Commit Graph

1149 Commits (4cf402d60e42003d7bb1c10e22eb99ebb57d0f71)

Author SHA1 Message Date
Daniel Black d1c8b57952 DOC: ChangeLog versions and dates for Releasing 2013-04-18 04:52:21 +10:00
Daniel Black 1331e15ac3 DOC: guidance for pull requests 2013-04-18 04:48:51 +10:00
Daniel Black 41b9f7b6ac BF: filter.d/sshd "Did not receive identification string" relates to an exploit so document this in sshd-ddos.conf but leave it out of authentication based blocks in sshd.conf 2013-04-18 04:38:03 +10:00
Yaroslav Halchenko 76c08cebe9 DOC: a plugin to thanks for the community support 2013-04-17 11:54:45 -04:00
Yaroslav Halchenko 82e2fc34eb Merge branch 'systemd' of https://github.com/opoplawski/fail2ban
Just two files to enable fail2ban within systemd:

 files/fail2ban-tmpfiles.conf |  1 +
 files/fail2ban.service       | 14 ++++++++++++++

* 'systemd' of https://github.com/opoplawski/fail2ban:
  Add After, PIDFile, and change WantedBy to multi-user.target in fail2ban.server
  Add systemd unit file and tmpfiles.d configuration files
2013-04-17 11:40:03 -04:00
Orion Poplawski ddebcab9aa Add After, PIDFile, and change WantedBy to multi-user.target in fail2ban.server 2013-04-17 09:27:06 -06:00
Yaroslav Halchenko 6f4dad46f0 DOC: slight tune ups to README (we are no longer compatible with python 2.3 ;) ) 2013-04-17 10:07:01 -04:00
Yaroslav Halchenko b8e823bd4e DOC: initiated changelog (but not juice left to actually fill it up ;-)) 2013-04-16 23:44:38 -04:00
Daniel Black 32d10e904a ENH: more openssh fail messages from openssh source code (CVS 20121205) 2013-04-17 00:03:36 +10:00
Yaroslav Halchenko 12f1398ec1 Merge pull request #172 from kwirk/minor
Minor tweaks -- removing duplication and improving testing
2013-04-15 06:31:09 -07:00
Steven Hiscocks 94956bee84 TST: test all valid loglevels in server testcases 2013-04-14 15:59:05 +01:00
Steven Hiscocks 4c4b60f4b4 TST: Add tag replace and escape test for actions 2013-04-14 15:58:35 +01:00
Steven Hiscocks 3d6791fe3e ENH: Minor change to action for consistency of execStart/Stop 2013-04-14 15:57:37 +01:00
Steven Hiscocks d259e903a3 TST: Coverage for coveralls.io should only be run on success 2013-04-14 15:56:14 +01:00
Steven Hiscocks 28e9acf86a TST: no cover additions to server, primarily daemon creation 2013-04-14 15:55:18 +01:00
Yaroslav Halchenko ffe48741e3 DOC: thanks @kwirk for spotting the typos in exception message 2013-04-13 22:20:57 -04:00
Yaroslav Halchenko 301460f451 Merge remote-tracking branch 'pr/167/head': FD_CLOEXEC bug fixes (filters) + support (actions). Avoid sockets descriptors leak.
* pr/167/head:
  FD_CLOEXEC support
2013-04-11 15:05:56 -04:00
Yaroslav Halchenko 59192a5585 Merge remote-tracking branch 'github_kwirk_fail2ban/pidfile'
* github_kwirk_fail2ban/pidfile:
  Typo in default pidfile in fail2ban.conf
2013-04-09 23:48:46 -04:00
Yaroslav Halchenko 99a5d78e37 ENH: for consistency (and future expansion ;)) -- rename to mysqld-auth 2013-04-09 18:03:34 -04:00
Yaroslav Halchenko ffaa9697ee Adjusting previous PR (MySQL logs) according to my comments 2013-04-09 18:00:40 -04:00
Yaroslav Halchenko 3e6be243bf Merge branch 'Support_for_mysql_log_example' of https://github.com/arto-p/fail2ban
* 'Support_for_mysql_log_example' of https://github.com/arto-p/fail2ban:
  Added testcase for MySQL date format to testcases/datedetectortestcase.py and example of MySQL log file.
  Added support for MySQL logfiles

Conflicts:
	testcases/datedetectortestcase.py -- conflictde with other added test cases
2013-04-09 17:55:14 -04:00
Yaroslav Halchenko 4fb06170f1 Merge 'Update the check_fail2ban script' PR from https://github.com/labynocle/fail2ban
* 'master' of https://github.com/labynocle/fail2ban:
  change the license to GPLv2 + adapat text
  fix the script name to check_fail2ban everywhere
  Replace the check_fail2ban script by a new one which respects the Nagios specs (like status, output, perfdata, help...). Also add a README which includes the content of f2ban.txt (which is now removed)
2013-04-09 17:41:36 -04:00
Yaroslav Halchenko f5ad99b527 Merge pull request #166 from kwirk/travis-gamin
Travis gamin support on Travis CI
2013-04-06 08:20:21 -07:00
Steven Hiscocks 47c54ba293 TST: Add gamin testing for and only coveralls coverage for python2.7 2013-04-06 11:08:07 +01:00
Nicolas Collignon 39667ff6f7 FD_CLOEXEC support
* 001-fail2ban-server-socket-close-on-exec-no-leak.diff

Add code that marks server and client sockets with FD_CLOEXEC flags.
Avoid leaking file descriptors to processes spawned when handling
fail2ban actions (ex: iptables).

Unix sockets managed by fail2ban-server don't need to be passed to any
child process. Fail2ban already uses the FD_CLOEXEC flags in the filter
code.

This patch also avoids giving iptables access to fail2ban UNIX socket in
a SELinux environment (A sane SELinux policy should trigger an audit
event because "iptables" will be given read/write access to the fail2ban
control socket).

Some random references related to this bug:
 http://sourceforge.net/tracker/?func=detail&atid=689044&aid=2086568&group_id=121032
 http://www.redhat.com/archives/fedora-selinux-list/2009-June/msg00124.html
 http://forums.fedoraforum.org/showthread.php?t=234230

 * 002-fail2ban-filters-close-on-exec-typo-fix.diff

There is a typo in the fail2ban server/filter.py source code. The
FD_CLOEXEC is correctly set but additional *random* flags are also set.
It has no side-effect as long as the fd doesn't match a valid flag :)
"fcntl.fcntl(fd, fcntl.F_SETFD, fd | fcntl.FD_CLOEXEC)" <== the 3rd
parameter should be flags, not a file descriptor.

 * 003-fail2ban-gamin-socket-close-on-exec-no-leak.diff

Add code that marks the Gamin monitor file descriptor with FD_CLOEXEC
flags. Avoid leaking file descriptors to processes spawned when handling
fail2ban actions (ex: iptables).

---

File descriptors in action process before patches:
dr-x------ 2 root root  0 .
dr-xr-xr-x 8 root root  0 ..
lr-x------ 1 root root 64 0 -> /dev/null        <== OK
l-wx------ 1 root root 64 1 -> /tmp/test.log    <== used by test action
lrwx------ 1 root root 64 2 -> /dev/null        <== OK
lrwx------ 1 root root 64 3 -> socket:[116361]  <== NOK (fail2ban.sock leak)
lr-x------ 1 root root 64 4 -> /proc/20090/fd   <== used by test action
l-wx------ 1 root root 64 5 -> /var/log/fail2ban.log <== OK
lrwx------ 1 root root 64 6 -> socket:[115608]  <== NOK (gamin sock leak)

File descriptors in action process after patches:
dr-x------ 2 root root  0 .
dr-xr-xr-x 8 root root  0 ..
lr-x------ 1 root root 64 0 -> /dev/null        <== OK
l-wx------ 1 root root 64 1 -> /tmp/test.log    <== used by test action
lrwx------ 1 root root 64 2 -> /dev/null        <== OK
lr-x------ 1 root root 64 3 -> /proc/18284/fd   <== used by test action
l-wx------ 1 root root 64 5 -> /var/log/fail2ban.log <== OK
2013-04-02 19:11:59 +02:00
Erwan Ben Souiden 44736035bd change the license to GPLv2 + adapat text 2013-04-02 09:49:44 +02:00
Steven Hiscocks b0a08b9790 TST: Add gamin support for Travis CI 2013-03-30 18:17:01 +00:00
Yaroslav Halchenko 74e76e068c Merge pull request #164 from kwirk/coveralls
TST+BF: Use separate coveragerc for Travis CI
2013-03-29 13:32:29 -07:00
Steven Hiscocks 0002fb4ca3 TST+BF: Use separate coveragerc for Travis CI
Should now ignore server/filtergamin.py as gamin is not tested. Also
ignores Travis CI python virtual environments
2013-03-29 20:14:13 +00:00
Yaroslav Halchenko 33a31e096a RF+TST: bring inBanList back from private to protected and enabled its rudimentary unittests 2013-03-29 15:33:08 -04:00
Yaroslav Halchenko 08dd6fed26 Merge pull request #163 from kwirk/coveralls
Coveralls.io
2013-03-29 12:15:34 -07:00
Steven Hiscocks e0e116cb36 TST: coverage ignore Travis CI python virtual environments 2013-03-29 19:09:55 +00:00
Yaroslav Halchenko e7184e70f6 ENH: increase waiting to 4 sec for gamin/pyinotify
This will be the last gesture from me for the bloody tests:
https://travis-ci.org/kwirk/fail2ban/jobs/5904668
2013-03-29 14:59:52 -04:00
Steven Hiscocks 92d26e6897 TST+BF: Fix incorrect commands for coveralls support 2013-03-29 17:22:48 +00:00
Steven Hiscocks b3251fca79 TST: Add support for coveralls for python 2.6 and python 2.7 2013-03-29 17:16:19 +00:00
Yaroslav Halchenko ffbbb9f8a3 ENH: deleted trailing spaces in fail2ban- cmdline tools
Now it was already a mix, and Cyril is not working on this code any
longer so no need to maintain this convention.
2013-03-29 12:31:50 -04:00
Yaroslav Halchenko 7cf509378c DOC: minor change -- refer to the fail2ban manpage 2013-03-28 11:36:18 -04:00
Yaroslav Halchenko ef3f2b7e99 TST: be more aggressive in cleanup of temp files + use mktemp instead of mkstemp 2013-03-27 23:40:50 -04:00
Yaroslav Halchenko bf4d4af1d4 ENH(BF?): overload open() (for buffering) within filtertestcase to guarantee atomic writing
This is with the hope to further resolve random tests failures
( primarily on fast travis-ci systems ;) )
2013-03-27 15:11:49 -04:00
Yaroslav Halchenko ab044b75ea BF: delay check for the existence of config directory until read() 2013-03-27 12:22:39 -04:00
Yaroslav Halchenko 4b11f071ed DOC: minor fix ups of manpages. fixes #159 2013-03-27 12:02:19 -04:00
Yaroslav Halchenko f643e2e907 non-static (get|set)BaseDir for Configurator. fixes #160
ConfigReader's (get|set)BaseDir are no longer static as a result of
.d/ support RFing
2013-03-27 11:51:07 -04:00
Yaroslav Halchenko 72b06479a5 ENH: Slight tune ups for fresh SOGo filter + comment into the sample log file 2013-03-27 11:09:54 -04:00
Yaroslav Halchenko 105306e1a8 Merge remote-tracking branch 'pr/117/head' -- SOGo filters
* pr/117/head:
  An example of failed logins against sogo
  Update sogo-auth.conf
  Update config/filter.d/sogo-auth.conf
  Create sogo-auth.conf
  Update config/jail.conf
2013-03-27 11:09:35 -04:00
Yaroslav Halchenko cd57d9c552 Merge pull request #155 from yarikoptic/master
TST+ENH: enable basic (smoke) testing of the default jail.conf + improve postfix filter
2013-03-27 05:43:55 -07:00
Yaroslav Halchenko 01b4870adc Merge pull request #154 from fail2ban/_tent/fixup_tests_racing
Multiple ENHs + fixup tests racing. fixes #103
2013-03-27 05:42:44 -07:00
Erwan Ben Souiden c4d92fba71 fix the script name to check_fail2ban everywhere 2013-03-26 16:08:05 +01:00
Erwan Ben Souiden d7d5228964 Replace the check_fail2ban script by a new one which respects the Nagios specs (like status, output, perfdata, help...).
Also add a README which includes the content of f2ban.txt (which is now removed)
2013-03-26 15:55:26 +01:00
Yaroslav Halchenko 91d5736c12 ENH: postfix filter -- react also on (450 4.7.1) with empty from/to. fixes #126 2013-03-26 09:40:04 -04:00
Yaroslav Halchenko c06b7abb46 TST: basic testing of reading the shipped jail.conf (forcing all jails to be enabled) 2013-03-26 00:01:56 -04:00