From 5087b410542daae8d13dd93829e273df08be6ba5 Mon Sep 17 00:00:00 2001 From: blotus Date: Fri, 25 Jan 2013 13:37:22 +0100 Subject: [PATCH 1/8] Escape ' and " in matches tag --- server/action.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/action.py b/server/action.py index f2614b339..35974c708 100644 --- a/server/action.py +++ b/server/action.py @@ -243,7 +243,7 @@ class Action: return Action.executeCmd(stopCmd) def escapeTag(tag): - for c in '\\#&;`|*?~<>^()[]{}$\n': + for c in '\\#&;`|*?~<>^()[]{}$\n\'"': if c in tag: tag = tag.replace(c, '\\' + c) return tag From 3b0800459b0a21f5c2c55ccd2981198768cea18d Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Fri, 25 Jan 2013 12:56:00 -0700 Subject: [PATCH 2/8] Initial support for --no-network option for fail2ban-testcases --- fail2ban-testcases | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/fail2ban-testcases b/fail2ban-testcases index 0ee2c53c6..20d3b2262 100755 --- a/fail2ban-testcases +++ b/fail2ban-testcases @@ -53,6 +53,12 @@ def get_opt_parser(): help="Log level for the logger to use during running tests"), ]) + p.add_options([ + Option('-n', "--no-network", action="store_true", + dest="no_network", + help="Do not run tests that require the network"), + ]) + return p parser = get_opt_parser() @@ -90,6 +96,8 @@ else: stdout.setFormatter(logging.Formatter(' %(message)s')) logSys.addHandler(stdout) +if opts.no_network is None: + opts.no_network = False # # Let know the version 
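Review bot: The widened list in `escapeTag` is still a denylist that backslash-prefixes characters, which only neutralises them where the tag is expanded in an unquoted shell context. Inside a single-quoted string the shell treats a backslash literally, so `\'` does not keep the quote closed; whether that matters depends on how the action commands quote the matches tag, which is not visible in this hunk. Consider documenting the assumption on the function, e.g. `# result is only safe when substituted outside of shell quotes`, and in the longer run handing match text to the action through a channel other than the command string. The rest of class `Action` lies outside the hunk.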
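Review bot: The `--no-network` option is declared without a default, so `opts.no_network` is `None` rather than `False` when the flag is absent, which is what the `if opts.no_network is None` fix-up in the following hunk works around. Adding `default=False` to the `Option(...)` call makes the value a real boolean and makes that fix-up unnecessary. `get_opt_parser` starts outside the hunk.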
@@ -129,11 +137,13 @@ tests.addTest(unittest.makeSuite(banmanagertestcase.AddFailure)) tests.addTest(unittest.makeSuite(clientreadertestcase.JailReaderTest)) # Filter -tests.addTest(unittest.makeSuite(filtertestcase.IgnoreIP)) +if not opts.no_network: + tests.addTest(unittest.makeSuite(filtertestcase.IgnoreIP)) tests.addTest(unittest.makeSuite(filtertestcase.LogFile)) tests.addTest(unittest.makeSuite(filtertestcase.LogFileMonitor)) -tests.addTest(unittest.makeSuite(filtertestcase.GetFailures)) -tests.addTest(unittest.makeSuite(filtertestcase.DNSUtilsTests)) +if not opts.no_network: + tests.addTest(unittest.makeSuite(filtertestcase.GetFailures)) + tests.addTest(unittest.makeSuite(filtertestcase.DNSUtilsTests)) tests.addTest(unittest.makeSuite(filtertestcase.JailTests)) # DateDetector From e4aedfdc00aa4b0a70d244ebc7670c51a4f946f5 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Fri, 25 Jan 2013 16:01:35 -0500 Subject: [PATCH 3/8] BF: pyinotify - use bitwise op on masks and do not try tracking newly created directories --- server/filterpyinotify.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/server/filterpyinotify.py b/server/filterpyinotify.py index fdc7256ec..a2eea9d7a 100644 --- a/server/filterpyinotify.py +++ b/server/filterpyinotify.py @@ -65,7 +65,11 @@ class FilterPyinotify(FileFilter): def callback(self, event): path = event.pathname - if event.mask == pyinotify.IN_CREATE: + if event.mask & pyinotify.IN_CREATE: + # skip directories altogether + if event.mask & pyinotify.IN_ISDIR: + logSys.debug("Ignoring creation of directory %s" % path) + return # check if that is a file we care about if not path in self.__watches: logSys.debug("Ignoring creation of %s we do not monitor" % path) From 9055d925f26a338232a6e017548a68ca9d9d489f Mon Sep 17 00:00:00 2001 
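Review bot: With `--no-network` the `IgnoreIP`, `GetFailures` and `DNSUtilsTests` suites are dropped silently, so a green run does not show that the address and DNS handling went untested. A line next to each guard, such as `logSys.info("Skipping network-dependent filter tests")`, would make the reduced coverage visible in the test output. `GetFailures` is skipped as a whole; if only some of its cases resolve host names, a finer split would keep the rest running offline, but that cannot be judged from this hunk.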
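Review bot: The new debug message interpolates `path` with `%s` before the logging call; the name comes straight from the inotify event, so a directory name containing a newline would be written into fail2ban's own log verbatim. Passing it as a logger argument with `%r`, `logSys.debug("Ignoring creation of directory %r", path)`, keeps the entry on one line and skips the formatting when debug logging is off. The existing `Ignoring creation of %s we do not monitor` line just below follows the same pattern. `callback` continues outside the hunk.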
From: Orion Poplawski Date: Fri, 25 Jan 2013 14:19:10 -0700 Subject: [PATCH 4/8] Remove unneeded setting of opts.no_network --- fail2ban-testcases | 3 --- 1 file changed, 3 deletions(-) diff --git a/fail2ban-testcases b/fail2ban-testcases index 20d3b2262..99fefd574 100755 --- a/fail2ban-testcases +++ b/fail2ban-testcases @@ -96,9 +96,6 @@ else: stdout.setFormatter(logging.Formatter(' %(message)s')) logSys.addHandler(stdout) -if opts.no_network is None: - opts.no_network = False - # # Let know the version # From 7fc83196b960e663f073b8e554708c1183a0c34f Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Mon, 28 Jan 2013 09:46:50 -0500 Subject: [PATCH 5/8] RF: move exceptions used by both client and server into common/exceptions.py this prevents importing of server while operating with client only --- client/beautifier.py | 14 ++++---------- common/exceptions.py | 36 ++++++++++++++++++++++++++++++++++++ server/jails.py | 17 +++-------------- 3 files changed, 43 insertions(+), 24 deletions(-) create mode 100644 common/exceptions.py diff --git a/client/beautifier.py b/client/beautifier.py index a75655e74..7e48016ce 100644 --- a/client/beautifier.py +++ b/client/beautifier.py @@ -17,20 +17,14 @@ # along with Fail2Ban; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -# Author: Cyril Jaquier -# -# $Revision$ - -__author__ = "Cyril Jaquier" -__version__ = "$Revision$" -__date__ = "$Date$" -__copyright__ = "Copyright (c) 2004 Cyril Jaquier" +__author__ = "Cyril Jaquier, Yaroslav Halchenko" +__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2013- Yaroslav Halchenko" __license__ = "GPL" -from server.jails import UnknownJailException -from server.jails import DuplicateJailException import logging +from common.exceptions import UnknownJailException, DuplicateJailException + # Gets the instance of the logger. logSys = logging.getLogger("fail2ban.client.config") 
diff --git a/common/exceptions.py b/common/exceptions.py new file mode 100644 index 000000000..7e9335448 --- /dev/null +++ b/common/exceptions.py @@ -0,0 +1,36 @@ +# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*- +# vi: set ft=python sts=4 ts=4 sw=4 noet : +"""Fail2Ban exceptions used by both client and server + +""" +# This file is part of Fail2Ban. +# +# Fail2Ban is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# Fail2Ban is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Fail2Ban; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +__author__ = "Cyril Jaquier, Yaroslav Halchenko" +__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2012 Yaroslav Halchenko" +__license__ = "GPL" + +# +# Jails +# +class DuplicateJailException(Exception): + pass + +class UnknownJailException(Exception): + pass + + + diff --git a/server/jails.py b/server/jails.py index 3be38f707..4bf5f9716 100644 --- a/server/jails.py +++ b/server/jails.py 
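Review bot: `DuplicateJailException` and `UnknownJailException` arrive in the new module with bare `pass` bodies and no docstrings, so the shared client/server error contract does not say when each one is raised. A one-line docstring in place of each `pass` would do, for example `"""A jail with this name is already registered."""` and `"""No jail with this name exists."""`; that wording is inferred from the class names and should be confirmed against the raising code in server/jails.py. The `__copyright__` years here (`2011-2012`) also differ from the `2013-` used in the two files edited by the same commit.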
@@ -17,16 +17,11 @@ # along with Fail2Ban; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -# Author: Cyril Jaquier -# -# $Revision$ - -__author__ = "Cyril Jaquier" -__version__ = "$Revision$" -__date__ = "$Date$" -__copyright__ = "Copyright (c) 2004 Cyril Jaquier" +__author__ = "Cyril Jaquier, Yaroslav Halchenko" +__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2013- Yaroslav Halchenko" __license__ = "GPL" +from common.exceptions import DuplicateJailException, UnknownJailException from jail import Jail from threading import Lock @@ -160,9 +155,3 @@ class Jails: finally: self.__lock.release() - -class DuplicateJailException(Exception): - pass - -class UnknownJailException(Exception): - pass From 1eb23cf8afc9481ffcd2f393a291e8c9c6817608 Mon Sep 17 00:00:00 2001 From: Yaroslav Halchenko Date: Mon, 28 Jan 2013 09:54:08 -0500 Subject: [PATCH 6/8] BF: do not rely on scripts being under /usr -- might differ eg on Fedora -- rely on import of common.version (Closes gh-112) This is also not ideal, since if there happens to be some systemwide common.version -- we are doomed but otherwise, we cannot keep extending comparison check to /bin, /sbin whatelse --- fail2ban-client | 9 +++++---- fail2ban-regex | 9 +++++---- fail2ban-server | 7 ++++--- 3 files changed, 14 insertions(+), 11 deletions(-) diff --git a/fail2ban-client b/fail2ban-client index 1d8eb15e3..13d018e66 100755 --- a/fail2ban-client +++ b/fail2ban-client 
@@ -27,12 +27,13 @@ import getopt, time, shlex, socket # Inserts our own modules path first in the list # fix for bug #343821 -if os.path.abspath(__file__).startswith('/usr/'): - # makes sense to use system-wide library iff -client is also under /usr/ +try: + from common.version import version +except ImportError, e: sys.path.insert(1, "/usr/share/fail2ban") + from common.version import version -# Now we can import our modules -from common.version import version +# Now we can import the rest of modules from common.protocol import printFormatted from client.csocket import CSocket from client.configurator import Configurator diff --git a/fail2ban-regex b/fail2ban-regex index a42ed96d8..f9bc72c16 100755 --- a/fail2ban-regex +++ b/fail2ban-regex @@ -26,13 +26,14 @@ import getopt, sys, time, logging, os # Inserts our own modules path first in the list # fix for bug #343821 -if os.path.abspath(__file__).startswith('/usr/'): - # makes sense to use system-wide library iff -regex is also under /usr/ - sys.path.insert(1, "/usr/share/fail2ban") +try: + from common.version import version +except ImportError, e: + sys.path.insert(1, "/usr/share/fail2ban") + from common.version import version from client.configparserinc import SafeConfigParserWithIncludes from ConfigParser import NoOptionError, NoSectionError, MissingSectionHeaderError -from common.version import version from server.filter import Filter from server.failregex import RegexException diff --git a/fail2ban-server b/fail2ban-server index bd86e6cdb..0f3410c90 100755 --- a/fail2ban-server +++ b/fail2ban-server 
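Review bot: The fallback path is added only when `from common.version import version` raises ImportError, so the probe shows that some package named `common` is importable, not that the fail2ban tree was found. When a different `common.version` resolves first, `/usr/share/fail2ban` is never inserted and the following `common.protocol` and `client.*` imports either fail or load from an unrelated tree, which matters for a tool that normally runs as root. A check tied to the script's own location avoids guessing by import, e.g. `if not os.path.isdir(os.path.join(os.path.dirname(os.path.abspath(__file__)), "common")): sys.path.insert(1, "/usr/share/fail2ban")`. The bound `e` in `except ImportError, e:` is unused, and the same block is added to fail2ban-regex and fail2ban-server.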
@@ -26,11 +26,12 @@ import getopt, sys, logging, os # Inserts our own modules path first in the list # fix for bug #343821 -if os.path.abspath(__file__).startswith('/usr/'): - # makes sense to use system-wide library iff -server is also under /usr/ +try: + from common.version import version +except ImportError, e: sys.path.insert(1, "/usr/share/fail2ban") + from common.version import version -from common.version import version from server.server import Server # Gets the instance of the logger. From ed386dfe0779067daa4f76f38a0234aeaa50292f Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Fri, 15 Mar 2013 14:37:11 -0600 Subject: [PATCH 7/8] Add systemd unit file and tmpfiles.d configuration files --- files/fail2ban-tmpfiles.conf | 1 + files/fail2ban.service | 12 ++++++++++++ 2 files changed, 13 insertions(+) create mode 100644 files/fail2ban-tmpfiles.conf create mode 100644 files/fail2ban.service diff --git a/files/fail2ban-tmpfiles.conf b/files/fail2ban-tmpfiles.conf new file mode 100644 index 000000000..3fd783f38 --- /dev/null +++ b/files/fail2ban-tmpfiles.conf @@ -0,0 +1 @@ +D /var/run/fail2ban 0755 root root - \ No newline at end of file diff --git a/files/fail2ban.service b/files/fail2ban.service new file mode 100644 index 000000000..35d7fc884 --- /dev/null +++ b/files/fail2ban.service @@ -0,0 +1,12 @@ +[Unit] +Description=Fail2ban Service + +[Service] +Type=forking +ExecStart=/usr/bin/fail2ban-client -x start +ExecStop=/usr/bin/fail2ban-client stop +ExecReload=/usr/bin/fail2ban-client reload +Restart=always + +[Install] +WantedBy=network.target From ddebcab9aae68bb1b93d11bddb63c8c54bec4186 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Wed, 17 Apr 2013 09:27:06 -0600 Subject: [PATCH 8/8] Add After, PIDFile, and change WantedBy to multi-user.target in fail2ban.server --- files/fail2ban.service | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/files/fail2ban.service b/files/fail2ban.service index 35d7fc884..9c44042b1 100644 
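Review bot: `ExecStart=/usr/bin/fail2ban-client -x start` in files/fail2ban.service carries no explanation of `-x`, which forces the start by removing an existing socket file, and the unit gives no hint that it depends on `/var/run/fail2ban` being created by the tmpfiles.d entry from the same commit. Comment lines above ExecStart such as `# -x: force start, removes a stale socket left by an unclean shutdown` and `# /var/run/fail2ban is created by fail2ban-tmpfiles.conf` would document both. With `Restart=always` the forced socket removal also runs on every automatic restart, so it is worth stating that this is intended.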
--- a/files/fail2ban.service +++ b/files/fail2ban.service @@ -1,12 +1,14 @@ [Unit] Description=Fail2ban Service +After=syslog.target network.target [Service] Type=forking ExecStart=/usr/bin/fail2ban-client -x start ExecStop=/usr/bin/fail2ban-client stop ExecReload=/usr/bin/fail2ban-client reload +PIDFile=/var/run/fail2ban/fail2ban.pid Restart=always [Install] -WantedBy=network.target +WantedBy=multi-user.target
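Review bot: `PIDFile=/var/run/fail2ban/fail2ban.pid` hard-codes a path that has to match the pid file the server actually writes; if the configured location differs, systemd cannot identify the main process of this `Type=forking` service and `Restart=always` acts on the wrong state. ExecStart passes no explicit pid-file option, so the match relies on the shipped default, presumably the same path but not visible here. A comment next to the line, e.g. `# must match the pidfile setting used by fail2ban-server`, would keep the two from drifting apart.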