From 33c2059d1d8e6a3617e4f30f8a5f6f694dd720e4 Mon Sep 17 00:00:00 2001
From: Th4nat0s <thanspam@trollprod.org>
Date: Sun, 17 Jun 2012 00:50:17 +0200
Subject: [PATCH] ip validation and reconfiguration of iptables actions

---
 config/action.d/iptables-allports.conf | 23 +++++++-------
 config/action.d/iptables-multiport-log.conf | 31 +++++++++++----------
 config/action.d/iptables-multiport.conf | 21 +++++++------
 config/action.d/iptables-new.conf | 23 +++++++-------
 config/action.d/iptables.conf | 21 +++++++------
 server/filter.py | 18 +++++++++---
 6 files changed, 76 insertions(+), 61 deletions(-)

diff --git a/config/action.d/iptables-allports.conf b/config/action.d/iptables-allports.conf
index 1cc2daba..51dc8a5d 100644
--- a/config/action.d/iptables-allports.conf
+++ b/config/action.d/iptables-allports.conf
@@ -2,7 +2,8 @@
 #
 # Author: Cyril Jaquier
 # Modified: Yaroslav O. Halchenko <debian@onerussian.com>
-# made active on all ports from original iptables.conf
+# made active on all ports from original fail2ban-iptables.conf
+# Modified by Paul J aka Thanat0s for ipv6 support
 #
 # $Revision$
 #
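Review bot: The reworded header line now cites `original fail2ban-iptables.conf`, but the file this action was derived from is still config/action.d/iptables.conf in this very commit, so the comment points at a file that does not exist; this looks like a blanket iptables→fail2ban-iptables substitution that also hit prose. Suggest restoring `# made active on all ports from original iptables.conf`. The same mis-substitution appears in the iptables-new.conf header (`# Copied from fail2ban-iptables.conf and modified by Yaroslav Halchenko`) and in the `# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be` line of the chain option in all five action files, where "iptables chain" names the netfilter chain, not the command.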
@@ -13,23 +14,23 @@
 # Notes.: command executed once at the start of Fail2Ban.
 # Values: CMD
 #
-actionstart = iptables -N fail2ban-<name>
- iptables -A fail2ban-<name> -j RETURN
- iptables -I <chain> -p <protocol> -j fail2ban-<name>
+actionstart = fail2ban-iptables -N fail2ban-<name>
+ fail2ban-iptables -A fail2ban-<name> -j RETURN
+ fail2ban-iptables -I <chain> -p <protocol> -j fail2ban-<name>
 
 # Option: actionstop
 # Notes.: command executed once at the end of Fail2Ban
 # Values: CMD
 #
-actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
- iptables -F fail2ban-<name>
- iptables -X fail2ban-<name>
+actionstop = fail2ban-iptables -D <chain> -p <protocol> -j fail2ban-<name>
+ fail2ban-iptables -F fail2ban-<name>
+ fail2ban-iptables -X fail2ban-<name>
 
 # Option: actioncheck
 # Notes.: command executed once before each actionban command
 # Values: CMD
 #
-actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
+actioncheck = fail2ban-iptables -n -L <chain> | grep -q fail2ban-<name>
 
 # Option: actionban
 # Notes.: command executed when banning an IP. Take care that the
@@ -39,7 +40,7 @@ actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
 # <time> unix timestamp of the ban time
 # Values: CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 
 # Option: actionunban
 # Notes.: command executed when unbanning an IP. Take care that the
@@ -49,7 +50,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 # <time> unix timestamp of the ban time
 # Values: CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
 
 [Init]
 
@@ -64,7 +65,7 @@ name = default
 protocol = tcp
 
 # Option: chain
-# Notes specifies the iptables chain to which the fail2ban rules should be
+# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be
 # added
 # Values: STRING Default: INPUT
 chain = INPUT
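Review bot: Every action command now executes `fail2ban-iptables`, but nothing in this commit adds such a script (the diffstat lists only the five action files and server/filter.py), so on a host where that wrapper is not installed separately actionstart, actioncheck, actionban and actionunban all fail and the jail bans nothing while the log only shows command errors. If the wrapper is meant to select iptables or ip6tables by address family, it should ship in this commit together with a comment in each action file saying what it does with `<ip>`; until it exists the actions should keep calling `iptables`. The same applies to the actionstart/actionstop/actioncheck/actionban/actionunban hunks of iptables-multiport-log.conf, iptables-multiport.conf, iptables-new.conf and iptables.conf.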
diff --git a/config/action.d/iptables-multiport-log.conf b/config/action.d/iptables-multiport-log.conf
index 9cdc4bab..bd63b388 100644
--- a/config/action.d/iptables-multiport-log.conf
+++ b/config/action.d/iptables-multiport-log.conf
@@ -2,6 +2,7 @@
 #
 # Author: Guido Bozzetto
 # Modified: Cyril Jaquier
+# Modified by Paul J aka Thanat0s for ipv6 support
 #
 # make "fail2ban-<name>" chain to match drop IP
 # make "fail2ban-<name>-log" chain to log and drop
@@ -16,28 +17,28 @@
 # Notes.: command executed once at the start of Fail2Ban.
 # Values: CMD
 #
-actionstart = iptables -N fail2ban-<name>
- iptables -A fail2ban-<name> -j RETURN
- iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
- iptables -N fail2ban-<name>-log
- iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
- iptables -A fail2ban-<name>-log -j DROP
+actionstart = fail2ban-iptables -N fail2ban-<name>
+ fail2ban-iptables -A fail2ban-<name> -j RETURN
+ fail2ban-iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+ fail2ban-iptables -N fail2ban-<name>-log
+ fail2ban-iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
+ fail2ban-iptables -A fail2ban-<name>-log -j DROP
 
 # Option: actionstop
 # Notes.: command executed once at the end of Fail2Ban
 # Values: CMD
 #
-actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
- iptables -F fail2ban-<name>
- iptables -F fail2ban-<name>-log
- iptables -X fail2ban-<name>
- iptables -X fail2ban-<name>-log
+actionstop = fail2ban-iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+ fail2ban-iptables -F fail2ban-<name>
+ fail2ban-iptables -F fail2ban-<name>-log
+ fail2ban-iptables -X fail2ban-<name>
+ fail2ban-iptables -X fail2ban-<name>-log
 
 # Option: actioncheck
 # Notes.: command executed once before each actionban command
 # Values: CMD
 #
-actioncheck = iptables -n -L fail2ban-<name>-log >/dev/null
+actioncheck = fail2ban-iptables -n -L fail2ban-<name>-log >/dev/null
 
 # Option: actionban
 # Notes.: command executed when banning an IP. Take care that the
@@ -47,7 +48,7 @@ actioncheck = iptables -n -L fail2ban-<name>-log >/dev/null
 # <time> unix timestamp of the ban time
 # Values: CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
+actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
 
 # Option: actionunban
 # Notes.: command executed when unbanning an IP. Take care that the
@@ -57,7 +58,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
 # <time> unix timestamp of the ban time
 # Values: CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j fail2ban-<name>-log
+actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j fail2ban-<name>-log
 
 [Init]
 
@@ -78,7 +79,7 @@ port = ssh
 protocol = tcp
 
 # Option: chain
-# Notes specifies the iptables chain to which the fail2ban rules should be
+# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be
 # added
 # Values: STRING Default: INPUT
 chain = INPUT
diff --git a/config/action.d/iptables-multiport.conf b/config/action.d/iptables-multiport.conf
index ad554f5c..65c3a7f5 100644
--- a/config/action.d/iptables-multiport.conf
+++ b/config/action.d/iptables-multiport.conf
@@ -2,6 +2,7 @@
 #
 # Author: Cyril Jaquier
 # Modified by Yaroslav Halchenko for multiport banning
+# Modified by Paul J aka Thanat0s for ipv6 support
 # $Revision$
 #
 
@@ -11,23 +12,23 @@
 # Notes.: command executed once at the start of Fail2Ban.
 # Values: CMD
 #
-actionstart = iptables -N fail2ban-<name>
- iptables -A fail2ban-<name> -j RETURN
- iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+actionstart = fail2ban-iptables -N fail2ban-<name>
+ fail2ban-iptables -A fail2ban-<name> -j RETURN
+ fail2ban-iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
 
 # Option: actionstop
 # Notes.: command executed once at the end of Fail2Ban
 # Values: CMD
 #
-actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
- iptables -F fail2ban-<name>
- iptables -X fail2ban-<name>
+actionstop = fail2ban-iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+ fail2ban-iptables -F fail2ban-<name>
+ fail2ban-iptables -X fail2ban-<name>
 
 # Option: actioncheck
 # Notes.: command executed once before each actionban command
 # Values: CMD
 #
-actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
+actioncheck = fail2ban-iptables -n -L <chain> | grep -q fail2ban-<name>
 
 # Option: actionban
 # Notes.: command executed when banning an IP. Take care that the
@@ -37,7 +38,7 @@ actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
 # <time> unix timestamp of the ban time
 # Values: CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 
 # Option: actionunban
 # Notes.: command executed when unbanning an IP. Take care that the
@@ -47,7 +48,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 # <time> unix timestamp of the ban time
 # Values: CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
 
 [Init]
 
@@ -68,7 +69,7 @@ port = ssh
 protocol = tcp
 
 # Option: chain
-# Notes specifies the iptables chain to which the fail2ban rules should be
+# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be
 # added
 # Values: STRING Default: INPUT
 chain = INPUT
diff --git a/config/action.d/iptables-new.conf b/config/action.d/iptables-new.conf
index c249de2d..049ce719 100644
--- a/config/action.d/iptables-new.conf
+++ b/config/action.d/iptables-new.conf
@@ -1,8 +1,9 @@
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
-# Copied from iptables.conf and modified by Yaroslav Halchenko
+# Copied from fail2ban-iptables.conf and modified by Yaroslav Halchenko
 # to fullfill the needs of bugreporter dbts#350746.
+# Modified by Paul J aka Thanat0s for ipv6 support
 #
 # $Revision$
 #
@@ -13,23 +14,23 @@
 # Notes.: command executed once at the start of Fail2Ban.
 # Values: CMD
 #
-actionstart = iptables -N fail2ban-<name>
- iptables -A fail2ban-<name> -j RETURN
- iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+actionstart = fail2ban-iptables -N fail2ban-<name>
+ fail2ban-iptables -A fail2ban-<name> -j RETURN
+ fail2ban-iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
 
 # Option: actionstop
 # Notes.: command executed once at the end of Fail2Ban
 # Values: CMD
 #
-actionstop = iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
- iptables -F fail2ban-<name>
- iptables -X fail2ban-<name>
+actionstop = fail2ban-iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+ fail2ban-iptables -F fail2ban-<name>
+ fail2ban-iptables -X fail2ban-<name>
 
 # Option: actioncheck
 # Notes.: command executed once before each actionban command
 # Values: CMD
 #
-actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
+actioncheck = fail2ban-iptables -n -L <chain> | grep -q fail2ban-<name>
 
 # Option: actionban
 # Notes.: command executed when banning an IP. Take care that the
@@ -39,7 +40,7 @@ actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
 # <time> unix timestamp of the ban time
 # Values: CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 
 # Option: actionunban
 # Notes.: command executed when unbanning an IP. Take care that the
@@ -49,7 +50,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 # <time> unix timestamp of the ban time
 # Values: CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
 
 [Init]
 
@@ -70,7 +71,7 @@ port = ssh
 protocol = tcp
 
 # Option: chain
-# Notes specifies the iptables chain to which the fail2ban rules should be
+# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be
 # added
 # Values: STRING Default: INPUT
 chain = INPUT
diff --git a/config/action.d/iptables.conf b/config/action.d/iptables.conf
index 09cfb98b..fffee7b8 100644
--- a/config/action.d/iptables.conf
+++ b/config/action.d/iptables.conf
@@ -1,6 +1,7 @@
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
+# Modified by Paul J aka Thanat0s for ipv6 support
 #
 # $Revision$
 #
@@ -11,23 +12,23 @@
 # Notes.: command executed once at the start of Fail2Ban.
 # Values: CMD
 #
-actionstart = iptables -N fail2ban-<name>
- iptables -A fail2ban-<name> -j RETURN
- iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
+actionstart = fail2ban-iptables -N fail2ban-<name>
+ fail2ban-iptables -A fail2ban-<name> -j RETURN
+ fail2ban-iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
 
 # Option: actionstop
 # Notes.: command executed once at the end of Fail2Ban
 # Values: CMD
 #
-actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
- iptables -F fail2ban-<name>
- iptables -X fail2ban-<name>
+actionstop = fail2ban-iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
+ fail2ban-iptables -F fail2ban-<name>
+ fail2ban-iptables -X fail2ban-<name>
 
 # Option: actioncheck
 # Notes.: command executed once before each actionban command
 # Values: CMD
 #
-actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
+actioncheck = fail2ban-iptables -n -L <chain> | grep -q fail2ban-<name>
 
 # Option: actionban
 # Notes.: command executed when banning an IP. Take care that the
@@ -37,7 +38,7 @@ actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
 # <time> unix timestamp of the ban time
 # Values: CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 
 # Option: actionunban
 # Notes.: command executed when unbanning an IP. Take care that the
@@ -47,7 +48,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 # <time> unix timestamp of the ban time
 # Values: CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
 
 [Init]
 
@@ -68,7 +69,7 @@ port = ssh
 protocol = tcp
 
 # Option: chain
-# Notes specifies the iptables chain to which the fail2ban rules should be
+# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be
 # added
 # Values: STRING Default: INPUT
 chain = INPUT
diff --git a/server/filter.py b/server/filter.py
index 2e9a2bc9..d09c3844 100644
--- a/server/filter.py
+++ b/server/filter.py
@@ -582,10 +582,20 @@ class DNSUtils:
 
 	#@staticmethod
 	def isValidIP(string):
-		""" Return true if str is a valid IP
-		We Consider that logfiles didn't make errors ;)
-		"""
-		return True
+		# Return true if str is a valid IP
+		s = string.split('/', 1)
+		# try to convert to ipv4
+		try:
+			socket.inet_aton(s[0])
+			return True
+		except socket.error:
+			# if it had failed try to convert ipv6
+			try:
+				socket.inet_pton(socket.AF_INET6, s[0])
+				return True
+			except socket.error:
+				# not a valid address in both stacks
+				return False
 	isValidIP = staticmethod(isValidIP)
 
 	#@staticmethod
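Review bot: isValidIP validates only the text before the first `/` (`s = string.split('/', 1)` and every later check uses `s[0]`), so whatever follows the slash is accepted unexamined; if this is the check that stands between a parsed log field and the `<ip>` substitution in the shell-executed actionban/actionunban commands shown in the action files above (the call site is outside the hunk), the suffix is a hole in that check. A second weakness is `socket.inet_aton`, which accepts abbreviated forms such as `1`, `1.2.3` or `127.1` that are not dotted-quads, whereas `socket.inet_pton(socket.AF_INET, ...)` — the same call the hunk already relies on for IPv6 — is strict. The rewrite below keeps the signature, requires any `/` suffix to be a bare numeric prefix length within the family's range, and restores the docstring the hunk turned into a comment.
```python
	def isValidIP(string):
		""" Return true if str is a valid IPv4 or IPv6 address,
		optionally followed by "/<prefix length>".
		"""
		s = string.split('/', 1)
		# anything after "/" must be a bare prefix length, nothing else
		if len(s) == 2 and not s[1].isdigit():
			return False
		for family, maxlen in ((socket.AF_INET, 32), (socket.AF_INET6, 128)):
			try:
				socket.inet_pton(family, s[0])
			except socket.error:
				continue
			return len(s) == 1 or int(s[1]) <= maxlen
		return False
```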