Fixed directly defined banaction for allports jails like pam-generic, recidive, etc #1238

Merged
merged 1 commit into from Oct 31, 2015
2 changes: 2 additions & 0 deletions ChangeLog
Expand Up @@ -22,6 +22,8 @@ ver. 0.9.4 (2015/XX/XXX) - wanna-be-released
different log messages), which addresses different behavior on different
exit codes of dash and bash (gh-1155)
* Fix jail.conf.5 man's section (gh-1226)
* Fixed default banaction for allports jails like pam-generic, recidive, etc
with new default variable `banaction_allports` (gh-1216)

- New Features:
* New filters:
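Review bot: The new ChangeLog entry for `banaction_allports` names the variable but does not tell an administrator what to do with it. Since the variable exists so the action can be changed in one place, say so in the entry, for example that it can be overridden in jail.local to change the action for all of these jails at once. Minor style point: the entry directly above reads "Fix ..." while this one reads "Fixed ...".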
7 changes: 4 additions & 3 deletions config/jail.conf
Expand Up @@ -154,6 +154,7 @@ port = 0:65535
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
banaction_allports = iptables-allports

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
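Review bot: The added `banaction_allports = iptables-allports` line has no comment of its own, and the comment block above it only talks about the action used in the action_* variables, while `action_` just below still interpolates only `%(banaction)s`. Add a line stating that `banaction_allports` is consumed by individual jails and not by the action_* shortcuts. Without it, someone who switches `banaction` to another firewall backend can reasonably assume the allports jails follow, when they keep using iptables-allports until `banaction_allports` is changed as well.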
Expand Down Expand Up @@ -713,7 +714,7 @@ maxretry = 5
[recidive]

logpath = /var/log/fail2ban.log
banaction = iptables-allports
banaction = %(banaction_allports)s
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 5
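Review bot: In [recidive], `banaction = %(banaction_allports)s` makes the scope of a one-week ban (`bantime = 604800`) depend on whatever the variable is overridden to, and nothing in the jail says the action is expected to block all ports. Add a short comment here, or next to the variable where it is defined, stating that the value should be an all-ports action, so that an override pointing at a port-limited action does not silently narrow the ban.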
Expand All @@ -724,7 +725,7 @@ maxretry = 5

[pam-generic]
# pam-generic filter can be customized to monitor specific subset of 'tty's
banaction = iptables-allports
banaction = %(banaction_allports)s
logpath = %(syslog_authpriv)s


Expand Down Expand Up @@ -770,7 +771,7 @@ maxretry = 1
enabled = false
logpath = /opt/sun/comms/messaging64/log/mail.log_current
maxretry = 6
banaction = iptables-allports
banaction = %(banaction_allports)s

[directadmin]
enabled = false
6 changes: 6 additions & 0 deletions man/jail.conf.5
Expand Up @@ -146,6 +146,12 @@ Ensure syslog or the program that generates the log file isn't configured to com
.B logencoding
encoding of log files used for decoding. Default value of "auto" uses current system locale.
.TP
.B banaction
default banning action (iptables-multiport) for all jails specified in the \fI[DEFAULT]\fR section.
Member

Default section doesn't have jails. Jails are all other sections and the default one just provides defaults.

Contributor Author

Yes, but I meant: the banning action (for all jails) specified in the [DEFAULT] section.
Not the jails in default section. My bad English :(

Member

It could also be specified per jail. Again, DEFAULTS are just defaults. So no need to state where it is since it can be anywhere.

On October 31, 2015 10:18:58 AM EDT, "Serg G. Brester" notifications@github.com wrote:

@@ -146,6 +146,12 @@ Ensure syslog or the program that generates the
log file isn't configured to com
.B logencoding
encoding of log files used for decoding. Default value of "auto"
uses current system locale.
.TP
+.B banaction
+default banning action (iptables-multiport) for all jails specified
in the \fI[DEFAULT]\fR section.

Yes, but I meant: the banning action (for all jails) specified in the
[DEFAULT] section.
Not the jails in default section. My bad english :(


Reply to this email directly or view it on GitHub:
https://github.com/fail2ban/fail2ban/pull/1238/files#r43572222

Contributor Author

Yes, I know, but the point of this commit, resp. of these variables, is to specify it centrally in the [DEFAULT] section of jail.local, just to not specify it per jail.
Also one place for all "normal" jails and one for "allports" jails...

Member

Yes. But my comment is about documentation. Now it is misleading and needs to be fixed up.

On October 31, 2015 11:08:46 AM EDT, "Serg G. Brester" notifications@github.com wrote:

@@ -146,6 +146,12 @@ Ensure syslog or the program that generates the
log file isn't configured to com
.B logencoding
encoding of log files used for decoding. Default value of "auto"
uses current system locale.
.TP
+.B banaction
+default banning action (iptables-multiport) for all jails specified
in the \fI[DEFAULT]\fR section.

Yes I know, but point of this commit resp. of this variables to specify
it central in [DEFAULT] section of jail.local, just to not specify it
per jail.
Also one place for all "normal" jails and one for "allports" jails...



Contributor Author

Now it is misleading

Now it is available (before, it was not documented at all) ... but I've corrected my "mistake" in 5767191.

.TP
.B banaction_allports
default allports banning action (iptables-allports) for some jails like "pam-generic" or "recidive", specified in the \fI[DEFAULT]\fR section.
.TP
.B action
action(s) from \fI/etc/fail2ban/action.d/\fR without the \fI.conf\fR/\fI.local\fR extension. Arguments can be passed to actions to override the default values from the [Init] section in the action file. Arguments are specified by:
.RS
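Review bot: The `banaction_allports` entry says it applies to "some jails like pam-generic or recidive" without telling the reader what makes a jail use it. State that a jail picks it up by setting `banaction = %(banaction_allports)s`, so an administrator can tell which jails an override will affect. Also consider dropping the literal values "(iptables-multiport)" and "(iptables-allports)" from both entries, since they will go stale if the values shipped in jail.conf change.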