From 499b33f8a60b2f16e658bf98cdd0a7c3ff082476 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Wed, 22 Jan 2014 08:37:51 +1100 Subject: [PATCH 01/48] DOC: post release versioning --- ChangeLog | 11 ++++++++++- common/version.py | 2 +- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 273718ca..5ec794fe 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,9 +4,18 @@ |_| \__,_|_|_/___|_.__/\__,_|_||_| ================================================================================ -Fail2Ban (version 0.8.12) 2014/01/22 +Fail2Ban (version 0.8.12.dev) 2014/01/22 ================================================================================ +ver. 0.8.13 (2014/XX/XXX) - maintaince-only-from-now-on +----------- + +- Fixes: + +- New Features: + +- Enhancements: + ver. 0.8.12 (2014/01/22) - things-can-only-get-better ----------- diff --git a/common/version.py b/common/version.py index 871ecd04..f0ce8877 100644 --- a/common/version.py +++ b/common/version.py @@ -24,4 +24,4 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko" __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko" __license__ = "GPL" -version = "0.8.12" +version = "0.8.12.dev" From ca574270802c4f2bac9a24a5ef71315c017570cb Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Thu, 23 Jan 2014 17:41:13 +1100 Subject: [PATCH 02/48] BF: firewallcmd-ipset had non-working actioncheck --- ChangeLog | 2 ++ THANKS | 1 + config/action.d/firewallcmd-ipset.conf | 2 -- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5ec794fe..a03b1858 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,8 @@ ver. 0.8.13 (2014/XX/XXX) - maintaince-only-from-now-on ----------- - Fixes: + - action firewallcmd-ipset had non-working actioncheck. Removed. + redhat bug #1046816. - New Features: diff --git a/THANKS b/THANKS index a5ef4fda..a1e2b92d 100644 --- a/THANKS +++ b/THANKS 
@@ -30,6 +30,7 @@ Daniel B. Cid Daniel B. Daniel Black David Nutter +Derek Atkins Eric Gerbier Enrico Labedzki ftoppi diff --git a/config/action.d/firewallcmd-ipset.conf b/config/action.d/firewallcmd-ipset.conf index 2c4a36f1..03e30c3c 100644 --- a/config/action.d/firewallcmd-ipset.conf +++ b/config/action.d/firewallcmd-ipset.conf @@ -25,8 +25,6 @@ actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -p ipset destroy fail2ban- -actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q '^fail2ban-$' - actionban = ipset add fail2ban- timeout -exist actionunban = ipset del fail2ban- -exist From 256c732bcdada8ee33c74bca7011589aa52c2ad2 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Sat, 25 Jan 2014 12:19:46 +1100 Subject: [PATCH 03/48] BF/ENH: filter pure-ftpd - re-add _daemon. Add translations _daemon was accidently removed in 89fd792dfbd09f331858d04bbe4f2d290d63b969 Added translations from source code --- config/filter.d/pure-ftpd.conf | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/config/filter.d/pure-ftpd.conf b/config/filter.d/pure-ftpd.conf index e96009b2..b6d36603 100644 --- a/config/filter.d/pure-ftpd.conf +++ b/config/filter.d/pure-ftpd.conf 
@@ -12,13 +12,19 @@ before = common.conf [Definition] -# Error message specified in multiple languages -__errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'utilisateur) +_daemon = pure-ftpd -failregex = ^%(__prefix_line)s\(.+?@\) \[WARNING\] %(__errmsg)s \[.+\]\s*$ +# Error message specified in multiple languages +__errmsg = (?:�ϥΪ�\[.*\]���ҥ���|ʹ����\[.*\]��֤ʧ��|\[.*\] kullan�c�s� i�in giri� hatal�|����������� �� ������� ������������ \[.*\]|Godkjennelse mislyktes for \[.*\]|Beh�righetskontroll misslyckas f�r anv�ndare \[.*\]|Autentifikacia uzivatela zlyhala \[.*\]|Autentificare esuata pentru utilizatorul \[.*\]|Autentica��o falhou para usu�rio \[.*\]|Autentyfikacja nie powiod�a si� dla u�ytkownika \[.*\]|Autorisatie faalde voor gebruiker \[.*\]|\[.*\] ��� ���� ����|Autenticazione falita per l'utente \[.*\]|Azonos�t�s sikertelen \[.*\] felhaszn�l�nak|\[.*\] c'est un batard, il connait pas son code|Erreur d'authentification pour l'utilisateur \[.*\]|Autentificaci�n fallida para el usuario \[.*\]|Authentication failed for user \[.*\]|Authentifizierung fehlgeschlagen f�r Benutzer \[.*\].|Godkendelse mislykkedes for \[.*\]|Autentifikace u�ivatele selhala \[.*\]) + +failregex = ^%(__prefix_line)s\(.+?@\) \[WARNING\] %(__errmsg)s\s*$ ignoreregex = # Author: Cyril Jaquier # Modified: Yaroslav Halchenko for pure-ftpd # Documentation thanks to Blake on http://www.fail2ban.org/wiki/index.php?title=Fail2ban:Community_Portal +# +# Only logs to syslog though facility can be changed configuration file/command line +# +# fgrep -r MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src From 3c48e3f035ed46dd685016cbd14d5ab07b47b33e Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Sat, 25 Jan 2014 12:22:27 +1100 Subject: [PATCH 04/48] DOC: changelog for pure-ftpd filter fixes --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index a03b1858..1a80427b 100644 --- a/ChangeLog +++ b/ChangeLog 
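Review bot: The new `__errmsg` alternation embeds the translated messages as raw 8-bit bytes from several different legacy code pages (this rendering shows them as `�`), so those branches only ever match a log written in exactly the same bytes and, depending on how fail2ban decodes the file, the pattern may not even compile; only the ASCII branches are realistically exercised by the test logs, so a breakage there would go unnoticed. Storing the non-ASCII alternatives as UTF-8 (or as explicit `\xNN` escapes) and adding a comment such as `# NOTE: non-ASCII branches are byte sequences taken from pure-ftpd's per-locale message tables, not Unicode` would make the file encoding-stable and record the assumption. The German branch also ends in a literal `.` after `\[.*\]` where every other branch does not, which looks accidental rather than deliberate. The `fgrep -r MSG_AUTH_FAILED_LOG` comment is useful provenance and should stay.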
@@ -13,10 +13,13 @@ ver. 0.8.13 (2014/XX/XXX) - maintaince-only-from-now-on - Fixes: - action firewallcmd-ipset had non-working actioncheck. Removed. redhat bug #1046816. + - filter pureftpd - added _daemon which got removed. Added - New Features: - Enhancements: + - filter pureftpd - added all translations of "Authentication failed for + user" ver. 0.8.12 (2014/01/22) - things-can-only-get-better ----------- From 08171ba52f24b538045082a7d1bce90c4df12336 Mon Sep 17 00:00:00 2001 From: Joan Date: Tue, 28 Jan 2014 12:44:46 +0100 Subject: [PATCH 05/48] Removed the -no auth attempts- from the triggers because of lots of FP --- config/filter.d/dovecot.conf | 4 +++- testcases/files/logs/dovecot | 8 -------- 2 files changed, 3 insertions(+), 9 deletions(-) diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf index c4ce7d7c..5b6a4d8f 100644 --- a/config/filter.d/dovecot.conf +++ b/config/filter.d/dovecot.conf 
@@ -10,7 +10,7 @@ before = common.conf _daemon = (auth|dovecot(-auth)?|auth-worker) failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(\s+user=\S*)?\s*$ - ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?(, session=<\S+>)?\s*$ + ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?(, session=<\S+>)?\s*$ ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$ ignoreregex = @@ -18,6 +18,8 @@ ignoreregex = # DEV Notes: # * the first regex is essentially a copy of pam-generic.conf # * Probably doesn't do dovecot sql/ldap backends properly +# * Removed the 'no auth attempts' log lines from the matches because produces +# lots of false positives on misconfigured MTAs making regexp unuseable # # Author: Martin Waschbuesch # Daniel Black (rewrote with begin and end anchors) diff --git a/testcases/files/logs/dovecot b/testcases/files/logs/dovecot index 5fe89c56..4735e4f8 100644 --- a/testcases/files/logs/dovecot +++ b/testcases/files/logs/dovecot 
@@ -19,19 +19,11 @@ Dec 12 11:19:11 dunnart dovecot: pop3-login: Aborted login (tried to use disallo Jun 13 16:30:54 platypus dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=, method=PLAIN, rip=49.176.98.87, lip=113.212.99.194, TLS # failJSON: { "time": "2005-06-14T00:48:21", "match": true , "host": "59.167.242.100" } Jun 14 00:48:21 platypus dovecot: imap-login: Disconnected (auth failed, 1 attempts): method=PLAIN, rip=59.167.242.100, lip=113.212.99.194, TLS: Disconnected -# failJSON: { "time": "2005-06-13T20:48:11", "match": true , "host": "121.44.24.254" } -Jun 13 20:48:11 platypus dovecot: pop3-login: Disconnected (no auth attempts): rip=121.44.24.254, lip=113.212.99.194, TLS: Disconnected -# failJSON: { "time": "2005-06-13T21:48:06", "match": true , "host": "180.200.180.81" } -Jun 13 21:48:06 platypus dovecot: pop3-login: Disconnected: Inactivity (no auth attempts): rip=180.200.180.81, lip=113.212.99.194, TLS -# failJSON: { "time": "2005-06-13T20:20:21", "match": true , "host": "180.189.168.166" } -Jun 13 20:20:21 platypus dovecot: imap-login: Disconnected (no auth attempts): rip=180.189.168.166, lip=113.212.99.194, TLS handshaking: Disconnected # failJSON: { "time": "2005-06-23T00:52:43", "match": true , "host": "193.95.245.163" } Jun 23 00:52:43 vhost1-ua dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=, method=PLAIN, rip=193.95.245.163, lip=176.214.13.210 # failJSON: { "time": "2005-07-02T13:49:31", "match": true , "host": "192.51.100.13" } Jul 02 13:49:31 hostname dovecot[442]: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=, method=PLAIN, rip=192.51.100.13, lip=203.0.113.17, session= -# failJSON: { "time": "2005-07-02T13:49:32", "match": true , "host": "192.51.100.13" } -Jul 02 13:49:32 hostname dovecot[442]: pop3-login: Disconnected (no auth attempts in 58 secs): user=<>, rip=192.51.100.13, lip=203.0.113.17, session= # failJSON: { "time": "2005-07-02T13:49:32", "match": true , "host": 
"200.76.17.206" } Jul 02 13:49:32 hostname dovecot[442]: dovecot: auth(default): pam(account@MYSERVERNAME.com,200.76.17.206): pam_authenticate() failed: User not known to the underlying authentication module: 2 Time(s) From 84617fa6dab684983a71587287867a20c16defcd Mon Sep 17 00:00:00 2001 From: Joan Date: Tue, 28 Jan 2014 16:19:35 +0100 Subject: [PATCH 06/48] Fixed a failing case --- config/filter.d/dovecot.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf index 5b6a4d8f..a444bde8 100644 --- a/config/filter.d/dovecot.conf +++ b/config/filter.d/dovecot.conf @@ -10,7 +10,7 @@ before = common.conf _daemon = (auth|dovecot(-auth)?|auth-worker) failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(\s+user=\S*)?\s*$ - ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?(, session=<\S+>)?\s*$ + ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?(, session=<\S+>)?\s*$ ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$ ignoreregex = From aaa86cd10fcd43aee5fc93a4c528e7b0821663ec Mon Sep 17 00:00:00 2001 
From: Joan Date: Wed, 29 Jan 2014 08:31:29 +0100 Subject: [PATCH 07/48] As suggested by @grooverdan, grouping the tests and making them false to avoid accidentally reenabling them in the future --- testcases/files/logs/dovecot | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/testcases/files/logs/dovecot b/testcases/files/logs/dovecot index 4735e4f8..5fe89c56 100644 --- a/testcases/files/logs/dovecot +++ b/testcases/files/logs/dovecot 
@@ -19,11 +19,19 @@ Dec 12 11:19:11 dunnart dovecot: pop3-login: Aborted login (tried to use disallo Jun 13 16:30:54 platypus dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=, method=PLAIN, rip=49.176.98.87, lip=113.212.99.194, TLS # failJSON: { "time": "2005-06-14T00:48:21", "match": true , "host": "59.167.242.100" } Jun 14 00:48:21 platypus dovecot: imap-login: Disconnected (auth failed, 1 attempts): method=PLAIN, rip=59.167.242.100, lip=113.212.99.194, TLS: Disconnected +# failJSON: { "time": "2005-06-13T20:48:11", "match": true , "host": "121.44.24.254" } +Jun 13 20:48:11 platypus dovecot: pop3-login: Disconnected (no auth attempts): rip=121.44.24.254, lip=113.212.99.194, TLS: Disconnected +# failJSON: { "time": "2005-06-13T21:48:06", "match": true , "host": "180.200.180.81" } +Jun 13 21:48:06 platypus dovecot: pop3-login: Disconnected: Inactivity (no auth attempts): rip=180.200.180.81, lip=113.212.99.194, TLS +# failJSON: { "time": "2005-06-13T20:20:21", "match": true , "host": "180.189.168.166" } +Jun 13 20:20:21 platypus dovecot: imap-login: Disconnected (no auth attempts): rip=180.189.168.166, lip=113.212.99.194, TLS handshaking: Disconnected # failJSON: { "time": "2005-06-23T00:52:43", "match": true , "host": "193.95.245.163" } Jun 23 00:52:43 vhost1-ua dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=, method=PLAIN, rip=193.95.245.163, lip=176.214.13.210 # failJSON: { "time": "2005-07-02T13:49:31", "match": true , "host": "192.51.100.13" } Jul 02 13:49:31 hostname dovecot[442]: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=, method=PLAIN, rip=192.51.100.13, lip=203.0.113.17, session= +# failJSON: { "time": "2005-07-02T13:49:32", "match": true , "host": "192.51.100.13" } +Jul 02 13:49:32 hostname dovecot[442]: pop3-login: Disconnected (no auth attempts in 58 secs): user=<>, rip=192.51.100.13, lip=203.0.113.17, session= # failJSON: { "time": "2005-07-02T13:49:32", "match": true , "host": 
"200.76.17.206" } Jul 02 13:49:32 hostname dovecot[442]: dovecot: auth(default): pam(account@MYSERVERNAME.com,200.76.17.206): pam_authenticate() failed: User not known to the underlying authentication module: 2 Time(s) From 9c6aab37d607eea8a0a4a2e31d352df64ab25514 Mon Sep 17 00:00:00 2001 From: Joan Date: Wed, 29 Jan 2014 08:32:14 +0100 Subject: [PATCH 08/48] As suggested by @grooverdan, grouping the tests and making them false to avoid accidentally reenabling them in the future --- testcases/files/logs/dovecot | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/testcases/files/logs/dovecot b/testcases/files/logs/dovecot index 5fe89c56..c72a60ac 100644 --- a/testcases/files/logs/dovecot +++ b/testcases/files/logs/dovecot 
@@ -19,19 +19,11 @@ Dec 12 11:19:11 dunnart dovecot: pop3-login: Aborted login (tried to use disallo Jun 13 16:30:54 platypus dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=, method=PLAIN, rip=49.176.98.87, lip=113.212.99.194, TLS # failJSON: { "time": "2005-06-14T00:48:21", "match": true , "host": "59.167.242.100" } Jun 14 00:48:21 platypus dovecot: imap-login: Disconnected (auth failed, 1 attempts): method=PLAIN, rip=59.167.242.100, lip=113.212.99.194, TLS: Disconnected -# failJSON: { "time": "2005-06-13T20:48:11", "match": true , "host": "121.44.24.254" } -Jun 13 20:48:11 platypus dovecot: pop3-login: Disconnected (no auth attempts): rip=121.44.24.254, lip=113.212.99.194, TLS: Disconnected -# failJSON: { "time": "2005-06-13T21:48:06", "match": true , "host": "180.200.180.81" } -Jun 13 21:48:06 platypus dovecot: pop3-login: Disconnected: Inactivity (no auth attempts): rip=180.200.180.81, lip=113.212.99.194, TLS -# failJSON: { "time": "2005-06-13T20:20:21", "match": true , "host": "180.189.168.166" } -Jun 13 20:20:21 platypus dovecot: imap-login: Disconnected (no auth attempts): rip=180.189.168.166, lip=113.212.99.194, TLS handshaking: Disconnected # failJSON: { "time": "2005-06-23T00:52:43", "match": true , "host": "193.95.245.163" } Jun 23 00:52:43 vhost1-ua dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=, method=PLAIN, rip=193.95.245.163, lip=176.214.13.210 # failJSON: { "time": "2005-07-02T13:49:31", "match": true , "host": "192.51.100.13" } Jul 02 13:49:31 hostname dovecot[442]: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=, method=PLAIN, rip=192.51.100.13, lip=203.0.113.17, session= -# failJSON: { "time": "2005-07-02T13:49:32", "match": true , "host": "192.51.100.13" } -Jul 02 13:49:32 hostname dovecot[442]: pop3-login: Disconnected (no auth attempts in 58 secs): user=<>, rip=192.51.100.13, lip=203.0.113.17, session= # failJSON: { "time": "2005-07-02T13:49:32", "match": true , "host": 
"200.76.17.206" } Jul 02 13:49:32 hostname dovecot[442]: dovecot: auth(default): pam(account@MYSERVERNAME.com,200.76.17.206): pam_authenticate() failed: User not known to the underlying authentication module: 2 Time(s) @@ -48,3 +40,11 @@ Jan 13 20:51:05 valhalla dovecot: pop3-login: Disconnected: Inactivity (auth fai # failJSON: { "time": "2005-01-14T15:54:30", "match": true , "host": "1.2.3.4" } Jan 14 15:54:30 valhalla dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=1.2.3.4, lip=1.1.2.2, TLS: Disconnected, session= +# failJSON: { "time": "2005-06-13T20:48:11", "match": false , "host": "121.44.24.254" } +Jun 13 20:48:11 platypus dovecot: pop3-login: Disconnected (no auth attempts): rip=121.44.24.254, lip=113.212.99.194, TLS: Disconnected +# failJSON: { "time": "2005-06-13T21:48:06", "match": false , "host": "180.200.180.81" } +Jun 13 21:48:06 platypus dovecot: pop3-login: Disconnected: Inactivity (no auth attempts): rip=180.200.180.81, lip=113.212.99.194, TLS +# failJSON: { "time": "2005-06-13T20:20:21", "match": false , "host": "180.189.168.166" } +Jun 13 20:20:21 platypus dovecot: imap-login: Disconnected (no auth attempts): rip=180.189.168.166, lip=113.212.99.194, TLS handshaking: Disconnected +# failJSON: { "time": "2005-07-02T13:49:32", "match": false , "host": "192.51.100.13" } +Jul 02 13:49:32 hostname dovecot[442]: pop3-login: Disconnected (no auth attempts in 58 secs): user=<>, rip=192.51.100.13, lip=203.0.113.17, session= From 9b614ce4862bc1bb4790c49bb04fe37e05f5266c Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Wed, 29 Jan 2014 20:27:45 +1100 Subject: [PATCH 09/48] ENH: dovecot filter enhancements --- ChangeLog | 2 ++ THANKS | 1 + config/filter.d/dovecot.conf | 2 +- testcases/files/logs/dovecot | 13 +++++++++++++ 4 files changed, 17 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 1a80427b..ba31b47a 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -20,6 +20,8 @@ ver. 0.8.13 (2014/XX/XXX) - maintaince-only-from-now-on - Enhancements: - filter pureftpd - added all translations of "Authentication failed for user" + - filter dovecot - lip= was optional and extended TLS errors can occur. + Thanks Noel Butler. ver. 0.8.12 (2014/01/22) - things-can-only-get-better ----------- diff --git a/THANKS b/THANKS index a1e2b92d..b92d09a7 100644 --- a/THANKS +++ b/THANKS @@ -67,6 +67,7 @@ Merijn Schering Michael C. Haller Michael Hanselmann Nick Munger +Noel Butler Patrick Börjesson Raphaël Marichez RealRancor diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf index c4ce7d7c..053caa45 100644 --- a/config/filter.d/dovecot.conf +++ b/config/filter.d/dovecot.conf @@ -10,7 +10,7 @@ before = common.conf _daemon = (auth|dovecot(-auth)?|auth-worker) failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(\s+user=\S*)?\s*$ - ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=, lip=(\d{1,3}\.){3}\d{1,3}(, TLS( handshaking)?(: Disconnected)?)?(, session=<\S+>)?\s*$ + ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$ ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$ ignoreregex = 
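Review bot: This hunk is diffed against blob c4ce7d7c, the dovecot.conf from before patch 05, so the new failregex line still carries the `no auth attempts` alternative that patch 05 removed because of false positives, and the testcase hunk in the same commit adds `Disconnected (no auth attempts in 10 secs)` with `"match": true`, the opposite of the `"match": false` entries patch 08 introduced for that same message. Whichever branch merges last will silently decide whether idle or probing connections get banned, so the two need to be reconciled explicitly rather than left to merge order. The other changes here, making `, lip=...` optional and accepting the `SSL_accept\(\) failed` handshake suffix, look consistent with the new test lines.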
diff --git a/testcases/files/logs/dovecot b/testcases/files/logs/dovecot index 5fe89c56..add41946 100644 --- a/testcases/files/logs/dovecot +++ b/testcases/files/logs/dovecot @@ -48,3 +48,16 @@ Jan 13 20:51:05 valhalla dovecot: pop3-login: Disconnected: Inactivity (auth fai # failJSON: { "time": "2005-01-14T15:54:30", "match": true , "host": "1.2.3.4" } Jan 14 15:54:30 valhalla dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=1.2.3.4, lip=1.1.2.2, TLS: Disconnected, session= + +# failJSON: { "time": "2005-01-29T09:33:58", "match": true , "host": "212.9.180.3" } +Jan 29 09:33:58 pop3-login: Info: Aborted login (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=212.9.180.3 + +# failJSON: { "time": "2005-01-29T09:34:17", "match": true , "host": "1.2.3.4" } +Jan 29 09:34:17 pop3-login: Info: Aborted login (auth failed, 1 attempts in 62 secs): user=, method=PLAIN, rip=1.2.3.4, TLS + +# failJSON: { "time": "2005-01-29T09:38:03", "match": true , "host": "117.218.51.80" } +Jan 29 09:38:03 pop3-login: Info: Disconnected: Inactivity (auth failed, 1 attempts in 178 secs): user=, method=PLAIN, rip=117.218.51.80 + +# failJSON: { "time": "2005-01-29T09:38:46", "match": true , "host": "176.61.137.100" } +Jan 29 09:38:46 pop3-login: Info: Disconnected (no auth attempts in 10 secs): user=<>, rip=176.61.137.100, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol + From 110b8e690517001a9393cf81ee6ea2339b00e213 Mon Sep 17 00:00:00 2001 From: Ivo Truxa Date: Mon, 3 Feb 2014 21:39:52 +0100 Subject: [PATCH 10/48] ENH: Nagios filter Sample log entry from /var/log/messages for a denied access to the nrpe2 (Nagios Remote Plugin Executor) daemon --- testcases/files/logs/nagios | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 testcases/files/logs/nagios diff --git a/testcases/files/logs/nagios b/testcases/files/logs/nagios new file mode 100644 index 00000000..9577b327 
--- /dev/null +++ b/testcases/files/logs/nagios @@ -0,0 +1,4 @@ +# Access of unauthorized host in /etc/messages +# failJSON: { "time": "2005-02-39T11:22:44", "match": true , "host": "50.97.225.132" } +Feb 3 11:22:44 valhalla nrpe[63284]: Host 50.97.225.132 is not allowed to talk to us! + From c91fda8619d8729920d695ab70e26464a0a4ae4d Mon Sep 17 00:00:00 2001 From: Ivo Truxa Date: Mon, 3 Feb 2014 21:46:07 +0100 Subject: [PATCH 11/48] ENH: Nagios filter Sample log for the first failregex is available in the testcases. No example available for the IPv6 denial yet. --- config/filter.d/nagios.conf | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 config/filter.d/nagios.conf diff --git a/config/filter.d/nagios.conf b/config/filter.d/nagios.conf new file mode 100644 index 00000000..d01769cc --- /dev/null +++ b/config/filter.d/nagios.conf @@ -0,0 +1,21 @@ +# Fail2Ban filter for Nagios Remote Plugin Executor (nrpe2) +# Detecting unauthorized access to the nrpe2 daemon +# typically logged in /var/log/messages syslog +# + + +[INCLUDES] +# Read syslog common prefixes +before = common.conf + + +[Definition] +_daemon = nrpe +failregex = ^%(__prefix_line)sHost is not allowed to talk to us!\s*$ + = ^%(__prefix_line)sConnection from closed. We don't support AF_INET6 addreess family in ACL\s*$ +ignoreregex =. + + +# DEV Notes: +# +# Author: Ivo Truxa - 2014/02/03 From dac4dd465e7da1f5b357613ef5695f2e91998129 Mon Sep 17 00:00:00 2001 From: Ivo Truxa Date: Mon, 3 Feb 2014 21:51:49 +0100 Subject: [PATCH 12/48] ENH: Nagios filter added typical configuration settings for the nagios filter --- config/jail.conf | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/config/jail.conf b/config/jail.conf index 5dcce02c..74d1e1d2 100644 --- a/config/jail.conf +++ b/config/jail.conf 
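Review bot: `ignoreregex =.` installs a literal `.` as the ignore pattern, which matches every non-empty line, so every failregex hit is discarded and the filter can never ban; the value must be empty, `ignoreregex =`. The second `failregex` line is written as `= ^%(__prefix_line)sConnection from ...`, so the leading `= ` is part of the continued value and that pattern cannot match as written; drop the `=` and indent it like other multi-pattern filters, or remove it if nrpe no longer emits the message. The `<HOST>` token appears to have been stripped from `Host is not allowed to talk to us!` in this rendering, so the first pattern cannot be fully judged here.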
@@ -758,3 +758,15 @@ action = iptables[name=SSH, port=ssh, protocol=tcp] blocklist_de[email="fail2ban@example.com", apikey="xxxxxx", service=%(filter)s] logpath = /var/log/sshd.log maxretry = 20 + + +# consider low maxretry and a long bantime +# nobody except your own Nagios server should ever probe nrpe +[nagios] +enabled = false +filter = nagios +action = iptables[name=Nagios, port=5666, protocol=tcp] + sendmail-whois[name=Nagios, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"] +logpath = /var/log/messages ; nrpe.cfg may define a different log_facility +ignoreip = 123.12.123.12 ; your Nagios server +maxretry = 1 From a8a43e8f3804d1f398b7232a5269869114c17ec8 Mon Sep 17 00:00:00 2001 From: Ivo Truxa Date: Mon, 3 Feb 2014 22:01:22 +0100 Subject: [PATCH 13/48] ENH: Nagios filter new filter Nagios added --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index ba31b47a..a9126208 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,7 @@ ver. 0.8.13 (2014/XX/XXX) - maintaince-only-from-now-on - filter pureftpd - added _daemon which got removed. Added - New Features: + - filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa) - Enhancements: - filter pureftpd - added all translations of "Authentication failed for From a71bb89ccd908bf16678e9cc436c0d317eb8f5a3 Mon Sep 17 00:00:00 2001 From: Ivo Truxa Date: Mon, 3 Feb 2014 23:12:56 +0100 Subject: [PATCH 14/48] removing a dot (typo) The dot at the ignoregex did not belong there. Somehow it was added during the copying and pasting. Thanks for reporting it, I did not see it. Otherwise, empty ignoregexes are in all filters, and if they are missing, fail2ban client shows warnings when starting the filter, which I prefer avoiding. --- config/filter.d/nagios.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/nagios.conf b/config/filter.d/nagios.conf index d01769cc..283aa987 100644 --- a/config/filter.d/nagios.conf 
+++ b/config/filter.d/nagios.conf @@ -13,7 +13,7 @@ before = common.conf _daemon = nrpe failregex = ^%(__prefix_line)sHost is not allowed to talk to us!\s*$ = ^%(__prefix_line)sConnection from closed. We don't support AF_INET6 addreess family in ACL\s*$ -ignoreregex =. +ignoreregex = # DEV Notes: From f6ccd8878d80753e6b1f2f61b79ed702896e418f Mon Sep 17 00:00:00 2001 From: Ivo Truxa Date: Mon, 3 Feb 2014 23:27:19 +0100 Subject: [PATCH 15/48] date fix sorry, need to get some glasses --- testcases/files/logs/nagios | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/testcases/files/logs/nagios b/testcases/files/logs/nagios index 9577b327..cbeb0a87 100644 --- a/testcases/files/logs/nagios +++ b/testcases/files/logs/nagios @@ -1,4 +1,4 @@ -# Access of unauthorized host in /etc/messages -# failJSON: { "time": "2005-02-39T11:22:44", "match": true , "host": "50.97.225.132" } +# Access of unauthorized host in /var/log/messages +# failJSON: { "time": "2005-02-03T11:22:44", "match": true , "host": "50.97.225.132" } Feb 3 11:22:44 valhalla nrpe[63284]: Host 50.97.225.132 is not allowed to talk to us! From 20886288e585c07f21e013315da57899e6fca7f2 Mon Sep 17 00:00:00 2001 From: Chris Markle Date: Wed, 5 Feb 2014 10:44:46 -0800 Subject: [PATCH 16/48] Correct spelling error in changelog I know it's a nit but still... ;) --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index ba31b47a..299329b7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,7 +7,7 @@ Fail2Ban (version 0.8.12.dev) 2014/01/22 ================================================================================ -ver. 0.8.13 (2014/XX/XXX) - maintaince-only-from-now-on +ver. 0.8.13 (2014/XX/XXX) - maintenance-only-from-now-on ----------- - Fixes: From f5f434f846550e14abbb1244a71bd729e8f033b4 Mon Sep 17 00:00:00 2001 
From: Ivo Truxa Date: Thu, 6 Feb 2014 00:22:05 +0100 Subject: [PATCH 17/48] removing the second failregex The second failregex was supposed to catch an error concerning an ACL denial over IPv6, but this message is no more generated by the nrpe version (v2.15) that introduced the IPv6 support, so the first failregex seems to be sufficient. --- config/filter.d/nagios.conf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/config/filter.d/nagios.conf b/config/filter.d/nagios.conf index 283aa987..0429d3ff 100644 --- a/config/filter.d/nagios.conf +++ b/config/filter.d/nagios.conf @@ -3,19 +3,15 @@ # typically logged in /var/log/messages syslog # - [INCLUDES] # Read syslog common prefixes before = common.conf - [Definition] _daemon = nrpe failregex = ^%(__prefix_line)sHost is not allowed to talk to us!\s*$ - = ^%(__prefix_line)sConnection from closed. We don't support AF_INET6 addreess family in ACL\s*$ ignoreregex = - # DEV Notes: # # Author: Ivo Truxa - 2014/02/03 From c207ad6058905992aab0b9584b7335ec2bd94a4b Mon Sep 17 00:00:00 2001 From: Ivo Truxa Date: Thu, 6 Feb 2014 00:27:38 +0100 Subject: [PATCH 18/48] removing ignoreip at [nagios] I removed the ignoreip setting from the nagios section. As pointed out, it is redundant here. Nagios server, under normal circumstances should not trigger any access errors, and would be included in the global ignoreips anyway. --- config/jail.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/config/jail.conf b/config/jail.conf index 74d1e1d2..ffbdf33e 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -768,5 +768,4 @@ filter = nagios action = iptables[name=Nagios, port=5666, protocol=tcp] sendmail-whois[name=Nagios, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"] logpath = /var/log/messages ; nrpe.cfg may define a different log_facility -ignoreip = 123.12.123.12 ; your Nagios server maxretry = 1 From c424e4032d7d3fbfc2423930273bb95bdb365b5d Mon Sep 17 00:00:00 2001 
From: Yaroslav Halchenko Date: Fri, 7 Feb 2014 00:41:22 -0500 Subject: [PATCH 19/48] DOC: minor - replace tabs with spaces for consistent formatting --- ChangeLog | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0f1287dc..948cfcd6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,7 +31,7 @@ ver. 0.8.12 (2014/01/22) - things-can-only-get-better - Rename firewall-cmd-direct-new to firewallcmd-new to fit within jail name name length. As per gh-395 - mysqld-syslog-iptables jailname was too long. Renamed to mysqld-syslog. - Part of gh-447. + Part of gh-447. - Fixes: - allow for ",milliseconds" in the custom date format of proftpd.log @@ -48,7 +48,7 @@ ver. 0.8.12 (2014/01/22) - things-can-only-get-better - Fix apache-common for apache-2.4 log file format. Thanks Mark White. Closes gh-516 - Asynchat changed to use push method which verifys whether all data was - send. This ensures that all data is sent before closing the connection. + send. This ensures that all data is sent before closing the connection. - Removed unnecessary reference to as yet undeclared $jail_name when checking a specific jail. - Filter dovecot reordered session and TLS items in regex with wider scope @@ -890,7 +890,7 @@ ver. 0.5.4 (2005/09/13) - beta * Fixed errata in config/gentoo-confd * Introduced findtime configuration variable to control the lifetime of caught "failed" log entries - + ver. 0.5.3 (2005/09/08) - beta ---------- - Fixed a bug when overriding "maxfailures" or "bantime". Thanks to Yaroslav From 3cbfe9b057e493cfaedee26342923889bbf789ba Mon Sep 17 00:00:00 2001 From: Steven Hiscocks Date: Sat, 8 Feb 2014 22:15:19 +0000 Subject: [PATCH 20/48] BF: `ret` now changed after beautifier called --- fail2ban-client | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fail2ban-client b/fail2ban-client index 0f863ab0..af1ac856 100755 --- a/fail2ban-client +++ b/fail2ban-client 
@@ -156,10 +156,10 @@ class Fail2banClient: if showRet: print beautifier.beautify(ret[1]) else: - ret = False logSys.error("NOK: " + `ret[1].args`) if showRet: print beautifier.beautifyError(ret[1]) + ret = False except socket.error: if showRet: logSys.error("Unable to contact server. Is it running?") From 993b7d3dfb644b54fd336f5f61c9a1a044ffdb45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aar=C3=B3n=20Nieves=20Fern=C3=A1ndez?= Date: Mon, 10 Feb 2014 21:41:50 +0100 Subject: [PATCH 21/48] Duplicate jail "php-url-fopen" --- config/jail.conf | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/config/jail.conf b/config/jail.conf index ffbdf33e..3d74a2f5 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -448,16 +448,6 @@ maxretry = 5 # of usage in production environments. [php-url-fopen] -enabled = false -action = iptables-multiport[name=php-url-open, port="http,https"] -filter = php-url-fopen -logpath = /var/www/*/logs/access_log -maxretry = 1 -# Ban attackers that try to use PHP's URL-fopen() functionality -# through GET/POST variables. - Experimental, with more than a year -# of usage in production environments. -[php-url-fopen] - enabled = false action = iptables-multiport[name=php-url-open, port="http,https"] filter = php-url-fopen From bda9b7d7252f3e968f741251640eaacb33d64a3c Mon Sep 17 00:00:00 2001 From: Steven Hiscocks Date: Wed, 12 Feb 2014 18:07:31 +0000 Subject: [PATCH 22/48] BF: Add handling of exception in pyinotify callback If error isn't handled, no error messages are printed and the jail ceases to function. --- server/filterpyinotify.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/server/filterpyinotify.py b/server/filterpyinotify.py index 9ecb999d..530b712d 100644 --- a/server/filterpyinotify.py +++ b/server/filterpyinotify.py 
@@ -209,4 +209,7 @@ class ProcessPyinotify(pyinotify.ProcessEvent): # just need default, since using mask on watch to limit events def process_default(self, event): - self.__FileFilter.callback(event, origin='Default ') + try: + self.__FileFilter.callback(event, origin='Default ') + except Exception as e: + logSys.error("Error in FilterPyinotify callback: %s", e) From 1e9910fcb0e2eae1004b149d10fdc5876c25c48f Mon Sep 17 00:00:00 2001 From: Steven Hiscocks Date: Wed, 12 Feb 2014 22:18:09 +0000 Subject: [PATCH 23/48] ENH: Added traceback for error log on pyinotify callback when in debug Thanks to Helmut Grohne for idea on #fail2ban IRC --- server/filterpyinotify.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/server/filterpyinotify.py b/server/filterpyinotify.py index 530b712d..42243552 100644 --- a/server/filterpyinotify.py +++ b/server/filterpyinotify.py @@ -212,4 +212,5 @@ class ProcessPyinotify(pyinotify.ProcessEvent): try: self.__FileFilter.callback(event, origin='Default ') except Exception as e: - logSys.error("Error in FilterPyinotify callback: %s", e) + logSys.error("Error in FilterPyinotify callback: %s", + e, exc_info=logSys.getEffectiveLevel() <= logging.DEBUG) From 9bfc77c32003f0156b64a3ab04766b07d55a8e79 Mon Sep 17 00:00:00 2001 From: Steven Hiscocks Date: Thu, 13 Feb 2014 20:03:45 +0000 Subject: [PATCH 24/48] BF: fail2ban-client processCmd ret was being overwritten each loop --- fail2ban-client | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fail2ban-client b/fail2ban-client index af1ac856..b33a27ae 100755 --- a/fail2ban-client +++ b/fail2ban-client @@ -145,7 +145,7 @@ class Fail2banClient: def __processCmd(self, cmd, showRet = True): beautifier = Beautifier() - ret = True + streamRet = True for c in cmd: beautifier.setInputCmd(c) try: 
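Review bot: The new `except Exception` keeps the watcher alive, but the event that raised is dropped, so the log change it signalled is never processed; if the callback fails persistently the jail keeps running without banning and the error line is the only indication. That trade-off deserves a comment on the `except` line, e.g. `# swallow so one bad event does not kill the watcher; the event itself is lost, so repeated errors here mean the jail is no longer banning`. Logging `e` with `%s` alone also discards the traceback, which the following hunk restores only in debug mode. `process_default` is fully visible, but the enclosing `ProcessPyinotify` class continues outside the hunk.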
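Review bot: `logSys.getEffectiveLevel() <= logging.DEBUG` is the long form of `logSys.isEnabledFor(logging.DEBUG)`, which states the intent and also respects `logging.disable()`; the call becomes `logSys.error("Error in FilterPyinotify callback: %s", e, exc_info=logSys.isEnabledFor(logging.DEBUG))`. The hunk also makes this file depend on the `logging` module; its import is outside the hunk and should be confirmed to exist.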
@@ -159,7 +159,7 @@ class Fail2banClient: logSys.error("NOK: " + `ret[1].args`) if showRet: print beautifier.beautifyError(ret[1]) - ret = False + streamRet = False except socket.error: if showRet: logSys.error("Unable to contact server. Is it running?") @@ -168,7 +168,7 @@ class Fail2banClient: if showRet: logSys.error(e) return False - return ret + return streamRet ## # Process a command line. From 31f4ea59cb86fb91221778902b7e6776c53553f5 Mon Sep 17 00:00:00 2001 From: Steven Hiscocks Date: Thu, 13 Feb 2014 22:00:33 +0000 Subject: [PATCH 25/48] BF: Use abusix Abuse Contact DB to get more accurate abuse addresses Taken from xarf-login-attack action from 0.9 branch by Daniel Black --- config/action.d/complain.conf | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf index 62331f19..a85c21ec 100644 --- a/config/action.d/complain.conf +++ b/config/action.d/complain.conf @@ -1,17 +1,16 @@ # Fail2Ban configuration file # -# Author: Russell Odom +# Author: Russell Odom , Daniel Black # Sends a complaint e-mail to addresses listed in the whois record for an # offending IP address. +# This uses the https://abusix.com/contactdb.html to lookup abuse contacts. +# +# DEPENDANCIES: +# This requires the dig command from bind-utils # # You should provide the in the jail config - lines from the log # matching the given IP address will be provided in the complaint as evidence. # -# Note that we will try to use e-mail addresses that are most likely to be abuse -# addresses (based on various keywords). If they aren't found we fall back on -# any other addresses found in the whois record, with a few exceptions. -# If no addresses are found, no e-mail is sent. -# # WARNING # ------- # 
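Review bot: `DEPENDANCIES` in the new header comment should read `DEPENDENCIES`. The deleted paragraph also carried the one statement that still holds with the new lookup, namely that no mail is sent when no address is found, which is what the `if [ ! -z "$ADDRESSES" ]` guard in the following actionban hunk does; a replacement line such as `# If the lookup returns no address, no e-mail is sent.` would keep that documented.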
@@ -55,7 +54,7 @@ actioncheck = # Tags: See jail.conf(5) man page # Values: CMD # -actionban = ADDRESSES=`whois | perl -e 'while () { next if /^changed|@(ripe|apnic)\.net/io; $m += (/abuse|trouble:|report|spam|security/io?3:0); if (/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)/io) { while (s/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)//io) { if ($m) { $a{lc($1)}=$m } else { $b{lc($1)}=$m } } $m=0 } else { $m && --$m } } if (%%a) {print join(",",keys(%%a))} else {print join(",",keys(%%b))}'` +actionban = oifs=${IFS}; IFS=.;SEP_IP=( ); set -- ${SEP_IP} ;ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs} IP= if [ ! -z "$ADDRESSES" ]; then (printf %%b "\n"; date '+Note: Local timezone is %%z (%%Z)'; grep -E '(^|[^0-9])([^0-9]|$)' ) | "Abuse from " $ADDRESSES 
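Review bot: `$ADDRESSES` is the raw answer of an unauthenticated DNS TXT lookup and is expanded unquoted into the argument list of the mail command, so a forged or poisoned answer decides where the complaint, including the grep'd log excerpt, is delivered and can add extra words to that command line. Restricting the value before use limits the damage to a wrong recipient, e.g. `case "$ADDRESSES" in *[!A-Za-z0-9@._+,\"-]*) ADDRESSES=;; esac` directly after the `dig` call, followed by quoting the expansion. The `-q $4.$3.$2.$1` reversal also assumes an IPv4 address and nothing in the hunk rejects other input. A missing or failing `dig` leaves `ADDRESSES` empty and the action then silently sends nothing, which the `if` guard treats as success.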
@@ -70,7 +69,7 @@ actionban = ADDRESSES=`whois | perl -e 'while () { next if /^changed actionunban = [Init] -message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)\n +message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a abusix.com is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)\n\n This mail was generated by Fail2Ban.\nThe recipient address of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information which we pass out, derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email (info@abusix.com). Information about the Abuse Contact Database can be found here: https://abusix.com/global-reporting/abuse-contact-db\nabusix.com is neither responsible nor liable for the content or accuracy of this message.\n # Path to the log files which contain relevant lines for the abuser IP # From 2a37ee2fb720e5cb612ec9d3094e34ab3b0415f1 Mon Sep 17 00:00:00 2001 
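Review bot: The new message still tells the recipient that their address "was extracted from the whois record by an automated process" while, two sentences later, the same text says the address was provided by the abusix.com Abuse Contact DB; the first statement should be updated to match, e.g. `your e-mail address was obtained from the abusix.com Abuse Contact DB by an automated process`. The phrase `according to a abusix.com` earlier in the line should also read `according to abusix.com`.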
From: Steven Hiscocks Date: Sun, 16 Feb 2014 16:52:30 +0000 Subject: [PATCH 26/48] ENH: Add root user check in xt_recent, and add missing actionstop Thanks to Helmut Grohne on IRC for suggestion --- THANKS | 1 + config/action.d/iptables-xt_recent-echo.conf | 3 ++- doc/run-rootless.txt | 6 ------ 3 files changed, 3 insertions(+), 7 deletions(-) diff --git a/THANKS b/THANKS index b92d09a7..c3ff109c 100644 --- a/THANKS +++ b/THANKS @@ -92,5 +92,6 @@ Yaroslav Halchenko Winston Smith ykimon Yehuda Katz +Zbigniew Jędrzejewski-Szmek zugeschmiert Zurd diff --git a/config/action.d/iptables-xt_recent-echo.conf b/config/action.d/iptables-xt_recent-echo.conf index 829d4c06..fa314d68 100644 --- a/config/action.d/iptables-xt_recent-echo.conf +++ b/config/action.d/iptables-xt_recent-echo.conf @@ -33,13 +33,14 @@ before = iptables-blocktype.conf # own rules. The 3600 second timeout is independent and acts as a # safeguard in case the fail2ban process dies unexpectedly. The # shorter of the two timeouts actually matters. -actionstart = iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban- -j +actionstart = if [ $EUID -eq 0 ];then iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban- -j ;fi # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # actionstop = echo / > /proc/net/xt_recent/fail2ban- + if [ $EUID -eq 0 ];then iptables -D INPUT -m recent --update --seconds 3600 --name fail2ban- -j ;fi # Option: actioncheck # Notes.: command executed once before each actionban command diff --git a/doc/run-rootless.txt b/doc/run-rootless.txt index 5edf6ef6..57cd6f3a 100644 --- a/doc/run-rootless.txt +++ b/doc/run-rootless.txt 
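Review bot: When the effective user is not root the `if` in both `actionstart` and `actionstop` skips the iptables call without any output, so a non-root fail2ban starts the jail, fills the xt_recent list on bans, and nothing consults that list unless an INPUT rule was provisioned by other means; the operator gets no hint. An `else` branch that prints a short notice, e.g. `else echo "iptables-xt_recent-echo: not root, INPUT rule must be installed by the administrator" >&2;`, makes the degraded mode visible in whatever captures the action's output. The `id -u` rewrite of these two lines in PATCH 27/48 keeps the same silent skip. `$EUID` itself is a bash variable rather than a POSIX one, which that later commit already addresses.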
@@ -74,12 +74,6 @@ further configuration. To run not as root, further setup is necessary: with suitably replaced. - - suppress actionstart for iptables-xt_recent-echo action by creating an override file - iptables-xt_recent-echo.local to accompany iptables-xt_recent-echo.conf with - - [Definition] - actionstart = - - Permissions: make sure that configuration files under /etc/fail2ban are readable by From 7c76f7f204dc2b8ff11581938ecee210832bfc52 Mon Sep 17 00:00:00 2001 From: Steven Hiscocks Date: Sun, 16 Feb 2014 17:56:06 +0000 Subject: [PATCH 27/48] BF: $EUID not avilable in all shells, replaced with `id -u` in xt_recent --- config/action.d/iptables-xt_recent-echo.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/action.d/iptables-xt_recent-echo.conf b/config/action.d/iptables-xt_recent-echo.conf index fa314d68..bc2e8971 100644 --- a/config/action.d/iptables-xt_recent-echo.conf +++ b/config/action.d/iptables-xt_recent-echo.conf @@ -33,14 +33,14 @@ before = iptables-blocktype.conf # own rules. The 3600 second timeout is independent and acts as a # safeguard in case the fail2ban process dies unexpectedly. The # shorter of the two timeouts actually matters. -actionstart = if [ $EUID -eq 0 ];then iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban- -j ;fi +actionstart = if [ `id -u` -eq 0 ];then iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban- -j ;fi # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # actionstop = echo / > /proc/net/xt_recent/fail2ban- - if [ $EUID -eq 0 ];then iptables -D INPUT -m recent --update --seconds 3600 --name fail2ban- -j ;fi + if [ `id -u` -eq 0 ];then iptables -D INPUT -m recent --update --seconds 3600 --name fail2ban- -j ;fi # Option: actioncheck # Notes.: command executed once before each actionban command From 4102f4f8c78df4c29a46d874524e0a50f8fb9d9a Mon Sep 17 00:00:00 2001 
From: Steven Hiscocks Date: Sun, 16 Feb 2014 23:08:49 +0000 Subject: [PATCH 28/48] TST: Fix TravisCI build, install of coveralls from pip --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index d693f975..398411bf 100644 --- a/.travis.yml +++ b/.travis.yml @@ -9,7 +9,7 @@ before_install: install: - pip install pyinotify - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then sudo apt-get install -qq python-gamin; fi - - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then pip install -q coveralls; fi + - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then cd ..; pip install -q coveralls; cd -; fi script: - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then export PYTHONPATH="$PYTHONPATH:/usr/share/pyshared:/usr/lib/pyshared/python2.7"; fi - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then coverage run --rcfile=.travis_coveragerc fail2ban-testcases; else python ./fail2ban-testcases; fi From 997729e274407863415aa3b7b24d878fbf410c96 Mon Sep 17 00:00:00 2001 From: Steven Hiscocks Date: Tue, 18 Feb 2014 15:05:06 +0000 Subject: [PATCH 29/48] BF: Fix complain action for multiple recipients and misplaced ";" --- config/action.d/complain.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf index a85c21ec..c0175831 100644 --- a/config/action.d/complain.conf +++ b/config/action.d/complain.conf 
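Review bot: `cd ..; pip install -q coveralls; cd -` changes the step's working directory and relies on `cd -` (which also echoes the directory it returns to) to restore it; a subshell does the same without touching the caller's cwd: `if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then (cd .. && pip install -q coveralls); fi`. The reason for leaving the checkout before installing is not stated in the commit and is worth a trailing comment, otherwise a later reader will remove the detour. `coveralls` is also installed unpinned, so the CI environment changes with whatever version is current at build time.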
@@ -54,10 +54,10 @@ actioncheck = # Tags: See jail.conf(5) man page # Values: CMD # -actionban = oifs=${IFS}; IFS=.;SEP_IP=( ); set -- ${SEP_IP} ;ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs} +actionban = oifs=${IFS}; IFS=.;SEP_IP=( ); set -- ${SEP_IP}; ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs} IP= if [ ! -z "$ADDRESSES" ]; then - (printf %%b "\n"; date '+Note: Local timezone is %%z (%%Z)'; grep -E '(^|[^0-9])([^0-9]|$)' ) | "Abuse from " $ADDRESSES + (printf %%b "\n"; date '+Note: Local timezone is %%z (%%Z)'; grep -E '(^|[^0-9])([^0-9]|$)' ) | "Abuse from " ${ADDRESSES//,/\" \"} fi # Option: actionunban From 9928f1df9651aa388452cbb396cf3a3d5da1dd22 Mon Sep 17 00:00:00 2001 From: Steven Hiscocks Date: Wed, 19 Feb 2014 17:51:08 +0000 Subject: [PATCH 30/48] ENH: Allow 255.255.255.0 style mask for ignoreip --- server/filter.py | 3 +++ testcases/filtertestcase.py | 9 +++++++++ 2 files changed, 12 insertions(+) diff --git a/server/filter.py b/server/filter.py index 840c5316..0e5f9ecb 100644 --- a/server/filter.py +++ b/server/filter.py @@ -288,6 +288,9 @@ class Filter(JailThread): # IP address without CIDR mask if len(s) == 1: s.insert(1, '32') + elif "." in s[1]: # 255.255.255.0 style mask + s[1] = len(re.search( + "(?<=b)1+", bin(DNSUtils.addr2bin(s[1]))).group()) s[1] = long(s[1]) try: a = DNSUtils.cidr(s[0], s[1]) diff --git a/testcases/filtertestcase.py b/testcases/filtertestcase.py index 30397d67..f1a9bcd2 100644 --- a/testcases/filtertestcase.py +++ b/testcases/filtertestcase.py 
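Review bot: `${ADDRESSES//,/\" \"}` is a bash pattern substitution, as is the `SEP_IP=( … )` array earlier on the same line; if actions are run by a POSIX `/bin/sh` the whole `actionban` aborts with a bad-substitution error, so either the interpreter should be pinned or the comma split done portably, e.g. `ADDRESSES=$(printf %%s "$ADDRESSES" | tr ',' ' ')`. Because `dig +short` returns TXT data wrapped in double quotes, the substituted `\" \"` yields literal quote characters inside each word after expansion rather than shell quoting; whether the mail command accepts a recipient of the form `"abuse@example.com"` (constructed example) is not visible here and should be checked. The address list is still taken from the DNS answer without any validation.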
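Review bot: The new `elif` accepts any dotted value as a mask and turns only the leading run of ones into a prefix length, so a non-contiguous mask such as `255.0.255.0` silently becomes /8, and `0.0.0.0` makes `re.search` return `None` so `.group()` raises `AttributeError` outside the `try` that follows. Counting the set bits and checking that they form a contiguous run from the top rejects both cases without needing `re`; how the error is surfaced depends on the surrounding function, which starts and ends outside the hunk. The test added in the next file covers only a valid mask, so a case for an invalid mask would pin the behaviour.
```python
elif "." in s[1]:  # 255.255.255.0 style mask
    mask = DNSUtils.addr2bin(s[1])
    bits = bin(mask).count('1')
    # a valid netmask is a contiguous run of ones from the top; anything
    # else (255.0.255.0, or no ones at all) must not be turned into /N
    if mask != (0xffffffff << (32 - bits)) & 0xffffffff:
        raise ValueError("invalid netmask %s" % s[1])  # route to the caller's error path
    s[1] = bits
s[1] = long(s[1])
# … unchanged: DNSUtils.cidr lookup in the following try …
```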
@@ -188,6 +188,15 @@ class IgnoreIP(LogCaptureTestCase): self.assertFalse(self.filter.inIgnoreIPList('192.168.1.255')) self.assertFalse(self.filter.inIgnoreIPList('192.168.0.255')) + def testIgnoreIPMask(self): + self.filter.addIgnoreIP('192.168.1.0/255.255.255.128') + self.assertTrue(self.filter.inIgnoreIPList('192.168.1.0')) + self.assertTrue(self.filter.inIgnoreIPList('192.168.1.1')) + self.assertTrue(self.filter.inIgnoreIPList('192.168.1.127')) + self.assertFalse(self.filter.inIgnoreIPList('192.168.1.128')) + self.assertFalse(self.filter.inIgnoreIPList('192.168.1.255')) + self.assertFalse(self.filter.inIgnoreIPList('192.168.0.255')) + def testIgnoreInProcessLine(self): self.filter.addIgnoreIP('192.168.1.0/25') self.filter.addFailRegex('') From 3d776afbb003ba962fc1ca2d2c89cc363d69396c Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Wed, 26 Feb 2014 19:16:49 +1100 Subject: [PATCH 31/48] ENH: add filter for sendmail-{auth,spam}. Closes gh-20 --- ChangeLog | 1 + MANIFEST | 2 ++ THANKS | 2 ++ config/filter.d/sendmail-auth.conf | 18 ++++++++++++++++ config/filter.d/sendmail-spam.conf | 33 ++++++++++++++++++++++++++++++ testcases/files/logs/sendmail-auth | 12 +++++++++++ testcases/files/logs/sendmail-spam | 24 ++++++++++++++++++++++ 7 files changed, 92 insertions(+) create mode 100644 config/filter.d/sendmail-auth.conf create mode 100644 config/filter.d/sendmail-spam.conf create mode 100644 testcases/files/logs/sendmail-auth create mode 100644 testcases/files/logs/sendmail-spam diff --git a/ChangeLog b/ChangeLog index 948cfcd6..c4a76979 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17,6 +17,7 @@ ver. 0.8.13 (2014/XX/XXX) - maintenance-only-from-now-on - New Features: - filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa) + - filter sendmail-{auth,spam} (jserrachinha and cepheid666). - Enhancements: - filter pureftpd - added all translations of "Authentication failed for diff --git a/MANIFEST b/MANIFEST index 9f2e5932..5d569e69 100644 
--- a/MANIFEST +++ b/MANIFEST @@ -172,6 +172,8 @@ config/filter.d/qmail.conf config/filter.d/pam-generic.conf config/filter.d/php-url-fopen.conf config/filter.d/postfix-sasl.conf +config/filter.d/sendmail-auth.conf +config/filter.d/sendmail-spam.conf config/filter.d/sieve.conf config/filter.d/solid-pop3d.conf config/filter.d/squid.conf diff --git a/THANKS b/THANKS index c3ff109c..f7b77725 100644 --- a/THANKS +++ b/THANKS @@ -21,6 +21,7 @@ Bas van den Dikkenberg Beau Raines Bill Heaton Carlos Alberto Lopez Perez +cepheid666 Christian Rauch Christophe Carles Christoph Haas @@ -49,6 +50,7 @@ Jonathan Lanning Jonathan Underwood Joël Bertrand JP Espinosa +jserrachinha Justin Shore Kévin Drapel kjohnsonecl diff --git a/config/filter.d/sendmail-auth.conf b/config/filter.d/sendmail-auth.conf new file mode 100644 index 00000000..138fbb85 --- /dev/null +++ b/config/filter.d/sendmail-auth.conf @@ -0,0 +1,18 @@ +# Fail2Ban filter for sendmail authentication failures +# + +[INCLUDES] + +before = common.conf + +[Definition] + +_daemon = (?:sm-(mta|acceptingconnections)) + +failregex = ^%(__prefix_line)s\w{14}: (\S+ )?\[\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$ + +ignoreregex = + +# DEV Notes: +# +# Author: Daniel Black diff --git a/config/filter.d/sendmail-spam.conf b/config/filter.d/sendmail-spam.conf new file mode 100644 index 00000000..1f316f78 --- /dev/null +++ b/config/filter.d/sendmail-spam.conf 
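Review bot: `_daemon = (?:sm-(mta|acceptingconnections))` wraps a capturing group inside a non-capturing one; the inner alternation should be non-capturing too, `_daemon = (?:sm-(?:mta|acceptingconnections))`, so the prefix adds no unnamed group to every failregex. The same definition is repeated in sendmail-spam.conf in this commit. The header comment could also say which sendmail log line the regex targets; the `count=\d+` tail suggests the daemon emits the line once a threshold of AUTH failures has been reached, which should be confirmed and stated because it affects how `maxretry` is chosen for the jail.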
@@ -0,0 +1,33 @@ +# Fail2Ban filter for sendmail spam/relay type failures +# +# Some of the below failregex will only work properly, when the following +# options are set in the .mc file (see your Sendmail documentation on how +# to modify it and generate the corresponding .cf file): +# +# FEATURE(`delay_checks') +# FEATURE(`greet_pause', `500') +# FEATURE(`ratecontrol', `nodelay', `terminate') +# FEATURE(`conncontrol', `nodelay', `terminate') +# +# ratecontrol and conncontrol also need corresponding options ClientRate: +# and ClientConn: in the access file, see documentation for ratecontrol and +# conncontrol in the sendmail/cf/README file. + +[INCLUDES] + +before = common.conf + +[Definition] + +_daemon = (?:sm-(mta|acceptingconnections)) + +failregex = ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=(?P(<\S+@\S+>)?), relay=(\S+ )?\[\]( \(may be forged\))?, reject=550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.)$ + ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=, relay=(\S+ )?\[\]( \(may be forged\))?, reject=(553 5\.1\.8 \.\.\. Domain of sender address \S+ does not exist|550 5\.7\.1 \.\.\. Rejected: (\d+\.){3}\d+\ listed at \S+)$ + ^%(__prefix_line)sruleset=check_relay, arg1=(?P\S+), arg2=, relay=(?P=dom) \[(\d+\.){3}\d+\]( \(may be forged\))?, reject=421 4\.3\.2 Connection rate limit exceeded\.$ + + +ignoreregex = + +# DEV Notes: +# +# Author: Daniel Black and Fabian Wenk diff --git a/testcases/files/logs/sendmail-auth b/testcases/files/logs/sendmail-auth new file mode 100644 index 00000000..7cc18c70 --- /dev/null +++ b/testcases/files/logs/sendmail-auth 
@@ -0,0 +1,12 @@ + +# failJSON: { "time": "2005-02-16T23:33:20", "match": true , "host": "190.5.230.178" } +Feb 16 23:33:20 smtp1 sm-mta[5133]: s1GNXHYB005133: [190.5.230.178]: possible SMTP attack: command=AUTH, count=5 + +# failJSON: { "time": "2005-02-16T23:40:36", "match": true , "host": "75.176.164.191" } +Feb 16 23:40:36 smtp1 sm-mta[5178]: s1GNeNqe005178: cpe-075-176-164-191.sc.res.rr.com [75.176.164.191]: possible SMTP attack: command=AUTH, count=5 + +# failJSON: { "time": "2005-02-24T12:10:15", "match": true , "host": "211.75.6.133" } +Feb 24 12:10:15 kismet sm-acceptingconnections[32053]: s1OHA28u032053: 211-75-6-133.HINET-IP.hinet.net [211.75.6.133]: possible SMTP attack: command=AUTH, count=6 + +# failJSON: { "time": "2005-02-24T13:00:17", "match": true , "host": "95.70.241.192" } +Feb 24 13:00:17 kismet sm-acceptingconnections[1499]: s1OHxxSn001499: 192.241.70.95.dsl.static.turk.net [95.70.241.192] (may be forged): possible SMTP attack: command=AUTH, count=6 diff --git a/testcases/files/logs/sendmail-spam b/testcases/files/logs/sendmail-spam new file mode 100644 index 00000000..14413482 --- /dev/null +++ b/testcases/files/logs/sendmail-spam 
@@ -0,0 +1,24 @@ +# failJSON: { "time": "2005-02-25T03:01:10", "match": true , "host": "128.68.136.133" } +Feb 25 03:01:10 kismet sm-acceptingconnections[27713]: s1P819mk027713: ruleset=check_rcpt, arg1=, relay=128-68-136-133.broadband.corbina.ru [128.68.136.133], reject=550 5.7.1 ... Relaying denied. Proper authentication required. + +# failJSON: { "time": "2005-02-23T21:36:14", "match": true , "host": "80.253.155.119" } +Feb 23 21:36:14 petermurray sm-mta[22248]: s1NLaDQT022248: ruleset=check_rcpt, arg1=, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 ... Relaying denied. IP name possibly forged [80.253.155.119] + +# failJSON: { "time": "2005-02-24T07:33:59", "match": true , "host": "118.161.66.57" } +Feb 24 07:33:59 petermurray sm-mta[21134]: s1O7XtZJ021134: ruleset=check_rcpt, arg1=, relay=118-161-66-57.dynamic.hinet.net [118.161.66.57], reject=550 5.7.1 ... Relaying denied. Proper authentication required. + +# failJSON: { "time": "2005-02-23T07:57:28", "match": true , "host": "2.180.185.27" } +Feb 23 07:57:28 petermurray sm-mta[6519]: s1N7vR47006519: ruleset=check_rcpt, arg1=, relay=[2.180.185.27], reject=553 5.1.8 ... Domain of sender address camila.pinto@andrewweitzman.com does not exist + +# failJSON: { "time": "2005-02-23T14:13:08", "match": true , "host": "85.60.238.161" } +Feb 23 14:13:08 petermurray sm-mta[17126]: s1NED81M017126: ruleset=check_rcpt, arg1=, relay=161.pool85-60-238.dynamic.orange.es [85.60.238.161], reject=553 5.1.8 ... Domain of sender address anabelaalvesd@dsldevice.lan does not exist + +# failJSON: { "time": "2005-02-24T05:07:40", "match": true , "host": "202.53.73.138" } +Feb 24 05:07:40 petermurray sm-mta[716]: s1O57c6H000716: ruleset=check_rcpt, arg1=, relay=202.53.73.138.nettlinx.com [202.53.73.138] (may be forged), reject=553 5.1.8 ... 
Domain of sender address root@srv.montserv.com does not exist + +# failJSON: { "time": "2005-02-23T07:00:08", "match": true , "host": "151.232.63.226" } +Feb 23 07:00:08 petermurray sm-mta[3992]: s1N706jo003992: ruleset=check_rcpt, arg1=, relay=[151.232.63.226], reject=550 5.7.1 ... Rejected: 151.232.63.226 listed at sbl-xbl.spamhaus.org + +# failJSON: { "time": "2005-02-24T01:46:44", "match": true , "host": "217.21.54.82" } +Feb 24 01:46:44 petermurray sm-mta[24422]: ruleset=check_relay, arg1=leased-line-54-82.telecom.by, arg2=217.21.54.82, relay=leased-line-54-82.telecom.by [217.21.54.82], reject=421 4.3.2 Connection rate limit exceeded. + From fe1725c603a2a1f32c686a7c5f16942585968999 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Wed, 26 Feb 2014 19:31:09 +1100 Subject: [PATCH 32/48] BF: add jail.conf definitions for sendmail* filters --- config/jail.conf | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/config/jail.conf b/config/jail.conf index 3d74a2f5..ea4f4555 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -157,6 +157,21 @@ logpath = /var/log/daemon.log maxretry = 6 +[sendmail-auth] + +enabled = false +filter = sendmail-auth +action = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp] +logpath = /var/log/mail.log + + +[sendmail-spam] + +enabled = false +filter = sendmail-spam +action = iptables[name=sendmail-spam, port=smtp, protocol=tcp] +logpath = /var/log/mail.log + # This jail forces the backend to "polling". [sasl-iptables] From 75599fc7a05b9b54872d9c6e1b91e064fd8871d2 Mon Sep 17 00:00:00 2001 From: Steven Hiscocks Date: Wed, 26 Feb 2014 22:13:23 +0000 Subject: [PATCH 33/48] DOC: Add reference to action argument values which contain "," Closes gh-632 --- man/jail.conf.5 | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/man/jail.conf.5 b/man/jail.conf.5 index f8f076c6..3a354c11 100644 --- a/man/jail.conf.5 +++ b/man/jail.conf.5 
@@ -133,7 +133,15 @@ filename(s) of the log files to be monitored. Globs -- paths containing * and ? Ensure syslog or the program that generates the log file isn't configured to compress repeated log messages to "\fI*last message repeated 5 time*s\fR" otherwise it will fail to detect. This is called \fIRepeatedMsgReduction\fR in rsyslog and should be \fIOff\fR. .TP .B action -action(s) from \fI/etc/fail2ban/action.d/\fR without the \fI.conf\fR/\fI.local\fR extension. Arguments can be passed to actions to override the default values from the [Init] section in the action file. Arguments are specified by [name=value,name2=value]. Values can also be quoted. More that one action can be specified (in separate lines). +action(s) from \fI/etc/fail2ban/action.d/\fR without the \fI.conf\fR/\fI.local\fR extension. Arguments can be passed to actions to override the default values from the [Init] section in the action file. Arguments are specified by: +.RS +.RS + +[name=value,name2=value,name3="values,values"] + +.RE +Values can also be quoted (required when value includes a ","). More that one action can be specified (in separate lines). +.RE .TP .B ignoreip list of IPs not to ban. They can include a CIDR mask too. From 72c84fe9b0a88126d4c2bfa57af384ad76b433ac Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Thu, 27 Feb 2014 10:02:34 +1100 Subject: [PATCH 34/48] ENH: wider regex for RBL and sendmail-spam --- config/filter.d/sendmail-spam.conf | 2 +- testcases/files/logs/sendmail-spam | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/config/filter.d/sendmail-spam.conf b/config/filter.d/sendmail-spam.conf index 1f316f78..6268db2b 100644 --- a/config/filter.d/sendmail-spam.conf +++ b/config/filter.d/sendmail-spam.conf 
@@ -22,7 +22,7 @@ before = common.conf _daemon = (?:sm-(mta|acceptingconnections)) failregex = ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=(?P(<\S+@\S+>)?), relay=(\S+ )?\[\]( \(may be forged\))?, reject=550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.)$ - ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=, relay=(\S+ )?\[\]( \(may be forged\))?, reject=(553 5\.1\.8 \.\.\. Domain of sender address \S+ does not exist|550 5\.7\.1 \.\.\. Rejected: (\d+\.){3}\d+\ listed at \S+)$ + ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=, relay=(\S+ )?\[\]( \(may be forged\))?, reject=(553 5\.1\.8 \.\.\. Domain of sender address \S+ does not exist|550 5\.7\.1 \.\.\. Rejected: .*)$ ^%(__prefix_line)sruleset=check_relay, arg1=(?P\S+), arg2=, relay=(?P=dom) \[(\d+\.){3}\d+\]( \(may be forged\))?, reject=421 4\.3\.2 Connection rate limit exceeded\.$ diff --git a/testcases/files/logs/sendmail-spam b/testcases/files/logs/sendmail-spam index 14413482..4aad3b25 100644 --- a/testcases/files/logs/sendmail-spam +++ b/testcases/files/logs/sendmail-spam 
@@ -19,6 +19,16 @@ Feb 24 05:07:40 petermurray sm-mta[716]: s1O57c6H000716: ruleset=check_rcpt, arg # failJSON: { "time": "2005-02-23T07:00:08", "match": true , "host": "151.232.63.226" } Feb 23 07:00:08 petermurray sm-mta[3992]: s1N706jo003992: ruleset=check_rcpt, arg1=, relay=[151.232.63.226], reject=550 5.7.1 ... Rejected: 151.232.63.226 listed at sbl-xbl.spamhaus.org +# failJSON: { "time": "2005-02-23T04:36:21", "match": true , "host": "74.137.127.206" } +Feb 23 04:36:21 kismet sm-acceptingconnections[12603]: s1N9aKAw012603: ruleset=check_rcpt, arg1=, relay=74-137-127-206.dhcp.insightbb.com [74.137.127.206], reject=550 5.7.1 ... Rejected: IP in SpamCop blacklist, see: http://spamcop.net/bl.shtml?74.137.127.206 + +# failJSON: { "time": "2005-02-23T04:38:57", "match": true , "host": "203.229.186.250" } +Feb 23 04:38:57 kismet sm-acceptingconnections[16772]: s1N9csSZ016772: ruleset=check_rcpt, arg1=, relay=[203.229.186.250], reject=550 5.7.1 ... Rejected: IP in Barracuda RBL, see: http://www.barracudacentral.org/reputation?ip=203.229.186.250 + +# failJSON: { "time": "2005-02-23T06:06:04", "match": true , "host": "186.54.117.93" } +Feb 23 06:06:04 kismet sm-acceptingconnections[18622]: s1NB63Bp018622: ruleset=check_rcpt, arg1=, relay=r186-54-117-93.dialup.adsl.anteldata.net.uy [186.54.117.93], reject=550 5.7.1 ... Rejected: IP in SpamHaus PBL, see http://www.spamhaus.org/query/bl?ip=186.54.117.93 + # failJSON: { "time": "2005-02-24T01:46:44", "match": true , "host": "217.21.54.82" } Feb 24 01:46:44 petermurray sm-mta[24422]: ruleset=check_relay, arg1=leased-line-54-82.telecom.by, arg2=217.21.54.82, relay=leased-line-54-82.telecom.by [217.21.54.82], reject=421 4.3.2 Connection rate limit exceeded. + From d34569fb8dec199336a3b05f1b101d8879902d21 Mon Sep 17 00:00:00 2001 
From: Daniel Black Date: Thu, 27 Feb 2014 11:38:23 +1100 Subject: [PATCH 35/48] BF: email address as arg1 in sendmail filters --- config/filter.d/sendmail-spam.conf | 3 +-- testcases/files/logs/sendmail-spam | 16 ++++++++-------- 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/config/filter.d/sendmail-spam.conf b/config/filter.d/sendmail-spam.conf index 6268db2b..1ccd37a0 100644 --- a/config/filter.d/sendmail-spam.conf +++ b/config/filter.d/sendmail-spam.conf @@ -21,8 +21,7 @@ before = common.conf _daemon = (?:sm-(mta|acceptingconnections)) -failregex = ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=(?P(<\S+@\S+>)?), relay=(\S+ )?\[\]( \(may be forged\))?, reject=550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.)$ - ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=, relay=(\S+ )?\[\]( \(may be forged\))?, reject=(553 5\.1\.8 \.\.\. Domain of sender address \S+ does not exist|550 5\.7\.1 \.\.\. Rejected: .*)$ +failregex = ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=(?P<\S+@\S+>), relay=(\S+ )?\[\]( \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.)|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.7\.1 (?P=email)\.\.\. Rejected: .*)$ ^%(__prefix_line)sruleset=check_relay, arg1=(?P\S+), arg2=, relay=(?P=dom) \[(\d+\.){3}\d+\]( \(may be forged\))?, reject=421 4\.3\.2 Connection rate limit exceeded\.$ diff --git a/testcases/files/logs/sendmail-spam b/testcases/files/logs/sendmail-spam index 4aad3b25..2992725d 100644 --- a/testcases/files/logs/sendmail-spam +++ b/testcases/files/logs/sendmail-spam 
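Review bot: The merged pattern makes the `email` group mandatory (`<\S+@\S+>`), whereas the previous first pattern allowed it to be empty via `(<\S+@\S+>)?` and the previous second pattern matched arg1 literally; if sendmail logs `arg1=<>` for null-sender (bounce) rejections, those lines stop matching after this change. Keeping the group optional, `arg1=(?P<email>(<\S+@\S+>)?)` with the same back-references, preserves the old coverage. This rendering drops angle-bracketed text, so what arg1 held in the old second pattern and in the fixture lines cannot be read here and should be checked against the real log; the fixture in the following hunks only shows addresses of the `<user@host>` form, so it would not catch the regression.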
@@ -1,5 +1,5 @@ # failJSON: { "time": "2005-02-25T03:01:10", "match": true , "host": "128.68.136.133" } -Feb 25 03:01:10 kismet sm-acceptingconnections[27713]: s1P819mk027713: ruleset=check_rcpt, arg1=, relay=128-68-136-133.broadband.corbina.ru [128.68.136.133], reject=550 5.7.1 ... Relaying denied. Proper authentication required. +Feb 25 03:01:10 kismet sm-acceptingconnections[27713]: s1P819mk027713: ruleset=check_rcpt, arg1=, relay=128-68-136-133.broadband.corbina.ru [128.68.136.133], reject=550 5.7.1 ... Relaying denied. Proper authentication required. # failJSON: { "time": "2005-02-23T21:36:14", "match": true , "host": "80.253.155.119" } Feb 23 21:36:14 petermurray sm-mta[22248]: s1NLaDQT022248: ruleset=check_rcpt, arg1=, relay=int0.client.access.azadnet.net [80.253.155.119] (may be forged), reject=550 5.7.1 ... Relaying denied. IP name possibly forged [80.253.155.119] 
@@ -8,25 +8,25 @@ Feb 23 21:36:14 petermurray sm-mta[22248]: s1NLaDQT022248: ruleset=check_rcpt, a Feb 24 07:33:59 petermurray sm-mta[21134]: s1O7XtZJ021134: ruleset=check_rcpt, arg1=, relay=118-161-66-57.dynamic.hinet.net [118.161.66.57], reject=550 5.7.1 ... Relaying denied. Proper authentication required. # failJSON: { "time": "2005-02-23T07:57:28", "match": true , "host": "2.180.185.27" } -Feb 23 07:57:28 petermurray sm-mta[6519]: s1N7vR47006519: ruleset=check_rcpt, arg1=, relay=[2.180.185.27], reject=553 5.1.8 ... Domain of sender address camila.pinto@andrewweitzman.com does not exist +Feb 23 07:57:28 petermurray sm-mta[6519]: s1N7vR47006519: ruleset=check_rcpt, arg1=, relay=[2.180.185.27], reject=553 5.1.8 ... Domain of sender address camila.pinto@andrewweitzman.com does not exist # failJSON: { "time": "2005-02-23T14:13:08", "match": true , "host": "85.60.238.161" } -Feb 23 14:13:08 petermurray sm-mta[17126]: s1NED81M017126: ruleset=check_rcpt, arg1=, relay=161.pool85-60-238.dynamic.orange.es [85.60.238.161], reject=553 5.1.8 ... Domain of sender address anabelaalvesd@dsldevice.lan does not exist +Feb 23 14:13:08 petermurray sm-mta[17126]: s1NED81M017126: ruleset=check_rcpt, arg1=, relay=161.pool85-60-238.dynamic.orange.es [85.60.238.161], reject=553 5.1.8 ... Domain of sender address anabelaalvesd@dsldevice.lan does not exist # failJSON: { "time": "2005-02-24T05:07:40", "match": true , "host": "202.53.73.138" } -Feb 24 05:07:40 petermurray sm-mta[716]: s1O57c6H000716: ruleset=check_rcpt, arg1=, relay=202.53.73.138.nettlinx.com [202.53.73.138] (may be forged), reject=553 5.1.8 ... Domain of sender address root@srv.montserv.com does not exist +Feb 24 05:07:40 petermurray sm-mta[716]: s1O57c6H000716: ruleset=check_rcpt, arg1=, relay=202.53.73.138.nettlinx.com [202.53.73.138] (may be forged), reject=553 5.1.8 ... 
Domain of sender address root@srv.montserv.com does not exist # failJSON: { "time": "2005-02-23T07:00:08", "match": true , "host": "151.232.63.226" } -Feb 23 07:00:08 petermurray sm-mta[3992]: s1N706jo003992: ruleset=check_rcpt, arg1=, relay=[151.232.63.226], reject=550 5.7.1 ... Rejected: 151.232.63.226 listed at sbl-xbl.spamhaus.org +Feb 23 07:00:08 petermurray sm-mta[3992]: s1N706jo003992: ruleset=check_rcpt, arg1=, relay=[151.232.63.226], reject=550 5.7.1 ... Rejected: 151.232.63.226 listed at sbl-xbl.spamhaus.org # failJSON: { "time": "2005-02-23T04:36:21", "match": true , "host": "74.137.127.206" } -Feb 23 04:36:21 kismet sm-acceptingconnections[12603]: s1N9aKAw012603: ruleset=check_rcpt, arg1=, relay=74-137-127-206.dhcp.insightbb.com [74.137.127.206], reject=550 5.7.1 ... Rejected: IP in SpamCop blacklist, see: http://spamcop.net/bl.shtml?74.137.127.206 +Feb 23 04:36:21 kismet sm-acceptingconnections[12603]: s1N9aKAw012603: ruleset=check_rcpt, arg1=, relay=74-137-127-206.dhcp.insightbb.com [74.137.127.206], reject=550 5.7.1 ... Rejected: IP in SpamCop blacklist, see: http://spamcop.net/bl.shtml?74.137.127.206 # failJSON: { "time": "2005-02-23T04:38:57", "match": true , "host": "203.229.186.250" } -Feb 23 04:38:57 kismet sm-acceptingconnections[16772]: s1N9csSZ016772: ruleset=check_rcpt, arg1=, relay=[203.229.186.250], reject=550 5.7.1 ... Rejected: IP in Barracuda RBL, see: http://www.barracudacentral.org/reputation?ip=203.229.186.250 +Feb 23 04:38:57 kismet sm-acceptingconnections[16772]: s1N9csSZ016772: ruleset=check_rcpt, arg1=, relay=[203.229.186.250], reject=550 5.7.1 ... Rejected: IP in Barracuda RBL, see: http://www.barracudacentral.org/reputation?ip=203.229.186.250 # failJSON: { "time": "2005-02-23T06:06:04", "match": true , "host": "186.54.117.93" } -Feb 23 06:06:04 kismet sm-acceptingconnections[18622]: s1NB63Bp018622: ruleset=check_rcpt, arg1=, relay=r186-54-117-93.dialup.adsl.anteldata.net.uy [186.54.117.93], reject=550 5.7.1 ... 
Rejected: IP in SpamHaus PBL, see http://www.spamhaus.org/query/bl?ip=186.54.117.93 +Feb 23 06:06:04 kismet sm-acceptingconnections[18622]: s1NB63Bp018622: ruleset=check_rcpt, arg1=, relay=r186-54-117-93.dialup.adsl.anteldata.net.uy [186.54.117.93], reject=550 5.7.1 ... Rejected: IP in SpamHaus PBL, see http://www.spamhaus.org/query/bl?ip=186.54.117.93 # failJSON: { "time": "2005-02-24T01:46:44", "match": true , "host": "217.21.54.82" } Feb 24 01:46:44 petermurray sm-mta[24422]: ruleset=check_relay, arg1=leased-line-54-82.telecom.by, arg2=217.21.54.82, relay=leased-line-54-82.telecom.by [217.21.54.82], reject=421 4.3.2 Connection rate limit exceeded. From c10cc20928d2679d21bdb8e9f16ab7fc58e4aeb4 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Fri, 28 Feb 2014 08:41:04 +1100 Subject: [PATCH 36/48] ENH: rename sendmail-spam to sendmail-reject --- ChangeLog | 2 +- MANIFEST | 4 +++- config/jail.conf | 6 +++--- config/filter.d/sendmail-spam.conf => sendmail-reject.conf | 0 testcases/files/logs/{sendmail-spam => sendmail-reject} | 0 5 files changed, 7 insertions(+), 5 deletions(-) rename config/filter.d/sendmail-spam.conf => sendmail-reject.conf (100%) rename testcases/files/logs/{sendmail-spam => sendmail-reject} (100%) diff --git a/ChangeLog b/ChangeLog index c4a76979..eaab2247 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17,7 +17,7 @@ ver. 0.8.13 (2014/XX/XXX) - maintenance-only-from-now-on - New Features: - filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa) - - filter sendmail-{auth,spam} (jserrachinha and cepheid666). + - filter sendmail-{auth,reject} (jserrachinha and cepheid666 and fab23). - Enhancements: - filter pureftpd - added all translations of "Authentication failed for diff --git a/MANIFEST b/MANIFEST index 5d569e69..af3f564c 100644 --- a/MANIFEST +++ b/MANIFEST 
@@ -103,6 +103,8 @@ testcases/files/logs/qmail testcases/files/logs/recidive testcases/files/logs/sieve testcases/files/logs/selinux-ssh +testcases/files/logs/sendmail-auth +testcases/files/logs/sendmail-reject testcases/files/logs/suhosin testcases/files/logs/uwimap-auth testcases/files/logs/wuftpd @@ -173,7 +175,7 @@ config/filter.d/pam-generic.conf config/filter.d/php-url-fopen.conf config/filter.d/postfix-sasl.conf config/filter.d/sendmail-auth.conf -config/filter.d/sendmail-spam.conf +config/filter.d/sendmail-reject.conf config/filter.d/sieve.conf config/filter.d/solid-pop3d.conf config/filter.d/squid.conf diff --git a/config/jail.conf b/config/jail.conf index ea4f4555..5ba1c7c4 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -165,11 +165,11 @@ action = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", pr logpath = /var/log/mail.log -[sendmail-spam] +[sendmail-reject] enabled = false -filter = sendmail-spam -action = iptables[name=sendmail-spam, port=smtp, protocol=tcp] +filter = sendmail-reject +action = iptables[name=sendmail-reject, port=smtp, protocol=tcp] logpath = /var/log/mail.log diff --git a/config/filter.d/sendmail-spam.conf b/sendmail-reject.conf similarity index 100% rename from config/filter.d/sendmail-spam.conf rename to sendmail-reject.conf diff --git a/testcases/files/logs/sendmail-spam b/testcases/files/logs/sendmail-reject similarity index 100% rename from testcases/files/logs/sendmail-spam rename to testcases/files/logs/sendmail-reject From d0ec09a3b5cebc62bcf7a13c25a623b88148191b Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Sat, 1 Mar 2014 15:50:30 +1100 Subject: [PATCH 37/48] BF: move to right location --- sendmail-reject.conf => config/filter.d/sendmail-reject.conf | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename sendmail-reject.conf => config/filter.d/sendmail-reject.conf (100%) 
diff --git a/sendmail-reject.conf b/config/filter.d/sendmail-reject.conf similarity index 100% rename from sendmail-reject.conf rename to config/filter.d/sendmail-reject.conf From 853bed8e4f1cbddff0820f7e3948bc8db9077714 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Sun, 2 Mar 2014 14:04:27 +1100 Subject: [PATCH 38/48] ENH: more sendmail-reject filter items thanks to fab23 --- config/filter.d/sendmail-reject.conf | 6 +++-- testcases/files/logs/sendmail-reject | 33 ++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 2 deletions(-) diff --git a/config/filter.d/sendmail-reject.conf b/config/filter.d/sendmail-reject.conf index 1ccd37a0..3a897316 100644 --- a/config/filter.d/sendmail-reject.conf +++ b/config/filter.d/sendmail-reject.conf 
@@ -21,8 +21,10 @@ before = common.conf _daemon = (?:sm-(mta|acceptingconnections)) -failregex = ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=(?P<\S+@\S+>), relay=(\S+ )?\[\]( \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.)|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.7\.1 (?P=email)\.\.\. Rejected: .*)$ - ^%(__prefix_line)sruleset=check_relay, arg1=(?P\S+), arg2=, relay=(?P=dom) \[(\d+\.){3}\d+\]( \(may be forged\))?, reject=421 4\.3\.2 Connection rate limit exceeded\.$ +failregex = ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=(?P<\S+@\S+>), relay=(\S+ )?\[\]( \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\])|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$ + ^%(__prefix_line)sruleset=check_relay, arg1=(?P\S+), arg2=, relay=((?P=dom) )?\[(\d+\.){3}\d+\]( \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$ + ^%(__prefix_line)s\w{14}: rejecting commands from (\S+ )?\[\] due to pre-greeting traffic after \d+ seconds$ + ^%(__prefix_line)s\w{14}: (\S+ )?\[\]: ((?i)expn|vrfy) \S+ \[rejected\]$ ignoreregex = diff --git a/testcases/files/logs/sendmail-reject b/testcases/files/logs/sendmail-reject index 2992725d..b7d37e5a 100644 --- a/testcases/files/logs/sendmail-reject +++ b/testcases/files/logs/sendmail-reject 
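Review bot: `((?i)expn|vrfy)` in the last added failregex places a global inline flag in the middle of the pattern; Python's `re` applies such a flag to the whole expression rather than to the enclosing group (and newer Python releases reject flags that are not at the start of the pattern), so the entire line becomes case-insensitive instead of just the command name. Spelling the two commands out, `([Ee][Xx][Pp][Nn]|[Vv][Rr][Ff][Yy])`, keeps the intent and is position-independent. The `550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown)` alternation in the first rule also accepts `5.7.1 ... User unknown` and `5.1.1 ... Rejected:` combinations that none of the added samples show; splitting it into a `5\.7\.1 ... Rejected: .*` and a `5\.1\.1 ... User unknown` branch keeps the match as tight as the rest of the rule.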
@@ -32,3 +32,36 @@ Feb 23 06:06:04 kismet sm-acceptingconnections[18622]: s1NB63Bp018622: ruleset=c Feb 24 01:46:44 petermurray sm-mta[24422]: ruleset=check_relay, arg1=leased-line-54-82.telecom.by, arg2=217.21.54.82, relay=leased-line-54-82.telecom.by [217.21.54.82], reject=421 4.3.2 Connection rate limit exceeded. +# failJSON: { "time": "2005-02-27T15:49:07", "match": true , "host": "189.30.205.74" } +Feb 27 15:49:07 batman sm-mta[88390]: ruleset=check_relay, arg1=189-30-205-74.paebv701.dsl.brasiltelecom.net.br, arg2=189.30.205.74, relay=189-30-205-74.paebv701.dsl.brasiltelecom.net.br [189.30.205.74], reject=421 4.3.2 Too many open connections. + +# failJSON: { "time": "2005-02-19T18:01:50", "match": true , "host": "196.213.73.146" } +Feb 19 18:01:50 batman sm-mta[78152]: ruleset=check_relay, arg1=[196.213.73.146], arg2=196.213.73.146, relay=[196.213.73.146], reject=421 4.3.2 Connection rate limit exceeded. + +# failJSON: { "time": "2005-02-27T10:53:06", "match": true , "host": "209.15.212.253" } +Feb 27 10:53:06 batman sm-mta[44307]: s1R9r60D044307: rejecting commands from [209.15.212.253] due to pre-greeting traffic after 0 seconds + +# failJSON: { "time": "2005-02-27T15:44:18", "match": true , "host": "41.204.78.137" } +Feb 27 15:44:18 batman sm-mta[87838]: s1REiHdq087838: ruleset=check_rcpt, arg1=, relay=[41.204.78.137], reject=550 5.7.1 ... Relaying denied. IP name lookup failed [41.204.78.137] + +# failJSON: { "time": "2005-02-27T15:49:02", "match": true , "host": "189.30.205.74" } +Feb 27 15:49:02 batman sm-mta[88377]: s1REn1un088377: ruleset=check_rcpt, arg1=, relay=189-30-205-74.paebv701.dsl.brasiltelecom.net.br [189.30.205.74], reject=550 5.1.1 ... User unknown + +# failJSON: { "time": "2005-02-27T22:44:42", "match": true , "host": "123.69.106.50" } +Feb 27 22:44:42 batman sm-mta[30972]: s1RLieRP030972: ruleset=check_rcpt, arg1=, relay=[123.69.106.50], reject=553 5.1.8 ... 
Domain of sender address lf@ibuv.net does not exist + +# failJSON: { "time": "2005-02-23T21:18:47", "match": true , "host": "76.72.174.70" } +Feb 23 21:18:47 batman sm-mta[93301]: s1NKIkZa093301: [76.72.174.70]: EXPN root [rejected] + +# failJSON: { "time": "2005-02-13T01:16:50", "match": true , "host": "217.193.142.180" } +Feb 13 01:16:50 batman sm-mta[25815]: s1D0GoSs025815: [217.193.142.180]: expn info [rejected] + +# failJSON: { "time": "2005-02-22T14:02:44", "match": true , "host": "24.73.201.194" } +Feb 22 14:02:44 batman sm-mta[4030]: s1MD2hsd004030: rrcs-24-73-201-194.se.biz.rr.com [24.73.201.194]: EXPN root [rejected] + +# failJSON: { "time": "2005-02-13T01:16:50", "match": true , "host": "217.193.142.180" } +Feb 13 01:16:50 batman sm-mta[25815]: s1D0GoSs025815: [217.193.142.180]: vrfy info [rejected] + +# failJSON: { "time": "2005-02-22T14:02:44", "match": true , "host": "24.73.201.194" } +Feb 22 14:02:44 batman sm-mta[4030]: s1MD2hsd004030: rrcs-24-73-201-194.se.biz.rr.com [24.73.201.194]: VRFY root [rejected] + From 415f1876440272b2077019824af96a32f5d7664a Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Fri, 14 Mar 2014 07:12:12 +1100 Subject: [PATCH 39/48] ENH: sendmail-reject for all smtp ports. --- config/jail.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/jail.conf b/config/jail.conf index 5ba1c7c4..effd0381 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -169,7 +169,7 @@ logpath = /var/log/mail.log enabled = false filter = sendmail-reject -action = iptables[name=sendmail-reject, port=smtp, protocol=tcp] +action = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp] logpath = /var/log/mail.log From 27dafea2811ddf13bc16ffcb98dae9c8ce250e79 Mon Sep 17 00:00:00 2001 
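Review bot: The replacement action line of the `[sendmail-reject]` jail widens the ports as intended but names the chain `name=sendmail-auth`, which is the name the `[sendmail-auth]` jail already uses (it is visible as the hunk-header context of the jail.conf hunk in PATCH 36). As far as iptables-multiport builds its chain from `name`, the two jails would then share a single `fail2ban-sendmail-auth` chain once both are enabled: stopping either jail flushes the other's bans, an unban issued by one jail removes the other's rule, and the per-jail ban trail becomes impossible to audit. The line should read `action = iptables-multiport[name=sendmail-reject, port="submission,465,smtp", protocol=tcp]`.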
From: Hank Leininger Date: Thu, 13 Mar 2014 22:47:28 -0400 Subject: [PATCH 40/48] Fix the --print-all-{missed,ignored} options. Previously, fail2ban-regex always printed both regardless of whether those options were present or not. This commit duplicates the patch I submitted at https://sourceforge.net/p/fail2ban/patches/25/ --- fail2ban-regex | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fail2ban-regex b/fail2ban-regex
index 18e2a5df..22fbbd67 100755
--- a/fail2ban-regex
+++ b/fail2ban-regex
@@ -354,8 +354,10 @@ class Fail2banRegex(object):
 print "\nLines: %s" % self._line_stats
- self.printLines('ignored')
- self.printLines('missed')
+ if self._print_all_ignored:
+ self.printLines('ignored')
+ if self._print_all_missed:
+ self.printLines('missed')
 return True
From aa7af6f9c2b2feae17be7aafd5f3290c84494f8b Mon Sep 17 00:00:00 2001 From: Hank Leininger Date: Thu, 13 Mar 2014 23:18:08 -0400 Subject: [PATCH 41/48] Only remember log lines we need to print later. When testing proccessing a large logfile (430 MB, 2M lines) without --print-all-missed or --print-all-ignored, fail2ban-regex consumes just over 2 GB of RAM before completing. Even though it does not need to retain any of the missed or ignored log lines, it does anyway. With this patch, memory use never grows beyond about 11 MB (unless --print-all-* are enabled). --- fail2ban-regex | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/fail2ban-regex b/fail2ban-regex
index 22fbbd67..941d0074 100755
--- a/fail2ban-regex
+++ b/fail2ban-regex
@@ -156,22 +156,16 @@ class LineStats(object): """ def __init__(self): self.tested = self.matched = 0 + self.missed = 0 self.missed_lines = [] self.missed_lines_timeextracted = [] + self.ignored = 0 self.ignored_lines = [] self.ignored_lines_timeextracted = [] def __str__(self): return "%(tested)d lines, %(ignored)d ignored, %(matched)d matched, %(missed)d missed" % self - @property - def ignored(self): - return len(self.ignored_lines) - - @property - def missed(self): - return self.tested - (self.ignored + self.matched) - # just for convenient str def __getitem__(self, key): return getattr(self, key) @@ -267,16 +261,20 @@ class Fail2banRegex(object): line_datetimestripped, ret = fail2banRegex.testRegex(line) if is_ignored: - self._line_stats.ignored_lines.append(line) - self._line_stats.ignored_lines_timeextracted.append(line_datetimestripped) + self._line_stats.ignored += 1 + if self._print_all_ignored: + self._line_stats.ignored_lines.append(line) + self._line_stats.ignored_lines_timeextracted.append(line_datetimestripped) if len(ret) > 0: assert(not is_ignored) self._line_stats.matched += 1 else: if not is_ignored: - self._line_stats.missed_lines.append(line) - self._line_stats.missed_lines_timeextracted.append(line_datetimestripped) + self._line_stats.missed += 1 + if self._print_all_missed: + self._line_stats.missed_lines.append(line) + self._line_stats.missed_lines_timeextracted.append(line_datetimestripped) self._line_stats.tested += 1 if line_no % 10 == 0: From d4fb48fd142f2123f73679ed032a2c223619f215 Mon Sep 17 00:00:00 2001 
From: Hank Leininger Date: Fri, 14 Mar 2014 01:57:55 -0400 Subject: [PATCH 42/48] Add --print-no-{missed,ignored} and restore -all. Realized --print-all-{missed,ignored} aren't meant to be simple on/off, but are meant to enable printing all lines even when there are more than 20. This restores the behavior of --print-all-*, but preserves the memory-savings when --print-all-* are not specified. Also adds --print-no-{missed,ignored} which can be used to suppress printing of a line type entirely. --- fail2ban-regex | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-)
diff --git a/fail2ban-regex b/fail2ban-regex
index 941d0074..da5bcf88 100755
--- a/fail2ban-regex
+++ b/fail2ban-regex
@@ -111,10 +111,14 @@ Report bugs to https://github.com/fail2ban/fail2ban/issues
 help="Be verbose in output"),
 Option("-D", "--debuggex", action='store_true',
 help="Produce debuggex.com urls for debugging there"),
+ Option("--print-no-missed", action='store_true',
+ help="Do not print any missed lines"),
+ Option("--print-no-ignored", action='store_true',
+ help="Do not print any ignored lines"),
 Option("--print-all-missed", action='store_true',
- help="Either to print all missed lines"),
+ help="Print all missed lines, no matter how many"),
 Option("--print-all-ignored", action='store_true',
- help="Either to print all ignored lines"),
+ help="Print all ignored lines, no matter how many"),
 Option("-t", "--log-traceback", action='store_true',
 help="Enrich log-messages with compressed tracebacks"),
 Option("--full-traceback", action='store_true',
@@ -178,6 +182,9 @@ class Fail2banRegex(object):
 def __init__(self, opts):
 self._verbose = opts.verbose
 self._debuggex = opts.debuggex
+ self._maxlines = 20
+ self._print_no_missed = opts.print_no_missed
+ self._print_no_ignored = opts.print_no_ignored
 self._print_all_missed = opts.print_all_missed
 self._print_all_ignored = opts.print_all_ignored
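Review bot: `self._maxlines = 20` in the `__init__` hunk is an undocumented threshold that the comparisons added later in this patch (`<= self._maxlines + 1` while buffering, `< self._maxlines` while printing) all hinge on, and nothing in the code says what the number bounds. A one-line comment would spare the next reader a trip through printLines, e.g. `# lines of each type kept for printing unless --print-all-* (none at all with --print-no-*)`. The commit message explains the 20-line cap, the code does not. The rest of `__init__` appears to lie outside this hunk.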
@@ -262,7 +269,7 @@ class Fail2banRegex(object):
 if is_ignored:
 self._line_stats.ignored += 1
- if self._print_all_ignored:
+ if not self._print_no_ignored and (self._print_all_ignored or self._line_stats.ignored <= self._maxlines + 1):
 self._line_stats.ignored_lines.append(line)
 self._line_stats.ignored_lines_timeextracted.append(line_datetimestripped)
@@ -272,7 +279,7 @@ class Fail2banRegex(object):
 else:
 if not is_ignored:
 self._line_stats.missed += 1
- if self._print_all_missed:
+ if not self._print_no_missed and (self._print_all_missed or self._line_stats.missed <= self._maxlines + 1):
 self._line_stats.missed_lines.append(line)
 self._line_stats.missed_lines_timeextracted.append(line_datetimestripped)
 self._line_stats.tested += 1
@@ -284,9 +291,10 @@ class Fail2banRegex(object):
 def printLines(self, ltype):
 lstats = self._line_stats
- assert(len(lstats.missed_lines) == lstats.tested - (lstats.matched + lstats.ignored))
+ assert(self._line_stats.missed == lstats.tested - (lstats.matched + lstats.ignored))
+ lines = lstats[ltype]
 l = lstats[ltype + '_lines']
- if len(l):
+ if lines:
 header = "%s line(s):" % (ltype.capitalize(),)
 if self._debuggex:
 if ltype == 'missed':
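Review bot: The buffering threshold and the printing threshold disagree: the new `self._line_stats.ignored <= self._maxlines + 1` condition (and its missed twin in the -272 hunk) keeps up to 21 lines of a type, while printLines in the following -294 hunk prints only when `lines < self._maxlines`, i.e. fewer than 20. With exactly 20 or 21 lines of a type they are buffered in memory and then reported as "too many to print", and the `+ 1` no longer buys anything now that the true count lives in `lstats[ltype]`. Using `<= self._maxlines` in both buffering conditions and `lines <= self._maxlines` in both printLines comparisons makes the four agree. Separately, the new `assert(self._line_stats.missed == lstats.tested - ...)` reaches the same object by two names on one line; `lstats.missed` reads consistently with the rest of the expression. The body of printLines continues into the next hunk.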
@@ -294,21 +302,20 @@ class Fail2banRegex(object):
 else:
 regexlist = self._ignoreregex
 l = lstats[ltype + '_lines_timeextracted']
- lines = len(l)*len(regexlist)
- if lines < 20 or getattr(self, '_print_all_' + ltype):
+ if lines < self._maxlines or getattr(self, '_print_all_' + ltype):
 ans = [[]]
 for arg in [l, regexlist]:
 ans = [ x + [y] for x in ans for y in arg ]
 b = map(lambda a: a[0] + ' | ' + a[1].getFailRegex() + ' | ' + debuggexURL(a[0], a[1].getFailRegex()), ans)
 pprint_list([x.rstrip() for x in b], header)
 else:
- print "%s: too many to print. Use --print-all-%s " \
+ print "%s too many to print. Use --print-all-%s " \
 "to print all %d lines" % (header, ltype, lines)
- elif len(l) < 20 or getattr(self, '_print_all_' + ltype):
+ elif lines < self._maxlines or getattr(self, '_print_all_' + ltype):
 pprint_list([x.rstrip() for x in l], header)
 else:
- print "%s: too many to print. Use --print-all-%s " \
- "to print all %d lines" % (header, ltype, len(l))
+ print "%s too many to print. Use --print-all-%s " \
+ "to print all %d lines" % (header, ltype, lines)
 def printStats(self):
 print
@@ -352,9 +359,9 @@ class Fail2banRegex(object):
 print "\nLines: %s" % self._line_stats
- if self._print_all_ignored:
+ if not self._print_no_ignored:
 self.printLines('ignored')
- if self._print_all_missed:
+ if not self._print_no_missed:
 self.printLines('missed')
 return True
From 2deb1b71a19cde27051264c35d1bb2821cc2b7bd Mon Sep 17 00:00:00 2001 From: Hank Leininger Date: Fri, 14 Mar 2014 02:10:00 -0400 Subject: [PATCH 43/48] Sanity-check print-all-* vs print-no-* options. Also, fixed a trivial whitespace issue. --- fail2ban-regex | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/fail2ban-regex b/fail2ban-regex
index da5bcf88..9055360d 100755
--- a/fail2ban-regex
+++ b/fail2ban-regex
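Review bot: In the debuggex branch the cap now compares `lines`, the per-type line count taken from `lstats[ltype]`, where the removed line compared `len(l)*len(regexlist)`; the `ans = [ x + [y] for x in ans for y in arg ]` cross product still emits one entry per line per regex, so with 19 missed lines and several regexes far more than `_maxlines` entries are printed. If the cap was meant to bound the output rather than the input, compare the product again, `if lines*len(regexlist) < self._maxlines or getattr(self, '_print_all_' + ltype):`, and keep `lines` in the message so it still reports the line count. The commit message does not mention this change in what the threshold measures, so it may be unintentional. The start of printLines is in the preceding hunk.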
@@ -182,7 +182,7 @@ class Fail2banRegex(object): def __init__(self, opts): self._verbose = opts.verbose self._debuggex = opts.debuggex - self._maxlines = 20 + self._maxlines = 20 self._print_no_missed = opts.print_no_missed self._print_no_ignored = opts.print_no_ignored self._print_all_missed = opts.print_all_missed @@ -371,6 +371,14 @@ if __name__ == "__main__": parser = get_opt_parser() (opts, args) = parser.parse_args() + if opts.print_no_missed and opts.print_all_missed: + sys.stderr.write("ERROR: --print-no-missed and --print-all-missed are mutually exclusive.\n\n") + parser.print_help() + sys.exit(-1) + if opts.print_no_ignored and opts.print_all_ignored: + sys.stderr.write("ERROR: --print-no-ignored and --print-all-ignored are mutually exclusive.\n\n") + parser.print_help() + sys.exit(-1) fail2banRegex = Fail2banRegex(opts) From 77fda9498c511944687f0fbec01ad68ea29fe5ec Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Fri, 14 Mar 2014 09:03:27 +1100 Subject: [PATCH 44/48] ENH: pull asterisk filter change to support syslog from 0.9 branch --- ChangeLog | 1 + config/filter.d/asterisk.conf | 37 ++++++++++++++++++++++++----------- testcases/files/logs/asterisk | 4 ++++ 3 files changed, 31 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index eaab2247..df121e07 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,6 +20,7 @@ ver. 0.8.13 (2014/XX/XXX) - maintenance-only-from-now-on - filter sendmail-{auth,reject} (jserrachinha and cepheid666 and fab23). - Enhancements: + - filter asterisk now supports syslog format - filter pureftpd - added all translations of "Authentication failed for user" - filter dovecot - lip= was optional and extended TLS errors can occur. diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf index 7bb2c709..54b2db71 100644 --- a/config/filter.d/asterisk.conf +++ b/config/filter.d/asterisk.conf 
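Review bot: Both new guards in the `__main__` hunk finish with `sys.exit(-1)`, which the shell observes as status 255 rather than the conventional usage-error status; optparse already provides `parser.error(msg)`, which writes the usage line and the message to stderr and exits with 2, so each check collapses to `parser.error("--print-no-missed and --print-all-missed are mutually exclusive")` (and the ignored twin). If the full `parser.print_help()` dump is wanted, at least exit with a positive code such as `sys.exit(2)` so scripts can distinguish a usage error from other failures. The enclosing `if __name__ == "__main__":` block begins before this hunk.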
@@ -1,24 +1,39 @@ # Fail2Ban filter for asterisk authentication failures # +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + [Definition] +_daemon = asterisk + __pid_re = (?:\[\d+\]) # All Asterisk log messages begin like this: -log_prefix= \[\]\s*(?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d* +log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)? -failregex = ^%(log_prefix)s Registration from '[^']*' failed for '(:\d+)?' - (Wrong password|No matching peer found|Username/auth name mismatch|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$ - ^%(log_prefix)s Call from '[^']*' \(:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$ - ^%(log_prefix)s Host failed to authenticate as '[^']*'$ - ^%(log_prefix)s No registration for peer '[^']*' \(from \)$ - ^%(log_prefix)s Host failed MD5 authentication for '[^']*' \([^)]+\)$ - ^%(log_prefix)s Failed to authenticate (user|device) [^@]+@\S*$ - ^%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*>;tag=\w+\S*$ - ^%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P//\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$ - ^\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? Ext\. s: "Rejecting unknown SIP connection from "$ +failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '(:\d+)?' 
- (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$ + ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$ + ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host failed to authenticate as '[^']*'$ + ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from \)$ + ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host failed MD5 authentication for '[^']*' \([^)]+\)$ + ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@\S*$ + ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*>;tag=\w+\S*$ + ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P//\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$ + ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from "$ ignoreregex = -# Author: Xavier Devlamynck +# Author: Xavier Devlamynck / Daniel Black +# +# General log format - main/logger.c:ast_log +# Address format - ast_sockaddr_stringify +# +# First regex: channels/chan_sip.c +# +# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog diff --git a/testcases/files/logs/asterisk b/testcases/files/logs/asterisk index a2535156..21937571 100644 --- a/testcases/files/logs/asterisk +++ b/testcases/files/logs/asterisk 
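Review bot: The last failregex (the `Ext\. s: "Rejecting unknown SIP connection` rule) expects the `WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])?` token only in its bracket-timestamp branch, whereas every other rule places `%(log_prefix)s` after the alternation so both formats share the level token; if a syslog WARNING line carries `WARNING[pid]` after `asterisk[pid]:` the way the new NOTICE sample in the testcases hunk does, the `%(__prefix_line)s` branch of this rule cannot match. Moving that token outside the alternation, directly after the closing parenthesis, treats both prefixes alike; a syslog sample of the WARNING message in testcases/files/logs/asterisk would confirm the exact format. In the first rule the alternation also lists `Not a local domain` twice, presumably a leftover from merging the 0.9 list, and one occurrence suffices. The added test hunk covers only the NOTICE registration failure in syslog form.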
@@ -45,3 +45,7 @@ # failJSON: { "time": "2013-11-11T14:33:38", "match": true , "host": "192.168.55.152" } [2013-11-11 14:33:38] WARNING[6756][C-0000001d] Ext. s: "Rejecting unknown SIP connection from 192.168.55.152" + + +# failJSON: { "time": "2004-11-04T18:30:40", "match": true , "host": "192.168.200.100" } +Nov 4 18:30:40 localhost asterisk[32229]: NOTICE[32257]: chan_sip.c:23417 in handle_request_register: Registration from '' failed for '192.168.200.100:36998' - Wrong password From 123791c94c3a6ef6f3c871d4b749586ec08e964c Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Sat, 15 Mar 2014 18:52:18 +1100 Subject: [PATCH 45/48] DOC/ENH: update man pages for release --- man/fail2ban-client.1 | 4 ++-- man/fail2ban-regex.1 | 12 +++++++++--- man/fail2ban-server.1 | 4 ++-- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/man/fail2ban-client.1 b/man/fail2ban-client.1 index 7542d5be..ff929ad6 100644 --- a/man/fail2ban-client.1 +++ b/man/fail2ban-client.1 @@ -1,12 +1,12 @@ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2. -.TH FAIL2BAN-CLIENT "1" "January 2014" "fail2ban-client v0.8.12" "User Commands" +.TH FAIL2BAN-CLIENT "1" "March 2014" "fail2ban-client v0.8.13" "User Commands" .SH NAME fail2ban-client \- configure and control the server .SH SYNOPSIS .B fail2ban-client [\fIOPTIONS\fR] \fI\fR .SH DESCRIPTION -Fail2Ban v0.8.12 reads log file that contains password failure report +Fail2Ban v0.8.13 reads log file that contains password failure report and bans the corresponding IP addresses using firewall rules. .SH OPTIONS .TP diff --git a/man/fail2ban-regex.1 b/man/fail2ban-regex.1 index 1dec0860..96d6ecbf 100644 --- a/man/fail2ban-regex.1 +++ b/man/fail2ban-regex.1 
@@ -1,5 +1,5 @@ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2. -.TH FAIL2BAN-REGEX "1" "January 2014" "fail2ban-regex 0.8.12" "User Commands" +.TH FAIL2BAN-REGEX "1" "March 2014" "fail2ban-regex 0.8.13" "User Commands" .SH NAME fail2ban-regex \- test Fail2ban "failregex" option .SH SYNOPSIS @@ -48,11 +48,17 @@ Be verbose in output \fB\-D\fR, \fB\-\-debuggex\fR Produce debuggex.com urls for debugging there .TP +\fB\-\-print\-no\-missed\fR +Do not print any missed lines +.TP +\fB\-\-print\-no\-ignored\fR +Do not print any ignored lines +.TP \fB\-\-print\-all\-missed\fR -Either to print all missed lines +Print all missed lines, no matter how many .TP \fB\-\-print\-all\-ignored\fR -Either to print all ignored lines +Print all ignored lines, no matter how many .TP \fB\-t\fR, \fB\-\-log\-traceback\fR Enrich log\-messages with compressed tracebacks diff --git a/man/fail2ban-server.1 b/man/fail2ban-server.1 index d2c7cf6f..e92dab2b 100644 --- a/man/fail2ban-server.1 +++ b/man/fail2ban-server.1 @@ -1,12 +1,12 @@ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2. -.TH FAIL2BAN-SERVER "1" "January 2014" "fail2ban-server v0.8.12" "User Commands" +.TH FAIL2BAN-SERVER "1" "March 2014" "fail2ban-server v0.8.13" "User Commands" .SH NAME fail2ban-server \- start the server .SH SYNOPSIS .B fail2ban-server [\fIOPTIONS\fR] .SH DESCRIPTION -Fail2Ban v0.8.12 reads log file that contains password failure report +Fail2Ban v0.8.13 reads log file that contains password failure report and bans the corresponding IP addresses using firewall rules. .PP Only use this command for debugging purpose. Start the server with From 0601a07961367627ebc1916abe35175a9308564f Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Sat, 15 Mar 2014 19:06:18 +1100 Subject: [PATCH 46/48] PKG: include nagios filter/log --- MANIFEST | 2 ++ 1 file changed, 2 insertions(+) diff --git a/MANIFEST b/MANIFEST index af3f564c..7757f88b 100644 --- a/MANIFEST +++ b/MANIFEST 
@@ -67,6 +67,7 @@ testcases/files/logs/horde
 testcases/files/logs/suhosin
 testcases/files/logs/mysqld-auth
 testcases/files/logs/named-refused
+testcases/files/logs/nagios
 testcases/files/logs/nginx-http-auth
 testcases/files/logs/nsd
 testcases/files/logs/openwebmail
@@ -164,6 +165,7 @@ config/filter.d/freeswitch.conf
 config/filter.d/gssftpd.conf
 config/filter.d/horde.conf
 config/filter.d/suhosin.conf
+config/filter.d/nagios.conf
 config/filter.d/named-refused.conf
 config/filter.d/nsd.conf
 config/filter.d/openwebmail.conf

From cee341402990b8dc2f9e2544ba44185bce7922af Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Sat, 15 Mar 2014 19:06:37 +1100
Subject: [PATCH 47/48] PKG: version release

---
 ChangeLog | 4 ++--
 common/version.py | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index df121e07..44f9a624 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,10 +4,10 @@
 |_| \__,_|_|_/___|_.__/\__,_|_||_|
 
 ================================================================================
-Fail2Ban (version 0.8.12.dev) 2014/01/22
+Fail2Ban (version 0.8.13) 2014/03/15
 ================================================================================
 
-ver. 0.8.13 (2014/XX/XXX) - maintenance-only-from-now-on
+ver. 0.8.13 (2014/03/15) - maintenance-only-from-now-on
 -----------
 
 - Fixes:
diff --git a/common/version.py b/common/version.py
index f0ce8877..5dc2cc88 100644
--- a/common/version.py
+++ b/common/version.py
@@ -24,4 +24,4 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko"
 __license__ = "GPL"
 
-version = "0.8.12.dev"
+version = "0.8.13"

From eb66edd3389d1e0a1f14e5fcad6cd7d287c6ce73 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Sat, 15 Mar 2014 19:14:36 +1100
Subject: [PATCH 48/48] DOC: DEVELOP release note changes

---
 DEVELOP | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/DEVELOP b/DEVELOP
index 18d29ad4..39ee60df 100644
--- a/DEVELOP +++ b/DEVELOP @@ -316,23 +316,23 @@ Look for errors like: Which indicates that testcases/files/logs/mysqld.log has been moved or is a directory - tar -C /tmp -jxf dist/fail2ban-0.8.12.tar.bz2 + tar -C /tmp -jxf dist/fail2ban-0.8.14.tar.bz2 # clean up current direcory - diff -rul --exclude \*.pyc . /tmp/fail2ban-0.8.12/ + diff -rul --exclude \*.pyc . /tmp/fail2ban-0.8.14/ # Only differences should be files that you don't want distributed. # Ensure the tests work from the tarball - cd /tmp/fail2ban-0.8.12/ && ./fail2ban-testcases-all + cd /tmp/fail2ban-0.8.14/ && ./fail2ban-testcases-all # Add/finalize the corresponding entry in the ChangeLog To generate a list of committers use e.g. - git shortlog -sn 0.8.11.. | sed -e 's,^[ 0-9\t]*,,g' | tr '\n' '\|' | sed -e 's:|:, :g' + git shortlog -sn 0.8.13.. | sed -e 's,^[ 0-9\t]*,,g' | tr '\n' '\|' | sed -e 's:|:, :g' Ensure the top of the ChangeLog has the right version and current date.
