From 2a38820ed660b69fa5103b824d54fa6ae6cf4f83 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Tue, 21 Sep 2010 17:52:44 +0000 Subject: [PATCH 01/21] debug entry for lines ignored due to falling below findtime (v2) git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@763 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- server/filter.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/server/filter.py b/server/filter.py index ef18519c..6f1e4c7d 100644 --- a/server/filter.py +++ b/server/filter.py @@ -268,7 +268,11 @@ class Filter(JailThread): for element in self.processLine(line): ip = element[0] unixTime = element[1] + logSys.debug("Processing line with time:%s and ip:%s" + % (unixTime, ip)) if unixTime < MyTime.time() - self.getFindTime(): + logSys.debug("Ignore line since time %s < %s - %s" + % (unixTime, MyTime.time(), self.getFindTime())) break if self.inIgnoreIPList(ip): logSys.debug("Ignore %s" % ip) From 12304f7a3e7fcebef0b4901412750ba73d718b88 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Mon, 27 Sep 2010 13:10:40 +0000 Subject: [PATCH 02/21] Tai64N stores time in GMT, we need to convert to local time before returning git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@764 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- server/datetemplate.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/server/datetemplate.py b/server/datetemplate.py index 284d374b..711c6c99 100644 --- a/server/datetemplate.py +++ b/server/datetemplate.py @@ -1,4 +1,4 @@ -# -*- coding: utf8 -*- +# -*- coding: utf-8 -*- # This file is part of Fail2Ban. # # Fail2Ban is free software; you can redistribute it and/or modify 
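Review bot: Both new logSys.debug calls format their message eagerly with `%` before logging has decided whether DEBUG is enabled, and they sit on the per-line path of the log reader, so every processed line pays the formatting cost even when debug output is off; pass the arguments lazily instead, `logSys.debug("Processing line with time:%s and ip:%s", unixTime, ip)` and likewise for the ignore message. The ignore message also calls MyTime.time() and self.getFindTime() a second time, so the values it prints can differ from the ones the comparison on the preceding line actually used; take `now = MyTime.time()` once before the `if` and log that. The enclosing method begins before the hunk.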
@@ -168,7 +168,8 @@ class DateTai64n(DateTemplate): # extract part of format which represents seconds since epoch value = dateMatch.group() seconds_since_epoch = value[2:17] - date = list(time.gmtime(int(seconds_since_epoch, 16))) + # convert seconds from HEX into local time stamp + date = list(time.localtime(int(seconds_since_epoch, 16))) return date From 521631cfcc3ab14be02c95ed3a29835670cfcfc0 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Mon, 27 Sep 2010 13:10:48 +0000 Subject: [PATCH 03/21] default ignoreip to ignore entire loopback zone (/8): see http://bugs.debian.org/598200 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@765 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- config/jail.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/jail.conf b/config/jail.conf index 41a56ffd..81a736d0 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -13,7 +13,7 @@ # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. -ignoreip = 127.0.0.1 +ignoreip = 127.0.0.1/8 # "bantime" is the number of seconds that a host is banned. bantime = 600 From 35e43cf65043ebf91a60378960af46a7e1245587 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Mon, 27 Sep 2010 09:11:47 -0400 Subject: [PATCH 04/21] debian: default ignoreip to ignore entire loopback zone (/8): see http://bugs.debian.org/598200 --- debian/jail.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/jail.conf b/debian/jail.conf index 931db9af..c0f8973c 100644 --- a/debian/jail.conf +++ b/debian/jail.conf @@ -18,7 +18,7 @@ [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host -ignoreip = 127.0.0.1 +ignoreip = 127.0.0.1/8 bantime = 600 maxretry = 3 From db6aadfc39a182b92907a5b547ad46b1b40716b9 Mon Sep 17 00:00:00 2001 
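Review bot: The added comment on the localtime() line says what is converted but not why local time is the right choice, and the commit message's "GMT" is not quite accurate either: a TAI64N label counts TAI seconds, which run a few tens of seconds ahead of UTC, and neither gmtime() nor localtime() removes that offset. Presumably the real reason for the switch is that callers turn the returned struct_time back into an epoch with time.mktime(), which interprets it as local time, so gmtime() produced a timezone-shifted timestamp that could fall outside findtime; confirm against the caller. Suggest `# TAI64N seconds are TAI (roughly UTC plus leap seconds); localtime() so the struct round-trips through mktime(), which assumes local time` plus a note that the leap-second skew only matters relative to findtime. The enclosing method's signature is outside the hunk.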
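Review bot: `ignoreip = 127.0.0.1/8` writes the loopback network with host bits set; the canonical form is `127.0.0.0/8`, which is what readers and address tools expect. If inIgnoreIPList masks both sides of the comparison the two are equivalent, but that cannot be confirmed from the hunk, and the canonical form removes the doubt for anyone auditing what is exempt from banning. The same value is set in the debian/jail.conf hunk of PATCH 04/21.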
From: Yaroslav Halchenko Date: Mon, 27 Sep 2010 09:16:34 -0400 Subject: [PATCH 05/21] spellcheck debian/jail.conf (Closes: #598206). Thanks Christoph Anton Mitterer --- debian/jail.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/debian/jail.conf b/debian/jail.conf index c0f8973c..358ee939 100644 --- a/debian/jail.conf +++ b/debian/jail.conf @@ -12,7 +12,7 @@ # $Revision: 281 $ # -# The DEFAULT allows a global definition of the options. They can be override +# The DEFAULT allows a global definition of the options. They can be overridden # in each jail afterwards. [DEFAULT] @@ -39,7 +39,7 @@ destemail = root@localhost # Default banning action (e.g. iptables, iptables-new, # iptables-multiport, shorewall, etc) It is used to define -# action_* variables. Can be overriden globally or per +# action_* variables. Can be overridden globally or per # section within jail.local file banaction = iptables-multiport @@ -263,7 +263,7 @@ logpath = /var/log/mail.log # in your named.conf to provide proper logging # !!! WARNING !!! -# Since UDP is connectionless protocol, spoofing of IP and immitation +# Since UDP is connection-less protocol, spoofing of IP and imitation # of illegal actions is way too simple. Thus enabling of this filter # might provide an easy way for implementing a DoS against a chosen # victim. See From 7b54c7b33b82af9c1f8119bd9055a5c28654ee86 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Mon, 27 Sep 2010 13:18:32 +0000 Subject: [PATCH 06/21] spellcheck jail.conf. Thanks Christoph Anton Mitterer git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@766 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- config/jail.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/jail.conf b/config/jail.conf index 81a736d0..4ec8a34a 100644 --- a/config/jail.conf +++ b/config/jail.conf 
@@ -5,7 +5,7 @@ # $Revision$ # -# The DEFAULT allows a global definition of the options. They can be override +# The DEFAULT allows a global definition of the options. They can be overridden # in each jail afterwards. [DEFAULT] @@ -212,7 +212,7 @@ ignoreip = 168.192.0.1 # This jail blocks UDP traffic for DNS requests. # !!! WARNING !!! -# Since UDP is connectionless protocol, spoofing of IP and immitation +# Since UDP is connection-less protocol, spoofing of IP and imitation # of illegal actions is way too simple. Thus enabling of this filter # might provide an easy way for implementing a DoS against a chosen # victim. See From eb5bcdad81cd3e3259ca7d16e23bca7dbfc9893d Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Wed, 23 Mar 2011 15:55:01 -0400 Subject: [PATCH 07/21] Boosted policy compliance version to 3.9.1 (no changes seems to be due) --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 2cfcfb27..a164a95f 100644 --- a/debian/control +++ b/debian/control @@ -8,7 +8,7 @@ XS-Python-Version: current, >= 2.4 Homepage: http://www.fail2ban.org Vcs-Browser: http://git.onerussian.com/?p=deb/fail2ban.git Vcs-git: git://git.onerussian.com/deb/fail2ban.git -Standards-Version: 3.8.4 +Standards-Version: 3.9.1 Package: fail2ban From cfd6cf7b1b2996cdc60cd0c92b2c0213fe1804c2 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Wed, 23 Mar 2011 15:55:43 -0400 Subject: [PATCH 08/21] debian/copyright: updated copyright years --- debian/copyright | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/debian/copyright b/debian/copyright index 3cccad34..a9204ca6 100644 --- a/debian/copyright +++ b/debian/copyright 
@@ -6,7 +6,7 @@ It was downloaded from http://www.sourceforge.net/projects/fail2ban Author: Cyril Jaquier: http://fail2ban.sourceforge.net -Copyright: 2004, 2005, 2006, 2007 Cyril Jaquier +Copyright: 2004-2009 Cyril Jaquier This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -19,13 +19,13 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License -along with this program; if not, write to the +along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. On Debian systems, the complete text of the GNU General Public License, version 2, can be found in /usr/share/common-licenses/GPL-2. -The Debian packaging is (C) 2006, Yaroslav Halchenko +The Debian packaging is (C) 2006-2011, Yaroslav Halchenko and is licensed under the GPL, see above. From 97ac5bd205401d18f307621abbf59e6218dec8e8 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Wed, 23 Mar 2011 16:00:01 -0400 Subject: [PATCH 09/21] ENH: slight rewordings of the long description (Closes: #588176) --- debian/control | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/debian/control b/debian/control index a164a95f..e1f3b65e 100644 --- a/debian/control +++ b/debian/control 
@@ -17,16 +17,17 @@ Depends: ${python:Depends}, ${misc:Depends}, lsb-base (>=2.0-7) Recommends: iptables, whois Suggests: python-gamin, mailx XB-Python-Version: ${python:Versions} -Description: bans IPs that cause multiple authentication errors - Monitors log files (e.g. /var/log/auth.log, +Description: ban hosts that cause multiple authentication errors + Fail2ban monitors log files (e.g. /var/log/auth.log, /var/log/apache/access.log) and temporarily or persistently bans - failure-prone addresses by updating existing firewall rules. The - software was completely rewritten at version 0.7.0 and now allows + failure-prone addresses by updating existing firewall rules. Fail2ban allows easy specification of different actions to be taken such as to ban an IP using iptables or hostsdeny rules, or simply to send a - notification email. Currently, by default, supports ssh/apache/vsftpd - but configuration can be easily extended for monitoring any other ASCII - file. All filters and actions are given in the config files, thus - fail2ban can be adopted to be used with a variety of files and - firewalls. + notification email. + . + By default, it comes with filter expressions for various services + (sshd, apache, qmail, proftpd, sasl etc.) but configuration can be + easily extended for monitoring any other text file. All filters and + actions are given in the config files, thus fail2ban can be adopted + to be used with a variety of files and firewalls. From a6bc0e517f680fb6e52a0992731aef72bcfdd125 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Wed, 23 Mar 2011 16:09:00 -0400 Subject: [PATCH 10/21] ENH: adjusted description for sasl jail (Closes: #615952) --- debian/jail.conf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/debian/jail.conf b/debian/jail.conf index 358ee939..10b7c3ca 100644 --- a/debian/jail.conf +++ b/debian/jail.conf 
@@ -238,8 +238,9 @@ logpath = /var/log/mail.log enabled = false port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s filter = sasl -# You might consider monitoring /var/log/warn.log instead -# if you are running postfix. See http://bugs.debian.org/507990 +# You might consider monitoring /var/log/mail.warn instead if you are +# running postfix since it would provide the same log lines at the +# "warn" level but overall at the smaller filesize. logpath = /var/log/mail.log From 638bb665234e58245ef1f4802441fa76ec2f5f2b Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Wed, 23 Mar 2011 20:35:56 +0000 Subject: [PATCH 11/21] BF: Use /var/run/fail2ban instead of /tmp for temp files in actions: see http://bugs.debian.org/544232 It should be robust since /var/run/fail2ban is guaranteed to exist to carry the socket file, and it will be owned by root (or some other dedicated fail2ban user) thus avoiding possibility for the exploit git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@767 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- config/action.d/dshield.conf | 2 +- config/action.d/mail-buffered.conf | 2 +- config/action.d/mynetwatchman.conf | 2 +- config/action.d/sendmail-buffered.conf | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf index b80698b4..8549a550 100644 --- a/config/action.d/dshield.conf +++ b/config/action.d/dshield.conf @@ -206,5 +206,5 @@ dest = reports@dshield.org # Notes.: Base name of temporary files used for buffering # Values: [ STRING ] Default: /tmp/fail2ban-dshield # -tmpfile = /tmp/fail2ban-dshield +tmpfile = /var/run/fail2ban/tmp-dshield diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf index 8a33d0ea..6fd51d23 100644 --- a/config/action.d/mail-buffered.conf +++ b/config/action.d/mail-buffered.conf 
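Review bot: In the dshield.conf hunk the value becomes `/var/run/fail2ban/tmp-dshield` but the unchanged Notes line two lines above still reads `Default: /tmp/fail2ban-dshield`, so the option's documentation now contradicts its value; update it to `# Values: [ STRING ] Default: /var/run/fail2ban/tmp-dshield`. The mynetwatchman.conf hunk of this patch has the same stale `Default: /tmp/fail2ban-mynetwatchman` line. The move out of a shared /tmp only helps if /var/run/fail2ban is owned by the user fail2ban runs as and is not world-writable; the commit message asserts that, but nothing in these action files checks it, so a one-line comment next to tmpfile stating that the directory is expected to be created by the daemon with restrictive permissions would record the assumption where the next editor will see it.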
@@ -81,7 +81,7 @@ lines = 5 # Default temporary file # -tmpfile = /tmp/fail2ban-mail.txt +tmpfile = /var/run/fail2ban/tmp-mail.txt # Destination/Addressee of the mail # diff --git a/config/action.d/mynetwatchman.conf b/config/action.d/mynetwatchman.conf index 15b91b11..f0e55153 100644 --- a/config/action.d/mynetwatchman.conf +++ b/config/action.d/mynetwatchman.conf @@ -141,4 +141,4 @@ mnwurl = http://mynetwatchman.com/insertwebreport.asp # Notes.: Base name of temporary files # Values: [ STRING ] Default: /tmp/fail2ban-mynetwatchman # -tmpfile = /tmp/fail2ban-mynetwatchman +tmpfile = /var/run/fail2ban/tmp-mynetwatchman diff --git a/config/action.d/sendmail-buffered.conf b/config/action.d/sendmail-buffered.conf index de8166ad..25a23b78 100644 --- a/config/action.d/sendmail-buffered.conf +++ b/config/action.d/sendmail-buffered.conf @@ -101,5 +101,5 @@ lines = 5 # Default temporary file # -tmpfile = /tmp/fail2ban-mail.txt +tmpfile = /var/run/fail2ban/tmp-mail.txt From 0073ba38387f5e319551ec242dc7cb1e16c7ee20 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Wed, 23 Mar 2011 20:36:08 +0000 Subject: [PATCH 12/21] ENH: dropbear filter: see http://bugs.debian.org/546913 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@768 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- config/filter.d/dropbear.conf | 52 +++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 config/filter.d/dropbear.conf diff --git a/config/filter.d/dropbear.conf b/config/filter.d/dropbear.conf new file mode 100644 index 00000000..1309cc41 --- /dev/null +++ b/config/filter.d/dropbear.conf 
@@ -0,0 +1,52 @@ +# Fail2Ban configuration file +# +# Author: Francis Russell +# Zak B. Elep +# +# $Revision$ +# +# More information: http://bugs.debian.org/546913 + +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + + +[Definition] + +_daemon = dropbear + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P\S+) +# Values: TEXT + +# These match the unmodified dropbear messages. It isn't possible to +# match the source of the 'exit before auth' messages from dropbear. +# +failregex = ^%(__prefix_line)slogin attempt for nonexistent user ('.*' )?from :.*\s*$ + ^%(__prefix_line)sbad password attempt for .+ from :.*\s*$ + +# The only line we need to match with the modified dropbear. + +# NOTE: The failregex below is ONLY intended to work with a patched +# version of Dropbear as described here: +# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches +# +# The standard Dropbear output doesn't provide enough information to +# ban all types of attack. The Dropbear patch adds IP address +# information to the 'exit before auth' message which is always +# produced for any form of non-successful login. It is that message +# which this file matches. + +# failregex = ^%(__prefix_line)sexit before auth from .*\s*$ + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = From 10faba516315478b86ed3ae19975897ebe577222 Mon Sep 17 00:00:00 2001 
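Review bot: Both active failregex lines end in `.*\s*$`, where the `.*` already consumes the rest of the line and leaves `\s*$` nothing to match; either drop the `\s*` or, if the intent is to tolerate trailing whitespace as the proftpd fix later in this series does, end in `\s*$` without the preceding `.*`. As rendered here the host tag after `from` is missing (`from :`), which looks like a rendering artifact of an angle-bracket tag; worth confirming the committed file carries the named host group, since without it the filter has nothing to ban. The sentence "The only line we need to match with the modified dropbear" sits above a commented-out regex and reads as if it described the active ones; moving it into the NOTE paragraph below it would avoid that.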
From: Yaroslav Halchenko Date: Wed, 23 Mar 2011 20:36:17 +0000 Subject: [PATCH 13/21] ENH: make filter.d/apache-overflows.conf catch more: see http://bugs.debian.org/574182 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@769 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- config/filter.d/apache-overflows.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/apache-overflows.conf b/config/filter.d/apache-overflows.conf index c615158f..4567f7da 100644 --- a/config/filter.d/apache-overflows.conf +++ b/config/filter.d/apache-overflows.conf @@ -11,7 +11,7 @@ # Notes.: Regexp to catch Apache overflow attempts. # Values: TEXT # -failregex = [[]client []] (Invalid method in request|request failed: URI too long|erroneous characters after protocol string) +failregex = [[]client []] (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string) # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. From 6558c03f8e138eaadcb2fa4b6bc93dad737a71fd Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Wed, 23 Mar 2011 20:36:28 +0000 Subject: [PATCH 14/21] NF: Adding found on a drive filter.d/dovecot.conf git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@770 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- config/filter.d/dovecot.conf | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 config/filter.d/dovecot.conf diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf new file mode 100644 index 00000000..5392d3a9 --- /dev/null +++ b/config/filter.d/dovecot.conf 
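Review bot: Apache logs "Invalid URI in request" for ordinary malformed requests as well (a buggy client or a broken link with bad escaping), not only for overflow attempts, so the widened alternation `Invalid (method|URI) in request` will count benign clients toward maxretry while the Notes line above it still says only "Regexp to catch Apache overflow attempts." Suggest adding `# Note: 'Invalid URI in request' is also logged for malformed but harmless requests; tune maxretry accordingly` so operators know the trade-off. The `[[]client []]` prefix as shown here appears to have lost its host tag in rendering; confirm the committed line still carries it.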
@@ -0,0 +1,23 @@ +# Fail2Ban configuration file for dovcot +# +# Author: +# +# $Revision: $ +# + +[Definition] + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P[\w\-.^_]+) +# Values: TEXT +# +failregex = .*(?: pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P\S*),.* + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = From 3831fbf98b87fed2f5882e3190e10dfa0dd0e55c Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Wed, 23 Mar 2011 20:36:41 +0000 Subject: [PATCH 15/21] ENH: add to action.d/iptables*. Thanks Matthijs Kooijman: see http://bugs.debian.org/515599 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@771 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- config/action.d/iptables-allports.conf | 11 ++++++++--- config/action.d/iptables-multiport-log.conf | 12 +++++++++--- config/action.d/iptables-multiport.conf | 11 ++++++++--- config/action.d/iptables-new.conf | 11 ++++++++--- config/action.d/iptables.conf | 11 ++++++++--- 5 files changed, 41 insertions(+), 15 deletions(-) diff --git a/config/action.d/iptables-allports.conf b/config/action.d/iptables-allports.conf index 123bac69..1cc2daba 100644 --- a/config/action.d/iptables-allports.conf +++ b/config/action.d/iptables-allports.conf 
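Review bot: The capture `rip=(?P...\S*),` (the named host group has lost its angle-bracket name in this rendering) accepts an empty remote IP, so a line containing `rip=,` matches with nothing to ban; use `\S+`. The pattern also chains three unbounded `.*` segments over a line whose content is partly client-controlled, which can backtrack heavily on long lines; dropping the leading `.*` and tightening the middle ones to `[^,]*` would bound the work, provided those fields never contain commas — confirm against real log lines before narrowing. The header still says "configuration file for dovcot" (typo), has an empty Author and an unexpanded `$Revision: $`, which the other filters in this series fill in.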
@@ -15,13 +15,13 @@ # actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN - iptables -I INPUT -p -j fail2ban- + iptables -I -p -j fail2ban- # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p -j fail2ban- +actionstop = iptables -D -p -j fail2ban- iptables -F fail2ban- iptables -X fail2ban- @@ -29,7 +29,7 @@ actionstop = iptables -D INPUT -p -j fail2ban- # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban- +actioncheck = iptables -n -L | grep -q fail2ban- # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -63,3 +63,8 @@ name = default # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff --git a/config/action.d/iptables-multiport-log.conf b/config/action.d/iptables-multiport-log.conf index 3b4621db..9cdc4bab 100644 --- a/config/action.d/iptables-multiport-log.conf +++ b/config/action.d/iptables-multiport-log.conf @@ -5,7 +5,7 @@ # # make "fail2ban-" chain to match drop IP # make "fail2ban--log" chain to log and drop -# insert a jump to fail2ban- from -I INPUT if proto/port match +# insert a jump to fail2ban- from -I if proto/port match # # $Revision$ # @@ -18,7 +18,7 @@ # actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN - iptables -I INPUT 1 -p -m multiport --dports -j fail2ban- + iptables -I 1 -p -m multiport --dports -j fail2ban- iptables -N fail2ban--log iptables -I fail2ban--log -j LOG --log-prefix "$(expr fail2ban- : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2 iptables -A fail2ban--log -j DROP 
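Review bot: The new `chain` option block in the iptables-allports.conf hunk (and the identical block in the iptables-multiport-log, iptables-multiport, iptables-new and iptables.conf hunks of this patch) documents the option as `# Notes specifies the iptables chain ...`, while every other option in these files uses the `# Notes.:` form; make it `# Notes.: specifies the iptables chain to which the fail2ban rules should be added`. The documentation should also say that the chain must already exist: actionstart only creates the per-jail `fail2ban-` chain and then inserts a jump into the configured chain, so a custom chain name that nothing else has created makes actionstart fail at daemon start. Something like `# Values: STRING Default: INPUT (must already exist; only the per-jail fail2ban- chain is created here)` would cover it.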
@@ -27,7 +27,7 @@ actionstart = iptables -N fail2ban- # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p -m multiport --dports -j fail2ban- +actionstop = iptables -D -p -m multiport --dports -j fail2ban- iptables -F fail2ban- iptables -F fail2ban--log iptables -X fail2ban- @@ -76,3 +76,9 @@ port = ssh # Values: [ tcp | udp | icmp | all ] Default: tcp # protocol = tcp + +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff --git a/config/action.d/iptables-multiport.conf b/config/action.d/iptables-multiport.conf index fe3712d5..ad554f5c 100644 --- a/config/action.d/iptables-multiport.conf +++ b/config/action.d/iptables-multiport.conf @@ -13,13 +13,13 @@ # actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN - iptables -I INPUT -p -m multiport --dports -j fail2ban- + iptables -I -p -m multiport --dports -j fail2ban- # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p -m multiport --dports -j fail2ban- +actionstop = iptables -D -p -m multiport --dports -j fail2ban- iptables -F fail2ban- iptables -X fail2ban- @@ -27,7 +27,7 @@ actionstop = iptables -D INPUT -p -m multiport --dports -j fai # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban- +actioncheck = iptables -n -L | grep -q fail2ban- # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -67,3 +67,8 @@ port = ssh # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff --git a/config/action.d/iptables-new.conf b/config/action.d/iptables-new.conf index 373826c2..c249de2d 100644 --- a/config/action.d/iptables-new.conf 
+++ b/config/action.d/iptables-new.conf @@ -15,13 +15,13 @@ # actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN - iptables -I INPUT -m state --state NEW -p --dport -j fail2ban- + iptables -I -m state --state NEW -p --dport -j fail2ban- # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -m state --state NEW -p --dport -j fail2ban- +actionstop = iptables -D -m state --state NEW -p --dport -j fail2ban- iptables -F fail2ban- iptables -X fail2ban- @@ -29,7 +29,7 @@ actionstop = iptables -D INPUT -m state --state NEW -p --dport # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban- +actioncheck = iptables -n -L | grep -q fail2ban- # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -69,3 +69,8 @@ port = ssh # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff --git a/config/action.d/iptables.conf b/config/action.d/iptables.conf index daef9267..09cfb98b 100644 --- a/config/action.d/iptables.conf +++ b/config/action.d/iptables.conf @@ -13,13 +13,13 @@ # actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN - iptables -I INPUT -p --dport -j fail2ban- + iptables -I -p --dport -j fail2ban- # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p --dport -j fail2ban- +actionstop = iptables -D -p --dport -j fail2ban- iptables -F fail2ban- iptables -X fail2ban- 
@@ -27,7 +27,7 @@ actionstop = iptables -D INPUT -p --dport -j fail2ban- # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban- +actioncheck = iptables -n -L | grep -q fail2ban- # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -67,3 +67,8 @@ port = ssh # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT From 02e7dfb099ca0e417f6fc1d5c5d2ad88b7eb4b55 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Wed, 23 Mar 2011 20:36:50 +0000 Subject: [PATCH 16/21] BF: allow space in the trailing of failregex for sasl.conf: see http://bugs.debian.org/573314 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@772 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- config/filter.d/sasl.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/sasl.conf b/config/filter.d/sasl.conf index 5cd8a6d5..e316605f 100644 --- a/config/filter.d/sasl.conf +++ b/config/filter.d/sasl.conf @@ -14,7 +14,7 @@ # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # -failregex = (?i): warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$ +failregex = (?i): warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. From 1cb48bbc96455ff2a0c510552a8a4a13b32881f8 Mon Sep 17 00:00:00 2001 
From: Yaroslav Halchenko Date: Wed, 23 Mar 2011 20:37:00 +0000 Subject: [PATCH 17/21] BF: escaping () in pure-ftpd filter. Thanks Teodor See http://bugs.debian.org/544744 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@773 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- config/filter.d/pure-ftpd.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/pure-ftpd.conf b/config/filter.d/pure-ftpd.conf index fbbfc2d1..345780dc 100644 --- a/config/filter.d/pure-ftpd.conf +++ b/config/filter.d/pure-ftpd.conf @@ -19,7 +19,7 @@ __errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'ut # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # -failregex = pure-ftpd(?:\[\d+\])?: (.+?@) \[WARNING\] %(__errmsg)s \[.+\]$ +failregex = pure-ftpd(?:\[\d+\])?: \(.+?@\) \[WARNING\] %(__errmsg)s \[.+\]\s*$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. From d4b89d8404485de0e47743752ae3a34e6b1cfa6d Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Wed, 23 Mar 2011 20:37:10 +0000 Subject: [PATCH 18/21] BF: Allow for trailing spaces in proftpd logs See http://bugs.debian.org/507986 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@774 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- config/filter.d/proftpd.conf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/config/filter.d/proftpd.conf b/config/filter.d/proftpd.conf index ec613b94..eb43a14d 100644 --- a/config/filter.d/proftpd.conf +++ b/config/filter.d/proftpd.conf 
@@ -14,10 +14,10 @@ # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # -failregex = \(\S+\[\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$ - \(\S+\[\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$ - \(\S+\[\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$ - \(\S+\[\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$ +failregex = \(\S+\[\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+ *$ + \(\S+\[\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\. *$ + \(\S+\[\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\. *$ + \(\S+\[\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. From eab9af9caa872ca0ebf080f07a1c359ee9ffa737 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Wed, 23 Mar 2011 20:37:19 +0000 Subject: [PATCH 19/21] BF: proftpd filter -- if login failed -- count regardless of the reason for failure git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@775 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- config/filter.d/proftpd.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/proftpd.conf b/config/filter.d/proftpd.conf index eb43a14d..55a15da9 100644 --- a/config/filter.d/proftpd.conf +++ b/config/filter.d/proftpd.conf @@ -15,7 +15,7 @@ # Values: TEXT # failregex = \(\S+\[\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+ *$ - \(\S+\[\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\. *$ + \(\S+\[\]\)[: -]+ USER \S+ \(Login failed\): .*$ \(\S+\[\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\. *$ \(\S+\[\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$ From 350c5f676b85cbdec7ac802220af72e88f45b0fc Mon Sep 17 00:00:00 2001 
From: Yaroslav Halchenko Date: Wed, 23 Mar 2011 16:56:57 -0400 Subject: [PATCH 20/21] debian/jail.conf: closing " for protocol specification not sure how it did not have any negative impact before :-/ --- debian/jail.conf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/debian/jail.conf b/debian/jail.conf index 10b7c3ca..258bbd7d 100644 --- a/debian/jail.conf +++ b/debian/jail.conf @@ -55,15 +55,15 @@ protocol = tcp # Action shortcuts. To be used to define action parameter # The simplest action to take: ban only -action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s] +action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"] # ban & send an e-mail with whois report to the destemail. -action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s] - %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s] +action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"] + %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s"] # ban & send an e-mail with whois report and relevant log lines # to the destemail. -action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s] +action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"] %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s] # Choose default action. To change, just override value of 'action' with the From 086176c4df3156358ececd14a94ab9f236a4d85d Mon Sep 17 00:00:00 2001 
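Review bot: The fix closes the missing quote on `protocol=` but leaves the neighbouring `logpath=%(logpath)s` in action_mwl as the only unquoted argument in these shortcuts; if the action argument parser splits unquoted values at whitespace, as the quoting of port and dest suggests, a logpath containing a space silently truncates the argument list. Suggest `%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath="%(logpath)s"]` for consistency. The same unquoted value survives in the @@ -51 hunk of PATCH 21/21.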
From: Yaroslav Halchenko Date: Wed, 23 Mar 2011 16:59:39 -0400 Subject: [PATCH 21/21] debian/jail.conf: got 'chain' parameter to be specified for iptables actions (Closes: #515599) + trailing whitespaces were removed Thanks to Christoph Anton Mitterer for the original bugreport raising the concern and Matthijs Kooijman for giving 'chains parameter' idea --- debian/jail.conf | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/debian/jail.conf b/debian/jail.conf index 258bbd7d..b07ccc6e 100644 --- a/debian/jail.conf +++ b/debian/jail.conf @@ -38,8 +38,8 @@ destemail = root@localhost # # Default banning action (e.g. iptables, iptables-new, -# iptables-multiport, shorewall, etc) It is used to define -# action_* variables. Can be overridden globally or per +# iptables-multiport, shorewall, etc) It is used to define +# action_* variables. Can be overridden globally or per # section within jail.local file banaction = iptables-multiport 
@@ -51,24 +51,27 @@ mta = sendmail # Default protocol protocol = tcp +# Specify chain where jumps would need to be added in iptables-* actions +chain = INPUT + # # Action shortcuts. To be used to define action parameter # The simplest action to take: ban only -action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"] +action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report to the destemail. -action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"] - %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s"] +action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report and relevant log lines # to the destemail. -action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"] - %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s] - +action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] + # Choose default action. To change, just override value of 'action' with the # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local -# globally (section [DEFAULT]) or per specific section +# globally (section [DEFAULT]) or per specific section action = %(action_)s # @@ -78,7 +81,7 @@ action = %(action_)s # Next jails corresponds to the standard configuration in Fail2ban 0.6 which # was shipped in Debian. Enable any defined here jail by including # -# [SECTION_NAME] +# [SECTION_NAME] # enabled = true #
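Review bot: `chain="%(chain)s"` is appended not only to the `%(banaction)s` entries that consume it but also to the `%(mta)s-whois` and `%(mta)s-whois-lines` mail actions, which have no chain option; as far as this series shows, an unknown action argument is simply carried along as an extra tag, so it is harmless, but it reads as if the mail actions touched iptables and doubles the places to edit when the parameter changes. Suggest passing `chain="%(chain)s"` only on the banaction lines. The value also reaches non-iptables banactions (the comment above lists shorewall); the new `# Specify chain ...` comment could say it is ignored by those.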