Bug#676146: fail2ban: Incorrect parsing of commented text after reading a value from config file

Mon, 04 Jun 2012 19:10:38 -0700 

Package: fail2ban
Version: 0.8.4-3+squeeze1
Severity: normal

When parsing a jail.local config file there is a problem when parsing inline 
comments with "#".
For example the following line in the jail.local file:

    bantime  = 28800 # seconds

results in an error message when checking the configuration with 
fail2ban-client:

    # fail2ban-client -d
    WARNING 'findtime' not defined in 'apache-noscript'. Using default value
    WARNING Wrong value for 'bantime' in 'apache-noscript'. Using default one: 
'600'
    WARNING 'findtime' not defined in 'pam-generic'. Using default value
    WARNING Wrong value for 'bantime' in 'pam-generic'. Using default one: '600'
    WARNING 'findtime' not defined in 'vsftpd'. Using default value
    WARNING Wrong value for 'bantime' in 'vsftpd'. Using default one: '600'
    WARNING 'findtime' not defined in 'xinetd-fail'. Using default value
    WARNING Wrong value for 'bantime' in 'xinetd-fail'. Using default one: '600'
    WARNING 'findtime' not defined in 'ssh-ddos'. Using default value
    WARNING Wrong value for 'bantime' in 'ssh-ddos'. Using default one: '600'
    ...

I've found out in the ConfigParser Python module documentation (used by 
fail2ban 
to parse the config files) there is an explicit mention to this:

    For backwards compatibility, only ; starts an inline comment, while # does 
not.
    ( http://docs.python.org/release/2.6.8/library/configparser.html )

Possibly this should be mentioned in the default config file provided within 
the package 
maybe as following: 

diff jail.local_patch jail.local

10,12d9
< # Comment lines can be inserted by prefixing them with a '#'   
< # Inline commments must use ';'.                              
< #



-- System Information:
Debian Release: 6.0.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-bpo.5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages fail2ban depends on:
ii  lsb-base                3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii  python                  2.6.6-3+squeeze7 interactive high-level object-orie
ii  python-central          0.6.16+nmu1      register and build utility for Pyt

Versions of packages fail2ban recommends:
ii  iptables                      1.4.8-3    administration tools for packet fi
ii  whois                         5.0.10     an intelligent whois client

Versions of packages fail2ban suggests:
ii  bsd-mailx [mailx]  8.1.2-0.20100314cvs-1 simple mail user agent
ii  mailx              1:20071201-3          Transitional package for mailx ren
pn  python-gamin       <none>                (no description available)

-- Configuration Files:
/etc/fail2ban/jail.conf changed:
[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 7200 
maxretry = 3
backend = polling
destemail = root@localhost
banaction = iptables-multiport
mta = sendmail
protocol = tcp
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", 
protocol="%(protocol)s]
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", 
protocol="%(protocol)s]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", 
protocol="%(protocol)s]
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", 
protocol="%(protocol)s]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", 
logpath=%(logpath)s]
 
action = %(action_)s
[ssh]
enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 6
[pam-generic]
enabled = false
filter  = pam-generic
port = all
banaction = iptables-allports
port     = anyport
logpath  = /var/log/auth.log
maxretry = 6
[xinetd-fail]
enabled   = false
filter    = xinetd-fail
port      = all
banaction = iptables-multiport-log
logpath   = /var/log/daemon.log
maxretry  = 2
[ssh-ddos]
enabled = false
port    = ssh
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6
[apache]
enabled = false
port    = http,https
filter  = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-multiport]
enabled   = false
port      = http,https
filter    = apache-auth
logpath   = /var/log/apache*/*error.log
maxretry  = 6
[apache-noscript]
enabled = false
port    = http,https
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-overflows]
enabled = false
port    = http,https
filter  = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2
[vsftpd]
enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log
maxretry = 6
[proftpd]
enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6
[wuftpd]
enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 6
[postfix]
enabled  = false
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log
[couriersmtp]
enabled  = false
port     = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log
[courierauth]
enabled  = false
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = courierlogin
logpath  = /var/log/mail.log
[sasl]
enabled  = false
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
logpath  = /var/log/mail.log
[named-refused-tcp]
enabled  = false
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/log/named/security.log


-- no debconf information



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to