diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf index b80698b4..8549a550 100644 --- a/config/action.d/dshield.conf +++ b/config/action.d/dshield.conf @@ -206,5 +206,5 @@ dest = reports@dshield.org # Notes.: Base name of temporary files used for buffering # Values: [ STRING ] Default: /tmp/fail2ban-dshield # -tmpfile = /tmp/fail2ban-dshield +tmpfile = /var/run/fail2ban/tmp-dshield diff --git a/config/action.d/iptables-allports.conf b/config/action.d/iptables-allports.conf index 9637f650..c370d10b 100644 --- a/config/action.d/iptables-allports.conf +++ b/config/action.d/iptables-allports.conf @@ -15,13 +15,13 @@ # actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN - iptables -I INPUT -p -j fail2ban- + iptables -I -p -j fail2ban- # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p -j fail2ban- +actionstop = iptables -D -p -j fail2ban- iptables -F fail2ban- iptables -X fail2ban- @@ -29,7 +29,7 @@ actionstop = iptables -D INPUT -p -j fail2ban- # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban- +actioncheck = iptables -n -L | grep -q fail2ban- # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -63,3 +63,8 @@ name = default # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff --git a/config/action.d/iptables-multiport-log.conf b/config/action.d/iptables-multiport-log.conf index 240a056f..f89164f6 100644 --- a/config/action.d/iptables-multiport-log.conf +++ b/config/action.d/iptables-multiport-log.conf 
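Review bot: The `# Values: [ STRING ] Default: /tmp/fail2ban-dshield` context line directly above the changed `tmpfile` still documents the old path, so the file now contradicts itself; it should read `# Values: [ STRING ] Default: /var/run/fail2ban/tmp-dshield`. The mynetwatchman.conf hunk has the same stale `Default: /tmp/fail2ban-mynetwatchman` line. Moving the buffer files out of the world-writable /tmp is the right direction, but nothing in these hunks creates /var/run/fail2ban or sets its ownership, so the action presumably relies on the daemon having created that directory with permissions that keep other local users out; a short Notes sentence stating that dependency would help anyone running the action from a non-packaged install.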
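Review bot: The documentation block for the new `chain` option does not follow the file's own `# Option:` / `# Notes.:` / `# Values: [ ... ] Default:` convention used for `name` and `protocol` just above it: `# Notes specifies` lacks the `.:` and `# Values: STRING Default: INPUT` drops the brackets; I would write `# Notes.: specifies the iptables chain to which the fail2ban rules should be added` and `# Values: [ STRING ] Default: INPUT`. The same block appears in the iptables-multiport-log, iptables-multiport, iptables-new and iptables hunks. Since the value is substituted into the actionstart, actionstop and actioncheck commands where INPUT used to be hard-coded (the placeholder token itself is not visible in this rendering), a Notes sentence saying that the chain must already exist — actionstart only creates the per-jail `fail2ban-` chain, never the target chain — would save an unexplained startup failure for anyone pointing it at a custom chain.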
@@ -5,7 +5,7 @@ # # make "fail2ban-" chain to match drop IP # make "fail2ban--log" chain to log and drop -# insert a jump to fail2ban- from -I INPUT if proto/port match +# insert a jump to fail2ban- from -I if proto/port match # # $Revision: 668 $ # @@ -18,7 +18,7 @@ # actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN - iptables -I INPUT 1 -p -m multiport --dports -j fail2ban- + iptables -I 1 -p -m multiport --dports -j fail2ban- iptables -N fail2ban--log iptables -I fail2ban--log -j LOG --log-prefix "$(expr fail2ban- : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2 iptables -A fail2ban--log -j DROP @@ -27,7 +27,7 @@ actionstart = iptables -N fail2ban- # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p -m multiport --dports -j fail2ban- +actionstop = iptables -D -p -m multiport --dports -j fail2ban- iptables -F fail2ban- iptables -F fail2ban--log iptables -X fail2ban- @@ -76,3 +76,9 @@ port = ssh # Values: [ tcp | udp | icmp | all ] Default: tcp # protocol = tcp + +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff --git a/config/action.d/iptables-multiport.conf b/config/action.d/iptables-multiport.conf index 84c7d533..f0aebbac 100644 --- a/config/action.d/iptables-multiport.conf +++ b/config/action.d/iptables-multiport.conf @@ -13,13 +13,13 @@ # actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN - iptables -I INPUT -p -m multiport --dports -j fail2ban- + iptables -I -p -m multiport --dports -j fail2ban- # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p -m multiport --dports -j fail2ban- +actionstop = iptables -D -p -m multiport --dports -j fail2ban- iptables -F fail2ban- iptables -X fail2ban- 
@@ -27,7 +27,7 @@ actionstop = iptables -D INPUT -p -m multiport --dports -j fai # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban- +actioncheck = iptables -n -L | grep -q fail2ban- # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -67,3 +67,8 @@ port = ssh # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff --git a/config/action.d/iptables-new.conf b/config/action.d/iptables-new.conf index 1c2a306c..17517024 100644 --- a/config/action.d/iptables-new.conf +++ b/config/action.d/iptables-new.conf @@ -15,13 +15,13 @@ # actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN - iptables -I INPUT -m state --state NEW -p --dport -j fail2ban- + iptables -I -m state --state NEW -p --dport -j fail2ban- # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -m state --state NEW -p --dport -j fail2ban- +actionstop = iptables -D -m state --state NEW -p --dport -j fail2ban- iptables -F fail2ban- iptables -X fail2ban- @@ -29,7 +29,7 @@ actionstop = iptables -D INPUT -m state --state NEW -p --dport # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban- +actioncheck = iptables -n -L | grep -q fail2ban- # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -69,3 +69,8 @@ port = ssh # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff --git a/config/action.d/iptables.conf b/config/action.d/iptables.conf index 7f07f41c..cfc526bd 100644 --- a/config/action.d/iptables.conf +++ b/config/action.d/iptables.conf 
@@ -13,13 +13,13 @@ # actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN - iptables -I INPUT -p --dport -j fail2ban- + iptables -I -p --dport -j fail2ban- # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p --dport -j fail2ban- +actionstop = iptables -D -p --dport -j fail2ban- iptables -F fail2ban- iptables -X fail2ban- @@ -27,7 +27,7 @@ actionstop = iptables -D INPUT -p --dport -j fail2ban- # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban- +actioncheck = iptables -n -L | grep -q fail2ban- # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -67,3 +67,8 @@ port = ssh # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf index 04788ab9..b2255a11 100644 --- a/config/action.d/mail-buffered.conf +++ b/config/action.d/mail-buffered.conf @@ -81,7 +81,7 @@ lines = 5 # Default temporary file # -tmpfile = /tmp/fail2ban-mail.txt +tmpfile = /var/run/fail2ban/tmp-mail.txt # Destination/Addressee of the mail # diff --git a/config/action.d/mynetwatchman.conf b/config/action.d/mynetwatchman.conf index 15b91b11..f0e55153 100644 --- a/config/action.d/mynetwatchman.conf +++ b/config/action.d/mynetwatchman.conf @@ -141,4 +141,4 @@ mnwurl = http://mynetwatchman.com/insertwebreport.asp # Notes.: Base name of temporary files # Values: [ STRING ] Default: /tmp/fail2ban-mynetwatchman # -tmpfile = /tmp/fail2ban-mynetwatchman +tmpfile = /var/run/fail2ban/tmp-mynetwatchman diff --git a/config/action.d/sendmail-buffered.conf b/config/action.d/sendmail-buffered.conf index 90a482de..ad78b577 100644 --- a/config/action.d/sendmail-buffered.conf +++ b/config/action.d/sendmail-buffered.conf 
@@ -101,5 +101,5 @@ lines = 5 # Default temporary file # -tmpfile = /tmp/fail2ban-mail.txt +tmpfile = /var/run/fail2ban/tmp-mail.txt diff --git a/config/filter.d/apache-overflows.conf b/config/filter.d/apache-overflows.conf index 760fde66..dd936248 100644 --- a/config/filter.d/apache-overflows.conf +++ b/config/filter.d/apache-overflows.conf @@ -11,7 +11,7 @@ # Notes.: Regexp to catch Apache overflow attempts. # Values: TEXT # -failregex = [[]client []] (Invalid method in request|request failed: URI too long|erroneous characters after protocol string) +failregex = [[]client []] (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string) # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf new file mode 100644 index 00000000..5392d3a9 --- /dev/null +++ b/config/filter.d/dovecot.conf @@ -0,0 +1,23 @@ +# Fail2Ban configuration file for dovcot +# +# Author: +# +# $Revision: $ +# + +[Definition] + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P[\w\-.^_]+) +# Values: TEXT +# +failregex = .*(?: pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P\S*),.* + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = diff --git a/config/filter.d/dropbear.conf b/config/filter.d/dropbear.conf new file mode 100644 index 00000000..1309cc41 --- /dev/null +++ b/config/filter.d/dropbear.conf 
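Review bot: `rip=(?P<host>\S*),` in the new dovecot failregex allows a zero-length host because of `\S*`, so a malformed line containing `rip=,` would match with an empty host group; `\S+` is the safer quantifier and matches what the comment above it ("host must be matched by a group named host") intends. The leading `.*` and trailing `.*` are redundant for an unanchored search and only add backtracking on every log line; `(?: pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S+),` matches the same lines. The file header also carries the `dovcot` typo and an empty `Author:` line. Unlike the dropbear filter added in the same commit, this one does not use `before = common.conf` and a `__prefix_line` anchor, so the keywords are matched anywhere in the line.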
@@ -0,0 +1,52 @@ +# Fail2Ban configuration file +# +# Author: Francis Russell +# Zak B. Elep +# +# $Revision$ +# +# More information: http://bugs.debian.org/546913 + +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + + +[Definition] + +_daemon = dropbear + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P\S+) +# Values: TEXT + +# These match the unmodified dropbear messages. It isn't possible to +# match the source of the 'exit before auth' messages from dropbear. +# +failregex = ^%(__prefix_line)slogin attempt for nonexistent user ('.*' )?from :.*\s*$ + ^%(__prefix_line)sbad password attempt for .+ from :.*\s*$ + +# The only line we need to match with the modified dropbear. + +# NOTE: The failregex below is ONLY intended to work with a patched +# version of Dropbear as described here: +# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches +# +# The standard Dropbear output doesn't provide enough information to +# ban all types of attack. The Dropbear patch adds IP address +# information to the 'exit before auth' message which is always +# produced for any form of non-successful login. It is that message +# which this file matches. + +# failregex = ^%(__prefix_line)sexit before auth from .*\s*$ + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = diff --git a/config/filter.d/sasl.conf b/config/filter.d/sasl.conf index f62fb5ea..775a69a7 100644 --- a/config/filter.d/sasl.conf +++ b/config/filter.d/sasl.conf 
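Review bot: The commented-out `exit before auth` failregex for the patched Dropbear is described as what the patched daemon needs, but if an admin uncomments it as written it re-assigns `failregex` and, as I read the INI semantics, the two stock patterns above it are replaced rather than extended. A comment such as `# Uncomment only for the patched Dropbear; as written it replaces the two patterns above, so append it to them if you want both` would make that explicit. Also, the `.*\s*$` tail on each pattern is redundant (`.*` already consumes to end of line) and can be dropped.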
@@ -14,7 +14,7 @@ # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # -failregex = (?i): warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$ +failregex = (?i): warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff --git a/config/jail.conf b/config/jail.conf index b729e155..35164505 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -5,7 +5,7 @@ # $Revision: 747 $ # -# The DEFAULT allows a global definition of the options. They can be override +# The DEFAULT allows a global definition of the options. They can be overridden # in each jail afterwards. [DEFAULT] @@ -13,7 +13,7 @@ # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. -ignoreip = 127.0.0.1 +ignoreip = 127.0.0.1/8 # "bantime" is the number of seconds that a host is banned. bantime = 600 @@ -212,7 +212,7 @@ ignoreip = 168.192.0.1 # This jail blocks UDP traffic for DNS requests. # !!! WARNING !!! -# Since UDP is connectionless protocol, spoofing of IP and immitation +# Since UDP is connection-less protocol, spoofing of IP and imitation # of illegal actions is way too simple. Thus enabling of this filter # might provide an easy way for implementing a DoS against a chosen # victim. See diff --git a/debian/control b/debian/control index 2cfcfb27..e1f3b65e 100644 --- a/debian/control +++ b/debian/control @@ -8,7 +8,7 @@ XS-Python-Version: current, >= 2.4 Homepage: http://www.fail2ban.org Vcs-Browser: http://git.onerussian.com/?p=deb/fail2ban.git Vcs-git: git://git.onerussian.com/deb/fail2ban.git -Standards-Version: 3.8.4 +Standards-Version: 3.9.1 Package: fail2ban 
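Review bot: The widened class `[ A-Za-z0-9+/]*` in the sasl failregex now accepts any interleaving of spaces and base64 characters after `failed:`, which may be broader than the change needs; if the intent is only to tolerate a single space right after the colon, `(: ?[A-Za-z0-9+/]*={0,2})?$` keeps the tail as tight as before. Either way, a comment above the option naming the log line shape that prompted the change would tell the next maintainer why the space is there.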
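Review bot: `ignoreip = 127.0.0.1/8` exempts the whole loopback block rather than a single address, and the comment above it does not say why; a short note such as `# 127.0.0.1/8: the entire loopback range is never banned` would document the intent. It is worth adding that any service which logs a loopback address as the client (presumably the case behind a local proxy) will therefore never trigger a ban — that was already true of 127.0.0.1, but the wider mask makes the exemption easier to overlook. The debian/jail.conf hunk makes the same change and would benefit from the same comment.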
@@ -17,16 +17,17 @@ Depends: ${python:Depends}, ${misc:Depends}, lsb-base (>=2.0-7) Recommends: iptables, whois Suggests: python-gamin, mailx XB-Python-Version: ${python:Versions} -Description: bans IPs that cause multiple authentication errors - Monitors log files (e.g. /var/log/auth.log, +Description: ban hosts that cause multiple authentication errors + Fail2ban monitors log files (e.g. /var/log/auth.log, /var/log/apache/access.log) and temporarily or persistently bans - failure-prone addresses by updating existing firewall rules. The - software was completely rewritten at version 0.7.0 and now allows + failure-prone addresses by updating existing firewall rules. Fail2ban allows easy specification of different actions to be taken such as to ban an IP using iptables or hostsdeny rules, or simply to send a - notification email. Currently, by default, supports ssh/apache/vsftpd - but configuration can be easily extended for monitoring any other ASCII - file. All filters and actions are given in the config files, thus - fail2ban can be adopted to be used with a variety of files and - firewalls. + notification email. + . + By default, it comes with filter expressions for various services + (sshd, apache, qmail, proftpd, sasl etc.) but configuration can be + easily extended for monitoring any other text file. All filters and + actions are given in the config files, thus fail2ban can be adopted + to be used with a variety of files and firewalls. diff --git a/debian/copyright b/debian/copyright index 3cccad34..a9204ca6 100644 --- a/debian/copyright +++ b/debian/copyright @@ -6,7 +6,7 @@ It was downloaded from http://www.sourceforge.net/projects/fail2ban Author: Cyril Jaquier: http://fail2ban.sourceforge.net -Copyright: 2004, 2005, 2006, 2007 Cyril Jaquier +Copyright: 2004-2009 Cyril Jaquier This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
@@ -19,13 +19,13 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License -along with this program; if not, write to the +along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. On Debian systems, the complete text of the GNU General Public License, version 2, can be found in /usr/share/common-licenses/GPL-2. -The Debian packaging is (C) 2006, Yaroslav Halchenko +The Debian packaging is (C) 2006-2011, Yaroslav Halchenko and is licensed under the GPL, see above. diff --git a/debian/jail.conf b/debian/jail.conf index 931db9af..b07ccc6e 100644 --- a/debian/jail.conf +++ b/debian/jail.conf @@ -12,13 +12,13 @@ # $Revision: 281 $ # -# The DEFAULT allows a global definition of the options. They can be override +# The DEFAULT allows a global definition of the options. They can be overridden # in each jail afterwards. [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host -ignoreip = 127.0.0.1 +ignoreip = 127.0.0.1/8 bantime = 600 maxretry = 3 @@ -38,8 +38,8 @@ destemail = root@localhost # # Default banning action (e.g. iptables, iptables-new, -# iptables-multiport, shorewall, etc) It is used to define -# action_* variables. Can be overriden globally or per +# iptables-multiport, shorewall, etc) It is used to define +# action_* variables. Can be overridden globally or per # section within jail.local file banaction = iptables-multiport 
@@ -51,24 +51,27 @@ mta = sendmail # Default protocol protocol = tcp +# Specify chain where jumps would need to be added in iptables-* actions +chain = INPUT + # # Action shortcuts. To be used to define action parameter # The simplest action to take: ban only -action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s] +action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report to the destemail. -action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s] - %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s] +action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report and relevant log lines # to the destemail. -action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s] - %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s] - +action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] + # Choose default action. To change, just override value of 'action' with the # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local -# globally (section [DEFAULT]) or per specific section +# globally (section [DEFAULT]) or per specific section action = %(action_)s # @@ -78,7 +81,7 @@ action = %(action_)s # Next jails corresponds to the standard configuration in Fail2ban 0.6 which # was shipped in Debian. Enable any defined here jail by including # -# [SECTION_NAME] +# [SECTION_NAME] # enabled = true # 
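Review bot: `chain="%(chain)s"` is appended not only to the `%(banaction)s[...]` entries, where the iptables-* actions consume it, but also to the `%(mta)s-whois[...]` and `%(mta)s-whois-lines[...]` entries, and nothing in this commit gives the mail actions a `chain` parameter, so those two additions look like copy-paste carry-over; I would drop `chain="%(chain)s"` from the two mail entries or, if an unused parameter is harmless to the action parser, say so in the comment. The new `# Specify chain where jumps would need to be added in iptables-* actions` comment could also name the default, e.g. `# Chain to which the iptables-* actions add their jump rule (default INPUT)`. The `+ ` line after action_mwl and the re-emitted `# globally ... per specific section` and `# [SECTION_NAME]` lines appear to differ from the removed ones only in trailing whitespace.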
@@ -238,8 +241,9 @@ logpath = /var/log/mail.log enabled = false port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s filter = sasl -# You might consider monitoring /var/log/warn.log instead -# if you are running postfix. See http://bugs.debian.org/507990 +# You might consider monitoring /var/log/mail.warn instead if you are +# running postfix since it would provide the same log lines at the +# "warn" level but overall at the smaller filesize. logpath = /var/log/mail.log @@ -263,7 +267,7 @@ logpath = /var/log/mail.log # in your named.conf to provide proper logging # !!! WARNING !!! -# Since UDP is connectionless protocol, spoofing of IP and immitation +# Since UDP is connection-less protocol, spoofing of IP and imitation # of illegal actions is way too simple. Thus enabling of this filter # might provide an easy way for implementing a DoS against a chosen # victim. See diff --git a/server/datetemplate.py b/server/datetemplate.py index 890370d9..e8c1a5a9 100644 --- a/server/datetemplate.py +++ b/server/datetemplate.py @@ -1,4 +1,4 @@ -# -*- coding: utf8 -*- +# -*- coding: utf-8 -*- # This file is part of Fail2Ban. # # Fail2Ban is free software; you can redistribute it and/or modify @@ -168,7 +168,8 @@ class DateTai64n(DateTemplate): # extract part of format which represents seconds since epoch value = dateMatch.group() seconds_since_epoch = value[2:17] - date = list(time.gmtime(int(seconds_since_epoch, 16))) + # convert seconds from HEX into local time stamp + date = list(time.localtime(int(seconds_since_epoch, 16))) return date diff --git a/server/filter.py b/server/filter.py index b011ef09..26dc3f03 100644 --- a/server/filter.py +++ b/server/filter.py 
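Review bot: The new `# convert seconds from HEX into local time stamp` comment in datetemplate.py should also record that a TAI64N label counts TAI seconds, not UTC: TAI leads UTC by the accumulated leap seconds (tens of seconds), and the hex value is handed to `time.localtime` as if it were a Unix time, so the resulting timestamp leads the real event time by that offset. Switching from `gmtime` to `localtime` is consistent with a caller that later converts the struct back with `time.mktime`, but that caller is outside the hunk and deserves a one-line mention here, e.g. `# localtime, not gmtime: the struct is later converted back with mktime (local time)` — if that is indeed what the caller does. The `DateTai64n` method starts and ends outside the hunk.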
@@ -268,7 +268,11 @@ class Filter(JailThread):
 for element in self.processLine(line):
 ip = element[0]
 unixTime = element[1]
+ logSys.debug("Processing line with time:%s and ip:%s"
+ % (unixTime, ip))
 if unixTime < MyTime.time() - self.getFindTime():
+ logSys.debug("Ignore line since time %s < %s - %s"
+ % (unixTime, MyTime.time(), self.getFindTime()))
 break
 if self.inIgnoreIPList(ip):
 logSys.debug("Ignore %s" % ip)
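Review bot: Both new `logSys.debug(... % (...))` calls format their message eagerly inside the per-line loop, even when debug logging is off; the logging API takes lazy arguments, `logSys.debug("Processing line with time:%s and ip:%s", unixTime, ip)`. The second message also calls `MyTime.time()` a second time, so the bound it prints can differ from the one the `if` on the line above actually compared; binding `now = MyTime.time()` once before the `if`, comparing against `now - self.getFindTime()`, and logging `now` keeps the message truthful. The enclosing method of `Filter` starts and ends outside the hunk.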