#!/usr/bin/env python
# This file is part of Fail2Ban.
# Fail2Ban is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# Fail2Ban is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with Fail2Ban; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
# Author: Cyril Jaquier
# $Revision$
# Module metadata. "$Revision$" and "$Date$" are RCS-style keyword
# placeholders (the header above carries the same "$Revision$" marker);
# they stay literal unless the version control system expands them.
__author__ = "Cyril Jaquier"
__version__ = "$Revision$"
__date__ = "$Date$"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__license__ = "GPL"
import time, sys, getopt, os, signal, string
from ConfigParser import *
# Checks if log4py is present.
# NOTE(review): this listing omits the guard lines (presumably a
# try:/except ImportError:) that normally surround this import; the
# print below is the failure path that runs when log4py cannot be imported.
import log4py
print "log4py is needed (see README)"
# Appends our own modules path
from firewall.iptables import Iptables
from firewall.ipfw import Ipfw
from firewall.ipfwadm import Ipfwadm
from logreader.logreader import LogReader
from confreader.configreader import ConfigReader
from version import version
def usage():
    """ Print the command line help of fail2ban.py to stdout.

    The text lists every option understood by the getopt string in
    __main__ ('hvbdkc:l:t:i:r:e:w:p:').
    """
    helpLines = [
        "Usage: fail2ban.py [OPTIONS]",
        "Fail2Ban v"+version+" reads log file that contains password failure report",
        "and bans the corresponding IP address using iptables.",
        " -b start fail2ban in background",
        " -d start fail2ban in debug mode",
        " -e <INTF> ban IP on the INTF interface",
        " -c <FILE> read configuration file FILE",
        " -p <FILE> create PID lock in FILE",
        " -h display this help message",
        " -i <IP(s)> IP(s) to ignore",
        " -k kill a currently running Fail2Ban instance",
        " -l <FILE> log message in FILE",
        " -r <VALUE> allow a max of VALUE password failure",
        " -t <TIME> ban IP for TIME seconds",
        " -v verbose",
        " -w <FIWA> select the firewall to use. Can be iptables,",
        " ipfwadm or ipfw",
        "Report bugs to <lostcontrol@users.sourceforge.net>",
    ]
    # One print per line and one print of the newline-joined text write
    # exactly the same bytes to stdout.
    print "\n".join(helpLines)
    # NOTE(review): the listing this was taken from may have ended with an
    # exit call that is not visible here; the caller is expected to stop
    # after printing the help.
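def checkForRoot():
    """ Check for root user.

    Returns True when the process runs with uid 0, False otherwise.
    The log files and the firewall need root, so __main__ aborts when
    this returns False.
    """
    # Compare the numeric uid directly instead of comparing its string
    # representation with '0' as the previous version did.
    return os.getuid() == 0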
def createDaemon():
"""Detach a process from the controlling terminal and run it in the
background as a daemon.

Returns True in the process that survives the double fork (the caller
goes on as the daemon). When a fork fails, an (errno, strerror) tuple is
returned instead. Both True and a tuple compare "!= 0", so a caller has
to test for a tuple (or for "is not True") rather than comparing the
result with 0.

NOTE(review): this listing omits several single-token lines. The except
clauses below pair with try: lines that are not shown, and the
statements the setsid / directory / permissions comments describe are
not shown either.
"""
# Fork a child process so the parent can exit. This will return control
# to the command line or shell. This is required so that the new process
# is guaranteed not to be a process group leader. We have this guarantee
# because the process GID of the parent is inherited by the child, but
# the child gets a new PID, making it impossible for its PID to equal its
# PGID.
pid = os.fork()
except OSError, e:
return((e.errno, e.strerror)) # ERROR (return a tuple)
if (pid == 0): # The first child.
# Next we call os.setsid() to become the session leader of this new
# session. The process also becomes the process group leader of the
# new process group. Since a controlling terminal is associated with a
# session, and this new session has not yet acquired a controlling
# terminal our process now has no controlling terminal. This shouldn't
# fail, since we're guaranteed that the child is not a process group
# leader.
# When the first child terminates, all processes in the second child
# are sent a SIGHUP, so it's ignored.
signal.signal(signal.SIGHUP, signal.SIG_IGN)
# Fork a second child to prevent zombies. Since the first child is
# a session leader without a controlling terminal, it's possible for
# it to acquire one by opening a terminal in the future. This second
# fork guarantees that the child is no longer a session leader, thus
# preventing the daemon from ever acquiring a controlling terminal.
pid = os.fork() # Fork a second child.
except OSError, e:
return((e.errno, e.strerror)) # ERROR (return a tuple)
if (pid == 0): # The second child.
# Ensure that the daemon doesn't keep any directory in use. Failure
# to do this could make a filesystem unmountable.
# Give the child complete control over permissions.
os._exit(0) # Exit parent (the first child) of the second child.
os._exit(0) # Exit parent of the first child.
# Close all open files. Try the system configuration variable, SC_OPEN_MAX,
# for the maximum number of open files to close. If it doesn't exist, use
# the default value (configurable).
# NOTE(review): closing every descriptor also closes anything the logger
# or the config reader opened before createDaemon() was called; whatever
# has to stay open must be (re)opened afterwards.
maxfd = os.sysconf("SC_OPEN_MAX")
except (AttributeError, ValueError):
maxfd = 256 # default maximum
for fd in range(0, maxfd):
except OSError: # ERROR (ignore)
# Redirect the standard file descriptors to /dev/null. Once the loop
# above has closed every descriptor, 0, 1 and 2 are the lowest free
# ones, so these three open() calls land on stdin, stdout and stderr
# in that order.
os.open("/dev/null", os.O_RDONLY) # standard input (0)
os.open("/dev/null", os.O_RDWR) # standard output (1)
os.open("/dev/null", os.O_RDWR) # standard error (2)
# Only the detached grandchild reaches this point.
return True
def sigTERMhandler(signum, frame):
""" Handles the TERM signal when in daemon mode in order to
exit properly.

Installed by __main__ right after createDaemon() when running in the
background. *frame* is not used. logSys is the module-level logger
created under "if __name__ == '__main__'".
"""
# NOTE(review): only this log line of the body is visible in this
# listing; the statements that perform the shutdown are not shown.
logSys.debug("Signal handler called with sig "+`signum`)
def killApp():
""" Flush the ban list, remove the PID lock file and exit
"""
# NOTE(review): only the first log line of the body is visible in this
# listing; the firewall flush, the PID lock removal and the exit that the
# docstring describes are not shown.
logSys.warn("Restoring firewall rules...")
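def checkForPID(lockfile):
    """ Checks for running Fail2Ban.

    Returns the PID recorded on the first line of *lockfile* as a
    string (without the trailing newline) or False if no instance is
    found: the file cannot be opened, or its first line is not a
    decimal number.

    The file content is not trusted as-is. The default lock path is
    under /tmp, a directory any local user can write to, and __main__
    reports killing whatever PID is read here when -k is given, so only
    a plain decimal value is handed back. A stale file left behind by
    a crashed instance still reads as "running"; liveness of the PID is
    not checked here.
    """
    try:
        fileHandler = open(lockfile)
    except IOError:
        return False
    # The previous version never closed the handle; close it on every path.
    try:
        pid = fileHandler.readline().strip()
    finally:
        fileHandler.close()
    if not pid.isdigit():
        return False
    return pid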
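def createPID(lockfile):
    """ Creates a PID lock file with the current PID.

    Writes the PID of this process followed by a newline to *lockfile*
    (the layout checkForPID() reads back) and closes the file.
    Raises IOError when the file cannot be written.
    """
    pid = os.getpid()
    # NOTE(review): the default lock path is /tmp/fail2ban.pid and this
    # runs as root (see checkForRoot()). A root-owned directory such as
    # one under /var/run is the usual place for a PID file; it avoids
    # writing, as root, into a location that other users control. The
    # path is configurable through the pidlock option and -p.
    fileHandler = open(lockfile, mode='w')
    try:
        fileHandler.write("%d\n" % pid)
    finally:
        fileHandler.close()
    logSys.debug("Created PID lock (%d) in %s" % (pid, lockfile))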
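def removePID(lockfile):
    """ Remove PID lock.

    Deletes *lockfile*. A missing or undeletable file is logged as a
    warning instead of raising, so that the shutdown path that calls
    this can carry on.
    """
    try:
        os.remove(lockfile)
    except OSError:
        logSys.warn("Unable to remove PID lock "+lockfile)
        return
    logSys.debug("Removed PID lock "+lockfile)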
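def killPID(pid):
    """ Kills the process with the given PID using the
    INT signal (same effect as <ctrl>+<c>).

    *pid* may be an int or the decimal string that checkForPID()
    returns. Returns None (the result of os.kill). Raises ValueError
    when *pid* is not a decimal number and OSError when the signal
    cannot be delivered (for example no such process).
    """
    # signal.SIGINT is the named form of the literal 2 used before.
    return os.kill(int(pid), signal.SIGINT)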
if __name__ == "__main__":
# NOTE(review): this listing omits single-token lines (try:, else:, and
# calls written without spaces), so except/elif clauses below appear
# without the header they pair with and some branches appear empty.
# Gets an instance of log4py. logSys is the module-level logger that the
# helper functions above (createPID, removePID, killApp, ...) rely on.
logSys = log4py.Logger().get_instance()
logSys.set_formatstring("%T %L %M")
# Built-in defaults. They are overridden first by the config file (read
# below) and then by the command line options (parsed after that).
conf = dict()
conf["verbose"] = False
conf["background"] = False
conf["debug"] = False
conf["conffile"] = "/etc/fail2ban.conf"
# NOTE(review): /tmp is writable by every local user and this program
# runs as root; a root-owned directory (e.g. under /var/run) is the
# usual home for a PID file. Overridable with the pidlock option or -p.
conf["pidlock"] = "/tmp/fail2ban.pid"
conf["logging"] = False
conf["logfile"] = "/var/log/fail2ban.log"
conf["maxretry"] = 3
conf["bantime"] = 600
conf["ignoreip"] = ''
conf["interface"] = "eth0"
conf["firewall"] = "iptables"
conf["ipfw-start-rule"] = 0
conf["polltime"] = 1
# Reads the command line options. Letters followed by ':' take an
# argument. The try: that pairs with the GetoptError clause and the
# clause body are not shown in this listing.
optList, args = getopt.getopt(sys.argv[1:], 'hvbdkc:l:t:i:r:e:w:p:')
except getopt.GetoptError:
# Pre-parsing of command line options for the -c option, so that the
# config file named on the command line is the one read below.
for opt in optList:
if opt[0] == "-c":
conf["conffile"] = opt[1]
# Config file. The statement that loads conf["conffile"] into the
# parser is not shown in this listing.
configParser = SafeConfigParser()
# Each option below is read inside a try: whose header is not shown.
# ValueError means the value has the wrong type, NoOptionError means the
# option is absent; both keep the default assigned above.
# background
conf["background"] = configParser.getboolean("DEFAULT", "background")
except ValueError:
logSys.warn("background option should be a boolean")
logSys.warn("Using default value")
except NoOptionError:
logSys.warn("background option not in config file")
logSys.warn("Using default value")
# debug
conf["debug"] = configParser.getboolean("DEFAULT", "debug")
except ValueError:
logSys.warn("debug option should be a boolean")
logSys.warn("Using default value")
except NoOptionError:
logSys.warn("debug option not in config file")
logSys.warn("Using default value")
# logfile
conf["logfile"] = configParser.get("DEFAULT", "logfile")
except ValueError:
logSys.warn("logfile option should be a string")
logSys.warn("Using default value")
except NoOptionError:
logSys.warn("logfile option not in config file")
logSys.warn("Using default value")
# pidlock
conf["pidlock"] = configParser.get("DEFAULT", "pidlock")
except ValueError:
logSys.warn("pidlock option should be a string")
logSys.warn("Using default value")
except NoOptionError:
logSys.warn("pidlock option not in config file")
logSys.warn("Using default value")
# maxretry
conf["maxretry"] = configParser.getint("DEFAULT", "maxretry")
except ValueError:
logSys.warn("maxretry option should be an integer")
logSys.warn("Using default value")
except NoOptionError:
logSys.warn("maxretry option not in config file")
logSys.warn("Using default value")
# bantime
conf["bantime"] = configParser.getint("DEFAULT", "bantime")
except ValueError:
logSys.warn("bantime option should be an integer")
logSys.warn("Using default value")
except NoOptionError:
logSys.warn("bantime option not in config file")
logSys.warn("Using default value")
# ignoreip
conf["ignoreip"] = configParser.get("DEFAULT", "ignoreip")
except ValueError:
logSys.warn("ignoreip option should be a string")
logSys.warn("Using default value")
except NoOptionError:
logSys.warn("ignoreip option not in config file")
logSys.warn("Using default value")
# interface
conf["interface"] = configParser.get("DEFAULT", "interface")
except ValueError:
logSys.warn("interface option should be a string")
logSys.warn("Using default value")
except NoOptionError:
logSys.warn("interface option not in config file")
logSys.warn("Using default value")
# firewall
conf["firewall"] = configParser.get("DEFAULT", "firewall")
except ValueError:
logSys.warn("firewall option should be a string")
logSys.warn("Using default value")
except NoOptionError:
logSys.warn("firewall option not in config file")
logSys.warn("Using default value")
# ipfw-start-rule (the continuation line holding the option name is not
# shown in this listing)
conf["ipfw-start-rule"] = configParser.getint("DEFAULT",
except ValueError:
logSys.warn("ipfw-start-rule option should be an integer")
logSys.warn("Using default value")
except NoOptionError:
logSys.warn("ipfw-start-rule option not in config file")
logSys.warn("Using default value")
# polltime
conf["polltime"] = configParser.getint("DEFAULT", "polltime")
except ValueError:
logSys.warn("polltime option should be an integer")
logSys.warn("Using default value")
except NoOptionError:
logSys.warn("polltime option not in config file")
logSys.warn("Using default value")
# Command line options override the config file. Each opt is a
# (flag, value) pair from getopt; the -h branch body is not shown here.
for opt in optList:
if opt[0] == "-h":
if opt[0] == "-v":
conf["verbose"] = True
if opt[0] == "-b":
conf["background"] = True
if opt[0] == "-d":
conf["debug"] = True
if opt[0] == "-e":
conf["interface"] = opt[1]
if opt[0] == "-l":
conf["logging"] = True
conf["logfile"] = opt[1]
# -t: the int() below sits in a try: (not shown) whose ValueError clause
# keeps the default.
if opt[0] == "-t":
conf["bantime"] = int(opt[1])
except ValueError:
logSys.warn("banTime must be an integer")
logSys.warn("Using default value")
# -i replaces (does not extend) the config value; multiple addresses are
# separated by spaces, see the split(' ') further down.
if opt[0] == "-i":
conf["ignoreip"] = opt[1]
# BUG(review): -r stores into conf["retrymax"], but the key consumed
# everywhere else (default above, the debug log and the ban threshold in
# the main loop) is "maxretry", so -r has no effect. Unlike -t, a
# non-integer value also raises ValueError uncaught.
if opt[0] == "-r":
conf["retrymax"] = int(opt[1])
if opt[0] == "-w":
conf["firewall"] = opt[1]
if opt[0] == "-p":
conf["pidlock"] = opt[1]
# -k: pid is the string read from the lock file. The statement that
# actually signals that PID is not shown in this listing; the else: of
# the "if pid" is also missing, the error line below is its body.
# NOTE(review): because the lock file defaults to a world-writable
# directory, the value read from it should be validated as a decimal
# PID before it is used.
if opt[0] == "-k":
pid = checkForPID(conf["pidlock"])
if pid:
logSys.warn("Killed Fail2Ban with PID "+pid)
logSys.error("No running Fail2Ban found")
# Process some options. Only verbose/debug/background/logging/ignoreip/
# firewall are acted on here; the other keys fall through.
# NOTE(review): Python 2 dict iteration order is arbitrary, so the order
# in which these keys are visited (e.g. background before logging) is not
# guaranteed. The verbose and debug branch bodies are not shown.
for c in conf:
if c == "verbose" and conf[c]:
elif c == "debug" and conf[c]:
elif c == "background" and conf[c]:
retCode = createDaemon()
signal.signal(signal.SIGTERM, sigTERMhandler)
# NOTE(review): createDaemon() returns True on success and an
# (errno, strerror) tuple on failure; both are "!= 0", so this branch
# is entered on success as well - confirm before relying on it.
if retCode != 0:
logSys.error("Unable to start daemon")
# The file object returned here is discarded: this only probes that the
# log file can be appended to. The statement that points the logger at
# it (if any) is not shown in this listing; the try: is missing too.
elif c == "logging" and conf[c]:
open(conf["logfile"], "a")
except IOError:
logSys.warn("Unable to log to "+conf["logfile"])
logSys.warn("Using default output for logging")
elif c == "ignoreip":
ignoreIPList = conf[c].split(' ')
# Map the (case-insensitive) firewall name to the class name resolved
# further down. The closing else: is not shown; "Iptables" is the
# fallback for any other value.
elif c == "firewall":
conf[c] = string.lower(conf[c])
if conf[c] == "ipfw":
fireWallName = "Ipfw"
elif conf[c] == "ipfwadm":
fireWallName = "Ipfwadm"
fireWallName = "Iptables"
# Checks for root user. This is necessary because log files
# are owned by root and firewall needs root access. The exit that
# follows the error message is not shown in this listing.
if not checkForRoot():
logSys.error("You must be root")
# In debug mode the PID lock is neither checked nor created.
if not conf["debug"]:
# Checks that no instance of Fail2Ban is currently running. The exit
# after the error and the createPID() call are not shown in this listing.
pid = checkForPID(conf["pidlock"])
if pid:
logSys.error("Fail2Ban already running with PID "+pid)
logSys.debug("ConfFile is "+conf["conffile"])
logSys.debug("BanTime is "+`conf["bantime"]`)
logSys.debug("retryAllowed is "+`conf["maxretry"]`)
# Reads the config file and create a LogReader instance for
# each log file to check. The append of lObj to logList is not shown.
confReader = ConfigReader(logSys, conf["conffile"]);
logList = list()
for t in confReader.getSections():
l = confReader.getLogOptions(t)
if l["enabled"]:
lObj = LogReader(logSys, l["logfile"], l["timeregex"],
l["timepattern"], l["failregex"], conf["bantime"])
# Creates one instance of Iptables (thanks to Python dynamic
# features).
# NOTE(review): eval() is used to turn a class name into the class.
# fireWallName can only be one of the three literals assigned above, so
# no external input reaches eval here, but a plain mapping
# {"Ipfw": Ipfw, "Ipfwadm": Ipfwadm, "Iptables": Iptables}[fireWallName]
# does the same without eval and should replace it.
fireWallObj = eval(fireWallName)
fireWall = fireWallObj(conf["bantime"], logSys, conf["interface"])
# IPFW needs rules number. The configuration option "ipfw-start-rule"
# defines the first rule number used by Fail2Ban. The body of this
# branch is not shown in this listing.
if fireWallName == "Ipfw":
# We add to the ignore list as we do not want to ban ourselves.
# The bodies of the loops below are not shown in this listing;
# ignoreIPList is consumed by pop() and is empty afterwards.
for element in logList:
while len(ignoreIPList) > 0:
ip = ignoreIPList.pop()
for element in logList:
logSys.info("Fail2Ban v"+version+" is running")
2004-10-14 10:30:25 +00:00
# Main loop
while True:
# Checks if some IP have to be remove from ban
# list.
# If the log file has not been modified since the
# last time, we sleep for 1 second. This is active
# polling so not very effective.
modList = list()
for element in logList:
if element.isModified():
if len(modList) == 0:
# Gets the failure list from the log file. For a given IP,
# takes only the service which has the most password failures.
failList = dict()
for element in modList:
e = element.getFailures()
for key in e.iterkeys():
if failList.has_key(key):
if failList[key][0] < e[key][0]:
failList[key] = (e[key][0], e[key][1],
failList[key] = (e[key][0], e[key][1],
# We iterate the failure list and ban IP that make
# *retryAllowed* login failures.
for element in failList.iteritems():
if element[1][0] >= conf["maxretry"]:
logSys.info(`element[1][2]`+": "+element[0]+" has "+
`element[1][0]`+" login failure(s). Banned.")
fireWall.addBanIP(element[0], conf["debug"])
except KeyboardInterrupt:
# When the user press <ctrl>+<c> we exit nicely.