Merge branches 'debian', 'deb/specifics', 'up/0.9-0.8', 'up/apache_noscript_extend', 'up/ipmasq', 'up/log_examples', 'up/mail_whois_lines', 'up/named_refused_fixed', 'up/pam_generic', 'up/proftpd_fix+extend', 'up/sshd_refused_connect' and 'up/vsftpd_optional_user' into build

* debian:
  Conforms to policy 3.7.3 (no changes)
  Bye Bye dpatch: now everything is handled in git branches
  removing patches from dpatch system since they are in branches now
  added a comment to README.Debian and to the list of examples for ipmasq example file
  Fixed == bashism (Closes: #464647). Thanks Raphael Geisser

* deb/specifics:
  slight tune ups in upstream sources destined only for debian are kept in this branch

* up/0.9-0.8:

* up/apache_noscript_extend:
  Extended apache-noscript filter with more file extensions and to react to "script not found or unable to stat" log message (closes: #456565). Thanks Tim Connors

* up/ipmasq:
  Added ipmasq rule file to restart fail2ban when iptables are wiped out (closes: #461417). Thanks Guido Bozzetto

* up/log_examples:
  up/log_examples: moved vsftpd log from up/vsftpd_optional_user
  added examples of log lines (for named-refused, pam-generic, sshd) under files/logs for easy testing

* up/mail_whois_lines:
  mail-whois-lines: moved fix for proper names from dpatch

* up/named_refused_fixed:
  named_refused: moved fix for proper config+filters from dpatch

* up/pam_generic:
  added pam-generic from dpatch

* up/proftpd_fix+extend:
  Fix/extension of proftpd failregexes (Closes: #461412). Thanks Guido Bozzetto

* up/sshd_refused_connect:

* up/vsftpd_optional_user:
  up/vsftpd_optional_user: moving examples into up/examples branch
  BF: vsftp anchoring
debian-releases/squeeze
Yaroslav Halchenko 2008-02-09 22:02:21 -05:00
28 changed files with 140 additions and 387 deletions

@ -7,7 +7,7 @@
[Definition] [Definition]
# Option: fwstart # Option: actionstart
# Notes.: command executed once at the start of Fail2Ban. # Notes.: command executed once at the start of Fail2Ban.
# Values: CMD # Values: CMD
# #
@ -16,7 +16,7 @@ actionstart = echo -en "Hi,\n
Regards,\n Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest> Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
# Option: fwend # Option: actionstop
# Notes.: command executed once at the end of Fail2Ban # Notes.: command executed once at the end of Fail2Ban
# Values: CMD # Values: CMD
# #
@ -25,13 +25,13 @@ actionstop = echo -en "Hi,\n
Regards,\n Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest> Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
# Option: fwcheck # Option: actioncheck
# Notes.: command executed once before each fwban command # Notes.: command executed once before each actionban command
# Values: CMD # Values: CMD
# #
actioncheck = actioncheck =
# Option: fwban # Option: actionban
# Notes.: command executed when banning an IP. Take care that the # Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights. # command is executed with Fail2Ban user rights.
# Tags: <ip> IP address # Tags: <ip> IP address
@ -50,7 +50,7 @@ actionban = echo -en "Hi,\n
Regards,\n Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip>" <dest> Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip>" <dest>
# Option: fwunban # Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the # Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights. # command is executed with Fail2Ban user rights.
# Tags: <ip> IP address # Tags: <ip> IP address
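Review bot: `actioncheck =` in the third hunk is left empty with no comment saying that this is deliberate; since the header right above it now says the command runs before each actionban, a one-line note (no pre-ban check is needed for a notify-only action) would stop readers from assuming a value was lost in the rename. Otherwise these hunks only rename the comment headers (fwstart/fwend/fwcheck/fwban/fwunban to actionstart/actionstop/actioncheck/actionban/actionunban) to match the option keys already in use, so no behaviour changes.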

@ -28,7 +28,7 @@ logtarget = /var/log/fail2ban.log
# Notes.: Set the socket file. This is used to communicate with the daemon. Do # Notes.: Set the socket file. This is used to communicate with the daemon. Do
# not remove this file when Fail2ban runs. It will not be possible to # not remove this file when Fail2ban runs. It will not be possible to
# communicate with the server afterwards. # communicate with the server afterwards.
# Values: FILE Default: /tmp/fail2ban.sock # Values: FILE Default: /var/run/fail2ban.sock
# #
socket = /tmp/fail2ban.sock socket = /var/run/fail2ban.sock
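Review bot: the new default `/var/run/fail2ban.sock` should also be carried into the ipmasq rule file added in this merge, whose fallback when it cannot parse `socket =` from the config is still `/tmp/$_NAME.sock`; left as is, the two defaults disagree and the rule file would silently conclude the daemon is not running. The move itself is a sound fix: /tmp is world-writable, so an unprivileged local user could pre-create or symlink the socket path before the daemon starts, while /var/run is root-owned. Note that an existing fail2ban.local that still sets `socket = /tmp/fail2ban.sock` overrides this default on upgrade.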

@ -14,7 +14,7 @@
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT # Values: TEXT
# #
failregex = [[]client <HOST>[]] File does not exist: .*(\.php|\.asp) failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): .*(\.php|\.asp|\.exe|\.pl)
# Option: ignoreregex # Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored. # Notes.: regex to ignore. If this regex matches, the line is ignored.
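Review bot: the extended `failregex` has no end anchor after `(\.php|\.asp|\.exe|\.pl)`, so the extension only needs to occur somewhere in the rest of the line rather than at its end (`.pl.bak` or `.phpx` would also count), and the greedy `.*` before it scans the whole remainder. If the intent is a request that ends in one of these extensions, append `\s*$` as the other filters touched by this merge do. The `(File does not exist|script not found or unable to stat)` alternation itself correctly covers the second Apache message reported in #456565.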

@ -9,10 +9,8 @@
[Definition] [Definition]
# if you want to catch only login erros from specific daemons, use smth like #
#_named_rcodes=(?:REFUSED|SERVFAIL) # Daemon name
# To catch all REFUSED queries only
_named_rcodes=REFUSED
_daemon=named _daemon=named
# #
@ -28,7 +26,6 @@ __line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
# Notes.: regex to match the password failures messages in the logfile. # Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT # Values: TEXT
# #
failregex = %(__line_prefix)sunexpected RCODE \(%(_named_rcodes)s\) resolving '.*': <HOST>#\S+$ failregex = %(__line_prefix)sclient <HOST>#\S+: query(?: \(cache\))? '.*' denied\s*$
%(__line_prefix)sclient <HOST>#\S+: query(?: \(cache\))? '.*' denied\s*$
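Review bot: dropping the `unexpected RCODE \(%(_named_rcodes)s\) resolving '.*': <HOST>#\S+$` line is a correctness fix, not just a simplification: in that BIND message `<HOST>` is the remote authoritative server that refused our recursive query, so the old rule would have banned upstream nameservers rather than abusive clients. With only the `client <HOST>#\S+: query ... denied` rule left, the unchanged header `# Notes.: regex to match the password failures messages in the logfile.` is now misleading for a DNS filter and could say "denied queries" instead.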

@ -0,0 +1,25 @@
# Fail2Ban configuration file for generic PAM authentication errors
#
# Author: Yaroslav Halchenko
#
# $Revision: $
#
[Definition]
# if you want to catch only login erros from specific daemons, use smth like
#_ttys_re=(?:ssh|pure-ftpd|ftp)
# To catch all failed logins
_ttys_re=\S*
#
# Shortcuts for easier comprehension of the failregex
__pid_re=(?:\[\d+\])
__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
__pam_combs_re=(?:%(__pid_re)s?:\s+%(__pam_re)s|%(__pam_re)s%(__pid_re)s?:)
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = \s\S+ \S+%(__pam_combs_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
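Review bot: the comment `# if you want to catch only login erros from specific daemons, use smth like` has a typo ("errors") and informal "smth"; as user-facing config it should read "if you want to catch only login errors from specific daemons, use something like". `# $Revision: $` is an unexpanded keyword placeholder that git will never fill in and can go. On the regex itself, `__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?` is what lets a single `failregex` cover both the `(pam_unix)` and `pam_unix(service:auth):` spellings in files/logs/pam-generic, which is good; be aware that when `rhost=` carries a hostname rather than an address (as in the charter.com sample lines) the server has to forward-resolve it at ban time via DNSUtils.textToIp, so this generic filter inherits whatever name-resolution behaviour and false-ban risk that implies.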

@ -14,8 +14,10 @@
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT # Values: TEXT
# #
failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$ failregex = \(\S+\[<HOST>\]\): USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+$
\(\S*\[<HOST>\]\) - USER \S+ \(Login failed\): Incorrect password.$ \(\S+\[<HOST>\]\): USER \S+ \(Login failed\): Incorrect password\.$
\(\S+\[<HOST>\]\): SECURITY VIOLATION: \S+ login attempted\.$
\(\S+\[<HOST>\]\): Maximum login attempts \(\d+\) exceeded$
# Option: ignoreregex # Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored. # Notes.: regex to ignore. If this regex matches, the line is ignored.
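Review bot: `\[[0-9.]+\]` in the first new `failregex` line accepts only dotted-quad literals, so the same message from an IPv6-enabled proftpd (an `::ffff:`-prefixed or native IPv6 literal inside the brackets) would not match; `\[[0-9a-fA-F.:]+\]` keeps the tightening over the old `\S*` without excluding IPv6. The other changes look right: `Incorrect password\.$` now escapes the dot, and the two added lines (`SECURITY VIOLATION` and `Maximum login attempts \(\d+\) exceeded`) are anchored with `$` like the rest.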

@ -14,7 +14,7 @@
# (?:::f{4,6}:)?(?P<host>\S+) # (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT # Values: TEXT
# #
failregex = vsftpd(?:\[\d+\])?: .* authentication failure; .* rhost=<HOST>\s*$ failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
\[.+\] FAIL LOGIN: Client "<HOST>"\s*$ \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
# Option: ignoreregex # Option: ignoreregex
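Review bot: files/logs/vsftpd added in this merge exercises the `vsftpd: (pam_unix)` and `vsftpd(pam_unix)[pid]:` forms that the new `(?:\(pam_unix\))?(?:\[\d+\])?:` prefix targets, but not the `vsftpd: pam_unix(vsftpd:auth):` form that appears in files/logs/pam-generic; that line does match (the `.*` after the colon absorbs it), so adding it to the vsftpd sample log would pin the behaviour down. The `(?:\s+user=\S*)?\s*$` tail is the "BF: vsftp anchoring" item from the commit message and correctly makes the trailing `user=` optional.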

@ -170,13 +170,13 @@ ignoreip = 168.192.0.1
# with bind9 installation. You will need something like this: # with bind9 installation. You will need something like this:
# #
# logging { # logging {
# channel lame-servers_file { # channel security_file {
# file "/var/log/named/lame-servers.log" versions 3 size 30m; # file "/var/log/named/security.log" versions 3 size 30m;
# severity dynamic; # severity dynamic;
# print-time yes; # print-time yes;
# }; # };
# category lame-servers { # category security {
# lame-servers_file; # security_file;
# }; # };
# } # }
# #
@ -189,7 +189,7 @@ enabled = false
filter = named-refused filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=udp] action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
sendmail-whois[name=Named, dest=you@mail.com] sendmail-whois[name=Named, dest=you@mail.com]
logpath = /var/log/named/lame-servers.log logpath = /var/log/named/security.log
ignoreip = 168.192.0.1 ignoreip = 168.192.0.1
# This jail blocks TCP traffic for DNS requests. # This jail blocks TCP traffic for DNS requests.
@ -200,6 +200,6 @@ enabled = false
filter = named-refused filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp] action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
sendmail-whois[name=Named, dest=you@mail.com] sendmail-whois[name=Named, dest=you@mail.com]
logpath = /var/log/named/lame-servers.log logpath = /var/log/named/security.log
ignoreip = 168.192.0.1 ignoreip = 168.192.0.1
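Review bot: switching the documented BIND channel from `lame-servers` to `security` is needed by the filter change in this merge: `client ... query ... denied` messages are logged under the `security` category, which `lame-servers` never carried, so the old logpath would have stayed empty for this filter. Unrelated to this change but visible in the context lines: `ignoreip = 168.192.0.1` in both named jails looks like a transposed 192.168.0.1; harmless as an example, but worth fixing in a follow-up so it is not copied verbatim.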

debian/README.Debian

@ -107,6 +107,16 @@ banaction=iptables-new
Also you can redefine the whole action parameter if you like. Also you can redefine the whole action parameter if you like.
* Interaction with ipmasq
Comment to #461417
Although fail2ban should detect and recreate missing chains if the external
command wipes out iptables, it is better to explicitely to force-reload
fail2ban. For this reason there is examples/ipmasq-ZZZzzz|fail2ban.rul file is
shipped along to be installed under name ZZZzzz|fail2ban.rul within
/etc/ipmasq.
Troubleshooting: Troubleshooting:
--------------- ---------------
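Review bot: the wording of the new paragraph needs a pass before release: "explicitely to force-reload" should be "explicitly force-reload", and "there is examples/ipmasq-ZZZzzz|fail2ban.rul file is shipped along to be installed under name ZZZzzz|fail2ban.rul within /etc/ipmasq" reads better as "the file examples/ipmasq-ZZZzzz|fail2ban.rul is shipped, to be installed as /etc/ipmasq/ZZZzzz|fail2ban.rul". It would also help to state that dh_installexamples only places the file under /usr/share/doc/fail2ban/examples, so copying it into /etc/ipmasq is a manual step, and that the `|` in the name must be quoted in the shell.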

debian/control

@ -2,13 +2,13 @@ Source: fail2ban
Section: net Section: net
Priority: optional Priority: optional
Maintainer: Yaroslav Halchenko <debian@onerussian.com> Maintainer: Yaroslav Halchenko <debian@onerussian.com>
Build-Depends: debhelper (>= 5.0.37.2), dpatch, python Build-Depends: debhelper (>= 5.0.37.2), python
Build-Depends-Indep: python-central (>= 0.5.6) Build-Depends-Indep: python-central (>= 0.5.6)
XS-Python-Version: current, >= 2.4 XS-Python-Version: current, >= 2.4
Homepage: http://www.fail2ban.org Homepage: http://www.fail2ban.org
Vcs-Browser: http://git.onerussian.com/?p=fail2ban Vcs-Browser: http://git.onerussian.com/?p=fail2ban
Vcs-git: http://git.onerussian.com/vcs/fail2ban Vcs-git: http://git.onerussian.com/vcs/fail2ban
Standards-Version: 3.7.2 Standards-Version: 3.7.3
Package: fail2ban Package: fail2ban

@ -94,7 +94,7 @@ do_start()
if [ -e "$SOCKFILE" ]; then if [ -e "$SOCKFILE" ]; then
log_failure_msg "Socket file $SOCKFILE is present" log_failure_msg "Socket file $SOCKFILE is present"
[ "$1" == "force-start" ] \ [ "$1" = "force-start" ] \
&& log_success_msg "Starting anyway as requested" \ && log_success_msg "Starting anyway as requested" \
|| return 2 || return 2
DAEMON_ARGS="$DAEMON_ARGS -x" DAEMON_ARGS="$DAEMON_ARGS -x"
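Review bot: changing `[ "$1" == "force-start" ]` to `[ "$1" = "force-start" ]` is more than cosmetic: under dash, `[` rejects `==` with "unexpected operator" and returns false, so the `&&` branch never ran and `|| return 2` always fired, meaning `force-start` could not bypass a stale socket file on a system with /bin/sh pointing at dash. The same `==` construct appears in the new `#! /bin/sh` ipmasq rule file added in this merge and should be fixed there too.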

@ -1,55 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 00_mail-whois-lines.dpatch by Yaroslav Halchenko <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: New action which mails not only whois but the result of grep using the
## DP: abuser IP over the log files
@DPATCH@
diff -urNad trunk~/config/action.d/mail-whois-lines.conf trunk/config/action.d/mail-whois-lines.conf
--- trunk~/config/action.d/mail-whois-lines.conf 2007-08-14 19:12:48.000000000 -0400
+++ trunk/config/action.d/mail-whois-lines.conf 2007-08-14 19:24:17.000000000 -0400
@@ -7,7 +7,7 @@
[Definition]
-# Option: fwstart
+# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
@@ -16,7 +16,7 @@
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
-# Option: fwend
+# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
@@ -25,13 +25,13 @@
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
-# Option: fwcheck
-# Notes.: command executed once before each fwban command
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
-# Option: fwban
+# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
@@ -50,7 +50,7 @@
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip>" <dest>
-# Option: fwunban
+# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address

@ -1,23 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 00_named_logtimeformat.dpatch by Yaroslav Halchenko <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad trunk~/server/datedetector.py trunk/server/datedetector.py
--- trunk~/server/datedetector.py 2007-04-01 16:42:08.000000000 -0400
+++ trunk/server/datedetector.py 2007-07-29 22:28:52.000000000 -0400
@@ -80,6 +80,12 @@
template.setRegex("\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
template.setPattern("%Y-%m-%d %H:%M:%S")
self.__templates.append(template)
+ # named 26-Jul-2007 15:20:52.252
+ template = DateStrptime()
+ template.setName("Day-Month-Year Hour:Minute:Second[.Millisecond]")
+ template.setRegex("\d{2}-\S{3}-\d{4} \d{2}:\d{2}:\d{2}")
+ template.setPattern("%d-%b-%Y %H:%M:%S")
+ self.__templates.append(template)
# TAI64N
template = DateTai64n()
template.setName("TAI64N")

@ -1,79 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 00_named_refused.dpatch by Yaroslav Halchenko <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad trunk~/config/filter.d/named-refused.conf trunk/config/filter.d/named-refused.conf
--- trunk~/config/filter.d/named-refused.conf 2007-08-14 19:42:35.000000000 -0400
+++ trunk/config/filter.d/named-refused.conf 2007-08-17 12:36:28.000000000 -0400
@@ -9,10 +9,8 @@
[Definition]
-# if you want to catch only login erros from specific daemons, use smth like
-#_named_rcodes=(?:REFUSED|SERVFAIL)
-# To catch all REFUSED queries only
-_named_rcodes=REFUSED
+#
+# Daemon name
_daemon=named
#
@@ -28,7 +26,6 @@
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
-failregex = %(__line_prefix)sunexpected RCODE \(%(_named_rcodes)s\) resolving '.*': <HOST>#\S+$
- %(__line_prefix)sclient <HOST>#\S+: query(?: \(cache\))? '.*' denied\s*$
+failregex = %(__line_prefix)sclient <HOST>#\S+: query(?: \(cache\))? '.*' denied\s*$
diff -urNad trunk~/config/filter.d/named-refused.examples trunk/config/filter.d/named-refused.examples
--- trunk~/config/filter.d/named-refused.examples 1969-12-31 19:00:00.000000000 -0500
+++ trunk/config/filter.d/named-refused.examples 2007-08-17 12:36:00.000000000 -0400
@@ -0,0 +1,5 @@
+Jul 24 14:16:55 raid5 named[3935]: client 194.145.196.18#4795: query 'ricreig.com/NS/IN' denied
+Jul 24 14:16:56 raid5 named[3935]: client 62.123.164.113#32768: query 'ricreig.com/NS/IN' denied
+Jul 24 14:17:13 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'geo-mueller.de/NS/IN' denied
+Jul 24 14:20:25 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'shivaree.de/NS/IN' denied
+Jul 24 14:23:36 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'mietberatung.de/NS/IN' denied
diff -urNad trunk~/config/jail.conf trunk/config/jail.conf
--- trunk~/config/jail.conf 2007-08-14 19:12:48.000000000 -0400
+++ trunk/config/jail.conf 2007-08-17 12:36:00.000000000 -0400
@@ -170,13 +170,13 @@
# with bind9 installation. You will need something like this:
#
# logging {
-# channel lame-servers_file {
-# file "/var/log/named/lame-servers.log" versions 3 size 30m;
+# channel security_file {
+# file "/var/log/named/security.log" versions 3 size 30m;
# severity dynamic;
# print-time yes;
# };
-# category lame-servers {
-# lame-servers_file;
+# category security {
+# security_file;
# };
# }
#
@@ -189,7 +189,7 @@
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
sendmail-whois[name=Named, dest=you@mail.com]
-logpath = /var/log/named/lame-servers.log
+logpath = /var/log/named/security.log
ignoreip = 168.192.0.1
# This jail blocks TCP traffic for DNS requests.
@@ -200,6 +200,6 @@
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
sendmail-whois[name=Named, dest=you@mail.com]
-logpath = /var/log/named/lame-servers.log
+logpath = /var/log/named/security.log
ignoreip = 168.192.0.1

@ -1,47 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 00_pam_generic.dpatch by Yaroslav Halchenko <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Filter and examples for a filter generic for any login errors reported with pam_unix.so
@DPATCH@
diff -urNad trunk~/config/filter.d/pam-generic.conf trunk/config/filter.d/pam-generic.conf
--- trunk~/config/filter.d/pam-generic.conf 1969-12-31 19:00:00.000000000 -0500
+++ trunk/config/filter.d/pam-generic.conf 2007-07-24 13:25:12.000000000 -0400
@@ -0,0 +1,25 @@
+# Fail2Ban configuration file for generic PAM authentication errors
+#
+# Author: Yaroslav Halchenko
+#
+# $Revision: $
+#
+
+[Definition]
+
+# if you want to catch only login erros from specific daemons, use smth like
+#_ttys_re=(?:ssh|pure-ftpd|ftp)
+# To catch all failed logins
+_ttys_re=\S*
+
+#
+# Shortcuts for easier comprehension of the failregex
+__pid_re=(?:\[\d+\])
+__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
+__pam_combs_re=(?:%(__pid_re)s?:\s+%(__pam_re)s|%(__pam_re)s%(__pid_re)s?:)
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile.
+# Values: TEXT
+#
+failregex = \s\S+ \S+%(__pam_combs_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
diff -urNad trunk~/config/filter.d/pam-generic.examples trunk/config/filter.d/pam-generic.examples
--- trunk~/config/filter.d/pam-generic.examples 1969-12-31 19:00:00.000000000 -0500
+++ trunk/config/filter.d/pam-generic.examples 2007-07-24 13:24:49.000000000 -0400
@@ -0,0 +1,7 @@
+Feb 7 15:10:42 example pure-ftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=sample-user rhost=192.168.1.1
+May 12 09:47:54 vaio sshd[16004]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71-13-115-12.static.mdsn.wi.charter.com user=root
+May 12 09:48:03 vaio sshd[16021]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71-13-115-12.static.mdsn.wi.charter.com
+May 15 18:02:12 localhost proftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=66.232.129.62 user=mark
+Nov 25 17:12:13 webmail pop(pam_unix)[4920]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.10.3 user=mailuser
+Jul 19 18:11:26 srv2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www3.google.com
+Jul 19 18:11:26 srv2 vsftpd: pam_unix: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www3.google.com

@ -1,33 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 00_ssh_strong_re.dpatch by Yaroslav Halchenko <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad fail2ban~/config/filter.d/sshd.examples fail2ban/config/filter.d/sshd.examples
--- fail2ban~/config/filter.d/sshd.examples 1969-12-31 19:00:00.000000000 -0500
+++ fail2ban/config/filter.d/sshd.examples 2007-11-23 08:59:47.000000000 -0500
@@ -0,0 +1,22 @@
+#1
+Jun 21 16:47:48 digital-mlhhyiqscv sshd[13709]: error: PAM: Authentication failure for myhlj1374 from 192.030.0.6
+May 29 20:56:52 imago sshd[28732]: error: PAM: Authentication failure for stefanor from www.onerussian.com
+
+#2
+Feb 25 14:34:10 belka sshd[31602]: Failed password for invalid user ROOT from 194.117.26.69 port 50273 ssh2
+Feb 25 14:34:10 belka sshd[31602]: Failed password for invalid user ROOT from 194.117.26.70 port 12345
+
+#3
+Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4
+Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM ::ffff:1.2.3.4
+
+#4
+Jul 20 14:42:11 localhost sshd[22708]: Invalid user ftp from 211.114.51.213
+
+
+#5 new filter introduced after looking at 44087D8C.9090407@bluewin.ch
+Mar 3 00:17:22 [sshd] User root from 210.188.220.49 not allowed because not listed in AllowUsers
+Feb 25 14:34:11 belka sshd[31607]: User root from ferrari.inescn.pt not allowed because not listed in AllowUsers
+
+#6 ew filter introduced thanks to report Guido Bozzetto <reportbug@G-B.it>
+Nov 11 23:33:27 Server sshd[5174]: refused connect from _U2FsdGVkX19P3BCJmFBHhjLza8BcMH06WCUVwttMHpE=_@::ffff:218.249.210.161 (::ffff:218.249.210.161)

@ -1,20 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 00_var_run_socket.dpatch by Yaroslav Halchenko <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: to close 425746: move socket under /var/run
@DPATCH@
diff -urNad trunk~/config/fail2ban.conf trunk/config/fail2ban.conf
--- trunk~/config/fail2ban.conf 2007-05-05 21:30:21.000000000 -0400
+++ trunk/config/fail2ban.conf 2007-07-03 18:21:52.000000000 -0400
@@ -28,7 +28,7 @@
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
# not remove this file when Fail2ban runs. It will not be possible to
# communicate with the server afterwards.
-# Values: FILE Default: /tmp/fail2ban.sock
+# Values: FILE Default: /var/run/fail2ban.sock
#
-socket = /tmp/fail2ban.sock
+socket = /var/run/fail2ban.sock

@ -1,6 +0,0 @@
00_mail-whois-lines
00_var_run_socket
10_dbts_manpages
00_ssh_strong_re
00_pam_generic
00_named_refused
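Review bot: of the dpatch files deleted in this merge, 00_named_logtimeformat.dpatch and 10_multiple_HOST_regexp.dpatch were not in this 00list, so they were already inactive and the built package does not change by removing them; the six listed ones are each accounted for elsewhere in the merge (mail-whois-lines.conf, the fail2ban.conf socket move, the two man pages, files/logs/sshd, pam-generic.conf, and named-refused.conf plus jail.conf). If the multi-<HOST> support or the named date-format template is still wanted it now needs its own branch rather than a patch file, and the commit message should say whether they were dropped on purpose.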

@ -1,33 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 10_dbts_manpages.dpatch by <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad fail2ban-0.7.3~/man/fail2ban-client.1 fail2ban-0.7.3/man/fail2ban-client.1
--- fail2ban-0.7.3~/man/fail2ban-client.1 2006-09-28 15:34:06.000000000 -0400
+++ fail2ban-0.7.3/man/fail2ban-client.1 2006-09-28 22:58:38.000000000 -0400
@@ -82,7 +82,8 @@
Written by Cyril Jaquier <lostcontrol@users.sourceforge.net>.
Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
.SH "REPORTING BUGS"
-Report bugs to <lostcontrol@users.sourceforge.net>
+Please report bugs via Debian bug tracking system
+http://www.debian.org/Bugs/.
.SH COPYRIGHT
Copyright \(co 2004-2006 Cyril Jaquier
.br
diff -urNad fail2ban-0.7.3~/man/fail2ban-server.1 fail2ban-0.7.3/man/fail2ban-server.1
--- fail2ban-0.7.3~/man/fail2ban-server.1 2006-09-28 15:34:06.000000000 -0400
+++ fail2ban-0.7.3/man/fail2ban-server.1 2006-09-28 22:59:25.000000000 -0400
@@ -33,7 +33,8 @@
Written by Cyril Jaquier <lostcontrol@users.sourceforge.net>.
Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
.SH "REPORTING BUGS"
-Report bugs to <lostcontrol@users.sourceforge.net>
+Please report bugs via Debian bug tracking system
+http://www.debian.org/Bugs/.
.SH COPYRIGHT
Copyright \(co 2004-2006 Cyril Jaquier
.br

@ -1,54 +0,0 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
## 10_multiple_HOST_regexp.dpatch by Yaroslav Halchenko <debian@onerussian.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad fail2ban-0.7.5~/server/filter.py fail2ban-0.7.5/server/filter.py
--- fail2ban-0.7.5~/server/filter.py 2006-11-26 15:37:31.000000000 -0500
+++ fail2ban-0.7.5/server/filter.py 2006-12-22 13:30:25.000000000 -0500
@@ -170,8 +170,17 @@
self.__failRegex = value
self.__failRegexObj = None
else:
- # Replace "<HOST>" with default regular expression for host.
- regex = value.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>\S+)")
+ # Replace "<HOST>"s with regular expression for a hostname,
+ # naming groups hostX where X is a number starting with 1
+ regex = value
+ oldregex = ''; k = 0
+ while ( regex != oldregex ):
+ oldregex = regex
+ k += 1
+ regex = regex.replace("<HOST>",
+ "(?:::f{4,6}:)?(?P<host%d>\S+)" % k,
+ 1)
+
self.__failRegex = regex
self.__failRegexObj = re.compile(regex)
logSys.info("Set failregex = %s" % self.__failRegex)
@@ -435,12 +444,18 @@
+ "this format")
else:
try:
- ipMatch = DNSUtils.textToIp(match.group("host"))
- if ipMatch:
- for ip in ipMatch:
- failList.append([ip, date])
+ allGroups = match.groupdict()
+ hostRe = re.compile('host\d*$')
+ # Select only groups named host\d*
+ hostGroups = filter(lambda x: hostRe.match(x[0]) and x[1],
+ allGroups.iteritems())
+ for hostGroup, hostEntry in hostGroups:
+ ipMatch = DNSUtils.textToIp(hostEntry)
+ if ipMatch:
+ for ip in ipMatch:
+ failList.append([ip, date])
except IndexError:
- logSys.error("There is no 'host' group in the rule. " +
+ logSys.error("There is no 'hostX' group in the rule. " +
"Please correct your configuration.")
return failList

debian/rules

@ -11,19 +11,14 @@
DESTDIR=$(CURDIR)/debian/fail2ban DESTDIR=$(CURDIR)/debian/fail2ban
# no parallel execution -- required for dpatch
.NOTPARALLEL:
include /usr/share/dpatch/dpatch.make
configure: configure-stamp configure: configure-stamp
configure-stamp: configure-stamp:
dh_testdir dh_testdir
touch configure-stamp touch configure-stamp
build: patch build:
clean: clean-inits unpatch clean: clean-inits
dh_testdir dh_testdir
dh_testroot dh_testroot
rm -f build-stamp configure-stamp rm -f build-stamp configure-stamp
@ -57,7 +52,7 @@ binary-indep: install
dh_testroot dh_testroot
dh_installchangelogs CHANGELOG dh_installchangelogs CHANGELOG
dh_installdocs dh_installdocs
dh_installexamples config/jail.conf dh_installexamples config/jail.conf files/ipmasq-*
dh_installlogrotate dh_installlogrotate
dh_pycentral dh_pycentral
dh_installinit -- defaults 99 dh_installinit -- defaults 99
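Review bot: removing `.NOTPARALLEL:` together with the dpatch include is correct (the deleted comment says it was only required for dpatch), and `build:` losing its `patch` prerequisite leaves an empty rule, which is fine for a pure-Python package. The `clean` target still removes `build-stamp configure-stamp` in the unchanged context, so nothing from the patch/unpatch cycle is left behind.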

@ -0,0 +1,31 @@
#! /bin/sh
#
# ZZZzzz|fail2ban.rul
#
# Ultima modifica: 20060112 <Nauta@G-B.it> Creazione
# Ultima modifica: 20071205 <Nauta@G-B.it> Verifica sia in esecuzione
#
# Riconfigura le regole di filtraggio relative a fail2ban alla fine
# dell'inizializzazione delle regole.
# Solo all'avvio del sistema mostra la (ri)esecuzione dello script
_NAME=fail2ban
_INITSCRIPT=/etc/init.d/$_NAME
_CONFIG="/etc/$_NAME/$_NAME.local /etc/$_NAME/$_NAME.conf"
if [ -s $_INITSCRIPT ]; then
SOCKFILE=`sed -n -e '/^[^#]*socket\s*=/{
s/.*socket\s*=\s*\(\S\+\).*/\1/p;q}' $_CONFIG 2>/dev/null`
[ -z "$SOCKFILE" ] && SOCKFILE="/tmp/$_NAME.sock"
if [ -S "$SOCKFILE" ]; then # Is daemon running ?
if [ "$SHOWRULES" == "yes" ]; then
echo "#: Reinitializing $_NAME"
echo $_INITSCRIPT force-reload
else
[ ! $runlevel ] && HIDEOUTPUT=true
fi
if [ "$NOACT" != "yes" ]; then
eval $_INITSCRIPT force-reload ${HIDEOUTPUT:+\>/dev/null 2\>&1}
fi
fi # SOCKFILE is a socket
fi # _INITSCRIPT exist
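Review bot: `[ "$SHOWRULES" == "yes" ]` is a bashism in a `#! /bin/sh` script, the same class of bug this merge fixes in the init script for #464647; under dash the test errors and is treated as false, so it should be `= "yes"`. Two more points in the same hunk: the fallback `SOCKFILE="/tmp/$_NAME.sock"` predates the move of the default socket to /var/run/fail2ban.sock in this merge and should follow it, and `[ ! $runlevel ]` is safer written as `[ -z "$runlevel" ]`. The header comments are in Italian ("Ultima modifica", "Riconfigura le regole di filtraggio relative a fail2ban alla fine dell'inizializzazione delle regole"); for a Debian-shipped example they should be English ("Last modified ... creation / check that it is running"; "Re-applies the fail2ban filtering rules after rule initialisation; only at system boot does it show the (re)execution of the script"). Passing `$_CONFIG` as `.local` before `.conf` with sed quitting at the first match gives `.local` precedence, which is right.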

files/logs/named-refused

@ -0,0 +1,5 @@
Jul 24 14:16:55 raid5 named[3935]: client 194.145.196.18#4795: query 'ricreig.com/NS/IN' denied
Jul 24 14:16:56 raid5 named[3935]: client 62.123.164.113#32768: query 'ricreig.com/NS/IN' denied
Jul 24 14:17:13 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'geo-mueller.de/NS/IN' denied
Jul 24 14:20:25 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'shivaree.de/NS/IN' denied
Jul 24 14:23:36 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'mietberatung.de/NS/IN' denied

files/logs/pam-generic

@ -0,0 +1,7 @@
Feb 7 15:10:42 example pure-ftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=sample-user rhost=192.168.1.1
May 12 09:47:54 vaio sshd[16004]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71-13-115-12.static.mdsn.wi.charter.com user=root
May 12 09:48:03 vaio sshd[16021]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71-13-115-12.static.mdsn.wi.charter.com
May 15 18:02:12 localhost proftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=66.232.129.62 user=mark
Nov 25 17:12:13 webmail pop(pam_unix)[4920]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.10.3 user=mailuser
Jul 19 18:11:26 srv2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www3.google.com
Jul 19 18:11:26 srv2 vsftpd: pam_unix: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www3.google.com

files/logs/sshd

@ -0,0 +1,22 @@
#1
Jun 21 16:47:48 digital-mlhhyiqscv sshd[13709]: error: PAM: Authentication failure for myhlj1374 from 192.030.0.6
May 29 20:56:52 imago sshd[28732]: error: PAM: Authentication failure for stefanor from www.onerussian.com
#2
Feb 25 14:34:10 belka sshd[31602]: Failed password for invalid user ROOT from 194.117.26.69 port 50273 ssh2
Feb 25 14:34:10 belka sshd[31602]: Failed password for invalid user ROOT from 194.117.26.70 port 12345
#3
Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4
Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM ::ffff:1.2.3.4
#4
Jul 20 14:42:11 localhost sshd[22708]: Invalid user ftp from 211.114.51.213
#5 new filter introduced after looking at 44087D8C.9090407@bluewin.ch
Mar 3 00:17:22 [sshd] User root from 210.188.220.49 not allowed because not listed in AllowUsers
Feb 25 14:34:11 belka sshd[31607]: User root from ferrari.inescn.pt not allowed because not listed in AllowUsers
#6 ew filter introduced thanks to report Guido Bozzetto <reportbug@G-B.it>
Nov 11 23:33:27 Server sshd[5174]: refused connect from _U2FsdGVkX19P3BCJmFBHhjLza8BcMH06WCUVwttMHpE=_@::ffff:218.249.210.161 (::ffff:218.249.210.161)
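Review bot: `#6 ew filter introduced ...` is missing its first letter ("new filter"); since these comment lines document which sshd message each group exercises, fix it before the file becomes the reference sample. The `#5` header cites only a mailing-list message-id, so a short phrase such as "user not listed in AllowUsers" next to it would make the group self-explanatory.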

files/logs/vsftpd

@ -0,0 +1,7 @@
#1 PAM based
Oct 11 01:06:47 ServerJV vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=209.67.1.67
Feb 6 12:02:29 server vsftpd(pam_unix)[15522]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=64.168.103.1 user=user1
#2 Internal
Fri Jan 19 12:20:33 2007 [pid 27202] [anonymous] FAIL LOGIN: Client "64.106.46.98"

@ -259,7 +259,8 @@ action <ACT> for <JAIL>
Written by Cyril Jaquier <lostcontrol@users.sourceforge.net>. Written by Cyril Jaquier <lostcontrol@users.sourceforge.net>.
Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>. Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
.SH "REPORTING BUGS" .SH "REPORTING BUGS"
Report bugs to <lostcontrol@users.sourceforge.net> Please report bugs via Debian bug tracking system
http://www.debian.org/Bugs/.
.SH COPYRIGHT .SH COPYRIGHT
Copyright \(co 2004-2006 Cyril Jaquier Copyright \(co 2004-2006 Cyril Jaquier
.br .br
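Review bot: "Please report bugs via Debian bug tracking system" is missing an article and should read "via the Debian bug tracking system"; the same wording appears in the fail2ban-server.1 hunk below. The deleted 10_dbts_manpages.dpatch carried exactly these two hunks, so nothing is lost by moving them into the branch.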

@ -35,7 +35,8 @@ print the version
Written by Cyril Jaquier <lostcontrol@users.sourceforge.net>. Written by Cyril Jaquier <lostcontrol@users.sourceforge.net>.
Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>. Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.
.SH "REPORTING BUGS" .SH "REPORTING BUGS"
Report bugs to <lostcontrol@users.sourceforge.net> Please report bugs via Debian bug tracking system
http://www.debian.org/Bugs/.
.SH COPYRIGHT .SH COPYRIGHT
Copyright \(co 2004-2006 Cyril Jaquier Copyright \(co 2004-2006 Cyril Jaquier
.br .br