github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'master' of https://github.com/fail2ban/fail2ban into ban-time-incr; 

Conflicts in ChangeLog resolved;
obsolete imports removed;
pull/716/head
sebres 2014-06-19 17:40:00 +02:00
parent 6ecd7ddddf 94232d7c31
commit ccf2521a6d
12 changed files with 114 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ChangeLog
View File

@ -27,9 +27,9 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
* Database now returns persistent bans on restart (bantime < 0) * Database now returns persistent bans on restart (bantime < 0)
* Recursive action tags now fully processed. Fixes issue with bsd-ipfw * Recursive action tags now fully processed. Fixes issue with bsd-ipfw
action action
* Correct times for non-timezone date times formats - Thanks sebres * Correct times for non-timezone date times formats during DST.
* Fixed TypeError with "ipfailures" and "ipjailfailures" action tags. * Fixed TypeError with "ipfailures" and "ipjailfailures" action tags.
Thanks Serg G. Brester Thanks Serg G. Brester (sebres)
- New features: - New features:
- Added monit filter thanks Jason H Martin. - Added monit filter thanks Jason H Martin.

4
THANKS
View File

@ -49,6 +49,7 @@ John Thoe
Jacques Lav!gnotte Jacques Lav!gnotte
Ioan Indreias Ioan Indreias
Jason H Martin Jason H Martin
Joel M Snyder
Jonathan Kamens Jonathan Kamens
Jonathan Lanning Jonathan Lanning
Jonathan Underwood Jonathan Underwood
@ -76,6 +77,7 @@ Michael Hanselmann
Mika (mkl) Mika (mkl)
Nick Munger Nick Munger
onorua onorua
Paul Marrapese
Noel Butler Noel Butler
Patrick Börjesson Patrick Börjesson
Raphaël Marichez Raphaël Marichez
@ -86,7 +88,7 @@ Rolf Fokkens
Roman Gelfand Roman Gelfand
Russell Odom Russell Odom
Sebastian Arcus Sebastian Arcus
sebres Serg G. Brester (sebres)
Sireyessire Sireyessire
silviogarbes silviogarbes
Stefan Tatschner Stefan Tatschner

15
bin/fail2ban-regex
View File

@ -25,11 +25,11 @@ This tools can test regular expressions for "fail2ban".
""" """
__author__ = "Cyril Jaquier, Yaroslav Halchenko" __author__ = "Fail2Ban Developers"
__copyright__ = "Copyright (c) 2004-2008 Cyril Jaquier, 2012-2013 Yaroslav Halchenko" __copyright__ = "Copyright (c) 2004-2008 Cyril Jaquier, 2012-2014 Yaroslav Halchenko"
__license__ = "GPL" __license__ = "GPL"
import getopt, sys, time, logging, os, locale, shlex, urllib import getopt, sys, time, logging, os, locale, shlex, time, urllib
from optparse import OptionParser, Option from optparse import OptionParser, Option
from ConfigParser import NoOptionError, NoSectionError, MissingSectionHeaderError from ConfigParser import NoOptionError, NoSectionError, MissingSectionHeaderError
@ -223,6 +223,7 @@ class Fail2banRegex(object):
self._filter = Filter(None) self._filter = Filter(None)
self._ignoreregex = list() self._ignoreregex = list()
self._failregex = list() self._failregex = list()
self._time_elapsed = None
self._line_stats = LineStats() self._line_stats = LineStats()
if opts.maxlines: if opts.maxlines:
@ -348,7 +349,7 @@ class Fail2banRegex(object):
return line, ret return line, ret
def process(self, test_lines): def process(self, test_lines):
t0 = time.time()
for line_no, line in enumerate(test_lines): for line_no, line in enumerate(test_lines):
if isinstance(line, tuple): if isinstance(line, tuple):
line_datetimestripped, ret = fail2banRegex.testRegex( line_datetimestripped, ret = fail2banRegex.testRegex(
@ -383,6 +384,7 @@ class Fail2banRegex(object):
if line_no % 10 == 0 and self._filter.dateDetector is not None: if line_no % 10 == 0 and self._filter.dateDetector is not None:
self._filter.dateDetector.sortTemplate() self._filter.dateDetector.sortTemplate()
self._time_elapsed = time.time() - t0
@ -456,7 +458,10 @@ class Fail2banRegex(object):
template.hits, template.name)) template.hits, template.name))
pprint_list(out, "[# of hits] date format") pprint_list(out, "[# of hits] date format")
print "\nLines: %s" % self._line_stats print "\nLines: %s" % self._line_stats,
if self._time_elapsed is not None:
print "[processed in %.2f sec]" % self._time_elapsed,
print
if self._print_all_matched: if self._print_all_matched:
self.printLines('matched') self.printLines('matched')

4
config/action.d/badips.py
View File

@ -161,7 +161,7 @@ class BadIPsAction(ActionBase):
"/".join([self._badips, "get", "list", category, str(score)]), "/".join([self._badips, "get", "list", category, str(score)]),
urlencode({'age': age})]) urlencode({'age': age})])
if key: if key:
url = "&".join([url, urlencode({"key", key})]) url = "&".join([url, urlencode({'key': key})])
response = urlopen(self._Request(url)) response = urlopen(self._Request(url))
except HTTPError as response: except HTTPError as response:
messages = json.loads(response.read().decode('utf-8')) messages = json.loads(response.read().decode('utf-8'))
@ -346,7 +346,7 @@ class BadIPsAction(ActionBase):
try: try:
url = "/".join([self._badips, "add", self.category, aInfo['ip']]) url = "/".join([self._badips, "add", self.category, aInfo['ip']])
if self.key: if self.key:
url = "?".join([url, urlencode({"key", self.key})]) url = "?".join([url, urlencode({'key': self.key})])
response = urlopen(self._Request(url)) response = urlopen(self._Request(url))
except HTTPError as response: except HTTPError as response:
messages = json.loads(response.read().decode('utf-8')) messages = json.loads(response.read().decode('utf-8'))

61
config/filter.d/oracleims.conf Normal file
View File

@ -0,0 +1,61 @@
# Fail2Ban configuration file
# for Oracle IMS with XML logging
#
# Author: Joel Snyder/jms@opus1.com/2014-June-01
#
#
[INCLUDES]
# Read common prefixes.
# If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages
# in the logfile. The host must be matched by a
# group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is
# only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
#
# CONFIGURATION REQUIREMENTS FOR ORACLE IMS v6 and ABOVE:
#
# In OPTION.DAT you must have LOG_FORMAT=4 and
# bit 5 of LOG_CONNECTION must be set.
#
# Many of these sub-fields are optional and can be turned on and off
# by the system manager. We need the "tr" field
# (transport information (present if bit 5 of LOG_CONNECTION is
# set and transport information is available)).
# "di" should be there by default if you have LOG_FORMAT=4.
# Do not use "mi" as this is not included by default.
#
# Typical line IF YOU ARE USING TAGGING ! ! ! is:
# <co ts="2014-06-02T09:45:50.29" pi="123f.3f8.4397"
# sc="tcp_local" dr="+" ac="U"
# tr="TCP|192.245.12.223|25|151.1.71.144|59762" ap="SMTP"
# mi="Bad password"
# us="01ko8hqnoif09qx0np@imap.opus1.com"
# di="535 5.7.8 Bad username or password (Authentication failed)."/>
# Format is generally documented in the PORT_ACCESS mapping
# at http://docs.oracle.com/cd/E19563-01/819-4428/bgaur/index.html
#
# All that would be on one line.
# Note that you MUST have LOG_FORMAT=4 for this to work!
#
failregex = ^.*tr="[A-Z]+\|[0-9.]+\|\d+\|<HOST>\|\d+" ap="[^"]*" mi="Bad password" us="[^"]*" di="535 5.7.8 Bad username or password( \(Authentication failed\))?\."/>$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

2
config/filter.d/sshd.conf
View File

@ -32,7 +32,7 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|erro
^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$ ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$ ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$ ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$ ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
ignoreregex = ignoreregex =

8
config/jail.conf
View File

@ -739,3 +739,11 @@ action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp
enabled = false enabled = false
logpath = /var/log/messages ; nrpe.cfg may define a different log_facility logpath = /var/log/messages ; nrpe.cfg may define a different log_facility
maxretry = 1 maxretry = 1
[oracleims]
# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
enabled = false
logpath = /opt/sun/comms/messaging64/log/mail.log_current
maxretry = 6
banaction = iptables-allports

4
fail2ban/server/observer.py
View File

@ -29,10 +29,6 @@ import time, logging
import threading import threading
import os, datetime, math, json, random import os, datetime, math, json, random
import sys import sys
if sys.version_info >= (3, 3):
import importlib.machinery
else:
import imp
from .mytime import MyTime from .mytime import MyTime
# Gets the instance of the logger. # Gets the instance of the logger.

19
fail2ban/tests/files/logs/oracleims Normal file
View File

@ -0,0 +1,19 @@
# CONFIGURATION REQUIREMENTS FOR ORACLE IMS v6.3 and ABOVE:
#
# In OPTION.DAT you must have LOG_FORMAT=4 and
# bit 5 of LOG_CONNECTION must be set.
#
# Many of these sub-fields are optional and can be turned on and off
# by the system manager. We need the "tr" field
# (transport information (present if bit 5 of LOG_CONNECTION is
# set and transport information is available)).
# "di" should be there by default if you have LOG_FORMAT=4.
#
# failJSON: { "time": "2014-06-02T22:02:13", "match": false , "host": "23.122.129.179" }
<co ts="2014-06-02T22:02:13.94" pi="72a9.3b4.3774" sc="tcp_submit" dr="+" ac="U" tr="TCP|192.245.12.223|465|23.122.129.179|60766" ap="SMTP/TLS-128-RC4" mi="Authentication successful - switched to channel tcp_submit" us="jaugustine@example.org" di="235 2.7.0 LOGIN authentication successful."/>
# failJSON: { "time": "2014-06-02T16:06:33", "match": true , "host": "89.96.245.78" }
<co ts="2014-06-02T16:06:33.99" pi="72aa.17f0.25622" sc="tcp_local" dr="+" ac="U" tr="TCP|192.245.12.223|25|89.96.245.78|4299" ap="SMTP" mi="Bad password" us="nic@transcend.com" di="535 5.7.8 Bad username or password (Authentication failed)."/>
# failJSON: { "time": "2014-06-02T10:08:07", "match": true , "host": "71.95.206.106" }
<co ts="2014-06-02T10:08:07.56" pi="123f.8e2.9022" sc="tcp_local" dr="+" ac="U" tr="TCP|192.245.12.223|25|71.95.206.106|56591" ap="SMTP" mi="Bad password" us="romeo.julieta@opus1.com" di="535 5.7.8 Bad username or password (Authentication failed)."/>
# failJSON: { "time": "2014-06-02T09:54:58", "match": true , "host": "151.1.71.144" }
<co ts="2014-06-02T09:54:58.82" pi="123f.715.7116" sc="tcp_local" dr="+" ac="U" tr="TCP|192.245.12.223|25|151.1.71.144|58406" ap="SMTP" mi="Bad password" us="01ko8hqnoif09qx0np@imap.opus1.com" di="535 5.7.8 Bad username or password (Authentication failed)."/>

5
fail2ban/tests/files/logs/sshd
View File

@ -137,6 +137,11 @@ Feb 12 04:09:18 localhost sshd[26713]: Connection from 115.249.163.77 port 51353
# failJSON: { "time": "2005-02-12T04:09:21", "match": true , "host": "115.249.163.77", "desc": "from gh-457" } # failJSON: { "time": "2005-02-12T04:09:21", "match": true , "host": "115.249.163.77", "desc": "from gh-457" }
Feb 12 04:09:21 localhost sshd[26713]: Disconnecting: Too many authentication failures for root [preauth] Feb 12 04:09:21 localhost sshd[26713]: Disconnecting: Too many authentication failures for root [preauth]
# failJSON: { "match": false }
Feb 12 04:09:18 localhost sshd[26713]: Connection from 115.249.163.77 port 51353 on 127.0.0.1 port 22
# failJSON: { "time": "2005-02-12T04:09:21", "match": true , "host": "115.249.163.77", "desc": "Multiline match with interface address" }
Feb 12 04:09:21 localhost sshd[26713]: Disconnecting: Too many authentication failures for root [preauth]
# failJSON: { "match": false } # failJSON: { "match": false }
Apr 27 13:02:04 host sshd[29116]: User root not allowed because account is locked Apr 27 13:02:04 host sshd[29116]: User root not allowed because account is locked
# failJSON: { "match": false } # failJSON: { "match": false }

2
files/bash-completion
View File

@ -154,7 +154,7 @@ _fail2ban () {
fi fi
return 0 return 0
;; ;;
delfailregex|delignoregex) delfailregex|delignoreregex)
COMPREPLY=( $( compgen -W \ COMPREPLY=( $( compgen -W \
"$( "$1" get "$jail" "${prev/del/}" 2>/dev/null | awk -F"[][]" '{print $2}')" \ "$( "$1" get "$jail" "${prev/del/}" 2>/dev/null | awk -F"[][]" '{print $2}')" \
-- "$cur" ) ) -- "$cur" ) )