github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge commit '0.8.9-13-g39d32e0' into 0.9 

* commit '0.8.9-13-g39d32e0':
  Changelog for previous PR
  DOC: Changelog entry fro preceeding merge from Terence
  TST: Fix fail2ban.conf reader test for unreliable dictionary order
  failregex when roundcube log driver is set to 'syslog'
  fixed failregex line for roundcube 0.9+
  TST: test all stock jails to have actions and correctly specifying blocktype
  CFG: assure actions for all the jails
  BF: blocktype must be defined within [Init] -- adding [Init] section.  Close #232
  ENH: since it seems the default is to use file based logging, $syslog is in Should-{Start|Stop} like Debian https://github.com/fail2ban/fail2ban/blob/debian/debian/fail2ban.init
  ENH: opensuse script from opensuse: https://build.opensuse.org/package/view_file?expand=1&file=fail2ban.init&package=fail2ban&project=openSUSE%3AFactory

Conflicts:
	ChangeLog
	config/jail.conf
	testcases/clientreadertestcase.py -- had to "git show XXX | patch -p2" under tests/ 2 commits: 8a57ffd 7a4db4b
pull/272/head
Yaroslav Halchenko 2013-05-29 11:32:35 -04:00
parent 92188a462d 39d32e0352
commit a3161f59fa
7 changed files with 145 additions and 91 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
ChangeLog
View File

@ -44,9 +44,19 @@ code-review and minor additions from Yaroslav Halchenko.
ver. 0.8.10 (2013/XX/XXX) - NOT-YET-RELEASED ver. 0.8.10 (2013/XX/XXX) - NOT-YET-RELEASED
----------- -----------
- Fixes - Fixes:
Yaroslav Halchenko
* action.d/{route,shorewall}.conf - blocktype must be defined
within [Init]. Closes gh-232
- New Features - New Features
- Enhancements - Enhancements
Yaroslav Halchenko
* jail.conf -- assure all jails have actions and remove unused
ports specifications
Terence Namusonge
* config/filter.d/roundcube-auth.conf -- support roundcube 0.9+
Daniel Black
* files/suse-initd -- update to the copy from stock SUSE
ver. 0.8.9 (2013/05/13) - wanna-be-stable ver. 0.8.9 (2013/05/13) - wanna-be-stable
---------- ----------

2
config/action.d/route.conf
View File

@ -18,6 +18,8 @@
actionban = ip route add <blocktype> <ip> actionban = ip route add <blocktype> <ip>
actionunban = ip route del <blocktype> <ip> actionunban = ip route del <blocktype> <ip>
[Init]
# Option: blocktype # Option: blocktype
# Note: Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages. # Note: Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages.
# Values: STRING # Values: STRING

2
config/action.d/shorewall.conf
View File

@ -48,6 +48,8 @@ actionban = shorewall <blocktype> <ip>
# #
actionunban = shorewall allow <ip> actionunban = shorewall allow <ip>
[Init]
# Option: blocktype # Option: blocktype
# Note: This is what the action does with rules. # Note: This is what the action does with rules.
# See man page of shorewall for options that include drop, logdrop, reject, or logreject # See man page of shorewall for options that include drop, logdrop, reject, or logreject

4
config/filter.d/roundcube-auth.conf
View File

@ -1,6 +1,6 @@
# Fail2Ban configuration file for roundcube web server # Fail2Ban configuration file for roundcube web server
# #
# Author: Teodor Micu & Yaroslav Halchenko # Author: Teodor Micu & Yaroslav Halchenko & terence namusonge
# #
# #
@ -13,7 +13,7 @@
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = FAILED login for .*. from <HOST>\s*$ failregex = (FAILED login|Login failed) for .* from <HOST>\s*$
# Option: ignoreregex # Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored. # Notes.: regex to ignore. If this regex matches, the line is ignored.

34
fail2ban/tests/clientreadertestcase.py
View File

@ -280,10 +280,38 @@ class JailsReaderTest(unittest.TestCase):
# and warn on useDNS # and warn on useDNS
self.assertTrue(['set', j, 'usedns', 'warn'] in comm_commands) self.assertTrue(['set', j, 'usedns', 'warn'] in comm_commands)
self.assertTrue(['start', j] in comm_commands) self.assertTrue(['start', j] in comm_commands)
# last commands should be the 'start' commands # last commands should be the 'start' commands
self.assertEqual(comm_commands[-1][0], 'start') self.assertEqual(comm_commands[-1][0], 'start')
# TODO: make sure that all of the jails have actions assigned,
# otherwise it makes little to no sense for j in jails._JailsReader__jails:
actions = j._JailReader__actions
jail_name = j.getName()
# make sure that all of the jails have actions assigned,
# otherwise it makes little to no sense
self.assertTrue(len(actions),
msg="No actions found for jail %s" % jail_name)
# Test for presence of blocktype (in relation to gh-232)
for action in actions:
commands = action.convert()
file_ = action.getFile()
if '<blocktype>' in str(commands):
# Verify that it is among cInfo
self.assertTrue('blocktype' in action._ActionReader__cInfo)
# Verify that we have a call to set it up
blocktype_present = False
target_command = [ 'set', jail_name, 'setcinfo', file_, 'blocktype' ]
for command in commands:
if (len(command) > 5 and
command[:5] == target_command):
blocktype_present = True
continue
self.assertTrue(
blocktype_present,
msg="Found no %s command among %s"
% (target_command, str(commands)) )
def testConfigurator(self): def testConfigurator(self):
configurator = Configurator() configurator = Configurator()
@ -301,7 +329,7 @@ class JailsReaderTest(unittest.TestCase):
commands = configurator.getConfigStream() commands = configurator.getConfigStream()
# and there is logging information left to be passed into the # and there is logging information left to be passed into the
# server # server
self.assertEqual(commands, self.assertEqual(sorted(commands),
[['set', 'loglevel', 3], [['set', 'loglevel', 3],
['set', 'logtarget', '/var/log/fail2ban.log']]) ['set', 'logtarget', '/var/log/fail2ban.log']])

1
fail2ban/tests/files/logs/roundcube-auth
View File

@ -1 +1,2 @@
[22-Jan-2013 22:28:21 +0200]: FAILED login for user1 from 192.0.43.10 [22-Jan-2013 22:28:21 +0200]: FAILED login for user1 from 192.0.43.10
May 26 07:12:40 hamster roundcube: IMAP Error: Login failed for sales@example.com from 10.1.1.47

181
files/suse-initd Executable file → Normal file
View File

@ -1,103 +1,114 @@
#!/bin/sh #!/bin/sh
# #
# /etc/init.d/fail2ban
# and its symbolic link
# /usr/sbin/rcfail2ban
#
### BEGIN INIT INFO ### BEGIN INIT INFO
# Provides: fail2ban # Provides: fail2ban
# Required-Start: $syslog $remote_fs sendmail # Required-Start: $remote_fs $local_fs
# Required-Stop: $syslog $remote_fs # Should-Start: $syslog $time $network iptables
# Should-Stop: $time ypbind sendmail # Required-Stop: $remote_fs $local_fs
# Should-Stop: $syslog $time $network iptables
# Default-Start: 3 5 # Default-Start: 3 5
# Default-Stop: 0 1 2 6 # Default-Stop: 0 1 2 6
# Description: startup Fail2Ban # Pidfile: /var/run/fail2ban/fail2ban.pid
# Short-Description: Bans IPs with too many authentication failures
# Description: Start fail2ban to scan logfiles and ban IP addresses
# which make too many logfiles failures, and/or sent e-mails about
### END INIT INFO ### END INIT INFO
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/sbin:/usr/bin:/bin
FAIL2BAN_BIN=/usr/local/bin/fail2ban-client
FAIL2BAN_SERVER=/usr/local/bin/fail2ban-server
FAIL2BAN_SOCKET=/var/run/fail2ban/fail2ban.sock
test -x $FAIL2BAN_BIN || { echo "$FAIL2BAN_BIN not installed";
if [ "$1" = "stop" ]; then exit 0;
else exit 5; fi; }
# Check for existence of needed config file and read it # Check for missing binaries (stale symlinks should not happen)
FAIL2BAN_CONFIG=/etc/fail2ban/fail2ban.conf FAIL2BAN_CLI=/usr/bin/fail2ban-client
test -r $FAIL2BAN_CONFIG || { echo "$FAIL2BAN_CONFIG not existing"; test -x $FAIL2BAN_CLI || { echo "$FAIL2BAN_CLI not installed";
if [ "$1" = "stop" ]; then exit 0; if [ "$1" = "stop" ]; then exit 0;
else exit 6; fi; } else exit 5; fi; }
FAIL2BAN_SRV=/usr/bin/fail2ban-server
test -x $FAIL2BAN_SRV || { echo "$FAIL2BAN_SRV not installed";
if [ "$1" = "stop" ]; then exit 0;
else exit 5; fi; }
FAIL2BAN_CONFIG="/etc/sysconfig/fail2ban"
FAIL2BAN_SOCKET_DIR="/var/run/fail2ban"
FAIL2BAN_SOCKET="$FAIL2BAN_SOCKET_DIR/fail2ban.sock"
FAIL2BAN_PID="$FAIL2BAN_SOCKET_DIR/fail2ban.pid"
if [ -e $FAIL2BAN_CONFIG ]; then
. $FAIL2BAN_CONFIG
fi
. /etc/rc.status . /etc/rc.status
# Reset status of this service
rc_reset rc_reset
case "$1" in case "$1" in
start) start)
echo -n "Starting Fail2Ban " echo -n "Starting fail2ban "
# a cleanup workaround, since /etc/init.d/boot.local removes only.
# regular files, and not sockets
if test -e $FAIL2BAN_SOCKET; then
if ! lsof -n $FAIL2BAN_SOCKET &>/dev/null; then
rm $FAIL2BAN_SOCKET
fi
fi
/sbin/startproc $FAIL2BAN_BIN start &>/dev/null
rc_status -v
;;
stop)
echo -n "Shutting down Fail2ban "
/sbin/startproc $FAIL2BAN_BIN -q stop
rc_status -v
;;
try-restart|condrestart)
if test "$1" = "condrestart"; then
echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
fi
$0 status
if test $? = 0; then
$0 restart
else
rc_reset # Not running is not a failure.
fi
rc_status
;;
restart)
$0 stop
echo -n "-wait a minute "
i=60
while [ -e $FAIL2BAN_SOCKET ] && [ $i -gt 0 ]; do
sleep 1
i=$[$i-1]
echo -n "."
done
echo "."
$0 start
# Remember status and be quiet if [ ! -d $FAIL2BAN_SOCKET_DIR ]; then
rc_status mkdir -p $FAIL2BAN_SOCKET_DIR
;; fi
force-reload)
echo -n "Reload service Fail2ban " if [ -e $FAIL2BAN_SOCKET ]; then
/sbin/startproc $FAIL2BAN_BIN -q reload if ! lsof -n $FAIL2BAN_SOCKET &>/dev/null; then
rc_status -v rm $FAIL2BAN_SOCKET
;; fi
reload) fi
echo -n "Reload service Fail2ban " $FAIL2BAN_CLI -x -q $FAIL2BAN_OPTIONS start &>/dev/null 2>&1
/sbin/startproc $FAIL2BAN_BIN -q reload
rc_status -v rc_status -v
;; ;;
stop)
echo -n "Shutting down fail2ban "
## Stop daemon with built-in functionality 'stop'
/sbin/startproc -w $FAIL2BAN_CLI -q stop > /dev/null 2>&1
if [ -f $FAIL2BAN_SOCKET ]
then
echo "$FAIL2BAN_SOCKET not removed .. removing .."
rm $FAIL2BAN_SOCKET
fi
if [ -f $FAIL2BAN_PID ]
then
echo "$FAIL2BAN_PID not removed .. removing .."
rm $FAIL2BAN_PID
fi
rc_status -v
;;
try-restart|condrestart)
$0 status
if test $? = 0; then
$0 restart
else
rc_reset # Not running is not a failure.
fi
rc_status
;;
restart)
$0 stop
i=60
while [ -e $FAIL2BAN_SOCKET ] && [ $i -gt 0 ]; do
sleep 1
i=$[$i-1]
echo -n "."
done
$0 start
rc_status
;;
reload|force-reload)
echo -n "Reload service Fail2ban "
/sbin/startproc $FAIL2BAN_CLI -q reload > /dev/null 2>&1
rc_status -v
;;
status) status)
echo -n "Checking for service Fail2ban " echo -n "Checking for service fail2ban "
/sbin/checkproc $FAIL2BAN_SERVER /sbin/checkproc $FAIL2BAN_SRV
rc_status -v
;; rc_status -v
probe) ;;
test /etc/fail2ban/fail2ban.conf -nt /var/run/fail2ban.pid && echo reload
;;
*) *)
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}" echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
exit 1 exit 1
;; ;;
esac esac
rc_exit rc_exit