jail.conf: don't specify `action` directly in jails (use `action_` or `banaction` instead);
no mails-action is added per default anymore (e.g. to allow `action = %(action_mw)s` to be specified per jail or in the default section of jail.local), closes gh-2357; ensure we have a unique action name per jail (also if the parameter `actname` is not set but the name deviates from the standard name, gh-2686); don't use `%(banaction)s` interpolation because it can be a complex value (containing `[...]`), which would interfere with the action interpolation.pull/2703/head
parent
7e3061e7ac
commit
06b46e92eb
|
@ -38,6 +38,12 @@ ver. 0.10.6-dev (20??/??/??) - development edition
|
||||||
* python 3.9 compatibility (and Travis CI support)
|
* python 3.9 compatibility (and Travis CI support)
|
||||||
* restoring a large number (500+ depending on files ulimit) of current bans when using PyPy fixed
|
* restoring a large number (500+ depending on files ulimit) of current bans when using PyPy fixed
|
||||||
* manual ban is written to database, so can be restored by restart (gh-2647)
|
* manual ban is written to database, so can be restored by restart (gh-2647)
|
||||||
|
* `jail.conf`: don't specify `action` directly in jails (use `action_` or `banaction` instead)
|
||||||
|
* no mails-action added per default anymore (e. g. to allow that `action = %(action_mw)s` should be specified
|
||||||
|
per jail or in default section in jail.local), closes gh-2357
|
||||||
|
* ensure we've unique action name per jail (also if parameter `actname` is not set but name deviates from standard name, gh-2686)
|
||||||
|
* don't use `%(banaction)s` interpolation because it can be complex value (containing `[...]` and/or quotes),
|
||||||
|
so would bother the action interpolation
|
||||||
* `filter.d/common.conf`: avoid substitute of default values in related `lt_*` section, `__prefix_line`
|
* `filter.d/common.conf`: avoid substitute of default values in related `lt_*` section, `__prefix_line`
|
||||||
should be interpolated in definition section (inside the filter-config, gh-2650)
|
should be interpolated in definition section (inside the filter-config, gh-2650)
|
||||||
|
|
||||||
|
|
|
@ -174,19 +174,19 @@ banaction_allports = iptables-allports
|
||||||
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
||||||
|
|
||||||
# ban & send an e-mail with whois report to the destemail.
|
# ban & send an e-mail with whois report to the destemail.
|
||||||
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
action_mw = %(action_)s
|
||||||
%(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
|
%(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
|
||||||
|
|
||||||
# ban & send an e-mail with whois report and relevant log lines
|
# ban & send an e-mail with whois report and relevant log lines
|
||||||
# to the destemail.
|
# to the destemail.
|
||||||
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
action_mwl = %(action_)s
|
||||||
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
|
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
|
||||||
|
|
||||||
# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
|
# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
|
||||||
#
|
#
|
||||||
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
|
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
|
||||||
# to the destemail.
|
# to the destemail.
|
||||||
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
action_xarf = %(action_)s
|
||||||
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
|
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
|
||||||
|
|
||||||
# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
|
# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
|
||||||
|
@ -333,7 +333,7 @@ maxretry = 1
|
||||||
[openhab-auth]
|
[openhab-auth]
|
||||||
|
|
||||||
filter = openhab
|
filter = openhab
|
||||||
action = iptables-allports[name=NoAuthFailures]
|
banaction = %(banaction_allports)s
|
||||||
logpath = /opt/openhab/logs/request.log
|
logpath = /opt/openhab/logs/request.log
|
||||||
|
|
||||||
|
|
||||||
|
@ -706,8 +706,8 @@ logpath = /var/log/named/security.log
|
||||||
[nsd]
|
[nsd]
|
||||||
|
|
||||||
port = 53
|
port = 53
|
||||||
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
|
action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
|
||||||
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
|
%(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
|
||||||
logpath = /var/log/nsd.log
|
logpath = /var/log/nsd.log
|
||||||
|
|
||||||
|
|
||||||
|
@ -718,9 +718,8 @@ logpath = /var/log/nsd.log
|
||||||
[asterisk]
|
[asterisk]
|
||||||
|
|
||||||
port = 5060,5061
|
port = 5060,5061
|
||||||
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
|
action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
|
||||||
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
|
%(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
|
||||||
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
|
|
||||||
logpath = /var/log/asterisk/messages
|
logpath = /var/log/asterisk/messages
|
||||||
maxretry = 10
|
maxretry = 10
|
||||||
|
|
||||||
|
@ -728,9 +727,8 @@ maxretry = 10
|
||||||
[freeswitch]
|
[freeswitch]
|
||||||
|
|
||||||
port = 5060,5061
|
port = 5060,5061
|
||||||
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
|
action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
|
||||||
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
|
%(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
|
||||||
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
|
|
||||||
logpath = /var/log/freeswitch.log
|
logpath = /var/log/freeswitch.log
|
||||||
maxretry = 10
|
maxretry = 10
|
||||||
|
|
||||||
|
@ -818,8 +816,8 @@ logpath = /opt/cstrike/logs/L[0-9]*.log
|
||||||
# Firewall: http://www.cstrike-planet.com/faq/6
|
# Firewall: http://www.cstrike-planet.com/faq/6
|
||||||
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
|
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
|
||||||
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
|
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
|
||||||
action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
|
action_ = %(default/action_)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp"]
|
||||||
%(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
|
%(default/action_)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp"]
|
||||||
|
|
||||||
[bitwarden]
|
[bitwarden]
|
||||||
port = http,https
|
port = http,https
|
||||||
|
@ -871,8 +869,8 @@ findtime = 1
|
||||||
[murmur]
|
[murmur]
|
||||||
# AKA mumble-server
|
# AKA mumble-server
|
||||||
port = 64738
|
port = 64738
|
||||||
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
|
action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
|
||||||
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
|
%(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
|
||||||
logpath = /var/log/mumble-server/mumble-server.log
|
logpath = /var/log/mumble-server/mumble-server.log
|
||||||
|
|
||||||
|
|
||||||
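Review bot: In the `[openhab-auth]` hunk the replacement `banaction = %(banaction_allports)s` also drops the explicit `name=NoAuthFailures`, so the action now runs under the jail name (the new ActionReader defaults `name` to the jail name), and the chain/rule the allports action creates will presumably be named after `openhab-auth` rather than `NoAuthFailures`. Operators with firewall monitoring or hand-written rules keyed on the old name would see that change silently, and the ChangeLog entries in this commit do not mention it. I'd add a line under the `jail.conf` bullet such as `* [openhab-auth]: action name (and therefore the firewall chain) now defaults to the jail name instead of NoAuthFailures`. The same applies to `[asterisk]` and `[freeswitch]`, which quietly lose their `%(mta)s-whois` action here; the generic "no mails-action added per default" entry arguably covers it, but naming the affected jails would help upgraders.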
|
|
|
@ -52,13 +52,17 @@ class ActionReader(DefinitionInitConfigReader):
|
||||||
}
|
}
|
||||||
|
|
||||||
def __init__(self, file_, jailName, initOpts, **kwargs):
|
def __init__(self, file_, jailName, initOpts, **kwargs):
|
||||||
|
# always supply jail name as name parameter if not specified in options:
|
||||||
|
n = initOpts.get("name")
|
||||||
|
if n is None:
|
||||||
|
initOpts["name"] = n = jailName
|
||||||
actname = initOpts.get("actname")
|
actname = initOpts.get("actname")
|
||||||
if actname is None:
|
if actname is None:
|
||||||
actname = file_
|
actname = file_
|
||||||
|
# ensure we've unique action name per jail:
|
||||||
|
if n != jailName:
|
||||||
|
actname += n[len(jailName):] if n.startswith(jailName) else '-' + n
|
||||||
initOpts["actname"] = actname
|
initOpts["actname"] = actname
|
||||||
# always supply jail name as name parameter if not specified in options:
|
|
||||||
if initOpts.get("name") is None:
|
|
||||||
initOpts["name"] = jailName
|
|
||||||
self._name = actname
|
self._name = actname
|
||||||
DefinitionInitConfigReader.__init__(
|
DefinitionInitConfigReader.__init__(
|
||||||
self, file_, jailName, initOpts, **kwargs)
|
self, file_, jailName, initOpts, **kwargs)
|
||||||
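Review bot: The prefix strip at `actname += n[len(jailName):] if n.startswith(jailName) else '-' + n` does not require a separator after the jail name, so a jail `ssh` with an action named `sshd-tcp` gets the actname `<file>d-tcp` — still unique within the jail, but misleading in logs and in the action list. Testing for the separated prefix, `n.startswith(jailName + '-')`, keeps the short suffix form for the intended `name=%(__name__)s-tcp` case from jail.conf and falls through to the `'-' + n` form otherwise. The block also still mutates the caller's `initOpts` in place (it now writes both `name` and `actname`), which is pre-existing behaviour but deserves a one-line comment such as `# initOpts is updated in place: callers see the resolved name/actname`. A docstring on `__init__` stating that `name` defaults to the jail name and `actname` to the action file name, suffixed whenever `name` deviates from the jail name, would make the uniqueness rule discoverable; the rest of `ActionReader` is outside this hunk.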
|
|