Commit Graph

983 Commits (b8e823bd4ef335833893869fa246ca124307acb4)

Author SHA1 Message Date
Yaroslav Halchenko b8e823bd4e DOC: initiated changelog (but no juice left to actually fill it up ;-)) 2013-04-16 23:44:38 -04:00
Yaroslav Halchenko 12f1398ec1 Merge pull request #172 from kwirk/minor
Minor tweaks -- removing duplication and improving testing
2013-04-15 06:31:09 -07:00
Steven Hiscocks 94956bee84 TST: test all valid loglevels in server testcases 2013-04-14 15:59:05 +01:00
Steven Hiscocks 4c4b60f4b4 TST: Add tag replace and escape test for actions 2013-04-14 15:58:35 +01:00
Steven Hiscocks 3d6791fe3e ENH: Minor change to action for consistency of execStart/Stop 2013-04-14 15:57:37 +01:00
Steven Hiscocks d259e903a3 TST: Coverage for coveralls.io should only be run on success 2013-04-14 15:56:14 +01:00
Steven Hiscocks 28e9acf86a TST: no cover additions to server, primarily daemon creation 2013-04-14 15:55:18 +01:00
Yaroslav Halchenko ffe48741e3 DOC: thanks @kwirk for spotting the typos in exception message 2013-04-13 22:20:57 -04:00
Yaroslav Halchenko 301460f451 Merge remote-tracking branch 'pr/167/head': FD_CLOEXEC bug fixes (filters) + support (actions). Avoid sockets descriptors leak.
* pr/167/head:
  FD_CLOEXEC support
2013-04-11 15:05:56 -04:00
Yaroslav Halchenko 59192a5585 Merge remote-tracking branch 'github_kwirk_fail2ban/pidfile'
* github_kwirk_fail2ban/pidfile:
  Typo in default pidfile in fail2ban.conf
2013-04-09 23:48:46 -04:00
Yaroslav Halchenko 99a5d78e37 ENH: for consistency (and future expansion ;)) -- rename to mysqld-auth 2013-04-09 18:03:34 -04:00
Yaroslav Halchenko ffaa9697ee Adjusting previous PR (MySQL logs) according to my comments 2013-04-09 18:00:40 -04:00
Yaroslav Halchenko 3e6be243bf Merge branch 'Support_for_mysql_log_example' of https://github.com/arto-p/fail2ban
* 'Support_for_mysql_log_example' of https://github.com/arto-p/fail2ban:
  Added testcase for MySQL date format to testcases/datedetectortestcase.py and example of MySQL log file.
  Added support for MySQL logfiles

Conflicts:
	testcases/datedetectortestcase.py -- conflicted with other added test cases
2013-04-09 17:55:14 -04:00
Yaroslav Halchenko 4fb06170f1 Merge 'Update the check_fail2ban script' PR from https://github.com/labynocle/fail2ban
* 'master' of https://github.com/labynocle/fail2ban:
  change the license to GPLv2 + adapt text
  fix the script name to check_fail2ban everywhere
  Replace the check_fail2ban script by a new one which respects the Nagios specs (like status, output, perfdata, help...). Also add a README which includes the content of f2ban.txt (which is now removed)
2013-04-09 17:41:36 -04:00
Yaroslav Halchenko f5ad99b527 Merge pull request #166 from kwirk/travis-gamin
Travis gamin support on Travis CI
2013-04-06 08:20:21 -07:00
Steven Hiscocks 47c54ba293 TST: Add gamin testing for and only coveralls coverage for python2.7 2013-04-06 11:08:07 +01:00
Nicolas Collignon 39667ff6f7 FD_CLOEXEC support
* 001-fail2ban-server-socket-close-on-exec-no-leak.diff

Add code that marks server and client sockets with FD_CLOEXEC flags.
Avoid leaking file descriptors to processes spawned when handling
fail2ban actions (ex: iptables).

Unix sockets managed by fail2ban-server don't need to be passed to any
child process. Fail2ban already uses the FD_CLOEXEC flags in the filter
code.

This patch also avoids giving iptables access to fail2ban UNIX socket in
a SELinux environment (A sane SELinux policy should trigger an audit
event because "iptables" will be given read/write access to the fail2ban
control socket).

Some random references related to this bug:
 http://sourceforge.net/tracker/?func=detail&atid=689044&aid=2086568&group_id=121032
 http://www.redhat.com/archives/fedora-selinux-list/2009-June/msg00124.html
 http://forums.fedoraforum.org/showthread.php?t=234230

 * 002-fail2ban-filters-close-on-exec-typo-fix.diff

There is a typo in the fail2ban server/filter.py source code. The
FD_CLOEXEC is correctly set but additional *random* flags are also set.
It has no side-effect as long as the fd doesn't match a valid flag :)
"fcntl.fcntl(fd, fcntl.F_SETFD, fd | fcntl.FD_CLOEXEC)" <== the 3rd
parameter should be flags, not a file descriptor.

 * 003-fail2ban-gamin-socket-close-on-exec-no-leak.diff

Add code that marks the Gamin monitor file descriptor with FD_CLOEXEC
flags. Avoid leaking file descriptors to processes spawned when handling
fail2ban actions (ex: iptables).

---

File descriptors in action process before patches:
dr-x------ 2 root root  0 .
dr-xr-xr-x 8 root root  0 ..
lr-x------ 1 root root 64 0 -> /dev/null        <== OK
l-wx------ 1 root root 64 1 -> /tmp/test.log    <== used by test action
lrwx------ 1 root root 64 2 -> /dev/null        <== OK
lrwx------ 1 root root 64 3 -> socket:[116361]  <== NOK (fail2ban.sock leak)
lr-x------ 1 root root 64 4 -> /proc/20090/fd   <== used by test action
l-wx------ 1 root root 64 5 -> /var/log/fail2ban.log <== OK
lrwx------ 1 root root 64 6 -> socket:[115608]  <== NOK (gamin sock leak)

File descriptors in action process after patches:
dr-x------ 2 root root  0 .
dr-xr-xr-x 8 root root  0 ..
lr-x------ 1 root root 64 0 -> /dev/null        <== OK
l-wx------ 1 root root 64 1 -> /tmp/test.log    <== used by test action
lrwx------ 1 root root 64 2 -> /dev/null        <== OK
lr-x------ 1 root root 64 3 -> /proc/18284/fd   <== used by test action
l-wx------ 1 root root 64 5 -> /var/log/fail2ban.log <== OK
2013-04-02 19:11:59 +02:00
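
Added example (not part of the commit above and not fail2ban code): a Python 3 check for the descriptor leak that commit 39667ff6f7 describes, using the read-modify-write form of F_SETFD. The helper names and the socketpair standing in for the control socket are assumptions made for this illustration.

```python
import fcntl
import os
import socket
import subprocess
import sys

# Child program: exit 0 if the fd number given in argv[1] is an open socket.
CHILD = (
    "import os, stat, sys\n"
    "try:\n"
    "    mode = os.fstat(int(sys.argv[1])).st_mode\n"
    "except OSError:\n"
    "    sys.exit(1)\n"
    "sys.exit(0 if stat.S_ISSOCK(mode) else 1)\n"
)


def set_cloexec(fd):
    """Read-modify-write of the descriptor flags.

    The form quoted in the commit message passed `fd | fcntl.FD_CLOEXEC`
    as the third argument, mixing the descriptor number into the flags.
    """
    flags = fcntl.fcntl(fd, fcntl.F_GETFD)
    fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)


def child_sees_socket(fd):
    """Spawn a child without the blanket close_fds cleanup and report
    whether descriptor number fd is still an open socket after exec."""
    rc = subprocess.call([sys.executable, "-c", CHILD, str(fd)], close_fds=False)
    return rc == 0


def demo():
    """Return (leaked_before, leaked_after) for a constructed UNIX socket."""
    a, b = socket.socketpair()  # constructed stand-in for the control socket
    try:
        fd = a.fileno()
        os.set_inheritable(fd, True)  # Python 2 default; Python 3.4+ clears it
        before = child_sees_socket(fd)
        set_cloexec(fd)
        after = child_sees_socket(fd)
        return before, after
    finally:
        a.close()
        b.close()


if __name__ == "__main__":
    print("leaked before/after FD_CLOEXEC:", demo())
```

The same check can be pointed at any long-running daemon's descriptors: anything a spawned helper can still reach after exec, and does not need, is a candidate for FD_CLOEXEC.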
Erwan Ben Souiden 44736035bd change the license to GPLv2 + adapt text 2013-04-02 09:49:44 +02:00
Steven Hiscocks b0a08b9790 TST: Add gamin support for Travis CI 2013-03-30 18:17:01 +00:00
Yaroslav Halchenko 74e76e068c Merge pull request #164 from kwirk/coveralls
TST+BF: Use separate coveragerc for Travis CI
2013-03-29 13:32:29 -07:00
Steven Hiscocks 0002fb4ca3 TST+BF: Use separate coveragerc for Travis CI
Should now ignore server/filtergamin.py as gamin is not tested. Also
ignores Travis CI python virtual environments
2013-03-29 20:14:13 +00:00
Yaroslav Halchenko 33a31e096a RF+TST: bring inBanList back from private to protected and enabled its rudimentary unittests 2013-03-29 15:33:08 -04:00
Yaroslav Halchenko 08dd6fed26 Merge pull request #163 from kwirk/coveralls
Coveralls.io
2013-03-29 12:15:34 -07:00
Steven Hiscocks e0e116cb36 TST: coverage ignore Travis CI python virtual environments 2013-03-29 19:09:55 +00:00
Yaroslav Halchenko e7184e70f6 ENH: increase waiting to 4 sec for gamin/pyinotify
This will be the last gesture from me for the bloody tests:
https://travis-ci.org/kwirk/fail2ban/jobs/5904668
2013-03-29 14:59:52 -04:00
Steven Hiscocks 92d26e6897 TST+BF: Fix incorrect commands for coveralls support 2013-03-29 17:22:48 +00:00
Steven Hiscocks b3251fca79 TST: Add support for coveralls for python 2.6 and python 2.7 2013-03-29 17:16:19 +00:00
Yaroslav Halchenko ffbbb9f8a3 ENH: deleted trailing spaces in fail2ban- cmdline tools
Now it was already a mix, and Cyril is not working on this code any
longer so no need to maintain this convention.
2013-03-29 12:31:50 -04:00
Yaroslav Halchenko 7cf509378c DOC: minor change -- refer to the fail2ban manpage 2013-03-28 11:36:18 -04:00
Yaroslav Halchenko ef3f2b7e99 TST: be more aggressive in cleanup of temp files + use mktemp instead of mkstemp 2013-03-27 23:40:50 -04:00
Yaroslav Halchenko bf4d4af1d4 ENH(BF?): overload open() (for buffering) within filtertestcase to guarantee atomic writing
This is with the hope to further resolve random tests failures
( primarily on fast travis-ci systems ;) )
2013-03-27 15:11:49 -04:00
Yaroslav Halchenko ab044b75ea BF: delay check for the existence of config directory until read() 2013-03-27 12:22:39 -04:00
Yaroslav Halchenko 4b11f071ed DOC: minor fix ups of manpages. fixes #159 2013-03-27 12:02:19 -04:00
Yaroslav Halchenko f643e2e907 non-static (get|set)BaseDir for Configurator. fixes #160
ConfigReader's (get|set)BaseDir are no longer static as a result of
.d/ support RFing
2013-03-27 11:51:07 -04:00
Yaroslav Halchenko 72b06479a5 ENH: Slight tune ups for fresh SOGo filter + comment into the sample log file 2013-03-27 11:09:54 -04:00
Yaroslav Halchenko 105306e1a8 Merge remote-tracking branch 'pr/117/head' -- SOGo filters
* pr/117/head:
  An example of failed logins against sogo
  Update sogo-auth.conf
  Update config/filter.d/sogo-auth.conf
  Create sogo-auth.conf
  Update config/jail.conf
2013-03-27 11:09:35 -04:00
Yaroslav Halchenko cd57d9c552 Merge pull request #155 from yarikoptic/master
TST+ENH: enable basic (smoke) testing of the default jail.conf + improve postfix filter
2013-03-27 05:43:55 -07:00
Yaroslav Halchenko 01b4870adc Merge pull request #154 from fail2ban/_tent/fixup_tests_racing
Multiple ENHs + fixup tests racing. fixes #103
2013-03-27 05:42:44 -07:00
Erwan Ben Souiden c4d92fba71 fix the script name to check_fail2ban everywhere 2013-03-26 16:08:05 +01:00
Erwan Ben Souiden d7d5228964 Replace the check_fail2ban script by a new one which respects the Nagios specs (like status, output, perfdata, help...).
Also add a README which includes the content of f2ban.txt (which is now removed)
2013-03-26 15:55:26 +01:00
Yaroslav Halchenko 91d5736c12 ENH: postfix filter -- react also on (450 4.7.1) with empty from/to. fixes #126 2013-03-26 09:40:04 -04:00
Yaroslav Halchenko c06b7abb46 TST: basic testing of reading the shipped jail.conf (forcing all jails to be enabled) 2013-03-26 00:01:56 -04:00
Yaroslav Halchenko 8fe4e11b67 ENH: allow to force enable all jails (for testing), do not crash for jails without actions (just warn)
also a bit more explicit handling of regexp groups in splitAction
2013-03-26 00:01:12 -04:00
Yaroslav Halchenko 2fb053643e ENH: minor -- add default value into the warning if option had none provided 2013-03-25 23:59:42 -04:00
Yaroslav Halchenko 7064a411c2 ENH: _copy_lines_between_files -- read all needed, and only then write/flush at once
I think this is the one which should resolve
https://github.com/fail2ban/fail2ban/issues/103
2013-03-25 23:05:55 -04:00
Yaroslav Halchenko ba042c6e3a ENH: move pyinotify callback debug message into callback + delay string interpolations 2013-03-25 23:05:55 -04:00
Yaroslav Halchenko 52af29a080 ENH: adding ability to incorporate tracebacks into log lines while running tests 2013-03-25 23:05:48 -04:00
Yaroslav Halchenko c29553354b ENH: FailManager -- improve log message to report total # of detected failures as well 2013-03-25 23:05:47 -04:00
Yaroslav Halchenko f72bc13111 BF: allow to wait longer for FilterPoll in test_move_file 2013-03-25 23:05:47 -04:00
Yaroslav Halchenko 5ea2ab14e6 ENH: elaborated debug log message about already detected failures
Now it should be evaluated only if logging mode is debug or "lower", and also
should happen not only on initial detections but for every added failure.
It also reports counts per each IP now
2013-03-25 23:05:47 -04:00