Feature #228 » fail2ban-solaris.patch

Roy Sigurd Karlsbakk, 2010-09-18 07:11 AM


README.Solaris (revision 467)
1
# vim:tw=80:ft=txt
2

  
3
README FOR SOLARIS INSTALLATIONS
4

  
5
By Roy Sigurd Karlsbakk <roy@karlsbakk.net>
6

  
7
ABOUT
8

  
9
This readme is meant for those wanting to install fail2ban on Solaris 10,
10
OpenSolaris, OpenIndiana etc. To some degree it may as well be useful for
11
users of older Solaris versions and Nexenta, but don't rely on it.
12

  
13
READ ME FIRST
14

  
15
If I use the term Solaris, I am talking about any Solaris dialect, that is, the
16
official Sun/Oracle ones or derivates. If I describe an OS as
17
"OpenSolaris-based", it means it's either OpenSolaris, OpenIndiana or one of the
18
other, but /not/ the Nexenta family, since this only uses the OpenSolaris/
19
IllumOS kernel and not the userland. If I say Solaris 10, I mean Solaris 10 and
20
perhaps, if you're lucky and have some good gods on your side, it may also apply
21
to Solaris 9 or even 8 and hopefully in the new Solaris 11 whenever that may be
22
released. Quoted lines of code, settings et cetera are indented with two spaces.
23
This does _not_ mean you should use that indentation, especially in config files
24
where they can be harmful. Optional settings are prefixed with OPT: while
25
required settings are prefixed with REQ:. If no prefix is found, regard it as a
26
required setting.
27

  
28
INSTALLATION ON SOLARIS
29

  
30
The installation is straight forward on Solaris as well as on linux/bsd/etc.
31
./setup.py install installs the general packages in /usr/bin on OpenSolaris-
32
based distros or (at least on this box) under /usr/sfw/bin on Solaris 10. In
33
the files/ directory you will find the file solaris-fail2ban.xml containing the
34
Solaris service. To install this, run the following command as root (or with
35
sudo):
36

  
37
  svccfg import files/solaris-fail2ban.xml
38

  
39
This should normally without giving an error. If you get an error, deal with it,
40
and please post any relevant info (or fixes?) to the fail2ban mailing list.
41
Next, there are two more files in the files/ directory from which you can
42
choose. These are opensolaris-svc-fail2ban and solaris-10-svc-fail2ban. The
43
former is for OpenSolaris-based distros and the latter for Solaris 10. The only
44
difference is that the former uses the path of /usr/bin and the latter
45
/usr/sfw/bin for the fail2ban program files. To install the service handler,
46
copy the script in and allow it to be executed:
47

  
48
  cp files/opensolaris-svc-fail2ban /lib/svc/method/svc-fail2ban
49
  chmod +x /lib/svc/method/svc-fail2ban
50

  
51
CONFIGURE SYSLOG
52

  
53
For some reason, a default Solaris installation does not log ssh login attempts,
54
and since fail2ban works by monitoring logs, enabling this logging is rather
55
important for it to work. To enable this, edit /etc/syslog.conf and add a line
56
at the end:
57

  
58
  auth.info					/var/adm/auth.log
59

  
60
Save the file and exit, and run
61

  
62
  touch /var/adm/auth.log
63

  
64
The Solaris system logger will _not_ create a non-existing file. Now, restart
65
the system logger.
66

  
67
  svcadm restart system-log
68

  
69
Try to ssh into localhost with ssh asdf@localhost and enter an invalid password.
70
Make sure this is logged in the above file. When done, you may configure
71
fail2ban.
72

  
73
FAIL2BAN CONFIGURATION
74

  
75
OPT: Edit /etc/fail2ban/fail2ban.conf and change logtarget to /var/adm/fail2ban.log
76
REQ: Edit /etc/fail2ban/jail.conf and move down to the [ssh-tcpwrapper] section.
77
     Here, set enabled = true and logpath = /var/adm/auth.log. Set the sendmail
78
     dest address to something useful or drop the line to stop it spamming you.
79

  
80
START (OR RESTART) FAIL2BAN
81

  
82
Enable the fail2ban service with
83

  
84
  svcadm enable fail2ban
85

  
86
When done, check that all services are running well
87

  
88
  svcs -xv
89

  
90
GOTCHAS AND FIXMES
91

  
92
* It seems the installation may be starting fail2ban automatically. If this is
93
  done, fail2ban will not start, but no errors will be returned from svcs
94
  (above). Check if it's running with 'ps -ef | grep fail2ban' and manually kill
95
  the PID if it is. Re-enable fail2ban and try again
96

  
97
    svcadm disable fail2ban
98
    svcadm enable fail2ban
99

  
100
* Fail2ban adds lines like these to /etc/hosts.deny:
101

  
102
    ALL: 1.2.3.4
103

  
104
  wouldn't it be better to just block sshd?
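Review bot: the paths described in INSTALLATION ON SOLARIS do not match the method scripts shipped in this same patch. The README says opensolaris-svc-fail2ban uses /usr/bin and solaris-10-svc-fail2ban uses /usr/sfw/bin, but files/solaris-10-svc-fail2ban calls /usr/bin/fail2ban-client throughout, files/opensolaris-svc-fail2ban mixes /usr/bin (start) with /usr/sfw/bin (stop, reload, restart, status), and a third script, files/solaris-svc-fail2ban with /usr/local/bin, is not mentioned at all; settle on one script per prefix and cross-check before this is merged. Two smaller points in CONFIGURE SYSLOG: Solaris syslogd requires tab characters, not spaces, between the `auth.info` selector and the file name, which is worth saying explicitly given the warning about indentation in READ ME FIRST; and the `touch /var/adm/auth.log` step should be followed by `chmod 600 /var/adm/auth.log`, since a file created by root under the default umask is world-readable and auth logs routinely capture usernames, including passwords typed into the username field. On the hosts.deny gotcha: `ALL:` is hard-coded in the ban and unban lines of action.d/hostsdeny.conf, so restricting the block to sshd is a change to both lines of that action, not to this README.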
fail2ban-regex (working copy)
1 1
#!/usr/bin/python
2
# vim:ts=4:sw=4:si
3
#
2 4
# This file is part of Fail2Ban.
3 5
#
4 6
# Fail2Ban is free software; you can redistribute it and/or modify
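Review bot: this hunk only adds a vim modeline (`# vim:ts=4:sw=4:si`) to fail2ban-regex, which has nothing to do with Solaris support and, with ts=4, disagrees with the ts=8 modeline the same patch adds to setup.py; drop it from this patch, or submit editor settings separately with one consistent tab width, since these files are tab-indented and a ts/sw mismatch between them invites mixed-indentation edits.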
setup.py (working copy)
1 1
#!/usr/bin/python
2
# vim:ts=8:sw=8:si
2 3

  
3 4
# This file is part of Fail2Ban.
4 5
#
......
31 32
from os.path import isfile, join, isdir
32 33
from sys import argv
33 34
from glob import glob
35
import os
34 36

  
35 37
longdesc = '''
36 38
Fail2Ban scans log files like /var/log/pwdfail or
......
129 131
	print "Please do not forget to update your configuration files."
130 132
	print "They are in /etc/fail2ban/."
131 133
	print
134

  
135
	osname = os.uname()[0]
136
	if osname == "SunOS":
137
		print "Please read README.Solaris for installing this as Solaris service"
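Review bot: `os.uname()` does not exist on Windows, so this purely informational hint would turn the end of `setup.py install` into an AttributeError there; guard it with `hasattr(os, "uname")` or use `platform.system() == "SunOS"`, which returns the same sysname on Solaris. Minor: the new `import os` is added after the existing `from os.path import ...` line rather than with the other imports; keep the import block together, and the message could name the file's location (top of the source tree) so the reader finds it after a packaged install.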
files/solaris-10-svc-fail2ban (revision 467)
1
#!/usr/bin/bash -e
2
#
3
# fail2ban		This init.d script is used to start fail2ban.
4
# (C) by Hanno Wagner <wagner@rince.de>, License is GPL
5
 
6
#set -x
7

  
8
. /lib/svc/share/smf_include.sh
9

  
10
set -e
11

  
12

  
13
F2B_CONF="/etc/fail2ban/fail2ban.conf"
14
if [ -n "$2" ] && [ -f "$F2B_CONF" ]; then
15
  F2B_CONF="$2"
16
fi
17

  
18
ENV="/usr/bin/env -i LANG=C PATH=/usr/local/bin:/usr/bin:/bin:/opt/sfw/bin:/usr/sfw/bin"
19

  
20
case $1 in
21
	start)
22
		echo "Starting fail2ban-server with $F2B_CONF"
23
		eval $ENV /usr/bin/fail2ban-client start &
24
	;;
25
	stop)
26
		echo "Stopping fail2ban-server with $F2B_CONF"
27
		eval $ENV /usr/bin/fail2ban-client stop &
28
	;;
29
	reload | refresh )
30
		echo "Reloading fail2ban-server with $F2B_CONF"
31
		eval $ENV /usr/bin/fail2ban-client reload &
32
	;;
33
	restart | force-reload)
34
		echo "Forcing reload of fail2ban-server with $F2B_CONF"
35
		eval $ENV /usr/bin/fail2ban-client stop &
36
		sleep 2
37
		eval $ENV /usr/bin/fail2ban-client start &
38
	;;
39
	status)
40
		/usr/bin/fail2ban-client status &
41
	;;
42
	*)
43
		echo "Usage: /lib/svc/method/svc-fail2ban start|stop|status|refresh|restart|reload|force-reload" >&2
44
		exit 2
45
	;;
46
esac
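Review bot: every fail2ban-client call in this script is backgrounded with `&`, so the method exits 0 before the client has reported anything, which makes both the `-e` in the shebang and `set -e` dead code and leaves SMF no way to see a failed start (the GOTCHAS section of the README describes exactly this symptom). Run `fail2ban-client start` synchronously, which returns once the server is up, finish with `exit $SMF_EXIT_OK`, and never background `status`. Further: the script hard-codes /usr/bin/fail2ban-client while the README says the Solaris 10 install lands in /usr/sfw/bin; `F2B_CONF` is echoed but never passed to the client (which takes a configuration directory via `-c`, so the variable would have to hold a directory, not a file); and the guard `[ -n "$2" ] && [ -f "$F2B_CONF" ]` tests the default path instead of `"$2"`, so a nonexistent override is accepted silently. `eval $ENV /usr/bin/fail2ban-client start` is an `eval` of a fixed string and can simply be `$ENV /usr/bin/fail2ban-client start`.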
files/opensolaris-svc-fail2ban (revision 467)
1
#!/usr/bin/bash -e
2
#
3
# fail2ban		This init.d script is used to start fail2ban.
4
# (C) by Hanno Wagner <wagner@rince.de>, License is GPL
5
 
6
#set -x
7

  
8
. /lib/svc/share/smf_include.sh
9

  
10
set -e
11

  
12

  
13
F2B_CONF="/etc/fail2ban/fail2ban.conf"
14
if [ -n "$2" ] && [ -f "$F2B_CONF" ]; then
15
  F2B_CONF="$2"
16
fi
17

  
18
ENV="/usr/bin/env -i LANG=C PATH=/usr/local/bin:/usr/bin:/bin:/opt/sfw/bin:/usr/sfw/bin"
19

  
20
case $1 in
21
	start)
22
		echo "Starting fail2ban-server with $F2B_CONF"
23
		eval $ENV /usr/bin/fail2ban-client start &
24
	;;
25
	stop)
26
		echo "Stopping fail2ban-server with $F2B_CONF"
27
		eval $ENV /usr/sfw/bin/fail2ban-client stop &
28
	;;
29
	reload | refresh )
30
		echo "Reloading fail2ban-server with $F2B_CONF"
31
		eval $ENV /usr/sfw/bin/fail2ban-client reload &
32
	;;
33
	restart | force-reload)
34
		echo "Forcing reload of fail2ban-server with $F2B_CONF"
35
		eval $ENV /usr/sfw/bin/fail2ban-client stop &
36
		sleep 2
37
		eval $ENV /usr/sfw/bin/fail2ban-client start &
38
	;;
39
	status)
40
		/usr/sfw/bin/fail2ban-client status &
41
	;;
42
	*)
43
		echo "Usage: /lib/svc/method/svc-fail2ban start|stop|status|refresh|restart|reload|force-reload" >&2
44
		exit 2
45
	;;
46
esac
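Review bot: the paths are inconsistent within this one file: `start` calls /usr/bin/fail2ban-client while `stop`, `reload`, `restart` and `status` call /usr/sfw/bin/fail2ban-client, so on an OpenSolaris box (where the README says the binaries live in /usr/bin) the service starts but can never be stopped or reloaded through SMF, and `restart` becomes a failed stop followed by a start that finds the old server still running. Put the prefix in one variable at the top (`F2B_BIN=/usr/bin`) and use `$F2B_BIN/fail2ban-client` everywhere; since the README says the prefix is the only intended difference from solaris-10-svc-fail2ban, one script with that variable would replace both and remove the mix-up. The `&` after every client call also applies here: the method returns 0 immediately, so a failed start is never reported to SMF.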
files/solaris-svc-fail2ban (working copy)
1
#!/usr/bin/bash -e
2
#
3
# fail2ban		This init.d script is used to start fail2ban.
4
# (C) by Hanno Wagner <wagner@rince.de>, License is GPL
5
 
6
#set -x
7

  
8
. /lib/svc/share/smf_include.sh
9

  
10
set -e
11

  
12

  
13
F2B_CONF="/etc/fail2ban/fail2ban.conf"
14
if [ -n "$2" ] && [ -f "$F2B_CONF" ]; then
15
  F2B_CONF="$2"
16
fi
17

  
18
ENV="/usr/bin/env -i LANG=C PATH=/usr/local/bin:/usr/bin:/bin:/opt/sfw/bin:/usr/sfw/bin"
19

  
20
case $1 in
21
	start)
22
		[ -f /etc/fail2ban.conf ] || touch /etc/fail2ban.conf
23
		echo "Starting fail2ban-server with $F2B_CONF"
24
		eval $ENV /usr/local/bin/fail2ban-client start &
25
	;;
26
	stop)
27
		echo "Stopping fail2ban-server with $F2B_CONF"
28
		eval $ENV /usr/local/bin/fail2ban-client stop &
29
	;;
30
	reload | refresh )
31
		echo "Reloading fail2ban-server with $F2B_CONF"
32
		eval $ENV /usr/local/bin/fail2ban-client reload &
33
	;;
34
	restart | force-reload)
35
		echo "Forcing reload of fail2ban-server with $F2B_CONF"
36
		eval $ENV /usr/local/bin/fail2ban-client stop &
37
		sleep 2
38
		eval $ENV /usr/local/bin/fail2ban-client start &
39
	;;
40
	status)
41
		/usr/local/bin/fail2ban-client status &
42
	;;
43
	*)
44
		echo "Usage: /lib/svc/method/svc-fail2ban start|stop|status|refresh|restart|reload|force-reload" >&2
45
		exit 2
46
	;;
47
esac
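Review bot: `[ -f /etc/fail2ban.conf ] || touch /etc/fail2ban.conf` in `start` creates an empty file at a path nothing reads: `F2B_CONF` two lines above is /etc/fail2ban/fail2ban.conf and fail2ban loads its configuration from the /etc/fail2ban directory, so this is either a typo for that path or a leftover and should be removed rather than creating stray root-owned files. This is also a third method script (prefix /usr/local/bin) that the README never mentions next to the other two; all three are identical apart from the prefix, so a single script with `F2B_BIN` set once, or read from the manifest with `svcprop`, would replace them. As in the other two scripts, every client call is backgrounded with `&`, so SMF never sees a failed start.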
config/action.d/hostsdeny.conf (working copy)
44 44
#          <time>  unix timestamp of the ban time
45 45
# Values:  CMD
46 46
#
47
actionunban = IP=<ip> && sed -i.old /ALL:\ $IP/d <file>
47
# Original:
48
#actionunban = IP=<ip> && sed -i.old /ALL:\ $IP/d <file>
48 49

  
50
# -i is not supported under Solaris 10
51
actionunban = IP=<ip> && perl -ne 'print unless (/^ALL:\s$IP/)' -i <file>
52

  
49 53
[Init]
50 54

  
51 55
# Option:  file
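Review bot: the new `actionunban` is broken: `'print unless (/^ALL:\s$IP/)'` is single-quoted, so the shell never expands `$IP` and Perl sees its own undefined `$IP`, which interpolates as the empty string; the filter is effectively `/^ALL:\s/`, and unbanning one address deletes every `ALL:` entry in hosts.deny (the sed version being replaced worked only because its `$IP` was unquoted and expanded by the shell). Pass the address through the environment and anchor and quote the match, e.g. `actionunban = IP=<ip> perl -i -ne 'print unless /^ALL:\s+\Q$ENV{IP}\E\s*$/' <file>`; `\Q...\E` stops the dots in the address matching any character and the `\s*$` anchor stops an unban of 1.2.3.4 also removing 1.2.3.45, which the original sed expression got wrong as well. Since this action edits a file that tcpd consults on every connection, please add a ban/unban round-trip that checks the file contents to the test cases before merging.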
config/filter.d/sshd.conf (working copy)
26 26
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
27 27
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
28 28
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
29
            ^%(__prefix_line)s\[.*\] Failed keyboard-interactive for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
29 30
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
30 31
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
31 32
            ^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
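Review bot: the added line is a near copy of the `Failed (?:password|publickey)` regex two lines above it, differing only in the `\[.*\] ` prefix and the `keyboard-interactive` method; fold it into that line as `^%(__prefix_line)s(?:\[[^\]]*\] )?Failed (?:password|publickey|keyboard-interactive) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$`, so lines with and without the bracketed tag match for all three methods, and use `[^\]]*` instead of the greedy `.*`, which can run past the first `]`. Add a sample line from a real Solaris /var/adm/auth.log to the sshd test cases so the new pattern is actually exercised by `fail2ban-regex`.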