Merge branch 'master' into 0.9

Conflicts: ChangeLog Spelling correction of 0.8.13 fixed in master config/jail.conf Added nagios and duplicate php-url removal in master Just nagios added, duplicate not issue in 0.9
2014-02-13 20:14:40 +00:00 · 2014-02-13 20:14:40 +00:00 · f68d85a6ac
parent 9bbf4ea258 9bfc77c320
commit f68d85a6ac
6 changed files with 43 additions and 10 deletions
--- a/11
+++ b/11
@ -80,8 +80,8 @@ configuration before relying on it.
   * Add honeypot email address to exim-spam filter as argument


-ver. 0.8.13 (2014/XX/XXX) - maintaince-only-from-now-on
----------
+ver. 0.8.13 (2014/XX/XXX) - maintenance-only-from-now-on
+-----------

 - Fixes:
  - action firewallcmd-ipset had non-working actioncheck. Removed.
@ -89,6 +89,7 @@ ver. 0.8.13 (2014/XX/XXX) - maintaince-only-from-now-on
  - filter pureftpd - added _daemon which got removed. Added

 - New Features:
+  - filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa)

 - Enhancements:
  - filter pureftpd - added all translations of "Authentication failed for
@ -103,7 +104,7 @@ ver. 0.8.12 (2014/01/22) - things-can-only-get-better
  - Rename firewall-cmd-direct-new to firewallcmd-new to fit within jail name
    name length. As per gh-395
  - mysqld-syslog-iptables jailname was too long. Renamed to mysqld-syslog.
-	  Part of gh-447.
+    Part of gh-447.

 - Fixes:
  - allow for ",milliseconds" in the custom date format of proftpd.log
@ -120,7 +121,7 @@ ver. 0.8.12 (2014/01/22) - things-can-only-get-better
  - Fix apache-common for apache-2.4 log file format. Thanks Mark White.
    Closes gh-516
  - Asynchat changed to use push method which verifys whether all data was
-	  send. This ensures that all data is sent before closing the connection.
+    send. This ensures that all data is sent before closing the connection.
  - Removed unnecessary reference to as yet undeclared $jail_name when checking
    a specific jail in nagios script.
  - Filter dovecot reordered session and TLS items in regex with wider scope
@ -967,7 +968,7 @@ ver. 0.5.4 (2005/09/13) - beta
  * Fixed errata in config/gentoo-confd
  * Introduced findtime configuration variable to control the lifetime of caught
    "failed" log entries
-	
+
 ver. 0.5.3 (2005/09/08) - beta
 ----------
 - Fixed a bug when overriding "maxfailures" or "bantime". Thanks to Yaroslav
--- a/bin/fail2ban-client
+++ b/bin/fail2ban-client
@ -137,7 +137,7 @@ class Fail2banClient:

 	def __processCmd(self, cmd, showRet = True):
 		beautifier = Beautifier()
-		ret = True
+		streamRet = True
 		for c in cmd:
 			beautifier.setInputCmd(c)
 			try:
@ -148,10 +148,10 @@ class Fail2banClient:
 					if showRet:
 						print beautifier.beautify(ret[1])
 				else:
-					ret = False
 					logSys.error("NOK: " + `ret[1].args`)
 					if showRet:
 						print beautifier.beautifyError(ret[1])
+					streamRet = False
 			except socket.error:
 				if showRet:
 					logSys.error("Unable to contact server. Is it running?")
@ -160,7 +160,7 @@ class Fail2banClient:
 				if showRet:
 					logSys.error(e)
 				return False
-		return ret
+		return streamRet

 	##
 	# Process a command line.
--- a/config/filter.d/nagios.conf
+++ b/config/filter.d/nagios.conf
@ -0,0 +1,17 @@
+# Fail2Ban filter for Nagios Remote Plugin Executor (nrpe2)
+# Detecting unauthorized access to the nrpe2 daemon 
+# typically logged in /var/log/messages syslog
+#
+
+[INCLUDES]
+# Read syslog common prefixes
+before = common.conf
+
+[Definition]
+_daemon     = nrpe
+failregex   = ^%(__prefix_line)sHost <HOST> is not allowed to talk to us!\s*$
+ignoreregex =
+
+# DEV Notes:
+# 
+# Author: Ivo Truxa - 2014/02/03
--- a/config/jail.conf
+++ b/config/jail.conf
@ -614,7 +614,6 @@ logpath = /var/log/mail.log
 port   = smtp,465,submission
 logpath = /var/log/exim/mainlog

-
 [exim-spam]
 port   = smtp,465,submission
 logpath = /var/log/exim/mainlog
@ -827,3 +826,11 @@ tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
 udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
 action  = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+
+# consider low maxretry and a long bantime
+# nobody except your own Nagios server should ever probe nrpe
+[nagios]
+
+enabled  = false
+logpath  = /var/log/messages     ; nrpe.cfg may define a different log_facility
+maxretry = 1
--- a/fail2ban/server/filterpyinotify.py
+++ b/fail2ban/server/filterpyinotify.py
@ -208,4 +208,8 @@ class ProcessPyinotify(pyinotify.ProcessEvent):

 	# just need default, since using mask on watch to limit events
 	def process_default(self, event):
-		self.__FileFilter.callback(event, origin='Default ')
+		try:
+			self.__FileFilter.callback(event, origin='Default ')
+		except Exception as e:
+			logSys.error("Error in FilterPyinotify callback: %s",
+				e, exc_info=logSys.getEffectiveLevel() <= logging.DEBUG)
--- a/testcases/files/logs/nagios
+++ b/testcases/files/logs/nagios
@ -0,0 +1,4 @@
+# Access of unauthorized host in /var/log/messages
+# failJSON: { "time": "2005-02-03T11:22:44", "match": true , "host": "50.97.225.132" }
+Feb  3 11:22:44 valhalla nrpe[63284]: Host 50.97.225.132 is not allowed to talk to us!
+