github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'master' into 0.9 

* master: (51 commits)
  ENH: Use real (resolving) example.com instead of test.example.com
  DOC: Slight tune ups to ChangeLog -- we must release!
  Changelog entries for the latest merges
  BF: add bash-completion to MANIFEST
  DOC: ChangeLog for default action type change
  ENH: consolidate where blocktype is defined for iptables rules
  BF: default type to unreachable
  ENH: separate out regex and escape a .
  ENH: logs/sshd -- have ":" after [daemon] (other uses are uncommon)
  ENH: logs/sshd -- use example.com as the resolved hostname in sample log lines
  ENH: filter.d/sshd.conf -- allow for trailing "via IP" in logs
  DOC: Drop sudo from bash-completion
  DOC: Added bash-completion script
  ENH: add blocktype to all relevant actions. Also default the rejection to a ICMP reject rather than a drop
  ENH: Removed unused log line
  ENH: logrotate file
  BF: missed MANIFEST include
  BF: missed MANIFEST include
  BF: missed MANIFEST include
  ENH: some form of logrotate based on what distros are doing
  ...

Conflicts:
	ChangeLog
	MANIFEST
	client/actionreader.py
	config/jail.conf
	fail2ban/server/datedetector.py
	fail2ban/tests/datedetectortestcase.py
pull/218/head
Yaroslav Halchenko 2013-05-08 13:43:45 -04:00
parent 93ad298aa8 2b1e19933f
commit f1b6806eb4
106 changed files with 760 additions and 162 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
ChangeLog
View File

@ -41,23 +41,27 @@ code-review and minor additions from Yaroslav Halchenko.
* [..e019ab7] Multiple instances of the same action are allowed in the
same jail -- use actname option to disambiguate.
ver. 0.8.9 (2013/04/XXX) - wanna-be-stable
ver. 0.8.9 (2013/05/XX) - wanna-be-stable
----------
Although primarily a bugfix release, it incorporates many new
enhancements, few new features, but more importantly -- quite extended
tests battery with current 94% coverage. This release incorporates
more than a 100 of non-merge commits from 14 contributors (sorted by
number of commits): Yaroslav Halchenko, Daniel Black, Steven Hiscocks,
ArndRa, hamilton5, pigsyn, Erwan Ben Souiden, Michael Gebetsroither,
Orion Poplawski, Artur Penttinen, sebres, Nicolas Collignon, Pascal
Borreli, blotus:
Originally targeted as a bugfix release, it incorporated many new
enhancements, few new features, and more importantly -- quite extended
tests battery with current 94% coverage.
- Fixes:
Yaroslav Halchenko
* [6f4dad46] Documentation python-2.4 is the minimium version.
* [1eb23cf8] do not rely on scripts being under /usr -- might differ eg on
Fedora. Closes gh-112. Thanks to Camusensei for the bug report.
This release introduces over 200 of non-merge commits from 16
contributors (sorted by number of commits): Yaroslav Halchenko, Daniel
Black, Steven Hiscocks, James Stout, Orion Poplawski, Enrico Labedzki,
ArndRa, hamilton5, pigsyn, Erwan Ben Souiden, Michael Gebetsroither,
Artur Penttinen, blotus, sebres, Nicolas Collignon, Pascal Borreli.
Special Kudos also go to Fabian Wenk, Arturo 'Buanzo' Busleiman, Tom
Hendrikx, Yehuda Katz and other TBN heroes supporting users on
fail2ban-users mailing list and IRC.
- Fixes: Yaroslav Halchenko
* [6f4dad46] python-2.4 is the minimal version.
* [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g.
on Fedora. Closes gh-112. Thanks to Camusensei for the bug report.
* [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for
insight. Closes gh-103.
* [ab044b75] delay check for the existence of config directory until read.
@ -84,6 +88,8 @@ Borreli, blotus:
gh-70. Thanks to iGeorgeX for the idea.
blotus
* [96eb8986] ' and " should also be escaped in action tags Closes gh-109
Christoph Theis, Nick Hilliard, Daniel Black
* [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD
- New features:
Yaroslav Halchenko
* [9ba27353] Add support for jail.d/{confilefile} and fail2ban.d/{configfile}
@ -103,9 +109,18 @@ Borreli, blotus:
* [5f2d383] Add roundcube auth filter. Closes Debian bug #699442.
Daniel Black
* [be06b1b] Add action for iptables-ipsets. Closes gh-102.
Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk
* [b6d0e8a] Add and enhance the bsd-ipfw action from
FreeBSD ports.
Soulard Morgan
* [f336d9f] Add filter for webmin. Closes gh-99.
Steven Hiscocks
* [..746c7d9] bash interactive shell completions for fail2ban-*'s
Nick Hilliard
* [0c5a9c5] Add pf action.
- Enhancements:
Enrico Labedzki
* [24a8d07] Added new date format for ASSP SMTP Proxy.
Steven Hiscocks
* [3d6791f] Ensure restart of Actions after a check fails occurs
consistently. Closes gh-172.
@ -128,19 +143,23 @@ Borreli, blotus:
* [7cd6dab] Added help command to fail2ban-client.
* [c8c7b0b,23bbc60] Better logging of log file read errors.
* [3665e6d] Added code coverage to development process.
* [41b9f7b,32d10e9] More complete ssh filter rules to match openssh source.
* [41b9f7b,32d10e9,39750b8] More complete ssh filter rules to match openssh
source. Also include BSD changes.
* [1d9abd1] Action files can have tags in definition that refer to other
tags.
* [10886e7,cec5da2,adb991a] Change actions to response with ICMP port
unreachable rather than just a drop of the packet.
Pascal Borreli
* [a2b29b4] Fixed lots of typos in config files and documentation.
hamilton5
* [7ede1e8] Update dovecot filter config.
Romain Riviere
* [0ac8746] Enhance named-refused filter for views.
Special Kudos also go to Fabian Wenk, Arturo 'Buanzo' Busleiman, Tom
Hendrikx and other TBN heroes supporting users on fail2ban-users
mailing list and IRC.
James Stout
* [..2143cdf] Solaris support enhancements:
- README.Solaris
- failregex'es tune ups (sshd.conf)
- hostsdeny: do not rely on support of '-i' in sed
ver. 0.8.8 (2012/12/06) - stable
----------

3
DEVELOP
View File

@ -269,6 +269,7 @@ Releasing
* http://svnweb.freebsd.org/ports/head/security/py-fail2ban/
* https://build.opensuse.org/package/show?package=fail2ban&project=openSUSE%3AFactory
* http://sophie.zarb.org/sources/fail2ban (Mageia)
* https://trac.macports.org/browser/trunk/dports/security/fail2ban
# Check distribution outstanding bugs
@ -291,6 +292,8 @@ Releasing
http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/fail2ban/metadata.xml?view=markup
* openSUSE: Stephan Kulow <coolo@suse.com>
https://build.opensuse.org/package/users?package=fail2ban&project=openSUSE%3AFactory
* Mac Ports: @Malbrouck on github (gh-49)
https://trac.macports.org/browser/trunk/dports/security/fail2ban/Portfile
# Wait for feedback from distributors

8
MANIFEST
View File

@ -58,6 +58,9 @@ fail2ban/tests/files/testcase02.log
fail2ban/tests/files/testcase03.log
fail2ban/tests/files/testcase04.log
fail2ban/tests/files/testcase-usedns.log
fail2ban/tests/files/logs/bsd/syslog-plain.txt
fail2ban/tests/files/logs/bsd/syslog-v.txt
fail2ban/tests/files/logs/bsd/syslog-vv.txt
setup.py
setup.cfg
fail2ban/__init__.py
@ -99,7 +102,9 @@ config/filter.d/dropbear.conf
config/filter.d/lighttpd-auth.conf
config/filter.d/recidive.conf
config/filter.d/roundcube-auth.conf
config/action.d/bsd-ipfw.conf
config/action.d/dummy.conf
config/action.d/iptables-blocktype.conf
config/action.d/iptables-ipset-proto4.conf
config/action.d/iptables-ipset-proto6.conf
config/action.d/iptables-xt_recent-echo.conf
@ -119,6 +124,7 @@ config/action.d/mail-buffered.conf
config/action.d/mail-whois.conf
config/action.d/mail-whois-lines.conf
config/action.d/mynetwatchman.conf
config/action.d/pf.conf
config/action.d/sendmail.conf
config/action.d/sendmail-buffered.conf
config/action.d/sendmail-whois.conf
@ -141,8 +147,10 @@ files/macosx-initd
files/solaris-fail2ban.xml
files/solaris-svc-fail2ban
files/suse-initd
files/fail2ban-logrotate
files/cacti/fail2ban_stats.sh
files/cacti/cacti_host_template_fail2ban.xml
files/cacti/README
files/nagios/check_fail2ban
files/nagios/f2ban.txt
files/bash-completion

141
README.Solaris Normal file
View File

@ -0,0 +1,141 @@
# vim:tw=80:ft=txt
README FOR SOLARIS INSTALLATIONS
By Roy Sigurd Karlsbakk <roy@karlsbakk.net>
ABOUT
This readme is meant for those wanting to install fail2ban on Solaris 10,
OpenSolaris, OpenIndiana etc. To some degree it may as well be useful for
users of older Solaris versions and Nexenta, but don't rely on it.
READ ME FIRST
If I use the term Solaris, I am talking about any Solaris dialect, that is, the
official Sun/Oracle ones or derivates. If I describe an OS as
"OpenSolaris-based", it means it's either OpenSolaris, OpenIndiana or one of the
other, but /not/ the Nexenta family, since this only uses the OpenSolaris/
IllumOS kernel and not the userland. If I say Solaris 10, I mean Solaris 10 and
perhaps, if you're lucky and have some good gods on your side, it may also apply
to Solaris 9 or even 8 and hopefully in the new Solaris 11 whenever that may be
released. Quoted lines of code, settings et cetera are indented with two spaces.
This does _not_ mean you should use that indentation, especially in config files
where they can be harmful. Optional settings are prefixed with OPT: while
required settings are prefixed with REQ:. If no prefix is found, regard it as a
required setting.
INSTALLATION ON SOLARIS
The installation is straight forward on Solaris as well as on linux/bsd/etc.
./setup.py install installs the general packages in /usr/bin on OpenSolaris-
based distros or (at least on this box) under /usr/sfw/bin on Solaris 10. In
the files/ directory you will find the file solaris-fail2ban.xml containing the
Solaris service. To install this, run the following command as root (or with
sudo):
svccfg import files/solaris-fail2ban.xml
This should normally without giving an error. If you get an error, deal with it,
and please post any relevant info (or fixes?) to the fail2ban mailing list.
Next install the service handler - copy the script in and allow it to be executed:
cp files/solaris-svc-fail2ban /lib/svc/method/svc-fail2ban
chmod +x /lib/svc/method/svc-fail2ban
CONFIGURE SYSLOG
For some reason, a default Solaris installation does not log ssh login attempts,
and since fail2ban works by monitoring logs, enabling this logging is rather
important for it to work. To enable this, edit /etc/syslog.conf and add a line
at the end:
auth.info /var/adm/auth.log
Save the file and exit, and run
touch /var/adm/auth.log
The Solaris system logger will _not_ create a non-existing file. Now, restart
the system logger.
svcadm restart system-log
Try to ssh into localhost with ssh asdf@localhost and enter an invalid password.
Make sure this is logged in the above file. When done, you may configure
fail2ban.
FAIL2BAN CONFIGURATION
OPT: Create /etc/fail2ban/fail2ban.local containing:
# Fail2Ban main configuration file
#
# Comments: use '#' for comment lines and ';' for inline comments
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in fail2ban.local file, e.g.:
#
# [Definition]
# loglevel = 4
#
[Definition]
# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
# Only one log target can be specified.
# If you change logtarget from the default value and you are
# using logrotate -- also adjust or disable rotation in the
# corresponding configuration file
# (e.g. /etc/logrotate.d/fail2ban on Debian systems)
# Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log
#
logtarget = /var/adm/fail2ban.log
REQ: Create /etc/fail2ban/jail.local containing:
[ssh-tcpwrapper]
enabled = true
filter = sshd
action = hostsdeny
sendmail-whois[name=SSH, dest=you@example.com]
ignoreregex = for myuser from
logpath = /var/adm/auth.log
Set the sendmail dest address to something useful or drop the line to stop it spamming you.
Set 'myuser' to your username to avoid banning yourself or drop it.
START (OR RESTART) FAIL2BAN
Enable the fail2ban service with
svcadm enable fail2ban
When done, check that all services are running well
svcs -xv
GOTCHAS AND FIXMES
* It seems the installation may be starting fail2ban automatically. If this is
done, fail2ban will not start, but no errors will be returned from svcs
(above). Check if it's running with 'ps -ef | grep fail2ban' and manually kill
the PID if it is. Re-enable fail2ban and try again
svcadm disable fail2ban
svcadm enable fail2ban
* If svcs -xv says that fail2ban failed to start or svcs says it's in maintenance mode
chcek /var/svc/log/network-fail2ban:default.log for clues.
Check permissions on /var/adm, /var/adm/auth.log /var/adm/fail2ban.log and /var/run/fail2ban
You may need to:
sudo mkdir /var/run/fail2ban
* Fail2ban adds lines like these to /etc/hosts.deny:
ALL: 1.2.3.4
wouldn't it be better to just block sshd?

1
THANKS
View File

@ -16,6 +16,7 @@ Daniel B. Cid
Daniel Black
David Nutter
Eric Gerbier
Enrico Labedzki
Guillaume Delvit
Hanno 'Rince' Wagner
Iain Lea

2
TODO
View File

@ -13,6 +13,8 @@ Legend:
# partially done
* done
- more detailed explaination in DEVELOP for new developers (eg. howto build this HEX numbers in ChangeLog)
- Run tests though all filters/examples files - (see sshd example file) as unit
test

82
config/action.d/bsd-ipfw.conf Normal file
View File

@ -0,0 +1,82 @@
# Fail2Ban configuration file
#
# Author: Nick Munger
# Modified by: Ken Menzel
# Daniel Black (start/stop)
# Fabian Wenk (many ideas as per fail2ban users list)
#
# Ensure firewall_enable="YES" in the top of /etc/rc.conf
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = ipfw show | fgrep -q 'table(<table>)' || ( ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e <br> else exit b }'; num=$?; ipfw -q add $num deny <block> from table\(<table>\) to me <port>; echo $num > "<startstatefile>" )
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = [ -f <startstatefile> ] && ( read num < "<startstatefile>" <br> ipfw -q delete $num <br> rm "<startstatefile>" )
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
# requires an ipfw rule like "deny ip from table(1) to me"
actionban = ipfw table <table> add <ip>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = ipfw table <table> delete <ip>
[Init]
# Option: table
# Notes: The ipfw table to use. If a ipfw rule using this table already exists,
# this action will not create a ipfw rule to block it and the following
# options will have no effect.
# Values: NUM
table = 1
# Option: port
# Notes.: Specifies port to monitor. Blank indicate block all ports.
# Values: [ NUM | STRING ]
#
port =
# Option: startstatefile
# Notes: A file to indicate that the table rule that was added. Ensure it is unique per table.
# Values: STRING
startstatefile = /var/run/fail2ban/ipfw-started-table_<table>
# Option: action
# Notes: This is the action to take for automaticly created rules. See the
# ACTION defination at the top of man ipfw for allowed values.
# "deny" and "unreach port" are probably the useful.
# Values: STRING
action = deny
# Option: block
# Notes: This is how much to block.
# Can be "ip", "tcp", "udp" or various other options.
# Values: STRING
block = ip

1
config/action.d/dshield.conf
View File

@ -25,7 +25,6 @@
# configured at DShield), and <lines>/<minreportinterval>/<maxbufferage> (to
# configure how often the buffer is flushed).
#
# $Revision$
[Definition]

1
config/action.d/dummy.conf
View File

@ -2,7 +2,6 @@
#
# Author: Cyril Jaquier
#
# $Revision$
#
[Definition]

3
config/action.d/hostsdeny.conf
View File

@ -2,7 +2,6 @@
#
# Author: Cyril Jaquier
#
# $Revision$
#
[Definition]
@ -40,7 +39,7 @@ actionban = IP=<ip> &&
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = IP=<ip> && sed -i.old /ALL:\ $IP/d <file>
actionunban = IP=<ip> && sed /ALL:\ $IP/d <file> > <file>.new && mv <file>.new <file>
[Init]

9
config/action.d/ipfilter.conf
View File

@ -37,7 +37,7 @@ actioncheck =
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = echo block in quick from <ip>/32 | /sbin/ipf -f -
actionban = echo block <blocktype> in quick from <ip>/32 | /sbin/ipf -f -
# Option: actionunban
@ -47,7 +47,12 @@ actionban = echo block in quick from <ip>/32 | /sbin/ipf -f -
# Values: CMD
#
# note -r option used to remove matching rule
actionunban = echo block in quick from <ip>/32 | /sbin/ipf -r -f -
actionunban = echo block <blocktype> in quick from <ip>/32 | /sbin/ipf -r -f -
[Init]
# Option: Blocktype
# Notes : This is the return-icmp[return-code] mentioned in the ipf man page section 5. Keep this quoted to prevent
# Shell expansion. This should be blank (unquoted) to drop the packet.
# Values: STRING
blocktype = "return-icmp(port-unr)"

11
config/action.d/ipfw.conf
View File

@ -3,7 +3,6 @@
# Author: Nick Munger
# Modified by: Cyril Jaquier
#
# $Revision$
#
[Definition]
@ -35,7 +34,7 @@ actioncheck =
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = ipfw add deny tcp from <ip> to <localhost> <port>
actionban = ipfw add <blocktype> tcp from <ip> to <localhost> <port>
# Option: actionunban
@ -59,3 +58,11 @@ port = ssh
# Values: IP
#
localhost = 127.0.0.1
# Option: blocktype
# Notes.: How to block the traffic. Use a action from man 5 ipfw
# Common values: deny, unreach port, reset
# Values: STRING
#
blocktype = unreach port

10
config/action.d/iptables-allports.conf
View File

@ -4,9 +4,13 @@
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
# made active on all ports from original iptables.conf
#
# $Revision$
#
[INCLUDES]
before = iptables-blocktype.conf
[Definition]
# Option: actionstart
@ -37,7 +41,7 @@ actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -45,7 +49,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
[Init]

22
config/action.d/iptables-blocktype.conf Normal file
View File

@ -0,0 +1,22 @@
# Fail2Ban configuration file
#
# Author: Daniel Black
#
# This is a included configuration file and includes the defination for the blocktype
# used in all iptables based actions by default.
#
# The user can override the default in iptables-blocktype.local
[INCLUDES]
after = iptables-blocktype.local
[Init]
# Option: blocktype
# Note: This is what the action does with rules. This can be any jump target
# as per the iptables man page (section 8). Common values are DROP
# REJECT, REJECT --reject-with icmp-port-unreachable
# Values: STRING
blocktype = REJECT --reject-with icmp-port-unreachable

9
config/action.d/iptables-ipset-proto4.conf
View File

@ -18,6 +18,10 @@
# apt-get install ipset xtables-addons-source
# module-assistant auto-install xtables-addons
[INCLUDES]
before = iptables-blocktype.conf
[Definition]
# Option: actionstart
@ -25,13 +29,13 @@
# Values: CMD
#
actionstart = ipset --create fail2ban-<name> iphash
iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j DROP
iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j DROP
actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
ipset --flush fail2ban-<name>
ipset --destroy fail2ban-<name>
@ -68,4 +72,3 @@ port = ssh
# Values: [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

7
config/action.d/iptables-ipset-proto6.conf
View File

@ -18,6 +18,11 @@
# apt-get install ipset xtables-addons-source
# module-assistant auto-install xtables-addons
[INCLUDES]
before = iptables-blocktype.conf
[Definition]
# Option: actionstart
@ -74,5 +79,3 @@ protocol = tcp
# Values: [ NUM ] Default: 600
bantime = 600

7
config/action.d/iptables-multiport-log.conf
View File

@ -7,9 +7,12 @@
# make "fail2ban-<name>-log" chain to log and drop
# insert a jump to fail2ban-<name> from -I <chain> if proto/port match
#
# $Revision$
#
[INCLUDES]
before = iptables-blocktype.conf
[Definition]
# Option: actionstart
@ -21,7 +24,7 @@ actionstart = iptables -N fail2ban-<name>
iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -N fail2ban-<name>-log
iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
iptables -A fail2ban-<name>-log -j DROP
iptables -A fail2ban-<name>-log -j <blocktype>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban

9
config/action.d/iptables-multiport.conf
View File

@ -2,9 +2,12 @@
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
# $Revision$
#
[INCLUDES]
before = iptables-blocktype.conf
[Definition]
# Option: actionstart
@ -35,7 +38,7 @@ actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -43,7 +46,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
[Init]

10
config/action.d/iptables-new.conf
View File

@ -4,9 +4,13 @@
# Copied from iptables.conf and modified by Yaroslav Halchenko
# to fullfill the needs of bugreporter dbts#350746.
#
# $Revision$
#
[INCLUDES]
before = iptables-blocktype.conf
[Definition]
# Option: actionstart
@ -37,7 +41,7 @@ actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -45,7 +49,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
[Init]

8
config/action.d/iptables-xt_recent-echo.conf
View File

@ -2,9 +2,13 @@
#
# Author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
#
# $Revision: 1 $
#
[INCLUDES]
before = iptables-blocktype.conf
[Definition]
# Option: actionstart
@ -29,7 +33,7 @@
# own rules. The 3600 second timeout is independent and acts as a
# safeguard in case the fail2ban process dies unexpectedly. The
# shorter of the two timeouts actually matters.
actionstart = iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j DROP
actionstart = iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j <blocktype>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban

9
config/action.d/iptables.conf
View File

@ -2,9 +2,12 @@
#
# Author: Cyril Jaquier
#
# $Revision$
#
[INCLUDES]
before = iptables-blocktype.conf
[Definition]
# Option: actionstart
@ -35,7 +38,7 @@ actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -43,7 +46,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
[Init]

1
config/action.d/mail-buffered.conf
View File

@ -2,7 +2,6 @@
#
# Author: Cyril Jaquier
#
# $Revision$
#
[Definition]

1
config/action.d/mail-whois-lines.conf
View File

@ -2,7 +2,6 @@
#
# Author: Cyril Jaquier
# Modified-By: Yaroslav Halchenko to include grepping on IP over log files
# $Revision$
#
[Definition]

1
config/action.d/mail-whois.conf
View File

@ -2,7 +2,6 @@
#
# Author: Cyril Jaquier
#
# $Revision$
#
[Definition]

1
config/action.d/mail.conf
View File

@ -2,7 +2,6 @@
#
# Author: Cyril Jaquier
#
# $Revision$
#
[Definition]

1
config/action.d/mynetwatchman.conf
View File

@ -24,7 +24,6 @@
# Another useful configuration value is <getcmd>, if you don't have wget
# installed (an example config for curl is given below)
#
# $Revision$
[Definition]

62
config/action.d/pf.conf Normal file
View File

@ -0,0 +1,62 @@
# Fail2Ban configuration file
#
# OpenBSD pf ban/unban
#
# Author: Nick Hilliard <nick@foobar.org>
#
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
# we don't enable PF automatically, as it will be enabled elsewhere
actionstart =
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
# we don't disable PF automatically either
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = /sbin/pfctl -t <tablename> -T add <ip>/32
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
# note -r option used to remove matching rule
actionunban = /sbin/pfctl -t <tablename> -T delete <ip>/32
[Init]
# Option: tablename
# Notes.: The pf table name.
# Values: [ STRING ] Default: fail2ban
#
tablename = fail2ban

13
config/action.d/route.conf
View File

@ -15,11 +15,10 @@
# - Blocking is per IP and NOT per service, but ideal as action against ssh password bruteforcing hosts
[Definition]
actionban = ip route add <type> <ip>
actionunban = ip route del <type> <ip>
actionban = ip route add <blocktype> <ip>
actionunban = ip route del <blocktype> <ip>
# Type of blocking
#
# Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages.
type = blackhole
# Option: blocktype
# Note: Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages.
# Values: STRING
blocktype = unreachable

1
config/action.d/sendmail-buffered.conf
View File

@ -2,7 +2,6 @@
#
# Author: Cyril Jaquier
#
# $Revision$
#
[Definition]

1
config/action.d/sendmail-whois-lines.conf
View File

@ -2,7 +2,6 @@
#
# Author: Cyril Jaquier
#
# $Revision$
#
[Definition]

1
config/action.d/sendmail-whois.conf
View File

@ -2,7 +2,6 @@
#
# Author: Cyril Jaquier
#
# $Revision$
#
[Definition]

1
config/action.d/sendmail.conf
View File

@ -2,7 +2,6 @@
#
# Author: Cyril Jaquier
#
# $Revision$
#
[Definition]

9
config/action.d/shorewall.conf
View File

@ -2,7 +2,6 @@
#
# Author: Cyril Jaquier
#
# $Revision$
#
# The default Shorewall configuration is with "BLACKLISTNEWONLY=Yes" (see
# file /etc/shorewall/shorewall.conf). This means that when Fail2ban adds a
@ -39,7 +38,7 @@ actioncheck =
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = shorewall drop <ip>
actionban = shorewall <blocktype> <ip>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -48,3 +47,9 @@ actionban = shorewall drop <ip>
# Values: CMD
#
actionunban = shorewall allow <ip>
# Option: blocktype
# Note: This is what the action does with rules.
# See man page of shorewall for options that include drop, logdrop, reject, or logreject
# Values: STRING
blocktype = reject

1
config/filter.d/apache-auth.conf
View File

@ -2,7 +2,6 @@
#
# Author: Cyril Jaquier
#
# $Revision$
#
[Definition]

1
config/filter.d/apache-badbots.conf
View File

@ -5,7 +5,6 @@
#
# Author: Yaroslav Halchenko
#
# $Revision$
#
[Definition]

1
config/filter.d/apache-nohome.conf
View File

@ -2,7 +2,6 @@
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision$
#
[Definition]

1
config/filter.d/apache-noscript.conf
View File

@ -2,7 +2,6 @@
#
# Author: Cyril Jaquier
#
# $Revision$
#
[Definition]

1
config/filter.d/apache-overflows.conf
View File

@ -2,7 +2,6 @@
#
# Author: Tim Connors
#
# $Revision$
#
[Definition]

33
config/filter.d/assp.conf Normal file
View File

@ -0,0 +1,33 @@
# Fail2Ban configuration file
# for Anti-Spam SMTP Proxy Server also known as ASSP
# Honmepage: http://www.magicvillage.de/~Fritz_Borgstedt/assp/0003D91C-8000001C/
# ProjektSite: http://sourceforge.net/projects/assp/?source=directory
#
# Author: Enrico Labedzki (enrico.labedzki@deiwos.de)
#
[Definition]
# Option: failregex
# Notes.: regex to match the SMTP failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# Examples: Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
# Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
# Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded
__assp_actions = (dropping|refusing)
failregex = <HOST> max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: [a-zA-Z0-9]+;$
<HOST> SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$
Blocking <HOST> - too much AUTH errors \(\d{,3}\);$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

1
config/filter.d/asterisk.conf
View File

@ -2,7 +2,6 @@
#
# Author: Xavier Devlamynck
#
# $Revision$
#

17
config/filter.d/common.conf
View File

@ -3,7 +3,6 @@
#
# Author: Yaroslav Halchenko
#
# $Revision$
#
[INCLUDES]
@ -28,6 +27,10 @@ __pid_re = (?:\[\d+\])
# EXAMPLES: pam_rhosts_auth, [sshd], pop(pam_unix)
__daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?
# extra daemon info
# EXAMPLE: [ID 800047 auth.info]
__daemon_extra_re = (?:\[ID \d+ \S+\])
# Combinations of daemon name and PID
# EXAMPLES: sshd[31607], pop(pam_unix)[4920]
__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
@ -38,10 +41,16 @@ __kernel_prefix = kernel: \[\d+\.\d+\]
__hostname = \S+
# bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or
# <auth.info> appearing before the host as per testcases/files/logs/bsd/*.
__bsd_syslog_verbose = (<[^.]+\.[^.]+>)
#
# Common line prefixes (beginnings) which could be used in filters
#
# [hostname] [vserver tag] daemon_id spaces
# this can be optional (for instance if we match named native log files)
__prefix_line = \s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*
# [bsdverbose]? [hostname] [vserver tag] daemon_id spaces
#
# This can be optional (for instance if we match named native log files)
__prefix_line = \s*%(__bsd_syslog_verbose)s?\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s%(__daemon_extra_re)s?\s*

1
config/filter.d/courier-auth.conf
View File

@ -3,7 +3,6 @@
# Author: Christoph Haas
# Modified by: Cyril Jaquier
#
# $Revision$
#
[Definition]

1
config/filter.d/courier-smtp.conf
View File

@ -2,7 +2,6 @@
#
# Author: Cyril Jaquier
#
# $Revision$
#
[Definition]

1
config/filter.d/cyrus-imap.conf
View File

@ -2,7 +2,6 @@
#
# Author: Jan Wagner <waja@cyconet.org>
#
# $Revision$
#
[Definition]

1
config/filter.d/dovecot.conf
View File

@ -2,7 +2,6 @@
#
# Author: Martin Waschbuesch
#
# $Revision$
#
[Definition]

1
config/filter.d/dropbear.conf
View File

@ -3,7 +3,6 @@
# Author: Francis Russell
# Zak B. Elep
#
# $Revision$
#
# More information: http://bugs.debian.org/546913

1
config/filter.d/exim.conf
View File

@ -2,7 +2,6 @@
#
# Author: Cyril Jaquier
#
# $Revision$
#
[Definition]

1
config/filter.d/gssftpd.conf
View File

@ -2,7 +2,6 @@
#
# Author: Kevin Zembower (copied from wsftpd.conf)
#
# $Revision$
#
[Definition]

1
config/filter.d/named-refused.conf
View File

@ -4,7 +4,6 @@
#
# Author: Yaroslav Halchenko
#
# $Revision$
#
[Definition]

1
config/filter.d/pam-generic.conf
View File

@ -2,7 +2,6 @@
#
# Author: Yaroslav Halchenko
#
# $Revision$
#
[Definition]

1
config/filter.d/postfix.conf
View File

@ -2,7 +2,6 @@
#
# Author: Cyril Jaquier
#
# $Revision$
#
[Definition]

1
config/filter.d/proftpd.conf
View File

@ -2,7 +2,6 @@
#
# Author: Yaroslav Halchenko
#
# $Revision$
#
[Definition]

1
config/filter.d/pure-ftpd.conf
View File

@ -3,7 +3,6 @@
# Author: Cyril Jaquier
# Modified: Yaroslav Halchenko for pure-ftpd
#
# $Revision$
#
[Definition]

1
config/filter.d/qmail.conf
View File

@ -2,7 +2,6 @@
#
# Author: Cyril Jaquier
#
# $Revision$
#
[Definition]

1
config/filter.d/sasl.conf
View File

@ -2,7 +2,6 @@
#
# Author: Yaroslav Halchenko
#
# $Revision$
#
[Definition]

1
config/filter.d/sieve.conf
View File

@ -2,7 +2,6 @@
#
# Author: Jan Wagner <waja@cyconet.org>
#
# $Revision$
#
[Definition]

3
config/filter.d/sshd.conf
View File

@ -2,7 +2,6 @@
#
# Author: Cyril Jaquier
#
# $Revision$
#
[INCLUDES]
@ -23,7 +22,7 @@ _daemon = sshd
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
^%(__prefix_line)sFailed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$

1
config/filter.d/vsftpd.conf
View File

@ -2,7 +2,6 @@
#
# Author: Cyril Jaquier
#
# $Revision$
#
[Definition]

1
config/filter.d/webmin-auth.conf
View File

@ -3,7 +3,6 @@
# Author: Cyril Jaquier
# Rule by : Delvit Guillaume
#
# $Revision$
#
[Definition]

1
config/filter.d/wuftpd.conf
View File

@ -2,7 +2,6 @@
#
# Author: Yaroslav Halchenko
#
# $Revision$
#
[Definition]

1
config/filter.d/xinetd-fail.conf
View File

@ -2,7 +2,6 @@
#
# Author: Guido Bozzetto
#
# $Revision$
#
[Definition]

29
config/jail.conf
View File

@ -182,6 +182,13 @@ maxretry = 2
# .. custom jails
# ASSP SMTP Proxy Jail
[assp]
enabled = false
filter = assp
action = iptables-multiport[name=assp,port="25,465,587"]
logpath = /root/path/to/assp/logs/maillog.txt
# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".
@ -223,7 +230,6 @@ logpath = /var/log/sshd.log
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.
[sshd-ipfw]
filter = sshd
@ -232,6 +238,16 @@ action = ipfw[localhost=192.168.0.1]
logpath = /var/log/auth.log
ignoreip = 168.192.0.1
# bsd-ipfw is ipfw used by BSD. It uses ipfw tables.
# table number must be unique.
#
# This will create a deny rule for that table ONLY if a rule
# for the table doesn't ready exist.
#
[ssh-bsd-ipfw]
filter = sshd
action = bsd-ipfw[port=ssh,table=1]
logpath = /var/log/auth.log
#
# HTTP servers
@ -493,3 +509,14 @@ action = iptables-allports[name=recidive]
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 5
# PF is a BSD based firewall
[ssh-pf]
enabled=false
filter = sshd
action = pf
logpath = /var/log/sshd.log
maxretry=5

1
fail2ban/__init__.py
View File

@ -19,7 +19,6 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"

1
fail2ban/client/__init__.py
View File

@ -19,7 +19,6 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"

1
fail2ban/client/actionreader.py
View File

@ -19,7 +19,6 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"

1
fail2ban/client/configparserinc.py
View File

@ -19,7 +19,6 @@
# Author: Yaroslav Halchenko
# Modified: Cyril Jaquier
# $Revision$
__author__ = 'Yaroslav Halhenko'
__revision__ = '$Revision$'

1
fail2ban/client/configreader.py
View File

@ -19,7 +19,6 @@
# Author: Cyril Jaquier
# Modified by: Yaroslav Halchenko (SafeConfigParserWithIncludes)
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"

1
fail2ban/client/configurator.py
View File

@ -19,7 +19,6 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"

1
fail2ban/client/csocket.py
View File

@ -19,7 +19,6 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"

1
fail2ban/client/fail2banreader.py
View File

@ -19,7 +19,6 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"

1
fail2ban/client/filterreader.py
View File

@ -19,7 +19,6 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"

1
fail2ban/client/jailreader.py
View File

@ -19,7 +19,6 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"

1
fail2ban/client/jailsreader.py
View File

@ -19,7 +19,6 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"

1
fail2ban/helpers.py
View File

@ -20,7 +20,6 @@
# Author: Cyril Jaquier
# Author: Arturo 'Buanzo' Busleiman
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"

1
fail2ban/protocol.py
View File

@ -19,7 +19,6 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"

3
fail2ban/server/__init__.py
View File

@ -19,10 +19,7 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"
__date__ = "$Date$"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"

3
fail2ban/server/actions.py
View File

@ -19,11 +19,8 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"
__date__ = "$Date$"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"

3
fail2ban/server/asyncserver.py
View File

@ -19,11 +19,8 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"
__date__ = "$Date$"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"

3
fail2ban/server/banmanager.py
View File

@ -19,11 +19,8 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"
__date__ = "$Date$"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"

6
fail2ban/server/datedetector.py
View File

@ -161,6 +161,12 @@ class DateDetector:
template.setRegex("\S{3}\s{1,2}\d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M")
template.setPattern("%b %d, %Y %I:%M:%S %p")
self._appendTemplate(template)
# ASSP: Apr-27-13 02:33:06
template = DateStrptime()
template.setName("Month-Day-Year Hour:Minute:Second")
template.setRegex("^[a-zA-Z]{3}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
template.setPattern("%b-%d-%y %H:%M:%S")
self._appendTemplate(template)
finally:
self.__lock.release()

4
fail2ban/server/datetemplate.py
View File

@ -19,11 +19,8 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"
__date__ = "$Date$"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"
@ -218,3 +215,4 @@ class DateISO8601(DateTemplate):
value = dateMatch.group()
date = list(iso8601.parse_date(value).timetuple())
return date

3
fail2ban/server/faildata.py
View File

@ -19,11 +19,8 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"
__date__ = "$Date$"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"

3
fail2ban/server/failmanager.py
View File

@ -19,11 +19,8 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"
__date__ = "$Date$"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"

2
fail2ban/server/filterpoll.py
View File

@ -21,8 +21,6 @@
#
__author__ = "Cyril Jaquier, Yaroslav Halchenko"
__version__ = "$Revision$"
__date__ = "$Date$"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier; 2012 Yaroslav Halchenko"
__license__ = "GPL"

3
fail2ban/server/jailthread.py
View File

@ -19,11 +19,8 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"
__date__ = "$Date$"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"

3
fail2ban/server/server.py
View File

@ -19,11 +19,8 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"
__date__ = "$Date$"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"

3
fail2ban/server/ticket.py
View File

@ -19,11 +19,8 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"
__date__ = "$Date$"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"

3
fail2ban/server/transmitter.py
View File

@ -19,11 +19,8 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"
__date__ = "$Date$"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"

1
fail2ban/tests/__init__.py
View File

@ -19,7 +19,6 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"

4
fail2ban/tests/actiontestcase.py
View File

@ -19,7 +19,6 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"
@ -89,6 +88,9 @@ class ExecuteAction(unittest.TestCase):
'ABC': "123",
'xyz': "890",
}
self.assertEqual(
self.__action.replaceTag("Text<br>text", aInfo),
"Text\ntext")
self.assertEqual(
self.__action.replaceTag("Text <HOST> text", aInfo),
"Text 192.0.2.0 text")

1
fail2ban/tests/banmanagertestcase.py
View File

@ -19,7 +19,6 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"

2
fail2ban/tests/datedetectortestcase.py
View File

@ -19,7 +19,6 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"
@ -90,6 +89,7 @@ class DateDetectorTest(unittest.TestCase):
"<01/23/05@21:59:59>",
"050123 21:59:59", # MySQL
"Jan 23, 2005 9:59:59 PM", # Apache Tomcat
"Jan-23-05 21:59:59", # ASSP like
):
log = sdate + "[sshd] error: PAM: Authentication failure"
# exclude

1
fail2ban/tests/failmanagertestcase.py
View File

@ -19,7 +19,6 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"

27
fail2ban/tests/files/logs/sshd
View File

@ -1,6 +1,6 @@
#1
Jun 21 16:47:48 digital-mlhhyiqscv sshd[13709]: error: PAM: Authentication failure for myhlj1374 from 192.030.0.6
May 29 20:56:52 imago sshd[28732]: error: PAM: Authentication failure for stefanor from www.onerussian.com
May 29 20:56:52 imago sshd[28732]: error: PAM: Authentication failure for stefanor from example.com
#2
Feb 25 14:34:10 belka sshd[31602]: Failed password for invalid user ROOT from 194.117.26.69 port 50273 ssh2
@ -13,10 +13,10 @@ Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM ::ffff:1.2.3.4
#4
Jul 20 14:42:11 localhost sshd[22708]: Invalid user ftp from 211.114.51.213
#5 new filter introduced after looking at 44087D8C.9090407@bluewin.ch
Mar 3 00:17:22 [sshd] User root from 210.188.220.49 not allowed because not listed in AllowUsers
Feb 25 14:34:11 belka sshd[31607]: User root from ferrari.inescn.pt not allowed because not listed in AllowUsers
# yoh: added ':' after [sshd] since the case without is not really common any more
Mar 3 00:17:22 [sshd]: User root from 211.188.220.49 not allowed because not listed in AllowUsers
Feb 25 14:34:11 belka sshd[31607]: User root from example.com not allowed because not listed in AllowUsers
#6 ew filter introduced thanks to report Guido Bozzetto <reportbug@G-B.it>
Nov 11 23:33:27 Server sshd[5174]: refused connect from _U2FsdGVkX19P3BCJmFBHhjLza8BcMH06WCUVwttMHpE=_@::ffff:218.249.210.161 (::ffff:218.249.210.161)
@ -29,5 +29,20 @@ Oct 15 19:51:35 server sshd[7592]: Address 1.2.3.4 maps to 1234.bbbbbb.com, but
#8 DenyUsers https://github.com/fail2ban/fail2ban/issues/47
Apr 16 22:01:15 al-ribat sshd[5154]: User root from 46.45.128.3 not allowed because listed in DenyUsers
# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648020
Nov 8 11:19:38 bar sshd[25427]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.6
#9 OpenSolaris patch - pull https://github.com/fail2ban/fail2ban/pull/182
Mar 29 05:59:23 dusky sshd[20878]: [ID 800047 auth.info] Failed keyboard-interactive for <invalid username> from 205.186.180.55 port 42742 ssh2
Mar 29 05:20:09 dusky sshd[19558]: [ID 800047 auth.info] Failed keyboard-interactive for james from 205.186.180.30 port 54520 ssh2
#10 OSX syslog error
Apr 29 17:16:20 Jamess-iMac.local sshd[62312]: error: PAM: authentication error for james from example.com via 192.168.1.201
Apr 29 20:11:08 Jamess-iMac.local sshd[63814]: [ID 800047 auth.info] Failed keyboard-interactive for <invalid username> from 205.186.180.35 port 42742 ssh2
Apr 29 20:12:08 Jamess-iMac.local sshd[63814]: [ID 800047 auth.info] Failed keyboard-interactive for james from 205.186.180.22 port 54520 ssh2
Apr 29 20:13:08 Jamess-iMac.local sshd[63814]: Failed keyboard-interactive for james from 205.186.180.42 port 54520 ssh2
Apr 29 20:14:08 Jamess-iMac.local sshd[63814]: Failed keyboard-interactive for <invalid username> from 205.186.180.44 port 42742 ssh2
Apr 30 01:42:12 Jamess-iMac.local sshd[2554]: Failed keyboard-interactive/pam for invalid user jamedds from 205.186.180.77 port 33723 ssh2
Apr 29 12:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication failure for james from 205.186.180.88 via 192.168.1.201
Apr 29 13:53:38 Jamess-iMac.local sshd[47831]: error: PAM: Authentication failure for james from 205.186.180.99 via 192.168.1.201
Apr 29 15:53:38 Jamess-iMac.local sshd[47831]: error: PAM: Authentication error for james from 205.186.180.100 via 192.168.1.201
Apr 29 16:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.101 via 192.168.1.201
Apr 29 17:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.102
Apr 29 18:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.103

1
fail2ban/tests/servertestcase.py
View File

@ -19,7 +19,6 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"

1
fail2ban/tests/sockettestcase.py
View File

@ -19,7 +19,6 @@
# Author: Steven Hiscocks
#
# $Revision$
__author__ = "Steven Hiscocks"
__version__ = "$Revision$"

1
fail2ban/version.py
View File

@ -19,7 +19,6 @@
# Author: Cyril Jaquier
#
# $Revision$
__author__ = "Cyril Jaquier, Yaroslav Halchenko"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko"

149
files/bash-completion Normal file
View File

@ -0,0 +1,149 @@
# fail2ban bash-completion -*- shell-script -*-
#
# This file is part of Fail2Ban.
#
# Fail2Ban is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Fail2Ban is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Fail2Ban; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
__fail2ban_jails () {
"$1" status 2>/dev/null | awk -F"\t+" '/Jail list/{print $2}' | sed 's/, / /g'
}
_fail2ban () {
local cur prev words cword
_init_completion || return
case $prev in
-V|--version|-h|--help)
return 0 # No further completion valid
;;
-c)
_filedir -d # Directories
return 0
;;
-s|-p)
_filedir # Files
return 0
;;
*)
if [[ "$cur" == "-"* ]];then
COMPREPLY=( $( compgen -W \
"$( _parse_help "$1" --help 2>/dev/null) -V" \
-- "$cur") )
return 0
fi
;;
esac
if [[ "$1" == *"fail2ban-regex" ]];then
_filedir
return 0
elif [[ "$1" == *"fail2ban-client" ]];then
local cmd jail
case $prev in
"$1")
COMPREPLY=( $( compgen -W \
"$( "$1" --help 2>/dev/null | awk '/^ [a-z]+/{print $1}')" \
-- "$cur") )
return 0
;;
start|reload|stop|status)
COMPREPLY=( $(compgen -W "$(__fail2ban_jails "$1")" -- "$cur" ) )
return 0
;;
set|get)
COMPREPLY=( $( compgen -W \
"$( "$1" --help 2>/dev/null | awk '/^ '$prev' [^<]/{print $2}')" \
-- "$cur") )
COMPREPLY+=( $(compgen -W "$(__fail2ban_jails "$1")" -- "$cur" ) )
return 0
;;
*)
if [[ "${words[$cword-2]}" == "add" ]];then
COMPREPLY=( $( compgen -W "auto polling gamin pyinotify" -- "$cur" ) )
return 0
elif [[ "${words[$cword-2]}" == "set" || "${words[$cword-2]}" == "get" ]];then
cmd="${words[cword-2]}"
# Handle in section below
elif [[ "${words[$cword-3]}" == "set" || "${words[$cword-3]}" == "get" ]];then
cmd="${words[$cword-3]}"
jail="${words[$cword-2]}"
# Handle in section below
fi
;;
esac
if [[ -z "$jail" && -n "$cmd" ]];then
case $prev in
loglevel)
if [[ "$cmd" == "set" ]];then
COMPREPLY=( $( compgen -W "0 1 2 3 4" -- "$cur" ) )
fi
return 0
;;
logtarget)
if [[ "$cmd" == "set" ]];then
COMPREPLY=( $( compgen -W "STDOUT STDERR SYSLOG" -- "$cur" ) )
_filedir # And files
fi
return 0
;;
*) # Jail name
COMPREPLY=( $( compgen -W \
"$( "$1" --help 2>/dev/null | awk '/^ '${cmd}' <JAIL>/{print $3}')" \
-- "$cur") )
return 0
;;
esac
elif [[ -n "$jail" && "$cmd" == "set" ]];then
case $prev in
addlogpath)
_filedir
return 0
;;
dellogpath|delignoreip)
COMPREPLY=( $( compgen -W \
"$( "$1" get "$jail" "${prev/del/}" 2>/dev/null | awk -F- '{print $2}')" \
-- "$cur" ) )
if [[ -z "$COMPREPLY" && "$prev" == "dellogpath" ]];then
_filedir
fi
return 0
;;
delfailregex|delignoregex)
COMPREPLY=( $( compgen -W \
"$( "$1" get "$jail" "${prev/del/}" 2>/dev/null | awk -F"[][]" '{print $2}')" \
-- "$cur" ) )
return 0
;;
unbanip)
COMPREPLY=( $( compgen -W \
"$( "$1" status "$jail" 2>/dev/null | awk -F"\t+" '/IP list:/{print $2}')" \
-- "$cur" ) )
return 0
;;
idle)
COMPREPLY=( $( compgen -W "on off" -- "$cur" ) )
return 0
;;
usedns)
COMPREPLY=( $( compgen -W "yes no warn" -- "$cur" ) )
return 0
;;
esac
fi
fi # fail2ban-client
} &&
complete -F _fail2ban fail2ban-client fail2ban-server fail2ban-regex

1
files/cacti/fail2ban_stats.sh
View File

@ -25,7 +25,6 @@
#
# Author: Cyril Jaquier
#
# $Revision$
FAIL2BAN="fail2ban-client"

18
files/fail2ban-logrotate Normal file
View File

@ -0,0 +1,18 @@
#
# Gentoo:
# http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/fail2ban/files/fail2ban-logrotate?view=markup
#
# Debian:
# https://github.com/fail2ban/fail2ban/blob/debian/debian/fail2ban.logrotate
#
# Fedora view:
# http://pkgs.fedoraproject.org/cgit/fail2ban.git/tree/fail2ban-logrotate
/var/log/fail2ban.log {
rotate 7
missingok
compress
postrotate
/usr/bin/fail2ban-client set logtarget /var/log/fail2ban.log 1>/dev/null || true
endscript
}

Some files were not shown because too many files have changed in this diff Show More