diff --git a/ChangeLog b/ChangeLog index ed2add0f..5e625c1c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -80,8 +80,8 @@ configuration before relying on it. * Add honeypot email address to exim-spam filter as argument -ver. 0.8.13 (2014/XX/XXX) - maintaince-only-from-now-on ----------- +ver. 0.8.13 (2014/XX/XXX) - maintenance-only-from-now-on +----------- - Fixes: - action firewallcmd-ipset had non-working actioncheck. Removed. @@ -89,6 +89,7 @@ ver. 0.8.13 (2014/XX/XXX) - maintaince-only-from-now-on - filter pureftpd - added _daemon which got removed. Added - New Features: + - filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa) - Enhancements: - filter pureftpd - added all translations of "Authentication failed for @@ -103,7 +104,7 @@ ver. 0.8.12 (2014/01/22) - things-can-only-get-better - Rename firewall-cmd-direct-new to firewallcmd-new to fit within jail name name length. As per gh-395 - mysqld-syslog-iptables jailname was too long. Renamed to mysqld-syslog. - Part of gh-447. + Part of gh-447. - Fixes: - allow for ",milliseconds" in the custom date format of proftpd.log @@ -120,7 +121,7 @@ ver. 0.8.12 (2014/01/22) - things-can-only-get-better - Fix apache-common for apache-2.4 log file format. Thanks Mark White. Closes gh-516 - Asynchat changed to use push method which verifys whether all data was - send. This ensures that all data is sent before closing the connection. + send. This ensures that all data is sent before closing the connection. - Removed unnecessary reference to as yet undeclared $jail_name when checking a specific jail in nagios script. - Filter dovecot reordered session and TLS items in regex with wider scope @@ -967,7 +968,7 @@ ver. 0.5.4 (2005/09/13) - beta * Fixed errata in config/gentoo-confd * Introduced findtime configuration variable to control the lifetime of caught "failed" log entries - + ver. 0.5.3 (2005/09/08) - beta ---------- - Fixed a bug when overriding "maxfailures" or "bantime". Thanks to Yaroslav 
diff --git a/bin/fail2ban-client b/bin/fail2ban-client
index c8778849..15fad1b0 100755
--- a/bin/fail2ban-client
+++ b/bin/fail2ban-client
@@ -137,7 +137,7 @@ class Fail2banClient:
 def __processCmd(self, cmd, showRet = True):
 beautifier = Beautifier()
- ret = True
+ streamRet = True
 for c in cmd:
 beautifier.setInputCmd(c)
 try:
@@ -148,10 +148,10 @@ class Fail2banClient:
 if showRet:
 print beautifier.beautify(ret[1])
 else:
- ret = False
 logSys.error("NOK: " + `ret[1].args`)
 if showRet:
 print beautifier.beautifyError(ret[1])
+ streamRet = False
 except socket.error:
 if showRet:
 logSys.error("Unable to contact server. Is it running?")
@@ -160,7 +160,7 @@ class Fail2banClient:
 if showRet:
 logSys.error(e)
 return False
- return ret
+ return streamRet
 ##
 # Process a command line.
diff --git a/config/filter.d/nagios.conf b/config/filter.d/nagios.conf
new file mode 100644
index 00000000..0429d3ff
--- /dev/null
+++ b/config/filter.d/nagios.conf
@@ -0,0 +1,17 @@
+# Fail2Ban filter for Nagios Remote Plugin Executor (nrpe2)
+# Detecting unauthorized access to the nrpe2 daemon
+# typically logged in /var/log/messages syslog
+#
+
+[INCLUDES]
+# Read syslog common prefixes
+before = common.conf
+
+[Definition]
+_daemon = nrpe
+failregex = ^%(__prefix_line)sHost is not allowed to talk to us!\s*$
+ignoreregex =
+
+# DEV Notes:
+#
+# Author: Ivo Truxa - 2014/02/03
diff --git a/config/jail.conf b/config/jail.conf
index bb3cb38d..a8646763 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -614,7 +614,6 @@ logpath = /var/log/mail.log
 port = smtp,465,submission
 logpath = /var/log/exim/mainlog
-
 [exim-spam]
 port = smtp,465,submission
 logpath = /var/log/exim/mainlog
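Review bot: In the second fail2ban-client hunk the NOK branch only records the failure in `streamRet` and then lets `for c in cmd` carry on, so every remaining command of the stream is still sent after one has failed, while the `socket.error` branch a few lines below returns False at once; if continuing is intended (one bad line should not stop the rest of a stream) that contract is not written anywhere. Add above the loop `# A failed command does not abort the stream; the return value only reports whether every command succeeded.` and a one-line docstring on `__processCmd` saying it returns a bool, never the server's response tuple. The rename to `streamRet` also removes the aliasing with the per-command `ret` tuple whose second element is printed in this hunk; the assignment that produces that tuple is outside the shown lines, and `__processCmd` itself begins in the first hunk and returns in the third.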
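Review bot: As printed here the `failregex` in nagios.conf is `^%(__prefix_line)sHost is not allowed to talk to us!\s*$`, with no `<HOST>` capture between `Host` and `is`, yet the fixture line added in testcases/files/logs/nagios carries the address in exactly that position and its failJSON expects `"host": "50.97.225.132"`; if the tag is really absent rather than dropped by the page rendering, the filter has no address to ban and the test cannot pass. Please confirm the committed line is `failregex = ^%(__prefix_line)sHost <HOST> is not allowed to talk to us!\s*$`. The header comment speaks of nrpe2 while `_daemon = nrpe` and the fixture's syslog tag is `nrpe[63284]`; a short `# _daemon must match the syslog tag (nrpe), not the package name (nrpe2)` next to `_daemon` would stop the next editor from "fixing" it.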
@@ -827,3 +826,11 @@ tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
 udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
 action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
 %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+
+# consider low maxretry and a long bantime
+# nobody except your own Nagios server should ever probe nrpe
+[nagios]
+
+enabled = false
+logpath = /var/log/messages ; nrpe.cfg may define a different log_facility
+maxretry = 1
diff --git a/fail2ban/server/filterpyinotify.py b/fail2ban/server/filterpyinotify.py
index 9ab8a83a..ab57290f 100644
--- a/fail2ban/server/filterpyinotify.py
+++ b/fail2ban/server/filterpyinotify.py
@@ -208,4 +208,8 @@ class ProcessPyinotify(pyinotify.ProcessEvent):
 # just need default, since using mask on watch to limit events
 def process_default(self, event):
- self.__FileFilter.callback(event, origin='Default ')
+ try:
+ self.__FileFilter.callback(event, origin='Default ')
+ except Exception as e:
+ logSys.error("Error in FilterPyinotify callback: %s",
+ e, exc_info=logSys.getEffectiveLevel() <= logging.DEBUG)
diff --git a/testcases/files/logs/nagios b/testcases/files/logs/nagios
new file mode 100644
index 00000000..cbeb0a87
--- /dev/null
+++ b/testcases/files/logs/nagios
@@ -0,0 +1,4 @@
+# Access of unauthorized host in /var/log/messages
+# failJSON: { "time": "2005-02-03T11:22:44", "match": true , "host": "50.97.225.132" }
+Feb 3 11:22:44 valhalla nrpe[63284]: Host 50.97.225.132 is not allowed to talk to us!
+
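Review bot: The new `[nagios]` jail declares no `port`, while every neighbouring jail shown does (`tcpport`/`udpport` in the context lines above, `port = smtp,465,submission` in the previous jail.conf hunk); the explicit action above interpolates `%(tcpport)s`, and the default action this jail falls back to (defined in `[DEFAULT]`, outside the hunk) presumably interpolates `%(port)s` the same way, so the jail will most likely fail to start once someone flips `enabled = true` unless `[DEFAULT]` supplies a port. Adding `port = 5666` (NRPE's conventional listening port) under `logpath` keeps the jail self-contained and limits the ban to the probed service. With `maxretry = 1` a single denied probe bans, which matches the comment's intent but also locks out the monitoring server itself on the first misconfigured check; a comment pointing operators at `ignoreip` for their Nagios host would make that trade-off explicit.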
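Review bot: The broad `except Exception` added to process_default is there to keep the notifier running when a callback fails, but nothing in the hunk says so and a later reader will see only a swallowed error; put `# Never let a failing callback kill the pyinotify loop: log it and keep watching.` above the `try`. The new `exc_info=logSys.getEffectiveLevel() <= logging.DEBUG` expression needs `logging` to be imported in this module, which the hunk does not show; if only `logSys` is in scope, the handler itself raises NameError and the original exception is lost, so please verify the import. The enclosing class ProcessPyinotify starts before the hunk.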