diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf index a26306c9..83ede2a9 100644 --- a/config/action.d/mail-whois-lines.conf +++ b/config/action.d/mail-whois-lines.conf @@ -7,7 +7,7 @@ [Definition] -# Option: fwstart +# Option: actionstart # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # @@ -16,7 +16,7 @@ actionstart = echo -en "Hi,\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] : started" -# Option: fwend +# Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # @@ -25,13 +25,13 @@ actionstop = echo -en "Hi,\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] : stopped" -# Option: fwcheck -# Notes.: command executed once before each fwban command +# Option: actioncheck +# Notes.: command executed once before each actionban command # Values: CMD # actioncheck = -# Option: fwban +# Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: IP address @@ -50,7 +50,7 @@ actionban = echo -en "Hi,\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] : banned " -# Option: fwunban +# Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: IP address diff --git a/config/fail2ban.conf b/config/fail2ban.conf index 598cc015..7d18c0e2 100644 --- a/config/fail2ban.conf +++ b/config/fail2ban.conf @@ -28,7 +28,7 @@ logtarget = /var/log/fail2ban.log # Notes.: Set the socket file. This is used to communicate with the daemon. Do # not remove this file when Fail2ban runs. It will not be possible to # communicate with the server afterwards. -# Values: FILE Default: /tmp/fail2ban.sock +# Values: FILE Default: /var/run/fail2ban.sock # -socket = /tmp/fail2ban.sock +socket = /var/run/fail2ban.sock diff --git a/config/filter.d/apache-noscript.conf b/config/filter.d/apache-noscript.conf index 12ffeee3..9f903215 100644 
--- a/config/filter.d/apache-noscript.conf +++ b/config/filter.d/apache-noscript.conf @@ -14,7 +14,7 @@ # (?:::f{4,6}:)?(?P\S+) # Values: TEXT # -failregex = [[]client []] File does not exist: .*(\.php|\.asp) +failregex = [[]client []] (File does not exist|script not found or unable to stat): .*(\.php|\.asp|\.exe|\.pl) # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff --git a/config/filter.d/named-refused.conf b/config/filter.d/named-refused.conf index 435a2e70..7b002389 100644 --- a/config/filter.d/named-refused.conf +++ b/config/filter.d/named-refused.conf @@ -9,10 +9,8 @@ [Definition] -# if you want to catch only login erros from specific daemons, use smth like -#_named_rcodes=(?:REFUSED|SERVFAIL) -# To catch all REFUSED queries only -_named_rcodes=REFUSED +# +# Daemon name _daemon=named # @@ -28,7 +26,6 @@ __line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)? # Notes.: regex to match the password failures messages in the logfile. # Values: TEXT # -failregex = %(__line_prefix)sunexpected RCODE \(%(_named_rcodes)s\) resolving '.*': #\S+$ - %(__line_prefix)sclient #\S+: query(?: \(cache\))? '.*' denied\s*$ +failregex = %(__line_prefix)sclient #\S+: query(?: \(cache\))? '.*' denied\s*$ diff --git a/config/filter.d/pam-generic.conf b/config/filter.d/pam-generic.conf new file mode 100644 index 00000000..55e9efd0 --- /dev/null +++ b/config/filter.d/pam-generic.conf 
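Review bot: The widened failregex ends in `.*(\.php|\.asp|\.exe|\.pl)` with no terminating anchor, so `\.pl` also matches a path containing `.plain` or `.pls` and `\.asp` matches `.aspx`, wherever the fragment occurs in the requested path. If the path is the last field of these Apache error lines, `(\.php|\.asp|\.exe|\.pl)\s*$` keeps the match to the intended extensions; whether trailing text ever follows the path is not visible from the hunk, so a counter-example fixture would settle it. A short comment above the line naming the two Apache messages it covers would also help the next person who extends the alternation.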
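Review bot: The option comment directly above the rewritten failregex still says `# Notes.: regex to match the password failures messages in the logfile.`, which no longer describes a filter that matches only denied DNS queries; `# Notes.: regex to match queries that named logged as denied.` would be accurate. The replacement block above `_daemon=named` starts with an empty `#` line left over from the deleted `_named_rcodes` text, which can be dropped. Since the jail.conf hunks in this commit point the jail at the bind9 `security` category log, a one-line comment here naming that category would tie the filter to the logging stanza it expects.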
@@ -0,0 +1,25 @@ +# Fail2Ban configuration file for generic PAM authentication errors +# +# Author: Yaroslav Halchenko +# +# $Revision: $ +# + +[Definition] + +# if you want to catch only login erros from specific daemons, use smth like +#_ttys_re=(?:ssh|pure-ftpd|ftp) +# To catch all failed logins +_ttys_re=\S* + +# +# Shortcuts for easier comprehension of the failregex +__pid_re=(?:\[\d+\]) +__pam_re=\(?pam_unix(?:\(\S+\))?\)?:? +__pam_combs_re=(?:%(__pid_re)s?:\s+%(__pam_re)s|%(__pam_re)s%(__pid_re)s?:) + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. +# Values: TEXT +# +failregex = \s\S+ \S+%(__pam_combs_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=(?:\s+user=.*)?\s*$ diff --git a/config/filter.d/proftpd.conf b/config/filter.d/proftpd.conf index 331849b7..e2e5c1db 100644 --- a/config/filter.d/proftpd.conf +++ b/config/filter.d/proftpd.conf @@ -14,8 +14,10 @@ # (?:::f{4,6}:)?(?P\S+) # Values: TEXT # -failregex = USER \S+: no such user found from \S* ?\[\] to \S+\s*$ - \(\S*\[\]\) - USER \S+ \(Login failed\): Incorrect password.$ +failregex = \(\S+\[\]\): USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+$ + \(\S+\[\]\): USER \S+ \(Login failed\): Incorrect password\.$ + \(\S+\[\]\): SECURITY VIOLATION: \S+ login attempted\.$ + \(\S+\[\]\): Maximum login attempts \(\d+\) exceeded$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff --git a/config/filter.d/vsftpd.conf b/config/filter.d/vsftpd.conf index 3775e803..f409e128 100644 --- a/config/filter.d/vsftpd.conf +++ b/config/filter.d/vsftpd.conf @@ -14,7 +14,7 @@ # (?:::f{4,6}:)?(?P\S+) # Values: TEXT # -failregex = vsftpd(?:\[\d+\])?: .* authentication failure; .* rhost=\s*$ +failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=(?:\s+user=\S*)?\s*$ \[.+\] FAIL LOGIN: Client ""\s*$ # Option: ignoreregex 
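Review bot: The comment introducing `_ttys_re` in the new file has typos, `# if you want to catch only login erros from specific daemons, use smth like`, and should read `# to catch only login errors from specific services, use something like`. The shortcut `__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?` makes each parenthesis optional independently, so it also accepts unbalanced forms such as `(pam_unix:`; that is harmless for the shipped samples, but a comment stating the laxity is deliberate would keep it from being "fixed" later. The tail `rhost=(?:\s+user=.*)?\s*$` matches the host before the client-supplied `user=` value, which is the right order for a pattern whose later field is attacker-chosen; a comment saying so would stop a future edit from reordering it.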
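Review bot: Each of the four new failregex lines matches the user name with `USER \S+`, but that name is whatever the client sent, so an attempt whose user name contains whitespace yields a line that none of the patterns match and is never counted; if proftpd logs such names verbatim (not verifiable from the hunk), `USER .+?: no such user found` and `USER .+? \(Login failed\)` are the safer forms. The first pattern also fixes the server-side address to `\[[0-9.]+\]`, so the "no such user" line is not matched when the listener address is IPv6; `\[\S+\]` covers both. A comment above the block listing which log line each alternative targets would make later additions easier to check.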
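Review bot: The rewritten PAM line ends with `rhost=(?:\s+user=\S*)?\s*$`, while the pam-generic filter added in the same commit ends the same pam_unix message with `rhost=(?:\s+user=.*)?\s*$`; the `user=` value is the name the client supplied, so a name containing a space is matched by one filter and missed by the other. Using the same tail in both, `(?:\s+user=.*)?\s*$`, keeps the two filters consistent. The optional groups in `vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.*` cover several sample shapes at once, which deserves a comment naming them.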
diff --git a/config/jail.conf b/config/jail.conf index f7f134f2..bed8e03f 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -170,13 +170,13 @@ ignoreip = 168.192.0.1 # with bind9 installation. You will need something like this: # # logging { -# channel lame-servers_file { -# file "/var/log/named/lame-servers.log" versions 3 size 30m; +# channel security_file { +# file "/var/log/named/security.log" versions 3 size 30m; # severity dynamic; # print-time yes; # }; -# category lame-servers { -# lame-servers_file; +# category security { +# security_file; # }; # } # @@ -189,7 +189,7 @@ enabled = false filter = named-refused action = iptables-multiport[name=Named, port="domain,953", protocol=udp] sendmail-whois[name=Named, dest=you@mail.com] -logpath = /var/log/named/lame-servers.log +logpath = /var/log/named/security.log ignoreip = 168.192.0.1 # This jail blocks TCP traffic for DNS requests. @@ -200,6 +200,6 @@ enabled = false filter = named-refused action = iptables-multiport[name=Named, port="domain,953", protocol=tcp] sendmail-whois[name=Named, dest=you@mail.com] -logpath = /var/log/named/lame-servers.log +logpath = /var/log/named/security.log ignoreip = 168.192.0.1 diff --git a/debian/README.Debian b/debian/README.Debian index 34303403..faf52b10 100644 --- a/debian/README.Debian +++ b/debian/README.Debian @@ -107,6 +107,16 @@ banaction=iptables-new Also you can redefine the whole action parameter if you like. +* Interaction with ipmasq + Comment to #461417 + +Although fail2ban should detect and recreate missing chains if the external +command wipes out iptables, it is better to explicitely to force-reload +fail2ban. For this reason there is examples/ipmasq-ZZZzzz|fail2ban.rul file is +shipped along to be installed under name ZZZzzz|fail2ban.rul within +/etc/ipmasq. + + Troubleshooting: --------------- diff --git a/debian/control b/debian/control index 45957b40..fa9403d3 100644 --- a/debian/control +++ b/debian/control 
@@ -2,13 +2,13 @@ Source: fail2ban Section: net Priority: optional Maintainer: Yaroslav Halchenko -Build-Depends: debhelper (>= 5.0.37.2), dpatch, python +Build-Depends: debhelper (>= 5.0.37.2), python Build-Depends-Indep: python-central (>= 0.5.6) XS-Python-Version: current, >= 2.4 Homepage: http://www.fail2ban.org Vcs-Browser: http://git.onerussian.com/?p=fail2ban Vcs-git: http://git.onerussian.com/vcs/fail2ban -Standards-Version: 3.7.2 +Standards-Version: 3.7.3 Package: fail2ban diff --git a/debian/fail2ban.init b/debian/fail2ban.init index 5522f53b..c2bd3729 100755 --- a/debian/fail2ban.init +++ b/debian/fail2ban.init @@ -94,7 +94,7 @@ do_start() if [ -e "$SOCKFILE" ]; then log_failure_msg "Socket file $SOCKFILE is present" - [ "$1" == "force-start" ] \ + [ "$1" = "force-start" ] \ && log_success_msg "Starting anyway as requested" \ || return 2 DAEMON_ARGS="$DAEMON_ARGS -x" diff --git a/debian/patches/00_mail-whois-lines.dpatch b/debian/patches/00_mail-whois-lines.dpatch deleted file mode 100755 index 33ad6bef..00000000 --- a/debian/patches/00_mail-whois-lines.dpatch +++ /dev/null 
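Review bot: The corrected test heads an `a && b || c` chain, `[ "$1" = "force-start" ] && log_success_msg "Starting anyway as requested" || return 2`, so do_start still returns 2 on a force-start whenever log_success_msg itself exits non-zero; an explicit conditional avoids that: `if [ "$1" = "force-start" ]; then log_success_msg "Starting anyway as requested"; else return 2; fi`. The `==` to `=` change is right if the init script runs under a POSIX sh, but the ipmasq rule file added in this commit still uses `[ "$SHOWRULES" == "yes" ]` under `#! /bin/sh`. do_start's body begins and ends outside the hunk.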
@@ -1,55 +0,0 @@ -#! /bin/sh /usr/share/dpatch/dpatch-run -## 00_mail-whois-lines.dpatch by Yaroslav Halchenko -## -## All lines beginning with `## DP:' are a description of the patch. -## DP: New action which mails not only whois but the result of grep using the -## DP: abuser IP over the log files - -@DPATCH@ -diff -urNad trunk~/config/action.d/mail-whois-lines.conf trunk/config/action.d/mail-whois-lines.conf ---- trunk~/config/action.d/mail-whois-lines.conf 2007-08-14 19:12:48.000000000 -0400 -+++ trunk/config/action.d/mail-whois-lines.conf 2007-08-14 19:24:17.000000000 -0400 -@@ -7,7 +7,7 @@ - - [Definition] - --# Option: fwstart -+# Option: actionstart - # Notes.: command executed once at the start of Fail2Ban. - # Values: CMD - # -@@ -16,7 +16,7 @@ - Regards,\n - Fail2Ban"|mail -s "[Fail2Ban] : started" - --# Option: fwend -+# Option: actionstop - # Notes.: command executed once at the end of Fail2Ban - # Values: CMD - # -@@ -25,13 +25,13 @@ - Regards,\n - Fail2Ban"|mail -s "[Fail2Ban] : stopped" - --# Option: fwcheck --# Notes.: command executed once before each fwban command -+# Option: actioncheck -+# Notes.: command executed once before each actionban command - # Values: CMD - # - actioncheck = - --# Option: fwban -+# Option: actionban - # Notes.: command executed when banning an IP. Take care that the - # command is executed with Fail2Ban user rights. - # Tags: IP address -@@ -50,7 +50,7 @@ - Regards,\n - Fail2Ban"|mail -s "[Fail2Ban] : banned " - --# Option: fwunban -+# Option: actionunban - # Notes.: command executed when unbanning an IP. Take care that the - # command is executed with Fail2Ban user rights. - # Tags: IP address diff --git a/debian/patches/00_named_logtimeformat.dpatch b/debian/patches/00_named_logtimeformat.dpatch deleted file mode 100755 index 672f86e5..00000000 --- a/debian/patches/00_named_logtimeformat.dpatch +++ /dev/null 
@@ -1,23 +0,0 @@ -#! /bin/sh /usr/share/dpatch/dpatch-run -## 00_named_logtimeformat.dpatch by Yaroslav Halchenko -## -## All lines beginning with `## DP:' are a description of the patch. -## DP: No description. - -@DPATCH@ -diff -urNad trunk~/server/datedetector.py trunk/server/datedetector.py ---- trunk~/server/datedetector.py 2007-04-01 16:42:08.000000000 -0400 -+++ trunk/server/datedetector.py 2007-07-29 22:28:52.000000000 -0400 -@@ -80,6 +80,12 @@ - template.setRegex("\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}") - template.setPattern("%Y-%m-%d %H:%M:%S") - self.__templates.append(template) -+ # named 26-Jul-2007 15:20:52.252 -+ template = DateStrptime() -+ template.setName("Day-Month-Year Hour:Minute:Second[.Millisecond]") -+ template.setRegex("\d{2}-\S{3}-\d{4} \d{2}:\d{2}:\d{2}") -+ template.setPattern("%d-%b-%Y %H:%M:%S") -+ self.__templates.append(template) - # TAI64N - template = DateTai64n() - template.setName("TAI64N") diff --git a/debian/patches/00_named_refused.dpatch b/debian/patches/00_named_refused.dpatch deleted file mode 100755 index 97dfde57..00000000 --- a/debian/patches/00_named_refused.dpatch +++ /dev/null 
@@ -1,79 +0,0 @@ -#! /bin/sh /usr/share/dpatch/dpatch-run -## 00_named_refused.dpatch by Yaroslav Halchenko -## -## All lines beginning with `## DP:' are a description of the patch. -## DP: No description. - -@DPATCH@ -diff -urNad trunk~/config/filter.d/named-refused.conf trunk/config/filter.d/named-refused.conf ---- trunk~/config/filter.d/named-refused.conf 2007-08-14 19:42:35.000000000 -0400 -+++ trunk/config/filter.d/named-refused.conf 2007-08-17 12:36:28.000000000 -0400 -@@ -9,10 +9,8 @@ - - [Definition] - --# if you want to catch only login erros from specific daemons, use smth like --#_named_rcodes=(?:REFUSED|SERVFAIL) --# To catch all REFUSED queries only --_named_rcodes=REFUSED -+# -+# Daemon name - _daemon=named - - # -@@ -28,7 +26,6 @@ - # Notes.: regex to match the password failures messages in the logfile. - # Values: TEXT - # --failregex = %(__line_prefix)sunexpected RCODE \(%(_named_rcodes)s\) resolving '.*': #\S+$ -- %(__line_prefix)sclient #\S+: query(?: \(cache\))? '.*' denied\s*$ -+failregex = %(__line_prefix)sclient #\S+: query(?: \(cache\))? 
'.*' denied\s*$ - - -diff -urNad trunk~/config/filter.d/named-refused.examples trunk/config/filter.d/named-refused.examples ---- trunk~/config/filter.d/named-refused.examples 1969-12-31 19:00:00.000000000 -0500 -+++ trunk/config/filter.d/named-refused.examples 2007-08-17 12:36:00.000000000 -0400 -@@ -0,0 +1,5 @@ -+Jul 24 14:16:55 raid5 named[3935]: client 194.145.196.18#4795: query 'ricreig.com/NS/IN' denied -+Jul 24 14:16:56 raid5 named[3935]: client 62.123.164.113#32768: query 'ricreig.com/NS/IN' denied -+Jul 24 14:17:13 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'geo-mueller.de/NS/IN' denied -+Jul 24 14:20:25 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'shivaree.de/NS/IN' denied -+Jul 24 14:23:36 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'mietberatung.de/NS/IN' denied -diff -urNad trunk~/config/jail.conf trunk/config/jail.conf ---- trunk~/config/jail.conf 2007-08-14 19:12:48.000000000 -0400 -+++ trunk/config/jail.conf 2007-08-17 12:36:00.000000000 -0400 -@@ -170,13 +170,13 @@ - # with bind9 installation. You will need something like this: - # - # logging { --# channel lame-servers_file { --# file "/var/log/named/lame-servers.log" versions 3 size 30m; -+# channel security_file { -+# file "/var/log/named/security.log" versions 3 size 30m; - # severity dynamic; - # print-time yes; - # }; --# category lame-servers { --# lame-servers_file; -+# category security { -+# security_file; - # }; - # } - # -@@ -189,7 +189,7 @@ - filter = named-refused - action = iptables-multiport[name=Named, port="domain,953", protocol=udp] - sendmail-whois[name=Named, dest=you@mail.com] --logpath = /var/log/named/lame-servers.log -+logpath = /var/log/named/security.log - ignoreip = 168.192.0.1 - - # This jail blocks TCP traffic for DNS requests. 
-@@ -200,6 +200,6 @@ - filter = named-refused - action = iptables-multiport[name=Named, port="domain,953", protocol=tcp] - sendmail-whois[name=Named, dest=you@mail.com] --logpath = /var/log/named/lame-servers.log -+logpath = /var/log/named/security.log - ignoreip = 168.192.0.1 - diff --git a/debian/patches/00_pam_generic.dpatch b/debian/patches/00_pam_generic.dpatch deleted file mode 100755 index f087526d..00000000 --- a/debian/patches/00_pam_generic.dpatch +++ /dev/null 
@@ -1,47 +0,0 @@ -#! /bin/sh /usr/share/dpatch/dpatch-run -## 00_pam_generic.dpatch by Yaroslav Halchenko -## -## All lines beginning with `## DP:' are a description of the patch. -## DP: Filter and examples for a filter generic for any login errors reported with pam_unix.so - -@DPATCH@ -diff -urNad trunk~/config/filter.d/pam-generic.conf trunk/config/filter.d/pam-generic.conf ---- trunk~/config/filter.d/pam-generic.conf 1969-12-31 19:00:00.000000000 -0500 -+++ trunk/config/filter.d/pam-generic.conf 2007-07-24 13:25:12.000000000 -0400 -@@ -0,0 +1,25 @@ -+# Fail2Ban configuration file for generic PAM authentication errors -+# -+# Author: Yaroslav Halchenko -+# -+# $Revision: $ -+# -+ -+[Definition] -+ -+# if you want to catch only login erros from specific daemons, use smth like -+#_ttys_re=(?:ssh|pure-ftpd|ftp) -+# To catch all failed logins -+_ttys_re=\S* -+ -+# -+# Shortcuts for easier comprehension of the failregex -+__pid_re=(?:\[\d+\]) -+__pam_re=\(?pam_unix(?:\(\S+\))?\)?:? -+__pam_combs_re=(?:%(__pid_re)s?:\s+%(__pam_re)s|%(__pam_re)s%(__pid_re)s?:) -+ -+# Option: failregex -+# Notes.: regex to match the password failures messages in the logfile. 
-+# Values: TEXT -+# -+failregex = \s\S+ \S+%(__pam_combs_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=(?:\s+user=.*)?\s*$ -diff -urNad trunk~/config/filter.d/pam-generic.examples trunk/config/filter.d/pam-generic.examples ---- trunk~/config/filter.d/pam-generic.examples 1969-12-31 19:00:00.000000000 -0500 -+++ trunk/config/filter.d/pam-generic.examples 2007-07-24 13:24:49.000000000 -0400 -@@ -0,0 +1,7 @@ -+Feb 7 15:10:42 example pure-ftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=sample-user rhost=192.168.1.1 -+May 12 09:47:54 vaio sshd[16004]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71-13-115-12.static.mdsn.wi.charter.com user=root -+May 12 09:48:03 vaio sshd[16021]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71-13-115-12.static.mdsn.wi.charter.com -+May 15 18:02:12 localhost proftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=66.232.129.62 user=mark -+Nov 25 17:12:13 webmail pop(pam_unix)[4920]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.10.3 user=mailuser -+Jul 19 18:11:26 srv2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www3.google.com -+Jul 19 18:11:26 srv2 vsftpd: pam_unix: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www3.google.com diff --git a/debian/patches/00_ssh_strong_re.dpatch b/debian/patches/00_ssh_strong_re.dpatch deleted file mode 100755 index 288c11ad..00000000 --- a/debian/patches/00_ssh_strong_re.dpatch +++ /dev/null 
@@ -1,33 +0,0 @@ -#! /bin/sh /usr/share/dpatch/dpatch-run -## 00_ssh_strong_re.dpatch by Yaroslav Halchenko -## -## All lines beginning with `## DP:' are a description of the patch. -## DP: No description. - -@DPATCH@ -diff -urNad fail2ban~/config/filter.d/sshd.examples fail2ban/config/filter.d/sshd.examples ---- fail2ban~/config/filter.d/sshd.examples 1969-12-31 19:00:00.000000000 -0500 -+++ fail2ban/config/filter.d/sshd.examples 2007-11-23 08:59:47.000000000 -0500 -@@ -0,0 +1,22 @@ -+#1 -+Jun 21 16:47:48 digital-mlhhyiqscv sshd[13709]: error: PAM: Authentication failure for myhlj1374 from 192.030.0.6 -+May 29 20:56:52 imago sshd[28732]: error: PAM: Authentication failure for stefanor from www.onerussian.com -+ -+#2 -+Feb 25 14:34:10 belka sshd[31602]: Failed password for invalid user ROOT from 194.117.26.69 port 50273 ssh2 -+Feb 25 14:34:10 belka sshd[31602]: Failed password for invalid user ROOT from 194.117.26.70 port 12345 -+ -+#3 -+Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4 -+Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM ::ffff:1.2.3.4 -+ -+#4 -+Jul 20 14:42:11 localhost sshd[22708]: Invalid user ftp from 211.114.51.213 -+ -+ -+#5 new filter introduced after looking at 44087D8C.9090407@bluewin.ch -+Mar 3 00:17:22 [sshd] User root from 210.188.220.49 not allowed because not listed in AllowUsers -+Feb 25 14:34:11 belka sshd[31607]: User root from ferrari.inescn.pt not allowed because not listed in AllowUsers -+ -+#6 ew filter introduced thanks to report Guido Bozzetto -+Nov 11 23:33:27 Server sshd[5174]: refused connect from _U2FsdGVkX19P3BCJmFBHhjLza8BcMH06WCUVwttMHpE=_@::ffff:218.249.210.161 (::ffff:218.249.210.161) diff --git a/debian/patches/00_var_run_socket.dpatch b/debian/patches/00_var_run_socket.dpatch deleted file mode 100755 index 20cfe715..00000000 --- a/debian/patches/00_var_run_socket.dpatch +++ /dev/null 
@@ -1,20 +0,0 @@ -#! /bin/sh /usr/share/dpatch/dpatch-run -## 00_var_run_socket.dpatch by Yaroslav Halchenko -## -## All lines beginning with `## DP:' are a description of the patch. -## DP: to close 425746: move socket under /var/run - -@DPATCH@ -diff -urNad trunk~/config/fail2ban.conf trunk/config/fail2ban.conf ---- trunk~/config/fail2ban.conf 2007-05-05 21:30:21.000000000 -0400 -+++ trunk/config/fail2ban.conf 2007-07-03 18:21:52.000000000 -0400 -@@ -28,7 +28,7 @@ - # Notes.: Set the socket file. This is used to communicate with the daemon. Do - # not remove this file when Fail2ban runs. It will not be possible to - # communicate with the server afterwards. --# Values: FILE Default: /tmp/fail2ban.sock -+# Values: FILE Default: /var/run/fail2ban.sock - # --socket = /tmp/fail2ban.sock -+socket = /var/run/fail2ban.sock - diff --git a/debian/patches/00list b/debian/patches/00list deleted file mode 100644 index c8726331..00000000 --- a/debian/patches/00list +++ /dev/null @@ -1,6 +0,0 @@ -00_mail-whois-lines -00_var_run_socket -10_dbts_manpages -00_ssh_strong_re -00_pam_generic -00_named_refused diff --git a/debian/patches/10_dbts_manpages.dpatch b/debian/patches/10_dbts_manpages.dpatch deleted file mode 100755 index 1cf5315d..00000000 --- a/debian/patches/10_dbts_manpages.dpatch +++ /dev/null 
@@ -1,33 +0,0 @@ -#! /bin/sh /usr/share/dpatch/dpatch-run -## 10_dbts_manpages.dpatch by -## -## All lines beginning with `## DP:' are a description of the patch. -## DP: No description. - -@DPATCH@ -diff -urNad fail2ban-0.7.3~/man/fail2ban-client.1 fail2ban-0.7.3/man/fail2ban-client.1 ---- fail2ban-0.7.3~/man/fail2ban-client.1 2006-09-28 15:34:06.000000000 -0400 -+++ fail2ban-0.7.3/man/fail2ban-client.1 2006-09-28 22:58:38.000000000 -0400 -@@ -82,7 +82,8 @@ - Written by Cyril Jaquier . - Many contributions by Yaroslav O. Halchenko . - .SH "REPORTING BUGS" --Report bugs to -+Please report bugs via Debian bug tracking system -+http://www.debian.org/Bugs/. - .SH COPYRIGHT - Copyright \(co 2004-2006 Cyril Jaquier - .br -diff -urNad fail2ban-0.7.3~/man/fail2ban-server.1 fail2ban-0.7.3/man/fail2ban-server.1 ---- fail2ban-0.7.3~/man/fail2ban-server.1 2006-09-28 15:34:06.000000000 -0400 -+++ fail2ban-0.7.3/man/fail2ban-server.1 2006-09-28 22:59:25.000000000 -0400 -@@ -33,7 +33,8 @@ - Written by Cyril Jaquier . - Many contributions by Yaroslav O. Halchenko . - .SH "REPORTING BUGS" --Report bugs to -+Please report bugs via Debian bug tracking system -+http://www.debian.org/Bugs/. - .SH COPYRIGHT - Copyright \(co 2004-2006 Cyril Jaquier - .br diff --git a/debian/patches/10_multiple_HOST_regexp.dpatch b/debian/patches/10_multiple_HOST_regexp.dpatch deleted file mode 100755 index b791a932..00000000 --- a/debian/patches/10_multiple_HOST_regexp.dpatch +++ /dev/null 
@@ -1,54 +0,0 @@ -#! /bin/sh /usr/share/dpatch/dpatch-run -## 10_multiple_HOST_regexp.dpatch by Yaroslav Halchenko -## -## All lines beginning with `## DP:' are a description of the patch. -## DP: No description. - -@DPATCH@ -diff -urNad fail2ban-0.7.5~/server/filter.py fail2ban-0.7.5/server/filter.py ---- fail2ban-0.7.5~/server/filter.py 2006-11-26 15:37:31.000000000 -0500 -+++ fail2ban-0.7.5/server/filter.py 2006-12-22 13:30:25.000000000 -0500 -@@ -170,8 +170,17 @@ - self.__failRegex = value - self.__failRegexObj = None - else: -- # Replace "" with default regular expression for host. -- regex = value.replace("", "(?:::f{4,6}:)?(?P\S+)") -+ # Replace ""s with regular expression for a hostname, -+ # naming groups hostX where X is a number starting with 1 -+ regex = value -+ oldregex = ''; k = 0 -+ while ( regex != oldregex ): -+ oldregex = regex -+ k += 1 -+ regex = regex.replace("", -+ "(?:::f{4,6}:)?(?P\S+)" % k, -+ 1) -+ - self.__failRegex = regex - self.__failRegexObj = re.compile(regex) - logSys.info("Set failregex = %s" % self.__failRegex) -@@ -435,12 +444,18 @@ - + "this format") - else: - try: -- ipMatch = DNSUtils.textToIp(match.group("host")) -- if ipMatch: -- for ip in ipMatch: -- failList.append([ip, date]) -+ allGroups = match.groupdict() -+ hostRe = re.compile('host\d*$') -+ # Select only groups named host\d* -+ hostGroups = filter(lambda x: hostRe.match(x[0]) and x[1], -+ allGroups.iteritems()) -+ for hostGroup, hostEntry in hostGroups: -+ ipMatch = DNSUtils.textToIp(hostEntry) -+ if ipMatch: -+ for ip in ipMatch: -+ failList.append([ip, date]) - except IndexError: -- logSys.error("There is no 'host' group in the rule. " + -+ logSys.error("There is no 'hostX' group in the rule. " + - "Please correct your configuration.") - return failList - diff --git a/debian/rules b/debian/rules index cc4dbfb5..3a51c192 100755 --- a/debian/rules +++ b/debian/rules 
@@ -11,19 +11,14 @@ DESTDIR=$(CURDIR)/debian/fail2ban -# no parallel execution -- required for dpatch -.NOTPARALLEL: - -include /usr/share/dpatch/dpatch.make - configure: configure-stamp configure-stamp: dh_testdir touch configure-stamp -build: patch +build: -clean: clean-inits unpatch +clean: clean-inits dh_testdir dh_testroot rm -f build-stamp configure-stamp @@ -57,7 +52,7 @@ binary-indep: install dh_testroot dh_installchangelogs CHANGELOG dh_installdocs - dh_installexamples config/jail.conf + dh_installexamples config/jail.conf files/ipmasq-* dh_installlogrotate dh_pycentral dh_installinit -- defaults 99 diff --git a/files/ipmasq-ZZZzzz|fail2ban.rul b/files/ipmasq-ZZZzzz|fail2ban.rul new file mode 100644 index 00000000..e371208d --- /dev/null +++ b/files/ipmasq-ZZZzzz|fail2ban.rul @@ -0,0 +1,31 @@ +#! /bin/sh +# +# ZZZzzz|fail2ban.rul +# +# Ultima modifica: 20060112 Creazione +# Ultima modifica: 20071205 Verifica sia in esecuzione +# +# Riconfigura le regole di filtraggio relative a fail2ban alla fine +# dell'inizializzazione delle regole. +# Solo all'avvio del sistema mostra la (ri)esecuzione dello script + +_NAME=fail2ban +_INITSCRIPT=/etc/init.d/$_NAME +_CONFIG="/etc/$_NAME/$_NAME.local /etc/$_NAME/$_NAME.conf" + +if [ -s $_INITSCRIPT ]; then + SOCKFILE=`sed -n -e '/^[^#]*socket\s*=/{ + s/.*socket\s*=\s*\(\S\+\).*/\1/p;q}' $_CONFIG 2>/dev/null` + [ -z "$SOCKFILE" ] && SOCKFILE="/tmp/$_NAME.sock" + if [ -S "$SOCKFILE" ]; then # Is daemon running ? + if [ "$SHOWRULES" == "yes" ]; then + echo "#: Reinitializing $_NAME" + echo $_INITSCRIPT force-reload + else + [ ! $runlevel ] && HIDEOUTPUT=true + fi + if [ "$NOACT" != "yes" ]; then + eval $_INITSCRIPT force-reload ${HIDEOUTPUT:+\>/dev/null 2\>&1} + fi + fi # SOCKFILE is a socket +fi # _INITSCRIPT exist diff --git a/files/logs/named-refused b/files/logs/named-refused new file mode 100644 index 00000000..6608ae2f --- /dev/null +++ b/files/logs/named-refused 
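Review bot: The fallback `[ -z "$SOCKFILE" ] && SOCKFILE="/tmp/$_NAME.sock"` in the new rule file still names the old socket location, while this same commit changes the fail2ban.conf default to `/var/run/fail2ban.sock`; on a host that leaves `socket` unset the script looks in /tmp, finds no socket and silently skips the force-reload, so the fallback should be `SOCKFILE="/var/run/$_NAME.sock"`. The test `[ "$SHOWRULES" == "yes" ]` uses the bash-only `==` under `#! /bin/sh`, the very form the debian/fail2ban.init hunk in this commit corrects, and should be `[ "$SHOWRULES" = "yes" ]`. The unquoted `[ -s $_INITSCRIPT ]` and `[ ! $runlevel ]` are worth quoting for consistency with the `"$SOCKFILE"` tests beside them, and a header comment in English stating what the script does would match the rest of the package.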
@@ -0,0 +1,5 @@ +Jul 24 14:16:55 raid5 named[3935]: client 194.145.196.18#4795: query 'ricreig.com/NS/IN' denied +Jul 24 14:16:56 raid5 named[3935]: client 62.123.164.113#32768: query 'ricreig.com/NS/IN' denied +Jul 24 14:17:13 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'geo-mueller.de/NS/IN' denied +Jul 24 14:20:25 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'shivaree.de/NS/IN' denied +Jul 24 14:23:36 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'mietberatung.de/NS/IN' denied diff --git a/files/logs/pam-generic b/files/logs/pam-generic new file mode 100644 index 00000000..d84ab153 --- /dev/null +++ b/files/logs/pam-generic @@ -0,0 +1,7 @@ +Feb 7 15:10:42 example pure-ftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=sample-user rhost=192.168.1.1 +May 12 09:47:54 vaio sshd[16004]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71-13-115-12.static.mdsn.wi.charter.com user=root +May 12 09:48:03 vaio sshd[16021]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71-13-115-12.static.mdsn.wi.charter.com +May 15 18:02:12 localhost proftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=66.232.129.62 user=mark +Nov 25 17:12:13 webmail pop(pam_unix)[4920]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.10.3 user=mailuser +Jul 19 18:11:26 srv2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www3.google.com +Jul 19 18:11:26 srv2 vsftpd: pam_unix: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www3.google.com diff --git a/files/logs/sshd b/files/logs/sshd new file mode 100644 index 00000000..8fce625e --- /dev/null +++ b/files/logs/sshd 
@@ -0,0 +1,22 @@ +#1 +Jun 21 16:47:48 digital-mlhhyiqscv sshd[13709]: error: PAM: Authentication failure for myhlj1374 from 192.030.0.6 +May 29 20:56:52 imago sshd[28732]: error: PAM: Authentication failure for stefanor from www.onerussian.com + +#2 +Feb 25 14:34:10 belka sshd[31602]: Failed password for invalid user ROOT from 194.117.26.69 port 50273 ssh2 +Feb 25 14:34:10 belka sshd[31602]: Failed password for invalid user ROOT from 194.117.26.70 port 12345 + +#3 +Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4 +Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM ::ffff:1.2.3.4 + +#4 +Jul 20 14:42:11 localhost sshd[22708]: Invalid user ftp from 211.114.51.213 + + +#5 new filter introduced after looking at 44087D8C.9090407@bluewin.ch +Mar 3 00:17:22 [sshd] User root from 210.188.220.49 not allowed because not listed in AllowUsers +Feb 25 14:34:11 belka sshd[31607]: User root from ferrari.inescn.pt not allowed because not listed in AllowUsers + +#6 ew filter introduced thanks to report Guido Bozzetto +Nov 11 23:33:27 Server sshd[5174]: refused connect from _U2FsdGVkX19P3BCJmFBHhjLza8BcMH06WCUVwttMHpE=_@::ffff:218.249.210.161 (::ffff:218.249.210.161) diff --git a/files/logs/vsftpd b/files/logs/vsftpd new file mode 100644 index 00000000..a8b6a4cf --- /dev/null +++ b/files/logs/vsftpd @@ -0,0 +1,7 @@ +#1 PAM based +Oct 11 01:06:47 ServerJV vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=209.67.1.67 +Feb 6 12:02:29 server vsftpd(pam_unix)[15522]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=64.168.103.1 user=user1 + +#2 Internal +Fri Jan 19 12:20:33 2007 [pid 27202] [anonymous] FAIL LOGIN: Client "64.106.46.98" + diff --git a/man/fail2ban-client.1 b/man/fail2ban-client.1 index 719ad7f8..525d5be4 100644 --- a/man/fail2ban-client.1 +++ b/man/fail2ban-client.1 
@@ -259,7 +259,8 @@ action for Written by Cyril Jaquier . Many contributions by Yaroslav O. Halchenko . .SH "REPORTING BUGS" -Report bugs to +Please report bugs via Debian bug tracking system +http://www.debian.org/Bugs/. .SH COPYRIGHT Copyright \(co 2004-2006 Cyril Jaquier .br diff --git a/man/fail2ban-server.1 b/man/fail2ban-server.1 index dfa3b185..fdc66375 100644 --- a/man/fail2ban-server.1 +++ b/man/fail2ban-server.1 @@ -35,7 +35,8 @@ print the version Written by Cyril Jaquier . Many contributions by Yaroslav O. Halchenko . .SH "REPORTING BUGS" -Report bugs to +Please report bugs via Debian bug tracking system +http://www.debian.org/Bugs/. .SH COPYRIGHT Copyright \(co 2004-2006 Cyril Jaquier .br