* 001-fail2ban-server-socket-close-on-exec-no-leak.diff
Add code that marks server and client sockets with FD_CLOEXEC flags.
Avoid leaking file descriptors to processes spawned when handling
fail2ban actions (ex: iptables).
Unix sockets managed by fail2ban-server don't need to be passed to any
child process. Fail2ban already uses the FD_CLOEXEC flags in the filter
code.
This patch also avoids giving iptables access to the fail2ban UNIX socket in
a SELinux environment (a sane SELinux policy should trigger an audit
event because "iptables" will be given read/write access to the fail2ban
control socket).
Some random references related to this bug:
http://sourceforge.net/tracker/?func=detail&atid=689044&aid=2086568&group_id=121032
http://www.redhat.com/archives/fedora-selinux-list/2009-June/msg00124.html
http://forums.fedoraforum.org/showthread.php?t=234230
* 002-fail2ban-filters-close-on-exec-typo-fix.diff
There is a typo in the fail2ban server/filter.py source code. The
FD_CLOEXEC is correctly set but additional *random* flags are also set.
It has no side-effect as long as the fd doesn't match a valid flag :)
"fcntl.fcntl(fd, fcntl.F_SETFD, fd | fcntl.FD_CLOEXEC)" <== the 3rd
parameter should be flags, not a file descriptor.
* 003-fail2ban-gamin-socket-close-on-exec-no-leak.diff
Add code that marks the Gamin monitor file descriptor with FD_CLOEXEC
flags. Avoid leaking file descriptors to processes spawned when handling
fail2ban actions (ex: iptables).
---
File descriptors in action process before patches:
dr-x------ 2 root root 0 .
dr-xr-xr-x 8 root root 0 ..
lr-x------ 1 root root 64 0 -> /dev/null <== OK
l-wx------ 1 root root 64 1 -> /tmp/test.log <== used by test action
lrwx------ 1 root root 64 2 -> /dev/null <== OK
lrwx------ 1 root root 64 3 -> socket:[116361] <== NOK (fail2ban.sock leak)
lr-x------ 1 root root 64 4 -> /proc/20090/fd <== used by test action
l-wx------ 1 root root 64 5 -> /var/log/fail2ban.log <== OK
lrwx------ 1 root root 64 6 -> socket:[115608] <== NOK (gamin sock leak)
File descriptors in action process after patches:
dr-x------ 2 root root 0 .
dr-xr-xr-x 8 root root 0 ..
lr-x------ 1 root root 64 0 -> /dev/null <== OK
l-wx------ 1 root root 64 1 -> /tmp/test.log <== used by test action
lrwx------ 1 root root 64 2 -> /dev/null <== OK
lr-x------ 1 root root 64 3 -> /proc/18284/fd <== used by test action
l-wx------ 1 root root 64 5 -> /var/log/fail2ban.log <== OK
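An added example, not code from fail2ban itself, showing what patches 001 and 002 describe: the mistyped call quoted above next to the correct F_GETFD/F_SETFD sequence, and a spawned child standing in for an action command so the leaked-versus-closed descriptor can be observed. The unbound AF_UNIX socket, `leak_check` and `child_inherits` are constructed for this demonstration and assume Linux.

```python
import fcntl
import os
import socket
import subprocess
import sys

# Code run by the spawned "action": exit 0 if the numbered descriptor is still
# open after exec, 1 if not. os.fstat (not /proc) so socket fds count too.
_CHILD_PROBE = (
    "import os, sys\n"
    "try:\n    os.fstat(int(sys.argv[1]))\n    sys.exit(0)\n"
    "except OSError:\n    sys.exit(1)\n"
)

def buggy_set_cloexec(fd):
    # The typo quoted above: the fd number is passed where the flag word
    # belongs. Bit 0 (FD_CLOEXEC) is set by coincidence; the fd's other bits
    # are handed to F_SETFD as flags (Linux silently discards them).
    fcntl.fcntl(fd, fcntl.F_SETFD, fd | fcntl.FD_CLOEXEC)

def set_cloexec(fd):
    # Correct form: read the current descriptor flags, then OR in FD_CLOEXEC.
    flags = fcntl.fcntl(fd, fcntl.F_GETFD)
    fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)

def child_inherits(fd):
    # Spawn a child the way an action command such as iptables is spawned and
    # report whether fd survived exec. close_fds=False mirrors the Python 2
    # default fail2ban ran under.
    rc = subprocess.call([sys.executable, "-c", _CHILD_PROBE, str(fd)],
                         close_fds=False)
    return rc == 0

def leak_check(fix=set_cloexec):
    # Returns (leaks_before, leaks_after) for a constructed stand-in for
    # fail2ban.sock: an unbound AF_UNIX socket. Python 3.4+ creates sockets
    # non-inheritable, so inheritance is re-enabled to reproduce the
    # pre-patch state.
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    fd = sock.fileno()
    os.set_inheritable(fd, True)
    try:
        leaks_before = child_inherits(fd)
        fix(fd)
        leaks_after = child_inherits(fd)
        return leaks_before, leaks_after
    finally:
        sock.close()
```

Passing `buggy_set_cloexec` as `fix` shows why the typo went unnoticed: the descriptor still stops leaking, because the stray bits happen to be ignored.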
* pr/117/head:
An example of failed logins against sogo
Update sogo-auth.conf
Update config/filter.d/sogo-auth.conf
Create sogo-auth.conf
Update config/jail.conf
Now it should be evaluated only if logging mode is debug or "lower", and also
should happen not only on initial detections but for every added failure.
It also reports counts per each IP now
Also to guarantee unique file names across tests -- append incremental
numeric suffix.
This should prevent unittest from not reporting specific unittest method names,
thus complicating the analysis of failures
It also fixes #115 since current implementation provides similarly informative
error messages. But see #153 for possible improvements
* _tent/conf_d:
Reincarnated removed (by mistake) test for SplitAction
ENH: made log messages while parsing files more informative + test for inaccessible file (Closes: gh-24)
NF: allow customization configuration under corresponding .d directories (Closes gh-114)
Fix up for warning/error for inaccessible config files
Warn if config file present but unreadable
Conflicts:
fail2ban-testcases
* 'master' of https://github.com/sebres/fail2ban:
invalid date recognition, irregular because of sorting template list, now via setRegex
invalid date recognition, irregular because of sorting template list (sometimes not reproducible by fail2ban-regex, cause will be not sorted)
Conflicts:
testcases/servertestcase.py -- excluded all the changes to this file,
since they were conflicting and actually not needed (yet at least)
* 'misc-fixes' of https://github.com/grooverdan/fail2ban:
PKG: change email that I want in RPMs
BF: defer testSocket for later
DOC: Defin{a,i}tion
DOC: add fail2ban.1 manual page
DOC: init -> Init, defination -> Defination. Improved intro
DOC: punishment claimed
BF: add missing items from MANIFEST, used by python setup.py sdist
DOC: tags are documented in the jail.conf(5) man page
ENH: add test case for testing socket
ENH: jail.conf man page
ENH: git ignore failed patch remnants
BF: remove non-existent files from setup.py. ENH: add documentation
ENH: packaging information for RPM builds
completed items from TODO list