mirror of https://github.com/fail2ban/fail2ban
* 001-fail2ban-server-socket-close-on-exec-no-leak.diff

  Add code that marks server and client sockets with FD_CLOEXEC flags. Avoid leaking file descriptors to processes spawned when handling fail2ban actions (ex: iptables). Unix sockets managed by fail2ban-server don't need to be passed to any child process. Fail2ban already uses the FD_CLOEXEC flags in the filter code.

  This patch also avoids giving iptables access to the fail2ban UNIX socket in a SELinux environment (a sane SELinux policy should trigger an audit event because "iptables" will be given read/write access to the fail2ban control socket).

  Some random references related to this bug:
  http://sourceforge.net/tracker/?func=detail&atid=689044&aid=2086568&group_id=121032
  http://www.redhat.com/archives/fedora-selinux-list/2009-June/msg00124.html
  http://forums.fedoraforum.org/showthread.php?t=234230

* 002-fail2ban-filters-close-on-exec-typo-fix.diff

  There is a typo in the fail2ban server/filter.py source code. The FD_CLOEXEC is correctly set but additional *random* flags are also set. It has no side-effect as long as the fd doesn't match a valid flag :)

  "fcntl.fcntl(fd, fcntl.F_SETFD, fd | fcntl.FD_CLOEXEC)" <== the 3rd parameter should be flags, not a file descriptor.

* 003-fail2ban-gamin-socket-close-on-exec-no-leak.diff

  Add code that marks the Gamin monitor file descriptor with FD_CLOEXEC flags. Avoid leaking file descriptors to processes spawned when handling fail2ban actions (ex: iptables).

---

File descriptors in action process before patches:

```
dr-x------ 2 root root  0 .
dr-xr-xr-x 8 root root  0 ..
lr-x------ 1 root root 64 0 -> /dev/null              <== OK
l-wx------ 1 root root 64 1 -> /tmp/test.log          <== used by test action
lrwx------ 1 root root 64 2 -> /dev/null              <== OK
lrwx------ 1 root root 64 3 -> socket:[116361]        <== NOK (fail2ban.sock leak)
lr-x------ 1 root root 64 4 -> /proc/20090/fd         <== used by test action
l-wx------ 1 root root 64 5 -> /var/log/fail2ban.log  <== OK
lrwx------ 1 root root 64 6 -> socket:[115608]        <== NOK (gamin sock leak)
```

File descriptors in action process after patches:

```
dr-x------ 2 root root  0 .
dr-xr-xr-x 8 root root  0 ..
lr-x------ 1 root root 64 0 -> /dev/null              <== OK
l-wx------ 1 root root 64 1 -> /tmp/test.log          <== used by test action
lrwx------ 1 root root 64 2 -> /dev/null              <== OK
lr-x------ 1 root root 64 3 -> /proc/18284/fd         <== used by test action
l-wx------ 1 root root 64 5 -> /var/log/fail2ban.log  <== OK
```
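The three patches above all rely on the same mechanism: reading the descriptor's current flag word with `F_GETFD`, ORing in `FD_CLOEXEC`, and writing it back with `F_SETFD`, so that the kernel closes the descriptor in the child at `execve()` and the action process (iptables in the commit) never sees the control socket. The script below is an added example written for this page, not code from fail2ban: it shows what the typo in patch 002 actually passes to `F_SETFD`, applies the correct form to a UNIX socket pair standing in for `fail2ban.sock`, and verifies the result the same way the `/proc/<pid>/fd` listings do, by exec'ing a fresh interpreter and asking it whether that descriptor (matched by inode, so an unrelated file reusing the number does not count) is still open. The function names, the socket pair, and the probe child are all constructed for the example.

```python
"""Added example: marking a descriptor FD_CLOEXEC so a spawned action
process does not inherit it. Not part of fail2ban; names are illustrative."""
import fcntl
import os
import socket
import subprocess
import sys


def buggy_flag_word(fd):
    """What the typo in server/filter.py hands to F_SETFD: the fd *number*
    ORed with FD_CLOEXEC. For fd 7 that is 0b111, i.e. two stray bits."""
    return fd | fcntl.FD_CLOEXEC


def set_cloexec(fd):
    """Correct form: read the current flag word, OR in FD_CLOEXEC, write it back.
    Returns the flag word that was written."""
    flags = fcntl.fcntl(fd, fcntl.F_GETFD)
    fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)
    return flags | fcntl.FD_CLOEXEC


def has_cloexec(fd):
    """True if the kernel will close fd when this process calls execve()."""
    return bool(fcntl.fcntl(fd, fcntl.F_GETFD) & fcntl.FD_CLOEXEC)


def leaks_into_child(fd):
    """Fork+exec a fresh interpreter and ask it whether fd is still open and
    still refers to the same object (same inode). This is the programmatic
    form of 'ls -l /proc/<pid>/fd' in the commit message. close_fds=False so
    that only the FD_CLOEXEC flag decides what the child inherits."""
    ino = os.fstat(fd).st_ino
    probe = (
        "import os, sys\n"
        "fd, ino = int(sys.argv[1]), int(sys.argv[2])\n"
        "try:\n"
        "    sys.exit(0 if os.fstat(fd).st_ino == ino else 1)\n"
        "except OSError:\n"
        "    sys.exit(1)\n"  # EBADF: closed at exec, no leak
    )
    rc = subprocess.call(
        [sys.executable, "-c", probe, str(fd), str(ino)], close_fds=False
    )
    return rc == 0


def demo():
    """Create a UNIX socket pair (stand-in for fail2ban.sock), reproduce the
    pre-patch inheritable state, then apply the fix. Returns
    (cloexec_before, leaks_before, cloexec_after, leaks_after)."""
    server_sock, peer_sock = socket.socketpair(socket.AF_UNIX)
    fd = server_sock.fileno()
    # Python 3.4+ already opens sockets with FD_CLOEXEC set (PEP 446);
    # clearing it reproduces what the unpatched server socket looked like.
    os.set_inheritable(fd, True)
    cloexec_before, leaks_before = has_cloexec(fd), leaks_into_child(fd)
    set_cloexec(fd)
    cloexec_after, leaks_after = has_cloexec(fd), leaks_into_child(fd)
    server_sock.close()
    peer_sock.close()
    return cloexec_before, leaks_before, cloexec_after, leaks_after


if __name__ == "__main__":
    cb, lb, ca, la = demo()
    print("before patch: FD_CLOEXEC=%s leaks=%s" % (cb, lb))
    print("after patch:  FD_CLOEXEC=%s leaks=%s" % (ca, la))
```

On Linux the typo is harmless in practice because `F_SETFD` only looks at the `FD_CLOEXEC` bit and ignores the rest of the word, which is why the commit says it has no side effect; the correct `F_GETFD`/`F_SETFD` round trip is still the portable form, and it also preserves any other flag bits a future kernel might define.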
README
```text
                         __      _ _ ___ _
                        / _|__ _(_) |_  ) |__  __ _ _ _
                       |  _/ _` | | |/ /| '_ \/ _` | ' \
                       |_| \__,_|_|_/___|_.__/\__,_|_||_|

================================================================================
Fail2Ban (version 0.8.8)                                              2012/07/31
================================================================================
```

Fail2Ban scans log files like /var/log/pwdfail and bans IPs that make too many
password failures. It updates firewall rules to reject the IP address. These
rules can be defined by the user. Fail2Ban can read multiple log files such as
sshd or Apache web server ones.

This README is a quick introduction to Fail2ban. More documentation, FAQ, HOWTOs
are available on the project website: http://www.fail2ban.org

Installation:
-------------

Required:
  >=python-2.3 (http://www.python.org)

Optional:
  pyinotify:
    >=linux-2.6.13
    >=python-2.4
    >=pyinotify-0.8.3 (https://github.com/seb-m/pyinotify)
  Gamin:
    >=gamin-0.0.21 (http://www.gnome.org/~veillard/gamin)

To install, just do:

> tar xvfj fail2ban-0.8.8.tar.bz2
> cd fail2ban-0.8.8
> python setup.py install

This will install Fail2Ban into /usr/share/fail2ban. The executable scripts are
placed into /usr/bin.

It is possible that Fail2ban is already packaged for your distribution. In this
case, you should use it.

Fail2Ban should be correctly installed now. Just type:

> fail2ban-client -h

to see if everything is alright. You should always use fail2ban-client and
never call fail2ban-server directly.

Configuration:
--------------

You can configure Fail2Ban using the files in /etc/fail2ban. It is possible to
configure the server using commands sent to it by fail2ban-client. The
available commands are described in the fail2ban-client(1) manpage. Also see
the fail2ban(1) manpage for further references, and find even more
documentation on the website: http://www.fail2ban.org

Contact:
--------

Website: http://www.fail2ban.org

You need some new features, you found bugs: visit
https://github.com/fail2ban/fail2ban/issues
and if your issue is not yet known -- file a bug report.

If you would like to troubleshoot or discuss: join the mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users

If you just appreciate this program: send kudos to the original author
(Cyril Jaquier: <cyril.jaquier@fail2ban.org>) or the mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users

Thanks:
-------

See THANKS file.

License:
--------

Fail2Ban is free software; you can redistribute it and/or modify it under the
terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later
version.

Fail2Ban is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with
Fail2Ban; if not, write to the Free Software Foundation, Inc., 51 Franklin
Street, Fifth Floor, Boston, MA 02110, USA