Package: fail2ban
Version: 0.8.4-3+squeeze1
Severity: normal
When parsing a jail.local config file there is a problem when parsing inline comments with "#".
For example the following line in the jail.local file:
bantime = 28800 # seconds
results in an error message when checking the configuration with fail2ban-client:
# fail2ban-client -d
WARNING 'findtime' not defined in 'apache-noscript'. Using default value
WARNING Wrong value for 'bantime' in 'apache-noscript'. Using default one: '600'
WARNING 'findtime' not defined in 'pam-generic'. Using default value
WARNING Wrong value for 'bantime' in 'pam-generic'. Using default one: '600'
WARNING 'findtime' not defined in 'vsftpd'. Using default value
WARNING Wrong value for 'bantime' in 'vsftpd'. Using default one: '600'
WARNING 'findtime' not defined in 'xinetd-fail'. Using default value
WARNING Wrong value for 'bantime' in 'xinetd-fail'. Using default one: '600'
WARNING 'findtime' not defined in 'ssh-ddos'. Using default value
WARNING Wrong value for 'bantime' in 'ssh-ddos'. Using default one: '600'
...
I've found out in the ConfigParser Python module documentation (used by fail2ban
to parse the config files) there is an explicit mention of this:
For backwards compatibility, only ; starts an inline comment, while # does not.
(http://docs.python.org/release/2.6.8/library/configparser.html)
Possibly this should be mentioned in the default config file provided within the package,
maybe as follows:
diff jail.local_patch jail.local
10,12d9
< # Comment lines can be inserted by prefixing them with a '#'
< # Inline commments must use ';'.
< #
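Review bot: The second added comment line misspells "commments" (three m's); it should read "Inline comments must use ';'." The diff is also taken in the reverse direction (diff jail.local_patch jail.local), so the proposed lines show up as deletions ("<", 10,12d9) rather than additions; swapping the two file arguments would present them as added lines. It would also help if the comment said that a trailing '#' becomes part of the value, since that is what produces the "Wrong value for 'bantime'" warning and the fallback to '600' shown above.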
-- System Information:
Debian Release: 6.0.5
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-bpo.5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages fail2ban depends on:
ii lsb-base 3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii python 2.6.6-3+squeeze7 interactive high-level object-orie
ii python-central 0.6.16+nmu1 register and build utility for Pyt
Versions of packages fail2ban recommends:
ii iptables 1.4.8-3 administration tools for packet fi
ii whois 5.0.10 an intelligent whois client
Versions of packages fail2ban suggests:
ii bsd-mailx [mailx] 8.1.2-0.20100314cvs-1 simple mail user agent
ii mailx 1:20071201-3 Transitional package for mailx ren
pn python-gamin <none> (no description available)
-- Configuration Files:
/etc/fail2ban/jail.conf changed:
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 7200
maxretry = 3
backend = polling
destemail = root@localhost
banaction = iptables-multiport
mta = sendmail
protocol = tcp
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
action = %(action_)s
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
[pam-generic]
enabled = false
filter = pam-generic
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6
[xinetd-fail]
enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2
[ssh-ddos]
enabled = false
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6
[apache]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-multiport]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-noscript]
enabled = false
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-overflows]
enabled = false
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2
[vsftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
maxretry = 6
[proftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
[wuftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 6
[postfix]
enabled = false
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
[couriersmtp]
enabled = false
port = smtp,ssmtp
filter = couriersmtp
logpath = /var/log/mail.log
[courierauth]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log
[sasl]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.log
[named-refused-tcp]
enabled = false
port = domain,953
protocol = tcp
filter = named-refused
logpath = /var/log/named/security.log
-- no debconf information
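Added example, not part of the original report and not fail2ban's own code: a small pre-deployment check that flags integer options whose value has swallowed an inline '#' comment, so the silent fallback to the default ban time is caught before the jails load. It assumes Python 3's configparser with inline_comment_prefixes=(';',) as a stand-in for the Python 2.6 rule quoted above; the sample config, the option list and the function names are constructed for illustration.

```python
import configparser

# Constructed sample in the style of the jail.local line from the report.
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
bantime = 28800 # seconds
maxretry = 3

[ssh]
maxretry = 6 ; stripped, because ';' starts an inline comment

[vsftpd]
bantime = 7200
"""

INT_OPTIONS = ("bantime", "findtime", "maxretry")  # options checked as integers
FALLBACK_BANTIME = 600  # default shown in the report's warning output

def load(text):
    # Assumption: Python 3 stand-in for the Python 2.6 rule quoted in the
    # report, where only ';' (preceded by whitespace) starts an inline comment.
    parser = configparser.RawConfigParser(inline_comment_prefixes=(";",))
    parser.read_string(text)
    return parser

def lint_int_options(text, options=INT_OPTIONS):
    """Return (section, option, raw_value) for each value that is not an int."""
    parser, findings = load(text), []
    for section in parser.sections():  # each jail inherits from [DEFAULT]
        for option in options:
            if not parser.has_option(section, option):
                continue
            raw = parser.get(section, option)
            try:
                int(raw)
            except ValueError:
                findings.append((section, option, raw))
    return findings

def effective_bantime(text, section):
    """Ban time a jail ends up with when a bad value falls back to the default."""
    raw = load(text).get(section, "bantime")
    try:
        return int(raw)
    except ValueError:
        return FALLBACK_BANTIME
```

On the sample, the [ssh] jail inherits the commented bantime from [DEFAULT] and ends up with 600 seconds instead of the intended 28800, while [vsftpd] keeps its own 7200.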