From 97d417926dc1e9eef637c3ba3b45d3c48814b0e0 Mon Sep 17 00:00:00 2001 From: sebres Date: Wed, 15 Mar 2017 17:56:46 +0100 Subject: [PATCH 1/2] repairs testing of missing samples for all regex after filter settings (mode) changed --- fail2ban/server/filter.py | 9 +++---- fail2ban/tests/samplestestcase.py | 44 ++++++++++++++++++++----------- 2 files changed, 32 insertions(+), 21 deletions(-) diff --git a/fail2ban/server/filter.py b/fail2ban/server/filter.py index 6b782fcc..ca2dae86 100644 --- a/fail2ban/server/filter.py +++ b/fail2ban/server/filter.py @@ -183,15 +183,12 @@ class Filter(JailThread): "valid", index) ## - # Get the regular expression which matches the failure. + # Get the regular expressions as list. # - # @return the regular expression + # @return the regular expression list def getFailRegex(self): - failRegex = list() - for regex in self.__failRegex: - failRegex.append(regex.getRegex()) - return failRegex + return [regex.getRegex() for regex in self.__failRegex] ## # Add the regular expression which matches the failure. diff --git a/fail2ban/tests/samplestestcase.py b/fail2ban/tests/samplestestcase.py index 1d33cc44..00a8f305 100644 --- a/fail2ban/tests/samplestestcase.py +++ b/fail2ban/tests/samplestestcase.py @@ -99,8 +99,8 @@ class FilterSamplesRegex(unittest.TestCase): optval = opt[3] elif opt[0] == 'set': optval = [opt[3]] - else: - continue + else: # pragma: no cover - unexpected + self.fail('Unexpected config-token %r in stream' % (opt,)) for optval in optval: if opt[2] == "prefregex": self.filter.prefRegex = optval @@ -115,11 +115,13 @@ class FilterSamplesRegex(unittest.TestCase): # test regexp contains greedy catch-all before , that is # not hard-anchored at end or has not precise sub expression after : - for fr in self.filter.getFailRegex(): + regexList = self.filter.getFailRegex() + for fr in regexList: if RE_WRONG_GREED.search(fr): # pragma: no cover raise AssertionError("Following regexp of \"%s\" contains greedy catch-all before , " "that is not hard-anchored at end or has not precise sub expression after :\n%s" % (name, str(fr).replace(RE_HOST, ''))) + return regexList def testSampleRegexsFactory(name, basedir): def testFilter(self): @@ -128,8 +130,17 @@ def testSampleRegexsFactory(name, basedir): os.path.isfile(os.path.join(TEST_FILES_DIR, "logs", name)), "No sample log file available for '%s' filter" % name) - regexsUsed = set() + regexList = None + regexsUsedIdx = set() + regexsUsedRe = set() filenames = [name] + + def _testMissingSamples(): + for failRegexIndex, failRegex in enumerate(regexList): + self.assertTrue( + failRegexIndex in regexsUsedIdx or failRegex in regexsUsedRe, + "Regex for filter '%s' has no samples: %i: %r" % + (name, failRegexIndex, failRegex)) i = 0 while i < len(filenames): filename = filenames[i]; i += 1; @@ -143,25 +154,30 @@ def testSampleRegexsFactory(name, basedir): faildata = json.loads(jsonREMatch.group(2)) # filterOptions - dict in JSON to control filter options (e. g. mode, etc.): if jsonREMatch.group(1) == 'filterOptions': + # another filter mode - we should check previous also: + if self.filter is not None: + _testMissingSamples() + regexsUsedIdx = set() # clear used indices (possible overlapping by mode change) + # read filter with another setting: self.filter = None - self._readFilter(name, basedir, opts=faildata) + regexList = self._readFilter(name, basedir, opts=faildata) continue # addFILE - filename to "include" test-files should be additionally parsed: if jsonREMatch.group(1) == 'addFILE': filenames.append(faildata) continue # failJSON - faildata contains info of the failure to check it. - except ValueError as e: + except ValueError as e: # pragma: no cover - we've valid json's raise ValueError("%s: %s:%i" % (e, logFile.filename(), logFile.filelineno())) line = next(logFile) elif line.startswith("#") or not line.strip(): continue - else: + else: # pragma: no cover - normally unreachable faildata = {} if self.filter is None: - self._readFilter(name, basedir, opts=None) + regexList = self._readFilter(name, basedir, opts=None) try: ret = self.filter.processLine(line) @@ -174,7 +190,8 @@ def testSampleRegexsFactory(name, basedir): failregex, fid, fail2banTime, fail = ret[0] # Bypass no failure helpers-regexp: if not faildata.get('match', False) and (fid is None or fail.get('nofail')): - regexsUsed.add(failregex) + regexsUsedIdx.add(failregex) + regexsUsedRe.add(regexList[failregex]) continue # Check line is flagged to match @@ -208,16 +225,13 @@ def testSampleRegexsFactory(name, basedir): jsonTime, time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(jsonTime)), fail2banTime - jsonTime) ) - regexsUsed.add(failregex) + regexsUsedIdx.add(failregex) + regexsUsedRe.add(regexList[failregex]) except AssertionError as e: # pragma: no cover raise AssertionError("%s on: %s:%i, line:\n%s" % ( e, logFile.filename(), logFile.filelineno(), line)) - for failRegexIndex, failRegex in enumerate(self.filter.getFailRegex()): - self.assertTrue( - failRegexIndex in regexsUsed, - "Regex for filter '%s' has no samples: %i: %r" % - (name, failRegexIndex, failRegex)) + _testMissingSamples() return testFilter From 5561423be3b2d4636f5484183c3ad470fd326d06 Mon Sep 17 00:00:00 2001 From: sebres Date: Wed, 15 Mar 2017 18:00:53 +0100 Subject: [PATCH 2/2] filter.d/sshd.conf: fixed failregex format - some parts are optional, new ddos more precise rule (Connection reset by with host entry); closes gh-1719 --- config/filter.d/sshd.conf | 7 ++++--- .../tests/config/filter.d/zzz-sshd-obsolete-multiline.conf | 5 +++-- fail2ban/tests/files/logs/sshd | 7 ++++++- 3 files changed, 13 insertions(+), 6 deletions(-) diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf index 8163aa03..320ab59c 100644 --- a/config/filter.d/sshd.conf +++ b/config/filter.d/sshd.conf @@ -41,17 +41,18 @@ cmnfailre = ^[aA]uthentication (?:failure|error|failed) for .* ^User .+ from not allowed because a group is listed in DenyGroups\s*%(__suff)s$ ^User .+ from not allowed because none of user's groups are listed in AllowGroups\s*%(__suff)s$ ^pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=\s.*%(__suff)s$ - ^(error: )?maximum authentication attempts exceeded for .* from %(__on_port_opt)s(?: ssh\d*)? \[preauth\]$ + ^(error: )?maximum authentication attempts exceeded for .* from %(__on_port_opt)s(?: ssh\d*)?%(__suff)s$ ^User .+ not allowed because account is locked%(__suff)s - ^Disconnecting: Too many authentication failures for .+?%(__suff)s + ^Disconnecting: Too many authentication failures(?: for .+?)?%(__suff)s ^Received disconnect from : 11: ^Connection closed by %(__suff)s$ mdre-normal = mdre-ddos = ^Did not receive identification string from %(__suff)s$ + ^Connection reset by %(__on_port_opt)s%(__suff)s ^SSH: Server;Ltype: (?:Authname|Version|Kex);Remote: -\d+;[A-Z]\w+: - ^Read from socket failed: Connection reset by peer \[preauth\] + ^Read from socket failed: Connection reset by peer%(__suff)s mdre-extra = ^Received disconnect from %(__on_port_opt)s:\s*14: No supported authentication methods available%(__suff)s$ ^Unable to negotiate with %(__on_port_opt)s: no matching (?:cipher|key exchange method) found. diff --git a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf index 4f28e60f..d6eecd4b 100644 --- a/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf +++ b/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf @@ -40,12 +40,13 @@ cmnfailre = ^%(__prefix_line_sl)s[aA]uthentication (?:failure|error|failed) for ^%(__prefix_line_sl)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=\s.*%(__suff)s$ ^%(__prefix_line_sl)s(error: )?maximum authentication attempts exceeded for .* from %(__on_port_opt)s(?: ssh\d*)? \[preauth\]$ ^%(__prefix_line_ml1)sUser .+ not allowed because account is locked%(__prefix_line_ml2)sReceived disconnect from : 11: .+%(__suff)s$ - ^%(__prefix_line_ml1)sDisconnecting: Too many authentication failures for .+?%(__prefix_line_ml2)sConnection closed by %(__suff)s$ - ^%(__prefix_line_ml1)sConnection from %(__on_port_opt)s%(__prefix_line_ml2)sDisconnecting: Too many authentication failures for .+%(__suff)s$ + ^%(__prefix_line_ml1)sDisconnecting: Too many authentication failures(?: for .+?)?%(__suff)s%(__prefix_line_ml2)sConnection closed by %(__suff)s$ + ^%(__prefix_line_ml1)sConnection from %(__on_port_opt)s%(__prefix_line_ml2)sDisconnecting: Too many authentication failures(?: for .+?)?%(__suff)s$ mdre-normal = mdre-ddos = ^%(__prefix_line_sl)sDid not receive identification string from %(__suff)s$ + ^%(__prefix_line_sl)sConnection reset by %(__on_port_opt)s%(__suff)s ^%(__prefix_line_ml1)sSSH: Server;Ltype: (?:Authname|Version|Kex);Remote: -\d+;[A-Z]\w+:.*%(__prefix_line_ml2)sRead from socket failed: Connection reset by peer%(__suff)s$ mdre-extra = ^%(__prefix_line_sl)sReceived disconnect from %(__on_port_opt)s:\s*14: No supported authentication methods available%(__suff)s$ diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd index b53b3d96..fe19591c 100644 --- a/fail2ban/tests/files/logs/sshd +++ b/fail2ban/tests/files/logs/sshd @@ -168,7 +168,7 @@ Feb 12 04:09:21 localhost sshd[26713]: Disconnecting: Too many authentication fa # failJSON: { "match": false } Feb 12 04:09:18 localhost sshd[26713]: Connection from 115.249.163.77 port 51353 on 127.0.0.1 port 22 # failJSON: { "time": "2005-02-12T04:09:21", "match": true , "host": "115.249.163.77", "desc": "Multiline match with interface address" } -Feb 12 04:09:21 localhost sshd[26713]: Disconnecting: Too many authentication failures for root [preauth] +Feb 12 04:09:21 localhost sshd[26713]: Disconnecting: Too many authentication failures [preauth] # failJSON: { "time": "2004-11-23T21:50:37", "match": true , "host": "61.0.0.1", "desc": "New logline format as openssh 6.8 to replace prev multiline version" } Nov 23 21:50:37 myhost sshd[21810]: error: maximum authentication attempts exceeded for root from 61.0.0.1 port 49940 ssh2 [preauth] @@ -208,6 +208,11 @@ Nov 24 23:46:41 host sshd[32686]: SSH: Server;Ltype: Authname;Remote: 127.0.0.1- # failJSON: { "time": "2004-11-24T23:46:43", "match": true , "host": "127.0.0.1", "desc": "Multiline for connection reset by peer (3)" } Nov 24 23:46:43 host sshd[32686]: fatal: Read from socket failed: Connection reset by peer [preauth] +# gh-1719: +# failJSON: { "time": "2005-03-15T09:20:57", "match": true , "host": "192.0.2.39", "desc": "Singleline for connection reset by" } +Mar 15 09:20:57 host sshd[28972]: Connection reset by 192.0.2.39 port 14282 [preauth] + + # filterOptions: {"mode": "extra"} # several other cases from gh-864: