Package: fail2ban
Version: 0.7.5-2
Severity: normal
Tags: patch

I think the subject is fairly clear.  The problem is that syslog will
omit logging a repeated line if it repeats too quickly, so you can end
up missing a real attack if it happens quickly enough.

Very rough patch attached.  It seems to do what it should, but my
python is fairly awful, so I would give it a careful review before
considering merging it.

Thanks,

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-686
Locale: LANG=en_US.utf-8, LC_CTYPE=en_US.utf-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.utf-8)

Versions of packages fail2ban depends on:
ii  iptables                1.3.6.0debian1-5 administration tools for packet fi
ii  lsb-base                3.1-23.2etch1    Linux Standard Base 3.1 init scrip
ii  python                  2.4.4-2          An interactive high-level object-o
ii  python-central          0.5.12           register and build utility for Pyt
ii  python2.4               2.4.4-3          An interactive high-level object-o

fail2ban recommends no packages.

-- no debconf information

-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        [EMAIL PROTECTED] |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
--- server/filter.py	2007-08-29 01:47:31.000000000 +0100
+++ server/filter-new.py	2007-08-29 11:25:40.000000000 +0100
@@ -75,6 +75,9 @@
 		self.__lastPos = dict()
 		## The last date in tht log file.
 		self.__lastDate = dict()
+		## The last match in a logfile.  Useful for syslog's 
+		## last line repeated n times message
+		self.__lastMatch = dict()
 		
 		self.dateDetector = DateDetector()
 		self.dateDetector.addDefaultTemplate()
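Review bot: the comment on the new attribute is imprecise and the first added comment line carries trailing whitespace after "syslog's"; what the later hunks actually store in self.__lastMatch is the last line of each file that produced a failure ticket (keyed by filename, like __lastPos and __lastDate), so say that here, e.g. "The last line that produced a failure, per log file, so syslog's 'last message repeated n times' line can be expanded."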
@@ -384,6 +387,7 @@
 			return False
 		self.__setFilePos()
 		lastLine = None
+		match =	None
 		for line in self.__crtHandler:
 			if not self._isActive():
 				# The jail has been stopped
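Review bot: `match =	None` has a tab between the name and `=`; the neighbouring line `lastLine = None` uses a single space, so match that style.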
@@ -396,6 +400,22 @@
 			if not self.dateDetector.matchTime(line):
 				# There is no valid time in this line
 				continue
+			count = self.getrepeatLine(line)
+			if count is not None:
+				if self.__lastMatch.get(filename) is not None:
+					for element in self.findFailure(self.__lastMatch[filename]):
+						ip = element[0]
+						unixTime = element[1]
+						if unixTime < MyTime.time()-self.__findTime:
+							break
+						if self.inIgnoreIPList(ip):
+							logSys.debug("Ignore "+ip)
+							continue
+						logSys.debug("Found "+ip)
+						for i in range(count):
+							self.failManager.addFailure(FailTicket(ip, unixTime))
+					self.__lastMatch[filename] = None
+				continue
 			lastLine = line
 			for element in self.findFailure(line):
 				ip = element[0]
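Review bot: `for i in range(count)` will raise TypeError, because getrepeatLine returns the raw token as a string; convert it with int() (and reject a non-numeric token) before using it as a count. Second, the replay fires whenever self.__lastMatch[filename] is set, but syslog's "last message repeated" refers only to the immediately preceding message: if a non-matching line, or a line the date detector rejects, sits between the stored failure and the repeat marker, this code replays the old failure against the wrong message. Clear the stored match whenever a processed line does not produce a failure, so only a marker directly after a failure is expanded. Third, the replayed tickets reuse unixTime from the stored line rather than the time of the marker line itself; use self.dateDetector.getUnixTime(line) for both the findTime comparison and the FailTicket, otherwise repeats of an older original are either dropped by the `break` or backdated.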
@@ -407,7 +427,9 @@
 					continue
 				logSys.debug("Found "+ip)
 				self.failManager.addFailure(FailTicket(ip, unixTime))
+				match =	lastLine
 		self.__lastPos[filename] = self.__getFilePos()
+		self.__lastMatch[filename] = match
 		if lastLine:
 			self.__lastDate[filename] = self.dateDetector.getUnixTime(lastLine)
 		self.__closeLogFile()
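Review bot: `match =	lastLine` is only assigned when a ticket is added and is never reset, so self.__lastMatch[filename] at the end of a pass can point at a failure that was followed by many unrelated lines; a repeat marker at the start of the next pass would then replay it wrongly. Reset match to None on the per-line path that reaches findFailure without adding a ticket, and drop the tab around `=` (`match = lastLine`).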
@@ -427,6 +449,13 @@
 				return True
 		return False
 
+	def getrepeatLine(self, line):
+		a = [ 'last', 'message', 'repeated' ]
+		b = [ bit for bit in line.split(" ") if len(bit) > 0 ]
+		if len(b) >= 7 and b[4:7] == a:
+			return b[7]
+		return None
+
 	##
 	# Finds the failure in a line.
 	#
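Review bot: `if len(b) >= 7 and b[4:7] == a: return b[7]` raises IndexError when the line has exactly seven tokens, since b[7] is the eighth; the guard needs len(b) >= 8, and the return value should be int(b[7]) (catching ValueError) rather than the string. The fixed offsets also assume the exact layout "Mon DD HH:MM:SS host last message repeated N times"; a regular expression such as `last message repeated (\d+) times` searched anywhere in the line is more robust and is how the rest of this class matches text. Name the method getRepeatLine to follow the camelCase used by findFailure and inIgnoreIPList.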

Attachment: signature.asc
Description: Digital signature
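The following is an added, stand-alone illustration of the problem described in the report and of the way a repeat marker can be expanded safely; it is not the reporter's patch and not fail2ban's own code. The failure regex, the log lines and the helper names are constructed for the example. It parses the repeat count as an integer, attributes the repeats to the immediately preceding line only (an unrelated line in between clears the candidate), and stamps the replayed failures with the marker's own time.

```python
import re
from datetime import datetime

# Constructed sample syslog excerpt (not taken from the report). Four failed
# logins from 192.0.2.10, three of which syslog folded into a "repeated" line,
# then an unrelated cron line followed by a repeat marker that must NOT be
# attributed to the earlier failure.
SAMPLE_LOG = """\
Aug 29 11:20:01 host sshd[123]: Failed password for root from 192.0.2.10 port 40001 ssh2
Aug 29 11:20:02 host last message repeated 3 times
Aug 29 11:20:05 host sshd[124]: Failed password for admin from 198.51.100.7 port 40002 ssh2
Aug 29 11:20:06 host cron[200]: (root) CMD (run-parts /etc/cron.hourly)
Aug 29 11:20:07 host last message repeated 2 times
Aug  1 11:20:08 host sshd[125]: Failed password for root from 192.0.2.10 port 40003 ssh2
"""

# Hypothetical failregex standing in for a jail's filter (not fail2ban's own).
FAIL_RE = re.compile(r"Failed password for \S+ from (?P<host>\d+\.\d+\.\d+\.\d+)")
# syslog's suppression marker; the count is captured and converted to int.
REPEAT_RE = re.compile(r"last message repeated (?P<count>\d+) times?$")
# Classic syslog timestamp; single-digit days are padded with a second space.
TIME_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) ")


def parse_time(line, year=2007):
    """Return the syslog timestamp as a datetime, or None if the line has none.

    Syslog lines carry no year; the caller supplies one (assumed here).
    """
    m = TIME_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m.group("ts").split())  # collapse the double space
    return datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y")


def repeat_count(line):
    """Return the integer N from 'last message repeated N times', else None."""
    m = REPEAT_RE.search(line)
    return int(m.group("count")) if m else None


def count_failures(lines):
    """Return {ip: [timestamps]} with syslog repeat suppression expanded.

    prev_failure holds the IP from the immediately preceding line only if that
    line was itself a failure; any other line clears it, so a repeat marker
    that follows an unrelated message is ignored rather than replayed.
    """
    failures = {}
    prev_failure = None
    for line in lines:
        ts = parse_time(line)
        if ts is None:
            continue  # no usable time, like fail2ban's matchTime check
        count = repeat_count(line)
        if count is not None:
            if prev_failure is not None:
                # The marker's own timestamp is used for the replayed failures,
                # and the marker does not change prev_failure: a further
                # marker for the same message may follow it.
                failures.setdefault(prev_failure, []).extend([ts] * count)
            continue
        m = FAIL_RE.search(line)
        if m:
            ip = m.group("host")
            failures.setdefault(ip, []).append(ts)
            prev_failure = ip
        else:
            prev_failure = None  # an unrelated line breaks the chain
    return failures


if __name__ == "__main__":
    for ip, stamps in count_failures(SAMPLE_LOG.splitlines()).items():
        print(ip, len(stamps), [s.strftime("%H:%M:%S") for s in stamps])
```

Running it over the constructed excerpt credits 192.0.2.10 with five failures (one logged, three replayed at the marker's time, one more later) and 198.51.100.7 with one; the marker after the cron line adds nothing. The same chain-clearing rule is what the posted patch lacks: it keys the replay on the last line that produced a ticket rather than on the immediately preceding line.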
