Hello community,

here is the log from the commit of package fail2ban for openSUSE:Factory
checked in at 2011-11-24 12:35:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/fail2ban (Old)
 and /work/SRC/openSUSE:Factory/.fail2ban.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "fail2ban", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:Factory/fail2ban/fail2ban.changes 2011-09-23 01:57:16.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.fail2ban.new/fail2ban.changes 2011-11-24 11:36:04.000000000 +0100 @@ -1,0 +2,8 @@ +Fri Nov 18 22:04:03 UTC 2011 - [email protected] + +- Update to version 0.8.5: many bug fixes, enhancements and, as + a bonus, drop two patches that are now upstream +- Update FSF address to silent rpmlint warnings +- Drop stale socket files on startup (bnc#537239, bnc#730044) + +------------------------------------------------------------------- @@ -15 +23 @@ -Thu Jan 6 16:56:30 UTC 2011 - [email protected] +Thu Jan 6 16:56:30 UTC 2011 - [email protected] @@ -26 +34 @@ -Wed May 5 16:48:46 UTC 2010 - [email protected] +Wed May 5 16:48:46 UTC 2010 - [email protected] @@ -36 +44 @@ -Thu Nov 26 16:05:42 CET 2009 - [email protected] +Thu Nov 26 16:05:42 CET 2009 - [email protected] Old: ---- fail2ban-0.8.2-fd_cloexec.patch fail2ban-0.8.4.tar.bz2 fix-tmp-usage.diff New: ---- fail2ban-0.8.5-update-fsf-address.patch fail2ban-0.8.5.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ fail2ban.spec ++++++ --- /var/tmp/diff_new_pack.lJ1X0R/_old 2011-11-24 11:36:06.000000000 +0100 +++ /var/tmp/diff_new_pack.lJ1X0R/_new 2011-11-24 11:36:06.000000000 +0100 
@@ -15,23 +15,24 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # + + Name: fail2ban License: GPLv2+ Group: Productivity/Networking/Security -Requires: python >= 2.5, logrotate, cron +Requires: python >= 2.5, logrotate, cron, lsof BuildRequires: python-devel PreReq: %fillup_prereq -Version: 0.8.4 +Version: 0.8.5 Release: 13 Url: http://www.fail2ban.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch Summary: Bans IP addresses that make too many authentication failures -Source0: http://download.sourceforge.net/sourceforge/fail2ban/%{name}-%{version}.tar.bz2 +Source0: %{name}-%{version}.tar.bz2 Source1: %{name}.init Source2: %{name}.sysconfig -Patch: fail2ban-0.8.2-fd_cloexec.patch -Patch1: fix-tmp-usage.diff +Patch0: fail2ban-0.8.5-update-fsf-address.patch %description Fail2ban scans log files like /var/log/messages and bans IP addresses @@ -42,9 +43,7 @@ %prep %setup -perl -pi -e 's;/usr/local/;/usr/;g' files/suse-initd -%patch -p1 -%patch1 -p1 +%patch0 -p1 %build export CFLAGS="$RPM_OPT_FLAGS" ++++++ fail2ban-0.8.5-update-fsf-address.patch ++++++ ++++ 650 lines (skipped) ++++++ fail2ban-0.8.4.tar.bz2 -> fail2ban-0.8.5.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fail2ban-0.8.4/ChangeLog new/fail2ban-0.8.5/ChangeLog --- old/fail2ban-0.8.4/ChangeLog 2009-09-07 21:11:29.000000000 +0200 +++ new/fail2ban-0.8.5/ChangeLog 2011-07-29 05:07:09.000000000 +0200 
@@ -4,9 +4,47 @@ |_| \__,_|_|_/___|_.__/\__,_|_||_| ================================================================================ -Fail2Ban (version 0.8.4) 2009/09/07 +Fail2Ban (version 0.8.5) 2011/07/28 ================================================================================ +ver. 0.8.5 (2011/07/28) - stable +---------- +- Fix: use addfailregex instead of failregex while processing per-jail + "failregex" parameter (Fixed Debian bug #635830, LP: #635036). Thanks to + Marat Khayrullin for the patch and Daniel T Chen for forwarding to + Debian. +- Fix: use os.path.join to generate full path - fixes includes in configs + given local filename (5 weeks ago) [yarikoptic] +- Fix: allowed for trailing spaces in proftpd logs +- Fix: escaped () in pure-ftpd filter. Thanks to Teodor +- Fix: allowed space in the trailing of failregex for sasl.conf: + see http://bugs.debian.org/573314 +- Fix: use /var/run/fail2ban instead of /tmp for temp files in actions: + see http://bugs.debian.org/544232 +- Fix: Tai64N stores time in GMT, needed to convert to local time before + returning +- Fix: disabled named-refused-udp jail entirely with a big fat warning +- Fix: added time module. Bug reported in buanzo's blog: + see http://blogs.buanzo.com.ar/2009/04/fail2ban-patch-ban-ip-address-manually.html +- Fix: Patch to make log file descriptors cloexec to stop leaking file + descriptors on fork/exec. Thanks to Jonathan Underwood: + see https://bugzilla.redhat.com/show_bug.cgi?id=230191#c24 +- Enhancement: added author for dovecot filter and pruned unneeded space + in the regexp +- Enhancement: proftpd filter -- if login failed -- count regardless of the + reason for failure +- Enhancement: added <chain> to action.d/iptables*. 
Thanks to Matthijs Kooijman: + see http://bugs.debian.org/515599 +- Enhancement: added filter.d/dovecot.conf from Martin Waschbuesch +- Enhancement: made filter.d/apache-overflows.conf catch more: + see http://bugs.debian.org/574182 +- Enhancement: added dropbear filter from Francis Russell and Zak B. Elep: + see http://bugs.debian.org/546913 +- Enhancement: changed default ignoreip to ignore entire loopback zone (/8): + see http://bugs.debian.org/598200 +- Minor: spell-checked jail.conf. Thanks to Christoph Anton Mitterer +- Few minor cosmetic changes + ver. 0.8.4 (2009/09/07) - stable ---------- - Check the inode number for rotation in addition to checking the first line of diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fail2ban-0.8.4/README new/fail2ban-0.8.5/README --- old/fail2ban-0.8.4/README 2009-09-07 21:12:24.000000000 +0200 +++ new/fail2ban-0.8.5/README 2011-07-29 05:07:09.000000000 +0200 @@ -4,7 +4,7 @@ |_| \__,_|_|_/___|_.__/\__,_|_||_| ================================================================================ -Fail2Ban (version 0.8.4) 2009/09/07 +Fail2Ban (version 0.8.5) 2011/07/26 ================================================================================ Fail2Ban scans log files like /var/log/pwdfail and bans IP that makes too many diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fail2ban-0.8.4/client/configparserinc.py new/fail2ban-0.8.5/client/configparserinc.py --- old/fail2ban-0.8.4/client/configparserinc.py 2008-03-04 01:17:56.000000000 +0100 +++ new/fail2ban-0.8.5/client/configparserinc.py 2011-07-29 05:07:09.000000000 +0200 @@ -43,7 +43,7 @@ [INCLUDES] before = 1.conf - 3.conf + 3.conf after = 1.conf 
@@ -54,8 +54,8 @@ the tree. I wasn't sure what would be the right way to implement generic (aka c++ - template) so we could base at any *configparser class... so I will - leave it for the future + template) so we could base at any *configparser class... so I will + leave it for the future """ @@ -86,7 +86,7 @@ if os.path.isabs(newResource): r = newResource else: - r = "%s/%s" % (resourceDir, newResource) + r = os.path.join(resourceDir, newResource) if r in seen: continue s = seen + [resource] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fail2ban-0.8.4/client/jailreader.py new/fail2ban-0.8.5/client/jailreader.py --- old/fail2ban-0.8.4/client/jailreader.py 2008-05-12 10:34:43.000000000 +0200 +++ new/fail2ban-0.8.5/client/jailreader.py 2011-07-29 05:07:09.000000000 +0200 @@ -120,7 +120,7 @@ elif opt == "bantime": stream.append(["set", self.__name, "bantime", self.__opts[opt]]) elif opt == "failregex": - stream.append(["set", self.__name, "failregex", self.__opts[opt]]) + stream.append(["set", self.__name, "addfailregex", self.__opts[opt]]) elif opt == "ignoreregex": for regex in self.__opts[opt].split('\n'): # Do not send a command if the rule is empty. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fail2ban-0.8.4/common/version.py new/fail2ban-0.8.5/common/version.py --- old/fail2ban-0.8.4/common/version.py 2009-09-07 21:13:46.000000000 +0200 +++ new/fail2ban-0.8.5/common/version.py 2011-07-29 05:07:09.000000000 +0200 
@@ -21,7 +21,7 @@ __author__ = "Cyril Jaquier" __version__ = "$Revision: 754 $" __date__ = "$Date: 2009-09-07 21:13:45 +0200 (Mon, 07 Sep 2009) $" -__copyright__ = "Copyright (c) 2004 Cyril Jaquier" +__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011 Yaroslav Halchenko" __license__ = "GPL" -version = "0.8.4" +version = "0.8.5" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fail2ban-0.8.4/config/action.d/dshield.conf new/fail2ban-0.8.5/config/action.d/dshield.conf --- old/fail2ban-0.8.4/config/action.d/dshield.conf 2008-07-14 19:13:47.000000000 +0200 +++ new/fail2ban-0.8.5/config/action.d/dshield.conf 2011-07-29 05:07:09.000000000 +0200 @@ -206,5 +206,5 @@ # Notes.: Base name of temporary files used for buffering # Values: [ STRING ] Default: /tmp/fail2ban-dshield # -tmpfile = /tmp/fail2ban-dshield +tmpfile = /var/run/fail2ban/tmp-dshield diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fail2ban-0.8.4/config/action.d/iptables-allports.conf new/fail2ban-0.8.5/config/action.d/iptables-allports.conf --- old/fail2ban-0.8.4/config/action.d/iptables-allports.conf 2008-03-04 23:41:29.000000000 +0100 +++ new/fail2ban-0.8.5/config/action.d/iptables-allports.conf 2011-07-29 05:07:09.000000000 +0200 @@ -15,13 +15,13 @@ # actionstart = iptables -N fail2ban-<name> iptables -A fail2ban-<name> -j RETURN - iptables -I INPUT -p <protocol> -j fail2ban-<name> + iptables -I <chain> -p <protocol> -j fail2ban-<name> # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p <protocol> -j fail2ban-<name> +actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name> iptables -F fail2ban-<name> iptables -X fail2ban-<name> 
@@ -29,7 +29,7 @@ # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name> +actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name> # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -63,3 +63,8 @@ # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fail2ban-0.8.4/config/action.d/iptables-multiport-log.conf new/fail2ban-0.8.5/config/action.d/iptables-multiport-log.conf --- old/fail2ban-0.8.4/config/action.d/iptables-multiport-log.conf 2008-03-05 23:37:21.000000000 +0100 +++ new/fail2ban-0.8.5/config/action.d/iptables-multiport-log.conf 2011-07-29 05:07:09.000000000 +0200 @@ -5,7 +5,7 @@ # # make "fail2ban-<name>" chain to match drop IP # make "fail2ban-<name>-log" chain to log and drop -# insert a jump to fail2ban-<name> from -I INPUT if proto/port match +# insert a jump to fail2ban-<name> from -I <chain> if proto/port match # # $Revision: 668 $ # @@ -18,7 +18,7 @@ # actionstart = iptables -N fail2ban-<name> iptables -A fail2ban-<name> -j RETURN - iptables -I INPUT 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name> + iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name> iptables -N fail2ban-<name>-log iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2 iptables -A fail2ban-<name>-log -j DROP 
@@ -27,7 +27,7 @@ # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name> +actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name> iptables -F fail2ban-<name> iptables -F fail2ban-<name>-log iptables -X fail2ban-<name> @@ -76,3 +76,9 @@ # Values: [ tcp | udp | icmp | all ] Default: tcp # protocol = tcp + +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fail2ban-0.8.4/config/action.d/iptables-multiport.conf new/fail2ban-0.8.5/config/action.d/iptables-multiport.conf --- old/fail2ban-0.8.4/config/action.d/iptables-multiport.conf 2008-03-04 23:41:29.000000000 +0100 +++ new/fail2ban-0.8.5/config/action.d/iptables-multiport.conf 2011-07-29 05:07:09.000000000 +0200 @@ -13,13 +13,13 @@ # actionstart = iptables -N fail2ban-<name> iptables -A fail2ban-<name> -j RETURN - iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name> + iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name> # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name> +actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name> iptables -F fail2ban-<name> iptables -X fail2ban-<name> @@ -27,7 +27,7 @@ # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name> +actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name> # Option: actionban # Notes.: command executed when banning an IP. Take care that the 
@@ -67,3 +67,8 @@ # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fail2ban-0.8.4/config/action.d/iptables-new.conf new/fail2ban-0.8.5/config/action.d/iptables-new.conf --- old/fail2ban-0.8.4/config/action.d/iptables-new.conf 2008-03-04 23:41:29.000000000 +0100 +++ new/fail2ban-0.8.5/config/action.d/iptables-new.conf 2011-07-29 05:07:09.000000000 +0200 @@ -15,13 +15,13 @@ # actionstart = iptables -N fail2ban-<name> iptables -A fail2ban-<name> -j RETURN - iptables -I INPUT -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name> + iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name> # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name> +actionstop = iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name> iptables -F fail2ban-<name> iptables -X fail2ban-<name> @@ -29,7 +29,7 @@ # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name> +actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name> # Option: actionban # Notes.: command executed when banning an IP. Take care that the 
@@ -69,3 +69,8 @@ # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fail2ban-0.8.4/config/action.d/iptables.conf new/fail2ban-0.8.5/config/action.d/iptables.conf --- old/fail2ban-0.8.4/config/action.d/iptables.conf 2008-03-04 23:41:29.000000000 +0100 +++ new/fail2ban-0.8.5/config/action.d/iptables.conf 2011-07-29 05:07:09.000000000 +0200 @@ -13,13 +13,13 @@ # actionstart = iptables -N fail2ban-<name> iptables -A fail2ban-<name> -j RETURN - iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name> + iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name> # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name> +actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name> iptables -F fail2ban-<name> iptables -X fail2ban-<name> @@ -27,7 +27,7 @@ # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name> +actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name> # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -67,3 +67,8 @@ # protocol = tcp +# Option: chain +# Notes specifies the iptables chain to which the fail2ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fail2ban-0.8.4/config/action.d/mail-buffered.conf new/fail2ban-0.8.5/config/action.d/mail-buffered.conf --- old/fail2ban-0.8.4/config/action.d/mail-buffered.conf 2008-07-16 23:11:43.000000000 +0200 +++ new/fail2ban-0.8.5/config/action.d/mail-buffered.conf 2011-07-29 05:07:09.000000000 +0200 
@@ -81,7 +81,7 @@ # Default temporary file # -tmpfile = /tmp/fail2ban-mail.txt +tmpfile = /var/run/fail2ban/tmp-mail.txt # Destination/Addressee of the mail # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fail2ban-0.8.4/config/action.d/mynetwatchman.conf new/fail2ban-0.8.5/config/action.d/mynetwatchman.conf --- old/fail2ban-0.8.4/config/action.d/mynetwatchman.conf 2008-07-14 19:14:13.000000000 +0200 +++ new/fail2ban-0.8.5/config/action.d/mynetwatchman.conf 2011-07-29 05:07:09.000000000 +0200 @@ -141,4 +141,4 @@ # Notes.: Base name of temporary files # Values: [ STRING ] Default: /tmp/fail2ban-mynetwatchman # -tmpfile = /tmp/fail2ban-mynetwatchman +tmpfile = /var/run/fail2ban/tmp-mynetwatchman diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fail2ban-0.8.4/config/action.d/sendmail-buffered.conf new/fail2ban-0.8.5/config/action.d/sendmail-buffered.conf --- old/fail2ban-0.8.4/config/action.d/sendmail-buffered.conf 2008-07-16 23:11:43.000000000 +0200 +++ new/fail2ban-0.8.5/config/action.d/sendmail-buffered.conf 2011-07-29 05:07:09.000000000 +0200 @@ -101,5 +101,5 @@ # Default temporary file # -tmpfile = /tmp/fail2ban-mail.txt +tmpfile = /var/run/fail2ban/tmp-mail.txt diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fail2ban-0.8.4/config/filter.d/apache-overflows.conf new/fail2ban-0.8.5/config/filter.d/apache-overflows.conf --- old/fail2ban-0.8.4/config/filter.d/apache-overflows.conf 2008-03-05 23:37:22.000000000 +0100 +++ new/fail2ban-0.8.5/config/filter.d/apache-overflows.conf 2011-07-29 05:07:09.000000000 +0200 
@@ -11,7 +11,7 @@ # Notes.: Regexp to catch Apache overflow attempts. # Values: TEXT # -failregex = [[]client <HOST>[]] (Invalid method in request|request failed: URI too long|erroneous characters after protocol string) +failregex = [[]client <HOST>[]] (Invalid (method|URI) in request|request failed: URI too long|erroneous characters after protocol string) # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fail2ban-0.8.4/config/filter.d/dovecot.conf new/fail2ban-0.8.5/config/filter.d/dovecot.conf --- old/fail2ban-0.8.4/config/filter.d/dovecot.conf 1970-01-01 01:00:00.000000000 +0100 +++ new/fail2ban-0.8.5/config/filter.d/dovecot.conf 2011-07-29 05:07:09.000000000 +0200 @@ -0,0 +1,23 @@ +# Fail2Ban configuration file for dovcot +# +# Author: Martin Waschbuesch +# +# $Revision: $ +# + +[Definition] + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "<HOST>" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) +# Values: TEXT +# +failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.* + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fail2ban-0.8.4/config/filter.d/dropbear.conf new/fail2ban-0.8.5/config/filter.d/dropbear.conf --- old/fail2ban-0.8.4/config/filter.d/dropbear.conf 1970-01-01 01:00:00.000000000 +0100 +++ new/fail2ban-0.8.5/config/filter.d/dropbear.conf 2011-07-29 05:07:09.000000000 +0200 
@@ -0,0 +1,52 @@ +# Fail2Ban configuration file +# +# Author: Francis Russell +# Zak B. Elep +# +# $Revision$ +# +# More information: http://bugs.debian.org/546913 + +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + + +[Definition] + +_daemon = dropbear + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "<HOST>" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P<host>\S+) +# Values: TEXT + +# These match the unmodified dropbear messages. It isn't possible to +# match the source of the 'exit before auth' messages from dropbear. +# +failregex = ^%(__prefix_line)slogin attempt for nonexistent user ('.*' )?from <HOST>:.*\s*$ + ^%(__prefix_line)sbad password attempt for .+ from <HOST>:.*\s*$ + +# The only line we need to match with the modified dropbear. + +# NOTE: The failregex below is ONLY intended to work with a patched +# version of Dropbear as described here: +# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches +# +# The standard Dropbear output doesn't provide enough information to +# ban all types of attack. The Dropbear patch adds IP address +# information to the 'exit before auth' message which is always +# produced for any form of non-successful login. It is that message +# which this file matches. + +# failregex = ^%(__prefix_line)sexit before auth from <HOST>.*\s*$ + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. 
+# Values: TEXT +# +ignoreregex = diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fail2ban-0.8.4/config/filter.d/proftpd.conf new/fail2ban-0.8.5/config/filter.d/proftpd.conf --- old/fail2ban-0.8.4/config/filter.d/proftpd.conf 2009-02-08 18:31:30.000000000 +0100 +++ new/fail2ban-0.8.5/config/filter.d/proftpd.conf 2011-07-29 05:07:09.000000000 +0200 @@ -14,10 +14,10 @@ # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # -failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$ - \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$ - \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$ - \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$ +failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+ *$ + \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): .*$ + \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\. *$ + \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fail2ban-0.8.4/config/filter.d/pure-ftpd.conf new/fail2ban-0.8.5/config/filter.d/pure-ftpd.conf --- old/fail2ban-0.8.4/config/filter.d/pure-ftpd.conf 2009-02-08 18:16:34.000000000 +0100 +++ new/fail2ban-0.8.5/config/filter.d/pure-ftpd.conf 2011-07-29 05:07:09.000000000 +0200 
@@ -19,7 +19,7 @@ # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # -failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$ +failregex = pure-ftpd(?:\[\d+\])?: \(.+?@<HOST>\) \[WARNING\] %(__errmsg)s \[.+\]\s*$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fail2ban-0.8.4/config/filter.d/sasl.conf new/fail2ban-0.8.5/config/filter.d/sasl.conf --- old/fail2ban-0.8.4/config/filter.d/sasl.conf 2009-02-08 18:31:30.000000000 +0100 +++ new/fail2ban-0.8.5/config/filter.d/sasl.conf 2011-07-29 05:07:09.000000000 +0200 @@ -14,7 +14,7 @@ # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # -failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$ +failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fail2ban-0.8.4/config/jail.conf new/fail2ban-0.8.5/config/jail.conf --- old/fail2ban-0.8.4/config/jail.conf 2009-09-01 21:43:23.000000000 +0200 +++ new/fail2ban-0.8.5/config/jail.conf 2011-07-29 05:07:09.000000000 +0200 @@ -5,7 +5,7 @@ # $Revision: 747 $ # -# The DEFAULT allows a global definition of the options. They can be override +# The DEFAULT allows a global definition of the options. They can be overridden # in each jail afterwards. [DEFAULT] @@ -13,7 +13,7 @@ # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. -ignoreip = 127.0.0.1 +ignoreip = 127.0.0.1/8 # "bantime" is the number of seconds that a host is banned. bantime = 600 
@@ -45,7 +45,7 @@ enabled = false filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] - sendmail-whois[name=SSH, [email protected], [email protected]] + sendmail-whois[name=SSH, [email protected], [email protected]] logpath = /var/log/sshd.log maxretry = 5 @@ -54,7 +54,7 @@ enabled = false filter = proftpd action = iptables[name=ProFTPD, port=ftp, protocol=tcp] - sendmail-whois[name=ProFTPD, [email protected]] + sendmail-whois[name=ProFTPD, [email protected]] logpath = /var/log/proftpd/proftpd.log maxretry = 6 @@ -66,7 +66,7 @@ filter = sasl backend = polling action = iptables[name=sasl, port=smtp, protocol=tcp] - sendmail-whois[name=sasl, [email protected]] + sendmail-whois[name=sasl, [email protected]] logpath = /var/log/mail.log # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is @@ -77,7 +77,7 @@ enabled = false filter = sshd action = hostsdeny - sendmail-whois[name=SSH, [email protected]] + sendmail-whois[name=SSH, [email protected]] ignoreregex = for myuser from logpath = /var/log/sshd.log @@ -101,7 +101,7 @@ enabled = false filter = postfix action = hostsdeny[file=/not/a/standard/path/hosts.deny] - sendmail[name=Postfix, [email protected]] + sendmail[name=Postfix, [email protected]] logpath = /var/log/postfix.log bantime = 300 @@ -112,7 +112,7 @@ enabled = false filter = vsftpd -action = sendmail-whois[name=VSFTPD, [email protected]] +action = sendmail-whois[name=VSFTPD, [email protected]] logpath = /var/log/vsftpd.log maxretry = 5 bantime = 1800 @@ -124,7 +124,7 @@ enabled = false filter = vsftpd action = iptables[name=VSFTPD, port=ftp, protocol=tcp] - sendmail-whois[name=VSFTPD, [email protected]] + sendmail-whois[name=VSFTPD, [email protected]] logpath = /var/log/vsftpd.log maxretry = 5 bantime = 1800 
@@ -137,7 +137,7 @@ enabled = false filter = apache-badbots action = iptables-multiport[name=BadBots, port="http,https"] - sendmail-buffered[name=BadBots, lines=5, [email protected]] + sendmail-buffered[name=BadBots, lines=5, [email protected]] logpath = /var/www/*/logs/access_log bantime = 172800 maxretry = 1 @@ -149,7 +149,7 @@ enabled = false filter = apache-noscript action = shorewall - sendmail[name=Postfix, [email protected]] + sendmail[name=Postfix, [email protected]] logpath = /var/log/apache2/error_log # Ban attackers that try to use PHP's URL-fopen() functionality @@ -190,7 +190,7 @@ enabled = false filter = sshd action = ipfw[localhost=192.168.0.1] - sendmail-whois[name="SSH,IPFW", [email protected]] + sendmail-whois[name="SSH,IPFW", [email protected]] logpath = /var/log/auth.log ignoreip = 168.192.0.1 @@ -211,14 +211,22 @@ # in your named.conf to provide proper logging. # This jail blocks UDP traffic for DNS requests. -[named-refused-udp] - -enabled = false -filter = named-refused -action = iptables-multiport[name=Named, port="domain,953", protocol=udp] - sendmail-whois[name=Named, [email protected]] -logpath = /var/log/named/security.log -ignoreip = 168.192.0.1 +# !!! WARNING !!! +# Since UDP is connection-less protocol, spoofing of IP and imitation +# of illegal actions is way too simple. Thus enabling of this filter +# might provide an easy way for implementing a DoS against a chosen +# victim. See +# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html +# Please DO NOT USE this jail unless you know what you are doing. +# +# [named-refused-udp] +# +# enabled = false +# filter = named-refused +# action = iptables-multiport[name=Named, port="domain,953", protocol=udp] +# sendmail-whois[name=Named, [email protected]] +# logpath = /var/log/named/security.log +# ignoreip = 168.192.0.1 # This jail blocks TCP traffic for DNS requests. 
@@ -227,7 +235,7 @@ enabled = false filter = named-refused action = iptables-multiport[name=Named, port="domain,953", protocol=tcp] - sendmail-whois[name=Named, [email protected]] + sendmail-whois[name=Named, [email protected]] logpath = /var/log/named/security.log ignoreip = 168.192.0.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fail2ban-0.8.4/files/nagios/check_fail2ban new/fail2ban-0.8.5/files/nagios/check_fail2ban --- old/fail2ban-0.8.4/files/nagios/check_fail2ban 2009-01-27 23:54:11.000000000 +0100 +++ new/fail2ban-0.8.5/files/nagios/check_fail2ban 2011-07-29 05:07:09.000000000 +0200 @@ -99,7 +99,7 @@ # put a txt file on your server and describe how to fix the issue, this # could be attached to the mail. ###################################################################### -# mutt -s "FAIL2BAN NOT WORKING" [email protected] < /home/f2ban.txt +# mutt -s "FAIL2BAN NOT WORKING" [email protected] < /home/f2ban.txt exitstatus=$STATE_CRITICAL fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fail2ban-0.8.4/server/datetemplate.py new/fail2ban-0.8.5/server/datetemplate.py --- old/fail2ban-0.8.4/server/datetemplate.py 2009-02-08 20:50:45.000000000 +0100 +++ new/fail2ban-0.8.5/server/datetemplate.py 2011-07-29 05:07:09.000000000 +0200 @@ -1,4 +1,4 @@ -# -*- coding: utf8 -*- +# -*- coding: utf-8 -*- # This file is part of Fail2Ban. # # Fail2Ban is free software; you can redistribute it and/or modify 
@@ -168,7 +168,8 @@ # extract part of format which represents seconds since epoch value = dateMatch.group() seconds_since_epoch = value[2:17] - date = list(time.gmtime(int(seconds_since_epoch, 16))) + # convert seconds from HEX into local time stamp + date = list(time.localtime(int(seconds_since_epoch, 16))) return date diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fail2ban-0.8.4/server/filter.py new/fail2ban-0.8.5/server/filter.py --- old/fail2ban-0.8.4/server/filter.py 2009-09-01 23:21:35.000000000 +0200 +++ new/fail2ban-0.8.5/server/filter.py 2011-07-29 05:07:09.000000000 +0200 @@ -31,7 +31,7 @@ from mytime import MyTime from failregex import FailRegex, Regex, RegexException -import logging, re, os +import logging, re, os, fcntl, time # Gets the instance of the logger. logSys = logging.getLogger("fail2ban.filter") @@ -268,7 +268,11 @@ for element in self.processLine(line): ip = element[0] unixTime = element[1] + logSys.debug("Processing line with time:%s and ip:%s" + % (unixTime, ip)) if unixTime < MyTime.time() - self.getFindTime(): + logSys.debug("Ignore line since time %s < %s - %s" + % (unixTime, MyTime.time(), self.getFindTime())) break if self.inIgnoreIPList(ip): logSys.debug("Ignore %s" % ip) @@ -469,6 +473,9 @@ def open(self): self.__handler = open(self.__filename) + # Set the file descriptor to be FD_CLOEXEC + fd = self.__handler.fileno() + fcntl.fcntl(fd, fcntl.F_SETFD, fd | fcntl.FD_CLOEXEC) firstLine = self.__handler.readline() # Computes the MD5 of the first line. myHash = md5.new(firstLine).digest() ++++++ fail2ban.init ++++++ --- /var/tmp/diff_new_pack.lJ1X0R/_old 2011-11-24 11:36:06.000000000 +0100 +++ /var/tmp/diff_new_pack.lJ1X0R/_new 2011-11-24 11:36:06.000000000 +0100 
@@ -1,24 +1,5 @@ #!/bin/sh # -# Template SUSE system startup script for example daemon fail2ban -# Copyright (C) 2010 Klaus Sinvogel, SUSE / Novell Inc. -# -# This library is free software; you can redistribute it and/or modify it -# under the terms of the GNU Lesser General Public License as published by -# the Free Software Foundation; either version 2.1 of the License, or (at -# your option) any later version. -# -# This library is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, -# USA. -# -# ### BEGIN INIT INFO # Provides: fail2ban # Required-Start: $syslog $remote_fs $local_fs 
@@ -27,32 +8,28 @@ # Should-Stop: $time $network iptables # Default-Start: 3 5 # Default-Stop: 0 1 2 6 -# Short-Description: Bans IPs with too many password failures +# Short-Description: Bans IPs with too many authentication failures # Description: Start fail2ban to scan logfiles and ban IP addresses -# which make too many logfiles failures, and/or sent e-mails about +# which make too many logfiles failures, and/or sent e-mails about ### END INIT INFO # Check for missing binaries (stale symlinks should not happen) FAIL2BAN_CLI=/usr/bin/fail2ban-client -test -x $FAIL2BAN_CLI || { echo "$FAIL2BAN_CLI not installed"; +test -x $FAIL2BAN_CLI || { echo "$FAIL2BAN_CLI not installed"; if [ "$1" = "stop" ]; then exit 0; else exit 5; fi; } FAIL2BAN_SRV=/usr/bin/fail2ban-server -test -x $FAIL2BAN_SRV || { echo "$FAIL2BAN_SRV not installed"; +test -x $FAIL2BAN_SRV || { echo "$FAIL2BAN_SRV not installed"; if [ "$1" = "stop" ]; then exit 0; else exit 5; fi; } -# Check for existence of needed config file and read it -FAIL2BAN_CONFIG=/etc/sysconfig/fail2ban -test -r $FAIL2BAN_CONFIG || { echo "$FAIL2BAN_CONFIG not existing"; - if [ "$1" = "stop" ]; then exit 0; - else exit 6; fi; } - -# Socket directory -FAIL2BAN_SOCK_DIR="/var/run/fail2ban" - -# Read config -. $FAIL2BAN_CONFIG +FAIL2BAN_CONFIG="/etc/sysconfig/fail2ban" +FAIL2BAN_SOCKET_DIR="/var/run/fail2ban" +FAIL2BAN_SOCKET="$FAIL2BAN_SOCKET_DIR/fail2ban.sock" + +if [ -e $FAIL2BAN_CONFIG ]; then + . $FAIL2BAN_CONFIG +fi . /etc/rc.status rc_reset 
@@ -61,103 +38,59 @@ start) echo -n "Starting fail2ban " - if [ ! -d $FAIL2BAN_SOCK_DIR ]; then - mkdir -p $FAIL2BAN_SOCK_DIR + if [ ! -d $FAIL2BAN_SOCKET_DIR ]; then + mkdir -p $FAIL2BAN_SOCKET_DIR + fi + + if [ -e $FAIL2BAN_SOCKET ]; then + if ! lsof -n $FAIL2BAN_SOCKET &>/dev/null; then + rm $FAIL2BAN_SOCKET + fi fi - ## Start daemon with startproc(8). If this fails - ## the return value is set appropriately by startproc. - startproc $FAIL2BAN_CLI -q $FAIL2BAN_OPTIONS start > /dev/null 2>&1 + /sbin/startproc $FAIL2BAN_CLI -q $FAIL2BAN_OPTIONS start &>/dev/null 2>&1 - # Remember status and be verbose rc_status -v ;; stop) echo -n "Shutting down fail2ban " ## Stop daemon with built-in functionality 'stop' - startproc -w $FAIL2BAN_CLI -q stop > /dev/null 2>&1 + /sbin/startproc -w $FAIL2BAN_CLI -q stop > /dev/null 2>&1 - # Remember status and be verbose rc_status -v ;; try-restart|condrestart) - ## Do a restart only if the service was active before. - ## Note: try-restart is now part of LSB (as of 1.9). - ## RH has a similar command named condrestart. - if test "$1" = "condrestart"; then - echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}" - fi $0 status if test $? = 0; then $0 restart else rc_reset # Not running is not a failure. fi - # Remember status and be quiet rc_status ;; restart) - ## Stop the service and regardless of whether it was - ## running or not, start it again. $0 stop + i=60 + while [ -e $FAIL2BAN_SOCKET ] && [ $i -gt 0 ]; do + sleep 1 + i=$[$i-1] + echo -n "." + done $0 start - # Remember status and be quiet rc_status ;; - force-reload) - ## Signal the daemon to reload its config. Most daemons - ## do this on signal 1 (SIGHUP). - ## If it does not support it, restart the service if it - ## is running. 
- - echo -n "Reload service fail2ban " - killproc -HUP $FAIL2BAN_SRV - rc_status -v - - ## Otherwise: - #$0 try-restart - #rc_status - ;; - reload) - ## Like force-reload, but if daemon does not support - ## signaling, do nothing (!) - - # If it supports signaling: - echo -n "Reload service fail2ban " - startproc $FAIL2BAN_CLI -q reload > /dev/null 2>&1 + reload|force-reload) + echo -n "Reload service Fail2ban " + /sbin/startproc $FAIL2BAN_CLI -q reload > /dev/null 2>&1 rc_status -v - - ## Otherwise if it does not support reload: - #rc_failed 3 - #rc_status -v ;; status) echo -n "Checking for service fail2ban " - ## Check status with checkproc(8), if process is running - ## checkproc will return with exit status 0. + /sbin/checkproc $FAIL2BAN_SRV - # Return value is slightly different for the status command: - # 0 - service up and running - # 1 - service dead, but /var/run/ pid file exists - # 2 - service dead, but /var/lock/ lock file exists - # 3 - service not running (unused) - # 4 - service status unknown :-( - # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.) - - # NOTE: checkproc returns LSB compliant status values. - checkproc $FAIL2BAN_SRV - # NOTE: rc_status knows that we called this init script with - # "status" option and adapts its messages accordingly. rc_status -v ;; - probe) - ## Optional: Probe for the necessity of a reload, print out the - ## argument to this init script which is required for a reload. - ## Note: probe is not (yet) part of LSB (as of 1.9) - - test /etc/fail2ban/fail2ban.conf -nt /var/run/fail2ban/fail2ban.pid && echo reload - ;; *) echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}" exit 1 -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
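Review bot: In the server/datetemplate.py hunk at @@ -168,7 +168,8 @@, switching time.gmtime to time.localtime makes the returned list depend on the daemon's time zone, and the hunk does not show how callers turn that list back into seconds. Please say in the new comment which conversion the caller is expected to apply (a local-time one such as time.mktime would pair with this change), because a mismatch shifts every parsed time by the UTC offset and lines would then be judged wrongly against the find time in filter.py.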
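Review bot: In the server/filter.py hunk at @@ -268,7 +268,11 @@, both new logSys.debug calls build their message with % for every matched line even when debug logging is off, and the second one calls MyTime.time() again, so the logged value can differ from the one used in the comparison. Pass the values as logging arguments, e.g. logSys.debug("Processing line with time:%s and ip:%s", unixTime, ip), and compute MyTime.time() once before the if so the log shows the threshold that was actually applied.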
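Review bot: In the server/filter.py hunk at @@ -469,6 +473,9 @@, the F_SETFD call ORs FD_CLOEXEC into the descriptor number (fd | fcntl.FD_CLOEXEC) instead of into the descriptor's current flags. Close-on-exec still ends up set because the OR includes FD_CLOEXEC, but the bits of the fd number are passed along as flag bits. Read the flags first with flags = fcntl.fcntl(fd, fcntl.F_GETFD), then call fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC), so the open log file is reliably kept out of any command the server executes.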
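Review bot: In the fail2ban.init hunk at @@ -1,24 +1,5 @@, the whole copyright and LGPL notice is removed and nothing replaces it, leaving the init script with no license or author statement. If the aim was only to silence the rpmlint warning about the outdated FSF postal address mentioned in the changelog, keep the header and correct the address, or add a short license line in its place.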
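Review bot: In the fail2ban.init hunk at @@ -27,32 +8,28 @@, FAIL2BAN_SOCKET is hard-coded to $FAIL2BAN_SOCKET_DIR/fail2ban.sock with nothing tying it to the socket path the server is configured to use, and because the sysconfig file is sourced after the assignment it can also be overridden without notice. The start and restart branches later test, remove and wait on this path, so please document that the two must agree or derive the path from one place. The config test also changed from -r with exit 6 to -e, so an existing but unreadable file now reaches the . command instead of being reported; [ -r "$FAIL2BAN_CONFIG" ] with the variable quoted would keep that case handled.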
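Review bot: In the fail2ban.init hunk at @@ -61,103 +38,59 @@, the start branch uses &>/dev/null (in the lsof test and on the startproc line) and the restart loop uses i=$[$i-1], both bash extensions in a script that declares #!/bin/sh. A POSIX shell reads cmd &>/dev/null as cmd & followed by a redirection, so the lsof result would no longer guard the rm and startproc would be backgrounded before rc_status runs; write >/dev/null 2>&1 and i=$((i-1)), and drop the duplicate 2>&1 on the startproc line. Also quote "$FAIL2BAN_SOCKET" in the test, lsof and rm calls, and remove probe from the Usage string now that the probe) case is gone.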
