From c2bb3253ad3266d9e86eea549333befcd5205b95 Mon Sep 17 00:00:00 2001 From: TorontoMedia Date: Thu, 1 Jan 2015 05:27:18 -0500 Subject: [PATCH 1/9] Update ChangeLog --- ChangeLog | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index df52d48f..cc37ee9f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -317,7 +317,7 @@ some obscure corner of the Internet. Many thanks to our contributors for this release Daniel Black, Yaroslav Halchenko, Steven Hiscocks, Mark McKinstry, Andy Fragen, Orion Poplawski, Alexander Dietrich, JP Espinosa, Jamyn Shanley, Beau Raines, François -Boulogne and others who have helped on IRC and mailing list, logged issues +Boulogne, Donald Yandt and others who have helped on IRC and mailing list, logged issues and bug requests. - IMPORTANT incompatible changes: @@ -422,7 +422,8 @@ and bug requests. * filter.d/uwimap-auth - filter for uwimap-auth IMAP/POP server Steven Hiscocks and Daniel Black * filter.d/selinux-{common,ssh} -- add SELinux date and ssh filter - + Donald Yandt + * action.d/firewallcmd-{multiport,allports}.conf --added two new actions - Enhancements: François Boulogne and Frédéric * filter.d/lighttpd - auth regexs for lighttpd-1.4.31 From 591e44475347845e6c27cada89bb3225f075563f Mon Sep 17 00:00:00 2001 From: TorontoMedia Date: Thu, 1 Jan 2015 05:32:06 -0500 Subject: [PATCH 2/9] Create firewallcmd-allports.conf --- config/action.d/firewallcmd-allports.conf | 52 +++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 config/action.d/firewallcmd-allports.conf diff --git a/config/action.d/firewallcmd-allports.conf b/config/action.d/firewallcmd-allports.conf new file mode 100644 index 00000000..a478f25c --- /dev/null +++ b/config/action.d/firewallcmd-allports.conf 
@@ -0,0 +1,52 @@ +# Fail2Ban configuration file +# +# Author: Donald Yandt +# Because of the --remove-rules in stop this action requires firewalld-0.3.8+ + + +[INCLUDES] + +before = iptables-blocktype.conf + +actionstart = firewall-cmd --direct --add-chain ipv4 filter f2b- + firewall-cmd --direct --add-rule ipv4 filter f2b- 1000 -j RETURN + firewall-cmd --direct --add-rule ipv4 filter 0 -j f2b- + +actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -j f2b- + firewall-cmd --direct --remove-rules ipv4 filter f2b- + firewall-cmd --direct --remove-chain ipv4 filter f2b- + + +# Note: uses regular expression word boundaries '\b' +# Example actioncheck: firewall-cmd --direct --get-chains ipv4 filter | grep -q '\bf2b-recidive\b' + +actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q '\bf2b-\b' + +actionban = firewall-cmd --direct --add-rule ipv4 filter f2b- 0 -s -j + +actionunban = firewall-cmd --direct --remove-rule ipv4 filter f2b- 0 -s -j + +[Init] + +# Default name of the chain +# +name = default + +chain = INPUT_direct + +# DEV NOTES: +# +# Author: Donald Yandt +# Uses "FirewallD" instead of the "iptables daemon". +# +# +# Output: + +# actionstart: +# $ firewall-cmd --direct --add-chain ipv4 filter f2b-recidive +# success +# $ firewall-cmd --direct --add-rule ipv4 filter f2b-recidive 1000 -j RETURN +# success +# $ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -j f2b-recidive +# success + From 50e5fd9ed71164aa545a4757cd72ded5c5aa86d4 Mon Sep 17 00:00:00 2001 From: TorontoMedia Date: Thu, 1 Jan 2015 05:32:41 -0500 Subject: [PATCH 3/9] Create firewallcmd-multiport.conf --- config/action.d/firewallcmd-multiport.conf | 61 ++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 config/action.d/firewallcmd-multiport.conf diff --git a/config/action.d/firewallcmd-multiport.conf b/config/action.d/firewallcmd-multiport.conf new file mode 100644 index 00000000..5f800423 --- /dev/null 
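Review bot: The `actionstart`, `actionstop`, `actioncheck`, `actionban` and `actionunban` keys of the new firewallcmd-allports.conf sit directly under `[INCLUDES]` with no `[Definition]` header, unlike the sibling firewallcmd-multiport.conf in this series; fail2ban reads an action's commands from `[Definition]`, so as written the action would load with no commands. Insert `[Definition]` on its own line between `before = iptables-blocktype.conf` and `actionstart = ...`. The `<name>`, `<ip>` and `<blocktype>` tags after `f2b-`, `-s` and `-j` appear to have been lost in this rendering of the patch, so their absence is not treated as a defect. Note also that `actioncheck`'s `'\bf2b-<name>\b'` matches a prefix of another jail's chain (`f2b-sshd` inside `f2b-sshd-ddos`), giving a false "chain present" answer so that a later `actionban` targets a chain that does not exist; PATCH 6/9 revises this check, but see my note there.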
+++ b/config/action.d/firewallcmd-multiport.conf @@ -0,0 +1,61 @@ +# Fail2Ban configuration file +# +# Author: Donald Yandt +# Because of the --remove-rules in stop this action requires firewalld-0.3.8+ + +[INCLUDES] + +before = iptables-blocktype.conf + +[Definition] + +actionstart = firewall-cmd --direct --add-chain ipv4 filter f2b- + firewall-cmd --direct --add-rule ipv4 filter f2b- 1000 -j RETURN + firewall-cmd --direct --add-rule ipv4 filter 0 -m state --state NEW -p -m multiport --dports -j f2b- + +actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -m state --state NEW -p -m multiport --dports -j f2b- + firewall-cmd --direct --remove-rules ipv4 filter f2b- + firewall-cmd --direct --remove-chain ipv4 filter f2b- + +# Note: uses regular expression word boundaries '\b' +# Example actioncheck: firewall-cmd --direct --get-chains ipv4 filter | grep -q '\bf2b-apache-modsecurity\b' +actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q '\bf2b-\b' + +actionban = firewall-cmd --direct --add-rule ipv4 filter f2b- 0 -s -j + +actionunban = firewall-cmd --direct --remove-rule ipv4 filter f2b- 0 -s -j + +[Init] + +# Default name of the chain +name = default + +chain = INPUT_direct + +port = 1:65535 + +# Option: protocol +# Values: [ tcp | udp | icmp | all ] + +protocol = tcp + + + +# DEV NOTES: +# +# Author: Donald Yandt +# Uses "FirewallD" instead of the "iptables daemon". +# +# +# Output: +# actionstart: +# $ firewall-cmd --direct --add-chain ipv4 filter f2b-apache-modsecurity +# success +# $ firewall-cmd --direct --add-rule ipv4 filter f2b-apache-modsecurity 1000 -j RETURN +# success +# $ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -m state --state NEW -p tcp -m multiport --dports 80,443 -j f2b-apache-modsecurity +# success +# actioncheck: +# $ firewall-cmd --direct --get-chains ipv4 filter f2b-apache-modsecurity | grep -q '\bf2b-apache-modsecurity\b' +# f2b-apache-modsecurity + 
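Review bot: The `protocol` option under `[Init]` documents `[ tcp | udp | icmp | all ]` as allowed values, but the actionstart/actionstop rules combine `-p <protocol>` with `-m multiport --dports <port>`, and the iptables multiport match only accepts tcp, udp, udplite, sctp or dccp, so `icmp` or `all` makes the rule insertion fail and actionstart error out. Either narrow the documented list to `# Values: [ tcp | udp ]` or add `# -m multiport requires a port-carrying protocol (tcp/udp); icmp and all are rejected` above it. The `<name>`, `<ip>`, `<protocol>`, `<port>` and `<blocktype>` tags look stripped in this rendering, so their absence is not treated as a defect. The three blank lines before `# DEV NOTES:` and the blank line between `# Output:` and `# actionstart:` are style only; one blank line each would match the rest of the file.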
From 1dfd9941df3fd0e278de20b6fdf2ee1aec87af8b Mon Sep 17 00:00:00 2001 From: TorontoMedia Date: Thu, 1 Jan 2015 05:33:20 -0500 Subject: [PATCH 4/9] Update THANKS --- THANKS | 1 + 1 file changed, 1 insertion(+) diff --git a/THANKS b/THANKS index 61e99466..1185f6b9 100644 --- a/THANKS +++ b/THANKS @@ -33,6 +33,7 @@ Daniel B. Daniel Black David Nutter Derek Atkins +Donald Yandt Eric Gerbier Enrico Labedzki Eugene Hopkinson (SlowRiot) From a47001ea0ea7b6f3d2a5b1aa9cef13022deb86a0 Mon Sep 17 00:00:00 2001 From: TorontoMedia Date: Thu, 1 Jan 2015 12:41:31 -0500 Subject: [PATCH 5/9] Updated ChangeLog --- ChangeLog | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index cc37ee9f..b5593554 100644 --- a/ChangeLog +++ b/ChangeLog @@ -30,6 +30,9 @@ ver. 0.9.2 (2014/XX/XXX) - wanna-be-released (opposite to simply set failregex/ignoreregex that overwrites it), see gh-867. - Monit config for fail2ban in /files/monit + - New actions: + - action.d/firewallcmd-multiport Thanks Donald Yandt + - action.d/firewallcmd-multiport Thanks Donald Yandt - Enhancements: * Enable multiport for firewallcmd-new action. Closes gh-834 @@ -422,8 +425,7 @@ and bug requests. * filter.d/uwimap-auth - filter for uwimap-auth IMAP/POP server Steven Hiscocks and Daniel Black * filter.d/selinux-{common,ssh} -- add SELinux date and ssh filter - Donald Yandt - * action.d/firewallcmd-{multiport,allports}.conf --added two new actions + - Enhancements: François Boulogne and Frédéric * filter.d/lighttpd - auth regexs for lighttpd-1.4.31 From 9f91cb2fd8bcbbfb4b8892cce527519ceb6a54c2 Mon Sep 17 00:00:00 2001 From: TorontoMedia Date: Thu, 1 Jan 2015 12:44:34 -0500 Subject: [PATCH 6/9] Created firewallcmd-allports --- config/action.d/firewallcmd-allports.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/action.d/firewallcmd-allports.conf b/config/action.d/firewallcmd-allports.conf index a478f25c..c0c378a4 100644 
--- a/config/action.d/firewallcmd-allports.conf +++ b/config/action.d/firewallcmd-allports.conf @@ -17,10 +17,10 @@ actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -j f2b- -# Note: uses regular expression word boundaries '\b' -# Example actioncheck: firewall-cmd --direct --get-chains ipv4 filter | grep -q '\bf2b-recidive\b' +# Note: uses regular expression whitespaces '\s' & end of line '$' +# Example actioncheck: firewall-cmd --direct --get-chains ipv4 filter | grep -q '\sf2b-recidive$' -actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q '\bf2b-\b' +actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q '\sf2b-$' actionban = firewall-cmd --direct --add-rule ipv4 filter f2b- 0 -s -j From 7eed55266b7fac7c997a06d6770491bc0aabedd2 Mon Sep 17 00:00:00 2001 From: TorontoMedia Date: Thu, 1 Jan 2015 12:46:48 -0500 Subject: [PATCH 7/9] Created firewallcmd-multiport --- config/action.d/firewallcmd-multiport.conf | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/config/action.d/firewallcmd-multiport.conf b/config/action.d/firewallcmd-multiport.conf index 5f800423..da73f9f1 100644 --- a/config/action.d/firewallcmd-multiport.conf +++ b/config/action.d/firewallcmd-multiport.conf 
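Review bot: The new check `grep -q '\sf2b-<name>$'` requires whitespace before the chain name and end-of-line right after it, but `firewall-cmd --direct --get-chains ipv4 filter` prints, as far as I know, every chain on one space-separated line, so the first chain never matches (no leading whitespace) and only the last one is at end-of-line. With two or more jails using these actions the check then fails for most of them on every ban; fail2ban's 0.9 CommandAction (if I recall it correctly) reacts to a failed actioncheck by running actionstop and actionstart before the ban, and because actionstop uses `--remove-rules` that silently drops the jail's existing bans each time, i.e. the firewall fails open. Splitting the output into one chain per line and anchoring both ends avoids both problems: `actioncheck = firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-<name>$'`. The same change in the first hunk of firewallcmd-multiport.conf in PATCH 7/9 has the same defect; the `<name>` tag after `f2b-` appears stripped in this rendering of the patch.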
@@ -17,9 +17,10 @@ actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -m state firewall-cmd --direct --remove-rules ipv4 filter f2b- firewall-cmd --direct --remove-chain ipv4 filter f2b- -# Note: uses regular expression word boundaries '\b' -# Example actioncheck: firewall-cmd --direct --get-chains ipv4 filter | grep -q '\bf2b-apache-modsecurity\b' -actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q '\bf2b-\b' +# Note: uses regular expression whitespaces '\s' & end of line '$' +# Example actioncheck: firewall-cmd --direct --get-chains ipv4 filter | grep -q '\sf2b-apache-modsecurity$' + +actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q '\sf2b-$' actionban = firewall-cmd --direct --add-rule ipv4 filter f2b- 0 -s -j @@ -32,8 +33,10 @@ name = default chain = INPUT_direct +# Could also use port numbers separated by a comma. port = 1:65535 + # Option: protocol # Values: [ tcp | udp | icmp | all ] @@ -56,6 +59,6 @@ protocol = tcp # $ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -m state --state NEW -p tcp -m multiport --dports 80,443 -j f2b-apache-modsecurity # success # actioncheck: -# $ firewall-cmd --direct --get-chains ipv4 filter f2b-apache-modsecurity | grep -q '\bf2b-apache-modsecurity\b' +# $ firewall-cmd --direct --get-chains ipv4 filter f2b-apache-modsecurity | grep -q '\sf2b-apache-modsecurity$' # f2b-apache-modsecurity From 948eec64252ecf7169fd9d282e05a9ad247530d5 Mon Sep 17 00:00:00 2001 From: TorontoMedia Date: Thu, 1 Jan 2015 12:56:17 -0500 Subject: [PATCH 8/9] Upd --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index b5593554..d3e42ada 100644 --- a/ChangeLog +++ b/ChangeLog 
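Review bot: The updated `actioncheck:` example in the DEV NOTES of firewallcmd-multiport.conf (third hunk) is misleading on two counts: it passes a chain name as an extra argument to `--get-chains`, which only takes the ipv and table, and it shows `grep -q` printing `f2b-apache-modsecurity`, which `-q` suppresses by definition. Reword it as `# $ firewall-cmd --direct --get-chains ipv4 filter` followed by `# f2b-apache-modsecurity` and a line such as `# actioncheck only uses grep's exit status (0 = chain present)`. The first hunk's new `'\sf2b-<name>$'` regex shares the whitespace/end-of-line anchoring problem I raised on the firewallcmd-allports.conf hunk in PATCH 6/9, so I do not repeat it here.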
@@ -320,7 +320,7 @@ some obscure corner of the Internet. Many thanks to our contributors for this release Daniel Black, Yaroslav Halchenko, Steven Hiscocks, Mark McKinstry, Andy Fragen, Orion Poplawski, Alexander Dietrich, JP Espinosa, Jamyn Shanley, Beau Raines, François -Boulogne, Donald Yandt and others who have helped on IRC and mailing list, logged issues +Boulogne and others who have helped on IRC and mailing list, logged issues and bug requests. - IMPORTANT incompatible changes: From 74c3d5d96cd7e6406896e5024590f393e4c58493 Mon Sep 17 00:00:00 2001 From: TorontoMedia Date: Thu, 1 Jan 2015 13:26:11 -0500 Subject: [PATCH 9/9] Updated ChangeLog --- ChangeLog | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index d3e42ada..ba39d73e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,9 +31,8 @@ ver. 0.9.2 (2014/XX/XXX) - wanna-be-released see gh-867. - Monit config for fail2ban in /files/monit - New actions: - - action.d/firewallcmd-multiport Thanks Donald Yandt - - action.d/firewallcmd-multiport Thanks Donald Yandt - + - action.d/firewallcmd-multiport and action.d/firewallcmd-allports Thanks Donald Yandt + - Enhancements: * Enable multiport for firewallcmd-new action. Closes gh-834 * files/debian-initd migrated from the debian branch and should be