Merge tag '0.8.7' into debian -- additional fixes after reviewing more of Debian bug reports
Re-tagging 0.8.7 with hope to do that last time ;)
* tag '0.8.7':
ENH: match possibly present "pam_unix(sshd:auth):" portion for sshd (Closes: #648020)
ENH: add wu-ftpd failregex for use against syslog (Closes: #514239)
BF: anchor chain name in actioncheck's for iptables actions (Closes: #672228)
BF: inline comments must use ; not # -- recidive jail
Merge tag '0.8.7' into debian
Releasing 0.8.7
* tag '0.8.7':
Boosted version to 0.8.7 + few more comments
perspective changelog for 0.8.7
DOC: minor (untabify, utf8) for ChangeLog
* commit '0.8.6-100-gdca5634':
RF: reordered tests + enabled gamin now that its fix is pending in Debian
ENH+BF: filtergamin -- to be more inline with current design of filterinotify
ENH: 1 more sleep_4_poll to guarantee difference in time stamp
ENH: few more delays for cases relying on time stamps
* _enh/test_backends:
RF: reordered tests + enabled gamin now that its fix is pending in Debian
ENH+BF: filtergamin -- to be more inline with current design of filterinotify
ENH: 1 more sleep_4_poll to guarantee difference in time stamp
ENH: few more delays for cases relying on time stamps
ENH: tests much more robust now across pythons 2.4 -- 2.7
BF+RF: pyinotify refreshes watcher upon CREATE, unified/simplified *(add|del)LogPath among *Filters
ENH: fail2ban-testcases -- custom logging format to ease debugging, non-0 exit code in case of failure
ENH: Filter's testcases -- rename, del + list again --- a bit unstable, might still fail from time to time
BF: pyinotify -- monitor the parent directory for IN_CREATE + process freshly added file (Closes gh-44)
ENH: first working unittest for checking polling and inotify backends
RF/BF: just use pyinotify.ThreadedNotifier thread in filterpyinotify
RF: filter.py -- single readline in a loop
ENH: FilterPoll -- adjusted some msgs + allowed to operate without jail (for testing)
Minor additional comment to DEVELOP
ENH: extended test LogfileMonitor
* commit '0.8.6-95-gc0c1232':
ENH: tests much more robust now across pythons 2.4 -- 2.7
BF+RF: pyinotify refreshes watcher upon CREATE, unified/simplified *(add|del)LogPath among *Filters
Ask users to report bugs to github's issues
Replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul (Closes gh-66)
* needed additional sleeps for polling filter since that one relies on
time-stamps and too rapid changes would not be caught by the
PollFilter
* in python 2.4, time stamps are up to a second (int's) so sleeps longer
* test_new_bogus_file -- just to make sure that addition of new files
does not alter our monitoring
* all of the *Filters had too much of common logic in their *LogPath
methods, which is now handled by FileFilter and derived classes only
add custom actions in corresponding _(add|del)LogPath methods
pyinotify:
* upon CREATE event:
- unknown files should not be handled at all
- "watcher" for the monitored files should be recreated.
Lead to adding _(add|del)FileWatcher helper methods
* callback now obtains full event to judge what to do
* commit '0.8.6-90-g08564bd':
ENH: fail2ban-testcases -- custom logging format to ease debugging, non-0 exit code in case of failure
ENH: Filter's testcases -- rename, del + list again --- a bit unstable, might still fail from time to time
BF: pyinotify -- monitor the parent directory for IN_CREATE + process freshly added file (Closes gh-44)
ENH: first working unittest for checking polling and inotify backends
RF/BF: just use pyinotify.ThreadedNotifier thread in filterpyinotify
RF: filter.py -- single readline in a loop
ENH: FilterPoll -- adjusted some msgs + allowed to operate without jail (for testing)
Minor additional comment to DEVELOP
ENH: extended test LogfileMonitor
ENH: add more verbosity levels to be controlled while running unittests
Added few tests of FileFilter. yet to place them into a Jail-ed execution test
DOC: distilling some of server "design" into DEVELOP notes for common good
ENH: minor, just trailing spaces/tabs + reformatted a string
ENH: added a basic test for FilterPoll for detection of modifications
clarified that there are existing test cases and the 'coming soon' is about creating new ones.
Added beginnings of documentation for developers
BF: usedns=no was not working at all
RF: filtertestcase.py to put common testing into a helping subroutine
ENH: be able to control verbosity from cmdline for fail2ban-testcases
Noticed while looking at the source (to see the point of ssh-ddos).
POSSIBLE BREAK-IN ATTEMPT - sounds scary? But keep reading
the message. It's not a login failure. It's a warning about
reverse-DNS. The login can still succeed, and if it _does_ fail,
that will be logged as normal.
<exhibit n="1">
Jul 9 05:43:00 brick sshd[18971]: Address 200.41.233.234 maps to host234.advance.com.ar, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jul 9 05:43:00 brick sshd[18971]: Invalid user html from 200.41.233.234
</exhibit>
The problem (in my mind) is that some users are stuck with bad dns.
The warning won't stop them from logging in. I'm pretty sure they can't
even see it. But when they exceed a threshold number of logins -
which could be all successful logins - fail2ban will trigger.
fail2ban shouldn't be adding additional checks to successful logins
- it goes against the name fail2ban :)
- the first X "POSSIBLE BREAK-IN ATTEMPT"s would be permitted anyway
- if you want to ban bad DNS, the right way is PARANOID in /etc/hosts.deny
I've checked the source of OpenSSH, and this will only affect the
reverse-DNS error. (I won't be offended if you want to check
for yourself though ;)
<exhibit n="2">
$ grep -r -h -C1 'ATTEMPT' openssh-5.5p1/
logit("reverse mapping checking getaddrinfo for %.700s "
"[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop);
return xstrdup(ntop);
--
logit("Address %.100s maps to %.600s, but this does not "
"map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
ntop, name);
$
</exhibit>
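The point made in the commit message above, as an added example that is not fail2ban's own filter code: a simplified sshd failregex set in fail2ban style, run over constructed log lines built from exhibit 1, showing that the reverse-DNS warning is not counted as a failure while a second, over-broad pattern set that does match it inflates the count for a host that may be logging in successfully. The `<HOST>` expansion, the date stripping and the prefix handling are simplified assumptions, not the real filter definitions.

```python
import re
from collections import Counter

# Simplified stand-ins (assumptions, not fail2ban's real definitions):
# the syslog date is stripped before matching, <HOST> is IPv4 only, and the
# optional "pam_unix(sshd:auth):" portion is folded into the prefix.
DATE_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PREFIX = r"^\S+ sshd\[\d+\]: (?:pam_unix\(sshd:auth\): )?"

# Hypothetical failregex list: only genuine authentication failures.
# Deliberately no pattern for the reverse-DNS "POSSIBLE BREAK-IN ATTEMPT"
# warning, which is not a login failure.
FAILREGEX = [
    re.compile(PREFIX + r"Invalid user \S+ from " + HOST + r"\s*$"),
    re.compile(PREFIX + r"Failed \S+ for (?:invalid user )?\S+ from " + HOST + r" port \d+ ssh2$"),
    re.compile(PREFIX + r"authentication failure; .* rhost=" + HOST + r"(?:\s+user=\S+)?\s*$"),
]

# The over-broad variant the commit message argues against: it also counts
# the reverse-DNS warning, so hosts with broken DNS accumulate "failures".
OVERBROAD_FAILREGEX = FAILREGEX + [
    re.compile(PREFIX + r"Address " + HOST
               + r" maps to \S+, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!$"),
]

# Constructed sample log (first two lines follow exhibit 1; the rest are made up).
SAMPLE_LOG = """\
Jul 9 05:43:00 brick sshd[18971]: Address 200.41.233.234 maps to host234.advance.com.ar, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jul 9 05:43:00 brick sshd[18971]: Invalid user html from 200.41.233.234
Jul 9 05:43:02 brick sshd[18973]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
Jul 9 05:43:04 brick sshd[18973]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jul 9 05:44:10 brick sshd[18980]: Accepted publickey for alice from 198.51.100.9 port 40022 ssh2
"""

def count_failures(log_text, patterns=FAILREGEX):
    """Return {host: number_of_log_lines_counted_as_failures}."""
    hits = Counter()
    for line in log_text.splitlines():
        body = DATE_RE.sub("", line, count=1)  # drop the syslog timestamp
        for rx in patterns:
            m = rx.match(body)
            if m:
                hits[m.group("host")] += 1
                break  # a line counts at most once
    return hits
```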