this service script because
 # we're taking responsibility for ensuring that their parent directory
 # exists and has the correct permissions (which we can't do if the
 # user is allowed to change them).
 command_args="${FAIL2BAN_OPTIONS} -p ${pidfile} -s ${FAIL2BAN_SOCKET}"
 retry="30"
 depend() {
 	use logger
 	after iptables
 }
 checkconfig() {
    "${command}" ${command_args} --test
 }
 start_pre() {
 	# If this isn't a restart, make sure that the user's config isn't
 	# busted before we try to start the daemon (this will produce
 	# better error messages than if we just try to start it blindly).
 	#
 	# If, on the other hand, this *is* a restart, then the stop_pre
 	# action will have ensured that the config is usable and we don't
 	# need to do that again.
 	if [ "${RC_CMD}" != "restart" ] ; then
 		checkconfig || return $?
 	fi
 	checkpath -d "${FAIL2BAN_RUNDIR}"
 }
 stop_pre() {
 	# If this is a restart, check to make sure the user's config
 	# isn't busted before we stop the running daemon.
 	if [ "${RC_CMD}" = "restart" ] ; then
 		checkconfig || return $?
 	fi
 }
 reload() {
 	# The fail2ban-client uses an undocumented protocol to tell
 	# the server to reload(), so we have to use it here rather
 	# than e.g. sending a signal to the server daemon. Note that
 	# the reload will fail (on the server side) if the new config
 	# is invalid; we therefore don't need to test it ourselves
 	# with checkconfig() before initiating the reload.
 	ebegin "Reloading ${RC_SVCNAME}"
 	"@BINDIR@/fail2ban-client" ${command_args} reload
 	eend $? "Failed to reload ${RC_SVCNAME}"
 }
--- a/files/gentoo-confd
+++ b/files/gentoo-confd
@ -1,8 +0,0 @@
 # Config file for /etc/init.d/fail2ban
 #
 # For information on options, see "/usr/bin/fail2ban-client -h".
 FAIL2BAN_OPTIONS=""
 # Force execution of the server even if the socket already exists:
 #FAIL2BAN_OPTIONS="-x"
--- a/files/gentoo-initd
+++ b/files/gentoo-initd
@ -1,60 +0,0 @@
 #!/sbin/openrc-run
 # This file is part of Fail2Ban.
 #
 # Fail2Ban is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2 of the License, or
 # (at your option) any later version.
 #
 # Fail2Ban is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with Fail2Ban; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 #
 # Author: Sireyessire, Cyril Jaquier
 #
 description="Daemon to ban hosts that cause multiple authentication errors"
 description_reload="reload configuration"
 description_showlog="show fail2ban logs"
 extra_started_commands="reload showlog"
 FAIL2BAN="/usr/bin/fail2ban-client ${FAIL2BAN_OPTIONS}"
 depend() {
 	need net
 	need logger
 	after iptables
 }
 start() {
 	ebegin "Starting fail2ban"
 	mkdir -p /var/run/fail2ban || return 1
 	# remove stalled sock file after system crash
 	# bug 347477
 	rm -f /var/run/fail2ban/fail2ban.sock || return 1
 	start-stop-daemon --start --pidfile /var/run/fail2ban/fail2ban.pid \
 	-- ${FAIL2BAN} start
 	eend $? "Failed to start fail2ban"
 }
 stop() {
 	ebegin "Stopping fail2ban"
 	start-stop-daemon --stop --pidfile /var/run/fail2ban/fail2ban.pid --retry 30 \
 	-- ${FAIL2BAN} stop
 	eend $? "Failed to stop fail2ban"
 }
 reload() {
 	ebegin "Reloading fail2ban"
 	${FAIL2BAN} reload
 	eend $? "Failed to reload fail2ban"
 }
 showlog(){
 	less /var/log/fail2ban.log
 }
--- a/setup.py
+++ b/setup.py
@ -89,24 +89,27 @@ class install_scripts_f2b(install_scripts):
 			if install_dir.startswith(root):
 				install_dir = install_dir[len(root):]
 		except: # pragma: no cover
-			print('WARNING: Cannot find root-base option, check the bin-path to fail2ban-scripts in "fail2ban.service".')
+			print('WARNING: Cannot find root-base option, check the bin-path to fail2ban-scripts in "fail2ban.service" and "fail2ban-openrc.init".')
-		print('Creating %s/fail2ban.service (from fail2ban.service.in): @BINDIR@ -> %s' % (buildroot, install_dir))
+
-		with open(os.path.join(source_dir, 'files/fail2ban.service.in'), 'r') as fn:
+		scripts = ['fail2ban.service', 'fail2ban-openrc.init']
-			lines = fn.readlines()
+		for script in scripts:
-		fn = None
+			print('Creating %s/%s (from %s.in): @BINDIR@ -> %s' % (buildroot, script, script, install_dir))
-		if not dry_run:
+			with open(os.path.join(source_dir, 'files/%s.in' % script), 'r') as fn:
-			fn = open(os.path.join(buildroot, 'fail2ban.service'), 'w')
+				lines = fn.readlines()
-		try:
+			fn = None
-			for ln in lines:
+			if not dry_run:
-				ln = re.sub(r'@BINDIR@', lambda v: install_dir, ln)
+				fn = open(os.path.join(buildroot, script), 'w')
-				if dry_run:
+			try:
-					sys.stdout.write(' | ' + ln)
+				for ln in lines:
-					continue
+					ln = re.sub(r'@BINDIR@', lambda v: install_dir, ln)
-				fn.write(ln)
+					if dry_run:
-		finally:
+						sys.stdout.write(' | ' + ln)
-			if fn: fn.close()
+						continue
-		if dry_run:
+					fn.write(ln)
-			print(' `')
+			finally:
 				if fn: fn.close()
 			if dry_run:
 				print(' `')
 # Wrapper to specify fail2ban own options:
		`@ -0,0 +1,2 @@`
							`# For available options, plase run "fail2ban-server --help".`
							`#FAIL2BAN_OPTIONS="-x"`