mirror of https://github.com/fail2ban/fail2ban
initial ipv6 via iptable wapper
parent
b4099dae57
commit
abc45d28f7
|
@ -0,0 +1,69 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# Author: Cyril Jaquier
|
||||
# Modified by Yaroslav Halchenko for multiport banning
|
||||
# Modified by Paul Jung for calling wrapper in dual stack ipv6 and v4 banning
|
||||
#
|
||||
|
||||
[Definition]
|
||||
|
||||
# Option: actionstart
|
||||
# Notes.: command executed once at the start of Fail2Ban.
|
||||
# Values: CMD
|
||||
#
|
||||
actionstart = fail2ban-iptwrp -N fail2ban-<name>
|
||||
fail2ban-iptwrp -A fail2ban-<name> -j RETURN
|
||||
fail2ban-iptwrp -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
|
||||
|
||||
# Option: actionstop
|
||||
# Notes.: command executed once at the end of Fail2Ban
|
||||
# Values: CMD
|
||||
#
|
||||
actionstop = fail2ban-iptwrp -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
|
||||
fail2ban-iptwrp -F fail2ban-<name>
|
||||
fail2ban-iptwrp -X fail2ban-<name>
|
||||
|
||||
# Option: actioncheck
|
||||
# Notes.: command executed once before each actionban command
|
||||
# Values: CMD
|
||||
#
|
||||
actioncheck = fail2ban-iptwrp -n -L INPUT | grep -q fail2ban-<name>
|
||||
|
||||
# Option: actionban
|
||||
# Notes.: command executed when banning an IP. Take care that the
|
||||
# command is executed with Fail2Ban user rights.
|
||||
# Tags: <ip> IP address
|
||||
# <failures> number of failures
|
||||
# <time> unix timestamp of the ban time
|
||||
# Values: CMD
|
||||
#
|
||||
actionban = fail2ban-iptwrp -I fail2ban-<name> 1 -s <ip> -j DROP
|
||||
|
||||
# Option: actionunban
|
||||
# Notes.: command executed when unbanning an IP. Take care that the
|
||||
# command is executed with Fail2Ban user rights.
|
||||
# Tags: <ip> IP address
|
||||
# <failures> number of failures
|
||||
# <time> unix timestamp of the ban time
|
||||
# Values: CMD
|
||||
#
|
||||
actionunban = fail2ban-iptwrp -D fail2ban-<name> -s <ip> -j DROP
|
||||
|
||||
[Init]
|
||||
|
||||
# Defaut name of the chain
|
||||
#
|
||||
name = default
|
||||
|
||||
# Option: port
|
||||
# Notes.: specifies port to monitor
|
||||
# Values: [ NUM | STRING ] Default:
|
||||
#
|
||||
port = ssh
|
||||
|
||||
# Option: protocol
|
||||
# Notes.: internally used by config reader for interpolations.
|
||||
# Values: [ tcp | udp | icmp | all ] Default: tcp
|
||||
#
|
||||
protocol = tcp
|
||||
|
|
@ -0,0 +1,49 @@
|
|||
#!/bin/sh
|
||||
|
||||
# This file is part of Fail2Ban.
|
||||
#
|
||||
# Fail2Ban is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation; either version 2 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Fail2Ban is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Fail2Ban; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||
|
||||
# Author: Paul Jung aka 'Thanat0s'
|
||||
|
||||
# IPTable WRaPper
|
||||
# This script will call iptable or ip6tables6 depending of the ip format
|
||||
|
||||
LINE=$@
|
||||
|
||||
# try to be simple, keep regexes 'approximatives'
|
||||
RESULT4=`echo $LINE | egrep -c -e "([0-9]{1,3}\.){3}[0-9]{1,3}"`
|
||||
RESULT6=`echo $LINE | egrep -c -e "(::[A-Fa-f0-9]{1,4}|(:[A-Fa-f0-9]{1,4}){2,})"`
|
||||
|
||||
if [ $RESULT4 -ne "0" ]; then
|
||||
# action for ipv4
|
||||
iptables $LINE
|
||||
ERRCODE=$?
|
||||
elif [ $RESULT6 -ne "0" ]; then
|
||||
# action for ipv6
|
||||
ip6tables $LINE
|
||||
ERRCODE=$?
|
||||
else
|
||||
# action for both iptables if no ip is present
|
||||
iptables $LINE
|
||||
ERRCODE=$?
|
||||
ip6tables $LINE
|
||||
if [ $? -ge "1" ]; then
|
||||
ERRCODE=$?
|
||||
fi
|
||||
fi
|
||||
|
||||
# always report the error
|
||||
exit $ERRCODE
|
|
@ -47,7 +47,7 @@ class Regex:
|
|||
self._matchCache = None
|
||||
# Perform shortcuts expansions.
|
||||
# Replace "<HOST>" with default regular expression for host.
|
||||
regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)")
|
||||
regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_:]+)")
|
||||
if regex.lstrip() == '':
|
||||
raise RegexException("Cannot add empty regex")
|
||||
try:
|
||||
|
|
|
@ -547,6 +547,7 @@ import socket, struct
|
|||
class DNSUtils:
|
||||
|
||||
IP_CRE = re.compile("^(?:\d{1,3}\.){3}\d{1,3}$")
|
||||
IP_CRE6 = re.compile("^(?:[0-9:A-Fa-f]{3,})$")
|
||||
|
||||
#@staticmethod
|
||||
def dnsToIp(dns):
|
||||
|
@ -570,19 +571,21 @@ class DNSUtils:
|
|||
if match:
|
||||
return match
|
||||
else:
|
||||
return None
|
||||
match = DNSUtils.IP_CRE6.match(text)
|
||||
if match:
|
||||
""" Right Here, we faced to a ipv6
|
||||
"""
|
||||
return match
|
||||
else:
|
||||
return None
|
||||
searchIP = staticmethod(searchIP)
|
||||
|
||||
#@staticmethod
|
||||
def isValidIP(string):
|
||||
""" Return true if str is a valid IP
|
||||
We Consider that logfiles didn't make errors ;)
|
||||
"""
|
||||
s = string.split('/', 1)
|
||||
try:
|
||||
socket.inet_aton(s[0])
|
||||
return True
|
||||
except socket.error:
|
||||
return False
|
||||
return True
|
||||
isValidIP = staticmethod(isValidIP)
|
||||
|
||||
#@staticmethod
|
||||
|
|
Loading…
Reference in New Issue