github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity
Browse Source

ip validation and reconfiguration of iptables actions

pull/88/head
Th4nat0s 13 years ago
parent
d80643f5de
commit
33c2059d1d
6 changed files with 76 additions and 61 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 23
      config/action.d/iptables-allports.conf
  2. 31
      config/action.d/iptables-multiport-log.conf
  3. 21
      config/action.d/iptables-multiport.conf
  4. 23
      config/action.d/iptables-new.conf
  5. 21
      config/action.d/iptables.conf
  6. 18
      server/filter.py

23
config/action.d/iptables-allports.conf
Unescape View File

@ -2,7 +2,8 @@
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
# made active on all ports from original iptables.conf
# made active on all ports from original fail2ban-iptables.conf
# Modified by Paul J aka Thanat0s for ipv6 support
#
# $Revision$
#
@ -13,23 +14,23 @@
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I <chain> -p <protocol> -j fail2ban-<name>
actionstart = fail2ban-iptables -N fail2ban-<name>
fail2ban-iptables -A fail2ban-<name> -j RETURN
fail2ban-iptables -I <chain> -p <protocol> -j fail2ban-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
actionstop = fail2ban-iptables -D <chain> -p <protocol> -j fail2ban-<name>
fail2ban-iptables -F fail2ban-<name>
fail2ban-iptables -X fail2ban-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
actioncheck = fail2ban-iptables -n -L <chain> | grep -q fail2ban-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@ -39,7 +40,7 @@ actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -49,7 +50,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
[Init]
@ -64,7 +65,7 @@ name = default
protocol = tcp
# Option: chain
# Notes specifies the iptables chain to which the fail2ban rules should be
# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT

31
config/action.d/iptables-multiport-log.conf
Unescape View File

@ -2,6 +2,7 @@
#
# Author: Guido Bozzetto
# Modified: Cyril Jaquier
# Modified by Paul J aka Thanat0s for ipv6 support
#
# make "fail2ban-<name>" chain to match drop IP
# make "fail2ban-<name>-log" chain to log and drop
@ -16,28 +17,28 @@
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -N fail2ban-<name>-log
iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
iptables -A fail2ban-<name>-log -j DROP
actionstart = fail2ban-iptables -N fail2ban-<name>
fail2ban-iptables -A fail2ban-<name> -j RETURN
fail2ban-iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
fail2ban-iptables -N fail2ban-<name>-log
fail2ban-iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
fail2ban-iptables -A fail2ban-<name>-log -j DROP
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -F fail2ban-<name>-log
iptables -X fail2ban-<name>
iptables -X fail2ban-<name>-log
actionstop = fail2ban-iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
fail2ban-iptables -F fail2ban-<name>
fail2ban-iptables -F fail2ban-<name>-log
fail2ban-iptables -X fail2ban-<name>
fail2ban-iptables -X fail2ban-<name>-log
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L fail2ban-<name>-log >/dev/null
actioncheck = fail2ban-iptables -n -L fail2ban-<name>-log >/dev/null
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@ -47,7 +48,7 @@ actioncheck = iptables -n -L fail2ban-<name>-log >/dev/null
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -57,7 +58,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j fail2ban-<name>-log
actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j fail2ban-<name>-log
[Init]
@ -78,7 +79,7 @@ port = ssh
protocol = tcp
# Option: chain
# Notes specifies the iptables chain to which the fail2ban rules should be
# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT

21
config/action.d/iptables-multiport.conf
Unescape View File

@ -2,6 +2,7 @@
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
# Modified by Paul J aka Thanat0s for ipv6 support
# $Revision$
#
@ -11,23 +12,23 @@
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
actionstart = fail2ban-iptables -N fail2ban-<name>
fail2ban-iptables -A fail2ban-<name> -j RETURN
fail2ban-iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
actionstop = fail2ban-iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
fail2ban-iptables -F fail2ban-<name>
fail2ban-iptables -X fail2ban-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
actioncheck = fail2ban-iptables -n -L <chain> | grep -q fail2ban-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@ -37,7 +38,7 @@ actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -47,7 +48,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
[Init]
@ -68,7 +69,7 @@ port = ssh
protocol = tcp
# Option: chain
# Notes specifies the iptables chain to which the fail2ban rules should be
# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT

23
config/action.d/iptables-new.conf
Unescape View File

@ -1,8 +1,9 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Copied from iptables.conf and modified by Yaroslav Halchenko
# Copied from fail2ban-iptables.conf and modified by Yaroslav Halchenko
# to fullfill the needs of bugreporter dbts#350746.
# Modified by Paul J aka Thanat0s for ipv6 support
#
# $Revision$
#
@ -13,23 +14,23 @@
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
actionstart = fail2ban-iptables -N fail2ban-<name>
fail2ban-iptables -A fail2ban-<name> -j RETURN
fail2ban-iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
actionstop = fail2ban-iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
fail2ban-iptables -F fail2ban-<name>
fail2ban-iptables -X fail2ban-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
actioncheck = fail2ban-iptables -n -L <chain> | grep -q fail2ban-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@ -39,7 +40,7 @@ actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -49,7 +50,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
[Init]
@ -70,7 +71,7 @@ port = ssh
protocol = tcp
# Option: chain
# Notes specifies the iptables chain to which the fail2ban rules should be
# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT

21
config/action.d/iptables.conf
Unescape View File

@ -1,6 +1,7 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Paul J aka Thanat0s for ipv6 support
#
# $Revision$
#
@ -11,23 +12,23 @@
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
actionstart = fail2ban-iptables -N fail2ban-<name>
fail2ban-iptables -A fail2ban-<name> -j RETURN
fail2ban-iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
actionstop = fail2ban-iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
fail2ban-iptables -F fail2ban-<name>
fail2ban-iptables -X fail2ban-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
actioncheck = fail2ban-iptables -n -L <chain> | grep -q fail2ban-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@ -37,7 +38,7 @@ actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -47,7 +48,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
[Init]
@ -68,7 +69,7 @@ port = ssh
protocol = tcp
# Option: chain
# Notes specifies the iptables chain to which the fail2ban rules should be
# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT

18
server/filter.py
Unescape View File

@ -582,10 +582,20 @@ class DNSUtils:
#@staticmethod
def isValidIP(string):
""" Return true if str is a valid IP
We Consider that logfiles didn't make errors ;)
"""
return True
# Return true if str is a valid IP
s = string.split('/', 1)
# try to convert to ipv4
try:
socket.inet_aton(s[0])
return True
except socket.error:
# if it had failed try to convert ipv6
try:
socket.inet_pton(socket.AF_INET6, s[0])
return True
except socket.error:
# not a valid address in both stacks
return False
isValidIP = staticmethod(isValidIP)
#@staticmethod

Write Preview
Loading…
Cancel
Save