debian/0000755000000000000000000000000012242241771007170 5ustar debian/source/0000755000000000000000000000000012242241771010470 5ustar debian/source/format0000644000000000000000000000001412242241771011676 0ustar 3.0 (quilt) debian/watch0000644000000000000000000000044612242241771010225 0ustar # watch control file for uscan # Run the "uscan" command to check for upstream updates and more. # Site Directory Pattern Version Script version=3 opts="filenamemangle=s/.*\/(.*).tar.gz/fail2ban_$1\.orig.tar.gz/" \ http://githubredir.debian.net/github/fail2ban/fail2ban /([\.0-9]*).tar.gz debian/patches/0000755000000000000000000000000012242241771010617 5ustar debian/patches/series0000644000000000000000000000011712242241771012033 0ustar changeset_d4f6ca4f8531f332bcb7ce3a89102f60afaaa08e.diff deb_manpages_reportbug debian/patches/deb_manpages_reportbug0000644000000000000000000000212512242241771015240 0ustar From: Yaroslav Halchenko Date: Fri, 8 Feb 2008 00:40:57 -0500 Subject: tune ups in upstream manpages to direct users to use reportbug --- a/man/fail2ban-client.1 +++ b/man/fail2ban-client.1 @@ -265,7 +265,7 @@ action for Written by Cyril Jaquier . Many contributions by Yaroslav O. Halchenko . .SH "REPORTING BUGS" -Report bugs to https://github.com/fail2ban/fail2ban/issues +Report bugs via Debian bug tracking system \fIhttp://www.debian.org/Bugs/\fR . .SH COPYRIGHT Copyright \(co 2004\-2008 Cyril Jaquier, 2008\- Fail2Ban Contributors .br --- a/man/fail2ban-server.1 +++ b/man/fail2ban-server.1 @@ -38,7 +38,7 @@ print the version Written by Cyril Jaquier . Many contributions by Yaroslav O. Halchenko . .SH "REPORTING BUGS" -Report bugs to https://github.com/fail2ban/fail2ban/issues +Report bugs via Debian bug tracking system \fIhttp://www.debian.org/Bugs/\fR . .SH COPYRIGHT Copyright \(co 2004\-2008 Cyril Jaquier, 2008\- Fail2Ban Contributors .br debian/patches/changeset_d4f6ca4f8531f332bcb7ce3a89102f60afaaa08e.diff0000644000000000000000000000425612242241771021422 0ustar 
From: Yaroslav Halchenko Subject: ENH: adding custom date format for proftpd when logging in its own log file (default on Debian) -- includes milliseconds Should resolve Debian #648276 --- a/server/datedetector.py +++ b/server/datedetector.py @@ -101,6 +101,13 @@ class DateDetector: template.setRegex("\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}") template.setPattern("%m/%d/%Y:%H:%M:%S") self._appendTemplate(template) + # proftpd 2013-11-16 21:43:03,296 + # So like Exim below but with ,subsecond + template = DateStrptime() + template.setName("Year-Month-Day Hour:Minute:Second[,subsecond]") + template.setRegex("\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d+") + template.setPattern("%Y-%m-%d %H:%M:%S,%f") + self._appendTemplate(template) # Exim 2006-12-21 06:43:20 template = DateStrptime() template.setName("Year-Month-Day Hour:Minute:Second") --- a/testcases/datedetectortestcase.py +++ b/testcases/datedetectortestcase.py @@ -74,6 +74,7 @@ class DateDetectorTest(unittest.TestCase (False, "23/Jan/2005:21:59:59"), (False, "01/23/2005:21:59:59"), (False, "2005-01-23 21:59:59"), + (False, "2005-01-23 21:59:59,099"), # proftpd (False, "23-Jan-2005 21:59:59"), (False, "23-01-2005 21:59:59"), (False, "01-23-2005 21:59:59.252"), # reported on f2b, causes Feb29 fix to break --- a/testcases/files/logs/proftpd +++ b/testcases/files/logs/proftpd 
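Review bot: In the new proftpd template in DateDetector, the regex ends in `,\d+` while the strptime pattern ends in `,%f`, and `%f` accepts at most six digits, so a longer digit run after the comma matches the template but cannot be parsed by the pattern. The regex as written carries no anchor and log lines can contain client-supplied text, so I would bound it to what the pattern accepts and use a raw string: `template.setRegex(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{1,6}")`. How DateStrptime reacts to a failed parse is not visible in this hunk, so please confirm that such a mismatch is handled rather than raised. `%f` in strptime also needs Python 2.6 or later, which is worth stating in the comment above the template, and the added test row `"2005-01-23 21:59:59,099"` covers only the three-digit case. The enclosing method starts and ends outside the hunk.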
@@ -14,3 +14,5 @@ Jun 14 00:09:59 platypus.ace-hosting.com May 31 10:53:25 mail proftpd[15302]: xxxxxxxxxx (::ffff:1.2.3.4[::ffff:1.2.3.4]) - Maximum login attempts (3) exceeded # failJSON: { "time": "2004-12-05T15:44:32", "match": true , "host": "1.2.3.4" } Dec 5 15:44:32 serv1 proftpd[70944]: serv1.domain.com (example.com[1.2.3.4]) - USER jtittle@domain.org: no such user found from example.com [1.2.3.4] to 1.2.3.4:21 +# failJSON: { "time": "2013-11-16T21:59:30", "match": true , "host": "1.2.3.4", "desc": "proftpd-basic 1.3.5~rc3-2.1 on Debian uses date format with milliseconds if logging under /var/log/proftpd/proftpd.log" } +2013-11-16 21:59:30,121 novo proftpd[25891] localhost (andy[1.2.3.4]): USER kjsad: no such user found from andy [1.2.3.5] to ::ffff:192.168.1.14:21 debian/patches/lucid-dsc-patch0000644000000000000000000000323212242241771013506 0ustar From: Yaroslav Halchenko Date: Thu, 6 Dec 2012 12:50:12 -0500 Subject: [PATCH] Patch for elderly Debian/Ubuntu (e.g. 10.04) releases without dh_python2 Use again pycentral etc crafted post 0.8.8-1 release when a user complained about inability to upgrade --- debian/control | 2 ++ debian/rules | 12 +++++------- 2 files changed, 7 insertions(+), 7 deletions(-) --- a/debian/control +++ b/debian/control @@ -3,6 +3,8 @@ Section: net Priority: optional Maintainer: Yaroslav Halchenko Build-Depends: debhelper (>= 5.0.37.2), python (>= 2.5.4-1~), python-pyinotify +Build-Depends-Indep: python-central (>= 0.5.6) +XS-Python-Version: current, >= 2.4 Homepage: http://www.fail2ban.org Vcs-Git: git://github.com/fail2ban/fail2ban.git Vcs-Browser: http://github.com/fail2ban/fail2ban --- a/debian/rules +++ b/debian/rules 
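Review bot: The added proftpd sample line carries two different addresses, `andy[1.2.3.4]` in the session prefix and `from andy [1.2.3.5]` in the message, while the failJSON expects `"host": "1.2.3.4"`. If that is deliberate, to pin which field the filter extracts and therefore which address would be banned, say so in the `desc`. If it is a typo, make both `1.2.3.4` so the fixture reads like the other samples in this file. The expected `time` omits the `,121` part, which is fine only if the detector's resolution is one second; that is not visible from this hunk.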
@@ -72,14 +72,12 @@ binary-indep: install dh_installdocs dh_installexamples config/jail.conf files/ipmasq-* dh_installlogrotate - dh_python2 /usr/share/fail2ban + dh_pycentral dh_installinit -- defaults 99 - - # perform swap of order of calls to init and pycentral (or even - # bleedingly new dh_python2) in prerm to close #422655 -- - # python-cleanup section is cut and placed at the end of the file - # since .init script would trigger their compilation again - sed -i -e '/^#.*ed by dh_python2/,/# End auto/{H;d};$$G' \ + # perform swap of order of calls to init and pycentral in prerm + # to close #422655 -- pycentral section is cut and placed at + # the end of the file + sed -i -e '/^#.*ed by dh_pycentral/,/# End auto/{H;d};$$G' \ debian/fail2ban.prerm.debhelper dh_installman man/*.[15] debian/changelog0000644000000000000000000013203012242241771011041 0ustar fail2ban (0.8.11-1) unstable; urgency=low * Fresh upstream release - this release tightens all shipped filters to preclude possible injections leading to targetted DoS attacks. 
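Review bot: The `sed` call in binary-indep exits successfully whether or not its address `/^#.*ed by dh_pycentral/` matches anything, so if the helper's marker comment is worded differently the prerm reordering for #422655 is silently skipped and the build still passes. I would add a guard line before it, `grep -q 'ed by dh_pycentral' debian/fail2ban.prerm.debhelper`, so that a missing section fails the build instead of shipping a prerm in the wrong order. The replacement also drops the `/usr/share/fail2ban` argument that the `dh_python2` call had; if `dh_pycentral` is expected to find the private modules there on its own, a one-line comment saying so would help. The binary-indep target starts and ends outside the hunk.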
- omitted entry for ~pre release changelog: - asterisk filter was fixed (Closes: #719662), - nginx filter/jail added (Closes: #668064) - better detection of log rotation in polling backend (Closes: #696087) - includes server name (uname -n) into subject of sendmail actions (Closes: #709196) * debian/jail.conf - dropbear jail: use dropbear filter (instead of ssh) and monitor auth.log instead of non-existing /var/log/dropbear (Closes: #620760) * debian/NEWS - information for change of default iptables action to REJECT now (Closes: #711463) * debian/patches - changeset_d4f6ca4f8531f332bcb7ce3a89102f60afaaa08e.diff post-release change to support native proftpd date format which includes milliseconds (Closes: #648276) - changeset_ac061155f093464fb6cd2329d3d513b15c68e256.diff absorbed upstream -- Yaroslav Halchenko Sun, 17 Nov 2013 17:29:06 -0500 fail2ban (0.8.11~pre1+git29-gccd2657-1) unstable; urgency=low * Snapshot of the upcoming new release candidate - improves dovecot (Closes: #709324), wuftpd (Closes: #665925) failregex'es - provides support for OpenSSH 6.3 (Closes: #722970) * debian/watch - restrict version matching only to numbers and period (to exclude alpha releases of 0.9 series) * debian/jail.conf - slightly adjusted for changes in master (suhosin replaced lighttpd-auth filter name, and postfix-sasl for sasl) - added nginx-http-auth. More jails to be adopted from upstream. -- Yaroslav Halchenko Sun, 10 Nov 2013 12:16:51 -0800 fail2ban (0.8.10-3) unstable; urgency=low * debian/jail.conf - added "submission" (port 587) to all SMTP-related jails (Closes: #714632). Thanks Tony den Haan for the report -- Yaroslav Halchenko Mon, 01 Jul 2013 14:36:24 -0400 fail2ban (0.8.10-2) unstable; urgency=low * debian/fail2ban.init: - fixed handling of the return code from do_start/do_stop - status calls would dump all output to /dev/null * debian/jail.conf: - pure-ftpd jail should monitor syslog not auth.log. 
Thanks Laurent Léonard for the report -- Yaroslav Halchenko Fri, 21 Jun 2013 10:47:56 -0400 fail2ban (0.8.10-1) unstable; urgency=high * New upstream release - addresses possible DoS for anyone enabling many of apache- filters -- Yaroslav Halchenko Wed, 12 Jun 2013 13:31:29 -0400 fail2ban (0.8.9-1) unstable; urgency=low * New upstream release - significant improvements in documentation (Closes: #400416) - roundcube auth filter (Closes: #699442) - enforces C locale for dates (Closes: #686341) - provides bash_completion.d/fail2ban * debian/jail.conf: - added findtime and documentation on those basic options from jail.conf (Closes: #704568) - added new sample jails definitions for ssh-route, ssh-iptables-ipset{4,6}, roundcube-auth, sogo-auth, mysqld-auth * debian/control: - suggest system-log-daemon (Closes: #691001) - boost policy compliance to 3.9.4 * debian/rules: - run fail2ban's unittests at build time but ignore the failures (there are still some known issues to fix up to guarantee robust testing in clean chroots etc). Only pyinotify was added to build-depends since gamin might still be buggy on older releases and get stuck, which would complicate backporting -- Yaroslav Halchenko Mon, 13 May 2013 11:58:56 -0400 fail2ban (0.8.8-1+lucid0) UNRELEASED; urgency=low * Added lucid-dsc-patch to use pycentral on systems without dh_python2 -- Yaroslav Halchenko Thu, 06 Dec 2012 12:52:30 -0500 fail2ban (0.8.8-1) experimental; urgency=low * Primarily a bugfix upstream release -- Yaroslav Halchenko Wed, 05 Dec 2012 22:53:15 -0500 fail2ban (0.8.7.1-1) experimental; urgency=low * Minor upstream bugfix release -- Yaroslav Halchenko Tue, 31 Jul 2012 21:46:19 -0400 fail2ban (0.8.7-1) experimental; urgency=low * New upstream release: - inotify backend is supported (and the default if pyinotify is present). 
It should bring number of wakeups to minimum (Closes: #481265) - usedns jail.conf parameter to disable reverse DNS mapping to avoid of DoS (see #588431, #514239 for related discussions) - enforces non-unicode logging (Closes: #657286) - new jail "recidive" to ban repeated offenders (Closes: #333557) - catch failed ssh logins due to being listed in DenyUsers (Closes: #669063) - document in config/*.conf on how to inline comments (Closes: #676146) - match possibly present "pam_unix(sshd:auth):" portion for sshd (Closes: #648020) - wu-ftpd: added failregex for use against syslog. Switch to monitor syslog (instead of auth.log) by default (Closes: #514239) - anchor chain name in actioncheck's for iptables actions (Closes: #672228) * debian/jail.conf: - adopted few jails from "upstreams" jail.conf: asterisk, recidive, lighttpd, php-url-open - provide instructions in jail.conf on how to comment (Closes: #676146) Thanks Stefano Forli for a report * debian/fail2ban.init: - Should-(start|stop): iptables-persistent (Closes: #598109), ferm (Closes: #604843) - 'status' exits with code 3 if fail2ban is not running (Closes: #653074) Thanks Glenn Aaldering for the patch * debian/source: - switch to 3.0 (quilt) format * debian/control,rules: - switch to use dh_python2 (Closes: #616803) - boost policy compliance to 3.9.3 - recommend python-pyinotify and only suggest python-gamin -- Yaroslav Halchenko Tue, 31 Jul 2012 16:51:40 -0400 fail2ban (0.8.6-3) unstable; urgency=low * Added dovecot section to Debian's jail.conf. Thanks to Laurent Léonard (Closes: #655182) * init.d script now returns non-0 exit codes upon status command with not running / failed to connect server. Thanks to Glenn Aaldering for the patch -- Yaroslav Halchenko Sun, 08 Jan 2012 21:46:24 -0500 fail2ban (0.8.6-2) unstable; urgency=low * Added pure-ftpd section to Debian's jail.conf. Thanks to Laurent Léonard (Closes: #654412) * Enhancement: action to use /proc/net/xt_recent and run f2b as a normal user. 
Many many thanks to Zbyszek Szmek (Closes: #602016) -- Yaroslav Halchenko Tue, 03 Jan 2012 10:36:24 -0500 fail2ban (0.8.6-1) unstable; urgency=low * [1efe1bc] Fresh upstream release (Closes: #648324) * Boosted policy compliance to 3.9.2 -- no changes * Adjusted debian/watch to fetch tarballs from github -- Yaroslav Halchenko Mon, 28 Nov 2011 22:27:18 -0500 fail2ban (0.8.5-2) unstable; urgency=low * [5242e73] BF: (cherry-picked from upstream, DEP-3 yet TODO) Lock server's executeCmd to prevent racing among iptables calls (Closes: #554162) Many kudos go to Michael Saavedra for the patch -- Yaroslav Halchenko Fri, 23 Sep 2011 22:12:08 -0400 fail2ban (0.8.5-1) unstable; urgency=low * [de95777] Fresh upstream release FAIL2BAN-0_8_5: - [00e1827] BF: use addfailregex instead of failregex while processing per-jail "failregex" parameter (Closes: #635830) (LP: #635036) Thanks Marat Khayrullin for the patch and Daniel T Chen for forwarding to Debian. * [1cbdafc] Set backend to auto and recommends python-gamin (Closes: #524425) * [ef449f4] Added a note on diverting logrotate configuration for custom logtarget=SYSLOG (Closes: #631917). Thanks Kenyon Ralph for report -- Yaroslav Halchenko Thu, 28 Jul 2011 23:20:55 -0400 fail2ban (0.8.4+svn20110323-1) unstable; urgency=low * Fresh upstream snapshot which absorbed some of the patches from Debian and - [c6d64e9] debug entry for lines ignored due to falling below findtime (v2) - [fc20f12] Tai64N stores time in GMT, we need to convert to local time before returning - [b0331bb] default ignoreip to ignore entire loopback zone (/8) (Closes: #598200) - [b9f15f6] ENH: dovecot filter - [69165b1] ENH: add to action.d/iptables*. 
Thanks Matthijs Kooijman - [8330a20] ENH: make filter.d/apache-overflows.conf catch more (Closes: #574182) - [66cc6cb] BF: allow space in the trailing of failregex for sasl.conf (Closes: #573314) - [2714019] ENH: dropbear filter (Closes: #546913) - [ea7d352] BF: Use /var/run/fail2ban instead of /tmp for temp files in actions (Closes: #544232) * debian/jail.conf: - [bc8e22d] spellcheck (Closes: #598206). Thanks Christoph Anton Mitterer - [d7f3e23] adjusted description for sasl jail (Closes: #615952) - [92fb484] debian/jail.conf: closing " for protocol specification - [f828c31] debian/jail.conf: got 'chain' parameter to be specified for iptables actions (Closes: #515599) * debian/control: - [858af30] slight rewordings of the long description (Closes: #588176) - [167dfd4] Boosted policy compliance version to 3.9.1 (no changes seems to be due) * [4e1e845] debian/copyright: updated copyright years -- Yaroslav Halchenko Wed, 23 Mar 2011 17:04:56 -0400 fail2ban (0.8.4-3) unstable; urgency=low * Commenting out named-refused-udp jail and providing even fatter WARNING against using it (Closes: #583364) * Merging upstream's commit for fixing missing import -- Yaroslav Halchenko Mon, 28 Jun 2010 21:50:20 -0400 fail2ban (0.8.4-2) unstable; urgency=low * Merged few upstream patches (svn rev ) which fixed: - Patch to make log file descriptors cloexec to stop leaking file descriptors on fork/exec. * debian/rules,control: -install-layout=deb for setup.py + python (>= 2.5.4-1~) to fix install with python2.6 (Closes: #571213). * Boosted policy to 3.8.4 (no changes seems to be due). -- Yaroslav Halchenko Thu, 25 Feb 2010 00:17:07 -0500 fail2ban (0.8.4-1) unstable; urgency=low * New upstream release. Fixes compatibility issue with python2.6 * Yet only in Debian fixes: - escaping () in pure-ftpd. Thanks Teodor (Closes: #544744) - use "set logtarget" instead of "reload" while logrotate. 
Thanks J.M.Roth (Closes: #537773) - be able to detect time for VNC recording only 2 letters of year (Closes: #537610) - proftpd filter: count all failed logins regardless of the reason * Debian-specific changes: - adjusted README.Debian - multiport is default (closes: #545971) - Boosted policy to 3.8.3 (no changes seems to be due) -- Yaroslav Halchenko Thu, 10 Sep 2009 11:16:51 -0400 fail2ban (0.8.3-6) unstable; urgency=low * Time to shake the ground with upload to unstable. * Merged upstream's development as of SVN revision 732: - Fixed maxretry/findtime rate. Many thanks to Christos Psonis. Tracker #2019714. - Made the named-refused regex a bit less restrictive in order to match logs with "view". Thanks to Stephen Gildea. - Use timetuple instead of utctimetuple for ISO 8601. Maybe not a 100% correct fix but seems to work. Tracker #2500276. - Changed template to be more restrictive (closes: #514163). - Added cyrus-imap and sieve filters. Thanks to Jan Wagner. (closes: #513953). - Pull a commit from Yaroslav git repo. BF: addressing added bang to ssh log (closes: #512193). - Added missing semi-colon in the bind9 example. Thanks to Yaroslav Halchenko. - Added NetBSD ipfilter (ipf command) action. Thanks to Ed Ravin. Tracker #2484115. - Improved SASL filter. Thanks to Loic Pefferkorn. Tracker #2310410. (closes: #507990) - Added CPanel date format. Thanks to David Collins. Tracker #1967610. - Added nagios script. Thanks to Sebastian Mueller. - Removed print. - Removed begin-line anchor for "standard" timestamp (closes: #500824) - Remove socket file on startup is fail2ban crashed. Thanks to Detlef Reichelt. * Added a comment into Debian-shipped jail.conf about sasl logpath -- it might preferable to monitor warn.log in case of postfix (To complete react to #507990) (git branch up/fixes). Also added sasl example log file (git branch up/log_examples). * Removing minor bashism in ipmasq example file (closes: #530078). 
Thanks Raphael Geissert (git branch up/ipmasq) * Allow for trailing spaces in proftpd logs (closes: #507986) (git branch up/fixes). * Removed duplicate entry for DataCha0s/2\.0 in badbots (closes: #519557) (git branch up/fixes). * Adjusted Git-vcs field to point to git:// . * Thanks lintian fixes: - Boosted policy to 3.8.2 (no changes are due). - Boosted debhelper compatibility to 5. - Misspell in README.Debian - Removing stale /var/run/fail2ban from dirs -- should be created by init script -- Yaroslav Halchenko Thu, 09 Jul 2009 01:08:40 -0400 fail2ban (0.8.3-5) experimental; urgency=low * BF: anchoring regex for IP with " *$" at the end + adjust regexp for (closes: #514163) * NF: adding unittests for previous BF -- Yaroslav Halchenko Thu, 05 Feb 2009 09:51:45 -0500 fail2ban (0.8.3-4) experimental; urgency=low * BF: added missing semicolon in a logging template for bind within jail.conf (thanks to anonymous on www.debian-administration.org) -- Yaroslav Halchenko Mon, 02 Feb 2009 23:02:56 -0500 fail2ban (0.8.3-3) experimental; urgency=low * BF: addressed added bang to ssh log (closes: #512193). Thanks Silvestre Zabala. * Adjusted description of bantime/findtime in README.Debian (closes: #507771) * Synced current debian revision to FAIL2BAN-0_8@717 of upstream, since it includes fixes to some forwarded bugs. Total list of functional changes - Added actions to report abuse to ISP, DShield and myNetWatchman. Thanks to Russell Odom. - Added apache-nohome.conf. Thanks to Yaroslav Halchenko. - Added new time format. No idea from where it comes... - Added new regex. Thanks to Tobias Offermann. - Try to match the regex even if the line does not contain a valid date/time. Described in Debian #491253. Thanks to Yaroslav Halchenko. - Removed "timeregex" and "timepattern" stuff that is not needed anymore. - Added date template for Day-Month-Year Hour:Minute:Second (closes: #491253) - Added date pattern for Hour:Minute:Second. Thanks to Andreas Itzchak Rehberg. 
- Use current day and month instead of Jan 1st if both are not available in the log. Thanks to Andreas Itzchak Rehberg. - Improved pattern. Thanks to Yaroslav Halchenko. - Merged patches from Debian package. Thanks to Yaroslav Halchenko. -- Yaroslav Halchenko Sun, 18 Jan 2009 11:31:01 -0500 fail2ban (0.8.3-2) unstable; urgency=low * BF in apache-noscript.conf - regexp matched in referer (Closes: #492319). Thanks Bernd Zeimetz. * BF: extended apache-noscript with additional regexp -- Yaroslav Halchenko Fri, 25 Jul 2008 13:33:56 -0400 fail2ban (0.8.3-1) unstable; urgency=low * Fresh upstream release * Boosted policy compliance to 3.8.0 (no changes needed) * Specify explicitely facilities in "Failed .. for". Thanks Dean Gaudet. (closes: #481760) * Added failregex for "User not known" in sshd.conf. thanks Alexander Gerasiov (closes: #479966) -- Yaroslav Halchenko Mon, 21 Jul 2008 10:27:12 -0400 fail2ban (0.8.2-3) unstable; urgency=low * Changes propagated from upstream trunk (future 0.8.3): - Fixed "fail2ban-client get logpath". Bug #1916986. - Changed some log level. - Added "Day/Month/Year Hour:Minute:Second" date template. Thanks to Dennis Winter. - Fixed PID file while started in daemon mode. Thanks to Christian Jobic who submitted a similar patch (closes: #479703) - Added gssftpd filter. Thanks to Kevin Zembower. - Process failtickets as long as failmanager is not empty. * Assure that /var/run/fail2ban exists upon start (LP: #222804, #223706) -- Yaroslav Halchenko Tue, 06 May 2008 10:49:34 -0400 fail2ban (0.8.2-2) unstable; urgency=low * BF: Recommends whois, which is used in some actions (LP: #213227) -- Yaroslav Halchenko Mon, 07 Apr 2008 10:25:52 -0400 fail2ban (0.8.2-1) unstable; urgency=low * New upstream release! Divergence from Debian version descreased considerably, Major changes: - "full line failregex" - Moved socket to /var/run/fail2ban. - Removed Python 2.4. Minimum required version is now Python 2.3. - New log rotation detection algorithm. 
- Some wishlists got accepted (closes: #456567, #468477, #462060, #461426) - Leap year issue (closes: #468452) * debian/watch: switched to git-import-orig * 2 new jails: xinetd-fail, apache-overflows added to jails.conf -- Yaroslav Halchenko Wed, 05 Mar 2008 23:30:56 -0500 fail2ban (0.8.1-5) unstable; urgency=low * manually "cherry picked" f6639981: Fixed "Feb 29" bug. Thanks to James Andrewartha who pointed this out. Thanks to Yaroslav Halchenko for the fix (closes: #468382) -- Yaroslav Halchenko Thu, 28 Feb 2008 19:51:53 -0500 fail2ban (0.8.1-4) unstable; urgency=low * Debian packaging switched from git+dpatch into pure git way via feature-branches. That revealed the true amount of accumulated patching done of top of vanilla upstream, thus this is the last Debian release prior 0.8.2 upstream release which will hopefully absorb most of the patches * vsftp filter anchoring * Fix/extension of proftpd failrexes (Closes: #461412). Thanks Guido Bozzetto * Added ipmasq rule file (in the examples) to restart fail2ban when iptables are wiped out (closes: #461417). Thanks Guido Bozzetto * Extended apache-noscript filter with more file extensions and to react to "script not found or unable to stat" log message (closes: #456565). Thanks Tim Connors * Fixed == bashism (Closes: #464647). Thanks Raphael Geisser * Confirms to policy 3.7.3 (no changes) -- Yaroslav Halchenko Sat, 09 Feb 2008 22:08:55 -0500 fail2ban (0.8.1-3) unstable; urgency=low * Added Vcs- fields, moved Homepage into source header's field * Propagated patch from 0.9 upstream branch: "Replaced ssocket.py with asyncore/asynchat implementation. Correct fix for bug #1769616. That is supposed to resolve spontaneous 100% CPU utilization by fail2ban-server." * BF: removed sftp from ssh jails (closes: #436053) * NF: new filter for 'refused connect' (closes: #451093). 
Thanks Guido Bozzetto * Moved iptables into recommends since fail2ban can work without iptables using some other action (e.g hosts.deny) -- Yaroslav Halchenko Fri, 23 Nov 2007 11:42:24 -0500 fail2ban (0.8.1-2) unstable; urgency=low * Fixed named-refused filter. * Added force-start action to init script, so it could be forced to start if previous run crashed and left a socket file. Must to be used with caution. -- Yaroslav Halchenko Thu, 18 Oct 2007 18:31:58 -0400 fail2ban (0.8.1-1) unstable; urgency=low * New upstream release. Patches absorbed upstream: 00_daemon_pids.dpatch 00_iptables_allports.dpatch 00_vsftp_filter_spaces.dpatch 00_resolve_all_names.dpatch 00_HOST_ignoreregex.dpatch Patches which needed some tune-up: 00_ssh_strong_re.dpatch 00_mail-whois-lines.dpatch 00_named_refused.dpatch -- Yaroslav Halchenko Tue, 14 Aug 2007 23:15:21 -0400 fail2ban (0.8.0-5~pre1) UNRELEASED; urgency=low * Added optional spaces at the end of failregex for vsftpd. * Resolve all "names" which became a part of . Previousely only fqdn's were resolved -- Yaroslav Halchenko Sun, 05 Aug 2007 21:38:44 -0400 fail2ban (0.8.0-4) unstable; urgency=low * Moved expansion into regex.py (closes: #429263). Thanks James Andrewartha. * Added optional regexp entry for process PID in some entries (closes: #426050). Thanks Roderick Schertler. * Added a filter pam_generic to catch any login errors. * Added iptables-allports. * Use /var/run to keep socket file (closes: #425746) * Added a filter for named to catch refused/denied queries * Added new time template matching named log entries * jail.conf has specification of protocol (default to tcp) to be provided to banaction * Adjusted failregex for sshd filter: - anchored properly at the end of line, and source code has .examples files to perform testing of the rules. 
- added new explicit rule for users not in the AllowUsers lists -- Yaroslav Halchenko Tue, 19 Jun 2007 23:04:02 -0400 fail2ban (0.8.0-2) unstable; urgency=low * Manually changing the order of debhelper inserted scripts in prerm (Closes: #422655) * Removed obsolete hack to have /bin/env invocation of python for fail2ban-* scripts * Applied changes submitted by Bernd Zeimetz (thanks Bernd): - Removed obsolete Build-Depends-Indep on help2man, python-dev - Explicit removal of *.pyc files compiled during build - Invoke 'python setup.py clean' in clean target, which required also to move python into Build-Depends * Minor clean up of debian/rules -- Yaroslav Halchenko Wed, 16 May 2007 14:13:57 -0400 fail2ban (0.8.0-1) unstable; urgency=low * New stable upstream release -- Yaroslav Halchenko Sat, 05 May 2007 12:35:02 -0400 fail2ban (0.7.9-1) unstable; urgency=low * New upstream release * Updated copyright to include current year * Removed patches absorbed upstream -- Yaroslav Halchenko Thu, 19 Apr 2007 21:44:28 -0400 fail2ban (0.7.8-1) unstable; urgency=low * New upstream release * Applied post-release upstream changes to resolve issues with - Fix to close opened handlers to log file - Tentative incomplete gamin fix - Fix to "reload" bug -- Yaroslav Halchenko Mon, 26 Mar 2007 17:52:23 -0400 fail2ban (0.7.7-1) unstable; urgency=low * New upstream release (included most of the debian-provided patches -- new filters and actions) * Refreshed and made verbatim homepage in description -- Yaroslav Halchenko Thu, 8 Feb 2007 22:20:49 -0500 fail2ban (0.7.6-3) unstable; urgency=low * Synchronized action.d/iptables-* rules from upstream SVN (closes: #407561) * Minor: options renames in the comments to be in sync with upstream * Use /usr/bin/python interpreter instead of wrapped call to python by /usr/bin/env -- Yaroslav Halchenko Fri, 19 Jan 2007 10:43:59 -0500 fail2ban (0.7.6-2) unstable; urgency=low * iptables-multiport is default action to take since Debian kernel arrives with 
multiport module. That is to address the fact that most services listen on multiple port (for encrypted and non-encrypted connections) * Added [courierauth] jail (First 2 items are to partially address #407404 -- Yaroslav Halchenko Thu, 18 Jan 2007 10:35:36 -0500 fail2ban (0.7.6-1) unstable; urgency=low * New upstream release, which incorporates fixes introduced in 3~pre non-released versions (which were suggested to the users to overcome problems reported in bug reports). In particular attention should be paid to upstream changelog entries - Several "failregex" and "ignoreregex" are now accepted. Creation of rules should be easier now. This is an alternative solution to 'multiple ' entries fix, which is not applied to this shipped version - pay caution if upgrading from 0.7.5-3~pre? - Allow comma in action options. The value of the option must be escaped with " or '. That allowed to implement requested ability to ban multiple ports at once (See 373592). README.Debian and jail.conf adjusted to reflect possible use of iptables-mport - Now Fail2ban goes in /usr/share/fail2ban instead of /usr/lib/fail2ban. This is more compliant with FHS. 
Patch 00_share_insteadof_lib no longer applied * Refactored installed by debian package jail.conf: - Added option banaction which is to incorporate banning agent (usually some flavor of iptables rule), which can then be easily overriden globally or per section - Multiple actions are defined as action_* to serve as shortcuts * Initd script was modified to inform about present socket file which would forbid fail2ban-server from starting * Adjusted default log file for postfix to be /var/log/mail.log (Closes: #404921) -- Yaroslav Halchenko Thu, 4 Jan 2007 15:24:52 -0500 fail2ban (0.7.5-3~pre6) unstable; urgency=low * Fail2ban now bans vsftpd logins (corrected logfile path and failregex) (Closes: #404060) * Made fail2ban-server tollerate multiple entries in failregex * Moved call to dh_pycentral before dh_installinit * Removed unnecessary call of dh_shlibdeps * Added filter ssh-ddos to fight DDOS attacks. Must be used with caution if there is a possibility of valid clients accessing through unreliable connection or faulty firewall (Closes: #404487) * Not applying patch any more for rigid python2.4 - it is default now in sid/etch * Moving waiting loop for fail2ban-server to stop under do_stop function, so it gets invoked by both 'restart' and 'stop' commands * do_status action of init script is now using 'fail2ban-client ping' instead of '... status' since we don't really use returned status information, besides the return error code -- Yaroslav Halchenko Tue, 26 Dec 2006 21:56:58 -0500 fail2ban (0.7.5-2) unstable; urgency=low * NEWS.Debian confusions - the latest NEWS entry and postinst message were rephrased (Closes: #402350) * Added mail-whois-lines action, which emails log lines containing abuser IP. Those lines are often required for proper abuse reports sent to the Internet providers. 
Forwarding of such received emails to the email addresses of abuse departments present in the output of whois is a tentative solution for semi-automatic abuse reporting (Closes: #358810) -- Yaroslav Halchenko Sun, 10 Dec 2006 18:55:37 -0500 fail2ban (0.7.5-1) unstable; urgency=low * New upstream release which fixes next issues + Socket parameter not work with other path (Closes: #400162) + fail2ban does not start with /etc/init.d/fail2ban start but with fail2ban-client start (Closes: #400278) * Removed obsolete patches left from 0.6 * Adjusted wsftpd patch to use tag to be in line with the other filter definitions -- Yaroslav Halchenko Thu, 7 Dec 2006 20:19:09 -0500 fail2ban (0.7.4-5) unstable; urgency=low * Added Suggests on mailx and relevant comments in README.Debian about invoking mail actions (closes: #396668) * Removed obsolete entries in TODO and README * README.Debian describes the use of interpolations vs parameters passed from jail.{conf,local} into an action definitions (closes: #398739) * Initial version of postfix filter has been present in 0.7 (closes: #377711) * Removed Uploaded field from control since I am a DD now. Big thanks to Barak Pearlmutter for being the sponsor of my packages for few years. -- Yaroslav O. Halchenko Wed, 6 Dec 2006 22:14:26 -0500 fail2ban (0.7.4-4) unstable; urgency=low * Added debian/backports to contain patches necessary for backporting. 
It gets used by pbuilder-ssh to create package for backports.org -- Yaroslav Halchenko Mon, 4 Dec 2006 08:55:48 -0500 fail2ban (0.7.4-3) unstable; urgency=low * Reincarnated logrotate configuration (Closes: #397878) * Only block new connects by using a new action iptables-new instead of iptables (Closes: #350746) * Updated README.Debian to reflect transition over to 0.7 branch and to comment on 350746 * "Clean" target removes generated .pyc files now (Closes: #398146) * Cleaned up debian/rules a bit -- Yaroslav Halchenko Sat, 11 Nov 2006 21:00:18 -0500 fail2ban (0.7.4-2) unstable; urgency=low * Added reload/force-reload actions to init script * Adjusted jail.conf a bit * Warning NEWS entry for 0.7.1 was not shown during installation on test boxes, thus postinst was adjusted accordingly to inform the user about the changes in the configuration files since 0.6. * no logrotation anymore? (Closes: #397878) -- Yaroslav Halchenko Fri, 10 Nov 2006 10:53:23 -0500 fail2ban (0.7.4-1) experimental; urgency=low * New upstream release -- Yaroslav Halchenko Wed, 1 Nov 2006 20:54:14 -0500 fail2ban (0.7.4~pre20061023.2-3) experimental; urgency=low * Corrected init.d script to properly perform restart due to server delay to react to client command to stop. Handling of status was adjusted as well -- Yaroslav Halchenko Sun, 29 Oct 2006 22:29:27 -0500 fail2ban (0.7.4~pre20061023.2-2) experimental; urgency=low * Added apache-noscript to jail.conf * Default action does not send emails to be inline with previous (0.6.x) behavior -- Yaroslav Halchenko Thu, 26 Oct 2006 13:27:20 -0400 fail2ban (0.7.4~pre20061023.2-1) experimental; urgency=low * Fresh upstream: fixed a bug with not handling error producing actioncheck call -- Yaroslav Halchenko Mon, 23 Oct 2006 17:00:03 -0400 fail2ban (0.7.4~pre2006102-1) experimental; urgency=low * Currrent snapshot of trunk * Removed outdated (applied in 0.7.4 or specific for 0.6.?) 
patches from debian/patches * Adjusted rule to install man pages -- only .1 files since there are also h2m sources * debian/{rules,control} adjusted to conform all points in recent python policy changes * install under /usr/share instead of /usr/lib -- Yaroslav Halchenko Mon, 23 Oct 2006 00:17:55 -0400 fail2ban (0.7.3-2) experimental; urgency=low * Added wuftpd section -- Yaroslav Halchenko Wed, 18 Oct 2006 01:15:00 -0400 fail2ban (0.7.3-1) experimental; urgency=low * New upstream release * Debian shipped jail.conf * Refreshen init.d script -- Yaroslav Halchenko Thu, 28 Sep 2006 22:17:16 -0400 fail2ban (0.7.1-0.2) experimental; urgency=low * New upstream release (closes: #370095,#366307) -- Yaroslav Halchenko Tue, 5 Sep 2006 00:26:08 -0400 fail2ban (0.6.1-11) unstable; urgency=low * Adjusted manpage for fail2ban.conf to point to shipped examples of configuration files as the source of details about available configuration options (closes: #382403) * Changes in man/fail2ban.conf.5 are managed via dpatch now -- Yaroslav Halchenko Wed, 16 Aug 2006 00:18:59 +0300 fail2ban (0.6.1-10) unstable; urgency=low * Adjusted to comply with recent changes in debian python policy and use pycentral to byte compile modules * Filtered out empty entries for ignoreip to reduce confusing WARNING log message * Added configuration parameter "locale" to specify LC_TIME for time pattern matching (closes: #367990,363391) * Verbosity is chosen to be max between cmdline parameters and config file -- Yaroslav Halchenko Thu, 6 Jul 2006 20:19:54 -0400 fail2ban (0.6.1-9) unstable; urgency=low * Adjusted rm commands in init script to don't use -r for removal of the pidfile (thanks Stephen Gran) * Added clarification about multiport banning to README.Debian (closes: #373592) -- Yaroslav Halchenko Wed, 14 Jun 2006 12:05:44 -0400 fail2ban (0.6.1-8) unstable; urgency=low * Removed bashism (arrays) from init.d script to make it POSIX shell complient (closes: #368218) * Added new proftpd section * Added 
new saslauthd section. Thanks to martin f krafft (closes: #369483) * Mentioned apache2 log file in Other. comment field for FILE in apache section. Nothing has to be changed besides the logfile path to work with apache2 (closes: #342144) -- Yaroslav Halchenko Mon, 22 May 2006 15:37:17 -0400 fail2ban (0.6.1-5) unstable; urgency=low * Further fixed debian packaging: to comply with policy empty target binary-arch was provided -- Yaroslav Halchenko Tue, 16 May 2006 16:43:37 -0400 fail2ban (0.6.1-4) unstable; urgency=low * Adjusted debian packaging: - Clean up of debian/rules: removed commented out dh_ scripts which definetly will never be used - debhelper and dpatch moved to Build-Depends - added --no-compile for python setup.py install, and removed explicit cleaning of .pyc's - fixed separation binary-indep and binary-arch in debian/rules - restricted depends on python >= 2.3 -- Yaroslav Halchenko Tue, 16 May 2006 15:53:06 -0400 fail2ban (0.6.1-3) unstable; urgency=low * Fixed vsftpd failregexp (closes: #366687) * Started to use dpatch -- Yaroslav Halchenko Wed, 10 May 2006 11:45:57 -0400 fail2ban (0.6.1-2) unstable; urgency=low * Assigned maxreinits to 1000 to be reasonable since otherwise logfile grows indefinetly if there is a real problem on the system (closes: #359218) * Adjusted debian/{copyright,watch} * New version of init.d script (Thanks to Aaron Isotton) (closes: #364278) -- Yaroslav Halchenko Mon, 27 Mar 2006 12:55:39 -0500 fail2ban (0.6.1-1) unstable; urgency=low * New upstream release * In config file added fwchain to ease switching to another input chain (closes: #357164) -- Yaroslav Halchenko Sat, 18 Mar 2006 23:11:53 -0500 fail2ban (0.6.0-8) unstable; urgency=low * Minor adjustments to reduce the deviation from the upstream code -- Yaroslav Halchenko Sat, 11 Mar 2006 00:48:14 -0500 fail2ban (0.6.0-7) unstable; urgency=low * Fixed a typo in failregex for SSH section (closes: #356112) -- Yaroslav Halchenko Thu, 9 Mar 2006 15:13:48 -0500 fail2ban 
(0.6.0-6) unstable; urgency=low * Updated README.Debian with information about some cases with not-as-shipped configurations of sshd on the boxes running older versions of openssh server * Included regexps for SSH in case iff authentication as root using keys was attempted whenever PermitRootLogin is set to something else than "yes" and key authentication fails * Included postrm script to remove log files during purge to comply with policy 10.8 (closes: #355443) -- Yaroslav Halchenko Fri, 3 Mar 2006 16:32:38 -0500 fail2ban (0.6.0-5) unstable; urgency=low * Fixed Apache section: changed filepath to point at error.log, thus I had to revert timeregex and timepattern to user RFC 2822 format (closes: #354346) -- Yaroslav Halchenko Sat, 25 Feb 2006 19:56:46 -0500 fail2ban (0.6.0-4) unstable; urgency=low * Modifications in README.Debian to reflect a "finding" on not-AllowedUsers banning which requires default Debian configuration of "ChallengeResponseAuthentication no" and "PasswordAuthentication yes" * Fixed Apache timeregex and timepattern to confirm the fomat of time stamp used in Debian's acccess.log (error.log uses RFC 2822 format) * Added section ApacheAttacks to specify some common patterns of attacks on a webserver (awstats.pl as a try). This section stays split from Apache since it is of different nature and might be not appropriate for some users * Forced owner/permissions of log file to be root:adm/640 in postinst and logrotate (closes: #352053) -- Yaroslav Halchenko Mon, 16 Jan 2006 04:05:19 -0500 fail2ban (0.6.0-3) unstable; urgency=low * ignoreip is now empty by default (closes: #347766) * increased verbosity in verbose=2 mode: now prints options accepted from the config file * to make fail2ban.conf more compact, thus to improve its readability, fail2ban.conf was converted to use "interpolations" provided by ConfigParser class. 
fw{start,end,{,un}ban} options were moved into DEFAULT section and required options (port, protocol) were added -- Yaroslav Halchenko Thu, 12 Jan 2006 18:32:14 -0500 fail2ban (0.6.0-2) unstable; urgency=low * fail2ban path is inserted first in the list to avoid a conflict with existing elsewhere modules with the same names. (Thanks for report and patch to Nick Craig-Wood) (closes: #343821) -- Yaroslav Halchenko Mon, 19 Dec 2005 17:44:58 +0200 fail2ban (0.6.0-1) unstable; urgency=low * Merged with the latest stable upstream release. That incure some changes for the Debian configuration of the package to be more upstream-like. Visible one is: subject in the sent email includes section outside of "[Fail2Ban]" * Updated README.Debian to answer possible question regarding effective bantime starting moment -- Yaroslav Halchenko Sun, 20 Nov 2005 14:56:41 -0500 fail2ban (0.5.4-10) unstable; urgency=low * Fixed the order of ssh and apache rules to avoid possible race condition (Thanks to Jefferson Cowart for the bug report) (closes: #339133) -- Yaroslav Halchenko Mon, 14 Nov 2005 23:44:45 -0500 fail2ban (0.5.4-9) unstable; urgency=low * Fixed init.d script so it doesn't return non-0 status if fail2ban is not running. That fixes issues with purging the package and leaving garbage in /usr/share/fail2ban (Thanx to Justin Pryzby for the insight) (closes: #337223) -- Yaroslav Halchenko Thu, 3 Nov 2005 17:05:20 -0500 fail2ban (0.5.4-8) unstable; urgency=low * Added config option MAIL.localtime (closes: #336449) -- Yaroslav Halchenko Mon, 31 Oct 2005 16:53:19 -0500 fail2ban (0.5.4-7) unstable; urgency=low * Adjusted init.d script so it is resistant to delayed shutdowns of fail2ban and in general more stable -- Yaroslav Halchenko Thu, 20 Oct 2005 21:22:03 -0400 fail2ban (0.5.4-6.2) unstable; urgency=low * Fixed typos (thanx to Ross Boylan). 
* Robust startup: if iptables module gets fully initialized after startup of fail2ban, fail2ban will do "maxreinit" attempts to initialize its own firewall. It will sleep between attempts for "polltime" number of seconds (closes: #334272). * To overcome possible conflict with other firewall solutions and as a secondary solution for the bug 334272, fail2ban startup is moved during bootup to the latest (S99) sequenece position. That should not cause any discomfort I believe. -- Yaroslav Halchenko Tue, 18 Oct 2005 15:54:38 -0400 fail2ban (0.5.4-5.14) unstable; urgency=low * Added a notification regarding the importance of 0.5.4-5 change of failregex in the config file. * Adjusted address to FSF. * Adjusted failregex for SSH so it bans "Illegal user" entries as well, and restricted full failregex more to include ":" at the beginning, because otherwise it might not be sufficient and would revive bug 330827 (closes: #333056). * Adjusted failregex for SSH to accommodate recent changes in logging of SSH: Illegal -> Invalid. Should match both now. * Fixed a problem of raise AttributeError exception reported as a side effect of crash during parsing of the config file. * Introduced fwcheck option to verify consistency of the chains. Implemented automatic restart of fail2ban main function in case check of fwban or fwunban command failed (closes: #329163, #331695). (Introduced patch was further adjusted by upstream author). * Added -f command line parameter for [findtime]. * Fixed the issue of not respecting command line parameters for parameters within sections. * Added -e command line parameter to provide enabled sections from command line. * Added a cleanup of firewall rules on emergency shutdown when unknown exception is catched. * Fail2ban should not crash now if a wrong file name is specified in config. 
-- Yaroslav Halchenko Mon, 3 Oct 2005 22:26:28 -1000 fail2ban (0.5.4-5) unstable; urgency=low * Made failregex'es more specific to don't allow usernames to be used as a tool for denial of service attacks. Config files (or at least failregex'es) must be updated from this package, otherwise the security breach would remain open and only warning gets issued (closes: #330827) -- Yaroslav Halchenko Sat, 1 Oct 2005 02:42:23 -1000 fail2ban (0.5.4-4) unstable; urgency=low * On a request from Calum Mackay added reporting of the enabled sections -- Yaroslav Halchenko Thu, 29 Sep 2005 11:20:43 -1000 fail2ban (0.5.4-3) unstable; urgency=low * Resolved the mystery of debug mode in which commands are not really executed: added verbose option to config file, removed -v from /etc/default/fail2ban, reordered code a bit so that log targets are setup right after background and then only loglevel (verbose,debug) is processed, so the warning could be seen in the logs -- Yaroslav Halchenko Thu, 29 Sep 2005 00:20:43 -1000 fail2ban (0.5.4-2) unstable; urgency=low * Now exporting PATH explicitely in init.d/fail2ban script, to avoid problems finding iptables in the cases when PATH was not exported outside (cfengine, broken shell environment) (closes: #329304) * Removed -b from start-stop-daemon because fail2ban detahes on its own * Added @localhost to MAIL:from and MAIL:to in fail2ban.conf and placed a note to README.Debian regarding necessity to specify full email address in MAIL:from (closes: #329722) * Added a keyword
in parsing of the subject and the body of an email sent out by fail2ban (closes: #330311) -- Yaroslav Halchenko Wed, 27 Sep 2005 08:09:06 -0400 fail2ban (0.5.4-1) unstable; urgency=low * New upstream release -- Yaroslav Halchenko Tue, 20 Sep 2005 12:19:19 -0400 fail2ban (0.5.3-2) unstable; urgency=low * Refined comments in README.Debian * Reindented init.d script P.S. Was not released -- Yaroslav Halchenko Sun, 11 Sep 2005 15:19:44 -0400 fail2ban (0.5.3-1) unstable; urgency=low * New upstream release -- Yaroslav Halchenko Fri, 9 Sep 2005 16:55:00 -0400 fail2ban (0.5.2-5) unstable; urgency=low * Included a patch from Stephen Gildea to provide "status" report by init.d script * Included a note in README.Debian regarding the fail2ban iptable's chains -- Yaroslav Halchenko Fri, 9 Sep 2005 14:52:24 -0400 fail2ban (0.5.2-4) unstable; urgency=low * Format of SYSLOG entries is up to the standard now -- Yaroslav Halchenko Fri, 19 Aug 2005 00:06:44 -1000 fail2ban (0.5.2-3) unstable; urgency=low * Fixed errata in /etc/default/fail2ban (closes: #323451) * Fixed handling of SYSLOG logging target. 
Now it can log to any syslog target and facility as directed by the config (revisions 160:166 patch from syslog branch) (closes: #323543) * Included upstream README and TODO * Mentioned in README.Debian that apache section is disabled by default * Adjusted man pages to cross-reference each other * Moved fail2ban man page under section 8 as in upstream * Introduced findtime configuration variable to control the lifetime of caught "failed" log entries (closes: #323840) -- Yaroslav Halchenko Tue, 16 Aug 2005 11:23:28 -1000 fail2ban (0.5.2-2) unstable; urgency=low * Updated description to reflect flexibility in application of fail2ban * Included logrotate (Thanks to Baruch Even) -- Yaroslav Halchenko Sat, 13 Aug 2005 04:51:57 -0400 fail2ban (0.5.2-1) unstable; urgency=low * New upstream release * No log4py any more * removed -i eth0 from config -- Yaroslav Halchenko Sat, 6 Aug 2005 09:21:07 -1000 fail2ban (0.5.1-1) unstable; urgency=low * New upstream release -- Yaroslav Halchenko Sat, 23 Jul 2005 08:50:00 -1000 fail2ban (0.5.0-1) unstable; urgency=low * New upstream release * Libraries placed under /usr/share/fail2ban instead of /usr/lib/fail2ban * Corrections to the description of the package -- Yaroslav Halchenko Tue, 12 Jul 2005 23:33:20 -1000 fail2ban (0.4.1-1) unstable; urgency=low * First upstream release of a Debian package -- Yaroslav Halchenko Mon, 04 Jul 2005 11:47:23 +0300 debian/backports/0000755000000000000000000000000012242241771011160 5ustar debian/backports/00list.sarge-backports0000644000000000000000000000002212242241771015276 0ustar nopycentral.patch debian/backports/nopycentral.patch0000644000000000000000000000316112242241771014540 0ustar diff -x '*~' -x .svn -Naur trunk/debian/control trunk.backports/debian/control --- trunk/debian/control 2006-10-23 00:57:02.000000000 -0400 +++ trunk.backports/debian/control 2006-12-04 08:45:25.000000000 -0500 
@@ -4,13 +4,13 @@ Maintainer: Yaroslav Halchenko Uploaders: Barak Pearlmutter Build-Depends: debhelper (>= 5.0.37.2), dpatch -Build-Depends-Indep: python, python-dev, help2man, python-central (>= 0.5.6) +Build-Depends-Indep: python, python2.4, python2.4-dev, help2man XS-Python-Version: current, >= 2.4 Standards-Version: 3.7.2 Package: fail2ban Architecture: all -Depends: ${python:Depends}, iptables, lsb-base (>=2.0-7) +Depends: python2.4, iptables, lsb-base (>=2.0-7) Suggests: python-gamin XB-Python-Version: ${python:Versions} Description: bans IPs that cause multiple authentication errors diff -x '*~' -x .svn -Naur trunk/debian/rules trunk.backports/debian/rules --- trunk/debian/rules 2006-11-11 21:19:14.000000000 -0500 +++ trunk.backports/debian/rules 2006-12-04 08:45:45.000000000 -0500 @@ -39,7 +39,7 @@ dh_installdirs # Add here commands to install the package into debian/fail2ban. - python setup.py install --root=$(DESTDIR) --no-compile + python2.4 setup.py install --root=$(DESTDIR) --no-compile #X Evil - must be removed after Debian switches over to 2.4, now # distutils.setup will override the enterpreter line to /usr/bin/python install fail2ban-server fail2ban-client $(DESTDIR)/usr/bin 
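Review bot: The `Depends:` line in the debian/control hunk now pins `python2.4` and no longer references `${python:Depends}`, while the `@@ -62,7 +62,7 @@` hunk of debian/rules still runs `dh_python`, which is the tool that fills that variable. Whatever dh_python computes is therefore no longer used for the package dependencies. The unchanged `XB-Python-Version: ${python:Versions}` context line is presumably left without a value once python-central is out of the build, which is worth confirming on a sarge build. I would keep the computed value next to the pinned interpreter, `Depends: python2.4, ${python:Depends}, iptables, lsb-base (>=2.0-7)`, and add a comment in debian/rules saying why the interpreter is named explicitly.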
@@ -62,7 +62,7 @@ dh_installlogrotate dh_installinit -- defaults 99 dh_installman man/*.1 - dh_pycentral + dh_python dh_link dh_compress dh_fixperms debian/README.Debian0000644000000000000000000002032612242241771011234 0ustar fail2ban (>=0.7.0) for Debian ----------------------------- This package is ~99% identical to the upstream version. Few features could have been added but not yet propagated into upstream version and some modifications might be Debian-specific. Debian specific jail.conf file is shipped. Original upstream file is available from /usr/share/doc/fail2ban/examples/jail.conf Currently, the major difference with upstream: python libraries are placed under /usr/share/fail2ban instead of /usr/lib/fail2ban to comply with policy regarding architecture independent resources. Upgrade from 0.6 versions: ------------------------- * New Config Files Format: If you had introduced your own sections in /etc/fail2ban.conf, you would need manually to convert them into a new format. At minimum you need to create /etc/fail2ban/filter.d/NAME.local (leave .conf files for me and upstream please to avoid any conflicts -- introduce your changes in .local) with failregex in [Definition] section. And provide appropriate jail definition in /etc/fail2ban/jail.local * Enabled Sections: Only handling of ssh files is enabled by default. If you want to use fail2ban with apache, please enable apache section manually in /etc/fail2ban/jail.local by including next lines: [apache] enabled = true NOTE: -e command line parameter is non existant in 0.7.x * Interpolations vs actions/filters parameters: For details see #398739 or wait for a closure of #400416 Every pair of .conf and then .local (if exists) files is read separately from any other configuration file, so interpolations cannot penetrate from jail.* into actions.d/*. 
To overcome this, it is necessary to create a PARAMETER which can be substituted in actions [Definition] section, if it is also defined in the [Init] section of that file and is used in place of necessary allocation as tag. Parameters can be specified in the definitions within jail.{conf,local}. For instance, 1 lengthy example, where the same name "fwchain" is used both as interpolation (in jail.local) and as a parameter (in iptables-flex.local) (from #398739) ==> /etc/fail2ban/jail.local <== [DEFAULT] action = iptables-flex[name=%(__name__)s, port=%(port)s, fwchain=%(fwchain)s, post_start_commands=%(post_start_commands)s, pre_end_commands=%(pre_end_commands)s] fwchain = INPUT [ssh] fwchain = ssh-tarpit ==> /etc/fail2ban/action.d/iptables-flex.local <== [Definition] actionstart = iptables -N fail2ban- iptables -I -m state --state NEW -p --dport -j fail2ban- iptables -I -j actionstop = iptables -D -j iptables -D -m state --state NEW -p --dport -j fail2ban- iptables -F fail2ban- iptables -X fail2ban- actioncheck = iptables -n -L | grep -q fail2ban- actionban = iptables -I fail2ban- 1 -s -j DROP actionunban = iptables -D fail2ban- -s -j DROP [Init] whitelist = ssh-whitelist fwchain = INPUT name = default port = ssh protocol = tcp * Multiport banning: Comment for #373592, #545971 iptables-multiport action is now default banaction (file jail.conf, to be customized within jail.local). Therefore assure that you have built multiport module if you use custom kernel. If you would like to ban all ports for that host, just redefine fwban/fwunban commands to don't have --dport %(port)s statement at all, or use shorewall, where actionban bans whole IP. * Blocking of NEW connections only Comment for the wishlist #350746. It might be benefitial in some cases to ban only new connections. For that just use iptables-new action instead of default banaction /etc/fail2ban/jail.local: [DEFAULT] banaction=iptables-new (you can override banaction within interesting for you section). 
Also you can redefine the whole action parameter if you like. * Interaction with ipmasq Comment to #461417 Although fail2ban should detect and recreate missing chains if the external command wipes out iptables, it is better to explicitly force-reload fail2ban. For this reason the file examples/ipmasq-ZZZzzz|fail2ban.rul is shipped along to be installed under name ZZZzzz|fail2ban.rul within /etc/ipmasq. * Interaction with logrotate with custom logtarget Comment to #631917 if you use an alternative logtarget (e.g. SYSLOG) thus not using /var/log/fail2ban.log you should divert logrotate configuration into a disabled state, e.g. sudo dpkg-divert --rename --divert \ /etc/logrotate.d/fail2ban.disabled /etc/logrotate.d/fail2ban Troubleshooting: --------------- * Updated failregex: To resolve the security bug #330827 [1] failregex expressions must provide a named group (?P<host>...) as a placeholder of the abuser's host. Alternative tag (since 0.7.5) can be "<HOST>". The naming of the group was introduced to capture possible future generalizations of failregex to provide even more information. [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330827 You might benefit from using fail2ban-regex command shipped along to construct and debug your failregex statements. * "Interpolations" in the config file: Since version 0.6.0-3 to reduce duplication, thus to improve readability of the config file, interpolations provided by the module ConfigParser are used. If you had custom sections defined before, you might benefit from updating config file and adding appropriate information for the new sections. N.B. If you have some nice additional sections defined, I would really appreciate if you share them with me or upstream author, so they could be eventually included in the fail2ban package for general use by the rest of the community. 
* Mailing: Since action.d/mail*.conf commands rely on presence of "mail" command, mailx package (or another package providing mailx functionality such as mailutils) is required if those actions are activated in jail.{conf,local}. * Dirty exit: If firewall rules get cleaned out before fail2ban exits (like was happening with firestarter), errors get reported during the exit of fail2ban, but they are "safe" and can be ignored. ** SSHD Configuration Specific Problems * Ban "Not allowed" attempts: Make sure that you have ChallengeResponseAuthentication no PasswordAuthentication yes Details from the bug report #350980 [2] [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=350980 * Not caught attempts to login as root On the boxes running older versions of openssh (e.g. sarge distribution) in the case when PermitRootLogin is set to something else than "yes" and iff AllowUsers is active, failed root logins do not conform to the standard logging message -- they omit the source IP, thus allowing an attack to persist since such messages are not caught by fail2ban. * Bantime: An IP is banned for "bantime" not since the last failed login attempt from the IP, but rather since the moment when failed login was detected by fail2ban. Thus, if fail2ban gets [re]started, any IP which had enough of failed logins with durations less than "findtime" between them prior to the [re]start moment, will be banned for "bantime" since [re]start moment, not since the last failed login time. * Findtime: "Findtime" option of a jail actually defines a duration to reset the counter of failed login attempts, if no new attempt was detected within that time frame (i.e. within "findtime"). See http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Jail_Options for more information on jail options. 
* Syslog entries can be 'forged' by a regular user From http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Possibility_of_DOS_attack_by_a_local_user Especially on systems which provide ssh/CGI/PHP services to unknown users it is possible to block other users from ssh and probably other access as an unprivileged user may issue: logger -p auth.warning -t 'sshd[123]' 'Illegal user user1 from 1.2.3.4' N.B. chmod o-x /usr/bin/logger is at best an obfuscation, not a fix: the malicious user may still write to syslog by other means, e.g. via PHP's openlog()/syslog(). Hosts that must never be locked out can be listed in ignoreip so that forged entries cannot get them banned. P.S. Anyone is welcome to recommend proper security solution to this issue, such as an alternative to sysklogd which allows better control over users logging to specific facilities (such as AUTH) -- Yaroslav Halchenko , Thu, 28 Jul 2011 23:19:44 -0400 debian/copyright0000644000000000000000000000234512242241771011127 0ustar This package was originally debianized by Yaroslav Halchenko on Mon Jul 4 14:41:34 HST 2005 It was downloaded from http://www.sourceforge.net/projects/fail2ban Author: Cyril Jaquier: http://fail2ban.sourceforge.net Copyright: 2004-2009 Cyril Jaquier This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. On Debian systems, the complete text of the GNU General Public License, version 2, can be found in /usr/share/common-licenses/GPL-2. 
The Debian packaging is (C) 2006-2011, Yaroslav Halchenko and is licensed under the GPL, see above. debian/postrm0000755000000000000000000000201512242241771010440 0ustar #! /bin/sh # postrm script for fail2ban # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `remove' # * `purge' # * `upgrade' # * `failed-upgrade' # * `abort-install' # * `abort-install' # * `abort-upgrade' # * `disappear' overwrit>r> # for details, see /usr/doc/packaging-manual/ case "$1" in purge|disappear) # Remove configuration rm -f /etc/fail2ban.conf # Remove logs rm -f /var/log/fail2ban* ;; remove|upgrade|failed-upgrade|abort-install|abort-upgrade) # nothing # We may not delete the user fail2ban, as there may be # files owned by it in /var/log/ and /etc/. ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# debian/rules0000755000000000000000000000511312242241771010250 0ustar #!/usr/bin/make -f # -*- makefile -*- # Sample debian/rules that uses debhelper. # This file was originally written by Joey Hess and Craig Small. # As a special exception, when this file is copied by dh-make into a # dh-make output file, you may use that output file without restriction. # This special exception was added by Craig Small in version 0.37 of dh-make. # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 DESTDIR=$(CURDIR)/debian/fail2ban configure: configure-stamp configure-stamp: dh_testdir touch configure-stamp build: build-arch: build-indep: clean: clean-inits dh_testdir dh_testroot rm -f build-stamp configure-stamp rm -rf build # Does not hurt to ask distutils to do their duty python setup.py clean # Enforce removal of *.pyc files. Apparently dh_clean does # not perform find on provided filename patterns. find . -name \*.pyc -exec rm -f {} \; dh_clean install: build dh_testdir dh_testroot dh_clean -k dh_installdirs # Install the package into debian/fail2ban. 
python setup.py install --root=$(DESTDIR) --no-compile --install-layout=deb # Install Debian shipped jail file in 1 piece (instead of patching # the shipped one since there are too many changes) install -m 644 debian/jail.conf $(DESTDIR)/etc/fail2ban # Remove explicitely created /var/run/fail2ban # just to please lintian since init file will # take care about it anyways rm -rf $(DESTDIR)/var/run/fail2ban # Install bash completion install -d $(DESTDIR)/etc/bash_completion.d install -m 644 files/bash-completion $(DESTDIR)/etc/bash_completion.d/fail2ban # Run tests ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS))) ./fail2ban-testcases-all || : else : # Skip unittests due to nocheck endif # # Just to comply with policy 4.8 binary-arch: # Build architecture-independent files here. binary-indep: install dh_testdir dh_testroot dh_installchangelogs ChangeLog dh_installdocs dh_installexamples config/jail.conf files/ipmasq-* dh_installlogrotate dh_python2 /usr/share/fail2ban dh_installinit -- defaults 99 # perform swap of order of calls to init and pycentral (or even # bleedingly new dh_python2) in prerm to close #422655 -- # python-cleanup section is cut and placed at the end of the file # since .init script would trigger their compilation again sed -i -e '/^#.*ed by dh_python2/,/# End auto/{H;d};$$G' \ debian/fail2ban.prerm.debhelper dh_installman man/*.[15] dh_link dh_compress dh_fixperms dh_installdeb dh_gencontrol dh_md5sums dh_builddeb binary: binary-indep .PHONY: build clean binary-indep binary-arch binary install configure copy-inits clean-inits debian/docs0000644000000000000000000000004412242241771010041 0ustar README.md TODO doc/run-rootless.txt debian/postinst0000755000000000000000000000474612242241771011014 0ustar #! 
/bin/sh # postinst script for fail2ban # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `configure' # * `abort-upgrade' # * `abort-remove' `in-favour' # # * `abort-deconfigure' `in-favour' # `removing' # # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package # preversion=$2 case "$1" in configure) # To fix the bug in generated by previous version files permissions # also closes #352053 LOG=/var/log/fail2ban.log touch $LOG chown root:adm ${LOG}* chmod 640 ${LOG}* # Note regarding changed configuration file # Note regarding changed configuration file if [ ! -z $preversion ]; then if dpkg --compare-versions $preversion lt 0.7.1-1; then cat <&2 exit 1 ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 debian/fail2ban.logrotate0000644000000000000000000000052212242241771012567 0ustar /var/log/fail2ban.log { weekly rotate 4 compress delaycompress missingok postrotate fail2ban-client set logtarget /var/log/fail2ban.log >/dev/null endscript # If fail2ban runs as non-root it still needs to have write access # to logfiles. # create 640 fail2ban adm create 640 root adm } debian/gbp.conf0000644000000000000000000000070012242241771010604 0ustar [DEFAULT] # the default branch for upstream sources: upstream-branch = upstream # the default branch for the debian patch: debian-branch = debian # use pristine-tar pristine-tar = True # the default tag formats used: upstream-tag = %(version)s debian-tag = debian/%(version)s # Options only affecting git-buildpackage [git-buildpackage] # use this for more svn-buildpackage like bahaviour: export-dir = ../build-area/ tarball-dir = ../tarballs/ debian/NEWS0000644000000000000000000000570312242241771007674 0ustar fail2ban (0.8.11-1) unstable; urgency=low * retroactive for 0.8.9: by default iptables-* actions do not simply DROP packets from offending IP but rather reject with icmp-port-unreachable. 
If DROP behaviour is preferable, provide config/action.d/iptables-blocktype.local with [Init] section defining blocktype = DROP or override action definition to provide blocktype=DROP option in jail.local * Many failregex's were tightened up in this release which could theoretically affect operation in comparison to previous release(s). -- Yaroslav Halchenko Sat, 16 Nov 2013 22:27:50 -0500 fail2ban (0.8.4-3) unstable; urgency=low * Jail named-refused-udp is unsafe and opens the possibility of an easy DoS, so its use is discouraged and it is commented out (see #583364 for more information). -- Yaroslav Halchenko Mon, 28 Jun 2010 22:12:22 -0400 fail2ban (0.7.1-0.2) unstable; urgency=low fail2ban 0.7 is a complete rewrite of the 0.6 version, and if you customized any of the provided configuration or startup files (/etc/default/fail2ban, /etc/fail2ban.conf, /etc/init.d/fail2ban), please read further. The configuration scheme has changed upstream: 0.7 ignores /etc/fail2ban.conf and instead uses a split configuration under /etc/fail2ban/. To retain your customizations, for example to monitor anything other than sshd, you will need to set them under that new directory; use *.local files for customizations. Please see /usr/share/doc/fail2ban/README.Debian.gz and http://fail2ban.sourceforge.net for further description of new configuration scheme. Detailed documentation is under development (see #400416). When you are satisfied with the new settings, please delete /etc/fail2ban.conf to avoid confusion. Fail2ban 0.7 uses client/server architecture and fail2ban-client substitutes for the fail2ban command to provide an interface between the user and fail2ban-server. That is why some command line parameters present in fail2ban 0.6 are invalid in fail2ban-client. Such change affects /etc/default/fail2ban; you should review that file if you customized it. Please enable sections as directed in README.Debian.gz mentioned above. 
You must use newly shipped init.d/fail2ban, or otherwise fail2ban will not start. This note was rewritten in release 0.7.5-2 to clarify its meaning. -- Yaroslav Halchenko Sat, 9 Dec 2006 18:24:36 -0500 fail2ban (0.6.0-4) unstable; urgency=low In this version the new section ApacheAttacks was introduced to ban IPs which are found to run some known attack on the host. For now it captures just awstats and mambo related attacks. To make this feature work, the bug of wrongly specified timeregexp for Apache's access.log file was fixed. Besides that group of log files has changed to be adm, and now they are readable by the group. -- Yaroslav Halchenko Fri, 10 Feb 2006 13:05:07 -0500 debian/pycompat0000644000000000000000000000000212242241771010737 0ustar 2 debian/TODO0000644000000000000000000000035212242241771007660 0ustar * Collect more sections for other log files * Find proper answer to "Syslog entries can be 'forged' by a regular user" mentioned in README.Debian -- Yaroslav O. Halchenko Wed, 6 Dec 2006 22:14:26 -0500 debian/fail2ban.init0000755000000000000000000001435712242241771011550 0ustar #! /bin/sh ### BEGIN INIT INFO # Provides: fail2ban # Required-Start: $local_fs $remote_fs # Required-Stop: $local_fs $remote_fs # Should-Start: $time $network $syslog iptables firehol shorewall ipmasq arno-iptables-firewall iptables-persistent ferm # Should-Stop: $network $syslog iptables firehol shorewall ipmasq arno-iptables-firewall iptables-persistent ferm # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Start/stop fail2ban # Description: Start/stop fail2ban, a daemon scanning the log files and # banning potential attackers. 
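### END INIT INFO

# Author: Aaron Isotton
# Modified: by Yaroslav Halchenko
#  reindented + minor corrections + to work on sarge without modifications
# Modified: by Glenn Aaldering
#  added exit codes for status command
#
# This script runs as root at boot. Everything it sources or reads
# (/etc/default/fail2ban, /etc/default/rcS, /etc/fail2ban/*.conf|.local)
# is trusted input and must be writable by root only.

PATH=/usr/sbin:/usr/bin:/sbin:/bin
DESC="authentication failure monitor"
NAME=fail2ban

# fail2ban-client is not a daemon itself but starts a daemon and
# loads it with configuration
DAEMON=/usr/bin/$NAME-client
SCRIPTNAME=/etc/init.d/$NAME

# Ad-hoc way to parse out socket file name: the last uncommented
# "socket = ..." line found in fail2ban.conf / fail2ban.local wins.
SOCKFILE=$(grep -h '^[^#]*socket *=' /etc/$NAME/$NAME.conf /etc/$NAME/$NAME.local 2>/dev/null \
    | tail -n 1 | sed -e 's/.*socket *= *//g' -e 's/ *$//g')

# NOTE(review): the fallback lives in world-writable /tmp, where any local
# user can pre-create the path and make do_start refuse to run. Presumably
# it mirrors the client's own built-in default (confirm before changing);
# prefer setting "socket" explicitly to a path under /var/run/fail2ban,
# the directory do_start creates below.
[ -z "$SOCKFILE" ] && SOCKFILE='/tmp/fail2ban.sock'

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# Run as root by default.
FAIL2BAN_USER=root

# Read configuration variable file if it is present.
# The file is executed as shell code with root privileges.
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

DAEMON_ARGS="$FAIL2BAN_OPTS"

# Load the VERBOSE setting and other rcS variables
[ -f /etc/default/rcS ] && . /etc/default/rcS

# Predefine what can be missing from lsb source later on -- necessary to run
# on sarge. Just present it in a bit more compact way from what was shipped
log_daemon_msg () {
    [ -z "$1" ] && return 1
    echo -n "$1:"
    [ -z "$2" ] || echo -n " $2"
}

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
# Actually has to (>=2.0-7) present in sarge. log_daemon_msg is predefined
# so we must be ok
. /lib/lsb/init-functions

#
# Shortcut function for abnormal init script interruption.
# Prints the message and terminates the whole script with status 1.
#
report_bug()
{
    # Quoted so the message is printed verbatim (no word splitting/globbing)
    echo "$*"
    echo "Please submit a bug report to Debian BTS (reportbug fail2ban)"
    exit 1
}

#
# Helper function to check if socket is present, which is often left after
# abnormal exit of fail2ban and needs to be removed
#
check_socket()
{
    # Return
    #   0 if socket is present and readable
    #   1 if socket file is not present
    #   2 if socket file is present but not readable
    #   3 if socket file is present but is not a socket
    [ -e "$SOCKFILE" ] || return 1
    [ -r "$SOCKFILE" ] || return 2
    [ -S "$SOCKFILE" ] || return 3
    return 0
}

#
# Function that starts the daemon/service
#
do_start()
{
    # Return
    #   0 if daemon has been started
    #   1 if daemon was already running
    #   2 if daemon could not be started
    do_status && return 1

    if [ -e "$SOCKFILE" ]; then
        log_failure_msg "Socket file $SOCKFILE is present"
        # A leftover socket blocks a normal start; only an explicit
        # force-start proceeds, passing -x to the client.
        if [ "$1" != "force-start" ]; then
            return 2
        fi
        log_success_msg "Starting anyway as requested"
        DAEMON_ARGS="$DAEMON_ARGS -x"
    fi

    # Assure that /var/run/fail2ban exists
    [ -d /var/run/fail2ban ] || mkdir -p /var/run/fail2ban

    if [ "$FAIL2BAN_USER" != "root" ]; then
        # Make the socket directory, IP lists and fail2ban log
        # files writable by fail2ban.
        # NOTE(review): this hands the unprivileged account ownership of the
        # xt_recent lists and of the log other jails may read (see the
        # recidive jail); treat that account as security-sensitive.
        chown "$FAIL2BAN_USER" /var/run/fail2ban
        # Create the logfile if it doesn't exist
        touch /var/log/fail2ban.log
        chown "$FAIL2BAN_USER" /var/log/fail2ban.log
        find /proc/net/xt_recent -name 'fail2ban-*' -exec chown "$FAIL2BAN_USER" {} \;
    fi

    # $DAEMON_ARGS is intentionally unquoted: it carries several options.
    start-stop-daemon --start --quiet --chuid "$FAIL2BAN_USER" --exec $DAEMON -- \
        $DAEMON_ARGS start > /dev/null \
        || return 2

    return 0
}

#
# Function that checks the status of fail2ban and returns
# corresponding code (the exit status of "fail2ban-client ping")
#
do_status()
{
    $DAEMON ping > /dev/null 2>&1
    return $?
}

#
# Function that stops the daemon/service
#
do_stop()
{
    # Return
    #   0 if daemon has been stopped
    #   1 if daemon was already stopped
    #   2 if daemon could not be stopped
    #   other if a failure occurred
    $DAEMON status > /dev/null 2>&1 || return 1
    $DAEMON stop > /dev/null || return 2

    # now we need actually to wait a bit since it might take time
    # for server to react on client's stop request. Especially
    # important for restart command on slow boxes
    count=1
    while do_status && [ $count -lt 60 ]; do
        sleep 1
        count=$(($count+1))
    done
    [ $count -lt 60 ] || return 3 # failed to stop

    return 0
}

#
# Function to reload configuration
# Returns 0 when the client accepted the reload, 1 otherwise.
#
do_reload() {
    $DAEMON reload > /dev/null || return 1
    return 0
}

# yoh:
# shortcut function to don't duplicate case statements and to don't use
# bashisms (arrays). Fixes #368218
#
# $1 - return code to judge, $2 - first code that counts as failure,
# $3 - "no" suppresses the output entirely
log_end_msg_wrapper()
{
    if [ "$3" != "no" ]; then
        if [ "$1" -lt "$2" ]; then
            value=0
        else
            value=1
        fi
        log_end_msg $value
    fi
}

command="$1"
case "$command" in
    start|force-start)
        [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
        do_start "$command"
        log_end_msg_wrapper $? 2 "$VERBOSE"
        ;;

    stop)
        [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
        do_stop
        log_end_msg_wrapper $? 2 "$VERBOSE"
        ;;

    restart|force-reload)
        log_daemon_msg "Restarting $DESC" "$NAME"
        do_stop
        case "$?" in
            0|1)
                do_start
                log_end_msg_wrapper $? 1 "always"
                ;;
            *)
                # Failed to stop
                log_end_msg 1
                ;;
        esac
        ;;

    # force-reload is already taken by the restart arm above, so it is
    # not repeated here (the duplicate pattern could never match).
    reload)
        log_daemon_msg "Reloading $DESC" "$NAME"
        do_reload
        log_end_msg $?
        ;;

    status)
        log_daemon_msg "Status of $DESC"
        do_status
        case $? in
            0)
                log_success_msg " $NAME is running"
                ;;
            255)
                # Exit unconditionally after reporting: a failing logger must
                # not let a dead daemon fall through to the final ":" (exit 0).
                check_socket
                case $? in
                    1)
                        log_failure_msg " $NAME is not running"
                        exit 3
                        ;;
                    0)
                        log_failure_msg " $NAME is not running but $SOCKFILE exists"
                        exit 3
                        ;;
                    2)
                        log_failure_msg " $SOCKFILE not readable, status of $NAME is unknown"
                        exit 3
                        ;;
                    3)
                        log_failure_msg " $SOCKFILE exists but not a socket, status of $NAME is unknown"
                        exit 3
                        ;;
                    *)
                        # report_bug itself exits with status 1
                        report_bug "Unknown return code from $NAME:check_socket."
                        ;;
                esac
                ;;
            *)
                # report_bug itself exits with status 1
                report_bug "Unknown $NAME status code"
                ;;
        esac
        ;;

    *)
        echo "Usage: $SCRIPTNAME {start|force-start|stop|restart|reload|force-reload|status}" >&2
        exit 3
        ;;
esac

:
debian/jail.conf0000644000000000000000000002715512242241771010770 0ustar # Fail2Ban configuration file. # # This file was composed for Debian systems from the original one # provided now under /usr/share/doc/fail2ban/examples/jail.conf # for additional examples. # # Comments: use '#' for comment lines and ';' for inline comments # # To avoid merges during upgrades DO NOT MODIFY THIS FILE # and rather provide your changes in /etc/fail2ban/jail.local # # The DEFAULT allows a global definition of the options. They can be overridden # in each jail afterwards. [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1/8 # "bantime" is the number of seconds that a host is banned. bantime = 600 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 600 maxretry = 3 # "backend" specifies the backend used to get files modification. # Available options are "pyinotify", "gamin", "polling" and "auto". # This option can be overridden in each jail as well. # # pyinotify: requires pyinotify (a file alteration monitor) to be installed. # If pyinotify is not installed, Fail2ban will use auto. # gamin: requires Gamin (a file alteration monitor) to be installed. # If Gamin is not installed, Fail2ban will use auto. # polling: uses a polling algorithm which does not require external libraries. # auto: will try to use the following backends, in order: # pyinotify, gamin, polling. 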
backend = auto # "usedns" specifies if jails should trust hostnames in logs, # warn when reverse DNS lookups are performed, or ignore all hostnames in logs # # yes: if a hostname is encountered, a reverse DNS lookup will be performed. # warn: if a hostname is encountered, a reverse DNS lookup will be performed, # but it will be logged as a warning. # no: if a hostname is encountered, will not be used for banning, # but it will be logged as info. usedns = warn # # Destination email address used solely for the interpolations in # jail.{conf,local} configuration files. destemail = root@localhost # # Name of the sender for mta actions sendername = Fail2Ban # # ACTIONS # # Default banning action (e.g. iptables, iptables-new, # iptables-multiport, shorewall, etc) It is used to define # action_* variables. Can be overridden globally or per # section within jail.local file banaction = iptables-multiport # email action. Since 0.8.1 upstream fail2ban uses sendmail # MTA for the mailing. Change mta configuration parameter to mail # if you want to revert to conventional 'mail'. mta = sendmail # Default protocol protocol = tcp # Specify chain where jumps would need to be added in iptables-* actions chain = INPUT # # Action shortcuts. To be used to define action parameter # The simplest action to take: ban only action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report to the destemail. action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"] # ban & send an e-mail with whois report and relevant log lines # to the destemail. 
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"] # Choose default action. To change, just override value of 'action' with the # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local # globally (section [DEFAULT]) or per specific section action = %(action_)s # # JAILS # # Next jails corresponds to the standard configuration in Fail2ban 0.6 which # was shipped in Debian. Enable any defined here jail by including # # [SECTION_NAME] # enabled = true # # in /etc/fail2ban/jail.local. # # Optionally you may override any other parameter (e.g. banaction, # action, port, logpath, etc) in that section within jail.local [ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 6 [dropbear] enabled = false port = ssh filter = dropbear logpath = /var/log/auth.log maxretry = 6 # Generic filter for pam. 
Has to be used with action which bans all ports # such as iptables-allports, shorewall [pam-generic] enabled = false # pam-generic filter can be customized to monitor specific subset of 'tty's filter = pam-generic # port actually must be irrelevant but lets leave it all for some possible uses port = all banaction = iptables-allports port = anyport logpath = /var/log/auth.log maxretry = 6 [xinetd-fail] enabled = false filter = xinetd-fail port = all banaction = iptables-multiport-log logpath = /var/log/daemon.log maxretry = 2 [ssh-ddos] enabled = false port = ssh filter = sshd-ddos logpath = /var/log/auth.log maxretry = 6 # Here we use blackhole routes for not requiring any additional kernel support # to store large volumes of banned IPs [ssh-route] enabled = false filter = sshd action = route logpath = /var/log/sshd.log maxretry = 6 # Here we use a combination of Netfilter/Iptables and IPsets # for storing large volumes of banned IPs # # IPset comes in two versions. See ipset -V for which one to use # requires the ipset package and kernel support. 
[ssh-iptables-ipset4] enabled = false port = ssh filter = sshd banaction = iptables-ipset-proto4 logpath = /var/log/sshd.log maxretry = 6 [ssh-iptables-ipset6] enabled = false port = ssh filter = sshd banaction = iptables-ipset-proto6 logpath = /var/log/sshd.log maxretry = 6 # # HTTP servers # [apache] enabled = false port = http,https filter = apache-auth logpath = /var/log/apache*/*error.log maxretry = 6 # default action is now multiport, so apache-multiport jail was left # for compatibility with previous (<0.7.6-2) releases [apache-multiport] enabled = false port = http,https filter = apache-auth logpath = /var/log/apache*/*error.log maxretry = 6 [apache-noscript] enabled = false port = http,https filter = apache-noscript logpath = /var/log/apache*/*error.log maxretry = 6 [apache-overflows] enabled = false port = http,https filter = apache-overflows logpath = /var/log/apache*/*error.log maxretry = 2 # Ban attackers that try to use PHP's URL-fopen() functionality # through GET/POST variables. - Experimental, with more than a year # of usage in production environments. [php-url-fopen] enabled = false port = http,https filter = php-url-fopen logpath = /var/www/*/logs/access_log # A simple PHP-fastcgi jail which works with lighttpd. 
# If you run a lighttpd server, then you probably will # find these kinds of messages in your error_log: # ALERT – tried to register forbidden variable ‘GLOBALS’ # through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php') [lighttpd-fastcgi] enabled = false port = http,https filter = lighttpd-fastcgi logpath = /var/log/lighttpd/error.log # Same as above for mod_auth # It catches wrong authentifications [lighttpd-auth] enabled = false port = http,https filter = suhosin logpath = /var/log/lighttpd/error.log [nginx-http-auth] enabled = false filter = nginx-http-auth port = http,https logpath = /var/log/nginx/error.log # Monitor roundcube server [roundcube-auth] enabled = false filter = roundcube-auth port = http,https logpath = /var/log/roundcube/userlogins [sogo-auth] enabled = false filter = sogo-auth port = http, https # without proxy this would be: # port = 20000 logpath = /var/log/sogo/sogo.log # # FTP servers # [vsftpd] enabled = false port = ftp,ftp-data,ftps,ftps-data filter = vsftpd logpath = /var/log/vsftpd.log # or overwrite it in jails.local to be # logpath = /var/log/auth.log # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats maxretry = 6 [proftpd] enabled = false port = ftp,ftp-data,ftps,ftps-data filter = proftpd logpath = /var/log/proftpd/proftpd.log maxretry = 6 [pure-ftpd] enabled = false port = ftp,ftp-data,ftps,ftps-data filter = pure-ftpd logpath = /var/log/syslog maxretry = 6 [wuftpd] enabled = false port = ftp,ftp-data,ftps,ftps-data filter = wuftpd logpath = /var/log/syslog maxretry = 6 # # Mail servers # [postfix] enabled = false port = smtp,ssmtp,submission filter = postfix logpath = /var/log/mail.log [couriersmtp] enabled = false port = smtp,ssmtp,submission filter = couriersmtp logpath = /var/log/mail.log # # Mail servers authenticators: might be used for smtp,ftp,imap servers, so # all relevant ports get banned # [courierauth] enabled = false port = 
smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s filter = courierlogin logpath = /var/log/mail.log [sasl] enabled = false port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s filter = postfix-sasl # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. logpath = /var/log/mail.log [dovecot] enabled = false port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s filter = dovecot logpath = /var/log/mail.log # To log wrong MySQL access attempts add to /etc/my.cnf: # log-error=/var/log/mysqld.log # log-warning = 2 [mysqld-auth] enabled = false filter = mysqld-auth port = 3306 logpath = /var/log/mysqld.log # DNS Servers # These jails block attacks against named (bind9). By default, logging is off # with bind9 installation. You will need something like this: # # logging { # channel security_file { # file "/var/log/named/security.log" versions 3 size 30m; # severity dynamic; # print-time yes; # }; # category security { # security_file; # }; # }; # # in your named.conf to provide proper logging # !!! WARNING !!! # Since UDP is connection-less protocol, spoofing of IP and imitation # of illegal actions is way too simple. Thus enabling of this filter # might provide an easy way for implementing a DoS against a chosen # victim. See # http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html # Please DO NOT USE this jail unless you know what you are doing. 
#[named-refused-udp] # #enabled = false #port = domain,953 #protocol = udp #filter = named-refused #logpath = /var/log/named/security.log [named-refused-tcp] enabled = false port = domain,953 protocol = tcp filter = named-refused logpath = /var/log/named/security.log # Multiple jails, 1 per protocol, are necessary ATM: # see https://github.com/fail2ban/fail2ban/issues/37 [asterisk-tcp] enabled = false filter = asterisk port = 5060,5061 protocol = tcp logpath = /var/log/asterisk/messages [asterisk-udp] enabled = false filter = asterisk port = 5060,5061 protocol = udp logpath = /var/log/asterisk/messages # Jail for more extended banning of persistent abusers # !!! WARNING !!! # Make sure that your loglevel specified in fail2ban.conf/.local # is not at DEBUG level -- which might then cause fail2ban to fall into # an infinite loop constantly feeding itself with non-informative lines [recidive] enabled = false filter = recidive logpath = /var/log/fail2ban.log action = iptables-allports[name=recidive] sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log] bantime = 604800 ; 1 week findtime = 86400 ; 1 day maxretry = 5 debian/control0000644000000000000000000000240012242241771010567 0ustar Source: fail2ban Section: net Priority: optional Maintainer: Yaroslav Halchenko Build-Depends: debhelper (>= 5.0.37.2), python (>= 2.5.4-1~), python-pyinotify Homepage: http://www.fail2ban.org Vcs-Git: git://github.com/fail2ban/fail2ban.git Vcs-Browser: http://github.com/fail2ban/fail2ban Standards-Version: 3.9.4 Package: fail2ban Architecture: all Depends: ${python:Depends}, ${misc:Depends}, lsb-base (>=2.0-7) Recommends: iptables, whois, python-pyinotify Suggests: python-gamin, mailx, system-log-daemon Description: ban hosts that cause multiple authentication errors Fail2ban monitors log files (e.g. /var/log/auth.log, /var/log/apache/access.log) and temporarily or persistently bans failure-prone addresses by updating existing firewall rules. 
Fail2ban allows easy specification of different actions to be taken such as to ban an IP using iptables or hostsdeny rules, or simply to send a notification email. . By default, it comes with filter expressions for various services (sshd, apache, qmail, proftpd, sasl etc.) but configuration can be easily extended for monitoring any other text file. All filters and actions are given in the config files, thus fail2ban can be adopted to be used with a variety of files and firewalls. debian/fail2ban.default0000644000000000000000000000277312242241771012225 0ustar # This file is part of Fail2Ban. # # Fail2Ban is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Fail2Ban is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Fail2Ban; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # Author: Cyril Jaquier # # $Revision$ # Command line options for Fail2Ban. Refer to "fail2ban-client -h" for # valid options. FAIL2BAN_OPTS="" # Run fail2ban as a different user. If not set, fail2ban # will run as root. # # The user is not created automatically. # The user can be created e.g. with # useradd --system --no-create-home --home-dir / --groups adm fail2ban # Log files are readable by group adm by default. Adding the fail2ban # user to this group allows it to read the logfiles. # # Another manual step that needs to be taken is to allow write access # for fail2ban user to fail2ban log files. The /etc/init.d/fail2ban # script will change the ownership when starting fail2ban. 
Logrotate # needs to be configured separately, see /etc/logrotate.d/fail2ban. # # FAIL2BAN_USER="fail2ban" debian/compat0000644000000000000000000000000212242241771010366 0ustar 5