Merge branch 'master' into 0.9

Conflicts:
	ChangeLog
                Spelling correction of 0.8.13 fixed in master
	config/jail.conf
                Added nagios and duplicate php-url removal in master
                Just nagios added, duplicate not issue in 0.9
pull/616/head
Steven Hiscocks 2014-02-13 20:14:40 +00:00
commit f68d85a6ac
6 changed files with 43 additions and 10 deletions

View File

@ -80,8 +80,8 @@ configuration before relying on it.
* Add honeypot email address to exim-spam filter as argument * Add honeypot email address to exim-spam filter as argument
ver. 0.8.13 (2014/XX/XXX) - maintaince-only-from-now-on ver. 0.8.13 (2014/XX/XXX) - maintenance-only-from-now-on
---------- -----------
- Fixes: - Fixes:
- action firewallcmd-ipset had non-working actioncheck. Removed. - action firewallcmd-ipset had non-working actioncheck. Removed.
@ -89,6 +89,7 @@ ver. 0.8.13 (2014/XX/XXX) - maintaince-only-from-now-on
- filter pureftpd - added _daemon which got removed. Added - filter pureftpd - added _daemon which got removed. Added
- New Features: - New Features:
- filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa)
- Enhancements: - Enhancements:
- filter pureftpd - added all translations of "Authentication failed for - filter pureftpd - added all translations of "Authentication failed for
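Review bot: the new 0.8.13 "New Features" entry records the nagios filter but not the `[nagios]` jail this same commit adds to config/jail.conf, nor that the jail ships with `enabled = false`; add a clause such as "and matching jail (disabled by default)" so packagers and upgraders know the feature needs to be switched on.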
@ -103,7 +104,7 @@ ver. 0.8.12 (2014/01/22) - things-can-only-get-better
- Rename firewall-cmd-direct-new to firewallcmd-new to fit within jail name - Rename firewall-cmd-direct-new to firewallcmd-new to fit within jail name
name length. As per gh-395 name length. As per gh-395
- mysqld-syslog-iptables jailname was too long. Renamed to mysqld-syslog. - mysqld-syslog-iptables jailname was too long. Renamed to mysqld-syslog.
Part of gh-447. Part of gh-447.
- Fixes: - Fixes:
- allow for ",milliseconds" in the custom date format of proftpd.log - allow for ",milliseconds" in the custom date format of proftpd.log
@ -120,7 +121,7 @@ ver. 0.8.12 (2014/01/22) - things-can-only-get-better
- Fix apache-common for apache-2.4 log file format. Thanks Mark White. - Fix apache-common for apache-2.4 log file format. Thanks Mark White.
Closes gh-516 Closes gh-516
- Asynchat changed to use push method which verifys whether all data was - Asynchat changed to use push method which verifys whether all data was
send. This ensures that all data is sent before closing the connection. send. This ensures that all data is sent before closing the connection.
- Removed unnecessary reference to as yet undeclared $jail_name when checking - Removed unnecessary reference to as yet undeclared $jail_name when checking
a specific jail in nagios script. a specific jail in nagios script.
- Filter dovecot reordered session and TLS items in regex with wider scope - Filter dovecot reordered session and TLS items in regex with wider scope
@ -967,7 +968,7 @@ ver. 0.5.4 (2005/09/13) - beta
* Fixed errata in config/gentoo-confd * Fixed errata in config/gentoo-confd
* Introduced findtime configuration variable to control the lifetime of caught * Introduced findtime configuration variable to control the lifetime of caught
"failed" log entries "failed" log entries
ver. 0.5.3 (2005/09/08) - beta ver. 0.5.3 (2005/09/08) - beta
---------- ----------
- Fixed a bug when overriding "maxfailures" or "bantime". Thanks to Yaroslav - Fixed a bug when overriding "maxfailures" or "bantime". Thanks to Yaroslav

View File

@ -137,7 +137,7 @@ class Fail2banClient:
def __processCmd(self, cmd, showRet = True): def __processCmd(self, cmd, showRet = True):
beautifier = Beautifier() beautifier = Beautifier()
ret = True streamRet = True
for c in cmd: for c in cmd:
beautifier.setInputCmd(c) beautifier.setInputCmd(c)
try: try:
@ -148,10 +148,10 @@ class Fail2banClient:
if showRet: if showRet:
print beautifier.beautify(ret[1]) print beautifier.beautify(ret[1])
else: else:
ret = False
logSys.error("NOK: " + `ret[1].args`) logSys.error("NOK: " + `ret[1].args`)
if showRet: if showRet:
print beautifier.beautifyError(ret[1]) print beautifier.beautifyError(ret[1])
streamRet = False
except socket.error: except socket.error:
if showRet: if showRet:
logSys.error("Unable to contact server. Is it running?") logSys.error("Unable to contact server. Is it running?")
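Review bot: the reordering in the else branch fixes a real defect, not just a rename: in the old code `ret = False` ran before `logSys.error("NOK: " + \`ret[1].args\`)`, so `ret[1]` indexed a boolean and raised instead of reporting the server's NOK reply. Keeping the per-command reply in `ret` and moving the overall status into `streamRet`, set after the logging and printing, is the right fix. Worth a client test that sends a command the server rejects and asserts both that the error text is printed and that the method returns False.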
@ -160,7 +160,7 @@ class Fail2banClient:
if showRet: if showRet:
logSys.error(e) logSys.error(e)
return False return False
return ret return streamRet
## ##
# Process a command line. # Process a command line.
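Review bot: as far as the hunk shows, a NOK reply sets `streamRet = False` but does not break out of the loop, so the remaining commands in the stream still execute; a socket.error, by contrast, returns False immediately. If continuing past a rejected command is intended (so that e.g. later `add`/`set` commands are not skipped), say so in the method docstring, otherwise add a `break` next to `streamRet = False`.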

View File

@ -0,0 +1,17 @@
# Fail2Ban filter for Nagios Remote Plugin Executor (nrpe2)
# Detecting unauthorized access to the nrpe2 daemon
# typically logged in /var/log/messages syslog
#
[INCLUDES]
# Read syslog common prefixes
before = common.conf
[Definition]
_daemon = nrpe
failregex = ^%(__prefix_line)sHost <HOST> is not allowed to talk to us!\s*$
ignoreregex =
# DEV Notes:
#
# Author: Ivo Truxa - 2014/02/03
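Review bot: the header comment talks about "nrpe2" while `_daemon = nrpe`, and the accompanying test sample logs the tag as `nrpe[63284]`; make the comment and the daemon tag agree, or, if some builds really syslog as nrpe2, widen `_daemon` to a regex such as `nrpe2?` so `__prefix_line` matches both. The single `failregex` is tight (literal message, `<HOST>` in the position nrpe prints the rejected peer, `\s*$` tail), which is good; a filter whose only regex is this specific should come with at least one non-matching sample so the test suite also covers false positives.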

View File

@ -614,7 +614,6 @@ logpath = /var/log/mail.log
port = smtp,465,submission port = smtp,465,submission
logpath = /var/log/exim/mainlog logpath = /var/log/exim/mainlog
[exim-spam] [exim-spam]
port = smtp,465,submission port = smtp,465,submission
logpath = /var/log/exim/mainlog logpath = /var/log/exim/mainlog
@ -827,3 +826,11 @@ tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015 udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
# consider low maxretry and a long bantime
# nobody except your own Nagios server should ever probe nrpe
[nagios]
enabled = false
logpath = /var/log/messages ; nrpe.cfg may define a different log_facility
maxretry = 1
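Review bot: the comment above the section recommends a long bantime, but no `bantime` is set, so the jail inherits whatever DEFAULT provides; either add an explicit `bantime` here or reword the comment to say the default applies. `maxretry = 1` is consistent with the stated intent that only your own Nagios server should ever reach nrpe, but it also means that a Nagios server missing from `allowed_hosts` is banned on its very first check; the comment should mention that so an operator enabling the jail fixes nrpe.cfg first. The section also gives no `filter` or `port`, so it relies on the defaults (filter taken from the jail name, ban on all ports); confirm the new filter file is installed under the name `nagios` and that a full-port ban of the probing host is what is intended.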

View File

@ -208,4 +208,8 @@ class ProcessPyinotify(pyinotify.ProcessEvent):
# just need default, since using mask on watch to limit events # just need default, since using mask on watch to limit events
def process_default(self, event): def process_default(self, event):
self.__FileFilter.callback(event, origin='Default ') try:
self.__FileFilter.callback(event, origin='Default ')
except Exception as e:
logSys.error("Error in FilterPyinotify callback: %s",
e, exc_info=logSys.getEffectiveLevel() <= logging.DEBUG)
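Review bot: the new except clause references `logging.DEBUG`, so the module needs `import logging` at the top (not visible in this hunk; the existing `logSys` object does not imply the module name is bound). Catching `Exception` here is appropriate because an error escaping `process_default` would otherwise propagate into the pyinotify notifier and stop event delivery for the whole filter; consider including the event's pathname in the message ("Error in FilterPyinotify callback for %s: %s") so the failing file can be identified from the log.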

View File

@ -0,0 +1,4 @@
# Access of unauthorized host in /var/log/messages
# failJSON: { "time": "2005-02-03T11:22:44", "match": true , "host": "50.97.225.132" }
Feb 3 11:22:44 valhalla nrpe[63284]: Host 50.97.225.132 is not allowed to talk to us!
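Review bot: the file contains only a positive sample; add a negative line (a normal nrpe connection or command message from an allowed host) with `"match": false` so the regex is also checked for false positives, and keep the syslog tag identical to the one the filter's `_daemon` value produces. The failJSON `time` carries a year (2005) that the log line itself does not have, so the test depends on how the harness fills in a missing year; a one-line comment stating that convention would help whoever next edits this sample.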