fixed timeregex for apache

debian-releases/etch
Yaroslav Halchenko 2006-02-10 18:08:01 +00:00
parent 38fa465cae
commit eb4047f85c
3 changed files with 45 additions and 16 deletions

@ -263,18 +263,19 @@ port = http
logfile = /var/log/apache/access.log logfile = /var/log/apache/access.log
# Option: timeregex # Option: timeregex
# Notes.: regex to match timestamp in Apache logfile. # Notes.: regex to match timestamp in Apache logfile. Seems to be
# Values: [Wed Jan 05 15:08:01 2005] # Debian specific configuration
# Values: [08/Feb/2006:01:08:46]
# Default: \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} # Default: \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
# #
timeregex = \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} timeregex = \d{2}/\S{3}/\d{4}:\d{2}:\d{2}:\d{2}
# Option: timepattern # Option: timepattern
# Notes.: format used in "timeregex" fields definition. Note that '%' must be # Notes.: format used in "timeregex" fields definition. Note that '%' must be
# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule) # escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule)
# Values: TEXT Default: %%a %%b %%d %%H:%%M:%%S %%Y # Values: TEXT Default: %%a %%b %%d %%H:%%M:%%S %%Y
# #
timepattern = %%a %%b %%d %%H:%%M:%%S %%Y timepattern = %%d/%%b/%%Y:%%H:%%M:%%S
# Option: failregex # Option: failregex
# Notes.: regex to match the password failure messages in the logfile. # Notes.: regex to match the password failure messages in the logfile.
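Review bot: The `# Default:` comments for timeregex and timepattern in this hunk still show the old `\S{3} \S{3} \d{2} ...` and `%%a %%b %%d ...` forms, while the values set directly below them are now the access.log form. If "Default" means the upstream default, say so in the comment; otherwise update both lines so the comment block does not contradict the setting. In the new timeregex, `\S{3}` for the month accepts any three non-space characters; `[A-Za-z]{3}` would be tighter and still match the new Values example `[08/Feb/2006:01:08:46]`. The wording "Seems to be Debian specific configuration" should be confirmed before it ships as documentation.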
@ -312,14 +313,14 @@ maxfailures = 2
# Values: [Wed Jan 05 15:08:01 2005] # Values: [Wed Jan 05 15:08:01 2005]
# Default: \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} # Default: \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
# #
timeregex = \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} timeregex = \d{2}/\S{3}/\d{4}:\d{2}:\d{2}:\d{2}
# Option: timepattern # Option: timepattern
# Notes.: format used in "timeregex" fields definition. Note that '%' must be # Notes.: format used in "timeregex" fields definition. Note that '%' must be
# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule) # escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule)
# Values: TEXT Default: %%a %%b %%d %%H:%%M:%%S %%Y # Values: TEXT Default: %%a %%b %%d %%H:%%M:%%S %%Y
# #
timepattern = %%a %%b %%d %%H:%%M:%%S %%Y timepattern = %%d/%%b/%%Y:%%H:%%M:%%S
# Option: failregex # Option: failregex
# Notes.: regex to match the password failure messages in the logfile. # Notes.: regex to match the password failure messages in the logfile.
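Review bot: The `# Values: [Wed Jan 05 15:08:01 2005]` comment at the top of this hunk is left unchanged, but the timeregex below it now matches the `08/Feb/2006:01:08:46` form, so the documented example no longer matches the pattern. The first hunk updated its Values line and this one should get the same change. The hunk context does not show which logfile this section reads, and the changelog entry in this commit says error.log uses a different timestamp format, so please confirm this section points at access.log; if it reads error.log, the new timeregex will not match its timestamps.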

39
debian/README.Debian vendored

@ -1,12 +1,14 @@
fail2ban for Debian fail2ban for Debian
------------------- -------------------
This package is ~96% identical to the upstream version. Few feature This package is ~95% identical to the upstream version. Few feature
could have been added but not yet propagated into upstream could have been added but not yet propagated into upstream
version. Due to tight collaboration with upstream author most of the version. And although due to tight collaboration with upstream author
Debian modifications penetrate into the next upstream. most of the Debian modifications penetrate into the next upstream, few
features present in Debian release were rejected by the upstream
author (-e option for instance)
Currently the main difference with upstream: python libraries are Currently, the major difference with upstream: python libraries are
placed under /usr/share/fail2ban instead of /usr/lib/fail2ban to placed under /usr/share/fail2ban instead of /usr/lib/fail2ban to
comply with policy regarding architecture independent resources. comply with policy regarding architecture independent resources.
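Review bot: The added sentence ending "(-e option for instance)" has no closing period, and "few features present in Debian release were rejected" reads as "hardly any"; "a few features" is what is meant. The change from ~96% to ~95% is not explained anywhere in the hunk; if the figure is not measured, consider dropping the number and describing the differences instead.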
@ -19,10 +21,14 @@ fail2ban with apache, please enable apache section manually in
in /etc/default/fail2ban to avoid conflicts during upgrade of the in /etc/default/fail2ban to avoid conflicts during upgrade of the
config file. config file.
N.B. '-e' command line parameter is present solely in Debian release
of fail2ban, thus it will not work if you decided to proceed with
vanilla upstream.
Troubleshooting: Troubleshooting:
--------------- ---------------
Updated failregex: * Updated failregex:
To resolve the security bug #330827 [1] failregex expressions must To resolve the security bug #330827 [1] failregex expressions must
provide a named group (?P<host>...) as a placeholder of the abuser's provide a named group (?P<host>...) as a placeholder of the abuser's
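Review bot: The new N.B. paragraph says the '-e' command line parameter exists only in the Debian release but does not say what the option does. Add a one-line description or a pointer to the man page so a reader moving to vanilla upstream knows which behaviour is lost.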
@ -34,7 +40,8 @@ just a single group (?P<host>...)
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330827 [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330827
"Interpolations" in the config file:
* "Interpolations" in the config file:
Since version 0.6.0-3 to reduce duplication, thus to improve Since version 0.6.0-3 to reduce duplication, thus to improve
readability of the config file, interpolations provided by the module readability of the config file, interpolations provided by the module
@ -47,7 +54,8 @@ appreciate if you share them with me, so they could be eventually
included in the fail2ban package for general use by the rest of the included in the fail2ban package for general use by the rest of the
community. community.
Mailing:
* Mailing:
As it was reported (bug #329722) you might need to provide a full As it was reported (bug #329722) you might need to provide a full
e-mail address in fail2ban.conf option MAIL:from to make your mail e-mail address in fail2ban.conf option MAIL:from to make your mail
@ -58,13 +66,26 @@ work nicely now
See TODO.Debian for more details, as well as the Debian Bug Tracking See TODO.Debian for more details, as well as the Debian Bug Tracking
system. system.
Dirty exit:
* Dirty exit:
If firewall rules gets cleaned out before fail2ban exits (like was If firewall rules gets cleaned out before fail2ban exits (like was
happening with firestarter), errors get reported during the exit of happening with firestarter), errors get reported during the exit of
fail2ban, but they are "safe" and can be ignored. fail2ban, but they are "safe" and can be ignored.
Ban time:
* Ban "Not allowed" attempts:
Make sure that you have
ChallengeResponseAuthentication no
PasswordAuthentication yes
Details from the bug report #350980 [2]
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=350980
* Bantime:
An IP is banned for "bantime" not since the last failed login attempt An IP is banned for "bantime" not since the last failed login attempt
from the IP, but rather since the moment when failed login was from the IP, but rather since the moment when failed login was
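Review bot: The new 'Ban "Not allowed" attempts' item lists `ChallengeResponseAuthentication no` and `PasswordAuthentication yes` without naming the file they belong in (presumably sshd_config) or saying why fail2ban needs them. Because `PasswordAuthentication yes` turns on password logins, the text should state that it applies to hosts that already allow password authentication and is not a recommendation to enable it on key-only setups. A one-sentence summary of the reason from bug #350980 would also save the reader from following the link.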

9
debian/changelog vendored

@ -1,5 +1,12 @@
fail2ban (0.6.0-3.3) unstable; urgency=low fail2ban (0.6.0-3.4) UNRELEASED; urgency=low
* Modifications in README.Debian to reflect a "finding" on
not-AllowedUsers banning which requires default Debian configuration
of "ChallengeResponseAuthentication no" and "PasswordAuthentication
yes"
* Fixed Apache timeregex and timepattern to confirm
the fomat of time stamp used in Debian's acccess.log (error.log uses
RFC 2822 format)
* Added section ApacheAttacks to specify some common patterns of attacks on * Added section ApacheAttacks to specify some common patterns of attacks on
a webserver (awstats.pl as a try). This section stays split from Apache a webserver (awstats.pl as a try). This section stays split from Apache
since it is of different nature and might be not appropriate for some since it is of different nature and might be not appropriate for some
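Review bot: The new timeregex entry has three wording errors: "confirm" should be "conform to", "fomat" should be "format", and "acccess.log" should be "access.log". The claim that error.log uses RFC 2822 format should be checked: if error.log has the `[Wed Jan 05 15:08:01 2005]` form shown in the config comments, that is an asctime-style timestamp, not RFC 2822. The header line is also changed in place from 0.6.0-3.3 to 0.6.0-3.4, which moves the existing ApacheAttacks entry under the new version; confirm 3.3 was never uploaded, otherwise 3.4 needs its own stanza.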