Merge commit '0.8.10-1-g460e09a' into 0.9

* commit '0.8.10-1-g460e09a':
  it was not the end of the world and we should continue
  DOC: add information on where to report vulnerabilities + pointer to HOWTO_Seek_Help
  Changes for 0.8.10 release (changelog, version, etc)
  BF: anchor apache- filters.  Close #248
  DOC: credits for gh-244
  Filter Asterisk: Add sample log entry to testcase.
  Filter Asterisk: Add AUTH_UNKNOWN_DOMAIN error to list
  ENH: purge a few more .*
  DOC: credits
  DOC: how to do filter enhancements
  TST: normalize logs to use example.com and 1.2.3.4 as IP
  ENH/BF: constrain regex. Fix ACL error regex
  ENH: port optional
  Update asterisk
  Update asterisk.conf

Conflicts:
	ChangeLog
	DEVELOP
	README.md
	fail2ban/version.py

ChangeLog

@@ -41,14 +41,20 @@ code-review and minor additions from Yaroslav Halchenko.
    * [..e019ab7] Multiple instances of the same action are allowed in the
      same jail -- use actname option to disambiguate.
 
-ver. 0.8.10 (2013/XX/XXX) - NOT-YET-RELEASED
+ver. 0.8.10 (2013/06/12) - wanna-be-secure
 -----------
 
-- Fixes:
+Primarily bugfix and enhancements release, triggered by "bugs" in
-  Yaroslav Halchenko
+apache- filters.  If you are relying on listed below apache- filters,
+upgrade asap and seek your distributions to patch their fail2ban
+distribution with [6ccd5781].
+
+- Fixes: Yaroslav Halchenko
+   * [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor
+     failregex at the beginning (and where applicable at the end).
+     Addresses a possible DoS. Closes gh-248
    * action.d/{route,shorewall}.conf - blocktype must be defined
      within [Init].  Closes gh-232
-- New Features
 - Enhancements
   Yaroslav Halchenko
    * jail.conf -- assure all jails have actions and remove unused
@@ -57,6 +63,10 @@ ver. 0.8.10 (2013/XX/XXX) - NOT-YET-RELEASED
    * config/filter.d/roundcube-auth.conf -- support roundcube 0.9+
   Daniel Black
    * files/suse-initd -- update to the copy from stock SUSE
+  silviogarbes & Daniel Black
+    * Updates to asterisk filter. Closes gh-227/gh-230.
+  Carlos Alberto Lopez Perez
+    * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh-244.
 
 ver. 0.8.9 (2013/05/13) - wanna-be-stable
 ----------

DEVELOP

@@ -34,12 +34,22 @@ When submitting pull requests on GitHub we ask you to:
 * Include a change to the relevant section of the ChangeLog; and
 * Include yourself in THANKS if not already there.
 
-Testing
+Filters
 =======
 
-Existing tests can be run by executing `bin/fail2ban-testcases`. This has
+* Include sample logs with 1.2.3.4 used for IP addresses and 
-options like --log-level that will probably be useful.
+  example.com/example.org used for DNS names
-`bin/fail2ban-testcases --help` forfull options.
+* Ensure ./fail2ban-regex testcases/files/logs/{samplelog} config/filter.d/{filter}.conf
+  has matches for EVERY regex
+* Ensure regexs end with a $ and are restrictive as possible. E.g. not .* if
+ [0-9]+ is sufficient
+
+Code Testing
+============
+
+Existing tests can be run by executing `bin/fail2ban-testcases`. It has
+options like --log-level that will probably be useful.  Run
+`bin/fail2ban-testcases --help` for the full list of options.
 
 Test cases should cover all usual cases, all exception cases and all inside
 / outside boundary conditions.
@@ -338,10 +348,15 @@ Post Release
 
 Add the following to the top of the ChangeLog
 
-ver. 0.8.11 (2013/XX/XXX) - wanna-be-stable
+ver. 0.8.12 (2013/XX/XXX) - wanna-be-released
-- Fixes
+-----------
-- New Features
+
-- Enhancements
+- Fixes:
+  
+- New Features:
+  
+- Enhancements:
+  
 
 and adjust common/version.py to carry .dev suffix to signal
 a version under development.

README.md

@@ -2,7 +2,7 @@
                         / _|__ _(_) |_  ) |__  __ _ _ _  
                        |  _/ _` | | |/ /| '_ \/ _` | ' \ 
                        |_| \__,_|_|_/___|_.__/\__,_|_||_|
-                       v0.9.0a0                2013/05/??
+                       v0.9.0a0                2013/??/??
 
 ## Fail2Ban: ban hosts that cause multiple authentication errors
 
@@ -30,8 +30,8 @@ Optional:
 
 To install, just do:
 
-    tar xvfj fail2ban-0.8.9.tar.bz2
+    tar xvfj fail2ban-0.8.10.tar.bz2
-    cd fail2ban-0.8.9
+    cd fail2ban-0.8.10
     python setup.py install
 
 This will install Fail2Ban into /usr/share/fail2ban. The executable scripts are
@@ -63,9 +63,14 @@ Code status:
 Contact:
 --------
 
+### You found a severe security vulnerability in Fail2Ban?
+email details to fail2ban-vulnerabilities at lists dot sourceforge dot net .
+
 ### You need some new features, you found bugs?
 visit [Issues](https://github.com/fail2ban/fail2ban/issues)
-and if your issue is not yet known -- file a bug report.
+and if your issue is not yet known -- file a bug report. See
+[Fail2Ban wiki](http://www.fail2ban.org/wiki/index.php/HOWTO_Seek_Help)
+on further instructions.
 
 ### You would like to troubleshoot or discuss?
 join the [mailing list](https://lists.sourceforge.net/lists/listinfo/fail2ban-users)

THANKS

@@ -9,6 +9,7 @@ Andrey G. Grozin
 Arturo 'Buanzo' Busleiman
 Axel Thimm
 Bill Heaton
+Carlos Alberto Lopez Perez
 Christian Rauch
 Christoph Haas
 Christos Psonis
@@ -39,6 +40,7 @@ René Berber
 Robert Edeker
 Russell Odom
 Sireyessire
+silviogarbes
 Stephen Gildea
 Steven Hiscocks
 Tom Pike

config/filter.d/apache-auth.conf

@@ -4,6 +4,12 @@
 #
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 
 # Option:  failregex
@@ -13,9 +19,7 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = [[]client <HOST>[]] user .* authentication failure
+failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$
-            [[]client <HOST>[]] user .* not found
-            [[]client <HOST>[]] user .* password mismatch
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.

config/filter.d/apache-common.conf

@@ -0,0 +1,17 @@
+# Generic configuration items (to be used as interpolations) in other
+# apache filters
+#
+# Author: Yaroslav Halchenko
+#
+#
+
+[INCLUDES]
+
+# Load customizations if any available
+after = apache-common.local
+
+
+[DEFAULT]
+
+# Common prefix for [error] apache messages which also would include <HOST>
+_apache_error_client = \[[^]]+\] \[error\] \[client <HOST>\]

config/filter.d/apache-nohome.conf

@@ -4,6 +4,12 @@
 #
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 
 # Option:  failregex
@@ -13,7 +19,7 @@
 #          per-domain log files.
 # Values:  TEXT
 #
-failregex = [[]client <HOST>[]] File does not exist: .*/~.*
+failregex = ^%(_apache_error_client)s File does not exist: .*/~.*
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.

config/filter.d/apache-noscript.conf

@@ -4,6 +4,12 @@
 #
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 
 # Option:  failregex
@@ -13,8 +19,8 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)
+failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$
-            [[]client <HOST>[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat *$
+            ^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.

config/filter.d/apache-overflows.conf

@@ -4,13 +4,19 @@
 #
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 
 # Option:  failregex
 # Notes.:  Regexp to catch Apache overflow attempts.
 # Values:  TEXT
 #
-failregex = [[]client <HOST>[]] (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string)
+failregex = ^%(_apache_error_client)s (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string)
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.

config/filter.d/asterisk.conf

@@ -20,19 +20,24 @@ before = common.conf
 #          (?:::f{4,6}:)?(?P<host>\S+)
 # Values:  TEXT
 #
-failregex = NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - Wrong password$
+failregex = NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Wrong password$
-            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - No matching peer found$
+            NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - No matching peer found$
-            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch$
+            NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Username/auth name mismatch$
-            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL$
+            NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Device does not match ACL$
-            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register$
+            NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Peer is not supposed to register$
-            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' - ACL error (permit/deny)$
+            NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - ACL error \(permit/deny\)$
-            NOTICE%(__pid_re)s <HOST> failed to authenticate as '.*'$
+            NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for '<HOST>(:[0-9]+)?' - Not a local domain$
-            NOTICE%(__pid_re)s .*: No registration for peer '.*' \(from <HOST>\)$
+            NOTICE%(__pid_re)s\[[^:]+\] [^:]+: Call from '[^']*' \(<HOST>:[0-9]+\) to extension '[0-9]+' rejected because extension not found in context 'default'.$
-            NOTICE%(__pid_re)s .*: Host <HOST> failed MD5 authentication for '.*' (.*)$
+            NOTICE%(__pid_re)s [^:]+: Host <HOST> failed to authenticate as '[^']*'$
-            NOTICE%(__pid_re)s .*: Failed to authenticate user .*@<HOST>.*$
+            NOTICE%(__pid_re)s [^:]+: No registration for peer '[^']*' \(from <HOST>\)$
+            NOTICE%(__pid_re)s [^:]+: Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
+            NOTICE%(__pid_re)s [^:]+: Failed to authenticate user [^@]+@<HOST>\S*$
+            SECURITY%(__pid_re)s [^:]+: SecurityEvent="InvalidAccountID",EventTV="[0-9-]+",Severity="[a-zA-Z]+",Service="[a-zA-Z]+",EventVersion="[0-9]+",AccountID="[0-9]+",SessionID="0x[0-9a-f]+",LocalAddress="IPV[46]/(UD|TC)P/[0-9a-fA-F:.]+/[0-9]+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/[0-9]+"$
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex =
+
+

fail2ban/tests/files/logs/asterisk

@@ -1,11 +1,15 @@
 # Sample log files for asterisk 
-[2012-02-13 17:21:54] NOTICE[1638] chan_sip.c: Registration from '<sip:301@asclepios.eyepea.be>' failed for '1.2.3.4' - Wrong password
+[2012-02-13 17:21:54] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - Wrong password
-[2012-02-13 17:18:22] NOTICE[1638] chan_sip.c: Registration from '<sip:301@asclepios.eyepea.be>' failed for '1.2.3.4' - No matching peer found
+[2012-02-13 17:18:22] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - No matching peer found
-[2012-02-13 17:21:21] NOTICE[1638] chan_sip.c: Registration from '<sip:301@asclepios.eyepea.be>' failed for '1.2.3.4' - Username/auth name mismatch
+[2012-02-13 17:21:21] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - Username/auth name mismatch
-[2012-02-13 17:32:01] NOTICE[1638] chan_sip.c: Registration from '<sip:301@asclepios.eyepea.be>' failed for '1.2.3.4' - Device does not match ACL
+[2012-02-13 17:32:01] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - Device does not match ACL
-[2012-02-13 17:34:10] NOTICE[1638] chan_sip.c: Registration from '<sip:301@asclepios.eyepea.be>' failed for '1.2.3.4' - Peer is not supposed to register
+[2012-02-13 17:34:10] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - Peer is not supposed to register
-[2012-02-13 17:36:23] NOTICE[1638] chan_sip.c: Registration from '<sip:301@asclepios.eyepea.be>' failed for '1.2.3.4' - ACL error (permit/deny)
+[2012-02-13 17:36:23] NOTICE[1638] chan_sip.c: Registration from '<sip:301@example.com>' failed for '1.2.3.4' - ACL error (permit/deny)
 [2012-02-13 17:53:59] NOTICE[1638] chan_iax2.c: Host 1.2.3.4 failed to authenticate as 'Fail2ban'
 [2012-02-13 17:39:20] NOTICE[1638] chan_iax2.c: No registration for peer 'Fail2ban' (from 1.2.3.4)
 [2012-02-13 17:44:26] NOTICE[1638] chan_iax2.c: Host 1.2.3.4 failed MD5 authentication for 'Fail2ban' (e7df7cd2ca07f4f1ab415d457a6e1c13 != 53ac4bc41ee4ec77888ed4aa50677247)
 [2012-02-13 17:37:07] NOTICE[1638] chan_sip.c: Failed to authenticate user "Fail2ban" <sip:301@1.2.3.4>;tag=1r698745234
+[2013-02-05 23:44:42] NOTICE[436][C-00000fa9] chan_sip.c: Call from '' (1.2.3.4:10836) to extension '0972598285108' rejected because extension not found in context 'default'.
+[2013-03-26 15:47:54] NOTICE[1237] chan_sip.c: Registration from '"100"sip:100@1.2.3.4' failed for '1.2.3.4:23930' - No matching peer found
+[2013-05-13 07:10:53] SECURITY[1204] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1368439853-500975",Severity="Error",Service="SIP",EventVersion="1",AccountID="00972599580679",SessionID="0x7f8ecc0421f8",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/1.2.3.4/5070"
+[2013-06-10 18:15:03] NOTICE[2723] chan_sip.c: Registration from '"100"<sip:100@192.168.0.2:5060>' failed for '1.2.3.4' - Not a local domain

man/fail2ban-client.1

@@ -1,12 +1,12 @@
-.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.40.10.
+.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.41.2.
-.TH FAIL2BAN-CLIENT "1" "May 2013" "fail2ban-client v0.8.9" "User Commands"
+.TH FAIL2BAN-CLIENT "1" "June 2013" "fail2ban-client v0.8.10" "User Commands"
 .SH NAME
 fail2ban-client \- configure and control the server
 .SH SYNOPSIS
 .B fail2ban-client
 [\fIOPTIONS\fR] \fI<COMMAND>\fR
 .SH DESCRIPTION
-Fail2Ban v0.8.9 reads log file that contains password failure report
+Fail2Ban v0.8.10 reads log file that contains password failure report
 and bans the corresponding IP addresses using firewall rules.
 .SH OPTIONS
 .TP

man/fail2ban-regex.1

@@ -1,12 +1,12 @@
-.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.40.10.
+.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.41.2.
-.TH FAIL2BAN-REGEX "1" "May 2013" "fail2ban-regex v0.8.9" "User Commands"
+.TH FAIL2BAN-REGEX "1" "June 2013" "fail2ban-regex v0.8.10" "User Commands"
 .SH NAME
 fail2ban-regex \- test Fail2ban "failregex" option
 .SH SYNOPSIS
 .B fail2ban-regex
 [\fIOPTIONS\fR] \fI<LOG> <REGEX> \fR[\fIIGNOREREGEX\fR]
 .SH DESCRIPTION
-Fail2Ban v0.8.9 reads log file that contains password failure report
+Fail2Ban v0.8.10 reads log file that contains password failure report
 and bans the corresponding IP addresses using firewall rules.
 .PP
 This tools can test regular expressions for "fail2ban".
@@ -26,7 +26,7 @@ verbose output
 a string representing a log line
 .TP
 \fBfilename\fR
-path to a log file (/var/log/auth.log)
+path to a log file (\fI/var/log/auth.log\fP)
 .SH REGEX
 .TP
 \fBstring\fR

man/fail2ban-server.1

@@ -1,12 +1,12 @@
-.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.40.10.
+.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.41.2.
-.TH FAIL2BAN-SERVER "1" "May 2013" "fail2ban-server v0.8.9" "User Commands"
+.TH FAIL2BAN-SERVER "1" "June 2013" "fail2ban-server v0.8.10" "User Commands"
 .SH NAME
 fail2ban-server \- start the server
 .SH SYNOPSIS
 .B fail2ban-server
 [\fIOPTIONS\fR]
 .SH DESCRIPTION
-Fail2Ban v0.8.9 reads log file that contains password failure report
+Fail2Ban v0.8.10 reads log file that contains password failure report
 and bans the corresponding IP addresses using firewall rules.
 .PP
 Only use this command for debugging purpose. Start the server with

testcases/files/logs/apache-auth

@@ -0,0 +1,5 @@
+# Should not match -- DoS vector https://vndh.net/note:fail2ban-089-denial-service
+[Sat Jun 01 02:17:42 2013] [error] [client 192.168.33.1] File does not exist: /srv/http/site/[client 192.168.0.1] user root not found
+
+# should match
+[Sat Jun 01 02:17:42 2013] [error] [client 192.168.0.2] user root not found

testcases/files/logs/apache-noscript

@@ -0,0 +1 @@
+[Sun Jun 09 07:57:47 2013] [error] [client 192.0.43.10] script '/usr/lib/cgi-bin/gitweb.cgiwp-login.php' not found or unable to stat