mirror of https://github.com/fail2ban/fail2ban
39667ff6f7
* 001-fail2ban-server-socket-close-on-exec-no-leak.diff Add code that marks server and client sockets with FD_CLOEXEC flags. Avoid leaking file descriptors to processes spawned when handling fail2ban actions (ex: iptables). Unix sockets managed by fail2ban-server don't need to be passed to any child process. Fail2ban already uses the FD_CLOEXEC flags in the filter code. This patch also avoids giving iptables access to fail2ban UNIX socket in a SELinux environment (A sane SELinux policy should trigger an audit event because "iptables" will be given read/write access to the fail2ban control socket). Some random references related to this bug: http://sourceforge.net/tracker/?func=detail&atid=689044&aid=2086568&group_id=121032 http://www.redhat.com/archives/fedora-selinux-list/2009-June/msg00124.html http://forums.fedoraforum.org/showthread.php?t=234230 * 002-fail2ban-filters-close-on-exec-typo-fix.diff There is a typo in the fail2ban server/filter.py source code. The FD_CLOEXEC is correctly set but additional *random* flags are also set. It has no side-effect as long as the fd doesn't match a valid flag :) "fcntl.fcntl(fd, fcntl.F_SETFD, fd | fcntl.FD_CLOEXEC)" <== the 3rd parameter should be flags, not a file descriptor. * 003-fail2ban-gamin-socket-close-on-exec-no-leak.diff Add code that marks the Gamin monitor file descriptor with FD_CLOEXEC flags. Avoid leaking file descriptors to processes spawned when handling fail2ban actions (ex: iptables). --- File descriptors in action process before patches: dr-x------ 2 root root 0 . dr-xr-xr-x 8 root root 0 .. lr-x------ 1 root root 64 0 -> /dev/null <== OK l-wx------ 1 root root 64 1 -> /tmp/test.log <== used by test action lrwx------ 1 root root 64 2 -> /dev/null <== OK lrwx------ 1 root root 64 3 -> socket:[116361] <== NOK (fail2ban.sock leak) lr-x------ 1 root root 64 4 -> /proc/20090/fd <== used by test action l-wx------ 1 root root 64 5 -> /var/log/fail2ban.log <== OK lrwx------ 1 root root 64 6 -> socket:[115608] <== NOK (gamin sock leak) File descriptors in action process after patches: dr-x------ 2 root root 0 . dr-xr-xr-x 8 root root 0 .. lr-x------ 1 root root 64 0 -> /dev/null <== OK l-wx------ 1 root root 64 1 -> /tmp/test.log <== used by test action lrwx------ 1 root root 64 2 -> /dev/null <== OK lr-x------ 1 root root 64 3 -> /proc/18284/fd <== used by test action l-wx------ 1 root root 64 5 -> /var/log/fail2ban.log <== OK |
||
|---|---|---|
| client | ||
| common | ||
| config | ||
| doc | ||
| files | ||
| man | ||
| server | ||
| testcases | ||
| .coveragerc | ||
| .gitignore | ||
| .project | ||
| .pydevproject | ||
| .pylintrc | ||
| .travis.yml | ||
| .travis_coveragerc | ||
| COPYING | ||
| ChangeLog | ||
| DEVELOP | ||
| MANIFEST | ||
| README | ||
| THANKS | ||
| TODO | ||
| fail2ban-client | ||
| fail2ban-regex | ||
| fail2ban-server | ||
| fail2ban-testcases | ||
| fail2ban-testcases-all | ||
| kill-server | ||
| setup.cfg | ||
| setup.py | ||
README
__ _ _ ___ _
/ _|__ _(_) |_ ) |__ __ _ _ _
| _/ _` | | |/ /| '_ \/ _` | ' \
|_| \__,_|_|_/___|_.__/\__,_|_||_|
================================================================================
Fail2Ban (version 0.8.8) 2012/07/31
================================================================================
Fail2Ban scans log files like /var/log/pwdfail and bans IP that makes too many
password failures. It updates firewall rules to reject the IP address. These
rules can be defined by the user. Fail2Ban can read multiple log files such as
sshd or Apache web server ones.
This README is a quick introduction to Fail2ban. More documentation, FAQ, HOWTOs
are available on the project website: http://www.fail2ban.org
Installation:
-------------
Required:
>=python-2.3 (http://www.python.org)
Optional:
pyinotify:
>=linux-2.6.13
>=python-2.4
>=pyinotify-0.8.3 (https://github.com/seb-m/pyinotify)
Gamin:
>=gamin-0.0.21 (http://www.gnome.org/~veillard/gamin)
To install, just do:
> tar xvfj fail2ban-0.8.8.tar.bz2
> cd fail2ban-0.8.8
> python setup.py install
This will install Fail2Ban into /usr/share/fail2ban. The executable scripts are
placed into /usr/bin.
It is possible that Fail2ban is already packaged for your distribution. In this
case, you should use it.
Fail2Ban should be correctly installed now. Just type:
> fail2ban-client -h
to see if everything is alright. You should always use fail2ban-client and never
call fail2ban-server directly.
Configuration:
--------------
You can configure Fail2Ban using the files in /etc/fail2ban. It is
possible to configure the server using commands sent to it by
fail2ban-client. The available commands are described in the
fail2ban-client(1) manpage. Also see fail2ban(1) manpage for further
references and find even more documentation on the website:
http://www.fail2ban.org
Contact:
--------
Website: http://www.fail2ban.org
You need some new features, you found bugs: visit
https://github.com/fail2ban/fail2ban/issues
and if your issue is not yet known -- file a bug report.
If you would like to troubleshoot or discuss: join the mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
If you just appreciate this program: send kudos to the original author
(Cyril Jaquier: <cyril.jaquier@fail2ban.org>) or the mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
Thanks:
-------
See THANKS file.
License:
--------
Fail2Ban is free software; you can redistribute it and/or modify it under the
terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later
version.
Fail2Ban is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with
Fail2Ban; if not, write to the Free Software Foundation, Inc., 51 Franklin
Street, Fifth Floor, Boston, MA 02110, USA