author | sebres <serg.brester@sebres.de> | 2017-07-03 12:43:48 +0200 |
---|---|---|
committer | sebres <serg.brester@sebres.de> | 2017-07-03 12:43:48 +0200 |
commit | 33fcf8d80984ac7d4437d1ad2a401c26623efaaf (patch) | |
tree | 594a11e1b9c046db35e7c21e10085cb0b9c4db7d | |
parent | 1307e0a5b97ecd63c5f4bf8049cb614953aeddea (diff) | |
parent | 9f55ed86df19d990890c0103f038a147cb7145b9 (diff) | |
download | fail2ban-33fcf8d80984ac7d4437d1ad2a401c26623efaaf.tar.gz |
Merge branch 'master' into 0.10
-rw-r--r-- | ChangeLog | 3 | ||||
-rw-r--r-- | config/action.d/bsd-ipfw.conf | 10 | ||||
-rw-r--r-- | config/filter.d/proftpd.conf | 3 | ||||
-rw-r--r-- | fail2ban/tests/banmanagertestcase.py | 9 |
4 files changed, 19 insertions, 6 deletions
@@ -325,6 +325,9 @@ releases. ### Fixes * Fix for systemd-backend: fail2ban hits the ulimit (out of file descriptors), see gh-991. Partially back-ported from v.0.10. +* action.d/bsd-ipfw.conf + - Make the rule number, the action starts looking for a free slot to insert + the new rule, configurable (gh-1689) * filter.d/apache-overflows.conf: - Fixes resources greedy expression (see gh-1790); - Rewritten without end-anchor ($), because of potential vulnerability on very long URLs. diff --git a/config/action.d/bsd-ipfw.conf b/config/action.d/bsd-ipfw.conf index 8b0a51aa..65a5e39b 100644 --- a/config/action.d/bsd-ipfw.conf +++ b/config/action.d/bsd-ipfw.conf @@ -14,7 +14,7 @@ # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # -actionstart = ipfw show | fgrep -q 'table(<table>)' || ( ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e <br> else exit b }'; num=$?; ipfw -q add $num <blocktype> <block> from table\(<table>\) to me <port>; echo $num > "<startstatefile>" ) +actionstart = ipfw show | fgrep -q 'table(<table>)' || ( ipfw show | awk 'BEGIN { b = <lowest_rule_num> } { if ($1 < b) {} else if ($1 == b) { b = $1 + 1 } else { e = b } } END { if (e) exit e <br> else exit b }'; num=$?; ipfw -q add $num <blocktype> <block> from table\(<table>\) to me <port>; echo $num > "<startstatefile>" ) # Option: actionstop @@ -81,3 +81,11 @@ block = ip # Values: STRING # blocktype = unreach port + +# Option: lowest_rule_num +# Notes: When fail2ban starts with action and there is no rule for the given table yet +# then fail2ban will start looking for an empty slot starting with this rule number. +# Values: NUM +lowest_rule_num = 111 + + diff --git a/config/filter.d/proftpd.conf b/config/filter.d/proftpd.conf index 455bbdfc..a7bd2837 100644 --- a/config/filter.d/proftpd.conf +++ b/config/filter.d/proftpd.conf 
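Review bot: In the new `actionstart`, the rule number still travels from awk to the shell through the process exit status (`exit e` / `exit b`, then `num=$?`), and an exit status only carries values 0–255. Now that the starting value is configurable, a `lowest_rule_num` above 255 would be truncated, and the block rule could be inserted at a lower position in the ruleset than the administrator intended. Printing the number and capturing it removes the limit: end the awk program with `END { print (e ? e : b) }` and assign the result with `num=$(ipfw show | awk '...')`. If the exit-status approach is kept, the option comment added in the second bsd-ipfw.conf hunk should state the bound, for example `# Values: NUM (1-255) Default: 111`. That comment should also say the value must be a plain integer, because it is substituted textually into the awk program.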
@@ -27,5 +27,8 @@ failregex = ^USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$ ignoreregex = +[Init] +journalmatch = _SYSTEMD_UNIT=proftpd.service + # Author: Yaroslav Halchenko # Daniel Black - hardening of regex diff --git a/fail2ban/tests/banmanagertestcase.py b/fail2ban/tests/banmanagertestcase.py index b818d617..33cd2dac 100644 --- a/fail2ban/tests/banmanagertestcase.py +++ b/fail2ban/tests/banmanagertestcase.py @@ -198,13 +198,12 @@ class StatusExtendedCymruInfo(unittest.TestCase): "country": ["nxdomain"], "rir": ["nxdomain"]}) - # even for private IPs ASNs defined # Since it outputs for all active tickets we would get previous results # and new ones - ticket = BanTicket("10.0.0.0", 1167606000.0) + ticket = BanTicket("8.0.0.0", 1167606000.0) self.assertTrue(self.__banManager.addBanTicket(ticket)) cymru_info = self._getBanListExtendedCymruInfo() self.assertDictEqual(dict((k, sorted(v)) for k, v in cymru_info.iteritems()), - {"asn": sorted(["nxdomain", "4565",]), - "country": sorted(["nxdomain", "unknown"]), - "rir": sorted(["nxdomain", "other"])}) + {"asn": sorted(["nxdomain", "3356",]), + "country": sorted(["nxdomain", "US"]), + "rir": sorted(["nxdomain", "arin"])}) |
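Review bot: The added `journalmatch` pins the systemd backend to a unit named exactly `proftpd.service`, with no comment to say so. On a host where the daemon runs under a differently named unit, the filter would presumably match nothing and issue no bans, without reporting any error. A comment above the line would make that dependency visible, for example `# systemd backend only; adjust the unit name if proftpd runs under a different unit`. The `[Init]` section is added after `ignoreregex`, and the rest of the file is outside the hunk.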
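Review bot: The new expected values `"3356"`, `"US"` and `"arin"` for `8.0.0.0` are external routing data, presumably fetched by a live Team Cymru lookup behind `_getBanListExtendedCymruInfo()`, whose body is not visible here. The assertion can therefore fail again whenever that allocation changes, which looks like the same drift that broke the replaced `10.0.0.0` expectation. The hunk also removes the comment `# even for private IPs ASNs defined` without replacing it, so nothing explains why this address was chosen. I would add `# 8.0.0.0: public address; expected ASN/country/RIR reflect Cymru data at the time of writing and may drift`. For a more durable test, assert only that each key holds `"nxdomain"` plus one further entry. The test method starts outside the hunk.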