refined it to work nicely with the current approach to handling externally modified iptables
parent
da0bb74180
commit
9c639040bc
@ -97,6 +97,21 @@ cmdend =
|
||||||
#
|
#
|
||||||
polltime = 1
|
polltime = 1
|
||||||
|
|
||||||
|
# Option: reinittime
|
||||||
|
# Notes.: minimal number of seconds between the re-initialization of
|
||||||
|
# firewalls due to external changes in their rules (see fwcheck)
|
||||||
|
# Values: NUM Default: 100
|
||||||
|
#
|
||||||
|
reinittime = 10
|
||||||
|
|
||||||
|
# Option: maxreinits
|
||||||
|
# Notes.: maximal number of re-initialization of firewalls due to external
|
||||||
|
# changes. -1 stays for infinite, so only reinittime is of importance
|
||||||
|
# Values: NUM Default: -1
|
||||||
|
#
|
||||||
|
maxreinits = -1
|
||||||
|
|
||||||
|
|
||||||
[MAIL]
|
[MAIL]
|
||||||
# Option: enabled
|
# Option: enabled
|
||||||
# Notes.: enable mail notification when banning an IP address.
|
# Notes.: enable mail notification when banning an IP address.
|
||||||
|
|
|
@ -1,19 +1,19 @@
|
||||||
fail2ban (0.5.4-5.7) unstable; urgency=low
|
fail2ban (0.5.4-5.7) unstable; urgency=low
|
||||||
|
|
||||||
* Added a notification regarding the importance of 0.5.4-5 change of
|
* Added a notification regarding the importance of 0.5.4-5 change of
|
||||||
failregex in the config file
|
failregex in the config file.
|
||||||
* Adjusted address to FSF
|
* Adjusted address to FSF.
|
||||||
* Adjusted failregex for SSH so it bans "Illegal user" entries as well, and
|
* Adjusted failregex for SSH so it bans "Illegal user" entries as well, and
|
||||||
restricted full failregex more to include ":" at the beginning, because
|
restricted full failregex more to include ":" at the beginning, because
|
||||||
otherwise it might not be sufficient and would revive bug 330827 (closes:
|
otherwise it might not be sufficient and would revive bug 330827 (closes:
|
||||||
#333056)
|
#333056).
|
||||||
* Adjusted failregex for SSH to accommodate recent changes in logging of
|
* Adjusted failregex for SSH to accommodate recent changes in logging of
|
||||||
SSH: Illegal -> Invalid. Should match both now
|
SSH: Illegal -> Invalid. Should match both now.
|
||||||
* Fixed a problem of raise AttributeError exception reported as a side
|
* Fixed a problem of raise AttributeError exception reported as a side
|
||||||
effect of crash during parsing of the config file
|
effect of crash during parsing of the config file.
|
||||||
* Introduced fwcheck option to verify consistency of the
|
* Introduced fwcheck option to verify consistency of the
|
||||||
chains. Implemented automatic restart of fail2ban main function in
|
chains. Implemented automatic restart of fail2ban main function in
|
||||||
case if check of fwban failed. Should close few bugs
|
case if check of fwban or fwban command failed (closes: #329163, #331695).
|
||||||
|
|
||||||
-- Yaroslav Halchenko <debian@onerussian.com> Mon, 3 Oct 2005 22:26:28 -1000
|
-- Yaroslav Halchenko <debian@onerussian.com> Mon, 3 Oct 2005 22:26:28 -1000
|
||||||
|
|
||||||
|
|
27
fail2ban.py
27
fail2ban.py
|
@ -216,7 +216,9 @@ def main():
|
||||||
["str", "ignoreip", ""],
|
["str", "ignoreip", ""],
|
||||||
["int", "polltime", 1],
|
["int", "polltime", 1],
|
||||||
["str", "cmdstart", ""],
|
["str", "cmdstart", ""],
|
||||||
["str", "cmdend", ""])
|
["str", "cmdend", ""],
|
||||||
|
["int", "reinittime", 100],
|
||||||
|
["int", "maxreinits", 100])
|
||||||
|
|
||||||
# Gets global configuration options
|
# Gets global configuration options
|
||||||
conf.update(confReader.getLogOptions("DEFAULT", optionValues))
|
conf.update(confReader.getLogOptions("DEFAULT", optionValues))
|
||||||
|
@ -415,13 +417,8 @@ def main():
|
||||||
|
|
||||||
initializeFwRules()
|
initializeFwRules()
|
||||||
|
|
||||||
# yoh: I don't think that this parameters need to be configured
|
lastReinitTime = time.time()-conf["reinittime"]-1 # try to reinit once if it fails immediately
|
||||||
# and probably maxRestarts should be removed
|
reinits = 0
|
||||||
legitRestartTime = 10 # legitimate minimal restart time
|
|
||||||
maxRestarts = 100 # max number of times to perform restart
|
|
||||||
|
|
||||||
lastRestartTime = time.time()
|
|
||||||
restarts = 0
|
|
||||||
# Main loop
|
# Main loop
|
||||||
while True:
|
while True:
|
||||||
try:
|
try:
|
||||||
|
@ -484,12 +481,14 @@ def main():
|
||||||
except ExternalError, e:
|
except ExternalError, e:
|
||||||
# Something wrong while dealing with Iptables.
|
# Something wrong while dealing with Iptables.
|
||||||
# May be chain got removed?
|
# May be chain got removed?
|
||||||
logSys.error("Fail2Ban got a problem: " + e.__str__())
|
reinits += 1
|
||||||
if (unixTime - lastRestartTime > legitRestartTime) and (restarts < maxRestarts):
|
logSys.error(e)
|
||||||
logSys.error("Reinitializing firewalls for the %dst time "%restarts)
|
if ((unixTime - lastReinitTime > conf["reinittime"]) and
|
||||||
lastRestartTime = time.time()
|
((conf["maxreinits"]<0) or (reinits < conf["maxreinits"]))):
|
||||||
|
logSys.warn("#%d reinitialization of firewalls"%reinits)
|
||||||
|
lastReinitTime = unixTime
|
||||||
else:
|
else:
|
||||||
logSys.error("Exiting: restarts follow too often, or too many restart attempts")
|
logSys.error("Exiting: reinits follow too often, or too many reinit attempts")
|
||||||
killApp()
|
killApp()
|
||||||
|
|
||||||
# save firewalls to keep a list of IPs for rebanning
|
# save firewalls to keep a list of IPs for rebanning
|
||||||
|
@ -499,7 +498,7 @@ def main():
|
||||||
# reinitialize all the chains
|
# reinitialize all the chains
|
||||||
initializeFwRules()
|
initializeFwRules()
|
||||||
# restore the lists of baned IPs
|
# restore the lists of baned IPs
|
||||||
logFwList = logFwListCopy
|
logFwList.__init__(logFwListCopy)
|
||||||
# reBan known IPs
|
# reBan known IPs
|
||||||
reBan()
|
reBan()
|
||||||
except KeyboardInterrupt:
|
except KeyboardInterrupt:
|
||||||
|
|
|
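Review bot: The option-table default `["int", "maxreinits", 100]` in the first hunk contradicts the configuration comment this same commit adds (`# Values: NUM Default: -1`, where -1 means unlimited); with the option omitted from the config, the daemon gives up after 100 re-initializations and calls `killApp()`, so either change the entry to `["int", "maxreinits", -1])` or correct the comment. In the `except ExternalError` hunk, `reinits += 1` runs before the guard `reinits < conf["maxreinits"]`, so a limit of N permits only N-1 re-initializations before the exit branch; `reinits <= conf["maxreinits"]` would match the documented "maximal number of re-initialization". The elapsed-time test compares `unixTime` against a `lastReinitTime` seeded from `time.time()`, which is only sound if `unixTime` is refreshed from `time.time()` on every loop iteration — that assignment is outside these hunks, as are the start and end of main().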
@ -49,12 +49,12 @@ class Firewall:
|
||||||
""" Bans an IP.
|
""" Bans an IP.
|
||||||
"""
|
"""
|
||||||
ip = aInfo["ip"]
|
ip = aInfo["ip"]
|
||||||
|
self.runCheck("pre-fwban", debug)
|
||||||
if not self.inBanList(ip):
|
if not self.inBanList(ip):
|
||||||
crtTime = time.time()
|
crtTime = time.time()
|
||||||
logSys.warn("Ban " + ip)
|
logSys.warn("Ban " + ip)
|
||||||
self.banList[ip] = crtTime
|
self.banList[ip] = crtTime
|
||||||
aInfo["bantime"] = crtTime
|
aInfo["bantime"] = crtTime
|
||||||
self.runCheck("pre-fwban", debug)
|
|
||||||
cmd = self.banIP(aInfo)
|
cmd = self.banIP(aInfo)
|
||||||
if executeCmd(cmd, debug):
|
if executeCmd(cmd, debug):
|
||||||
raise ExternalError("Firewall: execution of fwban command '%s' failed"%cmd)
|
raise ExternalError("Firewall: execution of fwban command '%s' failed"%cmd)
|
||||||
|
|
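Review bot: Moving `self.runCheck("pre-fwban", debug)` ahead of the `inBanList` test means the firewall consistency check now runs on every call, including for addresses already present in `banList`, rather than only when a new ban is issued; if runCheck executes an external command, that is one process spawn per matching log line for an already-banned host, so confirm the cost is acceptable or document why it is wanted. A one-line comment would make the ordering deliberate, e.g. `# check the chain before consulting banList, so an externally flushed chain is noticed even for IPs we believe are already banned`. The new position also means an ExternalError raised by runCheck occurs before `self.banList[ip]` is written, which avoids recording a ban that never reached the firewall — worth stating in the same comment. The enclosing method's signature is above the hunk.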