From de98e3dabd2b9a1b728955fe4e7727aac2c8407b Mon Sep 17 00:00:00 2001 From: jamesstout Date: Sun, 21 Apr 2013 07:29:48 +0800 Subject: [PATCH 01/51] change sed to perl for Solaris --- config/action.d/hostsdeny.conf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/config/action.d/hostsdeny.conf b/config/action.d/hostsdeny.conf index b04f2adb..db36aa29 100644 --- a/config/action.d/hostsdeny.conf +++ b/config/action.d/hostsdeny.conf @@ -40,7 +40,11 @@ actionban = IP= && # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = IP= && sed -i.old /ALL:\ $IP/d +# Original: +#actionunban = IP= && sed -i.old /ALL:\ $IP/d + +# -i is not supported under Solaris 10/OpenSolaris +actionunban = IP= && perl -ne "print unless (/^ALL:\s$IP/)" -i [Init] From 10fcfb925dde8da606a7e2f841159675528cedb9 Mon Sep 17 00:00:00 2001 From: jamesstout Date: Sun, 21 Apr 2013 07:30:21 +0800 Subject: [PATCH 02/51] Extra patterns for Solaris --- config/filter.d/sshd.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf index e4339c78..2c104073 100644 --- a/config/filter.d/sshd.conf +++ b/config/filter.d/sshd.conf 
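Review bot: The new `actionunban` line puts `$IP` into the Perl pattern unescaped and with no end anchor, so the dots match any character and the pattern also matches entries that merely start with the address (unbanning 1.2.3.4 would also drop a line for 1.2.3.40; constructed example). That silently lifts bans that should stay in place. Quoting the value and anchoring the end keeps the unban to the one entry, e.g. `perl -ne "print unless (/^ALL:\s\Q$IP\E\s*$/)" -i` followed by the file argument as in the original line. The comment `# -i is not supported under Solaris 10/OpenSolaris` should say it refers to `sed -i`, since the replacement command itself uses `perl ... -i`.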
@@ -27,11 +27,13 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* fro ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from \s*$ ^%(__prefix_line)sFailed (?:password|publickey) for .* from (?: port \d*)?(?: ssh\d*)?\s*$ ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$ + ^%(__prefix_line)s\[.*\] Failed keyboard-interactive for .* from (?: port \d*)?(?: ssh\d*)?$ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$ ^%(__prefix_line)sUser .+ from not allowed because not listed in AllowUsers\s*$ ^%(__prefix_line)sUser .+ from not allowed because listed in DenyUsers\s*$ ^%(__prefix_line)srefused connect from \S+ \(\)\s*$ ^%(__prefix_line)sUser .+ from not allowed because none of user's groups are listed in AllowGroups\s*$ + ^%(__prefix_line)s\[.*\] Received disconnect from .* Bye\s*$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. From 578a8998c63f8133421668d2648a623e9ac8fd6a Mon Sep 17 00:00:00 2001 From: jamesstout Date: Sun, 21 Apr 2013 07:30:52 +0800 Subject: [PATCH 03/51] create socket/pid dir if needed Also remove any lingering sockets --- files/solaris-svc-fail2ban | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) mode change 100644 => 100755 files/solaris-svc-fail2ban diff --git a/files/solaris-svc-fail2ban b/files/solaris-svc-fail2ban old mode 100644 new mode 100755 index 9f75f9f6..e397474b --- a/files/solaris-svc-fail2ban +++ b/files/solaris-svc-fail2ban 
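Review bot: The added `Received disconnect from ... Bye` pattern counts a disconnect message as a login failure, and as far as I can tell sshd can log that line for sessions that never failed authentication, so a legitimate client could accumulate failures and be banned. I would leave it out of `failregex` unless sample log lines show it only follows failed attempts. Both added patterns also open with `\[.*\]`, which is greedy and accepts any bracketed text up to the last `]` on the line; a form that matches only the Solaris `[ID 800047 auth.info]` style tag, e.g. `\[ID \d+ \S+\]`, is tighter. The host placeholder after `from` looks stripped from this page, so check the patterns against the file itself.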
@@ -17,8 +17,26 @@ fi ENV="/usr/bin/env -i LANG=C PATH=/usr/local/bin:/usr/bin:/bin:/opt/sfw/bin:/usr/sfw/bin" +# get socket/pid conf and check dir exists +# sock and pid default dirs are currently the same +# mkdir if it doesn't exist +SOCK_FILE=$(sed "/^\#/d" "$F2B_CONF" | grep "socket" | tail -1 | cut -d "=" -f2-) +SOCK_DIR=$(dirname $SOCK_FILE) +if [ -n "$SOCK_DIR" ]; then + if [ ! -d "$SOCK_DIR" ]; then + mkdir "$SOCK_DIR" || exit 1 + fi +fi + case $1 in start) + # remove any lingering sockets + # don't quote the var for the -e test + if [ -n "$SOCK_FILE" ]; then + if [ -e $SOCK_FILE ]; then + rm -f $SOCK_FILE || exit 1 + fi + fi [ -f /etc/fail2ban.conf ] || touch /etc/fail2ban.conf echo "Starting fail2ban-server with $F2B_CONF" eval $ENV /usr/local/bin/fail2ban-client start & From 686f43caacf080eccbb5e1f7272975babd3fcd52 Mon Sep 17 00:00:00 2001 From: jamesstout Date: Sun, 21 Apr 2013 07:31:27 +0800 Subject: [PATCH 04/51] Readme for config on Solaris --- README.Solaris | 106 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 106 insertions(+) create mode 100644 README.Solaris diff --git a/README.Solaris b/README.Solaris new file mode 100644 index 00000000..b8883e7f --- /dev/null +++ b/README.Solaris 
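Review bot: `SOCK_FILE` is read from the configuration file and then used unquoted in `dirname $SOCK_FILE`, `[ -e $SOCK_FILE ]` and `rm -f $SOCK_FILE`, so in this service method script (presumably run as root) a value containing spaces or glob characters is word-split and expanded before `rm -f` sees it. The unquoted use seems to exist only to drop the whitespace after `=`; stripping it when the value is read and quoting afterwards is safer, e.g. `SOCK_FILE=$(sed -n 's/^socket *= *//p' "$F2B_CONF" | tail -1)` and then `rm -f -- "$SOCK_FILE"`. As written, `grep "socket"` also picks up any non-comment line that merely contains the word, not only the `socket =` setting. `mkdir "$SOCK_DIR"` creates the directory with whatever the current umask gives, so an explicit mode is worth adding; the `case` statement continues outside the hunk.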
@@ -0,0 +1,106 @@ +# vim:tw=80:ft=txt + +README FOR SOLARIS INSTALLATIONS + +By Roy Sigurd Karlsbakk + +ABOUT + +This readme is meant for those wanting to install fail2ban on Solaris 10, +OpenSolaris, OpenIndiana etc. To some degree it may as well be useful for +users of older Solaris versions and Nexenta, but don't rely on it. + +READ ME FIRST + +If I use the term Solaris, I am talking about any Solaris dialect, that is, the +official Sun/Oracle ones or derivates. If I describe an OS as +"OpenSolaris-based", it means it's either OpenSolaris, OpenIndiana or one of the +other, but /not/ the Nexenta family, since this only uses the OpenSolaris/ +IllumOS kernel and not the userland. If I say Solaris 10, I mean Solaris 10 and +perhaps, if you're lucky and have some good gods on your side, it may also apply +to Solaris 9 or even 8 and hopefully in the new Solaris 11 whenever that may be +released. Quoted lines of code, settings et cetera are indented with two spaces. +This does _not_ mean you should use that indentation, especially in config files +where they can be harmful. Optional settings are prefixed with OPT: while +required settings are prefixed with REQ:. If no prefix is found, regard it as a +required setting. + +INSTALLATION ON SOLARIS + +The installation is straight forward on Solaris as well as on linux/bsd/etc. +./setup.py install installs the general packages in /usr/bin on OpenSolaris- +based distros or (at least on this box) under /usr/sfw/bin on Solaris 10. In +the files/ directory you will find the file solaris-fail2ban.xml containing the +Solaris service. To install this, run the following command as root (or with +sudo): + + svccfg import files/solaris-fail2ban.xml + +This should normally without giving an error. If you get an error, deal with it, +and please post any relevant info (or fixes?) to the fail2ban mailing list. 
+Next install the service handler - copy the script in and allow it to be executed: + + cp files/solaris-svc-fail2ban /lib/svc/method/svc-fail2ban + chmod +x /lib/svc/method/svc-fail2ban + +CONFIGURE SYSLOG + +For some reason, a default Solaris installation does not log ssh login attempts, +and since fail2ban works by monitoring logs, enabling this logging is rather +important for it to work. To enable this, edit /etc/syslog.conf and add a line +at the end: + + auth.info /var/adm/auth.log + +Save the file and exit, and run + + touch /var/adm/auth.log + +The Solaris system logger will _not_ create a non-existing file. Now, restart +the system logger. + + svcadm restart system-log + +Try to ssh into localhost with ssh asdf@localhost and enter an invalid password. +Make sure this is logged in the above file. When done, you may configure +fail2ban. + +FAIL2BAN CONFIGURATION + +OPT: Edit /etc/fail2ban/fail2ban.conf and change logtarget to /var/adm/fail2ban.log +REQ: Edit /etc/fail2ban/jail.conf and move down to the [ssh-tcpwrapper] section. + Here, set enabled = true and logpath = /var/adm/auth.log. Set the sendmail + dest address to something useful or drop the line to stop it spamming you. + +START (OR RESTART) FAIL2BAN + +Enable the fail2ban service with + + svcadm enable fail2ban + +When done, check that all services are running well + + svcs -xv + +GOTCHAS AND FIXMES + +* It seems the installation may be starting fail2ban automatically. If this is + done, fail2ban will not start, but no errors will be returned from svcs + (above). Check if it's running with 'ps -ef | grep fail2ban' and manually kill + the PID if it is. Re-enable fail2ban and try again + + svcadm disable fail2ban + svcadm enable fail2ban + +* If svcs -xv says that fail2ban failed to start or svcs says it's in maintenance mode + chcek /var/svc/log/network-fail2ban:default.log for clues. 
+ Check permissions on /var/adm, /var/adm/auth.log /var/adm/fail2ban.log and /var/run/fail2ban + You may need to: + + sudo mkdir /var/run/fail2ban + +* Fail2ban adds lines like these to /etc/hosts.deny: + + ALL: 1.2.3.4 + + wouldn't it be better to just block sshd? From b7795addd0958919fed3ee6b4c0f2a993e31cbd4 Mon Sep 17 00:00:00 2001 From: jamesstout Date: Tue, 30 Apr 2013 04:10:32 +0800 Subject: [PATCH 05/51] ENH: actionunban back to a sed command per https://github.com/fail2ban/fail2ban/pull/182#discussion_r3999128 --- config/action.d/hostsdeny.conf | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/config/action.d/hostsdeny.conf b/config/action.d/hostsdeny.conf index db36aa29..6f324e1e 100644 --- a/config/action.d/hostsdeny.conf +++ b/config/action.d/hostsdeny.conf @@ -40,11 +40,7 @@ actionban = IP= && # Tags: See jail.conf(5) man page # Values: CMD # -# Original: -#actionunban = IP= && sed -i.old /ALL:\ $IP/d - -# -i is not supported under Solaris 10/OpenSolaris -actionunban = IP= && perl -ne "print unless (/^ALL:\s$IP/)" -i +actionunban = IP= && sed /ALL:\ $IP/d > .new && mv .new [Init] From d2a953756802bd7cf63f5f5f792371f52f5cba8c Mon Sep 17 00:00:00 2001 From: jamesstout Date: Tue, 30 Apr 2013 04:14:36 +0800 Subject: [PATCH 06/51] ENH: extra daemon info regex for matching log lines like: Mar 29 05:20:09 dusky sshd[19558]: [ID 800047 auth.info] Failed keyboard-interactive for james from 205.186.180.30 port 54520 ssh2 this matches [ID 800047 auth.info] --- config/filter.d/common.conf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/config/filter.d/common.conf b/config/filter.d/common.conf index 18bf41c5..d13b6adb 100644 --- a/config/filter.d/common.conf +++ b/config/filter.d/common.conf 
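Review bot: The `sed /ALL:\ $IP/d` expression in the new `actionunban` line is unanchored and leaves the dots in `$IP` as regex wildcards, so unbanning one address also deletes the entry of any address that contains it as a substring (1.2.3.4 and 1.2.3.40; constructed example), lifting bans that should remain. Anchoring the pattern at both ends and escaping the dots would limit the delete to the intended line. Writing to `.new` and then `mv` also replaces the deny file with a newly created one, so its owner and mode follow the umask of the fail2ban process, and a ban appended between the `sed` and the `mv` is lost; copying the result back over the original, or at least a comment about the race, would cover that. The file placeholders look stripped from this page.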
@@ -28,6 +28,10 @@ __pid_re = (?:\[\d+\]) # EXAMPLES: pam_rhosts_auth, [sshd], pop(pam_unix) __daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:? +# extra daemon info +# EXAMPLE: [ID 800047 auth.info] +__daemon_extra_re = (?:\[ID \d+ \S+\]) + # Combinations of daemon name and PID # EXAMPLES: sshd[31607], pop(pam_unix)[4920] __daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:) @@ -43,5 +47,5 @@ __hostname = \S+ # # [hostname] [vserver tag] daemon_id spaces # this can be optional (for instance if we match named native log files) -__prefix_line = \s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s* +__prefix_line = \s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s%(__daemon_extra_re)s?\s* From 3367dbd987dada35438e0583bf0836133368bbf9 Mon Sep 17 00:00:00 2001 From: jamesstout Date: Tue, 30 Apr 2013 04:23:13 +0800 Subject: [PATCH 07/51] ENH: fail message matching for OpenSolaris and OS X - OpenSolaris keyboard message matched by new regex 3 - Removed Bye Bye regex per https://github.com/fail2ban/fail2ban/issues/175#issuecomment-16538036 - PAM auth failure or error and first char case-insensitive, can also have chars after the hostname. e.g. Apr 29 16:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.101 via 192.168.1.201 --- config/filter.d/sshd.conf | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf index 2c104073..8d98c675 100644 --- a/config/filter.d/sshd.conf +++ b/config/filter.d/sshd.conf 
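Review bot: In the second hunk `__prefix_line` now has a bare `\s` between `%(__daemon_combs_re)s?` and `%(__daemon_extra_re)s?` where it previously ended in `\s*` only, so the prefix can no longer match the empty string. Every filter built on `__prefix_line` is affected: a line whose message starts with no whitespace in front of it (the "named native log files" case mentioned in the comment above) would stop matching, which shows up as missed bans rather than as an error. Keeping the whitespace optional, e.g. `%(__daemon_combs_re)s?\s*(?:%(__daemon_extra_re)s\s*)?`, preserves the old behaviour. The comment block above `__prefix_line` should also list the new optional `[ID n facility.level]` element.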
@@ -23,17 +23,15 @@ _daemon = sshd # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # -failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from \s*$ +failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA](?:uthentication) (?:failure|error) for .* from .*$ ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from \s*$ - ^%(__prefix_line)sFailed (?:password|publickey) for .* from (?: port \d*)?(?: ssh\d*)?\s*$ + ^%(__prefix_line)sFailed \S+ for .* from (?: port \d*)?(?: ssh\d*)?\s*$ ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$ - ^%(__prefix_line)s\[.*\] Failed keyboard-interactive for .* from (?: port \d*)?(?: ssh\d*)?$ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$ ^%(__prefix_line)sUser .+ from not allowed because not listed in AllowUsers\s*$ ^%(__prefix_line)sUser .+ from not allowed because listed in DenyUsers\s*$ ^%(__prefix_line)srefused connect from \S+ \(\)\s*$ ^%(__prefix_line)sUser .+ from not allowed because none of user's groups are listed in AllowGroups\s*$ - ^%(__prefix_line)s\[.*\] Received disconnect from .* Bye\s*$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. From 018913db6a840c1502df5630afcf371be0053ba1 Mon Sep 17 00:00:00 2001 From: jamesstout Date: Tue, 30 Apr 2013 04:24:56 +0800 Subject: [PATCH 08/51] ENH+TST: ssh failure messages for OpenSolaris and OS X --- testcases/files/logs/sshd | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/testcases/files/logs/sshd b/testcases/files/logs/sshd index 8e6c1273..e3e5c67e 100644 --- a/testcases/files/logs/sshd +++ b/testcases/files/logs/sshd 
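Review bot: The first `failregex` now ends in `.*$` instead of `\s*$`, so anything may follow the matched host. The line also contains the client-chosen user name behind a greedy `for .*`, so a crafted name has more room to influence what the pattern accepts. Since the stated reason is the trailing `via <address>` on OS X, matching just that keeps the end anchored: `(?: via \S+)?\s*$`. `Failed \S+ for` likewise widens the method from `password|publickey` to any token; listing the methods actually observed, `(?:password|publickey|keyboard-interactive(?:/pam)?)`, would be stricter. The host placeholder looks stripped from this page, so verify its position in the file.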
@@ -29,5 +29,25 @@ Oct 15 19:51:35 server sshd[7592]: Address 1.2.3.4 maps to 1234.bbbbbb.com, but #8 DenyUsers https://github.com/fail2ban/fail2ban/issues/47 Apr 16 22:01:15 al-ribat sshd[5154]: User root from 46.45.128.3 not allowed because listed in DenyUsers -# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648020 +#9 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648020 +# should this be removed? regex was removed in https://github.com/fail2ban/fail2ban/commit/bb7628591c124309774d5f4787d2a4f07cf6b906 Nov 8 11:19:38 bar sshd[25427]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.6 + +#10 OpenSolaris patch - pull https://github.com/fail2ban/fail2ban/pull/182 +Mar 29 05:59:23 dusky sshd[20878]: [ID 800047 auth.info] Failed keyboard-interactive for from 205.186.180.55 port 42742 ssh2 +Mar 29 05:20:09 dusky sshd[19558]: [ID 800047 auth.info] Failed keyboard-interactive for james from 205.186.180.30 port 54520 ssh2 + +#11 OSX syslog error +Apr 29 14:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from dusky via 192.168.1.201 +Apr 29 17:16:20 Jamess-iMac.local sshd[62312]: error: PAM: authentication error for james from n29.c07.mtsvc.net via 192.168.1.201 +Apr 29 20:11:08 Jamess-iMac.local sshd[63814]: [ID 800047 auth.info] Failed keyboard-interactive for from 205.186.180.35 port 42742 ssh2 +Apr 29 20:12:08 Jamess-iMac.local sshd[63814]: [ID 800047 auth.info] Failed keyboard-interactive for james from 205.186.180.22 port 54520 ssh2 +Apr 29 20:13:08 Jamess-iMac.local sshd[63814]: Failed keyboard-interactive for james from 205.186.180.42 port 54520 ssh2 +Apr 29 20:14:08 Jamess-iMac.local sshd[63814]: Failed keyboard-interactive for from 205.186.180.44 port 42742 ssh2 +Apr 30 01:42:12 Jamess-iMac.local sshd[2554]: Failed keyboard-interactive/pam for invalid user jamedds from 205.186.180.77 port 33723 ssh2 +Apr 29 12:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication failure 
for james from 205.186.180.88 via 192.168.1.201 +Apr 29 13:53:38 Jamess-iMac.local sshd[47831]: error: PAM: Authentication failure for james from 205.186.180.99 via 192.168.1.201 +Apr 29 15:53:38 Jamess-iMac.local sshd[47831]: error: PAM: Authentication error for james from 205.186.180.100 via 192.168.1.201 +Apr 29 16:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.101 via 192.168.1.201 +Apr 29 17:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.102 +Apr 29 18:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.103 \ No newline at end of file From 86a5de040ba9bcee897fe5c2b1aaa0a0a695eb7c Mon Sep 17 00:00:00 2001 From: jamesstout Date: Tue, 30 Apr 2013 04:35:36 +0800 Subject: [PATCH 09/51] ENH: Use .local config files for logtarget and jail Per: https://github.com/fail2ban/fail2ban/pull/182#discussion_r3886353 --- README.Solaris | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/README.Solaris b/README.Solaris index b8883e7f..b03a31a1 100644 --- a/README.Solaris +++ b/README.Solaris 
@@ -67,10 +67,24 @@ fail2ban. FAIL2BAN CONFIGURATION -OPT: Edit /etc/fail2ban/fail2ban.conf and change logtarget to /var/adm/fail2ban.log -REQ: Edit /etc/fail2ban/jail.conf and move down to the [ssh-tcpwrapper] section. - Here, set enabled = true and logpath = /var/adm/auth.log. Set the sendmail - dest address to something useful or drop the line to stop it spamming you. +OPT: Create /etc/fail2ban/fail2ban.local containing: + +logtarget = /var/adm/fail2ban.log + + +REQ: Create /etc/fail2ban/jail.local containing: + +[ssh-tcpwrapper] + +enabled = true +filter = sshd +action = hostsdeny + sendmail-whois[name=SSH, dest=you@example.com] +ignoreregex = for myuser from +logpath = /var/adm/auth.log + +Set the sendmail dest address to something useful or drop the line to stop it spamming you. +Set 'myuser' to your username to avoid banning yourself or drop it. START (OR RESTART) FAIL2BAN From 0c2900e458f642ae2772526700c0888a187084bd Mon Sep 17 00:00:00 2001 From: jamesstout Date: Tue, 30 Apr 2013 05:41:29 +0800 Subject: [PATCH 10/51] BF: fail2ban.local needs section headers --- README.Solaris | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/README.Solaris b/README.Solaris index b03a31a1..49056062 100644 --- a/README.Solaris +++ b/README.Solaris 
@@ -69,6 +69,27 @@ FAIL2BAN CONFIGURATION OPT: Create /etc/fail2ban/fail2ban.local containing: +# Fail2Ban main configuration file +# +# Comments: use '#' for comment lines and ';' for inline comments +# +# Changes: in most of the cases you should not modify this +# file, but provide customizations in fail2ban.local file, e.g.: +# +# [Definition] +# loglevel = 4 +# +[Definition] + +# Option: logtarget +# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT. +# Only one log target can be specified. +# If you change logtarget from the default value and you are +# using logrotate -- also adjust or disable rotation in the +# corresponding configuration file +# (e.g. /etc/logrotate.d/fail2ban on Debian systems) +# Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log +# logtarget = /var/adm/fail2ban.log From 24a8d07c20da396dac0cc2f26f0ab4a14c236cef Mon Sep 17 00:00:00 2001 From: Enrico Labedzki Date: Sun, 28 Apr 2013 10:44:31 +0200 Subject: [PATCH 11/51] added new date format support for ASSP SMTP Proxy --- ChangeLog | 6 ++++-- THANKS | 1 + TODO | 2 ++ config/filter.d/assp.conf | 33 +++++++++++++++++++++++++++++++ config/jail.conf | 7 +++++++ server/datedetector.py | 7 ++++++- server/datetemplate.py | 12 +++++++++++ testcases/datedetectortestcase.py | 1 + testcases/files/logs/assp | 13 ++++++++++++ 9 files changed, 79 insertions(+), 3 deletions(-) create mode 100644 config/filter.d/assp.conf create mode 100644 testcases/files/logs/assp diff --git a/ChangeLog b/ChangeLog index fde414f4..0224431f 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -4,10 +4,10 @@ |_| \__,_|_|_/___|_.__/\__,_|_||_| ================================================================================ -Fail2Ban (version 0.8.9) 2013/04/XX +Fail2Ban (version 0.8.9) 2013/04/28 ================================================================================ -ver. 0.8.9 (2013/04/XXX) - wanna-be-stable +ver. 0.8.9 (2013/04/28) - wanna-be-stable ---------- Although primarily a bugfix release, it incorporates many new @@ -68,6 +68,8 @@ Borreli, blotus: Soulard Morgan * [f336d9f] Add filter for webmin. Closes gh-99. - Enhancements: + Enrico Labedzki + * [???????] Added Datew format for ASSP SMTP Proxy. Steven Hiscocks * [3d6791f] Ensure restart of Actions after a check fails occurs consistently. Closes gh-172. diff --git a/THANKS b/THANKS index f207d71e..9545d43a 100644 --- a/THANKS +++ b/THANKS @@ -16,6 +16,7 @@ Daniel B. Cid Daniel Black David Nutter Eric Gerbier +Enrico Labedzki Guillaume Delvit Hanno 'Rince' Wagner Iain Lea diff --git a/TODO b/TODO index 61bdc093..33263d3e 100644 --- a/TODO +++ b/TODO @@ -13,6 +13,8 @@ Legend: # partially done * done +- more detailed explaination in DEVELOP for new developers (eg. howto build this HEX numbers in ChangeLog) + - Run tests though all filters/examples files - (see sshd example file) as unit test diff --git a/config/filter.d/assp.conf b/config/filter.d/assp.conf new file mode 100644 index 00000000..055fb9fe --- /dev/null +++ b/config/filter.d/assp.conf 
@@ -0,0 +1,33 @@ +# Fail2Ban configuration file +# for Anti-Spam SMTP Proxy Server also known as ASSP +# Honmepage: http://www.magicvillage.de/~Fritz_Borgstedt/assp/0003D91C-8000001C/ +# ProjektSite: http://sourceforge.net/projects/assp/?source=directory +# +# Author: Enrico Labedzki (enrico.labedzki@deiwos.de) +# + +[Definition] + +# Option: failregex +# Notes.: regex to match the SMTP failure messages in the logfile. The +# host must be matched by a group named "host". The tag "" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P\S+) +# Values: TEXT +# +# Examples: Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41); +# Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol; +# Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded +__assp_actions = (dropping|refusing) + +failregex = max sender authentication errors \(\d+\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: [a-zA-Z0-9]+;$ + SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$ + Blocking - too much AUTH errors \(\d+\);$ + + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = + diff --git a/config/jail.conf b/config/jail.conf index 7569cd2f..86425b9c 100644 --- a/config/jail.conf +++ b/config/jail.conf 
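Review bot: In the first `failregex` the enhanced status code is written `\d{1}\.\d{1}.\d{1}`, where the second dot is unescaped and matches any character; `\d\.\d\.\d` is presumably what is meant (the later hunk in this series that changes the digit counts keeps the same expression). None of the three patterns visible here starts with `^`, so unless the anchor sits next to the host placeholder, which looks stripped from this page, they can match in the middle of a line; this should be confirmed in the file. `__assp_actions = (dropping|refusing)` can be a non-capturing group, `(?:dropping|refusing)`, in line with the other filters in this series.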
@@ -89,6 +89,13 @@ action = iptables[name=sasl, port=smtp, protocol=tcp] sendmail-whois[name=sasl, dest=you@example.com] logpath = /var/log/mail.log +# ASSP SMTP Proxy Jail +[assp] +enabled = false +port = 25,465,587 +filter = assp +logpath = /root/path/to/assp/logs/maillog.txt + # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is # used to avoid banning the user "myuser". diff --git a/server/datedetector.py b/server/datedetector.py index a54e072d..8ebdc949 100644 --- a/server/datedetector.py +++ b/server/datedetector.py @@ -29,7 +29,7 @@ __license__ = "GPL" import time, logging -from datetemplate import DateStrptime, DateTai64n, DateEpoch, DateISO8601 +from datetemplate import DateStrptime, DateTai64n, DateEpoch, DateISO8601, DateASSPlike from threading import Lock # Gets the instance of the logger. @@ -161,6 +161,11 @@ class DateDetector: template.setRegex("^\d{2}\d{2}\d{2} +\d{1,2}:\d{2}:\d{2}") template.setPattern("%y%m%d %H:%M:%S") self._appendTemplate(template) + # ASSP: Apr-27-13 02:33:06 + template = DateASSPlike() + template.setName("ASSP like date format") + template.setRegex("^[a-zA-Z]{3}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}") + self._appendTemplate(template) finally: self.__lock.release() diff --git a/server/datetemplate.py b/server/datetemplate.py index 51b8bb1e..55f6d7e4 100644 --- a/server/datetemplate.py +++ b/server/datetemplate.py @@ -218,3 +218,15 @@ class DateISO8601(DateTemplate): value = dateMatch.group() date = list(iso8601.parse_date(value).timetuple()) return date + + +class DateASSPlike(DateTemplate): + + def __init__(self): + DateTemplate.__init__(self) + + def getDate(self, line): + # there is no need to parse the date. + # ASSP doesn't buffer the log output. + return MyTime.gmtime() + diff --git a/testcases/datedetectortestcase.py b/testcases/datedetectortestcase.py index 7c3c7140..3bf7bf0f 100644 --- a/testcases/datedetectortestcase.py +++ b/testcases/datedetectortestcase.py 
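Review bot: The new `[assp]` jail sets `port`, `filter` and `logpath` but no `action`, unlike the jail whose `action = iptables[name=sasl, ...]` lines appear in the hunk context, so unless a default action is defined outside the hunk, enabling it would record failures without blocking anything. An explicit action line in the style of the neighbouring jails, carrying the three ports, makes the jail self-contained. `logpath = /root/path/to/assp/logs/maillog.txt` is a placeholder and should carry a comment saying so, e.g. `# adjust logpath to your ASSP installation before enabling`.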
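Review bot: `DateASSPlike.getDate` in `server/datetemplate.py` ignores `line` and returns `MyTime.gmtime()`, so every matching entry is stamped with the time it was read rather than the time it was logged. Any time-window logic that consumes this date would then treat old entries, for example when a log file is re-read, as fresh failures; this is hedged, since the caller is outside the diff. The timestamp is already matched by the regex set in `datedetector.py`, so parsing it with a pattern such as `%b-%d-%y %H:%M:%S` is the safer choice. The class has no docstring; if the shortcut stays, it should state that the returned date is not taken from the log line.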
@@ -85,6 +85,7 @@ class DateDetectorTest(unittest.TestCase): "2005-01-23T21:59:59-05:00Z", #ISO 8601 with TZ "<01/23/05@21:59:59>", "050123 21:59:59", # MySQL + "Apr-27-13 01:27:45", # ASSP like ): log = sdate + "[sshd] error: PAM: Authentication failure" # exclude diff --git a/testcases/files/logs/assp b/testcases/files/logs/assp new file mode 100644 index 00000000..99363001 --- /dev/null +++ b/testcases/files/logs/assp 
@@ -0,0 +1,13 @@ +Apr-07-13 07:08:36 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol; +Apr-07-13 07:08:36 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol; +Apr-07-13 07:10:37 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol; +Apr-07-13 07:12:37 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol; +Apr-07-13 07:14:36 [SSL-out] 68.171.223.68 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol; +Apr-27-13 02:25:09 Blocking 217.194.197.97 - too much AUTH errors (8); +Apr-27-13 02:25:09 Blocking 217.194.197.97 - too much AUTH errors (9); +Apr-27-13 02:25:09 Blocking 217.194.197.97 - too much AUTH errors (10); +Apr-27-13 02:25:10 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6; +Apr-27-13 02:25:10 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6; +Apr-27-13 02:25:10 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6; +Apr-27-13 02:25:11 [SSL-out] 217.194.197.97 max sender authentication errors (5) exceeded -- dropping connection - after reply: 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6; + 
From ba8f012637b2b6d6ddb211d379dffc4834ff0152 Mon Sep 17 00:00:00 2001 From: Enrico Labedzki Date: Sun, 28 Apr 2013 22:18:55 +0200 Subject: [PATCH 12/51] fixed little things --- ChangeLog | 6 +++--- server/datedetector.py | 1 + server/datetemplate.py | 15 ++++++++++++--- 3 files changed, 16 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0224431f..47f213bd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,10 +4,10 @@ |_| \__,_|_|_/___|_.__/\__,_|_||_| ================================================================================ -Fail2Ban (version 0.8.9) 2013/04/28 +Fail2Ban (version 0.8.9) 2013/04/XX ================================================================================ -ver. 0.8.9 (2013/04/28) - wanna-be-stable +ver. 0.8.9 (2013/04/XX) - wanna-be-stable ---------- Although primarily a bugfix release, it incorporates many new @@ -69,7 +69,7 @@ Borreli, blotus: * [f336d9f] Add filter for webmin. Closes gh-99. - Enhancements: Enrico Labedzki - * [???????] Added Datew format for ASSP SMTP Proxy. + * [1524b07] Added Datew format for ASSP SMTP Proxy. Steven Hiscocks * [3d6791f] Ensure restart of Actions after a check fails occurs consistently. Closes gh-172. diff --git a/server/datedetector.py b/server/datedetector.py index 8ebdc949..33270105 100644 --- a/server/datedetector.py +++ b/server/datedetector.py @@ -165,6 +165,7 @@ class DateDetector: template = DateASSPlike() template.setName("ASSP like date format") template.setRegex("^[a-zA-Z]{3}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}") + template.setPattern("%b-%d-%y %H:%M:%S") self._appendTemplate(template) finally: self.__lock.release() diff --git a/server/datetemplate.py b/server/datetemplate.py index 55f6d7e4..dccd6419 100644 --- a/server/datetemplate.py +++ b/server/datetemplate.py 
@@ -224,9 +224,18 @@ class DateASSPlike(DateTemplate): def __init__(self): DateTemplate.__init__(self) + self.__pattern = "" + + def setPattern(self, pattern): + self.__pattern = pattern.strip() + + def getPattern(self): + return self.__pattern def getDate(self, line): - # there is no need to parse the date. - # ASSP doesn't buffer the log output. - return MyTime.gmtime() + date = None + dateMatch = self.matchDate(line) + if dateMatch: + date = list(time.strptime(dateMatch.group(), self.getPattern())) + return date From 9185c070ebdf8d0c20a8ec0868c0092ce0996338 Mon Sep 17 00:00:00 2001 From: Enrico Labedzki Date: Wed, 1 May 2013 02:25:05 +0200 Subject: [PATCH 13/51] changed from DateASSPlike class to DateStrptime --- server/datedetector.py | 6 +++--- server/datetemplate.py | 19 ------------------- 2 files changed, 3 insertions(+), 22 deletions(-) diff --git a/server/datedetector.py b/server/datedetector.py index 33270105..8ece81fb 100644 --- a/server/datedetector.py +++ b/server/datedetector.py @@ -29,7 +29,7 @@ __license__ = "GPL" import time, logging -from datetemplate import DateStrptime, DateTai64n, DateEpoch, DateISO8601, DateASSPlike +from datetemplate import DateStrptime, DateTai64n, DateEpoch, DateISO8601 from threading import Lock # Gets the instance of the logger. @@ -162,8 +162,8 @@ class DateDetector: template.setPattern("%y%m%d %H:%M:%S") self._appendTemplate(template) # ASSP: Apr-27-13 02:33:06 - template = DateASSPlike() - template.setName("ASSP like date format") + template = DateStrptime() + template.setName("Month-Day-Year Hour:Minute:Second") template.setRegex("^[a-zA-Z]{3}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}") template.setPattern("%b-%d-%y %H:%M:%S") self._appendTemplate(template) diff --git a/server/datetemplate.py b/server/datetemplate.py index dccd6419..01492755 100644 --- a/server/datetemplate.py +++ b/server/datetemplate.py 
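Review bot: `getDate` hands the regex match straight to `time.strptime`, but the regex registered for this template (`^[a-zA-Z]{3}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}`) accepts strings that are not valid dates, such as an unknown month abbreviation or day 99, and `strptime` raises `ValueError` for those. Unless the caller catches it (not visible here), a single malformed or hostile log line could raise out of date detection; wrapping the call in `try`/`except ValueError` and leaving `date = None` keeps the "no date found" result. The class otherwise repeats pattern handling that `DateStrptime`, imported next to it in `datedetector.py`, appears to provide already. `%b` depends on the process locale, which deserves a comment on `setPattern`.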
@@ -220,22 +220,3 @@ class DateISO8601(DateTemplate): return date -class DateASSPlike(DateTemplate): - - def __init__(self): - DateTemplate.__init__(self) - self.__pattern = "" - - def setPattern(self, pattern): - self.__pattern = pattern.strip() - - def getPattern(self): - return self.__pattern - - def getDate(self, line): - date = None - dateMatch = self.matchDate(line) - if dateMatch: - date = list(time.strptime(dateMatch.group(), self.getPattern())) - return date - From 07aee8cd335f56b43f65188815fd98d94254c4fa Mon Sep 17 00:00:00 2001 From: Enrico Labedzki Date: Wed, 1 May 2013 02:35:46 +0200 Subject: [PATCH 14/51] as daniel desires --- config/jail.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/jail.conf b/config/jail.conf index 86425b9c..8b82d1d7 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -92,8 +92,8 @@ logpath = /var/log/mail.log # ASSP SMTP Proxy Jail [assp] enabled = false -port = 25,465,587 filter = assp +action = iptables-multiport[name=assp,port="25,465,587"] logpath = /root/path/to/assp/logs/maillog.txt # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is From e27385e87304951478d3b3c88dafc1a7a593f838 Mon Sep 17 00:00:00 2001 From: Enrico Labedzki Date: Wed, 1 May 2013 03:42:13 +0200 Subject: [PATCH 15/51] as yaroslav wishes --- server/datetemplate.py | 1 - 1 file changed, 1 deletion(-) diff --git a/server/datetemplate.py b/server/datetemplate.py index 01492755..d404cf68 100644 --- a/server/datetemplate.py +++ b/server/datetemplate.py @@ -219,4 +219,3 @@ class DateISO8601(DateTemplate): date = list(iso8601.parse_date(value).timetuple()) return date - From 36b0d78ff88aa9d4558fd24d9ea1859d8063c3e7 Mon Sep 17 00:00:00 2001 From: Enrico Labedzki Date: Wed, 1 May 2013 04:51:56 +0200 Subject: [PATCH 16/51] tight control of the filter for ASSP --- config/filter.d/assp.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/config/filter.d/assp.conf b/config/filter.d/assp.conf index 055fb9fe..b1bfc082 100644 --- a/config/filter.d/assp.conf +++ b/config/filter.d/assp.conf @@ -20,9 +20,9 @@ # Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded __assp_actions = (dropping|refusing) -failregex = max sender authentication errors \(\d+\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: [a-zA-Z0-9]+;$ +failregex = max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: [a-zA-Z0-9]+;$ SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$ - Blocking - too much AUTH errors \(\d+\);$ + Blocking - too much AUTH errors \(\d{,3}\);$ # Option: ignoreregex From fd01649a61065b41abc8490a4c04074e36ee7c13 Mon Sep 17 00:00:00 2001 From: Enrico Labedzki Date: Thu, 2 May 2013 06:19:39 +0200 Subject: [PATCH 17/51] fixed test date thx to steven --- testcases/datedetectortestcase.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testcases/datedetectortestcase.py b/testcases/datedetectortestcase.py index 3bf7bf0f..a3d90f22 100644 --- a/testcases/datedetectortestcase.py +++ b/testcases/datedetectortestcase.py @@ -85,7 +85,7 @@ class DateDetectorTest(unittest.TestCase): "2005-01-23T21:59:59-05:00Z", #ISO 8601 with TZ "<01/23/05@21:59:59>", "050123 21:59:59", # MySQL - "Apr-27-13 01:27:45", # ASSP like + "Jan-23-05 21:59:59", # ASSP like ): log = sdate + "[sshd] error: PAM: Authentication failure" # exclude From 617fe6cb02d387c9eabe22267794c4eb7b3147f9 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Fri, 3 May 2013 01:03:53 -0400 Subject: [PATCH 18/51] Slight tune up of changelog entry (treeish change due to squashing) --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
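Review bot: The new quantifier `\d{,3}` in both changed `failregex` lines has no lower bound, so it also matches zero digits, and an empty `()` now satisfies a pattern that previously required at least one digit. `\(\d{1,3}\)` gives the intended tightening. On the first changed line the reply code is still written `\d{1}\.\d{1}.\d{1}` with the second dot unescaped, which matches any character; `\d\.\d\.\d` says what is meant. A match on these lines leads to a ban, so the patterns should accept exactly the proxy's own message format and nothing broader.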
diff --git a/ChangeLog b/ChangeLog index f19130c4..c80e3b3c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -73,7 +73,7 @@ Borreli, blotus: * [f336d9f] Add filter for webmin. Closes gh-99. - Enhancements: Enrico Labedzki - * [1524b07] Added Datew format for ASSP SMTP Proxy. + * [24a8d07] Added new date format for ASSP SMTP Proxy. Steven Hiscocks * [3d6791f] Ensure restart of Actions after a check fails occurs consistently. Closes gh-172. From 495f2dd877d0f1db6260af46a1e162dbea956cf6 Mon Sep 17 00:00:00 2001 
From: Daniel Black Date: Fri, 3 May 2013 16:03:38 +1000 Subject: [PATCH 19/51] DOC: purge of svn tags --- client/__init__.py | 1 - client/actionreader.py | 1 - client/configparserinc.py | 1 - client/configreader.py | 1 - client/configurator.py | 1 - client/csocket.py | 1 - client/fail2banreader.py | 1 - client/filterreader.py | 1 - client/jailreader.py | 1 - client/jailsreader.py | 1 - common/__init__.py | 1 - common/helpers.py | 1 - common/protocol.py | 1 - common/version.py | 1 - config/action.d/dshield.conf | 1 - config/action.d/dummy.conf | 1 - config/action.d/hostsdeny.conf | 1 - config/action.d/ipfw.conf | 1 - config/action.d/iptables-allports.conf | 1 - config/action.d/iptables-multiport-log.conf | 1 - config/action.d/iptables-multiport.conf | 1 - config/action.d/iptables-new.conf | 1 - config/action.d/iptables-xt_recent-echo.conf | 1 - config/action.d/iptables.conf | 1 - config/action.d/mail-buffered.conf | 1 - config/action.d/mail-whois-lines.conf | 1 - config/action.d/mail-whois.conf | 1 - config/action.d/mail.conf | 1 - config/action.d/mynetwatchman.conf | 1 - config/action.d/sendmail-buffered.conf | 1 - config/action.d/sendmail-whois-lines.conf | 1 - config/action.d/sendmail-whois.conf | 1 - config/action.d/sendmail.conf | 1 - config/action.d/shorewall.conf | 1 - config/filter.d/apache-auth.conf | 1 - config/filter.d/apache-badbots.conf | 1 - config/filter.d/apache-nohome.conf | 1 - config/filter.d/apache-noscript.conf | 1 - config/filter.d/apache-overflows.conf | 1 - config/filter.d/asterisk.conf | 1 - config/filter.d/common.conf | 1 - config/filter.d/courierlogin.conf | 1 - config/filter.d/couriersmtp.conf | 1 - config/filter.d/cyrus-imap.conf | 1 - config/filter.d/dovecot.conf | 1 - config/filter.d/dropbear.conf | 1 - config/filter.d/exim.conf | 1 - config/filter.d/gssftpd.conf | 1 - config/filter.d/named-refused.conf | 1 - config/filter.d/pam-generic.conf | 1 - config/filter.d/postfix.conf | 1 - config/filter.d/proftpd.conf | 1 - 
config/filter.d/pure-ftpd.conf | 1 - config/filter.d/qmail.conf | 1 - config/filter.d/sasl.conf | 1 - config/filter.d/sieve.conf | 1 - config/filter.d/sshd.conf | 1 - config/filter.d/vsftpd.conf | 1 - config/filter.d/webmin-auth.conf | 1 - config/filter.d/wuftpd.conf | 1 - config/filter.d/xinetd-fail.conf | 1 - files/cacti/fail2ban_stats.sh | 1 - files/gentoo-initd | 1 - server/__init__.py | 3 --- server/actions.py | 3 --- server/asyncserver.py | 3 --- server/banmanager.py | 3 --- server/datetemplate.py | 3 --- server/faildata.py | 3 --- server/failmanager.py | 3 --- server/filterpoll.py | 2 -- server/jailthread.py | 3 --- server/server.py | 3 --- server/ticket.py | 3 --- server/transmitter.py | 3 --- testcases/__init__.py | 1 - testcases/actiontestcase.py | 1 - testcases/banmanagertestcase.py | 1 - testcases/datedetectortestcase.py | 1 - testcases/failmanagertestcase.py | 1 - testcases/servertestcase.py | 1 - testcases/sockettestcase.py | 1 - 82 files changed, 105 deletions(-) diff --git a/client/__init__.py b/client/__init__.py index c448827b..3de9058c 100644 --- a/client/__init__.py +++ b/client/__init__.py @@ -19,7 +19,6 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" __version__ = "$Revision$" diff --git a/client/actionreader.py b/client/actionreader.py index 9ad1ef28..c1a64245 100644 --- a/client/actionreader.py +++ b/client/actionreader.py @@ -19,7 +19,6 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" __version__ = "$Revision$" diff --git a/client/configparserinc.py b/client/configparserinc.py index 7ac8b4a5..df5af1ac 100644 --- a/client/configparserinc.py +++ b/client/configparserinc.py @@ -19,7 +19,6 @@ # Author: Yaroslav Halchenko # Modified: Cyril Jaquier -# $Revision$ __author__ = 'Yaroslav Halhenko' __revision__ = '$Revision$' diff --git a/client/configreader.py b/client/configreader.py index 4b4a391b..9fb6b3eb 100644 --- a/client/configreader.py +++ b/client/configreader.py 
@@ -19,7 +19,6 @@ # Author: Cyril Jaquier # Modified by: Yaroslav Halchenko (SafeConfigParserWithIncludes) -# $Revision$ __author__ = "Cyril Jaquier" __version__ = "$Revision$" diff --git a/client/configurator.py b/client/configurator.py index 2097fd54..fc588558 100644 --- a/client/configurator.py +++ b/client/configurator.py @@ -19,7 +19,6 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" __version__ = "$Revision$" diff --git a/client/csocket.py b/client/csocket.py index 6e014e23..c6f318f2 100644 --- a/client/csocket.py +++ b/client/csocket.py @@ -19,7 +19,6 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" __version__ = "$Revision$" diff --git a/client/fail2banreader.py b/client/fail2banreader.py index c8f42976..026076fa 100644 --- a/client/fail2banreader.py +++ b/client/fail2banreader.py @@ -19,7 +19,6 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" __version__ = "$Revision$" diff --git a/client/filterreader.py b/client/filterreader.py index 7dba3579..b8c47558 100644 --- a/client/filterreader.py +++ b/client/filterreader.py @@ -19,7 +19,6 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" __version__ = "$Revision$" diff --git a/client/jailreader.py b/client/jailreader.py index ad69bfa0..d6f678ee 100644 --- a/client/jailreader.py +++ b/client/jailreader.py @@ -19,7 +19,6 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" __version__ = "$Revision$" diff --git a/client/jailsreader.py b/client/jailsreader.py index 91e178d6..f87794dd 100644 --- a/client/jailsreader.py +++ b/client/jailsreader.py @@ -19,7 +19,6 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" __version__ = "$Revision$" diff --git a/common/__init__.py b/common/__init__.py index c448827b..3de9058c 100644 --- a/common/__init__.py +++ b/common/__init__.py @@ -19,7 +19,6 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" __version__ = "$Revision$" 
diff --git a/common/helpers.py b/common/helpers.py index 6115b971..3c830138 100644 --- a/common/helpers.py +++ b/common/helpers.py @@ -20,7 +20,6 @@ # Author: Cyril Jaquier # Author: Arturo 'Buanzo' Busleiman # -# $Revision$ __author__ = "Cyril Jaquier" __version__ = "$Revision$" diff --git a/common/protocol.py b/common/protocol.py index 1083a94b..ccd44398 100644 --- a/common/protocol.py +++ b/common/protocol.py @@ -19,7 +19,6 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" __version__ = "$Revision$" diff --git a/common/version.py b/common/version.py index 2a1c0d0b..df3b97c3 100644 --- a/common/version.py +++ b/common/version.py @@ -19,7 +19,6 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier, Yaroslav Halchenko" __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2012 Yaroslav Halchenko" diff --git a/config/action.d/dshield.conf b/config/action.d/dshield.conf index 151db28f..ca68e638 100644 --- a/config/action.d/dshield.conf +++ b/config/action.d/dshield.conf @@ -25,7 +25,6 @@ # configured at DShield), and // (to # configure how often the buffer is flushed). # -# $Revision$ [Definition] diff --git a/config/action.d/dummy.conf b/config/action.d/dummy.conf index ea59881a..20507c0b 100644 --- a/config/action.d/dummy.conf +++ b/config/action.d/dummy.conf @@ -2,7 +2,6 @@ # # Author: Cyril Jaquier # -# $Revision$ # [Definition] diff --git a/config/action.d/hostsdeny.conf b/config/action.d/hostsdeny.conf index b04f2adb..f73c6ec4 100644 --- a/config/action.d/hostsdeny.conf +++ b/config/action.d/hostsdeny.conf @@ -2,7 +2,6 @@ # # Author: Cyril Jaquier # -# $Revision$ # [Definition] diff --git a/config/action.d/ipfw.conf b/config/action.d/ipfw.conf index 62612307..3a56415d 100644 --- a/config/action.d/ipfw.conf +++ b/config/action.d/ipfw.conf @@ -3,7 +3,6 @@ # Author: Nick Munger # Modified by: Cyril Jaquier # -# $Revision$ # [Definition] 
diff --git a/config/action.d/iptables-allports.conf b/config/action.d/iptables-allports.conf index a02ba63d..50f49d82 100644 --- a/config/action.d/iptables-allports.conf +++ b/config/action.d/iptables-allports.conf @@ -4,7 +4,6 @@ # Modified: Yaroslav O. Halchenko # made active on all ports from original iptables.conf # -# $Revision$ # [Definition] diff --git a/config/action.d/iptables-multiport-log.conf b/config/action.d/iptables-multiport-log.conf index 49958013..b79983fc 100644 --- a/config/action.d/iptables-multiport-log.conf +++ b/config/action.d/iptables-multiport-log.conf @@ -7,7 +7,6 @@ # make "fail2ban--log" chain to log and drop # insert a jump to fail2ban- from -I if proto/port match # -# $Revision$ # [Definition] diff --git a/config/action.d/iptables-multiport.conf b/config/action.d/iptables-multiport.conf index ab0ee8de..f799289f 100644 --- a/config/action.d/iptables-multiport.conf +++ b/config/action.d/iptables-multiport.conf @@ -2,7 +2,6 @@ # # Author: Cyril Jaquier # Modified by Yaroslav Halchenko for multiport banning -# $Revision$ # [Definition] diff --git a/config/action.d/iptables-new.conf b/config/action.d/iptables-new.conf index 12f398c7..f22916e1 100644 --- a/config/action.d/iptables-new.conf +++ b/config/action.d/iptables-new.conf @@ -4,7 +4,6 @@ # Copied from iptables.conf and modified by Yaroslav Halchenko # to fullfill the needs of bugreporter dbts#350746. # -# $Revision$ # [Definition] diff --git a/config/action.d/iptables-xt_recent-echo.conf b/config/action.d/iptables-xt_recent-echo.conf index 887311be..4fb397a2 100644 --- a/config/action.d/iptables-xt_recent-echo.conf +++ b/config/action.d/iptables-xt_recent-echo.conf @@ -2,7 +2,6 @@ # # Author: Zbigniew Jędrzejewski-Szmek # -# $Revision: 1 $ # [Definition] diff --git a/config/action.d/iptables.conf b/config/action.d/iptables.conf index a3412f6b..662b41c0 100644 --- a/config/action.d/iptables.conf +++ b/config/action.d/iptables.conf 
@@ -2,7 +2,6 @@ # # Author: Cyril Jaquier # -# $Revision$ # [Definition] diff --git a/config/action.d/mail-buffered.conf b/config/action.d/mail-buffered.conf index 94a60e3b..7ff17cf2 100644 --- a/config/action.d/mail-buffered.conf +++ b/config/action.d/mail-buffered.conf @@ -2,7 +2,6 @@ # # Author: Cyril Jaquier # -# $Revision$ # [Definition] diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf index 2120432e..d30e266d 100644 --- a/config/action.d/mail-whois-lines.conf +++ b/config/action.d/mail-whois-lines.conf @@ -2,7 +2,6 @@ # # Author: Cyril Jaquier # Modified-By: Yaroslav Halchenko to include grepping on IP over log files -# $Revision$ # [Definition] diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf index 3293c7a2..f58ae535 100644 --- a/config/action.d/mail-whois.conf +++ b/config/action.d/mail-whois.conf @@ -2,7 +2,6 @@ # # Author: Cyril Jaquier # -# $Revision$ # [Definition] diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf index f9942e10..f9a54979 100644 --- a/config/action.d/mail.conf +++ b/config/action.d/mail.conf @@ -2,7 +2,6 @@ # # Author: Cyril Jaquier # -# $Revision$ # [Definition] diff --git a/config/action.d/mynetwatchman.conf b/config/action.d/mynetwatchman.conf index 06f16db6..5245a4e3 100644 --- a/config/action.d/mynetwatchman.conf +++ b/config/action.d/mynetwatchman.conf @@ -24,7 +24,6 @@ # Another useful configuration value is , if you don't have wget # installed (an example config for curl is given below) # -# $Revision$ [Definition] diff --git a/config/action.d/sendmail-buffered.conf b/config/action.d/sendmail-buffered.conf index ce4479e8..bec1e91c 100644 --- a/config/action.d/sendmail-buffered.conf +++ b/config/action.d/sendmail-buffered.conf @@ -2,7 +2,6 @@ # # Author: Cyril Jaquier # -# $Revision$ # [Definition] diff --git a/config/action.d/sendmail-whois-lines.conf b/config/action.d/sendmail-whois-lines.conf index 30cd84b8..bc5074c6 100644 
--- a/config/action.d/sendmail-whois-lines.conf +++ b/config/action.d/sendmail-whois-lines.conf @@ -2,7 +2,6 @@ # # Author: Cyril Jaquier # -# $Revision$ # [Definition] diff --git a/config/action.d/sendmail-whois.conf b/config/action.d/sendmail-whois.conf index 6b7b9383..0d1fd97e 100644 --- a/config/action.d/sendmail-whois.conf +++ b/config/action.d/sendmail-whois.conf @@ -2,7 +2,6 @@ # # Author: Cyril Jaquier # -# $Revision$ # [Definition] diff --git a/config/action.d/sendmail.conf b/config/action.d/sendmail.conf index db619a87..8054050d 100644 --- a/config/action.d/sendmail.conf +++ b/config/action.d/sendmail.conf @@ -2,7 +2,6 @@ # # Author: Cyril Jaquier # -# $Revision$ # [Definition] diff --git a/config/action.d/shorewall.conf b/config/action.d/shorewall.conf index aca3a256..31c1dce5 100644 --- a/config/action.d/shorewall.conf +++ b/config/action.d/shorewall.conf @@ -2,7 +2,6 @@ # # Author: Cyril Jaquier # -# $Revision$ # # The default Shorewall configuration is with "BLACKLISTNEWONLY=Yes" (see # file /etc/shorewall/shorewall.conf). This means that when Fail2ban adds a diff --git a/config/filter.d/apache-auth.conf b/config/filter.d/apache-auth.conf index 962fb2e3..66f6a1d6 100644 --- a/config/filter.d/apache-auth.conf +++ b/config/filter.d/apache-auth.conf @@ -2,7 +2,6 @@ # # Author: Cyril Jaquier # -# $Revision$ # [Definition] diff --git a/config/filter.d/apache-badbots.conf b/config/filter.d/apache-badbots.conf index 1c60676d..f9c79472 100644 --- a/config/filter.d/apache-badbots.conf +++ b/config/filter.d/apache-badbots.conf @@ -5,7 +5,6 @@ # # Author: Yaroslav Halchenko # -# $Revision$ # [Definition] diff --git a/config/filter.d/apache-nohome.conf b/config/filter.d/apache-nohome.conf index b6a00005..6e738c68 100644 --- a/config/filter.d/apache-nohome.conf +++ b/config/filter.d/apache-nohome.conf @@ -2,7 +2,6 @@ # # Author: Yaroslav O. Halchenko # -# $Revision$ # [Definition] 
diff --git a/config/filter.d/apache-noscript.conf b/config/filter.d/apache-noscript.conf index 4746fbfb..5b48cb32 100644 --- a/config/filter.d/apache-noscript.conf +++ b/config/filter.d/apache-noscript.conf @@ -2,7 +2,6 @@ # # Author: Cyril Jaquier # -# $Revision$ # [Definition] diff --git a/config/filter.d/apache-overflows.conf b/config/filter.d/apache-overflows.conf index 4567f7da..e25b79a4 100644 --- a/config/filter.d/apache-overflows.conf +++ b/config/filter.d/apache-overflows.conf @@ -2,7 +2,6 @@ # # Author: Tim Connors # -# $Revision$ # [Definition] diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf index 73947a67..9ed69804 100644 --- a/config/filter.d/asterisk.conf +++ b/config/filter.d/asterisk.conf @@ -2,7 +2,6 @@ # # Author: Xavier Devlamynck # -# $Revision$ # diff --git a/config/filter.d/common.conf b/config/filter.d/common.conf index 18bf41c5..52b644cf 100644 --- a/config/filter.d/common.conf +++ b/config/filter.d/common.conf @@ -3,7 +3,6 @@ # # Author: Yaroslav Halchenko # -# $Revision$ # [INCLUDES] diff --git a/config/filter.d/courierlogin.conf b/config/filter.d/courierlogin.conf index b8710ac3..20731e5d 100644 --- a/config/filter.d/courierlogin.conf +++ b/config/filter.d/courierlogin.conf @@ -3,7 +3,6 @@ # Author: Christoph Haas # Modified by: Cyril Jaquier # -# $Revision$ # [Definition] diff --git a/config/filter.d/couriersmtp.conf b/config/filter.d/couriersmtp.conf index f0d696ff..6c0cf5ff 100644 --- a/config/filter.d/couriersmtp.conf +++ b/config/filter.d/couriersmtp.conf @@ -2,7 +2,6 @@ # # Author: Cyril Jaquier # -# $Revision$ # [Definition] diff --git a/config/filter.d/cyrus-imap.conf b/config/filter.d/cyrus-imap.conf index 3a8734ee..758f75de 100644 --- a/config/filter.d/cyrus-imap.conf +++ b/config/filter.d/cyrus-imap.conf @@ -2,7 +2,6 @@ # # Author: Jan Wagner # -# $Revision$ # [Definition] diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf index 18451e42..d7fb6e6d 100644 
--- a/config/filter.d/dovecot.conf +++ b/config/filter.d/dovecot.conf @@ -2,7 +2,6 @@ # # Author: Martin Waschbuesch # -# $Revision$ # [Definition] diff --git a/config/filter.d/dropbear.conf b/config/filter.d/dropbear.conf index 1309cc41..c822d08c 100644 --- a/config/filter.d/dropbear.conf +++ b/config/filter.d/dropbear.conf @@ -3,7 +3,6 @@ # Author: Francis Russell # Zak B. Elep # -# $Revision$ # # More information: http://bugs.debian.org/546913 diff --git a/config/filter.d/exim.conf b/config/filter.d/exim.conf index 8bf4fc5f..b846e992 100644 --- a/config/filter.d/exim.conf +++ b/config/filter.d/exim.conf @@ -2,7 +2,6 @@ # # Author: Cyril Jaquier # -# $Revision$ # [Definition] diff --git a/config/filter.d/gssftpd.conf b/config/filter.d/gssftpd.conf index 8c166309..e6c2e84a 100644 --- a/config/filter.d/gssftpd.conf +++ b/config/filter.d/gssftpd.conf @@ -2,7 +2,6 @@ # # Author: Kevin Zembower (copied from wsftpd.conf) # -# $Revision$ # [Definition] diff --git a/config/filter.d/named-refused.conf b/config/filter.d/named-refused.conf index 64f7d685..1cdc626e 100644 --- a/config/filter.d/named-refused.conf +++ b/config/filter.d/named-refused.conf @@ -4,7 +4,6 @@ # # Author: Yaroslav Halchenko # -# $Revision$ # [Definition] diff --git a/config/filter.d/pam-generic.conf b/config/filter.d/pam-generic.conf index 702f8ab0..eaeb122f 100644 --- a/config/filter.d/pam-generic.conf +++ b/config/filter.d/pam-generic.conf @@ -2,7 +2,6 @@ # # Author: Yaroslav Halchenko # -# $Revision$ # [Definition] diff --git a/config/filter.d/postfix.conf b/config/filter.d/postfix.conf index d2dc4a0c..f92c3619 100644 --- a/config/filter.d/postfix.conf +++ b/config/filter.d/postfix.conf @@ -2,7 +2,6 @@ # # Author: Cyril Jaquier # -# $Revision$ # [Definition] diff --git a/config/filter.d/proftpd.conf b/config/filter.d/proftpd.conf index 55a15da9..f28e2d4b 100644 --- a/config/filter.d/proftpd.conf +++ b/config/filter.d/proftpd.conf 
@@ -2,7 +2,6 @@ # # Author: Yaroslav Halchenko # -# $Revision$ # [Definition] diff --git a/config/filter.d/pure-ftpd.conf b/config/filter.d/pure-ftpd.conf index 8066ae00..de46461d 100644 --- a/config/filter.d/pure-ftpd.conf +++ b/config/filter.d/pure-ftpd.conf @@ -3,7 +3,6 @@ # Author: Cyril Jaquier # Modified: Yaroslav Halchenko for pure-ftpd # -# $Revision$ # [Definition] diff --git a/config/filter.d/qmail.conf b/config/filter.d/qmail.conf index 4d7acd6f..04feb2b7 100644 --- a/config/filter.d/qmail.conf +++ b/config/filter.d/qmail.conf @@ -2,7 +2,6 @@ # # Author: Cyril Jaquier # -# $Revision$ # [Definition] diff --git a/config/filter.d/sasl.conf b/config/filter.d/sasl.conf index 4be847ee..6c4aeba7 100644 --- a/config/filter.d/sasl.conf +++ b/config/filter.d/sasl.conf @@ -2,7 +2,6 @@ # # Author: Yaroslav Halchenko # -# $Revision$ # [Definition] diff --git a/config/filter.d/sieve.conf b/config/filter.d/sieve.conf index 00e9daf1..866b4228 100644 --- a/config/filter.d/sieve.conf +++ b/config/filter.d/sieve.conf @@ -2,7 +2,6 @@ # # Author: Jan Wagner # -# $Revision$ # [Definition] diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf index b4e645c4..4138a9c4 100644 --- a/config/filter.d/sshd.conf +++ b/config/filter.d/sshd.conf @@ -2,7 +2,6 @@ # # Author: Cyril Jaquier # -# $Revision$ # [INCLUDES] diff --git a/config/filter.d/vsftpd.conf b/config/filter.d/vsftpd.conf index 4fc25777..259e2c82 100644 --- a/config/filter.d/vsftpd.conf +++ b/config/filter.d/vsftpd.conf @@ -2,7 +2,6 @@ # # Author: Cyril Jaquier # -# $Revision$ # [Definition] diff --git a/config/filter.d/webmin-auth.conf b/config/filter.d/webmin-auth.conf index b1df45dc..67f6e73f 100644 --- a/config/filter.d/webmin-auth.conf +++ b/config/filter.d/webmin-auth.conf @@ -3,7 +3,6 @@ # Author: Cyril Jaquier # Rule by : Delvit Guillaume # -# $Revision$ # [Definition] diff --git a/config/filter.d/wuftpd.conf b/config/filter.d/wuftpd.conf index 6f266fb5..3351d258 100644 
--- a/config/filter.d/wuftpd.conf +++ b/config/filter.d/wuftpd.conf @@ -2,7 +2,6 @@ # # Author: Yaroslav Halchenko # -# $Revision$ # [Definition] diff --git a/config/filter.d/xinetd-fail.conf b/config/filter.d/xinetd-fail.conf index e1c1e108..4ff5bfde 100644 --- a/config/filter.d/xinetd-fail.conf +++ b/config/filter.d/xinetd-fail.conf @@ -2,7 +2,6 @@ # # Author: Guido Bozzetto # -# $Revision$ # [Definition] diff --git a/files/cacti/fail2ban_stats.sh b/files/cacti/fail2ban_stats.sh index 4d29854f..2c2e368a 100644 --- a/files/cacti/fail2ban_stats.sh +++ b/files/cacti/fail2ban_stats.sh @@ -25,7 +25,6 @@ # # Author: Cyril Jaquier # -# $Revision$ FAIL2BAN="fail2ban-client" diff --git a/files/gentoo-initd b/files/gentoo-initd index 4f4486ca..b56d4bdb 100755 --- a/files/gentoo-initd +++ b/files/gentoo-initd @@ -17,7 +17,6 @@ # # Author: Sireyessire, Cyril Jaquier # -# $Revision$ extra_started_commands="reload showlog" diff --git a/server/__init__.py b/server/__init__.py index c448827b..2b76f4b6 100644 --- a/server/__init__.py +++ b/server/__init__.py @@ -19,10 +19,7 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" -__version__ = "$Revision$" -__date__ = "$Date$" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" diff --git a/server/actions.py b/server/actions.py index ddcc83d6..4f538b7b 100644 --- a/server/actions.py +++ b/server/actions.py @@ -19,11 +19,8 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" -__version__ = "$Revision$" -__date__ = "$Date$" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" diff --git a/server/asyncserver.py b/server/asyncserver.py index 35167a6b..87f91633 100644 --- a/server/asyncserver.py +++ b/server/asyncserver.py @@ -19,11 +19,8 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" -__version__ = "$Revision$" -__date__ = "$Date$" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" 
diff --git a/server/banmanager.py b/server/banmanager.py index 1143f791..88a01ea2 100644 --- a/server/banmanager.py +++ b/server/banmanager.py @@ -19,11 +19,8 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" -__version__ = "$Revision$" -__date__ = "$Date$" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" diff --git a/server/datetemplate.py b/server/datetemplate.py index c35e58c2..8c49aa15 100644 --- a/server/datetemplate.py +++ b/server/datetemplate.py @@ -19,11 +19,8 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" -__version__ = "$Revision$" -__date__ = "$Date$" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" diff --git a/server/faildata.py b/server/faildata.py index 1f0bda04..3d943434 100644 --- a/server/faildata.py +++ b/server/faildata.py @@ -19,11 +19,8 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" -__version__ = "$Revision$" -__date__ = "$Date$" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" diff --git a/server/failmanager.py b/server/failmanager.py index 02f16ce3..57d7fced 100644 --- a/server/failmanager.py +++ b/server/failmanager.py @@ -19,11 +19,8 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" -__version__ = "$Revision$" -__date__ = "$Date$" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" diff --git a/server/filterpoll.py b/server/filterpoll.py index f0e23ac1..8a6a88e7 100644 --- a/server/filterpoll.py +++ b/server/filterpoll.py @@ -21,8 +21,6 @@ # __author__ = "Cyril Jaquier, Yaroslav Halchenko" -__version__ = "$Revision$" -__date__ = "$Date$" __copyright__ = "Copyright (c) 2004 Cyril Jaquier; 2012 Yaroslav Halchenko" __license__ = "GPL" diff --git a/server/jailthread.py b/server/jailthread.py index 343ea7e2..11d1a82b 100644 --- a/server/jailthread.py +++ b/server/jailthread.py 
@@ -19,11 +19,8 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" -__version__ = "$Revision$" -__date__ = "$Date$" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" diff --git a/server/server.py b/server/server.py index d46ab9b3..a8cf1c2f 100644 --- a/server/server.py +++ b/server/server.py @@ -19,11 +19,8 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" -__version__ = "$Revision$" -__date__ = "$Date$" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" diff --git a/server/ticket.py b/server/ticket.py index c03761c1..8826f26b 100644 --- a/server/ticket.py +++ b/server/ticket.py @@ -19,11 +19,8 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" -__version__ = "$Revision$" -__date__ = "$Date$" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" diff --git a/server/transmitter.py b/server/transmitter.py index b54fbb93..deaf9adf 100644 --- a/server/transmitter.py +++ b/server/transmitter.py @@ -19,11 +19,8 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" -__version__ = "$Revision$" -__date__ = "$Date$" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" diff --git a/testcases/__init__.py b/testcases/__init__.py index c448827b..3de9058c 100644 --- a/testcases/__init__.py +++ b/testcases/__init__.py @@ -19,7 +19,6 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" __version__ = "$Revision$" diff --git a/testcases/actiontestcase.py b/testcases/actiontestcase.py index 281cb0b6..73f40549 100644 --- a/testcases/actiontestcase.py +++ b/testcases/actiontestcase.py @@ -19,7 +19,6 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" __version__ = "$Revision$" diff --git a/testcases/banmanagertestcase.py b/testcases/banmanagertestcase.py index 6d0ce55a..58651573 100644 --- a/testcases/banmanagertestcase.py +++ b/testcases/banmanagertestcase.py 
@@ -19,7 +19,6 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" __version__ = "$Revision$" diff --git a/testcases/datedetectortestcase.py b/testcases/datedetectortestcase.py index a3d90f22..4b38fb12 100644 --- a/testcases/datedetectortestcase.py +++ b/testcases/datedetectortestcase.py @@ -19,7 +19,6 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" __version__ = "$Revision$" diff --git a/testcases/failmanagertestcase.py b/testcases/failmanagertestcase.py index ffee4ff1..de23219c 100644 --- a/testcases/failmanagertestcase.py +++ b/testcases/failmanagertestcase.py @@ -19,7 +19,6 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" __version__ = "$Revision$" diff --git a/testcases/servertestcase.py b/testcases/servertestcase.py index 1b6eb8d3..9a285553 100644 --- a/testcases/servertestcase.py +++ b/testcases/servertestcase.py @@ -19,7 +19,6 @@ # Author: Cyril Jaquier # -# $Revision$ __author__ = "Cyril Jaquier" __version__ = "$Revision$" diff --git a/testcases/sockettestcase.py b/testcases/sockettestcase.py index 4cd5a687..cd13c772 100644 --- a/testcases/sockettestcase.py +++ b/testcases/sockettestcase.py @@ -19,7 +19,6 @@ # Author: Steven Hiscocks # -# $Revision$ __author__ = "Steven Hiscocks" __version__ = "$Revision$" From b3bd877d23e578e12791c6db4ca9fd82108d75c3 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Tue, 30 Apr 2013 07:48:01 +1000 Subject: [PATCH 20/51] BF: change common.conf to handle formats of syslog -v and syslog -vv in BSD --- config/filter.d/common.conf | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/config/filter.d/common.conf b/config/filter.d/common.conf index 18bf41c5..a5fe1176 100644 --- a/config/filter.d/common.conf +++ b/config/filter.d/common.conf 
@@ -41,7 +41,10 @@ __hostname = \S+ # # Common line prefixes (beginnings) which could be used in filters # -# [hostname] [vserver tag] daemon_id spaces -# this can be optional (for instance if we match named native log files) -__prefix_line = \s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s* - +# [bsdverbose]? [hostname] [vserver tag] daemon_id spaces +# +# bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or +# appearing before the host as per testcases/files/logs/bsd/*. +# +# This can be optional (for instance if we match named native log files) +__prefix_line = \s*(<[^.]+.[^.]+>)?\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s* From cde710803367b8529cde6093232ca1151d20ddd7 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Mon, 29 Apr 2013 13:47:33 +1000 Subject: [PATCH 21/51] DOC: bsd syslog files thanks to Nick Hilliard --- testcases/files/logs/bsd/syslog-plain.txt | 3 +++ testcases/files/logs/bsd/syslog-v.txt | 10 ++++++++++ testcases/files/logs/bsd/syslog-vv.txt | 5 +++++ 3 files changed, 18 insertions(+) create mode 100644 testcases/files/logs/bsd/syslog-plain.txt create mode 100644 testcases/files/logs/bsd/syslog-v.txt create mode 100644 testcases/files/logs/bsd/syslog-vv.txt diff --git a/testcases/files/logs/bsd/syslog-plain.txt b/testcases/files/logs/bsd/syslog-plain.txt new file mode 100644 index 00000000..7dcecb2e --- /dev/null +++ b/testcases/files/logs/bsd/syslog-plain.txt @@ -0,0 +1,3 @@ +Apr 2 17:52:55 pancake sshd[55657]: Invalid user oracle from 192.0.2.100 +Apr 2 17:53:01 pancake sshd[55657]: error: PAM: authentication error for illegal user oracle from test.example.com +Apr 2 17:53:01 pancake sshd[55657]: Failed keyboard-interactive/pam for invalid user oracle from 192.0.2.100 port 48856 ssh2 diff --git a/testcases/files/logs/bsd/syslog-v.txt b/testcases/files/logs/bsd/syslog-v.txt new file mode 100644 index 00000000..319582ba 
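Review bot: The optional group added to `__prefix_line`, `(<[^.]+.[^.]+>)?`, accepts far more than a `<4.3>`-style tag. The middle `.` is unescaped and matches any character, and `[^.]+` also matches spaces and `>`, so the group can stretch over dot-free text up to a later `>` on the line. Every filter that uses `%(__prefix_line)s` inherits this, and log lines carry remote-supplied strings, so a loose prefix makes it easier for injected text to line up with a failregex. I would tighten it to `(?:<[^.\s>]+\.[^.\s>]+>)?`, which also keeps the group non-capturing like the rest of the line. Re-run the samples under testcases/files/logs/bsd/ against the tightened pattern.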
--- /dev/null +++ b/testcases/files/logs/bsd/syslog-v.txt @@ -0,0 +1,10 @@ +Apr 2 17:51:27 <4.3> pancake sshd[55624]: error: PAM: authentication error for nick from test.example.com +Apr 2 17:51:32 <4.6> pancake sshd[55628]: Invalid user r00t from 192.0.2.100 +Apr 2 17:51:33 <4.3> pancake sshd[55628]: error: PAM: authentication error for illegal user r00t from test.example.com +Apr 2 17:51:33 <4.6> pancake sshd[55628]: Failed keyboard-interactive/pam for invalid user r00t from 192.0.2.100 port 46050 ssh2 +Apr 2 17:51:34 <4.3> pancake sshd[55628]: error: PAM: authentication error for illegal user r00t from test.example.com +Apr 2 17:51:34 <4.6> pancake sshd[55628]: Failed keyboard-interactive/pam for invalid user r00t from 192.0.2.100 port 46050 ssh2 +Apr 2 17:51:36 <4.3> pancake sshd[55628]: error: PAM: authentication error for illegal user r00t from test.example.com +Apr 2 17:51:36 <4.6> pancake sshd[55628]: Failed keyboard-interactive/pam for invalid user r00t from 192.0.2.100 port 46050 ssh2 +Apr 2 17:52:06 <4.6> pancake sshd[55647]: Invalid user oracle from 192.0.2.100 +Apr 2 17:52:07 <4.3> pancake sshd[55647]: error: PAM: authentication error for illegal user oracle from test.example.com diff --git a/testcases/files/logs/bsd/syslog-vv.txt b/testcases/files/logs/bsd/syslog-vv.txt new file mode 100644 index 00000000..74143226 --- /dev/null +++ b/testcases/files/logs/bsd/syslog-vv.txt @@ -0,0 +1,5 @@ +Mar 19 23:48:18 pancake sshd[55517]: Invalid user r00t from 183.60.159.20 +Mar 19 23:48:20 pancake sshd[55519]: Invalid user r00t from 183.60.159.20 +Mar 19 23:50:03 pancake sshd[55604]: Invalid user http from 183.60.159.20 +Mar 19 23:50:05 pancake sshd[55606]: Invalid user kylix from 183.60.159.20 +Mar 19 23:50:08 pancake sshd[55608]: Invalid user nagios from 183.60.159.20 From ebfab512bc7618365ea8eaf64f4039ea709c6f5b Mon Sep 17 00:00:00 2001 
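Review bot: syslog-vv.txt records a publicly routable address, `183.60.159.20`, in every `Invalid user` line, whereas syslog-plain.txt and syslog-v.txt use `192.0.2.100` from the reserved documentation range. Committed fixtures are better off with the documentation address in all three files, so the repository does not permanently attribute login attempts to a real host. The filters match on the line format, not on the specific address, so substituting `192.0.2.100` should not change what the sample exercises.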
From: Daniel Black Date: Fri, 3 May 2013 16:15:26 +1000 Subject: [PATCH 22/51] DOC: credits for bsd log --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index c80e3b3c..24a88587 100644 --- a/ChangeLog +++ b/ChangeLog @@ -50,6 +50,8 @@ Borreli, blotus: gh-70. Thanks to iGeorgeX for the idea. blotus * [96eb8986] ' and " should also be escaped in action tags Closes gh-109 + Christoph Theis, Nick Hilliard, Daniel Black + * [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD - New features: Yaroslav Halchenko * [9ba27353] Add support for jail.d/{confilefile} and fail2ban.d/{configfile} From 40c56b10a0f91a84377ccecc38ecdfc01cdeafdc Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Tue, 30 Apr 2013 23:27:16 +1000 Subject: [PATCH 23/51] EHN: enhance sshd filter for bsd. --- config/filter.d/sshd.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf index b4e645c4..f9d9c050 100644 --- a/config/filter.d/sshd.conf +++ b/config/filter.d/sshd.conf @@ -23,7 +23,7 @@ _daemon = sshd # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # -failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from \s*$ +failregex = ^%(__prefix_line)s(?:error: PAM: )?[A|a]uthentication (?:failure|error) for .* from \s*$ ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from \s*$ ^%(__prefix_line)sFailed \S+ for .* from (?: port \d*)?(?: ssh\d*)?\s*$ ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$ From be725ae5c39ab7dfb7c73e7f112806bb5ef473de Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Fri, 3 May 2013 16:19:44 +1000 Subject: [PATCH 24/51] DOC: credits for BSD ssh filter changes --- ChangeLog | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index c80e3b3c..b10931be 100644 --- a/ChangeLog +++ b/ChangeLog 
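Review bot: `[A|a]uthentication` in the first failregex line is a character class, so it matches `A`, `a` and a literal `|`; alternation does not exist inside brackets. `[aA]uthentication` expresses the intent. The practical effect is small, but patterns that decide bans are easier to audit when they match exactly the strings in the sample logs and nothing else. The failregex value continues beyond this hunk.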
@@ -96,7 +96,8 @@ Borreli, blotus: * [7cd6dab] Added help command to fail2ban-client. * [c8c7b0b,23bbc60] Better logging of log file read errors. * [3665e6d] Added code coverage to development process. - * [41b9f7b,32d10e9] More complete ssh filter rules to match openssh source. + * [41b9f7b,32d10e9,39750b8] More complete ssh filter rules to match openssh + source. Also include BSD changes. * [1d9abd1] Action files can have tags in definition that refer to other tags. Pascal Borreli From b6d0e8ad9c7b688e8bc4dd375bdc897293a21320 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Fri, 3 May 2013 16:31:45 +1000 Subject: [PATCH 25/51] ENH: add ipfw rule for bsd using the tables. --- config/action.d/bsd-ipfw.conf | 82 +++++++++++++++++++++++++++++++++++ config/jail.conf | 13 ++++++ 2 files changed, 95 insertions(+) create mode 100644 config/action.d/bsd-ipfw.conf diff --git a/config/action.d/bsd-ipfw.conf b/config/action.d/bsd-ipfw.conf new file mode 100644 index 00000000..33f176e4 --- /dev/null +++ b/config/action.d/bsd-ipfw.conf @@ -0,0 +1,82 @@ +# Fail2Ban configuration file +# +# Author: Nick Munger +# Modified by: Ken Menzel +# Daniel Black (start/stop) +# Fabian Wenk (many ideas as per fail2ban users list) +# +# Ensure firewall_enable="YES" in the top of /etc/rc.conf +# + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = ipfw show | fgrep -q 'table()' || ( ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e
else exit b }'; num=$?; ipfw -q add $num deny from table\(
\) to me ; echo $num > "" ) + + +# Option: actionstop +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = [ -f ] && ( read num < ""
ipfw -q delete $num
rm "" ) + + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +# requires an ipfw rule like "deny ip from table(1) to me" +actionban = ipfw table
add + + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = ipfw table
delete + +[Init] +# Option: table +# Notes: The ipfw table to use. If a ipfw rule using this table already exists, +# this action will not create a ipfw rule to block it and the following +# options will have no effect. +# Values: NUM +table = 1 + +# Option: port +# Notes.: Specifies port to monitor. Blank indicate block all ports. +# Values: [ NUM | STRING ] +# +port = + +# Option: startstatefile +# Notes: A file to indicate that the table rule that was added. Ensure it is unique per table. +# Values: STRING +startstatefile = /var/run/fail2ban/ipfw-started-table_
+ +# Option: action +# Notes: This is the action to take for automaticly created rules. See the +# ACTION defination at the top of man ipfw for allowed values. +# "deny" and "unreach port" are probably the useful. +# Values: STRING +action = deny + +# Option: block +# Notes: This is how much to block. +# Can be "ip", "tcp", "udp" or various other options. +# Values: STRING +block = ip diff --git a/config/jail.conf b/config/jail.conf index 8b82d1d7..17c4dfe9 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -139,6 +139,19 @@ action = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600] logpath = /var/log/sshd.log maxretry = 5 +# bsd-ipfw is ipfw used by BSD. It uses ipfw tables. +# table number must be unique. +# +# This will create a deny rule for that table ONLY if a rule +# for the table doesn't ready exist. +# +[ssh-bsd-ipfw] +enabled = false +filter = sshd +action = bsd-ipfw[port=ssh,table=1] +logpath = /var/log/auth.log +maxretry = 5 + # This jail demonstrates the use of wildcards in "logpath". # Moreover, it is possible to give other files on a new line. From f402609f19fcbf2467adbe9d64766fa9107aad30 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Fri, 3 May 2013 16:32:11 +1000 Subject: [PATCH 26/51] DOC: credits for bsd-ipfw --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index c80e3b3c..35c706cc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -69,6 +69,9 @@ Borreli, blotus: * [5f2d383] Add roundcube auth filter. Closes Debian bug #699442. Daniel Black * [be06b1b] Add action for iptables-ipsets. Closes gh-102. + Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk + * [b6d0e8a] Add and enhance the bsd-ipfw action from + FreeBSD ports. Soulard Morgan * [f336d9f] Add filter for webmin. Closes gh-99. - Enhancements: From 0c5a9c53e1542784b7c1ab2d41463aa464f54104 Mon Sep 17 00:00:00 2001 
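Review bot: `actionstart` in bsd-ipfw.conf passes the chosen rule number out of awk through its exit status (`exit e` / `exit b`, then `num=$?`). The shell truncates that status to 0–255, and it cannot be told apart from an awk error status. A free slot above 255 would wrap to a different number, and a failing `ipfw show | awk` would still yield a "rule number" that is written to the state file. `actionstop` later runs `ipfw -q delete $num` on whatever that file holds, which removes every rule carrying that number, including ones the administrator added. I would print the value instead: end the awk program with `END { print (e ? e : b) }`, capture it with `num=$( ipfw show | awk '…' )`, and only add the rule and write the state file when `$num` is a non-empty integer. A digits-only check on the value read back in `actionstop` before calling `ipfw -q delete` would close the same gap from the other side.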
From: Daniel Black Date: Tue, 16 Apr 2013 21:11:06 +1000 Subject: [PATCH 27/51] ENH: pf action thanks to Nick Hilliard . --- config/action.d/pf.conf | 62 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 config/action.d/pf.conf diff --git a/config/action.d/pf.conf b/config/action.d/pf.conf new file mode 100644 index 00000000..d82cbb12 --- /dev/null +++ b/config/action.d/pf.conf @@ -0,0 +1,62 @@ +# Fail2Ban configuration file +# +# OpenBSD pf ban/unban +# +# Author: Nick Hilliard +# +# + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +# we don't enable PF automatically, as it will be enabled elsewhere +actionstart = + + +# Option: actionstop +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +# we don't disable PF automatically either +actionstop = + + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: IP address +# number of failures +#