github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge branches 'debian', 'deb/specifics', 'up/0.9-0.8', 'up/apache_noscript_extend', 'up/ipmasq', 'up/log_examples', 'up/mail_whois_lines', 'up/named_refused_fixed', 'up/pam_generic', 'up/proftpd_fix+extend', 'up/sshd_refused_connect' and 'up/vsftpd_optional_user' into build 

* debian:
  Confirms to policy 3.7.3 (no changes)
  Bye Bye dpatch: now everything is handled in git branches
  removing patches from dpatch system since they are in branches now
  added a  comment to README.Debian and to the list of examples for ipmasq example file
  Fixed == bashism (Closes: #464647). Thanks Raphael Geisser

* deb/specifics:
  slight tune ups in upstream sources destined only for debian are kept in this branch

* up/0.9-0.8:

* up/apache_noscript_extend:
  Extended apache-noscript filter with more file extensions and to react to "script not found or unable to stat" log message (closes: #456565). Thanks Tim Connors

* up/ipmasq:
  Added ipmasq rule file to restart fail2ban when iptables are wiped out (closes: #461417). Thanks Guido Bozzetto

* up/log_examples:
  up/log_examples: moved vsftpd log from up/vsftpd_optional_user
  added examples of log lines (for named-refused, pam-generic, sshd) under files/logs for easy testing

* up/mail_whois_lines:
  mail-whois-lines: moved fix for proper names from dpatch

* up/named_refused_fixed:
  named_refused: moved fix for proper config+filters from dpatch

* up/pam_generic:
  added pam-generic from dpatch

* up/proftpd_fix+extend:
  Fix/extension of proftpd failrexes (Closes: #461412). Thanks Guido Bozzetto

* up/sshd_refused_connect:

* up/vsftpd_optional_user:
  up/vsftpd_optional_user: moving examples into up/examples branch
  BF: vsftp anchoring
debian-releases/squeeze
Yaroslav Halchenko 2008-02-09 22:02:21 -05:00
parent 24d8b44c2a fc3a57b6c1 5f30cb0898 2d8df22cf1 af81bac456 9907401483 1da878481f a9ee3c0b47 86072e3d55 af29b27693 5c5c07fed6
commit b8d97d0983
28 changed files with 140 additions and 387 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
config/action.d/mail-whois-lines.conf
View File

@ -7,7 +7,7 @@
[Definition]
# Option: fwstart
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
@ -16,7 +16,7 @@ actionstart = echo -en "Hi,\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
# Option: fwend
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
@ -25,13 +25,13 @@ actionstop = echo -en "Hi,\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
# Option: fwcheck
# Notes.: command executed once before each fwban command
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: fwban
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
@ -50,7 +50,7 @@ actionban = echo -en "Hi,\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip>" <dest>
# Option: fwunban
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address

4
config/fail2ban.conf
View File

@ -28,7 +28,7 @@ logtarget = /var/log/fail2ban.log
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
# not remove this file when Fail2ban runs. It will not be possible to
# communicate with the server afterwards.
# Values: FILE Default: /tmp/fail2ban.sock
# Values: FILE Default: /var/run/fail2ban.sock
#
socket = /tmp/fail2ban.sock
socket = /var/run/fail2ban.sock

2
config/filter.d/apache-noscript.conf
View File

@ -14,7 +14,7 @@
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = [[]client <HOST>[]] File does not exist: .*(\.php|\.asp)
failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): .*(\.php|\.asp|\.exe|\.pl)
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.

9
config/filter.d/named-refused.conf
View File

@ -9,10 +9,8 @@
[Definition]
# if you want to catch only login erros from specific daemons, use smth like
#_named_rcodes=(?:REFUSED|SERVFAIL)
# To catch all REFUSED queries only
_named_rcodes=REFUSED
#
# Daemon name
_daemon=named
#
@ -28,7 +26,6 @@ __line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = %(__line_prefix)sunexpected RCODE \(%(_named_rcodes)s\) resolving '.*': <HOST>#\S+$
%(__line_prefix)sclient <HOST>#\S+: query(?: \(cache\))? '.*' denied\s*$
failregex = %(__line_prefix)sclient <HOST>#\S+: query(?: \(cache\))? '.*' denied\s*$

25
config/filter.d/pam-generic.conf Normal file
View File

@ -0,0 +1,25 @@
# Fail2Ban configuration file for generic PAM authentication errors
#
# Author: Yaroslav Halchenko
#
# $Revision: $
#
[Definition]
# if you want to catch only login erros from specific daemons, use smth like
#_ttys_re=(?:ssh|pure-ftpd|ftp)
# To catch all failed logins
_ttys_re=\S*
#
# Shortcuts for easier comprehension of the failregex
__pid_re=(?:\[\d+\])
__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
__pam_combs_re=(?:%(__pid_re)s?:\s+%(__pam_re)s|%(__pam_re)s%(__pid_re)s?:)
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = \s\S+ \S+%(__pam_combs_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$

6
config/filter.d/proftpd.conf
View File

@ -14,8 +14,10 @@
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$
\(\S*\[<HOST>\]\) - USER \S+ \(Login failed\): Incorrect password.$
failregex = \(\S+\[<HOST>\]\): USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+$
\(\S+\[<HOST>\]\): USER \S+ \(Login failed\): Incorrect password\.$
\(\S+\[<HOST>\]\): SECURITY VIOLATION: \S+ login attempted\.$
\(\S+\[<HOST>\]\): Maximum login attempts \(\d+\) exceeded$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.

2
config/filter.d/vsftpd.conf
View File

@ -14,7 +14,7 @@
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = vsftpd(?:\[\d+\])?: .* authentication failure; .* rhost=<HOST>\s*$
failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
\[.+\] FAIL LOGIN: Client "<HOST>"\s*$
# Option: ignoreregex

12
config/jail.conf
View File

@ -170,13 +170,13 @@ ignoreip = 168.192.0.1
# with bind9 installation. You will need something like this:
#
# logging {
# channel lame-servers_file {
# file "/var/log/named/lame-servers.log" versions 3 size 30m;
# channel security_file {
# file "/var/log/named/security.log" versions 3 size 30m;
# severity dynamic;
# print-time yes;
# };
# category lame-servers {
# lame-servers_file;
# category security {
# security_file;
# };
# }
#
@ -189,7 +189,7 @@ enabled = false
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
sendmail-whois[name=Named, dest=you@mail.com]
logpath = /var/log/named/lame-servers.log
logpath = /var/log/named/security.log
ignoreip = 168.192.0.1
# This jail blocks TCP traffic for DNS requests.
@ -200,6 +200,6 @@ enabled = false
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
sendmail-whois[name=Named, dest=you@mail.com]
logpath = /var/log/named/lame-servers.log
logpath = /var/log/named/security.log
ignoreip = 168.192.0.1

10
debian/README.Debian vendored
View File

@ -107,6 +107,16 @@ banaction=iptables-new
Also you can redefine the whole action parameter if you like.
* Interaction with ipmasq
Comment to #461417
Although fail2ban should detect and recreate missing chains if the external
command wipes out iptables, it is better to explicitely to force-reload
fail2ban. For this reason there is examples/ipmasq-ZZZzzz|fail2ban.rul file is
shipped along to be installed under name ZZZzzz|fail2ban.rul within
/etc/ipmasq.
Troubleshooting:
---------------

4
debian/control vendored
View File

@ -2,13 +2,13 @@ Source: fail2ban
Section: net
Priority: optional
Maintainer: Yaroslav Halchenko <debian@onerussian.com>
Build-Depends: debhelper (>= 5.0.37.2), dpatch, python
Build-Depends: debhelper (>= 5.0.37.2), python
Build-Depends-Indep: python-central (>= 0.5.6)
XS-Python-Version: current, >= 2.4
Homepage: http://www.fail2ban.org
Vcs-Browser: http://git.onerussian.com/?p=fail2ban
Vcs-git: http://git.onerussian.com/vcs/fail2ban
Standards-Version: 3.7.2
Standards-Version: 3.7.3
Package: fail2ban

2
debian/fail2ban.init vendored
View File

@ -94,7 +94,7 @@ do_start()
if [ -e "$SOCKFILE" ]; then
log_failure_msg "Socket file $SOCKFILE is present"
[ "$1" == "force-start" ] \
[ "$1" = "force-start" ] \
&& log_success_msg "Starting anyway as requested" \
|| return 2
DAEMON_ARGS="$DAEMON_ARGS -x"

55
debian/patches/00_mail-whois-lines.dpatch vendored
View File

@ -1,55 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 00_mail-whois-lines.dpatch by Yaroslav Halchenko <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: New action which mails not only whois but the result of grep using the
## DP: abuser IP over the log files
@DPATCH@
diff -urNad trunk~/config/action.d/mail-whois-lines.conf trunk/config/action.d/mail-whois-lines.conf
--- trunk~/config/action.d/mail-whois-lines.conf 2007-08-14 19:12:48.000000000 -0400
+++ trunk/config/action.d/mail-whois-lines.conf 2007-08-14 19:24:17.000000000 -0400
@@ -7,7 +7,7 @@
[Definition]
-# Option: fwstart
+# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
@@ -16,7 +16,7 @@
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
-# Option: fwend
+# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
@@ -25,13 +25,13 @@
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
-# Option: fwcheck
-# Notes.: command executed once before each fwban command
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
-# Option: fwban
+# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
@@ -50,7 +50,7 @@
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip>" <dest>
-# Option: fwunban
+# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address

23
debian/patches/00_named_logtimeformat.dpatch vendored
View File

@ -1,23 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 00_named_logtimeformat.dpatch by Yaroslav Halchenko <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad trunk~/server/datedetector.py trunk/server/datedetector.py
--- trunk~/server/datedetector.py 2007-04-01 16:42:08.000000000 -0400
+++ trunk/server/datedetector.py 2007-07-29 22:28:52.000000000 -0400
@@ -80,6 +80,12 @@
template.setRegex("\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
template.setPattern("%Y-%m-%d %H:%M:%S")
self.__templates.append(template)
+ # named 26-Jul-2007 15:20:52.252
+ template = DateStrptime()
+ template.setName("Day-Month-Year Hour:Minute:Second[.Millisecond]")
+ template.setRegex("\d{2}-\S{3}-\d{4} \d{2}:\d{2}:\d{2}")
+ template.setPattern("%d-%b-%Y %H:%M:%S")
+ self.__templates.append(template)
# TAI64N
template = DateTai64n()
template.setName("TAI64N")

79
debian/patches/00_named_refused.dpatch vendored
View File

@ -1,79 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 00_named_refused.dpatch by Yaroslav Halchenko <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad trunk~/config/filter.d/named-refused.conf trunk/config/filter.d/named-refused.conf
--- trunk~/config/filter.d/named-refused.conf 2007-08-14 19:42:35.000000000 -0400
+++ trunk/config/filter.d/named-refused.conf 2007-08-17 12:36:28.000000000 -0400
@@ -9,10 +9,8 @@
[Definition]
-# if you want to catch only login erros from specific daemons, use smth like
-#_named_rcodes=(?:REFUSED|SERVFAIL)
-# To catch all REFUSED queries only
-_named_rcodes=REFUSED
+#
+# Daemon name
_daemon=named
#
@@ -28,7 +26,6 @@
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
-failregex = %(__line_prefix)sunexpected RCODE \(%(_named_rcodes)s\) resolving '.*': <HOST>#\S+$
- %(__line_prefix)sclient <HOST>#\S+: query(?: \(cache\))? '.*' denied\s*$
+failregex = %(__line_prefix)sclient <HOST>#\S+: query(?: \(cache\))? '.*' denied\s*$
diff -urNad trunk~/config/filter.d/named-refused.examples trunk/config/filter.d/named-refused.examples
--- trunk~/config/filter.d/named-refused.examples 1969-12-31 19:00:00.000000000 -0500
+++ trunk/config/filter.d/named-refused.examples 2007-08-17 12:36:00.000000000 -0400
@@ -0,0 +1,5 @@
+Jul 24 14:16:55 raid5 named[3935]: client 194.145.196.18#4795: query 'ricreig.com/NS/IN' denied
+Jul 24 14:16:56 raid5 named[3935]: client 62.123.164.113#32768: query 'ricreig.com/NS/IN' denied
+Jul 24 14:17:13 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'geo-mueller.de/NS/IN' denied
+Jul 24 14:20:25 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'shivaree.de/NS/IN' denied
+Jul 24 14:23:36 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'mietberatung.de/NS/IN' denied
diff -urNad trunk~/config/jail.conf trunk/config/jail.conf
--- trunk~/config/jail.conf 2007-08-14 19:12:48.000000000 -0400
+++ trunk/config/jail.conf 2007-08-17 12:36:00.000000000 -0400
@@ -170,13 +170,13 @@
# with bind9 installation. You will need something like this:
#
# logging {
-# channel lame-servers_file {
-# file "/var/log/named/lame-servers.log" versions 3 size 30m;
+# channel security_file {
+# file "/var/log/named/security.log" versions 3 size 30m;
# severity dynamic;
# print-time yes;
# };
-# category lame-servers {
-# lame-servers_file;
+# category security {
+# security_file;
# };
# }
#
@@ -189,7 +189,7 @@
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
sendmail-whois[name=Named, dest=you@mail.com]
-logpath = /var/log/named/lame-servers.log
+logpath = /var/log/named/security.log
ignoreip = 168.192.0.1
# This jail blocks TCP traffic for DNS requests.
@@ -200,6 +200,6 @@
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
sendmail-whois[name=Named, dest=you@mail.com]
-logpath = /var/log/named/lame-servers.log
+logpath = /var/log/named/security.log
ignoreip = 168.192.0.1

47
debian/patches/00_pam_generic.dpatch vendored
View File

@ -1,47 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 00_pam_generic.dpatch by Yaroslav Halchenko <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Filter and examples for a filter generic for any login errors reported with pam_unix.so
@DPATCH@
diff -urNad trunk~/config/filter.d/pam-generic.conf trunk/config/filter.d/pam-generic.conf
--- trunk~/config/filter.d/pam-generic.conf 1969-12-31 19:00:00.000000000 -0500
+++ trunk/config/filter.d/pam-generic.conf 2007-07-24 13:25:12.000000000 -0400
@@ -0,0 +1,25 @@
+# Fail2Ban configuration file for generic PAM authentication errors
+#
+# Author: Yaroslav Halchenko
+#
+# $Revision: $
+#
+
+[Definition]
+
+# if you want to catch only login erros from specific daemons, use smth like
+#_ttys_re=(?:ssh|pure-ftpd|ftp)
+# To catch all failed logins
+_ttys_re=\S*
+
+#
+# Shortcuts for easier comprehension of the failregex
+__pid_re=(?:\[\d+\])
+__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
+__pam_combs_re=(?:%(__pid_re)s?:\s+%(__pam_re)s|%(__pam_re)s%(__pid_re)s?:)
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile.
+# Values: TEXT
+#
+failregex = \s\S+ \S+%(__pam_combs_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
diff -urNad trunk~/config/filter.d/pam-generic.examples trunk/config/filter.d/pam-generic.examples
--- trunk~/config/filter.d/pam-generic.examples 1969-12-31 19:00:00.000000000 -0500
+++ trunk/config/filter.d/pam-generic.examples 2007-07-24 13:24:49.000000000 -0400
@@ -0,0 +1,7 @@
+Feb 7 15:10:42 example pure-ftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=sample-user rhost=192.168.1.1
+May 12 09:47:54 vaio sshd[16004]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71-13-115-12.static.mdsn.wi.charter.com user=root
+May 12 09:48:03 vaio sshd[16021]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71-13-115-12.static.mdsn.wi.charter.com
+May 15 18:02:12 localhost proftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=66.232.129.62 user=mark
+Nov 25 17:12:13 webmail pop(pam_unix)[4920]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.10.3 user=mailuser
+Jul 19 18:11:26 srv2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www3.google.com
+Jul 19 18:11:26 srv2 vsftpd: pam_unix: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www3.google.com

33
debian/patches/00_ssh_strong_re.dpatch vendored
View File

@ -1,33 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 00_ssh_strong_re.dpatch by Yaroslav Halchenko <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad fail2ban~/config/filter.d/sshd.examples fail2ban/config/filter.d/sshd.examples
--- fail2ban~/config/filter.d/sshd.examples 1969-12-31 19:00:00.000000000 -0500
+++ fail2ban/config/filter.d/sshd.examples 2007-11-23 08:59:47.000000000 -0500
@@ -0,0 +1,22 @@
+#1
+Jun 21 16:47:48 digital-mlhhyiqscv sshd[13709]: error: PAM: Authentication failure for myhlj1374 from 192.030.0.6
+May 29 20:56:52 imago sshd[28732]: error: PAM: Authentication failure for stefanor from www.onerussian.com
+
+#2
+Feb 25 14:34:10 belka sshd[31602]: Failed password for invalid user ROOT from 194.117.26.69 port 50273 ssh2
+Feb 25 14:34:10 belka sshd[31602]: Failed password for invalid user ROOT from 194.117.26.70 port 12345
+
+#3
+Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4
+Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM ::ffff:1.2.3.4
+
+#4
+Jul 20 14:42:11 localhost sshd[22708]: Invalid user ftp from 211.114.51.213
+
+
+#5 new filter introduced after looking at 44087D8C.9090407@bluewin.ch
+Mar 3 00:17:22 [sshd] User root from 210.188.220.49 not allowed because not listed in AllowUsers
+Feb 25 14:34:11 belka sshd[31607]: User root from ferrari.inescn.pt not allowed because not listed in AllowUsers
+
+#6 ew filter introduced thanks to report Guido Bozzetto <reportbug@G-B.it>
+Nov 11 23:33:27 Server sshd[5174]: refused connect from _U2FsdGVkX19P3BCJmFBHhjLza8BcMH06WCUVwttMHpE=_@::ffff:218.249.210.161 (::ffff:218.249.210.161)

20
debian/patches/00_var_run_socket.dpatch vendored
View File

@ -1,20 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 00_var_run_socket.dpatch by Yaroslav Halchenko <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: to close 425746: move socket under /var/run
@DPATCH@
diff -urNad trunk~/config/fail2ban.conf trunk/config/fail2ban.conf
--- trunk~/config/fail2ban.conf 2007-05-05 21:30:21.000000000 -0400
+++ trunk/config/fail2ban.conf 2007-07-03 18:21:52.000000000 -0400
@@ -28,7 +28,7 @@
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
# not remove this file when Fail2ban runs. It will not be possible to
# communicate with the server afterwards.
-# Values: FILE Default: /tmp/fail2ban.sock
+# Values: FILE Default: /var/run/fail2ban.sock
#
-socket = /tmp/fail2ban.sock
+socket = /var/run/fail2ban.sock

6
debian/patches/00list vendored
View File

@ -1,6 +0,0 @@
00_mail-whois-lines
00_var_run_socket
10_dbts_manpages
00_ssh_strong_re
00_pam_generic
00_named_refused

33
debian/patches/10_dbts_manpages.dpatch vendored
View File

@ -1,33 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 10_dbts_manpages.dpatch by <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad fail2ban-0.7.3~/man/fail2ban-client.1 fail2ban-0.7.3/man/fail2ban-client.1
--- fail2ban-0.7.3~/man/fail2ban-client.1 2006-09-28 15:34:06.000000000 -0400
+++ fail2ban-0.7.3/man/fail2ban-client.1 2006-09-28 22:58:38.000000000 -0400
@@ -82,7 +82,8 @@
Written by Cyril Jaquier <lostcontrol@users.sourceforge.net>.
Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
.SH "REPORTING BUGS"
-Report bugs to <lostcontrol@users.sourceforge.net>
+Please report bugs via Debian bug tracking system
+http://www.debian.org/Bugs/.
.SH COPYRIGHT
Copyright \(co 2004-2006 Cyril Jaquier
.br
diff -urNad fail2ban-0.7.3~/man/fail2ban-server.1 fail2ban-0.7.3/man/fail2ban-server.1
--- fail2ban-0.7.3~/man/fail2ban-server.1 2006-09-28 15:34:06.000000000 -0400
+++ fail2ban-0.7.3/man/fail2ban-server.1 2006-09-28 22:59:25.000000000 -0400
@@ -33,7 +33,8 @@
Written by Cyril Jaquier <lostcontrol@users.sourceforge.net>.
Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
.SH "REPORTING BUGS"
-Report bugs to <lostcontrol@users.sourceforge.net>
+Please report bugs via Debian bug tracking system
+http://www.debian.org/Bugs/.
.SH COPYRIGHT
Copyright \(co 2004-2006 Cyril Jaquier
.br

54
debian/patches/10_multiple_HOST_regexp.dpatch vendored
View File

@ -1,54 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 10_multiple_HOST_regexp.dpatch by Yaroslav Halchenko <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad fail2ban-0.7.5~/server/filter.py fail2ban-0.7.5/server/filter.py
--- fail2ban-0.7.5~/server/filter.py 2006-11-26 15:37:31.000000000 -0500
+++ fail2ban-0.7.5/server/filter.py 2006-12-22 13:30:25.000000000 -0500
@@ -170,8 +170,17 @@
self.__failRegex = value
self.__failRegexObj = None
else:
- # Replace "<HOST>" with default regular expression for host.
- regex = value.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>\S+)")
+ # Replace "<HOST>"s with regular expression for a hostname,
+ # naming groups hostX where X is a number starting with 1
+ regex = value
+ oldregex = ''; k = 0
+ while ( regex != oldregex ):
+ oldregex = regex
+ k += 1
+ regex = regex.replace("<HOST>",
+ "(?:::f{4,6}:)?(?P<host%d>\S+)" % k,
+ 1)
+
self.__failRegex = regex
self.__failRegexObj = re.compile(regex)
logSys.info("Set failregex = %s" % self.__failRegex)
@@ -435,12 +444,18 @@
+ "this format")
else:
try:
- ipMatch = DNSUtils.textToIp(match.group("host"))
- if ipMatch:
- for ip in ipMatch:
- failList.append([ip, date])
+ allGroups = match.groupdict()
+ hostRe = re.compile('host\d*$')
+ # Select only groups named host\d*
+ hostGroups = filter(lambda x: hostRe.match(x[0]) and x[1],
+ allGroups.iteritems())
+ for hostGroup, hostEntry in hostGroups:
+ ipMatch = DNSUtils.textToIp(hostEntry)
+ if ipMatch:
+ for ip in ipMatch:
+ failList.append([ip, date])
except IndexError:
- logSys.error("There is no 'host' group in the rule. " +
+ logSys.error("There is no 'hostX' group in the rule. " +
"Please correct your configuration.")
return failList

11
debian/rules vendored
View File

@ -11,19 +11,14 @@
DESTDIR=$(CURDIR)/debian/fail2ban
# no parallel execution -- required for dpatch
.NOTPARALLEL:
include /usr/share/dpatch/dpatch.make
configure: configure-stamp
configure-stamp:
dh_testdir
touch configure-stamp
build: patch
build:
clean: clean-inits unpatch
clean: clean-inits
dh_testdir
dh_testroot
rm -f build-stamp configure-stamp
@ -57,7 +52,7 @@ binary-indep: install
dh_testroot
dh_installchangelogs CHANGELOG
dh_installdocs
dh_installexamples config/jail.conf
dh_installexamples config/jail.conf files/ipmasq-*
dh_installlogrotate
dh_pycentral
dh_installinit -- defaults 99

31
files/ipmasq-ZZZzzz|fail2ban.rul Normal file
View File

@ -0,0 +1,31 @@
#! /bin/sh
#
# ZZZzzz|fail2ban.rul
#
# Ultima modifica: 20060112 <Nauta@G-B.it> Creazione
# Ultima modifica: 20071205 <Nauta@G-B.it> Verifica sia in esecuzione
#
# Riconfigura le regole di filtraggio relative a fail2ban alla fine
# dell'inizializzazione delle regole.
# Solo all'avvio del sistema mostra la (ri)esecuzione dello script
_NAME=fail2ban
_INITSCRIPT=/etc/init.d/$_NAME
_CONFIG="/etc/$_NAME/$_NAME.local /etc/$_NAME/$_NAME.conf"
if [ -s $_INITSCRIPT ]; then
SOCKFILE=`sed -n -e '/^[^#]*socket\s*=/{
s/.*socket\s*=\s*\(\S\+\).*/\1/p;q}' $_CONFIG 2>/dev/null`
[ -z "$SOCKFILE" ] && SOCKFILE="/tmp/$_NAME.sock"
if [ -S "$SOCKFILE" ]; then # Is daemon running ?
if [ "$SHOWRULES" == "yes" ]; then
echo "#: Reinitializing $_NAME"
echo $_INITSCRIPT force-reload
else
[ ! $runlevel ] && HIDEOUTPUT=true
fi
if [ "$NOACT" != "yes" ]; then
eval $_INITSCRIPT force-reload ${HIDEOUTPUT:+\>/dev/null 2\>&1}
fi
fi # SOCKFILE is a socket
fi # _INITSCRIPT exist

5
files/logs/named-refused Normal file
View File

@ -0,0 +1,5 @@
Jul 24 14:16:55 raid5 named[3935]: client 194.145.196.18#4795: query 'ricreig.com/NS/IN' denied
Jul 24 14:16:56 raid5 named[3935]: client 62.123.164.113#32768: query 'ricreig.com/NS/IN' denied
Jul 24 14:17:13 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'geo-mueller.de/NS/IN' denied
Jul 24 14:20:25 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'shivaree.de/NS/IN' denied
Jul 24 14:23:36 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'mietberatung.de/NS/IN' denied

7
files/logs/pam-generic Normal file
View File

@ -0,0 +1,7 @@
Feb 7 15:10:42 example pure-ftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=sample-user rhost=192.168.1.1
May 12 09:47:54 vaio sshd[16004]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71-13-115-12.static.mdsn.wi.charter.com user=root
May 12 09:48:03 vaio sshd[16021]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71-13-115-12.static.mdsn.wi.charter.com
May 15 18:02:12 localhost proftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=66.232.129.62 user=mark
Nov 25 17:12:13 webmail pop(pam_unix)[4920]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.10.3 user=mailuser
Jul 19 18:11:26 srv2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www3.google.com
Jul 19 18:11:26 srv2 vsftpd: pam_unix: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www3.google.com

22
files/logs/sshd Normal file
View File

@ -0,0 +1,22 @@
#1
Jun 21 16:47:48 digital-mlhhyiqscv sshd[13709]: error: PAM: Authentication failure for myhlj1374 from 192.030.0.6
May 29 20:56:52 imago sshd[28732]: error: PAM: Authentication failure for stefanor from www.onerussian.com
#2
Feb 25 14:34:10 belka sshd[31602]: Failed password for invalid user ROOT from 194.117.26.69 port 50273 ssh2
Feb 25 14:34:10 belka sshd[31602]: Failed password for invalid user ROOT from 194.117.26.70 port 12345
#3
Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4
Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM ::ffff:1.2.3.4
#4
Jul 20 14:42:11 localhost sshd[22708]: Invalid user ftp from 211.114.51.213
#5 new filter introduced after looking at 44087D8C.9090407@bluewin.ch
Mar 3 00:17:22 [sshd] User root from 210.188.220.49 not allowed because not listed in AllowUsers
Feb 25 14:34:11 belka sshd[31607]: User root from ferrari.inescn.pt not allowed because not listed in AllowUsers
#6 ew filter introduced thanks to report Guido Bozzetto <reportbug@G-B.it>
Nov 11 23:33:27 Server sshd[5174]: refused connect from _U2FsdGVkX19P3BCJmFBHhjLza8BcMH06WCUVwttMHpE=_@::ffff:218.249.210.161 (::ffff:218.249.210.161)

7
files/logs/vsftpd Normal file
View File

@ -0,0 +1,7 @@
#1 PAM based
Oct 11 01:06:47 ServerJV vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=209.67.1.67
Feb 6 12:02:29 server vsftpd(pam_unix)[15522]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=64.168.103.1 user=user1
#2 Internal
Fri Jan 19 12:20:33 2007 [pid 27202] [anonymous] FAIL LOGIN: Client "64.106.46.98"

3
man/fail2ban-client.1
View File

@ -259,7 +259,8 @@ action <ACT> for <JAIL>
Written by Cyril Jaquier <lostcontrol@users.sourceforge.net>.
Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
.SH "REPORTING BUGS"
Report bugs to <lostcontrol@users.sourceforge.net>
Please report bugs via Debian bug tracking system
http://www.debian.org/Bugs/.
.SH COPYRIGHT
Copyright \(co 2004-2006 Cyril Jaquier
.br

3
man/fail2ban-server.1
View File

@ -35,7 +35,8 @@ print the version
Written by Cyril Jaquier <lostcontrol@users.sourceforge.net>.
Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
.SH "REPORTING BUGS"
Report bugs to <lostcontrol@users.sourceforge.net>
Please report bugs via Debian bug tracking system
http://www.debian.org/Bugs/.
.SH COPYRIGHT
Copyright \(co 2004-2006 Cyril Jaquier
.br