Another way to recognize restored tickets - new option `norestored` of action introduced;

Completely prevents execution of ban/unban operations for actions where norestored = true.
pull/1669/head
sebres 2017-01-16 09:05:45 +01:00
parent 2ed2e7810d
commit 0aa241d303
2 changed files with 25 additions and 11 deletions


@ -363,6 +363,8 @@ class Actions(JailThread, Mapping):
logSys.notice("[%s] %sBan %s", self._jail.name, ('' if not bTicket.restored else 'Restore '), ip) logSys.notice("[%s] %sBan %s", self._jail.name, ('' if not bTicket.restored else 'Restore '), ip)
for name, action in self._actions.iteritems(): for name, action in self._actions.iteritems():
try: try:
if ticket.restored and getattr(action, 'norestored', False):
continue
action.ban(aInfo.copy()) action.ban(aInfo.copy())
except Exception as e: except Exception as e:
logSys.error( logSys.error(
@ -457,6 +459,8 @@ class Actions(JailThread, Mapping):
logSys.notice("[%s] Unban %s", self._jail.name, aInfo["ip"]) logSys.notice("[%s] Unban %s", self._jail.name, aInfo["ip"])
for name, action in unbactions.iteritems(): for name, action in unbactions.iteritems():
try: try:
if ticket.restored and getattr(action, 'norestored', False):
continue
logSys.debug("[%s] action %r: unban %s", self._jail.name, name, aInfo["ip"]) logSys.debug("[%s] action %r: unban %s", self._jail.name, name, aInfo["ip"])
action.unban(aInfo.copy()) action.unban(aInfo.copy())
except Exception as e: except Exception as e:
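Review bot: The new `continue` in both loops skips the action without leaving any trace in the log. In the ban hunk the "Restore Ban" notice has already been written, and in the unban hunk the skip sits before the `logSys.debug(...)` unban line, so the log cannot show that a `norestored` action was not executed for this ticket. A debug line before each `continue`, for example `logSys.debug("[%s] action %r: skip restored ticket %s", self._jail.name, name, ip)` (with `aInfo["ip"]` in the unban loop), would keep the log consistent with what was actually enforced. The ban check also reads `ticket.restored` while the notice just above reads `bTicket.restored`. Both enclosing functions start outside the hunks, so it is worth confirming that the two always agree and that `ticket` is bound in the unban path.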


@ -755,13 +755,17 @@ class Fail2banServerTest(Fail2banClientServerBase):
os.remove(fn) os.remove(fn)
return return
_write_file(fn, "w", _write_file(fn, "w",
"[DEFAULT]",
"_exec_once = 0",
"",
"[Definition]", "[Definition]",
"norestored = %(_exec_once)s",
"restore = ", "restore = ",
"actionstart = echo '[<name>] %s: ** start'" % actname, start, "actionstart = echo '[%(name)s] %(actname)s: ** start'", start,
"actionreload = echo '[<name>] %s: .. reload'" % actname, reload, "actionreload = echo '[%(name)s] %(actname)s: .. reload'", reload,
"actionban = echo '[<name>] %s: ++ ban <ip> %%(restore)s'" % actname, ban, "actionban = echo '[%(name)s] %(actname)s: ++ ban <ip> %(restore)s'", ban,
"actionunban = echo '[<name>] %s: -- unban <ip>'" % actname, unban, "actionunban = echo '[%(name)s] %(actname)s: -- unban <ip>'", unban,
"actionstop = echo '[<name>] %s: __ stop'" % actname, stop, "actionstop = echo '[%(name)s] %(actname)s: __ stop'", stop,
) )
if unittest.F2B.log_level <= logging.DEBUG: # pragma: no cover if unittest.F2B.log_level <= logging.DEBUG: # pragma: no cover
_out_file(fn) _out_file(fn)
@ -782,6 +786,8 @@ class Fail2banServerTest(Fail2banClientServerBase):
if 1 in actions else "", if 1 in actions else "",
" test-action2[name='%(__name__)s', restore='restored: <restored>']" \ " test-action2[name='%(__name__)s', restore='restored: <restored>']" \
if 2 in actions else "", if 2 in actions else "",
" test-action2[name='%(__name__)s', actname=test-action3, _exec_once=1, restore='restored: <restored>']" \
if 3 in actions else "",
"logpath = " + test1log, "logpath = " + test1log,
" " + test2log if 2 in enabled else "", " " + test2log if 2 in enabled else "",
" " + test3log if 2 in enabled else "", " " + test3log if 2 in enabled else "",
@ -794,6 +800,8 @@ class Fail2banServerTest(Fail2banClientServerBase):
"action = ", "action = ",
" test-action2[name='%(__name__)s', restore='restored: <restored>']" \ " test-action2[name='%(__name__)s', restore='restored: <restored>']" \
if 2 in actions else "", if 2 in actions else "",
" test-action2[name='%(__name__)s', actname=test-action3, _exec_once=1, restore='restored: <restored>']" \
if 3 in actions else "",
"logpath = " + test2log, "logpath = " + test2log,
"enabled = true" if 2 in enabled else "", "enabled = true" if 2 in enabled else "",
) )
@ -804,7 +812,7 @@ class Fail2banServerTest(Fail2banClientServerBase):
_write_action_cfg(actname="test-action1") _write_action_cfg(actname="test-action1")
_write_action_cfg(actname="test-action2") _write_action_cfg(actname="test-action2")
_write_jail_cfg(enabled=[1], actions=[1,2]) _write_jail_cfg(enabled=[1], actions=[1,2,3])
# append one wrong configured jail: # append one wrong configured jail:
_write_file(pjoin(cfg, "jail.conf"), "a", "", "[broken-jail]", _write_file(pjoin(cfg, "jail.conf"), "a", "", "[broken-jail]",
"", "filter = broken-jail-filter", "enabled = true") "", "filter = broken-jail-filter", "enabled = true")
@ -827,9 +835,10 @@ class Fail2banServerTest(Fail2banClientServerBase):
self.assertLogged( self.assertLogged(
"stdout: '[test-jail1] test-action1: ** start'", "stdout: '[test-jail1] test-action1: ** start'",
"stdout: '[test-jail1] test-action2: ** start'", all=True) "stdout: '[test-jail1] test-action2: ** start'", all=True)
# test restored is 0: # test restored is 0 (both actions available):
self.assertLogged( self.assertLogged(
"stdout: '[test-jail1] test-action2: ++ ban 192.0.2.1 restored: 0'", "stdout: '[test-jail1] test-action2: ++ ban 192.0.2.1 restored: 0'",
"stdout: '[test-jail1] test-action3: ++ ban 192.0.2.1 restored: 0'",
all=True, wait=MID_WAITTIME) all=True, wait=MID_WAITTIME)
# broken jail was logged (in client and server log): # broken jail was logged (in client and server log):
@ -895,7 +904,7 @@ class Fail2banServerTest(Fail2banClientServerBase):
# don't need action1 anymore: # don't need action1 anymore:
_write_action_cfg(actname="test-action1", allow=False) _write_action_cfg(actname="test-action1", allow=False)
# leave action2 just to test restored interpolation: # leave action2 just to test restored interpolation:
_write_jail_cfg(actions=[2]) _write_jail_cfg(actions=[2,3])
# write new failures: # write new failures:
self.pruneLog("[test-phase 2b]") self.pruneLog("[test-phase 2b]")
@ -947,14 +956,15 @@ class Fail2banServerTest(Fail2banClientServerBase):
"[test-jail2] Restore Ban 192.0.2.4", "[test-jail2] Restore Ban 192.0.2.4",
"[test-jail2] Restore Ban 192.0.2.8", all=True "[test-jail2] Restore Ban 192.0.2.8", all=True
) )
# test restored is 1: # test restored is 1 (only test-action2):
self.assertLogged( self.assertLogged(
"stdout: '[test-jail2] test-action2: ++ ban 192.0.2.4 restored: 1'", "stdout: '[test-jail2] test-action2: ++ ban 192.0.2.4 restored: 1'",
"stdout: '[test-jail2] test-action2: ++ ban 192.0.2.8 restored: 1'", "stdout: '[test-jail2] test-action2: ++ ban 192.0.2.8 restored: 1'",
all=True, wait=MID_WAITTIME) all=True, wait=MID_WAITTIME)
# test test-action3 not executed at all (norestored check):
self.assertNotLogged( self.assertNotLogged(
"stdout: '[test-jail2] test-action2: ++ ban 192.0.2.4 restored: 0'", "stdout: '[test-jail2] test-action3: ++ ban 192.0.2.4 restored: 1'",
"stdout: '[test-jail2] test-action2: ++ ban 192.0.2.8 restored: 0'", "stdout: '[test-jail2] test-action3: ++ ban 192.0.2.8 restored: 1'",
all=True) all=True)
# don't need actions anymore: # don't need actions anymore:
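Review bot: The new negative check in the last hunk only matches test-action3 output that ends in `restored: 1`, so a test-action3 ban that ran with any other suffix would not be caught. If `assertNotLogged` matches substrings (its definition is not visible here), pinning only the prefix would cover every variant, e.g. `"stdout: '[test-jail2] test-action3: ++ ban 192.0.2.4"` and the same for 192.0.2.8. The same hunk also drops the earlier assertion that test-action2 does not log `restored: 0` for these addresses; keeping it alongside the new check would preserve that coverage. The test method starts and continues outside the visible hunks.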