Refined it to work nicely with the current approach to handling externally modified iptables

debian-releases/etch
Yaroslav Halchenko 2005-10-12 15:08:05 +00:00
parent da0bb74180
commit 9c639040bc
4 changed files with 35 additions and 21 deletions


@ -97,6 +97,21 @@ cmdend =
# #
polltime = 1 polltime = 1
# Option: reinittime
# Notes.: minimal number of seconds between the re-initialization of
# firewalls due to external changes in their rules (see fwcheck)
# Values: NUM Default: 100
#
reinittime = 10
# Option: maxreinits
# Notes.: maximal number of re-initialization of firewalls due to external
# changes. -1 stays for infinite, so only reinittime is of importance
# Values: NUM Default: -1
#
maxreinits = -1
[MAIL] [MAIL]
# Option: enabled # Option: enabled
# Notes.: enable mail notification when banning an IP address. # Notes.: enable mail notification when banning an IP address.
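Review bot: the new `maxreinits` comment reads "-1 stays for infinite"; it should say "stands for infinite", and it is worth stating that the count is a lifetime total for the running daemon rather than a per-interval limit, since nothing in the option text says when, if ever, the counter resets. The `reinittime` description could also name the unit in the Values line (`# Values: NUM (seconds)`), as the prose does, so that readers of the bare option table do not have to guess.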

debian/changelog

@ -1,19 +1,19 @@
fail2ban (0.5.4-5.7) unstable; urgency=low fail2ban (0.5.4-5.7) unstable; urgency=low
* Added a notification regarding the importance of 0.5.4-5 change of * Added a notification regarding the importance of 0.5.4-5 change of
failregex in the config file failregex in the config file.
* Adjusted address to FSF * Adjusted address to FSF.
* Adjusted failregex for SSH so it bans "Illegal user" entries as well, and * Adjusted failregex for SSH so it bans "Illegal user" entries as well, and
restricted full failregex more to include ":" at the beginning, because restricted full failregex more to include ":" at the beginning, because
otherwise it might not be sufficient and would revive bug 330827 (closes: otherwise it might not be sufficient and would revive bug 330827 (closes:
#333056) #333056).
* Adjusted failregex for SSH to accommodate recent changes in logging of * Adjusted failregex for SSH to accommodate recent changes in logging of
SSH: Illegal -> Invalid. Should match both now SSH: Illegal -> Invalid. Should match both now.
* Fixed a problem of raise AttributeError exception reported as a side * Fixed a problem of raise AttributeError exception reported as a side
effect of crash during parsing of the config file effect of crash during parsing of the config file.
* Introduced fwcheck option to verify consistency of the * Introduced fwcheck option to verify consistency of the
chains. Implemented automatic restart of fail2ban main function in chains. Implemented automatic restart of fail2ban main function in
case if check of fwban failed. Should close few bugs case if check of fwban or fwban command failed (closes: #329163, #331695).
-- Yaroslav Halchenko <debian@onerussian.com> Mon, 3 Oct 2005 22:26:28 -1000 -- Yaroslav Halchenko <debian@onerussian.com> Mon, 3 Oct 2005 22:26:28 -1000
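Review bot: the reworded last bullet says "in case if check of fwban or fwban command failed", which names the same thing twice; from the rest of the entry ("Introduced fwcheck option to verify consistency of the chains") this should read "in case the fwcheck check or the fwban command failed". Also note the trailer line keeps the original `Mon, 3 Oct 2005` timestamp even though this commit adds `(closes: #329163, #331695)` to the entry; that is fine only if 0.5.4-5.7 has not been uploaded yet, otherwise the bug closures belong in a new entry.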


@ -216,7 +216,9 @@ def main():
["str", "ignoreip", ""], ["str", "ignoreip", ""],
["int", "polltime", 1], ["int", "polltime", 1],
["str", "cmdstart", ""], ["str", "cmdstart", ""],
["str", "cmdend", ""]) ["str", "cmdend", ""],
["int", "reinittime", 100],
["int", "maxreinits", 100])
# Gets global configuration options # Gets global configuration options
conf.update(confReader.getLogOptions("DEFAULT", optionValues)) conf.update(confReader.getLogOptions("DEFAULT", optionValues))
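Review bot: the registered default `["int", "maxreinits", 100]` disagrees with the shipped config file in this same commit, which documents `# Values: NUM Default: -1` (infinite) for `maxreinits`. A user whose fail2ban.conf predates this option, and so does not set it, will get a hard cap of 100 reinitializations instead of the unlimited behaviour the documentation promises. Either change this line to `["int", "maxreinits", -1]` or fix the comment in the config file, but the two should agree.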
@ -415,13 +417,8 @@ def main():
initializeFwRules() initializeFwRules()
# yoh: I don't think that this parameters need to be configured lastReinitTime = time.time()-conf["reinittime"]-1 # try to reinit once if it fails immediately
# and probably maxRestarts should be removed reinits = 0
legitRestartTime = 10 # legitimate minimal restart time
maxRestarts = 100 # max number of times to perform restart
lastRestartTime = time.time()
restarts = 0
# Main loop # Main loop
while True: while True:
try: try:
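Review bot: the initialization `lastReinitTime = time.time()-conf["reinittime"]-1` is correct for its purpose (the first failure is allowed to reinitialize immediately), but the explanatory comment is squeezed onto the same line; the removed lines in this hunk show the file's own convention of a comment line above the assignment, and the reinit policy is subtle enough to deserve that. It would also help to state here that `reinits` is never reset, so `maxreinits` bounds the total number of reinitializations over the life of the process.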
@ -484,12 +481,14 @@ def main():
except ExternalError, e: except ExternalError, e:
# Something wrong while dealing with Iptables. # Something wrong while dealing with Iptables.
# May be chain got removed? # May be chain got removed?
logSys.error("Fail2Ban got a problem: " + e.__str__()) reinits += 1
if (unixTime - lastRestartTime > legitRestartTime) and (restarts < maxRestarts): logSys.error(e)
logSys.error("Reinitializing firewalls for the %dst time "%restarts) if ((unixTime - lastReinitTime > conf["reinittime"]) and
lastRestartTime = time.time() ((conf["maxreinits"]<0) or (reinits < conf["maxreinits"]))):
logSys.warn("#%d reinitialization of firewalls"%reinits)
lastReinitTime = unixTime
else: else:
logSys.error("Exiting: restarts follow too often, or too many restart attempts") logSys.error("Exiting: reinits follow too often, or too many reinit attempts")
killApp() killApp()
# save firewalls to keep a list of IPs for rebanning # save firewalls to keep a list of IPs for rebanning
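Review bot: there is an off-by-one in the new condition. `reinits += 1` runs before the check `reinits < conf["maxreinits"]`, so with `maxreinits = 1` the first external failure yields `1 < 1`, which is false, and the daemon exits without ever having reinitialized; in general `maxreinits = N` permits only N-1 reinitializations. Either compare with `<=` or increment `reinits` inside the branch that actually performs the reinitialization. Separately, because the counter is never decremented, a long-running daemon that sees an occasional external flush hours apart will still eventually hit the cap and exit, even though each individual reinit respected `reinittime`; if that is not intended, reset `reinits` when `unixTime - lastReinitTime` is comfortably larger than `conf["reinittime"]`.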
@ -499,7 +498,7 @@ def main():
# reinitialize all the chains # reinitialize all the chains
initializeFwRules() initializeFwRules()
# restore the lists of baned IPs # restore the lists of baned IPs
logFwList = logFwListCopy logFwList.__init__(logFwListCopy)
# reBan known IPs # reBan known IPs
reBan() reBan()
except KeyboardInterrupt: except KeyboardInterrupt:
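Review bot: `logFwList.__init__(logFwListCopy)` is presumably chosen over the old `logFwList = logFwListCopy` so that other references to the same list object (the firewall objects that hold it) see the restored contents rather than a stale rebinding. That intent is not obvious from a dunder call; `logFwList[:] = logFwListCopy` performs the same in-place replacement and reads as such, and a one-line comment saying why the object must be kept would save the next reader a detour. Also, the context comment "restore the lists of baned IPs" has a typo ("banned") that could be fixed while this line is being touched.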


@ -49,12 +49,12 @@ class Firewall:
""" Bans an IP. """ Bans an IP.
""" """
ip = aInfo["ip"] ip = aInfo["ip"]
self.runCheck("pre-fwban", debug)
if not self.inBanList(ip): if not self.inBanList(ip):
crtTime = time.time() crtTime = time.time()
logSys.warn("Ban " + ip) logSys.warn("Ban " + ip)
self.banList[ip] = crtTime self.banList[ip] = crtTime
aInfo["bantime"] = crtTime aInfo["bantime"] = crtTime
self.runCheck("pre-fwban", debug)
cmd = self.banIP(aInfo) cmd = self.banIP(aInfo)
if executeCmd(cmd, debug): if executeCmd(cmd, debug):
raise ExternalError("Firewall: execution of fwban command '%s' failed"%cmd) raise ExternalError("Firewall: execution of fwban command '%s' failed"%cmd)
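Review bot: moving `self.runCheck("pre-fwban", debug)` inside the `if not self.inBanList(ip)` branch avoids an iptables round-trip for IPs that are already banned, which is a good change, but it now runs after `self.banList[ip] = crtTime` has been recorded. If `runCheck` or the subsequent `executeCmd` raises `ExternalError`, the IP is marked as banned in `banList` even though no firewall rule was ever added; the reinitialization path then relies on the saved copy and `reBan()` to repair that. It would be more robust to run the check before mutating `banList` (directly after the `if`), or to remove the entry again when the ban command fails, so that the in-memory state never claims a ban the firewall does not have.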