ignorecommand

client/filterreader.py

@@ -54,7 +54,9 @@ class FilterReader(ConfigReader):
 
 	def getOptions(self, pOpts):
 		opts = [["string", "ignoreregex", ""],
-				["string", "failregex", ""]]
+				["string", "failregex", ""],
+				["string", "ignorecommand", ""]
+				]
 		self.__opts = ConfigReader.getOptions(self, "Definition", opts, pOpts)
 
 	def convert(self):

client/jailreader.py

@@ -81,6 +81,7 @@ class JailReader(ConfigReader):
 				["int", "bantime", 600],
 				["string", "usedns", "warn"],
 				["string", "failregex", None],
+				["string", "ignorecommand", None],
 				["string", "ignoreregex", None],
 				["string", "ignoreip", None],
 				["string", "filter", ""],
@@ -160,6 +161,8 @@ class JailReader(ConfigReader):
 				stream.append(["set", self.__name, "usedns", self.__opts[opt]])
 			elif opt == "failregex":
 				stream.append(["set", self.__name, "addfailregex", self.__opts[opt]])
+			elif opt == "ignorecommand":
+				stream.append(["set", self.__name, "ignorecommand", self.__opts[opt]])
 			elif opt == "ignoreregex":
 				for regex in self.__opts[opt].split('\n'):
 					# Do not send a command if the rule is empty.

common/protocol.py

@@ -49,6 +49,7 @@ protocol = [
 ["stop <JAIL>", "stops the jail <JAIL>. The jail is removed"],
 ["status <JAIL>", "gets the current status of <JAIL>"],
 ['', "JAIL CONFIGURATION", ""],
+["set <JAIL> ignorecommand <VALUE>", "sets ignorecommand of <JAIL>"],
 ["set <JAIL> idle on|off", "sets the idle state of <JAIL>"],
 ["set <JAIL> addignoreip <IP>", "adds <IP> to the ignore list of <JAIL>"],
 ["set <JAIL> delignoreip <IP>", "removes <IP> from the ignore list of <JAIL>"],
@@ -74,6 +75,7 @@ protocol = [
 ["set <JAIL> actionban <ACT> <CMD>", "sets the ban command <CMD> of the action <ACT> for <JAIL>"],
 ["set <JAIL> actionunban <ACT> <CMD>", "sets the unban command <CMD> of the action <ACT> for <JAIL>"],
 ['', "JAIL INFORMATION", ""],
+["get <JAIL> ignorecommand", "gets ignorecommand of <JAIL>"],
 ["get <JAIL> logpath", "gets the list of the monitored files for <JAIL>"],
 ["get <JAIL> ignoreip", "gets the list of ignored IP addresses for <JAIL>"],
 ["get <JAIL> failregex", "gets the list of regular expressions which matches the failures for <JAIL>"],

config/jail.conf

@@ -34,6 +34,9 @@ ignoreip = 127.0.0.1/8
 # "bantime" is the number of seconds that a host is banned.
 bantime  = 600
 
+# External command with space separated output ips to ignore
+# ignorecommand = /path/to/command
+
 # A host is banned if it has generated "maxretry" during the last "findtime"
 # seconds.
 findtime  = 600

server/filter.py

@@ -21,8 +21,7 @@ __author__ = "Cyril Jaquier and Fail2Ban Contributors"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2013 Yaroslav Halchenko"
 __license__ = "GPL"
 
-import sys
-
+#import sys, os, getopt
 from failmanager import FailManagerEmpty
 from failmanager import FailManager
 from ticket import FailTicket
@@ -43,6 +42,7 @@ logSys = logging.getLogger("fail2ban.filter")
 # that matches a given regular expression. This class is instantiated by
 # a Jail object.
 
+
 class Filter(JailThread):
 
 	##
@@ -67,12 +67,13 @@ class Filter(JailThread):
 		self.__findTime = 6000
 		## The ignore IP list.
 		self.__ignoreIpList = []
+		## External command
+		self.__ignoreCommand = False
 
 		self.dateDetector = DateDetector()
 		self.dateDetector.addDefaultTemplate()
 		logSys.debug("Created %s" % self)
 
-
 	def __repr__(self):
 		return "%s(%r)" % (self.__class__.__name__, self.jail)
 
@@ -91,7 +92,6 @@ class Filter(JailThread):
 			logSys.error(e)
 			raise e
 
-
 	def delFailRegex(self, index):
 		try:
 			del self.__failRegex[index]
@@ -212,6 +212,21 @@ class Filter(JailThread):
 	def run(self):  # pragma: no cover
 		raise Exception("run() is abstract")
 
+
+	##
+	# Set external command, for ignoredips
+	# hazg@mail.ru
+	#
+	def setIgnoreCommand(self, command):
+		self.__ignoreCommand = command
+
+	##
+	# Get external command, for ignoredips
+	# hazg@mail.ru
+	#
+	def getIgnoreCommand(self):
+		return self.__ignoreCommand
+
 	##
 	# Ban an IP - http://blogs.buanzo.com.ar/2009/04/fail2ban-patch-ban-ip-address-manually.html
 	# Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
@@ -249,8 +264,11 @@ class Filter(JailThread):
 		self.__ignoreIpList.remove(ip)
 
 	def getIgnoreIP(self):
+		#logSys.info(self.jail.opts)
+		if self.__ignoreCommand is not False:
+			return self.__ignoreIpList + os.popen(self.__ignoreCommand).read().split(" ")
+		else:
 			return self.__ignoreIpList
-
 	##
 	# Check if IP address/DNS is in the ignore list.
 	#
@@ -258,12 +276,17 @@ class Filter(JailThread):
 	# mask in the ignore list.
 	# @param ip IP address
 	# @return True if IP address is in ignore list
-
 	def inIgnoreIPList(self, ip):
 		for i in self.__ignoreIpList:
 			# An empty string is always false
 			if i == "":
 				continue
+			# External command with ips to ignore
+			if self.__ignoreCommand is not False:
+				ignored_ips = os.popen(self.__ignoreCommand).read().split(" ")
+				if ip in ignored_ips:
+					continue
+
 			s = i.split('/', 1)
 			# IP address without CIDR mask
 			if len(s) == 1:

server/server.py

@@ -187,6 +187,12 @@ class Server:
 	def addFailRegex(self, name, value):
 		self.__jails.getFilter(name).addFailRegex(value)
 
+	def setIgnoreCommand(self, name, value):
+		self.__jails.getFilter(name).setIgnoreCommand(value)
+	def getIgnoreCommand(self, name):
+		self.__jails.getFilter(name).getIgnoreCommand()
+
+
 	def delFailRegex(self, name, index):
 		self.__jails.getFilter(name).delFailRegex(index)
 

server/transmitter.py

@@ -152,6 +152,10 @@ class Transmitter:
 			value = command[2]
 			self.__server.addIgnoreRegex(name, value)
 			return self.__server.getIgnoreRegex(name)
+		elif command[1] == "ignorecommand":
+			value = command[2]
+			self.__server.setIgnoreCommand(name, value)
+			return self.__server.getIgnoreCommand(name)
 		elif command[1] == "delignoreregex":
 			value = int(command[2])
 			self.__server.delIgnoreRegex(name, value)