ip validation and reconfiguration of iptables actions

config/action.d/iptables-allports.conf

@@ -2,7 +2,8 @@
 #
 # Author: Cyril Jaquier
 # Modified: Yaroslav O. Halchenko <debian@onerussian.com>
-# 			made active on all ports from original iptables.conf
+# 			made active on all ports from original fail2ban-iptables.conf
+# Modified by Paul J aka Thanat0s for ipv6 support
 #
 # $Revision$
 #
@@ -13,23 +14,23 @@
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = iptables -N fail2ban-<name>
-              iptables -A fail2ban-<name> -j RETURN
-              iptables -I <chain> -p <protocol> -j fail2ban-<name>
+actionstart = fail2ban-iptables -N fail2ban-<name>
+              fail2ban-iptables -A fail2ban-<name> -j RETURN
+              fail2ban-iptables -I <chain> -p <protocol> -j fail2ban-<name>
 
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
-             iptables -F fail2ban-<name>
-             iptables -X fail2ban-<name>
+actionstop = fail2ban-iptables -D <chain> -p <protocol> -j fail2ban-<name>
+             fail2ban-iptables -F fail2ban-<name>
+             fail2ban-iptables -X fail2ban-<name>
 
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
-actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
+actioncheck = fail2ban-iptables -n -L <chain> | grep -q fail2ban-<name>
 
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@@ -39,7 +40,7 @@ actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@@ -49,7 +50,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
 
 [Init]
 
@@ -64,7 +65,7 @@ name = default
 protocol = tcp
 
 # Option:  chain
-# Notes    specifies the iptables chain to which the fail2ban rules should be
+# Notes    specifies the fail2ban-iptables chain to which the fail2ban rules should be
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT

config/action.d/iptables-multiport-log.conf

@@ -2,6 +2,7 @@
 #
 # Author: Guido Bozzetto
 # Modified: Cyril Jaquier
+# Modified by Paul J aka Thanat0s for ipv6 support
 #
 # make "fail2ban-<name>" chain to match drop IP
 # make "fail2ban-<name>-log" chain to log and drop
@@ -16,28 +17,28 @@
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = iptables -N fail2ban-<name>
-              iptables -A fail2ban-<name> -j RETURN
-              iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
-              iptables -N fail2ban-<name>-log
-              iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
-              iptables -A fail2ban-<name>-log -j DROP
+actionstart = fail2ban-iptables -N fail2ban-<name>
+              fail2ban-iptables -A fail2ban-<name> -j RETURN
+              fail2ban-iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+              fail2ban-iptables -N fail2ban-<name>-log
+              fail2ban-iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
+              fail2ban-iptables -A fail2ban-<name>-log -j DROP
 
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
-             iptables -F fail2ban-<name>
-             iptables -F fail2ban-<name>-log
-             iptables -X fail2ban-<name>
-             iptables -X fail2ban-<name>-log
+actionstop = fail2ban-iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+             fail2ban-iptables -F fail2ban-<name>
+             fail2ban-iptables -F fail2ban-<name>-log
+             fail2ban-iptables -X fail2ban-<name>
+             fail2ban-iptables -X fail2ban-<name>-log
 
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
-actioncheck = iptables -n -L fail2ban-<name>-log >/dev/null
+actioncheck = fail2ban-iptables -n -L fail2ban-<name>-log >/dev/null
 
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@@ -47,7 +48,7 @@ actioncheck = iptables -n -L fail2ban-<name>-log >/dev/null
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
+actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
 
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@@ -57,7 +58,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j fail2ban-<name>-log
+actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j fail2ban-<name>-log
 
 [Init]
 
@@ -78,7 +79,7 @@ port = ssh
 protocol = tcp
 
 # Option:  chain
-# Notes    specifies the iptables chain to which the fail2ban rules should be
+# Notes    specifies the fail2ban-iptables chain to which the fail2ban rules should be
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT

config/action.d/iptables-multiport.conf

@@ -2,6 +2,7 @@
 #
 # Author: Cyril Jaquier
 # Modified by Yaroslav Halchenko for multiport banning
+# Modified by Paul J aka Thanat0s for ipv6 support
 # $Revision$
 #
 
@@ -11,23 +12,23 @@
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = iptables -N fail2ban-<name>
-              iptables -A fail2ban-<name> -j RETURN
-              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+actionstart = fail2ban-iptables -N fail2ban-<name>
+              fail2ban-iptables -A fail2ban-<name> -j RETURN
+              fail2ban-iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
 
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
-             iptables -F fail2ban-<name>
-             iptables -X fail2ban-<name>
+actionstop = fail2ban-iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+             fail2ban-iptables -F fail2ban-<name>
+             fail2ban-iptables -X fail2ban-<name>
 
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
-actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
+actioncheck = fail2ban-iptables -n -L <chain> | grep -q fail2ban-<name>
 
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@@ -37,7 +38,7 @@ actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@@ -47,7 +48,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
 
 [Init]
 
@@ -68,7 +69,7 @@ port = ssh
 protocol = tcp
 
 # Option:  chain
-# Notes    specifies the iptables chain to which the fail2ban rules should be
+# Notes    specifies the fail2ban-iptables chain to which the fail2ban rules should be
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT

config/action.d/iptables-new.conf

@@ -1,8 +1,9 @@
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
-# Copied from iptables.conf and modified by Yaroslav Halchenko 
+# Copied from fail2ban-iptables.conf and modified by Yaroslav Halchenko 
 #  to fullfill the needs of bugreporter dbts#350746.
+# Modified by Paul J aka Thanat0s for ipv6 support
 #
 # $Revision$
 #
@@ -13,23 +14,23 @@
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = iptables -N fail2ban-<name>
-              iptables -A fail2ban-<name> -j RETURN
-              iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+actionstart = fail2ban-iptables -N fail2ban-<name>
+              fail2ban-iptables -A fail2ban-<name> -j RETURN
+              fail2ban-iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
 
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
-             iptables -F fail2ban-<name>
-             iptables -X fail2ban-<name>
+actionstop = fail2ban-iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
+             fail2ban-iptables -F fail2ban-<name>
+             fail2ban-iptables -X fail2ban-<name>
 
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
-actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
+actioncheck = fail2ban-iptables -n -L <chain> | grep -q fail2ban-<name>
 
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@@ -39,7 +40,7 @@ actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@@ -49,7 +50,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
 
 [Init]
 
@@ -70,7 +71,7 @@ port = ssh
 protocol = tcp
 
 # Option:  chain
-# Notes    specifies the iptables chain to which the fail2ban rules should be
+# Notes    specifies the fail2ban-iptables chain to which the fail2ban rules should be
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT

config/action.d/iptables.conf

@@ -1,6 +1,7 @@
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier
+# Modified by Paul J aka Thanat0s for ipv6 support
 #
 # $Revision$
 #
@@ -11,23 +12,23 @@
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = iptables -N fail2ban-<name>
-              iptables -A fail2ban-<name> -j RETURN
-              iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
+actionstart = fail2ban-iptables -N fail2ban-<name>
+              fail2ban-iptables -A fail2ban-<name> -j RETURN
+              fail2ban-iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
 
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
-             iptables -F fail2ban-<name>
-             iptables -X fail2ban-<name>
+actionstop = fail2ban-iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
+             fail2ban-iptables -F fail2ban-<name>
+             fail2ban-iptables -X fail2ban-<name>
 
 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 #
-actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
+actioncheck = fail2ban-iptables -n -L <chain> | grep -q fail2ban-<name>
 
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@@ -37,7 +38,7 @@ actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@@ -47,7 +48,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
 
 [Init]
 
@@ -68,7 +69,7 @@ port = ssh
 protocol = tcp
 
 # Option:  chain
-# Notes    specifies the iptables chain to which the fail2ban rules should be
+# Notes    specifies the fail2ban-iptables chain to which the fail2ban rules should be
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT

server/filter.py

@@ -582,10 +582,20 @@ class DNSUtils:
 	
 	#@staticmethod
 	def isValidIP(string):
-		""" Return true if str is a valid IP
-		We Consider that logfiles didn't make errors ;) 
-		"""
-		return True
+		# Return true if str is a valid IP
+            	s = string.split('/', 1)
+          	# try to convert to ipv4
+          	try:
+      			socket.inet_aton(s[0])
+      			return True
+    		except socket.error:
+    			# if it had failed try to convert ipv6
+    			try:  
+            			socket.inet_pton(socket.AF_INET6, s[0])
+          			return True
+        		except socket.error: 
+    				# not a valid address in both stacks
+          			return False
 	isValidIP = staticmethod(isValidIP)
 	
 	#@staticmethod