Merge branch 'debian' into debian-release

* debian: (21 commits) debian/jail.conf: got 'chain' parameter to be specified for iptables actions (Closes: #515599) debian/jail.conf: closing " for protocol specification BF: proftpd filter -- if login failed -- count regardless of the reason for failure BF: Allow for trailing spaces in proftpd logs BF: escaping () in pure-ftpd filter. Thanks Teodor BF: allow space in the trailing of failregex for sasl.conf: see http://bugs.debian.org/573314 ENH: add <chain> to action.d/iptables*. Thanks Matthijs Kooijman: see http://bugs.debian.org/515599 NF: Adding found on a drive filter.d/dovecot.conf ENH: make filter.d/apache-overflows.conf catch more: see http://bugs.debian.org/574182 ENH: dropbear filter: see http://bugs.debian.org/546913 BF: Use /var/run/fail2ban instead of /tmp for temp files in actions: see http://bugs.debian.org/544232 ENH: adjusted description for sasl jail (Closes: #615952) ENH: slight rewordings of the long description (Closes: #588176) debian/copyright: updated copyright years Boosted policy compliance version to 3.9.1 (no changes seems to be due) spellcheck jail.conf. Thanks Christoph Anton Mitterer spellcheck debian/jail.conf (Closes: #598206). Thanks Christoph Anton Mitterer debian: default ignoreip to ignore entire loopback zone (/8): see http://bugs.debian.org/598200 default ignoreip to ignore entire loopback zone (/8): see http://bugs.debian.org/598200 Tai64N stores time in GMT, we need to convert to local time before returning ...
2011-03-23 17:04:21 -04:00 · 2011-03-23 17:04:21 -04:00 · ba09fae1ac
parent 4c288cd156 086176c4df
commit ba09fae1ac
19 changed files with 165 additions and 54 deletions
--- a/config/action.d/dshield.conf
+++ b/config/action.d/dshield.conf
@ -206,5 +206,5 @@ dest = reports@dshield.org
 # Notes.:  Base name of temporary files used for buffering
 # Values:  [ STRING ]  Default: /tmp/fail2ban-dshield
 #
-tmpfile = /tmp/fail2ban-dshield
+tmpfile = /var/run/fail2ban/tmp-dshield

--- a/config/action.d/iptables-allports.conf
+++ b/config/action.d/iptables-allports.conf
@ -15,13 +15,13 @@
 #
 actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
-              iptables -I INPUT -p <protocol> -j fail2ban-<name>
+              iptables -I <chain> -p <protocol> -j fail2ban-<name>

 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D INPUT -p <protocol> -j fail2ban-<name>
+actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

@ -29,7 +29,7 @@ actionstop = iptables -D INPUT -p <protocol> -j fail2ban-<name>
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
-actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
+actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>

 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@ -63,3 +63,8 @@ name = default
 #
 protocol = tcp

+# Option:  chain
+# Notes    specifies the iptables chain to which the fail2ban rules should be
+#          added
+# Values:  STRING  Default: INPUT
+chain = INPUT
--- a/config/action.d/iptables-multiport-log.conf
+++ b/config/action.d/iptables-multiport-log.conf
@ -5,7 +5,7 @@
 #
 # make "fail2ban-<name>" chain to match drop IP
 # make "fail2ban-<name>-log" chain to log and drop
-# insert a jump to fail2ban-<name> from -I INPUT if proto/port match
+# insert a jump to fail2ban-<name> from -I <chain> if proto/port match
 #
 # $Revision: 668 $
 #
@ -18,7 +18,7 @@
 #
 actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
-              iptables -I INPUT 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+              iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              iptables -N fail2ban-<name>-log
              iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
              iptables -A fail2ban-<name>-log -j DROP
@ -27,7 +27,7 @@ actionstart = iptables -N fail2ban-<name>
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -F fail2ban-<name>-log
             iptables -X fail2ban-<name>
@ -76,3 +76,9 @@ port = ssh
 # Values:  [ tcp | udp | icmp | all ] Default: tcp
 #
 protocol = tcp
+
+# Option:  chain
+# Notes    specifies the iptables chain to which the fail2ban rules should be
+#          added
+# Values:  STRING  Default: INPUT
+chain = INPUT
--- a/config/action.d/iptables-multiport.conf
+++ b/config/action.d/iptables-multiport.conf
@ -13,13 +13,13 @@
 #
 actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
-              iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>

 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

@ -27,7 +27,7 @@ actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fai
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
-actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
+actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>

 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@ -67,3 +67,8 @@ port = ssh
 #
 protocol = tcp

+# Option:  chain
+# Notes    specifies the iptables chain to which the fail2ban rules should be
+#          added
+# Values:  STRING  Default: INPUT
+chain = INPUT
--- a/config/action.d/iptables-new.conf
+++ b/config/action.d/iptables-new.conf
@ -15,13 +15,13 @@
 #
 actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
-              iptables -I INPUT -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+              iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>

 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D INPUT -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+actionstop = iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

@ -29,7 +29,7 @@ actionstop = iptables -D INPUT -m state --state NEW -p <protocol> --dport <port>
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
-actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
+actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>

 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@ -69,3 +69,8 @@ port = ssh
 #
 protocol = tcp

+# Option:  chain
+# Notes    specifies the iptables chain to which the fail2ban rules should be
+#          added
+# Values:  STRING  Default: INPUT
+chain = INPUT
--- a/config/action.d/iptables.conf
+++ b/config/action.d/iptables.conf
@ -13,13 +13,13 @@
 #
 actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
-              iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
+              iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>

 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
+actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

@ -27,7 +27,7 @@ actionstop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
-actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
+actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>

 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@ -67,3 +67,8 @@ port = ssh
 #
 protocol = tcp

+# Option:  chain
+# Notes    specifies the iptables chain to which the fail2ban rules should be
+#          added
+# Values:  STRING  Default: INPUT
+chain = INPUT
--- a/config/action.d/mail-buffered.conf
+++ b/config/action.d/mail-buffered.conf
@ -81,7 +81,7 @@ lines = 5

 # Default temporary file
 #
-tmpfile = /tmp/fail2ban-mail.txt
+tmpfile = /var/run/fail2ban/tmp-mail.txt

 # Destination/Addressee of the mail
 #
--- a/config/action.d/mynetwatchman.conf
+++ b/config/action.d/mynetwatchman.conf
@ -141,4 +141,4 @@ mnwurl = http://mynetwatchman.com/insertwebreport.asp
 # Notes.:  Base name of temporary files
 # Values:  [ STRING ]  Default: /tmp/fail2ban-mynetwatchman
 #
-tmpfile = /tmp/fail2ban-mynetwatchman
+tmpfile = /var/run/fail2ban/tmp-mynetwatchman
--- a/config/action.d/sendmail-buffered.conf
+++ b/config/action.d/sendmail-buffered.conf
@ -101,5 +101,5 @@ lines = 5

 # Default temporary file
 #
-tmpfile = /tmp/fail2ban-mail.txt
+tmpfile = /var/run/fail2ban/tmp-mail.txt

--- a/config/filter.d/apache-overflows.conf
+++ b/config/filter.d/apache-overflows.conf
@ -11,7 +11,7 @@
 # Notes.:  Regexp to catch Apache overflow attempts.
 # Values:  TEXT
 #
-failregex = [[]client <HOST>[]] (Invalid method in request|request failed: URI too long|erroneous characters after protocol string)
+failregex = [[]client <HOST>[]] (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string)

 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/config/filter.d/dovecot.conf
+++ b/config/filter.d/dovecot.conf
@ -0,0 +1,23 @@
+# Fail2Ban configuration file for dovcot
+#
+# Author: 
+#
+# $Revision: $
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = .*(?: pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 
--- a/config/filter.d/dropbear.conf
+++ b/config/filter.d/dropbear.conf
@ -0,0 +1,52 @@
+# Fail2Ban configuration file
+#
+# Author: Francis Russell
+#         Zak B. Elep
+#
+# $Revision$
+#
+# More information: http://bugs.debian.org/546913
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = dropbear
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>\S+)
+# Values:  TEXT
+
+# These match the unmodified dropbear messages. It isn't possible to
+# match the source of the 'exit before auth' messages from dropbear.
+#
+failregex = ^%(__prefix_line)slogin attempt for nonexistent user ('.*' )?from <HOST>:.*\s*$
+            ^%(__prefix_line)sbad password attempt for .+ from <HOST>:.*\s*$
+
+# The only line we need to match with the modified dropbear.
+
+# NOTE: The failregex below is ONLY intended to work with a patched
+# version of Dropbear as described here:
+# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
+#
+# The standard Dropbear output doesn't provide enough information to
+# ban all types of attack.  The Dropbear patch adds IP address
+# information to the 'exit before auth' message which is always
+# produced for any form of non-successful login. It is that message
+# which this file matches.
+
+# failregex = ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 
--- a/config/filter.d/sasl.conf
+++ b/config/filter.d/sasl.conf
@ -14,7 +14,7 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values: TEXT
 #
-failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
+failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?$

 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
--- a/config/jail.conf
+++ b/config/jail.conf
@ -5,7 +5,7 @@
 # $Revision: 747 $
 #

-# The DEFAULT allows a global definition of the options. They can be override
+# The DEFAULT allows a global definition of the options. They can be overridden
 # in each jail afterwards.

 [DEFAULT]
@ -13,7 +13,7 @@
 # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
 # ban a host which matches an address in this list. Several addresses can be
 # defined using space separator.
-ignoreip = 127.0.0.1
+ignoreip = 127.0.0.1/8

 # "bantime" is the number of seconds that a host is banned.
 bantime  = 600
@ -212,7 +212,7 @@ ignoreip = 168.192.0.1
 # This jail blocks UDP traffic for DNS requests.

 # !!! WARNING !!!
-#   Since UDP is connectionless protocol, spoofing of IP and immitation
+#   Since UDP is connection-less protocol, spoofing of IP and imitation
 #   of illegal actions is way too simple.  Thus enabling of this filter
 #   might provide an easy way for implementing a DoS against a chosen
 #   victim. See
--- a/debian/control
+++ b/debian/control
@ -8,7 +8,7 @@ XS-Python-Version: current, >= 2.4
 Homepage: http://www.fail2ban.org
 Vcs-Browser: http://git.onerussian.com/?p=deb/fail2ban.git
 Vcs-git: git://git.onerussian.com/deb/fail2ban.git
-Standards-Version: 3.8.4
+Standards-Version: 3.9.1


 Package: fail2ban
@ -17,16 +17,17 @@ Depends: ${python:Depends}, ${misc:Depends}, lsb-base (>=2.0-7)
 Recommends: iptables, whois
 Suggests: python-gamin, mailx
 XB-Python-Version: ${python:Versions}
-Description: bans IPs that cause multiple authentication errors
- Monitors log files (e.g. /var/log/auth.log,
+Description: ban hosts that cause multiple authentication errors
+ Fail2ban monitors log files (e.g. /var/log/auth.log,
 /var/log/apache/access.log) and temporarily or persistently bans
- failure-prone addresses by updating existing firewall rules. The
- software was completely rewritten at version 0.7.0 and now allows
+ failure-prone addresses by updating existing firewall rules.  Fail2ban allows
 easy specification of different actions to be taken such as to ban an
 IP using iptables or hostsdeny rules, or simply to send a
- notification email. Currently, by default, supports ssh/apache/vsftpd
- but configuration can be easily extended for monitoring any other ASCII
- file. All filters and actions are given in the config files, thus
- fail2ban can be adopted to be used with a variety of files and
- firewalls.
+ notification email.
+ .
+ By default, it comes with filter expressions for various services
+ (sshd, apache, qmail, proftpd, sasl etc.) but configuration can be
+ easily extended for monitoring any other text file.  All filters and
+ actions are given in the config files, thus fail2ban can be adopted
+ to be used with a variety of files and firewalls.

--- a/debian/copyright
+++ b/debian/copyright
@ -6,7 +6,7 @@ It was downloaded from http://www.sourceforge.net/projects/fail2ban
 Author: Cyril Jaquier: <lostcontrol@users.sourceforge.net>
        http://fail2ban.sourceforge.net

-Copyright: 2004, 2005, 2006, 2007 Cyril Jaquier
+Copyright: 2004-2009 Cyril Jaquier

 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@ -26,6 +26,6 @@ MA 02110-1301, USA.
 On Debian systems, the complete text of the GNU General Public
 License, version 2, can be found in /usr/share/common-licenses/GPL-2.

-The Debian packaging is (C) 2006, Yaroslav Halchenko <debian@onerussian.com>
+The Debian packaging is (C) 2006-2011, Yaroslav Halchenko <debian@onerussian.com>
 and is licensed under the GPL, see above.

--- a/debian/jail.conf
+++ b/debian/jail.conf
@ -12,13 +12,13 @@
 # $Revision: 281 $
 #

-# The DEFAULT allows a global definition of the options. They can be override
+# The DEFAULT allows a global definition of the options. They can be overridden
 # in each jail afterwards.

 [DEFAULT]

 # "ignoreip" can be an IP address, a CIDR mask or a DNS host
-ignoreip = 127.0.0.1
+ignoreip = 127.0.0.1/8
 bantime  = 600
 maxretry = 3

@ -39,7 +39,7 @@ destemail = root@localhost

 # Default banning action (e.g. iptables, iptables-new,
 # iptables-multiport, shorewall, etc) It is used to define
-# action_* variables. Can be overriden globally or per 
+# action_* variables. Can be overridden globally or per
 # section within jail.local file
 banaction = iptables-multiport

@ -51,20 +51,23 @@ mta = sendmail
 # Default protocol
 protocol = tcp

+# Specify chain where jumps would need to be added in iptables-* actions
+chain = INPUT
+
 #
 # Action shortcuts. To be used to define action parameter

 # The simplest action to take: ban only
-action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
+action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

 # ban & send an e-mail with whois report to the destemail.
-action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
-              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]
+action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

 # ban & send an e-mail with whois report and relevant log lines
 # to the destemail.
-action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
-               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
+action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

 # Choose default action.  To change, just override value of 'action' with the
 # interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
@ -238,8 +241,9 @@ logpath  = /var/log/mail.log
 enabled  = false
 port	 = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
 filter   = sasl
-# You might consider monitoring /var/log/warn.log instead
-# if you are running postfix. See http://bugs.debian.org/507990
+# You might consider monitoring /var/log/mail.warn instead if you are
+# running postfix since it would provide the same log lines at the
+# "warn" level but overall at the smaller filesize.
 logpath  = /var/log/mail.log


@ -263,7 +267,7 @@ logpath  = /var/log/mail.log
 # in your named.conf to provide proper logging

 # !!! WARNING !!!
-#   Since UDP is connectionless protocol, spoofing of IP and immitation
+#   Since UDP is connection-less protocol, spoofing of IP and imitation
 #   of illegal actions is way too simple.  Thus enabling of this filter
 #   might provide an easy way for implementing a DoS against a chosen
 #   victim. See
--- a/server/datetemplate.py
+++ b/server/datetemplate.py
@ -1,4 +1,4 @@
-# -*- coding: utf8 -*-
+# -*- coding: utf-8 -*-
 # This file is part of Fail2Ban.
 #
 # Fail2Ban is free software; you can redistribute it and/or modify
@ -168,7 +168,8 @@ class DateTai64n(DateTemplate):
 			# extract part of format which represents seconds since epoch
 			value = dateMatch.group()
 			seconds_since_epoch = value[2:17]
-			date = list(time.gmtime(int(seconds_since_epoch, 16)))
+			# convert seconds from HEX into local time stamp
+			date = list(time.localtime(int(seconds_since_epoch, 16)))
 		return date


--- a/server/filter.py
+++ b/server/filter.py
@ -268,7 +268,11 @@ class Filter(JailThread):
 		for element in self.processLine(line):
 			ip = element[0]
 			unixTime = element[1]
+			logSys.debug("Processing line with time:%s and ip:%s"
+						 % (unixTime, ip))
 			if unixTime < MyTime.time() - self.getFindTime():
+				logSys.debug("Ignore line since time %s < %s - %s"
+							 % (unixTime, MyTime.time(), self.getFindTime()))
 				break
 			if self.inIgnoreIPList(ip):
 				logSys.debug("Ignore %s" % ip)