From 33c2059d1d8e6a3617e4f30f8a5f6f694dd720e4 Mon Sep 17 00:00:00 2001
From: Th4nat0s <thanspam@trollprod.org>
Date: Sun, 17 Jun 2012 00:50:17 +0200
Subject: [PATCH] ip validation and reconfiguration of iptables actions
---
config/action.d/iptables-allports.conf | 23 +++++++--------
config/action.d/iptables-multiport-log.conf | 31 +++++++++++----------
config/action.d/iptables-multiport.conf | 21 +++++++-------
config/action.d/iptables-new.conf | 23 +++++++--------
config/action.d/iptables.conf | 21 +++++++-------
server/filter.py | 18 +++++++++---
6 files changed, 76 insertions(+), 61 deletions(-)
diff --git a/config/action.d/iptables-allports.conf b/config/action.d/iptables-allports.conf
index 1cc2daba..51dc8a5d 100644
--- a/config/action.d/iptables-allports.conf
+++ b/config/action.d/iptables-allports.conf
@@ -2,7 +2,8 @@
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
-# made active on all ports from original iptables.conf
+# made active on all ports from original fail2ban-iptables.conf
+# Modified by Paul J aka Thanat0s for ipv6 support
#
# $Revision$
#
@@ -13,23 +14,23 @@
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
-actionstart = iptables -N fail2ban-<name>
- iptables -A fail2ban-<name> -j RETURN
- iptables -I <chain> -p <protocol> -j fail2ban-<name>
+actionstart = fail2ban-iptables -N fail2ban-<name>
+ fail2ban-iptables -A fail2ban-<name> -j RETURN
+ fail2ban-iptables -I <chain> -p <protocol> -j fail2ban-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
-actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
- iptables -F fail2ban-<name>
- iptables -X fail2ban-<name>
+actionstop = fail2ban-iptables -D <chain> -p <protocol> -j fail2ban-<name>
+ fail2ban-iptables -F fail2ban-<name>
+ fail2ban-iptables -X fail2ban-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
-actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
+actioncheck = fail2ban-iptables -n -L <chain> | grep -q fail2ban-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@@ -39,7 +40,7 @@ actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
# <time> unix timestamp of the ban time
# Values: CMD
#
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@@ -49,7 +50,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# <time> unix timestamp of the ban time
# Values: CMD
#
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
[Init]
@@ -64,7 +65,7 @@ name = default
protocol = tcp
# Option: chain
-# Notes specifies the iptables chain to which the fail2ban rules should be
+# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT
diff --git a/config/action.d/iptables-multiport-log.conf b/config/action.d/iptables-multiport-log.conf
index 9cdc4bab..bd63b388 100644
--- a/config/action.d/iptables-multiport-log.conf
+++ b/config/action.d/iptables-multiport-log.conf
@@ -2,6 +2,7 @@
#
# Author: Guido Bozzetto
# Modified: Cyril Jaquier
+# Modified by Paul J aka Thanat0s for ipv6 support
#
# make "fail2ban-<name>" chain to match drop IP
# make "fail2ban-<name>-log" chain to log and drop
@@ -16,28 +17,28 @@
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
-actionstart = iptables -N fail2ban-<name>
- iptables -A fail2ban-<name> -j RETURN
- iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
- iptables -N fail2ban-<name>-log
- iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
- iptables -A fail2ban-<name>-log -j DROP
+actionstart = fail2ban-iptables -N fail2ban-<name>
+ fail2ban-iptables -A fail2ban-<name> -j RETURN
+ fail2ban-iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+ fail2ban-iptables -N fail2ban-<name>-log
+ fail2ban-iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
+ fail2ban-iptables -A fail2ban-<name>-log -j DROP
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
-actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
- iptables -F fail2ban-<name>
- iptables -F fail2ban-<name>-log
- iptables -X fail2ban-<name>
- iptables -X fail2ban-<name>-log
+actionstop = fail2ban-iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+ fail2ban-iptables -F fail2ban-<name>
+ fail2ban-iptables -F fail2ban-<name>-log
+ fail2ban-iptables -X fail2ban-<name>
+ fail2ban-iptables -X fail2ban-<name>-log
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
-actioncheck = iptables -n -L fail2ban-<name>-log >/dev/null
+actioncheck = fail2ban-iptables -n -L fail2ban-<name>-log >/dev/null
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@@ -47,7 +48,7 @@ actioncheck = iptables -n -L fail2ban-<name>-log >/dev/null
# <time> unix timestamp of the ban time
# Values: CMD
#
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
+actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@@ -57,7 +58,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
# <time> unix timestamp of the ban time
# Values: CMD
#
-actionunban = iptables -D fail2ban-<name> -s <ip> -j fail2ban-<name>-log
+actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j fail2ban-<name>-log
[Init]
@@ -78,7 +79,7 @@ port = ssh
protocol = tcp
# Option: chain
-# Notes specifies the iptables chain to which the fail2ban rules should be
+# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT
diff --git a/config/action.d/iptables-multiport.conf b/config/action.d/iptables-multiport.conf
index ad554f5c..65c3a7f5 100644
--- a/config/action.d/iptables-multiport.conf
+++ b/config/action.d/iptables-multiport.conf
@@ -2,6 +2,7 @@
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
+# Modified by Paul J aka Thanat0s for ipv6 support
# $Revision$
#
@@ -11,23 +12,23 @@
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
-actionstart = iptables -N fail2ban-<name>
- iptables -A fail2ban-<name> -j RETURN
- iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+actionstart = fail2ban-iptables -N fail2ban-<name>
+ fail2ban-iptables -A fail2ban-<name> -j RETURN
+ fail2ban-iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
-actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
- iptables -F fail2ban-<name>
- iptables -X fail2ban-<name>
+actionstop = fail2ban-iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+ fail2ban-iptables -F fail2ban-<name>
+ fail2ban-iptables -X fail2ban-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
-actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
+actioncheck = fail2ban-iptables -n -L <chain> | grep -q fail2ban-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@@ -37,7 +38,7 @@ actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
# <time> unix timestamp of the ban time
# Values: CMD
#
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@@ -47,7 +48,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# <time> unix timestamp of the ban time
# Values: CMD
#
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
[Init]
@@ -68,7 +69,7 @@ port = ssh
protocol = tcp
# Option: chain
-# Notes specifies the iptables chain to which the fail2ban rules should be
+# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT
diff --git a/config/action.d/iptables-new.conf b/config/action.d/iptables-new.conf
index c249de2d..049ce719 100644
--- a/config/action.d/iptables-new.conf
+++ b/config/action.d/iptables-new.conf
@@ -1,8 +1,9 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
-# Copied from iptables.conf and modified by Yaroslav Halchenko
+# Copied from fail2ban-iptables.conf and modified by Yaroslav Halchenko
# to fullfill the needs of bugreporter dbts#350746.
+# Modified by Paul J aka Thanat0s for ipv6 support
#
# $Revision$
#
@@ -13,23 +14,23 @@
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
-actionstart = iptables -N fail2ban-<name>
- iptables -A fail2ban-<name> -j RETURN
- iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+actionstart = fail2ban-iptables -N fail2ban-<name>
+ fail2ban-iptables -A fail2ban-<name> -j RETURN
+ fail2ban-iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
-actionstop = iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
- iptables -F fail2ban-<name>
- iptables -X fail2ban-<name>
+actionstop = fail2ban-iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+ fail2ban-iptables -F fail2ban-<name>
+ fail2ban-iptables -X fail2ban-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
-actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
+actioncheck = fail2ban-iptables -n -L <chain> | grep -q fail2ban-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@@ -39,7 +40,7 @@ actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
# <time> unix timestamp of the ban time
# Values: CMD
#
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@@ -49,7 +50,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# <time> unix timestamp of the ban time
# Values: CMD
#
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
[Init]
@@ -70,7 +71,7 @@ port = ssh
protocol = tcp
# Option: chain
-# Notes specifies the iptables chain to which the fail2ban rules should be
+# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT
diff --git a/config/action.d/iptables.conf b/config/action.d/iptables.conf
index 09cfb98b..fffee7b8 100644
--- a/config/action.d/iptables.conf
+++ b/config/action.d/iptables.conf
@@ -1,6 +1,7 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
+# Modified by Paul J aka Thanat0s for ipv6 support
#
# $Revision$
#
@@ -11,23 +12,23 @@
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
-actionstart = iptables -N fail2ban-<name>
- iptables -A fail2ban-<name> -j RETURN
- iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
+actionstart = fail2ban-iptables -N fail2ban-<name>
+ fail2ban-iptables -A fail2ban-<name> -j RETURN
+ fail2ban-iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
-actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
- iptables -F fail2ban-<name>
- iptables -X fail2ban-<name>
+actionstop = fail2ban-iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
+ fail2ban-iptables -F fail2ban-<name>
+ fail2ban-iptables -X fail2ban-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
-actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
+actioncheck = fail2ban-iptables -n -L <chain> | grep -q fail2ban-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@@ -37,7 +38,7 @@ actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
# <time> unix timestamp of the ban time
# Values: CMD
#
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@@ -47,7 +48,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# <time> unix timestamp of the ban time
# Values: CMD
#
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
[Init]
@@ -68,7 +69,7 @@ port = ssh
protocol = tcp
# Option: chain
-# Notes specifies the iptables chain to which the fail2ban rules should be
+# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT
diff --git a/server/filter.py b/server/filter.py
index 2e9a2bc9..d09c3844 100644
--- a/server/filter.py
+++ b/server/filter.py
@@ -582,10 +582,20 @@ class DNSUtils:
#@staticmethod
def isValidIP(string):
- """ Return true if str is a valid IP
- We Consider that logfiles didn't make errors ;)
- """
- return True
+ # Return true if str is a valid IP
+ s = string.split('/', 1)
+ # try to convert to ipv4
+ try:
+ socket.inet_aton(s[0])
+ return True
+ except socket.error:
+ # if it had failed try to convert ipv6
+ try:
+ socket.inet_pton(socket.AF_INET6, s[0])
+ return True
+ except socket.error:
+ # not a valid address in both stacks
+ return False
isValidIP = staticmethod(isValidIP)
#@staticmethod