From: <bu...@us...> - 2009-08-28 22:26:26
Revision: 734 http://fail2ban.svn.sourceforge.net/fail2ban/?rev=734&view=rev Author: buanzo Date: 2009-08-28 22:26:17 +0000 (Fri, 28 Aug 2009) Log Message: ----------- Added a "ban ip" command to fail2ban-client (manual IP banning for a certain jail). Added two new jails: lighttpd-fastcgi and php-url-fopen. Fixed release date for 0.8.3 (was ??/??). Added "beta" version 0.8.4 which new items (see above). Modified Paths: -------------- trunk/ChangeLog trunk/common/protocol.py trunk/config/jail.conf trunk/server/filter.py trunk/server/server.py trunk/server/transmitter.py Added Paths: ----------- trunk/config/filter.d/lighttpd-fastcgi.conf trunk/config/filter.d/php-url-fopen.conf Modified: trunk/ChangeLog =================================================================== --- trunk/ChangeLog 2009-08-28 16:05:17 UTC (rev 733) +++ trunk/ChangeLog 2009-08-28 22:26:17 UTC (rev 734) @@ -12,10 +12,14 @@ - Added new prefix remover. - Added ISO 8601 date/time format. - Removed deprecated mail*.conf actions. -- Added fail2ban-client command to manually ban a given IP for a given jail -ver. 0.8.3 (2008/??/??) - stable +ver. 0.8.4 (2009/??/??) - beta ---------- +- Added "banip" command to fail2ban-client. Manually ban a given IP for a given jail. +- Added jails lighttpd-fastci and php-url-fopen + +ver. 0.8.3 (2008/07/18) - stable +---------- - Process failtickets as long as failmanager is not empty. - Added "pam-generic" filter and more configuration fixes. Thanks to Yaroslav Halchenko. Modified: trunk/common/protocol.py =================================================================== --- trunk/common/protocol.py 2009-08-28 16:05:17 UTC (rev 733) +++ trunk/common/protocol.py 2009-08-28 22:26:17 UTC (rev 734) 
@@ -59,6 +59,7 @@
 ["set <JAIL> delignoreregex <INDEX>", "removes the regular expression at <INDEX> for ignoreregex"],
 ["set <JAIL> findtime <TIME>", "sets the number of seconds <TIME> for which the filter will look back for <JAIL>"],
 ["set <JAIL> bantime <TIME>", "sets the number of seconds <TIME> a host will be banned for <JAIL>"],
+["set <JAIL> banip <IP>", "manually Ban <IP> for <JAIL>"],
 ["set <JAIL> maxretry <RETRY>", "sets the number of failures <RETRY> before banning the host for <JAIL>"],
 ["set <JAIL> addaction <ACT>", "adds a new action named <NAME> for <JAIL>"],
 ["set <JAIL> delaction <ACT>", "removes the action <NAME> from <JAIL>"],
Added: trunk/config/filter.d/lighttpd-fastcgi.conf
===================================================================
--- trunk/config/filter.d/lighttpd-fastcgi.conf (rev 0)
+++ trunk/config/filter.d/lighttpd-fastcgi.conf 2009-08-28 22:26:17 UTC (rev 734)
@@ -0,0 +1,18 @@
+# Fail2Ban configuration file
+#
+# Author: Arturo 'Buanzo' Busleiman <bu...@bu...>
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match ALERTS as notified by lighttpd's FastCGI Module
+# Values: TEXT
+#
+failregex = .*ALERT\ -\ .*attacker\ \'<HOST>\'
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
Added: trunk/config/filter.d/php-url-fopen.conf
===================================================================
--- trunk/config/filter.d/php-url-fopen.conf (rev 0)
+++ trunk/config/filter.d/php-url-fopen.conf 2009-08-28 22:26:17 UTC (rev 734)
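Review bot: The new help string `"manually Ban <IP> for <JAIL>"` is the only entry in this list with a capitalised verb mid-sentence and the only one not phrased as a third-person description like its neighbours (`sets the number ...`, `adds a new action ...`); `["set <JAIL> banip <IP>", "manually bans <IP> for <JAIL>"],` keeps the list uniform. If the ban only takes effect once the jail's maxretry threshold is reached, this help text is also the place to say so, since it is what `fail2ban-client -h` shows the operator.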
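Review bot: The failregex `.*ALERT\ -\ .*attacker\ \'<HOST>\'` is unanchored (the leading `.*` adds nothing when the pattern is searched rather than matched from the start of the line) and so accepts any error.log line that contains an `attacker '<host>'` fragment, not only the FastCGI ALERT the Notes line describes; should lighttpd ever write request-derived text into error.log, such a fragment could cause a ban of an address that never made the request. Anchoring on the fixed part of the message narrows this, e.g. `failregex = ALERT - tried to register forbidden variable .* \(attacker '<HOST>'`, based on the sample message quoted in the jail.conf hunk of this commit — confirm the exact literal (in particular whether the dash is ASCII) against a real log line before tightening. The escaped spaces (`\ `) are unnecessary outside verbose regex mode and make the pattern harder to read.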
@@ -0,0 +1,23 @@
+# Fail2Ban configuration file
+#
+# Author: Arturo 'Buanzo' Busleiman <bu...@bu...>
+# Version 2
+# fixes the failregex so REFERERS that contain =http:// don't get blocked
+# (mentioned by "fasuto" (no real email provided... blog comment) in this entry:
+# http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match this kind of request:
+#
+# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
+#
+failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
Modified: trunk/config/jail.conf
===================================================================
--- trunk/config/jail.conf 2009-08-28 16:05:17 UTC (rev 733)
+++ trunk/config/jail.conf 2009-08-28 22:26:17 UTC (rev 734)
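Review bot: The failregex `^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$` matches every request whose query string carries a parameter value beginning with `http://`, which is also what legitimate redirect, callback and `url=` parameters look like; together with the `maxretry = 1` this commit sets for the jail, one such request from an ordinary client is enough for a ban, and nothing in the conf warns about that. Document the trade-off next to the option, e.g. `# Note: matches any ?param=http://... query string, including legitimate ones; review the jail's maxretry before enabling.` The `\:`, `\/` and `\=` escapes are not needed in this regex dialect, so `failregex = ^<HOST> -.*"(GET|POST).*\?.*=http://.* HTTP/.*$` is equivalent and easier to read. Only `http://` is caught, not `https://`; if that is deliberate, the Notes line should say so.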
@@ -152,6 +152,34 @@ sendmail[name=Postfix, dest=yo...@ma...] logpath = /var/log/apache2/error_log +# Ban attackers that try to use PHP's URL-fopen() functionality +# through GET/POST variables. - Experimental, with more than a year +# of usage in production environments. + +[php-url-fopen] + +enabled = false +port = http,https +filter = php-url-fopen +logpath = /var/www/*/logs/access_log +maxretry = 1 + +# A simple PHP-fastcgi jail which works with lighttpd. +# If you run a lighttpd server, then you probably will +# find these kinds of messages in your error_log: +# ALERT – tried to register forbidden variable ‘GLOBALS’ +# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php') +# This jail would block the IP 1.2.3.4. + +[lighttpd-fastcgi] + +enabled = true +port = http,https +filter = lighttpd-fastcgi +# adapt the following two items as needed +logpath = /var/log/lighttpd/error.log +maxretry = 2 + # This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip" # option is overridden in this jail. Moreover, the action "mail-whois" defines # the variable "name" which contains a comma using "". The characters '' are Modified: trunk/server/filter.py =================================================================== --- trunk/server/filter.py 2009-08-28 16:05:17 UTC (rev 733) +++ trunk/server/filter.py 2009-08-28 22:26:17 UTC (rev 734) 
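Review bot: `enabled = true` for `[lighttpd-fastcgi]` ships the jail active on every installation, while the sibling `[php-url-fopen]` jail added in the same hunk defaults to `enabled = false`; on hosts without lighttpd the hard-coded `logpath = /var/log/lighttpd/error.log` will not exist, and I cannot see from here how the server reacts to a missing log path, so `enabled = false` is the safer default and matches the sibling. The sample message in the comment (`# ALERT – tried to register forbidden variable ‘GLOBALS’`) uses an en dash and curly quotes, whereas the failregex in lighttpd-fastcgi.conf expects `ALERT\ -\ ` with an ASCII hyphen; if the real log line is the ASCII form, the comment should use it too, otherwise an admin testing the regex against the documented example gets no match. The note `# adapt the following two items as needed` would also apply to `port`, which is just as site-specific as `logpath` and `maxretry`.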
@@ -180,6 +180,17 @@ raise Exception("run() is abstract") ## + # Ban an IP - http://blogs.buanzo.com.ar/2009/04/fail2ban-patch-ban-ip-address-manually.html + # Arturo 'Buanzo' Busleiman <bu...@bu...> + # + # to enable banip fail2ban-client BAN command + + def addBannedIP(self, ip): + unixTime = time.time() + self.failManager.addFailure(FailTicket(ip, unixTime)) + return ip + + ## # Add an IP/DNS to the ignore list. # # IP addresses in the ignore list are not taken into account Modified: trunk/server/server.py =================================================================== --- trunk/server/server.py 2009-08-28 16:05:17 UTC (rev 733) +++ trunk/server/server.py 2009-08-28 22:26:17 UTC (rev 734) @@ -222,6 +222,9 @@ def setBanTime(self, name, value): self.__jails.getAction(name).setBanTime(value) + def setBanIP(self, name, value): + return self.__jails.getFilter(name).addBannedIP(value) + def getBanTime(self, name): return self.__jails.getAction(name).getBanTime() Modified: trunk/server/transmitter.py =================================================================== --- trunk/server/transmitter.py 2009-08-28 16:05:17 UTC (rev 733) +++ trunk/server/transmitter.py 2009-08-28 22:26:17 UTC (rev 734) @@ -164,6 +164,9 @@ value = command[2] self.__server.setBanTime(name, int(value)) return self.__server.getBanTime(name) + elif command[1] == "banip": + value = command[2] + return self.__server.setBanIP(name,value) elif command[1] == "addaction": value = command[2] self.__server.addAction(name, value) This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
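Review bot: addBannedIP records exactly one failure via `self.failManager.addFailure(FailTicket(ip, unixTime))`, so whether the host is actually banned depends on the jail's maxretry threshold, which this hunk does not show; for a jail with `maxretry = 2` (the lighttpd-fastcgi jail added in this same commit) one call would presumably leave the host a failure short of a ban, and the method name and the `banip` command promise more than that. Either register enough failures to reach the jail's configured threshold (if FailManager exposes its max-retry value, a short loop over it suffices) or state the limitation in the method's comment. The `ip` argument also arrives unvalidated straight from `command[2]` in the transmitter.py hunk below; checking that it is an address before it becomes a ticket keeps arbitrary strings out of the ban pipeline. The comment block above the method (`# to enable banip fail2ban-client BAN command`) reads as a leftover note; a one-line description such as `# Manually register a failure for ip so the jail bans it (backs the "set <JAIL> banip <IP>" client command).` would serve the next reader better.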
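Review bot: `return self.__server.setBanIP(name,value)` drops the space after the comma that every neighbouring call in this elif chain has (`setBanTime(name, int(value))`); `return self.__server.setBanIP(name, value)`. The sibling branches apply the setter and then return the matching getter, whereas this one returns the setter's result directly, so a reader has to look into server.py to learn that the reply is the ip string — a short comment on the branch would save that trip. The enclosing function starts and ends outside the hunk.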