Merge remote-tracking branch 'upstream/master' into bf/1000-asteriskBlocksSelf

Conflicts: ChangeLog
2015-04-26 15:13:59 -04:00 · 2015-04-26 15:13:59 -04:00 · b530d88eca
parent 72f4bcfbff 878cbd008e
commit b530d88eca
7 changed files with 28 additions and 10 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -18,7 +18,7 @@ install:
  - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then travis_retry sudo apt-get install -qq python-gamin; cp /usr/share/pyshared/gamin.py /usr/lib/pyshared/python2.7/_gamin.so $VIRTUAL_ENV/lib/python2.7/site-packages/; fi
  - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then cd ..; travis_retry pip install -q coveralls; cd -; fi
  # overcome buggy pypy
-  - if [[ $TRAVIS_PYTHON_VERSION == pypy ]] ; then dpkg --compare-versions $(pypy --version 2>&1 | awk '/PyPy/{print $2;}') ge 2.5.1 || { cd /tmp; wget http://buildbot.pypy.org/nightly/trunk/pypy-c-jit-latest-linux64.tar.bz2; tar -xjvf pypy*bz2; cd pypy-*/bin/; export PATH=$PWD:$PATH; cd -; } ; fi
+  - if [[ $TRAVIS_PYTHON_VERSION == pypy ]] ; then dpkg --compare-versions $(pypy --version 2>&1 | awk '/PyPy/{print $2;}') ge 2.5.1 || { d=$PWD; cd /tmp; wget http://buildbot.pypy.org/nightly/trunk/pypy-c-jit-latest-linux64.tar.bz2; tar -xjvf pypy*bz2; cd pypy-*/bin/; export PATH=$PWD:$PATH; cd $d; } ; fi
 script:
  - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then coverage run --rcfile=.travis_coveragerc setup.py test; else python setup.py test; fi
 # test installation
--- a/5
+++ b/5
@ -40,7 +40,10 @@ ver. 0.9.2 (2014/XX/XXX) - wanna-be-released
   * firewallcmd-* actions: split output into separate lines for grepping (gh-908)
   * Guard unicode encode/decode issues while storing records in the database.
     Fixes "binding parameter error (unsupported type)" (gh-973), thanks to kot for reporting
-   * filter.d/asterisk.conf - Match hacking attempt IP instead of asterisk server IP
+   * filter.d/sshd added regex for matching openSUSE ssh authentication failure 
+   * filter.d/asterisk.conf - Dropped "Sending fake auth rejection" failregex since it incorrectly targets the asterisk server itself
+   * filter.d/asterisk.conf - Added matching "hacking attempt detected" logs
+

 - New Features:
   - New filters:
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@ -33,6 +33,7 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|erro
            ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
            ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
            ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
+            ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$

 ignoreregex = 

--- a/fail2ban/tests/files/logs/sshd
+++ b/fail2ban/tests/files/logs/sshd
@ -148,3 +148,8 @@ Apr 27 13:02:04 host sshd[29116]: User root not allowed because account is locke
 Apr 27 13:02:04 host sshd[29116]: input_userauth_request: invalid user root [preauth]
 # failJSON: { "time": "2005-04-27T13:02:04", "match": true , "host": "1.2.3.4", "desc": "No Bye-Bye" }
 Apr 27 13:02:04 host sshd[29116]: Received disconnect from 1.2.3.4: 11: Normal Shutdown, Thank you for playing [preauth]
+
+# Match sshd auth errors on OpenSUSE systems
+# failJSON: { "time": "2015-04-16T20:02:50", "match": true , "host": "222.186.21.217", "desc": "Authentication for user failed" }
+2015-04-16T18:02:50.321974+00:00 host sshd[2716]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.21.217  user=root
+
--- a/fail2ban/tests/filtertestcase.py
+++ b/fail2ban/tests/filtertestcase.py
@ -224,7 +224,7 @@ class IgnoreIP(LogCaptureTestCase):
 			self.assertTrue(self.filter.inIgnoreIPList(ip))

 	def testIgnoreIPNOK(self):
-		ipList = "", "999.999.999.999", "abcdef", "192.168.0."
+		ipList = "", "999.999.999.999", "abcdef.abcdef", "192.168.0."
 		for ip in ipList:
 			self.filter.addIgnoreIP(ip)
 			self.assertFalse(self.filter.inIgnoreIPList(ip))
@ -1023,7 +1023,8 @@ class DNSUtilsTests(unittest.TestCase):
 	def testIpToName(self):
 		res = DNSUtils.ipToName('66.249.66.1')
 		self.assertEqual(res, 'crawl-66-249-66-1.googlebot.com')
-		res = DNSUtils.ipToName('10.0.0.0')
+		# invalid ip (TEST-NET-1 according to RFC 5737)
+		res = DNSUtils.ipToName('192.0.2.0')
 		self.assertEqual(res, None)

 	def testAddr2bin(self):
--- a/fail2ban/tests/servertestcase.py
+++ b/fail2ban/tests/servertestcase.py
@ -71,19 +71,24 @@ class TransmitterBase(unittest.TestCase):
 		"""Call after every test case."""
 		self.server.quit()

-	def setGetTest(self, cmd, inValue, outValue=None, outCode=0, jail=None):
+	def setGetTest(self, cmd, inValue, outValue=None, outCode=0, jail=None, repr_=False):
 		setCmd = ["set", cmd, inValue]
 		getCmd = ["get", cmd]
 		if jail is not None:
 			setCmd.insert(1, jail)
 			getCmd.insert(1, jail)
+
 		if outValue is None:
 			outValue = inValue

-		self.assertEqual(self.transm.proceed(setCmd), (outCode, outValue))
+		def v(x):
+			"""Prepare value for comparison"""
+			return (repr(x) if repr_ else x)
+
+		self.assertEqual(v(self.transm.proceed(setCmd)), v((outCode, outValue)))
 		if not outCode:
 			# if we expected to get it set without problem, check new value
-			self.assertEqual(self.transm.proceed(getCmd), (0, outValue))
+			self.assertEqual(v(self.transm.proceed(getCmd)), v((0, outValue)))

 	def setGetTestNOK(self, cmd, inValue, jail=None):
 		setCmd = ["set", cmd, inValue]
@ -794,8 +799,11 @@ class TransmitterLogging(TransmitterBase):
 			**{True: {},    # should work on Linux
 			   False: dict( # expect to fail otherwise
 				   outCode=1,
-				   outValue=Exception('Failed to change log target'))}
-				[platform.system() in ('Linux',)])
+				   outValue=Exception('Failed to change log target'),
+				   repr_=True # Exceptions are not comparable apparently
+                                  )
+			  }[platform.system() in ('Linux',)]
+		)

 	def testLogLevel(self):
 		self.setGetTest("loglevel", "HEAVYDEBUG")
--- a/fail2ban/tests/utils.py
+++ b/fail2ban/tests/utils.py
@ -153,7 +153,7 @@ def gatherTests(regexps=None, no_network=False):
 	for file_ in os.listdir(
 		os.path.abspath(os.path.dirname(action_d.__file__))):
 		if file_.startswith("test_") and file_.endswith(".py"):
-			if no_network and file_ in ['test_badips.py']: #pragma: no cover
+			if no_network and file_ in ['test_badips.py','test_smtp.py']: #pragma: no cover
 				# Test required network
 				continue
 			tests.addTest(testloader.loadTestsFromName(