Commit Graph

3743 Commits (d530240c9950311dd4a4a297ffc31e679102bca8)

Author SHA1 Message Date
Yaroslav Halchenko d530240c99 BF: enforce C.UTF-8 LC_ALL while running tests 2015-04-29 03:56:08 +00:00
Yaroslav Halchenko b989027329 refreshed backport patch 2015-04-26 22:03:47 -04:00
Yaroslav Halchenko 5b33e57053 refreshed patches 2015-04-26 22:00:24 -04:00
Yaroslav Halchenko d8469b3973 Added regular python to Recommends since apache-fakegooglebot still python2 2015-04-26 21:59:21 -04:00
Yaroslav Halchenko fc70f0922c Long delayed
ver. 0.9.2 (2015/04/26) - better-quick-now-than-later
 ----------
 
 - Fixes:
    * infinite busy loop on _escapedTags match in substituteRecursiveTags gh-907.
      Thanks TonyThompson
    * port[s] typo in jail.conf/nginx-http-auth gh-913. Thanks Frederik Wagner
      (fnerdwq)
    * $ typo in jail.conf. Thanks Skibbi. Debian bug #767255
    * grep'ing for IP in *mail-whois-lines.conf should now match also
      at the beginning and EOL.  Thanks Dean Lee
    * jail.conf
      - php-url-fopen: separate logpath entries by newline
    * failregex declared direct in jail was joined to single line (specifying of
      multiple expressions was not possible).
    * filters.d/exim.conf - cover different settings of exim logs
      details. Thanks bes.internal
    * filter.d/postfix-sasl.conf - failregex is now case insensitive
    * filters.d/postfix.conf - add 'Client host rejected error message' failregex
    * fail2ban/__init__.py - add strptime thread safety hack-around
    * recidive uses iptables-allports banaction by default now.
      Avoids problems with iptables versions not understanding 'all' for
      protocols and ports
    * filter.d/dovecot.conf
      - match pam_authenticate line from EL7
      - match unknown user line from EL7
    * Use use_poll=True for Python 2.7 and >=3.4 to overcome "Bad file
      descriptor" msgs issue (gh-161)
    * filter.d/postfix-sasl.conf - tweak failregex and add ignoreregex to ignore
      system authentication issues
    * fail2ban-regex reads filter file(s) completely, incl. '.local' file etc.
      (gh-954)
    * firewallcmd-* actions: split output into separate lines for grepping (gh-908)
    * Guard unicode encode/decode issues while storing records in the database.
      Fixes "binding parameter error (unsupported type)" (gh-973), thanks to kot
      for reporting
    * filter.d/sshd added regex for matching openSUSE ssh authentication failure
    * filter.d/asterisk.conf:
      - Dropped "Sending fake auth rejection" failregex since it incorrectly
        targets the asterisk server itself
      - match "hacking attempt detected" logs
 
 - New Features:
    - New filters:
      - postfix-rbl  Thanks Lee Clemens
      - apache-fakegooglebot.conf  Thanks Lee Clemens
      - nginx-botsearch  Thanks Frantisek Sumsal
    - New recursive embedded substitution feature added:
      - `<<PREF>HOST>` becomes `<IPV4HOST>` for PREF=`IPV4`;
      - `<<PREF>HOST>` becomes `1.2.3.4` for PREF=`IPV4` and IPV4HOST=`1.2.3.4`;
    - New interpolation feature for config readers - `%(known/parameter)s`.
      (means last known option with name `parameter`). This interpolation makes
      possible to extend a stock filter or jail regexp in .local file
      (opposite to simply set failregex/ignoreregex that overwrites it),
      see gh-867.
    - Monit config for fail2ban in files/monit/
    - New actions:
      - action.d/firewallcmd-multiport and action.d/firewallcmd-allports Thanks Donald Yandt
      - action.d/sendmail-geoip-lines.conf
      - action.d/nsupdate to update DNSBL. Thanks Andrew St. Jean
    - New status argument for fail2ban-client -- flavor:
      fail2ban-client status <jail> [flavor]
      - empty or "basic" works as-is
      - "cymru" additionally prints (ASN, Country RIR) per banned IP
        (requires dnspython or dnspython3)
    - Flush log at USR1 signal
 
 - Enhancements:
    * Enable multiport for firewallcmd-new action.  Closes gh-834
    * files/debian-initd migrated from the debian branch and should be
      suitable for manual installations now (thanks Juan Karlo de Guzman)
    * Define empty ignoreregex in filters which didn't have it to avoid
      warnings (gh-934)
    * action.d/{sendmail-*,xarf-login-attack}.conf - report local
      timezone not UTC time/zone. Closes gh-911
    * Conditionally log Ignore IP with reason (dns, ip, command). Closes gh-916
    * Absorbed DNSUtils.cidr into addr2bin in filter.py, added unittests
    * Added syslogsocket configuration to fail2ban.conf
    * Note in the jail.conf for the recidive jail to increase dbpurgeage (gh-964)

Merge tag '0.9.2' into debian
2015-04-26 21:57:40 -04:00
Yaroslav Halchenko 0f75ed5e2a Just use a system wide python in the tests digest.py
to stay inline with the other scripts
2015-04-26 21:57:13 -04:00
Yaroslav Halchenko 5a8d39fc22 updated changelog 2015-04-26 21:52:01 -04:00
Yaroslav Halchenko a1dbfdb478 Long delayed and possibly incomplete 0.9.2 release:
ver. 0.9.2 (2015/04/26) - better-quick-now-than-later
 ----------
 
 - Fixes:
    * infinite busy loop on _escapedTags match in substituteRecursiveTags gh-907.
      Thanks TonyThompson
    * port[s] typo in jail.conf/nginx-http-auth gh-913. Thanks Frederik Wagner
      (fnerdwq)
    * $ typo in jail.conf. Thanks Skibbi. Debian bug #767255
    * grep'ing for IP in *mail-whois-lines.conf should now match also
      at the beginning and EOL.  Thanks Dean Lee
    * jail.conf
      - php-url-fopen: separate logpath entries by newline
    * failregex declared direct in jail was joined to single line (specifying of
      multiple expressions was not possible).
    * filters.d/exim.conf - cover different settings of exim logs
      details. Thanks bes.internal
    * filter.d/postfix-sasl.conf - failregex is now case insensitive
    * filters.d/postfix.conf - add 'Client host rejected error message' failregex
    * fail2ban/__init__.py - add strptime thread safety hack-around
    * recidive uses iptables-allports banaction by default now.
      Avoids problems with iptables versions not understanding 'all' for
      protocols and ports
    * filter.d/dovecot.conf
      - match pam_authenticate line from EL7
      - match unknown user line from EL7
    * Use use_poll=True for Python 2.7 and >=3.4 to overcome "Bad file
      descriptor" msgs issue (gh-161)
    * filter.d/postfix-sasl.conf - tweak failregex and add ignoreregex to ignore
      system authentication issues
    * fail2ban-regex reads filter file(s) completely, incl. '.local' file etc.
      (gh-954)
    * firewallcmd-* actions: split output into separate lines for grepping (gh-908)
    * Guard unicode encode/decode issues while storing records in the database.
      Fixes "binding parameter error (unsupported type)" (gh-973), thanks to kot
      for reporting
    * filter.d/sshd added regex for matching openSUSE ssh authentication failure
    * filter.d/asterisk.conf:
      - Dropped "Sending fake auth rejection" failregex since it incorrectly
        targets the asterisk server itself
      - match "hacking attempt detected" logs
 
 - New Features:
    - New filters:
      - postfix-rbl  Thanks Lee Clemens
      - apache-fakegooglebot.conf  Thanks Lee Clemens
      - nginx-botsearch  Thanks Frantisek Sumsal
    - New recursive embedded substitution feature added:
      - `<<PREF>HOST>` becomes `<IPV4HOST>` for PREF=`IPV4`;
      - `<<PREF>HOST>` becomes `1.2.3.4` for PREF=`IPV4` and IPV4HOST=`1.2.3.4`;
    - New interpolation feature for config readers - `%(known/parameter)s`.
      (means last known option with name `parameter`). This interpolation makes
      possible to extend a stock filter or jail regexp in .local file
      (opposite to simply set failregex/ignoreregex that overwrites it),
      see gh-867.
    - Monit config for fail2ban in files/monit/
    - New actions:
      - action.d/firewallcmd-multiport and action.d/firewallcmd-allports Thanks Donald Yandt
      - action.d/sendmail-geoip-lines.conf
      - action.d/nsupdate to update DNSBL. Thanks Andrew St. Jean
    - New status argument for fail2ban-client -- flavor:
      fail2ban-client status <jail> [flavor]
      - empty or "basic" works as-is
      - "cymru" additionally prints (ASN, Country RIR) per banned IP
        (requires dnspython or dnspython3)
    - Flush log at USR1 signal
 
 - Enhancements:
    * Enable multiport for firewallcmd-new action.  Closes gh-834
    * files/debian-initd migrated from the debian branch and should be
      suitable for manual installations now (thanks Juan Karlo de Guzman)
    * Define empty ignoreregex in filters which didn't have it to avoid
      warnings (gh-934)
    * action.d/{sendmail-*,xarf-login-attack}.conf - report local
      timezone not UTC time/zone. Closes gh-911
    * Conditionally log Ignore IP with reason (dns, ip, command). Closes gh-916
    * Absorbed DNSUtils.cidr into addr2bin in filter.py, added unittests
    * Added syslogsocket configuration to fail2ban.conf
    * Note in the jail.conf for the recidive jail to increase dbpurgeage (gh-964)

Merge tag '0.9.2' into debian

* tag '0.9.2': (140 commits)
  DOC: Slight tune up to RELEASE doc -- no need for PYTHONPATH to run tests
  MANIFEST: updated for some new files, sorted all entries, removed some duplicates
  Initial changes for the release -- simplified ChangeLog header etc
  added \s after host
  replaced .* before rhost with regex matching all the previous fields
  Fixed typo in filter description authentification instead of authentication
  Fixed the UTC -> CEST difference...
  Added changes to ChangeLog & updated sample test cases
  updated filter.d/sshd.conf
  Do not run smtp tests if no_network set
  BF: if install pypy -- come back to original directory
  BF(OSX): apparently exceptions could not be compared for identity, use repr
  very long time resolving IP for address "abcdef" on some PDC, under NAT etc. - replaced via "abcdef.abcdef" to prevent searching in local domains;
  fix test for invalid IP (use TEST-NET-1 according to RFC 5737): since fef031b3cd failed, because on some platforms like vm:debian 10.0.0.0 returns 'localhost' (intern network).
  Match hacking attempt IP instead of asterisk server IP (closes #1000)
  BF: fixing up version comparison for pypy.  Issue appeared in 2.5.0
  ENH: minor formatting, no functional changes
  BF: do not expect setting logtarget to SYSLOG to work on non-Linuxes
  Added a comment about systemd backend for jails with logs outside of journal (Closes #959)
  DOC: make a warning for recidive jail to increase dbpurgeage (Closes #964)
  ...
2015-04-26 21:51:19 -04:00
Yaroslav Halchenko 1784205ff8 DOC: Slight tune up to RELEASE doc -- no need for PYTHONPATH to run tests 2015-04-26 21:49:58 -04:00
Yaroslav Halchenko 1fb867b839 MANIFEST: updated for some new files, sorted all entries, removed some duplicates 2015-04-26 21:47:28 -04:00
Yaroslav Halchenko ca849b93dc Initial changes for the release -- simplified ChangeLog header etc 2015-04-26 21:39:54 -04:00
Yaroslav Halchenko 23d9e22477 Merge pull request #1001 from leeclemens/bf/1000-asteriskBlocksSelf
Match hacking attempt IP instead of asterisk server IP (closes #1000)
2015-04-26 21:02:04 -04:00
Lee Clemens b530d88eca Merge remote-tracking branch 'upstream/master' into bf/1000-asteriskBlocksSelf
Conflicts:
	ChangeLog
2015-04-26 15:13:59 -04:00
Yaroslav Halchenko 3b4bf59c6a Moved python3-systemd to Recommends from Suggests given that systemd is the default init system now. Should help people upgrading on Ubuntu 15.04 as well 2015-04-26 13:17:01 -04:00
Yaroslav Halchenko 878cbd008e Merge pull request #1024 from themanwhosold/master
updated filter.d/sshd.conf
2015-04-17 08:06:25 -04:00
Markus Oesterle f8c7247f42 added \s after host 2015-04-17 10:22:01 +02:00
Markus Oesterle 5f2807b41f replaced .* before rhost with regex matching all the previous fields 2015-04-17 10:04:35 +02:00
Markus Oesterle 6ba389c70c Fixed typo in filter description authentification instead of authentication 2015-04-16 23:43:57 +02:00
Markus Oesterle 7a1f1c6b0c Fixed the UTC -> CEST difference... 2015-04-16 21:54:57 +02:00
Markus Oesterle b9a09af914 Added changes to ChangeLog & updated sample test cases 2015-04-16 21:33:57 +02:00
Markus Oesterle 8825a5f31b updated filter.d/sshd.conf
Added line to match sshd auth errors on OpenSuSE systems
2015-04-16 19:48:28 +02:00
Yaroslav Halchenko 13d56af981 Merge pull request #1018 from opoplawski/no_network
Do not run smtp tests if no_network set
2015-04-07 21:33:09 -04:00
Orion Poplawski aa8113c128 Do not run smtp tests if no_network set 2015-04-07 15:52:29 -06:00
Yaroslav Halchenko c926af1fce Merge pull request #1002 from sebres/_bf/fix-invalid-ip
fix test for invalid IP (use TEST-NET-1 according to RFC 5737)
2015-03-25 14:02:00 -04:00
Yaroslav Halchenko b2c1673d28 BF: if install pypy -- come back to original directory 2015-03-25 12:56:25 -04:00
Yaroslav Halchenko eb05cd7bd5 BF(OSX): apparently exceptions could not be compared for identity, use repr 2015-03-25 11:27:22 -04:00
sebres 6da0c4ad48 very long time resolving IP for address "abcdef" on some PDC, under NAT etc. - replaced via "abcdef.abcdef" to prevent searching in local domains; 2015-03-25 01:50:51 +01:00
sebres c5ba76aab8 fix test for invalid IP (use TEST-NET-1 according to RFC 5737):
since fef031b3cd failed, because on some platforms like vm:debian 10.0.0.0 returns 'localhost' (intern network).
2015-03-25 01:24:33 +01:00
Lee Clemens 72f4bcfbff Match hacking attempt IP instead of asterisk server IP (closes #1000) 2015-03-24 19:03:26 -04:00
Yaroslav Halchenko d28880fdca Merge pull request #997 from yarikoptic/bf/long-purge-for-recidive
DOC: make a warning for recidive jail to increase dbpurgeage (Closes #964)
2015-03-23 21:30:04 -04:00
Yaroslav Halchenko 54f111429d BF: fixing up version comparison for pypy. Issue appeared in 2.5.0
00:11  yoh: upgraded to 2.5.0 from debianexperimental and now reproduced locally
00:12  yoh: why pypy --version  directs output to stderr?  there is no error
00:12  mattip: ok, can you try with a nightly from http://buildbot.pypy.org/nightly/trunk ?
00:15 * yoh running with 2.6.0-alpha0...
00:16  yoh: clean -- no crash
2015-03-23 21:28:16 -04:00
Yaroslav Halchenko 9339293413 ENH: minor formatting, no functional changes 2015-03-23 21:26:17 -04:00
Yaroslav Halchenko 4a83741397 BF: do not expect setting logtarget to SYSLOG to work on non-Linuxes
I have no BSD buildbots available for *BSDs etc, so can't speak for all, but
http://nipy.bic.berkeley.edu/builders/fail2ban-py2.6-osx-10.6_master/builds/151/steps/shell_1/logs/stdio
suggests that logically fails on OSX
2015-03-21 22:30:58 -04:00
Yaroslav Halchenko 56aacf872c Merge pull request #952 from ache/master
Update bsd-ipfw.conf
2015-03-21 21:46:54 -04:00
Yaroslav Halchenko 02836b599c Added a comment about systemd backend for jails with logs outside of journal (Closes #959) 2015-03-21 21:25:50 -04:00
Yaroslav Halchenko 320a28a4a4 DOC: make a warning for recidive jail to increase dbpurgeage (Closes #964) 2015-03-21 20:50:03 -04:00
Yaroslav Halchenko 938e6343ea Merge pull request #996 from yarikoptic/bf/no-dns-module
BF/TST: expect ['error'] as a value if no dns module available
2015-03-21 20:27:15 -04:00
Yaroslav Halchenko d5d8bc8134 Merge pull request #986 from yarikoptic/bf/pypy-2.4.0
BF: use daily build of pypy until next one gets released
2015-03-21 20:26:45 -04:00
Yaroslav Halchenko 382e7f02ca BF: expect ['error'] as a value if no dns module available
As many buildbots show:
e.g. http://nipy.bic.berkeley.edu/builders/fail2ban-py2.7-osx-10.8_master/builds/163/steps/shell_1/logs/stdio
2015-03-21 16:04:34 -04:00
Yaroslav Halchenko 782629c256 Merge pull request #985 from yarikoptic/bf/bad_file_descr_3.4
BF: asyncore.loop poll=True for recent (>=3.4) pythons too
2015-03-21 13:31:10 -04:00
Yaroslav Halchenko 3f3ddaceae print travis python version to figure out why not in effect 2015-03-06 08:53:12 -05:00
Yaroslav Halchenko dd9b5f75af BF: use daily build of pypy until next one gets released 2015-03-06 00:20:17 -05:00
Yaroslav Halchenko 31d107d181 BF: asyncore.loop poll=True for recent (>=3.4) pythons too
should avoid
  File /usr/lib/python3.4/asyncore.py, line 208, in loop
    poll_fun(timeout, map)
  File /usr/lib/python3.4/asyncore.py, line 145, in poll
    r, w, e = select.select(r, w, e, timeout)
OSError: [Errno 9] Bad file descriptor
2015-03-05 22:52:40 -05:00
Yaroslav Halchenko daa2a9e5d8 Merge pull request #975 from sebres/gh-973-fix
BF: binding parameter error (unsupported type) (closes gh-973) ...
2015-03-05 22:47:45 -05:00
Yaroslav Halchenko 954075449d BF: fixed casing in __sigUSR1handler 2015-02-26 20:59:52 -05:00
Yaroslav Halchenko e52790073d Merge pull request #979 from tgyurci/master
Flush logs at USR1 signal
2015-02-26 21:00:07 -05:00
Teubel György 0254cbf7fb Flush logs at USR1 signal 2015-02-26 23:23:10 +01:00
sebres 5ab30c88c2 more stable handling of json dump/load different encoded strings for older python versions;
extended test cases (more precise, python version insensitive, etc.)
2015-02-25 22:14:49 +01:00
sebres 2bfe22aa66 makes test case more precise; 2015-02-25 15:05:32 +01:00
sebres 6c788a32ee BF: binding parameter error (unsupported type) by writing json with invalid encoded lines into sqlite database (gh-973);
especially python < 3.0; try to prevent occurring such errors in the future;
2015-02-25 11:56:11 +01:00