fixed timeregex for apache

2006-02-10 18:08:01 +00:00 · 2006-02-10 18:08:01 +00:00 · eb4047f85c
parent 38fa465cae
commit eb4047f85c
3 changed files with 45 additions and 16 deletions
--- a/config/fail2ban.conf.default
+++ b/config/fail2ban.conf.default
@ -263,18 +263,19 @@ port = http
 logfile = /var/log/apache/access.log

 # Option:  timeregex
-# Notes.:  regex to match timestamp in Apache logfile.
-# Values:  [Wed Jan 05 15:08:01 2005]
+# Notes.:  regex to match timestamp in Apache logfile. Seems to be
+#          Debian specific configuration
+# Values:  [08/Feb/2006:01:08:46]
 # Default: \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
 #
-timeregex = \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
+timeregex = \d{2}/\S{3}/\d{4}:\d{2}:\d{2}:\d{2}

 # Option:  timepattern
 # Notes.:  format used in "timeregex" fields definition. Note that '%' must be
 #          escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule)
 # Values:  TEXT  Default:  %%a %%b %%d %%H:%%M:%%S %%Y
 #
-timepattern = %%a %%b %%d %%H:%%M:%%S %%Y
+timepattern = %%d/%%b/%%Y:%%H:%%M:%%S

 # Option:  failregex
 # Notes.:  regex to match the password failure messages in the logfile.
@ -312,14 +313,14 @@ maxfailures = 2
 # Values:  [Wed Jan 05 15:08:01 2005]
 # Default: \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
 #
-timeregex = \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
+timeregex = \d{2}/\S{3}/\d{4}:\d{2}:\d{2}:\d{2}

 # Option:  timepattern
 # Notes.:  format used in "timeregex" fields definition. Note that '%' must be
 #          escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule)
 # Values:  TEXT  Default:  %%a %%b %%d %%H:%%M:%%S %%Y
 #
-timepattern = %%a %%b %%d %%H:%%M:%%S %%Y
+timepattern = %%d/%%b/%%Y:%%H:%%M:%%S

 # Option:  failregex
 # Notes.:  regex to match the password failure messages in the logfile.
--- a/debian/README.Debian
+++ b/debian/README.Debian
@ -1,12 +1,14 @@
 fail2ban for Debian
 -------------------

-This package is ~96% identical to the upstream version. Few feature
+This package is ~95% identical to the upstream version. Few feature
 could have been added but not yet propagated into upstream
-version. Due to tight collaboration with upstream author most of the
-Debian modifications penetrate into the next upstream.
+version. And although due to tight collaboration with upstream author
+most of the Debian modifications penetrate into the next upstream, few
+features present in Debian release were rejected by the upstream
+author (-e option for instance)

-Currently the main difference with upstream: python libraries are
+Currently, the major difference with upstream: python libraries are
 placed under /usr/share/fail2ban instead of /usr/lib/fail2ban to
 comply with policy regarding architecture independent resources.

@ -19,10 +21,14 @@ fail2ban with apache, please enable apache section manually in
 in /etc/default/fail2ban to avoid conflicts during upgrade of the
 config file.

+N.B. '-e' command line parameter is present solely in Debian release
+ of fail2ban, thus it will not work if you decided to proceed with
+ vanilla upstream.
+
 Troubleshooting:
 ---------------

-Updated failregex:
+* Updated failregex:

 To resolve the security bug #330827 [1] failregex expressions must
 provide a named group (?P<host>...) as a placeholder of the abuser's
@ -34,7 +40,8 @@ just a single group (?P<host>...)

 [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330827

-"Interpolations" in the config file:
+
+* "Interpolations" in the config file:

 Since version 0.6.0-3 to reduce duplication, thus to improve
 readability of the config file, interpolations provided by the module
@ -47,7 +54,8 @@ appreciate if you share them with me, so they could be eventually
 included in the fail2ban package for general use by the rest of the
 community.

-Mailing:
+
+* Mailing:

 As it was reported (bug #329722) you might need to provide a full
 e-mail address in fail2ban.conf option MAIL:from to make your mail
@ -58,13 +66,26 @@ work nicely now
 See TODO.Debian for more details, as well as the Debian Bug Tracking
 system.

-Dirty exit:
+
+* Dirty exit:

 If firewall rules gets cleaned out before fail2ban exits (like was
 happening with firestarter), errors get reported during the exit of
 fail2ban, but they are "safe" and can be ignored.

-Ban time:
+
+* Ban "Not allowed" attempts:
+
+Make sure that you have
+ChallengeResponseAuthentication no
+PasswordAuthentication yes
+
+Details from the bug report #350980 [2]
+
+[2]  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=350980
+
+
+* Bantime:

 An IP is banned for "bantime" not since the last failed login attempt
 from the IP, but rather since the moment when failed login was
--- a/debian/changelog
+++ b/debian/changelog
@ -1,5 +1,12 @@
-fail2ban (0.6.0-3.3) unstable; urgency=low
+fail2ban (0.6.0-3.4) UNRELEASED; urgency=low

+  * Modifications in README.Debian to reflect a "finding" on
+    not-AllowedUsers banning which requires default Debian configuration
+    of "ChallengeResponseAuthentication no" and "PasswordAuthentication
+    yes"
+  * Fixed Apache timeregex and timepattern to confirm
+    the fomat of time stamp used in Debian's acccess.log (error.log uses
+    RFC 2822 format)
  * Added section ApacheAttacks to specify some common patterns of attacks on
    a webserver (awstats.pl as a try). This section stays split from Apache
    since it is of different nature and might be not appropriate for some