From eb4047f85cf7458ed2ff0298913be3b8109c1e66 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Fri, 10 Feb 2006 18:08:01 +0000
Subject: [PATCH] fixed timeregex for apache

---
 config/fail2ban.conf.default | 13 ++++++------
 debian/README.Debian | 39 +++++++++++++++++++++++++++---------
 debian/changelog | 9 ++++++++-
 3 files changed, 45 insertions(+), 16 deletions(-)

diff --git a/config/fail2ban.conf.default b/config/fail2ban.conf.default
index 91821d94..4e07c2b4 100644
--- a/config/fail2ban.conf.default
+++ b/config/fail2ban.conf.default
@@ -263,18 +263,19 @@ port = http
 logfile = /var/log/apache/access.log
 # Option: timeregex
-# Notes.: regex to match timestamp in Apache logfile.
-# Values: [Wed Jan 05 15:08:01 2005]
+# Notes.: regex to match timestamp in Apache logfile. Seems to be
+# Debian specific configuration
+# Values: [08/Feb/2006:01:08:46]
 # Default: \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
 #
-timeregex = \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
+timeregex = \d{2}/\S{3}/\d{4}:\d{2}:\d{2}:\d{2}
 
 # Option: timepattern
 # Notes.: format used in "timeregex" fields definition. Note that '%' must be
 # escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule)
 # Values: TEXT Default: %%a %%b %%d %%H:%%M:%%S %%Y
 #
-timepattern = %%a %%b %%d %%H:%%M:%%S %%Y
+timepattern = %%d/%%b/%%Y:%%H:%%M:%%S
 
 # Option: failregex
 # Notes.: regex to match the password failure messages in the logfile.
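Review bot: The `# Default:` line kept just above the new `timeregex =` still shows the old `\S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}` pattern, so the comment block now documents one timestamp format while the value beneath it uses another; the second hunk (at `@@ -312,14 +313,14 @@`) carries the same stale `# Default:` line. If the old pattern is kept on purpose as the upstream default, say so in place, e.g. `# Default: \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} (upstream; Debian ships the access.log form below)`. The added `Seems to be Debian specific configuration` note looks inaccurate: `dd/Mon/yyyy:HH:MM:SS` is the timestamp of Apache's standard access-log format rather than a Debian change, while the removed pattern is the form Apache's error.log uses, which appears to be what the changelog hunk in this commit itself says, so the two comments contradict each other. Since this regex decides which access.log lines fail2ban will consider at all, it is worth tightening: `\S{3}` accepts any three non-blank characters for the month, and the access-log timestamp is followed by a `±HHMM` zone offset that neither `timeregex` nor `timepattern` captures, so confirm that parsing without it yields the offset-free time comparison fail2ban's findtime window expects.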
@@ -312,14 +313,14 @@ maxfailures = 2
 # Values: [Wed Jan 05 15:08:01 2005]
 # Default: \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
 #
-timeregex = \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
+timeregex = \d{2}/\S{3}/\d{4}:\d{2}:\d{2}:\d{2}
 
 # Option: timepattern
 # Notes.: format used in "timeregex" fields definition. Note that '%' must be
 # escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule)
 # Values: TEXT Default: %%a %%b %%d %%H:%%M:%%S %%Y
 #
-timepattern = %%a %%b %%d %%H:%%M:%%S %%Y
+timepattern = %%d/%%b/%%Y:%%H:%%M:%%S
 
 # Option: failregex
 # Notes.: regex to match the password failure messages in the logfile.
diff --git a/debian/README.Debian b/debian/README.Debian
index 9f0a0886..d8ad922c 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -1,12 +1,14 @@
 fail2ban for Debian
 -------------------
 
-This package is ~96% identical to the upstream version. Few feature
+This package is ~95% identical to the upstream version. Few feature
 could have been added but not yet propagated into upstream
-version. Due to tight collaboration with upstream author most of the
-Debian modifications penetrate into the next upstream.
+version. And although due to tight collaboration with upstream author
+most of the Debian modifications penetrate into the next upstream, few
+features present in Debian release were rejected by the upstream
+author (-e option for instance)
 
-Currently the main difference with upstream: python libraries are
+Currently, the major difference with upstream: python libraries are
 placed under /usr/share/fail2ban instead of /usr/lib/fail2ban to comply with policy regarding architecture independent resources.
 
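Review bot: The `# Values: [Wed Jan 05 15:08:01 2005]` example at the top of this hunk is now wrong for the new `timeregex`, which expects the `[08/Feb/2006:01:08:46]` form that the first hunk's comment was changed to; update it the same way, `# Values: [08/Feb/2006:01:08:46]`. This option block starts before the hunk (its `# Option:` and `# Notes.:` lines are not shown), so the `# Notes.:` text may still describe the old format as well and should be checked alongside. Presumably this is the ApacheAttacks section the changelog mentions, but the section header lies outside the hunk.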
@@ -19,10 +21,14 @@ fail2ban with apache, please enable apache section manually in
 in /etc/default/fail2ban to avoid conflicts during upgrade of the config file.
 
+N.B. '-e' command line parameter is present solely in Debian release
+ of fail2ban, thus it will not work if you decided to proceed with
+ vanilla upstream.
+
 Troubleshooting:
 ---------------
 
-Updated failregex:
+* Updated failregex:
 
 To resolve the security bug #330827 [1] failregex expressions must provide a named group (?P...) as a placeholder of the abuser's
@@ -34,7 +40,8 @@ just a single group (?P...)
 [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330827
 
-"Interpolations" in the config file:
+
+* "Interpolations" in the config file:
 
 Since version 0.6.0-3 to reduce duplication, thus to improve readability of the config file, interpolations provided by the module
@@ -47,7 +54,8 @@ appreciate if you share them with me, so they could be eventually
 included in the fail2ban package for general use by the rest of the community.
 
-Mailing:
+
+* Mailing:
 
 As it was reported (bug #329722) you might need to provide a full e-mail address in fail2ban.conf option MAIL:from to make your mail
@@ -58,13 +66,26 @@ work nicely now
 See TODO.Debian for more details, as well as the Debian Bug Tracking system.
 
-Dirty exit:
+
+* Dirty exit:
 
 If firewall rules gets cleaned out before fail2ban exits (like was happening with firestarter), errors get reported during the exit of fail2ban, but they are "safe" and can be ignored.
 
-Ban time:
+
+* Ban "Not allowed" attempts:
+
+Make sure that you have
+ChallengeResponseAuthentication no
+PasswordAuthentication yes
+
+Details from the bug report #350980 [2]
+
+[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=350980
+
+
+* Bantime:
 
 An IP is banned for "bantime" not since the last failed login attempt from the IP, but rather since the moment when failed login was
diff --git a/debian/changelog b/debian/changelog
index 1b78800e..806079a2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,12 @@
-fail2ban (0.6.0-3.3) unstable; urgency=low
+fail2ban (0.6.0-3.4) UNRELEASED; urgency=low
 
+ * Modifications in README.Debian to reflect a "finding" on
+ not-AllowedUsers banning which requires default Debian configuration
+ of "ChallengeResponseAuthentication no" and "PasswordAuthentication
+ yes"
+ * Fixed Apache timeregex and timepattern to confirm
+ the fomat of time stamp used in Debian's acccess.log (error.log uses
+ RFC 2822 format)
 * Added section ApacheAttacks to specify some common patterns of attacks on a webserver (awstats.pl as a try). This section stays split from Apache since it is of different nature and might be not appropriate for some