diff --git a/ChangeLog b/ChangeLog index 8174993a..f32a1858 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,7 +7,6 @@ Fail2Ban (version 0.9.0a2) 2014/??/?? ================================================================================ - ver. 0.9.0 (2014/??/??) - alpha ---------- @@ -76,21 +75,21 @@ configuration before relying on it. same jail -- use actname option to disambiguate. * Add honeypot email address to exim-spam filter as argument -ver. 0.8.12 (2013/12/XX) - things-can-only-get-better ------------ +ver. 0.8.12 (2014/01/XX) - things-can-only-get-better - IMPORTANT incompatible changes: + - Rename firewall-cmd-direct-new to firewallcmd-new to fit within jail name + name length. As per gh-395 + - mysqld-syslog-iptables jailname was too long. Renamed to mysqld-syslog. + Part of gh-447. - Fixes: - - Rename firewall-cmd-direct-new to firewall-cmd-new to fit within jail name - name length. As per gh-395 - allow for ",milliseconds" in the custom date format of proftpd.log - allow for ", referer ..." in apache-* filter for apache error logs. - allow for spaces at the beginning of kernel messages. Closes gh-448 - recidive jail to block all protocols. Closes gh-440. Thanks Ioan Indreias - smtps not a IANA standard and has been removed from Arch. Replaced with 465. Thanks Stefan. Closes gh-447 - - mysqld-syslog-iptables rule was too long. Part of gh-447. - add 'flushlogs' command to allow logrotation without clobbering logtarget settings. Closes gh-458, Debian bug #697333, Redhat bug #891798. - complain action - ensure where not matching other IPs in log sample. 
@@ -102,18 +101,19 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better send. This ensures that all data is sent before closing the connection. - Removed unnecessary reference to as yet undeclared $jail_name when checking a specific jail in nagios script. + - Filter dovecot reordered session and TLS items in regex with wider scope + for session characters. Thanks Ivo Truxa. Closes gh-586 + - A single bad failregex or command syntax in configuration files won't stop + fail2ban from starting. Thanks Tomasz Ciolek. Closes gh-585. - Enhancements: - - added firewallcmd-ipset action - long names on jails documented based on iptables limit of 30 less len("fail2ban-"). - remove indentation of name and loglevel while logging to SYSLOG to resolve syslog(-ng) parsing problems. Closes Debian bug #730202. - - added squid filter. Thanks Roman Gelfand. - updated check_fail2ban to return performance data for all jails. - filter apache-noscript now includes php cgi scripts. Thanks dani. Closes gh-503 - - added ufw action. Thanks Guilhem Lettron. lp-#701522 - exim-spam filter to match spamassassin log entry for option SAdevnull. Thanks Ivo Truxa. Closes gh-533 - filter.d/nsd.conf -- also amended Unix date template to match nsd format @@ -128,7 +128,7 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better - New Features: - filter.d/solid-pop3d -- added thanks to Jacques Lav!gnotte on mailinglist. - - Add filter for apache-modsecurity + - Add filter for apache-modsecurity. - filter.d/nsd.conf -- also amended Unix date template to match nsd format - Added openwebmail filter thanks Ivo Truxa. Closes gh-543 - Added filter for freeswitch. Thanks Jim and editors and authors of 
@@ -136,6 +136,15 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better - Added groupoffice filter thanks to logs from Merijn Schering. Closes gh-566 - Added filter for horde + - Added filter for squid. Thanks Roman Gelfand. + - Added filter for ejabberd-auth. + - Added filter.d/openwebmail filter thanks Ivo Truxa. Closes gh-543 + - Added filter.d/groupoffice filter thanks to logs from Merijn Schering. + Closes gh-566 + - Added action.d/badips. Thanks to Amy for making a nice API. + - Added firewallcmd-ipset action. + - Added ufw action. Thanks Guilhem Lettron. lp-#701522 + - Added blocklist_de action. ver. 0.8.11 (2013/11/13) - loves-unittests-and-tight-DoS-free-filter-regexes diff --git a/MANIFEST b/MANIFEST index a2103e59..7a997382 100644 --- a/MANIFEST +++ b/MANIFEST @@ -173,6 +173,7 @@ config/filter.d/common.conf config/filter.d/apache-auth.conf config/filter.d/apache-badbots.conf config/filter.d/apache-botsearch.conf +config/filter.d/apache-modsecurity.conf config/filter.d/apache-nohome.conf config/filter.d/apache-noscript.conf config/filter.d/apache-overflows.conf @@ -181,11 +182,15 @@ config/filter.d/counter-strike.conf config/filter.d/courier-auth.conf config/filter.d/courier-smtp.conf config/filter.d/cyrus-imap.conf +config/filter.d/ejabberd-auth.conf config/filter.d/exim.conf +config/filter.d/freeswitch.conf config/filter.d/gssftpd.conf config/filter.d/kerio.conf +config/filter.d/horde.conf config/filter.d/suhosin.conf config/filter.d/named-refused.conf +config/filter.d/nsd.conf config/filter.d/openwebmail.conf config/filter.d/pam-generic.conf config/filter.d/php-url-fopen.conf @@ -199,6 +204,7 @@ config/filter.d/pure-ftpd.conf config/filter.d/qmail.conf config/filter.d/sieve.conf config/filter.d/solid-pop3d.conf +config/filter.d/squid.conf config/filter.d/sshd.conf config/filter.d/sshd-ddos.conf config/filter.d/stunnel.conf 
@@ -231,9 +237,11 @@ config/filter.d/ejabberd-auth.conf config/filter.d/guacamole.conf config/filter.d/sendmail-spam.conf config/action.d/apf.conf +config/action.d/blocklist_de.conf config/action.d/osx-afctl.conf config/action.d/osx-ipfw.conf config/action.d/sendmail-common.conf +config/action.d/badips.conf config/action.d/bsd-ipfw.conf config/action.d/dummy.conf config/action.d/firewallcmd-new.conf @@ -268,6 +276,7 @@ config/action.d/sendmail-whois-lines.conf config/action.d/shorewall.conf config/action.d/xarf-login-attack.conf config/action.d/ufw.conf +config/fail2ban.conf doc/run-rootless.txt man/fail2ban-client.1 man/fail2ban.1 diff --git a/THANKS b/THANKS index 46dcd4c1..d983cf85 100644 --- a/THANKS +++ b/THANKS @@ -12,6 +12,7 @@ ache ag4ve (Shawn) Alasdair D. Campbell Amir Caspi +Amy Andrey G. Grozin Andy Fragen Arturo 'Buanzo' Busleiman @@ -85,6 +86,7 @@ TESTOVIK Tom Pike Tomas Pihl Tony Lawrence +Tomasz Ciolek Tyler Vaclav Misek Vincent Deffontaines diff --git a/bin/fail2ban-client b/bin/fail2ban-client index 6275d420..c8778849 100755 --- a/bin/fail2ban-client +++ b/bin/fail2ban-client @@ -137,6 +137,7 @@ class Fail2banClient: def __processCmd(self, cmd, showRet = True): beautifier = Beautifier() + ret = True for c in cmd: beautifier.setInputCmd(c) try: @@ -147,10 +148,10 @@ class Fail2banClient: if showRet: print beautifier.beautify(ret[1]) else: + ret = False logSys.error("NOK: " + `ret[1].args`) if showRet: print beautifier.beautifyError(ret[1]) - return False except socket.error: if showRet: logSys.error("Unable to contact server. Is it running?") @@ -159,7 +160,7 @@ class Fail2banClient: if showRet: logSys.error(e) return False - return True + return ret ## # Process a command line. diff --git a/config/action.d/badips.conf b/config/action.d/badips.conf new file mode 100644 index 00000000..4a5c0f97 --- /dev/null +++ b/config/action.d/badips.conf 
@@ -0,0 +1,19 @@ +# Fail2ban reporting to badips.com +# +# Note: This reports and IP only and does not actually ban traffic. Use +# another action in the same jail if you want bans to occur. +# +# Set the category to the appropriate value before use. +# +# To get see register and optional key to get personalised graphs see: +# http://www.badips.com/blog/personalized-statistics-track-the-attackers-of-all-your-servers-with-one-key + +[Definition] + +actionban = curl --fail --user-agent "fail2ban v0.8.12" http://www.badips.com/add// + +[Init] + +# Option: category +# Notes.: Values are from the list here: http://www.badips.com/get/categories +category = diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf index 0d64f5ed..a0c93834 100644 --- a/config/filter.d/dovecot.conf +++ b/config/filter.d/dovecot.conf @@ -10,7 +10,7 @@ before = common.conf _daemon = (auth|dovecot(-auth)?|auth-worker) failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(\s+user=\S*)?\s*$ - ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$ + ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?(, session=<\S+>)?\s*$ ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$ ignoreregex = 
diff --git a/fail2ban/tests/files/logs/dovecot b/fail2ban/tests/files/logs/dovecot index 2e44aeb3..164a24cc 100644 --- a/fail2ban/tests/files/logs/dovecot +++ b/fail2ban/tests/files/logs/dovecot @@ -42,3 +42,9 @@ Jul 02 13:49:32 hostname dovecot[442]: dovecot: auth(default): pam(account@MYSER # failJSON: { "time": "2005-04-19T05:22:20", "match": true , "host": "80.255.3.104" } Apr 19 05:22:20 vm5 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=informix rhost=80.255.3.104 + +# failJSON: { "time": "2005-01-13T20:51:05", "match": true , "host": "1.2.3.4" } +Jan 13 20:51:05 valhalla dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts in 178 secs): user=, method=PLAIN, rip=1.2.3.4, lip=1.1.2.2, session=<6brQWt/vCADDhP/+> +# failJSON: { "time": "2005-01-14T15:54:30", "match": true , "host": "1.2.3.4" } +Jan 14 15:54:30 valhalla dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=1.2.3.4, lip=1.1.2.2, TLS: Disconnected, session= + diff --git a/man/fail2ban-client.1 b/man/fail2ban-client.1 index 62ae0edd..7542d5be 100644 --- a/man/fail2ban-client.1 +++ b/man/fail2ban-client.1 @@ -1,12 +1,12 @@ -.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.40.4. -.TH FAIL2BAN-CLIENT "1" "November 2013" "fail2ban-client v0.8.11" "User Commands" +.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2. +.TH FAIL2BAN-CLIENT "1" "January 2014" "fail2ban-client v0.8.12" "User Commands" .SH NAME fail2ban-client \- configure and control the server .SH SYNOPSIS .B fail2ban-client [\fIOPTIONS\fR] \fI\fR .SH DESCRIPTION -Fail2Ban v0.8.11 reads log file that contains password failure report +Fail2Ban v0.8.12 reads log file that contains password failure report and bans the corresponding IP addresses using firewall rules. .SH OPTIONS .TP 
@@ -82,6 +82,10 @@ file .TP \fBget logtarget\fR gets logging target +.TP +\fBflushlogs\fR +flushes the logtarget if a file +and reopens it. For log rotation. .IP JAIL CONTROL .TP diff --git a/man/fail2ban-regex.1 b/man/fail2ban-regex.1 index e2c99565..1dec0860 100644 --- a/man/fail2ban-regex.1 +++ b/man/fail2ban-regex.1 @@ -1,5 +1,5 @@ -.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.40.4. -.TH FAIL2BAN-REGEX "1" "November 2013" "fail2ban-regex 0.8.11" "User Commands" +.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2. +.TH FAIL2BAN-REGEX "1" "January 2014" "fail2ban-regex 0.8.12" "User Commands" .SH NAME fail2ban-regex \- test Fail2ban "failregex" option .SH SYNOPSIS @@ -16,7 +16,7 @@ string a string representing a log line .TP filename -path to a log file (/var/log/auth.log) +path to a log file (\fI/var/log/auth.log\fP) .SS "REGEX:" .TP string diff --git a/man/fail2ban-server.1 b/man/fail2ban-server.1 index 147bdeaa..d2c7cf6f 100644 --- a/man/fail2ban-server.1 +++ b/man/fail2ban-server.1 @@ -1,12 +1,12 @@ -.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.40.4. -.TH FAIL2BAN-SERVER "1" "November 2013" "fail2ban-server v0.8.11" "User Commands" +.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2. +.TH FAIL2BAN-SERVER "1" "January 2014" "fail2ban-server v0.8.12" "User Commands" .SH NAME fail2ban-server \- start the server .SH SYNOPSIS .B fail2ban-server [\fIOPTIONS\fR] .SH DESCRIPTION -Fail2Ban v0.8.11 reads log file that contains password failure report +Fail2Ban v0.8.12 reads log file that contains password failure report and bans the corresponding IP addresses using firewall rules. .PP Only use this command for debugging purpose. Start the server with diff --git a/man/jail.conf.5 b/man/jail.conf.5 index 5101e3b8..dfcef468 100644 --- a/man/jail.conf.5 +++ b/man/jail.conf.5 
@@ -130,6 +130,8 @@ name of the filter -- filename of the filter in /etc/fail2ban/filter.d/ without .TP .B logpath filename(s) of the log files to be monitored. Globs -- paths containing * and ? or [0-9] -- can be used however only the files that exist at start up matching this glob pattern will be considered. + +Ensure syslog or the program that generates the log file isn't configured to compress repeated log messages to "\fI*last message repeated 5 time*s\fR" otherwise it will fail to detect. This is called \fIRepeatedMsgReduction\fR in rsyslog and should be \fIOff\fR. .TP .B action action(s) from \fI/etc/fail2ban/action.d/\fR without the \fI.conf\fR/\fI.local\fR extension. Arguments can be passed to actions to override the default values from the [Init] section in the action file. Arguments are specified by [name=value,name2=value]. Values can also be quoted. More that one action can be specified (in separate lines).
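
Review bot: the new ChangeLog entry in hunk @@ -102,18 +101,19 @@, "A single bad failregex or command syntax in configuration files won't stop fail2ban from starting", should say what happens to the affected jail (skipped entirely? started without the bad regex?) and where the error is reported, because an administrator reading this needs to understand that the service behind that jail is effectively unprotected until the configuration is fixed; tolerating the error must not read as the bad regex being accepted. The three entries removed from Enhancements in this hunk (firewallcmd-ipset, squid, ufw) reappear under New Features in the @@ -136 hunk, so nothing is lost there.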
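
Review bot: the ChangeLog hunk @@ -136,6 +136,15 @@ adds "Added filter.d/openwebmail filter thanks Ivo Truxa. Closes gh-543" and "Added filter.d/groupoffice filter thanks to logs from Merijn Schering. Closes gh-566", but both are already present a few lines above (the "Added openwebmail filter" context line at the end of the @@ -128 hunk and the "Added groupoffice filter" context line at the top of this one), so each now appears twice under New Features; drop one copy of each. The "filter.d/nsd.conf -- also amended Unix date template" line is likewise listed under both Enhancements and New Features; a consistency pass over the 0.8.12 section before tagging would be worthwhile.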
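
Review bot: the MANIFEST hunk @@ -181,11 +182,15 @@ adds config/filter.d/ejabberd-auth.conf, but the header of the later hunk @@ -231,9 +237,11 @@ shows that exact path as existing context in the old file, so MANIFEST will list it twice; remove the new copy. The same hunk also adds freeswitch.conf, horde.conf and nsd.conf without those files appearing anywhere in this diff (the same applies to blocklist_de.conf in the @@ -231 hunk and config/fail2ban.conf in the @@ -268 hunk), so confirm they exist in the tree before merging, otherwise MANIFEST refers to files that are not there.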
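
Review bot: in the THANKS hunk @@ -85,6 +86,7 @@ "Tomasz Ciolek" is inserted after "Tony Lawrence", but the surrounding entries (Tom Pike, Tomas Pihl, Tony Lawrence, Tyler) are in alphabetical order, so it belongs between "Tomas Pihl" and "Tony Lawrence".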
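
Review bot: the bin/fail2ban-client hunks @@ -137, @@ -147 and @@ -159 reuse the name `ret` for two different things, and the final `return ret` can report success after a failure. Inside the loop `ret` is the per-command server response (the context lines index it as `ret[1]`), so once a command fails and `ret = False` is set, the next successful command overwrites `ret` with its response tuple and the NOK is forgotten; and when the last command succeeds the function returns that tuple rather than a bool. Use a separate flag: `allOk = True` before the loop, `allOk = False` in the NOK branch, and `return allOk`. Removing `return False` also means the remaining commands in the batch keep executing after a rejected one, which appears to be the intent behind the gh-585 ChangeLog entry, but callers of __processCmd should be checked for assuming that a False return means nothing after the failing command ran.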
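
Review bot: in the new config/action.d/badips.conf the `actionban` URL reads `http://www.badips.com/add//` with nothing between the two trailing slashes where the category and the banned address (the `<ip>` tag, as in other fail2ban actions) must be substituted; if the tags were lost in this rendering that is fine, but if the file really reads this way every ban posts to an empty path. `category =` in [Init] is empty, so a jail that forgets to set it reports into an empty category instead of failing visibly; either give it a deliberate default or state in the comment that the action must not be used without overriding `category`. The header comments have typos: "This reports and IP only" should be "an IP", and "To get see register and optional key to get personalised graphs see:" needs rewording, e.g. "To register and obtain an optional key for personalised graphs, see:". Reports also go over plain http with a hard-coded user agent "fail2ban v0.8.12"; use https if the service offers it, and note that the version string has to be bumped each release.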
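
Review bot: the config/filter.d/dovecot.conf hunk swaps the order of the two optional trailers, so the regex now accepts only `..., TLS[...], session=<...>` and no longer `..., session=<...>, TLS[...]`, which the removed line did accept. If any Dovecot version logs session before TLS, those auth failures silently stop matching and go uncounted; either accept both orders or confirm against the test log that no existing sample uses the old order. Widening `session=<\w+>` to `session=<\S+>` is justified by the new sample token `6brQWt/vCADDhP/+`, which contains `/` and `+`.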
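
Review bot: in the fail2ban/tests/files/logs/dovecot hunk the second new sample ends in `TLS: Disconnected, session=` with no `<...>` token after it, which the new `(, session=<\S+>)?` alternative cannot match and `\s*$` then rejects; if the token was dropped in this rendering that is fine, otherwise the line's failJSON `"match": true` will fail. The first sample, with `session=<6brQWt/vCADDhP/+>`, is the one that exercises `\S+` over `\w+`. A sample in the old `session=<...>, TLS` order would guard the reordering in dovecot.conf against regressions. Both samples also show `user=` with no value, presumably the same rendering loss, which `( user=<\S*>,)?` tolerates anyway.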
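
Review bot: the new `flushlogs` entry in man/fail2ban-client.1 (hunk @@ -82,6 +82,10 @@) reads "flushes the logtarget if a file and reopens it. For log rotation.", which is hard to parse; since this file is help2man output the fix belongs in the client's help string, e.g. "if logtarget is a file, flush and reopen it (for use after log rotation)".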
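
Review bot: the new logpath paragraph in man/jail.conf.5 (hunk @@ -130,6 +130,8 @@) has a dangling "otherwise it will fail to detect" and stray asterisks inside the italic span `\fI*last message repeated 5 time*s\fR`; suggest: "Ensure syslog or the program writing the log file isn't configured to collapse repeated messages into \fIlast message repeated N times\fR, otherwise fail2ban sees one line instead of N failures and never reaches its retry threshold. In rsyslog this is \fIRepeatedMsgReduction\fR and should be \fIoff\fR." The unchanged context line "More that one action can be specified" also has a typo ("More than one").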