- Add log4py import exception handling

- Remove metalog class. Now use LogReader
- Add -r option: you can specifie the maximum number of login failure before ban
- Code comments


git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@27 a942ae1a-1317-0410-a47c-b1dcaea8d605

fail2ban.py

@@ -27,13 +27,19 @@ __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
 import posix, time, sys, getopt, os, signal
-import log4py
+
+# Checks if log4py is present.
+try:
+	import log4py
+except:
+	print "log4py is needed (see README)"
+	sys.exit(-1)
 
 # Appends our own modules path
 sys.path.append('/usr/lib/fail2ban')
 
 from firewall.iptables import Iptables
-from logreader.metalog import Metalog
+from logreader.logreader import LogReader
 from version import version
 
 def usage():
@@ -47,6 +53,7 @@ def usage():
 	print "  -f <FILE>  read password failure from FILE"
 	print "  -h         display this help message"
 	print "  -l <FILE>  log message in FILE"
+	print "  -r <VALUE> allow a max of VALUE password failure"
 	print "  -t <TIME>  ban IP for TIME seconds"
 	print "  -v         verbose"
 	print
@@ -140,18 +147,22 @@ def createDaemon():
 
 if __name__ == "__main__":
 	
+	# Gets an instance of log4py.
 	logSys = log4py.Logger().get_instance()
 	logSys.set_formatstring("%T %L %M")
 	
-	try:
-		optList, args = getopt.getopt(sys.argv[1:], 'hvbdf:l:t:i:')
-	except getopt.GetoptError:
-		usage()
-
+	# Initializes some variables.
 	debug = False
 	logFilePath = "/var/log/pwdfail/current"
 	banTime = 600
 	ignoreIPList = {}
+	retryAllowed = 3
+	
+	# Reads the command line options.
+	try:
+		optList, args = getopt.getopt(sys.argv[1:], 'hvbdf:l:t:i:r:')
+	except getopt.GetoptError:
+		usage()
 	
 	for opt in optList:
 		if opt[0] == "-h":
@@ -185,7 +196,15 @@ if __name__ == "__main__":
 				logSys.error("Using default value")
 		if opt[0] == "-i":
 			ignoreIPList = opt[1].split(' ')
+		if opt[0] == "-r":
+			try:
+				retryAllowed = int(opt[1])
+			except ValueError:
+				logSys.error("retryAllowed must be an integer")
+				logSys.error("Using default value")
 	
+	# Checks for root user. This is necessary because log files
+	# are owned by root and firewall needs root access.
 	if not checkForRoot():
 		logSys.error("You must be root")
 		if not debug:
@@ -193,36 +212,51 @@ if __name__ == "__main__":
 	
 	logSys.debug("logFilePath is "+logFilePath)
 	logSys.debug("BanTime is "+`banTime`)
+	logSys.debug("retryAllowed is "+`retryAllowed`)
 	
+	# Creates one instance of Iptables and one of LogReader.
 	fireWall = Iptables(banTime, logSys)
-	logFile = Metalog(logFilePath, logSys, banTime)
+	logFile = LogReader(logFilePath, logSys, banTime)
 	
+	# We add 127.0.0.1 to the ignore list has we do not want
+	# to be ban ourself.
 	logFile.addIgnoreIP("127.0.0.1")
 	while len(ignoreIPList) > 0:
 		ip = ignoreIPList.pop()
 		logFile.addIgnoreIP(ip)
 	
 	logSys.info("Fail2Ban v"+version+" is running")
+	# Main loop
 	while True:
 		try:
 			sys.stdout.flush()
 			sys.stderr.flush()
 			
+			# Checks if some IP have to be remove from ban
+			# list.
 			fireWall.checkForUnBan(debug)
 			
+			# If the log file has not been modified since the
+			# last time, we sleep for 1 second. This is active
+			# polling so not very effective.
 			if not logFile.isModified():
 				time.sleep(1)
 				continue
 			
+			# Gets the failure list from the log file.
 			failList = logFile.getPwdFailure()
-						
+			
+			# We iterate the failure list and ban IP that make
+			# *retryAllowed* login failures.
 			iterFailList = failList.iteritems()
 			for i in range(len(failList)):
 				element = iterFailList.next()
-				if element[1][0] > 2:
+				if element[1][0] >= retryAllowed:
 					fireWall.addBanIP(element[0], debug)
 			
 		except KeyboardInterrupt:
+			# When the user press <ctrl>+<c> we flush the ban list
+			# and exit nicely.
 			logSys.info("Restoring iptables...")
 			fireWall.flushBanList(debug)
 			logSys.info("Exiting...")