Merge remote-tracking branch 'gh-Th4nat0s/master'

* gh-Th4nat0s/master: Fixed fail2ban-iptables. f2b-iptable no os inject f2b-iptables return errors clean f2b-ipt ip validation and reconfiguration of iptables actions conversion of iptable wrapper to python initial ipv6 via iptable wapper Conflicts: primarily due to fix anchoring actioncheck grep regexp config/action.d/iptables-allports.conf config/action.d/iptables-multiport.conf config/action.d/iptables-new.conf config/action.d/iptables.conf server/filter.py
2012-11-08 17:12:09 -05:00 · 2012-11-08 17:12:09 -05:00 · 1423de45be
parent 348239cf14 485753afc9
commit 1423de45be
10 changed files with 153 additions and 68 deletions
--- a/config/action.d/iptables-allports.conf
+++ b/config/action.d/iptables-allports.conf
@ -2,7 +2,8 @@
 #
 # Author: Cyril Jaquier
 # Modified: Yaroslav O. Halchenko <debian@onerussian.com>
-# 			made active on all ports from original iptables.conf
+# 			made active on all ports from original fail2ban-iptables.conf
 # Modified by Paul J aka Thanat0s for ipv6 support
 #
 # $Revision$
 #
@ -13,23 +14,23 @@
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = iptables -N fail2ban-<name>
+actionstart = fail2ban-iptables -N fail2ban-<name>
-              iptables -A fail2ban-<name> -j RETURN
+              fail2ban-iptables -A fail2ban-<name> -j RETURN
-              iptables -I <chain> -p <protocol> -j fail2ban-<name>
+              fail2ban-iptables -I <chain> -p <protocol> -j fail2ban-<name>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
+actionstop = fail2ban-iptables -D <chain> -p <protocol> -j fail2ban-<name>
-             iptables -F fail2ban-<name>
+             fail2ban-iptables -F fail2ban-<name>
-             iptables -X fail2ban-<name>
+             fail2ban-iptables -X fail2ban-<name>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
-actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
+actioncheck = fail2ban-iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@ -39,7 +40,7 @@ actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@ -49,7 +50,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
 [Init]
@ -64,7 +65,7 @@ name = default
 protocol = tcp
 # Option:  chain
-# Notes    specifies the iptables chain to which the fail2ban rules should be
+# Notes    specifies the fail2ban-iptables chain to which the fail2ban rules should be
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
--- a/config/action.d/iptables-multiport-log.conf
+++ b/config/action.d/iptables-multiport-log.conf
@ -2,6 +2,7 @@
 #
 # Author: Guido Bozzetto
 # Modified: Cyril Jaquier
 # Modified by Paul J aka Thanat0s for ipv6 support
 #
 # make "fail2ban-<name>" chain to match drop IP
 # make "fail2ban-<name>-log" chain to log and drop
@ -16,28 +17,28 @@
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = iptables -N fail2ban-<name>
+actionstart = fail2ban-iptables -N fail2ban-<name>
-              iptables -A fail2ban-<name> -j RETURN
+              fail2ban-iptables -A fail2ban-<name> -j RETURN
-              iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+              fail2ban-iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
-              iptables -N fail2ban-<name>-log
+              fail2ban-iptables -N fail2ban-<name>-log
-              iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
+              fail2ban-iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
-              iptables -A fail2ban-<name>-log -j DROP
+              fail2ban-iptables -A fail2ban-<name>-log -j DROP
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+actionstop = fail2ban-iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
-             iptables -F fail2ban-<name>
+             fail2ban-iptables -F fail2ban-<name>
-             iptables -F fail2ban-<name>-log
+             fail2ban-iptables -F fail2ban-<name>-log
-             iptables -X fail2ban-<name>
+             fail2ban-iptables -X fail2ban-<name>
-             iptables -X fail2ban-<name>-log
+             fail2ban-iptables -X fail2ban-<name>-log
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
-actioncheck = iptables -n -L fail2ban-<name>-log >/dev/null
+actioncheck = fail2ban-iptables -n -L fail2ban-<name>-log >/dev/null
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@ -47,7 +48,7 @@ actioncheck = iptables -n -L fail2ban-<name>-log >/dev/null
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
+actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@ -57,7 +58,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j fail2ban-<name>-log
+actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j fail2ban-<name>-log
 [Init]
@ -78,7 +79,7 @@ port = ssh
 protocol = tcp
 # Option:  chain
-# Notes    specifies the iptables chain to which the fail2ban rules should be
+# Notes    specifies the fail2ban-iptables chain to which the fail2ban rules should be
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
--- a/config/action.d/iptables-multiport.conf
+++ b/config/action.d/iptables-multiport.conf
@ -2,6 +2,7 @@
 #
 # Author: Cyril Jaquier
 # Modified by Yaroslav Halchenko for multiport banning
 # Modified by Paul J aka Thanat0s for ipv6 support
 # $Revision$
 #
@ -11,23 +12,23 @@
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = iptables -N fail2ban-<name>
+actionstart = fail2ban-iptables -N fail2ban-<name>
-              iptables -A fail2ban-<name> -j RETURN
+              fail2ban-iptables -A fail2ban-<name> -j RETURN
-              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+              fail2ban-iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+actionstop = fail2ban-iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
-             iptables -F fail2ban-<name>
+             fail2ban-iptables -F fail2ban-<name>
-             iptables -X fail2ban-<name>
+             fail2ban-iptables -X fail2ban-<name>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
-actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
+actioncheck = fail2ban-iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@ -37,7 +38,7 @@ actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@ -47,7 +48,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
 [Init]
@ -68,7 +69,7 @@ port = ssh
 protocol = tcp
 # Option:  chain
-# Notes    specifies the iptables chain to which the fail2ban rules should be
+# Notes    specifies the fail2ban-iptables chain to which the fail2ban rules should be
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
--- a/config/action.d/iptables-new.conf
+++ b/config/action.d/iptables-new.conf
@ -1,8 +1,9 @@
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
-# Copied from iptables.conf and modified by Yaroslav Halchenko 
+# Copied from fail2ban-iptables.conf and modified by Yaroslav Halchenko 
 #  to fullfill the needs of bugreporter dbts#350746.
 # Modified by Paul J aka Thanat0s for ipv6 support
 #
 # $Revision$
 #
@ -13,23 +14,23 @@
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = iptables -N fail2ban-<name>
+actionstart = fail2ban-iptables -N fail2ban-<name>
-              iptables -A fail2ban-<name> -j RETURN
+              fail2ban-iptables -A fail2ban-<name> -j RETURN
-              iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+              fail2ban-iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+actionstop = fail2ban-iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
-             iptables -F fail2ban-<name>
+             fail2ban-iptables -F fail2ban-<name>
-             iptables -X fail2ban-<name>
+             fail2ban-iptables -X fail2ban-<name>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
-actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
+actioncheck = fail2ban-iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@ -39,7 +40,7 @@ actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@ -49,7 +50,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
 [Init]
@ -70,7 +71,7 @@ port = ssh
 protocol = tcp
 # Option:  chain
-# Notes    specifies the iptables chain to which the fail2ban rules should be
+# Notes    specifies the fail2ban-iptables chain to which the fail2ban rules should be
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
--- a/config/action.d/iptables.conf
+++ b/config/action.d/iptables.conf
@ -1,6 +1,7 @@
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
 # Modified by Paul J aka Thanat0s for ipv6 support
 #
 # $Revision$
 #
@ -11,23 +12,23 @@
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = iptables -N fail2ban-<name>
+actionstart = fail2ban-iptables -N fail2ban-<name>
-              iptables -A fail2ban-<name> -j RETURN
+              fail2ban-iptables -A fail2ban-<name> -j RETURN
-              iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
+              fail2ban-iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
+actionstop = fail2ban-iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
-             iptables -F fail2ban-<name>
+             fail2ban-iptables -F fail2ban-<name>
-             iptables -X fail2ban-<name>
+             fail2ban-iptables -X fail2ban-<name>
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
-actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
+actioncheck = fail2ban-iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@ -37,7 +38,7 @@ actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@ -47,7 +48,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
 [Init]
@ -68,7 +69,7 @@ port = ssh
 protocol = tcp
 # Option:  chain
-# Notes    specifies the iptables chain to which the fail2ban rules should be
+# Notes    specifies the fail2ban-iptables chain to which the fail2ban rules should be
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
--- a/config/fail2ban.conf
+++ b/config/fail2ban.conf
@ -36,3 +36,10 @@ logtarget = /var/log/fail2ban.log
 #
 socket = /var/run/fail2ban/fail2ban.sock
 # Option: ipv6
 # Notes.: Activate IPv6 support
 #         Warning : only with iptables action supported
 # Values: BOOLEAN Default:  disabled
 #
 ipv6 = enabled
--- a/59
+++ b/59
@ -0,0 +1,59 @@
 #!/usr/bin/python
 # This file is part of Fail2Ban.
 #
 # Fail2Ban is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; either version 2 of the License, or
 # (at your option) any later version.
 #
 # Fail2Ban is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with Fail2Ban; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 # Iptable wrapper, call the right iptables depending of the ip proposed
 # Author: Paul J Aka "Thanat0s"
 import sys, re, subprocess
 IPTABLES='/sbin/iptables'
 IP6TABLES='/sbin/ip6tables'
 # Main procedure
 def main(argv):
    pline = " ".join(argv)
    regv4 = re.compile('([0-9]{1,3}\.){3}[0-9]{1,3}')
    if regv4.search(pline):   
        # we are facing to a ipv4
        ret = subprocess.call([IPTABLES] + argv)
        sys.exit(ret)                  
    else:
        # if not, maybe it's a ipv6
        regv6 = re.compile('::[A-Fa-f0-9]{1,4}|(:[A-Fa-f0-9]{1,4}){2,}')
        if regv6.search(pline):
            ret6 = subprocess.call([IP6TABLES] + argv)
            sys.exit(ret6)
        else:
            # if it's not a ipv6 either, we call both iptables
            proc = subprocess.Popen([IPTABLES] + argv)
            proc6 = subprocess.Popen([IP6TABLES] + argv)
            # Splitting the Popen and wait() calls lets us run them in
            # parallel, rather than one after the other
            ret = proc.wait()
            ret6 = proc6.wait()
            # return worst error code
            if ret > ret6:
                sys.exit(ret)
            else:
                sys.exit(ret6)
 # Main call, pass all variables
 if __name__ == "__main__":
    main(sys.argv[1:])
--- a/server/failregex.py
+++ b/server/failregex.py
@ -47,7 +47,7 @@ class Regex:
 		self._matchCache = None
 		# Perform shortcuts expansions.
 		# Replace "<HOST>" with default regular expression for host.
-		regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)")
+		regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_:]+)")
 		if regex.lstrip() == '':
 			raise RegexException("Cannot add empty regex")
 		try:
--- a/server/filter.py
+++ b/server/filter.py
@ -583,6 +583,7 @@ import socket, struct
 class DNSUtils:
 	IP_CRE = re.compile("^(?:\d{1,3}\.){3}\d{1,3}$")
 	IP_CRE6 = re.compile("^(?:[0-9:A-Fa-f]{3,})$")
 	#@staticmethod
 	def dnsToIp(dns):
@ -606,19 +607,31 @@ class DNSUtils:
 		if match:
 			return match
 		else:
-			return None
+			match = DNSUtils.IP_CRE6.match(text)
 			if match:
 				""" Right Here, we faced to a ipv6
 				"""
 				return match
 			else:
 				return None
 	searchIP = staticmethod(searchIP)
 	#@staticmethod
 	def isValidIP(string):
-		""" Return true if str is a valid IP
+		# Return true if str is a valid IP
-		"""
+            	s = string.split('/', 1)
-		s = string.split('/', 1)
+          	# try to convert to ipv4
-		try:
+          	try:
-			socket.inet_aton(s[0])
+      			socket.inet_aton(s[0])
-			return True
+      			return True
-		except socket.error:
+    		except socket.error:
-			return False
+    			# if it had failed try to convert ipv6
    			try:  
            			socket.inet_pton(socket.AF_INET6, s[0])
          			return True
        		except socket.error: 
    				# not a valid address in both stacks
          			return False
 	isValidIP = staticmethod(isValidIP)
 	#@staticmethod
--- a/setup.py
+++ b/setup.py
@ -54,7 +54,8 @@ setup(
 	scripts =	[
 					'fail2ban-client', 
 					'fail2ban-server', 
-					'fail2ban-regex'
+					'fail2ban-regex' ,
 					'fail2ban-iptables'
 				], 
 	packages =	[
 					'common',