mirror of https://github.com/fail2ban/fail2ban
Merge commit 'upstream-repo/FAIL2BAN-0_8' into upstream
* commit 'upstream-repo/FAIL2BAN-0_8':
 - Use 80 columns.
 - Fixed maxretry/findtime rate. Many thanks to Christos Psonis. Tracker #2019714.
 - Made the named-refused regex a bit less restrictive in order to match logs with "view". Thanks to Stephen Gildea.
 - Use timetuple instead of utctimetuple for ISO 8601. Maybe not a 100% correct fix but seems to work. Tracker #2500276.
 - Changed <HOST> template to be more restrictive. Debian bug #514163.
 - Added cyrus-imap and sieve filters. Thanks to Jan Wagner. Debian bug #513953.
 - Pull a commit from Yaroslav git repo. BF: addressing added bang to ssh log (closes: #512193).
 - Added missing semi-colon in the bind9 example. Thanks to Yaroslav Halchenko.
 - Added NetBSD ipfilter (ipf command) action. Thanks to Ed Ravin. Tracker #2484115.
 - Improved SASL filter. Thanks to Loic Pefferkorn. Tracker #2310410.
 - Added CPanel date format. Thanks to David Collins. Tracker #1967610.
 - Added nagios script. Thanks to Sebastian Mueller.
 - Removed print.
 - Removed begin-line anchor for "standard" timestamp. Fixed Debian bug #500824.
 - Remove socket file on startup if fail2ban crashed. Thanks to Detlef Reichelt.

Conflicts:
 MANIFEST
 TODO
debian-upstream
commit fec4e7d286
400
ChangeLog
|
@ -1,109 +1,102 @@
|
||||||
__ _ _ ___ _
|
__ _ _ ___ _
|
||||||
/ _|__ _(_) |_ ) |__ __ _ _ _
|
/ _|__ _(_) |_ ) |__ __ _ _ _
|
||||||
| _/ _` | | |/ /| '_ \/ _` | ' \
|
| _/ _` | | |/ /| '_ \/ _` | ' \
|
||||||
|_| \__,_|_|_/___|_.__/\__,_|_||_|
|
|_| \__,_|_|_/___|_.__/\__,_|_||_|
|
||||||
|
|
||||||
=============================================================
|
================================================================================
|
||||||
Fail2Ban (version 0.8.4) 2008/??/??
|
Fail2Ban (version 0.8.4) 2009/02/??
|
||||||
=============================================================
|
================================================================================
|
||||||
|
|
||||||
ver. 0.8.4 (2008/??/??) - stable
|
ver. 0.8.4 (2009/??/??) - stable
|
||||||
----------
|
----------
|
||||||
- Merged patches from Debian package. Thanks to Yaroslav
|
- Merged patches from Debian package. Thanks to Yaroslav Halchenko.
|
||||||
Halchenko.
|
- Use current day and month instead of Jan 1st if both are not available in the
|
||||||
- Use current day and month instead of Jan 1st if both are
|
log. Thanks to Andreas Itzchak Rehberg.
|
||||||
not available in the log. Thanks to Andreas Itzchak
|
- Try to match the regex even if the line does not contain a valid date/time.
|
||||||
Rehberg.
|
Described in Debian #491253. Thanks to Yaroslav Halchenko.
|
||||||
- Try to match the regex even if the line does not contain a
|
|
||||||
valid date/time. Described in Debian #491253. Thanks to
|
|
||||||
Yaroslav Halchenko.
|
|
||||||
- Added/improved filters and date formats.
|
- Added/improved filters and date formats.
|
||||||
- Added actions to report abuse to ISP, DShield and
|
- Added actions to report abuse to ISP, DShield and myNetWatchman. Thanks to
|
||||||
myNetWatchman. Thanks to Russell Odom.
|
Russell Odom.
|
||||||
|
- Suse init script. Remove socket file on startup is fail2ban crashed. Thanks to
|
||||||
|
Detlef Reichelt.
|
||||||
|
- Removed begin-line anchor for "standard" timestamp. Fixed Debian bug #500824.
|
||||||
|
- Added nagios script. Thanks to Sebastian Mueller.
|
||||||
|
- Added CPanel date format. Thanks to David Collins. Tracker #1967610.
|
||||||
|
- Improved SASL filter. Thanks to Loic Pefferkorn. Tracker #2310410.
|
||||||
|
- Added NetBSD ipfilter (ipf command) action. Thanks to Ed Ravin. Tracker
|
||||||
|
#2484115.
|
||||||
|
- Added cyrus-imap and sieve filters. Thanks to Jan Wagner. Debian bug #513953.
|
||||||
|
- Changed <HOST> template to be more restrictive. Debian bug #514163.
|
||||||
|
- Use timetuple instead of utctimetuple for ISO 8601. Maybe not a 100% correct
|
||||||
|
fix but seems to work. Tracker #2500276.
|
||||||
|
- Made the named-refused regex a bit less restrictive in order to match logs
|
||||||
|
with "view". Thanks to Stephen Gildea.
|
||||||
|
- Fixed maxretry/findtime rate. Many thanks to Christos Psonis. Tracker
|
||||||
|
#2019714.
|
||||||
|
|
||||||
ver. 0.8.3 (2008/07/17) - stable
|
ver. 0.8.3 (2008/07/17) - stable
|
||||||
----------
|
----------
|
||||||
- Process failtickets as long as failmanager is not empty.
|
- Process failtickets as long as failmanager is not empty.
|
||||||
- Added "pam-generic" filter and more configuration fixes.
|
- Added "pam-generic" filter and more configuration fixes. Thanks to Yaroslav
|
||||||
Thanks to Yaroslav Halchenko.
|
Halchenko.
|
||||||
- Fixed socket path in redhat and suse init script. Thanks to
|
- Fixed socket path in redhat and suse init script. Thanks to Jim Wight.
|
||||||
Jim Wight.
|
- Fixed PID file while started in daemon mode. Thanks to Christian Jobic who
|
||||||
- Fixed PID file while started in daemon mode. Thanks to
|
submitted a similar patch.
|
||||||
Christian Jobic who submitted a similar patch.
|
|
||||||
- Fixed "fail2ban-client get <jail> logpath". Bug #1916986.
|
- Fixed "fail2ban-client get <jail> logpath". Bug #1916986.
|
||||||
- Added gssftpd filter. Thanks to Kevin Zembower.
|
- Added gssftpd filter. Thanks to Kevin Zembower.
|
||||||
- Added "Day/Month/Year Hour:Minute:Second" date template.
|
- Added "Day/Month/Year Hour:Minute:Second" date template. Thanks to Dennis
|
||||||
Thanks to Dennis Winter.
|
Winter.
|
||||||
- Fixed ignoreregex processing in fail2ban-client. Thanks to
|
- Fixed ignoreregex processing in fail2ban-client. Thanks to René Berber.
|
||||||
René Berber.
|
|
||||||
- Added ISO 8601 date/time format.
|
- Added ISO 8601 date/time format.
|
||||||
- Added and changed some logging level and messages.
|
- Added and changed some logging level and messages.
|
||||||
- Added missing ignoreregex to filters. Thanks to Klaus
|
- Added missing ignoreregex to filters. Thanks to Klaus Lehmann.
|
||||||
Lehmann.
|
- Use poll instead of select in asyncore.loop. This should solve the "Unknown
|
||||||
- Use poll instead of select in asyncore.loop. This should
|
error 514". Thanks to Michael Geiger and Klaus Lehmann.
|
||||||
solve the "Unknown error 514". Thanks to Michael Geiger and
|
|
||||||
Klaus Lehmann.
|
|
||||||
|
|
||||||
ver. 0.8.2 (2008/03/06) - stable
|
ver. 0.8.2 (2008/03/06) - stable
|
||||||
----------
|
----------
|
||||||
- Fixed named filter. Thanks to Yaroslav Halchenko
|
- Fixed named filter. Thanks to Yaroslav Halchenko
|
||||||
- Fixed wrong path for apache-auth in jail.conf. Thanks to
|
- Fixed wrong path for apache-auth in jail.conf. Thanks to Vincent Deffontaines
|
||||||
Vincent Deffontaines
|
- Fixed timezone bug with epoch date template. Thanks to Michael Hanselmann
|
||||||
- Fixed timezone bug with epoch date template. Thanks to
|
- Added "full line failregex" patch. Thanks to Yaroslav Halchenko. It will be
|
||||||
Michael Hanselmann
|
possible to create stronger failregex against log injection
|
||||||
- Added "full line failregex" patch. Thanks to Yaroslav
|
|
||||||
Halchenko. It will be possible to create stronger failregex
|
|
||||||
against log injection
|
|
||||||
- Fixed ipfw action script. Thanks to Nick Munger
|
- Fixed ipfw action script. Thanks to Nick Munger
|
||||||
- Removed date from logging message when using SYSLOG. Thanks
|
- Removed date from logging message when using SYSLOG. Thanks to Iain Lea
|
||||||
to Iain Lea
|
- Fixed "ignore IPs". Only the first value was taken into account. Thanks to
|
||||||
- Fixed "ignore IPs". Only the first value was taken into
|
Adrien Clerc
|
||||||
account. Thanks to Adrien Clerc
|
|
||||||
- Moved socket to /var/run/fail2ban.
|
- Moved socket to /var/run/fail2ban.
|
||||||
- Rewrote the communication server.
|
- Rewrote the communication server.
|
||||||
- Refactoring. Reduced number of files.
|
- Refactoring. Reduced number of files.
|
||||||
- Removed Python 2.4. Minimum required version is now Python
|
- Removed Python 2.4. Minimum required version is now Python 2.3.
|
||||||
2.3.
|
|
||||||
- New log rotation detection algorithm.
|
- New log rotation detection algorithm.
|
||||||
- Print monitored files in status.
|
- Print monitored files in status.
|
||||||
- Create a PID file in /var/run/fail2ban/. Thanks to Julien
|
- Create a PID file in /var/run/fail2ban/. Thanks to Julien Perez.
|
||||||
Perez.
|
- Fixed "Feb 29" bug. Thanks to James Andrewartha who pointed this out. Thanks
|
||||||
- Fixed "Feb 29" bug. Thanks to James Andrewartha who pointed
|
to Yaroslav Halchenko for the fix.
|
||||||
this out. Thanks to Yaroslav Halchenko for the fix.
|
- "reload <jail>" reloads a single jail and the parameters in fail2ban.conf.
|
||||||
- "reload <jail>" reloads a single jail and the parameters in
|
|
||||||
fail2ban.conf.
|
|
||||||
- Added Mac OS/X startup script. Thanks to Bill Heaton.
|
- Added Mac OS/X startup script. Thanks to Bill Heaton.
|
||||||
- Absorbed some Debian patches. Thanks to Yaroslav Halchenko.
|
- Absorbed some Debian patches. Thanks to Yaroslav Halchenko.
|
||||||
- Replaced "echo" with "printf" in actions. Fix #1839673
|
- Replaced "echo" with "printf" in actions. Fix #1839673
|
||||||
- Replaced "reject" with "drop" in shorwall action. Fix
|
- Replaced "reject" with "drop" in shorwall action. Fix #1854875
|
||||||
#1854875
|
|
||||||
- Fixed Debian bug #456567, #468477, #462060, #461426
|
- Fixed Debian bug #456567, #468477, #462060, #461426
|
||||||
- readline is now optional in fail2ban-client (not needed in
|
- readline is now optional in fail2ban-client (not needed in fail2ban-server).
|
||||||
fail2ban-server).
|
|
||||||
|
|
||||||
ver. 0.8.1 (2007/08/14) - stable
|
ver. 0.8.1 (2007/08/14) - stable
|
||||||
----------
|
----------
|
||||||
- Fixed vulnerability in sshd.conf. Thanks to Daniel B. Cid
|
- Fixed vulnerability in sshd.conf. Thanks to Daniel B. Cid
|
||||||
- Expand <HOST> in ignoreregex. Thanks to Yaroslav Halchenko
|
- Expand <HOST> in ignoreregex. Thanks to Yaroslav Halchenko
|
||||||
- Improved regular expressions. Thanks to Yaroslav Halchenko
|
- Improved regular expressions. Thanks to Yaroslav Halchenko and others
|
||||||
and others
|
- Added sendmail actions. The action started with "mail" are now deprecated.
|
||||||
- Added sendmail actions. The action started with "mail" are
|
Thanks to Raphaël Marichez
|
||||||
now deprecated. Thanks to Raphaël Marichez
|
|
||||||
- Added "ignoreregex" support to fail2ban-regex
|
- Added "ignoreregex" support to fail2ban-regex
|
||||||
- Updated suse-initd and added it to MANIFEST. Thanks to
|
- Updated suse-initd and added it to MANIFEST. Thanks to Christian Rauch
|
||||||
Christian Rauch
|
- Tightening up the pid check in redhat-initd. Thanks to David Nutter
|
||||||
- Tightening up the pid check in redhat-initd. Thanks to
|
- Added webmin authentication filter. Thanks to Guillaume Delvit
|
||||||
David Nutter
|
- Removed textToDns() which is not required anymore. Thanks to Yaroslav
|
||||||
- Added webmin authentication filter. Thanks to Guillaume
|
|
||||||
Delvit
|
|
||||||
- Removed textToDns() which is not required anymore. Thanks
|
|
||||||
to Yaroslav Halchenko
|
|
||||||
- Added new action iptables-allports. Thanks to Yaroslav
|
|
||||||
Halchenko
|
|
||||||
- Added "named" date format to date detector. Thanks to
|
|
||||||
Yaroslav Halchenko
|
|
||||||
- Added filter file for named (bind9). Thanks to Yaroslav
|
|
||||||
Halchenko
|
Halchenko
|
||||||
|
- Added new action iptables-allports. Thanks to Yaroslav Halchenko
|
||||||
|
- Added "named" date format to date detector. Thanks to Yaroslav Halchenko
|
||||||
|
- Added filter file for named (bind9). Thanks to Yaroslav Halchenko
|
||||||
- Fixed vsftpd filter. Thanks to Yaroslav Halchenko
|
- Fixed vsftpd filter. Thanks to Yaroslav Halchenko
|
||||||
|
|
||||||
ver. 0.8.0 (2007/05/03) - stable
|
ver. 0.8.0 (2007/05/03) - stable
|
||||||
|
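Review bot: the two 0.8.4 headers in this hunk now disagree on the release date: the banner line reads "Fail2Ban (version 0.8.4) 2009/02/??" while the section header reads "ver. 0.8.4 (2009/??/??) - stable"; pick one and use it in both places. Two smaller points in the new entries: "Remove socket file on startup is fail2ban crashed" should read "if fail2ban crashed", and the ISO 8601 entry ("Use timetuple instead of utctimetuple ... Maybe not a 100% correct fix but seems to work") would help a later reader more if it named the assumption the fix relies on (presumably that the log timestamps are local time without a UTC offset), because a timestamp parsed in the wrong zone shifts every failure by hours and can push it outside the findtime window. The "Changed <HOST> template to be more restrictive" entry is the one that hardens log parsing against forged host fields; a word on what the previous template over-matched would make it a more useful record.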
@ -123,20 +116,17 @@ ver. 0.7.8 (2007/03/21) - release candidate
|
||||||
----------
|
----------
|
||||||
- Fixed asctime pattern in datedetector.py
|
- Fixed asctime pattern in datedetector.py
|
||||||
- Added new filters/actions. Thanks to Yaroslav Halchenko
|
- Added new filters/actions. Thanks to Yaroslav Halchenko
|
||||||
- Added Suse init script and modified gentoo-initd. Thanks to
|
- Added Suse init script and modified gentoo-initd. Thanks to Christian Rauch
|
||||||
Christian Rauch
|
|
||||||
- Moved every locking statements in a try..finally block
|
- Moved every locking statements in a try..finally block
|
||||||
|
|
||||||
ver. 0.7.7 (2007/02/08) - release candidate
|
ver. 0.7.7 (2007/02/08) - release candidate
|
||||||
----------
|
----------
|
||||||
- Added signal handling in fail2ban-client
|
- Added signal handling in fail2ban-client
|
||||||
- Added a wonderful visual effect when waiting on the server
|
- Added a wonderful visual effect when waiting on the server
|
||||||
- fail2ban-client returns an error code if configuration is
|
- fail2ban-client returns an error code if configuration is not valid
|
||||||
not valid
|
|
||||||
- Added new filters/actions. Thanks to Yaroslav Halchenko
|
- Added new filters/actions. Thanks to Yaroslav Halchenko
|
||||||
- Call Python interpreter directly (instead of using "env")
|
- Call Python interpreter directly (instead of using "env")
|
||||||
- Added file support to fail2ban-regex. Benchmark feature has
|
- Added file support to fail2ban-regex. Benchmark feature has been removed
|
||||||
been removed
|
|
||||||
- Added cacti script and template.
|
- Added cacti script and template.
|
||||||
- Added IP list in "status <JAIL>". Thanks to Eric Gerbier
|
- Added IP list in "status <JAIL>". Thanks to Eric Gerbier
|
||||||
|
|
||||||
|
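Review bot: while this hunk is rewrapping the 0.7.8 entries, the context line "Moved every locking statements in a try..finally block" should read "every locking statement"; otherwise the change here is reflow only.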
@ -146,60 +136,53 @@ ver. 0.7.6 (2007/01/04) - beta
|
||||||
- Use /dev/log for SYSLOG output. Thanks to Joerg Sommrey
|
- Use /dev/log for SYSLOG output. Thanks to Joerg Sommrey
|
||||||
- Use numeric output for iptables in "actioncheck"
|
- Use numeric output for iptables in "actioncheck"
|
||||||
- Fixed removal of host in hosts.deny. Thanks to René Berber
|
- Fixed removal of host in hosts.deny. Thanks to René Berber
|
||||||
- Added new date format (2006-12-21 06:43:20) and Exim4
|
- Added new date format (2006-12-21 06:43:20) and Exim4 filter. Thanks to mEDI
|
||||||
filter. Thanks to mEDI
|
- Several "failregex" and "ignoreregex" are now accepted. Creation of rules
|
||||||
- Several "failregex" and "ignoreregex" are now accepted.
|
should be easier now.
|
||||||
Creation of rules should be easier now.
|
|
||||||
- Added license in COPYING. Thanks to Axel Thimm
|
- Added license in COPYING. Thanks to Axel Thimm
|
||||||
- Allow comma in action options. The value of the option must
|
- Allow comma in action options. The value of the option must be escaped with "
|
||||||
be escaped with " or '. Thanks to Yaroslav Halchenko
|
or '. Thanks to Yaroslav Halchenko
|
||||||
- Now Fail2ban goes in /usr/share/fail2ban instead of
|
- Now Fail2ban goes in /usr/share/fail2ban instead of /usr/lib/fail2ban. This is
|
||||||
/usr/lib/fail2ban. This is more compliant with FHS. Thanks
|
more compliant with FHS. Thanks to Axel Thimm and Yaroslav Halchenko
|
||||||
to Axel Thimm and Yaroslav Halchenko
|
|
||||||
|
|
||||||
ver. 0.7.5 (2006/12/07) - beta
|
ver. 0.7.5 (2006/12/07) - beta
|
||||||
----------
|
----------
|
||||||
- Do not ban a host that is currently banned. Thanks to
|
- Do not ban a host that is currently banned. Thanks to Yaroslav Halchenko
|
||||||
Yaroslav Halchenko
|
- The supported tags in "action(un)ban" are <ip>, <failures> and <time>
|
||||||
- The supported tags in "action(un)ban" are <ip>, <failures>
|
|
||||||
and <time>
|
|
||||||
- Fixed refactoring bug (getLastcommand -> getLastAction)
|
- Fixed refactoring bug (getLastcommand -> getLastAction)
|
||||||
- Added option "ignoreregex" in filter scripts and jail.conf.
|
- Added option "ignoreregex" in filter scripts and jail.conf. Feature Request
|
||||||
Feature Request #1283304
|
#1283304
|
||||||
- Fixed a bug in user defined time regex/pattern
|
- Fixed a bug in user defined time regex/pattern
|
||||||
- Improved documentation
|
- Improved documentation
|
||||||
- Moved version.py and protocol.py to common/
|
- Moved version.py and protocol.py to common/
|
||||||
- Merged "maxtime" option with "findtime"
|
- Merged "maxtime" option with "findtime"
|
||||||
- Added "<HOST>" tag support in failregex which matches
|
- Added "<HOST>" tag support in failregex which matches default IP
|
||||||
default IP address/hostname. "(?P<host>\S)" is still valid
|
address/hostname. "(?P<host>\S)" is still valid and supported
|
||||||
and supported
|
- Fixed exception when calling fail2ban-server with unknown option
|
||||||
- Fixed exception when calling fail2ban-server with unknown
|
- Fixed Debian bug 400162. The "socket" option is now handled correctly by
|
||||||
option
|
fail2ban-client
|
||||||
- Fixed Debian bug 400162. The "socket" option is now handled
|
|
||||||
correctly by fail2ban-client
|
|
||||||
- Fixed RedHat init script. Thanks to Justin Shore
|
- Fixed RedHat init script. Thanks to Justin Shore
|
||||||
- Changed timeout to 30 secondes before assuming the server
|
- Changed timeout to 30 secondes before assuming the server cannot be started.
|
||||||
cannot be started. Thanks to Joël Bertrand
|
Thanks to Joël Bertrand
|
||||||
|
|
||||||
ver. 0.7.4 (2006/11/01) - beta
|
ver. 0.7.4 (2006/11/01) - beta
|
||||||
----------
|
----------
|
||||||
- Improved configuration files. Thanks to Yaroslav Halchenko
|
- Improved configuration files. Thanks to Yaroslav Halchenko
|
||||||
- Added man page for "fail2ban-regex"
|
- Added man page for "fail2ban-regex"
|
||||||
- Moved ban/unban messages from "info" level to "warn"
|
- Moved ban/unban messages from "info" level to "warn"
|
||||||
- Added "-s" option to specify the socket path and "socket"
|
- Added "-s" option to specify the socket path and "socket" option in
|
||||||
option in "fail2ban.conf"
|
"fail2ban.conf"
|
||||||
- Added "backend" option in "jail.conf"
|
- Added "backend" option in "jail.conf"
|
||||||
- Added more filters/actions and jail samples. Thanks to Nick
|
- Added more filters/actions and jail samples. Thanks to Nick Munger, Christoph
|
||||||
Munger, Christoph Haas
|
Haas
|
||||||
- Improved testing framework
|
- Improved testing framework
|
||||||
- Fixed a bug in the return code handling of the executed
|
- Fixed a bug in the return code handling of the executed commands. Thanks to
|
||||||
commands. Thanks to Yaroslav Halchenko
|
Yaroslav Halchenko
|
||||||
- Signal handling. There is a bug with join() and signal in
|
- Signal handling. There is a bug with join() and signal in Python
|
||||||
Python
|
|
||||||
- Better debugging output for "fail2ban-regex"
|
- Better debugging output for "fail2ban-regex"
|
||||||
- Added support for more date format
|
- Added support for more date format
|
||||||
- cPickle does not work with Python 2.5. Use pickle instead
|
- cPickle does not work with Python 2.5. Use pickle instead (performance is not
|
||||||
(performance is not a problem in our case)
|
a problem in our case)
|
||||||
|
|
||||||
ver. 0.7.3 (2006/09/28) - beta
|
ver. 0.7.3 (2006/09/28) - beta
|
||||||
----------
|
----------
|
||||||
|
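Review bot: in the reflowed 0.7.5 entry '"(?P<host>\S)" is still valid and supported', the quoted pattern matches exactly one non-whitespace character, so as written it cannot capture an IP address or hostname; if the ChangeLog is meant to document the supported named group, it should read "(?P<host>\S+)". Also in this hunk, "Changed timeout to 30 secondes" should be "seconds".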
@ -219,15 +202,13 @@ ver. 0.7.2 (2006/09/10) - beta
|
||||||
- Improved client output
|
- Improved client output
|
||||||
- Added more get/set commands
|
- Added more get/set commands
|
||||||
- Added more configuration templates
|
- Added more configuration templates
|
||||||
- Removed "logpath" and "maxretry" from filter templates.
|
- Removed "logpath" and "maxretry" from filter templates. They must be defined
|
||||||
They must be defined in jail.conf now
|
in jail.conf now
|
||||||
- Added interactive mode. Use "-i"
|
- Added interactive mode. Use "-i"
|
||||||
- Added a date detector. "timeregex" and "timepattern" are no
|
- Added a date detector. "timeregex" and "timepattern" are no more needed
|
||||||
more needed
|
- Added "fail2ban-regex". This is a tool to help finding "failregex"
|
||||||
- Added "fail2ban-regex". This is a tool to help finding
|
- Improved server communication. Start a new thread for each incoming request.
|
||||||
"failregex"
|
Fail2ban is not really thread-safe yet
|
||||||
- Improved server communication. Start a new thread for each
|
|
||||||
incoming request. Fail2ban is not really thread-safe yet
|
|
||||||
|
|
||||||
ver. 0.7.1 (2006/08/23) - alpha
|
ver. 0.7.1 (2006/08/23) - alpha
|
||||||
----------
|
----------
|
||||||
|
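Review bot: two wording points in the reflowed 0.7.2 lines: "are no more needed" reads better as "are no longer needed", and 'a tool to help finding "failregex"' as 'a tool to help find "failregex"'. The admission "Fail2ban is not really thread-safe yet" next to "Start a new thread for each incoming request" is worth keeping as-is; it documents a known limitation rather than hiding it.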
@ -238,106 +219,91 @@ ver. 0.7.1 (2006/08/23) - alpha
|
||||||
|
|
||||||
ver. 0.7.0 (2006/08/23) - alpha
|
ver. 0.7.0 (2006/08/23) - alpha
|
||||||
----------
|
----------
|
||||||
- Almost a complete rewrite :) Fail2ban design is really
|
- Almost a complete rewrite :) Fail2ban design is really better (IMHO). There is
|
||||||
better (IMHO). There is a lot of new features
|
a lot of new features
|
||||||
- Client/Server architecture
|
- Client/Server architecture
|
||||||
- Multithreading. Each jail has its own threads: one for the
|
- Multithreading. Each jail has its own threads: one for the log reading and
|
||||||
log reading and another for the actions
|
another for the actions
|
||||||
- Execute several actions
|
- Execute several actions
|
||||||
- Split configuration files. They are more readable and easy
|
- Split configuration files. They are more readable and easy to use
|
||||||
to use
|
- failregex uses group (<host>) now. This feature was already present in the
|
||||||
- failregex uses group (<host>) now. This feature was already
|
Debian package
|
||||||
present in the Debian package
|
|
||||||
- lots of things...
|
- lots of things...
|
||||||
|
|
||||||
ver. 0.6.1 (2006/03/16) - stable
|
ver. 0.6.1 (2006/03/16) - stable
|
||||||
----------
|
----------
|
||||||
- Added permanent banning. Set banTime to a negative value to
|
- Added permanent banning. Set banTime to a negative value to enable this
|
||||||
enable this feature (-1 is perfect). Thanks to Mannone
|
feature (-1 is perfect). Thanks to Mannone
|
||||||
- Fixed locale bug. Thanks to Fernando José
|
- Fixed locale bug. Thanks to Fernando José
|
||||||
- Fixed crash when time format does not match data
|
- Fixed crash when time format does not match data
|
||||||
- Propagated patch from Debian to fix fail2ban search path
|
- Propagated patch from Debian to fix fail2ban search path addition to the path
|
||||||
addition to the path search list: now it is added first.
|
search list: now it is added first. Thanks to Nick Craig-Wood
|
||||||
Thanks to Nick Craig-Wood
|
- Added SMTP authentification for mail notification. Thanks to Markus Hoffmann
|
||||||
- Added SMTP authentification for mail notification. Thanks
|
|
||||||
to Markus Hoffmann
|
|
||||||
- Removed debug mode as it is confusing for people
|
- Removed debug mode as it is confusing for people
|
||||||
- Added parsing of timestamp in TAI64N format (#1275325).
|
- Added parsing of timestamp in TAI64N format (#1275325). Thanks to Mark
|
||||||
Thanks to Mark Edgington
|
Edgington
|
||||||
- Added patch #1382936 (Default formatted syslog logging).
|
- Added patch #1382936 (Default formatted syslog logging). Thanks to Patrick
|
||||||
Thanks to Patrick B<>rjesson
|
B<>rjesson
|
||||||
- Removed 192.168.0.0/16 from ignoreip. Attacks could also
|
- Removed 192.168.0.0/16 from ignoreip. Attacks could also come from the local
|
||||||
come from the local network.
|
network.
|
||||||
- Robust startup: if iptables module does not get fully
|
- Robust startup: if iptables module does not get fully initialized after
|
||||||
initialized after startup of fail2ban, fail2ban will do
|
startup of fail2ban, fail2ban will do "maxreinit" attempts to initialize its
|
||||||
"maxreinit" attempts to initialize its own firewall. It
|
own firewall. It will sleep between attempts for "polltime" number of seconds
|
||||||
will sleep between attempts for "polltime" number of
|
(closes Debian: #334272). Thanks to Yaroslav Halchenko
|
||||||
seconds (closes Debian: #334272). Thanks to Yaroslav
|
- Added "interpolations" in fail2ban.conf. This is provided by the ConfigParser
|
||||||
Halchenko
|
module. Old configuration files still work. Thanks to Yaroslav Halchenko
|
||||||
- Added "interpolations" in fail2ban.conf. This is provided
|
- Added initial support for hosts.deny and shorewall. Need more testing. Please
|
||||||
by the ConfigParser module. Old configuration files still
|
test. Thanks to kojiro from Gentoo forum for hosts.deny support
|
||||||
work. Thanks to Yaroslav Halchenko
|
|
||||||
- Added initial support for hosts.deny and shorewall. Need
|
|
||||||
more testing. Please test. Thanks to kojiro from Gentoo
|
|
||||||
forum for hosts.deny support
|
|
||||||
- Added support for vsftpd. Thanks to zugeschmiert
|
- Added support for vsftpd. Thanks to zugeschmiert
|
||||||
|
|
||||||
ver. 0.6.0 (2005/11/20) - stable
|
ver. 0.6.0 (2005/11/20) - stable
|
||||||
----------
|
----------
|
||||||
- Propagated patches introduced by Debian maintainer
|
- Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
|
||||||
(Yaroslav Halchenko):
|
* Added an option to report local time (including timezone) or GMT in mail
|
||||||
* Added an option to report local time (including timezone)
|
notification.
|
||||||
or GMT in mail notification.
|
|
||||||
|
|
||||||
ver. 0.5.5 (2005/10/26) - beta
|
ver. 0.5.5 (2005/10/26) - beta
|
||||||
----------
|
----------
|
||||||
- Propagated patches introduced by Debian maintainer
|
- Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
|
||||||
(Yaroslav Halchenko):
|
* Introduced fwcheck option to verify consistency of the chains. Implemented
|
||||||
* Introduced fwcheck option to verify consistency of the
|
automatic restart of fail2ban main function in case check of fwban or
|
||||||
chains. Implemented automatic restart of fail2ban main
|
fwunban command failed (closes: #329163, #331695). (Introduced patch was
|
||||||
function in case check of fwban or fwunban command failed
|
further adjusted by upstream author).
|
||||||
(closes: #329163, #331695). (Introduced patch was further
|
|
||||||
adjusted by upstream author).
|
|
||||||
* Added -f command line parameter for [findtime].
|
* Added -f command line parameter for [findtime].
|
||||||
* Added a cleanup of firewall rules on emergency shutdown
|
* Added a cleanup of firewall rules on emergency shutdown when unknown
|
||||||
when unknown exception is catched.
|
exception is catched.
|
||||||
* Fail2ban should not crash now if a wrong file name is
|
* Fail2ban should not crash now if a wrong file name is specified in config.
|
||||||
specified in config.
|
* reordered code a bit so that log targets are setup right after background
|
||||||
* reordered code a bit so that log targets are setup right
|
and then only loglevel (verbose, debug) is processed, so the warning could
|
||||||
after background and then only loglevel (verbose, debug)
|
be seen in the logs
|
||||||
is processed, so the warning could be seen in the logs
|
* Added a keyword <section> in parsing of the subject and the body of an email
|
||||||
* Added a keyword <section> in parsing of the subject and
|
sent out by fail2ban (closes: #330311)
|
||||||
the body of an email sent out by fail2ban (closes:
|
|
||||||
#330311)
|
|
||||||
|
|
||||||
ver. 0.5.4 (2005/09/13) - beta
|
ver. 0.5.4 (2005/09/13) - beta
|
||||||
----------
|
----------
|
||||||
- Fixed bug #1286222.
|
- Fixed bug #1286222.
|
||||||
- Propagated patches introduced by Debian maintainer
|
- Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
|
||||||
(Yaroslav Halchenko):
|
* Fixed handling of SYSLOG logging target. Now it can log to any SYSLOG target
|
||||||
* Fixed handling of SYSLOG logging target. Now it can log
|
and facility as directed by the config
|
||||||
to any SYSLOG target and facility as directed by the
|
|
||||||
config
|
|
||||||
* Format of SYSLOG entries fixed to look closer to standard
|
* Format of SYSLOG entries fixed to look closer to standard
|
||||||
* Fixed errata in config/gentoo-confd
|
* Fixed errata in config/gentoo-confd
|
||||||
* Introduced findtime configuration variable to control the
|
* Introduced findtime configuration variable to control the lifetime of caught
|
||||||
lifetime of caught "failed" log entries
|
"failed" log entries
|
||||||
|
|
||||||
ver. 0.5.3 (2005/09/08) - beta
|
ver. 0.5.3 (2005/09/08) - beta
|
||||||
----------
|
----------
|
||||||
- Fixed a bug when overriding "maxfailures" or "bantime".
|
- Fixed a bug when overriding "maxfailures" or "bantime". Thanks to Yaroslav
|
||||||
Thanks to Yaroslav Halchenko
|
Halchenko
|
||||||
- Added more debug output if an error occurs when sending
|
- Added more debug output if an error occurs when sending mail. Thanks to
|
||||||
mail. Thanks to Stephen Gildea
|
Stephen Gildea
|
||||||
- Renamed "maxretry" to "maxfailures" and changed default
|
- Renamed "maxretry" to "maxfailures" and changed default value to 5. Thanks to
|
||||||
value to 5. Thanks to Stephen Gildea
|
Stephen Gildea
|
||||||
- Hopefully fixed bug #1256075
|
- Hopefully fixed bug #1256075
|
||||||
- Fixed bug #1262345
|
- Fixed bug #1262345
|
||||||
- Fixed exception handling in PIDLock
|
- Fixed exception handling in PIDLock
|
||||||
- Removed warning when using "-V" or "-h" with no config
|
- Removed warning when using "-V" or "-h" with no config file. Thanks to
|
||||||
file. Thanks to Yaroslav Halchenko
|
Yaroslav Halchenko
|
||||||
- Removed "-i eth0" from config file. Thanks to Yaroslav
|
- Removed "-i eth0" from config file. Thanks to Yaroslav Halchenko
|
||||||
Halchenko
|
|
||||||
|
|
||||||
ver. 0.5.2 (2005/08/06) - beta
|
ver. 0.5.2 (2005/08/06) - beta
|
||||||
----------
|
----------
|
||||||
|
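Review bot: the contributor name "Patrick B<>rjesson" carries a mangled non-ASCII character in both the old and new columns; since the line is being rewrapped anyway, restore the intended character (likely "ö"; "René Berber" and "Raphaël Marichez" elsewhere in this file are encoded correctly). Spelling in the same hunk: "SMTP authentification" should be "authentication" and "exception is catched" should be "caught". The 0.6.1 entry "Removed 192.168.0.0/16 from ignoreip. Attacks could also come from the local network." is the one default-hardening change in this range and should survive the reflow verbatim.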
@ -353,11 +319,9 @@ ver. 0.5.1 (2005/07/23) - beta
|
||||||
----------
|
----------
|
||||||
- Fixed bugs #1241756, #1239557
|
- Fixed bugs #1241756, #1239557
|
||||||
- Added log targets in configuration file. Removed -l option
|
- Added log targets in configuration file. Removed -l option
|
||||||
- Changed iptables rules in order to create a separated chain
|
- Changed iptables rules in order to create a separated chain for each section
|
||||||
for each section
|
|
||||||
- Fixed static banList in firewall.py
|
- Fixed static banList in firewall.py
|
||||||
- Added an initd script for Debian. Thanks to Yaroslav
|
- Added an initd script for Debian. Thanks to Yaroslav Halchenko
|
||||||
Halchenko
|
|
||||||
- Check for obsolete files after install
|
- Check for obsolete files after install
|
||||||
|
|
||||||
ver. 0.5.0 (2005/07/12) - beta
|
ver. 0.5.0 (2005/07/12) - beta
|
||||||
|
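Review bot: "create a separated chain for each section" should read "a separate chain for each section"; otherwise this hunk is reflow only.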
@ -365,24 +329,22 @@ ver. 0.5.0 (2005/07/12) - beta
|
||||||
- Added support for CIDR mask in ignoreip
|
- Added support for CIDR mask in ignoreip
|
||||||
- Added mail notification support
|
- Added mail notification support
|
||||||
- Fixed bug #1234699
|
- Fixed bug #1234699
|
||||||
- Added tags replacement in rules definition. Should allow a
|
- Added tags replacement in rules definition. Should allow a clean solution for
|
||||||
clean solution for Feature Request #1229479
|
Feature Request #1229479
|
||||||
- Removed "interface" and "firewall" options
|
- Removed "interface" and "firewall" options
|
||||||
- Added start and end commands in the configuration file.
|
- Added start and end commands in the configuration file. Thanks to Yaroslav
|
||||||
Thanks to Yaroslav Halchenko
|
Halchenko
|
||||||
- Added firewall rules definition in the configuration file
|
- Added firewall rules definition in the configuration file
|
||||||
- Cleaned fail2ban.py
|
- Cleaned fail2ban.py
|
||||||
- Added an initd script for RedHat/Fedora. Thanks to Andrey
|
- Added an initd script for RedHat/Fedora. Thanks to Andrey G. Grozin
|
||||||
G. Grozin
|
|
||||||
|
|
||||||
ver. 0.4.1 (2005/06/30) - stable
|
ver. 0.4.1 (2005/06/30) - stable
|
||||||
----------
|
----------
|
||||||
- Fixed textToDNS method which generated wrong matches for
|
- Fixed textToDNS method which generated wrong matches for "rhost=12-xyz...".
|
||||||
"rhost=12-xyz...". Thanks to Tom Pike
|
Thanks to Tom Pike
|
||||||
- fail2ban.conf modified for readability. Thanks to Iain Lea
|
- fail2ban.conf modified for readability. Thanks to Iain Lea
|
||||||
- Added an initd script for Gentoo
|
- Added an initd script for Gentoo
|
||||||
- Changed default PID lock file location from /tmp to
|
- Changed default PID lock file location from /tmp to /var/run
|
||||||
/var/run
|
|
||||||
|
|
||||||
ver. 0.4.0 (2005/04/24) - stable
|
ver. 0.4.0 (2005/04/24) - stable
|
||||||
----------
|
----------
|
||||||
|
@ -398,8 +360,8 @@ ver. 0.3.1 (2005/03/31) - beta
|
||||||
|
|
||||||
ver. 0.3.0 (2005/02/24) - beta
|
ver. 0.3.0 (2005/02/24) - beta
|
||||||
----------
|
----------
|
||||||
- Re-writting of parts of the code in order to handle several
|
- Re-writting of parts of the code in order to handle several log files with
|
||||||
log files with different rules
|
different rules
|
||||||
- Removed sshd.py because it is no more needed
|
- Removed sshd.py because it is no more needed
|
||||||
- Fixed a bug when exiting with IP in the ban list
|
- Fixed a bug when exiting with IP in the ban list
|
||||||
- Added PID lock file
|
- Added PID lock file
|
||||||
|
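Review bot: the reflowed lines still carry the typo "Re-writting" (should be "Rewriting"), and "because it is no more needed" reads better as "because it is no longer needed"; since these two entries are being rewrapped anyway, fix the wording in the same pass.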
@ -409,26 +371,22 @@ ver. 0.3.0 (2005/02/24) - beta
|
||||||
|
|
||||||
ver. 0.1.2 (2004/11/21) - beta
|
ver. 0.1.2 (2004/11/21) - beta
|
||||||
----------
|
----------
|
||||||
- Add ipfw and ipfwadm support. The rules are taken from
|
- Add ipfw and ipfwadm support. The rules are taken from BlockIt. Thanks to
|
||||||
BlockIt. Thanks to Robert Edeker
|
Robert Edeker
|
||||||
- Add -e option which allows to set the interface. Thanks to
|
- Add -e option which allows to set the interface. Thanks to Robert Edeker who
|
||||||
Robert Edeker who reminded me this
|
reminded me this
|
||||||
- Small code cleaning
|
- Small code cleaning
|
||||||
|
|
||||||
ver. 0.1.1 (2004/10/23) - beta
|
ver. 0.1.1 (2004/10/23) - beta
|
||||||
----------
|
----------
|
||||||
- Add SIGTERM handler in order to exit nicely when in daemon
|
- Add SIGTERM handler in order to exit nicely when in daemon mode
|
||||||
mode
|
- Add -r option which allows to set the maximum number of login failures
|
||||||
- Add -r option which allows to set the maximum number of
|
- Remove the Metalog class as the log file are not so syslog daemon specific
|
||||||
login failures
|
- Rewrite log reader to be service centered. Sshd support added. Match "Failed
|
||||||
- Remove the Metalog class as the log file are not so syslog
|
password" and "Illegal user"
|
||||||
daemon specific
|
|
||||||
- Rewrite log reader to be service centered. Sshd support
|
|
||||||
added. Match "Failed password" and "Illegal user"
|
|
||||||
- Add /etc/fail2ban.conf configuration support
|
- Add /etc/fail2ban.conf configuration support
|
||||||
- Code documentation
|
- Code documentation
|
||||||
|
|
||||||
|
|
||||||
ver. 0.1.0 (2004/10/12) - alpha
|
ver. 0.1.0 (2004/10/12) - alpha
|
||||||
----------
|
----------
|
||||||
- Initial release
|
- Initial release
|
||||||
|
|
94
README
94
README
|
@ -1,21 +1,19 @@
|
||||||
__ _ _ ___ _
|
__ _ _ ___ _
|
||||||
/ _|__ _(_) |_ ) |__ __ _ _ _
|
/ _|__ _(_) |_ ) |__ __ _ _ _
|
||||||
| _/ _` | | |/ /| '_ \/ _` | ' \
|
| _/ _` | | |/ /| '_ \/ _` | ' \
|
||||||
|_| \__,_|_|_/___|_.__/\__,_|_||_|
|
|_| \__,_|_|_/___|_.__/\__,_|_||_|
|
||||||
|
|
||||||
=============================================================
|
================================================================================
|
||||||
Fail2Ban (version 0.8.4) 2008/??/??
|
Fail2Ban (version 0.8.4) 2009/??/??
|
||||||
=============================================================
|
================================================================================
|
||||||
|
|
||||||
Fail2Ban scans log files like /var/log/pwdfail and bans IP
|
Fail2Ban scans log files like /var/log/pwdfail and bans IP that makes too many
|
||||||
that makes too many password failures. It updates firewall
|
password failures. It updates firewall rules to reject the IP address. These
|
||||||
rules to reject the IP address. These rules can be defined by
|
rules can be defined by the user. Fail2Ban can read multiple log files such as
|
||||||
the user. Fail2Ban can read multiple log files such as sshd
|
sshd or Apache web server ones.
|
||||||
or Apache web server ones.
|
|
||||||
|
|
||||||
This README is a quick introduction to Fail2ban. More
|
This README is a quick introduction to Fail2ban. More documentation, FAQ, HOWTOs
|
||||||
documentation, FAQ, HOWTOs are available on the project
|
are available on the project website: http://www.fail2ban.org
|
||||||
website: http://www.fail2ban.org
|
|
||||||
|
|
||||||
Installation:
|
Installation:
|
||||||
-------------
|
-------------
|
||||||
|
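Review bot: the rewrapped opening sentence keeps the grammatical slip "bans IP that makes too many password failures"; since the line is being touched, "bans IP addresses that make too many password failures" would read correctly. The banner date "2009/??/??" is still a placeholder and needs filling in before the 0.8.4 tag.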
@ -32,33 +30,32 @@ To install, just do:
|
||||||
> cd fail2ban-0.8.4
|
> cd fail2ban-0.8.4
|
||||||
> python setup.py install
|
> python setup.py install
|
||||||
|
|
||||||
This will install Fail2Ban into /usr/share/fail2ban. The
|
This will install Fail2Ban into /usr/share/fail2ban. The executable scripts are
|
||||||
executable scripts are placed into /usr/bin.
|
placed into /usr/bin.
|
||||||
|
|
||||||
It is possible that Fail2ban is already packaged for your
|
It is possible that Fail2ban is already packaged for your distribution. In this
|
||||||
distribution. In this case, you should use it.
|
case, you should use it.
|
||||||
|
|
||||||
Fail2Ban should be correctly installed now. Just type:
|
Fail2Ban should be correctly installed now. Just type:
|
||||||
|
|
||||||
> fail2ban-client -h
|
> fail2ban-client -h
|
||||||
|
|
||||||
to see if everything is alright. You should always use
|
to see if everything is alright. You should always use fail2ban-client and never
|
||||||
fail2ban-client and never call fail2ban-server directly.
|
call fail2ban-server directly.
|
||||||
|
|
||||||
Configuration:
|
Configuration:
|
||||||
--------------
|
--------------
|
||||||
|
|
||||||
You can configure Fail2ban using the files in /etc/fail2ban.
|
You can configure Fail2ban using the files in /etc/fail2ban. It is possible to
|
||||||
It is possible to configure the server using commands sent to
|
configure the server using commands sent to it by fail2ban-client. The available
|
||||||
it by fail2ban-client. The available commands are described
|
commands are described in the man page of fail2ban-client. Please refer to it or
|
||||||
in the man page of fail2ban-client. Please refer to it or to
|
to the website: http://www.fail2ban.org
|
||||||
the website: http://www.fail2ban.org
|
|
||||||
|
|
||||||
Contact:
|
Contact:
|
||||||
--------
|
--------
|
||||||
|
|
||||||
You need some new features, you found bugs or you just
|
You need some new features, you found bugs or you just appreciate this program,
|
||||||
appreciate this program, you can contact me at:
|
you can contact me at:
|
||||||
|
|
||||||
Website: http://www.fail2ban.org
|
Website: http://www.fail2ban.org
|
||||||
|
|
||||||
|
@ -67,34 +64,27 @@ Cyril Jaquier: <cyril.jaquier@fail2ban.org>
|
||||||
Thanks:
|
Thanks:
|
||||||
-------
|
-------
|
||||||
|
|
||||||
Kévin Drapel, Marvin Rouge, Sireyessire, Robert Edeker,
|
Kévin Drapel, Marvin Rouge, Sireyessire, Robert Edeker, Tom Pike, Iain Lea,
|
||||||
Tom Pike, Iain Lea, Andrey G. Grozin, Yaroslav Halchenko,
|
Andrey G. Grozin, Yaroslav Halchenko, Jonathan Kamens, Stephen Gildea, Markus
|
||||||
Jonathan Kamens, Stephen Gildea, Markus Hoffmann, Mark
|
Hoffmann, Mark Edgington, Patrick Börjesson, kojiro, zugeschmiert, Tyler, Nick
|
||||||
Edgington, Patrick Börjesson, kojiro, zugeschmiert, Tyler,
|
Munger, Christoph Haas, Justin Shore, Joël Bertrand, René Berber, mEDI, Axel
|
||||||
Nick Munger, Christoph Haas, Justin Shore, Joël Bertrand,
|
Thimm, Eric Gerbier, Christian Rauch, Michael C. Haller, Jonathan Underwood,
|
||||||
René Berber, mEDI, Axel Thimm, Eric Gerbier, Christian Rauch,
|
Hanno 'Rince' Wagner, Daniel B. Cid, David Nutter, Raphaël Marichez, Guillaume
|
||||||
Michael C. Haller, Jonathan Underwood, Hanno 'Rince' Wagner,
|
Delvit, Vaclav Misek, Adrien Clerc, Michael Hanselmann, Vincent Deffontaines,
|
||||||
Daniel B. Cid, David Nutter, Raphaël Marichez, Guillaume
|
Bill Heaton, Russell Odom, Christos Psonis and many others.
|
||||||
Delvit, Vaclav Misek, Adrien Clerc, Michael Hanselmann,
|
|
||||||
Vincent Deffontaines, Bill Heaton, Russell Odom and many
|
|
||||||
others.
|
|
||||||
|
|
||||||
License:
|
License:
|
||||||
--------
|
--------
|
||||||
|
|
||||||
Fail2Ban is free software; you can redistribute it
|
Fail2Ban is free software; you can redistribute it and/or modify it under the
|
||||||
and/or modify it under the terms of the GNU General Public
|
terms of the GNU General Public License as published by the Free Software
|
||||||
License as published by the Free Software Foundation; either
|
Foundation; either version 2 of the License, or (at your option) any later
|
||||||
version 2 of the License, or (at your option) any later
|
|
||||||
version.
|
version.
|
||||||
|
|
||||||
Fail2Ban is distributed in the hope that it will be
|
Fail2Ban is distributed in the hope that it will be useful, but WITHOUT ANY
|
||||||
useful, but WITHOUT ANY WARRANTY; without even the implied
|
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
|
||||||
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
PARTICULAR PURPOSE. See the GNU General Public License for more details.
|
||||||
PURPOSE. See the GNU General Public License for more
|
|
||||||
details.
|
|
||||||
|
|
||||||
You should have received a copy of the GNU General Public
|
You should have received a copy of the GNU General Public License along with
|
||||||
License along with Fail2Ban; if not, write to the Free
|
Fail2Ban; if not, write to the Free Software Foundation, Inc., 59 Temple Place,
|
||||||
Software Foundation, Inc., 59 Temple Place, Suite 330,
|
Suite 330, Boston, MA 02111-1307 USA
|
||||||
Boston, MA 02111-1307 USA
|
|
||||||
|
|
36
TODO
36
TODO
|
@ -1,11 +1,11 @@
|
||||||
__ _ _ ___ _
|
__ _ _ ___ _
|
||||||
/ _|__ _(_) |_ ) |__ __ _ _ _
|
/ _|__ _(_) |_ ) |__ __ _ _ _
|
||||||
| _/ _` | | |/ /| '_ \/ _` | ' \
|
| _/ _` | | |/ /| '_ \/ _` | ' \
|
||||||
|_| \__,_|_|_/___|_.__/\__,_|_||_|
|
|_| \__,_|_|_/___|_.__/\__,_|_||_|
|
||||||
|
|
||||||
=============================================================
|
================================================================================
|
||||||
ToDo $Revision: 653 $
|
ToDo $Revision$
|
||||||
=============================================================
|
================================================================================
|
||||||
|
|
||||||
Legend:
|
Legend:
|
||||||
- not yet done
|
- not yet done
|
||||||
|
@ -15,26 +15,24 @@ Legend:
|
||||||
|
|
||||||
- Removed relative imports
|
- Removed relative imports
|
||||||
|
|
||||||
- Cleanup fail2ban-client and fail2ban-server. Move code to
|
- Cleanup fail2ban-client and fail2ban-server. Move code to server/ and client/
|
||||||
server/ and client/
|
|
||||||
|
|
||||||
- Add timeout to external commands (signal alarm, watchdog
|
- Add timeout to external commands (signal alarm, watchdog thread, etc)
|
||||||
thread, etc)
|
|
||||||
|
|
||||||
- New backend: pyinotify
|
- New backend: pyinotify
|
||||||
|
|
||||||
- Uniformize filters and actions name. Use the software name
|
- Uniformize filters and actions name. Use the software name (openssh, postfix,
|
||||||
(openssh, postfix, proftp)
|
proftp)
|
||||||
|
|
||||||
- Added <USER> tag for failregex. Add features using this
|
- Added <USER> tag for failregex. Add features using this information. Maybe add
|
||||||
information. Maybe add more tags
|
more tags
|
||||||
|
|
||||||
- Look at the memory consumption. Decrease memory usage
|
- Look at the memory consumption. Decrease memory usage
|
||||||
|
|
||||||
- More detailed statistics
|
- More detailed statistics
|
||||||
|
|
||||||
- Auto-enable function (search for log files), check
|
- Auto-enable function (search for log files), check modification date to see if
|
||||||
modification date to see if service is still in use
|
service is still in use
|
||||||
|
|
||||||
- Improve parsing of the action parameters in jailreader.py
|
- Improve parsing of the action parameters in jailreader.py
|
||||||
|
|
||||||
|
@ -44,8 +42,8 @@ Legend:
|
||||||
|
|
||||||
- Multiline log reading
|
- Multiline log reading
|
||||||
|
|
||||||
- Improve execution of action. Why does subprocess.call
|
- Improve execution of action. Why does subprocess.call deadlock with
|
||||||
deadlock with multi-jails?
|
multi-jails?
|
||||||
|
|
||||||
# see Feature Request Tracking System at SourceForge.net
|
# see Feature Request Tracking System at SourceForge.net
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,57 @@
|
||||||
|
# Fail2Ban configuration file
|
||||||
|
#
|
||||||
|
# NetBSD ipfilter (ipf command) ban/unban
|
||||||
|
#
|
||||||
|
# Author: Ed Ravin <eravin@panix.com>
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
# Option: actionstart
|
||||||
|
# Notes.: command executed once at the start of Fail2Ban.
|
||||||
|
# Values: CMD
|
||||||
|
#
|
||||||
|
# enable IPF if not already enabled
|
||||||
|
actionstart = /sbin/ipf -E
|
||||||
|
|
||||||
|
|
||||||
|
# Option: actionstop
|
||||||
|
# Notes.: command executed once at the end of Fail2Ban
|
||||||
|
# Values: CMD
|
||||||
|
#
|
||||||
|
# don't disable IPF with "/sbin/ipf -D", there may be other filters in use
|
||||||
|
actionstop =
|
||||||
|
|
||||||
|
|
||||||
|
# Option: actioncheck
|
||||||
|
# Notes.: command executed once before each actionban command
|
||||||
|
# Values: CMD
|
||||||
|
#
|
||||||
|
actioncheck =
|
||||||
|
|
||||||
|
|
||||||
|
# Option: actionban
|
||||||
|
# Notes.: command executed when banning an IP. Take care that the
|
||||||
|
# command is executed with Fail2Ban user rights.
|
||||||
|
# Tags: <ip> IP address
|
||||||
|
# <failures> number of failures
|
||||||
|
# <time> unix timestamp of the ban time
|
||||||
|
# Values: CMD
|
||||||
|
#
|
||||||
|
actionban = echo block in quick from <ip>/32 | /sbin/ipf -f -
|
||||||
|
|
||||||
|
|
||||||
|
# Option: actionunban
|
||||||
|
# Notes.: command executed when unbanning an IP. Take care that the
|
||||||
|
# command is executed with Fail2Ban user rights.
|
||||||
|
# Tags: <ip> IP address
|
||||||
|
# <failures> number of failures
|
||||||
|
# <time> unix timestamp of the ban time
|
||||||
|
# Values: CMD
|
||||||
|
#
|
||||||
|
# note -r option used to remove matching rule
|
||||||
|
actionunban = echo block in quick from <ip>/32 | /sbin/ipf -r -f -
|
||||||
|
|
||||||
|
[Init]
|
||||||
|
|
|
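Review bot: `actioncheck` is left empty, so if the ipf rule set is flushed or reloaded outside Fail2Ban (an `ipf -Fa` at a firewall restart, say) the daemon never notices, will not re-run `actionstart`, and will later issue `actionunban` for rules that no longer exist; a check that lists the active rules (for example via `ipfstat -io`, assuming it is installed alongside `ipf`) would let Fail2Ban detect the loss and recover. Two smaller points: `block in quick from <ip>/32` hard-codes an IPv4 prefix length, acceptable for this release but worth a comment; and the header lacks the `# $Revision$` line the other new config files in this change carry.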
@ -11,7 +11,7 @@
|
||||||
# Notes.: regex to match the password failure messages in the logfile. The
|
# Notes.: regex to match the password failure messages in the logfile. The
|
||||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||||
# be used for standard IP/hostname matching and is only an alias for
|
# be used for standard IP/hostname matching and is only an alias for
|
||||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||||
# Values: TEXT
|
# Values: TEXT
|
||||||
#
|
#
|
||||||
failregex = [[]client <HOST>[]] user .* authentication failure
|
failregex = [[]client <HOST>[]] user .* authentication failure
|
||||||
|
|
|
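Review bot: in the new alias `(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)` the character class has two oddities: `_` is already covered by `\w`, and `^` placed mid-class is a literal caret, which never occurs in an IP address or hostname. If the intent is letters, digits, dot and hyphen, `[\w.-]+` says exactly that. This alias text is also copy-pasted into the comment block of every filter file touched here, so it will drift (the new sieve.conf in this same change already omits it); pointing the comments at a single description of `<HOST>` would avoid editing a dozen files the next time the template changes.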
@ -11,7 +11,7 @@
|
||||||
# Notes.: regex to match the password failure messages in the logfile. The
|
# Notes.: regex to match the password failure messages in the logfile. The
|
||||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||||
# be used for standard IP/hostname matching and is only an alias for
|
# be used for standard IP/hostname matching and is only an alias for
|
||||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||||
# Values: TEXT
|
# Values: TEXT
|
||||||
#
|
#
|
||||||
failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)
|
failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
#
|
#
|
||||||
# Author: Yaroslav Halchenko
|
# Author: Yaroslav Halchenko
|
||||||
#
|
#
|
||||||
# $Revision: $
|
# $Revision$
|
||||||
#
|
#
|
||||||
|
|
||||||
[INCLUDES]
|
[INCLUDES]
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
# Notes.: regex to match the password failures messages in the logfile. The
|
# Notes.: regex to match the password failures messages in the logfile. The
|
||||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||||
# be used for standard IP/hostname matching and is only an alias for
|
# be used for standard IP/hostname matching and is only an alias for
|
||||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||||
# Values: TEXT
|
# Values: TEXT
|
||||||
#
|
#
|
||||||
failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$
|
failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
# Notes.: regex to match the password failures messages in the logfile. The
|
# Notes.: regex to match the password failures messages in the logfile. The
|
||||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||||
# be used for standard IP/hostname matching and is only an alias for
|
# be used for standard IP/hostname matching and is only an alias for
|
||||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||||
# Values: TEXT
|
# Values: TEXT
|
||||||
#
|
#
|
||||||
failregex = error,relay=<HOST>,.*550 User unknown
|
failregex = error,relay=<HOST>,.*550 User unknown
|
||||||
|
|
|
@ -0,0 +1,26 @@
|
||||||
|
# Fail2Ban configuration file
|
||||||
|
#
|
||||||
|
# Author: Jan Wagner <waja@cyconet.org>
|
||||||
|
#
|
||||||
|
# $Revision$
|
||||||
|
#
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
# Option: failregex
|
||||||
|
# Notes.: regex to match the password failures messages in the logfile. The
|
||||||
|
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||||
|
# be used for standard IP/hostname matching and is only an alias for
|
||||||
|
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||||
|
# Values: TEXT
|
||||||
|
#
|
||||||
|
failregex = : badlogin: .*\[<HOST>\] plaintext .*SASL\(-13\): authentication failure: checkpass failed$
|
||||||
|
: badlogin: .*\[<HOST>\] LOGIN \[SASL\(-13\): authentication failure: checkpass failed\]$
|
||||||
|
: badlogin: .*\[<HOST>\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): authentication failure: incorrect (?:digest|NTLM) response\]$
|
||||||
|
: badlogin: .*\[<HOST>\] DIGEST-MD5 \[SASL\(-13\): authentication failure: client response doesn't match what we generated\]$
|
||||||
|
|
||||||
|
# Option: ignoreregex
|
||||||
|
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||||
|
# Values: TEXT
|
||||||
|
#
|
||||||
|
ignoreregex =
|
|
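Review bot: the first `failregex` alternative (`plaintext .*SASL\(-13\): authentication failure: checkpass failed$`) is shaped differently from the three that follow, which all wrap the SASL text in `\[...\]`; if that reflects a real difference in how Cyrus logs plaintext logins, a sample line for each of the four forms in a comment would let someone confirm the patterns with `fail2ban-regex` later. The open-ended `.*` between `plaintext` and `SASL` also deserves a look, since `\S+` or a more specific token would keep the match tied to the actual message layout.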
@ -11,7 +11,7 @@
|
||||||
# Notes.: regex to match the password failures messages in the logfile. The
|
# Notes.: regex to match the password failures messages in the logfile. The
|
||||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||||
# be used for standard IP/hostname matching and is only an alias for
|
# be used for standard IP/hostname matching and is only an alias for
|
||||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||||
# Values: TEXT
|
# Values: TEXT
|
||||||
#
|
#
|
||||||
failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address)
|
failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address)
|
||||||
|
|
|
@ -26,7 +26,7 @@ __line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
|
||||||
# Notes.: regex to match the password failures messages in the logfile.
|
# Notes.: regex to match the password failures messages in the logfile.
|
||||||
# Values: TEXT
|
# Values: TEXT
|
||||||
#
|
#
|
||||||
failregex = %(__line_prefix)sclient <HOST>#\S+: query(?: \(cache\))? '.*' denied\s*$
|
failregex = %(__line_prefix)sclient <HOST>#.+: query(?: \(cache\))? '.*' denied\s*$
|
||||||
|
|
||||||
# Option: ignoreregex
|
# Option: ignoreregex
|
||||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||||
|
|
|
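Review bot: replacing `#\S+:` with `#.+:` on the `failregex` line accepts anything at all between the client port and `: query`, not just the `view <name>` segment this change is meant to admit; `#\d+(?:: view \S+)?:` (assuming named prints the view as `: view <name>` right after the port, which a sample log line in a comment could confirm) would match the new format while keeping the expression tight, and would avoid the backtracking that a greedy `.+` followed by `'.*'` invites on long lines.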
@ -11,7 +11,7 @@
|
||||||
# Notes.: regex to match the password failures messages in the logfile. The
|
# Notes.: regex to match the password failures messages in the logfile. The
|
||||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||||
# be used for standard IP/hostname matching and is only an alias for
|
# be used for standard IP/hostname matching and is only an alias for
|
||||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||||
# Values: TEXT
|
# Values: TEXT
|
||||||
#
|
#
|
||||||
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
|
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
# Notes.: regex to match the password failures messages in the logfile. The
|
# Notes.: regex to match the password failures messages in the logfile. The
|
||||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||||
# be used for standard IP/hostname matching and is only an alias for
|
# be used for standard IP/hostname matching and is only an alias for
|
||||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||||
# Values: TEXT
|
# Values: TEXT
|
||||||
#
|
#
|
||||||
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
|
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
|
||||||
|
|
|
@ -16,7 +16,7 @@ __errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'ut
|
||||||
# Notes.: regex to match the password failures messages in the logfile. The
|
# Notes.: regex to match the password failures messages in the logfile. The
|
||||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||||
# be used for standard IP/hostname matching and is only an alias for
|
# be used for standard IP/hostname matching and is only an alias for
|
||||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||||
# Values: TEXT
|
# Values: TEXT
|
||||||
#
|
#
|
||||||
failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$
|
failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
# Notes.: regex to match the password failures messages in the logfile. The
|
# Notes.: regex to match the password failures messages in the logfile. The
|
||||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||||
# be used for standard IP/hostname matching and is only an alias for
|
# be used for standard IP/hostname matching and is only an alias for
|
||||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||||
# Values: TEXT
|
# Values: TEXT
|
||||||
#
|
#
|
||||||
failregex = (?:[\d,.]+[\d,.] rblsmtpd: |421 badiprbl: ip )<HOST>
|
failregex = (?:[\d,.]+[\d,.] rblsmtpd: |421 badiprbl: ip )<HOST>
|
||||||
|
|
|
@ -11,10 +11,10 @@
|
||||||
# Notes.: regex to match the password failures messages in the logfile. The
|
# Notes.: regex to match the password failures messages in the logfile. The
|
||||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||||
# be used for standard IP/hostname matching and is only an alias for
|
# be used for standard IP/hostname matching and is only an alias for
|
||||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||||
# Values: TEXT
|
# Values: TEXT
|
||||||
#
|
#
|
||||||
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
|
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
|
||||||
|
|
||||||
# Option: ignoreregex
|
# Option: ignoreregex
|
||||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||||
|
|
|
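Review bot: `(?i)` at the head of `failregex` makes the entire expression case-insensitive, including `warning` and `authentication failed`, not just the mechanism names in `(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)`; if only the mechanism spelling varies in the logs that prompted this, listing those variants keeps the rest exact. The appended `(: [A-Za-z0-9+/]*={0,2})?` is recognisably a base64 token but reads as an arbitrary class on its own, so a one-line comment stating what Postfix prints there (the base64-encoded text it appends after the failure message) would help the next maintainer.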
@ -0,0 +1,22 @@
|
||||||
|
# Fail2Ban configuration file
|
||||||
|
#
|
||||||
|
# Author: Jan Wagner <waja@cyconet.org>
|
||||||
|
#
|
||||||
|
# $Revision$
|
||||||
|
#
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
# Option: failregex
|
||||||
|
# Notes.: regex to match the password failures messages in the logfile. The
|
||||||
|
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||||
|
# be used for standard IP/hostname matching.
|
||||||
|
# Values: TEXT
|
||||||
|
#
|
||||||
|
failregex = : badlogin: .*\[<HOST>\] (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failure$
|
||||||
|
|
||||||
|
# Option: ignoreregex
|
||||||
|
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||||
|
# Values: TEXT
|
||||||
|
#
|
||||||
|
ignoreregex =
|
|
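Review bot: the `failregex` comment here says only "can be used for standard IP/hostname matching." and drops the "and is only an alias for (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)" line that this same commit adds to every other filter; keep the header consistent one way or the other. A sample `badlogin` line from the Sieve daemon in a comment would also let the single alternative `(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failure$` be checked with `fail2ban-regex`.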
@ -11,7 +11,7 @@
|
||||||
# Notes.: regex to match the password failures messages in the logfile. The
|
# Notes.: regex to match the password failures messages in the logfile. The
|
||||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||||
# be used for standard IP/hostname matching and is only an alias for
|
# be used for standard IP/hostname matching and is only an alias for
|
||||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||||
# Values: TEXT
|
# Values: TEXT
|
||||||
#
|
#
|
||||||
failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$
|
failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$
|
||||||
|
|
|
@ -20,7 +20,7 @@ _daemon = sshd
|
||||||
# Notes.: regex to match the password failures messages in the logfile. The
|
# Notes.: regex to match the password failures messages in the logfile. The
|
||||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||||
# be used for standard IP/hostname matching and is only an alias for
|
# be used for standard IP/hostname matching and is only an alias for
|
||||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||||
# Values: TEXT
|
# Values: TEXT
|
||||||
#
|
#
|
||||||
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
|
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
|
||||||
|
@ -31,7 +31,7 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* fro
|
||||||
^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
|
^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
|
||||||
^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
|
^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
|
||||||
^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
|
^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
|
||||||
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$
|
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
|
||||||
^%(__prefix_line)sUser \S+ from <HOST> not allowed because none of user's groups are listed in AllowGroups$
|
^%(__prefix_line)sUser \S+ from <HOST> not allowed because none of user's groups are listed in AllowGroups$
|
||||||
|
|
||||||
# Option: ignoreregex
|
# Option: ignoreregex
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
# Notes.: regex to match the password failures messages in the logfile. The
|
# Notes.: regex to match the password failures messages in the logfile. The
|
||||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||||
# be used for standard IP/hostname matching and is only an alias for
|
# be used for standard IP/hostname matching and is only an alias for
|
||||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||||
# Values: TEXT
|
# Values: TEXT
|
||||||
#
|
#
|
||||||
failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
|
failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
|
||||||
|
|
|
@ -15,7 +15,7 @@
|
||||||
# Notes.: regex to match the password failure messages in the logfile. The
|
# Notes.: regex to match the password failure messages in the logfile. The
|
||||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||||
# be used for standard IP/hostname matching and is only an alias for
|
# be used for standard IP/hostname matching and is only an alias for
|
||||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||||
# Values: TEXT
|
# Values: TEXT
|
||||||
#
|
#
|
||||||
failregex = webmin.* Non-existent login as .+ from <HOST>$
|
failregex = webmin.* Non-existent login as .+ from <HOST>$
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
# Notes.: regex to match the password failures messages in the logfile. The
|
# Notes.: regex to match the password failures messages in the logfile. The
|
||||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||||
# be used for standard IP/hostname matching and is only an alias for
|
# be used for standard IP/hostname matching and is only an alias for
|
||||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||||
# Values: TEXT
|
# Values: TEXT
|
||||||
#
|
#
|
||||||
# Cfr.: /var/log/(daemon\.|sys)log
|
# Cfr.: /var/log/(daemon\.|sys)log
|
||||||
|
|
|
@ -178,7 +178,7 @@ ignoreip = 168.192.0.1
|
||||||
# category security {
|
# category security {
|
||||||
# security_file;
|
# security_file;
|
||||||
# };
|
# };
|
||||||
# }
|
# };
|
||||||
#
|
#
|
||||||
# in your named.conf to provide proper logging.
|
# in your named.conf to provide proper logging.
|
||||||
# This jail blocks UDP traffic for DNS requests.
|
# This jail blocks UDP traffic for DNS requests.
|
||||||
|
|
|
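Review bot: the added `;` after the closing `}` is correct for named.conf, but the context shown in the hunk header, `ignoreip = 168.192.0.1`, looks like a transposed `192.168.0.1`; as written it whitelists an address in public space rather than the private range the example presumably intends, and since `ignoreip` exempts that host from banning it is worth correcting while this jail is being edited.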
@ -0,0 +1,106 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# Usage: ./check_fail2ban
|
||||||
|
###############################################################################################
|
||||||
|
# Description:
|
||||||
|
# This plugin will check the status of Fail2ban.
|
||||||
|
#
|
||||||
|
# Created: 2008-10-25 (Sebastian Mueller)
|
||||||
|
#
|
||||||
|
# Changes: 2008-10-26 fixed some issues (Sebastian Mueller)
|
||||||
|
# Changes: 2009-01-25 add the second check, when server is not replying and the
|
||||||
|
# process is hang-up (Sebastian Mueller)
|
||||||
|
#
|
||||||
|
# please visit my website http://www.elchtest.eu or my personal WIKI http://wiki.elchtest.eu
|
||||||
|
#
|
||||||
|
################################################################################################
|
||||||
|
# if you have any questions, send a mail to linux@krabbe-offline.de
|
||||||
|
#
|
||||||
|
# this script is for my personal use. read the script before running/using it!!!
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# YOU HAVE BEEN WARNED. THIS MAY DESTROY YOUR MACHINE. I ACCEPT NO RESPONSIBILITY.
|
||||||
|
###############################################################################################
|
||||||
|
|
||||||
|
|
||||||
|
SECOND_CHECK=0
|
||||||
|
STATE_OK=0
|
||||||
|
STATE_CRITICAL=2
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
# Read the Status from fail2ban-client
|
||||||
|
######################################################################
|
||||||
|
check_processes_fail2ban()
|
||||||
|
{
|
||||||
|
|
||||||
|
F2B=`sudo -u root fail2ban-client ping | awk -F " " '{print $3}'`
|
||||||
|
exit_fail2ban=0
|
||||||
|
|
||||||
|
if [[ $F2B = "pong" ]]; then
|
||||||
|
exit_fail2ban=$STATE_OK
|
||||||
|
else
|
||||||
|
exit_fail2ban=$STATE_CRITICAL
|
||||||
|
fi
|
||||||
|
|
||||||
|
}
|
||||||
|
######################################################################
|
||||||
|
# first check in the Background, PID will be killed when no response
|
||||||
|
# after 10 seconds, might be possible, otherwise the scipt will be
|
||||||
|
# pressent in your memory all the time
|
||||||
|
#
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
check_processes_fail2ban &
|
||||||
|
pid=$!
|
||||||
|
|
||||||
|
typeset -i i=0
|
||||||
|
while ps $pid >/dev/null
|
||||||
|
do
|
||||||
|
sleep 1
|
||||||
|
i=$i+1
|
||||||
|
if [ $i -ge 10 ]
|
||||||
|
then
|
||||||
|
kill $pid
|
||||||
|
SECOND_CHECK=1
|
||||||
|
exit_fail2ban=$STATE_CRITICAL
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
# when the Server response (doesent mean the FAIL2BAN is working)
|
||||||
|
# in the first step, then it will run again and test the Service
|
||||||
|
# and provide the real status
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
|
||||||
|
if [ $SECOND_CHECK -eq 0 ]; then
|
||||||
|
check_processes_fail2ban
|
||||||
|
elif [ $SECOND_CHECK -eq 1 ]; then
|
||||||
|
exit_fail2ban=$STATE_CRITICAL
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
# Mainmenu
|
||||||
|
######################################################################
|
||||||
|
|
||||||
|
|
||||||
|
final_exit=$exit_fail2ban
|
||||||
|
if [ $final_exit -eq 0 ]; then
|
||||||
|
echo "SYSTEM OK - Fail2ban is working normaly"
|
||||||
|
exitstatus=$STATE_OK
|
||||||
|
elif [ $final_exit -ne "0" ]; then
|
||||||
|
echo "SYSTEM WARNING - Fail2Ban is not working"
|
||||||
|
######################################################################
|
||||||
|
# If don't have a Nagios Server for monitoring, remove the comment and
|
||||||
|
# add your Mail Addres. You can check it with a Cron Job once a hour.
|
||||||
|
# put a txt file on your server and describe how to fix the issue, this
|
||||||
|
# could be attached to the mail.
|
||||||
|
######################################################################
|
||||||
|
# mutt -s "FAIL2BAN NOT WORKING" your@email.com < /home/f2ban.txt
|
||||||
|
|
||||||
|
exitstatus=$STATE_CRITICAL
|
||||||
|
fi
|
||||||
|
exit $exitstatus
|
|
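Review bot: the failure branch prints `echo "SYSTEM WARNING - Fail2Ban is not working"` but exits with `exitstatus=$STATE_CRITICAL`, so Nagios will show CRITICAL with a message that says WARNING; either define `STATE_WARNING=1` and exit with it, or (better, since a dead fail2ban is a real exposure) label the output CRITICAL and prefix it with the service name, e.g. `FAIL2BAN CRITICAL - ...`, so notifications can be filtered on it. The watchdog loop only kills the backgrounded shell function (`kill $pid`), not the `fail2ban-client ping` it spawned, so a client that hangs on a dead socket is left behind after every check; running the client under GNU `timeout 10 fail2ban-client ping`, or killing the process group, replaces the hand-rolled `ps $pid` polling and the leak. `exit_fail2ban` assigned inside the backgrounded function never reaches the parent shell, which is why the foreground re-run is needed; a comment saying so would spare the next reader the puzzle. `sudo -u root fail2ban-client ping` requires a sudoers entry for the monitoring user; scope that entry to exactly `fail2ban-client ping` (NOPASSWD for that command only), because the same binary can also unban and reconfigure. Finally, fix the typos in the user-visible string (`normaly`) and in the comments (`scipt`, `pressent`, `doesent`, `Addres`).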
@ -0,0 +1,18 @@
|
||||||
|
It seems that Fail2ban is currently not working, please login and check
|
||||||
|
|
||||||
|
HELP:
|
||||||
|
|
||||||
|
1.) stop the Service
|
||||||
|
/etc/init.d/fail2ban stop
|
||||||
|
|
||||||
|
2.) delete the socket if avalible
|
||||||
|
rm /tmp/fail2ban.sock
|
||||||
|
|
||||||
|
3.) start the Service
|
||||||
|
/etc/init.d/fail2ban start
|
||||||
|
|
||||||
|
4.) check if fail2ban is working
|
||||||
|
fail2ban-client ping
|
||||||
|
Answer should be "pong"
|
||||||
|
|
||||||
|
5.) if the answer is not "pong" run away or CRY FOR HELP ;-)
|
|
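Review bot: step 2, `rm /tmp/fail2ban.sock`, tells the operator to delete the socket unconditionally, whereas the init-script change in this same commit only removes it when `lsof` shows no process holding it; the help text should give the same instruction (confirm no fail2ban-server process is running first), otherwise a slow but live server loses its control socket and `fail2ban-client` can no longer reach it. The path is also hard-coded here while the init script uses `$FAIL2BAN_SOCKET`; say that the path follows the `socket` setting in fail2ban.conf so the text stays right on hosts that moved it. Spelling: `avalible`.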
@ -35,6 +35,13 @@ rc_reset
|
||||||
case "$1" in
|
case "$1" in
|
||||||
start)
|
start)
|
||||||
echo -n "Starting Fail2Ban "
|
echo -n "Starting Fail2Ban "
|
||||||
|
# a cleanup workaround, since /etc/init.d/boot.local removes only.
|
||||||
|
# regular files, and not sockets
|
||||||
|
if test -e $FAIL2BAN_SOCKET; then
|
||||||
|
if ! lsof -n $FAIL2BAN_SOCKET &>/dev/null; then
|
||||||
|
rm $FAIL2BAN_SOCKET
|
||||||
|
fi
|
||||||
|
fi
|
||||||
/sbin/startproc $FAIL2BAN_BIN start &>/dev/null
|
/sbin/startproc $FAIL2BAN_BIN start &>/dev/null
|
||||||
rc_status -v
|
rc_status -v
|
||||||
;;
|
;;
|
||||||
|
|
|
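Review bot: `if ! lsof -n $FAIL2BAN_SOCKET &>/dev/null; then` followed by `rm $FAIL2BAN_SOCKET` removes the socket whenever lsof returns non-zero, and lsof also returns non-zero when it is not installed (command not found) or when the caller cannot see the owning process, so on such a host the socket of a running server would be deleted at every `start`. Guard the branch with a presence test for lsof (or probe the socket with `fail2ban-client ping`, which this commit already relies on in the Nagios plugin) and leave the file alone when the check cannot be made. Quote `"$FAIL2BAN_SOCKET"` in the `test -e`, `lsof` and `rm` lines, and use `rm -f` so a file that vanishes between the test and the rm does not abort the start sequence.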
@ -44,7 +44,7 @@ class DateDetector:
|
||||||
# standard
|
# standard
|
||||||
template = DateStrptime()
|
template = DateStrptime()
|
||||||
template.setName("MONTH Day Hour:Minute:Second")
|
template.setName("MONTH Day Hour:Minute:Second")
|
||||||
template.setRegex("^\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}")
|
template.setRegex("\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}")
|
||||||
template.setPattern("%b %d %H:%M:%S")
|
template.setPattern("%b %d %H:%M:%S")
|
||||||
self.__templates.append(template)
|
self.__templates.append(template)
|
||||||
# asctime
|
# asctime
|
||||||
|
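Review bot: dropping the `^` in `template.setRegex("\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}")` lets the standard syslog template match anywhere in the line, which is what the prefixed-log case needed, but `\S{3}` is very permissive and this template is listed first in the hunk, so any three non-space characters followed by a day and a time later in the line, including text the remote client put into the message (a username, a URL), can now be taken as the timestamp and shift the recorded time of the failure. Anchor to a boundary such as `(?:^|\s)` or `\b`, and if a known log prefix has to be skipped, prefer a template that matches that prefix explicitly over an unanchored search.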
@ -77,6 +77,12 @@ class DateDetector:
|
||||||
template.setRegex("\d{2}/\S{3}/\d{4}:\d{2}:\d{2}:\d{2}")
|
template.setRegex("\d{2}/\S{3}/\d{4}:\d{2}:\d{2}:\d{2}")
|
||||||
template.setPattern("%d/%b/%Y:%H:%M:%S")
|
template.setPattern("%d/%b/%Y:%H:%M:%S")
|
||||||
self.__templates.append(template)
|
self.__templates.append(template)
|
||||||
|
# CPanel 05/20/2008:01:57:39
|
||||||
|
template = DateStrptime()
|
||||||
|
template.setName("Month/Day/Year:Hour:Minute:Second")
|
||||||
|
template.setRegex("\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}")
|
||||||
|
template.setPattern("%m/%d/%Y:%H:%M:%S")
|
||||||
|
self.__templates.append(template)
|
||||||
# Exim 2006-12-21 06:43:20
|
# Exim 2006-12-21 06:43:20
|
||||||
template = DateStrptime()
|
template = DateStrptime()
|
||||||
template.setName("Year-Month-Day Hour:Minute:Second")
|
template.setName("Year-Month-Day Hour:Minute:Second")
|
||||||
|
|
|
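Review bot: the new template `template.setRegex("\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}")` with `template.setPattern("%m/%d/%Y:%H:%M:%S")` is inserted between the Apache and Exim templates, and since the detector returns the first template whose regex matches, the comment should state that CPanel writes the month first: for days up to 12 the string is ambiguous between m/d/Y and d/m/Y, and a day-first log with the same shape would be parsed with month and day swapped whenever both are 12 or less. No date-detector test accompanies the template in the visible test changes; add a sample line (the `# CPanel 05/20/2008:01:57:39` comment already gives one) to the tests.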
@ -132,7 +132,7 @@ class DateStrptime(DateTemplate):
|
||||||
conv = self.convertLocale(dateMatch.group())
|
conv = self.convertLocale(dateMatch.group())
|
||||||
try:
|
try:
|
||||||
date = list(time.strptime(conv, self.getPattern()))
|
date = list(time.strptime(conv, self.getPattern()))
|
||||||
except ValueError:
|
except ValueError, e:
|
||||||
# Try to add the current year to the pattern. Should fix
|
# Try to add the current year to the pattern. Should fix
|
||||||
# the "Feb 29" issue.
|
# the "Feb 29" issue.
|
||||||
conv += " %s" % MyTime.gmtime()[0]
|
conv += " %s" % MyTime.gmtime()[0]
|
||||||
|
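Review bot: `except ValueError, e:` binds the exception but `e` is not used anywhere in the visible lines; either log it (the fallback that appends the current year retries silently, so the original message helps when that retry also fails) or keep the bare `except ValueError:` form. The comma syntax is Python 2 only; `except ValueError as e:` works from 2.6 on and is the form that survives in Python 3.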
@ -187,6 +187,5 @@ class DateISO8601(DateTemplate):
|
||||||
if dateMatch:
|
if dateMatch:
|
||||||
# Parses the date.
|
# Parses the date.
|
||||||
value = dateMatch.group()
|
value = dateMatch.group()
|
||||||
print value
|
date = list(iso8601.parse_date(value).timetuple())
|
||||||
date = list(iso8601.parse_date(value).utctimetuple())
|
|
||||||
return date
|
return date
|
||||||
|
|
|
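Review bot: `date = list(iso8601.parse_date(value).timetuple())` changes the semantics, not just the call: `timetuple()` on the timezone-aware datetime returned by `iso8601.parse_date` yields the wall-clock fields as written in the log and discards the parsed offset, whereas `utctimetuple()` first converted to UTC. That matches the other templates, which produce local wall-clock tuples via `time.strptime`, only when the offset in the log equals the host's local zone; a log stamped `+00:00` on a host in another zone will be off by the local offset, which is what findtime and bantime arithmetic then operate on. Rather than pick one of the two, convert explicitly using the parsed offset and return a tuple in the representation the caller expects, and document that choice next to the call. Removing `print value` is the right call; a daemon should not emit debug output on stdout.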
@ -34,6 +34,7 @@ class FailData:
|
||||||
def __init__(self):
|
def __init__(self):
|
||||||
self.__retry = 0
|
self.__retry = 0
|
||||||
self.__lastTime = 0
|
self.__lastTime = 0
|
||||||
|
self.__lastReset = 0
|
||||||
|
|
||||||
def setRetry(self, value):
|
def setRetry(self, value):
|
||||||
self.__retry = value
|
self.__retry = value
|
||||||
|
@ -50,4 +51,9 @@ class FailData:
|
||||||
|
|
||||||
def getLastTime(self):
|
def getLastTime(self):
|
||||||
return self.__lastTime
|
return self.__lastTime
|
||||||
|
|
||||||
|
def getLastReset(self):
|
||||||
|
return self.__lastReset
|
||||||
|
|
||||||
|
def setLastReset(self, value):
|
||||||
|
self.__lastReset = value
|
||||||
|
|
|
@ -90,11 +90,15 @@ class FailManager:
|
||||||
unixTime = ticket.getTime()
|
unixTime = ticket.getTime()
|
||||||
if self.__failList.has_key(ip):
|
if self.__failList.has_key(ip):
|
||||||
fData = self.__failList[ip]
|
fData = self.__failList[ip]
|
||||||
|
if fData.getLastReset() < unixTime - self.__maxTime:
|
||||||
|
fData.setLastReset(unixTime)
|
||||||
|
fData.setRetry(0)
|
||||||
fData.inc()
|
fData.inc()
|
||||||
fData.setLastTime(unixTime)
|
fData.setLastTime(unixTime)
|
||||||
else:
|
else:
|
||||||
fData = FailData()
|
fData = FailData()
|
||||||
fData.inc()
|
fData.inc()
|
||||||
|
fData.setLastReset(unixTime)
|
||||||
fData.setLastTime(unixTime)
|
fData.setLastTime(unixTime)
|
||||||
self.__failList[ip] = fData
|
self.__failList[ip] = fData
|
||||||
self.__failTotal += 1
|
self.__failTotal += 1
|
||||||
|
|
|
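Review bot: the reset `if fData.getLastReset() < unixTime - self.__maxTime:` followed by `fData.setLastReset(unixTime)` and `fData.setRetry(0)` makes findtime a fixed window that restarts at the first failure after expiry, not a sliding window over the last findtime seconds. A source that paces its attempts can therefore make maxretry-1 failures, wait for the window to expire, and make maxretry-1 more, so the tolerated rate is close to double the configured maxretry per findtime; the added `testWindow` case only exercises the spacing that avoids a ban. If the fixed window is intended, say so in a comment beside the check; if a sliding window is intended, keep the failure timestamps (a list pruned to entries newer than `unixTime - self.__maxTime`) instead of a counter plus reset time.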
@ -44,7 +44,7 @@ class Regex:
|
||||||
self._matchCache = None
|
self._matchCache = None
|
||||||
# Perform shortcuts expansions.
|
# Perform shortcuts expansions.
|
||||||
# Replace "<HOST>" with default regular expression for host.
|
# Replace "<HOST>" with default regular expression for host.
|
||||||
regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>\S+)")
|
regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)")
|
||||||
if regex.lstrip() == '':
|
if regex.lstrip() == '':
|
||||||
raise RegexException("Cannot add empty regex")
|
raise RegexException("Cannot add empty regex")
|
||||||
try:
|
try:
|
||||||
|
|
|
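Review bot: the new default `regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)")` is a real improvement over `\S+`, which let a filter capture trailing punctuation or an attacker-supplied token as the host, but the class has two oddities: `_` is already in `\w`, and `^` inside a character class is a literal caret, so unless a log is known to contain carets in hostnames it should go, leaving `[\w\-.]+`. Also document that the class excludes `:`, so a bare IPv6 address never matches `<HOST>` and only the IPv4-mapped form behind the optional `::ffff:` prefix is tolerated; filters that previously matched IPv6 hosts through `\S+` will stop matching them after this change.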
@ -492,7 +492,7 @@ import socket, struct
|
||||||
|
|
||||||
class DNSUtils:
|
class DNSUtils:
|
||||||
|
|
||||||
IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3}")
|
IP_CRE = re.compile("^(?:\d{1,3}\.){3}\d{1,3}$")
|
||||||
|
|
||||||
#@staticmethod
|
#@staticmethod
|
||||||
def dnsToIp(dns):
|
def dnsToIp(dns):
|
||||||
|
|
|
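Review bot: anchoring `IP_CRE = re.compile("^(?:\d{1,3}\.){3}\d{1,3}$")` is correct, since the unanchored form accepted any hostname with a dotted quad embedded in it, but `\d{1,3}` still accepts octets above 255 (`999.1.1.1`), so a value that passes this test as an IP and is handed to a ban action unvalidated is not guaranteed to be a usable address. `socket` is already imported (hunk header: `import socket, struct`), so validate with `socket.inet_aton` after the regex, or at least reject octets greater than 255 before treating the string as an IP.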
@ -39,7 +39,12 @@ class AddFailure(unittest.TestCase):
|
||||||
['193.168.0.128', 1167605999.0],
|
['193.168.0.128', 1167605999.0],
|
||||||
['87.142.124.10', 1167605999.0],
|
['87.142.124.10', 1167605999.0],
|
||||||
['87.142.124.10', 1167605999.0],
|
['87.142.124.10', 1167605999.0],
|
||||||
['87.142.124.10', 1167605999.0]]
|
['87.142.124.10', 1167605999.0],
|
||||||
|
['100.100.10.10', 1000000000.0],
|
||||||
|
['100.100.10.10', 1000000500.0],
|
||||||
|
['100.100.10.10', 1000001000.0],
|
||||||
|
['100.100.10.10', 1000001500.0],
|
||||||
|
['100.100.10.10', 1000002000.0]]
|
||||||
|
|
||||||
self.__failManager = FailManager()
|
self.__failManager = FailManager()
|
||||||
for i in self.__items:
|
for i in self.__items:
|
||||||
|
@ -49,7 +54,7 @@ class AddFailure(unittest.TestCase):
|
||||||
"""Call after every test case."""
|
"""Call after every test case."""
|
||||||
|
|
||||||
def testAdd(self):
|
def testAdd(self):
|
||||||
self.assertEqual(self.__failManager.size(), 2)
|
self.assertEqual(self.__failManager.size(), 3)
|
||||||
|
|
||||||
def _testDel(self):
|
def _testDel(self):
|
||||||
self.__failManager.delFailure('193.168.0.128')
|
self.__failManager.delFailure('193.168.0.128')
|
||||||
|
@ -76,3 +81,10 @@ class AddFailure(unittest.TestCase):
|
||||||
def testbanNOK(self):
|
def testbanNOK(self):
|
||||||
self.__failManager.setMaxRetry(10)
|
self.__failManager.setMaxRetry(10)
|
||||||
self.assertRaises(FailManagerEmpty, self.__failManager.toBan)
|
self.assertRaises(FailManagerEmpty, self.__failManager.toBan)
|
||||||
|
|
||||||
|
def testWindow(self):
|
||||||
|
ticket = self.__failManager.toBan()
|
||||||
|
self.assertNotEqual(ticket.getIP(), "100.100.10.10")
|
||||||
|
ticket = self.__failManager.toBan()
|
||||||
|
self.assertNotEqual(ticket.getIP(), "100.100.10.10")
|
||||||
|
self.assertRaises(FailManagerEmpty, self.__failManager.toBan)
|
||||||
|
|
|
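Review bot: `testWindow` asserts only that the two `toBan()` results are not `100.100.10.10` and then that the manager is empty, which proves the spaced attempts do not ban, but not that a source which resumes inside a fresh window is still banned; add the positive sequence (failures with a gap longer than the window, then maxretry failures inside it, with `toBan()` returning that IP). Also call `setMaxTime` and `setMaxRetry` explicitly in the test rather than relying on the manager's defaults, since the 500-second spacing of the fixture items only means something relative to the configured window.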
@ -99,7 +99,7 @@ class GetFailures(unittest.TestCase):
|
||||||
output = ('193.168.0.128', 3, 1124013599.0)
|
output = ('193.168.0.128', 3, 1124013599.0)
|
||||||
|
|
||||||
self.__filter.addLogPath(GetFailures.FILENAME_01)
|
self.__filter.addLogPath(GetFailures.FILENAME_01)
|
||||||
self.__filter.addFailRegex("(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S*)")
|
self.__filter.addFailRegex("(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) <HOST>")
|
||||||
|
|
||||||
self.__filter.getFailures(GetFailures.FILENAME_01)
|
self.__filter.getFailures(GetFailures.FILENAME_01)
|
||||||
|
|
||||||
|
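Review bot: switching the test regex to `... (?: from|FROM) <HOST>` is fine, but it couples this test to the default in regex.py: the unchanged expectation `output = ('193.168.0.128', 3, 1124013599.0)` now also certifies that every host in the fixture fits `[\w\-.^_]+`, which is the point of the change, so add a fixture line whose host the old `\S*` accepted and the new class rejects (a host followed by punctuation, or a bracketed address) and assert it is not counted; that documents the stricter behaviour instead of leaving it implicit.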
@ -116,7 +116,7 @@ class GetFailures(unittest.TestCase):
|
||||||
output = ('141.3.81.106', 4, 1124013539.0)
|
output = ('141.3.81.106', 4, 1124013539.0)
|
||||||
|
|
||||||
self.__filter.addLogPath(GetFailures.FILENAME_02)
|
self.__filter.addLogPath(GetFailures.FILENAME_02)
|
||||||
self.__filter.addFailRegex("Failed .* (?:::f{4,6}:)(?P<host>\S*)")
|
self.__filter.addFailRegex("Failed .* from <HOST>")
|
||||||
|
|
||||||
self.__filter.getFailures(GetFailures.FILENAME_02)
|
self.__filter.getFailures(GetFailures.FILENAME_02)
|
||||||
|
|
||||||
|
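Review bot: the old regex `"Failed .* (?:::f{4,6}:)(?P<host>\S*)"` required the IPv4-mapped prefix, while `"Failed .* from <HOST>"` makes it optional and additionally requires the literal `from`; with `output = ('141.3.81.106', 4, 1124013539.0)` unchanged the fixture evidently satisfies both, but a comment on the test naming the line shapes FILENAME_02 contains would make that visible to the next person who edits the default host regex.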
@ -133,7 +133,7 @@ class GetFailures(unittest.TestCase):
|
||||||
output = ('203.162.223.135', 6, 1124013544.0)
|
output = ('203.162.223.135', 6, 1124013544.0)
|
||||||
|
|
||||||
self.__filter.addLogPath(GetFailures.FILENAME_03)
|
self.__filter.addLogPath(GetFailures.FILENAME_03)
|
||||||
self.__filter.addFailRegex("error,relay=(?:::f{4,6}:)?(?P<host>\S*),.*550 User unknown")
|
self.__filter.addFailRegex("error,relay=<HOST>,.*550 User unknown")
|
||||||
|
|
||||||
self.__filter.getFailures(GetFailures.FILENAME_03)
|
self.__filter.getFailures(GetFailures.FILENAME_03)
|
||||||
|
|
||||||
|
@ -151,7 +151,7 @@ class GetFailures(unittest.TestCase):
|
||||||
('212.41.96.185', 4, 1124013598.0)]
|
('212.41.96.185', 4, 1124013598.0)]
|
||||||
|
|
||||||
self.__filter.addLogPath(GetFailures.FILENAME_04)
|
self.__filter.addLogPath(GetFailures.FILENAME_04)
|
||||||
self.__filter.addFailRegex("Invalid user .* (?P<host>\S*)")
|
self.__filter.addFailRegex("Invalid user .* <HOST>")
|
||||||
|
|
||||||
self.__filter.getFailures(GetFailures.FILENAME_04)
|
self.__filter.getFailures(GetFailures.FILENAME_04)
|
||||||
|
|
||||||
|
|