From: <bu...@us...> - 2009-08-28 22:26:26
Revision: 734 http://fail2ban.svn.sourceforge.net/fail2ban/?rev=734&view=rev Author: buanzo Date: 2009-08-28 22:26:17 +0000 (Fri, 28 Aug 2009) Log Message: ----------- Added a "ban ip" command to fail2ban-client (manual IP banning for a certain jail). Added two new jails: lighttpd-fastcgi and php-url-fopen. Fixed release date for 0.8.3 (was ??/??). Added "beta" version 0.8.4 which new items (see above). Modified Paths: -------------- trunk/ChangeLog trunk/common/protocol.py trunk/config/jail.conf trunk/server/filter.py trunk/server/server.py trunk/server/transmitter.py Added Paths: ----------- trunk/config/filter.d/lighttpd-fastcgi.conf trunk/config/filter.d/php-url-fopen.conf Modified: trunk/ChangeLog =================================================================== --- trunk/ChangeLog 2009-08-28 16:05:17 UTC (rev 733) +++ trunk/ChangeLog 2009-08-28 22:26:17 UTC (rev 734) @@ -12,10 +12,14 @@ - Added new prefix remover. - Added ISO 8601 date/time format. - Removed deprecated mail*.conf actions. -- Added fail2ban-client command to manually ban a given IP for a given jail -ver. 0.8.3 (2008/??/??) - stable +ver. 0.8.4 (2009/??/??) - beta ---------- +- Added "banip" command to fail2ban-client. Manually ban a given IP for a given jail. +- Added jails lighttpd-fastci and php-url-fopen + +ver. 0.8.3 (2008/07/18) - stable +---------- - Process failtickets as long as failmanager is not empty. - Added "pam-generic" filter and more configuration fixes. Thanks to Yaroslav Halchenko. Modified: trunk/common/protocol.py =================================================================== --- trunk/common/protocol.py 2009-08-28 16:05:17 UTC (rev 733) +++ trunk/common/protocol.py 2009-08-28 22:26:17 UTC (rev 734) 
@@ -59,6 +59,7 @@
 ["set <JAIL> delignoreregex <INDEX>", "removes the regular expression at <INDEX> for ignoreregex"],
 ["set <JAIL> findtime <TIME>", "sets the number of seconds <TIME> for which the filter will look back for <JAIL>"],
 ["set <JAIL> bantime <TIME>", "sets the number of seconds <TIME> a host will be banned for <JAIL>"],
+["set <JAIL> banip <IP>", "manually Ban <IP> for <JAIL>"],
 ["set <JAIL> maxretry <RETRY>", "sets the number of failures <RETRY> before banning the host for <JAIL>"],
 ["set <JAIL> addaction <ACT>", "adds a new action named <NAME> for <JAIL>"],
 ["set <JAIL> delaction <ACT>", "removes the action <NAME> from <JAIL>"],
Added: trunk/config/filter.d/lighttpd-fastcgi.conf
===================================================================
--- trunk/config/filter.d/lighttpd-fastcgi.conf (rev 0)
+++ trunk/config/filter.d/lighttpd-fastcgi.conf 2009-08-28 22:26:17 UTC (rev 734)
@@ -0,0 +1,18 @@
+# Fail2Ban configuration file
+#
+# Author: Arturo 'Buanzo' Busleiman <bu...@bu...>
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match ALERTS as notified by lighttpd's FastCGI Module
+# Values: TEXT
+#
+failregex = .*ALERT\ -\ .*attacker\ \'<HOST>\'
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex = 
Added: trunk/config/filter.d/php-url-fopen.conf
===================================================================
--- trunk/config/filter.d/php-url-fopen.conf (rev 0)
+++ trunk/config/filter.d/php-url-fopen.conf 2009-08-28 22:26:17 UTC (rev 734)
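Review bot: The added help string `"manually Ban <IP> for <JAIL>"` breaks the lower-case, third-person phrasing every neighbouring entry uses (`"sets the number of seconds …"`, `"adds a new action …"`); `"manually bans <IP> for <JAIL>"` would read consistently in the generated help. Since the server side of this commit implements the command by recording a failure ticket rather than banning outright, the help text is also the place to say whether the jail's normal thresholds still apply — worth confirming and stating.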
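Review bot: `failregex = .*ALERT\ -\ .*attacker\ \'<HOST>\'` opens with an unanchored `.*`, which adds nothing to a pattern fail2ban applies as a search and only increases backtracking on long error lines; `failregex = ALERT - .*attacker '<HOST>'` expresses the same match, the backslash-escaped spaces and quotes being unnecessary. The `# Notes.:` line describes the target only as "ALERTS as notified by lighttpd's FastCGI Module" and gives no sample line, although the jail.conf hunk in this commit quotes one (`ALERT – tried to register forbidden variable ‘GLOBALS’ through GET variables (attacker '1.2.3.4', …)`); copying that sample into the Notes block, as the php-url-fopen filter in this commit does, lets the regex be checked against a real line without opening the jail file.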
@@ -0,0 +1,23 @@
+# Fail2Ban configuration file
+#
+# Author: Arturo 'Buanzo' Busleiman <bu...@bu...>
+# Version 2
+# fixes the failregex so REFERERS that contain =http:// don't get blocked
+# (mentioned by "fasuto" (no real email provided... blog comment) in this entry:
+# http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match this kind of request:
+#
+# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
+#
+failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex = 
Modified: trunk/config/jail.conf
===================================================================
--- trunk/config/jail.conf 2009-08-28 16:05:17 UTC (rev 733)
+++ trunk/config/jail.conf 2009-08-28 22:26:17 UTC (rev 734)
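Review bot: `failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$` fires on any request whose query string carries a `=http://` parameter, and the jail.conf hunk in this commit pairs the filter with `maxretry = 1`, so one legitimate request of the form `?next=http://…` or `?redirect_uri=http://…` bans the client outright; the `# Notes.:` block should say that explicitly so operators know to extend `ignoreregex` for applications that pass URLs in parameters. Restricting the match to the request target, e.g. `failregex = ^<HOST> -.*"(?:GET|POST) \S*\?\S*=http://\S* HTTP/`, keeps the `.*` segments from being satisfied by whatever later fields happen to contain and makes the non-capturing group explicit. The `\=`, `\:` and `\/` escapes are not needed in a Python regex and only make the pattern harder to read.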
@@ -152,6 +152,34 @@ sendmail[name=Postfix, dest=yo...@ma...] logpath = /var/log/apache2/error_log +# Ban attackers that try to use PHP's URL-fopen() functionality +# through GET/POST variables. - Experimental, with more than a year +# of usage in production environments. + +[php-url-fopen] + +enabled = false +port = http,https +filter = php-url-fopen +logpath = /var/www/*/logs/access_log +maxretry = 1 + +# A simple PHP-fastcgi jail which works with lighttpd. +# If you run a lighttpd server, then you probably will +# find these kinds of messages in your error_log: +# ALERT – tried to register forbidden variable ‘GLOBALS’ +# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php') +# This jail would block the IP 1.2.3.4. + +[lighttpd-fastcgi] + +enabled = true +port = http,https +filter = lighttpd-fastcgi +# adapt the following two items as needed +logpath = /var/log/lighttpd/error.log +maxretry = 2 + # This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip" # option is overridden in this jail. Moreover, the action "mail-whois" defines # the variable "name" which contains a comma using "". The characters '' are Modified: trunk/server/filter.py =================================================================== --- trunk/server/filter.py 2009-08-28 16:05:17 UTC (rev 733) +++ trunk/server/filter.py 2009-08-28 22:26:17 UTC (rev 734) 
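Review bot: The new `[lighttpd-fastcgi]` jail ships with `enabled = true`, unlike `[php-url-fopen]` in the same hunk, and its `logpath = /var/log/lighttpd/error.log` will not exist on hosts that do not run lighttpd; as far as I can tell from the surrounding config that makes the jail fail to come up (or at least log errors) on every default install, so `enabled = false` with the existing "adapt the following two items as needed" comment is the safer default. `[php-url-fopen]` sets `maxretry = 1`, so a single matching request bans the client; the comment calls the filter "Experimental" but should also warn that URL-valued query parameters are common in legitimate applications, e.g. `# Note: a single request with a ?param=http:// value bans the client; extend ignoreregex for applications that pass URLs in parameters.` The `ALERT – … ‘GLOBALS’` comment text carries typographic dashes and quotes, which look like a paste artefact and would be better as plain `-` and `'` so the sample line can be matched against the real log message.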
@@ -180,6 +180,17 @@ raise Exception("run() is abstract") ## + # Ban an IP - http://blogs.buanzo.com.ar/2009/04/fail2ban-patch-ban-ip-address-manually.html + # Arturo 'Buanzo' Busleiman <bu...@bu...> + # + # to enable banip fail2ban-client BAN command + + def addBannedIP(self, ip): + unixTime = time.time() + self.failManager.addFailure(FailTicket(ip, unixTime)) + return ip + + ## # Add an IP/DNS to the ignore list. # # IP addresses in the ignore list are not taken into account Modified: trunk/server/server.py =================================================================== --- trunk/server/server.py 2009-08-28 16:05:17 UTC (rev 733) +++ trunk/server/server.py 2009-08-28 22:26:17 UTC (rev 734) @@ -222,6 +222,9 @@ def setBanTime(self, name, value): self.__jails.getAction(name).setBanTime(value) + def setBanIP(self, name, value): + return self.__jails.getFilter(name).addBannedIP(value) + def getBanTime(self, name): return self.__jails.getAction(name).getBanTime() Modified: trunk/server/transmitter.py =================================================================== --- trunk/server/transmitter.py 2009-08-28 16:05:17 UTC (rev 733) +++ trunk/server/transmitter.py 2009-08-28 22:26:17 UTC (rev 734) @@ -164,6 +164,9 @@ value = command[2] self.__server.setBanTime(name, int(value)) return self.__server.getBanTime(name) + elif command[1] == "banip": + value = command[2] + return self.__server.setBanIP(name,value) elif command[1] == "addaction": value = command[2] self.__server.addAction(name, value) This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
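Review bot: `addBannedIP` records the address as one failure via `self.failManager.addFailure(FailTicket(ip, unixTime))`, so unless FailManager treats such tickets specially the ban is only issued once the jail's `maxretry` threshold is reached — for a jail with `maxretry` above 1 the "manual ban" would silently do nothing, while the client still gets the IP echoed back as if it had succeeded. If that is the behaviour, the ticket needs enough failures to cross the threshold (or the ban should be queued directly) and the return value should reflect what actually happened; the same applies to the `setBanIP` pass-throughs in the server.py and transmitter.py hunks. The value arrives unvalidated from `command[2]` and is forwarded as-is through `setBanIP(name,value)` to whatever the jail's action does with `<ip>`; checking it is a well-formed address at the transmitter, where `bantime` is already converted with `int(value)`, and raising on bad input keeps malformed strings out of the ban path. The comment header above the method (`# to enable banip fail2ban-client BAN command`) reads as a patch note rather than documentation — a docstring stating that the IP is queued as a failure for the jail, and what the caller gets back, would be more useful; the enclosing class starts outside the hunk, and `setBanIP(name,value)` in transmitter.py is missing the space after the comma that the neighbouring calls use.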
From: <yar...@us...> - 2010-06-22 14:33:12
Revision: 760 http://fail2ban.svn.sourceforge.net/fail2ban/?rev=760&view=rev Author: yarikoptic Date: 2010-06-22 14:33:05 +0000 (Tue, 22 Jun 2010) Log Message: ----------- ENH: adding gen_badbots script to generate apache-badbots.conf Modified Paths: -------------- trunk/config/filter.d/apache-badbots.conf Added Paths: ----------- trunk/files/gen_badbots
Modified: trunk/config/filter.d/apache-badbots.conf
===================================================================
--- trunk/config/filter.d/apache-badbots.conf 2010-05-01 13:26:02 UTC (rev 759)
+++ trunk/config/filter.d/apache-badbots.conf 2010-06-22 14:33:05 UTC (rev 760)
@@ -1,7 +1,7 @@
 # Fail2Ban configuration file
 #
 # List of bad bots fetched from http://www.user-agents.org
-# Generated on Sun Feb 11 01:09:15 EST 2007 by ./badbots.sh
+# Generated on Sun Feb 11 01:09:15 EST 2007 by gen_badbots
 #
 # Author: Yaroslav Halchenko
 #
Added: trunk/files/gen_badbots
===================================================================
--- trunk/files/gen_badbots (rev 0)
+++ trunk/files/gen_badbots 2010-06-22 14:33:05 UTC (rev 760)
@@ -0,0 +1,83 @@
+#!/bin/bash
+#-------------------------- =+- Shell script -+= --------------------------
+#
+# @file badbots.sh
+# @date Sun Feb 11 00:49:53 2007
+# @brief
+#
+#
+# Yaroslav Halchenko CS@UNM, CS@NJIT
+# web: http://www.onerussian.com & PSYCH@RUTGERS
+# e-mail: yo...@on... ICQ#: 60653192
+#
+# DESCRIPTION (NOTES):
+#
+# Script to fetch list of agent strings from http://www.user-agents.org
+# which are known to be from mailicious bots, and create apache-badbots.conf
+# filter for fail2ban
+#
+# COPYRIGHT: Yaroslav Halchenko 2007-2010
+#
+# LICENSE:
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the
+# Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+# MA 02110-1301, USA.
+#
+# On Debian system see /usr/share/common-licenses/GPL for the full license.
+#
+#-----------------\____________________________________/------------------
+
+url=http://www.user-agents.org/index.shtml
+badbots=$(
+for f in "" "?g_l" "?m" "?n_s" "?t_z"; do
+ wget -q -O- $url$f;
+done \
+| grep -h -B4 '<td class="smallcell" nowrap>S </td>'\
+| sed -e 's/ //g' \
+| awk '/^--/{getline; gsub(" ",""); print $0}' \
+| sed -e 's/\([.\:|()]\)/\\\1/g' \
+| tr '\n' '|' \
+| sed -e 's/|$//g'
+)
+
+echo $badbots >| /tmp/badbots.tmp
+
+cat >| apache-badbots.conf <<EOF
+# Fail2Ban configuration file
+#
+# List of bad bots fetched from http://www.user-agents.org
+# Generated on `date` by $0
+#
+# Author: Yaroslav Halchenko
+#
+#
+
+[Definition]
+badbotscustom = EmailCollector|WebEMailExtrac
+badbots = $badbots
+
+# Option: failregex
+# Notes.: Regexp to catch known spambots and software alike. Please verify that
+# it is your intent to block IPs which were driven by abovementioned bots
+# Values: TEXT
+#
+failregex = ^(?P<host>\S*) -.*"GET.*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"\$
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
+EOF
Property changes on: trunk/files/gen_badbots
___________________________________________________________________
Added: svn:executable
+ *
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
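Review bot: `badbots` is assembled from whatever `wget -q -O- $url$f` returns over plain HTTP, and the only escaping applied is `sed -e 's/\([.\:|()]\)/\\\1/g'`, so any other regex metacharacter in a scraped agent string (`*`, `+`, `?`, `[`, `]`, `{`, `}`, `^`, `$`) lands unescaped in the generated `failregex` and can make it fail to compile or match far more than the listed bots; extending that bracket expression to the full metacharacter set, and diffing the regenerated `apache-badbots.conf` against the committed one before shipping it, keeps a change on the remote page from silently changing what gets banned. When the scrape matches nothing — the `grep -h -B4 '<td class="smallcell" nowrap>S </td>'` step depends on the page's markup — `badbots` is empty and the emitted `(?:%(badbots)s|%(badbotscustom)s)` alternation gains an empty branch, so a guard such as `[ -n "$badbots" ] || { echo "no bot strings fetched" >&2; exit 1; }` belongs before the `cat >| apache-badbots.conf` heredoc. `echo $badbots >| /tmp/badbots.tmp` writes to a fixed path in a world-writable directory with the expansion unquoted; `tmp=$(mktemp) || exit 1` and `printf '%s\n' "$badbots" >| "$tmp"` avoid both problems, and the `wget` line inside the `for` loop has lost its indentation relative to `done`.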