diff --git a/.codespellrc b/.codespellrc
index 44a5bb83..86ce487f 100644
--- a/.codespellrc
+++ b/.codespellrc
@@ -9,4 +9,4 @@ check-hidden = true
 ignore-regex = (\b([A-Z][A-Z][A-Z]+|gir\.st)\b)|\[[a-zA-Z]+\][a-z]+\b|[a-z]+://\S+|.*codespell-ignore.*
 # some oddly named variables, some names, etc
 # wee -- comes in regex etc for weeks
-ignore-words-list = assertIn,theis,timere,alls,wee,wight,ans,re-use
+ignore-words-list = assertIn,theis,timere,alls,wee,wight,ans,re-use,pre-emptive
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index d1dfe521..dccd57ef 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -22,7 +22,7 @@ jobs:
 runs-on: ubuntu-20.04
 strategy:
 matrix:
- python-version: [3.7, 3.8, 3.9, '3.10', '3.11', '3.12', '3.13.0', '3.14.0-alpha.1', pypy3.10]
+ python-version: [3.7, 3.8, 3.9, '3.10', '3.11', '3.12', '3.13', '3.14.0-alpha.4', pypy3.10]
 fail-fast: false
 # Steps represent a sequence of tasks that will be executed as part of the job
 steps:
diff --git a/config/action.d/iptables.conf b/config/action.d/iptables.conf
index 382716ac..c8314b9d 100644
--- a/config/action.d/iptables.conf
+++ b/config/action.d/iptables.conf
@@ -135,7 +135,7 @@ returntype = RETURN
 # Option: lockingopt
 # Notes.: Option was introduced to iptables to prevent multiple instances from
-# running concurrently and causing irratic behavior. -w was introduced
+# running concurrently and causing erratic behavior. -w was introduced
 # in iptables 1.4.20, so might be absent on older systems
 # See https://github.com/fail2ban/fail2ban/issues/1122
 # Values: STRING
diff --git a/fail2ban/tests/files/logs/apache-fakegooglebot b/fail2ban/tests/files/logs/apache-fakegooglebot
index b77a1a6b..024842fd 100644
--- a/fail2ban/tests/files/logs/apache-fakegooglebot
+++ b/fail2ban/tests/files/logs/apache-fakegooglebot
@@ -1,5 +1,5 @@
 # Apache 2.2
 # failJSON: { "time": "2015-01-31T14:29:44", "match": true, "host": "66.249.66.1" }
-66.249.66.1 - - - [31/Jan/2015:14:29:44 ] example.com "GET / HTTP/1.1" 200 814 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" + 293 1149 546
-# failJSON: { "time": "2015-01-31T14:29:44", "match": false, "host": "93.184.215.14" }
-93.184.215.14 - - - [31/Jan/2015:14:29:44 ] example.com "GET / HTTP/1.1" 200 814 "-" "NOT A __GOOGLE_BOT__" + 293 1149 546
+66.249.66.1 - - - [31/Jan/2015:14:29:44 ] fail2ban.org "GET / HTTP/1.1" 200 814 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" + 293 1149 546
+# failJSON: { "time": "2015-01-31T14:29:44", "match": false, "host": "51.159.55.100" }
+51.159.55.100 - - - [31/Jan/2015:14:29:44 ] fail2ban.org "GET / HTTP/1.1" 200 814 "-" "NOT A __GOOGLE_BOT__" + 293 1149 546
diff --git a/fail2ban/tests/files/testcase-usedns.log b/fail2ban/tests/files/testcase-usedns.log
index eea6eb44..3e7b36bb 100644
--- a/fail2ban/tests/files/testcase-usedns.log
+++ b/fail2ban/tests/files/testcase-usedns.log
@@ -1,2 +1,2 @@
-Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2
-Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.215.14 port 51332 ssh2
+Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from fail2ban.org port 51332 ssh2
+Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:51.159.55.100 port 51332 ssh2
diff --git a/fail2ban/tests/filtertestcase.py b/fail2ban/tests/filtertestcase.py
index 20945b78..26961a1b 100644
--- a/fail2ban/tests/filtertestcase.py
+++ b/fail2ban/tests/filtertestcase.py
@@ -587,14 +587,14 @@ class IgnoreIP(LogCaptureTestCase):
 self.assertNotLogged("returned successfully")
 def testIgnoreCauseOK(self):
- ip = "93.184.215.14"
+ ip = "51.159.55.100"
 for ignore_source in ["dns", "ip", "command"]:
 self.filter.logIgnoreIp(ip, True, ignore_source=ignore_source)
 self.assertLogged("[%s] Ignore %s by %s" % (self.jail.name, ip, ignore_source))
 def testIgnoreCauseNOK(self):
- self.filter.logIgnoreIp("example.com", False, ignore_source="NOT_LOGGED")
- self.assertNotLogged("[%s] Ignore %s by %s" % (self.jail.name, "example.com", "NOT_LOGGED"))
+ self.filter.logIgnoreIp("fail2ban.org", False, ignore_source="NOT_LOGGED")
+ self.assertNotLogged("[%s] Ignore %s by %s" % (self.jail.name, "fail2ban.org", "NOT_LOGGED"))
 class IgnoreIPDNS(LogCaptureTestCase):
@@ -607,7 +607,7 @@ class IgnoreIPDNS(LogCaptureTestCase):
 self.filter = FileFilter(self.jail)
 def testIgnoreIPDNS(self):
- for dns in ("www.epfl.ch", "example.com"):
+ for dns in ("www.epfl.ch", "fail2ban.org"):
 self.filter.addIgnoreIP(dns)
 ips = DNSUtils.dnsToIp(dns)
 self.assertTrue(len(ips) > 0)
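Review bot: In `testIgnoreCauseOK` the new literal `ip = "51.159.55.100"` is only handed to `logIgnoreIp` and echoed into the expected log message, so nothing visible in this hunk needs it to be the address of a real host. A reserved documentation address would keep the test independent of where fail2ban.org is hosted, e.g. `ip = "192.0.2.1"` (TEST-NET-1, RFC 5737); the same commit already does this for the PTR test with `2001:db8::1`. The host name passed to `logIgnoreIp` in `testIgnoreCauseNOK` looks like the same case, assuming that call performs no lookup. The class body starts outside the hunk.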
@@ -1892,22 +1892,22 @@ class GetFailures(LogCaptureTestCase):
 #unittest.F2B.SkipIfNoNetwork() ## without network it is simulated via cache in utils.
 # We should still catch failures with usedns = no ;-)
 output_yes = (
- ('93.184.215.14', 1, 1124013299.0,
- ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2']
+ ('51.159.55.100', 1, 1124013299.0,
+ ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from fail2ban.org port 51332 ssh2']
 ),
- ('93.184.215.14', 1, 1124013539.0,
- ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.215.14 port 51332 ssh2']
+ ('51.159.55.100', 1, 1124013539.0,
+ ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:51.159.55.100 port 51332 ssh2']
 ),
- ('2606:2800:21f:cb07:6820:80da:af6b:8b2c', 1, 1124013299.0,
- ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2']
+ ('2001:bc8:1200:6:208:a2ff:fe0c:61f8', 1, 1124013299.0,
+ ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from fail2ban.org port 51332 ssh2']
 ),
 )
 if not unittest.F2B.no_network and not DNSUtils.IPv6IsAllowed():
 output_yes = output_yes[0:2]
 output_no = (
- ('93.184.215.14', 1, 1124013539.0,
- ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.215.14 port 51332 ssh2']
+ ('51.159.55.100', 1, 1124013539.0,
+ ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:51.159.55.100 port 51332 ssh2']
 )
 )
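Review bot: `output_no` is wrapped in two pairs of parentheses but has no trailing comma, so it evaluates to a single 4-tuple, while `output_yes` above it is a tuple of such tuples. The code that consumes both values is outside this hunk and may well accept either shape. If so, a comment above the assignment such as `# a single expected failure, not a sequence of them` would record that the difference is deliberate. If a one-element sequence was intended, the inner closing line should read `),`.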
@@ -2098,10 +2098,10 @@ class DNSUtilsNetworkTests(unittest.TestCase):
 super(DNSUtilsNetworkTests, self).setUp()
 #unittest.F2B.SkipIfNoNetwork()
- ## example.com IPs considering IPv6 support (without network it is simulated via cache in utils).
+ ## fail2ban.org IPs considering IPv6 support (without network it is simulated via cache in utils).
 EXAMPLE_ADDRS = (
- ['93.184.215.14', '2606:2800:21f:cb07:6820:80da:af6b:8b2c'] if unittest.F2B.no_network or DNSUtils.IPv6IsAllowed() else \
- ['93.184.215.14']
+ ['51.159.55.100', '2001:bc8:1200:6:208:a2ff:fe0c:61f8'] if unittest.F2B.no_network or DNSUtils.IPv6IsAllowed() else \
+ ['51.159.55.100']
 )
 def test_IPAddr(self):
@@ -2163,13 +2163,13 @@ class DNSUtilsNetworkTests(unittest.TestCase):
 self.assertTrue(r < ip6)
 def testUseDns(self):
- res = DNSUtils.textToIp('www.example.com', 'no')
+ res = DNSUtils.textToIp('www.fail2ban.org', 'no')
 self.assertSortedEqual(res, [])
 #unittest.F2B.SkipIfNoNetwork() ## without network it is simulated via cache in utils.
- res = DNSUtils.textToIp('www.example.com', 'warn')
+ res = DNSUtils.textToIp('www.fail2ban.org', 'warn')
 # sort ipaddr, IPv4 is always smaller as IPv6
 self.assertSortedEqual(res, self.EXAMPLE_ADDRS)
- res = DNSUtils.textToIp('www.example.com', 'yes')
+ res = DNSUtils.textToIp('www.fail2ban.org', 'yes')
 # sort ipaddr, IPv4 is always smaller as IPv6
 self.assertSortedEqual(res, self.EXAMPLE_ADDRS)
@@ -2177,13 +2177,13 @@ class DNSUtilsNetworkTests(unittest.TestCase):
 #unittest.F2B.SkipIfNoNetwork() ## without network it is simulated via cache in utils.
 # Test hostnames
 hostnames = [
- 'www.example.com',
+ 'www.fail2ban.org',
 'doh1.2.3.4.buga.xxxxx.yyy.invalid',
 '1.2.3.4.buga.xxxxx.yyy.invalid',
 ]
 for s in hostnames:
 res = DNSUtils.textToIp(s, 'yes')
- if s == 'www.example.com':
+ if s == 'www.fail2ban.org':
 # sort ipaddr, IPv4 is always smaller as IPv6
 self.assertSortedEqual(res, self.EXAMPLE_ADDRS)
 else:
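Review bot: `EXAMPLE_ADDRS` repeats address literals that this commit also writes into the `output_yes`/`output_no` tuples of `GetFailures`, into `testIPAddr_CompareDNS` and `testIPAddr_Cached`, into the `testcase-usedns.log` fixture and into the DNS precache in `fail2ban/tests/utils.py`, so the next move of fail2ban.org's hosting means another edit at every one of those sites. With `SkipIfNoNetwork()` commented out, the tests in the following hunks that compare a live `textToIp` lookup with `EXAMPLE_ADDRS` would also start failing on a networked run as soon as the records change. Defining the two addresses once, next to the precache table, and referring to that definition here would reduce the update to one place. The constant could then be renamed after the host it describes, since `EXAMPLE_ADDRS` no longer refers to example.com. The class body starts outside the hunk.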
@@ -2234,8 +2234,8 @@ class DNSUtilsNetworkTests(unittest.TestCase):
 self.assertEqual(IPAddr('192.0.2.0').getPTR(), '0.2.0.192.in-addr.arpa.')
 self.assertEqual(IPAddr('192.0.2.1').getPTR(), '1.2.0.192.in-addr.arpa.')
- self.assertEqual(IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c').getPTR(),
- 'c.2.b.8.b.6.f.a.a.d.0.8.0.2.8.6.7.0.b.c.f.1.2.0.0.0.8.2.6.0.6.2.ip6.arpa.')
+ self.assertEqual(IPAddr('2001:db8::1').getPTR(),
+ '1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.')
 def testIPAddr_Equal6(self):
 self.assertEqual(
@@ -2365,10 +2365,10 @@ class DNSUtilsNetworkTests(unittest.TestCase):
 def testIPAddr_CompareDNS(self):
 #unittest.F2B.SkipIfNoNetwork() ## without network it is simulated via cache in utils.
- ips = IPAddr('example.com')
- self.assertTrue(IPAddr("93.184.215.14").isInNet(ips))
- self.assertEqual(IPAddr("2606:2800:21f:cb07:6820:80da:af6b:8b2c").isInNet(ips),
- "2606:2800:21f:cb07:6820:80da:af6b:8b2c" in self.EXAMPLE_ADDRS)
+ ips = IPAddr('fail2ban.org')
+ self.assertTrue(IPAddr("51.159.55.100").isInNet(ips))
+ self.assertEqual(IPAddr("2001:bc8:1200:6:208:a2ff:fe0c:61f8").isInNet(ips),
+ "2001:bc8:1200:6:208:a2ff:fe0c:61f8" in self.EXAMPLE_ADDRS)
 def testIPAddr_wrongDNS_IP(self):
 unittest.F2B.SkipIfNoNetwork()
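Review bot: The replacement IPv6 case `IPAddr('2001:db8::1').getPTR()` is almost entirely zero nibbles, so it would still pass if `getPTR()` emitted the nibbles of the lower groups in the wrong order or padded a short group on the wrong side. The removed case had distinct digits in all eight groups and caught both. The documentation prefix can be kept without losing that coverage by reusing the old lower groups: `IPAddr('2001:db8:21f:cb07:6820:80da:af6b:8b2c').getPTR()` with the expected value `'c.2.b.8.b.6.f.a.a.d.0.8.0.2.8.6.7.0.b.c.f.1.2.0.8.b.d.0.1.0.0.2.ip6.arpa.'`. The enclosing test method starts outside the hunk.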
@@ -2376,11 +2376,11 @@ class DNSUtilsNetworkTests(unittest.TestCase):
 DNSUtils.ipToName('*')
 def testIPAddr_Cached(self):
- ips = [DNSUtils.dnsToIp('example.com'), DNSUtils.dnsToIp('example.com')]
+ ips = [DNSUtils.dnsToIp('fail2ban.org'), DNSUtils.dnsToIp('fail2ban.org')]
 for ip1, ip2 in zip(ips, ips):
 self.assertEqual(id(ip1), id(ip2))
- ip1 = IPAddr('93.184.215.14'); ip2 = IPAddr('93.184.215.14'); self.assertEqual(id(ip1), id(ip2))
- ip1 = IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c'); ip2 = IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c'); self.assertEqual(id(ip1), id(ip2))
+ ip1 = IPAddr('51.159.55.100'); ip2 = IPAddr('51.159.55.100'); self.assertEqual(id(ip1), id(ip2))
+ ip1 = IPAddr('2001:bc8:1200:6:208:a2ff:fe0c:61f8'); ip2 = IPAddr('2001:bc8:1200:6:208:a2ff:fe0c:61f8'); self.assertEqual(id(ip1), id(ip2))
 def test_NetworkInterfacesAddrs(self):
 for withMask in (False, True):
diff --git a/fail2ban/tests/utils.py b/fail2ban/tests/utils.py
index f71ba60a..e6ef54f3 100644
--- a/fail2ban/tests/utils.py
+++ b/fail2ban/tests/utils.py
@@ -326,8 +326,8 @@ def initTests(opts):
 ('failed.dns.ch', set()),
 ('doh1.2.3.4.buga.xxxxx.yyy.invalid', set()),
 ('1.2.3.4.buga.xxxxx.yyy.invalid', set()),
- ('example.com', set([IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c'), IPAddr('93.184.215.14')])),
- ('www.example.com', set([IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c'), IPAddr('93.184.215.14')])),
+ ('fail2ban.org', set([IPAddr('2001:bc8:1200:6:208:a2ff:fe0c:61f8'), IPAddr('51.159.55.100')])),
+ ('www.fail2ban.org', set([IPAddr('2001:bc8:1200:6:208:a2ff:fe0c:61f8'), IPAddr('51.159.55.100')])),
 ):
 c.set(*i)
 # if fast - precache all host names as localhost addresses (speed-up getSelfIPs/ignoreself):
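Review bot: In `testIPAddr_Cached` the loop `for ip1, ip2 in zip(ips, ips)` pairs each lookup result with itself, so `self.assertEqual(id(ip1), id(ip2))` holds whether or not `dnsToIp` serves the second call from its cache. The two lookups on the changed `ips = [...]` line are therefore never compared with each other. If the intent is that both calls return the same cached object, compare the two elements directly: `ip1, ip2 = ips` followed by `self.assertIs(ip1, ip2)`. The two `IPAddr(...)` lines below the loop already compare separate constructions and are not affected.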