github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'upstream' into build 

* upstream:
  - Use 80 columns.
  - Fixed maxretry/findtime rate. Many thanks to Christos Psonis. Tracker #2019714.
  - Made the named-refused regex a bit less restrictive in order to match logs with "view". Thanks to Stephen Gildea.
  - Use timetuple instead of utctimetuple for ISO 8601. Maybe not a 100% correct fix but seems to work. Tracker #2500276.
  - Changed <HOST> template to be more restrictive. Debian bug #514163.
  - Added cyrus-imap and sieve filters. Thanks to Jan Wagner. Debian bug #513953.
  - Pull a commit from Yaroslav git repo. BF: addressing added bang to ssh log (closes: #512193).
  - Added missing semi-colon in the bind9 example. Thanks to Yaroslav Halchenko.
  - Added NetBSD ipfilter (ipf command) action. Thanks to Ed Ravin. Tracker #2484115.
  - Improved SASL filter. Thanks to Loic Pefferkorn. Tracker #2310410.
  - Added CPanel date format. Thanks to David Collins. Tracker #1967610.
  - Added nagios script. Thanks to Sebastian Mueller.
  - Removed print.
  - Removed begin-line anchor for "standard" timestamp. Fixed Debian bug #500824.
  - Remove socket file on startup is fail2ban crashed. Thanks to Detlef Reichelt.

Conflicts:

	config/filter.d/sshd.conf
	server/filter.py
debian-releases/squeeze
Yaroslav Halchenko 2009-07-09 00:55:57 -04:00
parent 3114418b1e fec4e7d286
commit a687363fff
33 changed files with 530 additions and 321 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

400
ChangeLog
View File

@ -1,109 +1,102 @@
__ _ _ ___ _ __ _ _ ___ _
/ _|__ _(_) |_ ) |__ __ _ _ _ / _|__ _(_) |_ ) |__ __ _ _ _
| _/ _` | | |/ /| '_ \/ _` | ' \ | _/ _` | | |/ /| '_ \/ _` | ' \
|_| \__,_|_|_/___|_.__/\__,_|_||_| |_| \__,_|_|_/___|_.__/\__,_|_||_|
============================================================= ================================================================================
Fail2Ban (version 0.8.4) 2008/??/?? Fail2Ban (version 0.8.4) 2009/02/??
============================================================= ================================================================================
ver. 0.8.4 (2008/??/??) - stable ver. 0.8.4 (2009/??/??) - stable
---------- ----------
- Merged patches from Debian package. Thanks to Yaroslav - Merged patches from Debian package. Thanks to Yaroslav Halchenko.
Halchenko. - Use current day and month instead of Jan 1st if both are not available in the
- Use current day and month instead of Jan 1st if both are log. Thanks to Andreas Itzchak Rehberg.
not available in the log. Thanks to Andreas Itzchak - Try to match the regex even if the line does not contain a valid date/time.
Rehberg. Described in Debian #491253. Thanks to Yaroslav Halchenko.
- Try to match the regex even if the line does not contain a
valid date/time. Described in Debian #491253. Thanks to
Yaroslav Halchenko.
- Added/improved filters and date formats. - Added/improved filters and date formats.
- Added actions to report abuse to ISP, DShield and - Added actions to report abuse to ISP, DShield and myNetWatchman. Thanks to
myNetWatchman. Thanks to Russell Odom. Russell Odom.
- Suse init script. Remove socket file on startup is fail2ban crashed. Thanks to
Detlef Reichelt.
- Removed begin-line anchor for "standard" timestamp. Fixed Debian bug #500824.
- Added nagios script. Thanks to Sebastian Mueller.
- Added CPanel date format. Thanks to David Collins. Tracker #1967610.
- Improved SASL filter. Thanks to Loic Pefferkorn. Tracker #2310410.
- Added NetBSD ipfilter (ipf command) action. Thanks to Ed Ravin. Tracker
#2484115.
- Added cyrus-imap and sieve filters. Thanks to Jan Wagner. Debian bug #513953.
- Changed <HOST> template to be more restrictive. Debian bug #514163.
- Use timetuple instead of utctimetuple for ISO 8601. Maybe not a 100% correct
fix but seems to work. Tracker #2500276.
- Made the named-refused regex a bit less restrictive in order to match logs
with "view". Thanks to Stephen Gildea.
- Fixed maxretry/findtime rate. Many thanks to Christos Psonis. Tracker
#2019714.
ver. 0.8.3 (2008/07/17) - stable ver. 0.8.3 (2008/07/17) - stable
---------- ----------
- Process failtickets as long as failmanager is not empty. - Process failtickets as long as failmanager is not empty.
- Added "pam-generic" filter and more configuration fixes. - Added "pam-generic" filter and more configuration fixes. Thanks to Yaroslav
Thanks to Yaroslav Halchenko. Halchenko.
- Fixed socket path in redhat and suse init script. Thanks to - Fixed socket path in redhat and suse init script. Thanks to Jim Wight.
Jim Wight. - Fixed PID file while started in daemon mode. Thanks to Christian Jobic who
- Fixed PID file while started in daemon mode. Thanks to submitted a similar patch.
Christian Jobic who submitted a similar patch.
- Fixed "fail2ban-client get <jail> logpath". Bug #1916986. - Fixed "fail2ban-client get <jail> logpath". Bug #1916986.
- Added gssftpd filter. Thanks to Kevin Zembower. - Added gssftpd filter. Thanks to Kevin Zembower.
- Added "Day/Month/Year Hour:Minute:Second" date template. - Added "Day/Month/Year Hour:Minute:Second" date template. Thanks to Dennis
Thanks to Dennis Winter. Winter.
- Fixed ignoreregex processing in fail2ban-client. Thanks to - Fixed ignoreregex processing in fail2ban-client. Thanks to René Berber.
René Berber.
- Added ISO 8601 date/time format. - Added ISO 8601 date/time format.
- Added and changed some logging level and messages. - Added and changed some logging level and messages.
- Added missing ignoreregex to filters. Thanks to Klaus - Added missing ignoreregex to filters. Thanks to Klaus Lehmann.
Lehmann. - Use poll instead of select in asyncore.loop. This should solve the "Unknown
- Use poll instead of select in asyncore.loop. This should error 514". Thanks to Michael Geiger and Klaus Lehmann.
solve the "Unknown error 514". Thanks to Michael Geiger and
Klaus Lehmann.
ver. 0.8.2 (2008/03/06) - stable ver. 0.8.2 (2008/03/06) - stable
---------- ----------
- Fixed named filter. Thanks to Yaroslav Halchenko - Fixed named filter. Thanks to Yaroslav Halchenko
- Fixed wrong path for apache-auth in jail.conf. Thanks to - Fixed wrong path for apache-auth in jail.conf. Thanks to Vincent Deffontaines
Vincent Deffontaines - Fixed timezone bug with epoch date template. Thanks to Michael Hanselmann
- Fixed timezone bug with epoch date template. Thanks to - Added "full line failregex" patch. Thanks to Yaroslav Halchenko. It will be
Michael Hanselmann possible to create stronger failregex against log injection
- Added "full line failregex" patch. Thanks to Yaroslav
Halchenko. It will be possible to create stronger failregex
against log injection
- Fixed ipfw action script. Thanks to Nick Munger - Fixed ipfw action script. Thanks to Nick Munger
- Removed date from logging message when using SYSLOG. Thanks - Removed date from logging message when using SYSLOG. Thanks to Iain Lea
to Iain Lea - Fixed "ignore IPs". Only the first value was taken into account. Thanks to
- Fixed "ignore IPs". Only the first value was taken into Adrien Clerc
account. Thanks to Adrien Clerc
- Moved socket to /var/run/fail2ban. - Moved socket to /var/run/fail2ban.
- Rewrote the communication server. - Rewrote the communication server.
- Refactoring. Reduced number of files. - Refactoring. Reduced number of files.
- Removed Python 2.4. Minimum required version is now Python - Removed Python 2.4. Minimum required version is now Python 2.3.
2.3.
- New log rotation detection algorithm. - New log rotation detection algorithm.
- Print monitored files in status. - Print monitored files in status.
- Create a PID file in /var/run/fail2ban/. Thanks to Julien - Create a PID file in /var/run/fail2ban/. Thanks to Julien Perez.
Perez. - Fixed "Feb 29" bug. Thanks to James Andrewartha who pointed this out. Thanks
- Fixed "Feb 29" bug. Thanks to James Andrewartha who pointed to Yaroslav Halchenko for the fix.
this out. Thanks to Yaroslav Halchenko for the fix. - "reload <jail>" reloads a single jail and the parameters in fail2ban.conf.
- "reload <jail>" reloads a single jail and the parameters in
fail2ban.conf.
- Added Mac OS/X startup script. Thanks to Bill Heaton. - Added Mac OS/X startup script. Thanks to Bill Heaton.
- Absorbed some Debian patches. Thanks to Yaroslav Halchenko. - Absorbed some Debian patches. Thanks to Yaroslav Halchenko.
- Replaced "echo" with "printf" in actions. Fix #1839673 - Replaced "echo" with "printf" in actions. Fix #1839673
- Replaced "reject" with "drop" in shorwall action. Fix - Replaced "reject" with "drop" in shorwall action. Fix #1854875
#1854875
- Fixed Debian bug #456567, #468477, #462060, #461426 - Fixed Debian bug #456567, #468477, #462060, #461426
- readline is now optional in fail2ban-client (not needed in - readline is now optional in fail2ban-client (not needed in fail2ban-server).
fail2ban-server).
ver. 0.8.1 (2007/08/14) - stable ver. 0.8.1 (2007/08/14) - stable
---------- ----------
- Fixed vulnerability in sshd.conf. Thanks to Daniel B. Cid - Fixed vulnerability in sshd.conf. Thanks to Daniel B. Cid
- Expand <HOST> in ignoreregex. Thanks to Yaroslav Halchenko - Expand <HOST> in ignoreregex. Thanks to Yaroslav Halchenko
- Improved regular expressions. Thanks to Yaroslav Halchenko - Improved regular expressions. Thanks to Yaroslav Halchenko and others
and others - Added sendmail actions. The action started with "mail" are now deprecated.
- Added sendmail actions. The action started with "mail" are Thanks to Raphaël Marichez
now deprecated. Thanks to Raphaël Marichez
- Added "ignoreregex" support to fail2ban-regex - Added "ignoreregex" support to fail2ban-regex
- Updated suse-initd and added it to MANIFEST. Thanks to - Updated suse-initd and added it to MANIFEST. Thanks to Christian Rauch
Christian Rauch - Tightening up the pid check in redhat-initd. Thanks to David Nutter
- Tightening up the pid check in redhat-initd. Thanks to - Added webmin authentication filter. Thanks to Guillaume Delvit
David Nutter - Removed textToDns() which is not required anymore. Thanks to Yaroslav
- Added webmin authentication filter. Thanks to Guillaume
Delvit
- Removed textToDns() which is not required anymore. Thanks
to Yaroslav Halchenko
- Added new action iptables-allports. Thanks to Yaroslav
Halchenko
- Added "named" date format to date detector. Thanks to
Yaroslav Halchenko
- Added filter file for named (bind9). Thanks to Yaroslav
Halchenko Halchenko
- Added new action iptables-allports. Thanks to Yaroslav Halchenko
- Added "named" date format to date detector. Thanks to Yaroslav Halchenko
- Added filter file for named (bind9). Thanks to Yaroslav Halchenko
- Fixed vsftpd filter. Thanks to Yaroslav Halchenko - Fixed vsftpd filter. Thanks to Yaroslav Halchenko
ver. 0.8.0 (2007/05/03) - stable ver. 0.8.0 (2007/05/03) - stable
@ -123,20 +116,17 @@ ver. 0.7.8 (2007/03/21) - release candidate
---------- ----------
- Fixed asctime pattern in datedetector.py - Fixed asctime pattern in datedetector.py
- Added new filters/actions. Thanks to Yaroslav Halchenko - Added new filters/actions. Thanks to Yaroslav Halchenko
- Added Suse init script and modified gentoo-initd. Thanks to - Added Suse init script and modified gentoo-initd. Thanks to Christian Rauch
Christian Rauch
- Moved every locking statements in a try..finally block - Moved every locking statements in a try..finally block
ver. 0.7.7 (2007/02/08) - release candidate ver. 0.7.7 (2007/02/08) - release candidate
---------- ----------
- Added signal handling in fail2ban-client - Added signal handling in fail2ban-client
- Added a wonderful visual effect when waiting on the server - Added a wonderful visual effect when waiting on the server
- fail2ban-client returns an error code if configuration is - fail2ban-client returns an error code if configuration is not valid
not valid
- Added new filters/actions. Thanks to Yaroslav Halchenko - Added new filters/actions. Thanks to Yaroslav Halchenko
- Call Python interpreter directly (instead of using "env") - Call Python interpreter directly (instead of using "env")
- Added file support to fail2ban-regex. Benchmark feature has - Added file support to fail2ban-regex. Benchmark feature has been removed
been removed
- Added cacti script and template. - Added cacti script and template.
- Added IP list in "status <JAIL>". Thanks to Eric Gerbier - Added IP list in "status <JAIL>". Thanks to Eric Gerbier
@ -146,60 +136,53 @@ ver. 0.7.6 (2007/01/04) - beta
- Use /dev/log for SYSLOG output. Thanks to Joerg Sommrey - Use /dev/log for SYSLOG output. Thanks to Joerg Sommrey
- Use numeric output for iptables in "actioncheck" - Use numeric output for iptables in "actioncheck"
- Fixed removal of host in hosts.deny. Thanks to René Berber - Fixed removal of host in hosts.deny. Thanks to René Berber
- Added new date format (2006-12-21 06:43:20) and Exim4 - Added new date format (2006-12-21 06:43:20) and Exim4 filter. Thanks to mEDI
filter. Thanks to mEDI - Several "failregex" and "ignoreregex" are now accepted. Creation of rules
- Several "failregex" and "ignoreregex" are now accepted. should be easier now.
Creation of rules should be easier now.
- Added license in COPYING. Thanks to Axel Thimm - Added license in COPYING. Thanks to Axel Thimm
- Allow comma in action options. The value of the option must - Allow comma in action options. The value of the option must be escaped with "
be escaped with " or '. Thanks to Yaroslav Halchenko or '. Thanks to Yaroslav Halchenko
- Now Fail2ban goes in /usr/share/fail2ban instead of - Now Fail2ban goes in /usr/share/fail2ban instead of /usr/lib/fail2ban. This is
/usr/lib/fail2ban. This is more compliant with FHS. Thanks more compliant with FHS. Thanks to Axel Thimm and Yaroslav Halchenko
to Axel Thimm and Yaroslav Halchenko
ver. 0.7.5 (2006/12/07) - beta ver. 0.7.5 (2006/12/07) - beta
---------- ----------
- Do not ban a host that is currently banned. Thanks to - Do not ban a host that is currently banned. Thanks to Yaroslav Halchenko
Yaroslav Halchenko - The supported tags in "action(un)ban" are <ip>, <failures> and <time>
- The supported tags in "action(un)ban" are <ip>, <failures>
and <time>
- Fixed refactoring bug (getLastcommand -> getLastAction) - Fixed refactoring bug (getLastcommand -> getLastAction)
- Added option "ignoreregex" in filter scripts and jail.conf. - Added option "ignoreregex" in filter scripts and jail.conf. Feature Request
Feature Request #1283304 #1283304
- Fixed a bug in user defined time regex/pattern - Fixed a bug in user defined time regex/pattern
- Improved documentation - Improved documentation
- Moved version.py and protocol.py to common/ - Moved version.py and protocol.py to common/
- Merged "maxtime" option with "findtime" - Merged "maxtime" option with "findtime"
- Added "<HOST>" tag support in failregex which matches - Added "<HOST>" tag support in failregex which matches default IP
default IP address/hostname. "(?P<host>\S)" is still valid address/hostname. "(?P<host>\S)" is still valid and supported
and supported - Fixed exception when calling fail2ban-server with unknown option
- Fixed exception when calling fail2ban-server with unknown - Fixed Debian bug 400162. The "socket" option is now handled correctly by
option fail2ban-client
- Fixed Debian bug 400162. The "socket" option is now handled
correctly by fail2ban-client
- Fixed RedHat init script. Thanks to Justin Shore - Fixed RedHat init script. Thanks to Justin Shore
- Changed timeout to 30 secondes before assuming the server - Changed timeout to 30 secondes before assuming the server cannot be started.
cannot be started. Thanks to Joël Bertrand Thanks to Joël Bertrand
ver. 0.7.4 (2006/11/01) - beta ver. 0.7.4 (2006/11/01) - beta
---------- ----------
- Improved configuration files. Thanks to Yaroslav Halchenko - Improved configuration files. Thanks to Yaroslav Halchenko
- Added man page for "fail2ban-regex" - Added man page for "fail2ban-regex"
- Moved ban/unban messages from "info" level to "warn" - Moved ban/unban messages from "info" level to "warn"
- Added "-s" option to specify the socket path and "socket" - Added "-s" option to specify the socket path and "socket" option in
option in "fail2ban.conf" "fail2ban.conf"
- Added "backend" option in "jail.conf" - Added "backend" option in "jail.conf"
- Added more filters/actions and jail samples. Thanks to Nick - Added more filters/actions and jail samples. Thanks to Nick Munger, Christoph
Munger, Christoph Haas Haas
- Improved testing framework - Improved testing framework
- Fixed a bug in the return code handling of the executed - Fixed a bug in the return code handling of the executed commands. Thanks to
commands. Thanks to Yaroslav Halchenko Yaroslav Halchenko
- Signal handling. There is a bug with join() and signal in - Signal handling. There is a bug with join() and signal in Python
Python
- Better debugging output for "fail2ban-regex" - Better debugging output for "fail2ban-regex"
- Added support for more date format - Added support for more date format
- cPickle does not work with Python 2.5. Use pickle instead - cPickle does not work with Python 2.5. Use pickle instead (performance is not
(performance is not a problem in our case) a problem in our case)
ver. 0.7.3 (2006/09/28) - beta ver. 0.7.3 (2006/09/28) - beta
---------- ----------
@ -219,15 +202,13 @@ ver. 0.7.2 (2006/09/10) - beta
- Improved client output - Improved client output
- Added more get/set commands - Added more get/set commands
- Added more configuration templates - Added more configuration templates
- Removed "logpath" and "maxretry" from filter templates. - Removed "logpath" and "maxretry" from filter templates. They must be defined
They must be defined in jail.conf now in jail.conf now
- Added interactive mode. Use "-i" - Added interactive mode. Use "-i"
- Added a date detector. "timeregex" and "timepattern" are no - Added a date detector. "timeregex" and "timepattern" are no more needed
more needed - Added "fail2ban-regex". This is a tool to help finding "failregex"
- Added "fail2ban-regex". This is a tool to help finding - Improved server communication. Start a new thread for each incoming request.
"failregex" Fail2ban is not really thread-safe yet
- Improved server communication. Start a new thread for each
incoming request. Fail2ban is not really thread-safe yet
ver. 0.7.1 (2006/08/23) - alpha ver. 0.7.1 (2006/08/23) - alpha
---------- ----------
@ -238,106 +219,91 @@ ver. 0.7.1 (2006/08/23) - alpha
ver. 0.7.0 (2006/08/23) - alpha ver. 0.7.0 (2006/08/23) - alpha
---------- ----------
- Almost a complete rewrite :) Fail2ban design is really - Almost a complete rewrite :) Fail2ban design is really better (IMHO). There is
better (IMHO). There is a lot of new features a lot of new features
- Client/Server architecture - Client/Server architecture
- Multithreading. Each jail has its own threads: one for the - Multithreading. Each jail has its own threads: one for the log reading and
log reading and another for the actions another for the actions
- Execute several actions - Execute several actions
- Split configuration files. They are more readable and easy - Split configuration files. They are more readable and easy to use
to use - failregex uses group (<host>) now. This feature was already present in the
- failregex uses group (<host>) now. This feature was already Debian package
present in the Debian package
- lots of things... - lots of things...
ver. 0.6.1 (2006/03/16) - stable ver. 0.6.1 (2006/03/16) - stable
---------- ----------
- Added permanent banning. Set banTime to a negative value to - Added permanent banning. Set banTime to a negative value to enable this
enable this feature (-1 is perfect). Thanks to Mannone feature (-1 is perfect). Thanks to Mannone
- Fixed locale bug. Thanks to Fernando José - Fixed locale bug. Thanks to Fernando José
- Fixed crash when time format does not match data - Fixed crash when time format does not match data
- Propagated patch from Debian to fix fail2ban search path - Propagated patch from Debian to fix fail2ban search path addition to the path
addition to the path search list: now it is added first. search list: now it is added first. Thanks to Nick Craig-Wood
Thanks to Nick Craig-Wood - Added SMTP authentification for mail notification. Thanks to Markus Hoffmann
- Added SMTP authentification for mail notification. Thanks
to Markus Hoffmann
- Removed debug mode as it is confusing for people - Removed debug mode as it is confusing for people
- Added parsing of timestamp in TAI64N format (#1275325). - Added parsing of timestamp in TAI64N format (#1275325). Thanks to Mark
Thanks to Mark Edgington Edgington
- Added patch #1382936 (Default formatted syslog logging). - Added patch #1382936 (Default formatted syslog logging). Thanks to Patrick
Thanks to Patrick B<>rjesson B<>rjesson
- Removed 192.168.0.0/16 from ignoreip. Attacks could also - Removed 192.168.0.0/16 from ignoreip. Attacks could also come from the local
come from the local network. network.
- Robust startup: if iptables module does not get fully - Robust startup: if iptables module does not get fully initialized after
initialized after startup of fail2ban, fail2ban will do startup of fail2ban, fail2ban will do "maxreinit" attempts to initialize its
"maxreinit" attempts to initialize its own firewall. It own firewall. It will sleep between attempts for "polltime" number of seconds
will sleep between attempts for "polltime" number of (closes Debian: #334272). Thanks to Yaroslav Halchenko
seconds (closes Debian: #334272). Thanks to Yaroslav - Added "interpolations" in fail2ban.conf. This is provided by the ConfigParser
Halchenko module. Old configuration files still work. Thanks to Yaroslav Halchenko
- Added "interpolations" in fail2ban.conf. This is provided - Added initial support for hosts.deny and shorewall. Need more testing. Please
by the ConfigParser module. Old configuration files still test. Thanks to kojiro from Gentoo forum for hosts.deny support
work. Thanks to Yaroslav Halchenko
- Added initial support for hosts.deny and shorewall. Need
more testing. Please test. Thanks to kojiro from Gentoo
forum for hosts.deny support
- Added support for vsftpd. Thanks to zugeschmiert - Added support for vsftpd. Thanks to zugeschmiert
ver. 0.6.0 (2005/11/20) - stable ver. 0.6.0 (2005/11/20) - stable
---------- ----------
- Propagated patches introduced by Debian maintainer - Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
(Yaroslav Halchenko): * Added an option to report local time (including timezone) or GMT in mail
* Added an option to report local time (including timezone) notification.
or GMT in mail notification.
ver. 0.5.5 (2005/10/26) - beta ver. 0.5.5 (2005/10/26) - beta
---------- ----------
- Propagated patches introduced by Debian maintainer - Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
(Yaroslav Halchenko): * Introduced fwcheck option to verify consistency of the chains. Implemented
* Introduced fwcheck option to verify consistency of the automatic restart of fail2ban main function in case check of fwban or
chains. Implemented automatic restart of fail2ban main fwunban command failed (closes: #329163, #331695). (Introduced patch was
function in case check of fwban or fwunban command failed further adjusted by upstream author).
(closes: #329163, #331695). (Introduced patch was further
adjusted by upstream author).
* Added -f command line parameter for [findtime]. * Added -f command line parameter for [findtime].
* Added a cleanup of firewall rules on emergency shutdown * Added a cleanup of firewall rules on emergency shutdown when unknown
when unknown exception is catched. exception is catched.
* Fail2ban should not crash now if a wrong file name is * Fail2ban should not crash now if a wrong file name is specified in config.
specified in config. * reordered code a bit so that log targets are setup right after background
* reordered code a bit so that log targets are setup right and then only loglevel (verbose, debug) is processed, so the warning could
after background and then only loglevel (verbose, debug) be seen in the logs
is processed, so the warning could be seen in the logs * Added a keyword <section> in parsing of the subject and the body of an email
* Added a keyword <section> in parsing of the subject and sent out by fail2ban (closes: #330311)
the body of an email sent out by fail2ban (closes:
#330311)
ver. 0.5.4 (2005/09/13) - beta ver. 0.5.4 (2005/09/13) - beta
---------- ----------
- Fixed bug #1286222. - Fixed bug #1286222.
- Propagated patches introduced by Debian maintainer - Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
(Yaroslav Halchenko): * Fixed handling of SYSLOG logging target. Now it can log to any SYSLOG target
* Fixed handling of SYSLOG logging target. Now it can log and facility as directed by the config
to any SYSLOG target and facility as directed by the
config
* Format of SYSLOG entries fixed to look closer to standard * Format of SYSLOG entries fixed to look closer to standard
* Fixed errata in config/gentoo-confd * Fixed errata in config/gentoo-confd
* Introduced findtime configuration variable to control the * Introduced findtime configuration variable to control the lifetime of caught
lifetime of caught "failed" log entries "failed" log entries
ver. 0.5.3 (2005/09/08) - beta ver. 0.5.3 (2005/09/08) - beta
---------- ----------
- Fixed a bug when overriding "maxfailures" or "bantime". - Fixed a bug when overriding "maxfailures" or "bantime". Thanks to Yaroslav
Thanks to Yaroslav Halchenko Halchenko
- Added more debug output if an error occurs when sending - Added more debug output if an error occurs when sending mail. Thanks to
mail. Thanks to Stephen Gildea Stephen Gildea
- Renamed "maxretry" to "maxfailures" and changed default - Renamed "maxretry" to "maxfailures" and changed default value to 5. Thanks to
value to 5. Thanks to Stephen Gildea Stephen Gildea
- Hopefully fixed bug #1256075 - Hopefully fixed bug #1256075
- Fixed bug #1262345 - Fixed bug #1262345
- Fixed exception handling in PIDLock - Fixed exception handling in PIDLock
- Removed warning when using "-V" or "-h" with no config - Removed warning when using "-V" or "-h" with no config file. Thanks to
file. Thanks to Yaroslav Halchenko Yaroslav Halchenko
- Removed "-i eth0" from config file. Thanks to Yaroslav - Removed "-i eth0" from config file. Thanks to Yaroslav Halchenko
Halchenko
ver. 0.5.2 (2005/08/06) - beta ver. 0.5.2 (2005/08/06) - beta
---------- ----------
@ -353,11 +319,9 @@ ver. 0.5.1 (2005/07/23) - beta
---------- ----------
- Fixed bugs #1241756, #1239557 - Fixed bugs #1241756, #1239557
- Added log targets in configuration file. Removed -l option - Added log targets in configuration file. Removed -l option
- Changed iptables rules in order to create a separated chain - Changed iptables rules in order to create a separated chain for each section
for each section
- Fixed static banList in firewall.py - Fixed static banList in firewall.py
- Added an initd script for Debian. Thanks to Yaroslav - Added an initd script for Debian. Thanks to Yaroslav Halchenko
Halchenko
- Check for obsolete files after install - Check for obsolete files after install
ver. 0.5.0 (2005/07/12) - beta ver. 0.5.0 (2005/07/12) - beta
@ -365,24 +329,22 @@ ver. 0.5.0 (2005/07/12) - beta
- Added support for CIDR mask in ignoreip - Added support for CIDR mask in ignoreip
- Added mail notification support - Added mail notification support
- Fixed bug #1234699 - Fixed bug #1234699
- Added tags replacement in rules definition. Should allow a - Added tags replacement in rules definition. Should allow a clean solution for
clean solution for Feature Request #1229479 Feature Request #1229479
- Removed "interface" and "firewall" options - Removed "interface" and "firewall" options
- Added start and end commands in the configuration file. - Added start and end commands in the configuration file. Thanks to Yaroslav
Thanks to Yaroslav Halchenko Halchenko
- Added firewall rules definition in the configuration file - Added firewall rules definition in the configuration file
- Cleaned fail2ban.py - Cleaned fail2ban.py
- Added an initd script for RedHat/Fedora. Thanks to Andrey - Added an initd script for RedHat/Fedora. Thanks to Andrey G. Grozin
G. Grozin
ver. 0.4.1 (2005/06/30) - stable ver. 0.4.1 (2005/06/30) - stable
---------- ----------
- Fixed textToDNS method which generated wrong matches for - Fixed textToDNS method which generated wrong matches for "rhost=12-xyz...".
"rhost=12-xyz...". Thanks to Tom Pike Thanks to Tom Pike
- fail2ban.conf modified for readability. Thanks to Iain Lea - fail2ban.conf modified for readability. Thanks to Iain Lea
- Added an initd script for Gentoo - Added an initd script for Gentoo
- Changed default PID lock file location from /tmp to - Changed default PID lock file location from /tmp to /var/run
/var/run
ver. 0.4.0 (2005/04/24) - stable ver. 0.4.0 (2005/04/24) - stable
---------- ----------
@ -398,8 +360,8 @@ ver. 0.3.1 (2005/03/31) - beta
ver. 0.3.0 (2005/02/24) - beta ver. 0.3.0 (2005/02/24) - beta
---------- ----------
- Re-writting of parts of the code in order to handle several - Re-writting of parts of the code in order to handle several log files with
log files with different rules different rules
- Removed sshd.py because it is no more needed - Removed sshd.py because it is no more needed
- Fixed a bug when exiting with IP in the ban list - Fixed a bug when exiting with IP in the ban list
- Added PID lock file - Added PID lock file
@ -409,26 +371,22 @@ ver. 0.3.0 (2005/02/24) - beta
ver. 0.1.2 (2004/11/21) - beta ver. 0.1.2 (2004/11/21) - beta
---------- ----------
- Add ipfw and ipfwadm support. The rules are taken from - Add ipfw and ipfwadm support. The rules are taken from BlockIt. Thanks to
BlockIt. Thanks to Robert Edeker Robert Edeker
- Add -e option which allows to set the interface. Thanks to - Add -e option which allows to set the interface. Thanks to Robert Edeker who
Robert Edeker who reminded me this reminded me this
- Small code cleaning - Small code cleaning
ver. 0.1.1 (2004/10/23) - beta ver. 0.1.1 (2004/10/23) - beta
---------- ----------
- Add SIGTERM handler in order to exit nicely when in daemon - Add SIGTERM handler in order to exit nicely when in daemon mode
mode - Add -r option which allows to set the maximum number of login failures
- Add -r option which allows to set the maximum number of - Remove the Metalog class as the log file are not so syslog daemon specific
login failures - Rewrite log reader to be service centered. Sshd support added. Match "Failed
- Remove the Metalog class as the log file are not so syslog password" and "Illegal user"
daemon specific
- Rewrite log reader to be service centered. Sshd support
added. Match "Failed password" and "Illegal user"
- Add /etc/fail2ban.conf configuration support - Add /etc/fail2ban.conf configuration support
- Code documentation - Code documentation
ver. 0.1.0 (2004/10/12) - alpha ver. 0.1.0 (2004/10/12) - alpha
---------- ----------
- Initial release - Initial release

94
README
View File

@ -1,21 +1,19 @@
__ _ _ ___ _ __ _ _ ___ _
/ _|__ _(_) |_ ) |__ __ _ _ _ / _|__ _(_) |_ ) |__ __ _ _ _
| _/ _` | | |/ /| '_ \/ _` | ' \ | _/ _` | | |/ /| '_ \/ _` | ' \
|_| \__,_|_|_/___|_.__/\__,_|_||_| |_| \__,_|_|_/___|_.__/\__,_|_||_|
============================================================= ================================================================================
Fail2Ban (version 0.8.4) 2008/??/?? Fail2Ban (version 0.8.4) 2009/??/??
============================================================= ================================================================================
Fail2Ban scans log files like /var/log/pwdfail and bans IP Fail2Ban scans log files like /var/log/pwdfail and bans IP that makes too many
that makes too many password failures. It updates firewall password failures. It updates firewall rules to reject the IP address. These
rules to reject the IP address. These rules can be defined by rules can be defined by the user. Fail2Ban can read multiple log files such as
the user. Fail2Ban can read multiple log files such as sshd sshd or Apache web server ones.
or Apache web server ones.
This README is a quick introduction to Fail2ban. More This README is a quick introduction to Fail2ban. More documentation, FAQ, HOWTOs
documentation, FAQ, HOWTOs are available on the project are available on the project website: http://www.fail2ban.org
website: http://www.fail2ban.org
Installation: Installation:
------------- -------------
@ -32,33 +30,32 @@ To install, just do:
> cd fail2ban-0.8.4 > cd fail2ban-0.8.4
> python setup.py install > python setup.py install
This will install Fail2Ban into /usr/share/fail2ban. The This will install Fail2Ban into /usr/share/fail2ban. The executable scripts are
executable scripts are placed into /usr/bin. placed into /usr/bin.
It is possible that Fail2ban is already packaged for your It is possible that Fail2ban is already packaged for your distribution. In this
distribution. In this case, you should use it. case, you should use it.
Fail2Ban should be correctly installed now. Just type: Fail2Ban should be correctly installed now. Just type:
> fail2ban-client -h > fail2ban-client -h
to see if everything is alright. You should always use to see if everything is alright. You should always use fail2ban-client and never
fail2ban-client and never call fail2ban-server directly. call fail2ban-server directly.
Configuration: Configuration:
-------------- --------------
You can configure Fail2ban using the files in /etc/fail2ban. You can configure Fail2ban using the files in /etc/fail2ban. It is possible to
It is possible to configure the server using commands sent to configure the server using commands sent to it by fail2ban-client. The available
it by fail2ban-client. The available commands are described commands are described in the man page of fail2ban-client. Please refer to it or
in the man page of fail2ban-client. Please refer to it or to to the website: http://www.fail2ban.org
the website: http://www.fail2ban.org
Contact: Contact:
-------- --------
You need some new features, you found bugs or you just You need some new features, you found bugs or you just appreciate this program,
appreciate this program, you can contact me at: you can contact me at:
Website: http://www.fail2ban.org Website: http://www.fail2ban.org
@ -67,34 +64,27 @@ Cyril Jaquier: <cyril.jaquier@fail2ban.org>
Thanks: Thanks:
------- -------
Kévin Drapel, Marvin Rouge, Sireyessire, Robert Edeker, Kévin Drapel, Marvin Rouge, Sireyessire, Robert Edeker, Tom Pike, Iain Lea,
Tom Pike, Iain Lea, Andrey G. Grozin, Yaroslav Halchenko, Andrey G. Grozin, Yaroslav Halchenko, Jonathan Kamens, Stephen Gildea, Markus
Jonathan Kamens, Stephen Gildea, Markus Hoffmann, Mark Hoffmann, Mark Edgington, Patrick Börjesson, kojiro, zugeschmiert, Tyler, Nick
Edgington, Patrick Börjesson, kojiro, zugeschmiert, Tyler, Munger, Christoph Haas, Justin Shore, Joël Bertrand, René Berber, mEDI, Axel
Nick Munger, Christoph Haas, Justin Shore, Joël Bertrand, Thimm, Eric Gerbier, Christian Rauch, Michael C. Haller, Jonathan Underwood,
René Berber, mEDI, Axel Thimm, Eric Gerbier, Christian Rauch, Hanno 'Rince' Wagner, Daniel B. Cid, David Nutter, Raphaël Marichez, Guillaume
Michael C. Haller, Jonathan Underwood, Hanno 'Rince' Wagner, Delvit, Vaclav Misek, Adrien Clerc, Michael Hanselmann, Vincent Deffontaines,
Daniel B. Cid, David Nutter, Raphaël Marichez, Guillaume Bill Heaton, Russell Odom, Christos Psonis and many others.
Delvit, Vaclav Misek, Adrien Clerc, Michael Hanselmann,
Vincent Deffontaines, Bill Heaton, Russell Odom and many
others.
License: License:
-------- --------
Fail2Ban is free software; you can redistribute it Fail2Ban is free software; you can redistribute it and/or modify it under the
and/or modify it under the terms of the GNU General Public terms of the GNU General Public License as published by the Free Software
License as published by the Free Software Foundation; either Foundation; either version 2 of the License, or (at your option) any later
version 2 of the License, or (at your option) any later
version. version.
Fail2Ban is distributed in the hope that it will be Fail2Ban is distributed in the hope that it will be useful, but WITHOUT ANY
useful, but WITHOUT ANY WARRANTY; without even the implied WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PARTICULAR PURPOSE. See the GNU General Public License for more details.
PURPOSE. See the GNU General Public License for more
details.
You should have received a copy of the GNU General Public You should have received a copy of the GNU General Public License along with
License along with Fail2Ban; if not, write to the Free Fail2Ban; if not, write to the Free Software Foundation, Inc., 59 Temple Place,
Software Foundation, Inc., 59 Temple Place, Suite 330, Suite 330, Boston, MA 02111-1307 USA
Boston, MA 02111-1307 USA

36
TODO
View File

@ -1,11 +1,11 @@
__ _ _ ___ _ __ _ _ ___ _
/ _|__ _(_) |_ ) |__ __ _ _ _ / _|__ _(_) |_ ) |__ __ _ _ _
| _/ _` | | |/ /| '_ \/ _` | ' \ | _/ _` | | |/ /| '_ \/ _` | ' \
|_| \__,_|_|_/___|_.__/\__,_|_||_| |_| \__,_|_|_/___|_.__/\__,_|_||_|
============================================================= ================================================================================
ToDo $Revision: 653 $ ToDo $Revision$
============================================================= ================================================================================
Legend: Legend:
- not yet done - not yet done
@ -15,26 +15,24 @@ Legend:
- Removed relative imports - Removed relative imports
- Cleanup fail2ban-client and fail2ban-server. Move code to - Cleanup fail2ban-client and fail2ban-server. Move code to server/ and client/
server/ and client/
- Add timeout to external commands (signal alarm, watchdog - Add timeout to external commands (signal alarm, watchdog thread, etc)
thread, etc)
- New backend: pyinotify - New backend: pyinotify
- Uniformize filters and actions name. Use the software name - Uniformize filters and actions name. Use the software name (openssh, postfix,
(openssh, postfix, proftp) proftp)
- Added <USER> tag for failregex. Add features using this - Added <USER> tag for failregex. Add features using this information. Maybe add
information. Maybe add more tags more tags
- Look at the memory consumption. Decrease memory usage - Look at the memory consumption. Decrease memory usage
- More detailed statistics - More detailed statistics
- Auto-enable function (search for log files), check - Auto-enable function (search for log files), check modification date to see if
modification date to see if service is still in use service is still in use
- Improve parsing of the action parameters in jailreader.py - Improve parsing of the action parameters in jailreader.py
@ -44,8 +42,8 @@ Legend:
- Multiline log reading - Multiline log reading
- Improve execution of action. Why does subprocess.call - Improve execution of action. Why does subprocess.call deadlock with
deadlock with multi-jails? multi-jails?
# see Feature Request Tracking System at SourceForge.net # see Feature Request Tracking System at SourceForge.net

57
config/action.d/ipfilter.conf Normal file
View File

@ -0,0 +1,57 @@
# Fail2Ban configuration file
#
# NetBSD ipfilter (ipf command) ban/unban
#
# Author: Ed Ravin <eravin@panix.com>
#
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
# enable IPF if not already enabled
actionstart = /sbin/ipf -E
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
# don't disable IPF with "/sbin/ipf -D", there may be other filters in use
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = echo block in quick from <ip>/32 | /sbin/ipf -f -
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
# note -r option used to remove matching rule
actionunban = echo block in quick from <ip>/32 | /sbin/ipf -r -f -
[Init]

2
config/filter.d/apache-auth.conf
View File

@ -11,7 +11,7 @@
# Notes.: regex to match the password failure messages in the logfile. The # Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = [[]client <HOST>[]] user .* authentication failure failregex = [[]client <HOST>[]] user .* authentication failure

2
config/filter.d/apache-noscript.conf
View File

@ -11,7 +11,7 @@
# Notes.: regex to match the password failure messages in the logfile. The # Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl) failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)

2
config/filter.d/common.conf
View File

@ -3,7 +3,7 @@
# #
# Author: Yaroslav Halchenko # Author: Yaroslav Halchenko
# #
# $Revision: $ # $Revision$
# #
[INCLUDES] [INCLUDES]

2
config/filter.d/courierlogin.conf
View File

@ -12,7 +12,7 @@
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$ failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$

2
config/filter.d/couriersmtp.conf
View File

@ -11,7 +11,7 @@
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = error,relay=<HOST>,.*550 User unknown failregex = error,relay=<HOST>,.*550 User unknown

26
config/filter.d/cyrus-imap.conf Normal file
View File

@ -0,0 +1,26 @@
# Fail2Ban configuration file
#
# Author: Jan Wagner <waja@cyconet.org>
#
# $Revision$
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = : badlogin: .*\[<HOST>\] plaintext .*SASL\(-13\): authentication failure: checkpass failed$
: badlogin: .*\[<HOST>\] LOGIN \[SASL\(-13\): authentication failure: checkpass failed\]$
: badlogin: .*\[<HOST>\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): authentication failure: incorrect (?:digest|NTLM) response\]$
: badlogin: .*\[<HOST>\] DIGEST-MD5 \[SASL\(-13\): authentication failure: client response doesn't match what we generated\]$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

2
config/filter.d/exim.conf
View File

@ -11,7 +11,7 @@
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address) failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address)

2
config/filter.d/named-refused.conf
View File

@ -26,7 +26,7 @@ __line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
# Notes.: regex to match the password failures messages in the logfile. # Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT # Values: TEXT
# #
failregex = %(__line_prefix)sclient <HOST>#\S+: query(?: \(cache\))? '.*' denied\s*$ failregex = %(__line_prefix)sclient <HOST>#.+: query(?: \(cache\))? '.*' denied\s*$
# Option: ignoreregex # Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored. # Notes.: regex to ignore. If this regex matches, the line is ignored.

2
config/filter.d/postfix.conf
View File

@ -11,7 +11,7 @@
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = reject: RCPT from (.*)\[<HOST>\]: 554 failregex = reject: RCPT from (.*)\[<HOST>\]: 554

2
config/filter.d/proftpd.conf
View File

@ -11,7 +11,7 @@
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$ failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$

2
config/filter.d/pure-ftpd.conf
View File

@ -16,7 +16,7 @@ __errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'ut
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$ failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$

2
config/filter.d/qmail.conf
View File

@ -11,7 +11,7 @@
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = (?:[\d,.]+[\d,.] rblsmtpd: |421 badiprbl: ip )<HOST> failregex = (?:[\d,.]+[\d,.] rblsmtpd: |421 badiprbl: ip )<HOST>

4
config/filter.d/sasl.conf
View File

@ -11,10 +11,10 @@
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$ failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
# Option: ignoreregex # Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored. # Notes.: regex to ignore. If this regex matches, the line is ignored.

22
config/filter.d/sieve.conf Normal file
View File

@ -0,0 +1,22 @@
# Fail2Ban configuration file
#
# Author: Jan Wagner <waja@cyconet.org>
#
# $Revision$
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching.
# Values: TEXT
#
failregex = : badlogin: .*\[<HOST>\] (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failure$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

2
config/filter.d/sshd-ddos.conf
View File

@ -11,7 +11,7 @@
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$ failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$

2
config/filter.d/sshd.conf
View File

@ -20,7 +20,7 @@ _daemon = sshd
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$ failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$

2
config/filter.d/vsftpd.conf
View File

@ -11,7 +11,7 @@
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$ failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$

2
config/filter.d/webmin-auth.conf
View File

@ -15,7 +15,7 @@
# Notes.: regex to match the password failure messages in the logfile. The # Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
failregex = webmin.* Non-existent login as .+ from <HOST>$ failregex = webmin.* Non-existent login as .+ from <HOST>$

2
config/filter.d/xinetd-fail.conf
View File

@ -11,7 +11,7 @@
# Notes.: regex to match the password failures messages in the logfile. The # Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can # host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for # be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT # Values: TEXT
# #
# Cfr.: /var/log/(daemon\.|sys)log # Cfr.: /var/log/(daemon\.|sys)log

106
files/nagios/check_fail2ban Normal file
View File

@ -0,0 +1,106 @@
#!/bin/bash
#
# Usage: ./check_fail2ban
###############################################################################################
# Description:
# This plugin will check the status of Fail2ban.
#
# Created: 2008-10-25 (Sebastian Mueller)
#
# Changes: 2008-10-26 fixed some issues (Sebastian Mueller)
# Changes: 2009-01-25 add the second check, when server is not replying and the
# process is hang-up (Sebastian Mueller)
#
# please visit my website http://www.elchtest.eu or my personal WIKI http://wiki.elchtest.eu
#
################################################################################################
# if you have any questions, send a mail to linux@krabbe-offline.de
#
# this script is for my personal use. read the script before running/using it!!!
#
#
# YOU HAVE BEEN WARNED. THIS MAY DESTROY YOUR MACHINE. I ACCEPT NO RESPONSIBILITY.
###############################################################################################
SECOND_CHECK=0
STATE_OK=0
STATE_CRITICAL=2
######################################################################
# Read the Status from fail2ban-client
######################################################################
check_processes_fail2ban()
{
F2B=`sudo -u root fail2ban-client ping | awk -F " " '{print $3}'`
exit_fail2ban=0
if [[ $F2B = "pong" ]]; then
exit_fail2ban=$STATE_OK
else
exit_fail2ban=$STATE_CRITICAL
fi
}
######################################################################
# first check in the Background, PID will be killed when no response
# after 10 seconds, might be possible, otherwise the scipt will be
# pressent in your memory all the time
#
######################################################################
check_processes_fail2ban &
pid=$!
typeset -i i=0
while ps $pid >/dev/null
do
sleep 1
i=$i+1
if [ $i -ge 10 ]
then
kill $pid
SECOND_CHECK=1
exit_fail2ban=$STATE_CRITICAL
break
fi
done
######################################################################
# when the Server response (doesent mean the FAIL2BAN is working)
# in the first step, then it will run again and test the Service
# and provide the real status
######################################################################
if [ $SECOND_CHECK -eq 0 ]; then
check_processes_fail2ban
elif [ $SECOND_CHECK -eq 1 ]; then
exit_fail2ban=$STATE_CRITICAL
fi
######################################################################
# Mainmenu
######################################################################
final_exit=$exit_fail2ban
if [ $final_exit -eq 0 ]; then
echo "SYSTEM OK - Fail2ban is working normaly"
exitstatus=$STATE_OK
elif [ $final_exit -ne "0" ]; then
echo "SYSTEM WARNING - Fail2Ban is not working"
######################################################################
# If don't have a Nagios Server for monitoring, remove the comment and
# add your Mail Addres. You can check it with a Cron Job once a hour.
# put a txt file on your server and describe how to fix the issue, this
# could be attached to the mail.
######################################################################
# mutt -s "FAIL2BAN NOT WORKING" your@email.com < /home/f2ban.txt
exitstatus=$STATE_CRITICAL
fi
exit $exitstatus

18
files/nagios/f2ban.txt Normal file
View File

@ -0,0 +1,18 @@
It seems that Fail2ban is currently not working, please login and check
HELP:
1.) stop the Service
/etc/init.d/fail2ban stop
2.) delete the socket if avalible
rm /tmp/fail2ban.sock
3.) start the Service
/etc/init.d/fail2ban start
4.) check if fail2ban is working
fail2ban-client ping
Answer should be "pong"
5.) if the answer is not "pong" run away or CRY FOR HELP ;-)

7
files/suse-initd
View File

@ -35,6 +35,13 @@ rc_reset
case "$1" in case "$1" in
start) start)
echo -n "Starting Fail2Ban " echo -n "Starting Fail2Ban "
# a cleanup workaround, since /etc/init.d/boot.local removes only.
# regular files, and not sockets
if test -e $FAIL2BAN_SOCKET; then
if ! lsof -n $FAIL2BAN_SOCKET &>/dev/null; then
rm $FAIL2BAN_SOCKET
fi
fi
/sbin/startproc $FAIL2BAN_BIN start &>/dev/null /sbin/startproc $FAIL2BAN_BIN start &>/dev/null
rc_status -v rc_status -v
;; ;;

6
server/datedetector.py
View File

@ -77,6 +77,12 @@ class DateDetector:
template.setRegex("\d{2}/\S{3}/\d{4}:\d{2}:\d{2}:\d{2}") template.setRegex("\d{2}/\S{3}/\d{4}:\d{2}:\d{2}:\d{2}")
template.setPattern("%d/%b/%Y:%H:%M:%S") template.setPattern("%d/%b/%Y:%H:%M:%S")
self.__templates.append(template) self.__templates.append(template)
# CPanel 05/20/2008:01:57:39
template = DateStrptime()
template.setName("Month/Day/Year:Hour:Minute:Second")
template.setRegex("\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}")
template.setPattern("%m/%d/%Y:%H:%M:%S")
self.__templates.append(template)
# Exim 2006-12-21 06:43:20 # Exim 2006-12-21 06:43:20
template = DateStrptime() template = DateStrptime()
template.setName("Year-Month-Day Hour:Minute:Second") template.setName("Year-Month-Day Hour:Minute:Second")

5
server/datetemplate.py
View File

@ -132,7 +132,7 @@ class DateStrptime(DateTemplate):
conv = self.convertLocale(dateMatch.group()) conv = self.convertLocale(dateMatch.group())
try: try:
date = list(time.strptime(conv, self.getPattern())) date = list(time.strptime(conv, self.getPattern()))
except ValueError: except ValueError, e:
# Try to add the current year to the pattern. Should fix # Try to add the current year to the pattern. Should fix
# the "Feb 29" issue. # the "Feb 29" issue.
conv += " %s" % MyTime.gmtime()[0] conv += " %s" % MyTime.gmtime()[0]
@ -187,6 +187,5 @@ class DateISO8601(DateTemplate):
if dateMatch: if dateMatch:
# Parses the date. # Parses the date.
value = dateMatch.group() value = dateMatch.group()
print value date = list(iso8601.parse_date(value).timetuple())
date = list(iso8601.parse_date(value).utctimetuple())
return date return date

8
server/faildata.py
View File

@ -34,6 +34,7 @@ class FailData:
def __init__(self): def __init__(self):
self.__retry = 0 self.__retry = 0
self.__lastTime = 0 self.__lastTime = 0
self.__lastReset = 0
def setRetry(self, value): def setRetry(self, value):
self.__retry = value self.__retry = value
@ -50,4 +51,9 @@ class FailData:
def getLastTime(self): def getLastTime(self):
return self.__lastTime return self.__lastTime
def getLastReset(self):
return self.__lastReset
def setLastReset(self, value):
self.__lastReset = value

4
server/failmanager.py
View File

@ -90,11 +90,15 @@ class FailManager:
unixTime = ticket.getTime() unixTime = ticket.getTime()
if self.__failList.has_key(ip): if self.__failList.has_key(ip):
fData = self.__failList[ip] fData = self.__failList[ip]
if fData.getLastReset() < unixTime - self.__maxTime:
fData.setLastReset(unixTime)
fData.setRetry(0)
fData.inc() fData.inc()
fData.setLastTime(unixTime) fData.setLastTime(unixTime)
else: else:
fData = FailData() fData = FailData()
fData.inc() fData.inc()
fData.setLastReset(unixTime)
fData.setLastTime(unixTime) fData.setLastTime(unixTime)
self.__failList[ip] = fData self.__failList[ip] = fData
self.__failTotal += 1 self.__failTotal += 1

2
server/filter.py
View File

@ -492,7 +492,7 @@ import socket, struct
class DNSUtils: class DNSUtils:
IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3}$") IP_CRE = re.compile("^(?:\d{1,3}\.){3}\d{1,3}$")
#@staticmethod #@staticmethod
def dnsToIp(dns): def dnsToIp(dns):

16
testcases/failmanagertestcase.py
View File

@ -39,7 +39,12 @@ class AddFailure(unittest.TestCase):
['193.168.0.128', 1167605999.0], ['193.168.0.128', 1167605999.0],
['87.142.124.10', 1167605999.0], ['87.142.124.10', 1167605999.0],
['87.142.124.10', 1167605999.0], ['87.142.124.10', 1167605999.0],
['87.142.124.10', 1167605999.0]] ['87.142.124.10', 1167605999.0],
['100.100.10.10', 1000000000.0],
['100.100.10.10', 1000000500.0],
['100.100.10.10', 1000001000.0],
['100.100.10.10', 1000001500.0],
['100.100.10.10', 1000002000.0]]
self.__failManager = FailManager() self.__failManager = FailManager()
for i in self.__items: for i in self.__items:
@ -49,7 +54,7 @@ class AddFailure(unittest.TestCase):
"""Call after every test case.""" """Call after every test case."""
def testAdd(self): def testAdd(self):
self.assertEqual(self.__failManager.size(), 2) self.assertEqual(self.__failManager.size(), 3)
def _testDel(self): def _testDel(self):
self.__failManager.delFailure('193.168.0.128') self.__failManager.delFailure('193.168.0.128')
@ -76,3 +81,10 @@ class AddFailure(unittest.TestCase):
def testbanNOK(self): def testbanNOK(self):
self.__failManager.setMaxRetry(10) self.__failManager.setMaxRetry(10)
self.assertRaises(FailManagerEmpty, self.__failManager.toBan) self.assertRaises(FailManagerEmpty, self.__failManager.toBan)
def testWindow(self):
ticket = self.__failManager.toBan()
self.assertNotEqual(ticket.getIP(), "100.100.10.10")
ticket = self.__failManager.toBan()
self.assertNotEqual(ticket.getIP(), "100.100.10.10")
self.assertRaises(FailManagerEmpty, self.__failManager.toBan)

8
testcases/filtertestcase.py
View File

@ -99,7 +99,7 @@ class GetFailures(unittest.TestCase):
output = ('193.168.0.128', 3, 1124013599.0) output = ('193.168.0.128', 3, 1124013599.0)
self.__filter.addLogPath(GetFailures.FILENAME_01) self.__filter.addLogPath(GetFailures.FILENAME_01)
self.__filter.addFailRegex("(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S*)") self.__filter.addFailRegex("(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) <HOST>")
self.__filter.getFailures(GetFailures.FILENAME_01) self.__filter.getFailures(GetFailures.FILENAME_01)
@ -116,7 +116,7 @@ class GetFailures(unittest.TestCase):
output = ('141.3.81.106', 4, 1124013539.0) output = ('141.3.81.106', 4, 1124013539.0)
self.__filter.addLogPath(GetFailures.FILENAME_02) self.__filter.addLogPath(GetFailures.FILENAME_02)
self.__filter.addFailRegex("Failed .* (?:::f{4,6}:)(?P<host>\S*)") self.__filter.addFailRegex("Failed .* from <HOST>")
self.__filter.getFailures(GetFailures.FILENAME_02) self.__filter.getFailures(GetFailures.FILENAME_02)
@ -133,7 +133,7 @@ class GetFailures(unittest.TestCase):
output = ('203.162.223.135', 6, 1124013544.0) output = ('203.162.223.135', 6, 1124013544.0)
self.__filter.addLogPath(GetFailures.FILENAME_03) self.__filter.addLogPath(GetFailures.FILENAME_03)
self.__filter.addFailRegex("error,relay=(?:::f{4,6}:)?(?P<host>\S*),.*550 User unknown") self.__filter.addFailRegex("error,relay=<HOST>,.*550 User unknown")
self.__filter.getFailures(GetFailures.FILENAME_03) self.__filter.getFailures(GetFailures.FILENAME_03)
@ -151,7 +151,7 @@ class GetFailures(unittest.TestCase):
('212.41.96.185', 4, 1124013598.0)] ('212.41.96.185', 4, 1124013598.0)]
self.__filter.addLogPath(GetFailures.FILENAME_04) self.__filter.addLogPath(GetFailures.FILENAME_04)
self.__filter.addFailRegex("Invalid user .* (?P<host>\S*)") self.__filter.addFailRegex("Invalid user .* <HOST>")
self.__filter.getFailures(GetFailures.FILENAME_04) self.__filter.getFailures(GetFailures.FILENAME_04)