| field | value | date |
|---|---|---|
| author | Yaroslav Halchenko <debian@onerussian.com> | 2015-04-28 23:59:34 -0400 |
| committer | Yaroslav Halchenko <debian@onerussian.com> | 2015-04-28 23:59:34 -0400 |
| commit | 39147397d8d255d71f28e8b797a3442ab562a977 (patch) | |
| tree | ef408bf62cef01c890875806eae68e703300bbcf | |
| parent | d530240c9950311dd4a4a297ffc31e679102bca8 (diff) | |
| parent | acc4c2d10409b061474b94933162a2adaad322c7 (diff) | |
| download | fail2ban-39147397d8d255d71f28e8b797a3442ab562a977.tar.gz | |
Merge tag '0.9.2' into debian
Long delayed
ver. 0.9.2 (2015/04/29) - better-quick-now-than-later
----------
- Fixes:
* Fix ufw action commands
* infinite busy loop on _escapedTags match in substituteRecursiveTags gh-907. Thanks TonyThompson
* port[s] typo in jail.conf/nginx-http-auth gh-913. Thanks Frederik Wagner (fnerdwq)
* $ typo in jail.conf. Thanks Skibbi. Debian bug #767255
* grep'ing for IP in *mail-whois-lines.conf should now match also at the beginning and EOL. Thanks Dean Lee
* jail.conf
- php-url-fopen: separate logpath entries by newline
* failregex declared direct in jail was joined to single line (specifying of multiple expressions was not possible).
* filters.d/exim.conf - cover different settings of exim logs details. Thanks bes.internal
* filter.d/postfix-sasl.conf - failregex is now case insensitive
* filters.d/postfix.conf - add 'Client host rejected error message' failregex
* fail2ban/__init__.py - add strptime thread safety hack-around
* recidive uses iptables-allports banaction by default now. Avoids problems with iptables versions not understanding 'all' for protocols and ports
* filter.d/dovecot.conf
- match pam_authenticate line from EL7
- match unknown user line from EL7
* Use use_poll=True for Python 2.7 and >=3.4 to overcome "Bad file descriptor" msgs issue (gh-161)
* filter.d/postfix-sasl.conf - tweak failregex and add ignoreregex to ignore system authentication issues
* fail2ban-regex reads filter file(s) completely, incl. '.local' file etc. (gh-954)
* firewallcmd-* actions: split output into separate lines for grepping (gh-908)
* Guard unicode encode/decode issues while storing records in the database. Fixes "binding parameter error (unsupported type)" (gh-973), thanks to kot for reporting
* filter.d/sshd added regex for matching openSUSE ssh authentication failure
* filter.d/asterisk.conf:
- Dropped "Sending fake auth rejection" failregex since it incorrectly targets the asterisk server itself
- match "hacking attempt detected" logs
- New Features:
- New filters:
- postfix-rbl Thanks Lee Clemens
- apache-fakegooglebot.conf Thanks Lee Clemens
- nginx-botsearch Thanks Frantisek Sumsal
- drupal-auth Thanks Lee Clemens
- New recursive embedded substitution feature added:
- `<<PREF>HOST>` becomes `<IPV4HOST>` for PREF=`IPV4`;
- `<<PREF>HOST>` becomes `1.2.3.4` for PREF=`IPV4` and IPV4HOST=`1.2.3.4`;
- New interpolation feature for config readers - `%(known/parameter)s`. (means last known option with name `parameter`). This interpolation makes possible to extend a stock filter or jail regexp in .local file (opposite to simply set failregex/ignoreregex that overwrites it), see gh-867.
- Monit config for fail2ban in files/monit/
- New actions:
- action.d/firewallcmd-multiport and action.d/firewallcmd-allports Thanks Donald Yandt
- action.d/sendmail-geoip-lines.conf
- action.d/nsupdate to update DNSBL. Thanks Andrew St. Jean
- New status argument for fail2ban-client -- flavor:
fail2ban-client status <jail> [flavor]
- empty or "basic" works as-is
- "cymru" additionally prints (ASN, Country RIR) per banned IP (requires dnspython or dnspython3)
- Flush log at USR1 signal
- Enhancements:
* Enable multiport for firewallcmd-new action. Closes gh-834
* files/debian-initd migrated from the debian branch and should be suitable for manual installations now (thanks Juan Karlo de Guzman)
* Define empty ignoreregex in filters which didn't have it to avoid warnings (gh-934)
* action.d/{sendmail-*,xarf-login-attack}.conf - report local timezone not UTC time/zone. Closes gh-911
* Conditionally log Ignore IP with reason (dns, ip, command). Closes gh-916
* Absorbed DNSUtils.cidr into addr2bin in filter.py, added unittests
* Added syslogsocket configuration to fail2ban.conf
* Note in the jail.conf for the recidive jail to increase dbpurgeage (gh-964)
* tag '0.9.2':
Hope for release tomorrow
BF: if no /dev/log on Linux -- don't expect setting syslog to work
Fix actions in ufw.conf
Add drupal-auth filter and jail
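The recursive embedded substitution listed under "New Features" above (`<<PREF>HOST>` resolving to `<IPV4HOST>` and then to `1.2.3.4`), together with the convergence guard that the gh-907 busy-loop fix is about, as an added illustration. This is not fail2ban's own `substituteRecursiveTags`; the function name, the round limit and the sample tag values are constructed for this demo.

```python
import re

# Added illustration of the recursive tag substitution described in the
# 0.9.2 changelog. It is NOT fail2ban's substituteRecursiveTags; names and
# sample values below are constructed for the demo.
TAG_RE = re.compile(r"<([A-Za-z0-9_]+)>")


def substitute_recursive_tags(tags, max_rounds=20):
    """Expand <tag> references inside tag values until nothing changes.

    Nested references resolve from the inside out: with PREF=IPV4 the
    inner <PREF> in <<PREF>HOST> becomes IPV4, giving <IPV4HOST>, which the
    next round expands to the value of IPV4HOST if that tag is defined.
    Unknown tags are left untouched so they stay visible in the result.

    The round limit is the safeguard the gh-907 busy-loop fix is about:
    a value that keeps growing (e.g. A = "x<A>") never converges, and
    without a cap the substitution would spin forever in the server.
    """
    tags = dict(tags)
    for _ in range(max_rounds):
        changed = False
        for name, value in list(tags.items()):
            if not isinstance(value, str):
                continue

            def repl(m):
                ref = m.group(1)
                return str(tags[ref]) if ref in tags else m.group(0)

            new_value = TAG_RE.sub(repl, value)
            if new_value != value:
                tags[name] = new_value
                changed = True
        if not changed:
            return tags
    raise ValueError("tag substitution did not converge after %d rounds "
                     "(self-referencing tag?)" % max_rounds)


if __name__ == "__main__":
    base = {"PREF": "IPV4", "HOST": "<<PREF>HOST>"}
    print(substitute_recursive_tags(base)["HOST"])   # <IPV4HOST>
    base["IPV4HOST"] = "1.2.3.4"
    print(substitute_recursive_tags(base)["HOST"])   # 1.2.3.4
    try:
        substitute_recursive_tags({"A": "x<A>"})
    except ValueError as exc:
        print("guarded:", exc)
```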
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | ChangeLog | 4 |
| -rw-r--r-- | README.md | 2 |
| -rw-r--r-- | THANKS | 1 |
| -rw-r--r-- | config/action.d/ufw.conf | 6 |
| -rw-r--r-- | config/filter.d/drupal-auth.conf | 26 |
| -rw-r--r-- | config/jail.conf | 5 |
| -rw-r--r-- | fail2ban/tests/files/logs/drupal-auth | 7 |
| -rw-r--r-- | fail2ban/tests/servertestcase.py | 2 |
8 files changed, 48 insertions, 5 deletions
@@ -6,10 +6,11 @@ Fail2Ban: Changelog =================== -ver. 0.9.2 (2015/04/26) - better-quick-now-than-later +ver. 0.9.2 (2015/04/29) - better-quick-now-than-later ---------- - Fixes: + * Fix ufw action commands * infinite busy loop on _escapedTags match in substituteRecursiveTags gh-907. Thanks TonyThompson * port[s] typo in jail.conf/nginx-http-auth gh-913. Thanks Frederik Wagner @@ -53,6 +54,7 @@ ver. 0.9.2 (2015/04/26) - better-quick-now-than-later - postfix-rbl Thanks Lee Clemens - apache-fakegooglebot.conf Thanks Lee Clemens - nginx-botsearch Thanks Frantisek Sumsal + - drupal-auth Thanks Lee Clemens - New recursive embedded substitution feature added: - `<<PREF>HOST>` becomes `<IPV4HOST>` for PREF=`IPV4`; - `<<PREF>HOST>` becomes `1.2.3.4` for PREF=`IPV4` and IPV4HOST=`1.2.3.4`; @@ -2,7 +2,7 @@ / _|__ _(_) |_ ) |__ __ _ _ _ | _/ _` | | |/ /| '_ \/ _` | ' \ |_| \__,_|_|_/___|_.__/\__,_|_||_| - v0.9.2 2015/04/26 + v0.9.2 2015/04/29 ## Fail2Ban: ban hosts that cause multiple authentication errors @@ -6,6 +6,7 @@ the project. If you have been left off, please let us know (preferably send a pull request on github with the "fix") and you will be added +Aaron Brice Adam Tkac Adrien Clerc ache diff --git a/config/action.d/ufw.conf b/config/action.d/ufw.conf index 04b8b32c..d2f731f2 100644 --- a/config/action.d/ufw.conf +++ b/config/action.d/ufw.conf @@ -13,9 +13,11 @@ actionstop = actioncheck = -actionban = [ -n "<application>" ] && app="app <application>" ; ufw insert <insertpos> <blocktype> from <ip> to <destination> $app +actionban = [ -n "<application>" ] && app="app <application>" + ufw insert <insertpos> <blocktype> from <ip> to <destination> $app -actionunban = [ -n "<application>" ] && app="app <application>" ; ufw delete <blocktype> from <ip> to <destination> $app +actionunban = [ -n "<application>" ] && app="app <application>" + ufw delete <blocktype> from <ip> to <destination> $app [Init] # Option: insertpos 
diff --git a/config/filter.d/drupal-auth.conf b/config/filter.d/drupal-auth.conf new file mode 100644 index 00000000..b60abe3e --- /dev/null +++ b/config/filter.d/drupal-auth.conf @@ -0,0 +1,26 @@ +# Fail2Ban filter to block repeated failed login attempts to Drupal site(s) +# +# +# Drupal must be setup to use Syslog, which defaults to the following format: +# +# !base_url|!timestamp|!type|!ip|!request_uri|!referer|!uid|!link|!message +# +# + +[INCLUDES] + +before = common.conf + + +[Definition] + +failregex = ^%(__prefix_line)s(https?:\/\/)([\da-z\.-]+)\.([a-z\.]{2,6})(\/[\w\.-]+)*\|\d{10}\|user\|<HOST>\|.+\|.+\|\d\|.*\|Login attempt failed for .+\.$ + +ignoreregex = + + +# DEV Notes: +# +# https://www.drupal.org/documentation/modules/syslog +# +# Author: Lee Clemens diff --git a/config/jail.conf b/config/jail.conf index c7946660..732aeab9 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -385,6 +385,11 @@ maxretry = 5 # # +[drupal-auth] + +port = http,https +logpath = %(syslog_daemon)s + [guacamole] port = http,https diff --git a/fail2ban/tests/files/logs/drupal-auth b/fail2ban/tests/files/logs/drupal-auth new file mode 100644 index 00000000..5e7194d9 --- /dev/null +++ b/fail2ban/tests/files/logs/drupal-auth 
@@ -0,0 +1,7 @@ +# failJSON: { "time": "2005-04-26T13:15:25", "match": true , "host": "1.2.3.4" } +Apr 26 13:15:25 webserver example.com: https://example.com|1430068525|user|1.2.3.4|https://example.com/?q=user|https://example.com/?q=user|0||Login attempt failed for drupaladmin. +# failJSON: { "time": "2005-04-26T13:15:25", "match": true , "host": "1.2.3.4" } +Apr 26 13:15:25 webserver example.com: https://example.com/subdir|1430068525|user|1.2.3.4|https://example.com/subdir/user|https://example.com/subdir/user|0||Login attempt failed for drupaladmin. + +# failJSON: { "time": "2005-04-26T13:19:08", "match": false , "host": "1.2.3.4" } +Apr 26 13:19:08 webserver example.com: https://example.com|1430068748|user|1.2.3.4|https://example.com/user|https://example.com/user|1||Session opened for drupaladmin. diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py index b851c54b..fd43bd24 100644 --- a/fail2ban/tests/servertestcase.py +++ b/fail2ban/tests/servertestcase.py @@ -802,7 +802,7 @@ class TransmitterLogging(TransmitterBase): outValue=Exception('Failed to change log target'), repr_=True # Exceptions are not comparable apparently ) - }[platform.system() in ('Linux',)] + }[platform.system() in ('Linux',) and os.path.exists('/dev/log')] ) def testLogLevel(self): |
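Review bot: the new `+ * Fix ufw action commands` line in the first ChangeLog hunk does not say what was broken; the only related change on the page is the ufw.conf hunk splitting the `;`-joined commands onto two lines. State the symptom that motivated it (which ufw invocation failed, and the issue number if there is one) so that 0.9.2 users can tell from the changelog whether they were affected.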
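Review bot: in the ufw.conf hunk, `[ -n "<application>" ] && app="app <application>"` intentionally exits non-zero when `<application>` is empty, and the `ufw insert` / `ufw delete` on the following line still runs unconditionally, so the behaviour is the same as the old `;`-joined form; a one-line comment in the action saying so would stop a reader from mistaking that non-zero status for a failure. Also note that `$app` is expanded unquoted so that an empty value disappears rather than becoming an empty argument, which means a ufw application profile name containing a space (ufw allows such names) would be split into separate words; either document that limitation or quote the profile name inside `app=`.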
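Review bot: in the new config/filter.d/drupal-auth.conf, the failregex uses `.+\|.+` for the request_uri and referer fields, so a failed login with an empty referer (a direct request to the login page produces `|` with nothing between) will not match; `[^|]*\|[^|]*` is both more permissive and avoids the greedy `.+` backtracking across the `|`-separated fields. The uid field is matched with a single `\d`; `\d+` is safer even though failed logins are normally uid 0 as in the test samples. The four parenthesised groups around the base_url (`(https?:\/\/)([\da-z\.-]+)\.([a-z\.]{2,6})(\/[\w\.-]+)*`) are never referenced, so `(?:...)` would do, and the `[a-z\.]{2,6}` TLD class rejects longer or upper-case top-level domains; since `<HOST>` is what matters for banning, a single `[^|]+` for the whole base_url would be simpler and more robust.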
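Review bot: the two positive samples in fail2ban/tests/files/logs/drupal-auth differ only in the base_url path, so they exercise the same branches of the failregex; add a sample with an empty referer field and one with a base_url that is not a bare `https://example.com`-style host (for example a multi-label or upper-case hostname) so that the `.+\|.+` and hostname parts of the pattern are covered, and keep the `Session opened` line as the negative case.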
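Review bot: the servertestcase.py hunk adds `os.path.exists('/dev/log')` to the dict key expression, but no `import os` is visible in the hunk; confirm the module already imports `os` at the top, otherwise this raises NameError when the test is evaluated. The existence check itself is appropriate for the "no /dev/log on Linux" case described in the merged commit message, since `os.path.exists` returns True for the socket path when syslog is listening there.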