Hello community,

here is the log from the commit of package fail2ban for openSUSE:Factory 
checked in at 2013-06-14 15:44:35
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/fail2ban (Old)
 and      /work/SRC/openSUSE:Factory/.fail2ban.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "fail2ban"

Changes:
--------
--- /work/SRC/openSUSE:Factory/fail2ban/fail2ban.changes        2013-06-05 
13:27:59.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.fail2ban.new/fail2ban.changes   2013-06-14 
15:44:37.000000000 +0200
@@ -1,0 +2,24 @@
+Thu Jun 13 08:58:53 UTC 2013 - [email protected]
+
+- Update to version 0.8.10 Primarily bugfix and enhancements release, triggered
+  by "bugs" in apache- filters.  If you are relying on listed below apache-
+  filters, upgrade asap and seek your distributions to patch their fail2ban
+  distribution with [6ccd5781]. The bug's decription can be found in
+  https://vndh.net/note:fail2ban-089-denial-service
+
+- Fixes
+  * [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor
+    failregex at the beginning (and where applicable at the end).
+    Addresses a possible DoS. Closes gh-248, bnc#824710
+  * action.d/{route,shorewall}.conf - blocktype must be defined
+    within [Init].  Closes gh-232
+
+- Enhancements
+  * jail.conf -- assure all jails have actions and remove unused
+    ports specifications
+  * config/filter.d/roundcube-auth.conf -- support roundcube 0.9+
+  * files/suse-initd -- update to the copy from stock SUSE
+  * Updates to asterisk filter. Closes gh-227/gh-230.
+  * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh-244.
+
+------------------------------------------------------------------
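Review bot: In the first entry of this changelog hunk, "decription" should be "description", and the version runs straight into the summary ("Update to version 0.8.10 Primarily bugfix ..."). End the first sentence after the version number so the security-relevant part (upgrade because of the possible DoS in the apache- filters) stands out.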

Old:
----
  fail2ban-0.8.9.tar.gz

New:
----
  fail2ban-0.8.10.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ fail2ban.spec ++++++
--- /var/tmp/diff_new_pack.vRB5N4/_old  2013-06-14 15:44:38.000000000 +0200
+++ /var/tmp/diff_new_pack.vRB5N4/_new  2013-06-14 15:44:38.000000000 +0200
@@ -31,7 +31,7 @@
 BuildRequires:  logrotate
 BuildRequires:  python-devel
 PreReq:         %fillup_prereq
-Version:        0.8.9
+Version:        0.8.10
 Release:        0
 Url:            http://www.fail2ban.org/
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

++++++ fail2ban-0.8.9.tar.gz -> fail2ban-0.8.10.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fail2ban-0.8.9/ChangeLog 
new/fail2ban-0.8.10/ChangeLog
--- old/fail2ban-0.8.9/ChangeLog        2013-05-13 17:24:07.000000000 +0200
+++ new/fail2ban-0.8.10/ChangeLog       2013-06-12 19:21:12.000000000 +0200
@@ -4,9 +4,36 @@
                        |_| \__,_|_|_/___|_.__/\__,_|_||_|
 
 
================================================================================
-Fail2Ban (version 0.8.9)                                              
2013/05/13
+Fail2Ban (version 0.8.10)                                             
2013/06/12
 
================================================================================
 
+ver. 0.8.10 (2013/06/12) - wanna-be-secure
+-----------
+
+Primarily bugfix and enhancements release, triggered by "bugs" in
+apache- filters.  If you are relying on listed below apache- filters,
+upgrade asap and seek your distributions to patch their fail2ban
+distribution with [6ccd5781].
+
+- Fixes: Yaroslav Halchenko
+   * [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor
+     failregex at the beginning (and where applicable at the end).
+     Addresses a possible DoS. Closes gh-248
+   * action.d/{route,shorewall}.conf - blocktype must be defined
+     within [Init].  Closes gh-232
+- Enhancements
+  Yaroslav Halchenko
+   * jail.conf -- assure all jails have actions and remove unused
+     ports specifications
+  Terence Namusonge
+   * config/filter.d/roundcube-auth.conf -- support roundcube 0.9+
+  Daniel Black
+   * files/suse-initd -- update to the copy from stock SUSE
+  silviogarbes & Daniel Black
+    * Updates to asterisk filter. Closes gh-227/gh-230.
+  Carlos Alberto Lopez Perez
+    * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh-244.
+
 ver. 0.8.9 (2013/05/13) - wanna-be-stable
 ----------
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fail2ban-0.8.9/DEVELOP new/fail2ban-0.8.10/DEVELOP
--- old/fail2ban-0.8.9/DEVELOP  2013-05-13 17:24:07.000000000 +0200
+++ new/fail2ban-0.8.10/DEVELOP 2013-06-12 19:21:12.000000000 +0200
@@ -34,9 +34,19 @@
 * Include a change to the relevant section of the ChangeLog; and
 * Include yourself in THANKS if not already there.
 
-Testing
+Filters
 =======
 
+* Include sample logs with 1.2.3.4 used for IP addresses and 
+  example.com/example.org used for DNS names
+* Ensure ./fail2ban-regex testcases/files/logs/{samplelog} 
config/filter.d/{filter}.conf
+  has matches for EVERY regex
+* Ensure regexs end with a $ and are restrictive as possible. E.g. not .* if
+ [0-9]+ is sufficient
+
+Code Testing
+============
+
 Existing tests can be run by executing `fail2ban-testcases`. This has options
 like --log-level that will probably be useful. `fail2ban-testcases --help` for
 full options.
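Review bot: The new "Filters" checklist asks only for a trailing `$`, but the fix this release is built around ([6ccd5781] in the ChangeLog hunk) is anchoring failregex at the beginning. Add a bullet requiring a leading `^` as well, and ask for at least one sample line that must not match, as the new testcases/files/logs/apache-auth does. Minor: "regexs", and the "[0-9]+ is sufficient" continuation line is indented by one space instead of two.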
@@ -338,8 +348,10 @@
 
 Add the following to the top of the ChangeLog
 
-ver. 0.8.9 (2013/XX/XXX) - wanna-be-stable
+ver. 0.8.11 (2013/XX/XXX) - wanna-be-stable
 - Fixes
 - New Features
 - Enhancements
 
+and adjust common/version.py to carry .dev suffix to signal
+a version under development.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fail2ban-0.8.9/README.md 
new/fail2ban-0.8.10/README.md
--- old/fail2ban-0.8.9/README.md        2013-05-13 17:24:07.000000000 +0200
+++ new/fail2ban-0.8.10/README.md       2013-06-12 19:21:12.000000000 +0200
@@ -2,9 +2,9 @@
                         / _|__ _(_) |_  ) |__  __ _ _ _  
                        |  _/ _` | | |/ /| '_ \/ _` | ' \ 
                        |_| \__,_|_|_/___|_.__/\__,_|_||_|
-                       v0.8.9                  2013/05/13
+                       v0.8.10                  2013/06/12
 
-## Fail2Ban: ban hosts that cause multiple authentication errors 
+## Fail2Ban: ban hosts that cause multiple authentication errors
 
 Fail2Ban scans log files like /var/log/pwdfail and bans IP that makes too many
 password failures. It updates firewall rules to reject the IP address. These
@@ -30,8 +30,8 @@
 
 To install, just do:
 
-    tar xvfj fail2ban-0.8.9.tar.bz2
-    cd fail2ban-0.8.9
+    tar xvfj fail2ban-0.8.10.tar.bz2
+    cd fail2ban-0.8.10
     python setup.py install
 
 This will install Fail2Ban into /usr/share/fail2ban. The executable scripts are
@@ -63,9 +63,14 @@
 Contact:
 --------
 
+### You found a severe security vulnerability in Fail2Ban?
+email details to fail2ban-vulnerabilities at lists dot sourceforge dot net .
+
 ### You need some new features, you found bugs?
 visit [Issues](https://github.com/fail2ban/fail2ban/issues)
-and if your issue is not yet known -- file a bug report.
+and if your issue is not yet known -- file a bug report. See
+[Fail2Ban wiki](http://www.fail2ban.org/wiki/index.php/HOWTO_Seek_Help)
+on further instructions.
 
 ### You would like to troubleshoot or discuss?
 join the [mailing 
list](https://lists.sourceforge.net/lists/listinfo/fail2ban-users)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fail2ban-0.8.9/THANKS new/fail2ban-0.8.10/THANKS
--- old/fail2ban-0.8.9/THANKS   2013-05-13 17:24:07.000000000 +0200
+++ new/fail2ban-0.8.10/THANKS  2013-06-12 19:21:12.000000000 +0200
@@ -9,6 +9,7 @@
 Arturo 'Buanzo' Busleiman
 Axel Thimm
 Bill Heaton
+Carlos Alberto Lopez Perez
 Christian Rauch
 Christoph Haas
 Christos Psonis
@@ -39,6 +40,7 @@
 Robert Edeker
 Russell Odom
 Sireyessire
+silviogarbes
 Stephen Gildea
 Steven Hiscocks
 Tom Pike
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fail2ban-0.8.9/common/version.py 
new/fail2ban-0.8.10/common/version.py
--- old/fail2ban-0.8.9/common/version.py        2013-05-13 17:24:07.000000000 
+0200
+++ new/fail2ban-0.8.10/common/version.py       2013-06-12 19:21:12.000000000 
+0200
@@ -24,4 +24,4 @@
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav 
Halchenko"
 __license__ = "GPL"
 
-version = "0.8.9"
+version = "0.8.10"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fail2ban-0.8.9/config/action.d/route.conf 
new/fail2ban-0.8.10/config/action.d/route.conf
--- old/fail2ban-0.8.9/config/action.d/route.conf       2013-05-13 
17:24:07.000000000 +0200
+++ new/fail2ban-0.8.10/config/action.d/route.conf      2013-06-12 
19:21:12.000000000 +0200
@@ -18,6 +18,8 @@
 actionban   = ip route add <blocktype> <ip>
 actionunban = ip route del <blocktype> <ip>
 
+[Init]
+
 # Option:  blocktype
 # Note:    Type can be blackhole, unreachable and prohibit. Unreachable and 
prohibit correspond to the ICMP reject messages.
 # Values:  STRING
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fail2ban-0.8.9/config/action.d/shorewall.conf 
new/fail2ban-0.8.10/config/action.d/shorewall.conf
--- old/fail2ban-0.8.9/config/action.d/shorewall.conf   2013-05-13 
17:24:07.000000000 +0200
+++ new/fail2ban-0.8.10/config/action.d/shorewall.conf  2013-06-12 
19:21:12.000000000 +0200
@@ -48,6 +48,8 @@
 #
 actionunban = shorewall allow <ip>
 
+[Init]
+
 # Option:  blocktype
 # Note:    This is what the action does with rules.
 #          See man page of shorewall for options that include drop, logdrop, 
reject, or logreject
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fail2ban-0.8.9/config/filter.d/apache-auth.conf 
new/fail2ban-0.8.10/config/filter.d/apache-auth.conf
--- old/fail2ban-0.8.9/config/filter.d/apache-auth.conf 2013-05-13 
17:24:07.000000000 +0200
+++ new/fail2ban-0.8.10/config/filter.d/apache-auth.conf        2013-06-12 
19:21:12.000000000 +0200
@@ -4,6 +4,12 @@
 #
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 
 # Option:  failregex
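Review bot: The comment in the added [INCLUDES] block says customizations are read from `common.local`, but the file pulled in is apache-common.conf, which in turn loads `apache-common.local`. Correct the file name in the comment here and in the identical blocks added to apache-nohome, apache-noscript and apache-overflows, otherwise an admin may create a file that is never read.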
@@ -13,9 +19,7 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = [[]client <HOST>[]] user .* authentication failure
-            [[]client <HOST>[]] user .* not found
-            [[]client <HOST>[]] user .* password mismatch
+failregex = ^%(_apache_error_client)s user .* (authentication failure|not 
found|password mismatch)\s*$
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fail2ban-0.8.9/config/filter.d/apache-common.conf 
new/fail2ban-0.8.10/config/filter.d/apache-common.conf
--- old/fail2ban-0.8.9/config/filter.d/apache-common.conf       1970-01-01 
01:00:00.000000000 +0100
+++ new/fail2ban-0.8.10/config/filter.d/apache-common.conf      2013-06-12 
19:21:12.000000000 +0200
@@ -0,0 +1,17 @@
+# Generic configuration items (to be used as interpolations) in other
+# apache filters
+#
+# Author: Yaroslav Halchenko
+#
+#
+
+[INCLUDES]
+
+# Load customizations if any available
+after = apache-common.local
+
+
+[DEFAULT]
+
+# Common prefix for [error] apache messages which also would include <HOST>
+_apache_error_client = \[[^]]+\] \[error\] \[client <HOST>\]
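Review bot: `_apache_error_client` fixes the prefix to exactly one bracketed field followed by the literal `[error]`, so a line logged with any other level, or with an extra bracketed field before `[client ...]`, is ignored by all four filters that include this file. If that is the intent, say so in the comment above the definition and name apache-common.local as the place to override it; if not, relax the level part.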
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fail2ban-0.8.9/config/filter.d/apache-nohome.conf 
new/fail2ban-0.8.10/config/filter.d/apache-nohome.conf
--- old/fail2ban-0.8.9/config/filter.d/apache-nohome.conf       2013-05-13 
17:24:07.000000000 +0200
+++ new/fail2ban-0.8.10/config/filter.d/apache-nohome.conf      2013-06-12 
19:21:12.000000000 +0200
@@ -4,6 +4,12 @@
 #
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 
 # Option:  failregex
@@ -13,7 +19,7 @@
 #          per-domain log files.
 # Values:  TEXT
 #
-failregex = [[]client <HOST>[]] File does not exist: .*/~.*
+failregex = ^%(_apache_error_client)s File does not exist: .*/~.*
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
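Review bot: The new failregex is anchored with `^` but still ends in an open `.*/~.*` with no `$`, which does not follow the "end with a $ and are restrictive as possible" rule this same patch adds to DEVELOP. Either tighten the tail or add a comment that the end anchor is deliberately omitted; the same applies to the apache-overflows failregex. Neither filter gets a sample log in the part of the patch shown here, so the DEVELOP requirement that every regex has a matching test line is not met for them.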
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fail2ban-0.8.9/config/filter.d/apache-noscript.conf 
new/fail2ban-0.8.10/config/filter.d/apache-noscript.conf
--- old/fail2ban-0.8.9/config/filter.d/apache-noscript.conf     2013-05-13 
17:24:07.000000000 +0200
+++ new/fail2ban-0.8.10/config/filter.d/apache-noscript.conf    2013-06-12 
19:21:12.000000000 +0200
@@ -4,6 +4,12 @@
 #
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 
 # Option:  failregex
@@ -13,8 +19,8 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = [[]client <HOST>[]] (File does not exist|script not found or 
unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)
-            [[]client <HOST>[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not 
found or unable to stat *$
+failregex = ^%(_apache_error_client)s (File does not exist|script not found or 
unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$
+            ^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' 
not found or unable to stat\s*$
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
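Review bot: The first failregex line gains `\s*$` directly after the extension group, which it did not have in 0.8.9, so a "File does not exist" or "script not found" line with anything following `.php`/`.asp`/`.exe`/`.pl` (a longer extension, a path suffix, trailing text) no longer counts as a failure. Confirm that is intended and add sample log lines for both the matching and the now-ignored case. The second pattern still allows `\S*` after the extension, so the two lines are inconsistent with each other.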
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fail2ban-0.8.9/config/filter.d/apache-overflows.conf 
new/fail2ban-0.8.10/config/filter.d/apache-overflows.conf
--- old/fail2ban-0.8.9/config/filter.d/apache-overflows.conf    2013-05-13 
17:24:07.000000000 +0200
+++ new/fail2ban-0.8.10/config/filter.d/apache-overflows.conf   2013-06-12 
19:21:12.000000000 +0200
@@ -4,13 +4,19 @@
 #
 #
 
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = apache-common.conf
+
 [Definition]
 
 # Option:  failregex
 # Notes.:  Regexp to catch Apache overflow attempts.
 # Values:  TEXT
 #
-failregex = [[]client <HOST>[]] (Invalid (method|URI) in request|request 
failed: URI too long|erroneous characters after protocol string)
+failregex = ^%(_apache_error_client)s (Invalid (method|URI) in request|request 
failed: URI too long|erroneous characters after protocol string)
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fail2ban-0.8.9/config/filter.d/asterisk.conf 
new/fail2ban-0.8.10/config/filter.d/asterisk.conf
--- old/fail2ban-0.8.9/config/filter.d/asterisk.conf    2013-05-13 
17:24:07.000000000 +0200
+++ new/fail2ban-0.8.10/config/filter.d/asterisk.conf   2013-06-12 
19:21:12.000000000 +0200
@@ -20,19 +20,24 @@
 #          (?:::f{4,6}:)?(?P<host>\S+)
 # Values:  TEXT
 #
-failregex = NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' 
- Wrong password$
-            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' 
- No matching peer found$
-            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' 
- Username/auth name mismatch$
-            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' 
- Device does not match ACL$
-            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' 
- Peer is not supposed to register$
-            NOTICE%(__pid_re)s .*: Registration from '.*' failed for '<HOST>' 
- ACL error (permit/deny)$
-            NOTICE%(__pid_re)s <HOST> failed to authenticate as '.*'$
-            NOTICE%(__pid_re)s .*: No registration for peer '.*' \(from 
<HOST>\)$
-            NOTICE%(__pid_re)s .*: Host <HOST> failed MD5 authentication for 
'.*' (.*)$
-            NOTICE%(__pid_re)s .*: Failed to authenticate user .*@<HOST>.*$
+failregex = NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for 
'<HOST>(:[0-9]+)?' - Wrong password$
+            NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for 
'<HOST>(:[0-9]+)?' - No matching peer found$
+            NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for 
'<HOST>(:[0-9]+)?' - Username/auth name mismatch$
+            NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for 
'<HOST>(:[0-9]+)?' - Device does not match ACL$
+            NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for 
'<HOST>(:[0-9]+)?' - Peer is not supposed to register$
+            NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for 
'<HOST>(:[0-9]+)?' - ACL error \(permit/deny\)$
+            NOTICE%(__pid_re)s [^:]+: Registration from '[^']*' failed for 
'<HOST>(:[0-9]+)?' - Not a local domain$
+            NOTICE%(__pid_re)s\[[^:]+\] [^:]+: Call from '[^']*' 
\(<HOST>:[0-9]+\) to extension '[0-9]+' rejected because extension not found in 
context 'default'.$
+            NOTICE%(__pid_re)s [^:]+: Host <HOST> failed to authenticate as 
'[^']*'$
+            NOTICE%(__pid_re)s [^:]+: No registration for peer '[^']*' \(from 
<HOST>\)$
+            NOTICE%(__pid_re)s [^:]+: Host <HOST> failed MD5 authentication 
for '[^']*' \([^)]+\)$
+            NOTICE%(__pid_re)s [^:]+: Failed to authenticate user 
[^@]+@<HOST>\S*$
+            SECURITY%(__pid_re)s [^:]+: 
SecurityEvent="InvalidAccountID",EventTV="[0-9-]+",Severity="[a-zA-Z]+",Service="[a-zA-Z]+",EventVersion="[0-9]+",AccountID="[0-9]+",SessionID="0x[0-9a-f]+",LocalAddress="IPV[46]/(UD|TC)P/[0-9a-fA-F:.]+/[0-9]+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/[0-9]+"$
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex =
+
+
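Review bot: In the added "Call from ... rejected because extension not found" pattern, the final `.` before `$` is unescaped, so it matches any character; write `\.`. The context is also hard-coded as `'default'`; if only that context is meant, say so in a comment, otherwise use `'[^']*'`. The same pattern writes its prefix as `NOTICE%(__pid_re)s\[[^:]+\] [^:]+:` where every other NOTICE line uses `NOTICE%(__pid_re)s [^:]+:`, which needs either a comment or a sample log line showing the format. None of the patterns has a leading `^`, unlike the apache filters fixed in this release, and the hunk appends two blank lines at the end of the file.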
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fail2ban-0.8.9/config/filter.d/roundcube-auth.conf 
new/fail2ban-0.8.10/config/filter.d/roundcube-auth.conf
--- old/fail2ban-0.8.9/config/filter.d/roundcube-auth.conf      2013-05-13 
17:24:07.000000000 +0200
+++ new/fail2ban-0.8.10/config/filter.d/roundcube-auth.conf     2013-06-12 
19:21:12.000000000 +0200
@@ -1,6 +1,6 @@
 # Fail2Ban configuration file for roundcube web server
 #
-# Author: Teodor Micu & Yaroslav Halchenko
+# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge
 #
 #
 
@@ -13,7 +13,7 @@
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
-failregex = FAILED login for .*. from <HOST>\s*$
+failregex = (FAILED login|Login failed) for .* from <HOST>\s*$
 
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
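Review bot: The widened failregex still starts unanchored and keeps an unrestricted `.*` for the user name between "for" and "from <HOST>", which is the kind of pattern the new DEVELOP "Filters" rules ask to avoid. Add a sample log with one "FAILED login" and one "Login failed" line so fail2ban-regex can confirm both alternatives match, and anchor the start if the log prefix allows it.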
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fail2ban-0.8.9/config/jail.conf 
new/fail2ban-0.8.10/config/jail.conf
--- old/fail2ban-0.8.9/config/jail.conf 2013-05-13 17:24:07.000000000 +0200
+++ new/fail2ban-0.8.10/config/jail.conf        2013-06-12 19:21:12.000000000 
+0200
@@ -239,10 +239,8 @@
 
 enabled  = false
 filter   = sogo-auth
-port     = http, https
 # without proxy this would be:
 # port    = 20000
-
 action   = iptables[name=SOGo, port="http,https"]
 logpath  = /var/log/sogo/sogo.log
 
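Review bot: With `port     = http, https` removed, the retained comment ("without proxy this would be:" / "port    = 20000") now refers to an option this jail no longer has. Reword it to tell the admin to change `port=` inside the `iptables[...]` action line, since that is now the only place the port is set.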
@@ -253,7 +251,7 @@
 [php-url-fopen]
 
 enabled = false
-port    = http,https
+action  = iptables[name=php-url-open, port="http,https"]
 filter  = php-url-fopen
 logpath = /var/www/*/logs/access_log
 maxretry = 1
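Review bot: The added action is named `php-url-open` while the jail and its filter are `php-url-fopen`; the missing "f" looks like a typo. The lighttpd jails changed in this patch use the jail name verbatim for `name=`, so use `name=php-url-fopen` here so the action name matches the jail.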
@@ -268,8 +266,8 @@
 [lighttpd-fastcgi]
 
 enabled = false
-port    = http,https
 filter  = lighttpd-fastcgi
+action  = iptables[name=lighttpd-fastcgi, port="http,https"]
 # adapt the following two items as needed
 logpath = /var/log/lighttpd/error.log
 maxretry = 2
@@ -280,8 +278,8 @@
 [lighttpd-auth]
 
 enabled = false
-port    = http,https
 filter  = lighttpd-auth
+action  = iptables[name=lighttpd-auth, port="http,https"]
 # adapt the following two items as needed
 logpath = /var/log/lighttpd/error.log
 maxretry = 2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fail2ban-0.8.9/files/suse-initd 
new/fail2ban-0.8.10/files/suse-initd
--- old/fail2ban-0.8.9/files/suse-initd 2013-05-13 17:24:07.000000000 +0200
+++ new/fail2ban-0.8.10/files/suse-initd        2013-06-12 19:21:12.000000000 
+0200
@@ -1,103 +1,114 @@
 #!/bin/sh
 #
-# /etc/init.d/fail2ban
-#   and its symbolic link
-# /usr/sbin/rcfail2ban
-#
 ### BEGIN INIT INFO
 # Provides:          fail2ban
-# Required-Start:    $syslog $remote_fs sendmail
-# Required-Stop:     $syslog $remote_fs
-# Should-Stop: $time ypbind sendmail
+# Required-Start:    $remote_fs $local_fs
+# Should-Start:      $syslog $time $network iptables
+# Required-Stop:     $remote_fs $local_fs
+# Should-Stop:       $syslog $time $network iptables
 # Default-Start:     3 5
 # Default-Stop:      0 1 2 6
-# Description:       startup Fail2Ban
+# Pidfile:           /var/run/fail2ban/fail2ban.pid
+# Short-Description: Bans IPs with too many authentication failures
+# Description:       Start fail2ban to scan logfiles and ban IP addresses
+#      which make too many logfiles failures, and/or sent e-mails about
 ### END INIT INFO
-PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/sbin:/usr/bin:/bin
-FAIL2BAN_BIN=/usr/local/bin/fail2ban-client
-FAIL2BAN_SERVER=/usr/local/bin/fail2ban-server
-FAIL2BAN_SOCKET=/var/run/fail2ban/fail2ban.sock
-test -x $FAIL2BAN_BIN || { echo "$FAIL2BAN_BIN not installed";
-        if [ "$1" = "stop" ]; then exit 0;
-        else exit 5; fi; }
-
-# Check for existence of needed config file and read it
-FAIL2BAN_CONFIG=/etc/fail2ban/fail2ban.conf
-test -r $FAIL2BAN_CONFIG || { echo "$FAIL2BAN_CONFIG not existing";
-        if [ "$1" = "stop" ]; then exit 0;
-        else exit 6; fi; }
 
-. /etc/rc.status
+# Check for missing binaries (stale symlinks should not happen)
+FAIL2BAN_CLI=/usr/bin/fail2ban-client
+test -x $FAIL2BAN_CLI || { echo "$FAIL2BAN_CLI not installed";
+       if [ "$1" = "stop" ]; then exit 0;
+       else exit 5; fi; }
+FAIL2BAN_SRV=/usr/bin/fail2ban-server
+test -x $FAIL2BAN_SRV || { echo "$FAIL2BAN_SRV not installed";
+       if [ "$1" = "stop" ]; then exit 0;
+       else exit 5; fi; }
+
+FAIL2BAN_CONFIG="/etc/sysconfig/fail2ban"
+FAIL2BAN_SOCKET_DIR="/var/run/fail2ban"
+FAIL2BAN_SOCKET="$FAIL2BAN_SOCKET_DIR/fail2ban.sock"
+FAIL2BAN_PID="$FAIL2BAN_SOCKET_DIR/fail2ban.pid"
 
-# Reset status of this service
+if [ -e $FAIL2BAN_CONFIG ]; then
+       . $FAIL2BAN_CONFIG
+fi
+
+. /etc/rc.status
 rc_reset
 
 case "$1" in
     start)
-        echo -n "Starting Fail2Ban "
-        # a cleanup workaround, since /etc/init.d/boot.local removes only. 
-        # regular files, and not sockets 
-        if test -e $FAIL2BAN_SOCKET; then
-            if ! lsof -n $FAIL2BAN_SOCKET &>/dev/null; then
-                rm $FAIL2BAN_SOCKET
-            fi
-        fi
-        /sbin/startproc $FAIL2BAN_BIN start &>/dev/null
-        rc_status -v
-        ;;
+       echo -n "Starting fail2ban "
+
+       if [ ! -d $FAIL2BAN_SOCKET_DIR ]; then
+               mkdir -p $FAIL2BAN_SOCKET_DIR
+       fi
+
+       if [ -e $FAIL2BAN_SOCKET ]; then
+               if ! lsof -n $FAIL2BAN_SOCKET &>/dev/null; then
+                       rm $FAIL2BAN_SOCKET
+               fi
+       fi
+       $FAIL2BAN_CLI -x -q $FAIL2BAN_OPTIONS start &>/dev/null 2>&1
+
+       rc_status -v
+       ;;
     stop)
-        echo -n "Shutting down Fail2ban "
-        /sbin/startproc $FAIL2BAN_BIN -q stop
-        rc_status -v
-        ;;
-    try-restart|condrestart)
-        if test "$1" = "condrestart"; then
-                echo "${attn} Use try-restart ${done}(LSB)${attn} rather than 
condrestart ${warn}(RH)${norm}"
+       echo -n "Shutting down fail2ban "
+       ## Stop daemon with built-in functionality 'stop'
+       /sbin/startproc -w $FAIL2BAN_CLI -q stop > /dev/null 2>&1
+
+       if [ -f $FAIL2BAN_SOCKET ]
+         then
+         echo "$FAIL2BAN_SOCKET  not removed .. removing .." 
+         rm $FAIL2BAN_SOCKET
         fi
-        $0 status
-        if test $? = 0; then
-                $0 restart
-        else
-                rc_reset        # Not running is not a failure.
+        if [ -f $FAIL2BAN_PID ]
+         then
+         echo "$FAIL2BAN_PID  not removed .. removing .." 
+         rm $FAIL2BAN_PID
         fi
-        rc_status
-        ;;
+
+
+       rc_status -v
+       ;;
+    try-restart|condrestart)
+       $0 status
+       if test $? = 0; then
+               $0 restart
+       else
+               rc_reset        # Not running is not a failure.
+       fi
+       rc_status
+       ;;
     restart)
-        $0 stop
-        echo -n "-wait a minute "
-        i=60
-        while [ -e $FAIL2BAN_SOCKET ] && [ $i -gt 0 ]; do
-                sleep 1
-                i=$[$i-1]
-                echo -n "."
-        done
-        echo "."
-        $0 start
-
-        # Remember status and be quiet
-        rc_status
-        ;;
-    force-reload)
-        echo -n "Reload service Fail2ban "
-        /sbin/startproc $FAIL2BAN_BIN -q reload
-        rc_status -v
-        ;;
-    reload)
-        echo -n "Reload service Fail2ban "
-        /sbin/startproc $FAIL2BAN_BIN -q reload
-        rc_status -v
-        ;;
+       $0 stop
+       i=60
+       while [ -e $FAIL2BAN_SOCKET ] && [ $i -gt 0 ]; do
+               sleep 1
+               i=$[$i-1]
+               echo -n "."
+       done
+       $0 start
+
+       rc_status
+       ;;
+    reload|force-reload)
+       echo -n "Reload service Fail2ban "
+       /sbin/startproc $FAIL2BAN_CLI -q reload > /dev/null 2>&1
+
+       rc_status -v
+       ;;
     status)
-        echo -n "Checking for service Fail2ban "
-        /sbin/checkproc $FAIL2BAN_SERVER
-        rc_status -v
-        ;;
-    probe)
-        test /etc/fail2ban/fail2ban.conf -nt /var/run/fail2ban.pid && echo 
reload
-        ;;
+       echo -n "Checking for service fail2ban "
+       /sbin/checkproc $FAIL2BAN_SRV
+
+       rc_status -v
+       ;;
     *)
-        echo "Usage: $0 
{start|stop|status|try-restart|restart|force-reload|reload|probe}"
-        exit 1
-        ;;
+       echo "Usage: $0 
{start|stop|status|try-restart|restart|force-reload|reload|probe}"
+       exit 1
+       ;;
 esac
-rc_exit
\ No newline at end of file
+rc_exit
+
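Review bot: In the new `stop)` branch the leftover check is `[ -f $FAIL2BAN_SOCKET ]`, and `-f` is true only for regular files, so a stale socket is never removed there; `start)` correctly uses `-e`. Use `-e` (or `-S`) in `stop)`, quote the variable expansions, and drop `probe` from the Usage string now that the `probe)` case is gone. The script is `#!/bin/sh` but relies on bash-only `&>/dev/null` (in `start)` combined with a redundant `2>&1`) and `$[$i-1]`; use `>/dev/null 2>&1` and `$((i-1))`. The `# Description:` header also ends mid-sentence ("and/or sent e-mails about").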
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fail2ban-0.8.9/man/fail2ban-client.1 
new/fail2ban-0.8.10/man/fail2ban-client.1
--- old/fail2ban-0.8.9/man/fail2ban-client.1    2013-05-13 17:24:07.000000000 
+0200
+++ new/fail2ban-0.8.10/man/fail2ban-client.1   2013-06-12 19:21:12.000000000 
+0200
@@ -1,12 +1,12 @@
-.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.40.10.
-.TH FAIL2BAN-CLIENT "1" "May 2013" "fail2ban-client v0.8.9" "User Commands"
+.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.41.2.
+.TH FAIL2BAN-CLIENT "1" "June 2013" "fail2ban-client v0.8.10" "User Commands"
 .SH NAME
 fail2ban-client \- configure and control the server
 .SH SYNOPSIS
 .B fail2ban-client
 [\fIOPTIONS\fR] \fI<COMMAND>\fR
 .SH DESCRIPTION
-Fail2Ban v0.8.9 reads log file that contains password failure report
+Fail2Ban v0.8.10 reads log file that contains password failure report
 and bans the corresponding IP addresses using firewall rules.
 .SH OPTIONS
 .TP
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fail2ban-0.8.9/man/fail2ban-regex.1 
new/fail2ban-0.8.10/man/fail2ban-regex.1
--- old/fail2ban-0.8.9/man/fail2ban-regex.1     2013-05-13 17:24:07.000000000 
+0200
+++ new/fail2ban-0.8.10/man/fail2ban-regex.1    2013-06-12 19:21:12.000000000 
+0200
@@ -1,12 +1,12 @@
-.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.40.10.
-.TH FAIL2BAN-REGEX "1" "May 2013" "fail2ban-regex v0.8.9" "User Commands"
+.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.41.2.
+.TH FAIL2BAN-REGEX "1" "June 2013" "fail2ban-regex v0.8.10" "User Commands"
 .SH NAME
 fail2ban-regex \- test Fail2ban "failregex" option
 .SH SYNOPSIS
 .B fail2ban-regex
 [\fIOPTIONS\fR] \fI<LOG> <REGEX> \fR[\fIIGNOREREGEX\fR]
 .SH DESCRIPTION
-Fail2Ban v0.8.9 reads log file that contains password failure report
+Fail2Ban v0.8.10 reads log file that contains password failure report
 and bans the corresponding IP addresses using firewall rules.
 .PP
 This tools can test regular expressions for "fail2ban".
@@ -26,7 +26,7 @@
 a string representing a log line
 .TP
 \fBfilename\fR
-path to a log file (/var/log/auth.log)
+path to a log file (\fI/var/log/auth.log\fP)
 .SH REGEX
 .TP
 \fBstring\fR
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fail2ban-0.8.9/man/fail2ban-server.1 
new/fail2ban-0.8.10/man/fail2ban-server.1
--- old/fail2ban-0.8.9/man/fail2ban-server.1    2013-05-13 17:24:07.000000000 
+0200
+++ new/fail2ban-0.8.10/man/fail2ban-server.1   2013-06-12 19:21:12.000000000 
+0200
@@ -1,12 +1,12 @@
-.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.40.10.
-.TH FAIL2BAN-SERVER "1" "May 2013" "fail2ban-server v0.8.9" "User Commands"
+.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.41.2.
+.TH FAIL2BAN-SERVER "1" "June 2013" "fail2ban-server v0.8.10" "User Commands"
 .SH NAME
 fail2ban-server \- start the server
 .SH SYNOPSIS
 .B fail2ban-server
 [\fIOPTIONS\fR]
 .SH DESCRIPTION
-Fail2Ban v0.8.9 reads log file that contains password failure report
+Fail2Ban v0.8.10 reads log file that contains password failure report
 and bans the corresponding IP addresses using firewall rules.
 .PP
 Only use this command for debugging purpose. Start the server with
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fail2ban-0.8.9/testcases/clientreadertestcase.py 
new/fail2ban-0.8.10/testcases/clientreadertestcase.py
--- old/fail2ban-0.8.9/testcases/clientreadertestcase.py        2013-05-13 
17:24:07.000000000 +0200
+++ new/fail2ban-0.8.10/testcases/clientreadertestcase.py       2013-06-12 
19:21:12.000000000 +0200
@@ -144,10 +144,38 @@
                        # and warn on useDNS
                        self.assertTrue(['set', j, 'usedns', 'warn'] in 
comm_commands)
                        self.assertTrue(['start', j] in comm_commands)
+
                # last commands should be the 'start' commands
                self.assertEqual(comm_commands[-1][0], 'start')
-               # TODO: make sure that all of the jails have actions assigned,
-               #       otherwise it makes little to no sense
+
+               for j in  jails._JailsReader__jails:
+                       actions = j._JailReader__actions
+                       jail_name = j.getName()
+                       # make sure that all of the jails have actions assigned,
+                       # otherwise it makes little to no sense
+                       self.assertTrue(len(actions),
+                                                       msg="No actions found 
for jail %s" % jail_name)
+
+                       # Test for presence of blocktype (in relation to gh-232)
+                       for action in actions:
+                               commands = action.convert()
+                               file_ = action.getFile()
+                               if '<blocktype>' in str(commands):
+                                       # Verify that it is among cInfo
+                                       self.assertTrue('blocktype' in 
action._ActionReader__cInfo)
+                                       # Verify that we have a call to set it 
up
+                                       blocktype_present = False
+                                       target_command = [ 'set', jail_name, 
'setcinfo', file_, 'blocktype' ]
+                                       for command in commands:
+                                               if (len(command) > 5 and
+                                                       command[:5] == 
target_command):
+                                                       blocktype_present = True
+                                                       continue
+                                       self.assertTrue(
+                                               blocktype_present,
+                                               msg="Found no %s command among 
%s"
+                                                   % (target_command, 
str(commands)) )
+
 
        def testConfigurator(self):
                configurator = Configurator()
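Review bot: in the added "for command in commands:" loop, the "continue" after "blocktype_present = True" is the last statement of the loop body and has no effect. "break" looks like what was meant, so that the scan stops at the first matching setcinfo command. The "len(command) > 5" guard also means a setcinfo command that names blocktype but carries no value element would not count as present, which deserves a comment if that is deliberate. The test reads the name-mangled attributes jails._JailsReader__jails, j._JailReader__actions and action._ActionReader__cInfo directly, so renaming any of those private fields breaks it; accessors on the readers would be sturdier.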
@@ -165,7 +193,7 @@
                commands = configurator.getConfigStream()
                # and there is logging information left to be passed into the
                # server
-               self.assertEqual(commands,
+               self.assertEqual(sorted(commands),
                                                 [['set', 'loglevel', 3],
                                                  ['set', 'logtarget', 
'/var/log/fail2ban.log']])
 
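Review bot: the changed assertEqual sorts only the actual value, so the test now depends on the hand-written expected list already being in sorted order. It is today (loglevel sorts before logtarget), but the next entry added to that literal can break the test for an unrelated reason. Wrap the expected list in sorted() as well, and add a short comment saying why the order of getConfigStream() output is not guaranteed.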
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fail2ban-0.8.9/testcases/files/logs/apache-auth 
new/fail2ban-0.8.10/testcases/files/logs/apache-auth
--- old/fail2ban-0.8.9/testcases/files/logs/apache-auth 1970-01-01 
01:00:00.000000000 +0100
+++ new/fail2ban-0.8.10/testcases/files/logs/apache-auth        2013-06-12 
19:21:12.000000000 +0200
@@ -0,0 +1,5 @@
+# Should not match -- DoS vector 
https://vndh.net/note:fail2ban-089-denial-service
+[Sat Jun 01 02:17:42 2013] [error] [client 192.168.33.1] File does not exist: 
/srv/http/site/[client 192.168.0.1] user root not found
+
+# should match
+[Sat Jun 01 02:17:42 2013] [error] [client 192.168.0.2] user root not found
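Review bot: the expectations in this new sample file ("Should not match", "should match") exist only as free-form comments, and nothing in this hunk turns them into assertions. The first line is the case that matters: the requested path, which the remote client controls, contains the text "[client 192.168.0.1] user root not found", and an unanchored failregex would attribute the failure to 192.168.0.1 rather than to the real client. Please add a test that feeds both lines to the apache-auth filter and asserts that the first yields no failure and the second yields exactly 192.168.0.2, so that a later loss of the anchoring is caught.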
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fail2ban-0.8.9/testcases/files/logs/apache-noscript 
new/fail2ban-0.8.10/testcases/files/logs/apache-noscript
--- old/fail2ban-0.8.9/testcases/files/logs/apache-noscript     1970-01-01 
01:00:00.000000000 +0100
+++ new/fail2ban-0.8.10/testcases/files/logs/apache-noscript    2013-06-12 
19:21:12.000000000 +0200
@@ -0,0 +1 @@
+[Sun Jun 09 07:57:47 2013] [error] [client 192.0.43.10] script 
'/usr/lib/cgi-bin/gitweb.cgiwp-login.php' not found or unable to stat
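Review bot: the single sample line added here carries no comment saying whether it is expected to match, unlike the apache-auth sample file in the same change. Please state the expected result and the host to be extracted (192.0.43.10), and add a negative sample of the same shape as the apache-auth one, where a "[client ...] script ... not found" string is embedded in the requested path, since apache-noscript is among the filters whose failregex was anchored.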
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fail2ban-0.8.9/testcases/files/logs/asterisk 
new/fail2ban-0.8.10/testcases/files/logs/asterisk
--- old/fail2ban-0.8.9/testcases/files/logs/asterisk    2013-05-13 
17:24:07.000000000 +0200
+++ new/fail2ban-0.8.10/testcases/files/logs/asterisk   2013-06-12 
19:21:12.000000000 +0200
@@ -1,11 +1,15 @@
 # Sample log files for asterisk 
-[2012-02-13 17:21:54] NOTICE[1638] chan_sip.c: Registration from 
'<sip:[email protected]>' failed for '1.2.3.4' - Wrong password
-[2012-02-13 17:18:22] NOTICE[1638] chan_sip.c: Registration from 
'<sip:[email protected]>' failed for '1.2.3.4' - No matching peer found
-[2012-02-13 17:21:21] NOTICE[1638] chan_sip.c: Registration from 
'<sip:[email protected]>' failed for '1.2.3.4' - Username/auth name 
mismatch
-[2012-02-13 17:32:01] NOTICE[1638] chan_sip.c: Registration from 
'<sip:[email protected]>' failed for '1.2.3.4' - Device does not match 
ACL
-[2012-02-13 17:34:10] NOTICE[1638] chan_sip.c: Registration from 
'<sip:[email protected]>' failed for '1.2.3.4' - Peer is not supposed to 
register
-[2012-02-13 17:36:23] NOTICE[1638] chan_sip.c: Registration from 
'<sip:[email protected]>' failed for '1.2.3.4' - ACL error (permit/deny)
+[2012-02-13 17:21:54] NOTICE[1638] chan_sip.c: Registration from 
'<sip:[email protected]>' failed for '1.2.3.4' - Wrong password
+[2012-02-13 17:18:22] NOTICE[1638] chan_sip.c: Registration from 
'<sip:[email protected]>' failed for '1.2.3.4' - No matching peer found
+[2012-02-13 17:21:21] NOTICE[1638] chan_sip.c: Registration from 
'<sip:[email protected]>' failed for '1.2.3.4' - Username/auth name mismatch
+[2012-02-13 17:32:01] NOTICE[1638] chan_sip.c: Registration from 
'<sip:[email protected]>' failed for '1.2.3.4' - Device does not match ACL
+[2012-02-13 17:34:10] NOTICE[1638] chan_sip.c: Registration from 
'<sip:[email protected]>' failed for '1.2.3.4' - Peer is not supposed to register
+[2012-02-13 17:36:23] NOTICE[1638] chan_sip.c: Registration from 
'<sip:[email protected]>' failed for '1.2.3.4' - ACL error (permit/deny)
 [2012-02-13 17:53:59] NOTICE[1638] chan_iax2.c: Host 1.2.3.4 failed to 
authenticate as 'Fail2ban'
 [2012-02-13 17:39:20] NOTICE[1638] chan_iax2.c: No registration for peer 
'Fail2ban' (from 1.2.3.4)
 [2012-02-13 17:44:26] NOTICE[1638] chan_iax2.c: Host 1.2.3.4 failed MD5 
authentication for 'Fail2ban' (e7df7cd2ca07f4f1ab415d457a6e1c13 != 
53ac4bc41ee4ec77888ed4aa50677247)
 [2012-02-13 17:37:07] NOTICE[1638] chan_sip.c: Failed to authenticate user 
"Fail2ban" <sip:[email protected]>;tag=1r698745234
+[2013-02-05 23:44:42] NOTICE[436][C-00000fa9] chan_sip.c: Call from '' 
(1.2.3.4:10836) to extension '0972598285108' rejected because extension not 
found in context 'default'.
+[2013-03-26 15:47:54] NOTICE[1237] chan_sip.c: Registration from 
'"100"sip:[email protected]' failed for '1.2.3.4:23930' - No matching peer found
+[2013-05-13 07:10:53] SECURITY[1204] res_security_log.c: 
SecurityEvent="InvalidAccountID",EventTV="1368439853-500975",Severity="Error",Service="SIP",EventVersion="1",AccountID="00972599580679",SessionID="0x7f8ecc0421f8",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/1.2.3.4/5070"
+[2013-06-10 18:15:03] NOTICE[2723] chan_sip.c: Registration from 
'"100"<sip:[email protected]:5060>' failed for '1.2.3.4' - Not a local domain
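Review bot: in the added SECURITY sample, LocalAddress and RemoteAddress both use 1.2.3.4 and differ only in port, so a failregex that captures the local address instead of the remote one would still pass against this line. Use a different address for LocalAddress so the sample can tell the two apart. The new samples with a port attached to the address ('1.2.3.4:23930' and (1.2.3.4:10836)) would also benefit from a comment saying that the host must be extracted without the port. As shown, the first six lines are removed and re-added with no visible change in content; if the difference is whitespace only, say so in the commit message.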
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fail2ban-0.8.9/testcases/files/logs/roundcube-auth 
new/fail2ban-0.8.10/testcases/files/logs/roundcube-auth
--- old/fail2ban-0.8.9/testcases/files/logs/roundcube-auth      2013-05-13 
17:24:07.000000000 +0200
+++ new/fail2ban-0.8.10/testcases/files/logs/roundcube-auth     2013-06-12 
19:21:12.000000000 +0200
@@ -1 +1,2 @@
 [22-Jan-2013 22:28:21 +0200]: FAILED login for user1 from 192.0.43.10
+May 26 07:12:40 hamster roundcube: IMAP Error: Login failed for 
[email protected] from 10.1.1.47
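Review bot: the added sample line uses a different log format from the existing one (syslog prefix, "IMAP Error: Login failed for ... from ..."), but the file does not say which roundcube version produces which format. Add a comment above each line naming the version it was taken from and the host expected to be extracted (10.1.1.47 for the new line), so the older format keeps its coverage when the filter is next changed.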

-- 
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
