Upgraded to fresh upstream 0.8.1

debian-upstream sdist/0.8.1
Yaroslav Halchenko 2007-10-16 17:01:23 -04:00
commit bce05a1285
32 changed files with 843 additions and 98 deletions


@ -4,9 +4,34 @@
|_| \__,_|_|_/___|_.__/\__,_|_||_|
=============================================================
Fail2Ban (version 0.8.0) 2007/05/03
Fail2Ban (version 0.8.1) 2007/08/14
=============================================================
ver. 0.8.1 (2007/08/14) - stable
----------
- Fixed vulnerability in sshd.conf. Thanks to Daniel B. Cid
- Expand <HOST> in ignoreregex. Thanks to Yaroslav Halchenko
- Improved regular expressions. Thanks to Yaroslav Halchenko
and others
- Added sendmail actions. The action started with "mail" are
now deprecated. Thanks to Raphaël Marichez
- Added "ignoreregex" support to fail2ban-regex
- Updated suse-initd and added it to MANIFEST. Thanks to
Christian Rauch
- Tightening up the pid check in redhat-initd. Thanks to
David Nutter
- Added webmin authentication filter. Thanks to Guillaume
Delvit
- Removed textToDns() which is not required anymore. Thanks
to Yaroslav Halchenko
- Added new action iptables-allports. Thanks to Yaroslav
Halchenko
- Added "named" date format to date detector. Thanks to
Yaroslav Halchenko
- Added filter file for named (bind9). Thanks to Yaroslav
Halchenko
- Fixed vsftpd filter. Thanks to Yaroslav Halchenko
ver. 0.8.0 (2007/05/03) - stable
----------
- Fixed RedHat init script. Thanks to Jonathan Underwood


@ -1,6 +1,6 @@
Metadata-Version: 1.0
Name: fail2ban
Version: 0.8.0
Version: 0.8.1
Summary: Ban IPs that make too many password failure
Home-page: http://fail2ban.sourceforge.net
Author: Cyril Jaquier

10
README

@ -4,7 +4,7 @@
|_| \__,_|_|_/___|_.__/\__,_|_||_|
=============================================================
Fail2Ban (version 0.8.0) 2007/05/03
Fail2Ban (version 0.8.1) 2007/08/14
=============================================================
Fail2Ban scans log files like /var/log/pwdfail and bans IP
@ -28,8 +28,8 @@ Optional:
To install, just do:
> tar xvfj fail2ban-0.8.0.tar.bz2
> cd fail2ban-0.8.0
> tar xvfj fail2ban-0.8.1.tar.bz2
> cd fail2ban-0.8.1
> python setup.py install
This will install Fail2Ban into /usr/share/fail2ban. The
@ -73,7 +73,9 @@ Jonathan Kamens, Stephen Gildea, Markus Hoffmann, Mark
Edgington, Patrick Börjesson, kojiro, zugeschmiert, Tyler,
Nick Munger, Christoph Haas, Justin Shore, Joël Bertrand,
René Berber, mEDI, Axel Thimm, Eric Gerbier, Christian Rauch,
Michael C. Haller, Jonathan Underwood, Hanno 'Rince' Wagner
Michael C. Haller, Jonathan Underwood, Hanno 'Rince' Wagner,
Daniel B. Cid, David Nutter, Raphaël Marichez, Guillaume
Delvit, Vaclav Misek
License:
--------


@ -16,12 +16,12 @@
# Author: Cyril Jaquier
#
# $Revision: 578 $
# $Revision: 614 $
__author__ = "Cyril Jaquier"
__version__ = "$Revision: 578 $"
__date__ = "$Date: 2007-05-03 22:30:28 +0200 (Thu, 03 May 2007) $"
__version__ = "$Revision: 614 $"
__date__ = "$Date: 2007-08-14 23:39:15 +0200 (Tue, 14 Aug 2007) $"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"
version = "0.8.0"
version = "0.8.1"


@ -0,0 +1,65 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
# made active on all ports from original iptables.conf
#
# $Revision: 606 $
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> -j fail2ban-<name>
# Option: actionend
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D INPUT -p <protocol> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
[Init]
# Defaut name of the chain
#
name = default
# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp
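Review bot: With the default `protocol = tcp` on the last line, the jump that `actionstart` installs (`iptables -I INPUT -p <protocol> -j fail2ban-<name>`) only routes TCP through the ban chain, so a banned host's UDP and ICMP traffic still passes even though the file name and header comment promise "all ports"; a jail has to pass `protocol=all` to get a full block, and that deserves a comment next to the option, e.g. `# Pass protocol=all from the jail to block every protocol, not just every port.` The `actioncheck` line `iptables -n -L INPUT | grep -q fail2ban-<name>` is an unanchored substring test, so a chain whose name merely starts with `fail2ban-<name>` (say `fail2ban-SSH-ddos` for a jail named `SSH`) satisfies it while this jail's own jump rule is missing. Pinning the match to the target column, `actioncheck = iptables -n -L INPUT | grep -q 'fail2ban-<name>[[:space:]]'`, closes that gap.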


@ -12,7 +12,7 @@
# Values: CMD
#
actionstart = echo -en "Hi,\n
The jail <name> has been started successfuly.\n
The jail <name> has been started successfully.\n
Output will be buffered until <lines> lines are available.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>


@ -2,7 +2,7 @@
#
# Author: Cyril Jaquier
# Modified-By: Yaroslav Halchenko to include grepping on IP over log files
# $Revision: 520 $
# $Revision: 595 $
#
[Definition]
@ -12,7 +12,7 @@
# Values: CMD
#
actionstart = echo -en "Hi,\n
The jail <name> has been started successfuly.\n
The jail <name> has been started successfully.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>


@ -2,7 +2,7 @@
#
# Author: Cyril Jaquier
#
# $Revision: 510 $
# $Revision: 595 $
#
[Definition]
@ -12,7 +12,7 @@
# Values: CMD
#
actionstart = echo -en "Hi,\n
The jail <name> has been started successfuly.\n
The jail <name> has been started successfully.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>


@ -2,7 +2,7 @@
#
# Author: Cyril Jaquier
#
# $Revision: 510 $
# $Revision: 595 $
#
[Definition]
@ -12,7 +12,7 @@
# Values: CMD
#
actionstart = echo -en "Hi,\n
The jail <name> has been started successfuly.\n
The jail <name> has been started successfully.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>


@ -0,0 +1,105 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 604 $
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = echo -en "Subject: [Fail2Ban] <name>: started
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
The jail <name> has been started successfully.\n
Output will be buffered until <lines> lines are available.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
# Option: actionend
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = if [ -f <tmpfile> ]; then
echo -en "Subject: [Fail2Ban] <name>: summary
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
These hosts have been banned by Fail2Ban.\n
`cat <tmpfile>`
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
rm <tmpfile>
fi
echo -en "Subject: [Fail2Ban] <name>: stopped
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = echo `date`": <ip> (<failures> failures)" >> <tmpfile>
LINE=$( wc -l <tmpfile> | awk '{ print $1 }' )
if [ $LINE -eq <lines> ]; then
echo -en "Subject: [Fail2Ban] <name>: summary
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
These hosts have been banned by Fail2Ban.\n
`cat <tmpfile>`
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
rm <tmpfile>
fi
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban =
[Init]
# Defaut name of the chain
#
name = default
# Destination/Addressee of the mail
#
dest = root
# Sender of the mail
#
sender = fail2ban
# Default number of lines that are buffered
#
lines = 5
# Default temporary file
#
tmpfile = /tmp/fail2ban-mail.txt
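Review bot: `tmpfile = /tmp/fail2ban-mail.txt` is a fixed name in a world-writable directory that `actionban` appends to with `>>` and that `actionban`/`actionstop` `rm`, and the option notes themselves say these commands run with Fail2Ban's (normally root's) rights; a local user who pre-creates that path as a symlink gets root to append `date: <ip> (... failures)` lines to, or delete, a file of their choosing. The default is also shared by every jail that uses this action, so two such jails interleave their ban lists into one summary. Point it at a root-only directory with a per-jail name, e.g. `tmpfile = /var/run/fail2ban/mail-<name>.txt` (wherever the daemon keeps its own runtime files), and change the flush test in `actionban` to `if [ $LINE -ge <lines> ]; then` so a file that already holds more than `<lines>` lines (left over from a crash, or after `lines` was lowered) is still mailed and removed instead of growing forever under the `-eq` test.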


@ -0,0 +1,88 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 595 $
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = echo -en "Subject: [Fail2Ban] <name>: started
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
# Option: actionend
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = echo -en "Subject: [Fail2Ban] <name>: stopped
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = echo -en "Subject: [Fail2Ban] <name>: banned <ip>
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
Here are more information about <ip>:\n
`/usr/bin/whois <ip>`\n\n
Lines containing IP:<ip> in <logpath>\n
`/bin/grep '\<<ip>\>' <logpath>`\n\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban =
[Init]
# Defaut name of the chain
#
name = default
# Destination/Addressee of the mail
#
dest = root
# Sender of the mail
#
sender = fail2ban
# Path to the log files which contain relevant lines for the abuser IP
#
logpath = /dev/null
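Review bot: In `actionban` the output of `/bin/grep '\<<ip>\>' <logpath>` — log lines that contain whatever login name or banner the remote side chose to send — is spliced into the argument of `echo -en`, so backslash sequences in an attacker-supplied username are interpreted while the mail is being built (`\n` adds lines, and on echo implementations that honour `\c` the rest of the message is dropped). The same applies to the whois output and to `<ip>` itself, which also lands on the Subject line; whether `<ip>` is guaranteed to be a validated address by the time it reaches an action is not visible in this hunk, so I would not rely on it for header safety. The dots in `<ip>` are also regex metacharacters in that grep, so `1.2.3.4` matches `1x2x3x4` as well. Writing the fixed text with `printf` and letting whois and grep write straight into the pipe keeps the untrusted bytes out of escape processing; the rewritten action below does that and switches the grep to a fixed-string, whole-word match (the `<ip>` tag itself still sits inside a format string, so its validation remains a question for the code that fills the tag).

```ini
actionban = { printf 'Subject: [Fail2Ban] <name>: banned <ip>\nFrom: Fail2Ban <<sender>>\nTo: <dest>\n\n'
              printf 'Hi,\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\n\n'
              printf 'Here are more information about <ip>:\n'
              /usr/bin/whois <ip>
              printf '\nLines containing IP:<ip> in <logpath>\n'
              /bin/grep -F -w -- '<ip>' <logpath>
              printf '\nRegards,\nFail2Ban\n'
            } | /usr/sbin/sendmail -f <sender> <dest>
```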


@ -0,0 +1,82 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 595 $
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = echo -en "Subject: [Fail2Ban] <name>: started
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
# Option: actionend
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = echo -en "Subject: [Fail2Ban] <name>: stopped
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = echo -en "Subject: [Fail2Ban] <name>: banned <ip>
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
Here are more information about <ip>:\n
`/usr/bin/whois <ip>`\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban =
[Init]
# Defaut name of the chain
#
name = default
# Destination/Addressee of the mail
#
dest = root
# Sender of the mail
#
sender = fail2ban
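Review bot: `actionban` runs `/usr/bin/whois <ip>` synchronously for every ban, as root and against a remote registry, so an unreachable or rate-limiting whois server stalls the action until the lookup times out, and whatever the registry returns is then passed through `echo -en`, which interprets backslash escapes in that text. If the actions of a jail execute in sequence (not visible here), a slow whois also delays any firewall action queued behind it. A hint in the header would help admins choose, e.g. `# A whois lookup is performed for every ban; use sendmail.conf where outbound whois is slow or blocked.`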


@ -0,0 +1,80 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 595 $
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = echo -en "Subject: [Fail2Ban] <name>: started
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
# Option: actionend
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = echo -en "Subject: [Fail2Ban] <name>: stopped
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = echo -en "Subject: [Fail2Ban] <name>: banned <ip>
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban =
[Init]
# Defaut name of the chain
#
name = default
# Destination/Addressee of the mail
#
dest = root
# Sender of the mail
#
sender = fail2ban


@ -0,0 +1,34 @@
# Fail2Ban configuration file for named (bind9). Trying to generalize the
# structure which is general to capture general patterns in log
# lines to cover different configurations/distributions
#
# Author: Yaroslav Halchenko
#
# $Revision: 608 $
#
[Definition]
# if you want to catch only login erros from specific daemons, use smth like
#_named_rcodes=(?:REFUSED|SERVFAIL)
# To catch all REFUSED queries only
_named_rcodes=REFUSED
_daemon=named
#
# Shortcuts for easier comprehension of the failregex
__pid_re=(?:\[\d+\])
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
# hostname daemon_id spaces
# this can be optional (for instance if we match named native log files)
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = %(__line_prefix)sunexpected RCODE \(%(_named_rcodes)s\) resolving '.*': <HOST>#\S+$
%(__line_prefix)sclient <HOST>#\S+: query(?: \(cache\))? '.*' denied\s*$
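Review bot: The first `failregex` line pulls `<HOST>` from `unexpected RCODE (REFUSED) resolving '...': <HOST>#port`, and as far as that message text goes the host is the remote nameserver that answered this server's own recursive query, not a client sending queries here; banning it cuts this resolver off from a third-party DNS server, and anyone who can make the resolver look up a name delegated to a server that answers REFUSED can get that server banned. The `client <HOST>#\S+: query ... denied` line is the one that names an actual client. Unless lame-server entries are known to carry attacker addresses in some deployment, I would keep only that line, `failregex = %(__line_prefix)sclient <HOST>#\S+: query(?: \(cache\))? '.*' denied\s*$`, and leave a comment explaining why the RCODE pattern was dropped.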


@ -2,7 +2,7 @@
#
# Author: Yaroslav Halchenko
#
# $Revision: 510 $
# $Revision: 603 $
#
[Definition]
@ -15,6 +15,7 @@
# Values: TEXT
#
failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$
\(\S*\[<HOST>\]\) - USER \S+ \(Login failed\): Incorrect password.$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.


@ -19,7 +19,7 @@ __errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'ut
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = pure-ftpd: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$
failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.


@ -2,7 +2,7 @@
#
# Author: Yaroslav Halchenko
#
# $Revision: 510 $
# $Revision: 592 $
#
[Definition]
@ -14,7 +14,7 @@
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = sshd\[\S*\]: Did not receive identification string from <HOST>
failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.


@ -2,7 +2,7 @@
#
# Author: Cyril Jaquier
#
# $Revision: 551 $
# $Revision: 613 $
#
[Definition]
@ -14,10 +14,12 @@
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = Authentication failure for .* from <HOST>
Failed [-/\w]+ for .* from <HOST>
ROOT LOGIN REFUSED .* FROM <HOST>
[iI](?:llegal|nvalid) user .* from <HOST>
failregex = (?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
Failed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
ROOT LOGIN REFUSED.* FROM <HOST>\s*$
[iI](?:llegal|nvalid) user .* from <HOST>\s*$
User .+ from <HOST> not allowed because not listed in AllowUsers\s*$
User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
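Review bot: Every new `failregex` still takes `<HOST>` as `\S+` (the alias spelled out in the comment above), so a reverse-resolved hostname is accepted wherever sshd logs one; the `Authentication failure for ... from <HOST>` form in particular is a PAM-style message that, depending on sshd and PAM configuration (not visible here), often carries the peer's PTR name rather than its address, and the peer controls that record. Whoever later resolves that name decides which address gets banned, which lets an attacker steer a ban onto a third party. The `\s*$` anchoring added here is the right fix for the "username containing ` from 1.2.3.4`" injection, but it does not cover this case; a header comment such as `# <HOST> may be a hostname on PAM lines; make sshd log addresses (UseDNS no) before relying on this filter` would at least make the dependency explicit.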


@ -2,7 +2,7 @@
#
# Author: Cyril Jaquier
#
# $Revision: 534 $
# $Revision: 610 $
#
[Definition]
@ -14,8 +14,8 @@
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = vsftpd: .* authentication failure; .* rhost=<HOST>$
\[.+\] FAIL LOGIN: Client "<HOST>"$
failregex = vsftpd(?:\[\d+\])?: .* authentication failure; .* rhost=<HOST>\s*$
\[.+\] FAIL LOGIN: Client "<HOST>"\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.


@ -0,0 +1,28 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Rule by : Delvit Guillaume
#
# $Revision: 601 $
#
[Definition]
# patern : webmin[15673]: Non-existent login as toto from 86.0.6.217
# webmin[29544]: Invalid login as root from 86.0.6.217
#
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = webmin.* Non-existent login as .+ from <HOST>$
webmin.* Invalid login as .+ from <HOST>$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
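Review bot: Both `failregex` lines start with `webmin.*`, which lets any text between `webmin` and the message stand in for the `[pid]:` prefix and makes the pattern match anywhere such a substring appears, while the other filters touched in this commit moved to the tighter `name(?:\[\d+\])?:` prefix and `\s*$` tail. For consistency and to match the sample lines quoted in the header: `failregex = webmin(?:\[\d+\])?: Non-existent login as .+ from <HOST>\s*$` and `webmin(?:\[\d+\])?: Invalid login as .+ from <HOST>\s*$`. The header comment also reads "patern" for "pattern".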


@ -2,7 +2,7 @@
#
# Author: Yaroslav Halchenko
#
# $Revision: $
# $Revision: 592 $
#
[Definition]
@ -11,4 +11,4 @@
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT
#
failregex = wu-ftpd\[\d+\]:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>
failregex = wu-ftpd(?:\[\d+\])?:\s+\(pam_unix\)\s+authentication failure.* rhost=<HOST>$


@ -2,7 +2,7 @@
#
# Author: Cyril Jaquier
#
# $Revision: 552 $
# $Revision: 611 $
#
# The DEFAULT allows a global definition of the options. They can be override
@ -45,7 +45,7 @@ backend = auto
enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
mail-whois[name=SSH, dest=yourmail@mail.com]
sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
logpath = /var/log/sshd.log
maxretry = 5
@ -54,7 +54,7 @@ maxretry = 5
enabled = false
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
mail-whois[name=ProFTPD, dest=yourmail@mail.com]
sendmail-whois[name=ProFTPD, dest=you@mail.com]
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
@ -66,7 +66,7 @@ enabled = false
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
mail-whois[name=sasl, dest=yourmail@mail.com]
sendmail-whois[name=sasl, dest=you@mail.com]
logpath = /var/log/mail.log
# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
@ -77,7 +77,7 @@ logpath = /var/log/mail.log
enabled = false
filter = sshd
action = hostsdeny
mail-whois[name=SSH, dest=yourmail@mail.com]
sendmail-whois[name=SSH, dest=you@mail.com]
ignoreregex = for myuser from
logpath = /var/log/sshd.log
@ -101,7 +101,7 @@ maxretry = 6
enabled = false
filter = postfix
action = hostsdeny[file=/not/a/standard/path/hosts.deny]
mail[name=Postfix, dest=yourmail@mail.com]
sendmail[name=Postfix, dest=you@mail.com]
logpath = /var/log/postfix.log
bantime = 300
@ -112,7 +112,7 @@ bantime = 300
enabled = false
filter = vsftpd
action = mail-whois[name=VSFTPD, dest=yourmail@mail.com]
action = sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800
@ -124,7 +124,7 @@ bantime = 1800
enabled = false
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
mail-whois[name=VSFTPD, dest=yourmail@mail.com]
sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800
@ -137,7 +137,7 @@ bantime = 1800
enabled = false
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
mail-buffered[name=BadBots, lines=5, dest=yourmail@mail.com]
sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
logpath = /var/www/*/logs/access_log
bantime = 172800
maxretry = 1
@ -149,7 +149,7 @@ maxretry = 1
enabled = false
filter = apache-noscript
action = shorewall
mail[name=Postfix, dest=yourmail@mail.com]
sendmail[name=Postfix, dest=you@mail.com]
logpath = /var/log/apache2/error_log
# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
@ -162,6 +162,44 @@ logpath = /var/log/apache2/error_log
enabled = false
filter = sshd
action = ipfw[localhost=192.168.0.1]
mail-whois[name="SSH,IPFW", dest=yourmail@mail.com]
sendmail-whois[name="SSH,IPFW", dest=you@mail.com]
logpath = /var/log/auth.log
ignoreip = 168.192.0.1
# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
# channel lame-servers_file {
# file "/var/log/named/lame-servers.log" versions 3 size 30m;
# severity dynamic;
# print-time yes;
# };
# category lame-servers {
# lame-servers_file;
# };
# }
#
# in your named.conf to provide proper logging.
# This jail blocks UDP traffic for DNS requests.
[named-refused-udp]
enabled = false
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
sendmail-whois[name=Named, dest=you@mail.com]
logpath = /var/log/named/lame-servers.log
ignoreip = 168.192.0.1
# This jail blocks TCP traffic for DNS requests.
[named-refused-tcp]
enabled = false
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
sendmail-whois[name=Named, dest=you@mail.com]
logpath = /var/log/named/lame-servers.log
ignoreip = 168.192.0.1
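Review bot: The three `ignoreip = 168.192.0.1` lines (the ipfw jail and both new named jails) name an address outside the RFC 1918 ranges; given the ipfw example's `localhost=192.168.0.1` a few lines up, `192.168.0.1` looks intended, and since `ignoreip` is the whitelist the transposition only leaves the admin's own host unexempted, but copying it into the new jails spreads the typo. Separately, `[named-refused-udp]` and `[named-refused-tcp]` both pass `name=Named` to `iptables-multiport`; if that action creates and deletes a `fail2ban-<name>` chain the way `iptables-allports` in this commit does, the second jail's chain creation fails and stopping either jail removes the chain the other still jumps to. Distinct names such as `name=Named-udp` and `name=Named-tcp` avoid that.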


@ -17,11 +17,11 @@
# Author: Cyril Jaquier
#
# $Revision: 530 $
# $Revision: 596 $
__author__ = "Cyril Jaquier"
__version__ = "$Revision: 530 $"
__date__ = "$Date: 2007-01-29 21:31:04 +0100 (Mon, 29 Jan 2007) $"
__version__ = "$Revision: 596 $"
__date__ = "$Date: 2007-07-10 21:54:01 +0200 (Tue, 10 Jul 2007) $"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"
@ -68,6 +68,7 @@ class Fail2banRegex:
def __init__(self):
self.__filter = Filter(None)
self.__ignoreregex = list()
self.__failregex = list()
# Setup logging
logging.getLogger("fail2ban").handlers = []
@ -92,7 +93,7 @@ class Fail2banRegex:
@staticmethod
def dispUsage():
print "Usage: "+sys.argv[0]+" [OPTIONS] <LOG> <REGEX>"
print "Usage: "+sys.argv[0]+" [OPTIONS] <LOG> <REGEX> [IGNOREREGEX]"
print
print "Fail2Ban v" + version + " reads log file that contains password failure report"
print "and bans the corresponding IP addresses using firewall rules."
@ -111,6 +112,10 @@ class Fail2banRegex:
print " string a string representing a 'failregex'"
print " filename path to a filter file (filter.d/sshd.conf)"
print
print "IgnoreRegex:"
print " string a string representing an 'ignoreregex'"
print " filename path to a filter file (filter.d/sshd.conf)"
print
print "Report bugs to <lostcontrol@users.sourceforge.net>"
def getCmdLineOptions(self, optList):
@ -128,6 +133,35 @@ class Fail2banRegex:
def logIsFile(value):
return os.path.isfile(value)
def readIgnoreRegex(self, value):
if os.path.isfile(value):
reader = SafeConfigParser()
try:
reader.read(value)
print "Use ignoreregex file : " + value
self.__ignoreregex = [RegexStat(m)
for m in reader.get("Definition", "ignoreregex").split('\n')]
except NoSectionError:
print "No [Definition] section in " + value
print
return False
except NoOptionError:
print "No failregex option in " + value
print
return False
except MissingSectionHeaderError:
print "No section headers in " + value
print
return False
else:
if len(value) > 53:
stripReg = value[0:50] + "..."
else:
stripReg = value
print "Use ignoreregex line : " + stripReg
self.__ignoreregex = [RegexStat(value)]
return True
def readRegex(self, value):
if os.path.isfile(value):
reader = SafeConfigParser()
@ -157,8 +191,27 @@ class Fail2banRegex:
self.__failregex = [RegexStat(value)]
return True
def testIgnoreRegex(self, line):
found = False
for regex in self.__ignoreregex:
logging.getLogger("fail2ban").setLevel(logging.DEBUG)
try:
self.__filter.addIgnoreRegex(regex.getFailRegex())
try:
ret = self.__filter.ignoreLine(line)
if ret:
regex.inc()
except RegexException, e:
print e
return False
finally:
self.__filter.delIgnoreRegex(0)
logging.getLogger("fail2ban").setLevel(logging.CRITICAL)
def testRegex(self, line):
found = False
for regex in self.__ignoreregex:
self.__filter.addIgnoreRegex(regex.getFailRegex())
for regex in self.__failregex:
logging.getLogger("fail2ban").setLevel(logging.DEBUG)
try:
@ -182,6 +235,8 @@ class Fail2banRegex:
finally:
self.__filter.delFailRegex(0)
logging.getLogger("fail2ban").setLevel(logging.CRITICAL)
for regex in self.__ignoreregex:
self.__filter.delIgnoreRegex(0)
def printStats(self):
print
@ -191,25 +246,51 @@ class Fail2banRegex:
# Print title
cnt = 1
print "Failregex:"
print "Failregex"
print "|- Regular expressions:"
for failregex in self.__failregex:
print "[" + str(cnt) + "] " + failregex.getFailRegex()
print "| [" + str(cnt) + "] " + failregex.getFailRegex()
cnt += 1
cnt = 1
print
print "|"
# Print stats
cnt = 1
total = 0
print "Number of matches:"
print "`- Number of matches:"
for failregex in self.__failregex:
match = failregex.getStats()
total += match
print "[" + str(cnt) + "] " + str(match) + " match(es)"
print " [" + str(cnt) + "] " + str(match) + " match(es)"
cnt += 1
print
# Print title
cnt = 1
print "Ignoreregex"
print "|- Regular expressions:"
for failregex in self.__ignoreregex:
print "| [" + str(cnt) + "] " + failregex.getFailRegex()
cnt += 1
cnt = 1
print "|"
# Print stats
cnt = 1
print "`- Number of matches:"
for failregex in self.__ignoreregex:
match = failregex.getStats()
print " [" + str(cnt) + "] " + str(match) + " match(es)"
cnt += 1
print
print "Summary"
print "======="
print
if total == 0:
print "Sorry, no match"
print
@ -236,7 +317,7 @@ class Fail2banRegex:
print "Date template hits:"
for template in self.__filter.dateDetector.getTemplates():
print `template.getHits()` + " hit: " + template.getName()
print `template.getHits()` + " hit(s): " + template.getName()
print
@ -260,7 +341,7 @@ if __name__ == "__main__":
# Process command line
fail2banRegex.getCmdLineOptions(optList)
# We need exactly 3 parameters
if not len(sys.argv) == 3:
if not len(sys.argv) in (3, 4):
fail2banRegex.dispUsage()
sys.exit(-1)
else:
@ -269,6 +350,10 @@ if __name__ == "__main__":
print "============="
print
if len(sys.argv) == 4:
if fail2banRegex.readIgnoreRegex(sys.argv[3]) == False:
sys.exit(-1)
if fail2banRegex.readRegex(sys.argv[2]) == False:
sys.exit(-1)
@ -278,6 +363,7 @@ if __name__ == "__main__":
print "Use log file : " + sys.argv[1]
print
for line in hdlr:
fail2banRegex.testIgnoreRegex(line)
fail2banRegex.testRegex(line)
except IOError, e:
print e
@ -290,6 +376,7 @@ if __name__ == "__main__":
stripLog = sys.argv[1]
print "Use single line: " + stripLog
print
fail2banRegex.testIgnoreRegex(sys.argv[1])
fail2banRegex.testRegex(sys.argv[1])
if fail2banRegex.printStats():
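Review bot: `readIgnoreRegex` builds `[RegexStat(m) for m in reader.get("Definition", "ignoreregex").split('\n')]`, so a filter file whose `ignoreregex =` is empty — as the ones shipped in this commit are, e.g. webmin.conf — yields a single `RegexStat('')`; if `Filter.ignoreLine` is a plain `re.search`, the empty pattern matches every line and the tool reports everything as ignored. Skip blank entries: `for m in reader.get("Definition", "ignoreregex").split('\n') if m.strip()`. The `NoOptionError` branch in the same method still prints `"No failregex option in "` and should say `ignoreregex`, and `found = False` in `testIgnoreRegex` is never read.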


@ -20,7 +20,7 @@ FAIL2BAN="/usr/bin/fail2ban-client"
RETVAL=0
getpid() {
pid=`ps -ef | grep fail2ban-|grep -v grep|awk '{print $2}'`
pid=`ps -eo pid,comm | grep fail2ban- | awk '{ print $1 }'`
}
start() {
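Review bot: The new `pid=` line matches every process whose command name begins with `fail2ban-`, including the `fail2ban-client` this script itself invokes as `$FAIL2BAN` and any running `fail2ban-regex`, so `pid` can end up holding several PIDs, and whatever consumes it below (outside the hunk) then sees a multi-word value. Matching the full name is tighter and still fits `comm` (15 characters, exactly the length of `fail2ban-server`): `pid=$(ps -eo pid,comm | awk '$2 == "fail2ban-server" { print $1 }')`. Reading the daemon's pid file, if the server writes one, would avoid scanning the process table altogether.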

96
files/suse-initd Executable file

@ -0,0 +1,96 @@
#!/bin/sh
#
# /etc/init.d/fail2ban
# and its symbolic link
# /usr/sbin/rcfail2ban
#
### BEGIN INIT INFO
# Provides: fail2ban
# Required-Start: $syslog $remote_fs sendmail
# Required-Stop: $syslog $remote_fs
# Should-Stop: $time ypbind sendmail
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Description: startup Fail2Ban
### END INIT INFO
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/sbin:/usr/bin:/bin
FAIL2BAN_BIN=/usr/local/bin/fail2ban-client
FAIL2BAN_SERVER=/usr/local/bin/fail2ban-server
FAIL2BAN_SOCKET=/tmp/fail2ban.sock
test -x $FAIL2BAN_BIN || { echo "$FAIL2BAN_BIN not installed";
if [ "$1" = "stop" ]; then exit 0;
else exit 5; fi; }
# Check for existence of needed config file and read it
FAIL2BAN_CONFIG=/etc/fail2ban/fail2ban.conf
test -r $FAIL2BAN_CONFIG || { echo "$FAIL2BAN_CONFIG not existing";
if [ "$1" = "stop" ]; then exit 0;
else exit 6; fi; }
. /etc/rc.status
# Reset status of this service
rc_reset
case "$1" in
start)
echo -n "Starting Fail2Ban "
/sbin/startproc $FAIL2BAN_BIN start &>/dev/null
rc_status -v
;;
stop)
echo -n "Shutting down Fail2ban "
/sbin/startproc $FAIL2BAN_BIN -q stop
rc_status -v
;;
try-restart|condrestart)
if test "$1" = "condrestart"; then
echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
fi
$0 status
if test $? = 0; then
$0 restart
else
rc_reset # Not running is not a failure.
fi
rc_status
;;
restart)
$0 stop
echo -n "-wait a minute "
i=60
while [ -e $FAIL2BAN_SOCKET ] && [ $i -gt 0 ]; do
sleep 1
i=$[$i-1]
echo -n "."
done
echo "."
$0 start
# Remember status and be quiet
rc_status
;;
force-reload)
echo -n "Reload service Fail2ban "
/sbin/startproc $FAIL2BAN_BIN -q reload
rc_status -v
;;
reload)
echo -n "Reload service Fail2ban "
/sbin/startproc $FAIL2BAN_BIN -q reload
rc_status -v
;;
status)
echo -n "Checking for service Fail2ban "
/sbin/checkproc $FAIL2BAN_SERVER
rc_status -v
;;
probe)
test /etc/fail2ban/fail2ban.conf -nt /var/run/fail2ban.pid && echo reload
;;
*)
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
exit 1
;;
esac
rc_exit
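Review bot: `FAIL2BAN_SOCKET=/tmp/fail2ban.sock` is used only by the `restart` wait loop (`while [ -e $FAIL2BAN_SOCKET ]`), and because /tmp is world-writable any local user can create that path and make every restart stall the full 60 seconds before `start` runs anyway; if the daemon's configured socket lives elsewhere the loop is instead a no-op. The value should be read from fail2ban.conf or default to a root-only location. Also, `i=$[$i-1]` is bash-only arithmetic under `#!/bin/sh` — `i=$((i-1))` is the portable form — and `probe` tests `/var/run/fail2ban.pid`, a path nothing else in this script or the shown configuration refers to, so it should be checked against what the server actually writes.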


@ -1,11 +1,11 @@
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.36.
.TH FAIL2BAN-CLIENT "1" "May 2007" "fail2ban-client v0.8.0" "User Commands"
.TH FAIL2BAN-CLIENT "1" "August 2007" "fail2ban-client v0.8.1" "User Commands"
.SH NAME
fail2ban-client \- configure and control the server
.SH DESCRIPTION
[?1034hUsage: ../fail2ban\-client [OPTIONS] <COMMAND>
.PP
Fail2Ban v0.8.0 reads log file that contains password failure report
Fail2Ban v0.8.1 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.
.SH OPTIONS
.TP


@ -1,12 +1,12 @@
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.36.
.TH FAIL2BAN-REGEX "1" "May 2007" "fail2ban-regex v0.8.0" "User Commands"
.TH FAIL2BAN-REGEX "1" "August 2007" "fail2ban-regex v0.8.1" "User Commands"
.SH NAME
fail2ban-regex \- test Fail2ban "failregex" option
.SH SYNOPSIS
.B fail2ban-regex
[\fIOPTIONS\fR] \fI<LOG> <REGEX>\fR
[\fIOPTIONS\fR] \fI<LOG> <REGEX> \fR[\fIIGNOREREGEX\fR]
.SH DESCRIPTION
Fail2Ban v0.8.0 reads log file that contains password failure report
Fail2Ban v0.8.1 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.
.PP
This tools can test regular expressions for "fail2ban".
@ -31,6 +31,13 @@ a string representing a 'failregex'
.TP
\fBfilename\fR
path to a filter file (filter.d/sshd.conf)
.SS "IgnoreRegex:"
.TP
\fBstring\fR
a string representing an 'ignoreregex'
.TP
\fBfilename\fR
path to a filter file (filter.d/sshd.conf)
.SH AUTHOR
Written by Cyril Jaquier <lostcontrol@users.sourceforge.net>.
Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>.


@ -1,12 +1,12 @@
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.36.
.TH FAIL2BAN-SERVER "1" "May 2007" "fail2ban-server v0.8.0" "User Commands"
.TH FAIL2BAN-SERVER "1" "August 2007" "fail2ban-server v0.8.1" "User Commands"
.SH NAME
fail2ban-server \- start the server
.SH SYNOPSIS
.B fail2ban-server
[\fIOPTIONS\fR]
.SH DESCRIPTION
Fail2Ban v0.8.0 reads log file that contains password failure report
Fail2Ban v0.8.1 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.
.PP
Only use this command for debugging purpose. Start the server with


@ -16,11 +16,11 @@
# Author: Cyril Jaquier
#
# $Revision: 568 $
# $Revision: 607 $
__author__ = "Cyril Jaquier"
__version__ = "$Revision: 568 $"
__date__ = "$Date: 2007-04-01 22:42:05 +0200 (Sun, 01 Apr 2007) $"
__version__ = "$Revision: 607 $"
__date__ = "$Date: 2007-08-09 00:16:22 +0200 (Thu, 09 Aug 2007) $"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"
@ -80,6 +80,12 @@ class DateDetector:
template.setRegex("\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
template.setPattern("%Y-%m-%d %H:%M:%S")
self.__templates.append(template)
# named 26-Jul-2007 15:20:52.252
template = DateStrptime()
template.setName("Day-Month-Year Hour:Minute:Second[.Millisecond]")
template.setRegex("\d{2}-\S{3}-\d{4} \d{2}:\d{2}:\d{2}")
template.setPattern("%d-%b-%Y %H:%M:%S")
self.__templates.append(template)
# TAI64N
template = DateTai64n()
template.setName("TAI64N")
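Review bot: The month field in the new regex on the `template.setRegex` line is `\S{3}`, which accepts any three non-whitespace characters rather than an abbreviated month name, so a token such as `26-###-2007 15:20:52` passes the regex and is only rejected later when the pattern is applied; tightening it to `\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}` keeps the regex the cheap pre-filter it is meant to be. The `%b` directive in the pattern is locale-dependent in strptime, so if DateStrptime parses with `time.strptime` (its body is outside the hunk) an English month name will not parse under a non-English LC_TIME; a comment such as `# %b is locale-dependent: assumes English month names in the log` would record that assumption next to the pattern. The name set on the preceding line advertises an optional `[.Millisecond]`, but neither the regex nor the pattern covers the fractional part shown in the `26-Jul-2007 15:20:52.252` comment, so the name should drop it or the regex should consume it.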


@ -16,11 +16,11 @@
# Author: Cyril Jaquier
#
# $Revision: 503 $
# $Revision: 589 $
__author__ = "Cyril Jaquier"
__version__ = "$Revision: 503 $"
__date__ = "$Date: 2006-12-23 17:31:00 +0100 (Sat, 23 Dec 2006) $"
__version__ = "$Revision: 589 $"
__date__ = "$Date: 2007-06-25 23:43:25 +0200 (Mon, 25 Jun 2007) $"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"
@ -40,9 +40,7 @@ class FailRegex(Regex):
# avoid construction of invalid object.
# @param value the regular expression
def __init__(self, value):
# Replace "<HOST>" with default regular expression for host.
regex = value.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>\S+)")
def __init__(self, regex):
# Initializes the parent.
Regex.__init__(self, regex)
# Check for group "host"
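Review bot: The `# @param value the regular expression` comment on the context line above the signature still documents the old parameter name after the change to `def __init__(self, regex):`, so it should read `# @param regex the regular expression`. With the `<HOST>` expansion removed from this constructor, FailRegex now relies on the base class performing it before the "host" group check that follows; a one-line comment such as `# <HOST> expansion is done by Regex.__init__` beside the `Regex.__init__(self, regex)` call makes that dependency visible to the next reader. Renaming the positional parameter from `value` to `regex` also breaks any caller that passed it by keyword, though none is visible here. The body of `__init__` continues outside the hunk.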


@ -16,11 +16,11 @@
# Author: Cyril Jaquier
#
# $Revision: 567 $
# $Revision: 605 $
__author__ = "Cyril Jaquier"
__version__ = "$Revision: 567 $"
__date__ = "$Date: 2007-03-26 23:17:31 +0200 (Mon, 26 Mar 2007) $"
__version__ = "$Revision: 605 $"
__date__ = "$Date: 2007-08-08 00:11:34 +0200 (Wed, 08 Aug 2007) $"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"
@ -413,6 +413,20 @@ class Filter(JailThread):
self.__closeLogFile()
return True
##
# Returns true if the line should be ignored.
#
# Uses ignoreregex.
# @param line: the line
# @return: a boolean
def ignoreLine(self, line):
for ignoreRegex in self.__ignoreRegex:
ignoreRegex.search(line)
if ignoreRegex.hasMatched():
return True
return False
##
# Finds the failure in a line.
#
@ -423,12 +437,9 @@ class Filter(JailThread):
def findFailure(self, line):
failList = list()
# Checks if we must ignore this line.
for ignoreRegex in self.__ignoreRegex:
ignoreRegex.search(line)
if ignoreRegex.hasMatched():
# The ignoreregex matched. Return.
logSys.debug("Ignoring this line")
return failList
if self.ignoreLine(line):
# The ignoreregex matched. Return.
return failList
# Iterates over all the regular expressions.
for failRegex in self.__failRegex:
failRegex.search(line)
@ -492,17 +503,6 @@ class DNSUtils:
% dns)
return list()
@staticmethod
def textToDns(text):
""" Search for possible DNS in an arbitrary text.
Thanks to Tom Pike.
"""
match = DNSUtils.DNS_CRE.match(text)
if match:
return match
else:
return None
@staticmethod
def searchIP(text):
""" Search if an IP address if directly available and return
@ -538,11 +538,9 @@ class DNSUtils:
ipList.append(plainIPStr)
if not ipList:
# Try to get IP from possible DNS
dns = DNSUtils.textToDns(text)
if not dns == None:
ip = DNSUtils.dnsToIp(dns.group(0))
for e in ip:
ipList.append(e)
ip = DNSUtils.dnsToIp(text)
for e in ip:
ipList.append(e)
return ipList
@staticmethod
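Review bot: In the last hunk, `ip = DNSUtils.dnsToIp(text)` hands the whole captured text to the DNS path, where the removed `textToDns()` only forwarded the substring matching `DNSUtils.DNS_CRE`; if dnsToIp resolves its argument as given (its body is outside the hunk), every line whose host token is not a plain IP address now triggers a lookup on whatever that token is, presumably log-derived input, so keeping a cheap syntactic gate before the call, along the lines of the removed `DNSUtils.DNS_CRE.match(text)` check, limits lookups to hostname-shaped tokens and keeps the filter from blocking on resolution of arbitrary strings. In the `findFailure` hunk, the `logSys.debug("Ignoring this line")` that the removed loop emitted has no counterpart in the new `if self.ignoreLine(line):` branch, so there is no longer any trace when an ignoreregex suppresses a failure; restoring that debug call inside the branch keeps ignoreregex behaviour diagnosable. The rest of `searchIP` and `findFailure` lies outside the hunks shown.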


@ -16,11 +16,11 @@
# Author: Cyril Jaquier
#
# $Revision: 505 $
# $Revision: 589 $
__author__ = "Cyril Jaquier"
__version__ = "$Revision: 505 $"
__date__ = "$Date: 2006-12-24 00:20:16 +0100 (Sun, 24 Dec 2006) $"
__version__ = "$Revision: 589 $"
__date__ = "$Date: 2007-06-25 23:43:25 +0200 (Mon, 25 Jun 2007) $"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"
@ -42,6 +42,9 @@ class Regex:
def __init__(self, regex):
self._matchCache = None
# Perform shortcuts expansions.
# Replace "<HOST>" with default regular expression for host.
regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>\S+)")
if regex.lstrip() == '':
raise RegexException("Cannot add empty regex")
try: