mirror of https://github.com/fail2ban/fail2ban
Merge commit '0.8.10-1-g460e09a' into 0.9
* commit '0.8.10-1-g460e09a':
  it was not the end of the world and we should continue
  DOC: add information on where to report vulnerabilities + pointer to HOWTO_Seek_Help
  Changes for 0.8.10 release (changelog, version, etc)
  BF: anchor apache- filters. Close #248
  DOC: credits for gh-244
  Filter Asterisk: Add sample log entry to testcase.
  Filter Asterisk: Add AUTH_UNKNOWN_DOMAIN error to list
  ENH: purge a few more .*
  DOC: credits
  DOC: how to do filter enhancements
  TST: normalize logs to use example.com and 1.2.3.4 as IP
  ENH/BF: constrain regex. Fix ACL error regex
  ENH: port optional
  Update asterisk
  Update asterisk.conf

Conflicts:
  ChangeLog
  DEVELOP
  README.md
  fail2ban/version.py

pull/272/head
commit
f6cb981fc0
18
ChangeLog
|
@ -41,14 +41,20 @@ code-review and minor additions from Yaroslav Halchenko.
|
|||
* [..e019ab7] Multiple instances of the same action are allowed in the
|
||||
same jail -- use actname option to disambiguate.
|
||||
|
||||
ver. 0.8.10 (2013/XX/XXX) - NOT-YET-RELEASED
|
||||
ver. 0.8.10 (2013/06/12) - wanna-be-secure
|
||||
-----------
|
||||
|
||||
- Fixes:
|
||||
Yaroslav Halchenko
|
||||
Primarily bugfix and enhancements release, triggered by "bugs" in
|
||||
apache- filters. If you are relying on listed below apache- filters,
|
||||
upgrade asap and seek your distributions to patch their fail2ban
|
||||
distribution with [6ccd5781].
|
||||
|
||||
- Fixes: Yaroslav Halchenko
|
||||
* [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor
|
||||
failregex at the beginning (and where applicable at the end).
|
||||
Addresses a possible DoS. Closes gh-248
|
||||
* action.d/{route,shorewall}.conf - blocktype must be defined
|
||||
within [Init]. Closes gh-232
|
||||
- New Features
|
||||
- Enhancements
|
||||
Yaroslav Halchenko
|
||||
* jail.conf -- assure all jails have actions and remove unused
|
||||
|
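Review bot: the advice "seek your distributions to patch their fail2ban distribution with [6ccd5781]" should also warn that a site-local copy of any of these failregex (the *.local customizations the filters' [INCLUDES] comments refer to) keeps the old unanchored pattern and needs the same `^` prefix, otherwise the DoS this entry describes is not closed on that host.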
@ -57,6 +63,10 @@ ver. 0.8.10 (2013/XX/XXX) - NOT-YET-RELEASED
|
|||
* config/filter.d/roundcube-auth.conf -- support roundcube 0.9+
|
||||
Daniel Black
|
||||
* files/suse-initd -- update to the copy from stock SUSE
|
||||
silviogarbes & Daniel Black
|
||||
* Updates to asterisk filter. Closes gh-227/gh-230.
|
||||
Carlos Alberto Lopez Perez
|
||||
* Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh-244.
|
||||
|
||||
ver. 0.8.9 (2013/05/13) - wanna-be-stable
|
||||
----------
|
||||
|
|
31
DEVELOP
|
@ -34,12 +34,22 @@ When submitting pull requests on GitHub we ask you to:
|
|||
* Include a change to the relevant section of the ChangeLog; and
|
||||
* Include yourself in THANKS if not already there.
|
||||
|
||||
Testing
|
||||
Filters
|
||||
=======
|
||||
|
||||
Existing tests can be run by executing `bin/fail2ban-testcases`. This has
|
||||
options like --log-level that will probably be useful.
|
||||
`bin/fail2ban-testcases --help` forfull options.
|
||||
* Include sample logs with 1.2.3.4 used for IP addresses and
|
||||
example.com/example.org used for DNS names
|
||||
* Ensure ./fail2ban-regex testcases/files/logs/{samplelog} config/filter.d/{filter}.conf
|
||||
has matches for EVERY regex
|
||||
* Ensure regexs end with a $ and are restrictive as possible. E.g. not .* if
|
||||
[0-9]+ is sufficient
|
||||
|
||||
Code Testing
|
||||
============
|
||||
|
||||
Existing tests can be run by executing `bin/fail2ban-testcases`. It has
|
||||
options like --log-level that will probably be useful. Run
|
||||
`bin/fail2ban-testcases --help` for the full list of options.
|
||||
|
||||
Test cases should cover all usual cases, all exception cases and all inside
|
||||
/ outside boundary conditions.
|
||||
|
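Review bot: the new Filters guidance says "Ensure regexs end with a $", but the fix shipped alongside it (anchoring the apache- failregex) is about the start of the line; ask for both `^` and `$`, and say why: only a `^` anchor stops a `[client ...]` string embedded later in the line from being taken as the client field, which is exactly the case the new apache-auth testcase covers. Minor wording: "regexs" should be "regexes" and "restrictive as possible" should be "as restrictive as possible".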
@ -338,10 +348,15 @@ Post Release
|
|||
|
||||
Add the following to the top of the ChangeLog
|
||||
|
||||
ver. 0.8.11 (2013/XX/XXX) - wanna-be-stable
|
||||
- Fixes
|
||||
- New Features
|
||||
- Enhancements
|
||||
ver. 0.8.12 (2013/XX/XXX) - wanna-be-released
|
||||
-----------
|
||||
|
||||
- Fixes:
|
||||
|
||||
- New Features:
|
||||
|
||||
- Enhancements:
|
||||
|
||||
|
||||
and adjust common/version.py to carry .dev suffix to signal
|
||||
a version under development.
|
||||
|
|
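Review bot: the template still says "adjust common/version.py to carry .dev suffix", while the conflict list of this very merge names fail2ban/version.py; on the 0.9 branch the path in DEVELOP should be updated to match, or the next release manager will edit a file that no longer exists.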
13
README.md
|
@ -2,7 +2,7 @@
|
|||
/ _|__ _(_) |_ ) |__ __ _ _ _
|
||||
| _/ _` | | |/ /| '_ \/ _` | ' \
|
||||
|_| \__,_|_|_/___|_.__/\__,_|_||_|
|
||||
v0.9.0a0 2013/05/??
|
||||
v0.9.0a0 2013/??/??
|
||||
|
||||
## Fail2Ban: ban hosts that cause multiple authentication errors
|
||||
|
||||
|
@ -30,8 +30,8 @@ Optional:
|
|||
|
||||
To install, just do:
|
||||
|
||||
tar xvfj fail2ban-0.8.9.tar.bz2
|
||||
cd fail2ban-0.8.9
|
||||
tar xvfj fail2ban-0.8.10.tar.bz2
|
||||
cd fail2ban-0.8.10
|
||||
python setup.py install
|
||||
|
||||
This will install Fail2Ban into /usr/share/fail2ban. The executable scripts are
|
||||
|
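Review bot: the install steps go straight from the 0.8.10 tarball to `python setup.py install`; since this release is described in the ChangeLog as a security fix that users should apply "asap", a line on verifying the downloaded tarball against whatever checksum or signature the release provides, before extracting it, belongs here.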
@ -63,9 +63,14 @@ Code status:
|
|||
Contact:
|
||||
--------
|
||||
|
||||
### You found a severe security vulnerability in Fail2Ban?
|
||||
email details to fail2ban-vulnerabilities at lists dot sourceforge dot net .
|
||||
|
||||
### You need some new features, you found bugs?
|
||||
visit [Issues](https://github.com/fail2ban/fail2ban/issues)
|
||||
and if your issue is not yet known -- file a bug report.
|
||||
and if your issue is not yet known -- file a bug report. See
|
||||
[Fail2Ban wiki](http://www.fail2ban.org/wiki/index.php/HOWTO_Seek_Help)
|
||||
on further instructions.
|
||||
|
||||
### You would like to troubleshoot or discuss?
|
||||
join the [mailing list](https://lists.sourceforge.net/lists/listinfo/fail2ban-users)
|
||||
|
|
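Review bot: the vulnerability-report address is given, but nothing says whether encrypted reports are accepted or what a reporter should expect in response; one sentence (or a link to a key) would help. Also "See [Fail2Ban wiki] ... on further instructions" should read "for further instructions".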
2
THANKS
|
@ -9,6 +9,7 @@ Andrey G. Grozin
|
|||
Arturo 'Buanzo' Busleiman
|
||||
Axel Thimm
|
||||
Bill Heaton
|
||||
Carlos Alberto Lopez Perez
|
||||
Christian Rauch
|
||||
Christoph Haas
|
||||
Christos Psonis
|
||||
|
@ -39,6 +40,7 @@ René Berber
|
|||
Robert Edeker
|
||||
Russell Odom
|
||||
Sireyessire
|
||||
silviogarbes
|
||||
Stephen Gildea
|
||||
Steven Hiscocks
|
||||
Tom Pike
|
||||
|
|
|
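Review bot: THANKS is kept alphabetical, and "silviogarbes" should sit before "Sireyessire" ("sil" sorts before "sir"), unless the list is meant to be case-sensitive, in which case lowercase entries belong at the end.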
@ -4,6 +4,12 @@
|
|||
#
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
# Read common prefixes. If any customizations available -- read them from
|
||||
# common.local
|
||||
before = apache-common.conf
|
||||
|
||||
[Definition]
|
||||
|
||||
# Option: failregex
|
||||
|
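Review bot: the [INCLUDES] comment says customizations are read from "common.local", but the file included here is apache-common.conf, which itself loads apache-common.local; name apache-common.local in the comment. The same wording is repeated in the other three apache- filters touched by this change.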
@ -13,9 +19,7 @@
|
|||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = [[]client <HOST>[]] user .* authentication failure
|
||||
[[]client <HOST>[]] user .* not found
|
||||
[[]client <HOST>[]] user .* password mismatch
|
||||
failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
|
|
|
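Review bot: the new `\s*$` tail means a line with anything after "authentication failure", "not found" or "password mismatch" no longer matches, and the only positive testcase added ("[client 192.168.0.2] user root not found") ends exactly at the keyword. If Apache appends anything after these phrases (for instance the requested URI), real log lines will silently stop matching; either add a testcase line with trailing text to prove they still match, or allow an optional `(: .*)?` before `\s*$`.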
@ -0,0 +1,17 @@
|
|||
# Generic configuration items (to be used as interpolations) in other
|
||||
# apache filters
|
||||
#
|
||||
# Author: Yaroslav Halchenko
|
||||
#
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
# Load customizations if any available
|
||||
after = apache-common.local
|
||||
|
||||
|
||||
[DEFAULT]
|
||||
|
||||
# Common prefix for [error] apache messages which also would include <HOST>
|
||||
_apache_error_client = \[[^]]+\] \[error\] \[client <HOST>\]
|
|
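Review bot: `_apache_error_client` carries no `^` itself, so every consumer must remember to write `^%(_apache_error_client)s`; given that a missing start anchor is the DoS this release fixes, putting the `^` inside the shared prefix (and commenting that it must stay the first element of any failregex that uses it) makes it impossible for the next apache- filter to forget.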
@ -4,6 +4,12 @@
|
|||
#
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
# Read common prefixes. If any customizations available -- read them from
|
||||
# common.local
|
||||
before = apache-common.conf
|
||||
|
||||
[Definition]
|
||||
|
||||
# Option: failregex
|
||||
|
@ -13,7 +19,7 @@
|
|||
# per-domain log files.
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = [[]client <HOST>[]] File does not exist: .*/~.*
|
||||
failregex = ^%(_apache_error_client)s File does not exist: .*/~.*
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
|
|
|
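Review bot: `File does not exist: .*/~.*` is the only rewritten apache- failregex that keeps a trailing `.*` and no `$`, contrary to the DEVELOP rule added in this same change ("Ensure regexs end with a $ ... not .* if [0-9]+ is sufficient"); `\S*/~\S*\s*$` would bound it, assuming the path Apache logs here contains no spaces, and a testcase line should be added for it as was done for apache-auth and apache-noscript.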
@ -4,6 +4,12 @@
|
|||
#
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
# Read common prefixes. If any customizations available -- read them from
|
||||
# common.local
|
||||
before = apache-common.conf
|
||||
|
||||
[Definition]
|
||||
|
||||
# Option: failregex
|
||||
|
@ -13,8 +19,8 @@
|
|||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)
|
||||
[[]client <HOST>[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat *$
|
||||
failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$
|
||||
^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
|
|
|
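Review bot: the two alternatives disagree about what may follow the extension: the first requires the path to end right after `(\.php|\.asp|\.exe|\.pl)` before `\s*$`, the second allows `\S*` after it. Make both allow a suffix or neither, and say which is intended in a comment; the new testcase line (gitweb.cgiwp-login.php) only exercises the second form.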
@ -4,13 +4,19 @@
|
|||
#
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
# Read common prefixes. If any customizations available -- read them from
|
||||
# common.local
|
||||
before = apache-common.conf
|
||||
|
||||
[Definition]
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: Regexp to catch Apache overflow attempts.
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = [[]client <HOST>[]] (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string)
|
||||
failregex = ^%(_apache_error_client)s (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string)
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
|
|
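Review bot: this is the one rewritten apache- failregex with no end anchor. If that is deliberate because these messages carry the offending request text after the keyword, say so in a comment; otherwise add `\s*$` for consistency with apache-auth and apache-noscript.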
|
@ -20,19 +20,24 @@ before = common.conf
|
|||
# (?:::f{4,6}:)?(?P<host>\S+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - Wrong password$
|
||||
NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - No matching peer found$
|
||||
NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch$
|
||||
NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL$
|
||||
NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register$
|
||||
NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - ACL error (permit/deny)$
|
||||
NOTICE%(__pid_re)s <HOST> failed to authenticate as '.*'$
|
||||
NOTICE%(__pid_re)s .*: No registration for peer '.*' \(from <HOST>\)$
|
||||
NOTICE%(__pid_re)s .*: Host <HOST> failed MD5 authentication for '.*' (.*)$
|
||||
NOTICE%(__pid_re)s .*: Failed to authenticate user .*@<HOST>.*$
|
||||
failregex = NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Wrong password$
|
||||
NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - No matching peer found$
|
||||
NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Username/auth name mismatch$
|
||||
NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Device does not match ACL$
|
||||
NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Peer is not supposed to register$
|
||||
NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - ACL error \(permit/deny\)$
|
||||
NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Not a local domain$
|
||||
NOTICE%(__pid_re)s\[[^:]+\] [^:]+: Call from '[^']*' \(<HOST>:[0-9]+\) to extension '[0-9]+' rejected because extension not found in context 'default'.$
|
||||
NOTICE%(__pid_re)s [^:]+: Host <HOST> failed to authenticate as '[^']*'$
|
||||
NOTICE%(__pid_re)s [^:]+: No registration for peer '[^']*' \(from <HOST>\)$
|
||||
NOTICE%(__pid_re)s [^:]+: Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
|
||||
NOTICE%(__pid_re)s [^:]+: Failed to authenticate user [^@]+@<HOST>\S*$
|
||||
SECURITY%(__pid_re)s [^:]+: SecurityEvent="InvalidAccountID",EventTV="[0-9-]+",Severity="[a-zA-Z]+",Service="[a-zA-Z]+",EventVersion="[0-9]+",AccountID="[0-9]+",SessionID="0x[0-9a-f]+",LocalAddress="IPV[46]/(UD|TC)P/[0-9a-fA-F:.]+/[0-9]+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/[0-9]+"$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
||||
|
||||
|
||||
|
|
|
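Review bot: the substantive fixes here are `[^']*` / `[^:]+` in place of `.*` and the escaped `\(permit/deny\)` (the old `(permit/deny)` was a regex group, so the sample line with literal parentheses could never match). What is missing is a negative testcase: apache-auth gets a "Should not match" line in this change, and the asterisk testlog should get one where the quoted From field (`'[^']*'`) itself contains `failed for '...'` text, to lock in that a crafted field cannot shift `<HOST>` onto another address. Also, `NOTICE%(__pid_re)s\[[^:]+\]` on the "Call from" line deserves a comment that the extra bracket group is the `[C-00000fa9]` call id seen in the sample log.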
@ -1,11 +1,15 @@
|
|||
# Sample log files for asterisk
|
||||
[2012-02-13 17:21:54] NOTICE[1638] chan_sip.c: Registration from '<sip:301@asclepios.eyepea.be>' failed for '1.2.3.4' - Wrong password
|
||||
[2012-02-13 17:18:22] NOTICE[1638] chan_sip.c: Registration from '<sip:301@asclepios.eyepea.be>' failed for '1.2.3.4' - No matching peer found
|
||||
[2012-02-13 17:21:21] NOTICE[1638] chan_sip.c: Registration from '<sip:301@asclepios.eyepea.be>' failed for '1.2.3.4' - Username/auth name mismatch
|
||||
[2012-02-13 17:32:01] NOTICE[1638] chan_sip.c: Registration from '<sip:301@asclepios.eyepea.be>' failed for '1.2.3.4' - Device does not match ACL
|
||||
[2012-02-13 17:34:10] NOTICE[1638] chan_sip.c: Registration from '<sip:301@asclepios.eyepea.be>' failed for '1.2.3.4' - Peer is not supposed to register
|
||||
[2012-02-13 17:36:23] NOTICE[1638] chan_sip.c: Registration from '<sip:301@asclepios.eyepea.be>' failed for '1.2.3.4' - ACL error (permit/deny)
|
||||
[2012-02-13 17:21:54] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - Wrong password
|
||||
[2012-02-13 17:18:22] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - No matching peer found
|
||||
[2012-02-13 17:21:21] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - Username/auth name mismatch
|
||||
[2012-02-13 17:32:01] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - Device does not match ACL
|
||||
[2012-02-13 17:34:10] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - Peer is not supposed to register
|
||||
[2012-02-13 17:36:23] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - ACL error (permit/deny)
|
||||
[2012-02-13 17:53:59] NOTICE[1638] chan_iax2.c: Host 1.2.3.4 failed to authenticate as 'Fail2ban'
|
||||
[2012-02-13 17:39:20] NOTICE[1638] chan_iax2.c: No registration for peer 'Fail2ban' (from 1.2.3.4)
|
||||
[2012-02-13 17:44:26] NOTICE[1638] chan_iax2.c: Host 1.2.3.4 failed MD5 authentication for 'Fail2ban' (e7df7cd2ca07f4f1ab415d457a6e1c13 != 53ac4bc41ee4ec77888ed4aa50677247)
|
||||
[2012-02-13 17:37:07] NOTICE[1638] chan_sip.c: Failed to authenticate user "Fail2ban" <sip:301@1.2.3.4>;tag=1r698745234
|
||||
[2013-02-05 23:44:42] NOTICE[436][C-00000fa9] chan_sip.c: Call from '' (1.2.3.4:10836) to extension '0972598285108' rejected because extension not found in context 'default'.
|
||||
[2013-03-26 15:47:54] NOTICE[1237] chan_sip.c: Registration from '"100"sip:100@1.2.3.4' failed for '1.2.3.4:23930' - No matching peer found
|
||||
[2013-05-13 07:10:53] SECURITY[1204] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1368439853-500975",Severity="Error",Service="SIP",EventVersion="1",AccountID="00972599580679",SessionID="0x7f8ecc0421f8",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/1.2.3.4/5070"
|
||||
[2013-06-10 18:15:03] NOTICE[2723] chan_sip.c: Registration from '"100"<sip:100@192.168.0.2:5060>' failed for '1.2.3.4' - Not a local domain
|
||||
|
|
|
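Review bot: the normalization to example.com / 1.2.3.4 is incomplete: the "Not a local domain" sample still carries `192.168.0.2` in the From URI, and the SECURITY sample uses 1.2.3.4 for both LocalAddress and RemoteAddress, so a regex that captured the wrong field would still pass the test; give LocalAddress a different documentation address so the testcase actually pins `<HOST>` to RemoteAddress.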
@ -1,12 +1,12 @@
|
|||
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.40.10.
|
||||
.TH FAIL2BAN-CLIENT "1" "May 2013" "fail2ban-client v0.8.9" "User Commands"
|
||||
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2.
|
||||
.TH FAIL2BAN-CLIENT "1" "June 2013" "fail2ban-client v0.8.10" "User Commands"
|
||||
.SH NAME
|
||||
fail2ban-client \- configure and control the server
|
||||
.SH SYNOPSIS
|
||||
.B fail2ban-client
|
||||
[\fIOPTIONS\fR] \fI<COMMAND>\fR
|
||||
.SH DESCRIPTION
|
||||
Fail2Ban v0.8.9 reads log file that contains password failure report
|
||||
Fail2Ban v0.8.10 reads log file that contains password failure report
|
||||
and bans the corresponding IP addresses using firewall rules.
|
||||
.SH OPTIONS
|
||||
.TP
|
||||
|
|
|
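Review bot: these pages are help2man output ("DO NOT MODIFY THIS FILE"), so the grammar in "reads log file that contains password failure report" (should be "reads log files that contain password failure reports") has to be fixed in the scripts' --help text, not in the generated manpage, or the next regeneration reverts it.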
@ -1,12 +1,12 @@
|
|||
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.40.10.
|
||||
.TH FAIL2BAN-REGEX "1" "May 2013" "fail2ban-regex v0.8.9" "User Commands"
|
||||
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2.
|
||||
.TH FAIL2BAN-REGEX "1" "June 2013" "fail2ban-regex v0.8.10" "User Commands"
|
||||
.SH NAME
|
||||
fail2ban-regex \- test Fail2ban "failregex" option
|
||||
.SH SYNOPSIS
|
||||
.B fail2ban-regex
|
||||
[\fIOPTIONS\fR] \fI<LOG> <REGEX> \fR[\fIIGNOREREGEX\fR]
|
||||
.SH DESCRIPTION
|
||||
Fail2Ban v0.8.9 reads log file that contains password failure report
|
||||
Fail2Ban v0.8.10 reads log file that contains password failure report
|
||||
and bans the corresponding IP addresses using firewall rules.
|
||||
.PP
|
||||
This tools can test regular expressions for "fail2ban".
|
||||
|
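Review bot: same as for fail2ban-client: "This tools can test regular expressions" should be "This tool can test regular expressions", and the fix belongs in the fail2ban-regex help text that help2man reads.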
@ -26,7 +26,7 @@ verbose output
|
|||
a string representing a log line
|
||||
.TP
|
||||
\fBfilename\fR
|
||||
path to a log file (/var/log/auth.log)
|
||||
path to a log file (\fI/var/log/auth.log\fP)
|
||||
.SH REGEX
|
||||
.TP
|
||||
\fBstring\fR
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.40.10.
|
||||
.TH FAIL2BAN-SERVER "1" "May 2013" "fail2ban-server v0.8.9" "User Commands"
|
||||
.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.41.2.
|
||||
.TH FAIL2BAN-SERVER "1" "June 2013" "fail2ban-server v0.8.10" "User Commands"
|
||||
.SH NAME
|
||||
fail2ban-server \- start the server
|
||||
.SH SYNOPSIS
|
||||
.B fail2ban-server
|
||||
[\fIOPTIONS\fR]
|
||||
.SH DESCRIPTION
|
||||
Fail2Ban v0.8.9 reads log file that contains password failure report
|
||||
Fail2Ban v0.8.10 reads log file that contains password failure report
|
||||
and bans the corresponding IP addresses using firewall rules.
|
||||
.PP
|
||||
Only use this command for debugging purpose. Start the server with
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
# Should not match -- DoS vector https://vndh.net/note:fail2ban-089-denial-service
|
||||
[Sat Jun 01 02:17:42 2013] [error] [client 192.168.33.1] File does not exist: /srv/http/site/[client 192.168.0.1] user root not found
|
||||
|
||||
# should match
|
||||
[Sat Jun 01 02:17:42 2013] [error] [client 192.168.0.2] user root not found
|
|
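Review bot: good to see a regression line for the DoS vector, but the comment should spell out that the embedded `[client 192.168.0.1] user root not found` is the text the unanchored regex used to match, so a future reader understands why the line must not match. The addresses (192.168.33.1, 192.168.0.1, 192.168.0.2) also ignore the 1.2.3.4 convention DEVELOP now asks for.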
@ -0,0 +1 @@
|
|||
[Sun Jun 09 07:57:47 2013] [error] [client 192.0.43.10] script '/usr/lib/cgi-bin/gitweb.cgiwp-login.php' not found or unable to stat
|
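Review bot: this new testlog has no header comment and uses 192.0.43.10 rather than 1.2.3.4; it also exercises only the second noscript alternative, so a "File does not exist: /something.php" line is needed to cover the first.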