From f0399ca5a4c9ede9b5c5a14c51a0a102ac59ef7d Mon Sep 17 00:00:00 2001 From: Cyril Jaquier Date: Tue, 4 Mar 2008 22:41:28 +0000 Subject: [PATCH] - Absorbed some Debian patches. Thanks to Yaroslav Halchenko. - Renamed actionend to actionstop. git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@658 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- ChangeLog | 1 + config/action.d/dummy.conf | 2 +- config/action.d/hostsdeny.conf | 2 +- config/action.d/ipfw.conf | 2 +- config/action.d/iptables-allports.conf | 2 +- config/action.d/iptables-multiport.conf | 2 +- config/action.d/iptables-new.conf | 2 +- config/action.d/iptables.conf | 2 +- config/action.d/mail-buffered.conf | 2 +- config/action.d/mail-whois-lines.conf | 12 ++++++------ config/action.d/mail-whois.conf | 2 +- config/action.d/mail.conf | 2 +- config/action.d/sendmail-buffered.conf | 2 +- config/action.d/sendmail-whois-lines.conf | 2 +- config/action.d/sendmail-whois.conf | 2 +- config/action.d/sendmail.conf | 2 +- config/action.d/shorewall.conf | 2 +- config/filter.d/apache-noscript.conf | 2 +- config/filter.d/proftpd.conf | 6 ++++-- config/filter.d/sshd.conf | 2 ++ config/filter.d/vsftpd.conf | 2 +- 21 files changed, 30 insertions(+), 25 deletions(-) diff --git a/ChangeLog b/ChangeLog index 01c34b22..41aa9c53 100644 --- a/ChangeLog +++ b/ChangeLog @@ -36,6 +36,7 @@ ver. 0.8.2 (2008/??/??) - stable - "reload " reloads a single jail and the parameters in fail2ban.conf. - Added Mac OS/X startup script. Thanks to Bill Heaton. +- Absorbed some Debian patches. Thanks to Yaroslav Halchenko. ver. 0.8.1 (2007/08/14) - stable ---------- diff --git a/config/action.d/dummy.conf b/config/action.d/dummy.conf index cc729fdd..be426b4a 100644 --- a/config/action.d/dummy.conf +++ b/config/action.d/dummy.conf 
@@ -14,7 +14,7 @@ actionstart = touch /tmp/fail2ban.dummy echo "" >> /tmp/fail2ban.dummy -# Option: actionend +# Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # diff --git a/config/action.d/hostsdeny.conf b/config/action.d/hostsdeny.conf index c7b836fc..2e314eb3 100644 --- a/config/action.d/hostsdeny.conf +++ b/config/action.d/hostsdeny.conf @@ -13,7 +13,7 @@ # actionstart = -# Option: actionend +# Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # diff --git a/config/action.d/ipfw.conf b/config/action.d/ipfw.conf index 5305265e..6fd12c19 100644 --- a/config/action.d/ipfw.conf +++ b/config/action.d/ipfw.conf @@ -15,7 +15,7 @@ actionstart = -# Option: actionend +# Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # diff --git a/config/action.d/iptables-allports.conf b/config/action.d/iptables-allports.conf index a95065d4..123bac69 100644 --- a/config/action.d/iptables-allports.conf +++ b/config/action.d/iptables-allports.conf @@ -17,7 +17,7 @@ actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN iptables -I INPUT -p -j fail2ban- -# Option: actionend +# Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # diff --git a/config/action.d/iptables-multiport.conf b/config/action.d/iptables-multiport.conf index f881a782..fe3712d5 100644 --- a/config/action.d/iptables-multiport.conf +++ b/config/action.d/iptables-multiport.conf @@ -15,7 +15,7 @@ actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN iptables -I INPUT -p -m multiport --dports -j fail2ban- -# Option: actionend +# Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # diff --git a/config/action.d/iptables-new.conf b/config/action.d/iptables-new.conf index ef9571c5..373826c2 100644 --- a/config/action.d/iptables-new.conf +++ b/config/action.d/iptables-new.conf 
@@ -17,7 +17,7 @@ actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN iptables -I INPUT -m state --state NEW -p --dport -j fail2ban- -# Option: actionend +# Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # diff --git a/config/action.d/iptables.conf b/config/action.d/iptables.conf index de3646f6..daef9267 100644 --- a/config/action.d/iptables.conf +++ b/config/action.d/iptables.conf @@ -15,7 +15,7 @@ actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN iptables -I INPUT -p --dport -j fail2ban- -# Option: actionend +# Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf index a39ca2b2..c761847a 100644 --- a/config/action.d/mail-buffered.conf +++ b/config/action.d/mail-buffered.conf @@ -17,7 +17,7 @@ actionstart = echo -en "Hi,\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] : started" -# Option: actionend +# Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf index 7e371557..08f2a932 100644 --- a/config/action.d/mail-whois-lines.conf +++ b/config/action.d/mail-whois-lines.conf @@ -7,7 +7,7 @@ [Definition] -# Option: fwstart +# Option: actionstart # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # @@ -16,7 +16,7 @@ actionstart = echo -en "Hi,\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] : started" -# Option: fwend +# Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # 
@@ -25,13 +25,13 @@ actionstop = echo -en "Hi,\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] : stopped" -# Option: fwcheck -# Notes.: command executed once before each fwban command +# Option: actioncheck +# Notes.: command executed once before each actionban command # Values: CMD # actioncheck = -# Option: fwban +# Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: IP address @@ -50,7 +50,7 @@ actionban = echo -en "Hi,\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] : banned " -# Option: fwunban +# Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: IP address diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf index 39f7fdac..1a2a2f0e 100644 --- a/config/action.d/mail-whois.conf +++ b/config/action.d/mail-whois.conf @@ -16,7 +16,7 @@ actionstart = echo -en "Hi,\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] : started" -# Option: actionend +# Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf index 7c901894..940ccc03 100644 --- a/config/action.d/mail.conf +++ b/config/action.d/mail.conf @@ -16,7 +16,7 @@ actionstart = echo -en "Hi,\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] : started" -# Option: actionend +# Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # diff --git a/config/action.d/sendmail-buffered.conf b/config/action.d/sendmail-buffered.conf index 621034f0..153aa574 100644 --- a/config/action.d/sendmail-buffered.conf +++ b/config/action.d/sendmail-buffered.conf @@ -20,7 +20,7 @@ actionstart = echo -en "Subject: [Fail2Ban] : started Regards,\n Fail2Ban" | /usr/sbin/sendmail -f -# Option: actionend +# Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # 
diff --git a/config/action.d/sendmail-whois-lines.conf b/config/action.d/sendmail-whois-lines.conf index 68555ad2..4ab21348 100644 --- a/config/action.d/sendmail-whois-lines.conf +++ b/config/action.d/sendmail-whois-lines.conf @@ -19,7 +19,7 @@ actionstart = echo -en "Subject: [Fail2Ban] : started Regards,\n Fail2Ban" | /usr/sbin/sendmail -f -# Option: actionend +# Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # diff --git a/config/action.d/sendmail-whois.conf b/config/action.d/sendmail-whois.conf index 9f72ca7d..2d8ab96c 100644 --- a/config/action.d/sendmail-whois.conf +++ b/config/action.d/sendmail-whois.conf @@ -19,7 +19,7 @@ actionstart = echo -en "Subject: [Fail2Ban] : started Regards,\n Fail2Ban" | /usr/sbin/sendmail -f -# Option: actionend +# Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # diff --git a/config/action.d/sendmail.conf b/config/action.d/sendmail.conf index 367d9119..111c3d6e 100644 --- a/config/action.d/sendmail.conf +++ b/config/action.d/sendmail.conf @@ -19,7 +19,7 @@ actionstart = echo -en "Subject: [Fail2Ban] : started Regards,\n Fail2Ban" | /usr/sbin/sendmail -f -# Option: actionend +# Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # diff --git a/config/action.d/shorewall.conf b/config/action.d/shorewall.conf index 83e66975..71238a1b 100644 --- a/config/action.d/shorewall.conf +++ b/config/action.d/shorewall.conf @@ -13,7 +13,7 @@ # actionstart = -# Option: actionend +# Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # diff --git a/config/filter.d/apache-noscript.conf b/config/filter.d/apache-noscript.conf index 6f57cc8c..636dcd53 100644 --- a/config/filter.d/apache-noscript.conf +++ b/config/filter.d/apache-noscript.conf 
@@ -14,7 +14,7 @@ # (?:::f{4,6}:)?(?P\S+) # Values: TEXT # -failregex = [[]client []] File does not exist: .*(\.php|\.asp) +failregex = [[]client []] (File does not exist|script not found or unable to stat): .*(\.php|\.asp|\.exe|\.pl) # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff --git a/config/filter.d/proftpd.conf b/config/filter.d/proftpd.conf index 45b91c66..4794d084 100644 --- a/config/filter.d/proftpd.conf +++ b/config/filter.d/proftpd.conf @@ -14,8 +14,10 @@ # (?:::f{4,6}:)?(?P\S+) # Values: TEXT # -failregex = USER \S+: no such user found from \S* ?\[\] to \S+\s*$ - \(\S*\[\]\) - USER \S+ \(Login failed\): Incorrect password.$ +failregex = \(\S+\[\]\): USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+$ + \(\S+\[\]\): USER \S+ \(Login failed\): Incorrect password\.$ + \(\S+\[\]\): SECURITY VIOLATION: \S+ login attempted\.$ + \(\S+\[\]\): Maximum login attempts \(\d+\) exceeded$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf index 84d09614..c8893e56 100644 --- a/config/filter.d/sshd.conf +++ b/config/filter.d/sshd.conf @@ -28,6 +28,8 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* fro ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$ ^%(__prefix_line)sUser \S+ from not allowed because not listed in AllowUsers$ + ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=(?:\s+user=.*)?\s*$ + ^%(__prefix_line)srefused connect from \S+ \(\)\s*$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff --git a/config/filter.d/vsftpd.conf b/config/filter.d/vsftpd.conf index 9f955fae..d905f825 100644 --- a/config/filter.d/vsftpd.conf +++ b/config/filter.d/vsftpd.conf 
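Review bot: In the apache-noscript.conf hunk the new extension group `(\.php|\.asp|\.exe|\.pl)` has nothing after it, so together with the preceding `.*` it matches anywhere in the rest of the line. `\.pl` also matches `.plain`, and if the server appends more text to the message (a referer, for instance, which is not visible here), a `.php` in that text would count against a client whose missing file was something else. Every match counts toward a ban, so this widens false positives rather than detection. Consider tying the suffix to the requested path, e.g. `: [^,]*\.(?:php|asp|exe|pl)\s*(?:,|$)`, and using non-capturing groups so that only the host group captures.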
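Review bot: None of the four new `failregex` lines in the proftpd.conf hunk begins with `^`, so each can match from any offset in the log line. The text in front of the host group is `\S+`, which looks like the peer's reverse-DNS name and so is not under the server's control. The sshd patterns added in this same commit start with `^%(__prefix_line)s`; if this filter can use the common prefix definition, starting each line the same way keeps the host group tied to the position where the daemon writes the peer address. The first pattern also fixes the `from` address as `\[[0-9.]+\]`, which deserves a comment such as `# IPv4 only`. The missing start anchor applies to the vsftpd.conf hunk as well.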
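Review bot: The added `authentication failure; logname=\S* ...` line in the sshd.conf hunk matches the PAM-level record, while the list already holds patterns for the daemon's own failure messages, so one failed login may be counted twice and reach `maxretry` in fewer attempts than configured. The `failregex` list starts above this hunk and only part of it is visible, so this should be confirmed against real logs. A comment above the two new lines naming their source would help the next maintainer, e.g. `# PAM and tcp-wrappers messages (absorbed from the Debian package)`.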
@@ -14,7 +14,7 @@ # (?:::f{4,6}:)?(?P\S+) # Values: TEXT # -failregex = vsftpd(?:\[\d+\])?: .* authentication failure; .* rhost=\s*$ +failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=(?:\s+user=\S*)?\s*$ \[.+\] FAIL LOGIN: Client ""\s*$ # Option: ignoreregex
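Review bot: The rewritten vsftpd pattern keeps `.*` before `authentication failure;` and again before `rhost=`, and because that last wildcard is greedy the host group binds to the final `rhost=` on the line. The surrounding fields (the remote user, and now the optional `user=`) carry names supplied by the client, so loose wildcards make it harder to be sure the banned address is the one the server recorded. The sshd pattern added in this commit spells the fields out instead; the same form here would be `authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$`. The host placeholder appears to have been lost in this rendering of the hunk, so the quoted line puts it where the filter's header comment implies.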