
IP validation and reconfiguration of iptables actions

pull/88/head
Th4nat0s 13 years ago
parent
commit
33c2059d1d
  1. 23
      config/action.d/iptables-allports.conf
  2. 31
      config/action.d/iptables-multiport-log.conf
  3. 21
      config/action.d/iptables-multiport.conf
  4. 23
      config/action.d/iptables-new.conf
  5. 21
      config/action.d/iptables.conf
  6. 16
      server/filter.py

23
config/action.d/iptables-allports.conf

@ -2,7 +2,8 @@
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
# made active on all ports from original iptables.conf
# made active on all ports from original fail2ban-iptables.conf
# Modified by Paul J aka Thanat0s for ipv6 support
#
# $Revision$
#
@ -13,23 +14,23 @@
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I <chain> -p <protocol> -j fail2ban-<name>
actionstart = fail2ban-iptables -N fail2ban-<name>
fail2ban-iptables -A fail2ban-<name> -j RETURN
fail2ban-iptables -I <chain> -p <protocol> -j fail2ban-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
actionstop = fail2ban-iptables -D <chain> -p <protocol> -j fail2ban-<name>
fail2ban-iptables -F fail2ban-<name>
fail2ban-iptables -X fail2ban-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
actioncheck = fail2ban-iptables -n -L <chain> | grep -q fail2ban-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@ -39,7 +40,7 @@ actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -49,7 +50,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
[Init]
@ -64,7 +65,7 @@ name = default
protocol = tcp
# Option: chain
# Notes specifies the iptables chain to which the fail2ban rules should be
# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT
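Review bot: Every action in this file now executes `fail2ban-iptables`, but no file of that name is among the six files this commit touches, so on a host where that wrapper is not installed on root's PATH the `actionstart` commands fail and no ban is ever applied, with nothing in the config explaining why. The header should state the new requirement, e.g. `# Requires the fail2ban-iptables wrapper (dispatching to iptables/ip6tables) to be installed on PATH`. The two comment edits look like a blind search-and-replace: the line `# made active on all ports from original fail2ban-iptables.conf` should still say `iptables.conf` (that is the file this one was derived from, and no `fail2ban-iptables.conf` exists in the tree shown), and `# Notes specifies the fail2ban-iptables chain` should remain `iptables chain`, since `<chain>` is still a netfilter chain name.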

31
config/action.d/iptables-multiport-log.conf

@ -2,6 +2,7 @@
#
# Author: Guido Bozzetto
# Modified: Cyril Jaquier
# Modified by Paul J aka Thanat0s for ipv6 support
#
# make "fail2ban-<name>" chain to match drop IP
# make "fail2ban-<name>-log" chain to log and drop
@ -16,28 +17,28 @@
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -N fail2ban-<name>-log
iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
iptables -A fail2ban-<name>-log -j DROP
actionstart = fail2ban-iptables -N fail2ban-<name>
fail2ban-iptables -A fail2ban-<name> -j RETURN
fail2ban-iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
fail2ban-iptables -N fail2ban-<name>-log
fail2ban-iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
fail2ban-iptables -A fail2ban-<name>-log -j DROP
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -F fail2ban-<name>-log
iptables -X fail2ban-<name>
iptables -X fail2ban-<name>-log
actionstop = fail2ban-iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
fail2ban-iptables -F fail2ban-<name>
fail2ban-iptables -F fail2ban-<name>-log
fail2ban-iptables -X fail2ban-<name>
fail2ban-iptables -X fail2ban-<name>-log
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L fail2ban-<name>-log >/dev/null
actioncheck = fail2ban-iptables -n -L fail2ban-<name>-log >/dev/null
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@ -47,7 +48,7 @@ actioncheck = iptables -n -L fail2ban-<name>-log >/dev/null
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -57,7 +58,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j fail2ban-<name>-log
actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j fail2ban-<name>-log
[Init]
@ -78,7 +79,7 @@ port = ssh
protocol = tcp
# Option: chain
# Notes specifies the iptables chain to which the fail2ban rules should be
# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT
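Review bot: `actioncheck = fail2ban-iptables -n -L fail2ban-<name>-log >/dev/null` carries no `<ip>`, so the wrapper has nothing to pick an address family from; if it supports IPv6 by running the command against both iptables and ip6tables, the single exit status here can only reflect one of them, and a missing `fail2ban-<name>-log` chain in the other family will not trigger re-creation (inferred from the command shape — the wrapper itself is not in this commit). Whatever the wrapper's contract is, it belongs in the header comment next to the new `Modified by ... for ipv6 support` line, e.g. `# fail2ban-iptables applies commands without <ip> to both iptables and ip6tables`. Also revert `# Notes specifies the fail2ban-iptables chain` to `iptables chain`; the chain is a netfilter object, not something owned by the wrapper.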

21
config/action.d/iptables-multiport.conf

@ -2,6 +2,7 @@
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
# Modified by Paul J aka Thanat0s for ipv6 support
# $Revision$
#
@ -11,23 +12,23 @@
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
actionstart = fail2ban-iptables -N fail2ban-<name>
fail2ban-iptables -A fail2ban-<name> -j RETURN
fail2ban-iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
actionstop = fail2ban-iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
fail2ban-iptables -F fail2ban-<name>
fail2ban-iptables -X fail2ban-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
actioncheck = fail2ban-iptables -n -L <chain> | grep -q fail2ban-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@ -37,7 +38,7 @@ actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -47,7 +48,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
[Init]
@ -68,7 +69,7 @@ port = ssh
protocol = tcp
# Option: chain
# Notes specifies the iptables chain to which the fail2ban rules should be
# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT
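Review bot: The `actionstart` and `actionstop` blocks (`fail2ban-iptables -N fail2ban-<name>` through `-X fail2ban-<name>`) contain no `<ip>`, so nothing in these commands tells the wrapper whether to create the chain with iptables, ip6tables or both; only `actionban`/`actionunban` have an address to dispatch on. That contract lives entirely in the absent `fail2ban-iptables` script and should be documented here, e.g. `# The fail2ban-iptables wrapper chooses iptables or ip6tables from <ip>; address-less commands are expected to run for both families`. The comment `# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be` should keep the original wording `iptables chain` — the rename was meant for commands, not for the description of `<chain>`.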

23
config/action.d/iptables-new.conf

@ -1,8 +1,9 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Copied from iptables.conf and modified by Yaroslav Halchenko
# Copied from fail2ban-iptables.conf and modified by Yaroslav Halchenko
# to fullfill the needs of bugreporter dbts#350746.
# Modified by Paul J aka Thanat0s for ipv6 support
#
# $Revision$
#
@ -13,23 +14,23 @@
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
actionstart = fail2ban-iptables -N fail2ban-<name>
fail2ban-iptables -A fail2ban-<name> -j RETURN
fail2ban-iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
actionstop = fail2ban-iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
fail2ban-iptables -F fail2ban-<name>
fail2ban-iptables -X fail2ban-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
actioncheck = fail2ban-iptables -n -L <chain> | grep -q fail2ban-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@ -39,7 +40,7 @@ actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -49,7 +50,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
[Init]
@ -70,7 +71,7 @@ port = ssh
protocol = tcp
# Option: chain
# Notes specifies the iptables chain to which the fail2ban rules should be
# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT
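Review bot: The header now reads `# Copied from fail2ban-iptables.conf and modified by Yaroslav Halchenko`, which rewrites history: this file was copied from `iptables.conf`, and no `fail2ban-iptables.conf` exists in the tree this commit shows, so the line should be restored to `# Copied from iptables.conf and modified by Yaroslav Halchenko`. Likewise `# Notes specifies the fail2ban-iptables chain` should go back to `iptables chain`. Since the wrapper is the only place where IPv6 handling can live and it is not part of this change, the `Modified by Paul J aka Thanat0s for ipv6 support` line would be more useful as `# ipv6 support relies on the fail2ban-iptables wrapper being installed on PATH`.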

21
config/action.d/iptables.conf

@ -1,6 +1,7 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Paul J aka Thanat0s for ipv6 support
#
# $Revision$
#
@ -11,23 +12,23 @@
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
actionstart = fail2ban-iptables -N fail2ban-<name>
fail2ban-iptables -A fail2ban-<name> -j RETURN
fail2ban-iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
actionstop = fail2ban-iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
fail2ban-iptables -F fail2ban-<name>
fail2ban-iptables -X fail2ban-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
actioncheck = fail2ban-iptables -n -L <chain> | grep -q fail2ban-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@ -37,7 +38,7 @@ actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -47,7 +48,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
[Init]
@ -68,7 +69,7 @@ port = ssh
protocol = tcp
# Option: chain
# Notes specifies the iptables chain to which the fail2ban rules should be
# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT
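Review bot: Nothing in the rewritten commands is IPv6-specific — `-s <ip>`, `--dport <port>`, `-N`/`-F`/`-X` are unchanged — so the whole of the advertised IPv6 support depends on the `fail2ban-iptables` executable, which is not among the files in this commit and is not otherwise described. If that wrapper is missing or not on PATH, `actionstart = fail2ban-iptables -N fail2ban-<name>` fails at jail start and the jail silently bans nothing; the header should make the dependency explicit, e.g. `# Requires the fail2ban-iptables wrapper script (selects iptables or ip6tables by address) on PATH`. The comment `# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be` was caught by the search-and-replace and should keep `iptables chain`.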

16
server/filter.py

@ -582,10 +582,20 @@ class DNSUtils:
#@staticmethod
def isValidIP(string):
""" Return true if str is a valid IP
We Consider that logfiles didn't make errors ;)
"""
# Return true if str is a valid IP
s = string.split('/', 1)
# try to convert to ipv4
try:
socket.inet_aton(s[0])
return True
except socket.error:
# if it had failed try to convert ipv6
try:
socket.inet_pton(socket.AF_INET6, s[0])
return True
except socket.error:
# not a valid address in both stacks
return False
isValidIP = staticmethod(isValidIP)
#@staticmethod
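Review bot: The text after `/` is split off by `s = string.split('/', 1)` and then never examined, so `1.2.3.4/anything` is reported as a valid IP; if the caller forwards the whole string (the CIDR form is presumably why the split exists), that unchecked suffix travels on to wherever `<ip>` is substituted into a shell command. The suffix should be required to be a prefix length that fits the address family, as below. Be aware as well that `socket.inet_aton` on glibc accepts abbreviated forms such as `127.1` or `0x7f000001`, so the IPv4 branch is looser than `socket.inet_pton(socket.AF_INET, ...)`; if such tokens can be captured from a log line, prefer inet_pton for IPv4 too. The enclosing class `DNSUtils` starts outside this hunk.
```python
def isValidIP(string):
	""" Return True if string is an IPv4 or IPv6 address, optionally
	followed by a /prefix-length that fits the address family.
	"""
	parts = string.split('/', 1)
	# try ipv4 first, then ipv6; remember the family's prefix width
	try:
		socket.inet_aton(parts[0])
		maxbits = 32
	except socket.error:
		try:
			socket.inet_pton(socket.AF_INET6, parts[0])
			maxbits = 128
		except socket.error:
			# not a valid address in either family
			return False
	if len(parts) == 1:
		return True
	# the part after '/' must be a prefix length, not arbitrary text
	mask = parts[1]
	return mask.isdigit() and int(mask) <= maxbits
isValidIP = staticmethod(isValidIP)
```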
