instructions

fail2ban-master/fail2ban/tests/config/action.d/action.conf

@@ -0,0 +1,4 @@
+
+[Definition]
+
+actionban = echo "name: <actname>, ban: <ip>, logs: %(logpath)s"

fail2ban-master/fail2ban/tests/config/action.d/brokenaction.conf

@@ -0,0 +1,4 @@
+
+[Definition]
+
+actionban = hit with big stick <ip>

fail2ban-master/fail2ban/tests/config/fail2ban.conf

@@ -0,0 +1,5 @@
+[Definition]
+
+#         3 = INFO
+loglevel = 3
+

fail2ban-master/fail2ban/tests/config/filter.d/checklogtype.conf

@@ -0,0 +1,31 @@
+# Fail2Ban configuration file
+#
+
+[INCLUDES]
+
+# Read common prefixes (logtype is set in default section)
+before = ../../../../config/filter.d/common.conf
+
+[Definition]
+
+_daemon = test
+
+failregex = ^<lt_<logtype>/__prefix_line> failure from <HOST>$
+ignoreregex = 
+
+# following sections define prefix line considering logtype:
+
+# backend-related (retrieved from backend, overwrite default):
+[lt_file]
+__prefix_line = FILE
+
+[lt_journal]
+__prefix_line = JRNL
+
+# specified in definition section of filter (see filter checklogtype_test.conf):
+[lt_test]
+__prefix_line = TEST
+
+# specified in init parameter of jail (see ../jail.conf, jail checklogtype_init):
+[lt_init]
+__prefix_line = INIT

fail2ban-master/fail2ban/tests/config/filter.d/checklogtype_test.conf

@@ -0,0 +1,12 @@
+# Fail2Ban configuration file
+#
+
+[INCLUDES]
+
+# Read common prefixes (logtype is set in default section)
+before = checklogtype.conf
+
+[Definition]
+
+# overwrite logtype in definition (no backend anymore):
+logtype = test

fail2ban-master/fail2ban/tests/config/filter.d/simple.conf

@@ -0,0 +1,4 @@
+
+[Definition]
+
+failregex = <IP>

fail2ban-master/fail2ban/tests/config/filter.d/test.conf

@@ -0,0 +1,13 @@
+#[INCLUDES]
+#before = common.conf
+
+[DEFAULT]
+_daemon = default
+
+[Definition]
+where = conf
+failregex = failure <_daemon> <one> (filter.d/test.%(where)s) <HOST>
+
+[Init]
+# test parameter, should be overridden in jail by "filter=test[one=1,...]"
+one = *1*

fail2ban-master/fail2ban/tests/config/filter.d/test.local

@@ -0,0 +1,16 @@
+#[INCLUDES]
+#before = common.conf
+
+[Definition]
+# overwrite default daemon, additionally it should be accessible in jail with "%(known/_daemon)s":
+_daemon = test
+# interpolate previous regex (from test.conf) + new 2nd + dynamical substitution) of "two" an "where":
+failregex = %(known/failregex)s
+            failure %(_daemon)s <two> (filter.d/test.<where>) <HOST>
+# parameter "two" should be specified in jail by "filter=test[..., two=2]"
+
+[Init]
+# this parameter can be used in jail with "%(known/three)s":
+three = 3
+# this parameter "where" does not overwrite "where" in definition of test.conf (dynamical values only):
+where = local

fail2ban-master/fail2ban/tests/config/filter.d/zzz-generic-example.conf

@@ -0,0 +1,27 @@
+# Fail2Ban generic example resp. test filter 
+#
+# Author: Serg G. Brester (sebres)
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local.  common.conf is a symlink to the original common.conf and
+# should be copied (dereferenced) during installation
+before = ../../../../config/filter.d/common.conf
+
+[Definition]
+
+_daemon = test-demo
+
+failregex = ^%(__prefix_line)sF2B: failure from <HOST>$
+            ^%(__prefix_line)sF2B: error from <HOST>$
+
+# just to test multiple ignoreregex:
+ignoreregex = ^%(__prefix_line)sF2B: error from 192.0.2.251$
+              ^%(__prefix_line)sF2B: error from 192.0.2.252$
+
+# specify only exact date patterns, +1 with %%Y to test usage of last known date by wrong dates like 0000-00-00...
+datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
+              {^LN-BEG}(?:%%a )?%%b %%d %%H:%%M:%%S(?:\.%%f)?(?: %%ExY)?
+              {^LN-BEG}%%Y(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?

fail2ban-master/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf

@@ -0,0 +1,102 @@
+# Fail2Ban obsolete multiline example resp. test filter (previously sshd.conf)
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = ../../../../config/filter.d/common.conf
+
+[DEFAULT]
+
+_daemon = sshd(?:-session)?
+
+# optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
+__pref = (?:(?:error|fatal): (?:PAM: )?)?
+# optional suffix (logged from several ssh versions) like " [preauth]"
+__suff = (?: (?:port \d+|on \S+|\[preauth\])){0,3}\s*
+__on_port_opt = (?: (?:port \d+|on \S+)){0,2}
+# close by authenticating user:
+__authng_user = (?: authenticating user <F-USER>\S+|.+?</F-USER>)?
+
+# single line prefix:
+__prefix_line_sl = %(__prefix_line)s%(__pref)s
+# multi line prefixes (for first and second lines):
+__prefix_line_ml1 = (?P<__prefix>%(__prefix_line)s)%(__pref)s
+__prefix_line_ml2 = %(__suff)s$<SKIPLINES>^(?P=__prefix)%(__pref)s
+
+# for all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found",
+# see ssherr.c for all possible SSH_ERR_..._ALG_MATCH errors.
+__alg_match = (?:(?:\w+ (?!found\b)){0,2}\w+)
+
+# PAM authentication mechanism, can be overridden, e. g. `filter = sshd[__pam_auth='pam_ldap']`:
+__pam_auth = pam_[a-z]+
+
+[Definition]
+
+cmnfailre = ^%(__prefix_line_sl)s[aA]uthentication (?:failure|error|failed) for .* from <HOST>( via \S+)?\s*%(__suff)s$
+         ^%(__prefix_line_sl)sUser not known to the underlying authentication module for .* from <HOST>\s*%(__suff)s$
+         ^%(__prefix_line_sl)sFailed \S+ for invalid user <F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
+         ^%(__prefix_line_sl)sFailed (?:<F-NOFAIL>publickey</F-NOFAIL>|\S+) for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
+         ^%(__prefix_line_sl)sROOT LOGIN REFUSED FROM <HOST>
+         ^%(__prefix_line_sl)s[iI](?:llegal|nvalid) user .*? from <HOST>%(__suff)s$
+         ^%(__prefix_line_sl)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*%(__suff)s$
+         ^%(__prefix_line_sl)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*%(__suff)s$
+         ^%(__prefix_line_sl)sUser .+ from <HOST> not allowed because not in any group\s*%(__suff)s$
+         ^%(__prefix_line_sl)srefused connect from \S+ \(<HOST>\)
+         ^%(__prefix_line_sl)sReceived disconnect from <HOST>%(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$
+         ^%(__prefix_line_sl)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*%(__suff)s$
+         ^%(__prefix_line_sl)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*%(__suff)s$
+         ^%(__prefix_line_ml1)s%(__pam_auth)s\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*%(__suff)s$%(__prefix_line_ml2)sConnection closed
+         ^%(__prefix_line_sl)s(error: )?maximum authentication attempts exceeded for .* from <HOST>%(__on_port_opt)s(?: ssh\d*)? \[preauth\]$
+         ^%(__prefix_line_ml1)sUser .+ not allowed because account is locked%(__prefix_line_ml2)sReceived disconnect from <HOST>%(__on_port_opt)s:\s*11: .+%(__suff)s$
+         ^%(__prefix_line_ml1)sDisconnecting: Too many authentication failures(?: for .+?)?%(__suff)s%(__prefix_line_ml2)sConnection closed by%(__authng_user)s <HOST>%(__suff)s$
+         ^%(__prefix_line_ml1)sConnection from <HOST>%(__on_port_opt)s%(__prefix_line_ml2)sDisconnecting: Too many authentication failures(?: for .+?)?%(__suff)s$
+
+mdre-normal =
+
+mdre-ddos =  ^%(__prefix_line_sl)sDid not receive identification string from <HOST>
+             ^%(__prefix_line_sl)sBad protocol version identification '.*' from <HOST>
+             ^%(__prefix_line_sl)sConnection (?:closed|reset) by%(__authng_user)s <HOST>%(__on_port_opt)s\s+\[preauth\]\s*$
+             ^%(__prefix_line_ml1)sSSH: Server;Ltype: (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+:.*%(__prefix_line_ml2)sRead from socket failed: Connection reset by peer%(__suff)s$
+
+mdre-extra = ^%(__prefix_line_sl)sReceived disconnect from <HOST>%(__on_port_opt)s:\s*14: No(?: supported)? authentication methods available
+             ^%(__prefix_line_sl)sUnable to negotiate with <HOST>%(__on_port_opt)s: no matching <__alg_match> found.
+             ^%(__prefix_line_ml1)sConnection from <HOST>%(__on_port_opt)s%(__prefix_line_ml2)sUnable to negotiate a <__alg_match>
+             ^%(__prefix_line_ml1)sConnection from <HOST>%(__on_port_opt)s%(__prefix_line_ml2)sno matching <__alg_match> found:
+             ^%(__prefix_line_sl)sDisconnected(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\S+</F-USER> <HOST>%(__on_port_opt)s \[preauth\]\s*$
+
+mdre-aggressive = %(mdre-ddos)s
+                  %(mdre-extra)s
+
+failregex = %(cmnfailre)s
+            <mdre-<mode>>
+
+# Parameter "mode": normal (default), ddos, extra or aggressive (combines all)
+# Usage example (for jail.local):
+#   [sshd]
+#   mode = extra
+#   # or another jail (rewrite filter parameters of jail):
+#   [sshd-aggressive]
+#   filter = sshd[mode=aggressive]
+#
+mode = normal
+
+ignoreregex = 
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 10
+
+journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
+
+datepattern = {^LN-BEG}
+
+# DEV Notes:
+#
+#   "Failed \S+ for .*? from <HOST>..." failregex uses non-greedy catch-all because
+#   it is coming before use of <HOST> which is not hard-anchored at the end as well,
+#   and later catch-all's could contain user-provided input, which need to be greedily
+#   matched away first.
+#
+# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black
+

fail2ban-master/fail2ban/tests/config/jail.conf

@@ -0,0 +1,107 @@
+
+[DEFAULT]
+filter = simple
+logpath = /non/exist
+
+[emptyaction]
+enabled = true
+filter =
+action =
+
+[special]
+failregex = <IP>
+ignoreregex =
+ignoreip =
+
+[test-known-interp]
+enabled = true
+filter = test[one=1,two=2]
+failregex = %(known/failregex)s
+            failure %(known/_daemon)s %(known/three)s (jail.local) <HOST>
+
+[missinglogfiles]
+enabled = true
+journalmatch = _COMM=test ;# allow to switch to systemd (by backend = `auto` and no logs found)
+logpath = /weapons/of/mass/destruction
+
+[missinglogfiles_skip]
+enabled = true
+skip_if_nologs = true
+logpath = /weapons/of/mass/destruction
+
+[brokenactiondef]
+enabled = true
+action = joho[foo
+
+[brokenfilterdef]
+enabled = true
+filter = flt[test
+
+[brokenaction]
+enabled = true
+action = brokenaction
+
+[missingaction]
+enabled = true
+action = noactionfileforthisaction
+
+[missingbitsjail]
+enabled = true
+filter = catchallthebadies
+action = thefunkychickendance
+
+[parse_to_end_of_jail.conf]
+enabled = true
+action =
+
+[tz_correct]
+enabled = true
+logtimezone = UTC+0200
+
+[multi-log]
+enabled = false
+filter  =
+logpath = a.log
+          b.log
+          c.log
+log2nd  = %(logpath)s
+          d.log
+action = action[actname='ban']
+         action[actname='log', logpath="%(log2nd)s"]
+         action[actname='test']
+
+[sshd-override-flt-opts]
+filter = zzz-sshd-obsolete-multiline[logtype=short]
+backend = systemd
+prefregex = ^Test
+failregex = ^Test unused <ADDR>$
+ignoreregex = ^Test ignore <ADDR>$
+journalmatch = _COMM=test
+maxlines = 2
+usedns = no
+enabled = false
+
+[checklogtype_jrnl]
+filter = checklogtype
+backend = systemd
+action = action
+enabled = false
+
+[checklogtype_file]
+filter = checklogtype
+backend = polling
+logpath = README.md
+action = action
+enabled = false
+
+[checklogtype_test]
+filter = checklogtype_test
+backend = systemd
+action = action
+enabled = false
+
+[checklogtype_init]
+filter = checklogtype_test[logtype=init]
+backend = systemd
+action = action
+enabled = false