Merge branch '0.10' into 0.11

mohamed-hmd · Oct 18, 2019 · 0824ad0 · 0824ad0
2 parents 8c6a547 + 8b85086
commit 0824ad0
Show file tree

Hide file tree

Showing 9 changed files with 321 additions and 154 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -79,6 +79,9 @@ ver. 0.10.5-dev-1 (20??/??/??) - development edition
 * `action.d/badips.py`: fixed start of banaction on demand (which may be IP-family related), gh-2390
 * `action.d/helpers-common.conf`: rewritten grep arguments, now options `-wF` used to match only
   whole words and fixed string (not as pattern), gh-2298
+* `filter.d/apache-auth.conf`:
+  - ignore errors from mod_evasive in `normal` mode (mode-controlled now) (gh-2548);
+  - extended with option `mode` - `normal` (default) and `aggressive`
 * `filter.d/sshd.conf`:
   - matches `Bad protocol version identification` in `ddos` and `aggressive` modes (gh-2404).
   - captures `Disconnecting ...: Change of username or service not allowed` (gh-2239, gh-2279)
@@ -138,6 +141,16 @@ filter = flt[logtype=short]
   attempts (failure) for IP (resp. failure-ID), see gh-2351;
   Syntax:
   - `fail2ban-client set <jail> attempt <ip> [<failure-message1> ... <failure-messageN>]`
+* `action.d/nftables.conf`:
+  - isolate fail2ban rules into a dedicated table and chain (gh-2254)
+  - `nftables-allports` supports multiple protocols in single rule now
+  - combined nftables actions to single action `nftables`:
+    * `nftables-common` is removed (replaced with single action `nftables` now)
+    * `nftables-allports` is obsolete, superseded by `nftables[type=allports]`
+    * `nftables-multiport` is obsolete, superseded by `nftables[type=multiport]`
+  - allowed multiple protocols in `nftables[type=multiport]` action (single set with multiple rules
+    in chain), following configuration in jail would replace 3 separate actions, see
+    https://github.com/fail2ban/fail2ban/pull/2254#issuecomment-534684675
 * `action.d/badips.py`: option `loglevel` extended with level of summary message,
   following example configuration logging summary with NOTICE and rest with DEBUG log-levels:
   `action = badips.py[loglevel="debug, notice"]`

diff --git a/config/action.d/nftables-allports.conf b/config/action.d/nftables-allports.conf
@@ -6,17 +6,12 @@
 # Modified: Alexander Belykh <[email protected]>
 #                       adapted for nftables
 #
+# Obsolete: superseded by nftables[type=allports]
 
 [INCLUDES]
 
-before = nftables-common.conf
+before = nftables.conf
 
 [Definition]
 
-# Option:  nftables_mode
-# Notes.:  additional expressions for nftables filter rule
-# Values:  nftables expressions
-#
-nftables_mode = meta l4proto <protocol>
-
-[Init]
+type = allports
diff --git a/config/action.d/nftables-common.conf b/config/action.d/nftables-common.conf
diff --git a/config/action.d/nftables-multiport.conf b/config/action.d/nftables-multiport.conf
@@ -6,17 +6,12 @@
 # Modified: Alexander Belykh <[email protected]>
 #                       adapted for nftables
 #
+# Obsolete: superseded by nftables[type=multiport]
 
 [INCLUDES]
 
-before = nftables-common.conf
+before = nftables.conf
 
 [Definition]
 
-# Option:  nftables_mode
-# Notes.:  additional expressions for nftables filter rule
-# Values:  nftables expressions
-#
-nftables_mode = <protocol> dport \{ <port> \}
-
-[Init]
+type = multiport
diff --git a/config/action.d/nftables.conf b/config/action.d/nftables.conf
@@ -0,0 +1,184 @@
+# Fail2Ban configuration file
+#
+# Author: Daniel Black
+# Author: Cyril Jaquier
+# Modified: Yaroslav O. Halchenko <[email protected]>
+# 			made active on all ports from original iptables.conf
+# Modified: Alexander Belykh <[email protected]>
+#                       adapted for nftables
+#
+# This is a included configuration file and includes the definitions for the nftables
+# used in all nftables based actions by default.
+#
+# The user can override the defaults in nftables-common.local
+# Example: redirect flow to honeypot
+#
+# [Init]
+# table_family = ip
+# chain_type = nat
+# chain_hook = prerouting
+# chain_priority = -50
+# blocktype = counter redirect to 2222
+
+[INCLUDES]
+
+after = nftables-common.local
+
+[Definition]
+
+# Option:  type
+# Notes.:  type of the action.
+# Values:  [ multiport | allports ]  Default: multiport
+#
+type = multiport
+
+rule_match-custom =
+rule_match-allports = meta l4proto \{ <protocol> \}
+rule_match-multiport = $proto dport \{ <port> \}
+match = <rule_match-<type>>
+
+# Option:  rule_stat
+# Notes.:  statement for nftables filter rule.
+#          leaving it empty will block all (include udp and icmp)
+# Values:  nftables statement
+#
+rule_stat = %(match)s <addr_family> saddr @<addr_set> <blocktype>
+
+# optional interator over protocol's:
+_nft_for_proto-custom-iter =
+_nft_for_proto-custom-done =
+_nft_for_proto-allports-iter =
+_nft_for_proto-allports-done =
+_nft_for_proto-multiport-iter = for proto in $(echo '<protocol>' | sed 's/,/ /g'); do
+_nft_for_proto-multiport-done = done
+
+_nft_list = <nftables> -a list chain <table_family> f2b-table f2b-chain
+_nft_get_handle_id = grep -oP '@<addr_set>\s+.*\s+\Khandle\s+(\d+)$'
+
+_nft_add_set = <nftables> add set <table_family> f2b-table <addr_set> \{ type <addr_type>\; \}
+              <_nft_for_proto-<type>-iter>
+              <nftables> add rule <table_family> f2b-table f2b-chain %(rule_stat)s
+              <_nft_for_proto-<type>-done>
+_nft_del_set = (%(_nft_list)s | %(_nft_get_handle_id)s) | while read -r hdl; do
+               <nftables> delete rule <table_family> f2b-table f2b-chain $hdl; done
+              <nftables> delete set <table_family> f2b-table <addr_set>
+
+# Option:  actionstart
+# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
+# Values:  CMD
+#
+actionstart = <nftables> add table <table_family> f2b-table
+              <nftables> -- add chain <table_family> f2b-table f2b-chain \{ type <chain_type> hook <chain_hook> priority <chain_priority> \; \}
+              %(_nft_add_set)s
+
+# Option:  actionflush
+# Notes.:  command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action);
+#          uses `nft flush set ...` and as fallback (e. g. unsupported) recreates the set (with references)
+# Values:  CMD
+#
+actionflush = (<nftables> flush set <table_family> f2b-table <addr_set> 2> /dev/null) || (
+              %(_nft_del_set)s
+              %(_nft_add_set)s
+              )
+
+# Option:  actionstop
+# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
+# Values:  CMD
+#
+actionstop = %(_nft_del_set)s
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = <nftables> list chain <table_family> f2b-table f2b-chain | grep -q '@<addr_set>[ \t]'
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = <nftables> add element <table_family> f2b-table <addr_set> { <ip> }
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = <nftables> delete element <table_family> f2b-table <addr_set> { <ip> }
+
+[Init]
+
+# Option:  table_family
+# Notes.:  address family to work in
+# Values:  [ip | ip6 | inet]  Default: inet
+table_family = inet
+
+# Option:  chain_type
+# Notes.:  refers to the kind of chain to be created
+# Values:  [filter | route | nat]  Default: filter
+#
+chain_type = filter
+
+# Option:  chain_hook
+# Notes.:  refers to the kind of chain to be created
+# Values:  [ prerouting | input | forward | output | postrouting ]  Default: input
+#
+chain_hook = input
+
+# Option:  chain_priority
+# Notes.:  priority in the chain.
+# Values:  NUMBER  Default: -1
+#
+chain_priority = -1
+
+# Option:  addr_type
+# Notes.:  address type to work with
+# Values:  [ipv4_addr | ipv6_addr]  Default: ipv4_addr
+#
+addr_type = ipv4_addr
+
+# Default name of the filtering set
+#
+name = default
+
+# Option:  port
+# Notes.:  specifies port to monitor
+# Values:  [ NUM | STRING ]  Default:
+#
+port = ssh
+
+# Option:  protocol
+# Notes.:  internally used by config reader for interpolations.
+# Values:  [ tcp | udp ] Default: tcp
+#
+protocol = tcp
+
+# Option:  blocktype
+# Note:    This is what the action does with rules. This can be any jump target
+#          as per the nftables man page (section 8). Common values are drop,
+#          reject, reject with icmpx type host-unreachable, redirect to 2222
+# Values:  STRING
+blocktype = reject
+
+# Option:  nftables
+# Notes.:  Actual command to be executed, including common to all calls options
+# Values:  STRING
+nftables = nft
+
+# Option: addr_set
+# Notes.: The name of the nft set used to store banned addresses
+# Values: STRING
+addr_set = addr-set-<name>
+
+# Option: addr_family
+# Notes.: The family of the banned addresses
+# Values: [ ip | ip6 ]
+addr_family = ip
+
+[Init?family=inet6]
+addr_family = ip6
+addr_type = ipv6_addr
+addr_set = addr6-set-<name>