From 95845b7b6571cd80385777de6fdd932612165831 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Sat, 30 Nov 2013 17:47:10 +1100
Subject: [PATCH 1/3] BF: complain action could match too many IP addresses
---
 ChangeLog | 1 +
 config/action.d/complain.conf | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 3cc0f453..12fc70f1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -20,6 +20,7 @@ ver. 0.8.12 (2013/12/XX) - things-can-only-get-better
 - smtps not a IANA standard and has been removed from Arch. Replaced with 465. Thanks Stefan. Closes gh-447
 - mysqld-syslog-iptables rule was too long. Part of gh-447.
+ - complain action - ensure where not matching other IPs in log sample.
 - Enhancements:
 - long names on jails documented based on iptables limit of 30 less
diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
index ad14a87e..d1ca25c7 100644
--- a/config/action.d/complain.conf
+++ b/config/action.d/complain.conf
@@ -58,7 +58,7 @@ actioncheck =
 actionban = ADDRESSES=`whois | perl -e 'while () { next if /^changed|@(ripe|apnic)\.net/io; $m += (/abuse|trouble:|report|spam|security/io?3:0); if (/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)/io) { while (s/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)//io) { if ($m) { $a{lc($1)}=$m } else { $b{lc($1)}=$m } } $m=0 } else { $m && --$m } } if (%%a) {print join(",",keys(%%a))} else {print join(",",keys(%%b))}'`
 IP=
 if [ ! -z "$ADDRESSES" ]; then
- (printf %%b "\n"; date '+Note: Local timezone is %%z (%%Z)'; grep '' ) | "Abuse from " $ADDRESSES
+ (printf %%b "\n"; date '+Note: Local timezone is %%z (%%Z)'; grep '[^0-9][^0-9]' ) | "Abuse from " $ADDRESSES
 fi
 # Option: actionunban
From 0495aa098eefb1ad7111c7f98ee761e8e642c65e Mon Sep 17 00:00:00 2001
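Review bot: The new pattern `[^0-9]<ip>[^0-9]` on the added grep line demands a non-digit on both sides of the address, so a log line that begins or ends with the banned address (Apache access logs put the client address in the first field) never matches, and the abuse report goes out with an empty log excerpt. PATCH 3/3 in this series repairs that for complain.conf with `grep -E '(^|[^0-9])<ip>([^0-9]|$)'`, but PATCH 2/3 introduces the same unanchored form in mail-whois-lines.conf and sendmail-whois-lines.conf (and in ipfw.conf, where it is presumably harmless because the address sits mid-line in `ipfw list` output), and nothing later in the series touches those files again. The `<ip>` tag appears to have been stripped from this rendering of the patch; the patterns are quoted here as they read in the files.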
From: Daniel Black
Date: Sat, 30 Nov 2013 18:01:45 +1100
Subject: [PATCH 2/3] BF: grep matches on shouldn't include other IPs
---
 config/action.d/ipfw.conf | 2 +-
 config/action.d/mail-whois-lines.conf | 2 +-
 config/action.d/sendmail-whois-lines.conf | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/action.d/ipfw.conf b/config/action.d/ipfw.conf
index 09045815..37625209 100644
--- a/config/action.d/ipfw.conf
+++ b/config/action.d/ipfw.conf
@@ -43,7 +43,7 @@ actionban = ipfw add tcp from to
 # Tags: See jail.conf(5) man page
 # Values: CMD
 #
-actionunban = ipfw delete `ipfw list | grep -i | awk '{print $1;}'`
+actionunban = ipfw delete `ipfw list | grep -i "[^0-9][^0-9]" | awk '{print $1;}'`
 [Init]
diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf
index 758c4eff..6b7b3841 100644
--- a/config/action.d/mail-whois-lines.conf
+++ b/config/action.d/mail-whois-lines.conf
@@ -42,7 +42,7 @@ actionban = printf %%b "Hi,\n
 Here are more information about :\n
 `whois `\n\n
 Lines containing IP: in \n
- `grep '\<\>' `\n\n
+ `grep '[^0-9][^0-9]' `\n\n
 Regards,\n
 Fail2Ban"|mail -s "[Fail2Ban] : banned from `uname -n`"
diff --git a/config/action.d/sendmail-whois-lines.conf b/config/action.d/sendmail-whois-lines.conf
index 5a331e24..a0f0a9c3 100644
--- a/config/action.d/sendmail-whois-lines.conf
+++ b/config/action.d/sendmail-whois-lines.conf
@@ -58,7 +58,7 @@ actionban = printf %%b "Subject: [Fail2Ban] : banned from `uname -n`
 Here are more information about :\n
 `/usr/bin/whois `\n\n
 Lines containing IP: in \n
- `grep '\<\>' `\n\n
+ `grep '[^0-9][^0-9]' `\n\n
 Regards,\n
 Fail2Ban" | /usr/sbin/sendmail -f
From 36917d7517a6c864d1a9c8b5390ded4d49d474eb Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Mon, 9 Dec 2013 09:21:55 +1100
Subject: [PATCH 3/3] BF: action.d/complain - match IP at beginning and end of lines
---
 config/action.d/complain.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
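Review bot: The `<ip>` tag is substituted verbatim into a regular expression on all three added grep lines (the complain.conf hunks of PATCH 1/3 and 3/3 have the same property), so every `.` in the address is a wildcard rather than a literal dot, and the `-i` kept on the ipfw.conf line adds nothing for a dotted quad. Because these patterns exist precisely so that other hosts' log lines are not mailed to a third party and other hosts' firewall rules are not deleted, a fixed-string match is the safer tool: `grep -F -w '<ip>'` keeps the address from matching inside a longer one and also matches it at the start or end of a line, at the cost of rejecting an address glued to a letter or underscore, which the `[^0-9]` guard would accept. Whether every target platform's grep accepts `-w` together with `-F` should be confirmed before switching, since ipfw.conf is aimed at a BSD grep rather than GNU grep.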
diff --git a/config/action.d/complain.conf b/config/action.d/complain.conf
index d1ca25c7..62331f19 100644
--- a/config/action.d/complain.conf
+++ b/config/action.d/complain.conf
@@ -58,7 +58,7 @@ actioncheck =
 actionban = ADDRESSES=`whois | perl -e 'while () { next if /^changed|@(ripe|apnic)\.net/io; $m += (/abuse|trouble:|report|spam|security/io?3:0); if (/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)/io) { while (s/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)//io) { if ($m) { $a{lc($1)}=$m } else { $b{lc($1)}=$m } } $m=0 } else { $m && --$m } } if (%%a) {print join(",",keys(%%a))} else {print join(",",keys(%%b))}'`
 IP=
 if [ ! -z "$ADDRESSES" ]; then
- (printf %%b "\n"; date '+Note: Local timezone is %%z (%%Z)'; grep '[^0-9][^0-9]' ) | "Abuse from " $ADDRESSES
+ (printf %%b "\n"; date '+Note: Local timezone is %%z (%%Z)'; grep -E '(^|[^0-9])([^0-9]|$)' ) | "Abuse from " $ADDRESSES
 fi
 # Option: actionunban
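Review bot: After three revisions of this single grep, the reason for the `(^|[^0-9])` and `([^0-9]|$)` guards is still not written down anywhere in the file, so the next person who simplifies the line back to `grep '<ip>'` will silently reintroduce the over-match. The `# Notes.:` block above actionban, which lies outside this hunk, should state the intent, e.g. `#          the grep is anchored on non-digits so that <ip> cannot match inside a longer address (1.2.3.4 in 11.2.3.4 or 1.2.3.45); those lines belong to other hosts and must not be mailed to the abuse contact`. The addresses in that example are constructed for illustration.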