From 110b8e690517001a9393cf81ee6ea2339b00e213 Mon Sep 17 00:00:00 2001 From: Ivo Truxa Date: Mon, 3 Feb 2014 21:39:52 +0100 Subject: [PATCH 01/15] ENH: Nagios filter Sample log entry from /var/log/messages for a denied access to the nrpe2 (Nagios Remote Plugin Executor) daemon --- testcases/files/logs/nagios | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 testcases/files/logs/nagios diff --git a/testcases/files/logs/nagios b/testcases/files/logs/nagios new file mode 100644 index 00000000..9577b327 --- /dev/null +++ b/testcases/files/logs/nagios @@ -0,0 +1,4 @@ +# Access of unauthorized host in /etc/messages +# failJSON: { "time": "2005-02-39T11:22:44", "match": true , "host": "50.97.225.132" } +Feb 3 11:22:44 valhalla nrpe[63284]: Host 50.97.225.132 is not allowed to talk to us! + From c91fda8619d8729920d695ab70e26464a0a4ae4d Mon Sep 17 00:00:00 2001 From: Ivo Truxa Date: Mon, 3 Feb 2014 21:46:07 +0100 Subject: [PATCH 02/15] ENH: Nagios filter Sample log for the first failregex is available in the testcases. No example available for the IPv6 denial yet. --- config/filter.d/nagios.conf | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 config/filter.d/nagios.conf diff --git a/config/filter.d/nagios.conf b/config/filter.d/nagios.conf new file mode 100644 index 00000000..d01769cc --- /dev/null +++ b/config/filter.d/nagios.conf @@ -0,0 +1,21 @@ +# Fail2Ban filter for Nagios Remote Plugin Executor (nrpe2) +# Detecting unauthorized access to the nrpe2 daemon +# typically logged in /var/log/messages syslog +# + + +[INCLUDES] +# Read syslog common prefixes +before = common.conf + + +[Definition] +_daemon = nrpe +failregex = ^%(__prefix_line)sHost is not allowed to talk to us!\s*$ + = ^%(__prefix_line)sConnection from closed. We don't support AF_INET6 addreess family in ACL\s*$ +ignoreregex =. + + +# DEV Notes: +# +# Author: Ivo Truxa - 2014/02/03 From dac4dd465e7da1f5b357613ef5695f2e91998129 Mon Sep 17 00:00:00 2001 
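Review bot: As rendered here neither failregex in the new nagios.conf carries the `<HOST>` tag that fail2ban needs to extract the address to ban, so `^%(__prefix_line)sHost is not allowed to talk to us!\s*$` would not even match the sample line `Host 50.97.225.132 is not allowed to talk to us!` added in the previous patch; if the angle-bracket tag was merely stripped when this page was rendered, disregard this. If it is genuinely missing, the line should read `failregex = ^%(__prefix_line)sHost <HOST> is not allowed to talk to us!\s*$`, and the second pattern needs the same tag after `Connection from`. The second pattern is also unverified by the test case file, since, as the commit message notes, no sample entry exists for the IPv6 denial.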
From: Ivo Truxa Date: Mon, 3 Feb 2014 21:51:49 +0100 Subject: [PATCH 03/15] ENH: Nagios filter added typical configuration settings for the nagios filter --- config/jail.conf | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/config/jail.conf b/config/jail.conf index 5dcce02c..74d1e1d2 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -758,3 +758,15 @@ action = iptables[name=SSH, port=ssh, protocol=tcp] blocklist_de[email="fail2ban@example.com", apikey="xxxxxx", service=%(filter)s] logpath = /var/log/sshd.log maxretry = 20 + + +# consider low maxretry and a long bantime +# nobody except your own Nagios server should ever probe nrpe +[nagios] +enabled = false +filter = nagios +action = iptables[name=Nagios, port=5666, protocol=tcp] + sendmail-whois[name=Nagios, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"] +logpath = /var/log/messages ; nrpe.cfg may define a different log_facility +ignoreip = 123.12.123.12 ; your Nagios server +maxretry = 1 From a8a43e8f3804d1f398b7232a5269869114c17ec8 Mon Sep 17 00:00:00 2001 From: Ivo Truxa Date: Mon, 3 Feb 2014 22:01:22 +0100 Subject: [PATCH 04/15] ENH: Nagios filter new filter Nagios added --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index ba31b47a..a9126208 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,7 @@ ver. 0.8.13 (2014/XX/XXX) - maintaince-only-from-now-on - filter pureftpd - added _daemon which got removed. Added - New Features: + - filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa) - Enhancements: - filter pureftpd - added all translations of "Authentication failed for From a71bb89ccd908bf16678e9cc436c0d317eb8f5a3 Mon Sep 17 00:00:00 2001 
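Review bot: The comment above `[nagios]` recommends a long bantime, but the new jail sets none, so it silently inherits whatever `[DEFAULT]` defines (not visible in this hunk); if the recommendation is meant, add an explicit `bantime = <placeholder seconds>` line under `maxretry = 1`, or drop the comment. `port=5666` in the iptables action is likewise only the nrpe default and deserves the same kind of hint already given for `logpath`, e.g. a line `# port=5666 is the nrpe default; check server_port in nrpe.cfg` above `action`. Note also that in the ConfigParser-based jail reader a key set in a jail section overrides the `[DEFAULT]` value rather than merging with it, so the placeholder `ignoreip = 123.12.123.12` would hide the global ignore list for this jail.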
From: Ivo Truxa Date: Mon, 3 Feb 2014 23:12:56 +0100 Subject: [PATCH 05/15] removing a dot (typo) The dot at the ignoregex did not belong there. Somehow it was added during the copying and pasting. Thanks for reporting it, I did not see it. Otherwise, empty ignoregexes are in all filters, and if they are missing, fail2ban client shows warnings when starting the filter, which I prefer avoiding. --- config/filter.d/nagios.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/filter.d/nagios.conf b/config/filter.d/nagios.conf index d01769cc..283aa987 100644 --- a/config/filter.d/nagios.conf +++ b/config/filter.d/nagios.conf @@ -13,7 +13,7 @@ before = common.conf _daemon = nrpe failregex = ^%(__prefix_line)sHost is not allowed to talk to us!\s*$ = ^%(__prefix_line)sConnection from closed. We don't support AF_INET6 addreess family in ACL\s*$ -ignoreregex =. +ignoreregex = # DEV Notes: From f6ccd8878d80753e6b1f2f61b79ed702896e418f Mon Sep 17 00:00:00 2001 From: Ivo Truxa Date: Mon, 3 Feb 2014 23:27:19 +0100 Subject: [PATCH 06/15] date fix sorry, need to get some glasses --- testcases/files/logs/nagios | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/testcases/files/logs/nagios b/testcases/files/logs/nagios index 9577b327..cbeb0a87 100644 --- a/testcases/files/logs/nagios +++ b/testcases/files/logs/nagios @@ -1,4 +1,4 @@ -# Access of unauthorized host in /etc/messages -# failJSON: { "time": "2005-02-39T11:22:44", "match": true , "host": "50.97.225.132" } +# Access of unauthorized host in /var/log/messages +# failJSON: { "time": "2005-02-03T11:22:44", "match": true , "host": "50.97.225.132" } Feb 3 11:22:44 valhalla nrpe[63284]: Host 50.97.225.132 is not allowed to talk to us! From 20886288e585c07f21e013315da57899e6fca7f2 Mon Sep 17 00:00:00 2001 
From: Chris Markle Date: Wed, 5 Feb 2014 10:44:46 -0800 Subject: [PATCH 07/15] Correct spelling error in changelog I know it's a nit but still... ;) --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index ba31b47a..299329b7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,7 +7,7 @@ Fail2Ban (version 0.8.12.dev) 2014/01/22 ================================================================================ -ver. 0.8.13 (2014/XX/XXX) - maintaince-only-from-now-on +ver. 0.8.13 (2014/XX/XXX) - maintenance-only-from-now-on ----------- - Fixes: From f5f434f846550e14abbb1244a71bd729e8f033b4 Mon Sep 17 00:00:00 2001 From: Ivo Truxa Date: Thu, 6 Feb 2014 00:22:05 +0100 Subject: [PATCH 08/15] removing the second failregex The second failregex was supposed to catch an error concerning an ACL denial over IPv6, but this message is no more generated by the nrpe version (v2.15) that introduced the IPv6 support, so the first failregex seems to be sufficient. --- config/filter.d/nagios.conf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/config/filter.d/nagios.conf b/config/filter.d/nagios.conf index 283aa987..0429d3ff 100644 --- a/config/filter.d/nagios.conf +++ b/config/filter.d/nagios.conf @@ -3,19 +3,15 @@ # typically logged in /var/log/messages syslog # - [INCLUDES] # Read syslog common prefixes before = common.conf - [Definition] _daemon = nrpe failregex = ^%(__prefix_line)sHost is not allowed to talk to us!\s*$ - = ^%(__prefix_line)sConnection from closed. We don't support AF_INET6 addreess family in ACL\s*$ ignoreregex = - # DEV Notes: # # Author: Ivo Truxa - 2014/02/03 From c207ad6058905992aab0b9584b7335ec2bd94a4b Mon Sep 17 00:00:00 2001 
From: Ivo Truxa Date: Thu, 6 Feb 2014 00:27:38 +0100 Subject: [PATCH 09/15] removing ignoreip at [nagios] I removed the ignoreip setting from the nagios section. As pointed out, it is redundant here. Nagios server, under normal circumstances should not trigger any access errors, and would be included in the global ignoreips anyway. --- config/jail.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/config/jail.conf b/config/jail.conf index 74d1e1d2..ffbdf33e 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -768,5 +768,4 @@ filter = nagios action = iptables[name=Nagios, port=5666, protocol=tcp] sendmail-whois[name=Nagios, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"] logpath = /var/log/messages ; nrpe.cfg may define a different log_facility -ignoreip = 123.12.123.12 ; your Nagios server maxretry = 1 From c424e4032d7d3fbfc2423930273bb95bdb365b5d Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Fri, 7 Feb 2014 00:41:22 -0500 Subject: [PATCH 10/15] DOC: minor - replace tabs with spaces for consistent formatting --- ChangeLog | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0f1287dc..948cfcd6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,7 +31,7 @@ ver. 0.8.12 (2014/01/22) - things-can-only-get-better - Rename firewall-cmd-direct-new to firewallcmd-new to fit within jail name name length. As per gh-395 - mysqld-syslog-iptables jailname was too long. Renamed to mysqld-syslog. - Part of gh-447. + Part of gh-447. - Fixes: - allow for ",milliseconds" in the custom date format of proftpd.log 
@@ -48,7 +48,7 @@ ver. 0.8.12 (2014/01/22) - things-can-only-get-better - Fix apache-common for apache-2.4 log file format. Thanks Mark White. Closes gh-516 - Asynchat changed to use push method which verifys whether all data was - send. This ensures that all data is sent before closing the connection. + send. This ensures that all data is sent before closing the connection. - Removed unnecessary reference to as yet undeclared $jail_name when checking a specific jail. - Filter dovecot reordered session and TLS items in regex with wider scope @@ -890,7 +890,7 @@ ver. 0.5.4 (2005/09/13) - beta * Fixed errata in config/gentoo-confd * Introduced findtime configuration variable to control the lifetime of caught "failed" log entries - + ver. 0.5.3 (2005/09/08) - beta ---------- - Fixed a bug when overriding "maxfailures" or "bantime". Thanks to Yaroslav From 3cbfe9b057e493cfaedee26342923889bbf789ba Mon Sep 17 00:00:00 2001 From: Steven Hiscocks Date: Sat, 8 Feb 2014 22:15:19 +0000 Subject: [PATCH 11/15] BF: `ret` now changed after beautifier called --- fail2ban-client | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fail2ban-client b/fail2ban-client index 0f863ab0..af1ac856 100755 --- a/fail2ban-client +++ b/fail2ban-client @@ -156,10 +156,10 @@ class Fail2banClient: if showRet: print beautifier.beautify(ret[1]) else: - ret = False logSys.error("NOK: " + `ret[1].args`) if showRet: print beautifier.beautifyError(ret[1]) + ret = False except socket.error: if showRet: logSys.error("Unable to contact server. Is it running?") From 993b7d3dfb644b54fd336f5f61c9a1a044ffdb45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aar=C3=B3n=20Nieves=20Fern=C3=A1ndez?= Date: Mon, 10 Feb 2014 21:41:50 +0100 Subject: [PATCH 12/15] Duplicate jail "php-url-fopen" --- config/jail.conf | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/config/jail.conf b/config/jail.conf index ffbdf33e..3d74a2f5 100644 --- a/config/jail.conf +++ b/config/jail.conf 
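Review bot: The error branch in `__processCmd` still builds its log line with backquote repr and string concatenation, `logSys.error("NOK: " + `ret[1].args`)`, which is Python-2-only syntax and formats eagerly; the logging-idiomatic form is `logSys.error("NOK: %r", ret[1].args)`. Moving `ret = False` below the `beautifyError(ret[1])` call is the right fix for subscripting a bool, and a one-line comment such as `# only clear ret after the reply has been rendered` on the moved line would stop the next refactor from reintroducing the ordering bug. The method begins before and continues after this hunk.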
@@ -448,16 +448,6 @@ maxretry = 5 # of usage in production environments. [php-url-fopen] -enabled = false -action = iptables-multiport[name=php-url-open, port="http,https"] -filter = php-url-fopen -logpath = /var/www/*/logs/access_log -maxretry = 1 -# Ban attackers that try to use PHP's URL-fopen() functionality -# through GET/POST variables. - Experimental, with more than a year -# of usage in production environments. -[php-url-fopen] - enabled = false action = iptables-multiport[name=php-url-open, port="http,https"] filter = php-url-fopen From bda9b7d7252f3e968f741251640eaacb33d64a3c Mon Sep 17 00:00:00 2001 From: Steven Hiscocks Date: Wed, 12 Feb 2014 18:07:31 +0000 Subject: [PATCH 13/15] BF: Add handling of exception in pyinotify callback If error isn't handled, no error messages are printed and the jail ceases to function. --- server/filterpyinotify.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/server/filterpyinotify.py b/server/filterpyinotify.py index 9ecb999d..530b712d 100644 --- a/server/filterpyinotify.py +++ b/server/filterpyinotify.py @@ -209,4 +209,7 @@ class ProcessPyinotify(pyinotify.ProcessEvent): # just need default, since using mask on watch to limit events def process_default(self, event): - self.__FileFilter.callback(event, origin='Default ') + try: + self.__FileFilter.callback(event, origin='Default ') + except Exception as e: + logSys.error("Error in FilterPyinotify callback: %s", e) From 1e9910fcb0e2eae1004b149d10fdc5876c25c48f Mon Sep 17 00:00:00 2001 From: Steven Hiscocks Date: Wed, 12 Feb 2014 22:18:09 +0000 Subject: [PATCH 14/15] ENH: Added traceback for error log on pyinotify callback when in debug Thanks to Helmut Grohne for idea on #fail2ban IRC --- server/filterpyinotify.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/server/filterpyinotify.py b/server/filterpyinotify.py index 530b712d..42243552 100644 --- a/server/filterpyinotify.py +++ b/server/filterpyinotify.py 
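Review bot: The new `except Exception` in `process_default` logs only the exception text, so an operator cannot tell which watched file or event triggered the failure; pyinotify events expose the path as `event.pathname` (not visible here), which would make the line `logSys.error("Error in FilterPyinotify callback for %s: %s", event.pathname, e)`. Catching every `Exception` at this point is deliberate — the commit message says an unhandled error silently stopped the jail — so a comment on the `try:` line stating that intent, e.g. `# swallow callback errors so one bad event does not kill the watcher`, would keep a later reader from narrowing it. The rest of `ProcessPyinotify` is outside this hunk.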
@@ -212,4 +212,5 @@ class ProcessPyinotify(pyinotify.ProcessEvent): try: self.__FileFilter.callback(event, origin='Default ') except Exception as e: - logSys.error("Error in FilterPyinotify callback: %s", e) + logSys.error("Error in FilterPyinotify callback: %s", + e, exc_info=logSys.getEffectiveLevel() <= logging.DEBUG) From 9bfc77c32003f0156b64a3ab04766b07d55a8e79 Mon Sep 17 00:00:00 2001 From: Steven Hiscocks Date: Thu, 13 Feb 2014 20:03:45 +0000 Subject: [PATCH 15/15] BF: fail2ban-client processCmd ret was being overwritten each loop --- fail2ban-client | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fail2ban-client b/fail2ban-client index af1ac856..b33a27ae 100755 --- a/fail2ban-client +++ b/fail2ban-client @@ -145,7 +145,7 @@ class Fail2banClient: def __processCmd(self, cmd, showRet = True): beautifier = Beautifier() - ret = True + streamRet = True for c in cmd: beautifier.setInputCmd(c) try: @@ -159,7 +159,7 @@ class Fail2banClient: logSys.error("NOK: " + `ret[1].args`) if showRet: print beautifier.beautifyError(ret[1]) - ret = False + streamRet = False except socket.error: if showRet: logSys.error("Unable to contact server. Is it running?") @@ -168,7 +168,7 @@ class Fail2banClient: if showRet: logSys.error(e) return False - return ret + return streamRet ## # Process a command line.
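Review bot: `logSys.getEffectiveLevel() <= logging.DEBUG` is a hand-rolled form of `logSys.isEnabledFor(logging.DEBUG)`, which is the documented way to ask a logger whether DEBUG output is active and also honours `logging.disable()`; the new line would read `e, exc_info=logSys.isEnabledFor(logging.DEBUG))`. The expression also depends on `logging` being imported at module level in filterpyinotify.py, which this hunk does not show, so confirm that before merging. The surrounding `process_default` method begins outside the hunk.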
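Review bot: `__processCmd` now returns `streamRet`, a value that starts True and is cleared by any NOK reply while the remaining commands keep running, yet nothing in the method says so; add `# streamRet: False once any command in the stream replied NOK; later commands still run` next to `streamRet = True` in the first hunk. At least one exception handler, whose tail `return False` is visible as context in the third hunk, instead exits at once, so the two failure modes differ in whether the rest of `cmd` is processed — worth stating in the same comment. The body between the three hunks is outside this view.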