Commit Graph

862 Commits (c7ae460b8a5c6a688931d931f4fd1e28e6e30348)

Author SHA1 Message Date
Yaroslav Halchenko 6ad55f64b3 ENH: add wu-ftpd failregex for use against syslog (Closes: #514239) 2012-07-31 15:43:13 -04:00
Yaroslav Halchenko a512ea47d2 Adjusted changelog to reflect the last change 2012-07-31 15:33:30 -04:00
Yaroslav Halchenko 80b191c7fd BF: anchor chain name in actioncheck's for iptables actions (Closes: #672228) 2012-07-31 15:27:05 -04:00
Yaroslav Halchenko a3b242d6dd BF: inline comments must use ; not # -- recidive jail 2012-07-31 14:05:42 -04:00
Yaroslav Halchenko 99c0caa9cc Boosted version to 0.8.7 + few more comments 2012-07-31 12:32:25 -04:00
Yaroslav Halchenko da752aff14 perspective changelog for 0.8.7
Conflicts:
	ChangeLog
2012-07-30 14:50:43 -04:00
Yaroslav Halchenko 6495942550 DOC: minor (untabify, utf8) for ChangeLog 2012-07-30 13:57:00 -04:00
Yaroslav Halchenko dca5634717 Merge branch '_enh/test_backends' -- fixing inotify backend, RF backends, unittests
* _enh/test_backends:
  RF: reordered tests + enabled gamin now that its fix is pending in Debian
  ENH+BF: filtergamin -- to be more inline with current design of filterinotify
  ENH: 1 more sleep_4_poll to guarantee difference in time stamp
  ENH: few more delays for cases relying on time stamps
  ENH: tests much more robust now across pythons 2.4 -- 2.7
  BF+RF: pyinotify refreshes watcher upon CREATE, unified/simplified *(add|del)LogPath among *Filters
  ENH: fail2ban-testcases -- custom logging format to ease debugging, non-0 exit code in case of failure
  ENH: Filter's testcases -- rename, del + list again --- a bit unstable, might still fail from time to time
  BF: pyinotify -- monitor the parent directory for IN_CREATE + process freshly added file (Closes gh-44)
  ENH: first working unittest for checking polling and inotify backends
  RF/BF: just use pyinotify.ThreadedNotifier thread in filterpyinotify
  RF: filter.py -- single readline in a loop
  ENH: FilterPoll -- adjusted some msgs + allowed to operate without jail (for testing)
  Minor additional comment to DEVELOP
  ENH: extended test LogfileMonitor
2012-07-20 09:50:08 -04:00
Yaroslav Halchenko 481b1530d6 RF: reordered tests + enabled gamin now that its fix is pending in Debian
reference: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542361
2012-07-19 23:08:33 -04:00
Yaroslav Halchenko c6f5d854d3 ENH+BF: filtergamin -- to be more inline with current design of filterinotify 2012-07-19 23:07:43 -04:00
Yaroslav Halchenko 337f3f6f7b ENH: 1 more sleep_4_poll to guarantee difference in time stamp 2012-07-19 23:07:08 -04:00
Yaroslav Halchenko e9964846fa ENH: few more delays for cases relying on time stamps 2012-07-19 21:41:04 -04:00
Yaroslav Halchenko c0c1232c5f Merge branch 'master' into _enh/test_backends
* master:
  Ask users to report bugs to github's issues
  Replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul (Closes gh-66)
2012-07-19 17:29:35 -04:00
Yaroslav Halchenko a1a67d34a9 ENH: tests much more robust now across pythons 2.4 -- 2.7
* needed additional sleeps for polling filter since that one relies on
  time-stamps and too rapid changes would not be caught by the
  PollFilter
* in python 2.4, time stamps are up to a second (int's) so sleeps longer
* test_new_bogus_file -- just to make sure that addition of new files
  does not alter our monitoring
2012-07-19 17:29:12 -04:00
Yaroslav Halchenko d9248a6cf8 BF+RF: pyinotify refreshes watcher upon CREATE, unified/simplified *(add|del)LogPath among *Filters
* all of the *Filters had too much of common logic in their *LogPath
  methods, which is now handled by FileFilter and derived classes only
  add custom actions in corresponding _(add|del)LogPath methods

pyinotify:

* upon CREATE event:
  - unknown files should not be handled at all
  - "watcher" for the monitored files should be recreated.
    Lead to adding _(add|del)FileWatcher helper methods
* callback now obtains full event to judge what to do
2012-07-19 17:26:09 -04:00
Yaroslav Halchenko b33ae8c194 Ask users to report bugs to github's issues 2012-07-19 14:51:46 -04:00
Yaroslav Halchenko 08564bda1a ENH: fail2ban-testcases -- custom logging format to ease debugging, non-0 exit code in case of failure 2012-07-19 13:30:55 -04:00
Yaroslav Halchenko 6ac9fd5d26 ENH: Filter's testcases -- rename, del + list again --- a bit unstable, might still fail from time to time 2012-07-19 13:30:01 -04:00
Yaroslav Halchenko 3c95121a8b BF: pyinotify -- monitor the parent directory for IN_CREATE + process freshly added file (Closes gh-44) 2012-07-19 13:28:48 -04:00
Yaroslav Halchenko 60260bce3d ENH: first working unittest for checking polling and inotify backends 2012-07-19 01:14:55 -04:00
Yaroslav Halchenko baa09098f0 RF/BF: just use pyinotify.ThreadedNotifier thread in filterpyinotify
that seems also to overcome the problem of often locking upon stop()
2012-07-19 01:14:02 -04:00
Yaroslav Halchenko 25674a95f8 RF: filter.py -- single readline in a loop 2012-07-19 01:10:59 -04:00
Yaroslav Halchenko b3614d4ea2 ENH: FilterPoll -- adjusted some msgs + allowed to operate without jail (for testing) 2012-07-19 01:08:34 -04:00
Yaroslav Halchenko 42523dce92 Minor additional comment to DEVELOP 2012-07-19 01:04:05 -04:00
Yaroslav Halchenko 47e956bc8e Replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul (Closes gh-66)
Surprise -- that is for Windows compatibility
2012-07-18 10:29:59 -04:00
Yaroslav Halchenko 0b842272e3 ENH: extended test LogfileMonitor 2012-07-18 10:26:42 -04:00
Alan Jenkins 8c38907016 Misconfigured DNS should not ban *successful* ssh logins
Noticed while looking at the source (to see the point of ssh-ddos).

POSSIBLE BREAK-IN ATTEMPT - sounds scary?  But keep reading
the message.  It's not a login failure.  It's a warning about
reverse-DNS.  The login can still succeed, and if it _does_ fail,
that will be logged as normal.

<exhibit n="1">
Jul  9 05:43:00 brick sshd[18971]: Address 200.41.233.234 maps to host234.advance.com.
ar, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jul  9 05:43:00 brick sshd[18971]: Invalid user html from 200.41.233.234
</exhibit>

The problem (in my mind) is that some users are stuck with bad dns.
The warning won't stop them from logging in.  I'm pretty sure they can't
even see it.  But when they exceed a threshold number of logins -
which could be all successful logins - fail2ban will trigger.

fail2ban shouldn't adding additional checks to successful logins
 - it goes against the name fail2ban :)
 - the first X "POSSIBLE BREAK-IN ATTEMPT"s would be permitted anyway
 - if you want to ban bad DNS, the right way is PARANOID in /etc/hosts.deny

I've checked the source of OpenSSH, and this will only affect the
reverse-DNS error.  (I won't be offended if you want to check
for yourself though ;)

<exhibit n="2">
$ grep -r -h -C1 'ATTEMPT' openssh-5.5p1/
                logit("reverse mapping checking getaddrinfo for %.700s "
                    "[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop);
                return xstrdup(ntop);
--
                logit("Address %.100s maps to %.600s, but this does not "
                    "map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
                    ntop, name);
$
</exhibit>
2012-07-13 21:41:58 +01:00
Yaroslav Halchenko 9a2b41f6ad ENH: add more verbosity levels to be controlled while running unittests 2012-06-30 00:35:43 -04:00
Yaroslav Halchenko 398cc73d3d Added few tests of FileFilter. yet to place them into a Jail-ed execution test
At the moment they are, despite  being provided different  backends,
pretty much test FileFilter functionality.
2012-06-30 00:35:08 -04:00
Yaroslav Halchenko bbab49a415 DOC: distilling some of server "design" into DEVELOP notes for common good 2012-06-29 12:59:26 -04:00
Yaroslav Halchenko 9b360bb12d ENH: minor, just trailing spaces/tabs + reformated a string 2012-06-29 12:58:53 -04:00
Yaroslav Halchenko 215c3cc5c5 ENH: added a basic test for FilterPoll for detection of modifications
The test class MonitorFailures is intended to be excercised for all
Filter*'s, i.e. backends. It is just atm it is useful only for Poll
2012-06-29 12:56:32 -04:00
Yaroslav Halchenko f970bb288a Merge pull request #59 from yakatz/doc/DEVELOP
clarified that the are existing test cases and the 'coming soon' is about creating new ones
2012-06-26 21:05:41 -07:00
Yehuda Katz bd40cc7c31 clarified that the are existing test cases and the 'coming soon' is about creating new ones. 2012-06-26 23:16:16 -04:00
Yaroslav Halchenko 25b629a75b Merge pull request #58 from yakatz/doc/DEVELOP
Added beginnings of documentation for developers
2012-06-26 14:50:55 -07:00
Yehuda Katz 322f53e26d Added beginnings of documentation for developers 2012-06-26 12:25:52 -04:00
Yaroslav Halchenko 3989d24967 BF: usedns=no was not working at all
it was not adding any detected address, IP or not to the list of failed attempts
This commit also adds appropriate unittest
2012-06-15 23:43:11 -04:00
Yaroslav Halchenko 971406f722 RF: filtertestcase.py to put common testing into a helping subroutine 2012-06-15 22:23:38 -04:00
Yaroslav Halchenko d0a322f2b8 ENH: be able to control verbosity from cmdline for fail2ban-testcases 2012-06-15 22:21:16 -04:00
Yaroslav Halchenko b4099dae57 DOC: Adjusted header for config/*.conf to mention .local and way to comment
thanks to Stefano Forli for reminding about comments
see Debian Bug#676146
2012-06-04 22:41:28 -04:00
Yaroslav Halchenko 958aa2e932 Merge pull request #50 from mellitus/master
Fix addBannedIP/banip command (Closes gh-31)
2012-05-01 15:11:00 -07:00
Chris Reffett a018a26133 Fixed addBannedIP to add enough failures to trigger a ban, rather than
just one failure.
2012-05-01 17:13:21 -04:00
Jeremy Olexa 444e4ac3ed Fix Gentoo initd script (drop extra_commands) 2012-04-21 22:24:51 -04:00
Petr Voralek 4007751191 ENH: catch failed ssh logins due to being listed in DenyUsers. Close gh-47 (Closes: #669063) 2012-04-16 20:36:53 -04:00
Yaroslav Halchenko 7b77beee0e DOC: comment in jail.conf for the need of multiple jails for asterisk 2012-02-28 12:04:24 -05:00
Yaroslav Halchenko 71a3fb17e2 Merge remote-tracking branch 'gh-magicrhesus/master'
* gh-magicrhesus/master:
  Add the INCLUDE section to use __pid_re feature
  Disable asterisk jail by default
  Change jail for asterisk, add support for SIP and SIP-TLS on TCP and UDP ports
  Change NOTICE by NOTICE%(__pid_re)s
  Remove custom bantime
  Add sample log file for asterisk
  Add $ at the end of the failregex
  Add asterisk support

Conflicts:
	config/jail.conf -- placed asterisk jails before recidive and added blank lines after the jail headers
2012-02-28 12:03:16 -05:00
Xavier Devlamynck 8c00ce0a65 Add the INCLUDE section to use __pid_re feature 2012-02-28 17:28:06 +01:00
Xavier Devlamynck 180c17bede Disable asterisk jail by default 2012-02-27 16:14:18 +01:00
Xavier Devlamynck df0e0fdc07 Change jail for asterisk, add support for SIP and SIP-TLS on TCP and UDP ports 2012-02-21 18:53:44 +01:00
Xavier Devlamynck c679a1a588 Change NOTICE by NOTICE%(__pid_re)s 2012-02-21 18:05:53 +01:00