From 2a37ee2fb720e5cb612ec9d3094e34ab3b0415f1 Mon Sep 17 00:00:00 2001 From: Steven Hiscocks Date: Sun, 16 Feb 2014 16:52:30 +0000 Subject: [PATCH 1/4] ENH: Add root user check in xt_recent, and add missing actionstop Thanks to Helmut Grohne on IRC for suggestion --- THANKS | 1 + config/action.d/iptables-xt_recent-echo.conf | 3 ++- doc/run-rootless.txt | 6 ------ 3 files changed, 3 insertions(+), 7 deletions(-) diff --git a/THANKS b/THANKS index b92d09a7..c3ff109c 100644 --- a/THANKS +++ b/THANKS @@ -92,5 +92,6 @@ Yaroslav Halchenko Winston Smith ykimon Yehuda Katz +Zbigniew Jędrzejewski-Szmek zugeschmiert Zurd diff --git a/config/action.d/iptables-xt_recent-echo.conf b/config/action.d/iptables-xt_recent-echo.conf index 829d4c06..fa314d68 100644 --- a/config/action.d/iptables-xt_recent-echo.conf +++ b/config/action.d/iptables-xt_recent-echo.conf @@ -33,13 +33,14 @@ before = iptables-blocktype.conf # own rules. The 3600 second timeout is independent and acts as a # safeguard in case the fail2ban process dies unexpectedly. The # shorter of the two timeouts actually matters. -actionstart = iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban- -j +actionstart = if [ $EUID -eq 0 ];then iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban- -j ;fi # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # actionstop = echo / > /proc/net/xt_recent/fail2ban- + if [ $EUID -eq 0 ];then iptables -D INPUT -m recent --update --seconds 3600 --name fail2ban- -j ;fi # Option: actioncheck # Notes.: command executed once before each actionban command diff --git a/doc/run-rootless.txt b/doc/run-rootless.txt index 5edf6ef6..57cd6f3a 100644 --- a/doc/run-rootless.txt +++ b/doc/run-rootless.txt 
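Review bot: The new actionstop line deletes exactly one copy of the rule with `-D`, while actionstart still inserts unconditionally with `-I`, so after the unclean exit that the hunk's own comment anticipates (the 3600 s "safeguard in case the fail2ban process dies unexpectedly") the next start stacks a second INPUT rule and the following stop leaves one behind. Guarding the insert with `iptables -C INPUT <same match spec> || iptables -I INPUT <same match spec>` (on iptables builds that support `-C`) keeps start and stop paired; otherwise loop `-D` in actionstop until it fails. The root test also turns actionstart into a silent no-op for the rootless setup whose instructions this patch removes from run-rootless.txt, so the conf should say where the rule then comes from, e.g. `# Not root: the INPUT rule is expected to be installed (and removed) by the administrator`. The `-j` target and the `--name` suffix appear to have been stripped from this rendering of the hunk rather than from the patch itself.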
@@ -74,12 +74,6 @@ further configuration. To run not as root, further setup is necessary: with suitably replaced. - - suppress actionstart for iptables-xt_recent-echo action by creating an override file - iptables-xt_recent-echo.local to accompany iptables-xt_recent-echo.conf with - - [Definition] - actionstart = - - Permissions: make sure that configuration files under /etc/fail2ban are readable by From 7c76f7f204dc2b8ff11581938ecee210832bfc52 Mon Sep 17 00:00:00 2001 From: Steven Hiscocks Date: Sun, 16 Feb 2014 17:56:06 +0000 Subject: [PATCH 2/4] BF: $EUID not avilable in all shells, replaced with `id -u` in xt_recent --- config/action.d/iptables-xt_recent-echo.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/action.d/iptables-xt_recent-echo.conf b/config/action.d/iptables-xt_recent-echo.conf index fa314d68..bc2e8971 100644 --- a/config/action.d/iptables-xt_recent-echo.conf +++ b/config/action.d/iptables-xt_recent-echo.conf @@ -33,14 +33,14 @@ before = iptables-blocktype.conf # own rules. The 3600 second timeout is independent and acts as a # safeguard in case the fail2ban process dies unexpectedly. The # shorter of the two timeouts actually matters. -actionstart = if [ $EUID -eq 0 ];then iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban- -j ;fi +actionstart = if [ `id -u` -eq 0 ];then iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban- -j ;fi # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # actionstop = echo / > /proc/net/xt_recent/fail2ban- - if [ $EUID -eq 0 ];then iptables -D INPUT -m recent --update --seconds 3600 --name fail2ban- -j ;fi + if [ `id -u` -eq 0 ];then iptables -D INPUT -m recent --update --seconds 3600 --name fail2ban- -j ;fi # Option: actioncheck # Notes.: command executed once before each actionban command From 4102f4f8c78df4c29a46d874524e0a50f8fb9d9a Mon Sep 17 00:00:00 2001 
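Review bot: The `` [ `id -u` -eq 0 ] `` condition on both the actionstart and actionstop lines tests for uid 0, which is only a proxy for the privilege iptables actually needs; a fail2ban started unprivileged but granted CAP_NET_ADMIN (one plausible rootless arrangement, though nothing in this hunk shows which setups are supported) now skips both the rule insertion and its removal without any message, and if `id` is absent from PATH the test degrades to `[ -eq 0 ]`, which errors on stderr and likewise skips. Style-wise the POSIX form is `if [ "$(id -u)" -eq 0 ]; then …; fi`, quoted so an empty substitution still yields a single word. Whichever test is kept, a comment above actionstart such as `# Only root inserts the INPUT rule; unprivileged installs must provide and remove it themselves` would record that the silent skip is deliberate.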
From: Steven Hiscocks Date: Sun, 16 Feb 2014 23:08:49 +0000 Subject: [PATCH 3/4] TST: Fix TravisCI build, install of coveralls from pip --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index d693f975..398411bf 100644 --- a/.travis.yml +++ b/.travis.yml @@ -9,7 +9,7 @@ before_install: install: - pip install pyinotify - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then sudo apt-get install -qq python-gamin; fi - - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then pip install -q coveralls; fi + - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then cd ..; pip install -q coveralls; cd -; fi script: - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then export PYTHONPATH="$PYTHONPATH:/usr/share/pyshared:/usr/lib/pyshared/python2.7"; fi - if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then coverage run --rcfile=.travis_coveragerc fail2ban-testcases; else python ./fail2ban-testcases; fi From 9928f1df9651aa388452cbb396cf3a3d5da1dd22 Mon Sep 17 00:00:00 2001 From: Steven Hiscocks Date: Wed, 19 Feb 2014 17:51:08 +0000 Subject: [PATCH 4/4] ENH: Allow 255.255.255.0 style mask for ignoreip --- server/filter.py | 3 +++ testcases/filtertestcase.py | 9 +++++++++ 2 files changed, 12 insertions(+) diff --git a/server/filter.py b/server/filter.py index 840c5316..0e5f9ecb 100644 --- a/server/filter.py +++ b/server/filter.py @@ -288,6 +288,9 @@ class Filter(JailThread): # IP address without CIDR mask if len(s) == 1: s.insert(1, '32') + elif "." in s[1]: # 255.255.255.0 style mask + s[1] = len(re.search( + "(?<=b)1+", bin(DNSUtils.addr2bin(s[1]))).group()) s[1] = long(s[1]) try: a = DNSUtils.cidr(s[0], s[1]) diff --git a/testcases/filtertestcase.py b/testcases/filtertestcase.py index 30397d67..f1a9bcd2 100644 --- a/testcases/filtertestcase.py +++ b/testcases/filtertestcase.py 
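Review bot: The rewritten install entry `cd ..; pip install -q coveralls; cd -` reports the exit status of the final `cd -`, so a failed coveralls install no longer fails the job (as far as Travis checks only the status of the whole entry) and the later `coverage run` step would fail with a less obvious error; `cd -` also prints the directory it returns to. Running the install in a subshell with `&&`, `if [[ $TRAVIS_PYTHON_VERSION == 2.7 ]]; then (cd .. && pip install -q coveralls); fi`, keeps the working directory untouched and propagates pip's status. The reason for leaving the checkout before installing is not stated; a comment such as `# install from outside the checkout so pip does not resolve against the local source tree` would save the next reader guessing, if that is indeed the motive.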
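Review bot: The lookbehind regex `"(?<=b)1+"` in the new `elif` branch counts only the leading run of 1 bits, so a non-contiguous dotted mask is accepted and silently converted instead of rejected: `255.255.0.255` becomes /16 and `0.255.255.0` also becomes /16, and because this feeds the ignore list a typo enlarges the set of addresses fail2ban will never ban. The valid mask `0.0.0.0` (a /0) has no 1 bits, so `re.search` returns None and `.group()` raises AttributeError before the `try` below is reached, whereas the CIDR spelling `/0` is accepted. Counting the bits and checking that the mask is exactly that many high bits fixes both; whether to raise or to log and skip should match what the `except` of the surrounding `try` does, which lies outside the hunk, as does the start of the enclosing method.
```python
elif "." in s[1]:  # 255.255.255.0 style mask
    mask = DNSUtils.addr2bin(s[1])
    prefix = bin(mask).count('1')
    # Only a contiguous run of high bits is a valid netmask; anything
    # else would silently turn into a wider or narrower ignore range.
    if mask != (0xffffffff << (32 - prefix)) & 0xffffffff:
        raise ValueError("Invalid netmask: %s" % s[1])
    s[1] = prefix
# … unchanged: s[1] = long(s[1]) and the DNSUtils.cidr call …
```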
@@ -188,6 +188,15 @@ class IgnoreIP(LogCaptureTestCase): self.assertFalse(self.filter.inIgnoreIPList('192.168.1.255')) self.assertFalse(self.filter.inIgnoreIPList('192.168.0.255')) + def testIgnoreIPMask(self): + self.filter.addIgnoreIP('192.168.1.0/255.255.255.128') + self.assertTrue(self.filter.inIgnoreIPList('192.168.1.0')) + self.assertTrue(self.filter.inIgnoreIPList('192.168.1.1')) + self.assertTrue(self.filter.inIgnoreIPList('192.168.1.127')) + self.assertFalse(self.filter.inIgnoreIPList('192.168.1.128')) + self.assertFalse(self.filter.inIgnoreIPList('192.168.1.255')) + self.assertFalse(self.filter.inIgnoreIPList('192.168.0.255')) + def testIgnoreInProcessLine(self): self.filter.addIgnoreIP('192.168.1.0/25') self.filter.addFailRegex('')
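Review bot: `testIgnoreIPMask` exercises a single well-formed contiguous mask, so the conversion branch it targets is not checked at its edges: nothing asserts what `192.168.1.0/255.255.0.255` (a non-contiguous mask) or `192.168.1.0/0.0.0.0` does, and those are exactly the inputs where a dotted-mask-to-prefix conversion goes wrong. A case such as adding `'192.168.1.0/255.255.0.255'` followed by `self.assertFalse(self.filter.inIgnoreIPList('192.168.2.1'))` would catch the mask being silently widened to /16, and a `/255.255.255.255` case expecting only `192.168.1.0` itself to be ignored pins the other boundary. The expected result for a malformed mask depends on how filter.py decides to handle it, so assert whichever behaviour is chosen rather than leaving it untested.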