diff options
| author | Yaroslav Halchenko <debian@onerussian.com> | 2015-07-31 21:34:06 -0400 |
|---|---|---|
| committer | Yaroslav Halchenko <debian@onerussian.com> | 2015-07-31 21:34:06 -0400 |
| commit | bceb35ab34e7d4cbee499826dd7827b2e603d431 (patch) | |
| tree | 162490f18b686c724a34b2dbe431134b47990a20 | |
| parent | 77ea6e62b4e78d3865775cd2c44ed43a5b018aea (diff) | |
| parent | 70ba5cb0054f0869930b8cd2dc1bb836653dd289 (diff) | |
| download | fail2ban-bceb35ab34e7d4cbee499826dd7827b2e603d431.tar.gz | |
Merge tag '0.9.3' into debian
ver. 0.9.3 (2015/08/01) - lets-all-stay-friends
----------
- IMPORTANT incompatible changes:
* filter.d/roundcube-auth.conf
- Changed logpath to 'errors' log (was 'userlogins')
* action.d/iptables-common.conf
- All calls to iptables command now use -w switch introduced in
iptables 1.4.20 (some distribution could have patched their
earlier base version as well) to provide this locking mechanism
useful under heavy load to avoid contesting on iptables calls.
If you need to disable, define 'action.d/iptables-common.local'
with empty value for 'lockingopt' in `[Init]` section.
* mail-whois-lines, sendmail-geoip-lines and sendmail-whois-lines
actions now include by default only the first 1000 log lines in
the emails. Adjust <grepopts> to augment the behavior.
- Fixes:
* reload in interactive mode appends all the jails twice (gh-825)
* reload server/jail failed if database used (but was not changed) and
some jail active (gh-1072)
* filter.d/dovecot.conf - also match unknown user in passwd-file.
Thanks Anton Shestakov
* Fix fail2ban-regex not parsing journalmatch correctly from filter config
* filter.d/asterisk.conf - fix security log support for Asterisk 12+
* filter.d/roundcube-auth.conf
- Updated regex to work with 'errors' log (1.0.5 and 1.1.1)
- Added regex to work with 'userlogins' log
* action.d/sendmail*.conf - use LC_ALL (superseeding LC_TIME) to override
locale on systems with customized LC_ALL
* performance fix: minimizes connection overhead, close socket only at
communication end (gh-1099)
* unbanip always deletes ip from database (independent of bantime, also if
currently not banned or persistent)
* guarantee order of dbfile to be before dbpurgeage (gh-1048)
* always set 'dbfile' before other database options (gh-1050)
* kill the entire process group of the child process upon timeout (gh-1129).
Otherwise could lead to resource exhaustion due to hanging whois
processes.
* resolve /var/run/fail2ban path in setup.py to help installation
on platforms with /var/run -> /run symlink (gh-1142)
- New Features:
* RETURN iptables target is now a variable: <returntype>
* New type of operation: pass2allow, use fail2ban for "knocking",
opening a closed port by swapping blocktype and returntype
* New filters:
- froxlor-auth - Thanks Joern Muehlencord
- apache-pass - filter Apache access log for successful authentication
* New actions:
- shorewall-ipset-proto6 - using proto feature of the Shorewall. Still requires
manual pre-configuration of the shorewall. See the action file for detail.
* New jails:
- pass2allow-ftp - allows FTP traffic after successful HTTP authentication
- Enhancements:
* action.d/cloudflare.conf - improved documentation on how to allow
multiple CF accounts, and jail.conf got new compound action
definition action_cf_mwl to submit cloudflare report.
* Check access to socket for more detailed logging on error (gh-595)
* fail2ban-testcases man page
* filter.d/apache-badbots.conf, filter.d/nginx-botsearch.conf - add
HEAD method verb
* Revamp of Travis and coverage automated testing
* Added a space between IP address and the following colon
in notification emails for easier text selection
* Character detection heuristics for whois output via optional setting
in mail-whois*.conf. Thanks Thomas Mayer.
Not enabled by default, if _whois_command is set to be
%(_whois_convert_charset)s (e.g. in action.d/mail-whois-common.local),
it
- detects character set of whois output (which is undefined by
RFC 3912) via heuristics of the file command
- converts whois data to UTF-8 character set with iconv
- sends the whois output in UTF-8 character set to mail program
- avoids that heirloom mailx creates binary attachment for input with
unknown character set
* tag '0.9.3': (99 commits)
Release changes (too much of manual "labor"! ;))
BF: realpath for /var/run/fail2ban Closes #1142
Changelog entry for killpg fix
Changelog entries for Serge's fixes
bug fix: option 'dbpurgeage' was never set (always default) by start of fail2ban, because of invalid sorting of options ('dbfile' should be always set before other database options) / closes #1048, closes #1050
BF: guarantee order of dbfile to be before dbpurgeage (Closes #1048)
DOC: Changelog for shorewall-ipset-proto6.conf + adjusted its description
DOC: moved and adjusted changelog entry from 0.9.2 within 0.9.3 to come
TST: test to verify killing stuck children processes
BF: kill the entire process group upon timeout (Close #1129)
Limit the number of log lines in *-lines.conf actions
ipjailmatches is on one line with its description in man jail.conf
DOC: Changelog for iptables -w change
Remove self.printlog() call
Remove literal "TODO" from method's name
BF: do not wrap iptables into itself. Thanks Lee
Added a space between IP address and the following colon
BF: symbiosis-blacklist-allports now also requires iptables-common.conf
RF: use <iptables> to take effect of it being a parameter
ENH: added lockingopt option for iptables actions, made iptables cmd itself a parameter
...
124 files changed, 1175 insertions, 374 deletions
diff --git a/.coveragerc b/.coveragerc index 3bffd79a..19bc3db4 100644 --- a/.coveragerc +++ b/.coveragerc @@ -1,4 +1,11 @@ [run] branch = True -omit = /usr* +source = + config + fail2ban + +[report] +exclude_lines = + pragma: no cover + pragma: systemd no cover diff --git a/.travis.yml b/.travis.yml index bad7e16e..f65e4896 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,29 +1,56 @@ # vim ft=yaml # travis-ci.org definition for Fail2Ban build +# https://travis-ci.org/fail2ban/fail2ban/ language: python python: - - "2.6" - - "2.7" - - "3.2" - - "3.3" - - "3.4" - - "pypy" - - "pypy3" + - 2.6 + - 2.7 + - pypy + - 3.2 + - 3.3 + - 3.4 + - pypy3 before_install: - - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then travis_retry sudo apt-get update -qq; fi + - if [[ $TRAVIS_PYTHON_VERSION == 2* || $TRAVIS_PYTHON_VERSION == 'pypy' ]]; then export F2B_PY_2=true && echo "Set F2B_PY_2"; fi + - if [[ $TRAVIS_PYTHON_VERSION == 3* || $TRAVIS_PYTHON_VERSION == 'pypy3' ]]; then export F2B_PY_3=true && echo "Set F2B_PY_3"; fi + - travis_retry sudo apt-get update -qq + # Set this so sudo executes the correct python binary + # Anything not using sudo will already have the correct environment + - export VENV_BIN="$VIRTUAL_ENV/bin" && echo "VENV_BIN set to $VENV_BIN" install: + # Install Python packages / dependencies + # coverage + - travis_retry pip install coverage + # coveralls + - travis_retry pip install coveralls + # dnspython or dnspython3 + - if [[ "$F2B_PY_2" ]]; then travis_retry pip install dnspython; fi + - if [[ "$F2B_PY_3" ]]; then travis_retry pip install dnspython3; fi + # gamin - install manually (not in PyPI) - travis-ci system Python is 2.7 + - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then travis_retry sudo apt-get install -qq python-gamin && cp /usr/share/pyshared/gamin.py /usr/lib/pyshared/python2.7/_gamin.so $VIRTUAL_ENV/lib/python2.7/site-packages/; fi + # pyinotify - travis_retry pip install pyinotify - - if [[ $TRAVIS_PYTHON_VERSION == 2* || $TRAVIS_PYTHON_VERSION == 'pypy' ]]; then travis_retry pip install dnspython; fi - - if [[ $TRAVIS_PYTHON_VERSION == 3* || $TRAVIS_PYTHON_VERSION == 'pypy3' ]]; then travis_retry pip install dnspython3; fi - - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then travis_retry sudo apt-get install -qq python-gamin; cp /usr/share/pyshared/gamin.py /usr/lib/pyshared/python2.7/_gamin.so $VIRTUAL_ENV/lib/python2.7/site-packages/; fi - - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then cd ..; travis_retry pip install -q coveralls; cd -; fi - # overcome buggy pypy - - if [[ $TRAVIS_PYTHON_VERSION == pypy ]] ; then dpkg --compare-versions $(pypy --version 2>&1 | awk '/PyPy/{print $2;}') ge 2.5.1 || { d=$PWD; cd /tmp; wget http://buildbot.pypy.org/nightly/trunk/pypy-c-jit-latest-linux64.tar.bz2; tar -xjvf pypy*bz2; cd pypy-*/bin/; export PATH=$PWD:$PATH; cd $d; } ; fi +before_script: + # Manually execute 2to3 for now + - if [[ "$F2B_PY_3" ]]; then ./fail2ban-2to3; fi script: - - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then coverage run --rcfile=.travis_coveragerc setup.py test; else python setup.py test; fi -# test installation - - sudo python setup.py install + # Keep the legacy setup.py test approach of checking coverage for python2 + - if [[ "$F2B_PY_2" ]]; then coverage run setup.py test; fi + # Coverage doesn't pick up setup.py test with python3, so run it directly + - if [[ "$F2B_PY_3" ]]; then coverage run bin/fail2ban-testcases; fi + # Use $VENV_BIN (not python) or else sudo will always run the system's python (2.7) + - sudo $VENV_BIN/pip install . after_success: -# Coverage config file must be .coveragerc for coveralls - - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then cp -v .travis_coveragerc .coveragerc; fi - - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then coveralls; fi + - coveralls +matrix: + fast_finish: true +# Might be worth looking into +#notifications: +# email: true +# irc: +# channels: "irc.freenode.org#fail2ban" +# template: +# - "%{repository}@%{branch}: %{message} (%{build_url})" +# on_success: change +# on_failure: change +# skip_join: true diff --git a/.travis_coveragerc b/.travis_coveragerc deleted file mode 100644 index 49fc3134..00000000 --- a/.travis_coveragerc +++ /dev/null @@ -1,7 +0,0 @@ - -[run] -branch = True -omit = - /usr/* - /home/travis/virtualenv/* - fail2ban/server/filtersystemd.py @@ -6,6 +6,85 @@ Fail2Ban: Changelog =================== +ver. 0.9.3 (2015/08/01) - lets-all-stay-friends +---------- + +- IMPORTANT incompatible changes: + * filter.d/roundcube-auth.conf + - Changed logpath to 'errors' log (was 'userlogins') + * action.d/iptables-common.conf + - All calls to iptables command now use -w switch introduced in + iptables 1.4.20 (some distribution could have patched their + earlier base version as well) to provide this locking mechanism + useful under heavy load to avoid contesting on iptables calls. + If you need to disable, define 'action.d/iptables-common.local' + with empty value for 'lockingopt' in `[Init]` section. + * mail-whois-lines, sendmail-geoip-lines and sendmail-whois-lines + actions now include by default only the first 1000 log lines in + the emails. Adjust <grepopts> to augment the behavior. + +- Fixes: + * reload in interactive mode appends all the jails twice (gh-825) + * reload server/jail failed if database used (but was not changed) and + some jail active (gh-1072) + * filter.d/dovecot.conf - also match unknown user in passwd-file. + Thanks Anton Shestakov + * Fix fail2ban-regex not parsing journalmatch correctly from filter config + * filter.d/asterisk.conf - fix security log support for Asterisk 12+ + * filter.d/roundcube-auth.conf + - Updated regex to work with 'errors' log (1.0.5 and 1.1.1) + - Added regex to work with 'userlogins' log + * action.d/sendmail*.conf - use LC_ALL (superseeding LC_TIME) to override + locale on systems with customized LC_ALL + * performance fix: minimizes connection overhead, close socket only at + communication end (gh-1099) + * unbanip always deletes ip from database (independent of bantime, also if + currently not banned or persistent) + * guarantee order of dbfile to be before dbpurgeage (gh-1048) + * always set 'dbfile' before other database options (gh-1050) + * kill the entire process group of the child process upon timeout (gh-1129). + Otherwise could lead to resource exhaustion due to hanging whois + processes. + * resolve /var/run/fail2ban path in setup.py to help installation + on platforms with /var/run -> /run symlink (gh-1142) + +- New Features: + * RETURN iptables target is now a variable: <returntype> + * New type of operation: pass2allow, use fail2ban for "knocking", + opening a closed port by swapping blocktype and returntype + * New filters: + - froxlor-auth - Thanks Joern Muehlencord + - apache-pass - filter Apache access log for successful authentication + * New actions: + - shorewall-ipset-proto6 - using proto feature of the Shorewall. Still requires + manual pre-configuration of the shorewall. See the action file for detail. + * New jails: + - pass2allow-ftp - allows FTP traffic after successful HTTP authentication + +- Enhancements: + * action.d/cloudflare.conf - improved documentation on how to allow + multiple CF accounts, and jail.conf got new compound action + definition action_cf_mwl to submit cloudflare report. + * Check access to socket for more detailed logging on error (gh-595) + * fail2ban-testcases man page + * filter.d/apache-badbots.conf, filter.d/nginx-botsearch.conf - add + HEAD method verb + * Revamp of Travis and coverage automated testing + * Added a space between IP address and the following colon + in notification emails for easier text selection + * Character detection heuristics for whois output via optional setting + in mail-whois*.conf. Thanks Thomas Mayer. + Not enabled by default, if _whois_command is set to be + %(_whois_convert_charset)s (e.g. in action.d/mail-whois-common.local), + it + - detects character set of whois output (which is undefined by + RFC 3912) via heuristics of the file command + - converts whois data to UTF-8 character set with iconv + - sends the whois output in UTF-8 character set to mail program + - avoids that heirloom mailx creates binary attachment for input with + unknown character set + + ver. 0.9.2 (2015/04/29) - better-quick-now-than-later ---------- @@ -42,7 +121,7 @@ ver. 0.9.2 (2015/04/29) - better-quick-now-than-later * firewallcmd-* actions: split output into separate lines for grepping (gh-908) * Guard unicode encode/decode issues while storing records in the database. Fixes "binding parameter error (unsupported type)" (gh-973), thanks to kot - for reporting + for reporting * filter.d/sshd added regex for matching openSUSE ssh authentication failure * filter.d/asterisk.conf: - Dropped "Sending fake auth rejection" failregex since it incorrectly @@ -56,9 +56,12 @@ following (note: on Debian-based systems, the script is called `python-coverage`):: coverage run bin/fail2ban-testcases + coverage report + +Optionally: coverage html -Then look at htmlcov/index.html and see how much coverage your test cases +And then browse htmlcov/index.html and see how much coverage your test cases exert over the code base. Full coverage is a good thing however it may not be complete. Try to ensure tests cover as many independent paths through the code. @@ -88,7 +91,7 @@ Testing can now be done inside a vagrant VM. Vagrantfile provided in source code repository established two VMs: - VM "secure" which can be used for testing fail2ban code. -- VM "attacker" which hcan be used to perform attack against our "secure" VM. +- VM "attacker" which can be used to perform attack against our "secure" VM. Both VMs are sharing the 192.168.200/24 network. If you are using this network take a look into the Vagrantfile and change the IP. @@ -2,7 +2,7 @@ / _|__ _(_) |_ ) |__ __ _ _ _ | _/ _` | | |/ /| '_ \/ _` | ' \ |_| \__,_|_|_/___|_.__/\__,_|_||_| - v0.9.2 2015/04/29 + v0.9.3 2015/08/01 ## Fail2Ban: ban hosts that cause multiple authentication errors @@ -37,8 +37,8 @@ Optional: To install, just do: - tar xvfj fail2ban-0.9.2.tar.bz2 - cd fail2ban-0.9.2 + tar xvfj fail2ban-0.9.3.tar.bz2 + cd fail2ban-0.9.3 python setup.py install This will install Fail2Ban into the python library directory. The executable @@ -61,24 +61,24 @@ Preparation * Which indicates that testcases/files/logs/mysqld.log has been moved or is a directory:: - tar -C /tmp -jxf dist/fail2ban-0.9.2.tar.bz2 + tar -C /tmp -jxf dist/fail2ban-0.9.3.tar.bz2 * clean up current direcory:: - diff -rul --exclude \*.pyc . /tmp/fail2ban-0.9.2/ + diff -rul --exclude \*.pyc . /tmp/fail2ban-0.9.3/ * Only differences should be files that you don't want distributed. * Ensure the tests work from the tarball:: - cd /tmp/fail2ban-0.9.2/ && bin/fail2ban-testcases + cd /tmp/fail2ban-0.9.3/ && bin/fail2ban-testcases * Add/finalize the corresponding entry in the ChangeLog * To generate a list of committers use e.g.:: - git shortlog -sn 0.9.2.. | sed -e 's,^[ 0-9\t]*,,g' | tr '\n' '\|' | sed -e 's:|:, :g' + git shortlog -sn 0.9.3.. | sed -e 's,^[ 0-9\t]*,,g' | tr '\n' '\|' | sed -e 's:|:, :g' * Ensure the top of the ChangeLog has the right version and current date. * Ensure the top entry of the ChangeLog has the right version and current date. @@ -101,7 +101,7 @@ Preparation * Tag the release by using a signed (and annotated) tag. Cut/paste release ChangeLog entry as tag annotation:: - git tag -s 0.9.2 + git tag -s 0.9.3 Pre Release =========== @@ -185,7 +185,7 @@ Post Release Add the following to the top of the ChangeLog:: - ver. 0.9.3 (2014/XX/XXX) - wanna-be-released + ver. 0.9.4 (2014/XX/XXX) - wanna-be-released ----------- - Fixes: @@ -197,5 +197,5 @@ Add the following to the top of the ChangeLog:: Alter the git shortlog command in the previous section to refer to the just released version. -and adjust fail2ban/version.py to carry .dev suffix to signal +and adjust fail2ban/version.py to carry .dev0 suffix to signal a version under development. @@ -109,6 +109,7 @@ Stefan Tatschner Stephen Gildea Steven Hiscocks TESTOVIK +Thomas Mayer Tom Pike Tomas Pihl Tony Lawrence diff --git a/bin/fail2ban-client b/bin/fail2ban-client index 866a5287..7f3f5639 100755 --- a/bin/fail2ban-client +++ b/bin/fail2ban-client @@ -22,8 +22,17 @@ __author__ = "Cyril Jaquier" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" -import sys, string, os, pickle, re, logging, signal -import getopt, time, shlex, socket +import getopt +import logging +import os +import pickle +import re +import shlex +import signal +import socket +import string +import sys +import time from fail2ban.version import version from fail2ban.protocol import printFormatted @@ -144,32 +153,58 @@ class Fail2banClient: return self.__processCmd([["ping"]], False) def __processCmd(self, cmd, showRet = True): - beautifier = Beautifier() - streamRet = True - for c in cmd: - beautifier.setInputCmd(c) - try: - client = CSocket(self.__conf["socket"]) - ret = client.send(c) - if ret[0] == 0: - logSys.debug("OK : " + `ret[1]`) + client = None + try: + beautifier = Beautifier() + streamRet = True + for c in cmd: + beautifier.setInputCmd(c) + try: + if not client: + client = CSocket(self.__conf["socket"]) + ret = client.send(c) + if ret[0] == 0: + logSys.debug("OK : " + `ret[1]`) + if showRet: + print beautifier.beautify(ret[1]) + else: + logSys.error("NOK: " + `ret[1].args`) + if showRet: + print beautifier.beautifyError(ret[1]) + streamRet = False + except socket.error: if showRet: - print beautifier.beautify(ret[1]) - else: - logSys.error("NOK: " + `ret[1].args`) + self.__logSocketError() + return False + except Exception, e: if showRet: - print beautifier.beautifyError(ret[1]) - streamRet = False - except socket.error: - if showRet: - logSys.error("Unable to contact server. Is it running?") - return False - except Exception, e: - if showRet: - logSys.error(e) - return False + logSys.error(e) + return False + finally: + if client: + client.close() return streamRet + def __logSocketError(self): + try: + if os.access(self.__conf["socket"], os.F_OK): + # This doesn't check if path is a socket, + # but socket.error should be raised + if os.access(self.__conf["socket"], os.W_OK): + # Permissions look good, but socket.error was raised + logSys.error("Unable to contact server. Is it running?") + else: + logSys.error("Permission denied to socket: %s," + " (you must be root)", self.__conf["socket"]) + else: + logSys.error("Failed to access socket path: %s." + " Is fail2ban running?", + self.__conf["socket"]) + except Exception as e: + logSys.error("Exception while checking socket access: %s", + self.__conf["socket"]) + logSys.error(e) + ## # Process a command line. # diff --git a/bin/fail2ban-regex b/bin/fail2ban-regex index b337ab5d..b7b0579f 100755 --- a/bin/fail2ban-regex +++ b/bin/fail2ban-regex @@ -29,7 +29,15 @@ __author__ = "Fail2Ban Developers" __copyright__ = "Copyright (c) 2004-2008 Cyril Jaquier, 2012-2014 Yaroslav Halchenko" __license__ = "GPL" -import getopt, sys, time, logging, os, locale, shlex, time, urllib +import getopt +import locale +import logging +import os +import shlex +import sys +import time +import time +import urllib from optparse import OptionParser, Option from ConfigParser import NoOptionError, NoSectionError, MissingSectionHeaderError @@ -297,8 +305,8 @@ class Fail2banRegex(object): "read from %(value)s" % locals() return False elif command[2] == 'addjournalmatch': - journalmatch = command[3] - self.setJournalMatch(shlex.split(journalmatch)) + journalmatch = command[3:] + self.setJournalMatch(journalmatch) elif command[2] == 'datepattern': datepattern = command[3] self.setDatePattern(datepattern) diff --git a/bin/fail2ban-server b/bin/fail2ban-server index ec0c0dbe..f522f418 100755 --- a/bin/fail2ban-server +++ b/bin/fail2ban-server @@ -22,7 +22,9 @@ __author__ = "Cyril Jaquier" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" -import getopt, sys, os +import getopt +import os +import sys from fail2ban.version import version from fail2ban.server.server import Server diff --git a/bin/fail2ban-testcases b/bin/fail2ban-testcases index 475aa40b..dd6547a5 100755 --- a/bin/fail2ban-testcases +++ b/bin/fail2ban-testcases @@ -25,7 +25,10 @@ __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2012- Yaroslav Halchenko" __license__ = "GPL" import logging -import unittest, sys, time, os +import os +import sys +import time +import unittest # Check if local fail2ban module exists, and use if it exists by # modifying the path. This is such that tests can be used in dev diff --git a/config/action.d/badips.py b/config/action.d/badips.py index c2a239f5..a1df00a3 100644 --- a/config/action.d/badips.py +++ b/config/action.d/badips.py @@ -35,6 +35,7 @@ else: from fail2ban.server.actions import ActionBase from fail2ban.version import version as f2bVersion + class BadIPsAction(ActionBase): """Fail2Ban action which reports bans to badips.com, and also blacklist bad IPs listed on badips.com by using another action's diff --git a/config/action.d/cloudflare.conf b/config/action.d/cloudflare.conf index 4d5e2dc8..4bc90c97 100644 --- a/config/action.d/cloudflare.conf +++ b/config/action.d/cloudflare.conf @@ -1,10 +1,14 @@ # # Author: Mike Rushton # -# Referenced from from http://www.normyee.net/blog/2012/02/02/adding-cloudflare-support-to-fail2ban by NORM YEE +# IMPORTANT # -# To get your Cloudflare API key: https://www.cloudflare.com/my-account +# Please set jail.local's permission to 640 because it contains your CF API key. # +# This action depends on curl. +# Referenced from http://www.normyee.net/blog/2012/02/02/adding-cloudflare-support-to-fail2ban by NORM YEE +# +# To get your CloudFlare API Key: https://www.cloudflare.com/a/account/my-account [Definition] @@ -34,7 +38,8 @@ actioncheck = # <time> unix timestamp of the ban time # Values: CMD # -actionban = curl https://www.cloudflare.com/api_json.html -d 'a=ban' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>' +actionban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=ban' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>' + # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. @@ -43,13 +48,19 @@ actionban = curl https://www.cloudflare.com/api_json.html -d 'a=ban' -d 'tkn=<cf # <time> unix timestamp of the ban time # Values: CMD # -actionunban = curl https://www.cloudflare.com/api_json.html -d 'a=nul' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>' - +actionunban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=nul' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>' [Init] -# Default Cloudflare API token -cftoken = +# If you like to use this action with mailing whois lines, you could use the composite action +# action_cf_mwl predefined in jail.conf, just define in your jail: +# +# action = %(action_cf_mwl)s +# # Your CF account e-mail +# cfemail = +# # Your CF API Key +# cfapikey = + +cftoken = -# Default Cloudflare username -cfuser = +cfuser = diff --git a/config/action.d/iptables-allports.conf b/config/action.d/iptables-allports.conf index b30404d3..15f3cbcc 100644 --- a/config/action.d/iptables-allports.conf +++ b/config/action.d/iptables-allports.conf @@ -17,23 +17,23 @@ before = iptables-common.conf # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # -actionstart = iptables -N f2b-<name> - iptables -A f2b-<name> -j RETURN - iptables -I <chain> -p <protocol> -j f2b-<name> +actionstart = <iptables> -N f2b-<name> + <iptables> -A f2b-<name> -j <returntype> + <iptables> -I <chain> -p <protocol> -j f2b-<name> # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D <chain> -p <protocol> -j f2b-<name> - iptables -F f2b-<name> - iptables -X f2b-<name> +actionstop = <iptables> -D <chain> -p <protocol> -j f2b-<name> + <iptables> -F f2b-<name> + <iptables> -X f2b-<name> # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]' +actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]' # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -41,7 +41,7 @@ actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]' # Tags: See jail.conf(5) man page # Values: CMD # -actionban = iptables -I f2b-<name> 1 -s <ip> -j <blocktype> +actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype> # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -49,7 +49,7 @@ actionban = iptables -I f2b-<name> 1 -s <ip> -j <blocktype> # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = iptables -D f2b-<name> -s <ip> -j <blocktype> +actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype> [Init] diff --git a/config/action.d/iptables-common.conf b/config/action.d/iptables-common.conf index c191c5a1..45819e3d 100644 --- a/config/action.d/iptables-common.conf +++ b/config/action.d/iptables-common.conf @@ -43,3 +43,22 @@ protocol = tcp # REJECT, REJECT --reject-with icmp-port-unreachable # Values: STRING blocktype = REJECT --reject-with icmp-port-unreachable + +# Option: returntype +# Note: This is the default rule on "actionstart". This should be RETURN +# in all (blocking) actions, except REJECT in allowing actions. +# Values: STRING +returntype = RETURN + +# Option: lockingopt +# Notes.: Option was introduced to iptables to prevent multiple instances from +# running concurrently and causing irratic behavior. -w was introduced +# in iptables 1.4.20, so might be absent on older systems +# See https://github.com/fail2ban/fail2ban/issues/1122 +# Values: STRING +lockingopt = -w + +# Option: iptables +# Notes.: Actual command to be executed, including common to all calls options +# Values: STRING +iptables = iptables <lockingopt> diff --git a/config/action.d/iptables-ipset-proto4.conf b/config/action.d/iptables-ipset-proto4.conf index c72b1a85..2f63cd4b 100644 --- a/config/action.d/iptables-ipset-proto4.conf +++ b/config/action.d/iptables-ipset-proto4.conf @@ -28,13 +28,13 @@ before = iptables-common.conf # Values: CMD # actionstart = ipset --create f2b-<name> iphash - iptables -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype> + <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype> # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype> +actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype> ipset --flush f2b-<name> ipset --destroy f2b-<name> diff --git a/config/action.d/iptables-ipset-proto6-allports.conf b/config/action.d/iptables-ipset-proto6-allports.conf index aaeee461..1f1d336f 100644 --- a/config/action.d/iptables-ipset-proto6-allports.conf +++ b/config/action.d/iptables-ipset-proto6-allports.conf @@ -24,13 +24,13 @@ before = iptables-common.conf # Values: CMD # actionstart = ipset create f2b-<name> hash:ip timeout <bantime> - iptables -I <chain> -m set --match-set f2b-<name> src -j <blocktype> + <iptables> -I <chain> -m set --match-set f2b-<name> src -j <blocktype> # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D <chain> -m set --match-set f2b-<name> src -j <blocktype> +actionstop = <iptables> -D <chain> -m set --match-set f2b-<name> src -j <blocktype> ipset flush f2b-<name> ipset destroy f2b-<name> diff --git a/config/action.d/iptables-ipset-proto6.conf b/config/action.d/iptables-ipset-proto6.conf index bd36c49e..3b51ef58 100644 --- a/config/action.d/iptables-ipset-proto6.conf +++ b/config/action.d/iptables-ipset-proto6.conf @@ -24,13 +24,13 @@ before = iptables-common.conf # Values: CMD # actionstart = ipset create f2b-<name> hash:ip timeout <bantime> - iptables -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype> + <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype> # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype> +actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype> ipset flush f2b-<name> ipset destroy f2b-<name> diff --git a/config/action.d/iptables-multiport-log.conf b/config/action.d/iptables-multiport-log.conf index f4d80d6c..1777ce62 100644 --- a/config/action.d/iptables-multiport-log.conf +++ b/config/action.d/iptables-multiport-log.conf @@ -19,28 +19,28 @@ before = iptables-common.conf # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # -actionstart = iptables -N f2b-<name> - iptables -A f2b-<name> -j RETURN - iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j f2b-<name> - iptables -N f2b-<name>-log - iptables -I f2b-<name>-log -j LOG --log-prefix "$(expr f2b-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2 - iptables -A f2b-<name>-log -j <blocktype> +actionstart = <iptables> -N f2b-<name> + <iptables> -A f2b-<name> -j <returntype> + <iptables> -I <chain> 1 -p <protocol> -m multiport --dports <port> -j f2b-<name> + <iptables> -N f2b-<name>-log + <iptables> -I f2b-<name>-log -j LOG --log-prefix "$(expr f2b-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2 + <iptables> -A f2b-<name>-log -j <blocktype> # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name> - iptables -F f2b-<name> - iptables -F f2b-<name>-log - iptables -X f2b-<name> - iptables -X f2b-<name>-log +actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name> + <iptables> -F f2b-<name> + <iptables> -F f2b-<name>-log + <iptables> -X f2b-<name> + <iptables> -X f2b-<name>-log # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L f2b-<name>-log >/dev/null +actioncheck = <iptables> -n -L f2b-<name>-log >/dev/null # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -48,7 +48,7 @@ actioncheck = iptables -n -L f2b-<name>-log >/dev/null # Tags: See jail.conf(5) man page # Values: CMD # -actionban = iptables -I f2b-<name> 1 -s <ip> -j f2b-<name>-log +actionban = <iptables> -I f2b-<name> 1 -s <ip> -j f2b-<name>-log # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -56,7 +56,7 @@ actionban = iptables -I f2b-<name> 1 -s <ip> -j f2b-<name>-log # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = iptables -D f2b-<name> -s <ip> -j f2b-<name>-log +actionunban = <iptables> -D f2b-<name> -s <ip> -j f2b-<name>-log [Init] diff --git a/config/action.d/iptables-multiport.conf b/config/action.d/iptables-multiport.conf index b70baf92..9fd87d20 100644 --- a/config/action.d/iptables-multiport.conf +++ b/config/action.d/iptables-multiport.conf @@ -14,23 +14,23 @@ before = iptables-common.conf # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # -actionstart = iptables -N f2b-<name> - iptables -A f2b-<name> -j RETURN - iptables -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name> +actionstart = <iptables> -N f2b-<name> + <iptables> -A f2b-<name> -j <returntype> + <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name> # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name> - iptables -F f2b-<name> - iptables -X f2b-<name> +actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name> + <iptables> -F f2b-<name> + <iptables> -X f2b-<name> # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]' +actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]' # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -38,7 +38,7 @@ actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]' # Tags: See jail.conf(5) man page # Values: CMD # -actionban = iptables -I f2b-<name> 1 -s <ip> -j <blocktype> +actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype> # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -46,7 +46,7 @@ actionban = iptables -I f2b-<name> 1 -s <ip> -j <blocktype> # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = iptables -D f2b-<name> -s <ip> -j <blocktype> +actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype> [Init] diff --git a/config/action.d/iptables-new.conf b/config/action.d/iptables-new.conf index 3c6657d9..795bc601 100644 --- a/config/action.d/iptables-new.conf +++ b/config/action.d/iptables-new.conf @@ -16,23 +16,23 @@ before = iptables-common.conf # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # -actionstart = iptables -N f2b-<name> - iptables -A f2b-<name> -j RETURN - iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name> +actionstart = <iptables> -N f2b-<name> + <iptables> -A f2b-<name> -j <returntype> + <iptables> -I <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name> # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name> - iptables -F f2b-<name> - iptables -X f2b-<name> +actionstop = <iptables> -D <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name> + <iptables> -F f2b-<name> + <iptables> -X f2b-<name> # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]' +actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]' # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -40,7 +40,7 @@ actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]' # Tags: See jail.conf(5) man page # Values: CMD # -actionban = iptables -I f2b-<name> 1 -s <ip> -j <blocktype> +actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype> # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -48,7 +48,7 @@ actionban = iptables -I f2b-<name> 1 -s <ip> -j <blocktype> # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = iptables -D f2b-<name> -s <ip> -j <blocktype> +actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype> [Init] diff --git a/config/action.d/iptables-xt_recent-echo.conf b/config/action.d/iptables-xt_recent-echo.conf index 1a72968f..d3d43f86 100644 --- a/config/action.d/iptables-xt_recent-echo.conf +++ b/config/action.d/iptables-xt_recent-echo.conf @@ -32,14 +32,14 @@ before = iptables-common.conf # own rules. The 3600 second timeout is independent and acts as a # safeguard in case the fail2ban process dies unexpectedly. The # shorter of the two timeouts actually matters. -actionstart = if [ `id -u` -eq 0 ];then iptables -I <chain> -m recent --update --seconds 3600 --name f2b-<name> -j <blocktype>;fi +actionstart = if [ `id -u` -eq 0 ];then <iptables> -I <chain> -m recent --update --seconds 3600 --name f2b-<name> -j <blocktype>;fi # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # actionstop = echo / > /proc/net/xt_recent/f2b-<name> - if [ `id -u` -eq 0 ];then iptables -D <chain> -m recent --update --seconds 3600 --name f2b-<name> -j <blocktype>;fi + if [ `id -u` -eq 0 ];then <iptables> -D <chain> -m recent --update --seconds 3600 --name f2b-<name> -j <blocktype>;fi # Option: actioncheck # Notes.: command executed once before each actionban command diff --git a/config/action.d/iptables.conf b/config/action.d/iptables.conf index a956fc55..38985ffa 100644 --- a/config/action.d/iptables.conf +++ b/config/action.d/iptables.conf @@ -14,23 +14,23 @@ before = iptables-common.conf # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # -actionstart = iptables -N f2b-<name> - iptables -A f2b-<name> -j RETURN - iptables -I <chain> -p <protocol> --dport <port> -j f2b-<name> +actionstart = <iptables> -N f2b-<name> + <iptables> -A f2b-<name> -j <returntype> + <iptables> -I <chain> -p <protocol> --dport <port> -j f2b-<name> # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D <chain> -p <protocol> --dport <port> -j f2b-<name> - iptables -F f2b-<name> - iptables -X f2b-<name> +actionstop = <iptables> -D <chain> -p <protocol> --dport <port> -j f2b-<name> + <iptables> -F f2b-<name> + <iptables> -X f2b-<name> # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]' +actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]' # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -38,7 +38,7 @@ actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]' # Tags: See jail.conf(5) man page # Values: CMD # -actionban = iptables -I f2b-<name> 1 -s <ip> -j <blocktype> +actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype> # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -46,7 +46,7 @@ actionban = iptables -I f2b-<name> 1 -s <ip> -j <blocktype> # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = iptables -D f2b-<name> -s <ip> -j <blocktype> +actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype> [Init] diff --git a/config/action.d/mail-whois-common.conf b/config/action.d/mail-whois-common.conf new file mode 100644 index 00000000..b0d27afc --- /dev/null +++ b/config/action.d/mail-whois-common.conf @@ -0,0 +1,28 @@ +# Fail2Ban configuration file +# +# Common settings for mail actions +# +# Users can override the defaults in mail-whois-common.local + +[INCLUDES] + +# Load customizations if any available +after = mail-whois-common.local + +[DEFAULT] +#original character set of whois output will be sent to mail program +_whois = whois <ip> || echo "missing whois program" + +# use heuristics to convert charset of whois output to a target +# character set before sending it to a mail program +# make sure you have 'file' and 'iconv' commands installed when opting for that +_whois_target_charset = UTF-8 +_whois_convert_charset = whois <ip> | + { WHOIS_OUTPUT=$(cat) ; WHOIS_CHARSET=$(printf %%b "$WHOIS_OUTPUT" | file -b --mime-encoding -) ; printf %%b "$WHOIS_OUTPUT" | iconv -f $WHOIS_CHARSET -t %(_whois_target_charset)s//TRANSLIT - ; } + +# choose between _whois and _whois_convert_charset in mail-whois-common.local +# or other *.local which include mail-whois-common.conf. +_whois_command = %(_whois)s +#_whois_command = %(_whois_convert_charset)s + +[Init] diff --git a/config/action.d/mail-whois-lines.conf b/config/action.d/mail-whois-lines.conf index 5f760ac8..6e39c605 100644 --- a/config/action.d/mail-whois-lines.conf +++ b/config/action.d/mail-whois-lines.conf @@ -4,6 +4,10 @@ # Modified-By: Yaroslav Halchenko to include grepping on IP over log files # +[INCLUDES] + +before = mail-whois-common.conf + [Definition] # Option: actionstart @@ -39,10 +43,10 @@ actioncheck = actionban = printf %%b "Hi,\n The IP <ip> has just been banned by Fail2Ban after <failures> attempts against <name>.\n\n - Here is more information about <ip>:\n - `whois <ip> || echo missing whois program`\n\n + Here is more information about <ip> :\n + `%(_whois_command)s`\n\n Lines containing IP:<ip> in <logpath>\n - `grep -E '(^|[^0-9])<ip>([^0-9]|$)' <logpath>`\n\n + `grep -E <grepopts> '(^|[^0-9])<ip>([^0-9]|$)' <logpath>`\n\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest> @@ -67,3 +71,7 @@ dest = root # Path to the log files which contain relevant lines for the abuser IP # logpath = /dev/null + +# Number of log lines to include in the email +# +grepopts = -m 1000 diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf index e4c8450e..018c327d 100644 --- a/config/action.d/mail-whois.conf +++ b/config/action.d/mail-whois.conf @@ -4,6 +4,10 @@ # # +[INCLUDES] + +before = mail-whois-common.conf + [Definition] # Option: actionstart @@ -39,8 +43,8 @@ actioncheck = actionban = printf %%b "Hi,\n The IP <ip> has just been banned by Fail2Ban after <failures> attempts against <name>.\n\n - Here is more information about <ip>:\n - `whois <ip> || echo missing whois program`\n + Here is more information about <ip> :\n + `%(_whois_command)s`\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest> diff --git a/config/action.d/sendmail-common.conf b/config/action.d/sendmail-common.conf index af0212bd..1475dedb 100644 --- a/config/action.d/sendmail-common.conf +++ b/config/action.d/sendmail-common.conf @@ -15,7 +15,7 @@ after = sendmail-common.local # Values: CMD # actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n` - Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"` + Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` From: <sendername> <<sender>> To: <dest>\n Hi,\n @@ -28,7 +28,7 @@ actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n` # Values: CMD # actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on `uname -n` - Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"` + Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` From: <sendername> <<sender>> To: <dest>\n Hi,\n @@ -40,7 +40,7 @@ actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on `uname -n` # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = +actioncheck = # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -48,7 +48,7 @@ actioncheck = # Tags: See jail.conf(5) man page # Values: CMD # -actionban = +actionban = # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -56,7 +56,7 @@ actionban = # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = +actionunban = [Init] diff --git a/config/action.d/sendmail-geoip-lines.conf b/config/action.d/sendmail-geoip-lines.conf index 4225a3eb..2232642c 100644 --- a/config/action.d/sendmail-geoip-lines.conf +++ b/config/action.d/sendmail-geoip-lines.conf @@ -20,13 +20,13 @@ before = sendmail-common.conf # Values: CMD # actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n` - Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"` + Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` From: <sendername> <<sender>> To: <dest>\n Hi,\n The IP <ip> has just been banned by Fail2Ban after <failures> attempts against <name>.\n\n - Here is more information about <ip>:\n + Here is more information about <ip> :\n http://bgp.he.net/ip/<ip> http://www.projecthoneypot.org/ip_<ip> http://whois.domaintools.com/<ip>\n\n @@ -34,7 +34,7 @@ actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n` AS:`geoiplookup -f /usr/share/GeoIP/GeoIPASNum.dat "<ip>" | cut -d':' -f2-` hostname: `host -t A <ip> 2>&1`\n\n Lines containing IP:<ip> in <logpath>\n - `grep -E '(^|[^0-9])<ip>([^0-9]|$)' <logpath>`\n\n + `grep -E <grepopts> '(^|[^0-9])<ip>([^0-9]|$)' <logpath>`\n\n Regards,\n Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest> @@ -47,3 +47,7 @@ name = default # Path to the log files which contain relevant lines for the abuser IP # logpath = /dev/null + +# Number of log lines to include in the email +# +grepopts = -m 1000 diff --git a/config/action.d/sendmail-whois-ipjailmatches.conf b/config/action.d/sendmail-whois-ipjailmatches.conf index 9c32f41b..689ffe45 100644 --- a/config/action.d/sendmail-whois-ipjailmatches.conf +++ b/config/action.d/sendmail-whois-ipjailmatches.conf @@ -17,13 +17,13 @@ before = sendmail-common.conf # Values: CMD # actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n` - Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"` + Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` From: <sendername> <<sender>> To: <dest>\n Hi,\n The IP <ip> has just been banned by Fail2Ban after <failures> attempts against <name>.\n\n - Here is more information about <ip>:\n + Here is more information about <ip> :\n `/usr/bin/whois <ip>`\n\n Matches for <name> with <ipjailfailures> failures IP:<ip>\n <ipjailmatches>\n\n diff --git a/config/action.d/sendmail-whois-ipmatches.conf b/config/action.d/sendmail-whois-ipmatches.conf index 8c07454c..b06e6db6 100644 --- a/config/action.d/sendmail-whois-ipmatches.conf +++ b/config/action.d/sendmail-whois-ipmatches.conf @@ -17,13 +17,13 @@ before = sendmail-common.conf # Values: CMD # actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n` - Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"` + Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` From: <sendername> <<sender>> To: <dest>\n Hi,\n The IP <ip> has just been banned by Fail2Ban after <failures> attempts against <name>.\n\n - Here is more information about <ip>:\n + Here is more information about <ip> :\n `/usr/bin/whois <ip>`\n\n Matches with <ipfailures> failures IP:<ip>\n <ipmatches>\n\n diff --git a/config/action.d/sendmail-whois-lines.conf b/config/action.d/sendmail-whois-lines.conf index 135632ce..4156c947 100644 --- a/config/action.d/sendmail-whois-lines.conf +++ b/config/action.d/sendmail-whois-lines.conf @@ -17,16 +17,16 @@ before = sendmail-common.conf # Values: CMD # actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n` - Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"` + Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` From: <sendername> <<sender>> To: <dest>\n Hi,\n The IP <ip> has just been banned by Fail2Ban after <failures> attempts against <name>.\n\n - Here is more information about <ip>:\n + Here is more information about <ip> :\n `/usr/bin/whois <ip> || echo missing whois program`\n\n Lines containing IP:<ip> in <logpath>\n - `grep -E '(^|[^0-9])<ip>([^0-9]|$)' <logpath>`\n\n + `grep -E <grepopts> '(^|[^0-9])<ip>([^0-9]|$)' <logpath>`\n\n Regards,\n Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest> @@ -40,3 +40,6 @@ name = default # logpath = /dev/null +# Number of log lines to include in the email +# +grepopts = -m 1000 diff --git a/config/action.d/sendmail-whois-matches.conf b/config/action.d/sendmail-whois-matches.conf index 64bac3ef..8bca5937 100644 --- a/config/action.d/sendmail-whois-matches.conf +++ b/config/action.d/sendmail-whois-matches.conf @@ -17,13 +17,13 @@ before = sendmail-common.conf # Values: CMD # actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n` - Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"` + Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` From: <sendername> <<sender>> To: <dest>\n Hi,\n The IP <ip> has just been banned by Fail2Ban after <failures> attempts against <name>.\n\n - Here is more information about <ip>:\n + Here is more information about <ip> :\n `/usr/bin/whois <ip>`\n\n Matches:\n <matches>\n\n diff --git a/config/action.d/sendmail-whois.conf b/config/action.d/sendmail-whois.conf index 9403a388..55b80bc5 100644 --- a/config/action.d/sendmail-whois.conf +++ b/config/action.d/sendmail-whois.conf @@ -17,13 +17,13 @@ before = sendmail-common.conf # Values: CMD # actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n` - Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"` + Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` From: <sendername> <<sender>> To: <dest>\n Hi,\n The IP <ip> has just been banned by Fail2Ban after <failures> attempts against <name>.\n\n - Here is more information about <ip>:\n + Here is more information about <ip> :\n `/usr/bin/whois <ip> || echo missing whois program`\n Regards,\n Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest> diff --git a/config/action.d/sendmail.conf b/config/action.d/sendmail.conf index 4b088dc8..5f5670c3 100644 --- a/config/action.d/sendmail.conf +++ b/config/action.d/sendmail.conf @@ -17,7 +17,7 @@ before = sendmail-common.conf # Values: CMD # actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n` - Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"` + Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` From: <sendername> <<sender>> To: <dest>\n Hi,\n diff --git a/config/action.d/shorewall-ipset-proto6.conf b/config/action.d/shorewall-ipset-proto6.conf new file mode 100644 index 00000000..1ebcfb01 --- /dev/null +++ b/config/action.d/shorewall-ipset-proto6.conf @@ -0,0 +1,85 @@ +# Fail2Ban configuration file +# +# Author: Eduardo Diaz +# +# This is for ipset protocol 6 (and hopefully later) (ipset v6.14). +# for shorewall +# +# Use this setting in jail.conf to modify use this action instead of a +# default one +# +# banaction = shorewall-ipset-proto6 +# +# This requires the program ipset which is normally in package called ipset. +# +# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 +# kernels, and you need Shorewall >= 4.5.5 to use this action. +# +# The default Shorewall configuration is with "BLACKLISTNEWONLY=Yes" (see +# file /etc/shorewall/shorewall.conf). This means that when Fail2ban adds a +# new shorewall rule to ban an IP address, that rule will affect only new +# connections. So if the attacker goes on trying using the same connection +# he could even log in. In order to get the same behavior of the iptable +# action (so that the ban is immediate) the /etc/shorewall/shorewall.conf +# file should me modified with "BLACKLISTNEWONLY=No". +# +# +# Enable shorewall to use a blacklist using iptables creating a file +# /etc/shorewall/blrules and adding "DROP net:+f2b-ssh all" and +# similar lines for every jail. To enable restoring you ipset you +# must set SAVE_IPSETS=Yes in shorewall.conf . You can read more +# about ipsets handling in Shorewall at http://shorewall.net/ipsets.html +# +# To force creation of the ipset in the case that somebody deletes the +# ipset create a file /etc/shorewall/initdone and add one line for +# every ipset (this files are in Perl) and add 1 at the end of the file. +# The example: +# system("/usr/sbin/ipset -quiet -exist create f2b-ssh hash:ip timeout 600 "); +# 1; +# +# To destroy the ipset in shorewall you must add to the file /etc/shorewall/stopped +# # One line of every ipset +# system("/usr/sbin/ipset -quiet destroy f2b-ssh "); +# 1; # This must go to the end of the file if not shorewall compilation fails +# + + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = if ! ipset -quiet -name list f2b-<name> >/dev/null; + then ipset -quiet -exist create f2b-<name> hash:ip timeout <bantime>; + fi + +# Option: actionstop +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = ipset flush f2b-<name> + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionban = ipset add f2b-<name> <ip> timeout <bantime> -exist + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = ipset del f2b-<name> <ip> -exist + +[Init] + +# Option: bantime +# Notes: specifies the bantime in seconds (handled internally rather than by fail2ban) +# Values: [ NUM ] Default: 600 +# +bantime = 600 diff --git a/config/action.d/smtp.py b/config/action.d/smtp.py index 86857616..2429cf48 100644 --- a/config/action.d/smtp.py +++ b/config/action.d/smtp.py @@ -68,6 +68,7 @@ Matches for %(ip)s for jail %(jailname)s: %(ipjailmatches)s """ + class SMTPAction(ActionBase): """Fail2Ban action which sends emails to inform on jail starting, stopping and bans. diff --git a/config/action.d/symbiosis-blacklist-allports.conf b/config/action.d/symbiosis-blacklist-allports.conf index c4979302..c24a8e0a 100644 --- a/config/action.d/symbiosis-blacklist-allports.conf +++ b/config/action.d/symbiosis-blacklist-allports.conf @@ -3,6 +3,9 @@ # Author: Yaroslav Halchenko # +[INCLUDES] + +before = iptables-common.conf [Definition] @@ -22,21 +25,21 @@ actionstop = # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L <chain> +actioncheck = <iptables> -n -L <chain> # Option: actionban # Notes.: command executed when banning an IP. # Values: CMD # actionban = echo 'all' >| /etc/symbiosis/firewall/blacklist.d/<ip>.auto - iptables -I <chain> 1 -s <ip> -j <blocktype> + <iptables> -I <chain> 1 -s <ip> -j <blocktype> # Option: actionunban # Notes.: command executed when unbanning an IP. # Values: CMD # actionunban = rm -f /etc/symbiosis/firewall/blacklist.d/<ip>.auto - iptables -D <chain> -s <ip> -j <blocktype> || : + <iptables> -D <chain> -s <ip> -j <blocktype> || : [Init] diff --git a/config/action.d/xarf-login-attack.conf b/config/action.d/xarf-login-attack.conf index 19b3167f..3ab73817 100644 --- a/config/action.d/xarf-login-attack.conf +++ b/config/action.d/xarf-login-attack.conf @@ -1,7 +1,7 @@ # Fail2Ban action for sending xarf Login-Attack messages to IP owner # -# IMPORTANT: -# +# IMPORTANT: +# # Emailing a IP owner of abuse is a serious complain. Make sure that it is # serious. Fail2ban developers and network owners recommend you only use this # action for: @@ -46,7 +46,7 @@ actionban = oifs=${IFS}; IFS=.;SEP_IP=( <ip> ); set -- ${SEP_IP}; ADDRESSES=$(di REPORTID=<time>@`uname -n` TLP=<tlp> PORT=<port> - DATE=`LC_TIME=C date --date=@<time> +"%%a, %%d %%h %%Y %%T %%z"` + DATE=`LC_ALL=C date --date=@<time> +"%%a, %%d %%h %%Y %%T %%z"` if [ ! -z "$ADDRESSES" ]; then (printf -- %%b "<header>\n<message>\n<report>\n"; date '+Note: Local timezone is %%z (%%Z)'; @@ -70,7 +70,7 @@ footer = \n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e-- report = --Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8; name=\"report.txt\";\n\n---\nReported-From: $FROM\nCategory: abuse\nReport-ID: $REPORTID\nReport-Type: login-attack\nService: $SERVICE\nVersion: 0.2\nUser-Agent: Fail2ban v0.9\nDate: $DATE\nSource-Type: ip-address\nSource: $IP\nPort: $PORT\nSchema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment: text/plain\nOccurances: $FAILURES\nTLP: $TLP\n\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf8; name=\"logfile.log\"; # Option: Message -# Notes: This can be modified by the users +# Notes: This can be modified by the users message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to abusix.com is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)\n\n This mail was generated by Fail2Ban in a X-ARF format! You can find more information about x-arf at http://www.x-arf.org/specification.html.\n\nThe recipient address of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information which we pass out, derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email (info@abusix.com). Information about the Abuse Contact Database can be found here: https://abusix.com/global-reporting/abuse-contact-db\nabusix.com is neither responsible nor liable for the content or accuracy of this message.\n # Option: loglines @@ -97,7 +97,7 @@ mailargs = -f <sender> # Option: tlp # Notes.: Traffic light protocol defining the sharing of this information. # http://www.trusted-introducer.org/ISTLPv11.pdf -# green is share to those involved in network security but it is not +# green is share to those involved in network security but it is not # to be released to the public. tlp = green diff --git a/config/filter.d/apache-badbots.conf b/config/filter.d/apache-badbots.conf index b2ac9626..75c0de03 100644 --- a/config/filter.d/apache-badbots.conf +++ b/config/filter.d/apache-badbots.conf @@ -10,7 +10,7 @@ badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots, +http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00 -failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$ +failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$ ignoreregex = diff --git a/config/filter.d/apache-pass.conf b/config/filter.d/apache-pass.conf new file mode 100644 index 00000000..dd00f953 --- /dev/null +++ b/config/filter.d/apache-pass.conf @@ -0,0 +1,20 @@ +# Fail2Ban Apache pass filter +# This filter is for access.log, NOT for error.log +# +# The knocking request must have a referer. + +[INCLUDES] + +before = apache-common.conf + +[Definition] + +failregex = ^<HOST> - \w+ \[\] "GET <knocking_url> HTTP/1\.[01]" 200 \d+ ".*" "[^-].*"$ + +ignoreregex = + +[Init] + +knocking_url = /knocking/ + +# Author: Viktor Szépe diff --git a/config/filter.d/asterisk.conf b/config/filter.d/asterisk.conf index 76997a19..b446c44e 100644 --- a/config/filter.d/asterisk.conf +++ b/config/filter.d/asterisk.conf @@ -13,6 +13,8 @@ _daemon = asterisk __pid_re = (?:\[\d+\]) +iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4} + # All Asterisk log messages begin like this: log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)? @@ -23,7 +25,7 @@ failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s hacking attempt detected '<HOST>'$ - ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$ + ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$ ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$ ignoreregex = diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf index b6645b89..856c220e 100644 --- a/config/filter.d/dovecot.conf +++ b/config/filter.d/dovecot.conf @@ -12,7 +12,7 @@ _daemon = (auth|dovecot(-auth)?|auth-worker) failregex = ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$ ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$ ^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$ - ^%(__prefix_line)sauth-worker\(\d+\): pam\(\S+,<HOST>\): unknown user\s*$ + ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$ ignoreregex = diff --git a/config/filter.d/froxlor-auth.conf b/config/filter.d/froxlor-auth.conf new file mode 100644 index 00000000..04003263 --- /dev/null +++ b/config/filter.d/froxlor-auth.conf @@ -0,0 +1,37 @@ +# Fail2Ban configuration file to block repeated failed login attempts to Frolor installation(s) +# +# Froxlor needs to log to Syslog User (e.g. /var/log/user.log) with one of the following messages +# <syslog prefix> Froxlor: [Login Action <HOST>] Unknown user '<USER>' tried to login. +# <syslog prefix> Froxlor: [Login Action <HOST>] User '<USER>' tried to login with wrong password. +# +# Author: Joern Muehlencord +# + +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + + +[Definition] + +_daemon = Froxlor + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "<HOST>" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) +# Values: TEXT +# +failregex = ^%(__prefix_line)s\[Login Action <HOST>\] Unknown user \S* tried to login.$ + ^%(__prefix_line)s\[Login Action <HOST>\] User \S* tried to login with wrong password.$ + + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = + diff --git a/config/filter.d/nginx-botsearch.conf b/config/filter.d/nginx-botsearch.conf index 567f2f56..6853e1e8 100644 --- a/config/filter.d/nginx-botsearch.conf +++ b/config/filter.d/nginx-botsearch.conf @@ -8,8 +8,8 @@ before = botsearch-common.conf [Definition] -failregex = ^<HOST> \- \S+ \[\] \"(GET|POST) \/<block> \S+\" 404 .+$ - ^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: <HOST>\, server\: \S*\, request: \"(GET|POST) \/<block> \S+\"\, .*?$ +failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$ + ^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: <HOST>\, server\: \S*\, request: \"(GET|POST|HEAD) \/<block> \S+\"\, .*?$ ignoreregex = diff --git a/config/filter.d/proftpd.conf b/config/filter.d/proftpd.conf index ac714cc1..4bc0ba01 100644 --- a/config/filter.d/proftpd.conf +++ b/config/filter.d/proftpd.conf @@ -2,6 +2,9 @@ # # Set "UseReverseDNS off" in proftpd.conf to avoid the need for DNS. # See: http://www.proftpd.org/docs/howto/DNS.html +# When the default locale for your system is not en_US.UTF-8 +# on Debian-based systems be sure to add this to /etc/default/proftpd +# export LC_TIME="en_US.UTF-8" [INCLUDES] diff --git a/config/filter.d/roundcube-auth.conf b/config/filter.d/roundcube-auth.conf index 19e921e8..886cf2d6 100644 --- a/config/filter.d/roundcube-auth.conf +++ b/config/filter.d/roundcube-auth.conf @@ -1,6 +1,10 @@ # Fail2Ban configuration file for roundcube web server # +# By default failed logins are printed to 'errors'. The first regex matches those +# The second regex matches those printed to 'userlogins' +# The userlogins log file can be enabled by setting $config['log_logins'] = true; in config.inc.php # +# The logpath in your jail can be updated to userlogins if you wish # [INCLUDES] @@ -9,7 +13,8 @@ before = common.conf [Definition] -failregex = ^\s*(\[\])?(%(__hostname)s roundcube: IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$ +failregex = ^\s*(\[\])?(%(__hostname)s\s*(roundcube:)?\s*(<[\w]+>)? IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$ + ^\[\]:\s*(<[\w]+>)? Failed login for [\w\-\.\+]+(@[\w\-\.\+]+\.[a-zA-Z]{2,6})? from <HOST> in session \w+( \(error: \d\))?$ ignoreregex = # DEV Notes: @@ -26,4 +31,4 @@ ignoreregex = # arbitrary user input and IMAP response doesn't inject the wrong IP for # fail2ban # -# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge & Daniel Black +# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge & Daniel Black & Lee Clemens diff --git a/config/jail.conf b/config/jail.conf index 732aeab9..f545ff13 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -174,6 +174,10 @@ action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(por action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"] +# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines +# to the destemail. +action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] + %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] # Report block via blocklist.de fail2ban reporting service API # @@ -344,7 +348,7 @@ logpath = %(lighttpd_error_log)s [roundcube-auth] port = http,https -logpath = /var/log/roundcube/userlogins +logpath = logpath = %(roundcube_errors_log)s [openwebmail] @@ -408,6 +412,12 @@ port = 10000 logpath = %(syslog_authpriv)s +[froxlor-auth] + +port = http,https +logpath = %(syslog_authpriv)s + + # # HTTP Proxy servers # @@ -424,6 +434,7 @@ logpath = /var/log/squid/access.log port = 3128 logpath = /var/log/3proxy.log + # # FTP servers # @@ -756,3 +767,16 @@ port = 2222 enabled = false logpath = /var/lib/portsentry/portsentry.history maxretry = 1 + +[pass2allow-ftp] +# this pass2allow example allows FTP traffic after successful HTTP authentication +port = ftp,ftp-data,ftps,ftps-data +# knocking_url variable must be overridden to some secret value in filter.d/apache-pass.local +filter = apache-pass +# access log of the website with HTTP auth +logpath = %(apache_access_log)s +blocktype = RETURN +returntype = DROP +bantime = 3600 +maxretry = 1 +findtime = 1 diff --git a/config/paths-common.conf b/config/paths-common.conf index 837d339a..bf3cfb6a 100644 --- a/config/paths-common.conf +++ b/config/paths-common.conf @@ -62,5 +62,7 @@ solidpop3d_log = %(syslog_local0)s mysql_log = %(syslog_daemon)s +roundcube_errors_log = /var/log/roundcube/errors + # Directory with ignorecommand scripts ignorecommands_dir = /etc/fail2ban/filter.d/ignorecommands diff --git a/config/paths-debian.conf b/config/paths-debian.conf index eff4fdae..4c27dac8 100644 --- a/config/paths-debian.conf +++ b/config/paths-debian.conf @@ -35,6 +35,3 @@ exim_main_log = /var/log/exim4/mainlog # was in debian squeezy but not in wheezy # /etc/proftpd/proftpd.conf (SystemLog) proftpd_log = /var/log/proftpd/proftpd.log - - - diff --git a/config/paths-fedora.conf b/config/paths-fedora.conf index cc574b39..c5601d3c 100644 --- a/config/paths-fedora.conf +++ b/config/paths-fedora.conf @@ -35,3 +35,5 @@ apache_access_log = /var/log/httpd/*access_log exim_main_log = /var/log/exim/main.log mysql_log = /var/lib/mysql/mysqld.log + +roundcube_errors_log = /var/log/roundcubemail/errors diff --git a/fail2ban/__init__.py b/fail2ban/__init__.py index b7906099..cd92dbab 100644 --- a/fail2ban/__init__.py +++ b/fail2ban/__init__.py @@ -37,6 +37,7 @@ Below derived from: logging.NOTICE = logging.INFO + 5 logging.addLevelName(logging.NOTICE, 'NOTICE') + # define a new logger function for notice # this is exactly like existing info, critical, debug...etc def _Logger_notice(self, msg, *args, **kwargs): @@ -53,6 +54,7 @@ def _Logger_notice(self, msg, *args, **kwargs): logging.Logger.notice = _Logger_notice + # define a new root level notice function # this is exactly like existing info, critical, debug...etc def _root_notice(msg, *args, **kwargs): diff --git a/fail2ban/client/actionreader.py b/fail2ban/client/actionreader.py index 8022ecc1..c80b230e 100644 --- a/fail2ban/client/actionreader.py +++ b/fail2ban/client/actionreader.py @@ -32,6 +32,7 @@ from ..helpers import getLogger # Gets the instance of the logger. logSys = getLogger(__name__) + class ActionReader(DefinitionInitConfigReader): _configOpts = [ diff --git a/fail2ban/client/beautifier.py b/fail2ban/client/beautifier.py index cbe4d327..812fbe65 100644 --- a/fail2ban/client/beautifier.py +++ b/fail2ban/client/beautifier.py @@ -27,6 +27,7 @@ from ..helpers import getLogger # Gets the instance of the logger. logSys = getLogger(__name__) + ## # Beautify the output of the client. # @@ -34,18 +35,19 @@ logSys = getLogger(__name__) # converted into user readable messages. class Beautifier: - + def __init__(self, cmd = None): self.__inputCmd = cmd def setInputCmd(self, cmd): self.__inputCmd = cmd - + def getInputCmd(self): return self.__inputCmd - + def beautify(self, response): - logSys.debug("Beautify " + `response` + " with " + `self.__inputCmd`) + logSys.debug( + "Beautify " + repr(response) + " with " + repr(self.__inputCmd)) inC = self.__inputCmd msg = response try: @@ -102,7 +104,7 @@ class Beautifier: elif response == 4: msg = msg + "DEBUG" else: - msg = msg + `response` + msg = msg + repr(response) elif inC[1] == "dbfile": if response is None: msg = "Database currently disabled" @@ -183,13 +185,14 @@ class Beautifier: msg += ", ".join(response) except Exception: logSys.warning("Beautifier error. Please report the error") - logSys.error("Beautify " + `response` + " with " + `self.__inputCmd` + - " failed") - msg = msg + `response` + logSys.error("Beautify " + repr(response) + " with " + + repr(self.__inputCmd) + " failed") + msg = msg + repr(response) return msg def beautifyError(self, response): - logSys.debug("Beautify (error) " + `response` + " with " + `self.__inputCmd`) + logSys.debug("Beautify (error) " + repr(response) + " with " + + repr(self.__inputCmd)) msg = response if isinstance(response, UnknownJailException): msg = "Sorry but the jail '" + response.args[0] + "' does not exist" diff --git a/fail2ban/client/configparserinc.py b/fail2ban/client/configparserinc.py index 387f0f2c..7bbc7886 100644 --- a/fail2ban/client/configparserinc.py +++ b/fail2ban/client/configparserinc.py @@ -24,7 +24,8 @@ __author__ = 'Yaroslav Halhenko' __copyright__ = 'Copyright (c) 2007 Yaroslav Halchenko' __license__ = 'GPL' -import os, sys +import os +import sys from ..helpers import getLogger if sys.version_info >= (3,2): # pragma: no cover @@ -66,6 +67,7 @@ logLevel = 7 __all__ = ['SafeConfigParserWithIncludes'] + class SafeConfigParserWithIncludes(SafeConfigParser): """ Class adds functionality to SafeConfigParser to handle included diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py index ed1fbcde..d5675cc8 100644 --- a/fail2ban/client/configreader.py +++ b/fail2ban/client/configreader.py @@ -24,7 +24,8 @@ __author__ = "Cyril Jaquier" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" -import glob, os +import glob +import os from ConfigParser import NoOptionError, NoSectionError from .configparserinc import SafeConfigParserWithIncludes, logLevel @@ -33,6 +34,7 @@ from ..helpers import getLogger # Gets the instance of the logger. logSys = getLogger(__name__) + class ConfigReader(): """Generic config reader class. @@ -135,6 +137,7 @@ class ConfigReader(): return self._cfg.getOptions(*args, **kwargs) return {} + class ConfigReaderUnshared(SafeConfigParserWithIncludes): """Unshared config reader (previously ConfigReader). @@ -186,7 +189,7 @@ class ConfigReaderUnshared(SafeConfigParserWithIncludes): if config_files_read: return True logSys.error("Found no accessible config files for %r under %s", - ( filename, self.getBaseDir() )) + filename, self.getBaseDir()) return False else: logSys.error("Found no accessible config files for %r " % filename @@ -232,10 +235,11 @@ class ConfigReaderUnshared(SafeConfigParserWithIncludes): logSys.log(logLevel, "Non essential option '%s' not defined in '%s'.", option[1], sec) except ValueError: logSys.warning("Wrong value for '" + option[1] + "' in '" + sec + - "'. Using default one: '" + `option[2]` + "'") + "'. Using default one: '" + repr(option[2]) + "'") values[option[1]] = option[2] return values + class DefinitionInitConfigReader(ConfigReader): """Config reader for files with options grouped in [Definition] and [Init] sections. @@ -281,7 +285,7 @@ class DefinitionInitConfigReader(ConfigReader): if self.has_section("Init"): for opt in self.options("Init"): - if not self._initOpts.has_key(opt): + if not opt in self._initOpts: self._initOpts[opt] = self.get("Init", opt) def convert(self): diff --git a/fail2ban/client/configurator.py b/fail2ban/client/configurator.py index 8667501c..3b9845b6 100644 --- a/fail2ban/client/configurator.py +++ b/fail2ban/client/configurator.py @@ -31,6 +31,7 @@ from ..helpers import getLogger # Gets the instance of the logger. logSys = getLogger(__name__) + class Configurator: def __init__(self, force_enable=False, share_config=None): diff --git a/fail2ban/client/csocket.py b/fail2ban/client/csocket.py index 921b0de5..2e22e5ee 100644 --- a/fail2ban/client/csocket.py +++ b/fail2ban/client/csocket.py @@ -26,43 +26,42 @@ __license__ = "GPL" #from cPickle import dumps, loads, HIGHEST_PROTOCOL from pickle import dumps, loads, HIGHEST_PROTOCOL -import socket, sys - -if sys.version_info >= (3,): - # b"" causes SyntaxError in python <= 2.5, so below implements equivalent - EMPTY_BYTES = bytes("", encoding="ascii") -else: - # python 2.x, string type is equivalent to bytes. - EMPTY_BYTES = "" +from ..protocol import CSPROTO +import socket +import sys class CSocket: - if sys.version_info >= (3,): - END_STRING = bytes("<F2B_END_COMMAND>", encoding='ascii') - else: - END_STRING = "<F2B_END_COMMAND>" - - def __init__(self, sock = "/var/run/fail2ban/fail2ban.sock"): + def __init__(self, sock="/var/run/fail2ban/fail2ban.sock"): # Create an INET, STREAMing socket #self.csock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) self.__csock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) #self.csock.connect(("localhost", 2222)) self.__csock.connect(sock) + + def __del__(self): + self.close(False) def send(self, msg): # Convert every list member to string obj = dumps([str(m) for m in msg], HIGHEST_PROTOCOL) - self.__csock.send(obj + CSocket.END_STRING) - ret = self.receive(self.__csock) + self.__csock.send(obj + CSPROTO.END) + return self.receive(self.__csock) + + def close(self, sendEnd=True): + if not self.__csock: + return + if sendEnd: + self.__csock.sendall(CSPROTO.CLOSE + CSPROTO.END) self.__csock.close() - return ret + self.__csock = None @staticmethod def receive(sock): - msg = EMPTY_BYTES - while msg.rfind(CSocket.END_STRING) == -1: + msg = CSPROTO.EMPTY + while msg.rfind(CSPROTO.END) == -1: chunk = sock.recv(6) if chunk == '': - raise RuntimeError, "socket connection broken" + raise RuntimeError("socket connection broken") msg = msg + chunk return loads(msg) diff --git a/fail2ban/client/fail2banreader.py b/fail2ban/client/fail2banreader.py index c2f71d06..709f4b5d 100644 --- a/fail2ban/client/fail2banreader.py +++ b/fail2ban/client/fail2banreader.py @@ -30,6 +30,7 @@ from ..helpers import getLogger # Gets the instance of the logger. logSys = getLogger(__name__) + class Fail2banReader(ConfigReader): def __init__(self, **kwargs): @@ -52,18 +53,14 @@ class Fail2banReader(ConfigReader): self.__opts = ConfigReader.getOptions(self, "Definition", opts) def convert(self): + # Ensure logtarget/level set first so any db errors are captured + # Also dbfile should be set before all other database options. + # So adding order indices into items, to be stripped after sorting, upon return + order = {"syslogsocket":0, "loglevel":1, "logtarget":2, + "dbfile":50, "dbpurgeage":51} stream = list() for opt in self.__opts: - if opt == "loglevel": - stream.append(["set", "loglevel", self.__opts[opt]]) - elif opt == "logtarget": - stream.append(["set", "logtarget", self.__opts[opt]]) - elif opt == "syslogsocket": - stream.append(["set", "syslogsocket", self.__opts[opt]]) - elif opt == "dbfile": - stream.append(["set", "dbfile", self.__opts[opt]]) - elif opt == "dbpurgeage": - stream.append(["set", "dbpurgeage", self.__opts[opt]]) - # Ensure logtarget/level set first so any db errors are captured - return sorted(stream, reverse=True) + if opt in order: + stream.append((order[opt], ["set", opt, self.__opts[opt]])) + return [opt[1] for opt in sorted(stream)] diff --git a/fail2ban/client/filterreader.py b/fail2ban/client/filterreader.py index debd4e28..318c8c9a 100644 --- a/fail2ban/client/filterreader.py +++ b/fail2ban/client/filterreader.py @@ -24,7 +24,8 @@ __author__ = "Cyril Jaquier" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" -import os, shlex +import os +import shlex from .configreader import DefinitionInitConfigReader from ..server.action import CommandAction @@ -33,6 +34,7 @@ from ..helpers import getLogger # Gets the instance of the logger. logSys = getLogger(__name__) + class FilterReader(DefinitionInitConfigReader): _configOpts = [ diff --git a/fail2ban/client/jailreader.py b/fail2ban/client/jailreader.py index 340508c0..6d0fddfa 100644 --- a/fail2ban/client/jailreader.py +++ b/fail2ban/client/jailreader.py @@ -24,8 +24,10 @@ __author__ = "Cyril Jaquier" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" -import re, glob, os.path +import glob import json +import os.path +import re from .configreader import ConfigReaderUnshared, ConfigReader from .filterreader import FilterReader @@ -35,6 +37,7 @@ from ..helpers import getLogger # Gets the instance of the logger. logSys = getLogger(__name__) + class JailReader(ConfigReader): optionCRE = re.compile("^((?:\w|-|_|\.)+)(?:\[(.*)\])?$") diff --git a/fail2ban/client/jailsreader.py b/fail2ban/client/jailsreader.py index 40255ce7..09725ec9 100644 --- a/fail2ban/client/jailsreader.py +++ b/fail2ban/client/jailsreader.py @@ -31,6 +31,7 @@ from ..helpers import getLogger # Gets the instance of the logger. logSys = getLogger(__name__) + class JailsReader(ConfigReader): def __init__(self, force_enable=False, **kwargs): @@ -50,6 +51,7 @@ class JailsReader(ConfigReader): return self.__jails def read(self): + self.__jails = list() return ConfigReader.read(self, "jail") def getOptions(self, section=None): diff --git a/fail2ban/exceptions.py b/fail2ban/exceptions.py index a7fe5ccc..03936b8e 100644 --- a/fail2ban/exceptions.py +++ b/fail2ban/exceptions.py @@ -23,12 +23,14 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko" __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2012 Yaroslav Halchenko" __license__ = "GPL" + # # Jails # class DuplicateJailException(Exception): pass + class UnknownJailException(KeyError): pass diff --git a/fail2ban/helpers.py b/fail2ban/helpers.py index cecd3f31..f5c3163a 100644 --- a/fail2ban/helpers.py +++ b/fail2ban/helpers.py @@ -26,11 +26,13 @@ import traceback import re import logging + def formatExceptionInfo(): """ Consistently format exception information """ cla, exc = sys.exc_info()[:2] return (cla.__name__, str(exc)) + # # Following "traceback" functions are adopted from PyMVPA distributed # under MIT/Expat and copyright by PyMVPA developers (i.e. me and @@ -49,6 +51,7 @@ def mbasename(s): base = os.path.basename(os.path.dirname(s)) + '.' + base return base + class TraceBack(object): """Customized traceback to be included in debug messages """ @@ -94,6 +97,7 @@ class TraceBack(object): return sftb + class FormatterWithTraceBack(logging.Formatter): """Custom formatter which expands %(tb) and %(tbc) with tracebacks @@ -108,6 +112,7 @@ class FormatterWithTraceBack(logging.Formatter): record.tbc = record.tb = self._tb() return logging.Formatter.format(self, record) + def getLogger(name): """Get logging.Logger instance with Fail2Ban logger name convention """ @@ -115,6 +120,7 @@ def getLogger(name): name = "fail2ban.%s" % name.rpartition(".")[-1] return logging.getLogger(name) + def excepthook(exctype, value, traceback): """Except hook used to log unhandled exceptions to Fail2Ban log """ diff --git a/fail2ban/protocol.py b/fail2ban/protocol.py index 9218b736..2cace91f 100644 --- a/fail2ban/protocol.py +++ b/fail2ban/protocol.py @@ -29,6 +29,16 @@ import textwrap ## # Describes the protocol used to communicate with the server. +class dotdict(dict): + def __getattr__(self, name): + return self[name] + +CSPROTO = dotdict({ + "EMPTY": b"", + "END": b"<F2B_END_COMMAND>", + "CLOSE": b"<F2B_CLOSE_COMMAND>" +}) + protocol = [ ['', "BASIC", ""], ["start", "starts the server and the jails"], @@ -119,6 +129,7 @@ protocol = [ ["get <JAIL> action <ACT> <PROPERTY>", "gets the value of <PROPERTY> for the action <ACT> for <JAIL>"], ] + ## # Prints the protocol in a "man" format. This is used for the # "-h" output of fail2ban-client. @@ -143,6 +154,7 @@ def printFormatted(): line = ' ' * (INDENT + MARGIN) + n.strip() print line + ## # Prints the protocol in a "mediawiki" format. @@ -159,6 +171,7 @@ def printWiki(): print "| <span style=\"white-space:nowrap;\"><tt>" + m[0] + "</tt></span> || || " + m[1] print "|}" + def __printWikiHeader(section, desc): print print "=== " + section + " ===" diff --git a/fail2ban/server/action.py b/fail2ban/server/action.py index 8e0cd97f..c58fde2c 100644 --- a/fail2ban/server/action.py +++ b/fail2ban/server/action.py @@ -21,8 +21,14 @@ __author__ = "Cyril Jaquier and Fail2Ban Contributors" __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2012 Yaroslav Halchenko" __license__ = "GPL" -import logging, os, subprocess, time, signal, tempfile -import threading, re +import logging +import os +import re +import signal +import subprocess +import tempfile +import threading +import time from abc import ABCMeta from collections import MutableMapping @@ -49,6 +55,7 @@ _RETCODE_HINTS = { signame = dict((num, name) for name, num in signal.__dict__.iteritems() if name.startswith("SIG")) + class CallingMap(MutableMapping): """A Mapping type which returns the result of callable values. @@ -94,6 +101,7 @@ class CallingMap(MutableMapping): def copy(self): return self.__class__(self.data.copy()) + class ActionBase(object): """An abstract base class for actions in Fail2Ban. @@ -176,6 +184,7 @@ class ActionBase(object): """ pass + class CommandAction(ActionBase): """A action which executes OS shell commands. @@ -400,7 +409,7 @@ class CommandAction(ActionBase): # recursive definitions are bad #logSys.log(5, 'recursion fail tag: %s value: %s' % (tag, value) ) return False - if found_tag in cls._escapedTags or not tags.has_key(found_tag): + if found_tag in cls._escapedTags or not found_tag in tags: # Escaped or missing tags - just continue on searching after end of match # Missing tags are ok - cInfo can contain aInfo elements like <HOST> and valid shell # constructs like <STDIN>. @@ -516,10 +525,10 @@ class CommandAction(ActionBase): realCmd = self.replaceTag(cmd, aInfo) else: realCmd = cmd - + # Replace static fields realCmd = self.replaceTag(realCmd, self._properties) - + return self.executeCmd(realCmd, self.timeout) @staticmethod @@ -549,14 +558,16 @@ class CommandAction(ActionBase): if not realCmd: logSys.debug("Nothing to do") return True - + _cmd_lock.acquire() try: # Try wrapped within another try needed for python version < 2.5 stdout = tempfile.TemporaryFile(suffix=".stdout", prefix="fai2ban_") stderr = tempfile.TemporaryFile(suffix=".stderr", prefix="fai2ban_") try: popen = subprocess.Popen( - realCmd, stdout=stdout, stderr=stderr, shell=True) + realCmd, stdout=stdout, stderr=stderr, shell=True, + preexec_fn=os.setsid # so that killpg does not kill our process + ) stime = time.time() retcode = popen.poll() while time.time() - stime <= timeout and retcode is None: @@ -565,11 +576,12 @@ class CommandAction(ActionBase): if retcode is None: logSys.error("%s -- timed out after %i seconds." % (realCmd, timeout)) - os.kill(popen.pid, signal.SIGTERM) # Terminate the process + pgid = os.getpgid(popen.pid) + os.killpg(pgid, signal.SIGTERM) # Terminate the process time.sleep(0.1) retcode = popen.poll() if retcode is None: # Still going... - os.kill(popen.pid, signal.SIGKILL) # Kill the process + os.killpg(pgid, signal.SIGKILL) # Kill the process time.sleep(0.1) retcode = popen.poll() except OSError, e: @@ -602,4 +614,4 @@ class CommandAction(ActionBase): % (retcode, msg % locals())) return False raise RuntimeError("Command execution failed: %s" % realCmd) - + diff --git a/fail2ban/server/actions.py b/fail2ban/server/actions.py index 3a1c9579..b4612f8c 100644 --- a/fail2ban/server/actions.py +++ b/fail2ban/server/actions.py @@ -24,9 +24,10 @@ __author__ = "Cyril Jaquier" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" -import time, logging +import logging import os import sys +import time if sys.version_info >= (3, 3): import importlib.machinery else: @@ -46,6 +47,7 @@ from ..helpers import getLogger # Gets the instance of the logger. logSys = getLogger(__name__) + class Actions(JailThread, Mapping): """Handles jail actions. @@ -192,13 +194,14 @@ class Actions(JailThread, Mapping): ValueError If `ip` is not banned """ + # Always delete ip from database (also if currently not banned) + if self._jail.database is not None: + self._jail.database.delBan(self._jail, ip) # Find the ticket with the IP. ticket = self.__banManager.getTicketByIP(ip) if ticket is not None: # Unban the IP. self.__unBan(ticket) - if self._jail.database is not None: - self._jail.database.delBan(self._jail, ticket) else: raise ValueError("IP %s is not banned" % ip) @@ -294,7 +297,7 @@ class Actions(JailThread, Mapping): True if an IP address get banned. """ ticket = self._jail.getFailTicket() - if ticket != False: + if ticket: aInfo = CallingMap() bTicket = BanManager.createBanTicket(ticket) ip = bTicket.getIP() diff --git a/fail2ban/server/asyncserver.py b/fail2ban/server/asyncserver.py index 8f5423b9..a9be0ae2 100644 --- a/fail2ban/server/asyncserver.py +++ b/fail2ban/server/asyncserver.py @@ -25,20 +25,20 @@ __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" from pickle import dumps, loads, HIGHEST_PROTOCOL -import asyncore, asynchat, socket, os, sys, traceback, fcntl - +import asynchat +import asyncore +import fcntl +import os +import socket +import sys +import traceback + +from ..protocol import CSPROTO from ..helpers import getLogger,formatExceptionInfo # Gets the instance of the logger. logSys = getLogger(__name__) -if sys.version_info >= (3,): - # b"" causes SyntaxError in python <= 2.5, so below implements equivalent - EMPTY_BYTES = bytes("", encoding="ascii") -else: - # python 2.x, string type is equivalent to bytes. - EMPTY_BYTES = "" - ## # Request handler class. # @@ -47,17 +47,12 @@ else: class RequestHandler(asynchat.async_chat): - if sys.version_info >= (3,): - END_STRING = bytes("<F2B_END_COMMAND>", encoding="ascii") - else: - END_STRING = "<F2B_END_COMMAND>" - def __init__(self, conn, transmitter): asynchat.async_chat.__init__(self, conn) self.__transmitter = transmitter self.__buffer = [] # Sets the terminator. - self.set_terminator(RequestHandler.END_STRING) + self.set_terminator(CSPROTO.END) def collect_incoming_data(self, data): #logSys.debug("Received raw data: " + str(data)) @@ -69,16 +64,23 @@ class RequestHandler(asynchat.async_chat): # This method is called once we have a complete request. def found_terminator(self): + # Pop whole buffer + message = self.__buffer + self.__buffer = [] # Joins the buffer items. - message = loads(EMPTY_BYTES.join(self.__buffer)) + message = CSPROTO.EMPTY.join(message) + # Closes the channel if close was received + if message == CSPROTO.CLOSE: + self.close_when_done() + return + # Deserialize + message = loads(message) # Gives the message to the transmitter. message = self.__transmitter.proceed(message) # Serializes the response. message = dumps(message, HIGHEST_PROTOCOL) # Sends the response to the client. - self.push(message + RequestHandler.END_STRING) - # Closes the channel. - self.close_when_done() + self.push(message + CSPROTO.END) def handle_error(self): e1, e2 = formatExceptionInfo() @@ -86,6 +88,7 @@ class RequestHandler(asynchat.async_chat): logSys.error(traceback.format_exc().splitlines()) self.close() + ## # Asynchronous server class. # @@ -181,6 +184,7 @@ class AsyncServer(asyncore.dispatcher): flags = fcntl.fcntl(fd, fcntl.F_GETFD) fcntl.fcntl(fd, fcntl.F_SETFD, flags|fcntl.FD_CLOEXEC) + ## # AsyncServerException is used to wrap communication exceptions. diff --git a/fail2ban/server/banmanager.py b/fail2ban/server/banmanager.py index 2b2fd39a..662666b0 100644 --- a/fail2ban/server/banmanager.py +++ b/fail2ban/server/banmanager.py @@ -33,6 +33,7 @@ from ..helpers import getLogger # Gets the instance of the logger. logSys = getLogger(__name__) + ## # Banning Manager. # @@ -270,20 +271,19 @@ class BanManager: return False finally: self.__lock.release() - - + ## # Get the size of the ban list. # # @return the size - + def size(self): try: self.__lock.acquire() return len(self.__banList) finally: self.__lock.release() - + ## # Check if a ticket is in the list. # diff --git a/fail2ban/server/database.py b/fail2ban/server/database.py index 3ce3b2c0..7de87554 100644 --- a/fail2ban/server/database.py +++ b/fail2ban/server/database.py @@ -21,11 +21,12 @@ __author__ = "Steven Hiscocks" __copyright__ = "Copyright (c) 2013 Steven Hiscocks" __license__ = "GPL" -import sys -import shutil, time -import sqlite3 import json import locale +import shutil +import sqlite3 +import sys +import time from functools import wraps from threading import RLock @@ -45,6 +46,7 @@ if sys.version_info >= (3,): logSys.error('json dumps failed: %s', e) x = '{}' return x + def _json_loads_safe(x): try: x = json.loads(x.decode( @@ -63,6 +65,7 @@ else: return x.encode(locale.getpreferredencoding()) else: return x + def _json_dumps_safe(x): try: x = json.dumps(_normalize(x), ensure_ascii=False).decode( @@ -71,6 +74,7 @@ else: logSys.error('json dumps failed: %s', e) x = '{}' return x + def _json_loads_safe(x): try: x = _normalize(json.loads(x.decode( @@ -83,6 +87,7 @@ else: sqlite3.register_adapter(dict, _json_dumps_safe) sqlite3.register_converter("JSON", _json_loads_safe) + def commitandrollback(f): @wraps(f) def wrapper(self, *args, **kwargs): @@ -91,6 +96,7 @@ def commitandrollback(f): return f(self, self._db.cursor(), *args, **kwargs) return wrapper + class Fail2BanDb(object): """Fail2Ban database for storing persistent data. @@ -155,6 +161,7 @@ class Fail2BanDb(object): "CREATE INDEX bans_jail_ip ON bans(jail, ip);" \ "CREATE INDEX bans_ip ON bans(ip);" \ + def __init__(self, filename, purgeAge=24*60*60): try: self._lock = RLock() @@ -411,19 +418,20 @@ class Fail2BanDb(object): "failures": ticket.getAttempt()})) @commitandrollback - def delBan(self, cur, jail, ticket): + def delBan(self, cur, jail, ip): """Delete a ban from the database. Parameters ---------- jail : Jail Jail in which the ban has occurred. - ticket : BanTicket - Ticket of the ban to be removed. + ip : str + IP to be removed. """ + queryArgs = (jail.name, ip); cur.execute( - "DELETE FROM bans WHERE jail = ? AND ip = ? AND timeofban = ?", - (jail.name, ticket.getIP(), int(round(ticket.getTime())))) + "DELETE FROM bans WHERE jail = ? AND ip = ?", + queryArgs); @commitandrollback def _getBans(self, cur, jail=None, bantime=None, ip=None): diff --git a/fail2ban/server/datedetector.py b/fail2ban/server/datedetector.py index fe5282fd..95d368b5 100644 --- a/fail2ban/server/datedetector.py +++ b/fail2ban/server/datedetector.py @@ -29,6 +29,7 @@ from ..helpers import getLogger # Gets the instance of the logger. logSys = getLogger(__name__) + class DateDetector(object): """Manages one or more date templates to find a date within a log line. diff --git a/fail2ban/server/datetemplate.py b/fail2ban/server/datetemplate.py index a5179ed1..bcd17ec1 100644 --- a/fail2ban/server/datetemplate.py +++ b/fail2ban/server/datetemplate.py @@ -154,6 +154,7 @@ class DateEpoch(DateTemplate): return (float(dateMatch.group()), dateMatch) return None + class DatePatternRegex(DateTemplate): """Date template, with regex/pattern @@ -236,6 +237,7 @@ class DatePatternRegex(DateTemplate): if value is not None) return reGroupDictStrptime(groupdict), dateMatch + class DateTai64n(DateTemplate): """A date template which matches TAI64N formate timestamps. diff --git a/fail2ban/server/faildata.py b/fail2ban/server/faildata.py index 91aaa1ee..2dd8d4d8 100644 --- a/fail2ban/server/faildata.py +++ b/fail2ban/server/faildata.py @@ -29,6 +29,7 @@ from ..helpers import getLogger # Gets the instance of the logger. logSys = getLogger(__name__) + class FailData: def __init__(self): diff --git a/fail2ban/server/failmanager.py b/fail2ban/server/failmanager.py index 353f7135..37a5fe55 100644 --- a/fail2ban/server/failmanager.py +++ b/fail2ban/server/failmanager.py @@ -34,6 +34,7 @@ from ..helpers import getLogger # Gets the instance of the logger. logSys = getLogger(__name__) + class FailManager: def __init__(self): @@ -91,7 +92,7 @@ class FailManager: ip = ticket.getIP() unixTime = ticket.getTime() matches = ticket.getMatches() - if self.__failList.has_key(ip): + if ip in self.__failList: fData = self.__failList[ip] if fData.getLastReset() < unixTime - self.__maxTime: fData.setLastReset(unixTime) @@ -136,7 +137,7 @@ class FailManager: self.__lock.release() def __delFailure(self, ip): - if self.__failList.has_key(ip): + if ip in self.__failList: del self.__failList[ip] def toBan(self): @@ -154,5 +155,6 @@ class FailManager: finally: self.__lock.release() + class FailManagerEmpty(Exception): pass diff --git a/fail2ban/server/failregex.py b/fail2ban/server/failregex.py index 28ee8ef5..75e64c46 100644 --- a/fail2ban/server/failregex.py +++ b/fail2ban/server/failregex.py @@ -21,7 +21,10 @@ __author__ = "Cyril Jaquier" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" -import re, sre_constants, sys +import re +import sre_constants +import sys + ## # Regular expression class. @@ -55,6 +58,7 @@ class Regex: except sre_constants.error: raise RegexException("Unable to compile regular expression '%s'" % regex) + def __str__(self): return "%s(%r)" % (self.__class__.__name__, self._regex) ## @@ -91,7 +95,6 @@ class Regex: except ValueError: self._matchLineEnd = len(self._matchCache.string) - lineCount1 = self._matchCache.string.count( "\n", 0, self._matchLineStart) lineCount2 = self._matchCache.string.count( @@ -182,6 +185,7 @@ class Regex: else: return ["".join(line) for line in self._matchedTupleLines] + ## # Exception dedicated to the class Regex. diff --git a/fail2ban/server/filter.py b/fail2ban/server/filter.py index cf0c0e2b..18afb135 100644 --- a/fail2ban/server/filter.py +++ b/fail2ban/server/filter.py @@ -21,7 +21,12 @@ __author__ = "Cyril Jaquier and Fail2Ban Contributors" __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko" __license__ = "GPL" -import re, os, fcntl, sys, locale, codecs +import codecs +import fcntl +import locale +import os +import re +import sys from .failmanager import FailManagerEmpty, FailManager from .ticket import FailTicket @@ -43,6 +48,7 @@ logSys = getLogger(__name__) # that matches a given regular expression. This class is instantiated by # a Jail object. + class Filter(JailThread): ## @@ -81,7 +87,6 @@ class Filter(JailThread): self.dateDetector.addDefaultTemplate() logSys.debug("Created %s" % self) - def __repr__(self): return "%s(%r)" % (self.__class__.__name__, self.jail) @@ -104,7 +109,6 @@ class Filter(JailThread): logSys.error(e) raise e - def delFailRegex(self, index): try: del self.__failRegex[index] @@ -390,7 +394,6 @@ class Filter(JailThread): return False - def processLine(self, line, date=None, returnRawHost=False, checkAllRegex=False): """Split the time portion from log msg and return findFailures on them @@ -576,7 +579,6 @@ class FileFilter(Filter): # to be overridden by backends pass - ## # Delete a log path # @@ -716,6 +718,7 @@ except ImportError: # pragma: no cover import md5 md5sum = md5.new + class FileContainer: def __init__(self, filename, encoding, tail = False): @@ -839,7 +842,9 @@ class JournalFilter(Filter): # pragma: systemd no cover # This class contains only static methods used to handle DNS and IP # addresses. -import socket, struct +import socket +import struct + class DNSUtils: diff --git a/fail2ban/server/filtergamin.py b/fail2ban/server/filtergamin.py index c9e8e31c..1f51744b 100644 --- a/fail2ban/server/filtergamin.py +++ b/fail2ban/server/filtergamin.py @@ -23,7 +23,8 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko" __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2012 Yaroslav Halchenko" __license__ = "GPL" -import time, fcntl +import fcntl +import time import gamin @@ -35,6 +36,7 @@ from ..helpers import getLogger # Gets the instance of the logger. logSys = getLogger(__name__) + ## # Log reader class. # @@ -60,16 +62,14 @@ class FilterGamin(FileFilter): fcntl.fcntl(fd, fcntl.F_SETFD, flags|fcntl.FD_CLOEXEC) logSys.debug("Created FilterGamin") - def callback(self, path, event): - logSys.debug("Got event: " + `event` + " for " + path) + logSys.debug("Got event: " + repr(event) + " for " + path) if event in (gamin.GAMCreated, gamin.GAMChanged, gamin.GAMExists): logSys.debug("File changed: " + path) self.__modified = True self._process_file(path) - def _process_file(self, path): """Process a given file @@ -121,7 +121,6 @@ class FilterGamin(FileFilter): logSys.debug(self.jail.name + ": filter terminated") return True - def stop(self): super(FilterGamin, self).stop() self.__cleanup() diff --git a/fail2ban/server/filterpoll.py b/fail2ban/server/filterpoll.py index f37be431..25c3e119 100644 --- a/fail2ban/server/filterpoll.py +++ b/fail2ban/server/filterpoll.py @@ -24,7 +24,8 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko" __copyright__ = "Copyright (c) 2004 Cyril Jaquier; 2012 Yaroslav Halchenko" __license__ = "GPL" -import time, os +import os +import time from .failmanager import FailManagerEmpty from .filter import FileFilter @@ -34,6 +35,7 @@ from ..helpers import getLogger # Gets the instance of the logger. logSys = getLogger(__name__) + ## # Log reader class. # diff --git a/fail2ban/server/filterpyinotify.py b/fail2ban/server/filterpyinotify.py index 784a7e53..100ad233 100644 --- a/fail2ban/server/filterpyinotify.py +++ b/fail2ban/server/filterpyinotify.py @@ -51,6 +51,7 @@ except Exception, e: # Gets the instance of the logger. logSys = getLogger(__name__) + ## # Log reader class. # @@ -73,7 +74,6 @@ class FilterPyinotify(FileFilter): self.__watches = dict() logSys.debug("Created FilterPyinotify") - def callback(self, event, origin=''): logSys.debug("%sCallback for Event: %s", origin, event) path = event.pathname @@ -95,7 +95,6 @@ class FilterPyinotify(FileFilter): self._process_file(path) - def _process_file(self, path): """Process a given file @@ -112,7 +111,6 @@ class FilterPyinotify(FileFilter): self.dateDetector.sortTemplate() self.__modified = False - def _addFileWatcher(self, path): wd = self.__monitor.add_watch(path, pyinotify.IN_MODIFY) self.__watches.update(wd) @@ -144,7 +142,6 @@ class FilterPyinotify(FileFilter): self._addFileWatcher(path) self._process_file(path) - ## # Delete a log path # @@ -163,7 +160,6 @@ class FilterPyinotify(FileFilter): self.__monitor.rm_watch(wdInt) logSys.debug("Removed monitor for the parent directory %s", path_dir) - ## # Main loop. # diff --git a/fail2ban/server/filtersystemd.py b/fail2ban/server/filtersystemd.py index d1150c57..d0ebec95 100644 --- a/fail2ban/server/filtersystemd.py +++ b/fail2ban/server/filtersystemd.py @@ -22,7 +22,8 @@ __author__ = "Steven Hiscocks" __copyright__ = "Copyright (c) 2013 Steven Hiscocks" __license__ = "GPL" -import datetime, time +import datetime +import time from distutils.version import LooseVersion from systemd import journal @@ -37,6 +38,7 @@ from ..helpers import getLogger # Gets the instance of the logger. logSys = getLogger(__name__) + ## # Journal reader class. # @@ -60,7 +62,6 @@ class FilterSystemd(JournalFilter): # pragma: systemd no cover self.setDatePattern(None) logSys.debug("Created FilterSystemd") - ## # Add a journal match filters from list structure # diff --git a/fail2ban/server/jail.py b/fail2ban/server/jail.py index c5b5e707..a866cb51 100644 --- a/fail2ban/server/jail.py +++ b/fail2ban/server/jail.py @@ -23,7 +23,8 @@ __author__ = "Cyril Jaquier, Lee Clemens, Yaroslav Halchenko" __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2012 Lee Clemens, 2012 Yaroslav Halchenko" __license__ = "GPL" -import Queue, logging +import logging +import Queue from .actions import Actions from ..helpers import getLogger @@ -31,6 +32,7 @@ from ..helpers import getLogger # Gets the instance of the logger. logSys = getLogger(__name__) + class Jail: """Fail2Ban jail, which manages a filter and associated actions. @@ -115,7 +117,6 @@ class Jail: raise RuntimeError( "Failed to initialize any backend for Jail %r" % self.name) - def _initPolling(self): from filterpoll import FilterPoll logSys.info("Jail '%s' uses poller" % self.name) diff --git a/fail2ban/server/jailthread.py b/fail2ban/server/jailthread.py index e4186739..3897801a 100644 --- a/fail2ban/server/jailthread.py +++ b/fail2ban/server/jailthread.py @@ -30,6 +30,7 @@ from abc import abstractmethod from ..helpers import excepthook + class JailThread(Thread): """Abstract class for threading elements in Fail2Ban. @@ -59,6 +60,7 @@ class JailThread(Thread): # excepthook workaround for threads, derived from: # http://bugs.python.org/issue1230540#msg91244 run = self.run + def run_with_except_hook(*args, **kwargs): try: run(*args, **kwargs) diff --git a/fail2ban/server/mytime.py b/fail2ban/server/mytime.py index f284379e..166f4796 100644 --- a/fail2ban/server/mytime.py +++ b/fail2ban/server/mytime.py @@ -21,7 +21,9 @@ __author__ = "Cyril Jaquier" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" -import time, datetime +import datetime +import time + ## # MyTime class. diff --git a/fail2ban/server/server.py b/fail2ban/server/server.py index 6a7a6699..6d19544d 100644 --- a/fail2ban/server/server.py +++ b/fail2ban/server/server.py @@ -25,7 +25,12 @@ __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" from threading import Lock, RLock -import logging, logging.handlers, sys, os, signal, stat +import logging +import logging.handlers +import os +import signal +import stat +import sys from .jails import Jails from .filter import FileFilter, JournalFilter @@ -43,6 +48,7 @@ except ImportError: # Dont print error here, as database may not even be used Fail2BanDb = None + class Server: def __init__(self, daemon = False): @@ -61,11 +67,10 @@ class Server: 'FreeBSD': '/var/run/log', 'Linux': '/dev/log', } + self.setSyslogSocket("auto") # Set logging level self.setLogLevel("INFO") self.setLogTarget("STDOUT") - self.setSyslogSocket("auto") - def __sigTERMhandler(self, signum, frame): logSys.debug("Caught signal %d. Exiting" % signum) @@ -139,7 +144,6 @@ class Server: finally: self.__loggingLock.release() - def addJail(self, name, backend): self.__jails.add(name, backend, self.__db) if self.__db is not None: @@ -494,24 +498,27 @@ class Server: return "flushed" def setDatabase(self, filename): - if len(self.__jails) == 0: - if filename.lower() == "none": - self.__db = None - else: - if Fail2BanDb is not None: - self.__db = Fail2BanDb(filename) - self.__db.delAllJails() - else: - logSys.error( - "Unable to import fail2ban database module as sqlite " - "is not available.") - else: + # if not changed - nothing to do + if self.__db and self.__db.filename == filename: + return + if not self.__db and filename.lower() == 'none': + return + if len(self.__jails) != 0: raise RuntimeError( "Cannot change database when there are jails present") + if filename.lower() == "none": + self.__db = None + else: + if Fail2BanDb is not None: + self.__db = Fail2BanDb(filename) + self.__db.delAllJails() + else: + logSys.error( + "Unable to import fail2ban database module as sqlite " + "is not available.") def getDatabase(self): return self.__db - def __createDaemon(self): # pragma: no cover """ Detach a process from the controlling terminal and run it in the diff --git a/fail2ban/server/strptime.py b/fail2ban/server/strptime.py index cf02dad5..2e3c051c 100644 --- a/fail2ban/server/strptime.py +++ b/fail2ban/server/strptime.py @@ -28,6 +28,7 @@ locale_time = LocaleTime() timeRE = TimeRE() timeRE['z'] = r"(?P<z>Z|[+-]\d{2}(?::?[0-5]\d)?)" + def reGroupDictStrptime(found_dict): """Return time from dictionary of strptime fields diff --git a/fail2ban/server/ticket.py b/fail2ban/server/ticket.py index 51abdc83..70be06fe 100644 --- a/fail2ban/server/ticket.py +++ b/fail2ban/server/ticket.py @@ -29,6 +29,7 @@ from ..helpers import getLogger # Gets the instance of the logger. logSys = getLogger(__name__) + class Ticket: def __init__(self, ip, time, matches=None): diff --git a/fail2ban/server/transmitter.py b/fail2ban/server/transmitter.py index 5bf62128..0d9f0fe4 100644 --- a/fail2ban/server/transmitter.py +++ b/fail2ban/server/transmitter.py @@ -33,6 +33,7 @@ from .. import version # Gets the instance of the logger. logSys = getLogger(__name__) + class Transmitter: ## @@ -51,7 +52,7 @@ class Transmitter: def proceed(self, command): # Deserialize object - logSys.debug("Command: " + `command`) + logSys.debug("Command: " + repr(command)) try: ret = self.__commandHandler(command) ack = 0, ret @@ -138,6 +139,7 @@ class Transmitter: elif name == "dbpurgeage": db = self.__server.getDatabase() if db is None: + logSys.warning("dbpurgeage setting was not in effect since no db yet") return None else: db.purgeage = command[1] diff --git a/fail2ban/tests/action_d/test_smtp.py b/fail2ban/tests/action_d/test_smtp.py index 440db55c..35ac2393 100644 --- a/fail2ban/tests/action_d/test_smtp.py +++ b/fail2ban/tests/action_d/test_smtp.py @@ -32,6 +32,7 @@ from ..dummyjail import DummyJail from ..utils import CONFIG_DIR + class TestSMTPServer(smtpd.SMTPServer): def process_message(self, peer, mailfrom, rcpttos, data): @@ -40,6 +41,7 @@ class TestSMTPServer(smtpd.SMTPServer): self.rcpttos = rcpttos self.data = data + class SMTPActionTest(unittest.TestCase): def setUp(self): diff --git a/fail2ban/tests/actionstestcase.py b/fail2ban/tests/actionstestcase.py index 5991da6d..bb295967 100644 --- a/fail2ban/tests/actionstestcase.py +++ b/fail2ban/tests/actionstestcase.py @@ -35,6 +35,7 @@ from .utils import LogCaptureTestCase TEST_FILES_DIR = os.path.join(os.path.dirname(__file__), "files") + class ExecuteActions(LogCaptureTestCase): def setUp(self): @@ -76,7 +77,6 @@ class ExecuteActions(LogCaptureTestCase): self.assertEqual(self.__actions.getBanTime(),127) self.assertRaises(ValueError, self.__actions.removeBannedIP, '127.0.0.1') - def testActionsOutput(self): self.defaultActions() self.__actions.start() @@ -89,7 +89,6 @@ class ExecuteActions(LogCaptureTestCase): self.assertEqual(self.__actions.status(),[("Currently banned", 0 ), ("Total banned", 0 ), ("Banned IP list", [] )]) - def testAddActionPython(self): self.__actions.add( "Action", os.path.join(TEST_FILES_DIR, "action.d/action.py"), diff --git a/fail2ban/tests/actiontestcase.py b/fail2ban/tests/actiontestcase.py index 2e826a8e..febbc619 100644 --- a/fail2ban/tests/actiontestcase.py +++ b/fail2ban/tests/actiontestcase.py @@ -24,11 +24,14 @@ __author__ = "Cyril Jaquier" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" +import os import time +import tempfile from ..server.action import CommandAction, CallingMap from .utils import LogCaptureTestCase +from .utils import pid_exists class CommandActionTest(LogCaptureTestCase): @@ -110,7 +113,6 @@ class CommandActionTest(LogCaptureTestCase): {'ipjailmatches': "some >char< should \< be[ escap}ed&\n"}), "some \\>char\\< should \\\\\\< be\\[ escap\\}ed\\&\n") - # Recursive aInfo["ABC"] = "<xyz>" self.assertEqual( @@ -202,6 +204,44 @@ class CommandActionTest(LogCaptureTestCase): or self._is_logged('sleep 60 -- timed out after 3 seconds')) self.assertTrue(self._is_logged('sleep 60 -- killed with SIGTERM')) + def testExecuteTimeoutWithNastyChildren(self): + # temporary file for a nasty kid shell script + tmpFilename = tempfile.mktemp(".sh", "fail2ban_") + # Create a nasty script which would hang there for a while + with open(tmpFilename, 'w') as f: + f.write("""#!/bin/bash + trap : HUP EXIT TERM + + echo "$$" > %s.pid + echo "my pid $$ . sleeping lo-o-o-ong" + sleep 10000 + """ % tmpFilename) + + def getnastypid(): + with open(tmpFilename + '.pid') as f: + return int(f.read()) + + # First test if can kill the bastard + self.assertRaises( + RuntimeError, CommandAction.executeCmd, 'bash %s' % tmpFilename, timeout=.1) + # Verify that the proccess itself got killed + self.assertFalse(pid_exists(getnastypid())) # process should have been killed + self.assertTrue(self._is_logged('timed out')) + self.assertTrue(self._is_logged('killed with SIGTERM')) + + # A bit evolved case even though, previous test already tests killing children processes + self.assertRaises( + RuntimeError, CommandAction.executeCmd, 'out=`bash %s`; echo ALRIGHT' % tmpFilename, + timeout=.2) + # Verify that the proccess itself got killed + self.assertFalse(pid_exists(getnastypid())) + self.assertTrue(self._is_logged('timed out')) + self.assertTrue(self._is_logged('killed with SIGTERM')) + + os.unlink(tmpFilename) + os.unlink(tmpFilename + '.pid') + + def testCaptureStdOutErr(self): CommandAction.executeCmd('echo "How now brown cow"') self.assertTrue(self._is_logged("'How now brown cow\\n'")) diff --git a/fail2ban/tests/banmanagertestcase.py b/fail2ban/tests/banmanagertestcase.py index c4dd42cf..09d2411e 100644 --- a/fail2ban/tests/banmanagertestcase.py +++ b/fail2ban/tests/banmanagertestcase.py @@ -29,6 +29,7 @@ import unittest from ..server.banmanager import BanManager from ..server.ticket import BanTicket + class AddFailure(unittest.TestCase): def setUp(self): """Call before every test case.""" diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py index 941116fd..00128c33 100644 --- a/fail2ban/tests/clientreadertestcase.py +++ b/fail2ban/tests/clientreadertestcase.py @@ -21,7 +21,13 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko" __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko" __license__ = "GPL" -import os, glob, shutil, tempfile, unittest, re, logging +import glob +import logging +import os +import re +import shutil +import tempfile +import unittest from ..client.configreader import ConfigReaderUnshared from ..client import configparserinc from ..client.jailreader import JailReader @@ -39,6 +45,7 @@ STOCK = os.path.exists(os.path.join('config','fail2ban.conf')) IMPERFECT_CONFIG = os.path.join(os.path.dirname(__file__), 'config') + class ConfigReaderTest(unittest.TestCase): def setUp(self): @@ -71,12 +78,10 @@ option = %s os.unlink("%s/%s" % (self.d, fname)) self.assertTrue(self.c.read('c')) # we still should have some - def _getoption(self, f='c'): self.assertTrue(self.c.read(f)) # we got some now return self.c.getOptions('section', [("int", 'option')])['option'] - def testInaccessibleFile(self): f = os.path.join(self.d, "d.conf") # inaccessible file self._write('d.conf', 0) @@ -91,7 +96,6 @@ option = %s # raise unittest.SkipTest("Skipping on %s -- access rights are not enforced" % platform) pass - def testOptionalDotDDir(self): self.assertFalse(self.c.read('c')) # nothing is there yet self._write("c.conf", "1") @@ -153,6 +157,7 @@ c = d ;in line comment self.assertEqual(self.c.get('DEFAULT', 'b'), 'a') self.assertEqual(self.c.get('DEFAULT', 'c'), 'd') + class JailReaderTest(LogCaptureTestCase): def __init__(self, *args, **kwargs): @@ -179,15 +184,19 @@ class JailReaderTest(LogCaptureTestCase): self.assertTrue(self._is_logged("Found no accessible config files for 'filter.d/catchallthebadies' under %s" % IMPERFECT_CONFIG)) self.assertTrue(self._is_logged('Unable to read the filter')) - def TODOtestJailActionBrokenDef(self): - jail = JailReader('brokenactiondef', basedir=IMPERFECT_CONFIG, share_config = self.__share_cfg) + def testJailActionBrokenDef(self): + jail = JailReader('brokenactiondef', basedir=IMPERFECT_CONFIG, + share_config=self.__share_cfg) self.assertTrue(jail.read()) self.assertFalse(jail.getOptions()) self.assertTrue(jail.isEnabled()) - self.printLog() self.assertTrue(self._is_logged('Error in action definition joho[foo')) - self.assertTrue(self._is_logged('Caught exception: While reading action joho[foo we should have got 1 or 2 groups. Got: 0')) - + # This unittest has been deactivated for some time... + # self.assertTrue(self._is_logged( + # 'Caught exception: While reading action joho[foo we should have got 1 or 2 groups. Got: 0')) + # let's test for what is actually logged and handle changes in the future + self.assertTrue(self._is_logged( + "Caught exception: 'NoneType' object has no attribute 'endswith'")) if STOCK: def testStockSSHJail(self): @@ -218,7 +227,6 @@ class JailReaderTest(LogCaptureTestCase): #self.assertRaises(ValueError, JailReader.extractOptions ,'mail-how[') - # Empty option option = "abc[]" expected = ('abc', {}) @@ -312,7 +320,6 @@ class FilterReaderTest(unittest.TestCase): output[-1][-1] = "5" self.assertEqual(sorted(filterReader.convert()), sorted(output)) - def testFilterReaderSubstitionDefault(self): output = [['set', 'jailname', 'addfailregex', 'to=sweet@example.com fromip=<IP>']] filterReader = FilterReader('substition', "jailname", {}) @@ -355,6 +362,7 @@ class FilterReaderTest(unittest.TestCase): except Exception, e: # pragma: no cover - failed if reachable self.fail('unexpected options after readexplicit: %s' % (e)) + class JailsReaderTestCache(LogCaptureTestCase): def _readWholeConf(self, basedir, force_enable=False, share_config=None): @@ -474,7 +482,6 @@ class JailsReaderTest(LogCaptureTestCase): self.assertTrue('Init' in actionReader.sections(), msg="Action file %r is lacking [Init] section" % actionConfig) - def testReadStockJailConf(self): jails = JailsReader(basedir=CONFIG_DIR, share_config=self.__share_cfg) # we are running tests from root project dir atm self.assertTrue(jails.read()) # opens fine @@ -601,7 +608,6 @@ class JailsReaderTest(LogCaptureTestCase): msg="Found no %s command among %s" % (target_command, str(commands)) ) - def testStockConfigurator(self): configurator = Configurator() configurator.setBaseDir(CONFIG_DIR) @@ -616,6 +622,22 @@ class JailsReaderTest(LogCaptureTestCase): configurator.getOptions() configurator.convertToProtocol() commands = configurator.getConfigStream() + + # verify that dbfile comes before dbpurgeage + def find_set(option): + for i, e in enumerate(commands): + if e[0] == 'set' and e[1] == option: + return i + raise ValueError("Did not find command 'set %s' among commands %s" + % (option, commands)) + + # Set up of logging should come first + self.assertEqual(find_set('syslogsocket'), 0) + self.assertEqual(find_set('loglevel'), 1) + self.assertEqual(find_set('logtarget'), 2) + # then dbfile should be before dbpurgeage + self.assertTrue(find_set('dbpurgeage') > find_set('dbfile')) + # and there is logging information left to be passed into the # server self.assertEqual(sorted(commands), diff --git a/fail2ban/tests/databasetestcase.py b/fail2ban/tests/databasetestcase.py index 9665e322..dd813ee6 100644 --- a/fail2ban/tests/databasetestcase.py +++ b/fail2ban/tests/databasetestcase.py @@ -42,6 +42,7 @@ from .utils import LogCaptureTestCase TEST_FILES_DIR = os.path.join(os.path.dirname(__file__), "files") + class DatabaseTest(LogCaptureTestCase): def setUp(self): @@ -211,7 +212,7 @@ class DatabaseTest(LogCaptureTestCase): def testDelBan(self): self.testAddBan() ticket = self.db.getBans(jail=self.jail)[0] - self.db.delBan(self.jail, ticket) + self.db.delBan(self.jail, ticket.getIP()) self.assertEqual(len(self.db.getBans(jail=self.jail)), 0) def testGetBansWithTime(self): @@ -305,7 +306,7 @@ class DatabaseTest(LogCaptureTestCase): def testActionWithDB(self): # test action together with database functionality self.testAddJail() # Jail required - self.jail.database = self.db; + self.jail.database = self.db actions = Actions(self.jail) actions.add( "action_checkainfo", @@ -317,7 +318,6 @@ class DatabaseTest(LogCaptureTestCase): actions._Actions__checkBan() self.assertTrue(self._is_logged("ban ainfo %s, %s, %s, %s" % (True, True, True, True))) - def testPurge(self): if Fail2BanDb is None: # pragma: no cover return diff --git a/fail2ban/tests/datedetectortestcase.py b/fail2ban/tests/datedetectortestcase.py index c82f92ba..0d758640 100644 --- a/fail2ban/tests/datedetectortestcase.py +++ b/fail2ban/tests/datedetectortestcase.py @@ -32,6 +32,7 @@ from ..server.datedetector import DateDetector from ..server.datetemplate import DateTemplate from .utils import setUpMyTime, tearDownMyTime + class DateDetectorTest(unittest.TestCase): def setUp(self): diff --git a/fail2ban/tests/dummyjail.py b/fail2ban/tests/dummyjail.py index 77ab785e..9b784f77 100644 --- a/fail2ban/tests/dummyjail.py +++ b/fail2ban/tests/dummyjail.py @@ -26,6 +26,7 @@ from threading import Lock from ..server.actions import Actions + class DummyJail(object): """A simple 'jail' to suck in all the tickets generated by Filter's """ diff --git a/fail2ban/tests/failmanagertestcase.py b/fail2ban/tests/failmanagertestcase.py index 1f99d161..a8c0f6fc 100644 --- a/fail2ban/tests/failmanagertestcase.py +++ b/fail2ban/tests/failmanagertestcase.py @@ -29,6 +29,7 @@ import unittest from ..server.failmanager import FailManager, FailManagerEmpty from ..server.ticket import FailTicket + class AddFailure(unittest.TestCase): def setUp(self): @@ -100,7 +101,7 @@ class AddFailure(unittest.TestCase): self.assertEqual( ticket_repr, 'FailTicket: ip=193.168.0.128 time=1167605999.0 #attempts=5 matches=[]') - self.assertFalse(ticket == False) + self.assertFalse(not ticket) # and some get/set-ers otherwise not tested ticket.setTime(1000002000.0) self.assertEqual(ticket.getTime(), 1000002000.0) diff --git a/fail2ban/tests/files/action.d/action.py b/fail2ban/tests/files/action.d/action.py index 2dd64c3f..16a0a208 100644 --- a/fail2ban/tests/files/action.d/action.py +++ b/fail2ban/tests/files/action.d/action.py @@ -1,6 +1,7 @@ from fail2ban.server.action import ActionBase + class TestAction(ActionBase): def __init__(self, jail, name, opt1, opt2=None): diff --git a/fail2ban/tests/files/action.d/action_checkainfo.py b/fail2ban/tests/files/action.d/action_checkainfo.py index eec9cc85..63dd4f5b 100644 --- a/fail2ban/tests/files/action.d/action_checkainfo.py +++ b/fail2ban/tests/files/action.d/action_checkainfo.py @@ -1,6 +1,7 @@ from fail2ban.server.action import ActionBase + class TestAction(ActionBase): def ban(self, aInfo): diff --git a/fail2ban/tests/files/action.d/action_errors.py b/fail2ban/tests/files/action.d/action_errors.py index 767848c1..a193be16 100644 --- a/fail2ban/tests/files/action.d/action_errors.py +++ b/fail2ban/tests/files/action.d/action_errors.py @@ -1,6 +1,7 @@ from fail2ban.server.action import ActionBase + class TestAction(ActionBase): def __init__(self, jail, name): diff --git a/fail2ban/tests/files/action.d/action_modifyainfo.py b/fail2ban/tests/files/action.d/action_modifyainfo.py index 9fbe1e0b..b003edef 100644 --- a/fail2ban/tests/files/action.d/action_modifyainfo.py +++ b/fail2ban/tests/files/action.d/action_modifyainfo.py @@ -1,6 +1,7 @@ from fail2ban.server.action import ActionBase + class TestAction(ActionBase): def ban(self, aInfo): diff --git a/fail2ban/tests/files/action.d/action_noAction.py b/fail2ban/tests/files/action.d/action_noAction.py index 1aa25e67..0888bf60 100644 --- a/fail2ban/tests/files/action.d/action_noAction.py +++ b/fail2ban/tests/files/action.d/action_noAction.py @@ -1,5 +1,6 @@ from fail2ban.server.action import ActionBase + class TestAction(ActionBase): pass diff --git a/fail2ban/tests/files/config/apache-auth/digest.py b/fail2ban/tests/files/config/apache-auth/digest.py index 020a1272..875ebffe 100755 --- a/fail2ban/tests/files/config/apache-auth/digest.py +++ b/fail2ban/tests/files/config/apache-auth/digest.py @@ -10,6 +10,7 @@ except ImportError: # pragma: no cover import md5 md5sum = md5.new + def auth(v): ha1 = md5sum(username + ':' + realm + ':' + password).hexdigest() @@ -44,6 +45,7 @@ def auth(v): s = requests.Session() return s.send(p) + def preauth(): r = requests.get(host + url) print(r) diff --git a/fail2ban/tests/files/logs/apache-badbots b/fail2ban/tests/files/logs/apache-badbots index 35669252..5486f36a 100644 --- a/fail2ban/tests/files/logs/apache-badbots +++ b/fail2ban/tests/files/logs/apache-badbots @@ -1,2 +1,8 @@ # failJSON: { "time": "2007-03-05T14:39:21", "match": true , "host": "1.2.3.4" } 1.2.3.4 - - [05/Mar/2007:14:39:21 +0100] "POST /123.html/trackback/ HTTP/1.0" 301 459 "http://www.mydomain.tld/123.html/trackback" "TrackBack/1.02" + +# failJSON: { "time": "2007-03-05T14:40:21", "match": true , "host": "1.2.3.4" } +1.2.3.4 - - [05/Mar/2007:14:40:21 +0100] "GET /123.html/trackback/ HTTP/1.0" 301 459 "http://www.mydomain.tld/123.html/trackback" "TrackBack/1.02" + +# failJSON: { "time": "2007-03-05T14:41:21", "match": true , "host": "1.2.3.4" } +1.2.3.4 - - [05/Mar/2007:14:41:21 +0100] "HEAD /123.html/trackback/ HTTP/1.0" 301 459 "http://www.mydomain.tld/123.html/trackback" "TrackBack/1.02" diff --git a/fail2ban/tests/files/logs/apache-pass b/fail2ban/tests/files/logs/apache-pass new file mode 100644 index 00000000..cb8d3454 --- /dev/null +++ b/fail2ban/tests/files/logs/apache-pass @@ -0,0 +1,2 @@ +# failJSON: { "time": "2013-06-27T11:55:44", "match": true , "host": "192.0.2.12" } +192.0.2.12 - user1 [27/Jun/2013:11:55:44] "GET /knocking/ HTTP/1.1" 200 266 "http://domain.net/hello-world/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0" diff --git a/fail2ban/tests/files/logs/asterisk b/fail2ban/tests/files/logs/asterisk index 34265841..ab018ba9 100644 --- a/fail2ban/tests/files/logs/asterisk +++ b/fail2ban/tests/files/logs/asterisk @@ -43,3 +43,19 @@ # failJSON: { "time": "2004-11-04T18:30:40", "match": true , "host": "192.168.200.100" } Nov 4 18:30:40 localhost asterisk[32229]: NOTICE[32257]: chan_sip.c:23417 in handle_request_register: Registration from '<sip:301@example.com>' failed for '192.168.200.100:36998' - Wrong password + +# failed authentication attempt on INVITE using PJSIP +# failJSON: { "time": "2015-05-24T08:42:16", "match": true, "host": "10.250.251.252" } +[2015-05-24 08:42:16] SECURITY[4583] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="2015-05-24T08:42:16.296+0300",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="<unknown>",SessionID="17a483d-eb8cc0-556164ab@1.2.3.4",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/10.250.251.252/5060",Challenge="1432446136/6d16ccf29ff59d423c6d548af00bf9b4",Response="849dfcf133d8156f77ef11a9194119df",ExpectedResponse="" + +# SessionID may contain any special characters and spaces +# failJSON: { "time": "2015-05-25T07:19:19", "match": true, "host": "10.250.251.252" } +[2015-05-25 07:19:19] SECURITY[6988] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2015-05-25T07:19:19.015+0300",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="70000180",SessionID="!@#$%^& *(}((')[ -+"++",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/10.250.251.252/5061" + +# SessionID here start with '",LocalAddress' and ends with '5.6.7.8/1111"' +# failJSON: { "time": "2015-05-25T07:21:48", "match": true, "host": "10.250.251.252" } +[2015-05-25 07:21:48] SECURITY[6988] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2015-05-25T07:21:48.275+0300",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="70000180",SessionID="",LocalAddress="IPV4/UDP/127.0.0.1/5060",RemoteAddress="IPV4/UDP/5.6.7.8/1111"",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/10.250.251.252/5061" + +# match UTF-8 in SessionID +# failJSON: { "time": "2015-05-25T07:52:36", "match": true, "host": "10.250.251.252" } +[2015-05-25 07:52:36] SECURITY[6988] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2015-05-25T07:52:36.888+0300",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="70000180",SessionID="Негодяй",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/10.250.251.252/5061" diff --git a/fail2ban/tests/files/logs/dovecot b/fail2ban/tests/files/logs/dovecot index aa2ab3cf..4c2ccc94 100644 --- a/fail2ban/tests/files/logs/dovecot +++ b/fail2ban/tests/files/logs/dovecot @@ -37,6 +37,9 @@ Jan 29 05:32:50 mail dovecot: auth-worker(304): pam(username,1.2.3.4): pam_authe # failJSON: { "time": "2005-01-29T05:13:40", "match": true , "host": "1.2.3.4" } Jan 29 05:13:40 mail dovecot: auth-worker(31326): pam(username,1.2.3.4): unknown user +# failJSON: { "time": "2005-01-29T05:13:50", "match": true , "host": "1.2.3.4" } +Jan 29 05:13:50 mail dovecot: auth: passwd-file(username,1.2.3.4): unknown user + # failJSON: { "time": "2005-04-19T05:22:20", "match": true , "host": "80.255.3.104" } Apr 19 05:22:20 vm5 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=informix rhost=80.255.3.104 diff --git a/fail2ban/tests/files/logs/froxlor-auth b/fail2ban/tests/files/logs/froxlor-auth new file mode 100644 index 00000000..2a2c2fc4 --- /dev/null +++ b/fail2ban/tests/files/logs/froxlor-auth @@ -0,0 +1,5 @@ +# failJSON: { "time": "2005-05-21T00:56:27", "match": true , "host": "1.2.3.4" } +May 21 00:56:27 jomu Froxlor: [Login Action 1.2.3.4] Unknown user 'user' tried to login. +# failJSON: { "time": "2005-05-21T00:57:38", "match": true , "host": "1.2.3.4" } +May 21 00:57:38 jomu Froxlor: [Login Action 1.2.3.4] User 'admin' tried to login with wrong password. + diff --git a/fail2ban/tests/files/logs/nginx-botsearch b/fail2ban/tests/files/logs/nginx-botsearch index f1bf05f5..c694fa3b 100644 --- a/fail2ban/tests/files/logs/nginx-botsearch +++ b/fail2ban/tests/files/logs/nginx-botsearch @@ -10,6 +10,12 @@ # failJSON: { "time": "2015-01-20T19:53:28", "match": true , "host": "12.34.56.78" } 12.34.56.78 - - [20/Jan/2015:19:53:28 +0100] "GET //admin/pma/scripts/setup.php HTTP/1.1" 404 47 "-" "-" "-" +# failJSON: { "time": "2015-01-20T19:54:28", "match": true , "host": "12.34.56.78" } +12.34.56.78 - - [20/Jan/2015:19:54:28 +0100] "POST //admin/pma/scripts/setup.php HTTP/1.1" 404 47 "-" "-" "-" + +# failJSON: { "time": "2015-01-20T19:55:28", "match": true , "host": "12.34.56.78" } +12.34.56.78 - - [20/Jan/2015:19:55:28 +0100] "HEAD //admin/pma/scripts/setup.php HTTP/1.1" 404 47 "-" "-" "-" + # failJSON: { "time": "2015-01-20T01:17:07", "match": true , "host": "7.8.9.10" } 7.8.9.10 - root [20/Jan/2015:01:17:07 +0100] "GET /cgi-bin/recent.cgi HTTP/1.1" 404 162 "-" "-" "-" @@ -19,5 +25,11 @@ # failJSON: { "time": "2015-01-21T10:56:10", "match": true , "host": "5.7.9.2" } 2015/01/21 10:56:10 [error] 2833#0: *16336 open() "/var/www/site/cgi-bin/php4" failed (2: No such file or directory), client: 5.7.9.2, server: localhost, request: "GET /cgi-bin/php4 HTTP/1.1", host: "1.2.3.4" +# failJSON: { "time": "2015-01-21T10:57:10", "match": true , "host": "5.7.9.2" } +2015/01/21 10:57:10 [error] 2833#0: *16336 open() "/var/www/site/cgi-bin/php4" failed (2: No such file or directory), client: 5.7.9.2, server: localhost, request: "POST /cgi-bin/php4 HTTP/1.1", host: "1.2.3.4" + +# failJSON: { "time": "2015-01-21T10:58:10", "match": true , "host": "5.7.9.2" } +2015/01/21 10:58:10 [error] 2833#0: *16336 open() "/var/www/site/cgi-bin/php4" failed (2: No such file or directory), client: 5.7.9.2, server: localhost, request: "HEAD /cgi-bin/php4 HTTP/1.1", host: "1.2.3.4" + # failJSON: { "time": "2015-01-21T15:02:27", "match": true , "host": "5.7.9.2" } 2015/01/21 15:02:27 [error] 2833#0: *16813 "/var/www/site/roundcube/" is not found (2: No such file or directory), client: 5.7.9.2, server: localhost, request: "GET /roundcube/ HTTP/1.1", host: "1.2.3.4"
\ No newline at end of file diff --git a/fail2ban/tests/files/logs/roundcube-auth b/fail2ban/tests/files/logs/roundcube-auth index bab2a181..26868c3e 100644 --- a/fail2ban/tests/files/logs/roundcube-auth +++ b/fail2ban/tests/files/logs/roundcube-auth @@ -22,3 +22,21 @@ Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 12 # user = admin from 127.0.0.1 in # failJSON: { "time": "2005-07-11T03:06:37", "match": true , "host": "1.2.3.4" } Jul 11 03:06:37 myhostname roundcube: IMAP Error: Login failed for admin from 127.0.0.1 in from 1.2.3.4. AUTHENTICATE PLAIN: A0002 NO Login failed. user=admin from 127.0.0.1 in in /usr/share/roundcube/program/include/rcube_imap.php on line 205 (POST /wmail/?_task=login&_action=login) + +# Roundcube 1.0.5 CentOS 6 (/var/log/roundcubemail/errors) +# failJSON: { "time": "2014-12-30T19:02:34", "match": true , "host": "1.2.3.4" } +[30-Dec-2014 13:02:34 -0500]: IMAP Error: Login failed for admin@example.com from 1.2.3.4. AUTHENTICATE PLAIN: Authentication failed. in /docroot/path/program/lib/Roundcube/rcube_imap.php on line 184 (POST /?_task=login?_task=login&_action=login) + +# Roundcube 1.0.5 CentOS 6 (/var/log/roundcubemail/userlogins) +# failJSON: { "time": "2015-05-10T19:02:52", "match": true , "host": "1.2.3.4" } +[10-May-2015 13:02:52 -0400]: Failed login for sampleuser from 1.2.3.4 in session 1z506z6rvddstv6k7jz08hxo27 (error: 0) +# failJSON: { "time": "2015-05-10T19:02:52", "match": true , "host": "1.2.3.4" } +[10-May-2015 13:02:52 -0400]: Failed login for foo.bar-admin@some-thing.example.com from 1.2.3.4 in session 2z506z6rvddstv6k7jz08hxo27 (error: 0) + +# Roundcube 1.1.1 (/var/log/roundcubemail/errors) +# failJSON: { "time": "2014-12-30T19:02:34", "match": true , "host": "1.2.3.4" } +[30-Dec-2014 13:02:34 -0500]: <3z506z6r> IMAP Error: Login failed for admin@example.com from 1.2.3.4. AUTHENTICATE PLAIN: Authentication failed. in /docroot/path/program/lib/Roundcube/rcube_imap.php on line 198 (POST /?_task=login?_task=login&_action=login) + +# Roundcube 1.1.1 (/var/log/roundcubemail/userlogins) +# failJSON: { "time": "2015-05-10T19:02:52", "match": true , "host": "1.2.3.4" } +[10-May-2015 13:02:52 -0400]: <4z506z6r> Failed login for admin@example.com from 1.2.3.4 in session 4z506z6rvddstv6k7jz08hxo27 (error: 0) diff --git a/fail2ban/tests/filtertestcase.py b/fail2ban/tests/filtertestcase.py index 75f91584..891b55a6 100644 --- a/fail2ban/tests/filtertestcase.py +++ b/fail2ban/tests/filtertestcase.py @@ -46,6 +46,7 @@ from .dummyjail import DummyJail TEST_FILES_DIR = os.path.join(os.path.dirname(__file__), "files") + # yoh: per Steven Hiscocks's insight while troubleshooting # https://github.com/fail2ban/fail2ban/issues/103#issuecomment-15542836 # adding a sufficiently large buffer might help to guarantee that @@ -63,6 +64,7 @@ def open(*args): else: return fopen(*args) + def _killfile(f, name): try: f.close() @@ -98,6 +100,7 @@ def _assert_equal_entries(utest, found, output, count=None): srepr = repr utest.assertEqual(srepr(found[3]), srepr(output[3])) + def _ticket_tuple(ticket): """Create a tuple for easy comparison from fail ticket """ @@ -107,6 +110,7 @@ def _ticket_tuple(ticket): matches = ticket.getMatches() return (ip, attempts, date, matches) + def _assert_correct_last_attempt(utest, filter_, output, count=None): """Additional helper to wrap most common test case @@ -120,6 +124,7 @@ def _assert_correct_last_attempt(utest, filter_, output, count=None): _assert_equal_entries(utest, found, output, count) + def _copy_lines_between_files(in_, fout, n=None, skip=0, mode='a', terminal_line=""): """Copy lines from one file to another (which might be already open) @@ -156,6 +161,7 @@ def _copy_lines_between_files(in_, fout, n=None, skip=0, mode='a', terminal_line time.sleep(0.1) return fout + def _copy_lines_to_journal(in_, fields={},n=None, skip=0, terminal_line=""): # pragma: systemd no cover """Copy lines from one file to systemd journal @@ -184,6 +190,7 @@ def _copy_lines_to_journal(in_, fields={},n=None, skip=0, terminal_line=""): # p # Opened earlier, therefore must close it fin.close() + # # Actual tests # @@ -209,6 +216,7 @@ class BasicFilter(unittest.TestCase): ("^%Y-%m-%d-%H%M%S.%f %z", "^Year-Month-Day-24hourMinuteSecond.Microseconds Zone offset")) + class IgnoreIP(LogCaptureTestCase): def setUp(self): @@ -276,6 +284,7 @@ class IgnoreIP(LogCaptureTestCase): self.filter.logIgnoreIp("example.com", False, ignore_source="NOT_LOGGED") self.assertFalse(self._is_logged("[%s] Ignore %s by %s" % (self.jail.name, "example.com", "NOT_LOGGED"))) + class IgnoreIPDNS(IgnoreIP): def testIgnoreIPDNSOK(self): @@ -289,6 +298,7 @@ class IgnoreIPDNS(IgnoreIP): self.assertFalse(self.filter.inIgnoreIPList("128.178.50.11")) self.assertFalse(self.filter.inIgnoreIPList("128.178.50.13")) + class LogFile(LogCaptureTestCase): MISSING = 'testcases/missingLogFile' @@ -303,6 +313,7 @@ class LogFile(LogCaptureTestCase): self.filter = FilterPoll(None) self.assertRaises(IOError, self.filter.addLogPath, LogFile.MISSING) + class LogFileFilterPoll(unittest.TestCase): FILENAME = os.path.join(TEST_FILES_DIR, "testcase01.log") @@ -475,6 +486,7 @@ def get_monitor_failures_testcase(Filter_): class MonitorFailures(unittest.TestCase): count = 0 + def setUp(self): """Call before every test case.""" setUpMyTime() @@ -493,7 +505,6 @@ def get_monitor_failures_testcase(Filter_): self._sleep_4_poll() #print "D: started filter %s" % self.filter - def tearDown(self): tearDownMyTime() #print "D: SLEEPING A BIT" @@ -532,7 +543,6 @@ def get_monitor_failures_testcase(Filter_): self.assertTrue(self.isFilled(20)) # give Filter a chance to react _assert_correct_last_attempt(self, self.jail, failures, count=count) - def test_grow_file(self): # suck in lines from this sample log file self.assertRaises(FailManagerEmpty, self.filter.failManager.toBan) @@ -576,7 +586,6 @@ def get_monitor_failures_testcase(Filter_): skip=3, mode='w') self.assert_correct_last_attempt(GetFailures.FAILURES_01) - def test_move_file(self): # if we move file into a new location while it has been open already self.file.close() @@ -601,7 +610,6 @@ def get_monitor_failures_testcase(Filter_): self.assert_correct_last_attempt(GetFailures.FAILURES_01) self.assertEqual(self.filter.failManager.getFailTotal(), 6) - def _test_move_into_file(self, interim_kill=False): # if we move a new file into the location of an old (monitored) file _copy_lines_between_files(GetFailures.FILENAME_01, self.name, @@ -627,7 +635,6 @@ def get_monitor_failures_testcase(Filter_): self.assert_correct_last_attempt(GetFailures.FAILURES_01) self.assertEqual(self.filter.failManager.getFailTotal(), 9) - def test_move_into_file(self): self._test_move_into_file(interim_kill=False) @@ -636,7 +643,6 @@ def get_monitor_failures_testcase(Filter_): # to test against possible drop-out of the file from monitoring self._test_move_into_file(interim_kill=True) - def test_new_bogus_file(self): # to make sure that watching whole directory does not effect _copy_lines_between_files(GetFailures.FILENAME_01, self.name, n=100).close() @@ -649,7 +655,6 @@ def get_monitor_failures_testcase(Filter_): self.assertEqual(self.filter.failManager.getFailTotal(), 6) _killfile(None, self.name + '.bak2') - def test_delLogPath(self): # Smoke test for removing of the path from being watched @@ -681,6 +686,7 @@ def get_monitor_failures_testcase(Filter_): % (Filter_.__name__, testclass_name) # 'tempfile') return MonitorFailures + def get_monitor_failures_journal_testcase(Filter_): # pragma: systemd no cover """Generator of TestCase's for journal based filters/backends """ @@ -804,6 +810,7 @@ def get_monitor_failures_journal_testcase(Filter_): # pragma: systemd no cover return MonitorJournalFailures + class GetFailures(unittest.TestCase): FILENAME_01 = os.path.join(TEST_FILES_DIR, "testcase01.log") @@ -862,7 +869,6 @@ class GetFailures(unittest.TestCase): self.testGetFailures01(filename=fname) _killfile(fout, fname) - def testGetFailures02(self): output = ('141.3.81.106', 4, 1124013539.0, [u'Aug 14 11:%d:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:141.3.81.106 port 51332 ssh2' @@ -921,8 +927,6 @@ class GetFailures(unittest.TestCase): filter_.getFailures(GetFailures.FILENAME_USEDNS) _assert_correct_last_attempt(self, filter_, output) - - def testGetFailuresMultiRegex(self): output = ('141.3.81.106', 8, 1124013541.0) @@ -996,6 +1000,7 @@ class GetFailures(unittest.TestCase): break self.assertEqual(sorted(foundList), sorted(output)) + class DNSUtilsTests(unittest.TestCase): def testUseDns(self): @@ -1043,6 +1048,7 @@ class DNSUtilsTests(unittest.TestCase): res = DNSUtils.bin2addr(167772160L) self.assertEqual(res, '10.0.0.0') + class JailTests(unittest.TestCase): def testSetBackend_gh83(self): diff --git a/fail2ban/tests/misctestcase.py b/fail2ban/tests/misctestcase.py index a682b63f..c95efa43 100644 --- a/fail2ban/tests/misctestcase.py +++ b/fail2ban/tests/misctestcase.py @@ -55,6 +55,7 @@ class HelpersTest(unittest.TestCase): # might be fragile due to ' vs " self.assertEqual(args, "('Very bad', None)") + class SetupTest(unittest.TestCase): def setUp(self): @@ -66,7 +67,8 @@ class SetupTest(unittest.TestCase): " -- cannot locate setup.py") def testSetupInstallRoot(self): - if not self.setup: return # if verbose skip didn't work out + if not self.setup: + return # if verbose skip didn't work out tmp = tempfile.mkdtemp() try: os.system("%s %s install --root=%s >/dev/null" @@ -116,6 +118,7 @@ class SetupTest(unittest.TestCase): os.system("%s %s clean --all >/dev/null 2>&1" % (sys.executable, self.setup)) + class TestsUtilsTest(unittest.TestCase): def testmbasename(self): @@ -136,8 +139,10 @@ class TestsUtilsTest(unittest.TestCase): raise ValueError() def deep_function(i): - if i: deep_function(i-1) - else: func_raise() + if i: + deep_function(i-1) + else: + func_raise() try: print deep_function(3) @@ -150,10 +155,11 @@ class TestsUtilsTest(unittest.TestCase): # we must be calling it from setup or nosetests but using at least # nose's core etc self.assertTrue('>' in s, msg="no '>' in %r" % s) - else: - self.assertFalse('>' in s, msg="'>' present in %r" % s) # There is only "fail2ban-testcases" in this case, no true traceback - self.assertTrue(':' in s, msg="no ':' in %r" % s) + elif not ('coverage' in s): + # There is only "fail2ban-testcases" in this case, no true traceback + self.assertFalse('>' in s, msg="'>' present in %r" % s) + self.assertTrue(':' in s, msg="no ':' in %r" % s) def testFormatterWithTraceBack(self): strout = StringIO() @@ -177,6 +183,7 @@ class TestsUtilsTest(unittest.TestCase): iso8601 = DatePatternRegex("%Y-%m-%d[T ]%H:%M:%S(?:\.%f)?%z") + class CustomDateFormatsTest(unittest.TestCase): def testIso8601(self): diff --git a/fail2ban/tests/samplestestcase.py b/fail2ban/tests/samplestestcase.py index bd2bd2e7..9e6c0ee7 100644 --- a/fail2ban/tests/samplestestcase.py +++ b/fail2ban/tests/samplestestcase.py @@ -22,16 +22,22 @@ __copyright__ = "Copyright (c) 2013 Steven Hiscocks" __license__ = "GPL" -import unittest, sys, os, fileinput, re, time, datetime, inspect - +import datetime +import fileinput +import inspect import json - +import os +import re +import sys +import time +import unittest from ..server.filter import Filter from ..client.filterreader import FilterReader from .utils import setUpMyTime, tearDownMyTime, CONFIG_DIR TEST_FILES_DIR = os.path.join(os.path.dirname(__file__), "files") + class FilterSamplesRegex(unittest.TestCase): def setUp(self): @@ -53,6 +59,7 @@ class FilterSamplesRegex(unittest.TestCase): >= 10, "Expected more FilterSampleRegexs tests") + def testSampleRegexsFactory(name): def testFilter(self): @@ -120,7 +127,6 @@ def testSampleRegexsFactory(name): except ValueError: jsonTimeLocal = datetime.datetime.strptime(t, "%Y-%m-%dT%H:%M:%S.%f") - jsonTime = time.mktime(jsonTimeLocal.timetuple()) jsonTime += jsonTimeLocal.microsecond / 1000000 diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py index fd43bd24..57453269 100644 --- a/fail2ban/tests/servertestcase.py +++ b/fail2ban/tests/servertestcase.py @@ -47,12 +47,15 @@ except ImportError: # pragma: no cover TEST_FILES_DIR = os.path.join(os.path.dirname(__file__), "files") + class TestServer(Server): def setLogLevel(self, *args, **kwargs): pass + def setLogTarget(self, *args, **kwargs): pass + class TransmitterBase(unittest.TestCase): def setUp(self): @@ -145,6 +148,7 @@ class TransmitterBase(unittest.TestCase): self.transm.proceed(["get", jail, cmd]), (0, outValues[n+1:])) + class Transmitter(TransmitterBase): def setUp(self): @@ -173,8 +177,14 @@ class Transmitter(TransmitterBase): self.setGetTestNOK("dbfile", tmpFilename) self.server.delJail(self.jailName) self.setGetTest("dbfile", tmpFilename) + # the same file name (again no jails / not changed): + self.setGetTest("dbfile", tmpFilename) self.setGetTest("dbpurgeage", "600", 600) self.setGetTestNOK("dbpurgeage", "LIZARD") + # the same file name (again with jails / not changed): + self.server.addJail(self.jailName, "auto") + self.setGetTest("dbfile", tmpFilename) + self.server.delJail(self.jailName) # Disable database self.assertEqual(self.transm.proceed( @@ -189,6 +199,11 @@ class Transmitter(TransmitterBase): self.assertEqual(self.transm.proceed( ["get", "dbpurgeage"]), (0, None)) + # the same (again with jails / not changed): + self.server.addJail(self.jailName, "auto") + self.assertEqual(self.transm.proceed( + ["set", "dbfile", "None"]), + (0, None)) os.close(tmp) os.unlink(tmpFilename) @@ -547,7 +562,6 @@ class Transmitter(TransmitterBase): ) ) - def testAction(self): action = "TestCaseAction" cmdList = [ @@ -749,6 +763,7 @@ class Transmitter(TransmitterBase): ["set", jailName, "deljournalmatch", value]) self.assertTrue(isinstance(result[1], ValueError)) + class TransmitterLogging(TransmitterBase): def setUp(self): @@ -873,6 +888,7 @@ class JailTests(unittest.TestCase): jail = Jail(longname) self.assertEqual(jail.name, longname) + class RegexTests(unittest.TestCase): def testInit(self): @@ -897,10 +913,12 @@ class RegexTests(unittest.TestCase): self.assertTrue(fr.hasMatched()) self.assertRaises(RegexException, fr.getHost) + class _BadThread(JailThread): def run(self): raise RuntimeError('run bad thread exception') + class LoggingTests(LogCaptureTestCase): def testGetF2BLogger(self): diff --git a/fail2ban/tests/sockettestcase.py b/fail2ban/tests/sockettestcase.py index 8a548998..8eeb7b51 100644 --- a/fail2ban/tests/sockettestcase.py +++ b/fail2ban/tests/sockettestcase.py @@ -24,11 +24,18 @@ __author__ = "Steven Hiscocks" __copyright__ = "Copyright (c) 2013 Steven Hiscocks" __license__ = "GPL" -import unittest, time, tempfile, os, threading +import os +import sys +import tempfile +import threading +import time +import unittest +from .. import protocol from ..server.asyncserver import AsyncServer, AsyncServerException from ..client.csocket import CSocket + class Socket(unittest.TestCase): def setUp(self): @@ -58,6 +65,11 @@ class Socket(unittest.TestCase): testMessage = ["A", "test", "message"] self.assertEqual(client.send(testMessage), testMessage) + # test close message + client.close() + # 2nd close does nothing + client.close() + self.server.stop() serverThread.join(1) self.assertFalse(os.path.exists(self.sock_name)) @@ -78,3 +90,17 @@ class Socket(unittest.TestCase): self.server.stop() serverThread.join(1) self.assertFalse(os.path.exists(self.sock_name)) + + +class ClientMisc(unittest.TestCase): + + def testPrintFormattedAndWiki(self): + # redirect stdout to devnull + saved_stdout = sys.stdout + sys.stdout = open(os.devnull, 'w') + try: + protocol.printFormatted() + protocol.printWiki() + finally: + # restore stdout + sys.stdout = saved_stdout diff --git a/fail2ban/tests/utils.py b/fail2ban/tests/utils.py index ec3be64c..e7993ead 100644 --- a/fail2ban/tests/utils.py +++ b/fail2ban/tests/utils.py @@ -44,12 +44,15 @@ if not CONFIG_DIR: else: CONFIG_DIR = '/etc/fail2ban' + def mtimesleep(): # no sleep now should be necessary since polling tracks now not only # mtime but also ino and size pass old_TZ = os.environ.get('TZ', None) + + def setUpMyTime(): # Set the time to a fixed, known value # Sun Aug 14 12:00:00 CEST 2005 @@ -58,6 +61,7 @@ def setUpMyTime(): time.tzset() MyTime.setTime(1124013600) + def tearDownMyTime(): os.environ.pop('TZ') if old_TZ: @@ -65,6 +69,7 @@ def tearDownMyTime(): time.tzset() MyTime.myTime = None + def gatherTests(regexps=None, no_network=False): # Import all the test cases here instead of a module level to # avoid circular imports @@ -86,6 +91,7 @@ def gatherTests(regexps=None, no_network=False): else: # pragma: no cover class FilteredTestSuite(unittest.TestSuite): _regexps = [re.compile(r) for r in regexps] + def addTest(self, suite): suite_str = str(suite) for r in self._regexps: @@ -120,6 +126,7 @@ def gatherTests(regexps=None, no_network=False): tests.addTest(unittest.makeSuite(clientreadertestcase.JailsReaderTestCache)) # CSocket and AsyncServer tests.addTest(unittest.makeSuite(sockettestcase.Socket)) + tests.addTest(unittest.makeSuite(sockettestcase.ClientMisc)) # Misc helpers tests.addTest(unittest.makeSuite(misctestcase.HelpersTest)) tests.addTest(unittest.makeSuite(misctestcase.SetupTest)) @@ -190,13 +197,13 @@ def gatherTests(regexps=None, no_network=False): except Exception, e: # pragma: no cover logSys.warning("I: Skipping systemd backend testing. Got exception '%s'" % e) - # Server test for logging elements which break logging used to support # testcases analysis tests.addTest(unittest.makeSuite(servertestcase.TransmitterLogging)) return tests + class LogCaptureTestCase(unittest.TestCase): def setUp(self): @@ -230,3 +237,30 @@ class LogCaptureTestCase(unittest.TestCase): def printLog(self): print(self._log.getvalue()) + +# Solution from http://stackoverflow.com/questions/568271/how-to-check-if-there-exists-a-process-with-a-given-pid +# under cc by-sa 3.0 +if os.name == 'posix': + def pid_exists(pid): + """Check whether pid exists in the current process table.""" + import errno + if pid < 0: + return False + try: + os.kill(pid, 0) + except OSError as e: + return e.errno == errno.EPERM + else: + return True +else: + def pid_exists(pid): + import ctypes + kernel32 = ctypes.windll.kernel32 + SYNCHRONIZE = 0x100000 + + process = kernel32.OpenProcess(SYNCHRONIZE, 0, pid) + if process != 0: + kernel32.CloseHandle(process) + return True + else: + return False
\ No newline at end of file diff --git a/fail2ban/version.py b/fail2ban/version.py index 6619d9ee..4a0f220d 100644 --- a/fail2ban/version.py +++ b/fail2ban/version.py @@ -24,4 +24,4 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko, Steven Hiscocks, Daniel Black" __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2005-2015 Yaroslav Halchenko, 2013-2014 Steven Hiscocks, Daniel Black" __license__ = "GPL-v2+" -version = "0.9.2" +version = "0.9.3" diff --git a/man/fail2ban-client.1 b/man/fail2ban-client.1 index e9e7ecfe..a43123da 100644 --- a/man/fail2ban-client.1 +++ b/man/fail2ban-client.1 @@ -1,12 +1,12 @@ -.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.46.4. -.TH FAIL2BAN-CLIENT "1" "April 2015" "fail2ban-client v0.9.2" "User Commands" +.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.1. +.TH FAIL2BAN-CLIENT "1" "July 2015" "fail2ban-client v0.9.3" "User Commands" .SH NAME fail2ban-client \- configure and control the server .SH SYNOPSIS .B fail2ban-client [\fI\,OPTIONS\/\fR] \fI\,<COMMAND>\/\fR .SH DESCRIPTION -Fail2Ban v0.9.2 reads log file that contains password failure report +Fail2Ban v0.9.3 reads log file that contains password failure report and bans the corresponding IP addresses using firewall rules. .SH OPTIONS .TP diff --git a/man/fail2ban-regex.1 b/man/fail2ban-regex.1 index dbd5e299..c1ae40dc 100644 --- a/man/fail2ban-regex.1 +++ b/man/fail2ban-regex.1 @@ -1,5 +1,5 @@ -.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.46.4. -.TH FAIL2BAN-REGEX "1" "April 2015" "fail2ban-regex 0.9.2" "User Commands" +.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.1. +.TH FAIL2BAN-REGEX "1" "July 2015" "fail2ban-regex 0.9.3" "User Commands" .SH NAME fail2ban-regex \- test Fail2ban "failregex" option .SH SYNOPSIS diff --git a/man/fail2ban-server.1 b/man/fail2ban-server.1 index d94d1c53..4260e748 100644 --- a/man/fail2ban-server.1 +++ b/man/fail2ban-server.1 @@ -1,12 +1,12 @@ -.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.46.4. -.TH FAIL2BAN-SERVER "1" "April 2015" "fail2ban-server v0.9.2" "User Commands" +.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.1. +.TH FAIL2BAN-SERVER "1" "July 2015" "fail2ban-server v0.9.3" "User Commands" .SH NAME fail2ban-server \- start the server .SH SYNOPSIS .B fail2ban-server [\fI\,OPTIONS\/\fR] .SH DESCRIPTION -Fail2Ban v0.9.2 reads log file that contains password failure report +Fail2Ban v0.9.3 reads log file that contains password failure report and bans the corresponding IP addresses using firewall rules. .PP Only use this command for debugging purpose. Start the server with diff --git a/man/fail2ban-testcases.1 b/man/fail2ban-testcases.1 new file mode 100644 index 00000000..55eedd50 --- /dev/null +++ b/man/fail2ban-testcases.1 @@ -0,0 +1,34 @@ +.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.1. +.TH FAIL2BAN-TESTCASES "1" "July 2015" "fail2ban-testcases 0.9.3" "User Commands" +.SH NAME +fail2ban-testcases \- run Fail2Ban unit-tests +.SH SYNOPSIS +.B fail2ban-testcases +[\fI\,OPTIONS\/\fR] [\fI\,regexps\/\fR] +.SH DESCRIPTION +Script to run Fail2Ban tests battery +.SH OPTIONS +.TP +\fB\-\-version\fR +show program's version number and exit +.TP +\fB\-h\fR, \fB\-\-help\fR +show this help message and exit +.TP +\fB\-l\fR LOG_LEVEL, \fB\-\-log\-level\fR=\fI\,LOG_LEVEL\/\fR +Log level for the logger to use during running tests +.TP +\fB\-n\fR, \fB\-\-no\-network\fR +Do not run tests that require the network +.TP +\fB\-t\fR, \fB\-\-log\-traceback\fR +Enrich log\-messages with compressed tracebacks +.TP +\fB\-\-full\-traceback\fR +Either to make the tracebacks full, not compressed (as +by default) +.SH "SEE ALSO" +.br +fail2ban-client(1) +fail2ban-server(1) +fail2ban-regex(1) diff --git a/man/fail2ban-testcases.h2m b/man/fail2ban-testcases.h2m new file mode 100644 index 00000000..457c5d7c --- /dev/null +++ b/man/fail2ban-testcases.h2m @@ -0,0 +1,11 @@ +Include file for help2man man page +$Id: $ + +[name] +fail2ban-testcases \- run Fail2Ban unit-tests + +[see also] +.br +fail2ban-client(1) +fail2ban-server(1) +fail2ban-regex(1) diff --git a/man/generate-man b/man/generate-man index f18c3604..1ce73f76 100755 --- a/man/generate-man +++ b/man/generate-man @@ -40,6 +40,11 @@ echo -n "Generating fail2ban-server " help2man --section=1 --no-info --include=fail2ban-server.h2m --output fail2ban-server.1 ../bin/fail2ban-server echo "[done]" +# fail2ban-testcases +echo -n "Generating fail2ban-testcases " +help2man --section=1 --no-info --include=fail2ban-testcases.h2m --output fail2ban-testcases.1 ../bin/fail2ban-testcases +echo "[done]" + # fail2ban-regex echo -n "Generating fail2ban-regex " help2man --section=1 --no-info --include=fail2ban-regex.h2m --output fail2ban-regex.1 ../bin/fail2ban-regex diff --git a/man/jail.conf.5 b/man/jail.conf.5 index db30251c..45eea040 100644 --- a/man/jail.conf.5 +++ b/man/jail.conf.5 @@ -279,7 +279,7 @@ concatenated string of the log file lines of the matches that generated the ban. .B ipmatches As per \fBmatches\fR, but includes all lines for the IP which are contained with the fail2ban persistent database. Therefore the database must be set for this tag to function. .TP -.B ipjailmatches\ +.B ipjailmatches As per \fBipmatches\fR, but matches are limited for the IP and for the current jail. .SH "PYTHON ACTION FILES" @@ -39,8 +39,9 @@ except ImportError: from distutils.command.build_py import build_py from distutils.command.build_scripts import build_scripts import os -from os.path import isfile, join, isdir -import sys, warnings +from os.path import isfile, join, isdir, realpath +import sys +import warnings from glob import glob if setuptools and "test" in sys.argv: @@ -77,6 +78,13 @@ if setuptools: else: setup_extra = {} +data_files_extra = [] +if os.path.exists('/var/run'): + # if we are on the system with /var/run -- we are to use it for having fail2ban/ + # directory there for socket file etc. + # realpath is used to possibly resolve /var/run -> /run symlink + data_files_extra += [(realpath('/var/run/fail2ban'), '')] + # Get version number, avoiding importing fail2ban. # This is due to tests not functioning for python3 as 2to3 takes place later exec(open(join("fail2ban", "version.py")).read()) @@ -144,7 +152,7 @@ setup( ['README.md', 'README.Solaris', 'DEVELOP', 'FILTERS', 'doc/run-rootless.txt'] ) - ], + ] + data_files_extra, **setup_extra ) |