From ab3a7fc6d2ea01cd4a17607398d151bb5fe2e63b Mon Sep 17 00:00:00 2001
From: sebres
Date: Mon, 17 Feb 2020 16:24:42 +0100
Subject: [PATCH 1/4] filter.d/sshd.conf: mode `ddos` (and aggressive) extended to detect port scanner sending unexpected ident string after connect
---
 config/filter.d/sshd.conf | 3 ++-
 fail2ban/tests/files/logs/sshd | 5 +++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
index c61cf960..12631cb3 100644
--- a/config/filter.d/sshd.conf
+++ b/config/filter.d/sshd.conf
@@ -52,7 +52,7 @@ cmnfailre = ^[aA]uthentication (?:failure|error|failed) for .*
 ^User .+ from not allowed because a group is listed in DenyGroups%(__suff)s$
 ^User .+ from not allowed because none of user's groups are listed in AllowGroups%(__suff)s$
 ^%(__pam_auth)s\(sshd:auth\):\s+authentication failure;(?:\s+(?:(?:logname|e?uid|tty)=\S*)){0,4}\s+ruser=\S*\s+rhost=(?:\s+user=\S*)?%(__suff)s$
- ^(error: )?maximum authentication attempts exceeded for .* from %(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
+ ^maximum authentication attempts exceeded for .* from %(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
 ^User .+ not allowed because account is locked%(__suff)s
 ^Disconnecting(?: from)?(?: (?:invalid|authenticating)) user \S+ %(__on_port_opt)s:\s*Change of username or service not allowed:\s*.*\[preauth\]\s*$
 ^Disconnecting: Too many authentication failures(?: for .+?)?%(__suff)s$
@@ -71,6 +71,7 @@ mdre-normal =
 mdre-normal-other = ^(Connection closed|Disconnected) (?:by|from)%(__authng_user)s (?:%(__suff)s|\s*)$
 mdre-ddos = ^Did not receive identification string from
+ ^kex_exchange_identification: client sent invalid protocol identifier
 ^Bad protocol version identification '.*' from
 ^Connection reset by
 ^SSH: Server;Ltype: (?:Authname|Version|Kex);Remote: -\d+;[A-Z]\w+:
diff --git a/fail2ban/tests/files/logs/sshd b/fail2ban/tests/files/logs/sshd
index 3b4f0a0a..0385f38c 100644
--- a/fail2ban/tests/files/logs/sshd
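Review bot: The new `^kex_exchange_identification: client sent invalid protocol identifier` entry in mdre-ddos carries no host of its own, so attribution depends on the `Connection from … port … on … port …` line logged earlier by the same sshd pid, which is exactly how the fixture added in fail2ban/tests/files/logs/sshd arrives at 192.0.2.10 (that `Connection from` line is itself marked `"match": false`). If I remember OpenSSH correctly, `Connection from` is emitted only at LogLevel VERBOSE, so on a default INFO configuration the new pattern fires but, as far as I can tell from the multi-line handling, has no address to act on, and an operator enabling `mode = ddos` for this probe would see no effect. That prerequisite belongs where the modes are described in the filter header, e.g. `# The kex_exchange_identification pattern takes its host from the preceding "Connection from" line, which sshd logs only at LogLevel VERBOSE.` Both the cmnfailre value in the first hunk and the mdre-ddos value start or continue outside the visible hunk lines.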
+++ b/fail2ban/tests/files/logs/sshd
@@ -305,6 +305,11 @@ Jul 17 23:04:01 srv sshd[1300]: Connection closed by authenticating user test 12
 # filterOptions: [{"test.condition":"name=='sshd'", "mode": "ddos"}, {"test.condition":"name=='sshd'", "mode": "aggressive"}]
+# failJSON: { "match": false }
+Feb 17 17:40:17 sshd[19725]: Connection from 192.0.2.10 port 62004 on 192.0.2.10 port 22
+# failJSON: { "time": "2005-02-17T17:40:17", "match": true , "host": "192.0.2.10", "desc": "ddos: port scanner (invalid protocol identifier)" }
+Feb 17 17:40:17 sshd[19725]: error: kex_exchange_identification: client sent invalid protocol identifier ""
+
 # failJSON: { "time": "2005-03-15T09:21:01", "match": true , "host": "192.0.2.212", "desc": "DDOS mode causes failure on close within preauth stage" }
 Mar 15 09:21:01 host sshd[2717]: Connection closed by 192.0.2.212 [preauth]
 # failJSON: { "time": "2005-03-15T09:21:02", "match": true , "host": "192.0.2.212", "desc": "DDOS mode causes failure on close within preauth stage" }
From e57e950ef57ab19ac8af315ecfc517039f0c5d6d Mon Sep 17 00:00:00 2001
From: sebres
Date: Tue, 25 Feb 2020 14:43:15 +0100
Subject: [PATCH 2/4] version bump (back to dev)
---
 ChangeLog | 9 ++++++++-
 fail2ban/version.py | 2 +-
 man/fail2ban-client.1 | 4 ++--
 man/fail2ban-python.1 | 2 +-
 man/fail2ban-regex.1 | 2 +-
 man/fail2ban-server.1 | 4 ++--
 man/fail2ban-testcases.1 | 2 +-
 7 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 6c7b4bd9..ea0c4a64 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,9 +6,10 @@ Fail2Ban: Changelog
 ===================
-Incompatibility list (compared to v.0.9):
+ver. 0.10.6-dev (20??/??/??) - development edition
 -----------
+### Incompatibility list (v.0.10 compared to v.0.9):
 * Filter (or `failregex`) internal capture-groups:
 - If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should
@@ -30,6 +31,12 @@ Incompatibility list (compared to v.0.9):
 * Since v0.10 fail2ban supports the matching of IPv6 addresses, but not all ban actions are
 IPv6-capable now.
+### Fixes
+
+### New Features
+
+### Enhancements
+
 ver. 0.10.5 (2020/01/10) - deserve-more-respect-a-jedis-weapon-must
 -----------
diff --git a/fail2ban/version.py b/fail2ban/version.py
index 89f6248c..e3c02e63 100644
--- a/fail2ban/version.py
+++ b/fail2ban/version.py
@@ -24,7 +24,7 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko, Steven Hiscocks, Daniel Black"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2005-2016 Yaroslav Halchenko, 2013-2014 Steven Hiscocks, Daniel Black"
 __license__ = "GPL-v2+"
-version = "0.10.5"
+version = "0.10.6-dev"
 def normVersion():
 """ Returns fail2ban version in normalized machine-readable format"""
diff --git a/man/fail2ban-client.1 b/man/fail2ban-client.1
index ad4fa0ed..84f846f2 100644
--- a/man/fail2ban-client.1
+++ b/man/fail2ban-client.1
@@ -1,12 +1,12 @@
 .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4.
-.TH FAIL2BAN-CLIENT "1" "February 2020" "fail2ban-client v0.10.5" "User Commands"
+.TH FAIL2BAN-CLIENT "1" "February 2020" "fail2ban-client v0.10.6-dev" "User Commands"
 .SH NAME
 fail2ban-client \- configure and control the server
 .SH SYNOPSIS
 .B fail2ban-client
 [\fI\,OPTIONS\/\fR] \fI\,\/\fR
 .SH DESCRIPTION
-Fail2Ban v0.10.5 reads log file that contains password failure report
+Fail2Ban v0.10.6\-dev reads log file that contains password failure report
 and bans the corresponding IP addresses using firewall rules.
 .SH OPTIONS
 .TP
diff --git a/man/fail2ban-python.1 b/man/fail2ban-python.1
index f38097c5..16ebf3ed 100644
--- a/man/fail2ban-python.1
+++ b/man/fail2ban-python.1
@@ -1,5 +1,5 @@
 .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4.
-.TH FAIL2BAN-PYTHON "1" "January 2020" "fail2ban-python 0.10.5" "User Commands"
+.TH FAIL2BAN-PYTHON "1" "February 2020" "fail2ban-python 0.10.6-dev" "User Commands"
 .SH NAME
 fail2ban-python \- a helper for Fail2Ban to assure that the same Python is used
 .SH DESCRIPTION
diff --git a/man/fail2ban-regex.1 b/man/fail2ban-regex.1
index 44154b85..bb89ef8c 100644
--- a/man/fail2ban-regex.1
+++ b/man/fail2ban-regex.1
@@ -1,5 +1,5 @@
 .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4.
-.TH FAIL2BAN-REGEX "1" "January 2020" "fail2ban-regex 0.10.5" "User Commands"
+.TH FAIL2BAN-REGEX "1" "February 2020" "fail2ban-regex 0.10.6-dev" "User Commands"
 .SH NAME
 fail2ban-regex \- test Fail2ban "failregex" option
 .SH SYNOPSIS
diff --git a/man/fail2ban-server.1 b/man/fail2ban-server.1
index c7516cc8..bca729b5 100644
--- a/man/fail2ban-server.1
+++ b/man/fail2ban-server.1
@@ -1,12 +1,12 @@
 .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4.
-.TH FAIL2BAN-SERVER "1" "February 2020" "fail2ban-server v0.10.5" "User Commands"
+.TH FAIL2BAN-SERVER "1" "February 2020" "fail2ban-server v0.10.6-dev" "User Commands"
 .SH NAME
 fail2ban-server \- start the server
 .SH SYNOPSIS
 .B fail2ban-server
 [\fI\,OPTIONS\/\fR]
 .SH DESCRIPTION
-Fail2Ban v0.10.5 reads log file that contains password failure report
+Fail2Ban v0.10.6\-dev reads log file that contains password failure report
 and bans the corresponding IP addresses using firewall rules.
 .SH OPTIONS
 .TP
diff --git a/man/fail2ban-testcases.1 b/man/fail2ban-testcases.1
index 56b02627..fd91d466 100644
--- a/man/fail2ban-testcases.1
+++ b/man/fail2ban-testcases.1
@@ -1,5 +1,5 @@
 .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4.
-.TH FAIL2BAN-TESTCASES "1" "January 2020" "fail2ban-testcases 0.10.5" "User Commands"
+.TH FAIL2BAN-TESTCASES "1" "February 2020" "fail2ban-testcases 0.10.6-dev" "User Commands"
 .SH NAME
 fail2ban-testcases \- run Fail2Ban unit-tests
 .SH SYNOPSIS
From df885586d490d1149efda1b59269c69e7185549f Mon Sep 17 00:00:00 2001
From: Christopher Gurnee
Date: Wed, 19 Feb 2020 15:28:12 -0500
Subject: [PATCH 3/4] close Popen() pipes explicitly for PyPy
Waiting for garbage collection to close pipes opened by Popen() can lead to "Too many open files" errors with PyPy; close them explicitly.
---
 ChangeLog | 1 +
 fail2ban/server/utils.py | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index ea0c4a64..007e4ffc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -32,6 +32,7 @@ ver. 0.10.6-dev (20??/??/??) - development edition
 IPv6-capable now.
 ### Fixes
+* restoring a large number (500+ depending on files ulimit) of current bans when using PyPy fixed
 ### New Features
diff --git a/fail2ban/server/utils.py b/fail2ban/server/utils.py
index 2bde3f4d..8e8b0571 100644
--- a/fail2ban/server/utils.py
+++ b/fail2ban/server/utils.py
@@ -260,7 +260,6 @@ class Utils():
 if stdout is not None and stdout != '' and std_level >= logSys.getEffectiveLevel():
 for l in stdout.splitlines():
 logSys.log(std_level, "%x -- stdout: %r", realCmdId, uni_decode(l))
- popen.stdout.close()
 if popen.stderr:
 try:
 if retcode is None or retcode < 0:
@@ -271,7 +270,8 @@ class Utils():
 if stderr is not None and stderr != '' and std_level >= logSys.getEffectiveLevel():
 for l in stderr.splitlines():
 logSys.log(std_level, "%x -- stderr: %r", realCmdId, uni_decode(l))
- popen.stderr.close()
+ popen.stdout.close()
+ popen.stderr.close()
 success = False
 if retcode in success_codes:
From 6c6cf2a9562fa6de53432dd39debbec0985d2967 Mon Sep 17 00:00:00 2001
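Review bot: On the new side the two `close()` calls sit after the stderr read-and-log section rather than in a `finally`, so any exception raised between reading the pipes and reaching them (for instance out of the `try:` visible in the first utils.py hunk, should its handler re-raise) or an earlier `return` leaves both descriptors open, which under PyPy's non-refcounting GC is the same "Too many open files" condition this commit is fixing. Moving `popen.stdout.close()` and `popen.stderr.close()` into the `finally:` of a `try:` that spans the stdout/stderr handling would release them on every exit path; the same applies to the guarded variant in the 4/4 hunk below. The enclosing method of `class Utils` begins and ends outside both hunks, so the exact span of that `try:` needs the full function.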
From: sebres
Date: Tue, 25 Feb 2020 15:06:04 +0100
Subject: [PATCH 4/4] small amend (avoid possible error by close of not existing pipe)
---
 fail2ban/server/utils.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fail2ban/server/utils.py b/fail2ban/server/utils.py
index 8e8b0571..053aa04f 100644
--- a/fail2ban/server/utils.py
+++ b/fail2ban/server/utils.py
@@ -270,8 +270,9 @@ class Utils():
 if stderr is not None and stderr != '' and std_level >= logSys.getEffectiveLevel():
 for l in stderr.splitlines():
 logSys.log(std_level, "%x -- stderr: %r", realCmdId, uni_decode(l))
- popen.stdout.close()
- popen.stderr.close()
+
+ if popen.stdout: popen.stdout.close()
+ if popen.stderr: popen.stderr.close()
 success = False
 if retcode in success_codes:
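Review bot: `if popen.stdout: popen.stdout.close()` relies on the truthiness of a file object, which is always true, so the guard only ever distinguishes `None` (pipe not requested); writing it as `if popen.stdout is not None:` with `popen.stdout.close()` on its own line says so directly and avoids the compound one-line statement PEP 8 discourages, with the same for `popen.stderr`. Closing an already-closed file object is a no-op, so the guards exist solely for the `None` case, which deserves a short comment such as `# pipes are None when not requested; close explicitly, PyPy does not reclaim them promptly`. The enclosing method of `class Utils` begins and ends outside the hunk.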