--- fail2ban-0.8.4+svn20110323.orig/fail2ban-testcases
+++ fail2ban-0.8.4+svn20110323/fail2ban-testcases
@@ -57,6 +57,7 @@
 tests.addTest(unittest.makeSuite(filtertestcase.IgnoreIP))
 tests.addTest(unittest.makeSuite(filtertestcase.LogFile))
 tests.addTest(unittest.makeSuite(filtertestcase.GetFailures))
+tests.addTest(unittest.makeSuite(filtertestcase.DNSUtilsTests))
 # Server
 #tests.addTest(unittest.makeSuite(servertestcase.StartStop))
 #tests.addTest(unittest.makeSuite(servertestcase.Transmitter))
--- fail2ban-0.8.4+svn20110323.orig/man/fail2ban-server.1
+++ fail2ban-0.8.4+svn20110323/man/fail2ban-server.1
@@ -35,7 +35,8 @@
 Written by Cyril Jaquier .
 Many contributions by Yaroslav O. Halchenko .
 .SH "REPORTING BUGS"
-Report bugs to
+Please report bugs via Debian bug tracking system
+http://www.debian.org/Bugs/.
 .SH COPYRIGHT
 Copyright \(co 2004-2008 Cyril Jaquier
 .br
--- fail2ban-0.8.4+svn20110323.orig/man/fail2ban-client.1
+++ fail2ban-0.8.4+svn20110323/man/fail2ban-client.1
@@ -251,7 +251,8 @@
 Written by Cyril Jaquier .
 Many contributions by Yaroslav O. Halchenko .
 .SH "REPORTING BUGS"
-Report bugs to
+Please report bugs via Debian bug tracking system
+http://www.debian.org/Bugs/.
 .SH COPYRIGHT
 Copyright \(co 2004-2008 Cyril Jaquier
 .br
--- fail2ban-0.8.4+svn20110323.orig/testcases/filtertestcase.py
+++ fail2ban-0.8.4+svn20110323/testcases/filtertestcase.py
@@ -26,7 +26,7 @@
 import unittest
 from server.filterpoll import FilterPoll
-from server.filter import FileFilter
+from server.filter import FileFilter, DNSUtils
 from server.failmanager import FailManager
 from server.failmanager import FailManagerEmpty
@@ -195,3 +195,15 @@
 self.__filter.getFailures(GetFailures.FILENAME_02)
 self.assertRaises(FailManagerEmpty, self.__filter.failManager.toBan)
+
+class DNSUtilsTests(unittest.TestCase):
+
+ def testTextToIp(self):
+ bogus = [
+ 'doh1.2.3.4.buga.xxxxx.yyy',
+ '1.2.3.4.buga.xxxxx.yyy',
+ ]
+ """Really bogus addresses which should have no matches"""
+ for s in bogus:
+ res = DNSUtils.textToIp(s)
+ self.assertEqual(res, [])
--- fail2ban-0.8.4+svn20110323.orig/server/datedetector.py
+++ fail2ban-0.8.4+svn20110323/server/datedetector.py
@@ -71,6 +71,13 @@
 template.setRegex("\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")
 template.setPattern("%d/%m/%Y %H:%M:%S")
 self.__templates.append(template)
+ # previous one but with year given by 2 digits
+ # (See http://bugs.debian.org/537610)
+ template = DateStrptime()
+ template.setName("Day/Month/Year Hour:Minute:Second")
+ template.setRegex("\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}")
+ template.setPattern("%d/%m/%y %H:%M:%S")
+ self.__templates.append(template)
 # Apache format [31/Oct/2006:09:22:55 -0000]
 template = DateStrptime()
 template.setName("Day/MONTH/Year:Hour:Minute:Second")
--- fail2ban-0.8.4+svn20110323.orig/files/ipmasq-ZZZzzz|fail2ban.rul
+++ fail2ban-0.8.4+svn20110323/files/ipmasq-ZZZzzz|fail2ban.rul
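Review bot: The triple-quoted string placed after the `bogus` list in `testTextToIp` is a bare expression statement, not a docstring, so it is discarded at runtime and never appears in test output; make it the first statement of the method or turn it into `# Really bogus addresses which should have no matches` above the list. The test also pins only the no-match path: one input that must yield an address (a plain dotted quad) would show that `textToIp` still extracts real addresses rather than returning `[]` for everything, a failure that a ban tool would otherwise hide. If `DNSUtils.textToIp` falls back to a resolver lookup for non-numeric text (its body is not part of this diff), both cases depend on live DNS and a wildcard-answering resolver could make them fail, so confirm that and stub the lookup if needed.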
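Review bot: The new two-digit-year pattern `\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}` is unanchored, so it also matches inside a year-first stamp such as `2006/10/31 09:22:55` (starting at `06/10/31`) and would read it as 6 October 2031 unless an earlier template claims the line first; template order lies outside this hunk and needs checking. A misread timestamp moves the failure outside the find-time window, so a host is either never banned or counted against stale events. Guarding the left edge, e.g. `template.setRegex("(?<![\d/])\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}")`, removes the overlap without changing the matched text. The template also reuses the name `"Day/Month/Year Hour:Minute:Second"`, apparently the same as the four-digit one above the hunk; a distinct name such as `"Day/Month/Year2 Hour:Minute:Second"` keeps debug output unambiguous.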
@@ -0,0 +1,31 @@
+#! /bin/sh
+#
+# ZZZzzz|fail2ban.rul
+#
+# Ultima modifica: 20060112 Creazione
+# Ultima modifica: 20071205 Verifica sia in esecuzione
+#
+# Riconfigura le regole di filtraggio relative a fail2ban alla fine
+# dell'inizializzazione delle regole.
+# Solo all'avvio del sistema mostra la (ri)esecuzione dello script
+
+_NAME=fail2ban
+_INITSCRIPT=/etc/init.d/$_NAME
+_CONFIG="/etc/$_NAME/$_NAME.local /etc/$_NAME/$_NAME.conf"
+
+if [ -s $_INITSCRIPT ]; then
+ SOCKFILE=`sed -n -e '/^[^#]*socket\s*=/{
+ s/.*socket\s*=\s*\(\S\+\).*/\1/p;q}' $_CONFIG 2>/dev/null`
+ [ -z "$SOCKFILE" ] && SOCKFILE="/tmp/$_NAME.sock"
+ if [ -S "$SOCKFILE" ]; then # Is daemon running ?
+ if [ "$SHOWRULES" = "yes" ]; then
+ echo "#: Reinitializing $_NAME"
+ echo $_INITSCRIPT force-reload
+ else
+ [ ! $runlevel ] && HIDEOUTPUT=true
+ fi
+ if [ "$NOACT" != "yes" ]; then
+ eval $_INITSCRIPT force-reload ${HIDEOUTPUT:+\>/dev/null 2\>&1}
+ fi
+ fi # SOCKFILE is a socket
+fi # _INITSCRIPT exist
--- fail2ban-0.8.4+svn20110323.orig/files/logs/sasl
+++ fail2ban-0.8.4+svn20110323/files/logs/sasl
@@ -0,0 +1,5 @@
+#1 Example from postfix from dbts #507990
+Dec 2 22:24:22 hel postfix/smtpd[7676]: warning: 114-44-142-233.dynamic.hinet.net[114.44.142.233]: SASL CRAM-MD5 authentication failed: PDc3OTEwNTkyNTEyMzA2NDIuMTIyODI1MzA2MUBoZWw+
+#2 Example from postfix from dbts #573314
+Mar 10 13:33:30 gandalf postfix/smtpd[3937]: warning: HOSTNAME[1.1.1.1]: SASL LOGIN authentication failed: authentication failure
+
--- fail2ban-0.8.4+svn20110323.orig/files/logs/apache-overflows
+++ fail2ban-0.8.4+svn20110323/files/logs/apache-overflows
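Review bot: The reload at the end of the ipmasq script runs through `eval $_INITSCRIPT force-reload ${HIDEOUTPUT:+\>/dev/null 2\>&1}`, which re-parses the whole command line as shell only to make a redirection optional; an explicit branch does the same without `eval`: `if [ -n "$HIDEOUTPUT" ]; then "$_INITSCRIPT" force-reload >/dev/null 2>&1; else "$_INITSCRIPT" force-reload; fi`. The fallback `SOCKFILE="/tmp/$_NAME.sock"` points into a world-writable directory, so the `[ -S "$SOCKFILE" ]` test that stands in for "daemon is running" can be satisfied by a socket any local user created; a default under a root-owned directory, kept in step with the daemon's own default, makes the check trustworthy. `[ -s $_INITSCRIPT ]` and `[ ! $runlevel ]` should quote their operands, the latter as `[ -z "$runlevel" ]`.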
@@ -0,0 +1,2 @@
+[Tue Mar 16 15:39:29 2010] [error] [client 58.179.109.179] Invalid URI in request \xf9h\xa9\xf3\x88\x8cXKj \xbf-l*4\x87n\xe4\xfe\xd4\x1d\x06\x8c\xf8m\\rS\xf6n\xeb\x8
+[Mon Mar 15 15:44:47 2010] [error] [client 121.222.2.133] Invalid URI in request n\xed*\xbe*\xab\xefd\x80\xb5\xae\xf6\x01\x10M?\xf2\xce\x13\x9c\xd7\xa0N\xa7\xdb%0\xde\xe0\xfc\xd2\xa0\xfe\xe9w\xee\xc4`v\x9b[{\x0c:\xcb\x93\xc6\xa0\x93\x9c`l\\\x8d\xc9
--- fail2ban-0.8.4+svn20110323.orig/files/logs/proftpd
+++ fail2ban-0.8.4+svn20110323/files/logs/proftpd
@@ -0,0 +1,5 @@
+Jan 10 00:00:00 myhost proftpd[12345] myhost.domain.com (123.123.123.123[123.123.123.123]): USER username (Login failed): User in /etc/ftpusers
+Feb 1 00:00:00 myhost proftpd[12345] myhost.domain.com (123.123.123.123[123.123.123.123]): USER username: no such user found from 123.123.123.123 [123.123.123.123] to 234.234.234.234:21
+
+
+
--- fail2ban-0.8.4+svn20110323.orig/files/logs/pure-ftpd
+++ fail2ban-0.8.4+svn20110323/files/logs/pure-ftpd
@@ -0,0 +1,2 @@
+Jan 31 16:54:07 desktop pure-ftpd: (?@24.79.92.194) [WARNING] Authentication failed for user [Administrator]
+Nov 5 18:54:02 pure-ftpd: (?@server202181210195.ixlink.net) [WARNING] Authentication failed for user [Administrator]
--- fail2ban-0.8.4+svn20110323.orig/files/logs/sshd
+++ fail2ban-0.8.4+svn20110323/files/logs/sshd
@@ -0,0 +1,26 @@
+#1
+Jun 21 16:47:48 digital-mlhhyiqscv sshd[13709]: error: PAM: Authentication failure for myhlj1374 from 192.030.0.6
+May 29 20:56:52 imago sshd[28732]: error: PAM: Authentication failure for stefanor from www.onerussian.com
+
+#2
+Feb 25 14:34:10 belka sshd[31602]: Failed password for invalid user ROOT from 194.117.26.69 port 50273 ssh2
+Feb 25 14:34:10 belka sshd[31602]: Failed password for invalid user ROOT from 194.117.26.70 port 12345
+
+#3
+Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4
+Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM ::ffff:1.2.3.4
+
+#4
+Jul 20 14:42:11 localhost sshd[22708]: Invalid user ftp from 211.114.51.213
+
+
+#5 new filter introduced after looking at 44087D8C.9090407@bluewin.ch
+Mar 3 00:17:22 [sshd] User root from 210.188.220.49 not allowed because not listed in AllowUsers
+Feb 25 14:34:11 belka sshd[31607]: User root from ferrari.inescn.pt not allowed because not listed in AllowUsers
+
+#6 ew filter introduced thanks to report Guido Bozzetto
+Nov 11 23:33:27 Server sshd[5174]: refused connect from _U2FsdGVkX19P3BCJmFBHhjLza8BcMH06WCUVwttMHpE=_@::ffff:218.249.210.161 (::ffff:218.249.210.161)
+
+#7 added exclamation mark to BREAK-IN
+Oct 15 19:51:35 server sshd[7592]: Address 1.2.3.4 maps to 1234.bbbbbb.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT
+Oct 15 19:51:35 server sshd[7592]: Address 1.2.3.4 maps to 1234.bbbbbb.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
--- fail2ban-0.8.4+svn20110323.orig/files/logs/dovecot
+++ fail2ban-0.8.4+svn20110323/files/logs/dovecot
@@ -0,0 +1 @@
+@400000004c91b044077a9e94 imap-login: Info: Aborted login (auth failed, 1 attempts): user=, method=CRAM-MD5, rip=80.187.101.33, lip=80.254.129.240, TLS
--- fail2ban-0.8.4+svn20110323.orig/files/logs/vsftpd
+++ fail2ban-0.8.4+svn20110323/files/logs/vsftpd
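Review bot: The sshd samples carry no marker of what each line is expected to yield (which host, or no match at all), so a filter regression shows only if someone reads the output by hand; a short `# expect: HOST` comment ahead of each line would make the file usable as a fixture. None of the samples covers a line whose user-name field itself contains host-like text, the forged-entry question that debian/TODO in this same diff leaves open; one such line, annotated with the real peer address as the expected result, would pin that behaviour. The sample address `192.030.0.6` has a zero-padded octet, which some parsers read as octal, so its expected value is worth stating explicitly.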
@@ -0,0 +1,7 @@
+#1 PAM based
+Oct 11 01:06:47 ServerJV vsftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=209.67.1.67
+Feb 6 12:02:29 server vsftpd(pam_unix)[15522]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=64.168.103.1 user=user1
+
+#2 Internal
+Fri Jan 19 12:20:33 2007 [pid 27202] [anonymous] FAIL LOGIN: Client "64.106.46.98"
+
--- fail2ban-0.8.4+svn20110323.orig/files/logs/named-refused
+++ fail2ban-0.8.4+svn20110323/files/logs/named-refused
@@ -0,0 +1,5 @@
+Jul 24 14:16:55 raid5 named[3935]: client 194.145.196.18#4795: query 'ricreig.com/NS/IN' denied
+Jul 24 14:16:56 raid5 named[3935]: client 62.123.164.113#32768: query 'ricreig.com/NS/IN' denied
+Jul 24 14:17:13 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'geo-mueller.de/NS/IN' denied
+Jul 24 14:20:25 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'shivaree.de/NS/IN' denied
+Jul 24 14:23:36 raid5 named[3935]: client 148.160.29.6#33081: query (cache) 'mietberatung.de/NS/IN' denied
--- fail2ban-0.8.4+svn20110323.orig/files/logs/pam-generic
+++ fail2ban-0.8.4+svn20110323/files/logs/pam-generic
@@ -0,0 +1,7 @@
+Feb 7 15:10:42 example pure-ftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=sample-user rhost=192.168.1.1
+May 12 09:47:54 vaio sshd[16004]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71-13-115-12.static.mdsn.wi.charter.com user=root
+May 12 09:48:03 vaio sshd[16021]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71-13-115-12.static.mdsn.wi.charter.com
+May 15 18:02:12 localhost proftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=66.232.129.62 user=mark
+Nov 25 17:12:13 webmail pop(pam_unix)[4920]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.10.3 user=mailuser
+Jul 19 18:11:26 srv2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www3.google.com
+Jul 19 18:11:26 srv2 vsftpd: pam_unix: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=an8767 rhost=www3.google.com
--- fail2ban-0.8.4+svn20110323.orig/debian/gbp.conf
+++ fail2ban-0.8.4+svn20110323/debian/gbp.conf
@@ -0,0 +1,18 @@
+[DEFAULT]
+# the default branch for upstream sources:
+upstream-branch = upstream
+# the default branch for the debian patch:
+debian-branch = debian-release
+# use pristine-tar
+pristine-tar = True
+# the default tag formats used:
+upstream-tag = upstream/%(version)s
+debian-tag = debian/%(version)s
+
+
+# Options only affecting git-buildpackage
+[git-buildpackage]
+# use this for more svn-buildpackage like bahaviour:
+export-dir = ../build-area/
+tarball-dir = ../tarballs/
+
--- fail2ban-0.8.4+svn20110323.orig/debian/postrm
+++ fail2ban-0.8.4+svn20110323/debian/postrm
@@ -0,0 +1,42 @@
+#! /bin/sh
+# postrm script for fail2ban
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `remove'
+# * `purge'
+# * `upgrade'
+# * `failed-upgrade'
+# * `abort-install'
+# * `abort-install'
+# * `abort-upgrade'
+# * `disappear' overwrit>r>
+# for details, see /usr/doc/packaging-manual/
+
+
+case "$1" in
+ purge|disappear)
+
+ # Remove configuration
+ rm -f /etc/fail2ban.conf
+
+ # Remove logs
+ rm -f /var/log/fail2ban*
+
+ ;;
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade)
+ # nothing
+ # We may not delete the user fail2ban, as there may be
+ # files owned by it in /var/log/ and /etc/.
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+
--- fail2ban-0.8.4+svn20110323.orig/debian/TODO
+++ fail2ban-0.8.4+svn20110323/debian/TODO
@@ -0,0 +1,6 @@
+* Collect more sections for other log files
+* Find proper answer to "Syslog entries can be 'forged' by a regular
+ user" mentioned in README.Debian
+
+ -- Yaroslav O. Halchenko Wed, 6 Dec 2006 22:14:26 -0500
+
--- fail2ban-0.8.4+svn20110323.orig/debian/jail.conf
+++ fail2ban-0.8.4+svn20110323/debian/jail.conf
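Review bot: The `case "$1"` in postrm has no `*)` branch, so an unknown or misspelled action falls through silently and the script exits 0; the postinst in this same diff appears to end its default branch with `exit 1`, and postrm should match it with `*) echo "postrm called with unknown argument '$1'" >&2; exit 1 ;;`. The `purge` branch removes only the pre-0.7 `/etc/fail2ban.conf` and `/var/log/fail2ban*`; a comment should say whether administrator-created `*.local` files under /etc/fail2ban/ are meant to survive a purge. The remark about not deleting "the user fail2ban" looks stale, since nothing visible in this diff creates such a user, and `abort-install` is listed twice in the header summary.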
@@ -0,0 +1,299 @@
+# Fail2Ban configuration file.
+#
+# This file was composed for Debian systems from the original one
+# provided now under /usr/share/doc/fail2ban/examples/jail.conf
+# for additional examples.
+#
+# To avoid merges during upgrades DO NOT MODIFY THIS FILE
+# and rather provide your changes in /etc/fail2ban/jail.local
+#
+# Author: Yaroslav O. Halchenko
+#
+# $Revision: 281 $
+#
+
+# The DEFAULT allows a global definition of the options. They can be overridden
+# in each jail afterwards.
+
+[DEFAULT]
+
+# "ignoreip" can be an IP address, a CIDR mask or a DNS host
+ignoreip = 127.0.0.1/8
+bantime = 600
+maxretry = 3
+
+# "backend" specifies the backend used to get files modification. Available
+# options are "gamin", "polling" and "auto".
+# yoh: For some reason Debian shipped python-gamin didn't work as expected
+# This issue left ToDo, so polling is default backend for now
+backend = polling
+
+#
+# Destination email address used solely for the interpolations in
+# jail.{conf,local} configuration files.
+destemail = root@localhost
+
+#
+# ACTIONS
+#
+
+# Default banning action (e.g. iptables, iptables-new,
+# iptables-multiport, shorewall, etc) It is used to define
+# action_* variables. Can be overridden globally or per
+# section within jail.local file
+banaction = iptables-multiport
+
+# email action. Since 0.8.1 upstream fail2ban uses sendmail
+# MTA for the mailing. Change mta configuration parameter to mail
+# if you want to revert to conventional 'mail'.
+mta = sendmail
+
+# Default protocol
+protocol = tcp
+
+# Specify chain where jumps would need to be added in iptables-* actions
+chain = INPUT
+
+#
+# Action shortcuts. To be used to define action parameter
+
+# The simplest action to take: ban only
+action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report to the destemail.
+action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+ %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+ %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
+
+# Choose default action. To change, just override value of 'action' with the
+# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
+# globally (section [DEFAULT]) or per specific section
+action = %(action_)s
+
+#
+# JAILS
+#
+
+# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
+# was shipped in Debian. Enable any defined here jail by including
+#
+# [SECTION_NAME]
+# enabled = true
+
+#
+# in /etc/fail2ban/jail.local.
+#
+# Optionally you may override any other parameter (e.g. banaction,
+# action, port, logpath, etc) in that section within jail.local
+
+[ssh]
+
+enabled = true
+port = ssh
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = 6
+
+[dropbear]
+
+enabled = false
+port = ssh
+filter = sshd
+logpath = /var/log/dropbear
+maxretry = 6
+
+# Generic filter for pam. Has to be used with action which bans all ports
+# such as iptables-allports, shorewall
+[pam-generic]
+
+enabled = false
+# pam-generic filter can be customized to monitor specific subset of 'tty's
+filter = pam-generic
+# port actually must be irrelevant but lets leave it all for some possible uses
+port = all
+banaction = iptables-allports
+port = anyport
+logpath = /var/log/auth.log
+maxretry = 6
+
+[xinetd-fail]
+
+enabled = false
+filter = xinetd-fail
+port = all
+banaction = iptables-multiport-log
+logpath = /var/log/daemon.log
+maxretry = 2
+
+
+[ssh-ddos]
+
+enabled = false
+port = ssh
+filter = sshd-ddos
+logpath = /var/log/auth.log
+maxretry = 6
+
+#
+# HTTP servers
+#
+
+[apache]
+
+enabled = false
+port = http,https
+filter = apache-auth
+logpath = /var/log/apache*/*error.log
+maxretry = 6
+
+# default action is now multiport, so apache-multiport jail was left
+# for compatibility with previous (<0.7.6-2) releases
+[apache-multiport]
+
+enabled = false
+port = http,https
+filter = apache-auth
+logpath = /var/log/apache*/*error.log
+maxretry = 6
+
+[apache-noscript]
+
+enabled = false
+port = http,https
+filter = apache-noscript
+logpath = /var/log/apache*/*error.log
+maxretry = 6
+
+[apache-overflows]
+
+enabled = false
+port = http,https
+filter = apache-overflows
+logpath = /var/log/apache*/*error.log
+maxretry = 2
+
+#
+# FTP servers
+#
+
+[vsftpd]
+
+enabled = false
+port = ftp,ftp-data,ftps,ftps-data
+filter = vsftpd
+logpath = /var/log/vsftpd.log
+# or overwrite it in jails.local to be
+# logpath = /var/log/auth.log
+# if you want to rely on PAM failed login attempts
+# vsftpd's failregex should match both of those formats
+maxretry = 6
+
+
+[proftpd]
+
+enabled = false
+port = ftp,ftp-data,ftps,ftps-data
+filter = proftpd
+logpath = /var/log/proftpd/proftpd.log
+maxretry = 6
+
+
+[wuftpd]
+
+enabled = false
+port = ftp,ftp-data,ftps,ftps-data
+filter = wuftpd
+logpath = /var/log/auth.log
+maxretry = 6
+
+
+#
+# Mail servers
+#
+
+[postfix]
+
+enabled = false
+port = smtp,ssmtp
+filter = postfix
+logpath = /var/log/mail.log
+
+
+[couriersmtp]
+
+enabled = false
+port = smtp,ssmtp
+filter = couriersmtp
+logpath = /var/log/mail.log
+
+
+#
+# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
+# all relevant ports get banned
+#
+
+[courierauth]
+
+enabled = false
+port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
+filter = courierlogin
+logpath = /var/log/mail.log
+
+
+[sasl]
+
+enabled = false
+port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
+filter = sasl
+# You might consider monitoring /var/log/mail.warn instead if you are
+# running postfix since it would provide the same log lines at the
+# "warn" level but overall at the smaller filesize.
+logpath = /var/log/mail.log
+
+
+# DNS Servers
+
+
+# These jails block attacks against named (bind9). By default, logging is off
+# with bind9 installation. You will need something like this:
+#
+# logging {
+# channel security_file {
+# file "/var/log/named/security.log" versions 3 size 30m;
+# severity dynamic;
+# print-time yes;
+# };
+# category security {
+# security_file;
+# };
+# };
+#
+# in your named.conf to provide proper logging
+
+# !!! WARNING !!!
+# Since UDP is connection-less protocol, spoofing of IP and imitation
+# of illegal actions is way too simple. Thus enabling of this filter
+# might provide an easy way for implementing a DoS against a chosen
+# victim. See
+# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
+# Please DO NOT USE this jail unless you know what you are doing.
+#[named-refused-udp]
+#
+#enabled = false
+#port = domain,953
+#protocol = udp
+#filter = named-refused
+#logpath = /var/log/named/security.log
+
+[named-refused-tcp]
+
+enabled = false
+port = domain,953
+protocol = tcp
+filter = named-refused
+logpath = /var/log/named/security.log
+
--- fail2ban-0.8.4+svn20110323.orig/debian/NEWS
+++ fail2ban-0.8.4+svn20110323/debian/NEWS
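Review bot: `[pam-generic]` sets `port` twice (`port = all`, then `port = anyport` two lines later); depending on the parser the second either silently overrides the first or is rejected as a duplicate option, and the comment above explains only one of them, so keep a single line. `[xinetd-fail]` pairs `port = all` with `banaction = iptables-multiport-log`, although the comment on pam-generic says an all-ports jail needs an action such as `iptables-allports`; if the multiport action hands `port` to `--dports`, `all` is not a valid port name and the ban rule would fail to install, leaving the jail without effect, which is worth confirming against the action file. The vsftpd comment refers to `jails.local`, but the file named everywhere else in this header is `jail.local`.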
@@ -0,0 +1,47 @@
+fail2ban (0.8.4-3) unstable; urgency=low
+
+ * Jail named-refused-udp is unsafe and opens possibility for easy DoS,
+ thus discouraged to be used, and commented out (see #583364 for more
+ information).
+
+ -- Yaroslav Halchenko Mon, 28 Jun 2010 22:12:22 -0400
+
+fail2ban (0.7.1-0.2) unstable; urgency=low
+
+ fail2ban 0.7 is a complete rewrite of the 0.6 version, and if you
+ customized any of provided configuration or startup files
+ (/etc/default/fail2ban, /etc/fail2ban.conf, /etc/init.d/fail2ban),
+ please read further. The configuration scheme has changed upstream:
+ 0.7 ignores /etc/fail2ban.conf and instead uses a split configuration
+ under /etc/fail2ban/. To retain your customizations, for example to
+ monitor anything other than sshd, you will need to set them under that
+ new directory; use *.local files for customizations. Please see
+ /usr/share/doc/fail2ban/README.Debian.gz and
+ http://fail2ban.sourceforge.net for further description of new
+ configuration scheme. Detailed documentation is under development (see
+ #400416). When you are satisfied with the new settings, please delete
+ /etc/fail2ban.conf to avoid confusion.
+
+ Fail2ban 0.7 uses client/server architecture and fail2ban-client is to
+ substitute fail2ban command to provide an interface between the user and
+ fail2ban-server. That is why some command line parameters present in
+ fail2ban 0.6 are invalid in fail2ban-client. Such change affects
+ /etc/default/fail2ban; you should review that file if you customized it.
+ Please enable sections as directed in README.Debian.gz mentioned above.
+ You must use newly shipped init.d/fail2ban, or otherwise fail2ban will
+ not start.
+
+ This note was rewritten in release 0.7.5-2 to clarify its meaning.
+
+ -- Yaroslav Halchenko Sat, 9 Dec 2006 18:24:36 -0500
+
+fail2ban (0.6.0-4) unstable; urgency=low
+
+ In this version the new section ApacheAttacks was introduced to ban IPs
+ which are found to run some known attack on the host. For now it captures
+ just awstats and mambo related attacks. To make this feature work, the bug of
+ wrongly specified timeregexp for Apache's access.log file was fixed.
+ Besides that group of log files has changed to be adm, and now they are
+ readable by the group.
+
+ -- Yaroslav Halchenko Fri, 10 Feb 2006 13:05:07 -0500
--- fail2ban-0.8.4+svn20110323.orig/debian/compat
+++ fail2ban-0.8.4+svn20110323/debian/compat
@@ -0,0 +1 @@
+5
--- fail2ban-0.8.4+svn20110323.orig/debian/fail2ban.init
+++ fail2ban-0.8.4+svn20110323/debian/fail2ban.init
@@ -0,0 +1,227 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: fail2ban
+# Required-Start: $local_fs $remote_fs
+# Required-Stop: $local_fs $remote_fs
+# Should-Start: $time $network $syslog iptables firehol shorewall ipmasq arno-iptables-firewall
+# Should-Stop: $network $syslog iptables firehol shorewall ipmasq arno-iptables-firewall
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Start/stop fail2ban
+# Description: Start/stop fail2ban, a daemon scanning the log files and
+# banning potential attackers.
+### END INIT INFO
+
+# Author: Aaron Isotton
+# Modified: by Yaroslav Halchenko
+# reindented + minor corrections + to work on sarge without modifications
+#
+PATH=/usr/sbin:/usr/bin:/sbin:/bin
+DESC="authentication failure monitor"
+NAME=fail2ban
+
+# fail2ban-client is not a daemon itself but starts a daemon and
+# loads its with configuration
+DAEMON=/usr/bin/$NAME-client
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Ad-hoc way to parse out socket file name
+SOCKFILE=`grep -h '^[^#]*socket *=' /etc/$NAME/$NAME.conf /etc/$NAME/$NAME.local 2>/dev/null \
+ | tail -n 1 | sed -e 's/.*socket *= *//g' -e 's/ *$//g'`
+[ -z "$SOCKFILE" ] && SOCKFILE='/tmp/fail2ban.sock'
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+DAEMON_ARGS="$FAIL2BAN_OPTS"
+
+# Load the VERBOSE setting and other rcS variables
+[ -f /etc/default/rcS ] && . /etc/default/rcS
+
+# Predefine what can be missing from lsb source later on -- necessary to run
+# on sarge. Just present it in a bit more compact way from what was shipped
+log_daemon_msg () {
+ [ -z "$1" ] && return 1
+ echo -n "$1:"
+ [ -z "$2" ] || echo -n " $2"
+}
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
+# Actually has to (>=2.0-7) present in sarge. log_daemon_msg is predefined
+# so we must be ok
+. /lib/lsb/init-functions
+
+#
+# Shortcut function for abnormal init script interruption
+#
+report_bug()
+{
+ echo $*
+ echo "Please submit a bug report to Debian BTS (reportbug fail2ban)"
+ exit 1
+}
+
+#
+# Helper function to check if socket is present, which is often left after
+# abnormal exit of fail2ban and needs to be removed
+#
+check_socket()
+{
+ # Return
+ # 0 if socket is present and readable
+ # 1 if socket file is not present
+ # 2 if socket file is present but not readable
+ # 3 if socket file is present but is not a socket
+ [ -e "$SOCKFILE" ] || return 1
+ [ -r "$SOCKFILE" ] || return 2
+ [ -S "$SOCKFILE" ] || return 3
+ return 0
+}
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+ do_status && return 1
+
+ if [ -e "$SOCKFILE" ]; then
+ log_failure_msg "Socket file $SOCKFILE is present"
+ [ "$1" = "force-start" ] \
+ && log_success_msg "Starting anyway as requested" \
+ || return 2
+ DAEMON_ARGS="$DAEMON_ARGS -x"
+ fi
+
+ # Assure that /var/run/fail2ban exists
+ [ -d /var/run/fail2ban ] || mkdir -p /var/run/fail2ban
+
+ start-stop-daemon --start --quiet --chuid root --exec $DAEMON -- \
+ $DAEMON_ARGS start > /dev/null\
+ || return 2
+
+ return 0
+}
+
+
+#
+# Function that checks the status of fail2ban and returns
+# corresponding code
+#
+do_status()
+{
+ $DAEMON ping > /dev/null
+ return $?
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ $DAEMON status > /dev/null || return 1
+ $DAEMON stop > /dev/null || return 2
+
+ # now we need actually to wait a bit since it might take time
+ # for server to react on client's stop request. Especially
+ # important for restart command on slow boxes
+ count=1
+ while do_status && [ $count -lt 60 ]; do
+ sleep 1
+ count=$(($count+1))
+ done
+ [ $count -lt 60 ] || return 3 # failed to stop
+
+ return 0
+}
+
+#
+# Function to reload configuration
+#
+do_reload() {
+ $DAEMON reload > /dev/null && return 0 || return 1
+ return 0
+}
+
+# yoh:
+# shortcut function to don't duplicate case statements and to don't use
+# bashisms (arrays). Fixes #368218
+#
+log_end_msg_wrapper()
+{
+ [ $1 -lt $2 ] && value=0 || value=1
+ log_end_msg $value
+}
+
+command="$1"
+case "$command" in
+ start|force-start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start "$command"
+ [ "$VERBOSE" != no ] && log_end_msg_wrapper $? 2
+ ;;
+
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ [ "$VERBOSE" != no ] && log_end_msg_wrapper $? 2
+ ;;
+
+ restart|force-reload)
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ log_end_msg_wrapper $? 1
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+
+ reload|force-reload)
+ log_daemon_msg "Reloading $DESC" "$NAME"
+ do_reload
+ log_end_msg $?
+ ;;
+
+ status)
+ log_daemon_msg "Status of $DESC"
+ do_status
+ case $? in
+ 0) log_success_msg " $NAME is running" ;;
+ 255)
+ check_socket
+ case $? in
+ 1) log_warning_msg " $NAME is not running" ;;
+ 0) log_failure_msg " $NAME is not running but $SOCKFILE exists" ;;
+ 2) log_failure_msg " $SOCKFILE not readable, status of $NAME is unknown";;
+ 3) log_failure_msg " $SOCKFILE exists but not a socket, status of $NAME is unknown";;
+ *) report_bug "Unknown return code from $NAME:check_socket.";;
+ esac
+ ;;
+ *) report_bug "Unknown $NAME status code"
+ esac
+ ;;
+ *)
+ echo "Usage: $SCRIPTNAME {start|force-start|stop|restart|force-reload|status}" >&2
+ exit 3
+ ;;
+esac
+
+:
--- fail2ban-0.8.4+svn20110323.orig/debian/fail2ban.logrotate
+++ fail2ban-0.8.4+svn20110323/debian/fail2ban.logrotate
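Review bot: When no `socket =` line is found the init script falls back to `SOCKFILE='/tmp/fail2ban.sock'`, a path in a world-writable directory: any file a local user leaves there makes `do_start` log "Socket file ... is present" and return 2 unless `force-start` is given, so the daemon can be kept down across a reboot. The script already creates `/var/run/fail2ban`, so a default inside it, `SOCKFILE='/var/run/fail2ban/fail2ban.sock'`, kept in step with the shipped fail2ban.conf, closes that gap. In the dispatch `case`, `force-reload` appears in both `restart|force-reload)` and `reload|force-reload)`, so the second occurrence is unreachable, and the usage string omits `reload`. `do_reload` ends with a `return 0` that can never run, and `report_bug` should print with `echo "$@"` rather than unquoted `$*`.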
@@ -0,0 +1,13 @@
+/var/log/fail2ban.log {
+
+ weekly
+ rotate 4
+ compress
+
+ delaycompress
+ missingok
+ postrotate
+ fail2ban-client set logtarget /var/log/fail2ban.log >/dev/null
+ endscript
+ create 640 root adm
+}
--- fail2ban-0.8.4+svn20110323.orig/debian/copyright
+++ fail2ban-0.8.4+svn20110323/debian/copyright
@@ -0,0 +1,31 @@
+This package was originally debianized by Yaroslav Halchenko
+ on Mon Jul 4 14:41:34 HST 2005
+
+It was downloaded from http://www.sourceforge.net/projects/fail2ban
+
+Author: Cyril Jaquier:
+ http://fail2ban.sourceforge.net
+
+Copyright: 2004-2009 Cyril Jaquier
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the
+Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+MA 02110-1301, USA.
+
+On Debian systems, the complete text of the GNU General Public
+License, version 2, can be found in /usr/share/common-licenses/GPL-2.
+
+The Debian packaging is (C) 2006-2011, Yaroslav Halchenko
+and is licensed under the GPL, see above.
+
--- fail2ban-0.8.4+svn20110323.orig/debian/postinst
+++ fail2ban-0.8.4+svn20110323/debian/postinst
@@ -0,0 +1,90 @@ +#! /bin/sh +# postinst script for fail2ban +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `configure' +# * `abort-upgrade' +# * `abort-remove' `in-favour' +# +# * `abort-deconfigure' `in-favour' +# `removing' +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package +# +preversion=$2 + +case "$1" in + configure) + # To fix the bug in generated by previous version files permissions + # also closes #352053 + + LOG=/var/log/fail2ban.log + touch $LOG + chown root:adm ${LOG}* + chmod 640 ${LOG}* + + # Note regarding changed configuration file + # Note regarding changed configuration file + if [ ! -z $preversion ]; then + if dpkg --compare-versions $preversion lt 0.7.1-1; then + cat <&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 + + --- fail2ban-0.8.4+svn20110323.orig/debian/control +++ fail2ban-0.8.4+svn20110323/debian/control 
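Review bot: In the `configure` branch, `if [ ! -z $preversion ]` and `dpkg --compare-versions $preversion lt 0.7.1-1` expand `$2` unquoted; the empty case works only because `[ ! -z ]` happens to evaluate false, and under `set -e` a malformed argument would abort the maintainer script midway. Writing `if [ -n "$preversion" ]; then` and `dpkg --compare-versions "$preversion" lt 0.7.1-1` makes the intent explicit. The comment "Note regarding changed configuration file" is duplicated on consecutive lines. The middle of this hunk (the text printed by `cat`) is not legible on this page, so the remainder of the branch could not be reviewed.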
@@ -0,0 +1,34 @@
+Source: fail2ban
+Section: net
+Priority: optional
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Yaroslav Halchenko
+Build-Depends: debhelper (>= 5.0.37.2), python (>= 2.5.4-1~)
+Build-Depends-Indep: python-central (>= 0.5.6)
+XS-Python-Version: current, >= 2.4
+Homepage: http://www.fail2ban.org
+Vcs-Browser: http://git.onerussian.com/?p=deb/fail2ban.git
+Vcs-git: git://git.onerussian.com/deb/fail2ban.git
+Standards-Version: 3.9.1
+
+
+Package: fail2ban
+Architecture: all
+Depends: ${python:Depends}, ${misc:Depends}, lsb-base (>=2.0-7)
+Recommends: iptables, whois
+Suggests: python-gamin, mailx
+XB-Python-Version: ${python:Versions}
+Description: ban hosts that cause multiple authentication errors
+ Fail2ban monitors log files (e.g. /var/log/auth.log,
+ /var/log/apache/access.log) and temporarily or persistently bans
+ failure-prone addresses by updating existing firewall rules. Fail2ban allows
+ easy specification of different actions to be taken such as to ban an
+ IP using iptables or hostsdeny rules, or simply to send a
+ notification email.
+ .
+ By default, it comes with filter expressions for various services
+ (sshd, apache, qmail, proftpd, sasl etc.) but configuration can be
+ easily extended for monitoring any other text file. All filters and
+ actions are given in the config files, thus fail2ban can be adopted
+ to be used with a variety of files and firewalls.
+
--- fail2ban-0.8.4+svn20110323.orig/debian/fail2ban.default
+++ fail2ban-0.8.4+svn20110323/debian/fail2ban.default
@@ -0,0 +1,23 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Author: Cyril Jaquier
+#
+# $Revision: 1.2 $
+
+# Command line options for Fail2Ban. Refer to "fail2ban-client -h" for
+# valid options.
+FAIL2BAN_OPTS=""
--- fail2ban-0.8.4+svn20110323.orig/debian/pycompat
+++ fail2ban-0.8.4+svn20110323/debian/pycompat
@@ -0,0 +1 @@
+2
--- fail2ban-0.8.4+svn20110323.orig/debian/README.Debian
+++ fail2ban-0.8.4+svn20110323/debian/README.Debian
@@ -0,0 +1,224 @@ +fail2ban (>=0.7.0) for Debian +----------------------------- + +This package is ~99% identical to the upstream version. Few features +could have been added but not yet propagated into upstream version and +some modifications might be Debian-specific. Debian specific jail.conf +file is shipped. Original upstream file is available from +/usr/share/doc/fail2ban/examples/jail.conf + +Currently, the major difference with upstream: python libraries are +placed under /usr/share/fail2ban instead of /usr/lib/fail2ban to +comply with policy regarding architecture independent resources. + +Upgrade from 0.6 versions: +------------------------- + +* New Config Files Format: + +If you had introduced your own sections in /etc/fail2ban.conf, you +would need manually to convert them into a new format. At minimum you +need to create /etc/fail2ban/filter.d/NAME.local (leave .conf files +for me and upstream please to avoid any conflicts -- introduce your +changes in .local) with failregex in [Definition] section. And provide +appropriate jail definition in /etc/fail2ban/jail.local + + +* Enabled Sections: + +Only handling of ssh files is enabled by default. If you want to use +fail2ban with apache, please enable apache section manually in +/etc/fail2ban/jail.local by including next lines: + +[apache] +enabled = true + +NOTE: -e command line parameter is non existant in 0.7.x + + +* Interpolations vs actions/filters parameters: + +For details see #398739 or wait for a closure of #400416 + +Every pair of .conf and then .local (if exists) files is read +separately from any other configuration file, so interpolations cannot +penetrate from jail.* into actions.d/*. To overcome this, it is +necessary to create a PARAMETER which can be substituted in actions +[Definition] section, if it is also defined in the [Init] section of +that file and is used in place of necessary allocation as +tag. Parameters can be specified in the definitions within +jail.{conf,local}. 
For instance, 1 lengthy example, where the same +name "fwchain" is used both as interpolation (in jail.local) and as a +parameter (in iptables-flex.local) (from #398739) + +==> /etc/fail2ban/jail.local <== +[DEFAULT] +action = iptables-flex[name=%(__name__)s, port=%(port)s, fwchain=%(fwchain)s, post_start_commands=%(post_start_commands)s, pre_end_commands=%(pre_end_commands)s] +fwchain = INPUT +[ssh] +fwchain = ssh-tarpit +==> /etc/fail2ban/action.d/iptables-flex.local <== +[Definition] +actionstart = iptables -N fail2ban- + iptables -I -m state --state NEW -p --dport -j fail2ban- + iptables -I -j +actionstop = iptables -D -j + iptables -D -m state --state NEW -p --dport -j fail2ban- + iptables -F fail2ban- + iptables -X fail2ban- +actioncheck = iptables -n -L | grep -q fail2ban- +actionban = iptables -I fail2ban- 1 -s -j DROP +actionunban = iptables -D fail2ban- -s -j DROP +[Init] +whitelist = ssh-whitelist +fwchain = INPUT +name = default +port = ssh +protocol = tcp + + +* Multiport banning: Comment for #373592, #545971 + +iptables-multiport action is now default banaction (file jail.conf, to +be customized within jail.local). Therefore assure that you have built +multiport module if you use custom kernel. + +If you would like to ban all ports for that host, just redefine +fwban/fwunban commands to don't have --dport %(port)s statement at +all, or use shorewall, where actionban bans whole IP. + +* Blocking of NEW connections only +Comment for the wishlist #350746. + +It might be benefitial in some cases to ban only new connections. For +that just use iptables-new action instead of default banaction + +/etc/fail2ban/jail.local: + +[DEFAULT] +banaction=iptables-new + +(you can override banaction within interesting for you section). + Also you can redefine the whole action parameter if you like. 
+ + +* Interaction with ipmasq + Comment to #461417 + +Although fail2ban should detect and recreate missing chains if the external +command wipes out iptables, it is better to explicitly to force-reload +fail2ban. For this reason there is examples/ipmasq-ZZZzzz|fail2ban.rul file is +shipped along to be installed under name ZZZzzz|fail2ban.rul within +/etc/ipmasq. + + +Troubleshooting: +--------------- + +* Updated failregex: + +To resolve the security bug #330827 [1] failregex expressions must +provide a named group (?P...) as a placeholder of the abuser's +host. Alternative tag (since 0.7.5) can be "". The naming of the +group was introduced to capture possible future generalizations of +failregex to provide even more information. + +[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330827 + +You might benefit from using fail2ban-regex command shipped along to +construct and debug your failregex statements. + +* "Interpolations" in the config file: + +Since version 0.6.0-3 to reduce duplication, thus to improve +readability of the config file, interpolations provided by the module +ConfigParser are used. If you had custom sections defined before, you +might benefit from updating config file and adding appropriate +information for the new sections. + +N.B. If you have some nice additional sections defined, I would really +appreciate if you share them with me or upstream author, so they could +be eventually included in the fail2ban package for general use by the +rest of the community. + + +* Mailing: + +Since actions.d/mail*.conf commands rely on presence of "mail" +command, mailx package (or another package providing mailx +functionality such as mailutils) is required if those actions are +activated in jail.{conf,local}. + + +* Dirty exit: + +If firewall rules gets cleaned out before fail2ban exits (like was +happening with firestarter), errors get reported during the exit of +fail2ban, but they are "safe" and can be ignored. 
+ + +** SSHD Configuration Specific Problems + +* Ban "Not allowed" attempts: + +Make sure that you have +ChallengeResponseAuthentication no +PasswordAuthentication yes + +Details from the bug report #350980 [2] + +[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=350980 + + +* Not caught attempts to login as root + +On the boxes running older versions of openssh (e.g. sarge +distribution) in the case when PermitRootLogin is set to something +else than "yes" and iff AllowUsers is active, failed root logins do +not confirm to the standard logging message -- they omit the source +IP, thus allowing attack to persist since such messages are not caught +by fail2ban. + + +* Bantime: + +An IP is banned for "bantime" not since the last failed login attempt +from the IP, but rather since the moment when failed login was +detected by fail2ban. Thus, if fail2ban gets [re]started, any IP which +had enough of failed logins with durations less than "findtime" between +them prior to the [re]start moment, will be banned for +"bantime" since [re]start moment, not since the last failed login +time. + +* Findtime: + +"Findtime" option of a jail actually defines a duration to reset the +counter of failed login attempts, if no new attempt was detected within +that time frame (i.e. within "findtime"). + +See +http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Jail_Options +for more information on jail options. + + +* Syslog entries can be 'forged' by a regular user + +From +http://fail2ban.sourceforge.net/wiki/index.php/FAQ_english#What_do_I_have_to_consider_when_using_Fail2ban + +Especially on systems wich provide ssh/CGI/PHP services to unknown +users it is possible to block other users from ssh and probably other +access as a unprivileged user may issue: + +logger -p auth.warning -t 'sshd[123]' 'Illegal user user1 from 1.2.3.4' + +N.B. chmod o-x /usr/bin/logger should provide at least obfuscation +solution + +Or the malicious user may write via PHP's openlog()/syslog() to syslog. 
+ +P.S. Anyone is welcome to recommend proper security solution to this +issue, such as an alternative to sysklogd which allows better control +over users logging to specific facilities (such as AUTH) + + -- Yaroslav Halchenko , Thu, 4 Jan 2007 15:18:39 -0500 --- fail2ban-0.8.4+svn20110323.orig/debian/changelog +++ fail2ban-0.8.4+svn20110323/debian/changelog 
@@ -0,0 +1,933 @@ +fail2ban (0.8.4+svn20110323-1ubuntu1) oneiric; urgency=low + + * Forward-port patch from Marat Khayrullin to fix fail2ban not starting + if failregex is specified in a jail config. (LP: #635036) + + -- Daniel T Chen Thu, 28 Jul 2011 17:07:43 -0400 + +fail2ban (0.8.4+svn20110323-1) unstable; urgency=low + + * Fresh upstream snapshot which absorbed some of the patches from Debian + and + - [c6d64e9] debug entry for lines ignored due to falling below + findtime (v2) + - [fc20f12] Tai64N stores time in GMT, we need to convert to + local time before returning + - [b0331bb] default ignoreip to ignore entire loopback zone (/8) + (Closes: #598200) + - [b9f15f6] ENH: dovecot filter + - [69165b1] ENH: add to action.d/iptables*. Thanks + Matthijs Kooijman + - [8330a20] ENH: make filter.d/apache-overflows.conf catch more + (Closes: #574182) + - [66cc6cb] BF: allow space in the trailing of failregex for sasl.conf + (Closes: #573314) + - [2714019] ENH: dropbear filter (Closes: #546913) + - [ea7d352] BF: Use /var/run/fail2ban instead of /tmp for temp files in + actions (Closes: #544232) + * debian/jail.conf: + - [bc8e22d] spellcheck (Closes: #598206). 
Thanks Christoph Anton Mitterer + - [d7f3e23] adjusted description for sasl jail (Closes: #615952) + - [92fb484] debian/jail.conf: closing " for protocol specification + - [f828c31] debian/jail.conf: got 'chain' parameter to be specified for + iptables actions (Closes: #515599) + * debian/control: + - [858af30] slight rewordings of the long description (Closes: #588176) + - [167dfd4] Boosted policy compliance version to 3.9.1 (no changes seems + to be due) + * [4e1e845] debian/copyright: updated copyright years + + -- Yaroslav Halchenko Wed, 23 Mar 2011 17:04:56 -0400 + +fail2ban (0.8.4-3) unstable; urgency=low + + * Commenting out named-refused-udp jail and providing even fatter + WARNING against using it (Closes: #583364) + * Merging upstream's commit for fixing missing import + + -- Yaroslav Halchenko Mon, 28 Jun 2010 21:50:20 -0400 + +fail2ban (0.8.4-2) unstable; urgency=low + + * Merged few upstream patches (svn rev ) which fixed: + - Patch to make log file descriptors cloexec to stop leaking file + descriptors on fork/exec. + * debian/rules,control: -install-layout=deb for setup.py + python (>= + 2.5.4-1~) to fix install with python2.6 (Closes: #571213). + * Boosted policy to 3.8.4 (no changes seems to be due). + + -- Yaroslav Halchenko Thu, 25 Feb 2010 00:17:07 -0500 + +fail2ban (0.8.4-1) unstable; urgency=low + + * New upstream release. Fixes compatibility issue with python2.6 + * Yet only in Debian fixes: + - escaping () in pure-ftpd. Thanks Teodor (Closes: #544744) + - use "set logtarget" instead of "reload" while logrotate. 
Thanks + J.M.Roth (Closes: #537773) + - be able to detect time for VNC recording only 2 letters of year + (Closes: #537610) + - proftpd filter: count all failed logins regardless of the reason + * Debian-specific changes: + - adjusted README.Debian - multiport is default (closes: #545971) + - Boosted policy to 3.8.3 (no changes seems to be due) + + -- Yaroslav Halchenko Thu, 10 Sep 2009 11:16:51 -0400 + +fail2ban (0.8.3-6) unstable; urgency=low + + * Time to shake the ground with upload to unstable. + * Merged upstream's development as of SVN revision 732: + - Fixed maxretry/findtime rate. Many thanks to Christos Psonis. + Tracker #2019714. + - Made the named-refused regex a bit less restrictive in order to match + logs with "view". Thanks to Stephen Gildea. + - Use timetuple instead of utctimetuple for ISO 8601. Maybe not a 100% + correct fix but seems to work. Tracker #2500276. + - Changed template to be more restrictive (closes: #514163). + - Added cyrus-imap and sieve filters. Thanks to Jan Wagner. (closes: + #513953). + - Pull a commit from Yaroslav git repo. BF: addressing added bang to ssh + log (closes: #512193). + - Added missing semi-colon in the bind9 example. Thanks to Yaroslav + Halchenko. + - Added NetBSD ipfilter (ipf command) action. Thanks to Ed Ravin. Tracker + #2484115. + - Improved SASL filter. Thanks to Loic Pefferkorn. Tracker #2310410. + (closes: #507990) + - Added CPanel date format. Thanks to David Collins. Tracker #1967610. + - Added nagios script. Thanks to Sebastian Mueller. + - Removed print. + - Removed begin-line anchor for "standard" timestamp (closes: #500824) + - Remove socket file on startup is fail2ban crashed. Thanks to Detlef + Reichelt. + * Added a comment into Debian-shipped jail.conf about sasl logpath -- it + might preferable to monitor warn.log in case of postfix (To complete react + to #507990) (git branch up/fixes). Also added sasl example log file (git + branch up/log_examples). 
+ * Removing minor bashism in ipmasq example file (closes: #530078). + Thanks Raphael Geissert (git branch up/ipmasq) + * Allow for trailing spaces in proftpd logs (closes: #507986) + (git branch up/fixes). + * Removed duplicate entry for DataCha0s/2\.0 in badbots (closes: #519557) + (git branch up/fixes). + * Adjusted Git-vcs field to point to git:// . + * Thanks lintian fixes: + - Boosted policy to 3.8.2 (no changes are due). + - Boosted debhelper compatibility to 5. + - Misspell in README.Debian + - Removing stale /var/run/fail2ban from dirs -- should be created by + init script + + -- Yaroslav Halchenko Thu, 09 Jul 2009 01:08:40 -0400 + +fail2ban (0.8.3-5) experimental; urgency=low + + * BF: anchoring regex for IP with " *$" at the end + adjust regexp for + (closes: #514163) + * NF: adding unittests for previous BF + + -- Yaroslav Halchenko Thu, 05 Feb 2009 09:51:45 -0500 + +fail2ban (0.8.3-4) experimental; urgency=low + + * BF: added missing semicolon in a logging template for bind within + jail.conf (thanks to anonymous on www.debian-administration.org) + + -- Yaroslav Halchenko Mon, 02 Feb 2009 23:02:56 -0500 + +fail2ban (0.8.3-3) experimental; urgency=low + + * BF: addressed added bang to ssh log (closes: #512193). + Thanks Silvestre Zabala. + * Adjusted description of bantime/findtime in README.Debian (closes: + #507771) + * Synced current debian revision to FAIL2BAN-0_8@717 of upstream, + since it includes fixes to some forwarded bugs. Total list of + functional changes + - Added actions to report abuse to ISP, DShield and myNetWatchman. + Thanks to Russell Odom. + - Added apache-nohome.conf. Thanks to Yaroslav Halchenko. + - Added new time format. No idea from where it comes... + - Added new regex. Thanks to Tobias Offermann. + - Try to match the regex even if the line does not contain a valid + date/time. Described in Debian #491253. Thanks to Yaroslav + Halchenko. + - Removed "timeregex" and "timepattern" stuff that is not needed + anymore. 
+ - Added date template for Day-Month-Year Hour:Minute:Second + (closes: #491253) + - Added date pattern for Hour:Minute:Second. Thanks to Andreas + Itzchak Rehberg. + - Use current day and month instead of Jan 1st if both are not + available in the log. Thanks to Andreas Itzchak Rehberg. + - Improved pattern. Thanks to Yaroslav Halchenko. + - Merged patches from Debian package. Thanks to Yaroslav Halchenko. + + -- Yaroslav Halchenko Sun, 18 Jan 2009 11:31:01 -0500 + +fail2ban (0.8.3-2) unstable; urgency=low + + * BF in apache-noscript.conf - regexp matched in referer (Closes: #492319). + Thanks Bernd Zeimetz. + * BF: extended apache-noscript with additional regexp + + -- Yaroslav Halchenko Fri, 25 Jul 2008 13:33:56 -0400 + +fail2ban (0.8.3-1) unstable; urgency=low + + * Fresh upstream release + * Boosted policy compliance to 3.8.0 (no changes needed) + * Specify explicitely facilities in "Failed .. for". Thanks Dean + Gaudet. (closes: #481760) + * Added failregex for "User not known" in sshd.conf. thanks Alexander + Gerasiov (closes: #479966) + + + -- Yaroslav Halchenko Mon, 21 Jul 2008 10:27:12 -0400 + +fail2ban (0.8.2-3) unstable; urgency=low + + * Changes propagated from upstream trunk (future 0.8.3): + - Fixed "fail2ban-client get logpath". Bug #1916986. + - Changed some log level. + - Added "Day/Month/Year Hour:Minute:Second" date template. Thanks to + Dennis Winter. + - Fixed PID file while started in daemon mode. Thanks to Christian + Jobic who submitted a similar patch (closes: #479703) + - Added gssftpd filter. Thanks to Kevin Zembower. + - Process failtickets as long as failmanager is not empty. 
+ * Assure that /var/run/fail2ban exists upon start (LP: #222804, #223706) + + -- Yaroslav Halchenko Tue, 06 May 2008 10:49:34 -0400 + +fail2ban (0.8.2-2) unstable; urgency=low + + * BF: Recommends whois, which is used in some actions (LP: #213227) + + -- Yaroslav Halchenko Mon, 07 Apr 2008 10:25:52 -0400 + +fail2ban (0.8.2-1) unstable; urgency=low + + * New upstream release! Divergence from Debian version descreased + considerably, Major changes: + - "full line failregex" + - Moved socket to /var/run/fail2ban. + - Removed Python 2.4. Minimum required version is now Python 2.3. + - New log rotation detection algorithm. + - Some wishlists got accepted (closes: #456567, #468477, #462060, + #461426) + - Leap year issue (closes: #468452) + * debian/watch: switched to git-import-orig + * 2 new jails: xinetd-fail, apache-overflows added to jails.conf + + -- Yaroslav Halchenko Wed, 05 Mar 2008 23:30:56 -0500 + +fail2ban (0.8.1-5) unstable; urgency=low + + * manually "cherry picked" f6639981: Fixed "Feb 29" bug. Thanks to + James Andrewartha who pointed this out. Thanks to Yaroslav Halchenko + for the fix (closes: #468382) + + -- Yaroslav Halchenko Thu, 28 Feb 2008 19:51:53 -0500 + +fail2ban (0.8.1-4) unstable; urgency=low + + * Debian packaging switched from git+dpatch into pure git way via + feature-branches. That revealed the true amount of accumulated patching + done of top of vanilla upstream, thus this is the last Debian release + prior 0.8.2 upstream release which will hopefully absorb most of the + patches + * vsftp filter anchoring + * Fix/extension of proftpd failrexes (Closes: #461412). Thanks Guido + Bozzetto + * Added ipmasq rule file (in the examples) to restart fail2ban when + iptables are wiped out (closes: #461417). Thanks Guido Bozzetto + * Extended apache-noscript filter with more file extensions and to + react to "script not found or unable to stat" log message (closes: + #456565). Thanks Tim Connors + * Fixed == bashism (Closes: #464647). 
Thanks Raphael Geisser + * Confirms to policy 3.7.3 (no changes) + + -- Yaroslav Halchenko Sat, 09 Feb 2008 22:08:55 -0500 + +fail2ban (0.8.1-3) unstable; urgency=low + + * Added Vcs- fields, moved Homepage into source header's field + * Propagated patch from 0.9 upstream branch: "Replaced ssocket.py with + asyncore/asynchat implementation. Correct fix for bug #1769616. That is + supposed to resolve spontaneous 100% CPU utilization by fail2ban-server." + * BF: removed sftp from ssh jails (closes: #436053) + * NF: new filter for 'refused connect' (closes: #451093). Thanks Guido + Bozzetto + * Moved iptables into recommends since fail2ban can work without iptables + using some other action (e.g hosts.deny) + + -- Yaroslav Halchenko Fri, 23 Nov 2007 11:42:24 -0500 + +fail2ban (0.8.1-2) unstable; urgency=low + + * Fixed named-refused filter. + * Added force-start action to init script, so it could be forced + to start if previous run crashed and left a socket file. Must to be + used with caution. + + -- Yaroslav Halchenko Thu, 18 Oct 2007 18:31:58 -0400 + +fail2ban (0.8.1-1) unstable; urgency=low + + * New upstream release. + Patches absorbed upstream: + 00_daemon_pids.dpatch + 00_iptables_allports.dpatch + 00_vsftp_filter_spaces.dpatch + 00_resolve_all_names.dpatch + 00_HOST_ignoreregex.dpatch + Patches which needed some tune-up: + 00_ssh_strong_re.dpatch + 00_mail-whois-lines.dpatch + 00_named_refused.dpatch + + -- Yaroslav Halchenko Tue, 14 Aug 2007 23:15:21 -0400 + +fail2ban (0.8.0-5~pre1) UNRELEASED; urgency=low + + * Added optional spaces at the end of failregex for vsftpd. + * Resolve all "names" which became a part of . Previousely only fqdn's + were resolved + + -- Yaroslav Halchenko Sun, 05 Aug 2007 21:38:44 -0400 + +fail2ban (0.8.0-4) unstable; urgency=low + + * Moved expansion into regex.py (closes: #429263). Thanks James + Andrewartha. + * Added optional regexp entry for process PID in some entries (closes: + #426050). Thanks Roderick Schertler. 
+ * Added a filter pam_generic to catch any login errors. + * Added iptables-allports. + * Use /var/run to keep socket file (closes: #425746) + * Added a filter for named to catch refused/denied queries + * Added new time template matching named log entries + * jail.conf has specification of protocol (default to tcp) to be provided to + banaction + * Adjusted failregex for sshd filter: + - anchored properly at the end of line, and source code has .examples + files to perform testing of the rules. + - added new explicit rule for users not in the AllowUsers lists + + + -- Yaroslav Halchenko Tue, 19 Jun 2007 23:04:02 -0400 + +fail2ban (0.8.0-2) unstable; urgency=low + + * Manually changing the order of debhelper inserted scripts in prerm + (Closes: #422655) + * Removed obsolete hack to have /bin/env invocation of python for + fail2ban-* scripts + * Applied changes submitted by Bernd Zeimetz (thanks Bernd): + - Removed obsolete Build-Depends-Indep on help2man, python-dev + - Explicit removal of *.pyc files compiled during build + - Invoke 'python setup.py clean' in clean target, which required also + to move python into Build-Depends + * Minor clean up of debian/rules + + -- Yaroslav Halchenko Wed, 16 May 2007 14:13:57 -0400 + +fail2ban (0.8.0-1) unstable; urgency=low + + * New stable upstream release + + -- Yaroslav Halchenko Sat, 05 May 2007 12:35:02 -0400 + +fail2ban (0.7.9-1) unstable; urgency=low + + * New upstream release + * Updated copyright to include current year + * Removed patches absorbed upstream + + -- Yaroslav Halchenko Thu, 19 Apr 2007 21:44:28 -0400 + +fail2ban (0.7.8-1) unstable; urgency=low + + * New upstream release + * Applied post-release upstream changes to resolve issues with + - Fix to close opened handlers to log file + - Tentative incomplete gamin fix + - Fix to "reload" bug + + -- Yaroslav Halchenko Mon, 26 Mar 2007 17:52:23 -0400 + +fail2ban (0.7.7-1) unstable; urgency=low + + * New upstream release (included most of the debian-provided 
patches -- new + filters and actions) + * Refreshed and made verbatim homepage in description + + -- Yaroslav Halchenko Thu, 8 Feb 2007 22:20:49 -0500 + +fail2ban (0.7.6-3) unstable; urgency=low + + * Synchronized action.d/iptables-* rules from upstream SVN (closes: + #407561) + * Minor: options renames in the comments to be in sync with upstream + * Use /usr/bin/python interpreter instead of wrapped call to python by + /usr/bin/env + + -- Yaroslav Halchenko Fri, 19 Jan 2007 10:43:59 -0500 + +fail2ban (0.7.6-2) unstable; urgency=low + + * iptables-multiport is default action to take since Debian kernel arrives + with multiport module. That is to address the fact that most services + listen on multiple port (for encrypted and non-encrypted connections) + * Added [courierauth] jail (First 2 items are to partially address #407404 + + -- Yaroslav Halchenko Thu, 18 Jan 2007 10:35:36 -0500 + +fail2ban (0.7.6-1) unstable; urgency=low + + * New upstream release, which incorporates fixes introduced in 3~pre + non-released versions (which were suggested to the users to overcome + problems reported in bug reports). In particular attention should be paid + to upstream changelog entries + - Several "failregex" and "ignoreregex" are now accepted. + Creation of rules should be easier now. + This is an alternative solution to 'multiple ' entries fix, + which is not applied to this shipped version - pay caution if upgrading + from 0.7.5-3~pre? + - Allow comma in action options. The value of the option must + be escaped with " or '. + That allowed to implement requested ability to ban multiple ports + at once (See 373592). README.Debian and jail.conf adjusted to reflect + possible use of iptables-mport + - Now Fail2ban goes in /usr/share/fail2ban instead of + /usr/lib/fail2ban. This is more compliant with FHS. 
+ Patch 00_share_insteadof_lib no longer applied + * Refactored installed by debian package jail.conf: + - Added option banaction which is to incorporate banning agent + (usually some flavor of iptables rule), which can then be easily + overriden globally or per section + - Multiple actions are defined as action_* to serve as shortcuts + * Initd script was modified to inform about present socket file which + would forbid fail2ban-server from starting + * Adjusted default log file for postfix to be /var/log/mail.log + (Closes: #404921) + + -- Yaroslav Halchenko Thu, 4 Jan 2007 15:24:52 -0500 + +fail2ban (0.7.5-3~pre6) unstable; urgency=low + + * Fail2ban now bans vsftpd logins (corrected logfile path and failregex) + (Closes: #404060) + * Made fail2ban-server tollerate multiple entries in failregex + * Moved call to dh_pycentral before dh_installinit + * Removed unnecessary call of dh_shlibdeps + * Added filter ssh-ddos to fight DDOS attacks. Must be used with caution + if there is a possibility of valid clients accessing through + unreliable connection or faulty firewall (Closes: #404487) + * Not applying patch any more for rigid python2.4 - it is default now in + sid/etch + * Moving waiting loop for fail2ban-server to stop under do_stop + function, so it gets invoked by both 'restart' and 'stop' commands + * do_status action of init script is now using 'fail2ban-client ping' + instead of '... status' since we don't really use returned status + information, besides the return error code + + -- Yaroslav Halchenko Tue, 26 Dec 2006 21:56:58 -0500 + +fail2ban (0.7.5-2) unstable; urgency=low + + * NEWS.Debian confusions - the latest NEWS entry and postinst message were + rephrased (Closes: #402350) + * Added mail-whois-lines action, which emails log lines containing abuser + IP. Those lines are often required for proper abuse reports sent to the + Internet providers. 
Forwarding of such received emails to the email + addresses of abuse departments present in the output of whois is a + tentative solution for semi-automatic abuse reporting (Closes: #358810) + + -- Yaroslav Halchenko Sun, 10 Dec 2006 18:55:37 -0500 + +fail2ban (0.7.5-1) unstable; urgency=low + + * New upstream release which fixes next issues + + Socket parameter not work with other path (Closes: #400162) + + fail2ban does not start with /etc/init.d/fail2ban start but + with fail2ban-client start (Closes: #400278) + * Removed obsolete patches left from 0.6 + * Adjusted wsftpd patch to use tag to be in line with the other + filter definitions + + -- Yaroslav Halchenko Thu, 7 Dec 2006 20:19:09 -0500 + +fail2ban (0.7.4-5) unstable; urgency=low + + * Added Suggests on mailx and relevant comments in README.Debian about + invoking mail actions (closes: #396668) + * Removed obsolete entries in TODO and README + * README.Debian describes the use of interpolations vs parameters passed + from jail.{conf,local} into an action definitions (closes: + #398739) + * Initial version of postfix filter has been present in 0.7 (closes: + #377711) + * Removed Uploaded field from control since I am a DD now. Big thanks to + Barak Pearlmutter for being the sponsor of my packages for few years. + + -- Yaroslav O. Halchenko Wed, 6 Dec 2006 22:14:26 -0500 + +fail2ban (0.7.4-4) unstable; urgency=low + + * Added debian/backports to contain patches necessary for backporting. 
It + gets used by pbuilder-ssh to create package for backports.org + + -- Yaroslav Halchenko Mon, 4 Dec 2006 08:55:48 -0500 + +fail2ban (0.7.4-3) unstable; urgency=low + + * Reincarnated logrotate configuration (Closes: #397878) + * Only block new connects by using a new action iptables-new instead of + iptables (Closes: #350746) + * Updated README.Debian to reflect transition over to 0.7 branch and to + comment on 350746 + * "Clean" target removes generated .pyc files now (Closes: #398146) + * Cleaned up debian/rules a bit + + -- Yaroslav Halchenko Sat, 11 Nov 2006 21:00:18 -0500 + +fail2ban (0.7.4-2) unstable; urgency=low + + * Added reload/force-reload actions to init script + * Adjusted jail.conf a bit + * Warning NEWS entry for 0.7.1 was not shown during installation on test + boxes, thus postinst was adjusted accordingly to inform the user about the + changes in the configuration files since 0.6. + * no logrotation anymore? (Closes: #397878) + + -- Yaroslav Halchenko Fri, 10 Nov 2006 10:53:23 -0500 + +fail2ban (0.7.4-1) experimental; urgency=low + + * New upstream release + + -- Yaroslav Halchenko Wed, 1 Nov 2006 20:54:14 -0500 + +fail2ban (0.7.4~pre20061023.2-3) experimental; urgency=low + + * Corrected init.d script to properly perform restart due to server delay to + react to client command to stop. 
Handling of status was adjusted as well + + -- Yaroslav Halchenko Sun, 29 Oct 2006 22:29:27 -0500 + +fail2ban (0.7.4~pre20061023.2-2) experimental; urgency=low + + * Added apache-noscript to jail.conf + * Default action does not send emails to be inline with previous (0.6.x) + behavior + + -- Yaroslav Halchenko Thu, 26 Oct 2006 13:27:20 -0400 + +fail2ban (0.7.4~pre20061023.2-1) experimental; urgency=low + + * Fresh upstream: fixed a bug with not handling error producing + actioncheck call + + -- Yaroslav Halchenko Mon, 23 Oct 2006 17:00:03 -0400 + +fail2ban (0.7.4~pre2006102-1) experimental; urgency=low + + * Currrent snapshot of trunk + * Removed outdated (applied in 0.7.4 or specific for 0.6.?) patches + from debian/patches + * Adjusted rule to install man pages -- only .1 files since there are also + h2m sources + * debian/{rules,control} adjusted to conform all points in recent python + policy changes + * install under /usr/share instead of /usr/lib + + -- Yaroslav Halchenko Mon, 23 Oct 2006 00:17:55 -0400 + +fail2ban (0.7.3-2) experimental; urgency=low + + * Added wuftpd section + + -- Yaroslav Halchenko Wed, 18 Oct 2006 01:15:00 -0400 + +fail2ban (0.7.3-1) experimental; urgency=low + + * New upstream release + * Debian shipped jail.conf + * Refreshen init.d script + + -- Yaroslav Halchenko Thu, 28 Sep 2006 22:17:16 -0400 + +fail2ban (0.7.1-0.2) experimental; urgency=low + + * New upstream release (closes: #370095,#366307) + + -- Yaroslav Halchenko Tue, 5 Sep 2006 00:26:08 -0400 + +fail2ban (0.6.1-11) unstable; urgency=low + + * Adjusted manpage for fail2ban.conf to point to shipped examples of + configuration files as the source of details about available configuration + options (closes: #382403) + * Changes in man/fail2ban.conf.5 are managed via dpatch now + + -- Yaroslav Halchenko Wed, 16 Aug 2006 00:18:59 +0300 + +fail2ban (0.6.1-10) unstable; urgency=low + + * Adjusted to comply with recent changes in debian python policy and use + pycentral to byte 
compile modules + * Filtered out empty entries for ignoreip to reduce confusing WARNING log + message + * Added configuration parameter "locale" to specify LC_TIME for time + pattern matching (closes: #367990,363391) + * Verbosity is chosen to be max between cmdline parameters and config file + + -- Yaroslav Halchenko Thu, 6 Jul 2006 20:19:54 -0400 + +fail2ban (0.6.1-9) unstable; urgency=low + + * Adjusted rm commands in init script to don't use -r for removal of + the pidfile (thanks Stephen Gran) + * Added clarification about multiport banning to README.Debian + (closes: #373592) + + -- Yaroslav Halchenko Wed, 14 Jun 2006 12:05:44 -0400 + +fail2ban (0.6.1-8) unstable; urgency=low + + * Removed bashism (arrays) from init.d script to make it POSIX shell + complient (closes: #368218) + * Added new proftpd section + * Added new saslauthd section. Thanks to martin f krafft + (closes: #369483) + * Mentioned apache2 log file in Other. comment field for FILE in + apache section. Nothing has to be changed besides the logfile path to + work with apache2 (closes: #342144) + + -- Yaroslav Halchenko Mon, 22 May 2006 15:37:17 -0400 + +fail2ban (0.6.1-5) unstable; urgency=low + + * Further fixed debian packaging: to comply with policy empty target + binary-arch was provided + + -- Yaroslav Halchenko Tue, 16 May 2006 16:43:37 -0400 + +fail2ban (0.6.1-4) unstable; urgency=low + + * Adjusted debian packaging: + - Clean up of debian/rules: removed commented out dh_ scripts which + definetly will never be used + - debhelper and dpatch moved to Build-Depends + - added --no-compile for python setup.py install, and removed explicit + cleaning of .pyc's + - fixed separation binary-indep and binary-arch in debian/rules + - restricted depends on python >= 2.3 + + -- Yaroslav Halchenko Tue, 16 May 2006 15:53:06 -0400 + +fail2ban (0.6.1-3) unstable; urgency=low + + * Fixed vsftpd failregexp (closes: #366687) + * Started to use dpatch + + -- Yaroslav Halchenko Wed, 10 May 2006 11:45:57 -0400 
+ +fail2ban (0.6.1-2) unstable; urgency=low + + * Assigned maxreinits to 1000 to be reasonable since otherwise logfile grows + indefinetly if there is a real problem on the system (closes: #359218) + * Adjusted debian/{copyright,watch} + * New version of init.d script (Thanks to Aaron Isotton) (closes: #364278) + + -- Yaroslav Halchenko Mon, 27 Mar 2006 12:55:39 -0500 + +fail2ban (0.6.1-1) unstable; urgency=low + + * New upstream release + * In config file added fwchain to ease switching to another input chain + (closes: #357164) + + -- Yaroslav Halchenko Sat, 18 Mar 2006 23:11:53 -0500 + +fail2ban (0.6.0-8) unstable; urgency=low + + * Minor adjustments to reduce the deviation from the upstream code + + -- Yaroslav Halchenko Sat, 11 Mar 2006 00:48:14 -0500 + +fail2ban (0.6.0-7) unstable; urgency=low + + * Fixed a typo in failregex for SSH section (closes: #356112) + + -- Yaroslav Halchenko Thu, 9 Mar 2006 15:13:48 -0500 + +fail2ban (0.6.0-6) unstable; urgency=low + + * Updated README.Debian with information about some cases with + not-as-shipped configurations of sshd on the boxes running older versions + of openssh server + * Included regexps for SSH in case iff authentication as root using keys was + attempted whenever PermitRootLogin is set to something else than "yes" and + key authentication fails + * Included postrm script to remove log files during purge to comply with + policy 10.8 (closes: #355443) + + -- Yaroslav Halchenko Fri, 3 Mar 2006 16:32:38 -0500 + +fail2ban (0.6.0-5) unstable; urgency=low + + * Fixed Apache section: changed filepath to point at error.log, thus I had + to revert timeregex and timepattern to user RFC 2822 format (closes: + #354346) + + -- Yaroslav Halchenko Sat, 25 Feb 2006 19:56:46 -0500 + +fail2ban (0.6.0-4) unstable; urgency=low + + * Modifications in README.Debian to reflect a "finding" on + not-AllowedUsers banning which requires default Debian configuration + of "ChallengeResponseAuthentication no" and "PasswordAuthentication 
+ yes" + * Fixed Apache timeregex and timepattern to confirm + the fomat of time stamp used in Debian's acccess.log (error.log uses + RFC 2822 format) + * Added section ApacheAttacks to specify some common patterns of attacks on + a webserver (awstats.pl as a try). This section stays split from Apache + since it is of different nature and might be not appropriate for some + users + * Forced owner/permissions of log file to be root:adm/640 in postinst and + logrotate (closes: #352053) + + -- Yaroslav Halchenko Mon, 16 Jan 2006 04:05:19 -0500 + +fail2ban (0.6.0-3) unstable; urgency=low + + * ignoreip is now empty by default (closes: #347766) + * increased verbosity in verbose=2 mode: now prints options accepted + from the config file + * to make fail2ban.conf more compact, thus to improve its readability, + fail2ban.conf was converted to use "interpolations" provided by + ConfigParser class. fw{start,end,{,un}ban} options were moved into + DEFAULT section and required options (port, protocol) were added + + -- Yaroslav Halchenko Thu, 12 Jan 2006 18:32:14 -0500 + +fail2ban (0.6.0-2) unstable; urgency=low + + * fail2ban path is inserted first in the list to avoid a conflict with + existing elsewhere modules with the same names. (Thanks for report and + patch to Nick Craig-Wood) (closes: #343821) + + -- Yaroslav Halchenko Mon, 19 Dec 2005 17:44:58 +0200 + +fail2ban (0.6.0-1) unstable; urgency=low + + * Merged with the latest stable upstream release. That incure some + changes for the Debian configuration of the package to be more + upstream-like. 
Visible one is: subject in the sent email includes + section outside of "[Fail2Ban]" + * Updated README.Debian to answer possible question regarding effective + bantime starting moment + + -- Yaroslav Halchenko Sun, 20 Nov 2005 14:56:41 -0500 + +fail2ban (0.5.4-10) unstable; urgency=low + + * Fixed the order of ssh and apache rules to avoid possible race + condition (Thanks to Jefferson Cowart for the bug report) (closes: + #339133) + + -- Yaroslav Halchenko Mon, 14 Nov 2005 23:44:45 -0500 + +fail2ban (0.5.4-9) unstable; urgency=low + + * Fixed init.d script so it doesn't return non-0 status if fail2ban is not + running. That fixes issues with purging the package and leaving garbage in + /usr/share/fail2ban (Thanx to Justin Pryzby for the insight) + (closes: #337223) + + -- Yaroslav Halchenko Thu, 3 Nov 2005 17:05:20 -0500 + +fail2ban (0.5.4-8) unstable; urgency=low + + * Added config option MAIL.localtime (closes: #336449) + + -- Yaroslav Halchenko Mon, 31 Oct 2005 16:53:19 -0500 + +fail2ban (0.5.4-7) unstable; urgency=low + + * Adjusted init.d script so it is resistant to delayed shutdowns of + fail2ban and in general more stable + + -- Yaroslav Halchenko Thu, 20 Oct 2005 21:22:03 -0400 + +fail2ban (0.5.4-6.2) unstable; urgency=low + + * Fixed typos (thanx to Ross Boylan). + * Robust startup: if iptables module gets fully initialized after + startup of fail2ban, fail2ban will do "maxreinit" attempts to + initialize its own firewall. It will sleep between attempts for + "polltime" number of seconds (closes: #334272). + * To overcome possible conflict with other firewall solutions and as a + secondary solution for the bug 334272, fail2ban startup is moved + during bootup to the latest (S99) sequenece position. That should not + cause any discomfort I believe. + + -- Yaroslav Halchenko Tue, 18 Oct 2005 15:54:38 -0400 + +fail2ban (0.5.4-5.14) unstable; urgency=low + + * Added a notification regarding the importance of 0.5.4-5 change of + failregex in the config file. 
+ * Adjusted address to FSF. + * Adjusted failregex for SSH so it bans "Illegal user" entries as well, and + restricted full failregex more to include ":" at the beginning, because + otherwise it might not be sufficient and would revive bug 330827 (closes: + #333056). + * Adjusted failregex for SSH to accommodate recent changes in logging of + SSH: Illegal -> Invalid. Should match both now. + * Fixed a problem of raise AttributeError exception reported as a side + effect of crash during parsing of the config file. + * Introduced fwcheck option to verify consistency of the + chains. Implemented automatic restart of fail2ban main function in + case check of fwban or fwunban command failed (closes: #329163, #331695). + (Introduced patch was further adjusted by upstream author). + * Added -f command line parameter for [findtime]. + * Fixed the issue of not respecting command line parameters for parameters + within sections. + * Added -e command line parameter to provide enabled sections from command + line. + * Added a cleanup of firewall rules on emergency shutdown when unknown + exception is catched. + * Fail2ban should not crash now if a wrong file name is specified in + config. + + -- Yaroslav Halchenko Mon, 3 Oct 2005 22:26:28 -1000 + +fail2ban (0.5.4-5) unstable; urgency=low + + * Made failregex'es more specific to don't allow usernames to be used as a + tool for denial of service attacks. 
Config files (or at least + failregex'es) must be updated from this package, otherwise the security + breach would remain open and only warning gets issued (closes: #330827) + + -- Yaroslav Halchenko Sat, 1 Oct 2005 02:42:23 -1000 + +fail2ban (0.5.4-4) unstable; urgency=low + + * On a request from Calum Mackay added reporting of the enabled sections + + -- Yaroslav Halchenko Thu, 29 Sep 2005 11:20:43 -1000 + +fail2ban (0.5.4-3) unstable; urgency=low + + * Resolved the mystery of debug mode in which commands are not really + executed: added verbose option to config file, removed -v from + /etc/default/fail2ban, reordered code a bit so that log targets are + setup right after background and then only loglevel (verbose,debug) is + processed, so the warning could be seen in the logs + + -- Yaroslav Halchenko Thu, 29 Sep 2005 00:20:43 -1000 + +fail2ban (0.5.4-2) unstable; urgency=low + + * Now exporting PATH explicitely in init.d/fail2ban script, to avoid + problems finding iptables in the cases when PATH was not exported outside + (cfengine, broken shell environment) (closes: #329304) + * Removed -b from start-stop-daemon because fail2ban detahes on its own + * Added @localhost to MAIL:from and MAIL:to in fail2ban.conf and placed + a note to README.Debian regarding necessity to specify full email + address in MAIL:from (closes: #329722) + * Added a keyword
in parsing of the subject and the body of an + email sent out by fail2ban (closes: #330311) + + -- Yaroslav Halchenko Wed, 27 Sep 2005 08:09:06 -0400 + +fail2ban (0.5.4-1) unstable; urgency=low + + * New upstream release + + -- Yaroslav Halchenko Tue, 20 Sep 2005 12:19:19 -0400 + +fail2ban (0.5.3-2) unstable; urgency=low + + * Refined comments in README.Debian + * Reindented init.d script + P.S. Was not released + + -- Yaroslav Halchenko Sun, 11 Sep 2005 15:19:44 -0400 + +fail2ban (0.5.3-1) unstable; urgency=low + + * New upstream release + + -- Yaroslav Halchenko Fri, 9 Sep 2005 16:55:00 -0400 + +fail2ban (0.5.2-5) unstable; urgency=low + + * Included a patch from Stephen Gildea to provide "status" report by + init.d script + * Included a note in README.Debian regarding the fail2ban iptable's + chains + + -- Yaroslav Halchenko Fri, 9 Sep 2005 14:52:24 -0400 + +fail2ban (0.5.2-4) unstable; urgency=low + + * Format of SYSLOG entries is up to the standard now + + -- Yaroslav Halchenko Fri, 19 Aug 2005 00:06:44 -1000 + +fail2ban (0.5.2-3) unstable; urgency=low + + * Fixed errata in /etc/default/fail2ban (closes: #323451) + * Fixed handling of SYSLOG logging target. 
Now it can log to any syslog + target and facility as directed by the config (revisions 160:166 patch + from syslog branch) (closes: #323543) + * Included upstream README and TODO + * Mentioned in README.Debian that apache section is disabled by default + * Adjusted man pages to cross-reference each other + * Moved fail2ban man page under section 8 as in upstream + * Introduced findtime configuration variable to control the lifetime + of caught "failed" log entries (closes: #323840) + + -- Yaroslav Halchenko Tue, 16 Aug 2005 11:23:28 -1000 + +fail2ban (0.5.2-2) unstable; urgency=low + + * Updated description to reflect flexibility in application of fail2ban + * Included logrotate (Thanks to Baruch Even) + + -- Yaroslav Halchenko Sat, 13 Aug 2005 04:51:57 -0400 + +fail2ban (0.5.2-1) unstable; urgency=low + + * New upstream release + * No log4py any more + * removed -i eth0 from config + + -- Yaroslav Halchenko Sat, 6 Aug 2005 09:21:07 -1000 + +fail2ban (0.5.1-1) unstable; urgency=low + + * New upstream release + + -- Yaroslav Halchenko Sat, 23 Jul 2005 08:50:00 -1000 + +fail2ban (0.5.0-1) unstable; urgency=low + + * New upstream release + * Libraries placed under /usr/share/fail2ban instead of /usr/lib/fail2ban + * Corrections to the description of the package + + -- Yaroslav Halchenko Tue, 12 Jul 2005 23:33:20 -1000 + +fail2ban (0.4.1-1) unstable; urgency=low + + * First upstream release of a Debian package + + -- Yaroslav Halchenko Mon, 04 Jul 2005 11:47:23 +0300 --- fail2ban-0.8.4+svn20110323.orig/debian/watch +++ fail2ban-0.8.4+svn20110323/debian/watch @@ -0,0 +1,6 @@ +# watch control file for uscan +# Run the "uscan" command to check for upstream updates and more. +# Site Directory Pattern Version Script +version=3 + +http://sf.net/fail2ban/ fail2ban-(.*)\.tar\.bz2 debian git-import-orig --- fail2ban-0.8.4+svn20110323.orig/debian/rules +++ fail2ban-0.8.4+svn20110323/debian/rules 
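Review bot: The watch line points `uscan` at `http://sf.net/fail2ban/` over plain HTTP and carries no signature check, so whatever the mirror or the network path serves would be handed to `git-import-orig` as the new upstream tarball. If upstream publishes detached signatures (not visible from this hunk), add `opts=pgpsigurlmangle=s/$/.asc/` in front of the URL and ship the upstream signing key with the package. Otherwise at least switch the URL to HTTPS and compare the tarball checksum with one obtained out of band before importing.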
@@ -0,0 +1,78 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Sample debian/rules that uses debhelper.
+# This file was originally written by Joey Hess and Craig Small.
+# As a special exception, when this file is copied by dh-make into a
+# dh-make output file, you may use that output file without restriction.
+# This special exception was added by Craig Small in version 0.37 of dh-make.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+DESTDIR=$(CURDIR)/debian/fail2ban
+
+configure: configure-stamp
+configure-stamp:
+ dh_testdir
+ touch configure-stamp
+
+build:
+
+clean: clean-inits
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp configure-stamp
+ rm -rf build
+ # Does not hurt to ask distutils to do their duty
+ python setup.py clean
+ # Enforce removal of *.pyc files. Apparently dh_clean does
+ # not perform find on provided filename patterns.
+ find . -name \*.pyc -exec rm -f {} \;
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ # Install the package into debian/fail2ban.
+ python setup.py install --root=$(DESTDIR) --no-compile --install-layout=deb
+ # Install Debian shipped jail file in 1 piece (instead of patching
+ # the shipped one since there are too many changes)
+ install -m 644 debian/jail.conf $(DESTDIR)/etc/fail2ban
+ # Remove explicitely created /var/run/fail2ban
+ # just to please lintian since init file will
+ # take care about it anyways
+ rm -rf $(DESTDIR)/var/run/fail2ban
+
+#
+# Just to comply with policy 4.8
+binary-arch:
+
+# Build architecture-independent files here.
+binary-indep: install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs ChangeLog
+ dh_installdocs
+ dh_installexamples config/jail.conf files/ipmasq-*
+ dh_installlogrotate
+ dh_pycentral
+ dh_installinit -- defaults 99
+ # perform swap of order of calls to init and pycentral in prerm
+ # to close #422655 -- pycentral section is cut and placed at
+ # the end of the file
+ sed -i -e '/^#.*ed by dh_pycentral/,/# End auto/{H;d};$$G' \
+ debian/fail2ban.prerm.debhelper
+ dh_installman man/*.1
+ dh_link
+ dh_compress
+ dh_fixperms
+ dh_installdeb
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep
+.PHONY: build clean binary-indep binary-arch binary install configure copy-inits clean-inits
--- fail2ban-0.8.4+svn20110323.orig/debian/docs
+++ fail2ban-0.8.4+svn20110323/debian/docs
@@ -0,0 +1,2 @@
+README
+TODO
--- fail2ban-0.8.4+svn20110323.orig/debian/backports/00list.sarge-backports
+++ fail2ban-0.8.4+svn20110323/debian/backports/00list.sarge-backports
@@ -0,0 +1 @@
+nopycentral.patch
--- fail2ban-0.8.4+svn20110323.orig/debian/backports/nopycentral.patch
+++ fail2ban-0.8.4+svn20110323/debian/backports/nopycentral.patch
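Review bot: `clean` depends on `clean-inits`, and `.PHONY` also names `copy-inits`, but this new file defines no rule for either, so both are leftovers that make accepts without doing anything. Drop them (`clean:` with no prerequisite, and remove the two names from `.PHONY`) or add the rules they were meant to run. The same goes for `build-stamp`, which `clean` removes but no target in the file creates.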
@@ -0,0 +1,40 @@
+diff -x '*~' -x .svn -Naur trunk/debian/control trunk.backports/debian/control
+--- trunk/debian/control 2006-10-23 00:57:02.000000000 -0400
++++ trunk.backports/debian/control 2006-12-04 08:45:25.000000000 -0500
+@@ -4,13 +4,13 @@
+ Maintainer: Yaroslav Halchenko
+ Uploaders: Barak Pearlmutter
+ Build-Depends: debhelper (>= 5.0.37.2), dpatch
+-Build-Depends-Indep: python, python-dev, help2man, python-central (>= 0.5.6)
++Build-Depends-Indep: python, python2.4, python2.4-dev, help2man
+ XS-Python-Version: current, >= 2.4
+ Standards-Version: 3.7.2
+
+ Package: fail2ban
+ Architecture: all
+-Depends: ${python:Depends}, iptables, lsb-base (>=2.0-7)
++Depends: python2.4, iptables, lsb-base (>=2.0-7)
+ Suggests: python-gamin
+ XB-Python-Version: ${python:Versions}
+ Description: bans IPs that cause multiple authentication errors
+diff -x '*~' -x .svn -Naur trunk/debian/rules trunk.backports/debian/rules
+--- trunk/debian/rules 2006-11-11 21:19:14.000000000 -0500
++++ trunk.backports/debian/rules 2006-12-04 08:45:45.000000000 -0500
+@@ -39,7 +39,7 @@
+ dh_installdirs
+
+ # Add here commands to install the package into debian/fail2ban.
+- python setup.py install --root=$(DESTDIR) --no-compile
++ python2.4 setup.py install --root=$(DESTDIR) --no-compile
+ #X Evil - must be removed after Debian switches over to 2.4, now
+ # distutils.setup will override the enterpreter line to /usr/bin/python
+ install fail2ban-server fail2ban-client $(DESTDIR)/usr/bin
+@@ -62,7 +62,7 @@
+ dh_installlogrotate
+ dh_installinit -- defaults 99
+ dh_installman man/*.1
+- dh_pycentral
++ dh_python
+ dh_link
+ dh_compress
+ dh_fixperms
--- fail2ban-0.8.4+svn20110323.orig/client/jailreader.py
+++ fail2ban-0.8.4+svn20110323/client/jailreader.py
@@ -120,7 +120,7 @@
 elif opt == "bantime":
 stream.append(["set", self.__name, "bantime", self.__opts[opt]])
 elif opt == "failregex":
- stream.append(["set", self.__name, "failregex", self.__opts[opt]])
+ stream.append(["set", self.__name, "addfailregex", self.__opts[opt]])
 elif opt == "ignoreregex":
 for regex in self.__opts[opt].split('\n'):
 # Do not send a command if the rule is empty.
--- fail2ban-0.8.4+svn20110323.orig/config/filter.d/sshd.conf
+++ fail2ban-0.8.4+svn20110323/config/filter.d/sshd.conf
@@ -28,11 +28,11 @@
 ^%(__prefix_line)sFailed (?:password|publickey) for .* from (?: port \d*)?(?: ssh\d*)?$
 ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$
 ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$
- ^%(__prefix_line)sUser \S+ from not allowed because not listed in AllowUsers$
+ ^%(__prefix_line)sUser .+ from not allowed because not listed in AllowUsers$
 ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=(?:\s+user=.*)?\s*$
 ^%(__prefix_line)srefused connect from \S+ \(\)\s*$
 ^%(__prefix_line)sAddress .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
- ^%(__prefix_line)sUser \S+ from not allowed because none of user's groups are listed in AllowGroups$
+ ^%(__prefix_line)sUser .+ from not allowed because none of user's groups are listed in AllowGroups\s*$
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
--- fail2ban-0.8.4+svn20110323.orig/config/filter.d/apache-badbots.conf
+++ fail2ban-0.8.4+svn20110323/config/filter.d/apache-badbots.conf
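Review bot: The `failregex` branch now sends the whole option value in a single `addfailregex` command, while the `ignoreregex` branch right below it splits the value on newlines and skips empty rules. A jail-level `failregex` that spans several lines would reach the server as one pattern with embedded newlines, which most likely never matches, so the jail would stop detecting failures without reporting an error. Handle it like the neighbouring branch: `for regex in self.__opts[opt].split('\n'):`, then `if regex != '':`, then `stream.append(["set", self.__name, "addfailregex", regex])`. The enclosing method starts and ends outside the hunk, so whether another layer already splits the value cannot be seen from here.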
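Review bot: The user name in the two changed patterns is text chosen by the remote client, and with `\S+` widened to `.+` the only thing that ties the captured host to the address sshd itself logged is the fixed tail and the `$` anchor after it. Record that in the notes for `failregex`, for example `# user name is client-supplied: keep every pattern anchored at end of line`, so a later edit does not drop the anchor. The AllowUsers line also still ends in `AllowUsers$` while the AllowGroups line now ends in `AllowGroups\s*$`; use `AllowUsers\s*$` so both tolerate trailing whitespace. The host tag appears to have been lost from the page text, so its exact position in these patterns is inferred.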
@@ -11,7 +11,7 @@ [Definition] badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider -badbots = atSpider/1\.0|autoemailspider|China Local Browse 2\.6|ContentSmartz|DataCha0s/2\.0|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|MVAClient|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|sogou spider|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|WebVulnCrawl\.blogspot\.com/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00 +badbots = atSpider/1\.0|autoemailspider|China Local Browse 2\.6|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 
1\.4b|Educate Search VxB|EmailSiphon|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|MVAClient|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|sogou spider|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|WebVulnCrawl\.blogspot\.com/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00 # Option: failregex # Notes.: Regexp to catch known spambots and software alike. Please verify