github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch '0.10' into 0.11

pull/2362/head
sebres 2019-02-11 19:19:44 +01:00
parent d88ce7181c c819a18a0a
commit 1647d0090e
7 changed files with 58 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ChangeLog
View File

@ -73,12 +73,15 @@ ver. 0.10.5-dev-1 (20??/??/??) - development edition
- MYSQL 8.0.13 compatibility (log-error-verbosity = 3), log-format contains few additional words - MYSQL 8.0.13 compatibility (log-error-verbosity = 3), log-format contains few additional words
enclosed in brackets after "[Note]" (gh-2314) enclosed in brackets after "[Note]" (gh-2314)
* `files/fail2ban.service.in`: fixed systemd-unit template - missing nftables dependency (gh-2313) * `files/fail2ban.service.in`: fixed systemd-unit template - missing nftables dependency (gh-2313)
* several `action.d/mail*`: fixed usage with multiple log files (ultimate fix for gh-976, gh-2341)
### New Features ### New Features
* new failregex-flag tag `<F-MLFGAINED>` for failregex, signaled that the access to service was gained * new failregex-flag tag `<F-MLFGAINED>` for failregex, signaled that the access to service was gained
(ATM used similar to tag `<F-NOFAIL>`, but it does not add the log-line to matches, gh-2279) (ATM used similar to tag `<F-NOFAIL>`, but it does not add the log-line to matches, gh-2279)
### Enhancements ### Enhancements
* jail-reader extended (amend to gh-1622): actions support multi-line options now (interpolations
containing new-line);
ver. 0.10.4 (2018/10/04) - ten-four-on-due-date-ten-four ver. 0.10.4 (2018/10/04) - ten-four-on-due-date-ten-four

7
config/jail.conf
View File

@ -85,6 +85,7 @@ before = paths-debian.conf
# "ignoreself" specifies whether the local resp. own IP addresses should be ignored # "ignoreself" specifies whether the local resp. own IP addresses should be ignored
# (default is true). Fail2ban will not ban a host which matches such addresses. # (default is true). Fail2ban will not ban a host which matches such addresses.
#ignoreself = true #ignoreself = true
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses # will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator. # can be defined using space (and/or comma) separator.
@ -214,19 +215,19 @@ action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protoc
# ban & send an e-mail with whois report and relevant log lines # ban & send an e-mail with whois report and relevant log lines
# to the destemail. # to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action # See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
# #
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines # ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail. # to the destemail.
action_xarf = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] action_xarf = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"] xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines # ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
# to the destemail. # to the destemail.
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
# Report block via blocklist.de fail2ban reporting service API # Report block via blocklist.de fail2ban reporting service API
# #

11
fail2ban/client/jailreader.py
View File

@ -158,12 +158,21 @@ class JailReader(ConfigReader):
self.__filter.getOptions(self.__opts) self.__filter.getOptions(self.__opts)
# Read action # Read action
for act in self.__opts["action"].split('\n'): prevln = ''
actlst = self.__opts["action"].split('\n')
for n, act in enumerate(actlst):
try: try:
if not act: # skip empty actions if not act: # skip empty actions
continue continue
# join with previous line if needed (consider possible new-line):
if prevln: act = prevln + '\n' + act
actName, actOpt = extractOptions(act) actName, actOpt = extractOptions(act)
prevln = ''
if not actName: if not actName:
# consider possible new-line, so repeat with joined next line's:
if n < len(actlst) - 1:
prevln = act
continue
raise JailDefError("Invalid action definition %r" % act) raise JailDefError("Invalid action definition %r" % act)
if actName.endswith(".py"): if actName.endswith(".py"):
self.__actions.append([ self.__actions.append([

24
fail2ban/tests/clientreadertestcase.py
View File

@ -353,6 +353,30 @@ class JailReaderTest(LogCaptureTestCase):
) )
self.assertEqual(expected2, result) self.assertEqual(expected2, result)
def testMultiLineOption(self):
jail = JailReader('multi-log', force_enable=True, basedir=IMPERFECT_CONFIG, share_config=IMPERFECT_CONFIG_SHARE_CFG)
self.assertTrue(jail.read())
self.assertTrue(jail.getOptions())
self.assertEqual(jail.options['logpath'], 'a.log\nb.log\nc.log')
self.assertEqual(jail.options['action'], 'action[actname=\'ban\']\naction[actname=\'log\', logpath="a.log\nb.log\nc.log\nd.log"]\naction[actname=\'test\']')
self.assertSortedEqual([a.convert() for a in jail._JailReader__actions], [
[['set', 'multi-log', 'addaction', 'ban'], ['multi-set', 'multi-log', 'action', 'ban', [
['actionban', 'echo "name: ban, ban: <ip>, logs: a.log\nb.log\nc.log"'],
['actname', 'ban'],
['name', 'multi-log']
]]],
[['set', 'multi-log', 'addaction', 'log'], ['multi-set', 'multi-log', 'action', 'log', [
['actionban', 'echo "name: log, ban: <ip>, logs: a.log\nb.log\nc.log\nd.log"'],
['actname', 'log'],
['logpath', 'a.log\nb.log\nc.log\nd.log'], ['name', 'multi-log']
]]],
[['set', 'multi-log', 'addaction', 'test'], ['multi-set', 'multi-log', 'action', 'test', [
['actionban', 'echo "name: test, ban: <ip>, logs: a.log\nb.log\nc.log"'],
['actname', 'test'],
['name', 'multi-log']
]]]
])
def testVersionAgent(self): def testVersionAgent(self):
unittest.F2B.SkipIfCfgMissing(stock=True) unittest.F2B.SkipIfCfgMissing(stock=True)
jail = JailReader('blocklisttest', force_enable=True, basedir=CONFIG_DIR) jail = JailReader('blocklisttest', force_enable=True, basedir=CONFIG_DIR)

4
fail2ban/tests/config/action.d/action.conf Normal file
View File

@ -0,0 +1,4 @@
[Definition]
actionban = echo "name: <actname>, ban: <ip>, logs: %(logpath)s"

12
fail2ban/tests/config/jail.conf
View File

@ -51,3 +51,15 @@ action =
[tz_correct] [tz_correct]
enabled = true enabled = true
logtimezone = UTC+0200 logtimezone = UTC+0200
[multi-log]
enabled = false
filter =
logpath = a.log
b.log
c.log
log2nd = %(logpath)s
d.log
action = action[actname='ban']
action[actname='log', logpath="%(log2nd)s"]
action[actname='test']

2
fail2ban/tests/fail2banclienttestcase.py
View File

@ -155,7 +155,7 @@ def _out_file(fn, handle=logSys.debug):
def _write_file(fn, mode, *lines): def _write_file(fn, mode, *lines):
f = open(fn, mode) f = open(fn, mode)
f.write('\n'.join(lines)) f.write('\n'.join(lines)+('\n' if lines else ''))
f.close() f.close()
def _read_file(fn): def _read_file(fn):