From: <yar...@us...> - 2011-03-23 20:36:03
Revision: 767 http://fail2ban.svn.sourceforge.net/fail2ban/?rev=767&view=rev
Author: yarikoptic
Date: 2011-03-23 20:35:56 +0000 (Wed, 23 Mar 2011)
Log Message:
-----------
BF: Use /var/run/fail2ban instead of /tmp for temp files in actions: see http://bugs.debian.org/544232
It should be robust since /var/run/fail2ban is guaranteed to exist to carry the socket file, and it will be owned by root (or some other dedicated fail2ban user) thus avoiding possibility for the exploit
Modified Paths:
--------------
branches/FAIL2BAN-0_8/config/action.d/dshield.conf
branches/FAIL2BAN-0_8/config/action.d/mail-buffered.conf
branches/FAIL2BAN-0_8/config/action.d/mynetwatchman.conf
branches/FAIL2BAN-0_8/config/action.d/sendmail-buffered.conf
Modified: branches/FAIL2BAN-0_8/config/action.d/dshield.conf
===================================================================
--- branches/FAIL2BAN-0_8/config/action.d/dshield.conf 2010-09-27 13:18:32 UTC (rev 766)
+++ branches/FAIL2BAN-0_8/config/action.d/dshield.conf 2011-03-23 20:35:56 UTC (rev 767)
@@ -206,5 +206,5 @@
 # Notes.: Base name of temporary files used for buffering
 # Values: [ STRING ] Default: /tmp/fail2ban-dshield
 #
-tmpfile = /tmp/fail2ban-dshield
+tmpfile = /var/run/fail2ban/tmp-dshield
Modified: branches/FAIL2BAN-0_8/config/action.d/mail-buffered.conf
===================================================================
--- branches/FAIL2BAN-0_8/config/action.d/mail-buffered.conf 2010-09-27 13:18:32 UTC (rev 766)
+++ branches/FAIL2BAN-0_8/config/action.d/mail-buffered.conf 2011-03-23 20:35:56 UTC (rev 767)
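Review bot: The context line `# Values: [ STRING ] Default: /tmp/fail2ban-dshield` directly above the changed `tmpfile` still documents the old default, so the option header now contradicts the value under it; it should read `# Values: [ STRING ] Default: /var/run/fail2ban/tmp-dshield`. Since the reason for the move (per the log message) is that /var/run/fail2ban is not world-writable, that reason belongs in the header too, otherwise an administrator who later points `tmpfile` back at /tmp silently reintroduces the problem: `# Notes.: Base name of temporary files used for buffering. Keep this in a directory writable only by the fail2ban user; a world-writable location such as /tmp is exposed to symlink attacks.` The actionban/actionflush commands that actually write to <tmpfile> are outside this hunk, so whether they still use a plain redirection onto a predictable name is not visible here.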
@@ -81,7 +81,7 @@
 # Default temporary file
 #
-tmpfile = /tmp/fail2ban-mail.txt
+tmpfile = /var/run/fail2ban/tmp-mail.txt
 # Destination/Addressee of the mail
 #
Modified: branches/FAIL2BAN-0_8/config/action.d/mynetwatchman.conf
===================================================================
--- branches/FAIL2BAN-0_8/config/action.d/mynetwatchman.conf 2010-09-27 13:18:32 UTC (rev 766)
+++ branches/FAIL2BAN-0_8/config/action.d/mynetwatchman.conf 2011-03-23 20:35:56 UTC (rev 767)
@@ -141,4 +141,4 @@
 # Notes.: Base name of temporary files
 # Values: [ STRING ] Default: /tmp/fail2ban-mynetwatchman
 #
-tmpfile = /tmp/fail2ban-mynetwatchman
+tmpfile = /var/run/fail2ban/tmp-mynetwatchman
Modified: branches/FAIL2BAN-0_8/config/action.d/sendmail-buffered.conf
===================================================================
--- branches/FAIL2BAN-0_8/config/action.d/sendmail-buffered.conf 2010-09-27 13:18:32 UTC (rev 766)
+++ branches/FAIL2BAN-0_8/config/action.d/sendmail-buffered.conf 2011-03-23 20:35:56 UTC (rev 767)
@@ -101,5 +101,5 @@
 # Default temporary file
 #
-tmpfile = /tmp/fail2ban-mail.txt
+tmpfile = /var/run/fail2ban/tmp-mail.txt
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
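Review bot: `# Default temporary file` above the new `tmpfile` line in mail-buffered.conf says nothing about why the file left /tmp, so the security property the commit establishes is invisible to anyone editing the option later. Suggest `# Default temporary file. Must live in a directory writable only by the fail2ban user (not /tmp): the buffer is appended to under a fixed name, so a world-writable directory allows symlink attacks.` The command that appends to <tmpfile> is outside this hunk, so the "appended to" wording should be checked against it.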
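Review bot: In the mynetwatchman.conf hunk the context line `# Values: [ STRING ] Default: /tmp/fail2ban-mynetwatchman` is now wrong for the value it documents; change it to `# Values: [ STRING ] Default: /var/run/fail2ban/tmp-mynetwatchman` in the same commit so the header and the default do not drift. The same stale-default pattern appears in dshield.conf in this commit.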
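Review bot: `tmpfile = /var/run/fail2ban/tmp-mail.txt` in sendmail-buffered.conf is byte-identical to the new default in mail-buffered.conf, so if both actions are active they share one buffer file and each will mail out the other's lines. The collision predates this commit (both used /tmp/fail2ban-mail.txt) but the rename is the natural moment to separate them, e.g. `tmpfile = /var/run/fail2ban/tmp-sendmail.txt`. Whether the two actions are ever enabled together depends on jail.conf, which is not in this diff.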
From: <yar...@us...> - 2011-03-23 20:36:47
Revision: 771 http://fail2ban.svn.sourceforge.net/fail2ban/?rev=771&view=rev
Author: yarikoptic
Date: 2011-03-23 20:36:41 +0000 (Wed, 23 Mar 2011)
Log Message:
-----------
ENH: add <chain> to action.d/iptables*. Thanks Matthijs Kooijman: see http://bugs.debian.org/515599
Modified Paths:
--------------
branches/FAIL2BAN-0_8/config/action.d/iptables-allports.conf
branches/FAIL2BAN-0_8/config/action.d/iptables-multiport-log.conf
branches/FAIL2BAN-0_8/config/action.d/iptables-multiport.conf
branches/FAIL2BAN-0_8/config/action.d/iptables-new.conf
branches/FAIL2BAN-0_8/config/action.d/iptables.conf
Modified: branches/FAIL2BAN-0_8/config/action.d/iptables-allports.conf
===================================================================
--- branches/FAIL2BAN-0_8/config/action.d/iptables-allports.conf 2011-03-23 20:36:28 UTC (rev 770)
+++ branches/FAIL2BAN-0_8/config/action.d/iptables-allports.conf 2011-03-23 20:36:41 UTC (rev 771)
@@ -15,13 +15,13 @@
 #
 actionstart = iptables -N fail2ban-<name>
 iptables -A fail2ban-<name> -j RETURN
-iptables -I INPUT -p <protocol> -j fail2ban-<name>
+iptables -I <chain> -p <protocol> -j fail2ban-<name>
 # Option: actionstop
 # Notes.: command executed once at the end of Fail2Ban
 # Values: CMD
 #
-actionstop = iptables -D INPUT -p <protocol> -j fail2ban-<name>
+actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
 iptables -F fail2ban-<name>
 iptables -X fail2ban-<name>
@@ -29,7 +29,7 @@
 # Notes.: command executed once before each actionban command
 # Values: CMD
 #
-actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
+actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
 # Option: actionban
 # Notes.: command executed when banning an IP. Take care that the
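Review bot: `actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>` is satisfied by any line of the chain listing that merely contains the jail's chain name, so for a jail named `ssh` a jump to `fail2ban-ssh-ddos` belonging to another jail in the same chain also passes the check, and a missing `fail2ban-ssh` jump will not trigger actionstart. Anchoring on the target column, `actioncheck = iptables -n -L <chain> | grep -q '^fail2ban-<name>[[:space:]]'`, removes the false match. The `INPUT` line being replaced had the same weakness, so this is not introduced here, but the line is being rewritten anyway. The actionban/actionunban definitions of this file continue below the hunk.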
@@ -63,3 +63,8 @@
 #
 protocol = tcp
+# Option: chain
+# Notes specifies the iptables chain to which the fail2ban rules should be
+# added
+# Values: STRING Default: INPUT
+chain = INPUT
Modified: branches/FAIL2BAN-0_8/config/action.d/iptables-multiport-log.conf
===================================================================
--- branches/FAIL2BAN-0_8/config/action.d/iptables-multiport-log.conf 2011-03-23 20:36:28 UTC (rev 770)
+++ branches/FAIL2BAN-0_8/config/action.d/iptables-multiport-log.conf 2011-03-23 20:36:41 UTC (rev 771)
@@ -5,7 +5,7 @@
 #
 # make "fail2ban-<name>" chain to match drop IP
 # make "fail2ban-<name>-log" chain to log and drop
-# insert a jump to fail2ban-<name> from -I INPUT if proto/port match
+# insert a jump to fail2ban-<name> from -I <chain> if proto/port match
 #
 # $Revision$
 #
@@ -18,7 +18,7 @@
 #
 actionstart = iptables -N fail2ban-<name>
 iptables -A fail2ban-<name> -j RETURN
-iptables -I INPUT 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
 iptables -N fail2ban-<name>-log
 iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
 iptables -A fail2ban-<name>-log -j DROP
@@ -27,7 +27,7 @@
 # Notes.: command executed once at the end of Fail2Ban
 # Values: CMD
 #
-actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
 iptables -F fail2ban-<name>
 iptables -F fail2ban-<name>-log
 iptables -X fail2ban-<name>
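Review bot: The new option header `# Notes specifies the iptables chain to which the fail2ban rules should be` breaks the `# Notes.:` / `# Values:` layout every other option in this file uses (compare `# Notes.: command executed once at the end of Fail2Ban` in the hunk above), and it omits the one precondition a user of this option needs: actionstart only creates `fail2ban-<name>` and then does `iptables -I <chain>`, so a user-defined chain named here must already exist or actionstart fails. Suggest `# Notes.: Name of the iptables chain the jump to fail2ban-<name> is inserted into. This action does not create it, so it must already exist (a built-in such as INPUT or FORWARD, or a user-defined chain set up elsewhere).` and `# Values: STRING  Default: INPUT`. The same five-line block is added verbatim to the other four files in this commit and should be fixed in all of them.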
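Review bot: iptables-multiport-log.conf is the only file in this commit whose actioncheck is not part of the diff: its actionstart and actionstop are switched to `<chain>` here, while in the four sibling files `actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>` is rewritten as well. If this file carries the same actioncheck (it is not visible in these hunks — verify), then with `chain` set to anything other than INPUT the check looks in the wrong chain, fails before every ban, and actionstart is re-run each time against a chain that already exists. The line should become `actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>` in this file too.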
@@ -76,3 +76,9 @@
 # Values: [ tcp | udp | icmp | all ] Default: tcp
 #
 protocol = tcp
+
+# Option: chain
+# Notes specifies the iptables chain to which the fail2ban rules should be
+# added
+# Values: STRING Default: INPUT
+chain = INPUT
Modified: branches/FAIL2BAN-0_8/config/action.d/iptables-multiport.conf
===================================================================
--- branches/FAIL2BAN-0_8/config/action.d/iptables-multiport.conf 2011-03-23 20:36:28 UTC (rev 770)
+++ branches/FAIL2BAN-0_8/config/action.d/iptables-multiport.conf 2011-03-23 20:36:41 UTC (rev 771)
@@ -13,13 +13,13 @@
 #
 actionstart = iptables -N fail2ban-<name>
 iptables -A fail2ban-<name> -j RETURN
-iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
 # Option: actionstop
 # Notes.: command executed once at the end of Fail2Ban
 # Values: CMD
 #
-actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
 iptables -F fail2ban-<name>
 iptables -X fail2ban-<name>
@@ -27,7 +27,7 @@
 # Notes.: command executed once before each actionban command
 # Values: CMD
 #
-actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
+actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
 # Option: actionban
 # Notes.: command executed when banning an IP. Take care that the
@@ -67,3 +67,8 @@
 #
 protocol = tcp
+# Option: chain
+# Notes specifies the iptables chain to which the fail2ban rules should be
+# added
+# Values: STRING Default: INPUT
+chain = INPUT
Modified: branches/FAIL2BAN-0_8/config/action.d/iptables-new.conf
===================================================================
--- branches/FAIL2BAN-0_8/config/action.d/iptables-new.conf 2011-03-23 20:36:28 UTC (rev 770)
+++ branches/FAIL2BAN-0_8/config/action.d/iptables-new.conf 2011-03-23 20:36:41 UTC (rev 771)
@@ -15,13 +15,13 @@
 #
 actionstart = iptables -N fail2ban-<name>
 iptables -A fail2ban-<name> -j RETURN
-iptables -I INPUT -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
 # Option: actionstop
 # Notes.: command executed once at the end of Fail2Ban
 # Values: CMD
 #
-actionstop = iptables -D INPUT -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+actionstop = iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
 iptables -F fail2ban-<name>
 iptables -X fail2ban-<name>
@@ -29,7 +29,7 @@
 # Notes.: command executed once before each actionban command
 # Values: CMD
 #
-actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
+actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
 # Option: actionban
 # Notes.: command executed when banning an IP. Take care that the
@@ -69,3 +69,8 @@
 #
 protocol = tcp
+# Option: chain
+# Notes specifies the iptables chain to which the fail2ban rules should be
+# added
+# Values: STRING Default: INPUT
+chain = INPUT
Modified: branches/FAIL2BAN-0_8/config/action.d/iptables.conf
===================================================================
--- branches/FAIL2BAN-0_8/config/action.d/iptables.conf 2011-03-23 20:36:28 UTC (rev 770)
+++ branches/FAIL2BAN-0_8/config/action.d/iptables.conf 2011-03-23 20:36:41 UTC (rev 771)
@@ -13,13 +13,13 @@
 #
 actionstart = iptables -N fail2ban-<name>
 iptables -A fail2ban-<name> -j RETURN
-iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
+iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
 # Option: actionstop
 # Notes.: command executed once at the end of Fail2Ban
 # Values: CMD
 #
-actionstop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
+actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
 iptables -F fail2ban-<name>
 iptables -X fail2ban-<name>
@@ -27,7 +27,7 @@
 # Notes.: command executed once before each actionban command
 # Values: CMD
 #
-actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
+actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
 # Option: actionban
 # Notes.: command executed when banning an IP. Take care that the
@@ -67,3 +67,8 @@
 #
 protocol = tcp
+# Option: chain
+# Notes specifies the iptables chain to which the fail2ban rules should be
+# added
+# Values: STRING Default: INPUT
+chain = INPUT
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |