From 1e2ddec48592ff7ff7abe2ce4cef742deec2853c Mon Sep 17 00:00:00 2001 From: Cyril Jaquier Date: Thu, 7 Jun 2007 21:29:18 +0000 Subject: [PATCH 02/26] - Fixed vulnerability in sshd.conf. Thanks to Daniel B. Cid git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@587 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- CHANGELOG | 6 +++++- config/filter.d/sshd.conf | 9 +++++---- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 94a7b411..67f301bc 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -4,9 +4,13 @@ |_| \__,_|_|_/___|_.__/\__,_|_||_| ============================================================= -Fail2Ban (version 0.8.0) 2007/05/03 +Fail2Ban (version 0.8.1) 2007/??/?? ============================================================= +ver. 0.8.1 (2007/??/??) - stable +---------- +- Fixed vulnerability in sshd.conf. Thanks to Daniel B. Cid + ver. 0.8.0 (2007/05/03) - stable ---------- - Fixed RedHat init script. Thanks to Jonathan Underwood diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf index fa1d88ad..39416f43 100644 --- a/config/filter.d/sshd.conf +++ b/config/filter.d/sshd.conf @@ -14,10 +14,11 @@ # (?:::f{4,6}:)?(?P\S+) # Values: TEXT # -failregex = Authentication failure for .* from - Failed [-/\w]+ for .* from - ROOT LOGIN REFUSED .* FROM - [iI](?:llegal|nvalid) user .* from +failregex = Authentication failure for .* from $ + Failed [-/\w]+ for .* from $ + ROOT LOGIN REFUSED .* FROM $ + [iI](?:llegal|nvalid) user .* from $ + User .* from not allowed because not listed in AllowUsers$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. From 6d129491f7db5f3ac2688be35e96ea913932a241 Mon Sep 17 00:00:00 2001 
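Review bot: The new `$` sits directly after the host tag in `Failed [-/\w]+ for .* from <HOST>$`, so any log line that carries text after the address stops matching and those failures no longer count toward a ban. OpenSSH normally writes ` port N ssh2` after the address on failed-password lines, so I would allow that tail explicitly, e.g. `Failed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$`, and check the other patterns against real log samples before release. The patterns are also still unanchored on the left and carry no `sshd` process prefix, while the `.*` spans text chosen by the remote client. A comment above `failregex` such as `# the trailing $ is what ties <HOST> to the address sshd itself logged; do not remove it` would help the next editor. The `<HOST>` tag appears to have been stripped by this page's rendering, so its position in each pattern is inferred.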
From: Cyril Jaquier Date: Mon, 25 Jun 2007 21:43:25 +0000 Subject: [PATCH 03/26] - Expand in ignoreregex. Thanks to Yaroslav Halchenko git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@589 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- server/failregex.py | 4 +--- server/regex.py | 3 +++ 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/server/failregex.py b/server/failregex.py index 275380b9..9889ca67 100644 --- a/server/failregex.py +++ b/server/failregex.py @@ -40,9 +40,7 @@ class FailRegex(Regex): # avoid construction of invalid object. # @param value the regular expression - def __init__(self, value): - # Replace "" with default regular expression for host. - regex = value.replace("", "(?:::f{4,6}:)?(?P\S+)") + def __init__(self, regex): # Initializes the parent. Regex.__init__(self, regex) # Check for group "host" diff --git a/server/regex.py b/server/regex.py index d3d6eee4..22fb6797 100644 --- a/server/regex.py +++ b/server/regex.py @@ -42,6 +42,9 @@ class Regex: def __init__(self, regex): self._matchCache = None + # Perform shortcuts expansions. + # Replace "" with default regular expression for host. + regex = regex.replace("", "(?:::f{4,6}:)?(?P\S+)") if regex.lstrip() == '': raise RegexException("Cannot add empty regex") try: From ad010a667e5686ef55508fcf584ca8caa71124fd Mon Sep 17 00:00:00 2001 From: Cyril Jaquier Date: Mon, 25 Jun 2007 21:43:44 +0000 Subject: [PATCH 04/26] - Expand in ignoreregex. Thanks to Yaroslav Halchenko git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@590 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- CHANGELOG | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG b/CHANGELOG index 67f301bc..823ab2d6 100644 --- a/CHANGELOG +++ b/CHANGELOG 
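Review bot: The doc comment kept as context above the constructor still reads `# @param value the regular expression`, although the parameter is now named `regex`; it should become `# @param regex the regular expression`. The rename also changes the keyword name, so a caller passing `value=` would break. None is visible in this hunk, so a quick search of the callers is worthwhile. The constructor body continues past the end of the hunk.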
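Review bot: Moving the host-tag expansion into `Regex.__init__` means every subclass, including ignore patterns, now gets the permissive `\S+` host capture, and the added comment does not say so. An ignore pattern that uses the tag will match any non-whitespace token in that position, which can suppress more lines than the author intended unless the pattern is anchored around it. I would extend the comment to something like `# Applies to fail and ignore regexes alike; the host group is a bare \S+, so callers must anchor around it.` The replacement literal should also be a raw string (`r"..."`) so the `\S` does not depend on Python leaving unknown escapes alone. Whether a pattern containing the tag twice is reported cleanly depends on the `try:` that begins at the end of this hunk, which is not visible here.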
@@ -10,6 +10,7 @@ Fail2Ban (version 0.8.1) 2007/??/?? ver. 0.8.1 (2007/??/??) - stable ---------- - Fixed vulnerability in sshd.conf. Thanks to Daniel B. Cid +- Expand in ignoreregex. Thanks to Yaroslav Halchenko ver. 0.8.0 (2007/05/03) - stable ---------- From e2334db7a6ab60cb017135c5263b6de823431e60 Mon Sep 17 00:00:00 2001 From: Cyril Jaquier Date: Mon, 25 Jun 2007 21:57:10 +0000 Subject: [PATCH 05/26] - Improved regular expressions. Thanks to Yaroslav Halchenko git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@592 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- CHANGELOG | 1 + config/filter.d/pure-ftpd.conf | 2 +- config/filter.d/sshd-ddos.conf | 2 +- config/filter.d/vsftpd.conf | 2 +- config/filter.d/wuftpd.conf | 4 ++-- 5 files changed, 6 insertions(+), 5 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 823ab2d6..65d5ceb2 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -11,6 +11,7 @@ ver. 0.8.1 (2007/??/??) - stable ---------- - Fixed vulnerability in sshd.conf. Thanks to Daniel B. Cid - Expand in ignoreregex. Thanks to Yaroslav Halchenko +- Improved regular expressions. Thanks to Yaroslav Halchenko ver. 0.8.0 (2007/05/03) - stable ---------- diff --git a/config/filter.d/pure-ftpd.conf b/config/filter.d/pure-ftpd.conf index 31557468..1933d6e0 100644 --- a/config/filter.d/pure-ftpd.conf +++ b/config/filter.d/pure-ftpd.conf @@ -19,7 +19,7 @@ __errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'ut # (?:::f{4,6}:)?(?P\S+) # Values: TEXT # -failregex = pure-ftpd: (.+?@) \[WARNING\] %(__errmsg)s \[.+\]$ +failregex = pure-ftpd(?:\[\d+\])?: (.+?@) \[WARNING\] %(__errmsg)s \[.+\]$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff --git a/config/filter.d/sshd-ddos.conf b/config/filter.d/sshd-ddos.conf index 2a907e88..9720ab4a 100644 --- a/config/filter.d/sshd-ddos.conf +++ b/config/filter.d/sshd-ddos.conf 
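Review bot: In the pure-ftpd.conf hunk the parentheses in `(.+?@<HOST>)` are unescaped, so they form a regex group instead of matching the literal `(` and `)` around the client address. If pure-ftpd logs the client as `(user@host)`, as the shape of the pattern suggests, the `\S+` host capture will take the closing `)` with it, and the extracted value is then unlikely to resolve to the offending address, so the ban would quietly not happen. Escaping them, `\(.+?@<HOST>\) \[WARNING\]`, keeps the capture to the address itself. The `<HOST>` tag appears stripped in this page's rendering; it presumably sits between `@` and `)`.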
@@ -14,7 +14,7 @@ # (?:::f{4,6}:)?(?P\S+) # Values: TEXT # -failregex = sshd\[\S*\]: Did not receive identification string from +failregex = sshd(?:\[\d+\])?: Did not receive identification string from $ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff --git a/config/filter.d/vsftpd.conf b/config/filter.d/vsftpd.conf index 34e3da92..3c4bb11b 100644 --- a/config/filter.d/vsftpd.conf +++ b/config/filter.d/vsftpd.conf @@ -14,7 +14,7 @@ # (?:::f{4,6}:)?(?P\S+) # Values: TEXT # -failregex = vsftpd: .* authentication failure; .* rhost=$ +failregex = vsftpd(?:\[\d+\])?: .* authentication failure; .* rhost=$ \[.+\] FAIL LOGIN: Client ""$ # Option: ignoreregex diff --git a/config/filter.d/wuftpd.conf b/config/filter.d/wuftpd.conf index e7981e1e..2d08022d 100644 --- a/config/filter.d/wuftpd.conf +++ b/config/filter.d/wuftpd.conf @@ -2,7 +2,7 @@ # # Author: Yaroslav Halchenko # -# $Revision: $ +# $Revision$ # [Definition] @@ -11,4 +11,4 @@ # Notes.: regex to match the password failures messages in the logfile. # Values: TEXT # -failregex = wu-ftpd\[\d+\]:\s+\(pam_unix\)\s+authentication failure.* rhost= +failregex = wu-ftpd(?:\[\d+\])?:\s+\(pam_unix\)\s+authentication failure.* rhost=$ From 32d1132416f103f072826d24ed5ef269db20abdd Mon Sep 17 00:00:00 2001 From: Cyril Jaquier Date: Mon, 25 Jun 2007 22:18:46 +0000 Subject: [PATCH 06/26] - Changed location git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@594 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- .pydevproject | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.pydevproject b/.pydevproject index 07eba934..d71fe688 100644 --- a/.pydevproject +++ b/.pydevproject @@ -4,9 +4,9 @@ python 2.4 -/fail2ban-unstable/client -/fail2ban-unstable/server -/fail2ban-unstable/testcases -/fail2ban-unstable +/fail2ban-0.8/client +/fail2ban-0.8/server +/fail2ban-0.8/testcases +/fail2ban-0.8 
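Review bot: In the vsftpd.conf hunk, `rhost=<HOST>$` assumes the host is the last field on the line, and the second wuftpd.conf hunk now adds the same `$` after `rhost=<HOST>`. pam_unix usually appends a ` user=NAME` field after `rhost=` when the targeted account exists, so those lines would not match and failed logins against real accounts would go uncounted. Allowing the optional tail keeps the end anchor without that gap: `rhost=<HOST>(?:\s+user=\S*)?\s*$`. It would be worth confirming against sample auth logs from both daemons before relying on these filters.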
From 08c2c557427617ced54d227b129e16d292f21eb8 Mon Sep 17 00:00:00 2001 From: Cyril Jaquier Date: Thu, 5 Jul 2007 16:10:33 +0000 Subject: [PATCH 07/26] =?UTF-8?q?-=20Added=20sendmail=20actions.=20The=20a?= =?UTF-8?q?ction=20started=20with=20"mail"=20are=20now=20deprecated.=20Tha?= =?UTF-8?q?nks=20to=20Rapha=C3=ABl=20Marichez=20-=20Fixed=20a=20small=20ty?= =?UTF-8?q?po?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@595 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- CHANGELOG | 2 + MANIFEST | 4 + config/action.d/mail-buffered.conf | 2 +- config/action.d/mail-whois-lines.conf | 2 +- config/action.d/mail-whois.conf | 2 +- config/action.d/mail.conf | 2 +- config/action.d/sendmail-buffered.conf | 105 ++++++++++++++++++++++ config/action.d/sendmail-whois-lines.conf | 88 ++++++++++++++++++ config/action.d/sendmail-whois.conf | 82 +++++++++++++++++ config/action.d/sendmail.conf | 80 +++++++++++++++++ config/jail.conf | 20 ++--- 11 files changed, 375 insertions(+), 14 deletions(-) create mode 100644 config/action.d/sendmail-buffered.conf create mode 100644 config/action.d/sendmail-whois-lines.conf create mode 100644 config/action.d/sendmail-whois.conf create mode 100644 config/action.d/sendmail.conf diff --git a/CHANGELOG b/CHANGELOG index 65d5ceb2..fe76ac7c 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -12,6 +12,8 @@ ver. 0.8.1 (2007/??/??) - stable - Fixed vulnerability in sshd.conf. Thanks to Daniel B. Cid - Expand in ignoreregex. Thanks to Yaroslav Halchenko - Improved regular expressions. Thanks to Yaroslav Halchenko +- Added sendmail actions. The action started with "mail" are + now deprecated. Thanks to Raphaël Marichez ver. 0.8.0 (2007/05/03) - stable ---------- diff --git a/MANIFEST b/MANIFEST index 60f13e54..7de5196b 100644 --- a/MANIFEST +++ b/MANIFEST 
@@ -84,6 +84,10 @@ config/action.d/mail.conf config/action.d/mail-buffered.conf config/action.d/mail-whois.conf config/action.d/mail-whois-lines.conf +config/action.d/sendmail.conf +config/action.d/sendmail-buffered.conf +config/action.d/sendmail-whois.conf +config/action.d/sendmail-whois-lines.conf config/action.d/shorewall.conf config/fail2ban.conf man/fail2ban-client.1 diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf index 973d48ec..a39ca2b2 100644 --- a/config/action.d/mail-buffered.conf +++ b/config/action.d/mail-buffered.conf @@ -12,7 +12,7 @@ # Values: CMD # actionstart = echo -en "Hi,\n - The jail has been started successfuly.\n + The jail has been started successfully.\n Output will be buffered until lines are available.\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] : started" diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf index c4bb9784..7e371557 100644 --- a/config/action.d/mail-whois-lines.conf +++ b/config/action.d/mail-whois-lines.conf @@ -12,7 +12,7 @@ # Values: CMD # actionstart = echo -en "Hi,\n - The jail has been started successfuly.\n + The jail has been started successfully.\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] : started" diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf index 044aa05b..39f7fdac 100644 --- a/config/action.d/mail-whois.conf +++ b/config/action.d/mail-whois.conf @@ -12,7 +12,7 @@ # Values: CMD # actionstart = echo -en "Hi,\n - The jail has been started successfuly.\n + The jail has been started successfully.\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] : started" diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf index 2757aa74..7c901894 100644 --- a/config/action.d/mail.conf +++ b/config/action.d/mail.conf @@ -12,7 +12,7 @@ # Values: CMD # actionstart = echo -en "Hi,\n - The jail has been started successfuly.\n + The jail has been started successfully.\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] : started" 
diff --git a/config/action.d/sendmail-buffered.conf b/config/action.d/sendmail-buffered.conf new file mode 100644 index 00000000..836ed384 --- /dev/null +++ b/config/action.d/sendmail-buffered.conf @@ -0,0 +1,105 @@ +# Fail2Ban configuration file +# +# Author: Cyril Jaquier +# +# $Revision$ +# + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = echo -en "Subject: [Fail2Ban] : started + From: Fail2Ban <> + To: \n + Hi,\n + The jail has been started successfully.\n + Output will be buffered until lines are available.\n + Regards,\n + Fail2Ban" | /usr/sbin/sendmail -f + +# Option: actionend +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = if [ -f ]; then + echo -en "Subject: [Fail2Ban] : stopped + From: Fail2Ban <> + To: \n + Hi,\n + These hosts have been banned by Fail2Ban.\n + `cat ` + Regards,\n + Fail2Ban" | /usr/sbin/sendmail -f + rm + fi + echo -en "Subject: [Fail2Ban] : stopped + From: Fail2Ban <> + To: \n + Hi,\n + The jail has been stopped.\n + Regards,\n + Fail2Ban" | /usr/sbin/sendmail -f + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: IP address +# number of failures +#