mirror of https://github.com/fail2ban/fail2ban
Merge commit 'upstream-repo/FAIL2BAN-0_8' into upstream
* commit 'upstream-repo/FAIL2BAN-0_8': - Use 80 columns. - Fixed maxretry/findtime rate. Many thanks to Christos Psonis. Tracker #2019714. - Made the named-refused regex a bit less restrictive in order to match logs with "view". Thanks to Stephen Gildea. - Use timetuple instead of utctimetuple for ISO 8601. Maybe not a 100% correct fix but seems to work. Tracker #2500276. - Changed <HOST> template to be more restrictive. Debian bug #514163. - Added cyrus-imap and sieve filters. Thanks to Jan Wagner. Debian bug #513953. - Pull a commit from Yaroslav git repo. BF: addressing added bang to ssh log (closes: #512193). - Added missing semi-colon in the bind9 example. Thanks to Yaroslav Halchenko. - Added NetBSD ipfilter (ipf command) action. Thanks to Ed Ravin. Tracker #2484115. - Improved SASL filter. Thanks to Loic Pefferkorn. Tracker #2310410. - Added CPanel date format. Thanks to David Collins. Tracker #1967610. - Added nagios script. Thanks to Sebastian Mueller. - Removed print. - Removed begin-line anchor for "standard" timestamp. Fixed Debian bug #500824. - Remove socket file on startup is fail2ban crashed. Thanks to Detlef Reichelt. Conflicts: MANIFEST TODOdebian-upstream
commit
fec4e7d286
392
ChangeLog
392
ChangeLog
|
@ -3,107 +3,100 @@
|
|||
| _/ _` | | |/ /| '_ \/ _` | ' \
|
||||
|_| \__,_|_|_/___|_.__/\__,_|_||_|
|
||||
|
||||
=============================================================
|
||||
Fail2Ban (version 0.8.4) 2008/??/??
|
||||
=============================================================
|
||||
================================================================================
|
||||
Fail2Ban (version 0.8.4) 2009/02/??
|
||||
================================================================================
|
||||
|
||||
ver. 0.8.4 (2008/??/??) - stable
|
||||
ver. 0.8.4 (2009/??/??) - stable
|
||||
----------
|
||||
- Merged patches from Debian package. Thanks to Yaroslav
|
||||
Halchenko.
|
||||
- Use current day and month instead of Jan 1st if both are
|
||||
not available in the log. Thanks to Andreas Itzchak
|
||||
Rehberg.
|
||||
- Try to match the regex even if the line does not contain a
|
||||
valid date/time. Described in Debian #491253. Thanks to
|
||||
Yaroslav Halchenko.
|
||||
- Merged patches from Debian package. Thanks to Yaroslav Halchenko.
|
||||
- Use current day and month instead of Jan 1st if both are not available in the
|
||||
log. Thanks to Andreas Itzchak Rehberg.
|
||||
- Try to match the regex even if the line does not contain a valid date/time.
|
||||
Described in Debian #491253. Thanks to Yaroslav Halchenko.
|
||||
- Added/improved filters and date formats.
|
||||
- Added actions to report abuse to ISP, DShield and
|
||||
myNetWatchman. Thanks to Russell Odom.
|
||||
- Added actions to report abuse to ISP, DShield and myNetWatchman. Thanks to
|
||||
Russell Odom.
|
||||
- Suse init script. Remove socket file on startup is fail2ban crashed. Thanks to
|
||||
Detlef Reichelt.
|
||||
- Removed begin-line anchor for "standard" timestamp. Fixed Debian bug #500824.
|
||||
- Added nagios script. Thanks to Sebastian Mueller.
|
||||
- Added CPanel date format. Thanks to David Collins. Tracker #1967610.
|
||||
- Improved SASL filter. Thanks to Loic Pefferkorn. Tracker #2310410.
|
||||
- Added NetBSD ipfilter (ipf command) action. Thanks to Ed Ravin. Tracker
|
||||
#2484115.
|
||||
- Added cyrus-imap and sieve filters. Thanks to Jan Wagner. Debian bug #513953.
|
||||
- Changed <HOST> template to be more restrictive. Debian bug #514163.
|
||||
- Use timetuple instead of utctimetuple for ISO 8601. Maybe not a 100% correct
|
||||
fix but seems to work. Tracker #2500276.
|
||||
- Made the named-refused regex a bit less restrictive in order to match logs
|
||||
with "view". Thanks to Stephen Gildea.
|
||||
- Fixed maxretry/findtime rate. Many thanks to Christos Psonis. Tracker
|
||||
#2019714.
|
||||
|
||||
ver. 0.8.3 (2008/07/17) - stable
|
||||
----------
|
||||
- Process failtickets as long as failmanager is not empty.
|
||||
- Added "pam-generic" filter and more configuration fixes.
|
||||
Thanks to Yaroslav Halchenko.
|
||||
- Fixed socket path in redhat and suse init script. Thanks to
|
||||
Jim Wight.
|
||||
- Fixed PID file while started in daemon mode. Thanks to
|
||||
Christian Jobic who submitted a similar patch.
|
||||
- Added "pam-generic" filter and more configuration fixes. Thanks to Yaroslav
|
||||
Halchenko.
|
||||
- Fixed socket path in redhat and suse init script. Thanks to Jim Wight.
|
||||
- Fixed PID file while started in daemon mode. Thanks to Christian Jobic who
|
||||
submitted a similar patch.
|
||||
- Fixed "fail2ban-client get <jail> logpath". Bug #1916986.
|
||||
- Added gssftpd filter. Thanks to Kevin Zembower.
|
||||
- Added "Day/Month/Year Hour:Minute:Second" date template.
|
||||
Thanks to Dennis Winter.
|
||||
- Fixed ignoreregex processing in fail2ban-client. Thanks to
|
||||
René Berber.
|
||||
- Added "Day/Month/Year Hour:Minute:Second" date template. Thanks to Dennis
|
||||
Winter.
|
||||
- Fixed ignoreregex processing in fail2ban-client. Thanks to René Berber.
|
||||
- Added ISO 8601 date/time format.
|
||||
- Added and changed some logging level and messages.
|
||||
- Added missing ignoreregex to filters. Thanks to Klaus
|
||||
Lehmann.
|
||||
- Use poll instead of select in asyncore.loop. This should
|
||||
solve the "Unknown error 514". Thanks to Michael Geiger and
|
||||
Klaus Lehmann.
|
||||
- Added missing ignoreregex to filters. Thanks to Klaus Lehmann.
|
||||
- Use poll instead of select in asyncore.loop. This should solve the "Unknown
|
||||
error 514". Thanks to Michael Geiger and Klaus Lehmann.
|
||||
|
||||
ver. 0.8.2 (2008/03/06) - stable
|
||||
----------
|
||||
- Fixed named filter. Thanks to Yaroslav Halchenko
|
||||
- Fixed wrong path for apache-auth in jail.conf. Thanks to
|
||||
Vincent Deffontaines
|
||||
- Fixed timezone bug with epoch date template. Thanks to
|
||||
Michael Hanselmann
|
||||
- Added "full line failregex" patch. Thanks to Yaroslav
|
||||
Halchenko. It will be possible to create stronger failregex
|
||||
against log injection
|
||||
- Fixed wrong path for apache-auth in jail.conf. Thanks to Vincent Deffontaines
|
||||
- Fixed timezone bug with epoch date template. Thanks to Michael Hanselmann
|
||||
- Added "full line failregex" patch. Thanks to Yaroslav Halchenko. It will be
|
||||
possible to create stronger failregex against log injection
|
||||
- Fixed ipfw action script. Thanks to Nick Munger
|
||||
- Removed date from logging message when using SYSLOG. Thanks
|
||||
to Iain Lea
|
||||
- Fixed "ignore IPs". Only the first value was taken into
|
||||
account. Thanks to Adrien Clerc
|
||||
- Removed date from logging message when using SYSLOG. Thanks to Iain Lea
|
||||
- Fixed "ignore IPs". Only the first value was taken into account. Thanks to
|
||||
Adrien Clerc
|
||||
- Moved socket to /var/run/fail2ban.
|
||||
- Rewrote the communication server.
|
||||
- Refactoring. Reduced number of files.
|
||||
- Removed Python 2.4. Minimum required version is now Python
|
||||
2.3.
|
||||
- Removed Python 2.4. Minimum required version is now Python 2.3.
|
||||
- New log rotation detection algorithm.
|
||||
- Print monitored files in status.
|
||||
- Create a PID file in /var/run/fail2ban/. Thanks to Julien
|
||||
Perez.
|
||||
- Fixed "Feb 29" bug. Thanks to James Andrewartha who pointed
|
||||
this out. Thanks to Yaroslav Halchenko for the fix.
|
||||
- "reload <jail>" reloads a single jail and the parameters in
|
||||
fail2ban.conf.
|
||||
- Create a PID file in /var/run/fail2ban/. Thanks to Julien Perez.
|
||||
- Fixed "Feb 29" bug. Thanks to James Andrewartha who pointed this out. Thanks
|
||||
to Yaroslav Halchenko for the fix.
|
||||
- "reload <jail>" reloads a single jail and the parameters in fail2ban.conf.
|
||||
- Added Mac OS/X startup script. Thanks to Bill Heaton.
|
||||
- Absorbed some Debian patches. Thanks to Yaroslav Halchenko.
|
||||
- Replaced "echo" with "printf" in actions. Fix #1839673
|
||||
- Replaced "reject" with "drop" in shorwall action. Fix
|
||||
#1854875
|
||||
- Replaced "reject" with "drop" in shorwall action. Fix #1854875
|
||||
- Fixed Debian bug #456567, #468477, #462060, #461426
|
||||
- readline is now optional in fail2ban-client (not needed in
|
||||
fail2ban-server).
|
||||
- readline is now optional in fail2ban-client (not needed in fail2ban-server).
|
||||
|
||||
ver. 0.8.1 (2007/08/14) - stable
|
||||
----------
|
||||
- Fixed vulnerability in sshd.conf. Thanks to Daniel B. Cid
|
||||
- Expand <HOST> in ignoreregex. Thanks to Yaroslav Halchenko
|
||||
- Improved regular expressions. Thanks to Yaroslav Halchenko
|
||||
and others
|
||||
- Added sendmail actions. The action started with "mail" are
|
||||
now deprecated. Thanks to Raphaël Marichez
|
||||
- Improved regular expressions. Thanks to Yaroslav Halchenko and others
|
||||
- Added sendmail actions. The action started with "mail" are now deprecated.
|
||||
Thanks to Raphaël Marichez
|
||||
- Added "ignoreregex" support to fail2ban-regex
|
||||
- Updated suse-initd and added it to MANIFEST. Thanks to
|
||||
Christian Rauch
|
||||
- Tightening up the pid check in redhat-initd. Thanks to
|
||||
David Nutter
|
||||
- Added webmin authentication filter. Thanks to Guillaume
|
||||
Delvit
|
||||
- Removed textToDns() which is not required anymore. Thanks
|
||||
to Yaroslav Halchenko
|
||||
- Added new action iptables-allports. Thanks to Yaroslav
|
||||
Halchenko
|
||||
- Added "named" date format to date detector. Thanks to
|
||||
Yaroslav Halchenko
|
||||
- Added filter file for named (bind9). Thanks to Yaroslav
|
||||
- Updated suse-initd and added it to MANIFEST. Thanks to Christian Rauch
|
||||
- Tightening up the pid check in redhat-initd. Thanks to David Nutter
|
||||
- Added webmin authentication filter. Thanks to Guillaume Delvit
|
||||
- Removed textToDns() which is not required anymore. Thanks to Yaroslav
|
||||
Halchenko
|
||||
- Added new action iptables-allports. Thanks to Yaroslav Halchenko
|
||||
- Added "named" date format to date detector. Thanks to Yaroslav Halchenko
|
||||
- Added filter file for named (bind9). Thanks to Yaroslav Halchenko
|
||||
- Fixed vsftpd filter. Thanks to Yaroslav Halchenko
|
||||
|
||||
ver. 0.8.0 (2007/05/03) - stable
|
||||
|
@ -123,20 +116,17 @@ ver. 0.7.8 (2007/03/21) - release candidate
|
|||
----------
|
||||
- Fixed asctime pattern in datedetector.py
|
||||
- Added new filters/actions. Thanks to Yaroslav Halchenko
|
||||
- Added Suse init script and modified gentoo-initd. Thanks to
|
||||
Christian Rauch
|
||||
- Added Suse init script and modified gentoo-initd. Thanks to Christian Rauch
|
||||
- Moved every locking statements in a try..finally block
|
||||
|
||||
ver. 0.7.7 (2007/02/08) - release candidate
|
||||
----------
|
||||
- Added signal handling in fail2ban-client
|
||||
- Added a wonderful visual effect when waiting on the server
|
||||
- fail2ban-client returns an error code if configuration is
|
||||
not valid
|
||||
- fail2ban-client returns an error code if configuration is not valid
|
||||
- Added new filters/actions. Thanks to Yaroslav Halchenko
|
||||
- Call Python interpreter directly (instead of using "env")
|
||||
- Added file support to fail2ban-regex. Benchmark feature has
|
||||
been removed
|
||||
- Added file support to fail2ban-regex. Benchmark feature has been removed
|
||||
- Added cacti script and template.
|
||||
- Added IP list in "status <JAIL>". Thanks to Eric Gerbier
|
||||
|
||||
|
@ -146,60 +136,53 @@ ver. 0.7.6 (2007/01/04) - beta
|
|||
- Use /dev/log for SYSLOG output. Thanks to Joerg Sommrey
|
||||
- Use numeric output for iptables in "actioncheck"
|
||||
- Fixed removal of host in hosts.deny. Thanks to René Berber
|
||||
- Added new date format (2006-12-21 06:43:20) and Exim4
|
||||
filter. Thanks to mEDI
|
||||
- Several "failregex" and "ignoreregex" are now accepted.
|
||||
Creation of rules should be easier now.
|
||||
- Added new date format (2006-12-21 06:43:20) and Exim4 filter. Thanks to mEDI
|
||||
- Several "failregex" and "ignoreregex" are now accepted. Creation of rules
|
||||
should be easier now.
|
||||
- Added license in COPYING. Thanks to Axel Thimm
|
||||
- Allow comma in action options. The value of the option must
|
||||
be escaped with " or '. Thanks to Yaroslav Halchenko
|
||||
- Now Fail2ban goes in /usr/share/fail2ban instead of
|
||||
/usr/lib/fail2ban. This is more compliant with FHS. Thanks
|
||||
to Axel Thimm and Yaroslav Halchenko
|
||||
- Allow comma in action options. The value of the option must be escaped with "
|
||||
or '. Thanks to Yaroslav Halchenko
|
||||
- Now Fail2ban goes in /usr/share/fail2ban instead of /usr/lib/fail2ban. This is
|
||||
more compliant with FHS. Thanks to Axel Thimm and Yaroslav Halchenko
|
||||
|
||||
ver. 0.7.5 (2006/12/07) - beta
|
||||
----------
|
||||
- Do not ban a host that is currently banned. Thanks to
|
||||
Yaroslav Halchenko
|
||||
- The supported tags in "action(un)ban" are <ip>, <failures>
|
||||
and <time>
|
||||
- Do not ban a host that is currently banned. Thanks to Yaroslav Halchenko
|
||||
- The supported tags in "action(un)ban" are <ip>, <failures> and <time>
|
||||
- Fixed refactoring bug (getLastcommand -> getLastAction)
|
||||
- Added option "ignoreregex" in filter scripts and jail.conf.
|
||||
Feature Request #1283304
|
||||
- Added option "ignoreregex" in filter scripts and jail.conf. Feature Request
|
||||
#1283304
|
||||
- Fixed a bug in user defined time regex/pattern
|
||||
- Improved documentation
|
||||
- Moved version.py and protocol.py to common/
|
||||
- Merged "maxtime" option with "findtime"
|
||||
- Added "<HOST>" tag support in failregex which matches
|
||||
default IP address/hostname. "(?P<host>\S)" is still valid
|
||||
and supported
|
||||
- Fixed exception when calling fail2ban-server with unknown
|
||||
option
|
||||
- Fixed Debian bug 400162. The "socket" option is now handled
|
||||
correctly by fail2ban-client
|
||||
- Added "<HOST>" tag support in failregex which matches default IP
|
||||
address/hostname. "(?P<host>\S)" is still valid and supported
|
||||
- Fixed exception when calling fail2ban-server with unknown option
|
||||
- Fixed Debian bug 400162. The "socket" option is now handled correctly by
|
||||
fail2ban-client
|
||||
- Fixed RedHat init script. Thanks to Justin Shore
|
||||
- Changed timeout to 30 secondes before assuming the server
|
||||
cannot be started. Thanks to Joël Bertrand
|
||||
- Changed timeout to 30 secondes before assuming the server cannot be started.
|
||||
Thanks to Joël Bertrand
|
||||
|
||||
ver. 0.7.4 (2006/11/01) - beta
|
||||
----------
|
||||
- Improved configuration files. Thanks to Yaroslav Halchenko
|
||||
- Added man page for "fail2ban-regex"
|
||||
- Moved ban/unban messages from "info" level to "warn"
|
||||
- Added "-s" option to specify the socket path and "socket"
|
||||
option in "fail2ban.conf"
|
||||
- Added "-s" option to specify the socket path and "socket" option in
|
||||
"fail2ban.conf"
|
||||
- Added "backend" option in "jail.conf"
|
||||
- Added more filters/actions and jail samples. Thanks to Nick
|
||||
Munger, Christoph Haas
|
||||
- Added more filters/actions and jail samples. Thanks to Nick Munger, Christoph
|
||||
Haas
|
||||
- Improved testing framework
|
||||
- Fixed a bug in the return code handling of the executed
|
||||
commands. Thanks to Yaroslav Halchenko
|
||||
- Signal handling. There is a bug with join() and signal in
|
||||
Python
|
||||
- Fixed a bug in the return code handling of the executed commands. Thanks to
|
||||
Yaroslav Halchenko
|
||||
- Signal handling. There is a bug with join() and signal in Python
|
||||
- Better debugging output for "fail2ban-regex"
|
||||
- Added support for more date format
|
||||
- cPickle does not work with Python 2.5. Use pickle instead
|
||||
(performance is not a problem in our case)
|
||||
- cPickle does not work with Python 2.5. Use pickle instead (performance is not
|
||||
a problem in our case)
|
||||
|
||||
ver. 0.7.3 (2006/09/28) - beta
|
||||
----------
|
||||
|
@ -219,15 +202,13 @@ ver. 0.7.2 (2006/09/10) - beta
|
|||
- Improved client output
|
||||
- Added more get/set commands
|
||||
- Added more configuration templates
|
||||
- Removed "logpath" and "maxretry" from filter templates.
|
||||
They must be defined in jail.conf now
|
||||
- Removed "logpath" and "maxretry" from filter templates. They must be defined
|
||||
in jail.conf now
|
||||
- Added interactive mode. Use "-i"
|
||||
- Added a date detector. "timeregex" and "timepattern" are no
|
||||
more needed
|
||||
- Added "fail2ban-regex". This is a tool to help finding
|
||||
"failregex"
|
||||
- Improved server communication. Start a new thread for each
|
||||
incoming request. Fail2ban is not really thread-safe yet
|
||||
- Added a date detector. "timeregex" and "timepattern" are no more needed
|
||||
- Added "fail2ban-regex". This is a tool to help finding "failregex"
|
||||
- Improved server communication. Start a new thread for each incoming request.
|
||||
Fail2ban is not really thread-safe yet
|
||||
|
||||
ver. 0.7.1 (2006/08/23) - alpha
|
||||
----------
|
||||
|
@ -238,106 +219,91 @@ ver. 0.7.1 (2006/08/23) - alpha
|
|||
|
||||
ver. 0.7.0 (2006/08/23) - alpha
|
||||
----------
|
||||
- Almost a complete rewrite :) Fail2ban design is really
|
||||
better (IMHO). There is a lot of new features
|
||||
- Almost a complete rewrite :) Fail2ban design is really better (IMHO). There is
|
||||
a lot of new features
|
||||
- Client/Server architecture
|
||||
- Multithreading. Each jail has its own threads: one for the
|
||||
log reading and another for the actions
|
||||
- Multithreading. Each jail has its own threads: one for the log reading and
|
||||
another for the actions
|
||||
- Execute several actions
|
||||
- Split configuration files. They are more readable and easy
|
||||
to use
|
||||
- failregex uses group (<host>) now. This feature was already
|
||||
present in the Debian package
|
||||
- Split configuration files. They are more readable and easy to use
|
||||
- failregex uses group (<host>) now. This feature was already present in the
|
||||
Debian package
|
||||
- lots of things...
|
||||
|
||||
ver. 0.6.1 (2006/03/16) - stable
|
||||
----------
|
||||
- Added permanent banning. Set banTime to a negative value to
|
||||
enable this feature (-1 is perfect). Thanks to Mannone
|
||||
- Added permanent banning. Set banTime to a negative value to enable this
|
||||
feature (-1 is perfect). Thanks to Mannone
|
||||
- Fixed locale bug. Thanks to Fernando José
|
||||
- Fixed crash when time format does not match data
|
||||
- Propagated patch from Debian to fix fail2ban search path
|
||||
addition to the path search list: now it is added first.
|
||||
Thanks to Nick Craig-Wood
|
||||
- Added SMTP authentification for mail notification. Thanks
|
||||
to Markus Hoffmann
|
||||
- Propagated patch from Debian to fix fail2ban search path addition to the path
|
||||
search list: now it is added first. Thanks to Nick Craig-Wood
|
||||
- Added SMTP authentification for mail notification. Thanks to Markus Hoffmann
|
||||
- Removed debug mode as it is confusing for people
|
||||
- Added parsing of timestamp in TAI64N format (#1275325).
|
||||
Thanks to Mark Edgington
|
||||
- Added patch #1382936 (Default formatted syslog logging).
|
||||
Thanks to Patrick B<>rjesson
|
||||
- Removed 192.168.0.0/16 from ignoreip. Attacks could also
|
||||
come from the local network.
|
||||
- Robust startup: if iptables module does not get fully
|
||||
initialized after startup of fail2ban, fail2ban will do
|
||||
"maxreinit" attempts to initialize its own firewall. It
|
||||
will sleep between attempts for "polltime" number of
|
||||
seconds (closes Debian: #334272). Thanks to Yaroslav
|
||||
Halchenko
|
||||
- Added "interpolations" in fail2ban.conf. This is provided
|
||||
by the ConfigParser module. Old configuration files still
|
||||
work. Thanks to Yaroslav Halchenko
|
||||
- Added initial support for hosts.deny and shorewall. Need
|
||||
more testing. Please test. Thanks to kojiro from Gentoo
|
||||
forum for hosts.deny support
|
||||
- Added parsing of timestamp in TAI64N format (#1275325). Thanks to Mark
|
||||
Edgington
|
||||
- Added patch #1382936 (Default formatted syslog logging). Thanks to Patrick
|
||||
B<>rjesson
|
||||
- Removed 192.168.0.0/16 from ignoreip. Attacks could also come from the local
|
||||
network.
|
||||
- Robust startup: if iptables module does not get fully initialized after
|
||||
startup of fail2ban, fail2ban will do "maxreinit" attempts to initialize its
|
||||
own firewall. It will sleep between attempts for "polltime" number of seconds
|
||||
(closes Debian: #334272). Thanks to Yaroslav Halchenko
|
||||
- Added "interpolations" in fail2ban.conf. This is provided by the ConfigParser
|
||||
module. Old configuration files still work. Thanks to Yaroslav Halchenko
|
||||
- Added initial support for hosts.deny and shorewall. Need more testing. Please
|
||||
test. Thanks to kojiro from Gentoo forum for hosts.deny support
|
||||
- Added support for vsftpd. Thanks to zugeschmiert
|
||||
|
||||
ver. 0.6.0 (2005/11/20) - stable
|
||||
----------
|
||||
- Propagated patches introduced by Debian maintainer
|
||||
(Yaroslav Halchenko):
|
||||
* Added an option to report local time (including timezone)
|
||||
or GMT in mail notification.
|
||||
- Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
|
||||
* Added an option to report local time (including timezone) or GMT in mail
|
||||
notification.
|
||||
|
||||
ver. 0.5.5 (2005/10/26) - beta
|
||||
----------
|
||||
- Propagated patches introduced by Debian maintainer
|
||||
(Yaroslav Halchenko):
|
||||
* Introduced fwcheck option to verify consistency of the
|
||||
chains. Implemented automatic restart of fail2ban main
|
||||
function in case check of fwban or fwunban command failed
|
||||
(closes: #329163, #331695). (Introduced patch was further
|
||||
adjusted by upstream author).
|
||||
- Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
|
||||
* Introduced fwcheck option to verify consistency of the chains. Implemented
|
||||
automatic restart of fail2ban main function in case check of fwban or
|
||||
fwunban command failed (closes: #329163, #331695). (Introduced patch was
|
||||
further adjusted by upstream author).
|
||||
* Added -f command line parameter for [findtime].
|
||||
* Added a cleanup of firewall rules on emergency shutdown
|
||||
when unknown exception is catched.
|
||||
* Fail2ban should not crash now if a wrong file name is
|
||||
specified in config.
|
||||
* reordered code a bit so that log targets are setup right
|
||||
after background and then only loglevel (verbose, debug)
|
||||
is processed, so the warning could be seen in the logs
|
||||
* Added a keyword <section> in parsing of the subject and
|
||||
the body of an email sent out by fail2ban (closes:
|
||||
#330311)
|
||||
* Added a cleanup of firewall rules on emergency shutdown when unknown
|
||||
exception is catched.
|
||||
* Fail2ban should not crash now if a wrong file name is specified in config.
|
||||
* reordered code a bit so that log targets are setup right after background
|
||||
and then only loglevel (verbose, debug) is processed, so the warning could
|
||||
be seen in the logs
|
||||
* Added a keyword <section> in parsing of the subject and the body of an email
|
||||
sent out by fail2ban (closes: #330311)
|
||||
|
||||
ver. 0.5.4 (2005/09/13) - beta
|
||||
----------
|
||||
- Fixed bug #1286222.
|
||||
- Propagated patches introduced by Debian maintainer
|
||||
(Yaroslav Halchenko):
|
||||
* Fixed handling of SYSLOG logging target. Now it can log
|
||||
to any SYSLOG target and facility as directed by the
|
||||
config
|
||||
- Propagated patches introduced by Debian maintainer (Yaroslav Halchenko):
|
||||
* Fixed handling of SYSLOG logging target. Now it can log to any SYSLOG target
|
||||
and facility as directed by the config
|
||||
* Format of SYSLOG entries fixed to look closer to standard
|
||||
* Fixed errata in config/gentoo-confd
|
||||
* Introduced findtime configuration variable to control the
|
||||
lifetime of caught "failed" log entries
|
||||
* Introduced findtime configuration variable to control the lifetime of caught
|
||||
"failed" log entries
|
||||
|
||||
ver. 0.5.3 (2005/09/08) - beta
|
||||
----------
|
||||
- Fixed a bug when overriding "maxfailures" or "bantime".
|
||||
Thanks to Yaroslav Halchenko
|
||||
- Added more debug output if an error occurs when sending
|
||||
mail. Thanks to Stephen Gildea
|
||||
- Renamed "maxretry" to "maxfailures" and changed default
|
||||
value to 5. Thanks to Stephen Gildea
|
||||
- Fixed a bug when overriding "maxfailures" or "bantime". Thanks to Yaroslav
|
||||
Halchenko
|
||||
- Added more debug output if an error occurs when sending mail. Thanks to
|
||||
Stephen Gildea
|
||||
- Renamed "maxretry" to "maxfailures" and changed default value to 5. Thanks to
|
||||
Stephen Gildea
|
||||
- Hopefully fixed bug #1256075
|
||||
- Fixed bug #1262345
|
||||
- Fixed exception handling in PIDLock
|
||||
- Removed warning when using "-V" or "-h" with no config
|
||||
file. Thanks to Yaroslav Halchenko
|
||||
- Removed "-i eth0" from config file. Thanks to Yaroslav
|
||||
Halchenko
|
||||
- Removed warning when using "-V" or "-h" with no config file. Thanks to
|
||||
Yaroslav Halchenko
|
||||
- Removed "-i eth0" from config file. Thanks to Yaroslav Halchenko
|
||||
|
||||
ver. 0.5.2 (2005/08/06) - beta
|
||||
----------
|
||||
|
@ -353,11 +319,9 @@ ver. 0.5.1 (2005/07/23) - beta
|
|||
----------
|
||||
- Fixed bugs #1241756, #1239557
|
||||
- Added log targets in configuration file. Removed -l option
|
||||
- Changed iptables rules in order to create a separated chain
|
||||
for each section
|
||||
- Changed iptables rules in order to create a separated chain for each section
|
||||
- Fixed static banList in firewall.py
|
||||
- Added an initd script for Debian. Thanks to Yaroslav
|
||||
Halchenko
|
||||
- Added an initd script for Debian. Thanks to Yaroslav Halchenko
|
||||
- Check for obsolete files after install
|
||||
|
||||
ver. 0.5.0 (2005/07/12) - beta
|
||||
|
@ -365,24 +329,22 @@ ver. 0.5.0 (2005/07/12) - beta
|
|||
- Added support for CIDR mask in ignoreip
|
||||
- Added mail notification support
|
||||
- Fixed bug #1234699
|
||||
- Added tags replacement in rules definition. Should allow a
|
||||
clean solution for Feature Request #1229479
|
||||
- Added tags replacement in rules definition. Should allow a clean solution for
|
||||
Feature Request #1229479
|
||||
- Removed "interface" and "firewall" options
|
||||
- Added start and end commands in the configuration file.
|
||||
Thanks to Yaroslav Halchenko
|
||||
- Added start and end commands in the configuration file. Thanks to Yaroslav
|
||||
Halchenko
|
||||
- Added firewall rules definition in the configuration file
|
||||
- Cleaned fail2ban.py
|
||||
- Added an initd script for RedHat/Fedora. Thanks to Andrey
|
||||
G. Grozin
|
||||
- Added an initd script for RedHat/Fedora. Thanks to Andrey G. Grozin
|
||||
|
||||
ver. 0.4.1 (2005/06/30) - stable
|
||||
----------
|
||||
- Fixed textToDNS method which generated wrong matches for
|
||||
"rhost=12-xyz...". Thanks to Tom Pike
|
||||
- Fixed textToDNS method which generated wrong matches for "rhost=12-xyz...".
|
||||
Thanks to Tom Pike
|
||||
- fail2ban.conf modified for readability. Thanks to Iain Lea
|
||||
- Added an initd script for Gentoo
|
||||
- Changed default PID lock file location from /tmp to
|
||||
/var/run
|
||||
- Changed default PID lock file location from /tmp to /var/run
|
||||
|
||||
ver. 0.4.0 (2005/04/24) - stable
|
||||
----------
|
||||
|
@ -398,8 +360,8 @@ ver. 0.3.1 (2005/03/31) - beta
|
|||
|
||||
ver. 0.3.0 (2005/02/24) - beta
|
||||
----------
|
||||
- Re-writting of parts of the code in order to handle several
|
||||
log files with different rules
|
||||
- Re-writting of parts of the code in order to handle several log files with
|
||||
different rules
|
||||
- Removed sshd.py because it is no more needed
|
||||
- Fixed a bug when exiting with IP in the ban list
|
||||
- Added PID lock file
|
||||
|
@ -409,26 +371,22 @@ ver. 0.3.0 (2005/02/24) - beta
|
|||
|
||||
ver. 0.1.2 (2004/11/21) - beta
|
||||
----------
|
||||
- Add ipfw and ipfwadm support. The rules are taken from
|
||||
BlockIt. Thanks to Robert Edeker
|
||||
- Add -e option which allows to set the interface. Thanks to
|
||||
Robert Edeker who reminded me this
|
||||
- Add ipfw and ipfwadm support. The rules are taken from BlockIt. Thanks to
|
||||
Robert Edeker
|
||||
- Add -e option which allows to set the interface. Thanks to Robert Edeker who
|
||||
reminded me this
|
||||
- Small code cleaning
|
||||
|
||||
ver. 0.1.1 (2004/10/23) - beta
|
||||
----------
|
||||
- Add SIGTERM handler in order to exit nicely when in daemon
|
||||
mode
|
||||
- Add -r option which allows to set the maximum number of
|
||||
login failures
|
||||
- Remove the Metalog class as the log file are not so syslog
|
||||
daemon specific
|
||||
- Rewrite log reader to be service centered. Sshd support
|
||||
added. Match "Failed password" and "Illegal user"
|
||||
- Add SIGTERM handler in order to exit nicely when in daemon mode
|
||||
- Add -r option which allows to set the maximum number of login failures
|
||||
- Remove the Metalog class as the log file are not so syslog daemon specific
|
||||
- Rewrite log reader to be service centered. Sshd support added. Match "Failed
|
||||
password" and "Illegal user"
|
||||
- Add /etc/fail2ban.conf configuration support
|
||||
- Code documentation
|
||||
|
||||
|
||||
ver. 0.1.0 (2004/10/12) - alpha
|
||||
----------
|
||||
- Initial release
|
||||
|
|
86
README
86
README
|
@ -3,19 +3,17 @@
|
|||
| _/ _` | | |/ /| '_ \/ _` | ' \
|
||||
|_| \__,_|_|_/___|_.__/\__,_|_||_|
|
||||
|
||||
=============================================================
|
||||
Fail2Ban (version 0.8.4) 2008/??/??
|
||||
=============================================================
|
||||
================================================================================
|
||||
Fail2Ban (version 0.8.4) 2009/??/??
|
||||
================================================================================
|
||||
|
||||
Fail2Ban scans log files like /var/log/pwdfail and bans IP
|
||||
that makes too many password failures. It updates firewall
|
||||
rules to reject the IP address. These rules can be defined by
|
||||
the user. Fail2Ban can read multiple log files such as sshd
|
||||
or Apache web server ones.
|
||||
Fail2Ban scans log files like /var/log/pwdfail and bans IP that makes too many
|
||||
password failures. It updates firewall rules to reject the IP address. These
|
||||
rules can be defined by the user. Fail2Ban can read multiple log files such as
|
||||
sshd or Apache web server ones.
|
||||
|
||||
This README is a quick introduction to Fail2ban. More
|
||||
documentation, FAQ, HOWTOs are available on the project
|
||||
website: http://www.fail2ban.org
|
||||
This README is a quick introduction to Fail2ban. More documentation, FAQ, HOWTOs
|
||||
are available on the project website: http://www.fail2ban.org
|
||||
|
||||
Installation:
|
||||
-------------
|
||||
|
@ -32,33 +30,32 @@ To install, just do:
|
|||
> cd fail2ban-0.8.4
|
||||
> python setup.py install
|
||||
|
||||
This will install Fail2Ban into /usr/share/fail2ban. The
|
||||
executable scripts are placed into /usr/bin.
|
||||
This will install Fail2Ban into /usr/share/fail2ban. The executable scripts are
|
||||
placed into /usr/bin.
|
||||
|
||||
It is possible that Fail2ban is already packaged for your
|
||||
distribution. In this case, you should use it.
|
||||
It is possible that Fail2ban is already packaged for your distribution. In this
|
||||
case, you should use it.
|
||||
|
||||
Fail2Ban should be correctly installed now. Just type:
|
||||
|
||||
> fail2ban-client -h
|
||||
|
||||
to see if everything is alright. You should always use
|
||||
fail2ban-client and never call fail2ban-server directly.
|
||||
to see if everything is alright. You should always use fail2ban-client and never
|
||||
call fail2ban-server directly.
|
||||
|
||||
Configuration:
|
||||
--------------
|
||||
|
||||
You can configure Fail2ban using the files in /etc/fail2ban.
|
||||
It is possible to configure the server using commands sent to
|
||||
it by fail2ban-client. The available commands are described
|
||||
in the man page of fail2ban-client. Please refer to it or to
|
||||
the website: http://www.fail2ban.org
|
||||
You can configure Fail2ban using the files in /etc/fail2ban. It is possible to
|
||||
configure the server using commands sent to it by fail2ban-client. The available
|
||||
commands are described in the man page of fail2ban-client. Please refer to it or
|
||||
to the website: http://www.fail2ban.org
|
||||
|
||||
Contact:
|
||||
--------
|
||||
|
||||
You need some new features, you found bugs or you just
|
||||
appreciate this program, you can contact me at:
|
||||
You need some new features, you found bugs or you just appreciate this program,
|
||||
you can contact me at:
|
||||
|
||||
Website: http://www.fail2ban.org
|
||||
|
||||
|
@ -67,34 +64,27 @@ Cyril Jaquier: <cyril.jaquier@fail2ban.org>
|
|||
Thanks:
|
||||
-------
|
||||
|
||||
Kévin Drapel, Marvin Rouge, Sireyessire, Robert Edeker,
|
||||
Tom Pike, Iain Lea, Andrey G. Grozin, Yaroslav Halchenko,
|
||||
Jonathan Kamens, Stephen Gildea, Markus Hoffmann, Mark
|
||||
Edgington, Patrick Börjesson, kojiro, zugeschmiert, Tyler,
|
||||
Nick Munger, Christoph Haas, Justin Shore, Joël Bertrand,
|
||||
René Berber, mEDI, Axel Thimm, Eric Gerbier, Christian Rauch,
|
||||
Michael C. Haller, Jonathan Underwood, Hanno 'Rince' Wagner,
|
||||
Daniel B. Cid, David Nutter, Raphaël Marichez, Guillaume
|
||||
Delvit, Vaclav Misek, Adrien Clerc, Michael Hanselmann,
|
||||
Vincent Deffontaines, Bill Heaton, Russell Odom and many
|
||||
others.
|
||||
Kévin Drapel, Marvin Rouge, Sireyessire, Robert Edeker, Tom Pike, Iain Lea,
|
||||
Andrey G. Grozin, Yaroslav Halchenko, Jonathan Kamens, Stephen Gildea, Markus
|
||||
Hoffmann, Mark Edgington, Patrick Börjesson, kojiro, zugeschmiert, Tyler, Nick
|
||||
Munger, Christoph Haas, Justin Shore, Joël Bertrand, René Berber, mEDI, Axel
|
||||
Thimm, Eric Gerbier, Christian Rauch, Michael C. Haller, Jonathan Underwood,
|
||||
Hanno 'Rince' Wagner, Daniel B. Cid, David Nutter, Raphaël Marichez, Guillaume
|
||||
Delvit, Vaclav Misek, Adrien Clerc, Michael Hanselmann, Vincent Deffontaines,
|
||||
Bill Heaton, Russell Odom, Christos Psonis and many others.
|
||||
|
||||
License:
|
||||
--------
|
||||
|
||||
Fail2Ban is free software; you can redistribute it
|
||||
and/or modify it under the terms of the GNU General Public
|
||||
License as published by the Free Software Foundation; either
|
||||
version 2 of the License, or (at your option) any later
|
||||
Fail2Ban is free software; you can redistribute it and/or modify it under the
|
||||
terms of the GNU General Public License as published by the Free Software
|
||||
Foundation; either version 2 of the License, or (at your option) any later
|
||||
version.
|
||||
|
||||
Fail2Ban is distributed in the hope that it will be
|
||||
useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
PURPOSE. See the GNU General Public License for more
|
||||
details.
|
||||
Fail2Ban is distributed in the hope that it will be useful, but WITHOUT ANY
|
||||
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
|
||||
PARTICULAR PURPOSE. See the GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public
|
||||
License along with Fail2Ban; if not, write to the Free
|
||||
Software Foundation, Inc., 59 Temple Place, Suite 330,
|
||||
Boston, MA 02111-1307 USA
|
||||
You should have received a copy of the GNU General Public License along with
|
||||
Fail2Ban; if not, write to the Free Software Foundation, Inc., 59 Temple Place,
|
||||
Suite 330, Boston, MA 02111-1307 USA
|
||||
|
|
28
TODO
28
TODO
|
@ -3,9 +3,9 @@
|
|||
| _/ _` | | |/ /| '_ \/ _` | ' \
|
||||
|_| \__,_|_|_/___|_.__/\__,_|_||_|
|
||||
|
||||
=============================================================
|
||||
ToDo $Revision: 653 $
|
||||
=============================================================
|
||||
================================================================================
|
||||
ToDo $Revision$
|
||||
================================================================================
|
||||
|
||||
Legend:
|
||||
- not yet done
|
||||
|
@ -15,26 +15,24 @@ Legend:
|
|||
|
||||
- Removed relative imports
|
||||
|
||||
- Cleanup fail2ban-client and fail2ban-server. Move code to
|
||||
server/ and client/
|
||||
- Cleanup fail2ban-client and fail2ban-server. Move code to server/ and client/
|
||||
|
||||
- Add timeout to external commands (signal alarm, watchdog
|
||||
thread, etc)
|
||||
- Add timeout to external commands (signal alarm, watchdog thread, etc)
|
||||
|
||||
- New backend: pyinotify
|
||||
|
||||
- Uniformize filters and actions name. Use the software name
|
||||
(openssh, postfix, proftp)
|
||||
- Uniformize filters and actions name. Use the software name (openssh, postfix,
|
||||
proftp)
|
||||
|
||||
- Added <USER> tag for failregex. Add features using this
|
||||
information. Maybe add more tags
|
||||
- Added <USER> tag for failregex. Add features using this information. Maybe add
|
||||
more tags
|
||||
|
||||
- Look at the memory consumption. Decrease memory usage
|
||||
|
||||
- More detailed statistics
|
||||
|
||||
- Auto-enable function (search for log files), check
|
||||
modification date to see if service is still in use
|
||||
- Auto-enable function (search for log files), check modification date to see if
|
||||
service is still in use
|
||||
|
||||
- Improve parsing of the action parameters in jailreader.py
|
||||
|
||||
|
@ -44,8 +42,8 @@ Legend:
|
|||
|
||||
- Multiline log reading
|
||||
|
||||
- Improve execution of action. Why does subprocess.call
|
||||
deadlock with multi-jails?
|
||||
- Improve execution of action. Why does subprocess.call deadlock with
|
||||
multi-jails?
|
||||
|
||||
# see Feature Request Tracking System at SourceForge.net
|
||||
|
||||
|
|
|
@ -0,0 +1,57 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# NetBSD ipfilter (ipf command) ban/unban
|
||||
#
|
||||
# Author: Ed Ravin <eravin@panix.com>
|
||||
#
|
||||
#
|
||||
|
||||
[Definition]
|
||||
|
||||
# Option: actionstart
|
||||
# Notes.: command executed once at the start of Fail2Ban.
|
||||
# Values: CMD
|
||||
#
|
||||
# enable IPF if not already enabled
|
||||
actionstart = /sbin/ipf -E
|
||||
|
||||
|
||||
# Option: actionstop
|
||||
# Notes.: command executed once at the end of Fail2Ban
|
||||
# Values: CMD
|
||||
#
|
||||
# don't disable IPF with "/sbin/ipf -D", there may be other filters in use
|
||||
actionstop =
|
||||
|
||||
|
||||
# Option: actioncheck
|
||||
# Notes.: command executed once before each actionban command
|
||||
# Values: CMD
|
||||
#
|
||||
actioncheck =
|
||||
|
||||
|
||||
# Option: actionban
|
||||
# Notes.: command executed when banning an IP. Take care that the
|
||||
# command is executed with Fail2Ban user rights.
|
||||
# Tags: <ip> IP address
|
||||
# <failures> number of failures
|
||||
# <time> unix timestamp of the ban time
|
||||
# Values: CMD
|
||||
#
|
||||
actionban = echo block in quick from <ip>/32 | /sbin/ipf -f -
|
||||
|
||||
|
||||
# Option: actionunban
|
||||
# Notes.: command executed when unbanning an IP. Take care that the
|
||||
# command is executed with Fail2Ban user rights.
|
||||
# Tags: <ip> IP address
|
||||
# <failures> number of failures
|
||||
# <time> unix timestamp of the ban time
|
||||
# Values: CMD
|
||||
#
|
||||
# note -r option used to remove matching rule
|
||||
actionunban = echo block in quick from <ip>/32 | /sbin/ipf -r -f -
|
||||
|
||||
[Init]
|
||||
|
|
@ -11,7 +11,7 @@
|
|||
# Notes.: regex to match the password failure messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = [[]client <HOST>[]] user .* authentication failure
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
# Notes.: regex to match the password failure messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
#
|
||||
# Author: Yaroslav Halchenko
|
||||
#
|
||||
# $Revision: $
|
||||
# $Revision$
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = error,relay=<HOST>,.*550 User unknown
|
||||
|
|
|
@ -0,0 +1,26 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# Author: Jan Wagner <waja@cyconet.org>
|
||||
#
|
||||
# $Revision$
|
||||
#
|
||||
|
||||
[Definition]
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = : badlogin: .*\[<HOST>\] plaintext .*SASL\(-13\): authentication failure: checkpass failed$
|
||||
: badlogin: .*\[<HOST>\] LOGIN \[SASL\(-13\): authentication failure: checkpass failed\]$
|
||||
: badlogin: .*\[<HOST>\] (?:CRAM-MD5|NTLM) \[SASL\(-13\): authentication failure: incorrect (?:digest|NTLM) response\]$
|
||||
: badlogin: .*\[<HOST>\] DIGEST-MD5 \[SASL\(-13\): authentication failure: client response doesn't match what we generated\]$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
|
@ -11,7 +11,7 @@
|
|||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address)
|
||||
|
|
|
@ -26,7 +26,7 @@ __line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
|
|||
# Notes.: regex to match the password failures messages in the logfile.
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = %(__line_prefix)sclient <HOST>#\S+: query(?: \(cache\))? '.*' denied\s*$
|
||||
failregex = %(__line_prefix)sclient <HOST>#.+: query(?: \(cache\))? '.*' denied\s*$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
|
||||
|
|
|
@ -16,7 +16,7 @@ __errmsg = (?:Authentication failed for user|Erreur d'authentification pour l'ut
|
|||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = (?:[\d,.]+[\d,.] rblsmtpd: |421 badiprbl: ip )<HOST>
|
||||
|
|
|
@ -11,10 +11,10 @@
|
|||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
|
||||
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
|
|
|
@ -0,0 +1,22 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# Author: Jan Wagner <waja@cyconet.org>
|
||||
#
|
||||
# $Revision$
|
||||
#
|
||||
|
||||
[Definition]
|
||||
|
||||
# Option: failregex
|
||||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching.
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = : badlogin: .*\[<HOST>\] (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failure$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
|
@ -11,7 +11,7 @@
|
|||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$
|
||||
|
|
|
@ -20,7 +20,7 @@ _daemon = sshd
|
|||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
|
||||
|
@ -31,7 +31,7 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* fro
|
|||
^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
|
||||
^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
|
||||
^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
|
||||
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$
|
||||
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
|
||||
^%(__prefix_line)sUser \S+ from <HOST> not allowed because none of user's groups are listed in AllowGroups$
|
||||
|
||||
# Option: ignoreregex
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
|
||||
|
|
|
@ -15,7 +15,7 @@
|
|||
# Notes.: regex to match the password failure messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
failregex = webmin.* Non-existent login as .+ from <HOST>$
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
# Notes.: regex to match the password failures messages in the logfile. The
|
||||
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||
# be used for standard IP/hostname matching and is only an alias for
|
||||
# (?:::f{4,6}:)?(?P<host>\S+)
|
||||
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||
# Values: TEXT
|
||||
#
|
||||
# Cfr.: /var/log/(daemon\.|sys)log
|
||||
|
|
|
@ -178,7 +178,7 @@ ignoreip = 168.192.0.1
|
|||
# category security {
|
||||
# security_file;
|
||||
# };
|
||||
# }
|
||||
# };
|
||||
#
|
||||
# in your named.conf to provide proper logging.
|
||||
# This jail blocks UDP traffic for DNS requests.
|
||||
|
|
|
@ -0,0 +1,106 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Usage: ./check_fail2ban
|
||||
###############################################################################################
|
||||
# Description:
|
||||
# This plugin will check the status of Fail2ban.
|
||||
#
|
||||
# Created: 2008-10-25 (Sebastian Mueller)
|
||||
#
|
||||
# Changes: 2008-10-26 fixed some issues (Sebastian Mueller)
|
||||
# Changes: 2009-01-25 add the second check, when server is not replying and the
|
||||
# process is hang-up (Sebastian Mueller)
|
||||
#
|
||||
# please visit my website http://www.elchtest.eu or my personal WIKI http://wiki.elchtest.eu
|
||||
#
|
||||
################################################################################################
|
||||
# if you have any questions, send a mail to linux@krabbe-offline.de
|
||||
#
|
||||
# this script is for my personal use. read the script before running/using it!!!
|
||||
#
|
||||
#
|
||||
# YOU HAVE BEEN WARNED. THIS MAY DESTROY YOUR MACHINE. I ACCEPT NO RESPONSIBILITY.
|
||||
###############################################################################################
|
||||
|
||||
|
||||
SECOND_CHECK=0
|
||||
STATE_OK=0
|
||||
STATE_CRITICAL=2
|
||||
|
||||
######################################################################
|
||||
# Read the Status from fail2ban-client
|
||||
######################################################################
|
||||
check_processes_fail2ban()
|
||||
{
|
||||
|
||||
F2B=`sudo -u root fail2ban-client ping | awk -F " " '{print $3}'`
|
||||
exit_fail2ban=0
|
||||
|
||||
if [[ $F2B = "pong" ]]; then
|
||||
exit_fail2ban=$STATE_OK
|
||||
else
|
||||
exit_fail2ban=$STATE_CRITICAL
|
||||
fi
|
||||
|
||||
}
|
||||
######################################################################
|
||||
# first check in the Background, PID will be killed when no response
|
||||
# after 10 seconds, might be possible, otherwise the scipt will be
|
||||
# pressent in your memory all the time
|
||||
#
|
||||
######################################################################
|
||||
|
||||
check_processes_fail2ban &
|
||||
pid=$!
|
||||
|
||||
typeset -i i=0
|
||||
while ps $pid >/dev/null
|
||||
do
|
||||
sleep 1
|
||||
i=$i+1
|
||||
if [ $i -ge 10 ]
|
||||
then
|
||||
kill $pid
|
||||
SECOND_CHECK=1
|
||||
exit_fail2ban=$STATE_CRITICAL
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
######################################################################
|
||||
# when the Server response (doesent mean the FAIL2BAN is working)
|
||||
# in the first step, then it will run again and test the Service
|
||||
# and provide the real status
|
||||
######################################################################
|
||||
|
||||
|
||||
if [ $SECOND_CHECK -eq 0 ]; then
|
||||
check_processes_fail2ban
|
||||
elif [ $SECOND_CHECK -eq 1 ]; then
|
||||
exit_fail2ban=$STATE_CRITICAL
|
||||
fi
|
||||
|
||||
|
||||
|
||||
######################################################################
|
||||
# Mainmenu
|
||||
######################################################################
|
||||
|
||||
|
||||
final_exit=$exit_fail2ban
|
||||
if [ $final_exit -eq 0 ]; then
|
||||
echo "SYSTEM OK - Fail2ban is working normaly"
|
||||
exitstatus=$STATE_OK
|
||||
elif [ $final_exit -ne "0" ]; then
|
||||
echo "SYSTEM WARNING - Fail2Ban is not working"
|
||||
######################################################################
|
||||
# If don't have a Nagios Server for monitoring, remove the comment and
|
||||
# add your Mail Addres. You can check it with a Cron Job once a hour.
|
||||
# put a txt file on your server and describe how to fix the issue, this
|
||||
# could be attached to the mail.
|
||||
######################################################################
|
||||
# mutt -s "FAIL2BAN NOT WORKING" your@email.com < /home/f2ban.txt
|
||||
|
||||
exitstatus=$STATE_CRITICAL
|
||||
fi
|
||||
exit $exitstatus
|
|
@ -0,0 +1,18 @@
|
|||
It seems that Fail2ban is currently not working, please login and check
|
||||
|
||||
HELP:
|
||||
|
||||
1.) stop the Service
|
||||
/etc/init.d/fail2ban stop
|
||||
|
||||
2.) delete the socket if avalible
|
||||
rm /tmp/fail2ban.sock
|
||||
|
||||
3.) start the Service
|
||||
/etc/init.d/fail2ban start
|
||||
|
||||
4.) check if fail2ban is working
|
||||
fail2ban-client ping
|
||||
Answer should be "pong"
|
||||
|
||||
5.) if the answer is not "pong" run away or CRY FOR HELP ;-)
|
|
@ -35,6 +35,13 @@ rc_reset
|
|||
case "$1" in
|
||||
start)
|
||||
echo -n "Starting Fail2Ban "
|
||||
# a cleanup workaround, since /etc/init.d/boot.local removes only.
|
||||
# regular files, and not sockets
|
||||
if test -e $FAIL2BAN_SOCKET; then
|
||||
if ! lsof -n $FAIL2BAN_SOCKET &>/dev/null; then
|
||||
rm $FAIL2BAN_SOCKET
|
||||
fi
|
||||
fi
|
||||
/sbin/startproc $FAIL2BAN_BIN start &>/dev/null
|
||||
rc_status -v
|
||||
;;
|
||||
|
|
|
@ -44,7 +44,7 @@ class DateDetector:
|
|||
# standard
|
||||
template = DateStrptime()
|
||||
template.setName("MONTH Day Hour:Minute:Second")
|
||||
template.setRegex("^\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}")
|
||||
template.setRegex("\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}")
|
||||
template.setPattern("%b %d %H:%M:%S")
|
||||
self.__templates.append(template)
|
||||
# asctime
|
||||
|
@ -77,6 +77,12 @@ class DateDetector:
|
|||
template.setRegex("\d{2}/\S{3}/\d{4}:\d{2}:\d{2}:\d{2}")
|
||||
template.setPattern("%d/%b/%Y:%H:%M:%S")
|
||||
self.__templates.append(template)
|
||||
# CPanel 05/20/2008:01:57:39
|
||||
template = DateStrptime()
|
||||
template.setName("Month/Day/Year:Hour:Minute:Second")
|
||||
template.setRegex("\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}")
|
||||
template.setPattern("%m/%d/%Y:%H:%M:%S")
|
||||
self.__templates.append(template)
|
||||
# Exim 2006-12-21 06:43:20
|
||||
template = DateStrptime()
|
||||
template.setName("Year-Month-Day Hour:Minute:Second")
|
||||
|
|
|
@ -132,7 +132,7 @@ class DateStrptime(DateTemplate):
|
|||
conv = self.convertLocale(dateMatch.group())
|
||||
try:
|
||||
date = list(time.strptime(conv, self.getPattern()))
|
||||
except ValueError:
|
||||
except ValueError, e:
|
||||
# Try to add the current year to the pattern. Should fix
|
||||
# the "Feb 29" issue.
|
||||
conv += " %s" % MyTime.gmtime()[0]
|
||||
|
@ -187,6 +187,5 @@ class DateISO8601(DateTemplate):
|
|||
if dateMatch:
|
||||
# Parses the date.
|
||||
value = dateMatch.group()
|
||||
print value
|
||||
date = list(iso8601.parse_date(value).utctimetuple())
|
||||
date = list(iso8601.parse_date(value).timetuple())
|
||||
return date
|
||||
|
|
|
@ -34,6 +34,7 @@ class FailData:
|
|||
def __init__(self):
|
||||
self.__retry = 0
|
||||
self.__lastTime = 0
|
||||
self.__lastReset = 0
|
||||
|
||||
def setRetry(self, value):
|
||||
self.__retry = value
|
||||
|
@ -51,3 +52,8 @@ class FailData:
|
|||
def getLastTime(self):
|
||||
return self.__lastTime
|
||||
|
||||
def getLastReset(self):
|
||||
return self.__lastReset
|
||||
|
||||
def setLastReset(self, value):
|
||||
self.__lastReset = value
|
||||
|
|
|
@ -90,11 +90,15 @@ class FailManager:
|
|||
unixTime = ticket.getTime()
|
||||
if self.__failList.has_key(ip):
|
||||
fData = self.__failList[ip]
|
||||
if fData.getLastReset() < unixTime - self.__maxTime:
|
||||
fData.setLastReset(unixTime)
|
||||
fData.setRetry(0)
|
||||
fData.inc()
|
||||
fData.setLastTime(unixTime)
|
||||
else:
|
||||
fData = FailData()
|
||||
fData.inc()
|
||||
fData.setLastReset(unixTime)
|
||||
fData.setLastTime(unixTime)
|
||||
self.__failList[ip] = fData
|
||||
self.__failTotal += 1
|
||||
|
|
|
@ -44,7 +44,7 @@ class Regex:
|
|||
self._matchCache = None
|
||||
# Perform shortcuts expansions.
|
||||
# Replace "<HOST>" with default regular expression for host.
|
||||
regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>\S+)")
|
||||
regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)")
|
||||
if regex.lstrip() == '':
|
||||
raise RegexException("Cannot add empty regex")
|
||||
try:
|
||||
|
|
|
@ -492,7 +492,7 @@ import socket, struct
|
|||
|
||||
class DNSUtils:
|
||||
|
||||
IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3}")
|
||||
IP_CRE = re.compile("^(?:\d{1,3}\.){3}\d{1,3}$")
|
||||
|
||||
#@staticmethod
|
||||
def dnsToIp(dns):
|
||||
|
|
|
@ -39,7 +39,12 @@ class AddFailure(unittest.TestCase):
|
|||
['193.168.0.128', 1167605999.0],
|
||||
['87.142.124.10', 1167605999.0],
|
||||
['87.142.124.10', 1167605999.0],
|
||||
['87.142.124.10', 1167605999.0]]
|
||||
['87.142.124.10', 1167605999.0],
|
||||
['100.100.10.10', 1000000000.0],
|
||||
['100.100.10.10', 1000000500.0],
|
||||
['100.100.10.10', 1000001000.0],
|
||||
['100.100.10.10', 1000001500.0],
|
||||
['100.100.10.10', 1000002000.0]]
|
||||
|
||||
self.__failManager = FailManager()
|
||||
for i in self.__items:
|
||||
|
@ -49,7 +54,7 @@ class AddFailure(unittest.TestCase):
|
|||
"""Call after every test case."""
|
||||
|
||||
def testAdd(self):
|
||||
self.assertEqual(self.__failManager.size(), 2)
|
||||
self.assertEqual(self.__failManager.size(), 3)
|
||||
|
||||
def _testDel(self):
|
||||
self.__failManager.delFailure('193.168.0.128')
|
||||
|
@ -76,3 +81,10 @@ class AddFailure(unittest.TestCase):
|
|||
def testbanNOK(self):
|
||||
self.__failManager.setMaxRetry(10)
|
||||
self.assertRaises(FailManagerEmpty, self.__failManager.toBan)
|
||||
|
||||
def testWindow(self):
|
||||
ticket = self.__failManager.toBan()
|
||||
self.assertNotEqual(ticket.getIP(), "100.100.10.10")
|
||||
ticket = self.__failManager.toBan()
|
||||
self.assertNotEqual(ticket.getIP(), "100.100.10.10")
|
||||
self.assertRaises(FailManagerEmpty, self.__failManager.toBan)
|
||||
|
|
|
@ -99,7 +99,7 @@ class GetFailures(unittest.TestCase):
|
|||
output = ('193.168.0.128', 3, 1124013599.0)
|
||||
|
||||
self.__filter.addLogPath(GetFailures.FILENAME_01)
|
||||
self.__filter.addFailRegex("(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S*)")
|
||||
self.__filter.addFailRegex("(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) <HOST>")
|
||||
|
||||
self.__filter.getFailures(GetFailures.FILENAME_01)
|
||||
|
||||
|
@ -116,7 +116,7 @@ class GetFailures(unittest.TestCase):
|
|||
output = ('141.3.81.106', 4, 1124013539.0)
|
||||
|
||||
self.__filter.addLogPath(GetFailures.FILENAME_02)
|
||||
self.__filter.addFailRegex("Failed .* (?:::f{4,6}:)(?P<host>\S*)")
|
||||
self.__filter.addFailRegex("Failed .* from <HOST>")
|
||||
|
||||
self.__filter.getFailures(GetFailures.FILENAME_02)
|
||||
|
||||
|
@ -133,7 +133,7 @@ class GetFailures(unittest.TestCase):
|
|||
output = ('203.162.223.135', 6, 1124013544.0)
|
||||
|
||||
self.__filter.addLogPath(GetFailures.FILENAME_03)
|
||||
self.__filter.addFailRegex("error,relay=(?:::f{4,6}:)?(?P<host>\S*),.*550 User unknown")
|
||||
self.__filter.addFailRegex("error,relay=<HOST>,.*550 User unknown")
|
||||
|
||||
self.__filter.getFailures(GetFailures.FILENAME_03)
|
||||
|
||||
|
@ -151,7 +151,7 @@ class GetFailures(unittest.TestCase):
|
|||
('212.41.96.185', 4, 1124013598.0)]
|
||||
|
||||
self.__filter.addLogPath(GetFailures.FILENAME_04)
|
||||
self.__filter.addFailRegex("Invalid user .* (?P<host>\S*)")
|
||||
self.__filter.addFailRegex("Invalid user .* <HOST>")
|
||||
|
||||
self.__filter.getFailures(GetFailures.FILENAME_04)
|
||||
|
||||
|
|
Loading…
Reference in New Issue