From c5ba76aab8c8604fe3a3c2f84e21a962aebd5c50 Mon Sep 17 00:00:00 2001
From: sebres
Date: Wed, 25 Mar 2015 01:10:53 +0100
Subject: [PATCH 01/11] fix test for invalid IP (use TEST-NET-1 according to RFC 5737): since fef031b3cd41c99a4843d5d5b52217b7694eff72 failed, because on some platforms like vm:debian 10.0.0.0 returns 'localhost' (intern network).
---
 fail2ban/tests/filtertestcase.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fail2ban/tests/filtertestcase.py b/fail2ban/tests/filtertestcase.py
index 8fa13dfa..c7c11f61 100644
--- a/fail2ban/tests/filtertestcase.py
+++ b/fail2ban/tests/filtertestcase.py
@@ -1023,7 +1023,8 @@ class DNSUtilsTests(unittest.TestCase):
 def testIpToName(self):
 res = DNSUtils.ipToName('66.249.66.1')
 self.assertEqual(res, 'crawl-66-249-66-1.googlebot.com')
- res = DNSUtils.ipToName('10.0.0.0')
+ # invalid ip (TEST-NET-1 according to RFC 5737)
+ res = DNSUtils.ipToName('192.0.2.0')
 self.assertEqual(res, None)
 def testAddr2bin(self):
From 6da0c4ad48f2c44c55904518ba2db69fbe5ed0d3 Mon Sep 17 00:00:00 2001
From: sebres
Date: Wed, 25 Mar 2015 01:50:51 +0100
Subject: [PATCH 02/11] very long time resolving IP for address "abcdef" on some PDC, under NAT etc. - replaced via "abcdef.abcdef" to prevent searching in local domains;
---
 fail2ban/tests/filtertestcase.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fail2ban/tests/filtertestcase.py b/fail2ban/tests/filtertestcase.py
index c7c11f61..75f91584 100644
--- a/fail2ban/tests/filtertestcase.py
+++ b/fail2ban/tests/filtertestcase.py
@@ -224,7 +224,7 @@ class IgnoreIP(LogCaptureTestCase):
 self.assertTrue(self.filter.inIgnoreIPList(ip))
 def testIgnoreIPNOK(self):
- ipList = "", "999.999.999.999", "abcdef", "192.168.0."
+ ipList = "", "999.999.999.999", "abcdef.abcdef", "192.168.0."
 for ip in ipList:
 self.filter.addIgnoreIP(ip)
 self.assertFalse(self.filter.inIgnoreIPList(ip))
From eb05cd7bd556f3da65c2fb4ec2ef91a27fcc68b3 Mon Sep 17 00:00:00 2001
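Review bot: The comment `# invalid ip (TEST-NET-1 according to RFC 5737)` is misleading: 192.0.2.0 is a well-formed IPv4 address reserved for documentation, and what the assertion actually relies on is that nobody publishes a PTR record for it, so ipToName still performs a live reverse lookup here (as the googlebot assertion above it does). I would write `# reserved documentation address (TEST-NET-1, RFC 5737): must have no PTR record`, and skip the method under the suite's no_network switch, because a resolver that synthesizes answers (NXDOMAIN rewriting, captive portals) or a changed Google PTR would otherwise fail the test without any fail2ban defect. testAddr2bin begins on the last line of the hunk and continues outside it.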
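Review bot: `abcdef.abcdef` still hands an arbitrary name to the resolver, so the duration and even the outcome of testIgnoreIPNOK depend on the local search list and on whether any upstream resolver synthesizes answers; a wildcard or rewriting resolver could make the name resolve and flip the assertFalse. The `.invalid` TLD is reserved for exactly this (RFC 2606; RFC 6761 asks resolvers to answer it negatively without sending a query), so `ipList = "", "999.999.999.999", "abcdef.invalid", "192.168.0."` is the more robust fixture. Either way a short comment such as `# hostname that must never resolve` belongs next to the entry, since the reason currently lives only in the commit message.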
From: Yaroslav Halchenko
Date: Wed, 25 Mar 2015 11:27:22 -0400
Subject: [PATCH 03/11] BF(OSX): apparently exceptions could not be compared for identity, use repr
---
 fail2ban/tests/servertestcase.py | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py
index 66825923..b851c54b 100644
--- a/fail2ban/tests/servertestcase.py
+++ b/fail2ban/tests/servertestcase.py
@@ -71,19 +71,24 @@ class TransmitterBase(unittest.TestCase):
 """Call after every test case."""
 self.server.quit()
- def setGetTest(self, cmd, inValue, outValue=None, outCode=0, jail=None):
+ def setGetTest(self, cmd, inValue, outValue=None, outCode=0, jail=None, repr_=False):
 setCmd = ["set", cmd, inValue]
 getCmd = ["get", cmd]
 if jail is not None:
 setCmd.insert(1, jail)
 getCmd.insert(1, jail)
+ if outValue is None:
 outValue = inValue
- self.assertEqual(self.transm.proceed(setCmd), (outCode, outValue))
+ def v(x): """Prepare value for comparison""" return (repr(x) if repr_ else x)
+ self.assertEqual(v(self.transm.proceed(setCmd)), v((outCode, outValue)))
 if not outCode:
 # if we expected to get it set without problem, check new value
- self.assertEqual(self.transm.proceed(getCmd), (0, outValue))
+ self.assertEqual(v(self.transm.proceed(getCmd)), v((0, outValue)))
 def setGetTestNOK(self, cmd, inValue, jail=None):
 setCmd = ["set", cmd, inValue]
@@ -794,8 +799,11 @@ class TransmitterLogging(TransmitterBase):
 **{True: {}, # should work on Linux
 False: dict( # expect to fail otherwise
 outCode=1,
- outValue=Exception('Failed to change log target'))}
- [platform.system() in ('Linux',)])
+ outValue=Exception('Failed to change log target'),
+ repr_=True # Exceptions are not comparable apparently
+ )
+ }[platform.system() in ('Linux',)]
+ )
 def testLogLevel(self):
 self.setGetTest("loglevel", "HEAVYDEBUG")
From b2c1673d28e5f4606e39331828d3ed7beb94e94e Mon Sep 17 00:00:00 2001
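Review bot: The docstring `"""Prepare value for comparison"""` does not say what v() changes, which is the whole point of the new repr_ parameter; I would write `"""Return x, or repr(x) when repr_ is set, so values that only compare by identity (exception instances) can be checked."""`. The repr comparison is weaker than equality (for an exception it reflects only the class name and args), so keeping it opt-in per call, as the hunk does, is the right default, and a failing assertion will print the reprs double-quoted, which is acceptable for a test helper. setGetTestNOK begins on the last lines of the hunk and continues outside it.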
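Review bot: The comment `# Exceptions are not comparable apparently` records an OS quirk where there is a fixed CPython rule: BaseException does not define __eq__, so two Exception('...') instances never compare equal on any platform, and the Linux branch only escapes this because its outValue is not an exception. A precise comment saves the next reader the same investigation: `# exception instances compare by identity, so compare reprs instead`. The hunk starts inside the setGetTest call, whose first arguments are outside it.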
From: Yaroslav Halchenko
Date: Wed, 25 Mar 2015 12:56:25 -0400
Subject: [PATCH 04/11] BF: if install pypy -- come back to original directory
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index 8d27ca75..bad7e16e 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -18,7 +18,7 @@ install:
 - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then travis_retry sudo apt-get install -qq python-gamin; cp /usr/share/pyshared/gamin.py /usr/lib/pyshared/python2.7/_gamin.so $VIRTUAL_ENV/lib/python2.7/site-packages/; fi
 - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then cd ..; travis_retry pip install -q coveralls; cd -; fi
 # overcome buggy pypy
- - if [[ $TRAVIS_PYTHON_VERSION == pypy ]] ; then dpkg --compare-versions $(pypy --version 2>&1 | awk '/PyPy/{print $2;}') ge 2.5.1 || { cd /tmp; wget http://buildbot.pypy.org/nightly/trunk/pypy-c-jit-latest-linux64.tar.bz2; tar -xjvf pypy*bz2; cd pypy-*/bin/; export PATH=$PWD:$PATH; cd -; } ; fi
+ - if [[ $TRAVIS_PYTHON_VERSION == pypy ]] ; then dpkg --compare-versions $(pypy --version 2>&1 | awk '/PyPy/{print $2;}') ge 2.5.1 || { d=$PWD; cd /tmp; wget http://buildbot.pypy.org/nightly/trunk/pypy-c-jit-latest-linux64.tar.bz2; tar -xjvf pypy*bz2; cd pypy-*/bin/; export PATH=$PWD:$PATH; cd $d; } ; fi
 script:
 - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then coverage run --rcfile=.travis_coveragerc setup.py test; else python setup.py test; fi
 # test installation
From aa8113c128e0343c6019bf130dd6920735a97997 Mon Sep 17 00:00:00 2001
From: Orion Poplawski
Date: Tue, 7 Apr 2015 15:52:29 -0600
Subject: [PATCH 05/11] Do not run smtp tests if no_network set
---
 fail2ban/tests/utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fail2ban/tests/utils.py b/fail2ban/tests/utils.py
index dbe5cee3..ec3be64c 100644
--- a/fail2ban/tests/utils.py
+++ b/fail2ban/tests/utils.py
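Review bot: The directory fix is right, but the fallback still downloads a nightly interpreter over plain HTTP from buildbot.pypy.org with no checksum or signature check and puts it first on PATH, so anyone who can tamper with that transfer runs arbitrary code in the CI job and in whatever the job can reach. At minimum fetch over https if the host offers it and verify a pinned digest before extracting, e.g. `echo "<sha256>  pypy-c-jit-latest-linux64.tar.bz2" | sha256sum -c -`, which also means pinning a dated build rather than 'latest'. Two smaller points: `cd $d` should be `cd "$d"` since a working directory may contain spaces, and `tar -xjvf pypy*bz2` / `cd pypy-*/bin/` glob over /tmp, so if that directory is not clean they can pick up a stale archive instead of the one just fetched.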
@@ -153,7 +153,7 @@ def gatherTests(regexps=None, no_network=False):
 for file_ in os.listdir(
 os.path.abspath(os.path.dirname(action_d.__file__))):
 if file_.startswith("test_") and file_.endswith(".py"):
- if no_network and file_ in ['test_badips.py']: #pragma: no cover
+ if no_network and file_ in ['test_badips.py','test_smtp.py']: #pragma: no cover
 # Test required network
 continue
 tests.addTest(testloader.loadTestsFromName(
From 8825a5f31b984fe52f705df6cec4720c9c1f0beb Mon Sep 17 00:00:00 2001
From: Markus Oesterle
Date: Thu, 16 Apr 2015 19:48:28 +0200
Subject: [PATCH 06/11] updated filter.d/sshd.conf Added line to match sshd auth errors on OpenSuSE systems
---
 config/filter.d/sshd.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index 6589e21b..f6274a30 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -33,6 +33,7 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|erro
 ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked(?P=__prefix)(?:error: )?Received disconnect from : 11: .+ \[preauth\]$
 ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\](?P=__prefix)(?:error: )?Connection closed by \[preauth\]$
 ^(?P<__prefix>%(__prefix_line)s)Connection from port \d+(?: on \S+ port \d+)?(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
+ ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure.*rhost=\s.*$
 ignoreregex =
From b9a09af914a0cd2a701bc819878aa6cb9bae1a51 Mon Sep 17 00:00:00 2001
From: Markus Oesterle
Date: Thu, 16 Apr 2015 21:33:57 +0200
Subject: [PATCH 07/11] Added changes to ChangeLog & updated sample test cases
---
 ChangeLog | 1 +
 fail2ban/tests/files/logs/sshd | 5 +++++
 2 files changed, 6 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 19eacf83..239d3da9 100644
--- a/ChangeLog
+++ b/ChangeLog
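Review bot: The two file names are now literals inside the condition and the comment `# Test required network` no longer says which resource each one needs, so the next addition will have to guess. I would hoist them to a module constant such as `_NETWORK_TESTS = ('test_badips.py', 'test_smtp.py')  # open real sockets; skipped under no_network` and test `file_ in _NETWORK_TESTS`. If test_smtp only talks to a local SMTP stub (I cannot tell from the hunk), record that in the comment, because environments that set no_network often still have loopback and the skip then drops a test that could have run. gatherTests begins before the hunk and continues after it.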
@@ -40,6 +40,7 @@ ver. 0.9.2 (2014/XX/XXX) - wanna-be-released
 * firewallcmd-* actions: split output into separate lines for grepping (gh-908)
 * Guard unicode encode/decode issues while storing records in the database.
 Fixes "binding parameter error (unsupported type)" (gh-973), thanks to kot for reporting
+ * filter.d/sshd added regex for matching openSUSE ssh authentication failure
 - New Features:
 - New filters:
diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd
index a6e54196..f1f0d982 100644
--- a/fail2ban/tests/files/logs/sshd
+++ b/fail2ban/tests/files/logs/sshd
@@ -148,3 +148,8 @@ Apr 27 13:02:04 host sshd[29116]: User root not allowed because account is locke
 Apr 27 13:02:04 host sshd[29116]: input_userauth_request: invalid user root [preauth]
 # failJSON: { "time": "2005-04-27T13:02:04", "match": true , "host": "1.2.3.4", "desc": "No Bye-Bye" }
 Apr 27 13:02:04 host sshd[29116]: Received disconnect from 1.2.3.4: 11: Normal Shutdown, Thank you for playing [preauth]
+
+# Match sshd auth errors on OpenSUSE systems
+# failJSON: { "time": "Thu Apr 16 19:02:50 2015", "match": true , "host": "222.186.21.217", "desc": "Authentification for user failed" }
+2015-04-16T18:02:50.321974+00:00 host sshd[2716]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.21.217 user=root
+
From 7a1f1c6b0c8e6f64532be4750a610082144ed635 Mon Sep 17 00:00:00 2001
From: Markus Oesterle
Date: Thu, 16 Apr 2015 21:54:57 +0200
Subject: [PATCH 08/11] Fixed the UTC -> CEST difference...
---
 fail2ban/tests/files/logs/sshd | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd
index f1f0d982..30073eda 100644
--- a/fail2ban/tests/files/logs/sshd
+++ b/fail2ban/tests/files/logs/sshd
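Review bot: The new sample pins a real routable address, 222.186.21.217, into a fixture that ships with the package; PATCH 01 of this same series moved a test to RFC 5737 documentation space for exactly that reason, so `rhost=192.0.2.10` with the matching `"host": "192.0.2.10"` would keep the fixtures consistent and avoid naming someone's host. The failJSON host is presumably compared against the filter's captured address, so both fields must change together. The hunk also appends a trailing empty line after the sample, which is whitespace noise at end of file.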
@@ -150,6 +150,6 @@ Apr 27 13:02:04 host sshd[29116]: input_userauth_request: invalid user root [pre
 Apr 27 13:02:04 host sshd[29116]: Received disconnect from 1.2.3.4: 11: Normal Shutdown, Thank you for playing [preauth]
 # Match sshd auth errors on OpenSUSE systems
-# failJSON: { "time": "Thu Apr 16 19:02:50 2015", "match": true , "host": "222.186.21.217", "desc": "Authentification for user failed" }
+# failJSON: { "time": "2015-04-16T20:02:50", "match": true , "host": "222.186.21.217", "desc": "Authentification for user failed" }
 2015-04-16T18:02:50.321974+00:00 host sshd[2716]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.21.217 user=root
From 6ba389c70c8f7f1ff712ad5abb33c9d20c83eccb Mon Sep 17 00:00:00 2001
From: Markus Oesterle
Date: Thu, 16 Apr 2015 23:43:57 +0200
Subject: [PATCH 09/11] Fixed typo in filter description authentification instead of authentication
---
 fail2ban/tests/files/logs/sshd | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd
index 30073eda..2f4400bb 100644
--- a/fail2ban/tests/files/logs/sshd
+++ b/fail2ban/tests/files/logs/sshd
@@ -150,6 +150,6 @@ Apr 27 13:02:04 host sshd[29116]: input_userauth_request: invalid user root [pre
 Apr 27 13:02:04 host sshd[29116]: Received disconnect from 1.2.3.4: 11: Normal Shutdown, Thank you for playing [preauth]
 # Match sshd auth errors on OpenSUSE systems
-# failJSON: { "time": "2015-04-16T20:02:50", "match": true , "host": "222.186.21.217", "desc": "Authentification for user failed" }
+# failJSON: { "time": "2015-04-16T20:02:50", "match": true , "host": "222.186.21.217", "desc": "Authentication for user failed" }
 2015-04-16T18:02:50.321974+00:00 host sshd[2716]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.21.217 user=root
From 5f2807b41f5af5fd9badc32c630117e19784227b Mon Sep 17 00:00:00 2001
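Review bot: The expected `"time": "2015-04-16T20:02:50"` is the line's own `18:02:50+00:00` shifted to UTC+2, so the entry is correct only under a fixed test timezone (CEST, as the commit title says); presumably the harness pins TZ, but nothing in the fixture records that, and without the pin the entry would fail on a plain UTC box. A comment next to it makes the dependency explicit: `# failJSON time is local time in the test TZ (UTC+2); the log line carries an explicit +00:00 offset`. It is also the only sample in the hunk whose timestamp carries a zone offset, so it is the one that exercises offset-aware date parsing, if the date templates honour the offset at all.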
From: Markus Oesterle
Date: Fri, 17 Apr 2015 10:04:35 +0200
Subject: [PATCH 10/11] replaced .* before rhost with regex matching all the previous fields
---
 config/filter.d/sshd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index f6274a30..e69c8622 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -33,7 +33,7 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|erro
 ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked(?P=__prefix)(?:error: )?Received disconnect from : 11: .+ \[preauth\]$
 ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\](?P=__prefix)(?:error: )?Connection closed by \[preauth\]$
 ^(?P<__prefix>%(__prefix_line)s)Connection from port \d+(?: on \S+ port \d+)?(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
- ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure.*rhost=\s.*$
+ ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=.*$
 ignoreregex =
From f8c7247f42ebfac4e5ad761b14898cc9324ed438 Mon Sep 17 00:00:00 2001
From: Markus Oesterle
Date: Fri, 17 Apr 2015 10:22:01 +0200
Subject: [PATCH 11/11] added \s after host
---
 config/filter.d/sshd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index e69c8622..b000cd49 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
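Review bot: `uid=\d*` and `euid=\d*` accept an empty value although pam_unix prints both as unsigned integers, and `tty=\S*` likewise; `uid=\d+\s*euid=\d+\s*tty=\S+` anchors the pattern to the real message at no cost. The empty-tolerant `logname=\S*` and `ruser=\S*` should stay, because the shipped sample shows both fields empty for sshd. The `<HOST>` placeholder appears to have been stripped by the rendering (the context lines read `Received disconnect from : 11:`), so I read the new line as ending in `rhost=<HOST>.*$`; the failregex block it belongs to starts before the hunk.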
@@ -33,7 +33,7 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|erro
 ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked(?P=__prefix)(?:error: )?Received disconnect from : 11: .+ \[preauth\]$
 ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\](?P=__prefix)(?:error: )?Connection closed by \[preauth\]$
 ^(?P<__prefix>%(__prefix_line)s)Connection from port \d+(?: on \S+ port \d+)?(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
- ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=.*$
+ ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=\s.*$
 ignoreregex =
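Review bot: Requiring `\s` immediately after the host makes a line that ends at the address fail to match: pam_unix can omit the `user=` field when the name is unknown, leaving only a trailing blank after rhost, and if a syslog implementation trims that blank the attempt is silently not counted, a failure mode that favours the attacker. `rhost=<HOST>(?:\s.*)?$` keeps the tightening without that gap (the `<HOST>` placeholder looks stripped by the rendering here, compare `Received disconnect from : 11:` on the context lines, so I read the new line as `rhost=<HOST>\s.*$`). Two caveats worth a comment above the line: with `UseDNS yes` sshd passes the reverse-resolved name as rhost, so the capture can be a hostname that is attacker-influenced through PTR records and is subject to fail2ban's usedns handling; and on hosts where sshd also logs its own `Failed password` or `Authentication failure` line for the same attempt, this regex counts each attempt twice and halves the effective maxretry. The failregex block starts before the hunk.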