From: <los...@us...> - 2009-02-08 17:31:33
Revision: 728 http://fail2ban.svn.sourceforge.net/fail2ban/?rev=728&view=rev Author: lostcontrol Date: 2009-02-08 17:31:24 +0000 (Sun, 08 Feb 2009) Log Message: ----------- - Changed <HOST> template to be more restrictive. Debian bug #514163. Modified Paths: -------------- branches/FAIL2BAN-0_8/ChangeLog branches/FAIL2BAN-0_8/config/filter.d/apache-auth.conf branches/FAIL2BAN-0_8/config/filter.d/apache-noscript.conf branches/FAIL2BAN-0_8/config/filter.d/common.conf branches/FAIL2BAN-0_8/config/filter.d/courierlogin.conf branches/FAIL2BAN-0_8/config/filter.d/couriersmtp.conf branches/FAIL2BAN-0_8/config/filter.d/cyrus-imap.conf branches/FAIL2BAN-0_8/config/filter.d/exim.conf branches/FAIL2BAN-0_8/config/filter.d/postfix.conf branches/FAIL2BAN-0_8/config/filter.d/proftpd.conf branches/FAIL2BAN-0_8/config/filter.d/pure-ftpd.conf branches/FAIL2BAN-0_8/config/filter.d/qmail.conf branches/FAIL2BAN-0_8/config/filter.d/sasl.conf branches/FAIL2BAN-0_8/config/filter.d/sshd-ddos.conf branches/FAIL2BAN-0_8/config/filter.d/sshd.conf branches/FAIL2BAN-0_8/config/filter.d/vsftpd.conf branches/FAIL2BAN-0_8/config/filter.d/webmin-auth.conf branches/FAIL2BAN-0_8/config/filter.d/xinetd-fail.conf branches/FAIL2BAN-0_8/server/failregex.py branches/FAIL2BAN-0_8/server/filter.py branches/FAIL2BAN-0_8/testcases/filtertestcase.py Modified: branches/FAIL2BAN-0_8/ChangeLog =================================================================== --- branches/FAIL2BAN-0_8/ChangeLog 2009-02-03 22:37:46 UTC (rev 727) +++ branches/FAIL2BAN-0_8/ChangeLog 2009-02-08 17:31:24 UTC (rev 728) 
@@ -33,6 +33,8 @@ Ravin. Tracker #2484115. - Added cyrus-imap and sieve filters. Thanks to Jan Wagner. Debian bug #513953. +- Changed <HOST> template to be more restrictive. Debian bug + #514163. ver. 0.8.3 (2008/07/17) - stable ---------- Modified: branches/FAIL2BAN-0_8/config/filter.d/apache-auth.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/apache-auth.conf 2009-02-03 22:37:46 UTC (rev 727) +++ branches/FAIL2BAN-0_8/config/filter.d/apache-auth.conf 2009-02-08 17:31:24 UTC (rev 728) @@ -11,7 +11,7 @@ # Notes.: regex to match the password failure messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P<host>\S+) +# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # failregex = [[]client <HOST>[]] user .* authentication failure Modified: branches/FAIL2BAN-0_8/config/filter.d/apache-noscript.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/apache-noscript.conf 2009-02-03 22:37:46 UTC (rev 727) +++ branches/FAIL2BAN-0_8/config/filter.d/apache-noscript.conf 2009-02-08 17:31:24 UTC (rev 728) 
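Review bot: The updated alias comment in apache-auth.conf, repeated verbatim in the other filter.d hunks of this revision, copies the expression from server/failregex.py instead of describing it, so every future change to the template means editing all of these files in step with the code. A comment that states the contract would age better, for example `# be used for standard IP/hostname matching; see server/failregex.py for the exact expression.` It would also help filter authors to say that only the `<HOST>` tag gets the restricted character class: as far as the failregex.py hunk shows, a hand-written `(?P<host>\S+)` group in a local filter is not tightened by this change.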
@@ -11,7 +11,7 @@ # Notes.: regex to match the password failure messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P<host>\S+) +# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl) Modified: branches/FAIL2BAN-0_8/config/filter.d/common.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/common.conf 2009-02-03 22:37:46 UTC (rev 727) +++ branches/FAIL2BAN-0_8/config/filter.d/common.conf 2009-02-08 17:31:24 UTC (rev 728) @@ -3,7 +3,7 @@ # # Author: Yaroslav Halchenko # -# $Revision: $ +# $Revision$ # [INCLUDES] Modified: branches/FAIL2BAN-0_8/config/filter.d/courierlogin.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/courierlogin.conf 2009-02-03 22:37:46 UTC (rev 727) +++ branches/FAIL2BAN-0_8/config/filter.d/courierlogin.conf 2009-02-08 17:31:24 UTC (rev 728) @@ -12,7 +12,7 @@ # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P<host>\S+) +# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$ Modified: branches/FAIL2BAN-0_8/config/filter.d/couriersmtp.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/couriersmtp.conf 2009-02-03 22:37:46 UTC (rev 727) +++ branches/FAIL2BAN-0_8/config/filter.d/couriersmtp.conf 2009-02-08 17:31:24 UTC (rev 728) 
@@ -11,7 +11,7 @@ # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P<host>\S+) +# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # failregex = error,relay=<HOST>,.*550 User unknown Modified: branches/FAIL2BAN-0_8/config/filter.d/cyrus-imap.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/cyrus-imap.conf 2009-02-03 22:37:46 UTC (rev 727) +++ branches/FAIL2BAN-0_8/config/filter.d/cyrus-imap.conf 2009-02-08 17:31:24 UTC (rev 728) @@ -11,7 +11,7 @@ # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P<host>\S+) +# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # failregex = : badlogin: .*\[<HOST>\] plaintext .*SASL\(-13\): authentication failure: checkpass failed$ Modified: branches/FAIL2BAN-0_8/config/filter.d/exim.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/exim.conf 2009-02-03 22:37:46 UTC (rev 727) +++ branches/FAIL2BAN-0_8/config/filter.d/exim.conf 2009-02-08 17:31:24 UTC (rev 728) 
@@ -11,7 +11,7 @@ # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P<host>\S+) +# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address) Modified: branches/FAIL2BAN-0_8/config/filter.d/postfix.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/postfix.conf 2009-02-03 22:37:46 UTC (rev 727) +++ branches/FAIL2BAN-0_8/config/filter.d/postfix.conf 2009-02-08 17:31:24 UTC (rev 728) @@ -11,7 +11,7 @@ # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P<host>\S+) +# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # failregex = reject: RCPT from (.*)\[<HOST>\]: 554 Modified: branches/FAIL2BAN-0_8/config/filter.d/proftpd.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/proftpd.conf 2009-02-03 22:37:46 UTC (rev 727) +++ branches/FAIL2BAN-0_8/config/filter.d/proftpd.conf 2009-02-08 17:31:24 UTC (rev 728) 
@@ -11,7 +11,7 @@ # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P<host>\S+) +# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$ Modified: branches/FAIL2BAN-0_8/config/filter.d/pure-ftpd.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/pure-ftpd.conf 2009-02-03 22:37:46 UTC (rev 727) +++ branches/FAIL2BAN-0_8/config/filter.d/pure-ftpd.conf 2009-02-08 17:31:24 UTC (rev 728) @@ -16,7 +16,7 @@ # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P<host>\S+) +# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$ Modified: branches/FAIL2BAN-0_8/config/filter.d/qmail.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/qmail.conf 2009-02-03 22:37:46 UTC (rev 727) +++ branches/FAIL2BAN-0_8/config/filter.d/qmail.conf 2009-02-08 17:31:24 UTC (rev 728) 
@@ -11,7 +11,7 @@ # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P<host>\S+) +# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # failregex = (?:[\d,.]+[\d,.] rblsmtpd: |421 badiprbl: ip )<HOST> Modified: branches/FAIL2BAN-0_8/config/filter.d/sasl.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/sasl.conf 2009-02-03 22:37:46 UTC (rev 727) +++ branches/FAIL2BAN-0_8/config/filter.d/sasl.conf 2009-02-08 17:31:24 UTC (rev 728) @@ -11,7 +11,7 @@ # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P<host>\S+) +# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$ Modified: branches/FAIL2BAN-0_8/config/filter.d/sshd-ddos.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/sshd-ddos.conf 2009-02-03 22:37:46 UTC (rev 727) +++ branches/FAIL2BAN-0_8/config/filter.d/sshd-ddos.conf 2009-02-08 17:31:24 UTC (rev 728) 
@@ -11,7 +11,7 @@ # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P<host>\S+) +# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$ Modified: branches/FAIL2BAN-0_8/config/filter.d/sshd.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/sshd.conf 2009-02-03 22:37:46 UTC (rev 727) +++ branches/FAIL2BAN-0_8/config/filter.d/sshd.conf 2009-02-08 17:31:24 UTC (rev 728) @@ -20,7 +20,7 @@ # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P<host>\S+) +# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$ Modified: branches/FAIL2BAN-0_8/config/filter.d/vsftpd.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/vsftpd.conf 2009-02-03 22:37:46 UTC (rev 727) +++ branches/FAIL2BAN-0_8/config/filter.d/vsftpd.conf 2009-02-08 17:31:24 UTC (rev 728) 
@@ -11,7 +11,7 @@ # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P<host>\S+) +# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$ Modified: branches/FAIL2BAN-0_8/config/filter.d/webmin-auth.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/webmin-auth.conf 2009-02-03 22:37:46 UTC (rev 727) +++ branches/FAIL2BAN-0_8/config/filter.d/webmin-auth.conf 2009-02-08 17:31:24 UTC (rev 728) @@ -15,7 +15,7 @@ # Notes.: regex to match the password failure messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P<host>\S+) +# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # failregex = webmin.* Non-existent login as .+ from <HOST>$ Modified: branches/FAIL2BAN-0_8/config/filter.d/xinetd-fail.conf =================================================================== --- branches/FAIL2BAN-0_8/config/filter.d/xinetd-fail.conf 2009-02-03 22:37:46 UTC (rev 727) +++ branches/FAIL2BAN-0_8/config/filter.d/xinetd-fail.conf 2009-02-08 17:31:24 UTC (rev 728) 
@@ -11,7 +11,7 @@ # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P<host>\S+) +# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # # Cfr.: /var/log/(daemon\.|sys)log Modified: branches/FAIL2BAN-0_8/server/failregex.py =================================================================== --- branches/FAIL2BAN-0_8/server/failregex.py 2009-02-03 22:37:46 UTC (rev 727) +++ branches/FAIL2BAN-0_8/server/failregex.py 2009-02-08 17:31:24 UTC (rev 728) @@ -44,7 +44,7 @@ self._matchCache = None # Perform shortcuts expansions. # Replace "<HOST>" with default regular expression for host. - regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>\S+)") + regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)") if regex.lstrip() == '': raise RegexException("Cannot add empty regex") try: Modified: branches/FAIL2BAN-0_8/server/filter.py =================================================================== --- branches/FAIL2BAN-0_8/server/filter.py 2009-02-03 22:37:46 UTC (rev 727) +++ branches/FAIL2BAN-0_8/server/filter.py 2009-02-08 17:31:24 UTC (rev 728) @@ -492,7 +492,7 @@ class DNSUtils: - IP_CRE = re.compile("(?:\d{1,3}\.){3}\d{1,3}") + IP_CRE = re.compile("^(?:\d{1,3}\.){3}\d{1,3}$") #@staticmethod def dnsToIp(dns): Modified: branches/FAIL2BAN-0_8/testcases/filtertestcase.py =================================================================== --- branches/FAIL2BAN-0_8/testcases/filtertestcase.py 2009-02-03 22:37:46 UTC (rev 727) +++ branches/FAIL2BAN-0_8/testcases/filtertestcase.py 2009-02-08 17:31:24 UTC (rev 728) 
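Review bot: The new character class in the `<HOST>` replacement in server/failregex.py, `[\w\-.^_]+`, accepts a literal `^` (it is not in first position, so it does not negate) and lists `_` although `\w` already covers it. If no supported log format needs the caret, dropping both keeps the template as narrow as the commit intends: `regex = regex.replace("<HOST>", r"(?:::f{4,6}:)?(?P<host>[\w\-.]+)")`. The raw string also stops the pattern from depending on Python passing unrecognised escapes such as `\w` through unchanged. The class still admits hostnames, so a failregex that puts `.*` before `<HOST>` without anchoring can still capture text from a user-controlled field; that remains the responsibility of each filter. The enclosing method starts and ends outside the hunk.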
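Review bot: In the newly anchored `IP_CRE` in server/filter.py, `$` also matches just before a trailing newline, so a string consisting of an address followed by `\n` still counts as an IP; `\Z` makes the end anchor strict: `IP_CRE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}\Z")`. The pattern also accepts octets above 255, so whatever consumes the match should validate the address before it reaches a ban action; that code is not visible here. The DNSUtils class body continues outside the hunk.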
@@ -99,7 +99,7 @@ output = ('193.168.0.128', 3, 1124013599.0) self.__filter.addLogPath(GetFailures.FILENAME_01) - self.__filter.addFailRegex("(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S*)") + self.__filter.addFailRegex("(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) <HOST>") self.__filter.getFailures(GetFailures.FILENAME_01) @@ -116,7 +116,7 @@ output = ('141.3.81.106', 4, 1124013539.0) self.__filter.addLogPath(GetFailures.FILENAME_02) - self.__filter.addFailRegex("Failed .* (?:::f{4,6}:)(?P<host>\S*)") + self.__filter.addFailRegex("Failed .* from <HOST>") self.__filter.getFailures(GetFailures.FILENAME_02) @@ -133,7 +133,7 @@ output = ('203.162.223.135', 6, 1124013544.0) self.__filter.addLogPath(GetFailures.FILENAME_03) - self.__filter.addFailRegex("error,relay=(?:::f{4,6}:)?(?P<host>\S*),.*550 User unknown") + self.__filter.addFailRegex("error,relay=<HOST>,.*550 User unknown") self.__filter.getFailures(GetFailures.FILENAME_03) @@ -151,7 +151,7 @@ ('212.41.96.185', 4, 1124013598.0)] self.__filter.addLogPath(GetFailures.FILENAME_04) - self.__filter.addFailRegex("Invalid user .* (?P<host>\S*)") + self.__filter.addFailRegex("Invalid user .* <HOST>") self.__filter.getFailures(GetFailures.FILENAME_04) This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
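Review bot: The four updated `addFailRegex` calls (hunks at -99, -116, -133 and -151) only exercise log lines that are expected to match, so nothing in this file pins the restriction this revision introduces. A negative case would do that: a log line whose host field contains a character outside `[\w\-.^_]`, with an assertion on what is captured or that no failure is recorded. The -116 hunk also changes the pattern's meaning rather than just substituting the tag: the `(?:::f{4,6}:)` prefix was mandatory in the old regex and is optional inside `<HOST>`, and a literal `from` was added. The test methods start and end outside the hunks.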